Cyber Attack Phases using Metasploit

In this laboratory we will practice the phases of a Cyber Attack using Metasploit.

Metasploit is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development.

Pre Lab: Setting up the VMs

Since we are using VirtualBox, the two VMs (the attacker machine and the Metasploitable target) must be on the same virtual network so they can reach each other. For this lab we use a NAT Network.

In VirtualBox create a NAT Network shared by the two VMs. In this example it is named Metasploit.

Go to VirtualBox Preferences.

Add a NAT Network named Metasploit.

Set the network adapter of both VMs to use the Metasploit NAT Network.

Check the IP address of each machine (the attacker and the Metasploitable target) so you know which addresses to use in the scans:

ifconfig


Using Metasploit

To start the Metasploit console:

msfconsole


Some useful Metasploit commands are:

Creating a workspace

Workspaces keep the hosts, services and credentials found in one engagement separate from those of other engagements. To create a new workspace for this laboratory, named ccom4088, execute:

workspace -a ccom4088

Scanning

You can use either nmap or Metasploit's own port scanners to scan the network. The difference is that hosts and ports found by Metasploit modules are stored automatically in the Metasploit database (nmap output has to be imported, for example by running it as db_nmap from msfconsole), and later modules can take their targets from the database.

To list the available port scanner modules:

search portscan


These are normally the steps used to run a Metasploit module:

  1. Select a module

    use <module path>
    
  2. Show the module options

    show options
    
  3. Set the module options

    set <option> <value>
    
  4. Run the module

    run
    

For example:

Select the TCP port scanner and scan the first 1024 ports of the target (10.0.2.15 in this example) with 20 threads:

use auxiliary/scanner/portscan/tcp
show options
set INTERFACE eth0
set PORTS 1-1024
set RHOSTS 10.0.2.15
set THREADS 20
run

The next figures illustrate the use of the previous commands.


The next figure shows the results of the port scan against the Metasploitable machine.

Note: these results are stored in the Metasploit database under your workspace, so later modules can reuse them.

After you have scanned a network, some useful commands are hosts (lists the hosts stored in the workspace), services (lists the ports and services found on them) and hosts -R (sets the RHOSTS option of the current module to all the hosts in the workspace).

From the previous results we find that FTP (port 21) is open on the Metasploitable machine. Let's now identify the FTP server version. Because hosts -R fills RHOSTS from the database, the target's address does not have to be typed again.

use auxiliary/scanner/ftp/ftp_version
show options
hosts -R
run

The following figure illustrates the results of the FTP version scan.
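The two modules used above, auxiliary/scanner/portscan/tcp and auxiliary/scanner/ftp/ftp_version, do nothing more exotic than opening TCP connections and reading the server's greeting. The following Python script is an added example, not code from the lab or from Metasploit, that performs the same two steps by hand: a threaded TCP connect scan over a port range, followed by a grab of the FTP 220 banner from the port that answered. So that it runs offline, it starts a constructed local listener that plays the role of the FTP target; the 127.0.0.1 address, the ephemeral port and the banner text are assumptions, not values from the lab.

```python
"""Added example (not from the lab page or from Metasploit): a threaded TCP
connect scan followed by an FTP banner grab, the same two steps that
auxiliary/scanner/portscan/tcp and auxiliary/scanner/ftp/ftp_version perform.
The target is a constructed local listener so the script runs offline."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

TIMEOUT = 1.0  # seconds per connection attempt (the module's TIMEOUT option)

# Constructed banner for the stand-in server; a real FTP server sends its own
# "220 ..." greeting, which is exactly what ftp_version reports.
FAKE_BANNER = b"220 ExampleFTPd 0.1 ready\r\n"


def tcp_connect_scan(host, ports, threads=20, timeout=TIMEOUT):
    """Return the sorted list of ports that accept a full TCP handshake.

    Like portscan/tcp this is a connect scan: every probe completes the
    handshake, so each one shows up in the target's logs."""
    def probe(port):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                return port
            except OSError:  # refused, filtered (timed out) or unreachable
                return None

    with ThreadPoolExecutor(max_workers=threads) as pool:  # THREADS option
        return sorted(p for p in pool.map(probe, ports) if p is not None)


def ftp_banner(host, port=21, timeout=TIMEOUT):
    """Return the server's first greeting line if it is an FTP 220 banner, else None.

    FTP servers speak first, so reading the greeting without sending anything
    is enough to learn the product and version they advertise."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            data = b""
            while b"\n" not in data:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:  # closed port, or the service never sent a greeting
        return None
    line = data.split(b"\n", 1)[0].decode("ascii", errors="replace").strip()
    return line if line.startswith("220") else None


def start_fake_ftp(banner=FAKE_BANNER):
    """Start a constructed stand-in for the FTP target on 127.0.0.1 and return
    its ephemeral port. It sends the banner to each client and hangs up."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:  # scanner clients close without reading
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo():
    """Scan a small range around the stand-in server, then grab its banner."""
    port = start_fake_ftp()
    open_ports = tcp_connect_scan("127.0.0.1", range(port - 5, port + 6))
    return port, open_ports, ftp_banner("127.0.0.1", port)


if __name__ == "__main__":
    port, open_ports, banner = demo()
    print("open ports:", open_ports)
    print("banner on port %d: %s" % (port, banner))
```

The scan only reports ports that complete the handshake, which is why a firewall that silently drops packets shows up as "closed" here just as it does in the module's output; a port that answers but is not FTP (an SSH greeting, for instance) makes ftp_banner return None rather than a false version string.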

Exercise 1: Scanning VNC

  1. Follow the steps used in the FTP example, this time searching for a VNC scanner (search vnc), and use it to find the password of the VNC server running on the Metasploitable machine.
  2. Connect to the VNC server with command:
vncviewer metasploit-ip:5900

Replace metasploit-ip with the IP of the metasploitable machine.


Exercise 2: Scanning TOMCAT

  1. Look at the list of open ports (the services command shows the ones stored in the workspace). Find the one that is running Apache Tomcat.
    • Hint: try the more likely candidates first. Tomcat's default HTTP port is 8080, so look at the open ports from 8000 up.
  2. Similar to the previous examples find a suitable tomcat login scanner.
  3. Setup the scanner and run it.
    • Take a careful look in the results to obtain the management username and password.
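The login scanner this exercise asks for works by sending HTTP requests with a Basic Authorization header to the Tomcat manager application and noting which username/password pair the server accepts. The script below is an added example, not code from the lab or from Metasploit, that implements that check and runs it against a constructed local stand-in for the manager application so it works offline. The /manager/html path is Tomcat's real manager URL; the stand-in's accepted credentials (manager / s3cret) and the four-entry wordlist are assumptions made for the example and are not the Metasploitable values the exercise asks you to find.

```python
"""Added example (not from the lab page or from Metasploit): an HTTP Basic
auth login check against the Tomcat manager application, which is what a
Tomcat login scanner does underneath. It runs against a constructed local
stand-in server so the example works offline."""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MANAGER_PATH = "/manager/html"  # Tomcat's manager web interface

# Constructed credentials accepted by the stand-in server; the real values
# must come from the scanner results, as the exercise asks.
VALID_USER, VALID_PASS = "manager", "s3cret"

# Constructed candidate list; the real scanner uses a much longer wordlist.
WORDLIST = [
    ("admin", "admin"),
    ("tomcat", "tomcat"),
    ("manager", "manager"),
    ("manager", "s3cret"),
]


def basic_auth_header(username, password):
    """Build the Authorization header value for HTTP Basic auth (RFC 7617)."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    return "Basic " + token


def try_login(host, port, username, password, path=MANAGER_PATH, timeout=3.0):
    """Send one authenticated GET and return the HTTP status code.

    Tomcat answers 401 for unknown credentials, 403 for a valid user that
    lacks the manager role, and 200 when the login is accepted."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path,
                     headers={"Authorization": basic_auth_header(username, password)})
        return conn.getresponse().status
    finally:
        conn.close()


def find_manager_login(host, port, candidates, path=MANAGER_PATH):
    """Try each (username, password) pair; return the first one that gets a 200."""
    for username, password in candidates:
        if try_login(host, port, username, password, path) == 200:
            return username, password
    return None


class FakeManager(BaseHTTPRequestHandler):
    """Constructed stand-in for the Tomcat manager app: Basic auth on MANAGER_PATH."""

    def do_GET(self):
        if self.path != MANAGER_PATH:
            self.send_response(404)
            self.end_headers()
            return
        if self.headers.get("Authorization") == basic_auth_header(VALID_USER, VALID_PASS):
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"Tomcat Web Application Manager (stand-in)")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Tomcat Manager Application"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_fake_manager():
    """Start the stand-in server on 127.0.0.1 and return its ephemeral port."""
    srv = HTTPServer(("127.0.0.1", 0), FakeManager)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def demo():
    """Run the wordlist against the stand-in and return the accepted pair."""
    port = start_fake_manager()
    return find_manager_login("127.0.0.1", port, WORDLIST)


if __name__ == "__main__":
    print("accepted credentials:", demo())
```

When reading real scanner output, the status code matters as much as the credential pair: a 403 means the password was right but the account cannot use the manager, which is useful for the next exercise only if you also find an account that holds the manager role.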

Exercise 3: Exploit TOMCAT

  1. Search for a Tomcat exploit (use the search command, for example search tomcat).
  2. Set the exploit options with the information gathered in the previous steps (the target host and port, and the manager username and password).
  3. Run it with the exploit command.

The next figure shows an example of the Tomcat exploit's options.

The next figure shows an example of the Tomcat exploit running.

Meterpreter

Meterpreter is the command interpreter of the payload that runs on the exploited machine once the exploit succeeds: it gives you a session on the target from which you can run commands. Spend some time exploring it. To list the available commands, type:

?

(help works as well.)

References:

  1. Metasploit Unleashed
  2. Armitage presentation BSidesPR 2013