Metasploit Fundamentals – with an exploitation example


Metasploit is a large security project that collects information about security vulnerabilities, which helps a lot in penetration testing and in developing intrusion-detection signatures. Metasploit also helps in developing and executing exploit code against remote targets. Below is a brief, basic tutorial explaining how to use Metasploit.

Searching for Vulnerabilities using Nessus Vulnerability Scanner

Scanning the victim machine with the Nessus vulnerability scanner reports many vulnerabilities. In this example we'll compromise the victim machine by taking advantage of a very critical Windows RPC vulnerability, MS08-067 (CVE-2008-4250). This vulnerability allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow.

Figure: Nessus result showing a critical Windows RPC vulnerability

Starting Metasploit

The next steps explain in detail how we can take advantage of the discovered vulnerability (CVE-2008-4250 in this example) using the great tool Metasploit. As mentioned before, Metasploit can operate in several modes; in this example we'll use the console mode. In the Linux shell just type msfconsole.

Figure: Metasploit welcome screen

If you only have a general idea of what you are looking for, you can search for any string and Metasploit will look for that string in the module names, descriptions, etc. You can refine your search using the built-in keyword system (for example: search cve:2009 type:exploit app:client). For more details type help search, as shown below:
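To make the search semantics concrete, here is a small added example (not Metasploit's own code) that mimics the behaviour described above over a constructed in-memory module catalogue: bare words are matched against the module name, description and references, while key:value tokens (cve:, type:, app:, name:) restrict a single field. The catalogue entries other than ms08_067_netapi are constructed placeholders, and the supported keyword set is an assumption chosen for the example.

```python
"""Toy implementation of the keyword-refined module search described in the
tutorial. Added example, not Metasploit's own code. The catalogue below is
constructed sample data; only exploit/windows/smb/ms08_067_netapi and its
CVE-2008-4250 / MS08-067 references are taken from the tutorial."""
from dataclasses import dataclass, field


@dataclass
class Module:
    name: str
    type: str                 # exploit, auxiliary, post, ...
    description: str
    refs: list = field(default_factory=list)   # e.g. "CVE-2008-4250", "MSB-MS08-067"
    app: str = ""             # "client" or "server"


# Constructed catalogue; "EXAMPLE" CVE suffixes are placeholders, not real ids.
CATALOGUE = [
    Module("exploit/windows/smb/ms08_067_netapi", "exploit",
           "MS08-067 Microsoft Server Service Relative Path Stack Corruption",
           ["CVE-2008-4250", "MSB-MS08-067"], "server"),
    Module("exploit/example/client_2009_a", "exploit",
           "Hypothetical client-side browser bug (constructed)",
           ["CVE-2009-EXAMPLE1"], "client"),
    Module("auxiliary/example/scanner_2009", "auxiliary",
           "Hypothetical version scanner (constructed)",
           ["CVE-2009-EXAMPLE2"], "server"),
    Module("exploit/example/server_2009", "exploit",
           "Hypothetical server-side bug (constructed)",
           ["CVE-2009-EXAMPLE3"], "server"),
]


def _keyword_match(mod: Module, key: str, value: str) -> bool:
    """Apply one key:value refinement to a module (keyword set is an assumption)."""
    v = value.lower()
    if key == "cve":
        # "cve:2009" matches any CVE-2009-* reference; "cve:2008-4250" is exact.
        return any(r.lower().startswith("cve-" + v) for r in mod.refs)
    if key == "type":
        return mod.type.lower() == v
    if key == "app":
        return mod.app.lower() == v
    if key == "name":
        return v in mod.name.lower()
    raise ValueError(f"unknown search keyword: {key}")


def search(query: str) -> list:
    """Return the names of catalogue modules matching every token of the query."""
    results = []
    for mod in CATALOGUE:
        ok = True
        for token in query.split():
            if ":" in token:
                key, _, value = token.partition(":")
                ok = _keyword_match(mod, key.lower(), value)
            else:
                # Free text is matched case-insensitively against name,
                # description and references, so "ms08-067" also works.
                haystack = " ".join([mod.name, mod.description, *mod.refs]).lower()
                ok = token.lower() in haystack
            if not ok:
                break
        if ok:
            results.append(mod.name)
    return results


if __name__ == "__main__":
    for q in ("cve:2008-4250", "ms08-067", "cve:2009 type:exploit app:client"):
        print(f"{q!r:40} -> {search(q)}")
```

Every token must match for a module to be returned, which is why adding type:exploit and app:client to cve:2009 narrows the three 2009 placeholders down to the single client-side one.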

Figure: output of help search

Searching for exploits

In our case we will search by the vulnerability's CVE id; each discovered vulnerability has a common identifier of the form CVE-YYYY-NNNN:

Figure: searching for an exploit by CVE number

Or you can search by the Microsoft security bulletin id of the vulnerability (MS08-067; this only applies to vulnerabilities that affect Microsoft systems), as follows:

Figure: searching for an exploit by Microsoft security bulletin number

Calling an Exploit

When you find the exploit module in the search results, you can select it with the use command, as shown below. All of the exploit's options, including the required fields, are displayed by the show options command.

Figure: selecting a specific exploit module

For more details about the exploit, the info command can be used as follows:

Figure: info output for the exploit

The following shows how to set the IP address of your victim system with the set RHOST command:

Figure: assigning the victim IP

Calling a payload

A payload is selected with the set payload command, as follows:

Figure: selecting a payload

Some payloads require a local host IP (LHOST). For the payload used in this example the default local port is 4444; you may change it if you want with the set LPORT command.

Note: make sure the firewall allows inbound traffic to the local host IP and port you use.

Figure: setting the local host IP used by the payload

Reviewing the exploit and the payload parameters

You can review all the options again with the show options command, as follows:

Figure: show options output

Executing the exploit

Yes, this is the step where your heart rate goes up 😉 Run the exploit with the exploit command.

Figure: FIRING the exploit!!

As seen in the last screenshot, the exploit executed successfully and a Meterpreter backdoor session to the victim was opened. If there are multiple attacks against multiple victims, the sessions -l command lists all currently open sessions and sessions -i <id> interacts with one of them.
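From the defender's side, the session just described leaves a recognisable pattern on the network: an inbound connection to the vulnerable Server service, followed shortly afterwards by the victim connecting back to the attacker's listener on LPORT. The following added example (not part of the original tutorial) correlates those two events over a few constructed firewall log lines. The log format, the addresses and the 120-second window are assumptions made for the example; 445/139 as the SMB ports serving MS08-067 and 4444 as the payload's default LPORT are the only values taken from the tutorial and the vulnerability itself.

```python
"""Correlate an inbound SMB connection with a follow-up outbound connection to
the Meterpreter default listener port. Added detection example, not part of
the original tutorial. Log format, IPs and the time window are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<iso-timestamp> <action> TCP <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(\S+) (ALLOW|DENY) TCP (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)
SMB_PORTS = {445, 139}          # Server service / SMB, where MS08-067 lives
DEFAULT_LPORT = 4444            # default LPORT of the payload used in the tutorial
WINDOW = timedelta(seconds=120) # assumed maximum delay between exploit and callback

# Constructed sample log: host .20 is exploited and calls back within seconds;
# host .30 sees an SMB connection and a much later, unrelated-looking 4444 flow.
SAMPLE_LOG = """\
2024-03-01T10:00:01 ALLOW TCP 203.0.113.5:51234 -> 192.168.1.20:445
2024-03-01T10:00:02 ALLOW TCP 192.168.1.20:49152 -> 203.0.113.5:4444
2024-03-01T10:05:00 ALLOW TCP 192.168.1.30:49201 -> 198.51.100.7:443
2024-03-01T10:06:00 ALLOW TCP 203.0.113.9:40000 -> 192.168.1.30:445
2024-03-01T11:00:00 ALLOW TCP 192.168.1.30:49300 -> 203.0.113.9:4444
"""


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, action, src, sport, dst, dport = m.groups()
    return {"ts": datetime.fromisoformat(ts), "action": action,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}


def correlate(log_text: str, window: timedelta = WINDOW) -> list:
    """Return alerts for every (victim, attacker) pair where the attacker
    connected to the victim's SMB port and the victim connected back to the
    attacker on DEFAULT_LPORT within `window`."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    smb_seen = defaultdict(list)   # (victim, attacker) -> [timestamps of inbound SMB]
    alerts = []
    for e in events:
        if e["action"] != "ALLOW":
            continue
        if e["dport"] in SMB_PORTS:
            smb_seen[(e["dst"], e["src"])].append(e["ts"])
        elif e["dport"] == DEFAULT_LPORT:
            # Here e["src"] is the victim calling back to e["dst"], the attacker.
            for t in smb_seen.get((e["src"], e["dst"]), []):
                if timedelta(0) <= e["ts"] - t <= window:
                    alerts.append({"victim": e["src"], "attacker": e["dst"],
                                   "smb_at": t, "callback_at": e["ts"]})
                    break
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(f"ALERT possible MS08-067 exploitation: {a['attacker']} -> "
              f"{a['victim']} SMB at {a['smb_at']}, callback on {DEFAULT_LPORT} "
              f"at {a['callback_at']}")
```

The correlation deliberately keys on the attacker/victim pair rather than on port 4444 alone: the tutorial itself notes that LPORT is configurable, so a rule that only watches for outbound 4444 is both noisy and trivially bypassed, whereas an inbound SMB connection followed by any new outbound connection back to the same external host is a much stronger signal. Extending the second condition from DEFAULT_LPORT to "any port not previously seen for that pair" is the natural next step.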

Inside the infected system

Meterpreter provides a whole new environment; for more details, the help command inside the Meterpreter session will assist a lot.

Figure: Meterpreter help output

To learn more about the attacked victim machine, the sysinfo command may be used:

Figure: sysinfo output from Meterpreter

You can grab the password hashes of the accounts on the system with the hashdump command inside the Meterpreter session.

Figure: dumping the hashes

Defensive actions security professionals should take

  • Admins should follow vulnerability and bug announcements and newsletters, and patch their systems as soon as a vulnerability has been disclosed and the patch has been validated on equivalent test systems.
  • Vulnerability assessment and penetration testing should be performed at intervals defined by the security standard or compliance regime the company follows.
