Mod 4 (Part III)

Tools Used in Ethical Hacking
Metasploit
Metasploit is an open source tool that is currently developed by Rapid7. Initially, there were only
19 exploits and 27 payloads included with Metasploit. The latest version of Metasploit includes
hundreds of exploits and payloads. Metasploit was originally used for developing exploit code but
it can also be used for exploitation and post-exploitation purposes. Hackers can use it for hacking
into target systems. Vulnerability assessment using Nessus and various other vulnerability
assessment tools is also supported by Metasploit. The tool is written in the Ruby programming
language. There are two other versions of Metasploit, Metasploit Express and Metasploit Pro, that
exist alongside Metasploit. All major operating systems, such as Linux, Mac OS, and Windows
support Metasploit.

Metasploit Interfaces
Metasploit are available into various interfaces, some of them are
i) Msf GUI.
ii) Msfconsole.
iii) Msfcli.
iv) Msfweb.
v) Metasploit pro.
vi) Armitage.

ARCHITECTURE OF METASPLOIT FRAMEWORK
Various components, such as libraries, modules, plugins, and tools make up the Metasploit
Framework architecture.
The library architecture in Metasploit is as follows:

• Rex: it is the basic library used in Metasploit and it is used to handle transformations,
sockets and protocols. HTTP, random text, SMB, Base64, SSL, and XOR are supported
by this library.

• Msf::Core: the application interface and framework of Metasploit are defined by this
library.

• Msf::Base: Metasploit Framework's application interface is defined by this library. The
way it is defined by this library is very user-friendly.

Metasploit includes different types of modules with each differing from the other in terms of the
task it performs. The following table explains the basic functionality of Metasploit's modules in a
bit more details:

Module type Working
Payloads This is used to carry out operations such as connecting to or
from the target system after exploitation or performing a
Auxiliary specific task such as installing a service and so on. Payload
Encoders execution is the next step after a system gets exploited
NOPs successfully. The widely used meterpreter shell in the
Exploits previous chapter is a common Metasploit payload.
Functions such as fuzz testing, fingerprinting, logging into
various applications, and reconnaissance can be performed
using auxiliary modules.
To prevent detection by firewalls and antiviruses, payloads
can be encrypted using encoders.
NOPs' usage makes the payloads stable.
The actual code that triggers to take advantage of a
vulnerable system.

Plugins
As contrasted to modules, plugins are intended to enhance the utility of Metasploit as a security
tool development platform. Plugins could be created to add various new commands to
Metasploit. Depending on the imagination of a security researcher, some tasks can also be
automated using various types of advanced plugins. For example, to discover the hosts on the
target network and the services running on those hosts, a plugin might be created that would
execute at least one recon module to perform these tasks. The type of exploits that can be used
on the target systems can be figured out using the information provided by the recon modules
executed by the plugin. The plugin could then possibly dispatch different sorts of exploits and
attempt with various alternatives for payloads and ports to establish the connection with the
target system.
During all of this, it might also be storing all the results into a database and writing a report file
documenting the results of all these actions. During all of this, it might also be storing all the
results into a database and writing a report file documenting the results of all these actions.

Msfconsole
The msfconsole is a traditional method of using the Metasploit Framework. In UNIX based
systems the msfconsole console can be launched via the './msfconsole' command. In the
Windows operating system the 'msfconsole' command can be used to launch Metasploit. Both
the commands need to executed from within the directory in which msfconsole has been
installed. The following steps can be used to run msfconsole on Kali Linux:

1. Boot up Kali Linux operating system.
2. Open Terminal
3. Write ‘msfconsole’ in the terminal and hit ENTER.
It fires up a statement on Terminal like “starting Metasploit Framework”.

How does exploitation work?
An exemplary case of an exploit would be a one in which a hacker uses a simple password
guessing attack to exploit weak password vulnerability on a computer system that is present in an
educational institution's computer lab. The student using the target PC had locked the PC before
going away. The hacker who disguises himself as a student of the institution uses Metasploit to
launch a password guessing attack on the FTP server running on the target PC, and finds the
password to be Zebra, which is a simple dictionary word. The payload helps the attacker to gain
complete control of the system after the execution of the exploit.
An adversary fundamentally sends an exploit to the target system with a payload attached to it to
the target computer system. The payload gets executed only after the successful execution of the
exploit on the target system. The hacker gets complete control over the target system, which
allows them to either steal data, upload malware, create backdoors, etc.

Getting started
Metasploit can also be used to perform basic footprinting and vulnerability scanning. It is
recommended to perform these tasks before starting the exploitation phase. Some good
footprinting and scanning functionalities are present in Metasploit as it is integrated with the
dradis framework. It is also configured to work with databases such as sqlite, postgresql, and
mysql.

Nmap command can be used to perform scanning within Metasploit. This is shown in the figure
above. The information can be stored in the database by using the db_nmap command. Nessus
scans can be run from within Metasploit by using the nessus_scan_new command. Before this,
however, the nessus_connect command should be used to connect to the Nessus server running
on the attacking system. This is possible only if the credentials are properly set while installing
Nessus. This is shown in the figure that follows.

After performing scanning and footprinting, the next step is exploitation. Let us take the example
of the exploitation of a target system running Windows XP that has the RPC DCOM
vulnerability. Metasploit can be used to exploit this vulnerabiliity. Exploit modules that contain
the word dcom can be searched for by using the “search dcom” command. The Metasploit
console will list out all the exploits that contain the word dcom. For this example, the particular
search result we are interested in is “Microsoft RPC DCOM Interface Overflow.” To use this
module, use the following command in Metasploit:
>> “use windows/dcerpc/ms03_026_dcom” followed by >> “show options”

After this, use the following command to set the target IP address on which the attack is to be
launched:
>> set RHOST 192.168.1.2

Then, use the following command to set the payload:
>>set PAYLOAD windows/adduser

The chosen payload adds a new user account in the target system.
To execute the exploit, in Metasploit type in the following command:
>> exploit

This exploit does not create a session but only creates a new account. One can check whether a
new account was actually created on the target system.