
Metasploit Secrets

Introduction


In 2003, a hacker known as HD Moore had the idea of building a tool for writing exploits quickly. Thus the Metasploit project was born, and it is now well known in every circle. The first version of the framework was written in Perl and had a text-based interface built on the curses library.

By 2007 the developers had organized themselves as Metasploit LLC, and the project was completely rewritten in Ruby, with parts in C, Python and assembler.

In October 2009 the Metasploit project was acquired by Rapid7, on the condition that HD Moore would remain the technical lead of the framework, to which Rapid7 agreed.

Today Metasploit is one of the most popular tools of its kind, with the largest database of exploits and shellcodes and a great deal of documentation, which is good news.

Metasploit lets you simulate a network attack and identify system vulnerabilities, check the effectiveness of IDS/IPS, or develop new exploits, and produce a detailed report. It has even been nicknamed the "hacker's Swiss Army knife".

Because the framework's code is written mainly in Ruby, it is cross-platform and not tied to any particular OS. HD Moore once demonstrated msfconsole running on a watch with Linux firmware.

Today Metasploit ships in several Linux distributions:

- Kali Linux (kali.org);
- BackTrack Linux (backtrack-linux.org; support discontinued);
- Pentoo (pentoo.ch);
- BlackArch (www.blackarch.org);
- BackBox (backbox.org).

Since the framework was acquired, a lot has changed. For example, PRO and Community editions appeared, and in 2010 a simplified edition for less experienced users, Metasploit Express.

The tool comes in several configurations:

1) Command-line console (msfconsole);
2) Web interface (Metasploit Community, PRO and Express);
3) Graphical front end (Armitage, and its more advanced relative, Cobalt Strike).

Framework: practice

If you do not have Metasploit yet, that is no problem: you can download it from the official website, metasploit.com.
Note that msf works correctly only with a PostgreSQL database.

Once the package is downloaded, open a console and do the following:

1) cd Download/ (go to the download directory);
2) chmod +x metasploit-latest-linux-installer.run (make the installer executable);
3) sudo ./metasploit-latest-linux-installer.run (start the graphical installation).

Install Metasploit

(More detailed installation documentation is available on the Metasploit website).

Before going further, let us briefly review the basic concepts and some of the msf commands.

Exploit - a fragment of code that uses a vulnerability in software or the OS to carry out an attack on the system.
Module - a self-contained unit of framework code that automates part of an attack.
Shellcode - machine code used as an exploit payload that gives access to the OS shell.
Payload - the code that runs on the target after a successful attack. msf contains a great many payload types.
"Stager" - a payload split into stages: a small first stage establishes the connection, and the full shell is then loaded over it.
"Reverse shell" - a back-connect shell, where the target connects back to the attacker.
"Meterpreter" - perhaps one of the most popular shells, if not the most popular. It has many capabilities: process migration; XOR encryption to evade IDS and antivirus; two kinds of DLL injection, and so on. You can also choose the "metsvc" payload, which uploads Meterpreter and registers it as a service. More details about Meterpreter can be found in the articles linked at the end of this one.

That concludes the short Meterpreter tour; now on to the msf console.

use - select an exploit.
search - search. The search command is quite flexible: if you have forgotten the exact name or location of an exploit, it can show you all the available information.
show options - view the options to configure. After choosing an exploit, you can see which options are available for customization.
show payloads - view payloads. msf contains many payloads; with this command you can also see the payloads recommended for a particular exploit and target operating system.
info - view the details of a payload
(info payload_name)
set - set parameters. The set command sets the required parameters, for example RHOST (remote host) and LHOST (local host), or the payload
(set PAYLOAD windows/shell/reverse_tcp)
check - check whether the host is vulnerable.
exploit - launch the exploit. When the target is chosen and everything is configured, only the final step remains: the exploit command.

Also worth noting is a little-known but useful feature of msf: resource scripts. A resource script is a text file containing a sequence of console commands to be executed; it can also contain Ruby code.
These files are very convenient and allow you to almost fully automate an already easy testing process. For example, they can be used to start a server automatically, or to clean up afterwards.
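As an added example (not from the original article or the Metasploit project), here is a resource script that prepares a lab workspace, turns on console logging, and uses an embedded Ruby block to summarize the hosts already recorded in the database. The workspace name, log path and the `framework.db.workspace.hosts` call inside the `<ruby>` block are assumptions for this illustration; the other lines are ordinary msfconsole commands.

```text
# lab_setup.rc (constructed example; run with: msfconsole -q -r lab_setup.rc)

# Confirm the PostgreSQL connection before doing anything else.
db_status

# Create (or switch to) a dedicated workspace so lab results stay separate.
workspace -a lab_audit                # assumed workspace name

# Keep a transcript of the whole session for the report.
spool /tmp/msf_lab_audit.log          # assumed log path
setg VERBOSE true

<ruby>
  # Embedded Ruby: list hosts already stored for the current workspace.
  # Assumes framework.db.workspace.hosts is available in this context.
  ws = framework.db.workspace
  print_status("#{ws.hosts.length} host(s) recorded in workspace #{ws.name}")
  ws.hosts.each { |h| print_line("  #{h.address}  #{h.os_name}") }
</ruby>

# Stop logging once the summary has been written.
spool off
```

A script like this is a good fit for the clean-up and reporting use the text mentions: it leaves a timestamped transcript of every command that ran, which is the record you want when you later have to show what was and was not tested.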

Conclusion

A vulnerability in the RDP protocol allows code execution on a remote system. Let us look at the ms12_020 module, which causes a BSOD on the target.

The module is located at auxiliary/dos/windows/rdp/ms12_020_maxchannelids:

[screenshot]

Select the module and configure it; it is enough to specify the remote host:

[screenshot]
[screenshot]

As the screenshot above shows, the session is established.

A successful run produces a picture like this:

[screenshot]

Note that in current versions of Windows, RDP is disabled by default, so it has to be enabled first.

Links

www.metasploit.com - official Metasploit website
www.offensive-security.com/metasploit-unleashed/Main_Page - official Metasploit documentation
www.rapid7.com/products/metasploit/editions-and-features.jsp - comparison of Metasploit editions
www.exploit-db.com - the largest public online exploit database
www.offensive-security.com/metasploit-unleashed/Meterpreter_Basics - Meterpreter documentation
github.com/darkoperator/MSF-Installer - automatic Metasploit installation script
community.rapid7.com/docs/DOC-2100 - detailed Metasploit installation guide (Linux)

Original: Pentest Magazine Journal.

Source: https://habr.com/ru/post/234719/
