Figure 4.6 – Successful ping attempt.
The virtual network has been created and the Host and Target machine are communicating. Now exploits can be created and executed between the machines.
4.2 Selecting an Exploit
Before selecting or using exploits it is advisable to take a snapshot of the Target machine so that it can be reverted to its default state. This saves time later, because some exploits leave the target in a condition that would otherwise require a complete reinstall.
To do this on the target machine select Machine > Take Snapshot. This will bring up the screen shown in Figure 4.7.
Metasploit Penetration Testing in a Virtual Environment
Figure 4.7 – Taking a snapshot. Put in Snapshot name and hit Ok.
In order to discover vulnerabilities to exploit, the first step is to discover the machines on the network. This would be done in a normal testing engagement, so it is included here to show how it works.
First, the network is swept with a simple ping scan to determine which hosts are online. This is done with the command nmap -sP 192.168.56.1/24, as shown in Figure 4.8.
There are three hosts on this network, 192.168.56.1, 192.168.56.101 and 192.168.56.101.
Since it is known that the Metasploitable target machine is 192.168.56.101, the remainder of the exploit will use this IP address as the Target.
Now that the IP address is known, the next step is to scan which programs are running on which ports. The program chosen in this way will be used in the exploit to gain access to the machine, so the port numbers must be known. The respective command is nmap -sV 192.168.56.101, as shown in Figure 4.9.
Figure 4.9 – NMAP port scan results
For this example the Apache Tomcat/Coyote JSP engine 1.1, which is listening on the open port 8180, is exploited next.
The module used here, 'Tomcat Application Manager Login Utility', is provided by Matteo Cantoni and jduck and tests credentials against a Tomcat application.
Figure 4.10 – Select Exploit
Setting up the exploit involves selecting the exploit by its location, setting RHOSTS to the host being exploited (in this case 192.168.56.101), setting RPORT (in this case 8180) and entering the “exploit” command, as shown in Figure 4.10.
The result is a long list of username/password attempts. Figure 4.11 shows a viable username/password pair.
Figure 4.11 – Found successful login
Now that a successful username/password pair has been found, an exploit can be set up to send a payload.
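A login utility run like the one above leaves a dense trail of failed Manager logins in Tomcat's access log, followed by one authenticated request once a pair is accepted. The following Python is an added example (not part of the report or of Metasploit) that flags such a burst per client IP from Tomcat "common" format access-log lines; the sample lines, the 5-in-60-seconds threshold and the /manager path prefix are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Tomcat "common" access-log format. The SAMPLE_LOG lines are constructed
# samples, not captured from the report's lab network.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SAMPLE_LOG = """\
192.168.56.1 - - [01/Jan/2024:12:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.56.1 - - [01/Jan/2024:12:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.56.1 - - [01/Jan/2024:12:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.56.1 - - [01/Jan/2024:12:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.56.1 - - [01/Jan/2024:12:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.56.1 - - [01/Jan/2024:12:00:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.56.1 - tomcat [01/Jan/2024:12:00:05 +0000] "GET /manager/html HTTP/1.1" 200 19318
192.168.56.102 - - [01/Jan/2024:12:00:07 +0000] "GET /manager/html HTTP/1.1" 401 2473
"""

def parse(line):
    """Return (ip, user, timestamp, path, status), or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], m["user"], datetime.strptime(m["ts"], TS_FMT), m["path"], int(m["status"])

def detect_manager_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag client IPs that sent >= threshold HTTP 401s to /manager/* inside a
    sliding time window; if an authenticated 200 follows, record which user name
    was accepted. Returns {ip: {"failures": total_401s, "success_user": name|None}}."""
    recent = defaultdict(list)   # ip -> timestamps of 401s still inside the window
    total = defaultdict(int)     # ip -> every 401 seen for that client
    alerts = {}
    for line in lines:
        rec = parse(line)
        if rec is None or not rec[3].startswith("/manager"):
            continue
        ip, user, ts, _, status = rec
        if status == 401:
            total[ip] += 1
            recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
            if len(recent[ip]) >= threshold:
                alerts.setdefault(ip, {"failures": 0, "success_user": None})
                alerts[ip]["failures"] = total[ip]
        elif status == 200 and ip in alerts and user != "-":
            # Tomcat fills %u only for an authenticated request: a guess landed.
            alerts[ip]["success_user"] = user
    return alerts
```

Run against the sample, only 192.168.56.1 is reported (six failures, then the accepted user "tomcat"); the single failure from 192.168.56.102 stays below the threshold.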
4.3 Payloads
Metasploit contains many different types of payloads, each serving a unique role within the framework. Let's take a brief look at the various types of payloads available and get an idea of when each type should be used.
Inline (Non Staged)
A single payload containing the exploit and full shell code for the selected task.
Inline payloads are by design more stable than their counterparts because they contain everything in one piece. However, some exploits won't support the resulting size of these payloads.
Staged
Stager payloads work in conjunction with stage payloads in order to perform a specific task. A stager establishes a communication channel between the attacker and the victim and reads in a stage payload to execute on the remote host.
Meterpreter
Meterpreter, the short form of Meta-Interpreter, is an advanced, multi-faceted payload that operates via DLL injection. Meterpreter resides completely in the memory of the remote host and leaves no traces on the hard drive, making it very difficult to detect with conventional forensic techniques. Scripts and plugins can be loaded and unloaded dynamically as required, and Meterpreter development is very active and constantly evolving.
PassiveX
PassiveX is a payload that can help in circumventing restrictive outbound firewalls. It does this by using an ActiveX control to create a hidden instance of Internet Explorer. Using the new ActiveX control, it communicates with the attacker via HTTP requests and responses.
NoNX
The NX (No eXecute) bit is a feature built into some CPUs to prevent code from executing in certain areas of memory. In Windows, NX is implemented as Data Execution Prevention (DEP). The Metasploit NoNX payloads are designed to circumvent DEP.
Ord
Ordinal payloads are Windows stager-based payloads that have distinct advantages and disadvantages. The advantage is that they work on every flavor and language of Windows dating back to Windows 9x without the explicit definition of a return address. They are also extremely tiny. However, two very specific disadvantages make them not the default choice. The first is that they rely on ws2_32.dll being loaded in the exploited process before exploitation. The second is that they are a bit less stable than the other stagers.
IPv6
The Metasploit IPv6 payloads, as the name indicates, are built to function over IPv6 networks.
Once valid credentials have been found, jduck's Tomcat Manager Application Deployer (tomcat_mgr_deploy) can be used against the target, as shown in Figure 4.12.
Figure 4.12 – Setting up tomcat_mgr_deploy
Once these settings are in place, a payload can be set and the exploit run. To find a valid payload, use the command show payloads, as presented in Figure 4.13.
Figure 4.13 – Valid Payloads
Since Apache Tomcat is using a JSP engine, the best payload to use is java/shell/bind_tcp, which opens a connection to Metasploitable and gives control of its shell. The respective command to set a payload is ‘set PAYLOAD java/shell/bind_tcp’, followed by exploit, as shown in Figure 4.14.
Figure 4.14 – Successful payload delivery
After this, control of the shell of the target is possible, as shown in Figure 4.15.
Figure 4.15 – ls command on remote shell