Tips for an Information Security Analyst/Pentester career - Ep. 33 - Metasploit intro
Intro
In a previous post, I showed you how to manually hack into Metasploitable 2.
It's a tedious and slow process, strictly influenced by your reconnaissance activity.
In other words, if you did a good recon, you'll find more potential vulnerabilities to be exploited than you would if you did not.
Moreover, you need to find an exploit online, check the code and make sure it does what it claims to do.
Furthermore, there's no guarantee that it will work in your specific configuration.
Exploitation can be greatly simplified with the Metasploit Framework, which comes pre-installed on Kali but is also available on multiple platforms.
Metasploit is a bit like a Google for exploits.
It's a set-and-forget tool, containing scripts, exploits, post-exploitation and auxiliary modules.
All you need to do is to launch an Nmap scan with service versioning.
Once you know what services are running on a target, you can fire up Metasploit and look for vulnerabilities connected to that specific version.
Example
Using Metasploitable 2 as a target, let's see how to leverage the power of Metasploit.
An Nmap scan reveals plenty of possible targets.
1) Launch Metasploit: The easiest way is to launch the msfconsole command. Once we have it up and running, we can search in its database. Exploits are classified based on the operating system (Windows, Unix, Linux, macOS, Android, etc.).
2) Select an exploit: To find a specific exploit, simply use the search command, followed by the name of the exploit or keywords contained in it.
To use a specific exploit, simply enter use, followed by its name, as shown below. You'll see the prompt change, as the name of the exploit we're using appears highlighted in red and enclosed in parentheses.
In my case, I'm going to use a PHP exploit (for more details, check out the embedded video).
To get a description of what a specific exploit does, we can use show info.
In order to make our exploit work, we need to set some options, which we can list with show options.
Common options
a) RHOST (Remote host): the IP address of the remote host (i.e. of our victim machine).
b) RPORT (Remote port): the port on the victim machine the exploit is supposed to work on.
c) LHOST (Listening host): the IP address of the attacking machine.
d) LPORT (Listening port): a port on the attacking machine that will receive a connection back from the victim machine.
Payloads
Not all exploits include a payload, so, to make this exploit work, we need to set one up.
We can check what payloads are available with show payloads.
Payloads can do many different things. The most important ones are those that create command shells.
We can have a bind shell or a reverse shell.
With a bind shell, the victim machine opens up a shell and listens on a local port. Then, the attacking machine connects to that port (through netcat, for example).
Bind shells are easily defeated by firewalls and are easier to detect.
A reverse shell, instead (one of the most important of which is Meterpreter, but we'll talk about it later on), creates a connection back to the attacking machine. Since it consists of outbound traffic initiated from the victim, it can more easily slip through the firewall and go undetected.
In this case, I used a reverse shell.
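From the defender's side, the difference between the two shell types above is exactly what a host-level check looks for. The following is an added example, not code from the original post: it classifies a constructed netstat/ss-style connection table into unexpected listeners (the bind-shell pattern) and host-initiated outbound connections (the reverse-shell pattern). The process names, ports and per-host baseline are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    state: str    # "LISTEN" or "ESTAB"
    local: str    # "ip:port"
    remote: str   # "ip:port", or "*:*" for a listener
    process: str  # name of the owning process


# Constructed sample of a connection table from a web server (not real output).
SAMPLE = [
    Conn("LISTEN", "0.0.0.0:80", "*:*", "apache2"),
    Conn("LISTEN", "0.0.0.0:22", "*:*", "sshd"),
    Conn("ESTAB", "10.0.0.5:80", "10.0.0.9:51234", "apache2"),  # normal inbound HTTP
    Conn("ESTAB", "10.0.0.5:22", "10.0.0.7:40011", "sshd"),     # normal inbound SSH
    Conn("LISTEN", "0.0.0.0:4444", "*:*", "sh"),                 # bind-shell pattern
    Conn("ESTAB", "10.0.0.5:39122", "10.0.0.9:4444", "sh"),      # reverse-shell pattern
]

# Assumed baseline for this host: which process is expected to listen on which port.
EXPECTED_LISTENERS = {("apache2", 80), ("sshd", 22)}


def port_of(addr: str) -> int:
    return int(addr.rsplit(":", 1)[1])


def classify(conns, expected=EXPECTED_LISTENERS):
    """Return (bind_like, reverse_like).

    bind_like: listeners not in the baseline, the footprint a bind shell leaves.
    reverse_like: established connections the host itself initiated (its local
    side is an ephemeral port, not a baseline service port), the traffic a
    reverse shell relies on. Legitimate outbound traffic (updates, DNS) lands
    here too, so review the owning process rather than alerting blindly."""
    service_ports = {p for _, p in expected}
    bind_like, reverse_like = [], []
    for c in conns:
        if c.state == "LISTEN" and (c.process, port_of(c.local)) not in expected:
            bind_like.append(c)
        elif c.state == "ESTAB" and port_of(c.local) not in service_ports:
            reverse_like.append(c)
    return bind_like, reverse_like


if __name__ == "__main__":
    bind_like, reverse_like = classify(SAMPLE)
    for c in bind_like:
        print("unexpected listener (bind-shell pattern):", c)
    for c in reverse_like:
        print("host-initiated connection (reverse-shell pattern):", c)
```

Run against the real `ss -tnp` output of a host by parsing each row into a `Conn`; the baseline is what makes the check useful, so keep one per host role.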
3) Exploitation stage: Once we're satisfied with our settings, we can launch the exploit command and wait for the connection back to our attacking machine.
In the blink of an eye, we got a shell!! Metasploit calls these sessions.
We see the prompt change, and now we have a Meterpreter prompt, which allows us to run commands directly on the target machine and extends the functionality of an ordinary shell.
In fact, depending on whether we could hack in as a privileged user or not, we can have information about the system and the running processes, dump password hashes, migrate to a different process, etc.
In this case, I can't get a privilege escalation and can't do a lot, but you'll notice how hacking the system with Metasploit was way faster, compared with a manual attack.
Wrap up
Metasploit is a must for professional pentesters and, even though it's not the only framework available, it's a de facto exploitation standard.
It's intuitive and easy to use.
Searching for exploits and attacking your target becomes as easy as ABC.
However, there are some cons to it, as well.
It can cause a professional to rely too much on automated tools, and these exploits don't work all the time.
I'll be talking more about Metasploit with coming posts, but I hope this overview might be enough to supply you with a high-level picture of how it works.