Mutt
Professional
- Messages
- 1,419
- Reaction score
- 989
- Points
- 113
Penetration testing allows you to answer the question of how someone with malicious intent could tamper with your network. Using penetration testing tools, white-hat hackers and security professionals can, at any stage of development or deployment, examine networks and applications for flaws and vulnerabilities by compromising the system.
One of such pentesting tools is the Metasploit project. Built in Ruby, this open source framework allows testing using the command line or GUI. It can be extended by creating your own multilingual add-ins.
Consider the following security testing steps found in almost any penetration testing project:
Stage 1. Statement of the problem
Testing the security of any IT infrastructure begins with setting a problem. In our case, we will restrict ourselves to searching for the maximum number of real vulnerabilities that can be exploited by potential attackers who have physical access to an organization's computer network.
To demonstrate how some modules work, this article will show the results of running them against an educational goal such as Metasploitable 2. Metasploitable 2 is a Linux virtual machine containing a host of vulnerable services. It is the de facto standard for training beginner security testers.
Stage 2. Gathering information and finding targets
To conduct security testing, specialists are provided with access to the enterprise network. During the preliminary collection, nodes are scanned, computer names are determined, public network folders and critical resources are discovered.
Port scan
Port scans can be performed using the db_nmap command, a wrapper utility for nmap in the Metasploit Framework that allows you to save scan results to a database.
It must be remembered that if we do not explicitly set the port range, then 1000 of the most common ports will be scanned, if we specify the -F switch, then 100, and if -p-, then all 65535.
From the results of the port scan, we can find out not only which network ports are open, but also the versions of services if we used the -sV switch, as well as the presumptive version of the operating system (-O switch).
After completing the network scan, it makes sense to unload the data from the Metasploit database using the db_export command and import the resulting xml file into MS Excel or LibreOffice Calc. In the future, this file can be used to search for nodes with specific ports and keep working notes with the test results for each node.
Search for shared network folders
As we discussed above, public network folders can contain a ton of useful information for an attacker. It makes sense to search for these folders both with an anonymous account (empty login / empty password) and with a regular user account.
To search for SMB resources, you need to use the auxiliary / scanner / smb / smb_enumshares module, and for NFS: auxiliary / scanner / nfs / nfsmount.
Search DBMS
To search for MS SQL DBMS, it makes sense to use the auxiliary / scanner / mssql / mssql_ping module, since it allows you not only to detect DBMS servers on the open UDP port 1434, but also to determine the TCP port on which the database is waiting for a connection.
Determining NetBIOS Names
It is often useful to define NetBIOS names, as they can also contain useful information (for example, which system a particular node belongs to). To do this, you can use the auxiliary / scanner / netbios / nbname module.
Stage 3. Search for vulnerabilities
First, let's look at the main methods for identifying vulnerabilities, which are presented in the following table:
# MethodVulnerability typeExamples1Vulnerability identification by product versionPublishedDetermination of the product version using a network service banner and search for information about known vulnerabilities in an Internet search engine2Attempted exploitationConfiguration errors, published vulnerabilitiesAn attempt to connect to a Windows system through a zero session and unload a list of user accounts.
Launching an exploit against a network service without first analyzing its compliance with this service.
Attempting to intercept traffic using arp-poisoning
3 Configuration analysis Configuration errors,
published vulnerabilities
Analyzing the contents of the Windows registry4 Reverse engineeringZero-day vulnerabilitiesDisassembling an executable file in order to study the logic of program execution and working with data5Analysis of the source codeZero-day vulnerabilitiesSearch in php code for fragments related to filtering user input in order to bypass filtering rules and injecting JavaScript code6FuzzingZero-day vulnerabilitiesInput into web-form of various variants of SQL queries and analysis of received error messages
From this list, the Metasploit Framework contains modules for implementing the "Attempt to exploit", "Fuzzing" and partially "Determination of vulnerabilities by product version" methods.
"Vulnerability identification by product version" is not fully implemented in the Metasploit Framework, since vulnerability scanners are primarily used to automatically identify potential vulnerabilities. However, it is worth noting that some of the exploits in the Metasploit Framework support a check method that can be used to determine if a vulnerability is present before exploiting it.
If you do not have a vulnerability scanner at hand like the one included in Scanner-VS, which can run about 60 thousand checks in tens of minutes, including for domestic solutions and information security tools, you will have to conduct an analysis manually.
For manual vulnerability analysis, the data on the versions of network services obtained at the previous stage during the port scan is suitable. A security testing specialist, forming Google search queries of the type "service version" + vulnerability + exploit, finds pages with descriptions of vulnerabilities and exploits.
Known Vulnerability Databases:
For example, after analyzing the results of a Metasploitable 2 port scan, we can find that Very Secure FTP Daemon (VSFTPD) version 2.3.4 is waiting on port 21 for connections. A simple Google search for vulnerabilities in this version of the FTP server will lead us to find out that some funny guy has inserted a bookmark called "smiley face backdoor". The principle of using the program bookmark is simple: during authorization, you need to use the smiley "
" in the username, after which port 6200 will open on the remote machine with a command shell with administrator rights. The username and password you enter can be anything.
The Metasploit Framework includes a set of modules for fuzzing implementations of such protocols as dns, ftp, http, smb, smtp, ssh, etc. These modules are available at auxiliary / fuzzers /.
It should be noted that since security testing projects are usually limited to a period of 2-3 weeks, experts limit themselves to automated and manual searches for vulnerabilities by version, as well as exploitation attempts.
Stage 4. Operation and attack
To exploit vulnerabilities in network services and application software, exploits from the exploit section of the Metasploit Framework are used. At the moment, the number of ready-to-use exploits in the Metasploit Framework is already approaching two thousand.
Suitable exploits can be found using the search command by CVE code, service name or version (for example, search vsftpd).
When exploiting a vulnerability, a so-called payload is specified. A payload is code that runs on a compromised machine. The Metasploit Framework has various payloads: remote command line, account creation, booting the remote administration system, and so on. The command line is often the most convenient to use. Moreover, the Metasploit Framework has a dynamically expandable payload - Meterpreter, but it deserves a separate article.
Continuing the analysis of the vsftpd example, let's run the found exploit and gain remote access to the command line with administrator rights.
There is only one payload variant for this exploit, which is used by default:
Exploit launch:
Password guessing
The most dangerous attack for decades has been password guessing. The Metasploit Framework contains many modules designed to carry out such attacks. The following table lists the modules that are most commonly encountered during security testing.
# Protocol / Application Module Path 1smbauxiliary / scanner / smb / smb_login2ftpauxiliary / scanner / ftp / anonymous
auxiliary / scanner / ftp / ftp_login
3sshauxiliary / scanner / ssh / ssh_login4telnetauxiliary / scanner / telnet / telnet_login5postgresqlauxiliary / scanner / postgres / postgres_login6mysqlauxiliary / scanner / mysql / mysql_login7oracleauxiliary / admin / oracle / oracle_login8tomcatiliary / scanner
A complete list of similar Metasploit Framework modules can be obtained by typing the search login command.
It should be noted that most modules require specifying a list of accounts and passwords to be checked, but some already contain ready-made lists of default values that are useful to use.
Let's pick the default passwords for PostgreSQL and Apache Tomcat installed on Metasploitable 2:
The Metasploit Framework contains modules for carrying out specific computer attacks. In this article, we will limit ourselves to considering a few of the most common ones.
ARP poisoning
In the course of this attack, the attacker tries to "spoil" (to poison) the ARP tables of two hosts, the traffic between which he wants to intercept. Often, an attack is carried out against the workstation of a specific user (system administrator, chief accountant, etc.) and a domain controller or router. After "corrupting" the ARP tables, both victim nodes forward network packets to each other through the attacker's computer. An attacker, launching a sniffer, intercepts data of interest, for example, authentication sessions with password hashes.
To carry out the arp-poisoning attack in the Metasploit Framework, you can use the module:
Pass-the-hash
The peculiarity of the NTLM protocol implementation is that you do not need to know the password for successful authorization, you just need to have a password hash and an account name. Any operating system that uses the NTLM protocol can be affected by this vulnerability.
A pass-the-hash attack can be carried out using the exploit / windows / smb / psexec module.
As a result of this phase of security testing, we have a list of vulnerabilities that can actually be exploited by intruders, and remotely. As a result of launching exploits and conducting attacks, we have access to various systems, as well as information about compromised accounts.
Important note.
Running exploits can easily lead to the unavailability of a service or an entire network node. To minimize the negative consequences of such tests, security testing specialists:
Stage 5. Expansion of the zone of influence and escalation of privileges
Often, having access to a system allows you to extend it to other systems. Sometimes escalation of privileges is also possible, allowing a regular user to become an administrator.
Let's consider two typical situations, knowledge of which makes it easier to conduct security testing.
Users using the same passwords
Users like to use the same passwords in different systems, so it is advisable to check once matched login: password pairs in all available systems.
IT Pros Forgetting to Remove Critical Data from Test Environment
In large organizations, serious systems usually have a test environment in which to work out changes, train users, and so on. Test environments are very often created by restoring from backups of production environments, and since they are test environments, information security issues are not always given due attention. So, for example, they can create an administrator account with an easily guessed password or not install critical operating system updates. Security testing specialists, having gained access to the test environment, unload user data (logins / password hashes), which for the most part correspond to those used in the combat system.
Post-Exploitation Modules in the Metasploit Framework
The Metasploit Framework has a set of so-called post-exploitation modules that allow you to solve the following tasks for expanding access and elevating privileges:
Stage 6. Development of the report
If the results of security testing are of interest not only to the system administrator himself, then it makes sense to prepare a high-quality report.
The main component of the report is information about vulnerabilities, which, as a rule, is presented in the following structured form:
Conclusion
We looked at using the Metasploit Framework for self-administration for security testing by administrators and verified the availability and effectiveness of the tool. Most of the "pain points" can be easily checked thanks to the wide range of modules of this framework. The only area of concern for security testing solely for the Metasploit Framework is the laborious manual search for vulnerabilities, but this issue can be resolved by using a vulnerability scanner.
Thanks for attention!
One of such pentesting tools is the Metasploit project. Built in Ruby, this open source framework allows testing using the command line or GUI. It can be extended by creating your own multilingual add-ins.
Consider the following security testing steps found in almost any penetration testing project:
- Formulation of the problem
- Collecting information and finding targets
- Search for vulnerabilities
- Exploitation and attack
- Expansion of the zone of influence and escalation of privileges
- Report development
Stage 1. Statement of the problem
Testing the security of any IT infrastructure begins with setting a problem. In our case, we will restrict ourselves to searching for the maximum number of real vulnerabilities that can be exploited by potential attackers who have physical access to an organization's computer network.
To demonstrate how some modules work, this article will show the results of running them against an educational goal such as Metasploitable 2. Metasploitable 2 is a Linux virtual machine containing a host of vulnerable services. It is the de facto standard for training beginner security testers.
Stage 2. Gathering information and finding targets
To conduct security testing, specialists are provided with access to the enterprise network. During the preliminary collection, nodes are scanned, computer names are determined, public network folders and critical resources are discovered.
Port scan
Port scans can be performed using the db_nmap command, a wrapper utility for nmap in the Metasploit Framework that allows you to save scan results to a database.
It must be remembered that if we do not explicitly set the port range, then 1000 of the most common ports will be scanned, if we specify the -F switch, then 100, and if -p-, then all 65535.
From the results of the port scan, we can find out not only which network ports are open, but also the versions of services if we used the -sV switch, as well as the presumptive version of the operating system (-O switch).
After completing the network scan, it makes sense to unload the data from the Metasploit database using the db_export command and import the resulting xml file into MS Excel or LibreOffice Calc. In the future, this file can be used to search for nodes with specific ports and keep working notes with the test results for each node.
Search for shared network folders
As we discussed above, public network folders can contain a ton of useful information for an attacker. It makes sense to search for these folders both with an anonymous account (empty login / empty password) and with a regular user account.
To search for SMB resources, you need to use the auxiliary / scanner / smb / smb_enumshares module, and for NFS: auxiliary / scanner / nfs / nfsmount.
Search DBMS
To search for MS SQL DBMS, it makes sense to use the auxiliary / scanner / mssql / mssql_ping module, since it allows you not only to detect DBMS servers on the open UDP port 1434, but also to determine the TCP port on which the database is waiting for a connection.
Determining NetBIOS Names
It is often useful to define NetBIOS names, as they can also contain useful information (for example, which system a particular node belongs to). To do this, you can use the auxiliary / scanner / netbios / nbname module.
Stage 3. Search for vulnerabilities
First, let's look at the main methods for identifying vulnerabilities, which are presented in the following table:
# MethodVulnerability typeExamples1Vulnerability identification by product versionPublishedDetermination of the product version using a network service banner and search for information about known vulnerabilities in an Internet search engine2Attempted exploitationConfiguration errors, published vulnerabilitiesAn attempt to connect to a Windows system through a zero session and unload a list of user accounts.
Launching an exploit against a network service without first analyzing its compliance with this service.
Attempting to intercept traffic using arp-poisoning
3 Configuration analysis Configuration errors,
published vulnerabilities
Analyzing the contents of the Windows registry4 Reverse engineeringZero-day vulnerabilitiesDisassembling an executable file in order to study the logic of program execution and working with data5Analysis of the source codeZero-day vulnerabilitiesSearch in php code for fragments related to filtering user input in order to bypass filtering rules and injecting JavaScript code6FuzzingZero-day vulnerabilitiesInput into web-form of various variants of SQL queries and analysis of received error messages
From this list, the Metasploit Framework contains modules for implementing the "Attempt to exploit", "Fuzzing" and partially "Determination of vulnerabilities by product version" methods.
"Vulnerability identification by product version" is not fully implemented in the Metasploit Framework, since vulnerability scanners are primarily used to automatically identify potential vulnerabilities. However, it is worth noting that some of the exploits in the Metasploit Framework support a check method that can be used to determine if a vulnerability is present before exploiting it.
If you do not have a vulnerability scanner at hand like the one included in Scanner-VS, which can run about 60 thousand checks in tens of minutes, including for domestic solutions and information security tools, you will have to conduct an analysis manually.
For manual vulnerability analysis, the data on the versions of network services obtained at the previous stage during the port scan is suitable. A security testing specialist, forming Google search queries of the type "service version" + vulnerability + exploit, finds pages with descriptions of vulnerabilities and exploits.
Known Vulnerability Databases:
- www.exploit-db.com
- www.rapid7.com/db
- nvd.nist.gov
- www.cvedetails.com
- vuldb.com
For example, after analyzing the results of a Metasploitable 2 port scan, we can find that Very Secure FTP Daemon (VSFTPD) version 2.3.4 is waiting on port 21 for connections. A simple Google search for vulnerabilities in this version of the FTP server will lead us to find out that some funny guy has inserted a bookmark called "smiley face backdoor". The principle of using the program bookmark is simple: during authorization, you need to use the smiley "
" in the username, after which port 6200 will open on the remote machine with a command shell with administrator rights. The username and password you enter can be anything.The Metasploit Framework includes a set of modules for fuzzing implementations of such protocols as dns, ftp, http, smb, smtp, ssh, etc. These modules are available at auxiliary / fuzzers /.
It should be noted that since security testing projects are usually limited to a period of 2-3 weeks, experts limit themselves to automated and manual searches for vulnerabilities by version, as well as exploitation attempts.
Stage 4. Operation and attack
To exploit vulnerabilities in network services and application software, exploits from the exploit section of the Metasploit Framework are used. At the moment, the number of ready-to-use exploits in the Metasploit Framework is already approaching two thousand.
Suitable exploits can be found using the search command by CVE code, service name or version (for example, search vsftpd).
When exploiting a vulnerability, a so-called payload is specified. A payload is code that runs on a compromised machine. The Metasploit Framework has various payloads: remote command line, account creation, booting the remote administration system, and so on. The command line is often the most convenient to use. Moreover, the Metasploit Framework has a dynamically expandable payload - Meterpreter, but it deserves a separate article.
Continuing the analysis of the vsftpd example, let's run the found exploit and gain remote access to the command line with administrator rights.
There is only one payload variant for this exploit, which is used by default:
Exploit launch:
Password guessing
The most dangerous attack for decades has been password guessing. The Metasploit Framework contains many modules designed to carry out such attacks. The following table lists the modules that are most commonly encountered during security testing.
# Protocol / Application Module Path 1smbauxiliary / scanner / smb / smb_login2ftpauxiliary / scanner / ftp / anonymous
auxiliary / scanner / ftp / ftp_login
3sshauxiliary / scanner / ssh / ssh_login4telnetauxiliary / scanner / telnet / telnet_login5postgresqlauxiliary / scanner / postgres / postgres_login6mysqlauxiliary / scanner / mysql / mysql_login7oracleauxiliary / admin / oracle / oracle_login8tomcatiliary / scanner
A complete list of similar Metasploit Framework modules can be obtained by typing the search login command.
It should be noted that most modules require specifying a list of accounts and passwords to be checked, but some already contain ready-made lists of default values that are useful to use.
Let's pick the default passwords for PostgreSQL and Apache Tomcat installed on Metasploitable 2:
The Metasploit Framework contains modules for carrying out specific computer attacks. In this article, we will limit ourselves to considering a few of the most common ones.
ARP poisoning
In the course of this attack, the attacker tries to "spoil" (to poison) the ARP tables of two hosts, the traffic between which he wants to intercept. Often, an attack is carried out against the workstation of a specific user (system administrator, chief accountant, etc.) and a domain controller or router. After "corrupting" the ARP tables, both victim nodes forward network packets to each other through the attacker's computer. An attacker, launching a sniffer, intercepts data of interest, for example, authentication sessions with password hashes.
To carry out the arp-poisoning attack in the Metasploit Framework, you can use the module:
Code:
auxiliary / spoof / arp / arp_poisoning.Pass-the-hash
The peculiarity of the NTLM protocol implementation is that you do not need to know the password for successful authorization, you just need to have a password hash and an account name. Any operating system that uses the NTLM protocol can be affected by this vulnerability.
A pass-the-hash attack can be carried out using the exploit / windows / smb / psexec module.
As a result of this phase of security testing, we have a list of vulnerabilities that can actually be exploited by intruders, and remotely. As a result of launching exploits and conducting attacks, we have access to various systems, as well as information about compromised accounts.
Important note.
Running exploits can easily lead to the unavailability of a service or an entire network node. To minimize the negative consequences of such tests, security testing specialists:
- testing outside of working hours;
- testing on identical test servers;
- agree on the choice of goals with the customer (for example, workstations of non-critical employees are selected);
- launch dangerous checks by alerting responsible administrators.
Stage 5. Expansion of the zone of influence and escalation of privileges
Often, having access to a system allows you to extend it to other systems. Sometimes escalation of privileges is also possible, allowing a regular user to become an administrator.
Let's consider two typical situations, knowledge of which makes it easier to conduct security testing.
Users using the same passwords
Users like to use the same passwords in different systems, so it is advisable to check once matched login: password pairs in all available systems.
IT Pros Forgetting to Remove Critical Data from Test Environment
In large organizations, serious systems usually have a test environment in which to work out changes, train users, and so on. Test environments are very often created by restoring from backups of production environments, and since they are test environments, information security issues are not always given due attention. So, for example, they can create an administrator account with an easily guessed password or not install critical operating system updates. Security testing specialists, having gained access to the test environment, unload user data (logins / password hashes), which for the most part correspond to those used in the combat system.
Post-Exploitation Modules in the Metasploit Framework
The Metasploit Framework has a set of so-called post-exploitation modules that allow you to solve the following tasks for expanding access and elevating privileges:
- search for suitable local exploits (post / multi / recon / local_exploit_suggester);
- launching a keylogger (post / windows / capture / keylog_recorder);
- collecting accounts and hashes (post / windows / gather / credentials / credential_collector), etc.
Stage 6. Development of the report
If the results of security testing are of interest not only to the system administrator himself, then it makes sense to prepare a high-quality report.
The main component of the report is information about vulnerabilities, which, as a rule, is presented in the following structured form:
- detection - information about the name of the vulnerability, its codes, a list of nodes affected by it.
- Exploitation - screenshots and logs showing exploitation of the vulnerability;
- risk - what the exploitation of the vulnerability can lead to;
- recommendations - recommendations of a technical and organizational nature to eliminate the vulnerability.
Conclusion
We looked at using the Metasploit Framework for self-administration for security testing by administrators and verified the availability and effectiveness of the tool. Most of the "pain points" can be easily checked thanks to the wide range of modules of this framework. The only area of concern for security testing solely for the Metasploit Framework is the laborious manual search for vulnerabilities, but this issue can be resolved by using a vulnerability scanner.
Thanks for attention!
