Metasploit – General concepts

By | 30/10/2014

General information

Program folder: /usr/share/metasploit-framework/

User environment

The home folder is where personal modules are loaded from, where the configuration is saved and where “rc” files are kept.

Home folder: $HOME/.msf4/

“rc” files store a sequence of msfconsole commands. The commands already run in a session can be saved to an .rc file with the makerc file.rc command, and an .rc file can be replayed from a session with the resource file.rc command.

The current session configuration can be saved with the save command. It is written to the $HOME/.msf4/config file.

Metasploit Interfaces

Msfconsole (run msfconsole)
Msfweb
Msfgui & Armitage
Msfcli – to run exploits from shell

Msfconsole commands

Information commands:

  • help
  • search
  • info
  • show <options> <advanced>

Interaction commands:

  • use/back
  • set/unset
  • setg/unsetg – set global parameters that will be used for different modules
  • connect – connect with other metasploit
  • irb – Ruby interpreter
  • load/unload – load plugins
  • route – used for pivoting, routing tables
  • loadpath
  • check
  • exploit
  • sessions – list open sessions and connect to them
  • jobs
  • kill
  • resource
  • makerc

Configuration commands:

  • save
  • reload
  • reload_all – reloads all the modules

Console management

Ctrl + Z – from the remote shell, return to msfconsole
sessions – list of the active sessions
sessions -i “ID” – return to the remote shell
exploit -j – run the exploit in the background
jobs – shows the running jobs
jobs -K – kill all the jobs


Architecture

Written in Ruby

Modules

Metasploit is based on modules. There are 6 types of modules:

  • Payloads
  • Exploits
  • Encoders – used to obfuscate the exploits
  • Nops – to modify the payloads. There are 8 nops available
  • Aux – other modules not related to exploitation: brute force, port scan, …
  • Post – post-exploitation scripts

Modules are stored in the following Path:
/usr/share/metasploit-framework/modules

Modules organization:
/exploits/<OS/Platform>/<Protocol/Service/Local…>/file.rb

Exploits: they have attributes (rhost, rport) and methods (exploit, check)
Auxiliary: they have attributes (rhost) and methods (run)
Payload: they have attributes and advanced attributes

Modules management

msfupdate -> updates all the modules, but it discards any changes made manually in the modules folder
Modules can be downloaded from different sources – exploit-db (which also hosts the vulnerable application), packetstorm, security-focus.
There is an official GitHub repository with updated modules: https://github.com/rapid7/metasploit-framework

Auxiliary

It includes all the modules not related to exploiting: DOS, PDF, scans, brute force, fuzzers, spoofing, …

Some examples
auxiliary/server/<service>/<service>_version – get the service version
auxiliary/scanner/portscan/tcp – scan open TCP ports in a network
auxiliary/scanner/discovery/arp_sweep
auxiliary/scanner/<protocol>/<protocol>_login – brute force attacks

Payload

Code that is going to be run after the exploit is run successfully. It’s written in Assembly and it’s OS/Platform dependent.

Bind/reverse – connection is set from the attacker to the victim or from the victim to the attacker
Inline or Singles – payload is run in one phase of execution
Stagers – first phase to setup the connection
Staged – download of the payload and its execution
No NX and NX
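The module layout described under “Modules” and the payload categories listed above follow naming patterns that can be parsed mechanically. The script below is an added example, not code from this post or from the Metasploit project. It assumes the modules directory layout shown above (<type>/<platform>/<service or category>/<name>.rb) and the usual payload naming convention, in which a staged payload keeps stage and stager in separate path components (windows/meterpreter/reverse_tcp) while a single/inline payload fuses them with an underscore (windows/shell_reverse_tcp); the payload names used as input are standard Metasploit names, not ones from the post, and the convention is treated as a heuristic.

```python
"""Parse Metasploit module paths and classify payload names.

Added example, not code from the post or from the Metasploit project.
Assumes the <type>/<platform>/<category...>/<name>.rb module layout and the
usual payload naming convention (staged: stage and stager in separate path
components; single: stage_stager fused with an underscore). Heuristic only.
"""
from dataclasses import dataclass
from typing import Optional

MODULES_DIR = "/usr/share/metasploit-framework/modules/"
MODULE_TYPES = ("exploits", "auxiliary", "payloads", "encoders", "nops", "post")


@dataclass(frozen=True)
class ModuleInfo:
    mtype: str               # one of MODULE_TYPES
    platform: str            # second directory: OS/platform for exploits, category (scanner, ...) for auxiliary
    category: Optional[str]  # protocol/service/local... directories in between, if any
    name: str                # file name without .rb


def parse_module_path(path: str) -> ModuleInfo:
    """Split an absolute or relative module path into its layout components."""
    rel = path[len(MODULES_DIR):] if path.startswith(MODULES_DIR) else path
    rel = rel.strip("/")
    if rel.endswith(".rb"):
        rel = rel[:-3]
    parts = rel.split("/")
    if len(parts) < 3 or parts[0] not in MODULE_TYPES:
        raise ValueError(f"not a <type>/<platform>/.../<name> module path: {path!r}")
    mtype, platform, *middle, name = parts
    return ModuleInfo(mtype, platform, "/".join(middle) or None, name)


@dataclass(frozen=True)
class PayloadShape:
    platform: str   # e.g. windows or linux/x86
    stage: str      # code run on the target, e.g. meterpreter, shell, exec
    stager: str     # connection setup, e.g. reverse_tcp; empty if there is none
    direction: str  # "bind", "reverse" or "none"
    staging: str    # "staged" or "single"


def classify_payload(payload: str) -> PayloadShape:
    """Classify a payload name such as windows/meterpreter/reverse_tcp."""
    parts = payload.strip("/").split("/")
    if len(parts) < 2:
        raise ValueError(f"payload name needs at least <platform>/<name>: {payload!r}")
    tokens = parts[-1].split("_")
    idx = next((i for i, t in enumerate(tokens) if t in ("bind", "reverse")), None)
    if idx is None:
        # No connection keyword at all: a single payload without a stager (windows/exec).
        return PayloadShape("/".join(parts[:-1]), parts[-1], "", "none", "single")
    direction = tokens[idx]
    stager = "_".join(tokens[idx:])
    if idx > 0:
        # stage_stager fused in one component: inline/single payload
        return PayloadShape("/".join(parts[:-1]), "_".join(tokens[:idx]), stager, direction, "single")
    if len(parts) < 3:
        raise ValueError(f"stager without a stage component: {payload!r}")
    # The stager alone in the last component: staged payload, the stage is the component before it.
    return PayloadShape("/".join(parts[:-2]), parts[-2], stager, direction, "staged")


if __name__ == "__main__":
    # Constructed inputs: the two module paths appear in the post; the payload
    # names are standard Metasploit payload names used to illustrate the convention.
    for p in ("auxiliary/scanner/portscan/tcp",
              MODULES_DIR + "auxiliary/scanner/discovery/arp_sweep.rb"):
        print(parse_module_path(p))
    for p in ("windows/meterpreter/reverse_tcp", "windows/shell_reverse_tcp",
              "windows/meterpreter/bind_tcp", "linux/x86/shell_reverse_tcp", "windows/exec"):
        print(p, "->", classify_payload(p))
```

The bind/reverse keyword and the position of the stage are the only signals used, so names that do not follow the convention (payloads whose last component is just a direction word, for instance) are not classified reliably; the parser is meant to show the structure, not to replace the framework's own module loader.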


Meterpreter

Meterpreter is a special type of payload. It provides lots of functionality, it’s modular and contains different scripts depending on the system (windows, linux, android,…)

Run <script>

run checkvm
run metsvc – install a persistent service in the machine that listens to 31337 (bind shell)
run persistence -U -X -i() -p -r – install persistent service to establish a reverse shell
run hashdump <- get the users and hashes
run winenum <- provides lot of Windows information

getsystem
getuid – provides information about the permissions with which meterpreter is running in the victim.
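The post notes that the metsvc script leaves a persistent service listening on TCP 31337 as a bind shell. From the defender's side that is a concrete pattern to check host inventory against. The script below is an added example, not code from this post or from Metasploit: it parses constructed Windows `netstat -ano` output and a constructed (service name, binary path) inventory, flags any listener on the watched port, and flags services whose name or path contains "metsvc". That indicator string is an assumption taken from the script's name; the sample paths and PIDs are made up for the example.

```python
"""Flag signs of a metsvc-style persistent bind listener in host inventory data.

Added example, not from the post or from Metasploit. Assumptions: socket data
is in Windows `netstat -ano` format, the service inventory is a constructed
list of (name, binary path) pairs, and the persisted service keeps "metsvc"
in its name or path (an indicator derived from the script name; a renamed
service would need a different indicator).
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

WATCHED_PORTS = {31337}        # port named in the post for the metsvc bind shell
SERVICE_INDICATOR = "metsvc"   # assumption: the service keeps the script's name

# TCP rows of `netstat -ano`: proto, local addr:port, foreign addr, state, pid
NETSTAT_TCP = re.compile(
    r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+(?P<state>[A-Z_]+)\s+(?P<pid>\d+)\s*$"
)


@dataclass(frozen=True)
class TcpSocket:
    local_addr: str
    local_port: int
    state: str
    pid: int


def parse_netstat(text: str) -> List[TcpSocket]:
    """Parse the TCP rows of `netstat -ano` output; headers and UDP rows are ignored."""
    sockets = []
    for line in text.splitlines():
        m = NETSTAT_TCP.match(line)
        if m:
            sockets.append(TcpSocket(m["addr"], int(m["port"]), m["state"], int(m["pid"])))
    return sockets


def flag_listeners(sockets: Iterable[TcpSocket], ports=WATCHED_PORTS) -> List[str]:
    """Report LISTENING sockets bound to any watched port (31337 by default)."""
    return [f"pid {s.pid} listening on {s.local_addr}:{s.local_port}"
            for s in sockets if s.state == "LISTENING" and s.local_port in ports]


def flag_services(services: Iterable[Tuple[str, str]], indicator=SERVICE_INDICATOR) -> List[str]:
    """Report services whose name or binary path contains the indicator string."""
    return [f"service {name!r} -> {path}"
            for name, path in services
            if indicator in name.lower() or indicator in path.lower()]


def review_host(netstat_text: str, services: Iterable[Tuple[str, str]]) -> List[str]:
    """Combine both checks into one list of findings for a host."""
    return flag_listeners(parse_netstat(netstat_text)) + flag_services(services)


# Constructed sample data standing in for `netstat -ano` output and a service inventory.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       4120
  TCP    10.0.0.5:49711         10.0.0.9:445           ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    1204
"""
SAMPLE_SERVICES = [
    ("Dhcp", r"C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted"),
    ("metsvc", r"C:\Windows\TEMP\example\metsvc.exe"),   # constructed path
]


if __name__ == "__main__":
    for finding in review_host(SAMPLE_NETSTAT, SAMPLE_SERVICES):
        print("FINDING:", finding)
```

A listener on 31337 is only an indicator, not proof: the port check should be paired with the service check and with the process behind the PID, and a renamed service will only show up through the listener or through process inspection.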

Modules (extensions)

  • Sniffer – manage network interfaces to sniff traffic
  • Incognito – manage users and identities
  • Espia – record the actions of the logged-in user
  • Mimikatz – Get windows passwords

Mimikatz usage

Migrate to a SYSTEM process
ps <- find the PID of a process running as SYSTEM
migrate PID
load mimikatz
help
kerberos <- obtain the users and passwords