
Ethical Hacking & Intrusion Prevention
Network & System Exploits II


Metasploit
Learning Objectives

• Metasploit
• Post Exploitation Activities

TEMASEK POLYTECHNIC • SCHOOL OF INFORMATICS & IT


Metasploit Framework
• Created by H.D. Moore in 2003
• Originally intended to ease the effort to create and develop exploits
• Currently includes modules to perform most of the penetration testing activities
• Metasploit was acquired by Rapid7 in 2009 and there are commercial versions of Metasploit known as Metasploit Express and Metasploit Pro

Metasploit Framework Architecture

Source: https://www.cybrary.it/0p3n/metasploit-advanced/
Metasploit Terminology

Term      Definition
Exploit   A method to take advantage of a flaw in a system, an application or a service to perform unintended activities
Payload   The actual malicious code to be executed by the exploit
Session   Remote access established on the target machine
Listener  A component listening for incoming connections from the target machine after exploitation
Metasploit Basic Commands

Command                    Description
help [COMMAND]             List the commands in Metasploit. It also displays the command usage if a command is specified
search [KEYWORD]           Search for modules that contain the specified keyword
use [MODULE]               Interact with the named module
info [MODULE]              Display information about a module
options                    Display the current options
show [options | payloads]  Show the available options or payloads
set [OPTION] [VALUE]       Set the value of a specific option
run OR exploit             Execute the module
sessions                   Manage established sessions

Metasploit Modules

Module     General Functionality
Auxiliary  Miscellaneous modules for port scanning, password brute forcing, services, denial of service
Exploits   Exploitation modules
Payloads   Malicious code used in exploit modules
Post       Post exploitation modules

Metasploit Modules

• Can be found in /usr/share/metasploit-framework/modules

Starting Metasploit Right

• Start msfconsole with the database connected and initialised, for quick search and data storage

Auxiliary

• Any modules that are not related to exploitation or post exploitation are classified under auxiliary
  • Port scanning
  • Service fingerprinting
  • Launch services
  • Denial of Service

Auxiliary – Port Scan

• Modules for performing port scans in Metasploit

Auxiliary – Admin Portal Bruteforce

• Modules for performing password brute forcing against admin portals

Auxiliary – Server

• Modules to launch commonly known services for MITM or exfiltration of data

Auxiliary – DoS

• Modules to launch DoS attacks on known vulnerabilities

Exploit

• Modules to gain remote access to the target machine

Payload

• Payload naming convention:
  • Staged Payload: PLATFORM/[ARCHITECTURE]/SHELL/CONNECTION-DIRECTION_PROTOCOL
  • Single Payload: PLATFORM/[ARCHITECTURE]/SHELL_CONNECTION-DIRECTION_PROTOCOL
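The naming convention above is mechanical enough to parse, which is useful when reviewing a resource script, a detection signature or an IR report that mentions a payload name: the separator between SHELL and the connection part (a `/` for staged, a `_` for single) and the direction word tell you whether a stager is involved and on which side the listener sits. The following parser is an added example written for this section; it is not code from the slides or from the Metasploit project. It assumes that CONNECTION-DIRECTION is always "reverse" or "bind", matching the two payload types described on the following slides.

```python
"""Parse Metasploit payload names by the naming convention on the slide.

Added example (not code from the slides or from the Metasploit project).
The slide gives two shapes:
    staged:    PLATFORM/[ARCHITECTURE]/SHELL/CONNECTION-DIRECTION_PROTOCOL
    stageless: PLATFORM/[ARCHITECTURE]/SHELL_CONNECTION-DIRECTION_PROTOCOL
so the separator between SHELL and the connection part ('/' or '_') is what
tells a staged payload from a single one. Assumption: CONNECTION-DIRECTION
is always "reverse" or "bind", the two payload types the slides describe.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Connection part of a staged name, e.g. "reverse_tcp" or "bind_tcp".
_STAGED_CONN = re.compile(r"^(reverse|bind)_(.+)$")
# Last component of a stageless name, e.g. "meterpreter_reverse_https".
_SINGLE_LAST = re.compile(r"^(.+?)_(reverse|bind)_(.+)$")


@dataclass(frozen=True)
class PayloadName:
    platform: str
    arch: Optional[str]   # the [ARCHITECTURE] component is optional
    shell: str
    direction: str        # "reverse" or "bind"
    protocol: str
    staged: bool

    def listener_side(self) -> str:
        """Where the listener runs: bind payloads listen on the target,
        reverse payloads call back to a listener on the attacker machine."""
        return "target" if self.direction == "bind" else "attacker"

    def describe(self) -> str:
        kind = "staged" if self.staged else "stageless"
        return (f"{kind} {self.shell} for {self.platform}"
                f"{'/' + self.arch if self.arch else ''}, {self.direction} "
                f"over {self.protocol}, listener on {self.listener_side()}")


def parse_payload_name(name: str) -> PayloadName:
    parts = name.strip().strip("/").split("/")
    if len(parts) < 2:
        raise ValueError(f"not a payload name: {name!r}")
    last = parts[-1]
    m = _STAGED_CONN.match(last)
    if m:
        # Staged: SHELL is its own path component before the connection part.
        if len(parts) < 3:
            raise ValueError(f"staged name needs a SHELL component: {name!r}")
        staged, shell = True, parts[-2]
        direction, protocol = m.group(1), m.group(2)
        middle = parts[1:-2]
    else:
        # Stageless: SHELL and connection part share the last component.
        m = _SINGLE_LAST.match(last)
        if not m:
            raise ValueError(f"unrecognised connection part: {name!r}")
        staged = False
        shell, direction, protocol = m.group(1), m.group(2), m.group(3)
        middle = parts[1:-1]
    if len(middle) > 1:
        raise ValueError(f"too many components: {name!r}")
    return PayloadName(parts[0], middle[0] if middle else None,
                       shell, direction, protocol, staged)


def is_payload_name(name: str) -> bool:
    """True if the name follows the convention, False otherwise."""
    try:
        parse_payload_name(name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for n in ("windows/x64/meterpreter/reverse_tcp",
              "windows/meterpreter_reverse_https",
              "linux/x86/shell/bind_tcp",
              "linux/x64/shell_bind_tcp"):
        print(f"{n:40} -> {parse_payload_name(n).describe()}")
```

The `describe()` output makes the two slides that follow concrete: a staged name means a small Stage 0 will fetch the rest over the network, and "listener on attacker" is the outbound connection that egress filtering has to account for.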

Payload

• Staged vs Stageless (Single) Payload

[Diagram: Stager Payload vs Stageless Payload]

Bind Single Payload

• Bind payload will start a listener on the target machine and MSF will connect to the listener

[Diagram: Attacker Machine (MSF) and Target Machine (Service)]
1. Exploit + Single Payload
2. Listener Started
3. MSF Connects to Listener

Reverse Single Payload

• Reverse payload will make the target machine connect back to the listener on the attacker machine

[Diagram: Attacker Machine (MSF, Listener) and Target Machine (Service, Single Payload)]
1. Exploit + Stage 0 Payload
2. Listener Started
3. Payload connects to Listener

Bind vs Reverse Payload

• Reverse payload is usually used to bypass firewall and NAT controls, as outbound traffic is usually allowed

• Use common ports such as 80, 8080, 443
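The defensive reading of this slide is that a destination port is not a trust signal: a call-back on 443 looks like any other web request unless servers are held to a default-deny egress policy that names the destinations they may reach. The check below is an added example for this section, not code from the slides or from any product. It evaluates constructed firewall log records against an allowlist of (destination, port) pairs for a DMZ network; every address, subnet and log line in it is constructed for the example.

```python
"""Default-deny egress check for a DMZ network, run over constructed log lines.

Added example (not code from the slides). A reverse payload calls out on a
port that is usually allowed, so the control that catches it is not a port
filter but an allowlist of the destinations a server may initiate traffic to.
All addresses, subnets and log lines below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

DMZ_NET = ipaddress.ip_network("10.10.20.0/24")        # constructed

# Outbound flows a DMZ host may initiate: (destination network, port).
# A host appearing here is only allowed on the listed port.
EGRESS_ALLOW = [
    (ipaddress.ip_network("10.10.30.53/32"), 53),     # constructed: internal resolver
    (ipaddress.ip_network("10.10.30.8/32"), 3128),    # constructed: update proxy
]

# Constructed log format: <epoch> <src_ip> <dst_ip> <dst_port> <proto>
SAMPLE_LOG = """\
1700000001 10.10.20.5 10.10.30.53 53 udp
1700000002 10.10.20.5 10.10.30.8 3128 tcp
1700000003 10.10.20.5 203.0.113.44 443 tcp
1700000004 10.10.20.5 203.0.113.44 8080 tcp
1700000005 10.10.30.12 10.10.20.5 80 tcp
1700000006 10.10.20.5 10.10.30.53 443 tcp
"""


@dataclass(frozen=True)
class Flow:
    ts: int
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    ts, src, dst, dport, proto = line.split()
    return Flow(int(ts), ipaddress.ip_address(src),
                ipaddress.ip_address(dst), int(dport), proto)


def egress_allowed(flow: Flow) -> bool:
    """Allowed only when destination AND port match one allowlist entry."""
    return any(flow.dst in net and flow.dport == port
               for net, port in EGRESS_ALLOW)


def evaluate(flow: Flow) -> str:
    if flow.src not in DMZ_NET:
        return "n/a"          # policy covers DMZ-originated traffic only
    return "allowed" if egress_allowed(flow) else "denied"


def flag_egress(log_text: str) -> List[Tuple[int, str, int]]:
    """Return (ts, dst, dport) for DMZ-originated flows the policy would block.

    Note that 443 and 8080 to an Internet host are flagged just like any
    other port, and that a permitted host on the wrong port is flagged too.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if evaluate(flow) == "denied":
            hits.append((flow.ts, str(flow.dst), flow.dport))
    return hits


if __name__ == "__main__":
    for hit in flag_egress(SAMPLE_LOG):
        print("policy violation:", hit)
```

Run as-is it reports the two connections to the Internet host and the resolver contacted on 443; the traffic from the internal network into the DMZ is out of scope for this policy and is not evaluated.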

Stageless (Single) Payload

• All functions are included in the payload, and it does not require additional processes to obtain full functionality

[Diagram: Attacker Machine (MSF, Listener) and Target Machine (Service, Single Payload)]
1. Exploit + Single Payload
2. Payload Connects to Listener

Staged Payload

• Payload is divided into multiple parts and loaded over multiple stages

[Diagram: Attacker Machine (MSF, Listener) and Target Machine (Service, Stage 0, Stage 1)]
1. Exploit + Stage 0 Payload
2. Stage 0 Connects to Listener
3. Stage 1 Payload

*Depending on the size of the payload, there may be more stages


Stageless vs Staged Payload

• Staged payloads are usually used because the stager fits better into exploit code, having a smaller memory requirement, and additional stages can be loaded via the stager (Stage 0)

• However, stageless payloads are usually more reliable, as they contain all the required functionality and do not need to load additional modules via the network

Shell Payload

• Shell payload provides the basic command prompt/terminal of the target’s operating system

Meterpreter Payload

• Meterpreter is a full-featured, stealthy and extensible payload meant for post exploitation activities

Meterpreter Commands

Source: https://www.blueliv.com/downloads/Meterpreter_cheat_sheet_v0.1.pdf


Shell vs Meterpreter Payload

• Meterpreter is always preferred over a normal shell due to its stealthiness and the number of functionalities available

Post Exploitation

• The Post Exploitation phase is normally considered to be the start of a penetration test, as it is the phase that demonstrates the maximum impact of a vulnerability

• The thought process is: how can you utilise the current access to obtain more information and user credentials that can expand your foothold and access

Post Exploitation Activities

• Privilege Escalation
  • Gain SYSTEM/root privilege to gain full control of the compromised machine and access to all files

• Persistence
  • Persist access even after the system restarts

• Discovery and Collection
  • Gather information about the system and network
  • Hunt for confidential files or plaintext user credentials stored
  • Retrieve password hashes and crack them
  • Retrieve user tokens

• Pivoting
  • Gain access into other parts of the network
Privilege Escalation

• Local privilege escalation modules are located at “exploits/OPERATING SYSTEM/local/”

Persistence

• Persistence modules are mostly located at “exploits/OPERATING SYSTEM/local/”

Discovery and Collection

• Most discovery modules are found at “post/OPERATING SYSTEM/gather/”

Windows Post Exploitation Commands

• Commonly used Windows Post-Exploitation Commands can be found at:
  • http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf

Linux Post Exploitation Commands

• Commonly used Linux Post Exploitation Commands can be found at:
  • http://www.handgrep.se/repository/cheatsheets/postexploitation/LinuxUnixBSDPost-Exploitation.pdf

Pivoting

• When an attacker has successfully compromised a host, it can be used as a foothold to attack other machines in the same network

[Diagram: Attacker → Internet → Compromised Web Server (DMZ Network) → Internal Server (Internal Network)]

Pivoting

• The compromised web server is connected to both the DMZ and Internal networks, allowing an attacker to use the compromised server to pivot into the Internal network

Pivoting

• Read/Watch the following links to understand pivoting better:
  • https://www.offensive-security.com/metasploit-unleashed/pivoting/
  • https://www.tutorialspoint.com/metasploit/metasploit_pivoting.htm
  • https://www.youtube.com/watch?v=CBQ3gJ4L1Ek

Summary

• Metasploit is a framework that provides a full range of functionality for penetration testing activities

• Post exploitation activities are the key to demonstrating the maximum impact of a vulnerability

• Don’t stop when you get a shell; think about how you can expand your access
