MSF Extended Usage

The Metasploit Framework is such a versatile asset in every pentesters toolkit, it is no shock to see it being expanded on constantly. Due to the openness of the Framework, as new technologies and exploits surface they are very rapidly incorporated into the msf svn trunk or end users write their own modules and share them as they see fit.

We will be talking about Backdooring EXE Files, Karmetasploit, and targeting Mac OS X.

 

PHP Meterpreter

The Internet is littered with improperly coded web applications with multiple vulnerabilities being disclosed on a daily basis. One of the more critical vulnerabilities is Remote File Inclusion (RFI) that allows an attacker to force PHP code of his/her choosing to be executed by the remote site even though it is stored on a different site. Recently, Metasploit published not only a php_include module but also a PHP Meterpreter payload. The php_include module is very versatile as it can be used against any number of vulnerable webapps and is not product-specific.

In order to make use of the file inclusion exploit module, you will need to know the exact path to the vulnerable site. Loading the module in Metasploit, we can see a great number of options available to us.

Read more @ offensive-security.com/metasploit-unleashed/PHP_Meterpreter

 

Backdooring EXE Files

Creating customized backdoored executables often took a long period of time to do manually as attackers. The ability to embed a Metasploit Payload in any executable that you want is simply brilliant. When we say any executable, it means any executable. You want to backdoor something you download from the internet? How about iexplorer? Or explorer.exe or putty, any of these would work. The best part about it is its extremely simple. We begin by first downloading our legitimate executable, in this case, the popular PuTTY client.

Read more @ offensive-security.com/metasploit-unleashed/Backdooring_EXE_Files

 

Karmetasploit

Karmetasploit is a great function within Metasploit, allowing you to fake access points, capture passwords, harvest data, and conduct browser attacks against clients.

 

Karmetasploit Configuration

There is a bit of setup required to get Karmetasploit up and going. The first step is to obtain the run control file for Karmetasploit:

Read more @ offensive-security.com/metasploit-unleashed/Karmetasploit_Configuration

 

Karmetasploit In Action

Now, with everything ready, all that is left is to run Karmetasploit! We start up Metasploit, feeding it our run control file.

Read more @ offensive-security.com/metasploit-unleashed/Karmetasploit_In_Action

 

Attack Analysis

Wow! That was a lot of output! Please take some time to read through the output, and try to understand what is happening.

Let’s break down some of the output a bit here.

Read more @ offensive-security.com/metasploit-unleashed/Attack_Analysis

 

MSF vs OS X

One of the more interesting things about the Mac platform is how cameras are built into all of the laptops. This fact has not gone unnoticed by Metasploit developers, as there is a very interesting module that will take a picture with the built in camera.

Read more @ offensive-security.com/metasploit-unleashed/MSF_vs_OS_X

 

File-Upload Backdoors

Amongst its many tricks, Metasploit also allows us to generate and handle Java based shells to gain remote access to a system. There are a great deal of poorly written web applications out there that can allow you to upload an arbitrary file of your choosing and have it run just by calling it in a browser. We begin by first generating a reverse-connecting jsp shell and set up our payload listener.

Read more @ offensive-security.com/metasploit-unleashed/File-Upload_Backdoors

 

Building A Module

Writing your first Metasploit module can be a daunting task, especially if one does not code in Ruby on a regular basis. Fortunately the language’s syntax is intuitive enough, for anyone with prior programming and scripting knowledge, to make the transition (from Python for example) to Ruby.

Before taking the plunge into module construction and development, lets us take a quick look at the some of the modules currently in place. These files can be used as our base for re-creating an attack on several different supported protocols, or crafting ones own custom module.

Read more @ offensive-security.com/metasploit-unleashed/Building_A_Module

 

Payloads Through MSSQL

In the previous section, we created a very basic module to get a better understanding of the principales behind a build. This section briefly explains passing payloads using the MSSQL module. The code presented currently works on the following installations of Microsoft’s SQL server which are 2000, 2005 and 2008. We will first walkthrough the code and explain how this attack vector works before making our own from the ground up.

When an administrator first installs MSSQL they have the option of using either mixed mode authentication or SQL based authentication. Using the latter, a password for the ‘sa’ account must be specified by the administrator. The ‘sa’ account is the systems administrator for the SQL server and has most, if not all, permissions on the system. Guessing this password, either using social engineering or other means, one can leverage this attack vector using Metasploit and perform additional actions. In a previous module, we discussed discovering which TCP port MSSQL is using by querying UDP port 1434 and executing dictionary attacks for guess the ‘sa’ password.

For our purposes, we’ll assume we are aware of the SQL system administrator’s account password. If you wish to recreate this attack, you will need to have a working copy of Microsoft Windows as well as any of the previously mentioned versions of MSSQL.

Read more @ offensive-security.com/metasploit-unleashed/Payloads_Through_MSSQL

 

Creating Our Auxiliary Module

We will be looking at three different files, they should be relatively familar from prior sections.

Read more @ offensive-security.com/metasploit-unleashed/Creating_Our_Auxiliary_Module

 

The Guts Behind It

Looking int the ‘mssql.rb’ file using a text editor, locate the ‘mssql_upload_exec’. We should be presented with the following:

Read more @ offensive-security.com/metasploit-unleashed/The_Guts_Behind_It

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s