Intro to Metasploit and a Basic Exploit
Metasploit?
Metasploit is a double-edged sword. Written in Ruby, it is a full-featured framework for penetration testing. Penetration testing is the act of breaking into systems—legally, for the good guys. Because it enables security engineers to find weaknesses to patch, it keeps them with a job.
You’re probably thinking that it can be used for nefarious purposes.
That definitely happens.
Why have it at all then if it can cause so much damage? Overall, the cybersecurity world is better off with it, because it empowers defenders more than attackers, who would find a way to attack one way or another. With Metasploit at least, the playing field is somewhat leveled, and the darkness with which black hats are comfortable is illuminated a bit more for the white hats. Not all weapons are evil.
Two flavors
Metasploit comes in a commercial Pro version, which ships with a GUI and is ideal for enterprise situations for those who can afford the $5000+ license. If you, my dear reader, are such a customer, you have likely come to the wrong place to learn about Metasploit.
Moving on, Metasploit Framework is the open source version, which ships with MSFConsole, the main way to interface with the framework. If you’re running Kali or Parrot Linux, Metasploit should already be preinstalled.
Getting started
If you don’t have the framework installed yet, the Metasploit folks have provided a neat guide to set up a Metasploit development environment. Since I started by creating a Kali virtual machine, I did not need this guide. However, I did make sure to run `sudo apt update && sudo apt upgrade` to keep everything up-to-date.
Fundamentally, the Metasploit pentesting process requires three elements: an exploit, a vulnerability, and a payload.
To understand these elements better, here’s another weaponry metaphor: imagine that cyberspace is a medieval battlefield. You, the attacker, are trying to break through someone’s armor from a distance. What do you need to do it? You need a bow, a chink in the armor, and an arrow to fire into the chink. The bow is the exploit, the chink is the vulnerability, and the arrow is the payload.
Modules
How does the Metasploit framework help with this? It breaks down the process into modules, all of which can be found neatly filed and labeled (at least in Kali) at `/usr/share/metasploit-framework/modules`:

```
$ ls /usr/share/metasploit-framework/modules
auxiliary encoders evasion exploits nops payloads post
```
Let’s cover them in alphabetical order.
**Auxiliary** - these are supporting modules that aid especially in detection (e.g. fuzzers, scanners), but don’t directly run payloads.
**Encoders** - these obfuscate exploits and payloads to make them harder to detect, though modern antivirus software is good at seeing through this.
**Evasion** - unlike encoders, which are indirect, evasion modules directly try to evade antivirus software. They work better in combination with encoders.
**Exploits** - these are exploits organized by target system:
```
$ ls /usr/share/metasploit-framework/modules/exploits
aix dialup firefox mainframe qnx
android example_linux_priv_esc.rb freebsd multi solaris
apple_ios example.py hpux netware unix
bsd example.rb irix openbsd windows
bsdi example_webapp.rb linux osx
```
**Nops** - these “no-ops” don’t perform exploits, but keep payloads a consistent size.
**Payloads** - don’t forget these! They are the bullets: code that will run on the target system. They come in three types:
- **Singles** - one shot, self-contained (no slash in the name)
- **Stagers** - small starters that run stages
- **Stages** - bigger payloads downloaded by stagers
**Post** - finally, these modules are the finishing touches, the final stage of the exploitation process. Once you’ve got the arrow in, what do you do?
Exploiting EternalBlue
That’s enough theory. Now, it’s time for a basic walk-through exploiting a popular vulnerability, EternalBlue. Although it was made publicly available, attackers were able to use it in two major damaging cyber attacks on unpatched computers in 2017. This is an important object lesson for pentesters!
EternalBlue targets Windows 7 machines, so I set up a VirtualBox VM for testing purposes. To attack it, I used a Kali VM I set up earlier with Metasploit sharpened and ready.
Intermezzo
Wait! The default network setting on VirtualBox, one adapter on NAT, does not allow guests to communicate with one another. Based on the table below, Internal mode worked best for the Windows 7 ↔ Kali connection, because it isolates Windows from the entire world except the one attacker. This is a list of modes and what communications they support:
Mode | VM→Host | VM←Host | VM⇄VM | VM→Net/LAN | VM←Net/LAN |
---|---|---|---|---|---|
Host-only | ✔️ | ✔️ | ✔️ | ❌ | ❌ |
Internal | ❌ | ❌ | ✔️ | ❌ | ❌ |
Bridged | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
NAT | ✔️ | Port forward | ✔️ | Port forward | |
NATService | ✔️ | Port forward | ✔️ | ❌ | Port forward |
Not attached | ❌ | ❌ | ❌ | ❌ | ❌ |
The easiest to do would have been Bridged mode, because it enables everything. It also requires almost no configuration, so where’s the fun in that?
An internal network looks like an Ethernet switch to the guest OSes. VirtualBox offers a way to set up a DHCP server on the internal network, but that felt like cheating. Instead of using DHCP, I learned a little bit about Static IPs to set this up.
Static IPs
There are two ways to configure an internal network: dynamic and static IP addressing. When a device connects to a dynamic network, a DHCP server (typically a router) assigns it an IP address.
If you don’t have a router, as in VirtualBox Internal mode, computers can still talk to each other if configured correctly with static IP addresses. Each computer just needs to know its own IP address and the other’s, and the network will run.
Configuring VirtualBox
TL;DR - Create an internal network for both boxes. Configured in the OS, the static IP of one should correspond to the gateway of the other.
For Kali, the first network adapter can be left unchanged. It allows Kali to connect to the internet to do Kali stuff just fine.
Adapter 2 allows Kali to talk to the Windows 7 box through an Internal Network. You can name the network whatever you like, as long as it’s consistent between Kali and Windows.
On to Windows 7. All this one needed was one network adapter to the internal network, exactly like Kali.
Without a router, these two machines needed one last step to see each other. I started Kali and opened Advanced Network Configuration.
The original connection I named “NAT (internet)” to indicate that it is the one that connects to the internet. The one named “Internal” was configured like so:
Because there is only one network interface, Windows is a bit easier to configure. I just put Kali’s IP as the default gateway and Kali’s gateway as Windows’ IP.
If you were paying attention, you would have been able to visualize the following summary table:
Device | IP address | Gateway/DNS | Network |
---|---|---|---|
Kali | 192.168.1.2 | 192.168.1.1 | intnet-1, NAT |
Windows 7 | 192.168.1.1 | 192.168.1.2 | intnet-1 |
I verified that Kali could see Windows with a simple `ip neigh`:
And this shows that static IP is not that complicated to configure!
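To make the static-IP step reproducible without the screenshots, here is an added example (mine, not from the original post) that checks the addressing from the summary table for consistency, prints the commands that apply it on each side, and checks a constructed `ip neigh` listing for the peer. The connection name "Internal", the adapter name "Local Area Connection" and the sample neighbour output are assumptions.

```shell
# Added example: sanity-check the static addressing above and emit the
# commands that apply it. Assumed names: Kali's NetworkManager connection
# is "Internal", the Windows 7 adapter is "Local Area Connection".
KALI_IP=192.168.1.2; KALI_GW=192.168.1.1
WIN_IP=192.168.1.1;  WIN_GW=192.168.1.2

# 0 when the boxes point at each other: each gateway is the other's
# address, the addresses differ, and both sit in the same /24.
pair_ok() {  # kali-ip kali-gw win-ip win-gw
  kali_ip=$1; kali_gw=$2; win_ip=$3; win_gw=$4
  [ "$kali_gw" = "$win_ip" ] || return 1
  [ "$win_gw" = "$kali_ip" ] || return 1
  [ "$kali_ip" != "$win_ip" ] || return 1
  [ "${kali_ip%.*}" = "${win_ip%.*}" ] || return 1
}

# nmcli equivalent of the Advanced Network Configuration dialog on Kali.
kali_cmd() {  # connection-name ip prefix gateway
  printf 'nmcli con mod "%s" ipv4.method manual ipv4.addresses %s/%s ipv4.gateway %s\n' \
    "$1" "$2" "$3" "$4"
}

# Equivalent for the Windows 7 side, run from an elevated command prompt.
win_cmd() {  # adapter-name ip gateway
  printf 'netsh interface ip set address "%s" static %s 255.255.255.0 %s\n' \
    "$1" "$2" "$3"
}

# Constructed `ip neigh` output standing in for the real listing on Kali.
SAMPLE_NEIGH='192.168.1.1 dev eth1 lladdr 08:00:27:aa:bb:cc REACHABLE
10.0.2.2 dev eth0 lladdr 52:54:00:12:35:02 STALE'

# 0 when the peer appears in the neighbour table in REACHABLE state.
peer_reachable() {  # neigh-output peer-ip
  printf '%s\n' "$1" |
    awk -v ip="$2" '$1 == ip && $NF == "REACHABLE" { found = 1 } END { exit !found }'
}

if pair_ok "$KALI_IP" "$KALI_GW" "$WIN_IP" "$WIN_GW"; then
  kali_cmd Internal "$KALI_IP" 24 "$KALI_GW"
  win_cmd "Local Area Connection" "$WIN_IP" "$WIN_GW"
  peer_reachable "$SAMPLE_NEIGH" "$WIN_IP" && echo "Windows 7 is reachable from Kali"
else
  echo "addressing mismatch: each gateway must be the other box's IP" >&2
fi
```

Swap `SAMPLE_NEIGH` for `"$(ip neigh)"` on the Kali box to check the real neighbour table.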
Making the system vulnerable
This isn’t a virus. The box has nothing installed on it. The file sharing feature is part of setting up the computer for the network, but it allows the attackers in through SMB.
I clicked the banner to turn on file sharing.
Running the exploit
I first searched for the exploits:
I wanted the first one, so I `use`d it.
For this exploit, the one required option (via `show options`) is `rhosts`. I `set` it to my Windows VM’s IP address, then ran a `check`.
Since this one was vulnerable, I ran the `exploit`. This doesn’t always work, but this time, it did! I got the system fully under my control. Need proof?
Of course, the system was mine to begin with, but that’s the point! Pentesters can leverage the power of frameworks like Metasploit to think like a hacker and find chinks in armor before the bad guys do.
🕶️🐴