Fyodor at www.insecure.org held a poll of all Nmap users to vote for their favorite security tools. This list is available at www.sectools.org, and includes such venerable tools as Ethereal (now known as Wireshark) and Nessus. Not surprisingly, Metasploit appeared at no. 5 on the list, which is remarkable, because no new tool has ever debuted in the top 15 of this list. With over 50,000 downloads, Metasploit is guaran-teed to hold a top 5 slot for the next few years.
So, for instance, if we are attempting to launch the Windows SMB exploit, we could portscan a range of hosts with the db_nmap –p 445 192.168.0.1/24command.Then matching exploits could be executed against potentially vulnerable systems with the db_autopwn –e command.The default payload is the generic bind shell, and the various ses-sions on the exploited systems can be accessed using the sesses-sions –i [ID] command, where ID is the specific session that you wish to interact with. Use Ctrl+C to kill a shell and Ctrl+Z to detach from a shell.You can use the jobs command to list and kill any remaining exploit sessions.
Other commands to manage the database are:
■ db_add_host Adds one or more hosts to the database
■ db_add_port Adds a port to the host
■ db_hosts Lists all of the hosts in the database
■ db_services Lists all of the services in the database
■ db_vulns Lists all of the vulnerabilities in the database
Summary
By decoupling the exploits from the payloads, Metasploit allows developers and attackers much greater flexibility in post-exploitation scenarios.The Meterpreter avoids the limita-tions of launching a command shell on the remote system. By injecting itself into the con-text of the exploited process, it avoids executing a new process or sub-process and maintains the stealthiness of the attack. It comes with built-in commands and extensions that allow obtaining system information, configuring port forwarding, as well as uploading and exe-cuting binaries and DLLs.The VNC DLL injection payloads enable remote GUI access to the Windows system. Although not the stealthiest of options, obtaining the GUI ensures greater ease in using this system to then pivot onto other systems within the internal net-work. PassiveX payloads creatively exploit the power of ActiveX to launch Internet Explorer, connect to the temporary Web server started by the MSF, and download an exploitation ActiveX control.The pre-configured proxy settings on Internet Explorer ensure that the probability of successful connections is much higher. Finally, the auxiliary module system combined with the database plugins allow the framework to execute all the steps in the pen-etration testing lifecycle—scanning ports, fingerprinting remote systems, reading in vulnera-bility scan outputs from Nessus, matching systems to available exploits, executing those exploits, managing the multiple exploit sessions, and storing all of this information in a database.
Solutions Fast Track
Meterpreter
The usual tactic of launching a command shell on the remote system after exploitation is fraught with limitations. It launches an additional process and increases chances of detection, commands that can be executed might be limited if the system has been hardened, or the command shell itself may not be available if the vulnerable process is executing in a chrootenvironment
The Meterpreter is a type of command or code execution platform that is injected into the context of the vulnerable process.
It allows any DLL to be uploaded and executed. Built-in commands allow extracting system information.
VNC Inject
On a Windows system, ease of exploitation comes from having remote GUI access.
The VNC DLL injection payloads accomplish this by injecting the VNC DLL into the context of the running process, which is being exploited
This is not very stealthy, but the courtesy command shell executed by the payload allows exploitation, even when the remote system screen has been locked out.
PassiveX
PassiveX payloads patch the remote system’s registry and launch Internet Explorer, connecting to a temporary Web server started by the MSF.
The pre-configured proxy settings on Internet Explorer ensure greater chance of a successful connection.
Once connected, any user-coded or pre-supplied ActiveX control can be downloaded and executed.
Auxiliary Modules
Auxiliary modules consist of exploits without payloads and of modules that enhance the functionality of the MSF.
This includes recon modules that perform remote system scanning and fingerprinting.
Notable are the UDP scanning and Windows SMB fingerprinting modules. Single or user-specified ranges can be targeted.
Automating the Pen-Test
The framework now comes with database support through plugins. Once the plugin has been loaded, a connection is established to the database.
You can import Nessus or Nmap results into the database, or execute Nmap and store results into the database.
The autopwn command can be used to match discovered systems with available exploits, and launch attacks against these systems
You can interact with multiple sessions using the sessionscommand, and kill sessions with the jobscommand.
Q: Of the various payload options available, which one should I use?
A: Chances are that you will usually get only one shot at launching and successfully exe-cuting your exploit, so the selection of a payload is very important.Your objective should be to get maximum mileage, while at the same time avoiding detection as much as pos-sible. In this regard, the Meterpreter might be your best bet. It executes within the con-text of the vulnerable process, and encrypts communication between client and server.
Moreover, if you have a programming background, you could code your chosen task and compile it as a DLL.You could then upload and execute this DLL or any binary through Meterpreter.The VNC DLL will open up a GUI, which increases the speed at which you can pivot onto other systems. It also increases the chances of being detected, since any mouse or keyboard action you execute on the remote system will also show up on the console of the remote system. If you are very sure that no one would be monitoring the system console, or would be connected to VNC at the same time, you could go ahead and use this payload. If your objective is only proof of concept, you may be best suited by using a payload that will simply run a command (windows/exec, /bsd/x86/exec, cmd/unix/generic or /linux/x86/exec).To leave your mark on the system, you could create a local file in a specific location.
Q: How easily can I customize the Meterpreter and PassiveX payloads?
A: The Meterpreter supports any language that can compile code into a DLL. Once you understand the simple Type-Length-Value protocol specification required by the
Meterpreter, you can easily create extensions.These can then be uploaded and executed on the fly on the remote system.
For PassiveX payloads, you could write your own ActiveX control and have that loaded by the Internet Explorer of the remote system.
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.
syngress.com/solutionsand click on the “Ask the Author”form.
105