The Mechanics of Metasploit

This paper briefly covers the operating of various Metasploit special tools such as msfencode and Nasm shell and demonstrates how to launch an exploit to penetrate a remote computer using various user interfaces that Metasploit must offer, such as msfcli, msfconsole and msfgui.

Metasploit is exquisitely prevalent amongst penetration testers and especially hackers because it makes it very easy to develop and launch exploits for computer software vulnerabilities. This paper exclusively demonstrates how to configure and practice Metasploit that is a penetration testing platform for developing and launching exploits. This research paper primarily offers specification for the following:

  • Introduction
  • Prerequisite
  • Metasploit Core
  • Launch Pad Configuration
  • Metasploit Modules
  • Metasploit Utilities
  • Importing Exploits to Metasploit
  • Exploit Repository
  • Synopsis

In 2003, a storm (so called Metasploit) had entirely changed the cyber security atmosphere because everyone, even a layman of computer security, started detecting vulnerabilities in existing systems and became hackers by exploiting them. In fact, Metasploit is a free and open source tool and it was designed to developed exploits for various operating systems and frameworks. However, today it is used more especially by both penetration testers and hackers to assess loopholes. Metasploit could be referred to as a separate hacking operating system itself. It contains sophisticated commands to manipulate exploits and even has a couple of diverse module interfaces. So this article guide the aspirant penetration tester about how to use its commands, how to determine which exploit works, how to add new exploits in the database and how to launch an exploit.

Prerequisite

We'll spend the majority of this article showing Metasploit examples. So the aspirant needs to be proficient in configuring a penetration testing lab that includes all the significant tools. Apart from tools, he must have a good understanding of the Ruby Programming Language and network configuration skills because we will confront with the majority of network related operations. This article lab also assumes a reasonable familiarity with Linux as well as with the following tools and technologies:

  • Backtrack 5
  • Metasploit Modules
  • Network Connectivity 
  • Ruby Programming
  • Windows OS (Optional)

Metasploit Core

The Metasploit framework is a unified exploit database with an easy update mechanism. Since it is open source in nature, we can easily manipulate it to suit our needs, for instance we can write own code to exploit a vulnerability and could deploy that newly compiled exploit into an existing Metasploit database. The Framework was written in the Ruby language and includes various components written in Perl scripting, C, assembler and Python. It is basically, designed for the Linux operating system thus its command structure has a close resemblance to the Linux command shell, but nowadays, it supports all major operating systems such as Windows, Solaris and Mac. It has a consistent interface for configuring options and executing exploits and isolates exploits from payloads. Metasploit uses the following terminology to carry out a specifics type of attack and makes the act of exploitation portable.

Exploit

Exploits are typically pieces of malicious code that manipulates specific vulnerability in a computer system. Metasploit provides masses of exploits across multiple operating systems and applications, giving you many ways to attempt to breach a computer. The vulnerability can be detected by running a couple of scanning tools like Nessus and Nmap, that are exploitable by employing Metasploit. In case of, we identify a specific vulnerability and unable to find its corresponding exploit definition in the existing Metasploit database then www.exploit-db.com proves to be a great resource or database of an updated exploit where from we can download the updated exploit source code and later we can port them as a module in the Metasploit database.

Payloads

Once we have identified the vulnerability and are ready to exploit it, the next step is to set up a payload that determines what happens once the exploit succeeds. The payloads are essentially used to get the access of a remote computer to reverse the shell and penetrate the system to implant something malicious into the victim computer.

Encoders

It is not guaranteed that every exploit you fire from Metasploit works. Because it is likely possible that some victim computer has configured a filtering mechanism such as a firewall, antivirus and IPS. The moment an exploit tries to penetrate the remote computer, such filtering mechanism would deny such unrecognizable communication. So an encoder basically encodes the exploit definition to bypass or thwart the remote computer IDA, IPS or anti-virus.

Options

Each exploits and payloads have some built-in parameters such as remote host IP, Local host IP, LPORT, RPORT, server path, username and so on that must be configured before exploiting. These options could be confirmed by SHOW OPTIONS commands in the Metasploit.

Zero Day

Hackers exploit specific loopholes in the software or system to penetrate it and the vendor of such products in reaction, find the patch against exploitable vulnerabilities to thwart future penetration. It is not necessary that they release a patch for every vulnerability because some of exploits are still undetected or not yet disclosed. So such special exploits are considered tio be Zero-day exploits.

Launch Pad Configuration

Metasploit can be launched either from Windows, the Linux Operating system separately or as an integrated tool of Backtrack. It is recommended that Metasploit should be run from backtrack that mandates some initial configuration services to implement exploitation properly. After logging in to the BackTrack 5 using root as the user name and toor as password, we will configure and start these services and packages as in the following.

Update Backtrack 5

It is recommended to update the existing backtrack to get new or updated specifications of tools and exploits. Thus, we can update backtrack using this command as in the following:

# Sudo apt-get update.

Starting Networking Service

After login into backtrack, the IP address is usually not assigned automatically, we need to fire these commands to start or stop networking services consequently.

 

# service networking start
# service networking stop

Apart from that, we can also use the following commands to start networking services because subsequent commands always work accurately unlike earlier.

root networking

You may find that after rebooting your BackTrack machine, the networking service needs to be started again. To make the networking service start automatically, you can provide the following command:

# update-rc.d networking defaults

Setting Network Connection

If the previous commands don't work then we should need to set up the network connection manually to resume communication. That is an important step because we are doing penetration testing to a remote computer. So, it is necessary that both the victim and the hacker machine must at least ping each other properly. Typically, we can assign an IP address either by DHCP or by a manual process (static IP address). We can obtain an IP address using DHCP using the following command:

# dhcpcd eth0

If a dhcpcd package is not present then install it from the following command:

# sudo apt-get install dhcpcd

Backtrack has a couple of interfaces for wired networks, loopback and wireless networks and has assigned them 2 different names. We can double-check using vi /etc/networking/interfaces commands to confirm which one is obtaining an IP address from DHCP as in the following:

set network

If DHCP malfunctions for some reason then we can assign a static IP address using the following procedure in which we are manually assigning the IP address 192.168.1.2 as the default gateway and DNS server to the system.

set network 02

Refreshing Network Interfaces

Occasionally we can refresh various network interfaces such as both wired and wireless network interfaces using the commands in the following figure where we first put down the wired eth0 interface and then bring it up again:

refresh network interface

Wireless Connection

We can use the wicd program to connect to a wireless access point. We can start a wireless networking service using the following command:

# /etc/init.d wicd start

FTP services

Sometimes we need to transfer files or data to a victim machine back and forth or are planting a backdoor like netcat.exe in the victim computer that run as a covert process to maintain access. Thus, a Tftpd daemon is very useful in such situations. First, install this server using the apt-get command and do the rest of the configuration as in the following:

# atftpd --deamon --port 69 /tmp

HTTP Server Configuration

It is necessary to configure a web server to host files or to target web based exploits. Backtrack has a built-in Apache server that just needs to be started as in the following:

metasplit http

Metasploit Modules

Metasploit typically has three interface modules to execute exploits: Console, Command Line and Web. It actually doesn't make much difference either which modules you have chosen to exploit the computer but in general, the console is the most fully featured and powerful among three. Backtrack has a separate segment where all exploits reside and we can even do something with Metasploit modules from there.

modules of metasplit

It is highly recommended to update the existing Metasploit exploit database before executing exploitation that is changed time to time. We need a working internet connection and to fire the following command:

# ./msfupdate

Msfconsole

Msfconsole is the most competent, powerful and all-in-one centralized interfaces infrastructure for penetration testers to make the best use of an exploitation framework. We can consume msfconsole to launch an exploit, loading auxiliary modules, performing enumeration, creating listeners, or running mass exploitations against an entire network. To access "msfconsole", go to Backtrack | Exploitation Tools | Network Exploitation Tools | Metasploit Framework| Msfconsole or use the terminal to execute the following commands:

# cd /pentest/exploits/framework3/
# ./msfconsole

msfconsole

Msfcli

msfcli is a command-line interface that renders an extensive range of modules that can be launched at any one instance collectively. It is different from msfconsole in most manners because it puts the priority on scripting and interpretability with other console-based tools whereas msfconsole provides an interactive way to access all the features in a user-friendly manner. However, it is substandard and lacks some of the advanced automation features compared to msfconsole. To access msfcli go to Backtrack | Exploitation Tools | Network Exploitation Tools | Metasploit Framework| Msfcli or use the terminal to execute the following commands:

# cd /pentest/exploits/framework3/
# ./msfcli

This will display all the available modes similar to that of the MSFConsole and use instructions for selecting the specific module and set its parameters as in the following.

msfcli eight

Msfweb

This is another module of Metasploit for penetration testing. Everything like exploits and payloads come in the form of a GUI interface and makes the job of pen tester easy. mfsgui starts a Metasploit web server on 127.0.0.1 port 55553 when it's services start from the console. We can start this interface using the following commands:

# cd /pentest/exploits/framework3/
# ./msfgui

msf web
We can confirm the login credentials from the File menu, by which msfgui is logged in as in the following:

connection details

Metasploit Utilities

Metasploit utilities are candid interfaces to specific characteristics of the framework and can be advantageous in specific situations, especially in exploit development. Metasploit offers the following special utilities.

NASM

This utility could be useful when you're confronted directly with assembly code, especially if, during exploit development, you need to recognize the opcodes (the assembly instructions) for a given assembly command. NASM is just a Ruby Programming made file that can be found in the framwork3 | msf3 |tools directory and put in a scenario as in the following:

nasm part

Msfencoder

Metasploit comprises a number of encoders for specific situations. They contain null characters that, when interpreted by many programs, signify the end of a string and this will cause the code to terminate before completion. Metasploit assists you in avoiding bad characters and evading a firewall, antivirus and IDSs by encoding the original payload in a way that does not include “bad” characters such as xoo and xff that terminates the payload. We can go through with the msfencode option with the msfencode –h command and list the available encoders as in the following:

msf encoder

Msfpayload

The msfpayload command allows you to generate shell-code that is executable and much more to import exploits outside of the framework. Shell-code typically can be generated in many formats including C, Ruby and Visual Basic for Applications. Each output format will be useful in specific circumstances.

payload msf

Importing Exploits to Metasploit

We are not limited to rely on built-in exploits of the Metasploit framework exclusively. Although we can create our own custom exploit using the C, Ruby, Python and Perl programming languages or even can import the exploit directly from the third-party resources and later add them into the existing Metasploit exploit database. We can view the list of available exploits in the pentest | exploits | frameowrk3 | modules | exploits directory where exploits are categories according to their platform as in the following:

importing exploits

But in the BackTrack 5 initial version, we won't be able to successfully update an existing exploit database even if we add a new exploit definition. We can however, do this properly in the BackTrack 5 Service Pack 2 version where we need to create a directory in the opt | Metasploit | msf3 | modules | exploit and put the exploit code file over there. Later run the msfupdate command to make changes to the exploit database.

It is not necessary to place the newly devised exploit source code in the Metasploit exploit database folder. You can, however, run them directly instead.

Exploit Repository

Vulnerabilities have been disclosed time to time with the proof-of-concept exploit code to demonstrate the feasibility and viability of a loophole detector in the specific software or operating system, but many still remain unaddressed. Publicly available exploit and vulnerability information makes it easier for penetration testers to quickly search and retrieve the best available exploit that may suit their target system environment. We have provided a combined set of online repositories that may help us to track down any vulnerability information or its exploit by searching using them. The following table represents some of the resource of the exploited database:
 
Repository name                                      URL
Bugtraq SecurityFocus http://www.securityfocus.com
OSVDB Vulnerabilities http://osvdb.org
Packet Storm http://www.packetstormsecurity.org
VUPEN Security http://www.vupen.com
National Vulnerability Database http://nvd.nist.gov
ISS X-Force http://xforce.iss.net
SecuriTeam
http://www.securiteam.com
Government Security
http://www.governmentsecurity.org
US-CERT Vulnerability Notes http://www.kb.cert.org/vuls
BugReport http://www.bugreport.ir
Secunia http://secunia.com/advisories/historic/
Offensive Security Exploits Database http://www.exploit-db.com
Security Vulnerabilities Database http://securityvulns.com


Although we can access the majority of exploits of the exploit-db.com database in backtrack itself. Here the procedure is as in the following:

# cd /pentest/exploits/exploitdb/
# vim files.csv

The vim interface produce an overview of all the exploits that resided in the .csv file format as in the following:

vim interface

Synopsis

We have encountered the basics of the Metasploit Framework and are overwhelmed by its many interfaces, options, utilities, variables and modules. This paper briefly covered the operating of various Metasploit special tools such as msfencode and Nasm shell and demonstrates how to launch an exploit to penetrate a remote computer using various user interfaces that Metasploit must offer, such as msfcli, msfconsole and msfgui. We dove much deeper into msfconsole, msfcli, msfpaylods and other interesting concepts of Metasploit as we explore exploit development in later papers of this series.