Practical introduction to using Metasploit


#1

In this guide, I’m going to give a brief introduction to using Metasploit by attacking and compromising a box. This demonstration is using Kali Linux which comes with Metasploit pre-installed, and the target machine is Metasploitable which is an intentionally vulnerable Linux virtual machine.

I am not going to cover the installation or setup of Kali or Metasploitable because it is outside of the scope of this guide, and there are plenty of resources available online. That being said, if you want to replicate this environment, feel free to drop me a PM and I will certainly help you out.

Recon.

This section is technically outside of the scope of this guide as well; however, I felt that it is important because this section determines our actions for the rest of the attack.

Recon is simple here. It’s a basic Nmap scan to see what is available to us. I used the common

nmap -sS -sV -O <target address>

scan to see what ports are reported as open on the target machine.

You can see that there is a plethora of available services at our disposal.

I personally am gravitated to attacking Samba when it’s available, so I can already tell that that’s going to be my starting point for this attack.

Using an auxiliary module to identify the Samba version

The nmap scan reads that the target machine is running Samba smbd 3.x - 4.x (workgroup: WORKGROUP). That isn’t enough information for us to actually identify a vulnerability and choose an exploit.

So first things first, let's load up Metasploit with the command msfconsole.

Now let’s load the auxiliary module that comes packaged with Metasploit that can often identify the version of Samba that is running on the remote machine.

The module is located at scanner/smb/smb_version. We are going to use the use command in Metasploit to load a module.

The use command is how we will load Metasploit modules such as auxiliary modules and exploits so that we can use them within Metasploit. So load up the module using the use command:

use scanner/smb/smb_version

Our command prompt changes to represent the module that we have loaded.

Now we use the command show options to see what the different options are that we have with that particular module.

From the output, it looks like all we need to set is the “RHOSTS”. This is the Remote HOSTS.

So we use the command set to set the RHOSTS option.

set RHOSTS <target IP address>

and we use the command run to run the module.

The “smb_version” script successfully identifies the remote Samba version as 3.0.2-Debian.

Finding and choosing a metasploit exploit

We can use the search command in Metasploit and see if there is an exploit that targets that version.

search Samba 3.0.20

Nothing stands out as being a perfect exploit for this attack. From here we do a little bit more reconnaissance (searching Exploit-DB) to see whether that version of Samba has any other vulnerabilities. Our search turns up that it is vulnerable to the “usermap_script” vulnerability.

We can use the back command to leave the auxiliary module we loaded earlier, and again use the use command to load up our exploit. The exploit was available in the search from before so we load it with:

use exploit/multi/samba/usermap_script

Use the show options command again to see what it needs from us.

show options

Again it looks like a simple exploit, and all we need to set is the RHOSTS (which is the Remote HOSTS, or the target server's IP address).

So, let's use the set command again to set the RHOSTS option to the address of our target machine, and since there isn't anything more for us to do, we can go ahead and fire the exploit with the exploit command.

As you can see by the message “Command shell session opened” the exploit was successful. It’s a bit hard to tell, but we are actually sitting on a shell on the remote machine.

I’m going to send the bash command whoami to see what user I am running as.

Welp, we're running as root, so let's get some information out of the system with cat /etc/shadow

At this point the box is owned. So let’s be dicks.

Summary

This example is clearly a watered down attack on a remote system. It's unlikely that things would ever go this smoothly right off the bat, and I had the advantage of already knowing the ways that this system was going to be vulnerable. That being said, we still learned the core concepts of using Metasploit.

use           Selects a module by name
back          Move back from the current context
set           Sets a context-specific variable to a value
show          Displays modules of a given type, or all modules
run           Run an Auxiliary module
exploit       Fire the selected exploit
search        Search the Metasploit internal database for a string

Any questions, or if you think I have missed something please let me know!
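The exploit module used in the post above is named after Samba's `username map script` smb.conf setting, so the first thing a defender would check on an smbd host is whether that option is configured at all. The following audit script is an added example, not code from the original post; the sample smb.conf text and the function names are constructed for it.

```python
# Added example (not from the original post): audit an smb.conf for the
# 'username map script' option, which the usermap_script module is named
# after. Sample config and function names are constructed for this example.
import re

# Constructed sample smb.conf; the 'username map script' line is the finding.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba %v)
   ; map incoming names through a script
   username map script = /etc/samba/scripts/mapusers.sh
   security = user

[tmp]
   path = /tmp
   guest ok = yes
"""

def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}.
    Samba compares keys case-insensitively and ignores whitespace inside
    them, so keys are normalised the same way; '#' and ';' begin comments.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def audit_username_map_script(text):
    """Return finding strings for the config; an empty list means clean."""
    script = parse_smb_conf(text).get("global", {}).get("usernamemapscript")
    if not script:
        return []
    return [f"[global] username map script = {script}: remove the option "
            "or upgrade smbd; it is the setting the usermap_script module targets"]

if __name__ == "__main__":
    for finding in audit_username_map_script(SAMPLE_SMB_CONF) or ["no findings"]:
        print(finding)
```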


#2

Oh I’ve got questions but I feel that I would have to pay you a tuition fee for the time needed to explain it all to me :joy: Really cool stuff! Thanks for taking the time to post it and explain the steps.


#3

Glad it was interesting. Hope you were able to gain something from it anyways :slight_smile:


#4

Feel free to share. I am sure many of us (at least I) have those same questions. Let’s discuss!