Metasploit: Penetration Testing in a Virtual Environment. (Final Draft) Christopher Steiner. Dr. Janusz Zalewski. CNT 4104 Fall 2011 Networks




Metasploit: Penetration Testing in a Virtual Environment (Final Draft)
Christopher Steiner
Dr. Janusz Zalewski
CNT 4104 Networks
Florida Gulf Coast University, Fort Myers, Florida
11-20-11
Christopher Steiner Florida Gulf Coast University Page 1

1. Introduction

1.1 Project Overview

The purpose of this project is to initially create a series of virtual servers using Oracle VM Virtual Box in order to create a test environment to run Metasploit, and then to repeat it in the actual environment of the Computer Science network. The Metasploit Framework is considered the de facto standard for penetration testing. Metasploit is used in a test environment in order to better defend a network against hackers or cyber criminals. The penetration tests are often run in a virtual test environment so as not to interfere with actual network usage.

1.2 Metasploit

In order to understand the Metasploit Framework one needs to understand the basics of penetration testing. A penetration test, sometimes referred to as a pentest, is the equivalent of hacking a secure network for the sole purpose of finding weaknesses for the betterment of the network. These tests are usually run by the person in charge of network security or by a person asked to find these vulnerabilities in the network and fix them. One thing that needs to be made clear is that these pentests are to be done with the consent of the owner of the network; otherwise it would just be hacking.

Metasploit was developed by H.D. Moore. He developed a framework for the creation and development of exploits and released a Perl-based Metasploit in October 2003. In 2004 H.D. rewrote the Metasploit project with the help of Spoonm; this version included 19 exploits and 27 payloads. More about exploits, payloads and vulnerabilities is explained later in this report. Metasploit was rewritten in Ruby in 2007. It grew rapidly due to an increasingly interested security community and user contributions. Rapid7, a widely known vulnerability-scanning firm, acquired Metasploit in 2009. With the acquisition both H.D. and Rapid7 were able to focus on the deployment of the Framework and on the commercial lines of Metasploit: Metasploit Pro and Metasploit Express. [6]

The need for penetration testing is ever increasing, as the external and internal threats to network security have become more prevalent over the past decade. While the rapidly increasing technological advances in networks are pushing our knowledge and abilities further, they are also allowing a whole new breed of hacker to infiltrate and compromise networks. Frameworks such as Metasploit allow network pentesters to provide the correct defense against these attacks.

1.2.1 Vulnerability

A vulnerability is a security hole in a piece of software, hardware or an operating system that provides a potential angle to attack the system. A vulnerability can be as simple as a weak password or as complex as a buffer overflow or SQL injection vulnerability. [1] As the name implies, the vulnerable state of the network is in discussion here. One must determine where these holes in security are and close them before they are found by an unwanted intruder. These vulnerabilities are not limited to the software, hardware or operating systems in use in the system; they may be operating procedures of the company in question. As a penetration tester, finding as much information as possible about the inner workings of a company may lead to possible vulnerabilities in its network. These days the intelligence gathering phase usually includes Google hacking, social-media networks such as Facebook, and other methods as well. The old saying "Loose lips sink ships" holds true here, as even employees have the opportunity to be a vulnerability in a network: they may leak a secure password to the wrong person. These holes in the security process are a little harder to close up. They have to be dealt with in a different way than Metasploit works, but they can be dealt with before other kinds of penetration testing have started.

Once the greatest threats to the network have been identified, the vulnerability analysis starts with deciding which attack would be the most viable. All of the information gathered from the intelligence gathering phase, coupled with port and vulnerability scans, will give the penetration tester the best place to start in exploiting the network.

1.2.2 Exploits

Once the best vulnerability has been discovered in a network, a small and specialized computer program, called an exploit, is used to take advantage of the vulnerability and give the penetration tester access to the computer system. The exploits are used to deliver the payloads to the target system. These payloads are the way that the penetration tester gains access to the computer system. Payloads are introduced in the next section. There are over 180 exploits in the Metasploit Framework. Since the security community is encouraged to get involved in the continuing development of exploits, there is currently a public database of usable exploits. The exploit database is constantly being updated by community support, and when new exploits are found they are posted.

1.2.3 Payloads

Payloads are pieces of code that get executed on the target system as part of an exploit attempt. A payload is usually a sequence of assembly instructions which helps achieve a specific post-exploitation objective, such as adding a new user to the remote system, or launching a command prompt and binding it to a local port. Traditionally, payloads were created from scratch or by modifying existing pieces of assembly code. This requires an in-depth knowledge not only of assembly programming, but also of the internal workings of the target operating system. But a number of scripts now enable payloads to be developed without needing to modify any assembly code at all. [5]

The different types of payloads allow for different types of control the penetration tester has over the target system. The most commonly used payload is called the Meterpreter. This payload allows the penetration tester to turn on the target system's webcam, take control of the mouse and keyboard, and even take screenshots. All of these options are for the penetration tester to see what exact holes there are in the system. Having access to key functions on one computer may not necessarily mean control over the whole network, but it is a start in determining which aspects of the network are the most vulnerable.

1.3 Oracle VM Virtual Box

In order to properly run a penetration test, a suitable network must be in place to test against. Instead of having physical machines, this project initially aims to run these penetration tests in a completely virtual environment in Oracle VM Virtual Box. As processing power and memory management on server machines become more powerful and easier to acquire, hosting these virtual networks becomes a more likely option. Oracle VM Virtual Box allows the user to create virtualizations of physical machines in order to either run them full time or do testing outside of a live environment. Since this project is using multiple virtual environments, from Ubuntu to Windows Server 2003, there is a need to tap into the power that Oracle VM Virtual Box provides. There are other programs out there, such as VMware Workstation, but for our purposes in this experiment the free and easy access to Virtual Box will do just fine. There is even the possibility of virtualizing the entire project, with the Metasploit Test Lab as a virtualized machine itself; however, this goes beyond the scope of this project and perhaps may constitute an extension to it.

This virtual network, even though it is hosted on a single machine, will include multiple operating systems in strong isolation from each other. This gives great ease of access when dealing with multiple hosts. If one had to go from machine to machine in order to check a part of the test, it would be very time consuming and maybe, if the test was large enough, not feasible. With access to any of the virtualized machines at any time, this test will cut down on significant foot traffic and allow for a test environment that is secured and off the grid. With the network being as isolated as it is, there is also protection for the network the Test Lab is hosted on: all of the network traffic is localized to the Test Lab host itself.

1.4 Armitage

Armitage is an open source graphical user interface for the Metasploit Framework. It allows the user to see a visual representation of the network, as well as point-and-click exploitation and payload delivery. In order to start using Armitage it must be installed on the same test environment that the Metasploit Framework is installed on.

2. Problem Description and Project Setup

2.1 Project Objective

The Metasploit Framework environment is created on a central server which will then house three additional virtual machines. These virtual machines have different images on them, such as Ubuntu and Windows XP. The purpose of setting up these three different types of virtual machines is to create a real world scenario in which a hacker might attempt to penetrate. Once this test environment has proved itself, a real test will be done on the FGCU Computer Science Lab network.

2.1.1 Basic Configuration

It is assumed that all virtual machines will be running simultaneously and that the penetration tests will be executed on all virtual machines. A sample Metasploit layout is presented in Figure 2.1.

Figure 2.1 Metasploit Example Layout

The following configuration items are needed in order to create a working test lab on a single machine with Metasploit:

- Metasploit Framework [1]
- Computer with the following specifications:
  o Intel Core 2 Quad @ 2.66 GHz
  o 8 GB of RAM
  o 500 GB HDD
  o Windows 7 x64
- Oracle VM Virtual Box [2]
- Metasploitable Image [7]
- Ultimate LAMP Image [8]
- Windows XP Image
- Armitage [10]

2.2 Setting Up a Test Lab on a Single Machine

In order to create a test lab on a single machine we first need to set up the three different virtual machines. For this test lab Virtual Box is used to emulate a network to penetrate. The first thing one needs to do is to download and install Virtual Box, and the next step is to download and install Metasploit. After these two applications have been downloaded and installed, one then needs to set up the virtual machines for each of the three operating systems.

2.2.1 Installing Oracle VM Virtual Box

The process of virtualizing the three test environments to create the overall test lab starts with downloading Virtual Box [3]. Since the Test Lab is running on a Windows based machine, one needs to download Virtual Box 4.1.4 for Windows hosts (x86); the process is shown in Figures 2.2-2.7. It starts with clicking on the x86/amd64 link and saving the file. Once Virtual Box is downloaded, double click the executable to start the install process.

Figure 2.2 Select Next
Figure 2.3 Select Next

Figure 2.4 Select Yes
Figure 2.5 Select Install

After selecting Install in Figure 2.5, Virtual Box will install. Once it is completed, Next and Finish have to be selected, as in Figures 2.6 and 2.7.

Figure 2.6 Select Next
Figure 2.7 Select Finish

Figure 2.8 Virtual Box is installed.

If the screen shown in Figure 2.8 appears, then Virtual Box has successfully installed. One can close this for now, since next one needs to set up Metasploit and get images ready to continue setting up the Test Lab.

2.2.2 Installing Metasploit

Now that Virtual Box is installed and ready to go, it is time to set up the penetration testing software, Metasploit. The Metasploit Framework is to be installed on a Windows based test environment, so one needs to download the latest Windows installer [4], the executable setup for Windows machines. Save the executable and, once it is downloaded, the install process can start. This is shown in Figures 2.9-2.19.

Figure 2.9 Turn off antivirus software. Select OK.
Figure 2.10 Turn off Windows firewall. Select OK.
Figure 2.11 Select Next.
Figure 2.12 Select "I accept the agreement". Select Next.
Figure 2.13 Select a folder to install to. Select Next.
Figure 2.14 Select Next.
Figure 2.15 This will generate an SSL certificate for this server. Select Next.
Figure 2.16 Select Next.
Figure 2.17 Select Next.
Figure 2.18 Wait for Metasploit to install.

Figure 2.19 Uncheck "Access Metasploit Web UI?". Select Finish.

Once the screen shown in Figure 2.19 appears, the Metasploit Framework has been successfully installed. It is recommended to reboot the Test Lab computer before moving to the next step.

2.2.3 Preparing Test Machines

Having made sure that Virtual Box and the Metasploit Framework are installed correctly, one can now turn to creating the three virtual environments. The steps for all three are the same, so the instructions below refer to setting up just one of the three, Windows XP, and the rest should be done in the same manner. Figures 2.20-2.29 explain the setup process.

Figure 2.20 Select New.
Figure 2.21 Select Next.
Figure 2.22 Enter the name of the VM. Select the Operating System and Version. Select Next.
Figure 2.23 Set the allocated RAM. For these VMs 1024 megabytes will suffice. Select Next.
Figure 2.24 Select Next.
Figure 2.25 Select Next.
Figure 2.26 Select Next.
Figure 2.27 Select Next.

Figure 2.28 Select Create.
Figure 2.29 Select Create again.

Once the virtual machine is created, one needs to install an operating system onto it. For this example it is a lightweight version of Windows XP that is only 360 MB. Any version of XP can also be used, and it is recommended that it be installed from an image file (.iso) so that it is easily accessible in case a new virtual machine needs to be created from the same image. The process is shown in Figures 2.30-2.34.

Figure 2.30 First open Virtual Box and select New.
Figure 2.31 Select Next.

Figure 2.32 Select the Media Source. Select Next.
Figure 2.33 Select Start.

Figure 2.34 Highlight the newly created VM and select Start.

Once the virtual machine loads, the usual steps to install the operating system follow. Following the on-screen instructions and installing each operating system in its own way will do it. Now one can start each of the three operating systems simultaneously. Configuring the network settings and the Metasploit Framework is described in Section 3.

2.2.4 Preparing the Metasploitable Test Machine

This project uses the Metasploitable test machine from Rapid7, which is an environment built specifically to focus on network-layer vulnerabilities. The Metasploitable machine is distributed as a torrent, so BitTorrent software is needed in order to download the virtual machine [7]. The steps to use an existing virtual machine are similar to creating a new one and are described in Figures 2.35-2.40. The first is to open Virtual Box as shown in Figure 2.35.

Figure 2.35 Select New.
Figure 2.36 Select Next.
Figure 2.37 Set the Name of the VM and select Linux and Ubuntu for the Metasploitable VM. Select Next.
Figure 2.38 Set the amount of memory to use. Suggested: 2048 MB. Select Next.
Figure 2.39 Select "Use Existing Hard Disk" and use the option to search for Metasploitable.vmdk. Select Next.

Figure 2.40 Select Create.

Once the Metasploitable virtual machine is created, one can start it and use it for testing exploits and payloads. In Section 3 there is a discussion of setting up the network settings in order to create a link between the host Test Machine and the Target Exploitable Machine.

2.2.5 Downloading and Installing Armitage

Armitage is the user interface for Metasploit used in this project. In order to install Armitage it must be downloaded from the Armitage website [10]. The screenshots in Figures 2.41 and 2.42 show the download process.

Figure 2.41 Click the Download link.

On the download page we will be selecting the .zip link.

Figure 2.42 Click the .zip link and download Armitage.

Once Armitage.zip has been downloaded it must first be unzipped.

Figure 2.40 Contents of the .zip

The steps below describe taking the contents of the Armitage.zip file that was downloaded and moving them to the correct location. After that, it is a matter of updating the Metasploit Framework and initializing the database.

1. Copy the contents into a folder called Armitage on the C: drive.
2. Start -> Programs -> Metasploit -> Framework -> Framework Update
3. Start -> Programs -> Metasploit -> Framework -> Framework Console (do this once to initialize the database)

To run Armitage one needs to follow these steps:

- Start -> Programs -> Metasploit -> Framework -> Armitage
- Click Connect
- Click Yes when asked whether or not to start Metasploit's RPC daemon
- If asked where Metasploit is installed, select the Metasploit directory. You will only need to do this once.

Figure 2.41 Armitage is successfully installed and running.
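As an added example (not from the report or from VirtualBox's own documentation), the Metasploitable set-up of Section 2.2.4 expressed as VBoxManage commands generated by a small Python script, so the lab can be rebuilt without clicking through Figures 2.35-2.40; it also attaches the VM to the host-only adapter and takes the pre-exploit snapshot that Sections 4.1 and 4.2 go on to describe. Assumptions: VBoxManage is on PATH, the host-only adapter carries VirtualBox's default Windows name "VirtualBox Host-Only Ethernet Adapter", and the .vmdk path is a placeholder.

```python
"""Build (and optionally run) the VBoxManage commands that reproduce the
Metasploitable VM set-up clicked through in Section 2.2.4: import the
existing .vmdk, give it 2048 MB, attach it to the host-only adapter and take
a clean snapshot before any exploit is run.

Added example, not part of the original report.  Assumptions: VBoxManage is
on PATH and the host-only adapter is named as VirtualBox names it on Windows
hosts ("VirtualBox Host-Only Ethernet Adapter").
"""
import subprocess
from dataclasses import dataclass
from typing import List


@dataclass
class LabVm:
    name: str
    ostype: str                 # VBoxManage OS type id, e.g. "Ubuntu"
    memory_mb: int
    disk: str                   # path to the existing .vmdk (placeholder below)
    hostonly_adapter: str = "VirtualBox Host-Only Ethernet Adapter"
    snapshot: str = "clean-baseline"


def provision_commands(vm: LabVm) -> List[List[str]]:
    """Return the VBoxManage invocations, in order, as argv lists."""
    return [
        # Figure 2.37: name and OS type; --register makes it appear in the GUI
        ["VBoxManage", "createvm", "--name", vm.name,
         "--ostype", vm.ostype, "--register"],
        # Figure 2.38 (memory) and Figure 4.3 ("Attached to: Host-Only Adapter")
        ["VBoxManage", "modifyvm", vm.name,
         "--memory", str(vm.memory_mb),
         "--nic1", "hostonly", "--hostonlyadapter1", vm.hostonly_adapter],
        # Figure 2.39: use the existing hard disk instead of creating a new one
        ["VBoxManage", "storagectl", vm.name, "--name", "IDE", "--add", "ide"],
        ["VBoxManage", "storageattach", vm.name, "--storagectl", "IDE",
         "--port", "0", "--device", "0", "--type", "hdd", "--medium", vm.disk],
        # Section 4.2: snapshot first so the target can be reverted after an exploit
        ["VBoxManage", "snapshot", vm.name, "take", vm.snapshot],
    ]


def provision(vm: LabVm, apply: bool = False) -> List[str]:
    """Render each command as a shell-style line; execute them only when apply=True."""
    rendered = []
    for argv in provision_commands(vm):
        line = " ".join(f'"{a}"' if " " in a else a for a in argv)
        rendered.append(line)
        if apply:
            subprocess.run(argv, check=True)  # stop at the first failing step
    return rendered


if __name__ == "__main__":
    metasploitable = LabVm(name="Metasploitable", ostype="Ubuntu",
                           memory_mb=2048, disk=r"C:\VMs\Metasploitable.vmdk")
    for cmd in provision(metasploitable):  # dry run: print, do not execute
        print(cmd)
```

Run with `provision(vm, apply=True)` once the printed commands look right; the dry run is the default so a typo in a path never touches the hypervisor.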

3. Test / Preparation

3.1 Overview

This project utilizes the Metasploit Framework in unison with the Oracle VM Virtual Box software in order to create a formidable test environment for penetration testing. The virtualization of multiple computers is needed in order to show the power and functionality of the Metasploit Framework. This project requires that all of the virtualized machines (VMs) be on the same network. Once these VMs have been created, the Metasploit Framework is then used to find vulnerabilities, create exploits and deliver payloads to the VMs. The output of these tests is then documented and different test cases are monitored. The test environment runs off of a machine in the FGCU Computer Science Lab. This test environment is loaded with the Metasploit Framework and hosts all three of the VMs. Once testing of the virtual machines has been accomplished, a test on the FGCU Computer Science Lab network will be run. This will attempt to scan and find vulnerabilities in the network and attempt to exploit them.

3.2 Current Testing Environment

Currently the Metasploit Test Lab includes the host machine with one virtual machine running Metasploit's own test server, Metasploitable. After downloading the Metasploitable image from Metasploit's website [1], the image is loaded into Virtual Box and booted up, as shown in Figure 3.1.

Figure 3.1 Booted Metasploitable image.

Once the Metasploitable virtual machine is ready for action, the Metasploit Framework can be started in order to start exploiting our target machine. The image in Figure 3.2 shows the launched msfconsole. Msfconsole is launched by going to the Start menu and, under Metasploit, choosing Metasploit Console.

Figure 3.2 msfconsole ready and waiting for input

Once msfconsole is ready, one needs to set up the virtual network and can then start doing some penetration testing on the Metasploitable virtual machine. The implementation of this testing is discussed in Section 4.

4. Implementation

4.1 Setting up the Virtual Network

When Virtual Box is installed a new network adapter is created. This network adapter is called VirtualBox Host-Only Network. This is the network adapter that will be used in order to create a local area network with the virtual target machines. Figure 4.1 shows the VirtualBox Host-Only Network adapter that will be used.

Figure 4.1 VirtualBox Host-Only Network

The virtual target machines need to be created next, in order to change their network settings. The Metasploitable virtual machine is used to show how to change the network settings to use the virtual local network.

Figure 4.2 Highlight the Metasploitable Virtual Machine. Click Settings.

Figure 4.3 Select Network and, in the dropdown for "Attached to:", select Host-Only Adapter.

This is shown in Figures 4.2 and 4.3. It will allow the virtual machine to connect to the network adapter created by Virtual Box, establishing a link to the virtual local network. To verify network connectivity, the Metasploitable virtual machine has to be started first. Once started, the user has to log in with the credentials msfadmin:msfadmin.

Figure 4.4 Screen that appears after logging in.

After logging in, the screen shown in Figure 4.4 should appear. The ifconfig command should be run next, as shown in Figure 4.5. Since this machine was created first and is the only one on the virtual network, it was given the IP address 192.168.56.101. One can now use this IP address to run a ping from the Host machine, which is shown in Figure 4.6.

Figure 4.5 Response from ifconfig on Metasploitable

Figure 4.6 Successful ping attempt.

The virtual network has been created and the Host and Target machines are communicating. Now exploits can be created and executed between the machines.

4.2 Selecting an Exploit

Before selecting or using exploits it is advisable to take a snapshot of the Target machine so that it may be reverted back to its default state. This will save time later, as a complete reinstall might be needed after some exploits. To do this, on the target machine select Machine > Take Snapshot. This will bring up the screen shown in Figure 4.7.

Figure 4.7 Taking a snapshot. Put in a snapshot name and hit OK.

In order to discover vulnerabilities to exploit, the first thing that must be done is discovering machines on the network. This would be done in a normal testing environment, so it should be included here in order to know the function. First one would sweep the network with a simple ping scan to determine which hosts are online. This is done with the command nmap -sP 192.168.56.1/24, as shown in Figure 4.8.

Figure 4.8 NMAP scan results

There are three hosts on this network: 192.168.56.1, 192.168.56.101 and 192.168.56.101. Since it is known that the Metasploitable target machine is 192.168.56.101, the remainder of the exploit will be using this IP address as the Target. Now that the IP address is known, the next step is to scan for what programs are running on which ports. The program chosen this way will be used in the exploit to gain access to the machine, so one must know the port numbers. The respective command is nmap -sV 192.168.56.101, as shown in Figure 4.9.

Figure 4.9 NMAP port scan results

For this example the Apache Tomcat/Coyote JSP engine 1.1 is used next, to exploit. It has an open port on 8180.

This example, named 'Tomcat Application Manager Login Utility', is provided by Matteo Cantoni and jduck, to test credentials against a Tomcat application.

Figure 4.10 Select Exploit

Setting up the exploit includes: using the exploit location, setting RHOSTS to the host one will be exploiting (in this case 192.168.56.101), setting RPORT (in this case 8180) and entering the exploit command, as shown in Figure 4.10. The result of this is a huge list of attempted username/password pairs. Figure 4.11 shows a viable username/password pair.

Figure 4.11 Found successful login

Now that a successful username/password has been found, an exploit can be set up to send a payload.
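The login utility above succeeds only because a Manager account carries a guessable password. As an added example (not from the report, not Metasploit's or Tomcat's code), here is the defender's side of that finding: a check of Tomcat's tomcat-users.xml that flags every account able to reach the Manager application whose password is empty, a vendor-documentation default, its own username, or simply short. The XML is a constructed sample, and WEAK_PASSWORDS is a short constructed list of documented defaults, not the wordlist the module uses.

```python
"""Audit Tomcat's tomcat-users.xml for the weakness Section 4.2 exploits:
a Manager-role account guarded by a default or trivially guessed password.

Added example, not part of the original report.  The XML below is a
constructed sample in the Tomcat 6 layout (no namespace); Tomcat 7+ files
add an xmlns, which the parser tolerates.  WEAK_PASSWORDS is a constructed
list of defaults that appear in vendor documentation, not a cracking list.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Roles that reach the Manager application (Tomcat 6 "manager", Tomcat 7+ split roles).
MANAGER_ROLES = {"manager", "manager-gui", "manager-script",
                 "manager-jmx", "manager-status", "admin", "admin-gui"}
WEAK_PASSWORDS = {"tomcat", "admin", "manager", "password", "s3cret", "changeit"}
MIN_LENGTH = 12

# Constructed sample: two risky Manager accounts, one good one, one non-Manager user.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="webapp-user"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="deploy" password="Kq7!v9rZpL2m" roles="manager-script"/>
  <user username="bob" password="bob" roles="webapp-user"/>
  <user username="admin" password="" roles="manager-gui"/>
</tomcat-users>
"""


def _local_name(tag: str) -> str:
    """Strip an ElementTree namespace prefix such as '{http://tomcat.apache.org/xml}user'."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text: str) -> List[Tuple[str, str]]:
    """Return (username, reason) for each Manager-capable account that is weak."""
    root = ET.fromstring(xml_text)
    findings: List[Tuple[str, str]] = []
    for el in root.iter():
        if _local_name(el.tag) != "user":
            continue
        name = el.get("username", "")
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if not roles & MANAGER_ROLES:
            continue  # cannot log in to /manager; outside this check's scope
        if password == "":
            findings.append((name, "empty password on Manager account"))
        elif password.lower() in WEAK_PASSWORDS:
            findings.append((name, "vendor-default password on Manager account"))
        elif password.lower() == name.lower():
            findings.append((name, "password equals username"))
        elif len(password) < MIN_LENGTH:
            findings.append((name, f"Manager password shorter than {MIN_LENGTH} characters"))
    return findings


if __name__ == "__main__":
    for user, reason in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{user}: {reason}")
```

Point it at the real file with `audit_tomcat_users(open(path).read())`; an empty result means no Manager account would fall to the dictionary the login utility runs.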

4.3 Payloads

Metasploit contains many different types of payloads, each serving a unique role within the framework. Let's take a brief look at the various types of payloads available and get an idea of when each type should be used.

Inline (Non Staged): A single payload containing the exploit and full shellcode for the selected task. Inline payloads are by design more stable than their counterparts because they contain everything all in one. However, some exploits won't support the resulting size of these payloads.

Staged: Stager payloads work in conjunction with stage payloads in order to perform a specific task. A stager establishes a communication channel between the attacker and the victim and reads in a stage payload to execute on the remote host.

Meterpreter: Meterpreter, the short form of Meta-Interpreter, is an advanced, multi-faceted payload that operates via DLL injection. The Meterpreter resides completely in the memory of the remote host and leaves no traces on the hard drive, making it very difficult to detect with conventional forensic techniques. Scripts and plugins can be loaded and unloaded dynamically as required, and Meterpreter development is very strong and constantly evolving.

PassiveX: PassiveX is a payload that can help in circumventing restrictive outbound firewalls. It does this by using an ActiveX control to create a hidden instance of Internet Explorer. Using the new ActiveX control, it communicates with the attacker via HTTP requests and responses.

NoNX: The NX (No eXecute) bit is a feature built into some CPUs to prevent code from executing in certain areas of memory. In Windows, NX is implemented as Data Execution Prevention (DEP). The Metasploit NoNX payloads are designed to circumvent DEP.

Ord: Ordinal payloads are Windows stager-based payloads that have distinct advantages and disadvantages. The advantages are that they work on every flavor and language of Windows dating back to Windows 9x without the explicit definition of a return address, and they are also extremely tiny. However, two very specific disadvantages make them not the default choice. The first is that they rely on ws2_32.dll being loaded in the process being exploited before exploitation. The second is that they are a bit less stable than the other stagers.

IPv6: The Metasploit IPv6 payloads, as the name indicates, are built to function over IPv6 networks.

As soon as valid credentials have been found, jduck's Tomcat Manager Application Deployer (tomcat_mgr_deploy) can be used against the target, as shown in Figure 4.12.

Figure 4.12 Setting up tomcat_mgr_deploy

Once these settings have been entered correctly, a payload can be set and the exploit run. To find a valid payload, use the command show payloads, as presented in Figure 4.13.

Figure 4.13 Valid Payloads

Since Apache Tomcat uses a JSP engine, the best payload to use is java/shell/bind_tcp, which opens a connection to Metasploitable and gives control of a shell. The respective command to set a payload is: set PAYLOAD java/shell/bind_tcp, then exploit, as shown in Figure 4.14.

Figure 4.14 Successful payload delivery

After this, control of the target's shell is possible, as shown in Figure 4.15.

Figure 4.15 ls command on remote shell

4.4 FGCU Computer Science Lab Network Penetration Test

After the virtual test environment has been successfully exploited, Armitage can be used to scan for and locate vulnerabilities on the FGCU Computer Science Lab network, using the designated lab computer in the FGCU Computer Science Lab to conduct the scan. The lab computer must be on the FGCU Computer Science Lab network so that the main FGCU network is excluded. The IP address of the designated lab computer is 69.88.163.15.

To start Armitage on the FGCU lab computer, go to Start -> Metasploit -> Framework -> Armitage, as shown in Figure 4.16.

Figure 4.16 Location of Armitage on Lab Computer

When Armitage starts, a prompt will come up as shown in Figure 4.17; click Connect.

Figure 4.17 Connect screen for Armitage

Once Armitage is running, go to Hosts -> Nmap Scan -> Quick Scan, as shown in Figure 4.18.

Figure 4.18 Quick Scan

Then enter the IP range you wish to scan. This example uses the CS network 69.88.163.0/24. Then click OK, as shown in Figure 4.19.

Figure 4.19 Scan range.

Once the scan is completed, the discovered targets and their IP addresses will appear in the upper part of the console, as shown in Figure 4.20. One can dig down into each individual target by right clicking the target and clicking Scan. This runs a multitude of scans on the individual target and shows what is running on the open ports. If there are open ports, it will also show what operating system the target is running: a Windows symbol for Windows targets and a Tux penguin for Linux targets. If there are no open ports, or Armitage cannot gather enough information about the target, the icon for the target will remain blank.

Figure 4.20 After a scan of the network.

There are two ways to initiate attacks. One way is by going to Attacks -> Find Attacks. This generates a list of attacks per target, which can be accessed by right clicking on the target and going to the Attacks menu item in the drop down, as shown in Figure 4.21. The other way is to do a Hail Mary, as shown in Figure 4.22. The Hail Mary generates a list of all possible exploits that pertain to the current network setup and then executes each exploit one by one until a vulnerability is found.
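The quick scan described above probes many ports on each host and walks the whole /24, and both behaviours leave a recognisable trace in a perimeter or host firewall log. As an added example, not part of the original report, the following Python script runs the two classic scan heuristics over constructed iptables-style SYN log lines: a vertical scan (one source hitting many distinct ports on one host within a short window) and a horizontal sweep (one source contacting many distinct hosts). The log format, addresses, thresholds and window are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed iptables-style SYN log lines (not from the report): one host probing
# ten ports on 192.168.56.101, the same host later sweeping port 80 across five
# hosts, and a normal client talking only to Tomcat on 8180.
SAMPLE_FW_LOG = "\n".join(
    [f"Nov 12 14:10:{i:02d} gw kernel: IN=eth0 SRC=192.168.56.1 DST=192.168.56.101 "
     f"PROTO=TCP SPT={40000 + i} DPT={p} SYN"
     for i, p in enumerate([21, 22, 23, 25, 80, 139, 445, 3306, 8180, 8009])]
    + [f"Nov 12 14:12:{i:02d} gw kernel: IN=eth0 SRC=192.168.56.1 DST=192.168.56.{101 + i} "
       f"PROTO=TCP SPT={41000 + i} DPT=80 SYN" for i in range(5)]
    + ["Nov 12 14:13:05 gw kernel: IN=eth0 SRC=192.168.56.50 DST=192.168.56.101 "
       "PROTO=TCP SPT=51000 DPT=8180 SYN",
       "Nov 12 14:13:09 gw kernel: IN=eth0 SRC=192.168.56.50 DST=192.168.56.101 "
       "PROTO=TCP SPT=51001 DPT=8180 SYN"]
)

FW_RE = re.compile(
    r'^\w{3} +\d+ (?P<time>\d\d:\d\d:\d\d) \S+ kernel: .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) '
    r'PROTO=TCP .*DPT=(?P<dpt>\d+) SYN'
)


def _seconds(hhmmss):
    """Syslog timestamps carry no year, so events are compared within one day (assumption)."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def _recent(events, now, window):
    """Drop events older than `window` seconds relative to `now`."""
    return [(t, v) for t, v in events if now - t <= window]


def detect_scans(log_text, min_ports=8, min_hosts=5, window_seconds=30):
    """Report a source that, within window_seconds, sends SYNs to >= min_ports
    distinct ports on one host (vertical scan) or to >= min_hosts distinct hosts
    (horizontal sweep). Each (source, kind) pair is reported once."""
    by_pair = defaultdict(list)   # (src, dst) -> [(t, dport)]
    by_src = defaultdict(list)    # src -> [(t, dst)]
    reported = set()
    alerts = []
    for raw in log_text.splitlines():
        m = FW_RE.match(raw)
        if not m:
            continue
        t, src, dst, dpt = _seconds(m["time"]), m["src"], m["dst"], int(m["dpt"])
        by_pair[(src, dst)] = _recent(by_pair[(src, dst)], t, window_seconds) + [(t, dpt)]
        by_src[src] = _recent(by_src[src], t, window_seconds) + [(t, dst)]
        ports = {p for _, p in by_pair[(src, dst)]}
        hosts = {h for _, h in by_src[src]}
        if len(ports) >= min_ports and (src, "vertical_scan") not in reported:
            reported.add((src, "vertical_scan"))
            alerts.append({"kind": "vertical_scan", "src": src, "dst": dst,
                           "ports": sorted(ports)})
        if len(hosts) >= min_hosts and (src, "host_sweep") not in reported:
            reported.add((src, "host_sweep"))
            alerts.append({"kind": "host_sweep", "src": src, "hosts": sorted(hosts)})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_FW_LOG):
        print(alert)
```

The thresholds are deliberately low so the constructed sample trips both rules; on a real network they are tuned against a baseline, and the same counting works over any source that records one line per connection attempt (netflow, a host firewall, or a Tomcat access log as in the earlier example).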

Figure 4.21 Attack menu of one of the targets.

Figure 4.22 A Hail Mary attempt.

In Figure 4.22 the Hail Mary attempt yielded no vulnerabilities on the network. It tried all of the exploits and no sessions were created. If a session had been created, it would be a sign that one of the exploits completed correctly. Even though this attempt isn't the most in-depth check for vulnerabilities, each target can also be checked individually in the Attack drop down menu. This network yielded no vulnerabilities that Metasploit and Armitage could find.

4.5 Using Armitage with Metasploitable

Another example is to use the Metasploitable virtual machine in order to replicate the attack on the Tomcat web server. A quick scan of the virtual network can be done using 192.168.56.0/24. Figures 4.23 and 4.24 show this process.

Figure 4.23 Quick Scan (OS Detect)

Figure 4.24 Entering the IP range for the virtual network. Click OK.

Once the scan is completed, the Metasploitable virtual machine, which is 192.168.56.102, will show in the targets screen along with the machine the scan was run from. Figure 4.25 shows the two machines in the targets screen.

Figure 4.25 Local machine and Metasploitable virtual machine

Right clicking on the Metasploitable machine will yield a drop down menu, shown in Figure 4.26. The menu includes Login, Services, Scan and Host. Since no intensive scan has been done on this machine, one will need to be run: in the drop down menu select Scan.

Figure 4.26 Drop down menu options for this machine. Select Scan.

Once the scan has finished, one can see which services this machine is running by selecting the Services option from the drop down shown in Figure 4.26. This opens a new tab in the console section of Armitage with a list of the services currently running. Figure 4.27 shows this tab.

Figure 4.27 Services tab for Metasploitable machine

The list in Figure 4.27 shows all of the open ports on the Metasploitable machine. In order to see which attacks can be used, one must first run Find Attacks. Figures 4.28 and 4.29 show how this is done.

Figure 4.28 Select Attacks, then Find Attacks.

Figure 4.29 After the analysis is complete, click OK.

Armitage has now provided a list of attacks that can be accessed by right clicking the Metasploitable machine, as shown in Figure 4.30. This list can be used to initiate attacks immediately or to run auxiliary scans before these attacks. Such is the case with tomcat_mgr_deploy: this exploit will not work without a user name and password entered into its options, so a valid user name and password pair must be found first. The tomcat_mgr_login module is used to brute force login attempts until a successful login is found.

Figure 4.30 Attack list showing available exploits.

To search for this auxiliary scan, one can use the exploit database on the left hand side of Armitage. Figure 4.31 shows how to use this search feature to find tomcat_mgr_login.

Figure 4.31 Type tomcat into the search and hit enter.

Double clicking the tomcat_mgr_login scanner will bring up an options window. This window is used for managing the module's individual options and, once these are all set, launching it. Figure 4.27 shows the services currently running on the Metasploitable virtual machine; the Tomcat server is running on port 8180. This is important because the port needs to be set correctly in the options. Figure 4.32 shows how the options window looks.

Figure 4.32 Set the correct port and then click Launch.

The tomcat_mgr_login scanner will run and detect the user name and password combination tomcat/tomcat as a valid login. This is then used in the attack itself. Following Figure 4.30, select tomcat_mgr_deploy and once again set the correct settings for username, password and port, as shown in Figure 4.33.
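The tomcat/tomcat pair the scanner finds above is a default credential, and a manager account with a default password is the whole reason the deploy step that follows works. As a defender's check, added here and not part of the original report, the following Python script audits a tomcat-users.xml file for manager-capable accounts whose password is a known default, equals the username, or is too short. The XML content, the default-password list and the length threshold are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml for this example (not copied from the report or
# from Metasploitable). Tomcat 5.x/6.x uses the "manager" role; Tomcat 7 and later
# split it into manager-gui, manager-script, manager-jmx and manager-status.
SAMPLE_TOMCAT_USERS = """\
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="tomcat" password="tomcat" roles="tomcat,manager"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
  <user username="ops" password="Xk9#vQ2m!LpR7wTz" roles="manager"/>
</tomcat-users>
"""

# Roles that grant manager/host-manager access across Tomcat versions.
MANAGER_ROLES = {"manager", "admin", "manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui", "admin-script"}

# Illustrative list of defaults and stock sample passwords; a real audit would use
# the same wordlist the attacker's login scanner uses.
DEFAULT_PASSWORDS = {"tomcat", "admin", "password", "s3cret", "manager",
                     "changethis", "root", "123456"}


def audit_tomcat_users(xml_text, min_length=12):
    """Return one finding per <user> whose password is a default, equals the
    username, or is shorter than min_length, marking whether the account holds
    a manager-capable role."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if elem.tag.split("}")[-1] != "user":      # tolerate a namespaced file
            continue
        name = elem.get("username") or elem.get("name") or ""   # "name" on old Tomcat 4 files
        pw = elem.get("password") or ""
        roles = {r.strip() for r in (elem.get("roles") or "").split(",") if r.strip()}
        problems = []
        if pw.lower() in DEFAULT_PASSWORDS:
            problems.append("default_password")
        if pw and pw.lower() == name.lower():
            problems.append("password_equals_username")
        if len(pw) < min_length:
            problems.append("short_password")
        if problems:
            findings.append({"username": name,
                             "privileged": bool(roles & MANAGER_ROLES),
                             "problems": problems})
    return findings


def privileged_accounts_at_risk(findings):
    """Usernames that both hold a manager role and have a weak password:
    these are the accounts a manager login scanner will find."""
    return [f["username"] for f in findings if f["privileged"]]


if __name__ == "__main__":
    results = audit_tomcat_users(SAMPLE_TOMCAT_USERS)
    for f in results:
        print(f)
    print("manager accounts at risk:", privileged_accounts_at_risk(results))
```

On the constructed file the script reports three weak accounts but only one of them, tomcat, holds a manager role; that is the one to fix before anything else, by removing it or giving it a long random password, and by keeping the manager application off any interface the lab network can reach.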

Figure 4.33 Set the username, password and port. Then click Launch.

Once the exploit finishes running, it should complete successfully, and the Metasploitable machine's icon in the target section of Armitage will turn red and be surrounded by lightning bolts. A new drop down menu item called Meterpreter will also appear, which is used to gain access to the machine. Figures 4.33 and 4.34 show this change in icon and the new drop down option.

Figure 4.33 Exploited Metasploitable machine.

Figure 4.34 Meterpreter session opened, showing explore options.

Once the session has been opened, one can browse files on the remote machine, show the processes, take a screenshot if applicable, or even access a web cam on the machine to take a picture. Clicking on Post Modules will show other payloads that can be delivered with the current session. These show up on the left hand side of Armitage under the module database section. Figure 4.35 shows the list for this particular machine. Other options are interacting by using a shell, and pivoting, which allows the user to make this machine a pivot point of access into the network. With multiple machines on the network, this would allow the user to attempt to use the privileges currently held in order to gain access to other machines.

Figure 4.35 List of post modules for Metasploitable machine.

5. Conclusion

The Metasploit Framework is a useful tool for checking vulnerabilities on a network. It works quite well with Armitage when used on Rapid7's Metasploitable virtual machine. However, a real world test was unsuccessful when Armitage and Metasploit were used on the FGCU Computer Science Lab network. The assumption is that there are no known vulnerabilities on this network.

The virtualized test with Metasploitable and Armitage yielded success. This was a test that was expected to work and was only used to show the capabilities of Metasploit used in unison with Armitage. This successful test shows that the frameworks work together and that future attempts may follow this project in order to enhance the functionality of exploits.

The ability to keep track of information found by the Metasploit Framework is not available in the free version used in this project. However, a commercial version is available that has an extensive database to store previously found exploits and vulnerabilities for the tester to refer back to. An excellent addition to this project would be to use these tools in order to further detect currently unseen and untested vulnerabilities. The commercial version can be found on Rapid7's Metasploit website. Activation is done through email and purchase can be done online. [4]

6. References

[1] Metasploit, September 2011. URL: http://www.metasploit.com/
[2] Virtual Box, September 2011. URL: http://www.vitrualbox.org/
[3] Virtual Box Downloads, September 2011. URL: http://www.vitrualbox.org/wiki/downloads/
[4] Metasploit, September 2011. URL: http://www.metasploit.com/download/
[5] D. Maynor, K. K. Mookhey, Metasploit Toolkit: For Penetration Testing, Exploit Development, and Vulnerability Research, Syngress Publishing, Inc., Burlington, MA, 2007.
[6] D. Kennedy, J. O'Gorman, D. Kearns, and M. Aharoni, Metasploit: The Penetration Tester's Guide, No Starch Press, Inc., San Francisco, CA, 2011.
[7] Metasploitable Image, September 2011. URL: http://updates.metasploit.com/data/metasploitable.zip.torrent
[8] Ultimate LAMP Image, September 2011. URL: http://ronaldbradford.com/tmp/ultimatelamp-0.2.zip
[9] Ubuntu 11.10 Image, September 2011. URL: http://www.ubuntu.com/startdownload?distro=desktop&bits=32&release=latest
[10] Armitage, November 2011. URL: http://www.fastandeasyhacking.com