What would you think if I told you that there is a tool that brings together the most widespread techniques of vulnerability assessment, penetration testing, digital forensics and so on and so forth?
“Metasploit” is a framework for penetration testing, developed by Rapid 7 LCC1, which provides information on vulnerabilities, simplifies pentesting operations and facilitates the development of IDS (intrusion detection systems).
A framework is a software infrastructure that provides a basic structure and a set of tools, libraries and guidelines (a set of functions and tools already "ready to use"), so that the user can concentrate on the problem at hand. solve/action to take, without having to implement features that someone else has already created or rewrite code already written for similar tasks.
Here are basic principles of Metasploit:
1. Large community and support: Being open source and pre-installed (in its free version) on all Linux-based systems, it is supported by a large community of developers and security researchers who contribute new modules. This active community helps keep Metasploit updated and responsive to new threats and emerging vulnerabilities.
2. Exploit database: Metasploit includes a database of exploits (definition of which will be given shortly) that allows users to search, filter and use them against a variety of systems and services. This database is constantly updated to include the latest vulnerabilities and corresponding exploits.
3. User Interface: Metasploit offers several user interfaces, including a command line version and a GUI (Metasploit Community Edition and Metasploit Pro2) which simplify the use of the framework even for less experienced users.
4. Ethical use: Although Metasploit can be used for illegal purposes in the wrong hands, most users use it to test and improve the security of their systems, or as a training tool to better understand vulnerabilities and attack techniques (blue team but also red team).
In essence, Metasploit is a powerful and flexible tool used by cybersecurity professionals, researchers, businesses, and government organizations to evaluate and improve the security of computer systems. However, it is crucial to use it ethically and legally.
FEAT
In general, a exploit is a set of instructions or code specifically designed to exploit a particular vulnerability or weakness within a computer system or application. When successfully executed, an exploit allows the attacker to gain unauthorized access to the target system, execute arbitrary code, compromise system security, or engage in other malicious action. These exploits can exploit various types of vulnerabilities, hardware or software, such as intentional and non-intentional programming errors (backdoors), buffer overflows, code injection, etc.
Specifically, Metasploit offers a series of exploits that can be used based on existing vulnerabilities in the target system, revealed to the attacker following a specific scan.
Using Metasploit scan modules, such as “auxiliary/scanner/portscan/tcp”, you can run a scan for open ports and listening services on the target system. This provides an overview of potential entry points into the system.
Exploits can be classified into two types:
-
Feat active: They are executed on a target system, exploit the system, perform the specific task and cease to exist.
-
Feat passive: they will wait until the target system connects to the exploit; This approach is often used by attackers on the Internet who ask to download files or software.
PAYLOAD
Un payload, literally “paying charge” is a piece of code that is executed via the exploit. The difference between the two is that exploits are used to enter a system and payloads are used to perform specific actions.
For example, a keylogger can be used as a payload in conjunction with an exploit. Once the exploit is successful, it will install the keylogger into the target's system.
AUXILIARIES
- auxiliaries are modules that help you perform custom functions other than exploiting a system. This includes port scanners, fuzzers, sniffers and more.
Here are some examples:
-
msfconsole: The Metasploit console is the main command-line interface for interacting with the framework. It allows you to execute commands, load modules, launch exploits and conduct penetration tests.
-
msfvenom: A tool for generating custom payloads. Allows users to create payloads to exploit specific vulnerabilities or for reverse shell purposes.
-
meterpreter: A multi-purpose Metasploit payload that provides a wide range of post-exploitation functionality on compromised systems. It includes features such as filesystem access, remote system control, screen capture, and more.
-
autopwn: A module that automates the process of finding and exploiting vulnerabilities on a host or network. It uses a variety of exploits to automatically test systems for known vulnerabilities.
How is it used?
Before the attack phase, there is obviously the reconnaissance and analysis of the opponent's vulnerabilities, as in any conventional attack.
Virtually every reconnaissance tool you can imagine integrates with Metasploit, making it possible to pinpoint the weak point you're looking for.
Once a weakness is identified, the vast and modular Metasploit database is automatically searched for the exploit that will open that flaw and allow entry into the victim's device. For example, the exploit EternalBlue3 of NSA (US National Security Agency), has been adapted perfectly for Metasploit and is a reliable choice when dealing with unpatched Legacy Windows systems. EternalBlue uses a technique called pool grooming, which is a type of attack heap spray (technique used to facilitate the execution of arbitrary code on the victim machine) to the kernel memory structure. By targeting vulnerable Windows systems, it injects a shellcode that allows the attacker to use the machine's IP address to communicate directly with the Server Message Block (SMB) protocol, a file sharing protocol that allows Windows systems connected to the same network or domain to share files and folders; it also allows computers to also share printers and serial ports from other computers within the same network. It was used by attackers to install ransomware in victim devices, i.e. a type of malware that encrypts the data of the victim, asking for a ransom to decipher them.
But how does it work in practice?
The process is very simple and intuitive: just start Metasploit using the command “start msfconsole” and search for (search) the exploit of interest, in this case “Eternalblue”.
We will be shown the available exploits with their descriptions. Now we just have to decide which one to use and who to redirect it to.
The commands I used allow you to create a reverse shell on the victim's machine... simple right? Yes and no!
There are countless commands that can be used (not counting the combination with exploits and payloads) the only solution is to "fiddle around" and get involved in the sea of possibilities that this tool offers!
Another example could be related to the perfect integration between Metasploit and its integrated module John The Ripper (password cracking tool that I talked about in the previous article4).
The module 'auxiliary/analyze/jtr_crack_fast' was created to facilitate the use of JTR in the framework. It works against known Windows hashes (NTLM and LANMAN). Simply use the hashes in the database as input, then make sure you have “hashdumped” a database before starting the cracking phase. The module collects the hashes in the database and passes them to John's binaries which are now included in the Metasploit framework via a file in the format “pwdump” generated.
Once the initial bruteforcing of the wordlist is complete, incremental bruteforce rules, called “All4 & Digits5,” are used to force additional combinations. These rulesets are shown below and can be found in the same john.conf configuration file in the framework itself. Cracked values are added to the wordlist as they are found. This is advantageous:
The previously cracked hashes are extracted from the file “john.pot” when starting any operation and these are used as values seed for subsequent executions, possibly allowing other previously uncracked hashes to be broken. Finally, discovered username/password combinations are reported to the database and associated with the host/service
Final thoughts on the uniqueness of Metasploit
There are several aspects that contribute to Metasploit's fame in the field of cybersecurity:
-
Wide range of features: Metasploit offers a wide range of tools and modules that cover all phases of penetration testing, from reconnaissance to exploit execution to elevation of privilege and beyond. This comprehensive suite of tools makes it an essential resource for cybersecurity professionals.
-
Ease of use: Despite the complexity of the security tasks it can perform, Metasploit is designed to be accessible even to beginners. It offers intuitive user interfaces, such as command line console and GUI version for Metasploit Community Edition and Metasploit Pro, which make it easier to navigate and use the framework.
-
Constant updating: Metasploit is supported by a large community of developers and security researchers who constantly contribute new modules, exploits, and updates to keep the framework abreast of the latest threats and vulnerabilities.
-
Flexibility and adaptability: Thanks to its modular architecture, Metasploit can be extended and adapted to specific user needs. This allows users to customize the framework and develop new modules to meet unique security requirements.
-
Community support and documentation: Metasploit enjoys a large user base and solid community support. There are forums, detailed documentation, and online resources that help users learn and solve problems.
-
Open source and free: The core of the Metasploit framework is open source and distributed under the “BSD” license, which means it is free from download, use e change. This makes it accessible to a wide range of users, regardless of financial resources.
Overall, it is this combination of power, ease of use, flexibility, and community support that makes Metasploit one of the most famous and widely used cybersecurity frameworks in the world.