Introduction
Metasploit Architecture: Filesystem And Libraries - Modules And Locations - Metasploit Object Model - Mixins And Plugins
Required Materials: Hardware Prerequisites - Metasploitable - Windows XP SP2 - XP SP2 Post Install - Additional Services - Creating A Vulnerable Webapp
Metasploit Fundamentals: msfcli - msfweb - msfconsole - Launching Msfconsole - Getting Help - Tab Completion - back - check - connect - exploit vs. run - irb - jobs - load/unload - resource - route - info - set/unset - sessions - search - show - setg - use - Exploits - Using Exploits - Payload - Payload Types - Generating Payloads - About Meterpreter - Meterpreter Basics
Information Gathering: The Dradis Framework - Configuring Databases - Port Scanning - Auxiliary Plugins - Hunting For MSSQL - Service Identification - Password Sniffing - Extending Psnuffle - SNMP Sweeping - Writing Your Own Tcp Scanner
Vulnerability Scanning: SMB Login Check - VNC Authentication - Open X11 - WMAP Web Scanner - Working With Nexpose - Working With Nessus - Nessus Via Msfconsole - Using The MSF Database
Writing A Simple Fuzzer: Simple TFTP Fuzzer - Simple IMAP Fuzzer
Exploit Development: Exploit Design Goals - Exploit Format - Exploit Mixins - Exploit Targets - Exploit Payloads - Writing An Exploit - Getting A Shell - Using The Egghunter Mixin - Completing The Exploit - Alphanumeric Shellcode - Porting Exploits
Client Side Exploits: Binary Payloads - Antivirus Bypass - Binary Linux Trojans - Java Applet Infection - Client Side Attacks - VBScript Infection Methods
MSF Post Exploitation: Privilege Escalation - PSExec Pass The Hash - Event Log Management - Fun With Incognito - Interacting With The Registry - Persistent Netcat Backdoor - Enabling Remote Desktop - Packet Sniffing - Pivoting - TimeStomp - Screen Capture - Searching For Content
Meterpreter Scripting: Existing Scripts - Writing Meterpreter Scripts - Custom Scripting - Useful API Calls - Useful Functions
Maintaining Access: Keylogging - Persistent Meterpreter Service - Meterpreter Backdoor - Interacting With Metsvc
MSF Extended Usage: PHP Meterpreter - Backdooring EXE Files - Browser Autopwn - Karmetasploit - Configuration - Karmetasploit In Action - Attack Analysis - MSF Vs OSX - File Upload Backdoors - Building A Module - Payloads Through MSSQL - Creating Our Auxiliary Module - The Guts Behind It
Beyond Metasploit: Armitage - Armitage Setup - Scanning With Armitage - Exploitation With Armitage - Social-Engineering Toolkit - Getting Started - Menu Based Driving - Spear-Phishing Attack - Java Applet Attack - Metasploit Browser Exploit - Credential Harvester Attack - Tabnabbing Attack - Man Left In The Middle Attack - Web Jacking Attack - Multi-Attack Web Vector - Infectious Media Generator - Teensy USB HID Attack Vector - SMS Spoofing Attack - SET Automation - SET Web-Interface - SET Frequently Asked Questions - Fast-Track - Fast-Track Modes - Fast-Track Updates - Autopwn Automation - Nmap Scripting Engine - MSSQL Injector - MSSQL Bruter - Binary To Hex - Mass-Client Attack - SQL Pwnage - Payload Generator
Module Reference: Auxiliary Modules - Scanner Modules - DCERPC (dcerpc/endpoint_mapper, dcerpc/hidden, dcerpc/management, dcerpc/tcp_dcerpc_auditor) - Discovery (discovery/arp_sweep, discovery/ipv6_neighbor, discovery/udp_probe, discovery/udp_sweep) - FTP (ftp/anonymous, ftp/ftp_login, ftp/ftp_version) - SMB (smb/pipe_auditor, smb/pipe_dcerpc_auditor, smb/smb2, smb/smb_enumshares, smb/smb_enumusers, smb/smb_login, smb/smb_lookupsid, smb/smb_version) - SMTP (smtp/smtp_enum, smtp/smtp_version) - SNMP (snmp/snmp_login) - SSH (ssh/ssh_login, ssh/ssh_login_pubkey, ssh/ssh_version) - Telnet (telnet/telnet_login, telnet/telnet_version) - TFTP (tftp/tftpbrute)
About The Authors: Mati Aharoni - William Coppola - Devon Kearns - David Kennedy - Matteo Memelli - Max Moser - Jim O'Gorman - David Ovitz - Carlos Perez
Metasploit Architecture
From Metasploit Unleashed - Mastering The Framework
Introduction: Filesystem and Libraries - Modules and Locations - Metasploit Object Model - Mixins and Plugins
Filesystem and Libraries
From Metasploit Unleashed - Mastering The Framework
The MSF filesystem is laid out in an intuitive manner and is organized by directory.
  lib: the 'meat' of the framework code base
  data: editable files used by Metasploit
  tools: various useful command-line utilities
  modules: the actual MSF modules
  plugins: plugins that can be loaded at run-time
  scripts: Meterpreter and other scripts
  external: source code and third-party libraries
Libraries
  Rex
    The basic library for most tasks
    Handles sockets, protocols, text transformations, and others
    SSL, SMB, HTTP, XOR, Base64, Unicode
  Msf::Core
    Provides the 'basic' API
    Defines the Metasploit Framework
  Msf::Base
    Provides the 'friendly' API
    Provides simplified APIs for use in the Framework
Modules and Locations
From Metasploit Unleashed - Mastering The Framework
Metasploit, as presented to the user, is composed of modules.
Exploits
• Defined as modules that use payloads
• An exploit without a payload is an Auxiliary module
Payloads, Encoders, Nops
• Payloads consist of code that runs remotely
• Encoders ensure that payloads make it to their destination
• Nops keep the payload sizes consistent.
Module Locations
Primary Module Tree
• Located under $install/modules//
User-Specified Module Tree
• Located under ~/.msf3/modules//
• This location is ideal for private module sets
Loading Additional Trees at Runtime
• Pass the -m option when running msfconsole (./msfconsole -m)
• Use the loadpath command within msfconsole
Metasploit Object Model
In the Metasploit Framework, all modules are Ruby classes.
▪ Modules inherit from the type-specific class
▪ The type-specific class inherits from the Msf::Module class
▪ There is a shared common API between modules
Payloads are slightly different.
▪ Payloads are created at runtime from various components
▪ Glue together stagers with stages
Mixins and Plugins
From Metasploit Unleashed - Mastering The Framework
A quick diversion into Ruby.
• Every Class only has one parent
• A class may include many Modules
• Modules can add new methods
• Modules can overload old methods
• Metasploit modules inherit Msf::Module and include mixins to add features.
Metasploit Mixins
Mixins are, quite simply, the reason why Ruby rocks.
• Mixins 'include' one class into another
• This is both different and similar to inheritance
• Mixins can override a class' methods
Mixins can add new features and allow modules to have different 'flavors'.
• Protocol-specific (ie: HTTP, SMB)
• Behavior-specific (ie: brute force)
• connect() is implemented by the TCP mixin
• connect() is then overloaded by FTP, SMB, and others.
Mixins can change behavior.
• The Scanner mixin overloads run()
• Scanner changes run() for run_host() and run_range()
• It calls these in parallel based on the THREADS setting
• The BruteForce mixin is similar
  # A plain class hierarchy: MyClass inherits woof() from its single parent.
  class MyParent
    def woof
      puts "woof!"
    end
  end

  class MyClass < MyParent
  end

  object = MyClass.new
  object.woof() # => "woof!"

  # ===============================================
  # A mixin: including MyMixin overrides the inherited woof() without changing the parent chain.
  module MyMixin
    def woof
      puts "hijacked the woof method!"
    end
  end

  class MyBetterClass < MyClass
    include MyMixin
  end

  MyBetterClass.new.woof() # => "hijacked the woof method!"
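The same idea carried through to what the text says about Metasploit's own mixins (connect() from a TCP mixin overloaded by FTP, and Scanner swapping run() for run_host()/run_range() driven by THREADS). This is an added illustration, not framework code: BaseModule, Tcp, Ftp, Scanner and MyScanner are simplified stand-ins with the same method names, and no socket is opened.

```ruby
# Added stand-ins for the mixin layering the text describes (assumed names, not
# Metasploit's classes): Tcp gives connect(), Ftp overloads it, Scanner swaps
# run() for run_range()/run_host() driven by THREADS.
class BaseModule
  attr_reader :datastore
  def initialize(datastore = {})
    @datastore = { 'THREADS' => 1, 'RPORT' => 21 }.merge(datastore)
  end
  def run  # without Scanner, run() acts on the single RHOST
    "base run against #{datastore['RHOST']}"
  end
end

module Tcp
  def connect(host)  # only describes the endpoint; no socket is opened
    "tcp:#{host}:#{datastore['RPORT']}"
  end
end

module Ftp
  include Tcp
  def connect(host)  # overloads Tcp#connect yet still reaches it via super
    "ftp-over-#{super(host)}"
  end
end

module Scanner
  def run  # replaces run(); an including module writes run_host() instead
    run_range(datastore['RHOSTS'])
  end
  def run_range(hosts)  # batches of THREADS hosts, each batch in parallel
    results, lock = {}, Mutex.new
    hosts.each_slice(datastore['THREADS']) do |batch|
      batch.map { |h| Thread.new { r = run_host(h); lock.synchronize { results[h] = r } } }.each(&:join)
    end
    results
  end
end

class MyScanner < BaseModule
  include Ftp      # protocol-specific mixin
  include Scanner  # behaviour-specific mixin; MyScanner.ancestors shows the lookup order
  def run_host(host)
    "scanned #{connect(host)}"
  end
end

# Constructed sample target list; nothing on the network is touched.
def demo_scan
  MyScanner.new('RHOSTS' => %w[10.0.0.1 10.0.0.2 10.0.0.3], 'THREADS' => 2).run
end
```

MyScanner.ancestors returns MyScanner, Scanner, Ftp, Tcp, BaseModule in that order, which is why Scanner's run() and Ftp's connect() win over the ones further down the chain.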
Metasploit Plugins
Plugins work directly with the API.
• They manipulate the framework as a whole
• Plugins hook into the event subsystem
• They automate specific tasks which would be tedious to do manually
Plugins only work in the msfconsole.
• Plugins can add new console commands
• They extend the overall Framework functionality
Hardware Prerequisites
From Metasploit Unleashed - Mastering The Framework
Before we dive into the wonderful world of the Metasploit Framework we need to ensure our hardware will meet or exceed some requirements before we proceed. This will help eliminate many problems before they arise later in this document. All values listed are estimated or recommended. You can get away with less although performance will suffer. Some of the hardware requirements that should be considered are:
• Hard Drive Space
• Available Memory
• Processor Capabilities
• Inter/Intra-net Access
Hard Drive Space
This will be the most taxing hurdle to overcome. Be creative if you might have some storage space constraints. This process can consume almost 20 gigabytes of storage space, so be forewarned. This means we can not use a FAT32 partition since it does not support large files. Choose NTFS, ext3 or some other format. The recommended amount of space needed is 40 gigabytes.

    730000000      696MB    //z01 file size on disk
    730000000      696MB    //z02 file size on disk
    730000000      696MB    //z03 file size on disk
    730000000      696MB    //z04 file size on disk
    730000000      696MB    //z05 file size on disk
    272792685      260MB    //zip file size on disk
    total -------  3740MB   //Total space before decom
    5959506432     5700MB   //Extracted image file siz
    20401094656    19456MB  //Per Converted FDCC VM on
    total -------  28896MB
    8589934592     8192MB   //Optional Backtrack "GUES
    total -------  37088MB
    123290094      112MB    //VMware-converter-4.0.1-1
    377487360      360MB    //VMware Converter install
    101075736      97MB     //VMware-Player-2.5.3-1854
    157286400      150MB    //VMware Player Installed
    total -------  37807MB  //See how fast it gets con
If you decided to produce clones or snapshots as you progress through this course, these will also take up valuable space on your system. Be vigilant and do not be afraid to reclaim space as needed.
Available Memory Without supplying enough memory to your HOST and GUEST operating systems you will eventually cause system failure. You are going to require RAM for your host OS as well as the equivalent amount of RAM that you are dedicating for each virtual machine. Use the guide below to aid you in deciding the amount of RAM needed for your situation.
Linux "HOST" Minimal Memory Requirements
  1GB of system memory (RAM)
  Realistically 2GB or more
Per Windows "GUEST" Minimal Memory Requirements
  At least 256 megabytes (MB) of RAM (1GB is re
  Realistically 1GB or more with a SWAP fi
(Optional) Backtrack "GUEST" Minimal Memory Requ
  At least 512 megabytes (MB) of RAM (1GB is re
  Realistically 1GB or more with a SWAP file
Processor
Processor speed is always a problem with dated hardware, although old hardware can be utilized in other fashions to serve a better purpose. The bare-minimum requirement for VMware Player is a 400MHz or faster processor (500MHz recommended). The more horsepower you can throw at it, of course, the better.
Internet Accessibility
This can be solved with a cat5 cable from your router/switch/hub. If there is no DHCP server on your network you will have to assign static IP addresses to your GUEST VMs. A wireless network connection can work just as well as an Ethernet cable; however, the signal degradation over distance, through objects, and structures will severely limit your connectivity.
Metasploitable
From Metasploit Unleashed - Mastering The Framework
One of the problems you encounter when learning how to use an exploitation framework is trying to configure targets to scan and attack. Luckily, the Metasploit team is aware of this and released a vulnerable VMware virtual machine called 'Metasploitable'. This VM has a number of vulnerable services and packages installed for you to hone your skills on. The VM will run on any recent VMware product and is configured with a non-persistent disk so any potential damage you do to the system will be reverted on reboot. For more information on Metasploitable, you can read the introductory blog post at http://www.metasploit.com/express/community and download the torrent file from http://www.metasploit.com/express/community. Once you have downloaded the VM, extract the zip file, open up the vmx file using your VMware product of choice, and power it on. After a brief time, the system will be booted and ready for action. For more information on the VM configuration, there is a readme.txt file but beware...there are spoilers in it.
Making The XP Machine Vulnerable
From Metasploit Unleashed - Mastering The Framework
Go into the Control Panel and select "Switch to Classic View" on the left-hand side. Open "Windows Firewall" and turn it "Off". Open "Automatic Updates" and select "Turn off Automatic Updates" so Windows doesn't undo our changes for us. Open "Security Center", select "Change the way Security Center alerts me" on the left-hand side and de-select all of the checkboxes. This will disable the annoying system tray pop-up notifications. Back in the Control Panel, open "Add or Remove Programs". Select the "Show updates" checkbox at the top. This will display all of the software and security updates that have been installed. Still in the Control Panel, from the toolbar, select "Tools", then "Folder Options". Select the "View" tab and scroll all the way to the bottom. Make sure you un-check the box next to "Use simple file sharing" and click "OK".
Setting Up Additional Services
From Metasploit Unleashed - Mastering The Framework
In order to provide a larger attack surface for the various components of Metasploit, we will enable and install some additional services within our Windows virtual machine. Bear in mind that you will require the Windows XP installation CD or iso in order to install additional services in the VM.
Internet Information Services (IIS) and Simple Network Management Protocol (SNMP)
To begin, navigate to the Control Panel and open "Add or Remove Programs". Select "Add/Remove Windows Components" on the left-hand side. Select the "Internet Information Services (IIS)" checkbox and click "Details". Select the "File Transfer Protocol (FTP) Service" checkbox and click "OK". By default, the installed IIS FTP service allows for anonymous connections. Lastly, select the "Management and Monitoring Tools" checkbox and click "Details". Ensure that both options are selected and click "OK". When all is ready, click "Next" to proceed with the installation of IIS and SNMP. There is an issue with the .NET Framework installed in the NIST virtual machine but it is easily fixed. In the Control Panel, select "Add or Remove Programs" again, select "Microsoft .NET Framework 2.0 Service Pack 1", and click "Change". A progress window will pop up and a progress bar will be displayed and then it will close. This is normal behavior and you can now exit the Control Panel and proceed.
SQL Server 2005 Express
We will also perform an installation of Microsoft's free SQL Server 2005 Express. This will allow us to use some of the different SQL modules in Metasploit. First, download the non-service pack version of SQL Server Express. Note that if you are using your own custom-built VM for this course, you will need to install the Windows Installer 3.1 and the .NET Framework 2.0 in order to install SQL Express. Once the installer has finished downloading, we can run it and select all of the defaults except for "Authentication Mode". Select "Mixed Mode", set an "sa" password of "password1", and then continue on with the rest of the installation. Once the installation is complete, we will need to make it accessible on our network. Click "Start" -> "All Programs" -> "Microsoft SQL Server 2005" -> "Configuration Tools" -> "SQL Server Configuration Manager". When the Configuration Manager starts up, select "SQL Server 2005 Services", right-click "SQL Server (SQL EXPRESS)" and select "Stop". Next, expand "SQL Server 2005 Network Configuration" and select "Protocols for SQLEXPRESS". Double-click "TCP/IP", change "Enabled" to "Yes", and change "Listen All" to "No" on the "Protocol" tab. Next, select the "IP Addresses" tab, and remove any entries under "IPAll". Under "IP1" and "IP2", remove any values for "Dynamic Ports". Both IP1 and IP2 should have "Active" and "Enabled" set
to "Yes". Lastly, set the IP1 "IP Address" to your local address and set the IP2 address to 127.0.0.1. Your settings should look similar to the screenshot below. Click "OK" when everything is set correctly. Next, we'll enable the SQL Server Browser service. Select "SQL Server 2005 Services" and double-click "SQL Server Browser". On the "Service" tab, set the "Start Mode" to "Automatic" and click "OK". By default, the SQL server runs under a limited-privilege account which breaks a lot of custom web applications. We will change this by double-clicking "SQL Server (SQLEXPRESS)" and setting it to Log On as the Built-in Account "Local System". This can also be set by running "services.msc". Click "OK" when you've finished. With everything finally configured, right-click "SQL Server (SQL EXPRESS)" and select "Start". Do the same for the "SQL Server Browser" service. You can now exit the Configuration Manager and verify that the services are listening properly by running "netstat -ano" from a command prompt. You should see UDP port 1434 listening as well as your network IP address listening on port 1433.
Creating A Vulnerable Webapp
From Metasploit Unleashed - Mastering The Framework
In order to create our vulnerable web app, you will need to download Server Management Studio Express. Install SQL Server Management Studio Express, accepting all of the defaults for the installation, then run it via "Start" -> "All Programs" -> "Microsoft SQL Server 2005" -> "SQL Server Management Studio Express". When Management Studio starts up, select "SQL Server Authentication" and connect using the username "sa" and password of "password1". Right-click "Databases" in the "Object Explorer" and select "New Database". Enter "WebApp" for the database name and click "OK". In the "Object Explorer", expand "Databases", and expand the "WebApp" database. Right-click "Tables" and select "New Table". Create a new table named "users" with the column names and types as shown below. Save the "users" table, right-click it and select "Open Table". Enter some sample data into the table and save all of your work. Under the main "Object Explorer" tree, expand "Security", then "Logins". Right-click "Logins" and select "New Login".
In the "Login - New" window, select "Search", enter "aspnet" and click "Check Names". Click "OK" but keep the "Login - New" window open. Click on properties for ASPNET, and ensure that under user mapping the user account has db_owner and public rights to the WebApp database. Next, we need to create our website to interact with the backend database we created. Start Notepad and paste the following code into a new document. Save this file as "C:\Inetpub\wwwroot\Default.aspx".
<%@ Page Language="C#" AutoEventWireup="true" V <%--the ValidateRequest="true" in the page dire