Metasploit Framework

Questions and Answers

Which of the following operating systems is the Metasploit Framework (MSF) available for?

  • Windows
  • Linux
  • Mac OS X
  • All of the above (correct)

Exploit modules in Metasploit are designed to perform auxiliary actions like host discovery and enumeration, rather than directly compromising the target.

False (B)

What is the primary function of a payload within the Metasploit Framework (MSF)?

  • To execute code on a compromised target (correct)
  • To list all available exploits
  • To discover hosts on the network
  • To encrypt communications between attacker and target

To view a list of all available exploits in Metasploit, you would use the command ______.

show exploits

Which command in Metasploit is used to load a specific exploit, changing the command prompt to indicate you are working within that exploit's context?

use exploit_path_name (D)

Once an attacker has gained initial access to a system, maintaining that access is unnecessary as the vulnerability used will always remain exploitable.

False (B)

What is the primary purpose of creating a backdoor on a compromised system?

To establish a persistent and covert method of re-accessing the system (B)

What tool can system administrators (and attackers) use to connect two machines, and can be run in either client or server mode?

Netcat

Why is 'calling back' (reverse shell) considered more reliable against firewalls and Intrusion Detection Systems (IDS)?

It initiates the connection from inside the network, often bypassing firewall rules. (A)

VNCinject, as a Metasploit payload, only provides command-line access to the target system.

False (B)

What type of Metasploit payload is entirely executed from memory and can take control of a process?

Meterpreter

Which of the following describes the primary goal of 'covering tracks' after gaining access to a system?

To erase or hide evidence of unauthorized activity (B)

Which of the following actions are typically involved in covering tracks?

Modifying or deleting logs (D)

It is always best to completely delete all logs to avoid detection, regardless of the expertise of the system administrator.

False (B)

In Windows, you can hide a file using the attrib command with the ______ attribute.

+h

In Linux, what is the common method for hiding a file or folder?

prefixing with a period (.)

Match the following Metasploit Framework commands with their descriptions:

  • show exploits = Lists all available exploits
  • use exploit_path_name = Loads a specific exploit
  • show payloads = Lists available payloads for the chosen exploit
  • set PAYLOAD chosen_payload = Selects a payload to use

Which of the following is NOT a typical action for maintaining access to a compromised system?

Patching system vulnerabilities (B)

Modifying log files is always a more effective method of covering tracks than deleting them.

False (B)

The Metasploit Framework (MSF) is written in the programming language ______.

Ruby

Flashcards

Metasploit Framework (MSF)

A framework available for multiple OSes. It supports payload selection and advanced target interaction using VNCinject and meterpreter.

Exploit Modules

Modules in MSF that compromise the target and inject a payload using buffer overflows.

Auxiliary Modules

Modules in MSF that perform actions like host discovery, enumeration, and capturing NTLM/LM hash challenges.

MSF Payload

Code executed on a compromised target, which performs actions like binding a command shell or adding a user account.

show exploits

Command in MSF that lists all available exploits.

info exploit_path_name

Command in MSF providing details of the exploit.

use exploit_path_name

Command in MSF loading a specific exploit.

show payloads

Command in MSF listing all the payloads available for the chosen exploit.

set PAYLOAD chosen_payload

Command in MSF setting the desired payload.

show options

Command in MSF displaying options for the selected payload.

exploit

Command in MSF launching the exploit.

Create a backdoor

Establishing an encrypted channel to the victim or using the victim to infect others in its LAN.

Netcat

A tool used by system admins to connect two machines, can be set up to open a shell.

Calling back

More reliable against firewalls and IDS.

VNCinject

MSF payloads useful for maintaining access, containing a VNC server DLL for desktop access.

Meterpreter

A multifunctional Windows payload taking control of a process, executing entirely from memory.

Covering Tracks

Typically altering logs and hiding files to avoid detection after gaining access.

Modify Logs

Hiding all the tracks of the attack, but it can be forgotten.

Delete Logs

Removing all traces of the intrusion, but this increases the risk of detection.

Hiding files

Uses attrib +h (Windows) or a leading period in the name, as in .folder_name (Linux).

Study Notes

  • The presentation discusses owning a system through gaining access, maintaining access, and covering tracks

Gaining Access

  • Metasploit Framework (MSF) is available for Windows, Linux, and Mac OS X; is free and written in Ruby, C/C++, and assembly
  • MSF supports the selection of specific payloads and advanced interaction with the target using VNCinject and meterpreter payloads
  • MSF has 2000+ exploit modules that compromise the target by using buffer overflows and then injecting a payload
  • MSF has 200+ auxiliary modules that perform actions like host discovery, enumeration of VMware groups/users, and capturing NTLM/LM hash challenges
  • Payloads will execute once the target is compromised using shellcode specific to the target platform, capable of binding a command shell to a port, or adding a user account
  • MSF payloads can be encrypted using encoder modules, and there are 500+ available payloads
  • MSF can be used by selecting an exploit module and payload, then setting appropriate options
  • To select an exploit module, use the show exploits command to list them all or use info exploit_path_name to get info about target software or OS; load with use exploit_path_name
  • To select a payload, use the show payloads command to list the available payloads for the chosen exploit
  • Set a payload by using set PAYLOAD chosen_payload
  • Use show options to list available options for the payload, and use exploit to launch the exploit

Maintaining Access

  • Vulnerabilities get patched and systems get rebooted, so maintaining access is important to avoid the overhead of re-exploiting a vulnerability
  • Backdoors could be used to establish an encrypted/covert channel, or infect other machines in a LAN
  • Netcat is used by system admins to connect two machines and can run in client or server mode
  • An attacker can set netcat to listen on the victim side and then connect to it to open a shell
  • Victims can be set to phone home
  • Calling back is more reliable against firewalls and IDS
  • The Metasploit Framework has two interesting payloads useful to maintain access
  • VNCinject payload contains a VNC server DLL to give desktop access to the target
  • Meterpreter is a multifunction Windows payload that can take control of a process and harness its privileges and is entirely executed from memory

Covering Tracks

  • Alter logs and hide files to cover tracks
  • System and application logs can be modified or deleted
  • Modify logs by hiding all the tracks of the attack and of the changes to the logs
  • Delete logs entirely, but that could invite detection even if the admin cannot understand what the original attack did
  • Hide files by using attrib +h folder_name on Windows, or by naming the folder with a leading period (.folder_name) on Linux
  • Change files and folder names, especially executables
