Metasploit Lab

Overview
With data obtained from scanning you can attempt to exploit the vulnerabilities discovered.

Tools Used
• Kali Linux or another OS (preferably a Linux/Unix based system)
• Metasploit Framework
• Armitage
• Metasploitable2
• Docker

Target: Metasploitable2 Docker container (172.17.0.0/24 network)

Purpose
The aim of this lab is to develop and execute exploits against a remote machine and test its vulnerabilities using Metasploit.

1/11 2/20/24, 8:58 PM

Tasks | Lab Requirements

Task 0: Set up the environment
We will be installing the Docker container engine on the Kali Linux (or equivalent) Virtual Machine (VM), then downloading and running the Metasploitable2 container within the VM.

1. To start, you will need to update your packages on your Kali VM and install the docker.io package:
   sudo apt-get install docker.io -y
2. Download, install, and run the Metasploitable2 machine:
   sudo docker run -it tleemcjr/metasploitable2:latest sh -c "/bin/services.sh && bash"
3. When Docker is done pulling the image, it will start the container in interactive mode, so you will want to keep that terminal open. You can run the ifconfig command within that terminal to verify that the IP is set. It should be 172.17.0.2.
4. Ensure your VM and the container can communicate with each other by pinging the container's IP from another terminal.

Deliverables:
• Provide a screenshot showing that the two systems can ping each other.

Task 1: Using Metasploit
Start the tool
We are going to start exploring the Metasploit console and look into a few of the basic commands you can perform.

1. To start Metasploit, open a terminal on the Linux VM and issue the command below. It should give you roughly the result seen in the image. Metasploit has a variety of banners that it loads, so the image may not always look similar to the one provided.
   msfconsole
2.
   ┌──(kali㉿kali)-[~]
   └─$ msfconsole
   (ASCII-art Metasploit banner)
        https://metasploit.com

          =[ metasploit v6.2.36-dev                          ]
   + -- --=[ 2277 exploits - 1194 auxiliary - 408 post       ]
   + -- --=[ 951 payloads - 45 encoders - 11 nops            ]
   + -- --=[ 9 evasion                                       ]

   Metasploit tip: Save the current environment with the save command, future console restarts will use this environment again
   Metasploit Documentation: https://docs.metasploit.com/

   msf6 >

3. As we can see there are plenty of items in each of the module categories. We can use the show command to view the contents of each one. So you could use the command below to see all the payloads in the payloads module:
   show payloads
4. We can also use the search command to search through the modules. This may be useful for finding specific payloads during your exploit or finding an auxiliary module that you want to use. Let's look for a
5. We will use the search option to search for the EternalBlue attack (ms17_010). We should see some exploits and auxiliary modules that are related to our search. You should also note that at the bottom we can interact with these modules by name or by index number.

   msf6 > search ms17_010

   Matching Modules
   ================

      #  Name                                      Disclosure Date  Rank     Check  Description
      -  ----                                      ---------------  ----     -----  -----------
      0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
      1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
      2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
      3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection

   Interact with a module by name or index. For example info 3, use 3 or use auxiliary/scanner/smb/smb_ms17_010

6. Use the command below to view the info about module number 3. It will provide you details regarding items like the name, module, rank, options, and description:
   info 3
7. Below you will see us using the command use 3 to go into that module; our prompt should change. Then running the show options command will get us a list of the options. Note that the items marked as yes in the Required column (indicated by the red boxes in the image) must be set.

   msf6 > use 3
   msf6 auxiliary(scanner/smb/smb_ms17_010) > show options

   Module options (auxiliary/scanner/smb/smb_ms17_010):

      Name         Current Setting                                                 Required  Description
      ----         ---------------                                                 --------  -----------
      CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
      CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
      CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
      NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
      RHOSTS                                                                       yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
      RPORT        445                                                             yes       The SMB service port (TCP)
      SMBDomain                                                                    no        The Windows domain to use for authentication
      SMBPass                                                                      no        The password for the specified username
      SMBUser                                                                      no        The username to authenticate as
      THREADS      1                                                               yes       The number of concurrent threads (max one per host)

   View the full module info with the info, or info -d command.

   msf6 auxiliary(scanner/smb/smb_ms17_010) >

8. To set an item you can use the set command followed by the name of what you want to set. Once the options are set, it is good practice to use the show options command again to verify that the options were set properly (no typos or wrong values). Below is an example of how you would set RHOSTS for the module shown previously, for an example IP of 192.168.1.22:
   set RHOSTS 192.168.1.22
9. After everything has been verified, use the command run to run the auxiliary module:
   run
10. Within the MSF console you can even issue the help command and it will give you additional details of commands you can run. For this example it will give us some of the basic commands, but also some commands related to the auxiliary module we are currently using. Below is a segment pulled from the help command output that is related to the current module:

   Auxiliary Commands
   ==================

       Command   Description
       -------   -----------
       check     Check to see if a target is vulnerable
       exploit   This is an alias for the run command
       rcheck    Reloads the module and checks if the target is vulnerable
       recheck   This is an alias for the rcheck command
       reload    Reloads the auxiliary module
       rerun     Reloads and launches the auxiliary module
       rexploit  This is an alias for the rerun command
       run       Launches the auxiliary module

11. That's it, this section is complete.

Task 2: Exploits with MSF and Armitage

Metasploit Framework
Before starting you should ensure that the Metasploitable machine has started and is running. For this part we have discovered that there is a Tomcat Manager Application Deployer exploit we can run to try to exploit the system.

1. Start Metasploit by opening a terminal and issuing the command below if you don't already have MSF running:
   msfconsole
2. Search for an auxiliary module that will try to log in to the Tomcat Application Manager.
3. Select the module by name or by the ID number with the use command.
4. Show the options to see what needs to be set. You will need to update and set the following options:
   • RHOSTS to the IP of the target system
   • RPORT to the Tomcat service listening on port 8180
5. Once options are verified, issue the run command to start the scan.
6. You will see a bunch of usernames and passwords that it tries. You will have to scroll up and you will see the username and password that stated there was a Login Successful. Take note of this information because it will be used for the exploit later.
7. Now search for the exploit module tomcat deploy.
8. Use the module for the exploit that is exploit/multi/http/tomcat_mgr_deploy.
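A pre-flight check for the environment built in Task 0 before Task 1 and Task 2 are run against it, as an added example that is not part of the lab handout. It assumes the container was started from tleemcjr/metasploitable2:latest as above, that docker is usable by the current user (or the script is run with sudo), and that nc (netcat) is installed for the port probe.

```shell
#!/bin/sh
# Added example (not from the lab handout): pre-flight check for the Task 0 setup.
# Assumes the container was started from tleemcjr/metasploitable2:latest as in
# Task 0, that docker is usable by this user (or run this with sudo), and that
# nc (netcat) is installed for the port probe.

# Is $1 a usable container address on Docker's default 172.17.0.0/24 bridge?
# 172.17.0.1 is the docker0 gateway on the Kali VM itself, not a container.
in_lab_subnet() {
    case "$1" in 172.17.0.*) ;; *) return 1 ;; esac
    host=${1##*.}
    case "$host" in ''|*[!0-9]*) return 1 ;; esac
    [ "$host" -ge 2 ] && [ "$host" -le 254 ]
}

# Print the IP Docker assigned to the running Metasploitable2 container.
container_ip() {
    cid=$(docker ps -q --filter ancestor=tleemcjr/metasploitable2:latest | head -n 1)
    [ -n "$cid" ] || return 1
    docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$cid"
}

# Task 0 step 4: the VM must be able to ping the container.
host_reachable() { ping -c 1 -W 1 "$1" >/dev/null 2>&1; }

# Task 2 targets Tomcat on 8180; confirm services.sh actually brought it up.
port_open() { nc -z -w 1 "$1" "$2" >/dev/null 2>&1; }

lab_check() {
    ip=$(container_ip) || { echo "no running metasploitable2 container"; return 1; }
    in_lab_subnet "$ip" || { echo "unexpected container IP: $ip"; return 1; }
    host_reachable "$ip" || { echo "$ip does not answer ping"; return 1; }
    port_open "$ip" 8180 || { echo "tomcat (8180) not listening on $ip"; return 1; }
    echo "lab ready: target $ip"
}

# Live checks run only when invoked as: sh lab_check.sh --check
if [ "${1:-}" = "--check" ]; then lab_check; fi
```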
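The defender's view of the Task 2 credential sweep, as an added example that is not part of the lab handout: the Tomcat Manager login scanner shows up in Tomcat's access log as a burst of 401 responses on /manager/ from one client, followed by a 200 once a username/password pair works. The log lines are constructed for this example and assume Tomcat's "common" access-log pattern.

```shell
#!/bin/sh
# Added example (not from the lab handout): the defender's view of Task 2.
# The tomcat_mgr_login sweep appears in Tomcat's access log as a burst of 401
# responses on /manager/ from one client, then a 200 once a guessed pair works.
# Log lines are constructed here; the format is Tomcat's "common" access-log
# pattern: ip - user [time] "method path proto" status bytes.
# In this lab the Kali VM reaches the container from 172.17.0.1, the Docker
# bridge address, so that is the client you would expect to see.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
172.17.0.1 - - [20/Feb/2024:20:58:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
172.17.0.1 - - [20/Feb/2024:20:58:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
172.17.0.1 - - [20/Feb/2024:20:58:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
172.17.0.1 - - [20/Feb/2024:20:58:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
172.17.0.1 - - [20/Feb/2024:20:58:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
172.17.0.1 - tomcat [20/Feb/2024:20:58:03 +0000] "GET /manager/html HTTP/1.1" 200 19543
10.0.0.5 - - [20/Feb/2024:21:00:10 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - admin [20/Feb/2024:21:00:25 +0000] "GET /manager/html HTTP/1.1" 200 19543
10.0.0.9 - - [20/Feb/2024:21:01:00 +0000] "GET /index.html HTTP/1.1" 200 1500
EOF

# Clients with at least $2 failed (401) requests to /manager/ in log $1.
# Prints "<ip> <failures>" per client.
manager_login_failures() {
    awk -v min="$2" '$9 == 401 && $7 ~ "^/manager/" { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }' "$1"
}

# Stronger signal: a 200 on /manager/ from a client that already had $2 or
# more failures, i.e. a guessed credential pair now works (the "Login
# Successful" line the handout tells you to scroll back for).
# Prints "<ip> <user> <failures_before_success>" once per client.
manager_login_after_failures() {
    awk -v min="$2" '
        $7 !~ "^/manager/" { next }
        $9 == 401 { n[$1]++ }
        $9 == 200 && n[$1] >= min && !($1 in seen) { seen[$1] = 1; print $1, $3, n[$1] }
    ' "$1"
}

manager_login_failures "$SAMPLE_LOG" 3
manager_login_after_failures "$SAMPLE_LOG" 3
```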