I’ve been trying to expand my knowledge of Metasploit recently. I’ve gotten training which included quite extensive coverage of the framework, for which I’m grateful; but to really get how extensive the tool’s functionality is, there’s nothing quite like practice.

With this in mind, I downloaded the metasploitable VM over at sourceforge (http://sourceforge.net/projects/metasploitable/files/Metasploitable2/) and began hacking away at it.

When you start working on these things, it’s awfully tempting to fall back into ‘CTF mode’, where your only objective is to get in. That’s not very effective for testing the tool, though. So I tried to limit myself to metasploit only, and see how far I could go. I also took a breadth-first approach rather than a depth-first approach - in other words, exploring as much of the scanning functionality as possible before moving on to exploitation.

My first task was to scan the machine. This is the focus of this article. I used the metasploit database functionalities to catalog what I found. If you’ve never tried this before, I’d highly recommend you check out this article: http://www.offensive-security.com/metasploit-unleashed/Using_the_Database

I began by performing a version and script scan of the machine using nmap and importing the results into the metasploit database. One can perform the scan from within metasploit, so I see the use of nmap as fair play. The version and script scan gets you all sorts of juicy information, which you can see using the ‘services’ command.

Crawling web pages

Metasploitable 2 has web applications running on it. One thing that constantly worries me during a pentest is whether I’m going to miss any pages, so at some point I’ll try to have at least two spiders index the site (in addition to any general statistics I might get by searching for the site on Google during recon). Here’s a nifty auxiliary I found for this in metasploit:

auxiliary/crawler/msfcrawler

You should note, however, that the module is a bit of a pain with regards to its output: every URI gets printed to screen, and it blocks metasploit while it’s running. Not ideal. So I’d recommend spawning an additional msfconsole session, running the command on that instance, and having it spool its output to a file. For more information about spooling, check out:

https://community.rapid7.com/community/metasploit/blog/2011/06/25/metasploit-framework-console-output-spooling

Working with MySQL

Metasploitable also has an exposed MySQL instance, which is password protected. Here’s the name of the MySQL brute-forcing auxiliary:

auxiliary/scanner/mysql/mysql_login

A few things to note here: first, the tool is flexible enough to allow you to specify files for users and passwords, provide specific values for either the user name or the password, and/or indicate whether you want to use the creds already in your metasploit database. Very cool. Second, it’s fairly slow. Don’t expect immediate results. Third, it can be as verbose as the crawler module, if not more so. I’d recommend turning off verbose mode.

Working with Tomcat

Similar to MySQL’s login auxiliary, you also have Tomcat’s auxiliary:

auxiliary/scanner/http/tomcat_mgr_login

In the case of metasploitable, this worked really nicely for me. Also, when using the database, any successfully found creds get stored in the database for re-use! You can see them by issuing the ‘creds’ command. Swanky.

Don’t forget that metasploit does come with a bunch of wordlists, which you’ll find in the data directory. Wordlists are segmented by type of service (such as http users, unix users, directory names…).

Other tools

There is a lot of functionality in metasploit; the more I look, the more I find. I typically do my searches from msfconsole using searches like:

grep keyword2 search keyword1

Multiple-keyword searches and searching by type do not work for me. I’m probably doing something wrong, so feel free to pipe in if you’ve got a solution to this. However, if you’re looking for metasploit goodness, it turns out that Rapid7 has an index of the out-of-the-box functionality offered by metasploit:

http://www.rapid7.com/db/search

tl;dr (too long; didn’t read)

nmap -sS -sV -sC metasploitable.host.local -oA metasploitable_scan

In metasploit:

workspace -a metasploitable
db_import ~/scans/metasploitable_scan.xml
services
use auxiliary/crawler/msfcrawler
spool /tmp/crawler.log
setg RHOSTS metasploitable.host.local
exploit
use auxiliary/scanner/mysql/mysql_login
setg USER_FILE xxx
setg PASS_FILE yyy
set VERBOSE false
exploit
use auxiliary/scanner/http/tomcat_mgr_login
exploit
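The nmap XML that db_import reads is what populates the ‘services’ table. As an added example (not part of the original post or of Metasploit itself), here is a small Python parser that rebuilds that table from a constructed nmap -sV XML sample and maps each open service to the login auxiliary used above; the host address, ports and version strings in the sample are made up, not a real Metasploitable scan.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -sV XML (not a real scan); values are illustrative.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="open"/>
  <service name="http" product="Apache httpd" version="2.2.8"/></port>
<port protocol="tcp" portid="3306"><state state="open"/>
  <service name="mysql" product="MySQL" version="5.0.51a"/></port>
<port protocol="tcp" portid="8180"><state state="open"/>
  <service name="http" product="Apache Tomcat/Coyote JSP engine" version="1.1"/></port>
<port protocol="tcp" portid="25"><state state="filtered"/><service name="smtp"/></port>
</ports></host></nmaprun>"""

# The login auxiliaries from the post, keyed by the service they target.
MODULES = {
    "mysql": "auxiliary/scanner/mysql/mysql_login",
    "tomcat": "auxiliary/scanner/http/tomcat_mgr_login",
}

def parse_services(xml_text):
    """Return one row per open port, like the `services` table after db_import."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not listed as services
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            # nmap splits product/version; msf shows them joined in its 'info' column
            info = " ".join(v for v in (svc.get("product"), svc.get("version")) if v) if svc is not None else ""
            rows.append({"host": addr, "port": int(port.get("portid")),
                         "proto": port.get("protocol"), "name": name, "info": info})
    return rows

def suggest_modules(rows):
    """Map each open service to the post's login auxiliary for it, if there is one."""
    out = {}
    for r in rows:
        key = "tomcat" if "tomcat" in r["info"].lower() else r["name"]
        if key in MODULES:
            out[(r["host"], r["port"])] = MODULES[key]
    return out

if __name__ == "__main__":
    rows = parse_services(SAMPLE_NMAP_XML)
    for r in rows:
        print(f"{r['host']}  {r['port']}/{r['proto']}  {r['name']:<6} {r['info']}")
    print(suggest_modules(rows))
```

To run it against a real scan, read the `.xml` file produced by `-oA` and pass its contents to parse_services instead of the sample string.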