sdaos

Metasploit

August 4, 2023 · 7 minute read

Overview

DISCLAIMER: The information provided in this article is intended for EDUCATIONAL purposes only. It is NOT intended to promote, encourage, or condone any illegal or unethical activities. Any actions taken based on information provided in this article are at the sole discretion and risk of the user. By reading this article, you acknowledge and agree to these terms.
Metasploit is a well-known penetration testing framework developed by Rapid7. It provides a comprehensive suite of tools for security professionals to identify vulnerabilities in computer systems, networks, and applications. Metasploit has two main versions: Metasploit Pro and Metasploit Framework.
Metasploit streamlines the process of identifying and exploiting vulnerabilities in many types of systems. It operates from a database of known vulnerabilities together with an extensive collection of exploits, payloads, encoders, and auxiliary modules, which lets users identify vulnerabilities and deploy a suitable exploit against each one.
The terms exploits, payloads, encoders, and auxiliary modules refer to distinct components that together make up the framework's capabilities for penetration testing and security assessment.
Metasploit supports ALL phases of a cyber attack, from reconnaissance and scanning through privilege escalation and data exfiltration, and so contains a comprehensive suite of tools for both offensive and defensive security purposes.

Getting Started

If the Metasploit framework is installed, you can simply type msfconsole in the terminal to start Metasploit. Installation instructions can be found here.
┌──(root㉿kali)-[/home/kali]
└─# msfconsole

(Metasploit ASCII art banner)

       =[ metasploit v6.3.27-dev                          ]
+ -- --=[ 2335 exploits - 1220 auxiliary - 413 post       ]
+ -- --=[ 1385 payloads - 46 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: You can pivot connections over sessions started with the ssh_login modules
Metasploit Documentation: https://docs.metasploit.com/

msf6 >
To search for exploits, we can use the search keyword. For more information on a module, we can use the info keyword. To use a module, we can either use the use keyword with the module's index number, or the use keyword and tab-complete the module name.
Note that we can tell what type of capability a module provides by looking at its path. Refer to the list of directories and terms above for information regarding module functionality.
For example, if we wanted to search for vulnerabilities related to EternalBlue, we can simply search for it in msfconsole. EternalBlue is the codename for a critical vulnerability in Microsoft's Server Message Block (SMB) protocol, also tracked as CVE-2017-0144. This vulnerability allowed attackers to perform remote code execution (RCE) on vulnerable systems without user interaction.
Another popular vulnerability that surfaced recently is the Log4j exploit, also referred to as CVE-2021-44228. This vulnerability allowed remote attackers to achieve RCE by sending malicious log messages that were processed by a vulnerable Log4j instance. Because of the sheer number of servers and applications running Log4j, this was a massive problem that left a plethora of companies vulnerable.
Below is an example of me searching for a Log4j exploit in Metasploit.
msf6 > search log4j

Matching Modules
================

   #  Name                                           Disclosure Date  Rank       Check  Description
   -  ----                                           ---------------  ----       -----  -----------
   0  exploit/multi/http/log4shell_header_injection  2021-12-09       excellent  Yes    Log4Shell HTTP Header Injection
   1  auxiliary/scanner/http/log4shell_scanner       2021-12-09       normal     No     Log4Shell HTTP Scanner
   2  exploit/linux/http/mobileiron_core_log4shell   2021-12-12       excellent  Yes    MobileIron Core Unauthenticated JNDI Injection RCE (via Log4Shell)
   3  exploit/multi/http/ubiquiti_unifi_log4shell    2021-12-09       excellent  Yes    UniFi Network Application Unauthenticated JNDI Injection RCE (via Log4Shell)

Interact with a module by name or index. For example info 3, use 3 or use exploit/multi/http/ubiquiti_unifi_log4shell

msf6 >
The output above reveals an assortment of valuable modules. Notably, modules 0, 2, and 3 contain functionality intended to exploit Log4j, while module 1 serves as a scanning tool designed to determine whether a targeted server is vulnerable to Log4j. We can tell that this is the case because it is an auxiliary module and because the module is named log4shell_scanner.
As mentioned beforehand, we can use info [NAME OF THE MODULE] to ascertain more information about the module.
msf6 > info auxiliary/scanner/http/log4shell_scanner

       Name: Log4Shell HTTP Scanner
     Module: auxiliary/scanner/http/log4shell_scanner
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2021-12-09

Basic options:
  Name          Current Setting                                                               Required  Description
  ----          ---------------                                                               --------  -----------
  HEADERS_FILE  /usr/share/metasploit-framework/data/exploits/CVE-2021-44228/http_headers.txt  no        File containing headers to check
  HTTP_METHOD   GET                                                                           yes       The HTTP method to use
  LDAP_TIMEOUT  30                                                                            yes       Time in seconds to wait to receive LDAP connections
  LDIF_FILE                                                                                   no        Directory LDIF file path
  LEAK_PARAMS                                                                                 no        Additional parameters to leak, separated by the ^ character (e.g., ${env:USER}^${env:PATH})
  Proxies                                                                                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                                                                                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
  RPORT         80                                                                            yes       The target port (TCP)
  SRVHOST       0.0.0.0                                                                       yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
  SRVPORT       389                                                                           yes       The local port to listen on.
  SSL           false                                                                         no        Negotiate SSL/TLS for outgoing connections
  TARGETURI     /                                                                             yes       The URI to scan
  THREADS       1                                                                             yes       The number of concurrent threads (max one per host)
  URIS_FILE     /usr/share/metasploit-framework/data/exploits/CVE-2021-44228/http_uris.txt    no        File containing additional URIs to check
  VHOST                                                                                       no        HTTP server virtual host

Description:
  Versions of Apache Log4j2 impacted by CVE-2021-44228 which allow JNDI features used in configuration, log messages, and parameters, do not protect against attacker controlled LDAP and other JNDI related endpoints. This module will scan an HTTP end point for the Log4Shell vulnerability by injecting a format message that will trigger an LDAP connection to Metasploit. This module is a generic scanner and is only capable of identifying instances that are vulnerable via one of the pre-determined HTTP request injection points. These points include HTTP headers and the HTTP request path. Known impacted software includes Apache Struts 2, VMWare VCenter, Apache James, Apache Solr, Apache Druid, Apache JSPWiki, Apache OFBiz.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2021-44228
  https://nvd.nist.gov/vuln/detail/CVE-2021-45046
  https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis
  https://logging.apache.org/log4j/2.x/security.html

Also known as:
  Log4Shell
  LogJam

View the full module info with the info -d command.

msf6 >
Above we can see detailed information about the module: a brief description of how it works, the available options, and links to the NIST vulnerability page, all of which help you use the module. Once we're ready to begin exploiting the vulnerability, we configure the options with the set command. The syntax is: set [OPTION NAME] [VALUE]
Once we finish configuring the module, we type exploit to start it. In this case we didn't have to set up a payload since this is simply a scanning module; if we did, we would use the syntax set payload [PATH TO PAYLOAD], for example set payload windows/x64/shell_reverse_tcp.
Meterpreter is a common and powerful payload utilized within the framework. It is one of the most widely used payloads due to its advanced capabilities and flexibility. It is designed to provide a remote command shell on the target system, and it is capable of creating persistent backdoors, establishing encrypted communication channels, and even escalating privileges on compromised systems.
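As an added example (not code from the Metasploit project or from this post), the following Python parses the Basic options table that info prints, like the one shown above, and lists the required options that still have no value and therefore must be set before exploit will run the module; it also classifies a module by its path, the naming convention described earlier. The table text is a constructed sample with the long file paths shortened.

```python
"""Parse the 'Basic options' table printed by msfconsole's `info` command and
report which required options still need a `set` before the module will run.
Added example, not code from the Metasploit project; the table text is a
constructed sample based on the log4shell_scanner options, with the long
file paths shortened so every option fits on one line."""
import re

# Constructed sample in msfconsole's layout: aligned columns under a
# dashed underline row; an option with no value has a blank cell.
SAMPLE_OPTIONS = """\
Name          Current Setting  Required  Description
----          ---------------  --------  -----------
HEADERS_FILE  headers.txt      no        File containing headers to check
HTTP_METHOD   GET              yes       The HTTP method to use
LDAP_TIMEOUT  30               yes       Time in seconds to wait for LDAP connections
RHOSTS                         yes       The target host(s)
RPORT         80               yes       The target port (TCP)
SRVHOST       0.0.0.0          yes       The local host to listen on
SRVPORT       389              yes       The local port to listen on
TARGETURI     /                yes       The URI to scan
"""


def parse_options(text):
    """Return one dict per option row.  Column boundaries are taken from the
    dashed underline row, so blank cells (like RHOSTS's value) are kept."""
    lines = [l for l in text.splitlines() if l.strip()]
    header, underline, rows = lines[0], lines[1], lines[2:]
    starts = [m.start() for m in re.finditer(r"-+", underline)]
    spans = list(zip(starts, starts[1:] + [None]))
    names = [header[s:e].strip() for s, e in spans]
    return [dict(zip(names, (row[s:e].strip() for s, e in spans)))
            for row in rows]


def missing_required(options):
    """Names of options marked Required=yes that have no Current Setting:
    msfconsole refuses to run the module until each of these is `set`."""
    return [o["Name"] for o in options
            if o["Required"].lower() == "yes" and not o["Current Setting"]]


def module_kind(path):
    """Classify a module by its path, the convention described in the post:
    'auxiliary/scanner/http/log4shell_scanner' -> ('auxiliary', 'scanner')."""
    parts = path.split("/")
    return parts[0], (parts[1] if len(parts) > 1 else "")


if __name__ == "__main__":
    print("set these first:", missing_required(parse_options(SAMPLE_OPTIONS)))
    print(module_kind("auxiliary/scanner/http/log4shell_scanner"))
```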