8 min read

(For more resources related to this topic, see here.)

In the IT industry, we have various flavors of operating systems ranging from Mac, Windows, *nix platforms, and other server operating systems, which run an n number of services depending on the needs of the organization. When given a task to assess the risk factor of any organization, it becomes very tedious to run single code snippets against these systems. What if, due to some hardware failure, all these code snippets are lost? Enter Metasploit.

Metasploit is an exploit development framework started by H. D. Moore in 2003, which was later acquired by Rapid7. It is basically a tool for the development of exploits and the testing of these exploits on live targets. This framework has been completely written using Ruby,and is currently one of the largest frameworks ever written in the Ruby language. The tool houses more than 800 exploits in its repository and hundreds of payloads for each exploit. This also contains various encoders, which help us in the obfuscation of exploits to evade the antivirus and other intrusion detection systems ( IDS ). As we progress in this book, we shall uncover more and more features of this tool.

This tool can be used for penetration testing, risk assessment, vulnerability research, and other security developmental practices such as IDS and the intrusion prevention system ( IPS ).

Top features you need to know about

After learning about the basics of the Metasploit framework, in this article we will find out the top features of Metasploit and learn some of the attack scenarios. This article will be a flow of the following features:

  • The meterpreter module
  • Using auxiliary modules in Metasploit
  • Client-side attacks with auxiliary modules

The meterpreter module

In the earlier article, we have seen how to open up a meterpreter session in Metasploit. But in this article, we shall see the features of the meterpreter module and its command set in detail. Before we see the working example, let’s see why meterpreter is used in exploitation:

  • It doesn’t create a new process in the target system
  • It runs in the context of the process that is being exploited
  • It performs multiple tasks in one go; that is, you don’t have to create separate requests for each individual task
  • It supports scripts writing

Let’s check out what the meterpreter shell looks like. Meterpreter allows you to provide commands and obtain results.

Let’s see the list of commands that are available to use under meterpreter. These can be obtained by typing help in the meterpreter command shell.

The syntax for this command is as follows:

meterpreter>help

The following screenshot represents the core commands:

The filesystem commands are as follows:

The networking commands are as follows:

The system commands are as follows:

The user interface commands are as follows:

The other miscellaneous commands are as follows:

As you can see in the preceding screenshots, meterpreter has two sets of commands set apart from its core set of commands. They are as follows:

  • Stdapi
  • Priv

The Stdapi command set contains various commands for the filesystem commands, networking commands, system commands, and user-interface commands. Depending on the exploit, if it can get higher privileges, the priv command set is loaded. By default, the stdapi command set and core command set gets loaded irrespective of the privilege an exploit gets.

Let’s check out the route command from the meterpreter stdapi command set.

The syntax is as follows:

meterpreter>route [–h] command [args]

In the following screenshot, we can see the list of all the routes on the target machine:

In a scenario where we wish to add other subnets and gateways we can use the concept of pivoting, where we add a couple of routes for optimizing the attack. The following are the commands supported by the route:

Add [subnet] [netmask] [gateway]
Delete [subnet] [netmask] [gateway] 
List

Another command that helps during pivoting is port-forwarding. Meterpreter supports port forwarding via the following command.

The syntax for this command is as follows:

meterpreter>portfwd [-h] [add/delete/list] [args]

As soon as an attacker breaks into any system, the first thing that he/she does is check what privilege levels he/she has to access the system. Meterpreter provides a command for working out the privilege level after breaking into the system.

The syntax for this command is as follows:

meterpreter>getuid

The following screenshot demonstrates the working of getuid in meterpreter. In the following screenshot, the attacker is accessing the system with the SYSTEM privilege. In a Windows environment, the SYSTEM privilege is the highest possible privilege available.

Suppose we failed to get access to the system as a SYSTEM user, but succeeded in getting access via the administrator, then meterpreter provides you with many ways to elevate your access levels. This is called privilege escalation. The commands are as follows:

  • Syntax: meterpreter>getsystem
  • Syntax: meterpreter>migrate process_id
  • Syntax: meterpreter>steal_token process_id

The first method uses an internal procedure within the meterpreter to gain the system access, whereas in the second method, we are migrating to a process that is running with a SYSTEM privilege. In this case, the exploit by default gets loaded in any process space of the Windows operating system. But, there is always a possibility that the user clears that process space by deleting that process from the process manager. In a case like this, it’s wise to migrate to a process which is usually untouched by the user. This helps in maintaining a prolonged access to the victim machine. In the third method, we are actually impersonating a process which is running as a SYSTEM privileged process. This is called impersonation via token stealing.

Basically, Windows assigns users with a unique ID called Secure Identifier (SID). Each thread holds a token containing information about the privilege levels. Impersonating a token happens when one particular thread temporarily assumes the identity of another process in the same system.

We have seen the usage of process IDs in the preceding commands, but how do we fetch the process ID? That is exactly what we I shall be covering in this article. Windows runs various processes and the exploit itself will be running in the process space of the Windows system. To list all these processes with their PIDs and the privilege levels, we use the following meterpreter command:

meterpreter>ps

The following screenshot gives a clear picture of the ps command:

In the preceding screenshot, we have the PIDs listed. We can use these PIDs to escalate our privileges. Once you steal a token, it can be dropped using the Drop_token command.

The syntax for this command is as follows:

meterpreter>drop_token

Another interesting command from the stdapi set is the shell command. This spawns a shell in the target system and enables us to navigate through the system effortlessly.

The syntax for this command is as follows:

meterpreter>shell

The following screenshot shows the usage of the shell command:

The preceding screenshot shows that we are inside the target system. All the usual windows command shell scripts such as dir, cd, and md work here.

After briefly covering system commands, let’s start learning the filesystem commands. A filesystem contains a working directory. To find out the current working directory in the target system, we use the following command:

meterpreter>pwd

The following screenshot shows the command in action:

Suppose you wish to search for different files on the target system, then we can use a command called search. The syntax for this command is as follows:

meterpreter> search [-d dir][-r recurse] –f pattern

Various options available under the search command are:

  • -d: This is the directory to begin the search. If nothing is specified, then it searches all drives.
  • -f: The pattern that we would like to search for. For example, *.pdf.
  • -h: Provides the help context.
  • -r: Used when we need to recursively search the subdirectories. By default this is set to true.

Once we get the file we need, we use the download command to download it to our drive.

The syntax for this command is as follows:

meterpreter>download Full_relative_path

By now we have covered the core commands, system commands, networking commands, and filesystem commands. The last article of the stdapi command set is the user-interface commands. The most commonly used commands are the keylogging commands. These commands are very effective in sniffing user account credentials:

  • Syntax: meterpreter>keyscan_start
  • Syntax: meterpreter>keyscan_dump
  • Syntax: meterpreter>keyscan_stop

This is the procedure of the usage of this command. The following screenshot explains the commands in action:

The communication between the meterpreter and its targets is done via type-length-value. This means that the data is getting transferred in an encrypted manner. This leads to multiple channels of communications. The advantage of this is that multiple programs can communicate with an attacker. The creation of channels is illustrated in the following screenshot:

The syntax for this command is as follows:

meterpreter>execute process_name –c

-c is the parameter that tells the meterpreter to channel the input/output. When the attack requires us to interact with multiple processes then the concept of channels comes in handy as a tool for the attacker. The close command is used to exit a channel.

Summary

In this article we learned what is Metaspoilt and also saw one of its top feature.

Resources for Article:

Further resources on this subject:

Packt

LEAVE A REPLY

Please enter your comment!
Please enter your name here