Exploitation Process using Metasploit
Exploitation in Metasploit is efficient and intelligent. Metasploit takes a scientific approach to hijacking process control and turns the process into a quick, seamless hack. Great lessons can be learned from the meta-approach and applied to any injection attack; for this reason, I find this five-step process valuable from an educational standpoint. I will be demonstrating this process using the Metasploit Framework Command Line Interface, or msfcli. Also, note that for advanced exploit development, any of these modules can be customized, as the framework allows users to design and code their own scanners, exploits, payloads, encoders, fuzzers, malware, and even web-kits. The following paragraphs deal with the five steps in the exploitation process: scanning the target, selecting an exploit, selecting a payload, encoding the exploit, and launching the attack.
1) Port scanning and vulnerability scanning are very easy and manageable in Metasploit. The framework has a lot of functionality built into it; for example, typing ipconfig into msfcli on Windows machines (ifconfig on Linux machines) will simulate the equivalent shell call, bringing up your IP addressing information. The first step is being aware of one's own addressing information, as this will be necessary in communicating with the target. For target identification, an attacker can also call nmap from within msfcli, for full Nmap functionality. The module works exactly like the Nmap command line, and the user can enter nmap -h for a manual on the tool. These results can even be piped to a Metasploit database, for automated attacks based on relevant port data. Please note that automated attacks are typically noisier, and more likely to be detected by intrusion detection systems (IDS). An attacker can even take it a step further and use the Nessus vulnerability scanner, by entering load nessus into msfcli. Again, all of these results can be piped to a database for automation. An attacker can even do web application scanning with Metasploit, by calling wmap and using the help command in the new interface. To create a database, call the db_create/[address]/ command. The help command will generate lots of options for importing vulnerability scans. If the attacker doesn't know which vulnerabilities have matching exploits, they can use the db_autopwn -t -x command to show all exploits that may work on the vulnerable machine.
2) Selecting an exploit in Metasploit is simple and industrialized. The attacker can call the show exploits command to get a full list of all the exploits available. Once an attacker has the exploit they think can leverage the victim's machine, they should call use [exploit name]. Once an attacker is in the exploit module, they should run check [target IP] to make sure they have selected the right exploit. If this is the one they have decided to go with, they call set [exploit name] to lock it in place (not necessary if one is already within the exploit module). There are a few more settings an attacker may want to solidify before choosing a payload: locking in the target IP address and port with set rhost [target IP] and set rport [target port], as well as locking in their own host IP address and port with set lhost [your IP] and set lport [your port]. Setting a port is not always necessary, and it is oftentimes set by the specified exploit and payload.
3) Selecting a payload in Metasploit has become an optimized and elegant process. Payloads are the commands the attacker runs upon successful completion of their exploit. These get packaged with the exploit, and are sent in one bundled attack. Metasploit offers tons of extensibility here, and once in a specific exploit module, calling show payloads will list the specific payloads that work with the chosen exploit. One can always call show payloads outside an exploit module for a general list, and a lot of these payloads will be compatible with most exploits, for example shell, reverse-shell, and meterpreter. Shells create a direct connection to the target machine across a newly opened port on the target that listens for instructions. Unfortunately, an IDS may drop this connection if it is configured to do so. To circumvent this, one can call a reverse-shell, which creates a similar connection, but from the inside of the target machine back out to the host machine. One can also use a meterpreter session, which utilizes a reverse-shell in a very elegant manner, increasing functionality and minimizing presence on the target machine. I will go more in depth on meterpreter sessions in the post-exploitation chapter. Finally, one can call set PAYLOAD [payload name] to lock the specified payload in place.
4) Encoding in Metasploit is how the exploit and payload are packaged together, and it is often done automatically via the set commands. Encoding typically determines how the code will be structured and delivered, and whether or not it incorporates NOP padding. Now that the attacker has built an 'exploit and payload' package via the set commands, they can use obfuscation and apply encryption methods to maintain stealth in operations. If one is still in the exploit module, call show options to see any extra encoding one may apply. The attacker can often spoof the names of payloads, processes, and even host IP addresses via encoding. If one is not in a specific exploit module, they can always pipe their commands through ./msfencode to apply more secrecy to the attack. The command ./msfencode -h will help one choose and apply the proper encoding. It is also a good idea to communicate over encrypted ports or services, such as meterpreter, so it is tougher for someone sniffing traffic to discern malicious traffic from normal traffic. Encoding also works well with web injection when one needs to obfuscate 'bad characters' to get past an IDS.
5) Launching the attack is the easiest part: once all the settings have been set, the attacker simply calls exploit. An attacker can also save the entire exploit to a .exe and use it as a client-side, or local, exploit. Each exploit and payload has a rating to go along with it, estimating its chance of success. These are typically moderate, good, or great, and they ensure repeatability by only accepting quality modules submitted from the community.
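To look at the bind-shell versus reverse-shell distinction from step 3 from the monitoring side, here is an added example that is not part of the original article: it classifies connection-log records into the two patterns the text describes (an inbound connection to a freshly opened listener on the target, versus an outbound connection initiated by the target back to the attacker's lhost/lport). The log format, the internal address range, the baseline port sets and all addresses and ports are constructed assumptions for this demo.

```python
import re
from typing import List, Tuple

# Constructed, hypothetical log format:
#   "<time> <ip>:<port> LISTEN"                      a socket started listening
#   "<time> <src_ip>:<src_port> -> <dst_ip>:<dst_port>" a connection was established
SAMPLE_LOG = """\
10:00:01 10.0.0.5:4444 LISTEN
10:00:02 192.168.1.20:51234 -> 10.0.0.5:4444
10:05:10 10.0.0.5:49152 -> 192.168.1.20:4444
10:05:11 10.0.0.5:49153 -> 10.0.0.9:443
"""

INTERNAL_PREFIX = "10.0.0."          # constructed: the monitored network segment
BASELINE_LISTENERS = {22, 80, 443}   # constructed: ports expected to listen on internal hosts
EGRESS_ALLOWLIST = {80, 443}         # constructed: ports internal hosts may reach externally

LISTEN_RE = re.compile(r"^(\S+) (\S+):(\d+) LISTEN$")
CONN_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def classify(log: str) -> List[Tuple[str, str]]:
    """Return (pattern, line) pairs; pattern is 'bind-shell' or 'reverse-shell'."""
    findings: List[Tuple[str, str]] = []
    new_listeners = set()  # (ip, port) pairs that began listening outside the baseline
    for line in log.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ip, port = m.group(2), int(m.group(3))
            if is_internal(ip) and port not in BASELINE_LISTENERS:
                new_listeners.add((ip, port))
            continue
        m = CONN_RE.match(line)
        if not m:
            continue  # unknown record shape; skip rather than guess
        src, dst, dport = m.group(2), m.group(4), int(m.group(5))
        # Bind-shell pattern: an external host connects inward to a fresh, non-baseline listener.
        if not is_internal(src) and (dst, dport) in new_listeners:
            findings.append(("bind-shell", line))
        # Reverse-shell pattern: an internal host initiates outward on a non-allowlisted port.
        elif is_internal(src) and not is_internal(dst) and dport not in EGRESS_ALLOWLIST:
            findings.append(("reverse-shell", line))
    return findings


if __name__ == "__main__":
    for pattern, line in classify(SAMPLE_LOG):
        print(f"{pattern:13s} {line}")
```

The last sample line (internal host to an internal web server on 443) produces no finding, which is the point of keeping an explicit baseline rather than alerting on every new connection.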