MSF

From charlesreid1

Metasploit framework info: http://docs.kali.org/general-use/starting-metasploit-framework-in-kali

Basics

Initializing DB

First, you want postgresql to run as a server: 

$ service postgresql start

This is the database format that MSF uses.

Now initialize the database: 

$ msfdb init

Running

To get a metasploit console, run 

$ msfconsole


Using

Example: Metasploitable

As an example of how we can use metasploit, we'll be looking at the Metasploitable virtual box.

Setting Up Metasploitable

Downloaded virtual disk image, loaded it up in a 64-bit Linux virtualbox instance.

The networking configuration was, I had the VirtualBox instance running on a Mac, and was attacking from a machine running Kali Linux. Both computers were on a private network and on the same subnet.

From VirtualBox, I created a bridged network adapter (meaning, VirtualBox can send/receive messages directly through that interface). Next, I flipped the switch on the VirtualBox, and away we went. The router automatically assigned an IP address to the Metasploitable VirtualBox.


Recon

Make a box for stuff: 

$ mkdir -p box/metasploitable

Start by using nmap to scan the host.

First a fast scan -F: 

$ nmap -F 10.0.0.*

Then we can do a more extensive scan: 

$ nmap -sS 10.0.0.*

This reveals the IP address of the VirtualBox, which is 10.0.0.27.

We can also do a deeper scan: 

$ nmap -sS -sV -A 10.0.0.27

This will reveal an array of services, at least one of which is bound to have a service wit an exploit in metasploit.

Sure enough, the verbose scan returns lots of good information: 

nmap -sS -sV -A 10.0.0.27

Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-22 18:30 PDT
Nmap scan report for 10.0.0.27
Host is up (0.016s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
|_ssl-date: 2016-03-23T01:31:31+00:00; +33s from scanner time.
53/tcp   open  domain      ISC BIND 9.4.2
| dns-nsid: 
|_  bind.version: 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      42810/tcp  mountd
|   100005  1,2,3      45599/udp  mountd
|   100021  1,3,4      34385/tcp  nlockmgr
|   100021  1,3,4      60702/udp  nlockmgr
|   100024  1          38085/udp  status
|_  100024  1          52004/tcp  status
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  tcpwrapped
1099/tcp open  java-rmi    Java RMI Registry
1524/tcp open  shell       Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info: 
|   Protocol: 53
|   Version: .0.51a-3ubuntu5
|   Thread ID: 8
|   Capabilities flags: 43564
|   Some Capabilities: Support41Auth, SupportsTransactions, Speaks41ProtocolNew, SwitchToSSLAfterHandshake, ConnectWithDatabase, LongColumnFlag, SupportsCompression
|   Status: Autocommit
|_  Salt: w$K,8vk7k8tagd@PR*zK
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
| vnc-info: 
|   Protocol version: 3.3
|   Security types: 
|_    Unknown security type (33554432)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         Unreal ircd
| irc-info: 
|   users: 1
|   servers: 1
|   lusers: 1
|   lservers: 0
|   server: irc.Metasploitable.LAN
|   version: Unreal3.2.8.1. irc.Metasploitable.LAN 
|   uptime: 0 days, 1:05:20
|   source ident: nmap
|   source host: 6D4CD63B.D3975B40.7B559A54.IP
|_  error: Closing Link: cxfhgnbdt[10.0.0.25] (Quit: cxfhgnbdt)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP
|_  System time: 2016-03-22T21:31:31-04:00

TRACEROUTE
HOP RTT      ADDRESS
1   16.11 ms 10.0.0.27

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.31 seconds




Defcon.png
Kali Linux
"The quieter you become, the more you are able to hear."

Penetration testing Linux distribution.


Kali  · Category:Kali

Kali/Wireless Reboot


Kali Software:

Kali Tools

Kali Top 10

Aircrack  · Wireshark  · John the Ripper  · Nmap  · Metasploit Framework

Dsniff  · Tcpdump  · Hydra  · Sqlmap  · Burpsuite  · Commix

Dirbuster  · Valgrind


Attack Workflow:

Kali/Workflow

1 Physical Attacks: Kali/Layer 1 Attacks

2 Data/MAC Attacks: Kali/Layer 2 Attacks

3 Network Attacks: Kali/Layer 3 Attacks

4 Transport Attacks: Kali/Layer 4 Attacks

5 Session Attacks: Kali/Layer 5 Attacks

6 Presentation Attacks: Kali/Layer 6 Attacks

7 Application Attacks: Kali/Layer 7 Attacks


Red Team Blue Team

Metasploitable - Red Team

Metasploitable - Blue Team


Networking:

Kali/Hotspot  · Kali/OpenVPN  · Kali/OpenVPN/Hotspot  · Kali/OpenVPN/PIA

Kali/IPv6


Booting:

Kali/Dual Boot OS X  · Kali/Live USB  · Kali/Persistent USB


Installing:

Kali/Installing  · Kali/Post Install  · Kali/Fixes


Kali on Raspberry Pi:

Kali Raspberry Pi  · Kali Raspberry Pi/Installing  · Kali Raspberry Pi/Headless  · Kali Raspberry Pi/Post-Install


Category:Security  · Category:Wireless  · Category:Passwords  · Category:Man in the Middle  · Category:Evil Twin

Flags  · Template:KaliFlag  · e




Retrieved from "https://charlesreid1.com/w/index.php?title=MSF&oldid=9596"