So, what is Metasploit?

Exclusive offer: get 50% off this eBook here
Instant Metasploit Starter [Instant]

Instant Metasploit Starter [Instant] — Save 50%

The art of ethical hacking made easy with Metasploit with this book and ebook

$14.99    $7.50
by Karthik Ranganath | August 2013 | Open Source

This article by Karthik Ranganath, the author of Instant Metasploit Starter, outlines the need for a framework such as Metasploit in a penetration tester's arsenal. But before we dive into the framework, let's understand how the framework has evolved. The following are some basic concepts that will be frequently used in this article:

  • Vulnerability: In simple terms, vulnerability is a loophole in the system. It acts as a channel for an attacker to penetrate the system, which in other words is called exploitation.
  • Exploit: I would recursively define this term as any working piece of code that is used to exploit a vulnerable system.
  • Payload: An attacker exploits a system with a purpose. So, after a successful exploit whatever he/she intends to do with the system stands for payload. In other words,the payload is any working piece of code bundled with an exploit to aid the attacker in the post-exploitation phase.

I have defined these terms right at the beginning because these terms will be used very often throughout this article.

(For more resources related to this topic, see here.)

In the IT industry, we have various flavors of operating systems ranging from Mac, Windows, *nix platforms, and other server operating systems, which run an n number of services depending on the needs of the organization. When given a task to assess the risk factor of any organization, it becomes very tedious to run single code snippets against these systems. What if, due to some hardware failure, all these code snippets are lost? Enter Metasploit.

Metasploit is an exploit development framework started by H. D. Moore in 2003, which was later acquired by Rapid7. It is basically a tool for the development of exploits and the testing of these exploits on live targets. This framework has been completely written using Ruby,and is currently one of the largest frameworks ever written in the Ruby language. The tool houses more than 800 exploits in its repository and hundreds of payloads for each exploit. This also contains various encoders, which help us in the obfuscation of exploits to evade the antivirus and other intrusion detection systems ( IDS ). As we progress in this book, we shall uncover more and more features of this tool.

This tool can be used for penetration testing, risk assessment, vulnerability research, and other security developmental practices such as IDS and the intrusion prevention system ( IPS ).

Top features you need to know about

After learning about the basics of the Metasploit framework, in this article we will find out the top features of Metasploit and learn some of the attack scenarios. This article will be a flow of the following features:

  • The meterpreter module
  • Using auxiliary modules in Metasploit
  • Client-side attacks with auxiliary modules

The meterpreter module

In the earlier article, we have seen how to open up a meterpreter session in Metasploit. But in this article, we shall see the features of the meterpreter module and its command set in detail. Before we see the working example, let's see why meterpreter is used in exploitation:

  • It doesn't create a new process in the target system
  • It runs in the context of the process that is being exploited
  • It performs multiple tasks in one go; that is, you don't have to create separate requests for each individual task
  • It supports scripts writing

Let's check out what the meterpreter shell looks like. Meterpreter allows you to provide commands and obtain results.

Let's see the list of commands that are available to use under meterpreter. These can be obtained by typing help in the meterpreter command shell.

The syntax for this command is as follows:

meterpreter>help

The following screenshot represents the core commands:

The filesystem commands are as follows:

The networking commands are as follows:

The system commands are as follows:

The user interface commands are as follows:

The other miscellaneous commands are as follows:

As you can see in the preceding screenshots, meterpreter has two sets of commands set apart from its core set of commands. They are as follows:

  • Stdapi
  • Priv

The Stdapi command set contains various commands for the filesystem commands, networking commands, system commands, and user-interface commands. Depending on the exploit, if it can get higher privileges, the priv command set is loaded. By default, the stdapi command set and core command set gets loaded irrespective of the privilege an exploit gets.

Let's check out the route command from the meterpreter stdapi command set.

The syntax is as follows:

meterpreter>route [–h] command [args]

In the following screenshot, we can see the list of all the routes on the target machine:

In a scenario where we wish to add other subnets and gateways we can use the concept of pivoting, where we add a couple of routes for optimizing the attack. The following are the commands supported by the route:

Add [subnet] [netmask] [gateway]
Delete [subnet] [netmask] [gateway]
List

Another command that helps during pivoting is port-forwarding. Meterpreter supports port forwarding via the following command.

The syntax for this command is as follows:

meterpreter>portfwd [-h] [add/delete/list] [args]

As soon as an attacker breaks into any system, the first thing that he/she does is check what privilege levels he/she has to access the system. Meterpreter provides a command for working out the privilege level after breaking into the system.

The syntax for this command is as follows:

meterpreter>getuid

The following screenshot demonstrates the working of getuid in meterpreter. In the following screenshot, the attacker is accessing the system with the SYSTEM privilege. In a Windows environment, the SYSTEM privilege is the highest possible privilege available.

Suppose we failed to get access to the system as a SYSTEM user, but succeeded in getting access via the administrator, then meterpreter provides you with many ways to elevate your access levels. This is called privilege escalation. The commands are as follows:

  • Syntax: meterpreter>getsystem
  • Syntax: meterpreter>migrate process_id
  • Syntax: meterpreter>steal_token process_id

The first method uses an internal procedure within the meterpreter to gain the system access, whereas in the second method, we are migrating to a process that is running with a SYSTEM privilege. In this case, the exploit by default gets loaded in any process space of the Windows operating system. But, there is always a possibility that the user clears that process space by deleting that process from the process manager. In a case like this, it's wise to migrate to a process which is usually untouched by the user. This helps in maintaining a prolonged access to the victim machine. In the third method, we are actually impersonating a process which is running as a SYSTEM privileged process. This is called impersonation via token stealing.

Basically, Windows assigns users with a unique ID called Secure Identifier (SID). Each thread holds a token containing information about the privilege levels. Impersonating a token happens when one particular thread temporarily assumes the identity of another process in the same system.

We have seen the usage of process IDs in the preceding commands, but how do we fetch the process ID? That is exactly what we I shall be covering in this article. Windows runs various processes and the exploit itself will be running in the process space of the Windows system. To list all these processes with their PIDs and the privilege levels, we use the following meterpreter command:

meterpreter>ps

The following screenshot gives a clear picture of the ps command:

In the preceding screenshot, we have the PIDs listed. We can use these PIDs to escalate our privileges. Once you steal a token, it can be dropped using the Drop_token command.

The syntax for this command is as follows:

meterpreter>drop_token

Another interesting command from the stdapi set is the shell command. This spawns a shell in the target system and enables us to navigate through the system effortlessly.

The syntax for this command is as follows:

meterpreter>shell

The following screenshot shows the usage of the shell command:

The preceding screenshot shows that we are inside the target system. All the usual windows command shell scripts such as dir, cd, and md work here.

After briefly covering system commands, let's start learning the filesystem commands. A filesystem contains a working directory. To find out the current working directory in the target system, we use the following command:

meterpreter>pwd

The following screenshot shows the command in action:

Suppose you wish to search for different files on the target system, then we can use a command called search. The syntax for this command is as follows:

meterpreter> search [-d dir][-r recurse] –f pattern

Various options available under the search command are:

  • -d: This is the directory to begin the search. If nothing is specified, then it searches all drives.
  • -f: The pattern that we would like to search for. For example, *.pdf.
  • -h: Provides the help context.
  • -r: Used when we need to recursively search the subdirectories. By default this is set to true.

Once we get the file we need, we use the download command to download it to our drive.

The syntax for this command is as follows:

meterpreter>download Full_relative_path

By now we have covered the core commands, system commands, networking commands, and filesystem commands. The last article of the stdapi command set is the user-interface commands. The most commonly used commands are the keylogging commands. These commands are very effective in sniffing user account credentials:

  • Syntax: meterpreter>keyscan_start
  • Syntax: meterpreter>keyscan_dump
  • Syntax: meterpreter>keyscan_stop

This is the procedure of the usage of this command. The following screenshot explains the commands in action:

The communication between the meterpreter and its targets is done via type-length-value. This means that the data is getting transferred in an encrypted manner. This leads to multiple channels of communications. The advantage of this is that multiple programs can communicate with an attacker. The creation of channels is illustrated in the following screenshot:

The syntax for this command is as follows:

meterpreter>execute process_name –c

-c is the parameter that tells the meterpreter to channel the input/output. When the attack requires us to interact with multiple processes then the concept of channels comes in handy as a tool for the attacker. The close command is used to exit a channel.

Summary

In this article we learned what is Metaspoilt and also saw one of its top feature.

Resources for Article:


Further resources on this subject:


Instant Metasploit Starter [Instant] The art of ethical hacking made easy with Metasploit with this book and ebook
Published: June 2013
eBook Price: $14.99
See more
Select your format and quantity:

About the Author :


Karthik Ranganath

Karthik Ranganath is an active member of the DEFCON community in India. He is the POC for DEFCON Bangalore Group (DC9180). He has published various web application advisories in portals such as exploit-db and packetstorm security. As a passionate security researcher, he has found critical vulnerabilities in various corporate networks and responsibly disclosed it to the concerned authorities. He holds the EC-Council CEH certification and has a Bachelor's degree in Information Technology from National Institute of Technology Karnataka, India. In his free time, he shares his knowledge with the student community in the form of workshops and has conducted such programs for various technical universities in India. He has presented papers at various national level security conferences. He blogs at epsilonlambda.wordpress.com.

Books From Packt


Metasploit Penetration Testing Cookbook
Metasploit Penetration Testing Cookbook

Learning Metasploit Exploitation and Development
Learning Metasploit Exploitation and Development

Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide
Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide

Instant Penetration Testing: Setting Up a Test Lab How-to [Instant]
Instant Penetration Testing: Setting Up a Test Lab How-to [Instant]

BackTrack 5 Wireless Penetration Testing Beginner’s Guide
BackTrack 5 Wireless Penetration Testing Beginner’s Guide

BackTrack 4: Assuring Security by Penetration Testing
BackTrack 4: Assuring Security by Penetration Testing

BackTrack 5 Cookbook
BackTrack 5 Cookbook

Spring Security 3
Spring Security 3


Your rating: None Average: 1.6 (10 votes)

Post new comment

CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.
S
Y
D
1
Q
U
Enter the code without spaces and pay attention to upper/lower case.
Code Download and Errata
Packt Anytime, Anywhere
Register Books
Print Upgrades
eBook Downloads
Video Support
Contact Us
Awards Voting Nominations Previous Winners
Judges Open Source CMS Hall Of Fame CMS Most Promising Open Source Project Open Source E-Commerce Applications Open Source JavaScript Library Open Source Graphics Software
Resources
Open Source CMS Hall Of Fame CMS Most Promising Open Source Project Open Source E-Commerce Applications Open Source JavaScript Library Open Source Graphics Software