Metasploit from Scratch


Introduction

Metasploit Framework is a penetration testing platform with new and enhanced capabilities, including automation APIs, evasion modules, and usability enhancements; it provides security researchers with a variety of tools to validate the security of a given application or infrastructure deployment. With Metasploit, researchers can also run exploits against targets to see whether they are at risk, attempting to penetrate the existing defensive measures.

Sections:

  1. Features

Among Metasploit's key new features is the extensibility of the framework's database back-end, which can now run as a REST web service. By extending the database as a web service, multiple external tools can extract data from the same database and interact with each other; it also adds a common web service framework to expose both the database and automation APIs supporting advanced authentication and concurrent operations.

  2. Create a virtual laboratory

The virtualized network consists of a Linux distribution called Kali, which can be downloaded from https://www.kali.org/get-kali/, and a second operating system: a machine built from scratch with specific vulnerabilities on which to perform penetration tests (pentests). For this purpose Metasploitable 2, available at https://docs.rapid7.com/metasploit/metasploitable-2/, is used.

  3. Validation of operating systems in a controlled environment

After the downloads described above and their corresponding virtualization, we proceed to validate that both operating systems are within the same network segment; a ping is performed to confirm it, as shown in Figure 1.


Figure 1. Testing of the virtualized controlled environment and in the same network segment.

In this regard, the computer with the Linux operating system (Kali) has a network address of 172.16.109.130, while the Metasploitable 2 has a network address of 172.16.109.132.

  4. Identification of ports and vulnerabilities

We proceed to identify the ports and applications with vulnerabilities on the target computer (Metasploitable 2) (see Figure 2), using the following command: nmap -sV <IP of the remote computer>.

Figure 2. List of ports and applications on the compromised equipment.

According to the above list, the first column (PORT) shows the network protocol and port of each available and open (running) service, together with the version in use; these versions present specific vulnerabilities that are used here to perform penetration tests in an illustrative manner.

If we want to query a particular port, we must use the following command: nmap -sV -p 21 <IP of the remote computer>, as shown in Figure 3.


Figure 3. Searching for a specific service.
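The service list in Figure 2 is the defender's inventory as much as the attacker's target list. The following added example (not code from the article or from the Metasploit project) parses the normal output of nmap -sV and flags open services whose version is on a watch-list of known-vulnerable releases, as well as cleartext protocols that should not be exposed. The sample scan output is constructed in the layout nmap prints, in the style of Figure 2; only the vsftpd 2.3.4 entry on port 21 comes from the article, the other service lines and the watch-list note are assumptions for illustration.

```python
"""Parse `nmap -sV` normal output and flag services a defender should review.

Added example, not part of the original article. The scan output below is
constructed in the style of Figure 2; the watch-list is an assumption with
one entry taken from the article (vsftpd 2.3.4)."""
import re
from dataclasses import dataclass

# Constructed sample output in the layout `nmap -sV` prints (PORT STATE SERVICE VERSION).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 172.16.109.132
Host is up (0.00041s latency).
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
Service Info: Host: metasploitable.localdomain; OS: Linux
"""


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str


# One port line: "<port>/<proto>  <state>  <service>  <version text...>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap_sv(text: str) -> list[Service]:
    """Return one Service per port line; header and summary lines are skipped."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state, name, version = m.groups()
        services.append(Service(int(port), proto, state, name, version.strip()))
    return services


# Assumed watch-list: (service name, version prefix) -> note for the finding.
# The only entry is the one the article identifies; a real list would be longer.
WATCHLIST = {
    ("ftp", "vsftpd 2.3.4"): "VSFTPD v2.3.4 Backdoor Command Execution module exists; upgrade or remove",
}
# Protocols that carry credentials in cleartext and should not be exposed.
CLEARTEXT = {"ftp", "telnet"}


def assess(services: list[Service], watchlist=WATCHLIST, cleartext=CLEARTEXT) -> list[str]:
    """Return human-readable findings for open services on the watch-list or using cleartext."""
    findings = []
    for s in services:
        if s.state != "open":
            continue
        for (name, version_prefix), note in watchlist.items():
            if s.name == name and s.version.startswith(version_prefix):
                findings.append(f"{s.port}/{s.proto} {s.version}: {note}")
        if s.name in cleartext:
            findings.append(f"{s.port}/{s.proto} {s.name}: cleartext protocol exposed")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_nmap_sv(SAMPLE_NMAP_OUTPUT)):
        print(finding)
```

Matching is a plain prefix comparison on the version string nmap reports, so the watch-list has to be maintained by hand; in practice the inventory would be fed into a vulnerability-management database rather than compared against a dictionary.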

  5. Compromising the FTP service

We use the service located above; that is, we will see which vulnerabilities are present in the vsftpd 2.3.4 service. For this we invoke the Metasploit Framework with the msfconsole command from the terminal (see Figure 4).

Figure 4. Metasploit Framework.

Once the Framework is invoked, we start searching for any available exploit for the FTP service by using the search vsftpd command as shown in Figure 5.


Figure 5. Identification of available exploits for the FTP service.

As can be seen, there is a backdoor exploit for the identified service and even its exact version, namely VSFTPD v2.3.4 Backdoor Command Execution. To use it, we type the command use followed by the name of the exploit, or alternatively the number indicated in the first column, as shown in Figure 6.


Figure 6. Use of the exploit identified.

Now, we must know which are the configuration options of the selected exploit and for this purpose, the show options command is used (see Figure 7).


Figure 7. Configuration options of the selected exploit.

It is observed that it is mandatory to set values for RHOST (remote computer) and RPORT (remote port). Because an exploit for an FTP service is being used, RPORT is automatically shown with the value 21 (the port reserved by the operating system for the vsftpd service). Therefore, to set the IP of the remote computer (RHOST), the command set RHOST <IP of the remote computer> is used, as shown in Figure 8.


Figure 8. Setting up the remote computer in the exploit.

Once the parameters required by the exploit have been set, we must locate the available PAYLOADs by using the show payloads command as shown in Figure 9.

Figure 9. Visualization of available PAYLOADs.

Likewise, to use the identified PAYLOAD, the command set PAYLOAD <name of the required payload> is applied (see Figure 10).


Figure 10. Setting up the PAYLOAD.

Finally, once the above parameters have been configured, the exploit is performed as shown in Figure 11.

Figure 11. Compromising the remote computer through the exploit.

The vulnerability has been successfully exploited and we are now inside the remote computer, as shown in Figure 12; the ifconfig command is used to confirm the remote computer's IP address and the properties of its network interfaces.


Figure 12. Access to remote equipment.

  6. Prevention or response strategies

Undoubtedly, the best course of action is to mitigate information security incidents before they occur; we must therefore remember that there are national and international bodies that provide frameworks and standards aligned with confidentiality, integrity and availability (the CIA triad), to which two further elements are now commonly added: non-repudiation and authentication.

In this sense, COBIT, ISO/IEC 27000, NIST, ITIL and other instruments offer appropriate measures for each specific situation; for the prevention of, or response to, security incidents, we can rely on the DS5 domain of COBIT, on the ISO/IEC 27000 family and on the NIST SP 800 series.

Beyond the policies established through the frameworks and standards mentioned above, we must also deploy specific software, for example an intrusion detection system (IDS), an intrusion prevention system (IPS), firewalls implemented both logically and physically, and a network analyzer with network traffic monitoring, in addition to the policies defined and established across the organization.
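The service-version scan performed in section 4 is exactly the kind of activity the IDS and traffic monitoring recommended here should surface. As an added example that is not part of the article, the following script runs a simple port-scan detector over constructed iptables-style connection log lines: for each source address it keeps a sliding time window of (destination, port) pairs and raises one alert when the number of distinct pairs crosses a threshold. The log format, the addresses reused from the lab (172.16.109.130 as the scanning host, 172.16.109.132 as the target, 172.16.109.140 as a benign client), the window and the threshold are all assumptions.

```python
"""Sliding-window port-scan detector over constructed firewall log lines.

Added example, not part of the original article. The log layout imitates
iptables LOG output; addresses, window and threshold are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fields we need from a line such as:
# "2023-04-06T10:15:00 kernel: IN=eth0 SRC=a.b.c.d DST=w.x.y.z PROTO=TCP SPT=40000 DPT=21 SYN"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def build_sample_log() -> list[str]:
    """Constructed log: one host probes 25 ports of the lab target in ~2.5 s
    (a version scan), while a benign client repeats requests to port 80."""
    lines = []
    t0 = datetime(2023, 4, 6, 10, 15, 0)
    for i, port in enumerate(range(21, 46)):  # 25 distinct ports, one every 100 ms
        ts = (t0 + timedelta(milliseconds=100 * i)).isoformat()
        lines.append(f"{ts} kernel: IN=eth0 SRC=172.16.109.130 DST=172.16.109.132 "
                     f"PROTO=TCP SPT=40000 DPT={port} SYN")
    for i in range(30):  # benign: same destination port, many connections
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} kernel: IN=eth0 SRC=172.16.109.140 DST=172.16.109.132 "
                     f"PROTO=TCP SPT=50000 DPT=80 SYN")
    return lines


def detect_port_scans(lines, window=timedelta(seconds=60), threshold=15) -> list[dict]:
    """Return one alert per source whose distinct (dst, port) pairs within
    `window` reach `threshold`. Lines are expected in time order per source."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, dst, port)
    alerted = set()
    alerts = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a connection line; ignore
        ts = datetime.fromisoformat(m["ts"])
        src, dst, port = m["src"], m["dst"], int(m["dpt"])
        q = recent[src]
        q.append((ts, dst, port))
        while q and ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        distinct = {(d, p) for _, d, p in q}
        if len(distinct) >= threshold and src not in alerted:
            alerted.add(src)  # alert once per source, at the moment of crossing
            alerts.append({
                "src": src,
                "first_seen": q[0][0].isoformat(),
                "distinct_at_alert": len(distinct),
                "dsts": sorted({d for _, d, _ in q}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(build_sample_log()):
        print(alert)
```

The threshold counts distinct destination/port pairs rather than raw connections, so the benign client that opens thirty connections to the same port never trips it; tuning the window and threshold against normal traffic on the monitored segment is what separates a usable alert from noise.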

Conclusion:

The risks associated with the use of obsolete applications facilitate scenarios in which attackers compromise organizations, systems, and assets of greater value. In this sense, it is essential to have infrastructures according to the needs of the organizations considering the main objective and knowing the processes within them. With this, the technological strategies implemented will be more valuable because they will be specific and unambiguous.

IT infrastructure managers must continuously monitor their systems, supported by IT security policies that include a business continuity plan (BCP) as a backbone and, when necessary, the application of a disaster recovery plan (DRP).

Vulnerabilities will always exist; IT security experts must therefore remain alert, up to date, and sensitive to technological change, and policies must ensure the safeguarding of the assets most valuable to the organization.


About the Author:


Jorge Vázquez del Río

He has more than 25 years of professional experience in the IT area in private initiative and federal government in Mexico. In addition, he is a professor of the master's degree in IT security at the Technological University of Mexico. His academic background is described below.

ORCID 000-0003-4620-9099

  • PhD Candidate in Information Technology and e-Business
    • Popular Autonomous University of the State of Puebla - UPAEP
  • Master's Degree in Information Technology Security
    • Technological University of Mexico - UNITEC, Graduate
  • Electronics and Communications Engineering, Degree
    • Technological University of Mexico - UNITEC, Graduate

Courses:

  • Training Workshop on Internet Drug Trafficking Investigation, INTERPOL - OAS/CICAD.
  • Course on Applied Biostatistics and Epidemiology in the Field of Drugs, OAS/CICAD/COPOLAD.
  • Global Lynx Ethical Hacking Foundation.
  • Introduction to Artificial Intelligence with Python by Harvard University.
  • Machine Learning by Stanford University.
  • Machine Learning from the University of Michigan.
  • Cryptography by Stanford University.
  • Bitcoin and Cryptocurrency Technologies by Princeton University.
  • Cybersecurity and its ten domains by the University of Georgia.
  • Official Associate Certificate GNS3.
  • Cisco CCNA (200-125).
  • Cisco CCNA Security 210-260.
  • Wireshark: Packet Analysis and Ethical Hacking.
  • Linux for Network Engineers.
  • CompTIA Security + (SY0-401).
  • Introduction to Cisco Network Cybersecurity.
  • Essential elements of cybersecurity in Cisco networks.
  • Network Security.
  • Pentesting with Metasploit.
  • Recipes of Exploitation of the Windows API: Processes, Tokens and RW Memory.
  • Exploitation of Simple Buffer Overflows in Win32.
  • Scripting of Wi-Fi Pentesting Tools in Python.
  • Wi-Fi Security and Pentesting.
  • Wi-Fi Monitoring.
  • Network Pentesting.
  • Introduction to machine learning.
  • Intermediate machine learning.
  • Data Visualization.
  • Enterprise Java Diploma.
April 6, 2023
1 year ago

Great article Jorge!!

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023