Metasploit Framework
H.D. Moore and a team created Metasploit to help build and use exploits. It works best on UNIX systems but can run on Windows with limits. Metasploit connects exploits, payloads, and targets, making it useful for attackers and security testers. It’s open-source, though other tools like Core Impact and Immunity CANVAS are also strong options.
Using Metasploit, the attacker picks an exploit and a payload for the target system. They add the target’s IP address, port, and other needed details. Metasploit then builds and sends the attack package, giving the attacker flexibility to launch it.
Metasploit has tools for scanning ports and checking if a target has vulnerabilities it can exploit. It also offers evasion options using encoding for exploits and payloads.
The Metasploit Arsenal
Metasploit is a tool with many exploits—small codes that make a victim system run the attacker's code. It supports over a thousand exploits for systems like Windows, macOS, and Linux. Metasploit also has payloads, which are codes attackers want to run on the target, like creating a command shell or controlling the system's GUI remotely. Users don't need to understand how it works—they just pick an exploit and payload, and the tool sends them to the target, where the exploit activates the attacker's code. This makes it easy for beginners to use.
Metasploit has auxiliary modules for scanning, DoS, and finding vulnerabilities, while post modules are used after exploiting a system to gather data or escalate privileges.
Metasploit includes tools to help developers create new exploits and payloads. These tools find vulnerabilities, locate memory regions for running code, and offer code samples for injecting payloads. They also reduce detection risks. Developers can easily swap payloads and exploits within the framework.
Metasploit User Interfaces
Metasploit offers different interfaces like console, command-line, web, and GUI (Armitage). Attackers pick an exploit to use. Some can check for vulnerabilities before attacking, while others directly run the attack.
The attacker sets the target's IP address and port. For payloads needing to talk back to the attacker, like a reverse shell, they add their system's address and port for listening. The attacker then picks a payload, usually a command shell or reverse shell. If no payload is available, they can choose a command to run on the target.
Once you set up everything, the attacker can start the exploit. We'll often use the search command in Metasploit. Let's dive into a Lightning Labs event to practice this command.
1) Start by listing the files in your home directory. Run ls.
2) The ls output reveals a file named INTEL.txt. Display the file contents with cat.
3) Next, start the Metasploit console by running msfconsole.
4) Metasploit has integrated help. Run help to get context-sensitive help.
5) You can also get help for a specific command. Type help search to get help for the search command.
The output from help search shows several command line arguments, keywords, and examples.
6) Issue a search to find any Metasploit modules that include the string cacti by running search cacti.
7) You can also filter the search results by adding a keyword:value pair. For example, you can limit the results to only display modules with a reliability rank of excellent by adding rank:excellent
8) You can load the exploit with the use command. Often we'll type use then the long exploit name, but after a search you can enter use N where N is the search result index number.
Load the cacti_unauthenticated_cmd_injection exploit with use 0.
8) When you load an exploit, the prompt changes to indicate the exploit name. From here you can run info to get basic information about the exploit. Run the info command to see.
9) Use the options command to see the available exploit options, and the values assigned.
10) The RHOSTS option is used to specify one or more systems to target with the exploit by name or IP address. Use the set command to set the RHOSTS option to the Cacti server at 10.20.20.38.
The RPORT option is used to set the port number on the target. Set the RPORT parameter to 80 for the Cacti target.
Run the options command again to check your work.
Here we see the RHOSTS and RPORT options are properly configured, but we need to set one more option.
11) The LHOST option is the attacker IP address. This option is used for any reverse TCP exploit, including the default Meterpreter payload for this exploit. Set the LHOST option to your attacking system at 10.20.20.4.
12) To deliver the exploit you can issue the exploit command. Alternatively, the run command will also work.
13) From the Meterpreter shell you can manipulate the victim system. Run the shell command to get shell access.
14) Cacti installs store passwords in the /var/www/html/include/config.php file. Use cat to get the contents of that file.
15) Here we learn the username and password for the database. Use those credentials with the mysql utility to retrieve the password information stored in the Cacti user_auth table.
Using the Metasploit console we can search for modules, sort and filter the results, and use an exploit to target a vulnerable system.
Exploits Currently Included Metasploit Framework
Metasploit has over 2,000 exploits and will likely add more as new vulnerabilities are found and code is developed. Exploits target things like browsers, PDF readers, UNIX services (e.g., Apache, SSH), and increasingly mobile devices (Android, iOS).
Metasploit exploits commonly take advantage of memory management vulnerabilities such as buffer overflows, heap overflows, and other related attacks. Other exploits gain remote code execution using system backdoors, platform feature manipulation, password reuse attacks, and more.
Payloads Included in Metasploit Framework
Metasploit payloads aim to work on different systems and fix any issues they cause, avoiding crashes or leftover problems.
The payloads available within the framework include:
Bind shell to arbitrary port: This starts a command shell listener on any TCP port the attacker picks.
Reverse shell: This sends a command shell back to the attacker on a TCP port, who will probably be listening with Netcat.
Windows VNC Server DLL Inject: This attack lets the hacker control the victim's screen remotely using VNC. The VNC tool is sent as a DLL and runs within the victim's process, so no installation is needed.
Create Local Admin user: This payload makes a new admin user with the name and password set by the attacker.
Meterpreter is a powerful Metasploit payload for Windows that gives attackers command-line access without creating new processes or touching the hard drive. It runs within the exploited process, operates purely in memory, uses its own commands, and can load new modules to change its functions dynamically.
The last two features are the most powerful. Instead of using hostname.exe, Meterpreter has a built-in module for system info. Attackers can add more modules to Meterpreter as needed, using the Meterpreter channel to control them.
Meterpreter Features
Here is a set of the features included with the Meterpreter:
Show system info, including the OS type and the user ID of the Meterpreter session.
Manage files and directories: navigate (cd), list files (ls), and upload/download files.
Work with the network to get configuration details and set up TCP port forwarding to bypass firewalls.
Manage processes by starting new programs, stopping processes, or listing those that are currently running.
To avoid detection by admins or security systems, Meterpreter encrypts its traffic with TLS on a port selected by the Metasploit user.
Attack Framework Defense: Preparation
Keep systems patched to avoid risks! New exploits can quickly emerge after a vulnerability is found, so it’s crucial to have a strong patching process to act fast. Threat intelligence feeds can give early warnings, but a solid patching routine is key. Also, use Endpoint Detection and Response (EDR) tools to spot and block attacks, adding an extra layer of protection.
In 2017, Microsoft improved Windows Defender for Endpoint on Windows 10, originally called Exploit Guard (EG). Now known as exploit protection, it includes extra security features like exploit prevention, system rules, network protection, and controlled access to important folders. For more details, visit Microsoft's website.
You can use application allow list software to run only approved apps. While it might not stop the exploit itself, it can prevent the payloads from running and quickly alert admins if an attack is blocked early.
For Linux systems, use SELinux on important servers (like web or mail servers). Check each distribution’s website for setup instructions (e.g., Debian or RedHat). Also, consider Linux AppArmor for added security, but ensure it's properly configured. More info on AppArmor can be found at its GitLab page.
Additional Defenses: Preparation
Filter all traffic in and out of your network to reduce risk. Use proxies for outbound traffic to control and monitor it. Since networks might already have compromised systems, it’s important to actively search for hidden attackers. Threat hunting involves using methods that bypass regular security to find attackers who might use similar tactics.
Conduct threat hunting analysis
Check for long URLs
Check for DNS entries that are on known offender lists
Check for beacon connections
Check for odd services and .exes
Finally, there is a great webcast on this topic for RITA at https://youtu.be/HRBDdnhPazk.
Lab 4.1: Metasploit Attack and Analysis
In this lab, we'll attack the Windows VM from the Linux VM. In doing so, we'll expose you to some of the features of Metasploit. You will learn what skillful attackers can do to a victim system. Additionally, you'll see that even advanced attackers will leave traces that skillful defenders can use to track what the adversary is doing.
Goals of Metasploit Lab
This lab has two goals:
Explore Metasploit tools and features, including msfconsole, psexec, Meterpreter payload, hashdump, and process migration.
Analyze the victim system during an attack, focusing on TCP ports, process activity, and event logs.
For this lab, we will use our Slingshot Linux VM to attack your Windows machine.
From the Slingshot Linux VM, let's launch msfconsole.
Next, let's examine the many Metasploit exploits available.
Metasploit has many exploits. We can use its search feature to find modules with specific keywords. At the msf6 > prompt, let's search for the psexec module by adding type:exploit to show only exploits.
Here we see many modules contain the string "psexec." To narrow down results, let's add more keywords. Use the help search command to see available search keywords.
We'll use exploit/windows/smb/psexec.
The output shows configuration options and comments about using the psexec module. This module is very useful in Metasploit because it lets you run code on a target with SYSTEM privileges using SMB and admin credentials. It's especially handy in fully patched Windows systems.
Next, let's configure Metasploit to launch the attack. Select the exploit/windows/smb/psexec module.
Metasploit uses the default payload windows/meterpreter/reverse_tcp, which we can check by running set PAYLOAD.
Let's run show options to see all variables for this exploit and payload.
In this lab, we'll attack the Windows VM at 10.10.0.1. Let's set the RHOSTS variable to this target.
The psexec module needs admin credentials from the target machine. It uses these to create and run a service with SYSTEM privileges. Set SMBUser and SMBPass to the admin user's details.
Note: The SMBPass variable might be set to the user's LANMAN instead of their real password. Metasploit can use this hash to log in with psexec on Windows without needing the actual password.
Let's set the LHOST variable to tell the Meterpreter reverse_tcp payload where to connect back. We want it to connect to the Linux VM.
We use the LPORT variable to set a TCP port for connections. We keep it at 4444 to easily spot the connection. A stealthy attacker might use port 443 to hide among HTTPS traffic.
Finally, let's review the options again to make sure we've set them all appropriately.
With everything set up, we can start the attack to load Meterpreter into the target machine's memory and have it connect back to us.
Look carefully at the status messages from Metasploit. We can see that it authenticates to the target machine and uploads the stager. The stager is the reverse_tcp part of the payload, which implements communication and the loading of the stage. The stage is Meterpreter itself.
Once the stager is active on the target, it sends the Meterpreter stage and connects back to msfconsole, giving us access to the Meterpreter prompt. We now control the target machine with Meterpreter: meterpreter >
Once we have the meterpreter prompt, we can manage sessions using msfconsole. First, let's use the background command to move the Meterpreter session to the background and return to the msfconsole prompt.
Metasploit allows us to have multiple sessions with different target machines. To see all open sessions, let's use the sessions command.
Each session has a number starting from 1 for the first one Metasploit opens. To go back to a session and interact with it, let's use the sessions command and specify the session number (e.g., 1).
Now let's get information about the host itself.
In this output, we can see the host's name (Computer), the operating system type, the CPU architecture, and the language pack installed.
To get more info, let's use the built-in systeminfo command with Meterpreter:
-i: Lets us interact with the process to see the command's output.-f systeminfo: Specifies the command to run.
We've run the systeminfo command on Windows without any extra options to get detailed information about the system, like the OS name, product ID, and install date.
Next, let's check the current user ID by running the getuid command, like this:
We used the psexec tool with admin credentials to get local SYSTEM access on the target.
We can get a list of running processes on the Windows victim using the ps command.
We can find our Process ID using the getpid command, like this.
To access help in Meterpreter, we can use the help command or type a question mark.
When Meterpreter has SYSTEM or admin rights, we can use it to get password hashes from the target. We can dump them from memory with the Meterpreter hashdump command.
When Meterpreter has SYSTEM or admin rights, we can use it to get password hashes from the target. We can dump them from memory with the Meterpreter hashdump command.
On many Windows versions, this command doesn't work because Microsoft made it harder to get hashes from memory. But with SYSTEM privileges, we can bypass this restriction. There's another way to avoid Windows 10 defenses, but we need to check the migrate feature first.
Meterpreter can move to different processes to avoid detection or gain more system privileges. For instance, if a Metasploit attack needs Meterpreter to match the system's CPU architecture, and the current process (like powershell.exe) doesn't match, we can migrate to another process (such as vmtoolsd.exe) with the correct architecture using the migrate command.
Note: Experienced Metasploit users know that the Meterpreter session often fails during the migrate command. If migrate fails, type exit to leave the session. Restart the exploit from the msf6 prompt and try migrate again. Sometimes, you might need to try different processes like VGAuthService.exe, openvpnserv.exe, or SearchIndexer.exe. If migrate still fails, reboot your Windows VM.
Let's run sysinfo and getpid commands again to check for changes in the new session, noting the new Meterpreter platform (x64/windows) and process ID.
The hashdump command didn't work because Windows has stronger protections against extracting password hashes. However, attackers can still try to exploit the LSASS process permissions to get the hashes.
The Local Security Authority Subsystem Service (LSASS) is a Windows service that manages security tasks. If hashdump fails because of permission issues, we can move into the LSASS process to get around this restriction.
Let's migrate to the lsass.exe process.
Next, let's run the hashdump command again:
The Administrator, DefaultAccount, and Guest accounts have empty password hashes because they are disabled. The Sec504 user and WDAGUtilityAccount accounts have non-empty NTLM hashes.
If there were several users with passwords, we'd get all the password hashes. But the attacker wouldn't stop there. Next, we'll explore ways to run commands on the Windows system and gain extra access.
Let's check the Windows events recorded when using Metasploit's psexec module. On our Windows VM, let's switch to the C:\Tools\hayabusa directory.
Next, let's run Hayabusa, specifying the local system logs for analysis.
Hayabusa finds signs of an attack but wrongly blames Cobalt Strike. This mistake is understandable because the technique used is similar to one used by Cobalt Strike.
In PowerShell, we can use the Import-Csv command to read a CSV file and create a timeline. Let's filter the results to show only critical and high-risk alerts with the Where-Object command and -CIn (contains) filter.
This lab clarified the features of Metasploit, a crucial tool for both defenders and attackers. It helps them simulate real-world attacks effectively.
Bonus: Examine DLL Information
Let's repeat the lab exercise, examining the DLL changes with the Notepad process before and after the migrate command.
First let's start Notepad on windows.
Let's exit the current meterpreter session and exploit the target again.
Next, let's create a file with the list of DLLs open for the Notepad process.
Now, let's try to migrate to notepad.exe from our meterpreter session.
Let's return to PowerShell again and create a new list of DLLs open for the Notepad process.
Now, let's compare the two files.
Several extra DLLs load into the Notepad process after the Meterpreter migrate command. While these DLLs aren’t harmful, they are unusual for most Windows processes, helping us spot potential signs of an attacker using Meterpreter C2 on our systems.
Last updated
