In this lab, we will revisit the module structure and functional analysis of Metasploit, and then focus on introducing scanners. You will learn how to develop your own Metasploit scanner.
This lab is a hands-on tutorial. To help you understand some operations, we will include some information security theory and recommend valuable articles for you to read, allowing you to solidify your theoretical foundation while practicing.
simple_tcp.rb FileFirst, let's review the structure of Metasploit.
Metasploit is designed with a modular concept to improve code reuse efficiency. The framework is developed in Ruby and includes components written in Perl, C, Assembly, and Python. It is primarily designed for Linux operating systems, so its command structure is very similar to a Linux command shell. However, it now supports all major operating systems, such as Windows, Solaris, and Mac.
+---------------+------------------+----------------------------------------------+
| English Name | Module Name | Description |
+---------------+------------------+----------------------------------------------+
| `Aux` | Auxiliary Module | Provides a wealth of auxiliary modules for |
| | | information gathering during penetration, |
| | | including scanning and fingerprinting |
| | | various network services, building fake |
| | | services to collect login credentials, |
| | | password guessing, etc. |
+---------------+------------------+----------------------------------------------+
| `Exploits` | Exploit Module | Code components that exploit discovered |
| | | security vulnerabilities or configuration |
| | | weaknesses to attack remote target systems, |
| | | plant and run payloads, and gain access |
| | | control over the target systems. |
+---------------+------------------+----------------------------------------------+
| `Post` | Post-Exploit | Supports various post-exploitation actions |
| | Module | on the controlled system after gaining |
| | | remote access control through exploitation, |
| | | such as obtaining sensitive information, |
| | | further pivoting, and launching pivot |
| | | attacks. |
+---------------+------------------+----------------------------------------------+
| `Payloads` | Payload Module | Payloads are code segments that run on the |
| | | target system after a successful |
| | | exploitation, typically to open a control |
| | | session connection for the attacker. |
+---------------+------------------+----------------------------------------------+
| `Encoders` | Encoder Module | After assembling the payload and NOP |
| | | instructions into an instruction sequence, |
| | | Metasploit needs to perform an important |
| | | encoding step before the exploit module |
| | | injects the malicious data buffer into the |
| | | target system for execution. |
+---------------+------------------+----------------------------------------------+
| `Nops` | NOP Module | NOP (No Operation) instructions are |
| | | operations or instructions that have no |
| | | substantial effect on the program's |
| | | execution state. |
+---------------+------------------+----------------------------------------------+Metasploit also integrates several vulnerability scanning components, such as:
Nmap scanner: Suitable for Windows, Linux, and Mac OS. Used for host discovery, port scanning or enumeration, service discovery, and detecting operating systems, hardware addresses, software versions, and vulnerabilities.
NeXpose scanner: Scans the network to find running devices, identify their operating systems and application vulnerabilities, analyze the scanned data, and generate vulnerability scan reports.
Nessus scanner: One of the most widely used vulnerability scanning tools. It adopts a client/server model, with the server performing security checks and the client configuring and managing the server. The server also uses a plugin system, allowing users to add plugins for specific functions and more complex security checks.
Now, we will create a new Metasploit scanner module called simple_tcp.rb.
sudo virsh start Metasploitable2ping 192.168.122.102Press Ctrl+C to stop the ping.
docker run -ti --network host b5b709a49cd5 bashping 192.168.122.102Press Ctrl+C to stop the ping.
scanner module directory:cd /usr/share/metasploit-framework/modules/auxiliary/scannersimple_tcp.rb:sudo vi simple_tcp.rbrequire 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'Mr_Zhou Scanner',
'Version' => '$Revision$',
'Description' => 'Shiyanlou TCP Scanner',
'Author' => 'lucat',
'License' => MSF_LICENSE
)
register_options(
[
Opt::RPORT(12345)
], self.class)
end
def run_host(ip)
connect()
sock.puts('HELLO SERVER')
data = sock.recv(1024)
print_status("Received: #{data} from #{ip}")
disconnect()
end
enddef initialize
super(
'Name' => 'Mr_Zhou Scanner',
'Version' => '$Revision$',
'Description' => 'Shiyanlou TCP Scanner',
'Author' => 'lucat',
'License' => MSF_LICENSE
)This section sets the metadata for the module, such as its name, description, author, and license.
register_options(
[
Opt::RPORT(12345)
], self.class)This line registers the option to scan port 12345.
def run_host(ip)
connect()
sock.puts('HELLO SERVER')
data = sock.recv(1024)
print_status("Received: #{data} from #{ip}")
disconnect()
endThis method is executed for each target IP address. It connects to the specified port, sends the string "HELLO SERVER", receives and prints any data from the server, and then disconnects.
Save the file and exit the editor.
To test our simple_tcp.rb scanner, we need to set up a listening server on the target machine.
On the LabEx host, open a new Xfce terminal and create a file called shiyanlou.txt:
vi shiyanlou.txtIn this file, enter any text you want. This text will be sent back to the scanner when it connects to the listening port. For example:
Life is short, i use Python.Save the file and exit the editor.
Next, start a listening server on port 12345 (the port our scanner is configured for) and send the contents of shiyanlou.txt to any clients that connect:
sudo nc -l 12345 < shiyanlou.txtThe server will now be listening on port 12345 and waiting for incoming connections.
simple_tcp ScannerNow that we have our simple_tcp scanner module and a listening server set up, let's run the scanner and see if it works.
First, start the Metasploit console in the Kali Linux container:
cd ~
sudo msfconsoleOnce the console is loaded, use our simple_tcp module:
use auxiliary/scanner/simple_tcpYou can view the module information with the info command:
infoHere's an example of the output you might see:
Name: Mr_Zhou Scanner
Description: Shiyanlou TCP Scanner
Author: lucat
License: Metasploit Framework License (BSD)
Version: $Revision$Next, set the target host IP address:
set RHOSTS 192.168.122.1Note: Use RHOSTS (with an 's'), not RHOST. You can check which option to use with the show options command.
Finally, run the scanner:
runIf everything is set up correctly, you should see the message from the listening server:
[+] Received: Life is short, i use Python. from 192.168.122.1If you didn't get that message, go back to your listening server and run sudo nc -l 12345 < shiyanlou.txt again.
Congratulations! You have successfully developed and tested your own Metasploit scanner module.
Press Ctrl+D to quit the Metasploit console then start the inspection
In this lab, you learned how to develop your own Metasploit scanner module. You reviewed the Metasploit module structure, created a new TCP scanner module called simple_tcp.rb, set up a listening server to test the scanner, and successfully ran the scanner to receive and display data from the server.
This hands-on experience with developing a Metasploit scanner will help you better understand the framework's capabilities and how to extend it with custom modules. You can use this knowledge to create more advanced scanners or other types of modules for various penetration testing tasks.