The MSF supports various relational databases through the use of plugins.The current list of supported databases includes PostgreSQL, SQLite2, and SQLite3. In order to enable database support, you first need to install the RubyGems package from www.rubygems.org.To build the package, navigate to the folder where you have unzipped and untarred the installation package, and run the command ruby setup.rb. Verify that the gemcommand is in your path.
Next you will need to install ActiveRecord and the Ruby database driver for your selected database, say PostgreSQL.This is done through the commands gem install activerecord and gem install postgres, respectively.You may have to use the following variation of this com-mand if errors crop up:
gem install postgres -- pgsql-include-dir=/usr/local/pgsql/include --with-pgsql-lib-dir=/usr/local/pgsql/lib
The next step is to create a database instance:
$ initdb ~/metasploitdb
$ pg_ctl -D ~/metasploitdb start
To test the database support, install the appropriate Ruby support module, start msfconsole, and load the vendor-specific plugin:
msf> load db_postgres
[*] Successfully loaded plugin: db_postgres
At this stage, you can type the help command to see the various options available, as shown in Figure 1.3.
Figure 1.3Database Commands
One of the first things you would want to do is to issue the command db_create, or if the database has already been created, then connect to it with db_connect. Once the console is connected to the database, a new set of commands is available for execution. Once again the helpcommand would list these out, as shown in Figure 1.4.
Figure 1.4Database Commands after Connecting to the Database
The database support has the following structure:
Entity definitions for hosts, services, vulnerabilities, and notes:
lib/msf/core/db_objects.rb data/sql/*.sql
data/sql/*.db
Generic database API for manipulating entities:
lib/msf/core/db.rb
lib/msf/core/db_backend.rb
Generic database command set for interacting with the backend:
lib/msf/ui/console/command_dispatcher/db.rb
Vendor-specific plugins for linking the API to a real database:
plugins/db_sqlite2.db plugins/db_sqlite3.db plugins/db_postgres.db
Generic plugins for database integration:
plugins/db_tracker.rb
Using the database plugins and commands to automate the entire penetration testing process is explained in Chapter 4.
Meterpreter
Most often, penetration testing discussions center on reconnaissance and exploitation. But not much importance is given to the post-exploitation phase, especially the objective of exploiting vulnerable systems in as flexible and stealthy a manner as possible. Some of the common challenges during post-exploitation are:
■ When attempting to run a process after exploitation, it would show up in the system’s list of running processes. Even attempts at Trojaning the operating system commands would still leave enough trails for the experienced forensics investigator.
Host intrusion detection systems (HIDS) would also raise an alarm if a command prompt is executed on the system.
■ Besides the red flag that would be raised by launching a command shell, the shell itself might be restricted. For instance, if the process is running in a chroot environ-ment, where access to libraries and commands might be severely restricted, or if certain binaries have been removed from the system, it might be extremely difficult to do much damage.
■ Often before launching the exploit, the payload and the specific actions to be exe-cuted are decided.Thus, you would have to decide whether you would like to tunnel a reverse shell back to your system, or add a user on the remote system, or simply run any specific command once the exploit succeeds. But there’s no flexi-bility beyond that.
The Meterpreter is designed to overcome these limitations and provide APIs that would enable the attacker to code various post-exploitation attacks that would run on the
Meterpreter shell.The Meterpreter shell is essentially an attack platform that gets injected into the memory of the running process.Thus it avoids detection by HIDS as well as bypasses the limitations of the operating system’s native command shell. Moreover, it pro-vides APIs with which various actions can be carried out without significantly altering the system state.The built-in commands available with the Meterpreter shell illustrate this by allowing arbitrary commands to be executed on the exploited system, uploading and down-loading various files, as well as configuring port forwarding in a manner similar to Secure Shell’s (SSH’s) port-forwarding mechanism. We discuss Meterpreter much more in depth in Chapter 4.
Payloads
Payloads are pieces of code that get executed on the target system as part of an exploit attempt. A payload is usually a sequence of assembly instructions, which helps achieve a spe-cific post-exploitation objective, such as adding a new user to the remote system, or
launching a command prompt and binding it to a local port.Traditionally, payloads were cre-ated from scratch or by modifying existing pieces of assembly code.This requires an in-depth knowledge not only of assembly programming, but also of the internal workings of the target operating system. But a number of scripts now enable payloads to be developed without needing to modify any assembly code at all.
The MSF comes with a large number of pre-coded payloads, which can simply be plugged into the exploits, thus greatly increasing the flexibility of usage.Therefore, when attacking a Windows system, you have the freedom to choose from a wide array of payloads, including the famous Meterpreter and VNC DLL injection payloads.
The current payloads available within the framework are listed in Table 1.1.
Table 1.1The MSF’s Current Payloads
Name Description
bsd/sparc/shell_bind_tcp Listen for a connection and spawn a command shell
bsd/sparc/shell_reverse_tcp Connect back to attacker and spawn a command shell
bsd/x86/exec Execute an arbitrary command
bsd/x86/exec/bind_tcp Listen for a connection and execute an arbitrary command
bsd/x86/exec/find_tag Use an established connection and execute an arbitrary command
bsd/x86/exec/reverse_tcp Connect back to the attacker and execute an arbitrary command
bsd/x86/shell/bind_tcp Listen for a connection and spawn a command shell
bsd/x86/shell/find_tag Use an established connection and spawn a com-mand shell
bsd/x86/shell/reverse_tcp Connect back to the attacker and spawn a com-mand shell
bsd/x86/shell_bind_tcp Listen for a connection and spawn a command shell
bsd/x86/shell_find_port Spawn a shell on an established connection
Continued
Table 1.1 continuedThe MSF’s Current Payloads
Name Description
bsd/x86/shell_find_tag Spawn a shell on an established connection (proxy/nat safe)
bsd/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell
bsdi/x86/shell/bind_tcp Listen for a connection and spawn a command shell
bsdi/x86/shell/reverse_tcp Connect back to the attacker and spawn a com-mand shell
bsdi/x86/shell_bind_tcp Listen for a connection and spawn a command shell
bsdi/x86/shell_find_port Spawn a shell on an established connection bsdi/x86/shell_reverse_tcp Connect back to attacker and spawn a command
shell
cmd/unix/bind_inetd Listen for a connection and spawn a command shell (persistent)
cmd/unix/bind_perl Listen for a connection and spawn a command shell via perl (persistent)
cmd/unix/generic Executes the supplied command
cmd/unix/interact Interacts with a shell on an established TCP connection
cmd/unix/reverse Creates an interactive shell through two inbound connections
cmd/unix/reverse_bash Creates an interactive shell through two inbound connections
cmd/unix/reverse_perl Creates an interactive shell via perl linux/x86/adduser Create a new user with UID 0
linux/x86/adduser/bind_tcp Listen for a connection and create a new user with UID 0
linux/x86/adduser/find_tag Use an established connection and create a new user with UID 0
linux/x86/adduser/reverse_tcp Connect back to the attacker and create a new user with UID 0
linux/x86/exec Execute an arbitrary command
linux/x86/exec/bind_tcp Listen for a connection and execute an arbitrary command
Continued
Table 1.1 continuedThe MSF’s Current Payloads
Name Description
linux/x86/exec/find_tag Use an established connection and execute an arbitrary command
linux/x86/exec/reverse_tcp Connect back to the attacker and execute an arbitrary command
linux/x86/shell/bind_tcp Listen for a connection and spawn a command shell
linux/x86/shell/find_tag Use an established connection and spawn a com-mand shell
linux/x86/shell/reverse_tcp Connect back to the attacker and spawn a com-mand shell
linux/x86/shell_bind_tcp Listen for a connection and spawn a command shell
linux/x86/shell_find_port Spawn a shell on an established connection linux/x86/shell_find_tag Spawn a shell on an established connection
(proxy/nat safe)
linux/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell
osx/ppc/shell/bind_tcp Listen for a connection and spawn a command shell
osx/ppc/shell/find_tag Use an established connection and spawn a com-mand shell
osx/ppc/shell/reverse_tcp Connect back to the attacker and spawn a com-mand shell
osx/ppc/shell_bind_tcp Listen for a connection and spawn a command shell
osx/ppc/shell_reverse_tcp Connect back to attacker and spawn a command shell
solaris/sparc/shell_bind_tcp Listen for a connection and spawn a command shell
solaris/sparc/shell_find_port Spawn a shell on an established connection solaris/sparc/shell_reverse_tcp Connect back to attacker and spawn a command
shell
solaris/x86/shell_bind_tcp Listen for a connection and spawn a command shell
solaris/x86/shell_find_port Spawn a shell on an established connection
Continued
Table 1.1 continuedThe MSF’s Current Payloads
Name Description
solaris/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell
windows/adduser Create a new user and add them to local admin-istration group
windows/adduser/bind_tcp Listen for a connection and create a new user and add them to local administration group windows/adduser/find_tag Use an established connection and create a new group user and add them to local administration windows/adduser/reverse_http Tunnel communication over HTTP and create a
new user and add them to local administration group
windows/adduser/ Connect back to the attacker and create a new reverse_ord_tcp user and add them to local administration group windows/adduser/reverse_tcp Connect back to the attacker and create a new group user and add them to local administration windows/dllinject/bind_tcp Listen for a connection and inject a custom DLL into the exploited process
windows/dllinject/find_tag Use an established connection and inject a custom DLL into the exploited process
windows/dllinject/reverse_http Tunnel communication over HTTP and inject a custom DLL into the exploited process
windows/dllinject/reverse_ord_tcp Connect back to the attacker and inject a custom DLL into the exploited process
windows/dllinject/reverse_tcp Connect back to the attacker and inject a custom DLL into the exploited process
windows/exec Execute an arbitrary command
windows/exec/bind_tcp Listen for a connection and execute an arbitrary command
windows/exec/find_tag Use an established connection and execute an arbitrary command
windows/exec/reverse_http Tunnel communication over HTTP and execute an arbitrary command
windows/exec/reverse_ord_tcp Connect back to the attacker and execute an arbitrary command
windows/exec/reverse_tcp Connect back to the attacker and execute an arbitrary command
Continued
Table 1.1 continuedThe MSF’s Current Payloads
Name Description
windows/meterpreter/bind_tcp Listen for a connection and inject the meter-preter server DLL
windows/meterpreter/find_tag Use an established connection and inject the meterpreter server DLL
windows/meterpreter/ Tunnel communication over HTTP and inject the reverse_http meterpreter server DLL
windows/meterpreter/reverse_ Connect back to the attacker and inject the
ord_tcp meterpreter server DLL
windows/meterpreter/ Connect back to the attacker and inject the
reverse_tcp meterpreter server DLL
windows/shell/bind_tcp Listen for a connection and spawn a piped com-mand shell
windows/shell/find_tag Use an established connection and spawn a piped command shell
windows/shell/reverse_http Tunnel communication over HTTP and spawn a piped command shell
windows/shell/reverse_ord_tcp Connect back to the attacker and spawn a piped command shell
windows/shell/reverse_tcp Connect back to the attacker and spawn a piped command shell
windows/shell_bind_tcp Listen for a connection and spawn a command shell
windows/shell_reverse_tcp Connect back to attacker and spawn a command shell
windows/upexec/bind_tcp Listen for a connection; uploads an executable and runs it
windows/upexec/find_tag Use an established connection; uploads an exe-cutable and runs it
windows/upexec/reverse_http Tunnel communication over HTTP; uploads an executable and runs it
windows/upexec/reverse_ Connect back to the attacker; uploads an
ord_tcp executable and runs it
windows/upexec/reverse_tcp Connect back to the attacker; uploads an executable and runs it
windows/vncinject/bind_tcp Listen for a connection and inject the VNC server DLL and run it from memory
Continued
Table 1.1 continuedThe MSF’s Current Payloads
Name Description
windows/vncinject/find_tag Use an established connection and inject the VNC server DLL and run it from memory
windows/vncinject/ Tunnel communication over HTTP and inject the reverse_http memory VNC server DLL and run it from memory
windows/vncinject/reverse_ Connect back to the attacker and inject the VNC ord_tcp server DLL and run it from memory
windows/vncinject/reverse_tcp Connect back to the attacker and inject the VNC server DLL and run it from memory
Since payloads are nothing but sequences of assembly instructions often preceded by NOP sleds, it is possible for signatures to be developed to detect these attacks.Thus, payloads need to be encoded and variations of NOP sleds need to be used to evade IDS or IPS detection.The framework provides a list of encoders as well as a number of NOP generators to make the process of detection extremely difficult.
Exploitation
Exploitation involves code that performs a number of key functions, such as:
1. Connecting to the remote system on the vulnerable port.
2. Exchanging initial protocol sequence until the vulnerable fault injection point is reached.
3. Injecting exploit code, which includes instructions for the return address to be modified to point directly or indirectly into our payload, as well as NOP instruc-tions, which increase the chances that our code will eventually be executed.
4. Post-exploitation fun, which could be either connecting to a command prompt bound to a listening port on the compromised system, or connecting to the remote system with the username and password of a user that has been created as part of the exploit process, or it could mean connecting with a GUI client to a remote GUI (such as VNC), which has been injected in step #3.