How to use Metasploit Framework: features, instructions for use

Metasploit Framework (MSF) is a free solution for testing the possibility of unauthorized entry into a Rapid7 open source computer system. The use of MSF ranges from protecting systems from penetration to exploring vulnerabilities that pose a real threat. Metasploit eliminates the need to write separate exploits, saving users time and effort.

The program presents a set of shell codes, fuzzing tools, payloads and encoders integrated into a single platform. It is available on Linux, Windows, OS X platforms. Its main goal is to check the organization’s computer protection by creating artificial attacks, provoking the system, something like “violate, protect”. Metasploit offers a wide range of tools and utilities for such attacks on all operating systems, including Android and iOS.

Public Code Security History

Metasploit was originally developed and conceived by HD Moore (Moore), an expert in network security, an open source programmer and hacker. He became the developer of MSF, a penetration testing software package, and the founder of the Metasploit Project.

Moore served as Principal Researcher at Rapid7 Security Firm in Boston, Massachusetts, a provider of data protection and analytics software and cloud solutions. He released his first Perl-based Msf in October 2003 with a total of 11 exploits and remained the chief architect of the Metasploit Framework until his dismissal. He announced his retirement from Rapid7 in 2016, moving to a venture capital firm.

Many users have contributed to the development of MSF. The main intellectual infusion was in 2006, after which the base was replenished with 150+ exploits. Then in version 3 there were major changes. It was reprogrammed in Ruby, became cross-platform and had a unique property - new versions and modules were easily downloaded and added to the software. In 2009, Rapid7 acquired the entire project, which is still owned by it. The basic architecture of Metasploit has not changed, and the versions have remained free.

Useful terminology

Getting started with Metasploit starts after installing the program. The software will easily help to install the file system and libraries, as it is intuitive. Metasploit is script-based, therefore it has a folder containing scripts “meterpreter” and others required by the platform. MSF can be obtained through the GUI, as well as the command line version.

General terms:

1. Vulnerability - weakness in the target system, due to which penetration can occur successfully.
2. An exploit, as soon as a vulnerability is known, an attacker exploits it and penetrates the system using code.
3. Payload, payload, a set of tasks initiated by an attacker after an exploit in order to maintain access to a compromised system.
4. Single is an autonomous payload that performs a specific task.
5. Stager - facilitates the delivery of useful functions and creates a network connection between the computers of the attacker and the victim. Before using Metasploit, they load functions through connections, for example, VNC and meterpreter.

There are other network and system commands that you need to learn to work successfully with software. Capturing keystrokes is easily accomplished using the stdapi user interface command set. Keyscan_start starts the service, and keyscan_dump shows captured by keystroke.

Graphical interfaces

A new GUI for Metasploit has been added by ScriptJunkie to the SVN repository. The first version is designed in such a framework that the framework is both functionality and durability. The new GUI is multi-platform and based on Java. The Netbeans project is located in the external / source / gui / msfguijava / directory for those who want to contribute and have Java and user interface skills. The GUI can be launched by calling the "msfgui" script in the MSF directory database.

Metasploit comes in a variety of interfaces:

1. Msfconsole is an interactive shell for performing multi-user tasks.
2. Msfcli - calls msf functions from the terminal / cmd itself, without changing it.
3. Msfgui is a graphical interface.
4. Armitag is another graphical tool written in Java for managing the pentest conducted with MSF.
5. The Metasploit community web interface provided by rapid7 is a framework that allows for easy testing.
6. CobaltStrike is another graphical interface with some additional features for post-operation and reporting.

Auxiliary, Encoders Modules

Exploit is a method by which an attacker exploits a vulnerability in a system, services, applications and is always accompanied by payloads. Payload, payload successful - a piece of code that runs on an operating system. After the exploit runs, the platform injects the payload through the vulnerability and launches it on the target system. Thus, an attacker gets inside the system or can obtain data from a compromised system before using the payload in Metasploit.

Auxiliary auxiliary module provides additional functionality, such as fuzzing, scanning, reconnection, dos-attack and others. Auxiliary scanning of banners or operating systems does not carry out a DOS attack on the target. It does not introduce a payload like exploits, so it will not be able to access the system using this module.

Encoders - encoders are used to mask modules in order to avoid detection using a protection mechanism, such as an antivirus or firewall, is widely used to create a back door.

Shellcode and Listener Instructions

Shellcode - a set of instructions used as a payload during operation, written in assembler. In most cases, a command shell or a Meterpreter shell will be provided after a series of commands is executed by the target machine.

The Listener instruction listens for connections from the payload entered into the compromised system. The Post module, as the name implies, is used for subsequent operation. After hacking, they go deep into the system or set up as a center for attacking other systems.

Nop - No Operation, a well-known function, thanks to x86 processors, is associated with shell code and machine language instructions, prevents the program from crashing when using jump operators in shell code. Nops loops over machine language instructions from the very beginning if they fall into an invalid memory area after issuing a jump statement and prevent the payload from failing. This is a very advanced concept, and the developer must understand shell coding before using Metasploit with the benefits of “nops”.

Guidelines

Most of the Metasploit support in the open source community is provided as modules. They should go through msftidy.rb and adhere to the guidelines of Contributing.md, both distributed with MSF.

Modules should have a clear and obvious goal: exploits lead to a shell, mail exploits lead to elevated privileges, auxiliary ones belong to the “Everything Else” category, but even they are limited to a clearly defined task, for example, collecting information for use. They should not activate others, given the complexity of setting up multiple payloads. Such actions are automation tasks for the frontend installed before starting Metasploit.

Denial-of-service modules should be asymmetric and at least have some interesting features. If this is comparable to sinflud, then it should not be included. If it is comparable to Baliwicked, then, on the contrary, it should be included. Modules, slowloris, are included with some justification.

Windows Client Exploits

MSF assigns each user a unique SID, a security identifier. Each stream has an associated primary token containing information about aspects such as privileges and groups. Using an impersonation token, a process or thread can temporarily accept the identity of some other user. As soon as the resource is used up, the stream again accepts the main token.

Token attack schemes:

1. Local privilege escalation. If a process with low privileges starts on a system with administrator authentication, an impersonation token is available for the administrator. If an attacker stops using any exploit, he will gain access to the impersonation token with administrator rights.
2. Domain privilege escalation. Here, the attacker goes to other machines over the network using an impersonation token.

This can be done incognito in the meterpreter console, which is installed before using Metasploit. Use commands such as list_tokens, steal_tokens, and impersonate_token to perform operations. If the target is behind a firewall or NAT, the attacker must provide the victim with a link that redirects him to his computer - an instance of Metasploit. This is necessary because direct sensing of the target is not possible.

Client and server on the same machine

You can use the Russian version of Metasploit for Windows to run all tests on the same machine. The MSF platform requires administrator rights to install on Windows. It will be installed by default in the c: \ metasploit folder. AV on the computer will generate warnings when installing MSF in Win, therefore, they create the correct exceptions.

Creating on Windows is slower than on Linux. Meterpreter uses MSFVenom (c: \ metasploit \ msfvenom.bat) to create 32-bit and 64-bit executables for entering payloads.

The list of commands:

• "Msfvenom.bat –help" will show the parameters;
• "Msfvenom.bat –list payloads" will show payloads;
• "Msfvenom.bat –help-format" will show all output formats.

Executable formats will generate programs and scripts, while conversion formats will simply create a payload. Use “msfvenom.bat” to create a 32-bit and 64-bit executable file with the “meterpreter_reverse_http” payload, which is determined before using Metasploit. If no platform and architecture is specified, msfvenom will select them depending on the payload.

The MSF handler is now waiting for a connection, run "meterpreter-64.exe" with administrator rights. After starting meterpreter-64.exe will connect to the handler and will wait for instructions.

Security Testing Tool

MSF is a software platform for developing, testing and executing exploits. It can be used to create security tools and application modules, as well as a penetration system for Android.

Commands required to execute:

1. Build an APK and launch the multi / handler exploit.
2. Open Kali Linux OS on Oracle VM VirtualBox. Default login: root / toor.
3. Log in to the Kali Linux virtual machine using the default credentials.
4. Check the IP address of the Kali machine. Enter the command: ifconfig.
5. Open a terminal in Kali Linux and record the IP address of the system.
6. Open MSF from terminal: msfconsole.
7. Run the command: msf> use exploit / multi / handler.
8. Install LHOST and LPORT with the set command.
9. Start the listener. Command: msf> exploit.

In Metasploit, the use command uses a specific framework model. In this case, you need an exploit “multi / handler”, which makes it easier to listen to the incoming wildcard connection. The search command in msfconsole is used to search for a keyword. This command finds the load Android meterpreter.

Along with the “use” and “search”, “set” commands, another command used by MSF to set a specific payload for an exploit is “show options” to see various input data.

Installing an Android Application

Metasploit termux is an Android application that supports the Linux environment.

To install the software, perform the following actions:

1. Install Termux Google Play-Store.
2. Enter the command "apt update".
3. Update the “apt install curl” command.
4. Enter "cd $ HOME".
5. After the download of the above file is completed, enter “ls”, the “.sh” file will open.
6. Enter this command "chmod + x metasploitTechzindia.sh".
7. The script is launched by a command such as “sh metasploitTechzindia.sh”.
8. Enter "ls".
9. Find the “Metasploit-framework” folder.
10. Open the cd yourfoldername folder.
11. Enter the command "ls".
12. Enter “./msfconsole” to start MSF.

MSF Web Interface Overview

The browser-based web interface contains a workspace that is used to set up projects and perform pentesting tasks and provides navigation menus for accessing the module configuration pages. The user interface works in the following browsers.

With it, a discovery scan is launched, an exploit is launched against a target, a report is created, system settings are configured, and administrative tasks are performed. Each has its own configuration page, which displays all the parameters and settings. The user interface displays the fields required for data entry, flag options that can be turned on or off depending on the requirements of the test, and drop-down menus.

The overview page shows statistical information for the project, such as the number of hosts and services discovered, as well as the number of sessions and credentials received. A project will not display statistics or a toolbar until a target is scanned or host data is imported, after which a dashboard will appear that provides a high-level graphical breakdown of the data stored in the project and a log of recent events.

Antivirus Bypass

For penetration testers, some antivirus solutions are not configured by default to scan MSI files or TMP files that are created when MSI files are executed. Use "msfconsole" to create the MSI file that will execute the MSF payload.

Alternatively, you can generate the .msi file using the “msfvenom ruby” script that comes with Metasploit: msfvenom -p windows / adduser USER = Attacker PASS = Attacker123! -f msi> evil.msi.

Copy the evil.msi file to the target system and start the MSI installation from the command line to execute the Metasploit payload. From the point of view of the penetration test, using the / quiet option is convenient because it suppresses messages that are usually displayed to the user.

Check antivirus logs to see if the payload has been detected. You can also check if the payload has been completed and add the Attacking user. If information about it is returned, then the payload is successful.

Vulnerability testing

Vulnerability scanner is similar to other types of scanners - for example, port scanners help protect the network and systems in it. The purpose of such checks is to identify any weaknesses and use the results to solve problems before the attackers do it. Common problems during the scanning process include buffer overflow detection, generic software, structured query language (SQL) problems, and others. How much the scanner detects depends on the software itself, some scanners are much more aggressive in scanning, detecting missing corrections or configuration errors, while others simply indicate to the user the right direction.

Metasploit goes beyond the usual vulnerability scanners, it gives the opportunity to develop their own exploits and delivery mechanisms. The idea is that in cases where other methods are based on known problems, Msf allows you to develop your own in order to provide greater flexibility in scanning, as well as in research.

To start the scanner function, follow the instructions for using Metasploit:

1. Select and configure an exploit for targeting. It will target the system in order to exploit a software defect. The pool depends on the operating system and changes depending on the version of the system, constantly increasing. Msf currently contains over 400 exploits for most modern operating systems.
2. They check an exploit against the system in order to find out if the system is vulnerable to it.
3. They select and configure the payload in the form of a code that is started after the scanner detects the entry point into the system.
4. Choose and configure the encoding and delivery method to be used. The goal of this step is to format the payload so that it can bypass entrenched intrusion detection systems (IDS).
5. Perform an exploit.

In this way, MSI offers a lot of security information. These are not just exploits; they are a complete network security framework. There is currently no shortage of tools in software. Metasploit .