MSF
From charlesreid1
Metasploit framework info: http://docs.kali.org/general-use/starting-metasploit-framework-in-kali
Basics
Initializing DB
First, you want postgresql to run as a server:
$ service postgresql start
This is the database format that MSF uses.
Now initialize the database:
$ msfdb init
Running
To get a metasploit console, run
$ msfconsole
Capturing Metasploit Console Output
If you want to capture the output you're seeing in Metasploit framework console, you can use the spool command.
spool /root/box/metasploitable/metasploit.log
If the spool command is not accessible, use the msfupdate command.
msf > spool /root/box/metasploitable/metasploit.log [*] Spooling to file /root/box/metasploitable/metasploit.log... msf >
To stop recording, set spool to off:
msf > spool off [*] Spooling is now disable msf >
Advanced
Creating Workspace
You can create a workspace to save scan information:
msf > db_status
[*] postgresql connected to msf
msf > workspace
* default
msf > workspace metasploitable
[-] Workspace not found: metasploitable
msf > workspace -a metasploitable
[*] Added workspace: metasploitable
msf > workspace
default
* metasploitable
msf > workspace -h
Usage:
workspace List workspaces
workspace [name] Switch workspace
workspace -a [name] ... Add workspace(s)
workspace -d [name] ... Delete workspace(s)
workspace -D Delete all workspaces
workspace -r <old> <new> Rename workspace
workspace -h Show this help information
msf >
Nmap Scan Into Workspace
Use db_nmap instead of nmap to store info in database:
msf > db_nmap -A -O -sS -sV 10.0.0.27 [*] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-26 02:54 PDT [*] Nmap: Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn [*] Nmap: Nmap done: 1 IP address (0 hosts up) scanned in 1.68 seconds msf > db_nmap -A -O -sS -sV 10.0.0.27 [*] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-26 02:55 PDT [*] Nmap: Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn [*] Nmap: Nmap done: 1 IP address (0 hosts up) scanned in 1.67 seconds msf > db_nmap -A -O -sS -sV 10.0.0.27 [*] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-26 02:55 PDT [*] Nmap: Nmap scan report for 10.0.0.27 [*] Nmap: Host is up (0.0015s latency). [*] Nmap: Not shown: 977 closed ports [*] Nmap: PORT STATE SERVICE VERSION [*] Nmap: 21/tcp open ftp vsftpd 2.3.4 [*] Nmap: |_ftp-anon: Anonymous FTP login allowed (FTP code 230) [*] Nmap: 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) [*] Nmap: | ssh-hostkey: [*] Nmap: | 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA) [*] Nmap: |_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA) [*] Nmap: 23/tcp open telnet Linux telnetd [*] Nmap: 25/tcp open smtp Postfix smtpd [*] Nmap: |_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, [*] Nmap: | ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX [*] Nmap: | Not valid before: 2010-03-17T14:07:45 [*] Nmap: |_Not valid after: 2010-04-16T14:07:45 [*] Nmap: |_ssl-date: 2016-03-25T23:42:57+00:00; -10h12m30s from scanner time. [*] Nmap: 53/tcp open domain ISC BIND 9.4.2 [*] Nmap: | dns-nsid: [*] Nmap: |_ bind.version: 9.4.2 [*] Nmap: 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2) [*] Nmap: |_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2 [*] Nmap: |_http-title: Metasploitable2 - Linux [*] Nmap: 111/tcp open rpcbind 2 (RPC #100000) [*] Nmap: | rpcinfo: [*] Nmap: | program version port/proto service [*] Nmap: | 100000 2 111/tcp rpcbind [*] Nmap: | 100000 2 111/udp rpcbind [*] Nmap: | 100003 2,3,4 2049/tcp nfs [*] Nmap: | 100003 2,3,4 2049/udp nfs [*] Nmap: | 100005 1,2,3 42714/tcp mountd [*] Nmap: | 100005 1,2,3 46675/udp mountd [*] Nmap: | 100021 1,3,4 33001/tcp nlockmgr [*] Nmap: | 100021 1,3,4 58755/udp nlockmgr [*] Nmap: | 100024 1 35518/udp status [*] Nmap: |_ 100024 1 46140/tcp status [*] Nmap: 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP) [*] Nmap: 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP) [*] Nmap: 512/tcp open exec netkit-rsh rexecd [*] Nmap: 513/tcp open login? [*] Nmap: 514/tcp open tcpwrapped [*] Nmap: 1099/tcp open java-rmi Java RMI Registry [*] Nmap: 1524/tcp open shell Metasploitable root shell [*] Nmap: 2049/tcp open nfs 2-4 (RPC #100003) [*] Nmap: 2121/tcp open ftp ProFTPD 1.3.1 [*] Nmap: 3306/tcp open mysql MySQL 5.0.51a-3ubuntu5 [*] Nmap: | mysql-info: [*] Nmap: | Protocol: 53 [*] Nmap: | Version: .0.51a-3ubuntu5 [*] Nmap: | Thread ID: 10 [*] Nmap: | Capabilities flags: 43564 [*] Nmap: | Some Capabilities: Speaks41ProtocolNew, Support41Auth, SupportsTransactions, SwitchToSSLAfterHandshake, LongColumnFlag, SupportsCompression, ConnectWithDatabase [*] Nmap: | Status: Autocommit [*] Nmap: |_ Salt: [k*.G\v`^63:h~cRR'eM [*] Nmap: 5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7 [*] Nmap: 5900/tcp open vnc VNC (protocol 3.3) [*] Nmap: | vnc-info: [*] Nmap: | Protocol version: 3.3 [*] Nmap: | Security types: [*] Nmap: |_ Unknown security type (33554432) [*] Nmap: 6000/tcp open X11 (access denied) [*] Nmap: 6667/tcp open irc Unreal ircd [*] Nmap: 8009/tcp open ajp13 Apache Jserv (Protocol v1.3) [*] Nmap: |_ajp-methods: Failed to get a valid response for the OPTION request [*] Nmap: 8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1 [*] Nmap: |_http-favicon: Apache Tomcat [*] Nmap: |_http-server-header: Apache-Coyote/1.1 [*] Nmap: |_http-title: Apache Tomcat/5.5 [*] Nmap: MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC) [*] Nmap: Device type: general purpose [*] Nmap: Running: Linux 2.6.X [*] Nmap: OS CPE: cpe:/o:linux:linux_kernel:2.6 [*] Nmap: OS details: Linux 2.6.9 - 2.6.33 [*] Nmap: Network Distance: 1 hop [*] Nmap: Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel [*] Nmap: Host script results: [*] Nmap: |_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown) [*] Nmap: | smb-os-discovery: [*] Nmap: | OS: Unix (Samba 3.0.20-Debian) [*] Nmap: | NetBIOS computer name: [*] Nmap: | Workgroup: WORKGROUP [*] Nmap: |_ System time: 2016-03-25T19:42:53-04:00 [*] Nmap: TRACEROUTE [*] Nmap: HOP RTT ADDRESS [*] Nmap: 1 1.47 ms 10.0.0.27 [*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . [*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 78.16 seconds
This information will be imported and parsed accordingly:
msf > hosts Hosts ===== address mac name os_name os_flavor os_sp purpose info comments ------- --- ---- ------- --------- ----- ------- ---- -------- 10.0.0.27 08:00:27:47:98:ad Linux 2.6.X server msf >
Back Up Workspace
To back up a workspace, use db_export:
msf > db_export -h
dUsage:
db_export -f <format> [filename]
Format can be one of: xml, pwdump
[-] No output file was specified
msf > db_export -f xml /root/metasploitable.xml
[*] Starting export of workspace metasploitable to /root/metasploitable.xml [ xml ]...
[*] >> Starting export of report
[*] >> Starting export of hosts
[*] >> Starting export of events
[*] >> Starting export of services
[*] >> Starting export of web sites
[*] >> Starting export of web pages
[*] >> Starting export of web forms
[*] >> Starting export of web vulns
[*] >> Starting export of module details
[*] >> Finished export of report
[*] Finished export of workspace metasploitable to /root/metasploitable.xml [ xml ]...
msf >
Usage Example: Metasploitable Virtual Box
Main page for Metasploitable virtual box: Metasploitable
As an example of how we can use metasploit, we'll be looking at the Metasploitable virtual box.
Setting Up Metasploitable
Downloaded virtual disk image, loaded it up in a 64-bit Linux virtualbox instance.
The networking configuration was, I had the VirtualBox instance running on a Mac, and was attacking from a machine running Kali Linux. Both computers were on a private network and o n the same subnet.
From VirtualBox, I created a bridged network adapter (meaning, VirtualBox can send/receive messages directly through that interface). Next, I flipped the switch on the VirtualBox, and away we went. The router automatically assigned an IP address to the Metasploitable VirtualBox.
Recon
Let's take a few first steps in Metasploit, using the Metasploitable virtual box.
Make a record-keeping box for stuff:
$ mkdir -p box/metasploitable
Start by using nmap to scan the host.
First a fast scan -F:
$ nmap -F 10.0.0.*
Then we can do a more extensive scan:
$ nmap -sS 10.0.0.*
This reveals the IP address of the VirtualBox, which is 10.0.0.27.
We can also do a deeper scan:
$ nmap -sS -sV -A 10.0.0.27
This will reveal an array of services, some of which may be exploitable using metasploit.
Sure enough, the verbose scan returns lots of good information:
$ nmap -sS -sV -A 10.0.0.27 Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-22 18:30 PDT Nmap scan report for 10.0.0.27 Host is up (0.016s latency). Not shown: 977 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 2.3.4 |_ftp-anon: Anonymous FTP login allowed (FTP code 230) 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) | ssh-hostkey: | 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA) |_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA) 23/tcp open telnet Linux telnetd 25/tcp open smtp Postfix smtpd |_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, | ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX | Not valid before: 2010-03-17T14:07:45 |_Not valid after: 2010-04-16T14:07:45 |_ssl-date: 2016-03-23T01:31:31+00:00; +33s from scanner time. 53/tcp open domain ISC BIND 9.4.2 | dns-nsid: |_ bind.version: 9.4.2 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2) |_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2 |_http-title: Metasploitable2 - Linux 111/tcp open rpcbind 2 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2 111/tcp rpcbind | 100000 2 111/udp rpcbind | 100003 2,3,4 2049/tcp nfs | 100003 2,3,4 2049/udp nfs | 100005 1,2,3 42810/tcp mountd | 100005 1,2,3 45599/udp mountd | 100021 1,3,4 34385/tcp nlockmgr | 100021 1,3,4 60702/udp nlockmgr | 100024 1 38085/udp status |_ 100024 1 52004/tcp status 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP) 512/tcp open exec netkit-rsh rexecd 513/tcp open login? 514/tcp open tcpwrapped 1099/tcp open java-rmi Java RMI Registry 1524/tcp open shell Metasploitable root shell 2049/tcp open nfs 2-4 (RPC #100003) 2121/tcp open ftp ProFTPD 1.3.1 3306/tcp open mysql MySQL 5.0.51a-3ubuntu5 | mysql-info: | Protocol: 53 | Version: .0.51a-3ubuntu5 | Thread ID: 8 | Capabilities flags: 43564 | Some Capabilities: Support41Auth, SupportsTransactions, Speaks41ProtocolNew, SwitchToSSLAfterHandshake, ConnectWithDatabase, LongColumnFlag, SupportsCompression | Status: Autocommit |_ Salt: w$K,8vk7k8tagd@PR*zK 5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7 5900/tcp open vnc VNC (protocol 3.3) | vnc-info: | Protocol version: 3.3 | Security types: |_ Unknown security type (33554432) 6000/tcp open X11 (access denied) 6667/tcp open irc Unreal ircd | irc-info: | users: 1 | servers: 1 | lusers: 1 | lservers: 0 | server: irc.Metasploitable.LAN | version: Unreal3.2.8.1. irc.Metasploitable.LAN | uptime: 0 days, 1:05:20 | source ident: nmap | source host: 6D4CD63B.D3975B40.7B559A54.IP |_ error: Closing Link: cxfhgnbdt[10.0.0.25] (Quit: cxfhgnbdt) 8009/tcp open ajp13 Apache Jserv (Protocol v1.3) |_ajp-methods: Failed to get a valid response for the OPTION request 8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1 |_http-favicon: Apache Tomcat |_http-server-header: Apache-Coyote/1.1 |_http-title: Apache Tomcat/5.5 MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC) Device type: general purpose Running: Linux 2.6.X OS CPE: cpe:/o:linux:linux_kernel:2.6 OS details: Linux 2.6.9 - 2.6.33 Network Distance: 1 hop Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown) | smb-os-discovery: | OS: Unix (Samba 3.0.20-Debian) | NetBIOS computer name: | Workgroup: WORKGROUP |_ System time: 2016-03-22T21:31:31-04:00 TRACEROUTE HOP RTT ADDRESS 1 16.11 ms 10.0.0.27 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 27.31 seconds
MySQL
Let's focus on the MySQL service:
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5 | mysql-info: | Protocol: 53 | Version: .0.51a-3ubuntu5 | Thread ID: 8 | Capabilities flags: 43564 | Some Capabilities: Support41Auth, SupportsTransactions, Speaks41ProtocolNew, SwitchToSSLAfterHandshake, ConnectWithDatabase, LongColumnFlag, SupportsCompression | Status: Autocommit |_ Salt: w$K,8vk7k8tagd@PR*zK
We can brute-force MySQL, then use it to access files on the remote machine.
More info at Metasploitable/MySQL.
Wrapping Up and Moving On
After the nmap scan of the Metasploitable virtual box, we saw many services running, exposing this server's soft underbelly.
We began with MySQL. We were able to use Metasploit to brute-force the MySQL login. This was pretty trivial, since the password was blank.
Now that we've compromised the MySQL database, we've seen that there are several web services running - two instances of TikiWiki, an instance of Damn Vulnerable Web App, and information from/about owasp. The MySQL database gave us plenty of new attack vectors to dive into.
Flags
 |
Metasploit any and all resources related to metasploit on this wiki
Category:Metasploit - pages labeled with the "Metasploit" category label MSF/Wordlists - wordlists that come bundled with Metasploit MSFVenom - msfvenom is used to craft payloads Meterpreter - the shell you'll have when you use MSF to craft a remote shell payload.
Category:Security · Category:Metasploit · Category:Kali
|
|
Metasploitable: The Red Team Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the RED TEAM's tools and routes of attack.
Exploiting MySQL with Metasploit: Metasploitable/MySQL Exploiting PostgreSQL with Metasploit: Metasploitable/Postgres
Exploiting VSFTP Backdoor: Metasploitable/VSFTP SSH Penetration by Brute Force: Metasploitable/SSH/Brute Force SSH Penetration with Keys: Metasploitable/SSH/Keys SSH Penetration with Metasploit: Metasploitable/SSH/Exploits Brute-Forcing Exploiting NFS: Metasploitable/NFS Exploiting DNS Bind Server: Metasploitable/DNS Bind
Metasploitable Services: distcc: Metasploitable/distcc
Metasploitable Apache: Exploiting Apache (with Metasploit): Metasploitable/Apache Exploiting Apache (with Python): Metasploitable/Apache/Python Tor's Hammer DoS Attack: Metasploitable/TorsHammer * Apache DAV: Metasploitable/Apache/DAV * Apache Tomcat and Coyote: Metasploitable/Apache/Tomcat and Coyote
Metasploitable Memory: General approach to memory-based attacks: Metasploitable/Memory Investigating memory data: Metasploitable/Volatile Data Investigation Dumping Memory from Metasploit: Metasploitable/Dumping Memory
Metasploitable Fuzzing: (Have not done much work on fuzzing Metasploitable...)
Category:Security · Category:Metasploit · Category:Metasploitable · Category:Kali
|
|
Metasploitablue: The Blue Team Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the BLUE TEAM's methods for defending Metasploitable: defending against and responding to intrusions.
Hence the name, Metasploita-blue. Overview: Metasploitable/Defenses Metasploitable/Defenses/Stopping · Metasploitable/Defenses/Detecting
Metasploitable On-Machine Defenses: Linux Volatile Data System Investigation: Metasploitable/Volatile Data Investigation Linux Artifact Investigation: Metasploitable/Artifact Investigation Linux Iptables Essentials: Metasploitable/Iptables Firewall Assurance and Testing: Metasploitable/Firewall Password Assessment: Metasploitable/Password Assessment Standard Unix Ports: Unix/Ports
Netcat and Cryptcat (Blue Team): Metasploitable/Netcat and Metasploitable/Cryptcat Nmap (Blue Team): Metasploitable/Nmap Network Traffic Analysis: Metasploitable/Network Traffic Analysis Suspicious Traffic Patterns: Metasploitable/Suspicious Traffic Patterns Snort IDS: Metasploitable/Snort
|