MSF: Difference between revisions
From charlesreid1
Revision as of 02:42, 23 March 2016
Metasploit framework info: http://docs.kali.org/general-use/starting-metasploit-framework-in-kali
Basics
Initializing DB
First, start PostgreSQL so it is running as a server:
<pre>
$ service postgresql start
</pre>
PostgreSQL is the database backend that MSF uses.
Now initialize the database:
<pre>
$ msfdb init
</pre>
Running
To get a Metasploit console, run:
<pre>
$ msfconsole
</pre>
Using
Example: Metasploitable
As an example of how we can use metasploit, we'll be looking at the Metasploitable virtual box.
Setting Up Metasploitable
Downloaded the virtual disk image and loaded it up in a 64-bit Linux VirtualBox instance.
The networking configuration was as follows: I had the VirtualBox instance running on a Mac and was attacking from a machine running Kali Linux. Both computers were on a private network and on the same subnet.
From VirtualBox, I created a bridged network adapter (meaning, VirtualBox can send/receive messages directly through that interface). Next, I flipped the switch on the VirtualBox, and away we went. The router automatically assigned an IP address to the Metasploitable VirtualBox.
Recon
Make a directory to keep files for this box:
<pre>
$ mkdir -p box/metasploitable
</pre>
Start by using nmap to scan the subnet for the host.
First, a fast scan (-F) of the subnet:
<pre>
$ nmap -F 10.0.0.*
</pre>
Then a more extensive SYN scan:
<pre>
$ nmap -sS 10.0.0.*
</pre>
This reveals the IP address of the VirtualBox, which is 10.0.0.27.
We can also do a deeper scan of that one host, adding service/version detection (-sV) and OS detection, script scanning and traceroute (-A):
<pre>
$ nmap -sS -sV -A 10.0.0.27
</pre>
This will reveal an array of services, at least one of which is bound to have an exploit in Metasploit.
Sure enough, the verbose scan returns lots of good information:
<pre>
nmap -sS -sV -A 10.0.0.27
Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-22 18:30 PDT
Nmap scan report for 10.0.0.27
Host is up (0.016s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
|_ssl-date: 2016-03-23T01:31:31+00:00; +33s from scanner time.
53/tcp   open  domain      ISC BIND 9.4.2
| dns-nsid:
|_  bind.version: 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp  open  rpcbind     2 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2            111/tcp  rpcbind
|   100000  2            111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      42810/tcp  mountd
|   100005  1,2,3      45599/udp  mountd
|   100021  1,3,4      34385/tcp  nlockmgr
|   100021  1,3,4      60702/udp  nlockmgr
|   100024  1          38085/udp  status
|_  100024  1          52004/tcp  status
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  tcpwrapped
1099/tcp open  java-rmi    Java RMI Registry
1524/tcp open  shell       Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info:
|   Protocol: 53
|   Version: .0.51a-3ubuntu5
|   Thread ID: 8
|   Capabilities flags: 43564
|   Some Capabilities: Support41Auth, SupportsTransactions, Speaks41ProtocolNew, SwitchToSSLAfterHandshake, ConnectWithDatabase, LongColumnFlag, SupportsCompression
|   Status: Autocommit
|_  Salt: w$K,8vk7k8tagd@PR*zK
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
| vnc-info:
|   Protocol version: 3.3
|   Security types:
|_    Unknown security type (33554432)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         Unreal ircd
| irc-info:
|   users: 1
|   servers: 1
|   lusers: 1
|   lservers: 0
|   server: irc.Metasploitable.LAN
|   version: Unreal3.2.8.1. irc.Metasploitable.LAN
|   uptime: 0 days, 1:05:20
|   source ident: nmap
|   source host: 6D4CD63B.D3975B40.7B559A54.IP
|_  error: Closing Link: cxfhgnbdt[10.0.0.25] (Quit: cxfhgnbdt)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Unix (Samba 3.0.20-Debian)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP
|_  System time: 2016-03-22T21:31:31-04:00

TRACEROUTE
HOP RTT      ADDRESS
1   16.11 ms 10.0.0.27

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.31 seconds
</pre>
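A scan like the one above is also the raw material for an exposure review of the host. The following Python script is an added example, not part of the original page or of the Metasploit project: it parses nmap's normal-output format (what the console prints, or what nmap's -oN option saves to a file) and produces a triage list of the things a defender would fix first on a host like this one: legacy cleartext services, anonymous FTP, a TLS certificate that had already expired at scan time, and database engines listening on the network. The SAMPLE_REPORT string is an excerpt of the scan output above, embedded so the script runs offline; the service categories and severity labels are the example's own choices, not anything nmap emits.

```python
"""Summarise nmap normal output into an exposure inventory.

Added example (not from the original wiki page or the Metasploit project).
Input is the text `nmap -sS -sV -A` prints; script output ("|" lines) is
attached to the port line that precedes it, the way nmap lays it out.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: an excerpt of the scan shown on the page above.
SAMPLE_REPORT = """\
Nmap scan report for 10.0.0.27
Host is up (0.016s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login?
1524/tcp open  shell       Metasploitable root shell
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
Nmap done: 1 IP address (1 host up) scanned in 27.31 seconds
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")
NOT_AFTER = re.compile(r"^\|_?\s*Not valid after:\s+(\S+)")

# Categories chosen for this example (not nmap's): services whose logins or
# sessions travel in the clear or need no authentication at all, and database
# engines that normally should not be reachable from other hosts.
LEGACY = {"ftp", "telnet", "exec", "login", "shell"}
DATABASES = {"mysql", "postgresql"}


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str
    script_lines: list = field(default_factory=list)


@dataclass
class Report:
    host: str = ""
    services: list = field(default_factory=list)


def parse_nmap(text):
    """Parse nmap normal output into a Report of per-port services."""
    report = Report()
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HOST_LINE.match(line)
        if m:
            report.host = m.group(1)
            continue
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, name, version = m.groups()
            current = Service(int(port), proto, state, name, version or "")
            report.services.append(current)
            continue
        # NSE script output belongs to the most recent port line.
        if line.startswith("|") and current is not None:
            current.script_lines.append(line)
    return report


def review(report, scan_date):
    """Return (severity, message) findings. scan_date is the ISO date of the
    scan (YYYY-MM-DD); ISO strings compare correctly as plain strings."""
    findings = []
    for svc in report.services:
        if svc.state != "open":
            continue
        where = f"{svc.port}/{svc.proto}"
        base = svc.name.rstrip("?")  # nmap marks guessed services with '?'
        if base in LEGACY:
            findings.append(("high", f"{where} {svc.name}: legacy cleartext or unauthenticated service exposed"))
        if base in DATABASES:
            findings.append(("medium", f"{where} {svc.name}: database engine reachable from the network"))
        for s in svc.script_lines:
            if "Anonymous FTP login allowed" in s:
                findings.append(("high", f"{where}: anonymous FTP login allowed"))
            m = NOT_AFTER.match(s)
            if m and m.group(1)[:10] < scan_date:
                findings.append(("medium", f"{where}: TLS certificate expired {m.group(1)[:10]}"))
    return findings


if __name__ == "__main__":
    rep = parse_nmap(SAMPLE_REPORT)
    print(f"{rep.host}: {len(rep.services)} open ports")
    for sev, msg in review(rep, "2016-03-22"):
        print(f"[{sev}] {msg}")
```

To run it against a real report, replace SAMPLE_REPORT with the contents of the saved -oN file and pass the scan's date; the per-port parse also gives you a machine-readable inventory to diff against the previous scan of the same host.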