In this guide, I’m going to give a brief introduction to using Metasploit by attacking and compromising a box. The demonstration uses Kali Linux, which comes with Metasploit pre-installed, and the target machine is Metasploitable, an intentionally vulnerable Linux virtual machine.
I am not going to cover the installation or setup of Kali or Metasploitable because it is outside of the scope of this guide, and there are plenty of resources available online. That being said, if you want to replicate this environment, feel free to drop me a PM and I will certainly help you out.
This section is technically outside the scope of this guide as well; however, I felt it is important because it determines our actions for the rest of the attack.
Recon is simple here. It’s a basic Nmap scan to see what is available to us. I used the common
nmap -sS -sV -O <target address>
scan to see which ports are reported as open on the target machine.
You can see that there is a plethora of available services at our disposal.
I personally gravitate toward attacking Samba when it’s available, so I can already tell that it’s going to be my starting point for this attack.
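As an added example (not part of the original post), the following Python script parses Nmap’s XML output (the -oX form of the scan above) into a per-port inventory and flags any service whose version string is a range or wildcard guess such as "3.X - 4.X", which is exactly the situation that forces the finer-grained fingerprinting in the next section. The XML is a constructed sample, with 192.0.2.10 standing in for the target; the function names are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML (-oX) output; this is not the scan from the
# original post. Port 8180 is included as a closed port to show it is skipped.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX scan.xml 192.0.2.10">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="open"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X"
                 extrainfo="workgroup: WORKGROUP"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X"
                 extrainfo="workgroup: WORKGROUP"/>
      </port>
      <port protocol="tcp" portid="8180">
        <state state="closed"/>
        <service name="unknown"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# A version such as "3.X - 4.X", "2.x" or an empty string is a guess from
# Nmap's probe database rather than a precise fingerprint.
VAGUE_VERSION = re.compile(r"[xX]\b|\s-\s|^$")


def parse_nmap_xml(xml_text):
    """Return one dict per OPEN port with address, port, proto, service,
    product, version and a needs_fingerprint flag for vague versions."""
    root = ET.fromstring(xml_text)
    inventory = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports belong in the inventory
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            product = svc.get("product", "") if svc is not None else ""
            version = svc.get("version", "") if svc is not None else ""
            inventory.append({
                "address": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": name,
                "product": product,
                "version": version,
                "needs_fingerprint": bool(VAGUE_VERSION.search(version)),
            })
    return inventory


def services_needing_fingerprint(inventory):
    """Entries whose version Nmap could not pin down; follow up with a
    protocol-specific scanner (e.g. smb_version for Samba)."""
    return [e for e in inventory if e["needs_fingerprint"]]


if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_NMAP_XML)
    for e in inv:
        flag = "  <- needs fingerprinting" if e["needs_fingerprint"] else ""
        print(f"{e['address']}:{e['port']}/{e['proto']} {e['service']} "
              f"{e['product']} {e['version']}{flag}")
```

Feed it a real scan with nmap -sS -sV -O -oX scan.xml <target address> and read the file in place of SAMPLE_NMAP_XML; the entries it flags are the ones worth a second, protocol-aware look rather than a search on the guessed version range.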
Using an auxiliary module to identify the Samba version
The Nmap scan reports that the target machine is running Samba smbd 3.x - 4.x (workgroup: WORKGROUP). That isn’t enough information for us to actually identify a vulnerability and choose an exploit.
So, first things first, let’s load up Metasploit with the command
Now let’s load the auxiliary module that comes packaged with Metasploit and can often identify the version of Samba running on the remote machine. The module is located at scanner/smb/smb_version. The use command is how we load Metasploit modules, such as auxiliary modules and exploits, so that we can work with them inside Metasploit. So load up the module using the use command:
Our command prompt changes to represent the module that we have loaded.
Now we use the command show options to see which options we have with that particular module.
From the output, it looks like all we need to set is RHOSTS, which is the remote host(s) to scan.
So we use the set command to set the RHOSTS option:
set RHOSTS <target IP address>
and we use the run command to run the module.
The smb_version scanner successfully identifies the remote Samba version as 3.0.20-Debian.
Finding and choosing a Metasploit exploit
We can use the search command in Metasploit to see if there is an exploit that targets that version:
search Samba 3.0.20
Nothing stands out as a perfect exploit for this attack. From here we do a little more reconnaissance (searching Exploit-DB) to see whether that version of Samba has any other vulnerabilities. Our search turns up that it is vulnerable to the “usermap_script” vulnerability.
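What makes this version exploitable is a configuration option as much as the version number: the usermap_script issue only applies when smb.conf enables "username map script", which hands the client-supplied user name to an external shell script, so disabling that option (or patching Samba) removes the exposure. As an added example (not from the original post), here is a small Python audit that parses an smb.conf, reports the option if it is set in [global], and produces a hardened copy with the directive commented out. The config text is a constructed sample; the script path inside it and the function names are my own.

```python
import re
from typing import Dict, List

# Constructed smb.conf fragment (not the target's real configuration). The
# [global] section enables "username map script", the option that the
# usermap_script exploit module depends on.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba, Ubuntu)
   ; hand user names to an external script before mapping them
   username map script = /etc/samba/scripts/mapusers.sh
   security = user

[printers]
   path = /var/spool/samba
"""

RISKY_OPTION = "username map script"

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
OPTION_RE = re.compile(r"^\s*(?P<key>[^=;#]+?)\s*=\s*(?P<value>.*?)\s*$")


def _norm_key(key: str) -> str:
    # Samba treats option names case-insensitively and ignores extra spaces.
    return " ".join(key.lower().split())


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf into {section: {option: value}}, skipping comments."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in ";#":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip().lower()
            sections.setdefault(current, {})
            continue
        m = OPTION_RE.match(line)
        if m and current is not None:
            sections[current][_norm_key(m.group("key"))] = m.group("value")
    return sections


def audit_username_map_script(text: str) -> List[str]:
    """Return a finding per risky setting; an empty list means none found."""
    findings = []
    conf = parse_smb_conf(text)
    script = conf.get("global", {}).get(RISKY_OPTION)
    if script:
        findings.append(
            f"[global] {RISKY_OPTION} = {script}: client-controlled user names "
            f"are passed to an external script; disable unless required and "
            f"keep Samba patched")
    return findings


def remove_username_map_script(text: str) -> str:
    """Hardened copy of the config with the directive commented out."""
    out = []
    for line in text.splitlines():
        m = OPTION_RE.match(line)
        if m and _norm_key(m.group("key")) == RISKY_OPTION:
            out.append("; " + line.strip() + "   (disabled by audit)")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_username_map_script(SAMPLE_SMB_CONF):
        print("FINDING:", finding)
    print(remove_username_map_script(SAMPLE_SMB_CONF))
```

Run it against /etc/samba/smb.conf on a host you administer by reading the file in place of SAMPLE_SMB_CONF; an empty findings list together with an up-to-date Samba package is what closes this particular door.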
We can use the back command to leave the auxiliary module we loaded earlier, and again use the use command to load our exploit. The exploit was available in the search from before, so we load it with:
Then we use the show options command again to see what it needs from us.
Again it looks like a simple exploit, and all we need to set is RHOSTS (the remote host, i.e. the target server’s IP address).
So, let’s use the set command again to set the RHOSTS option to the address of our target machine, and since there isn’t anything more for us to do, we can go ahead and fire the exploit with the exploit command.
As you can see from the message “Command shell session opened”, the exploit was successful. It’s a bit hard to tell, but we are actually sitting on a shell on the remote machine.
I’m going to send the bash command whoami to see which user I am running as.
Welp, we’re running as root, so let’s get some information out of the system with
At this point the box is owned. So let’s be dicks.
This example is clearly a watered-down attack on a remote system. It’s unlikely that things would ever go this smoothly right off the bat, and I had the advantage of already knowing how this system was going to be vulnerable. That being said, we still covered the core concepts of using Metasploit.
The commands we used:
use       Selects a module by name
back      Move back from the current context
set       Sets a context-specific variable to a value
show      Displays modules of a given type, or all modules
run       Run an auxiliary module
exploit   Fire the selected exploit
search    Search the Metasploit internal database for a string
Any questions, or if you think I have missed something please let me know!