Metasploit is a large security project that provides information about security vulnerabilities, which helps a lot in penetration testing and in developing intrusion detection signatures. Metasploit also helps in developing and executing exploit code against remote targets. Below is a brief, basic tutorial explaining how to use Metasploit.
Searching for Vulnerabilities using Nessus Vulnerability Scanner
Scanning the victim machine with the Nessus vulnerability scanner reveals many vulnerabilities. In this example we'll compromise the victim machine by taking advantage of a very critical Windows RPC vulnerability, MS08-067 (CVE-2008-4250). This vulnerability allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow.
In the next steps, more details will be given on how to take advantage of the discovered vulnerability (CVE-2008-4250 in this example) using the great tool Metasploit. As mentioned before, Metasploit can function in several modes; in this example we'll use the console mode. In the Linux shell, just type msfconsole.
If you have a general idea of what you are looking for, you can search for any string and Metasploit will locate it in the module names, descriptions, etc. You can refine your search using the built-in keyword system (e.g. search cve:2009 type:exploit app:client). For more details type help search, as follows:
Searching for exploits
In our case we will search by the vulnerability's CVE id; each discovered vulnerability has a common identifier of the form CVE-xxxx-yyyy:
Or you can search by the Microsoft security bulletin id of the vulnerability (MS08-067); this only works for vulnerabilities that affect Microsoft systems. For example:
Calling an Exploit
When you find the exploit module in the search results, you can select it with the use command, as follows. All of the exploit's options and required fields are shown by the show options command.
For more info about the exploit, the info command can be used as follows:
The following shows how to set the IP address of your victim system using the set RHOST command:
Calling a payload
Calling a payload is done as follows, using the set payload command:
Setting a local host IP is required by some payloads. For the payload used in this example the default local port is 4444; you may change it if you want with the set LPORT command.
Note: make sure that the firewall allows inbound traffic to the local host IP and port you used.
Reviewing the exploit and the payload parameters
You can review all the options again by using the show options command, as follows:
Executing the exploit
Yes, this is the step where your heart rate is going to increase 😉 Execute the exploit using the exploit command.
As seen in the last screenshot, the exploit was executed successfully and Meterpreter has opened a backdoor session to the victim. If there are multiple attacks against multiple victims, the sessions command lists all currently open sessions, and sessions -i <id> switches into one of them.
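The session just described is a reverse connection from the victim back to the handler on LPORT 4444 (the default noted earlier), which gives defenders something to look for. The following added example, not part of the original post, flags hosts in a constructed firewall log that receive SMB traffic on port 445 (the transport for the MS08-067 RPC call) and then open an outbound connection to port 4444 within a short window; the log format, the window length and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall/flow log (sample data, not from the original post).
# Format: "<ISO timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <action>"
SAMPLE_LOG = """\
2009-03-01T10:00:01 10.0.0.5:49152 -> 10.0.0.20:445 TCP ALLOW
2009-03-01T10:00:02 10.0.0.5:49153 -> 10.0.0.20:445 TCP ALLOW
2009-03-01T10:00:04 10.0.0.20:1034 -> 10.0.0.5:4444 TCP ALLOW
2009-03-01T10:05:00 10.0.0.7:50000 -> 10.0.0.21:445 TCP ALLOW
2009-03-01T11:00:00 10.0.0.21:1040 -> 10.0.0.9:4444 TCP ALLOW
2009-03-01T10:07:00 10.0.0.30:51000 -> 10.0.0.22:80 TCP ALLOW
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<action>\w+)$"
)
SMB_PORT = 445        # MS08-067 is reached through the Server service (RPC over SMB)
HANDLER_PORT = 4444   # default LPORT of the reverse payload used in the post
WINDOW_SECONDS = 120  # assumed: the call-back must follow the SMB contact within 2 minutes

def parse_line(line):
    """Parse one log line into a dict with a datetime and int ports, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def find_reverse_shell_callbacks(log_text, window=WINDOW_SECONDS):
    """Flag hosts that received SMB traffic and then, within `window` seconds,
    opened an outbound connection to the default Metasploit handler port."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    records.sort(key=lambda r: r["ts"])        # log lines may arrive out of order
    smb_contacts = defaultdict(list)           # victim ip -> [(ts, smb source ip)]
    alerts = []
    for r in records:
        if r["dport"] == SMB_PORT:
            smb_contacts[r["dst"]].append((r["ts"], r["src"]))
        elif r["dport"] == HANDLER_PORT:
            recent = sorted({src for ts, src in smb_contacts[r["src"]]
                             if 0 <= (r["ts"] - ts).total_seconds() <= window})
            if recent:                         # SMB contact shortly before the call-back
                alerts.append({"victim": r["src"], "handler": r["dst"],
                               "smb_sources": recent, "ts": r["ts"].isoformat()})
    return alerts
```

With the sample log, only 10.0.0.20 is flagged: 10.0.0.21 also calls out to port 4444, but its SMB contact was 55 minutes earlier, outside the default window.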
Inside the infected system
Meterpreter provides a whole new environment; for more details, the help command inside the Meterpreter session will assist a lot.
To learn more about the attacked victim machine, the sysinfo command may be used.
You can grab the password hashes of the accounts created on the system using the hashdump command inside the Meterpreter session.
Defensive actions that security professionals should take
- Admins should follow vulnerability and bug announcements and newsletters, and patch their systems as soon as a vulnerability has been disclosed and the patch has been validated on equivalent test systems.
- Vulnerability assessment and penetration testing should be done at intervals based on the security standard or compliance regime that the company follows.