Cybersecurity
by Pablo Clemente Pérez

Metasploit

Introduction to Metasploit

            Metasploit is an extremely powerful and versatile tool that can be used by virtually anyone with minimum tech knowledge and that allows a variety of tasks ranging from auditing a system, to perform penetration testing or even gaining unauthorized access into it. We will be analyzing the many uses it has and how it can be applied to improve our security.

            It is important to note that when a framework is made available in such a public way it becomes a sink or swim situation with vulnerability issues. The longer it takes you to fix them, the higher the probability of someone exploiting it.

            Metasploit is a framework written in Ruby and the de facto tools for both ethical hackers and cybercriminals to detect and exploit vulnerabilities. Due to its open source nature, it can be easily customized and extended with new options.

            Using Metasploit, a team of pen-testers can use ready-made code or create their own algorithms based on available frameworks to scan networks and attack systems. The catalogue of available exploits is extremely broad, and they are very easy to browse and run.

Brief history of Metasploit

            The Metasploit project was born in 2003 when H.D. Moore created a portable tool to perform network analysis in Perl. He received a lot of development help in the first years from Matt Miller, until in 2007 it was completely rewritten in Ruby and the license was acquired by Rapid 7 in 2009. Since then it has become part of the IDS (Intrusion Detection System) of the company established in Boston. Rapid 7 is specialized in remote attack and evasion software.

            Since the acquisition by Rapid 7, there are many tools that have been added to the Metasploit framework, which is distributed as part of the Kali Linux distribution. Rapid 7 has developed two paid options for Metasploit: Metasploit Pro and Metasploit Express. They are currently only maintaining Metasploit Pro, the express variation has been deprecated. The Pro version offers a series of advantages when compared to the open-source version which are shown in the following image.

            Between the many advantages we can find being able to use it with a GUI (Graphical User Interface) which is much simpler to use, has the ability to automatize tasks and processes, perform network explorations, or even use variable payloads in attacks to avoid antivirus software.

Who uses Metasploit

            Given the multiple use cases for Metasploit, since it is even creating a new field called DevSecOps (which consists of orienting dev ops to security)  -and bearing in mind it has over 1677 exploits available and fully tested among 25 platforms including Android, PHP, Java, Cisco and many more- it is virtually used anywhere, from ethical hackers, to companies testing their security or governments and crackers.

            Metasploit also includes over 500 payloads (sets of malicious code) that include:

  • Shell commands that trigger remote scripts in the victim’s equipment.
  • Dynamic systems that change their metadata to avoid antivirus software.
  • The possibility of using Meterpreter (which will be analysed later due to its importance) to control the user session.
  • Systems that allow traffic replication from one port to another to capture information.

Metasploit’s architecture

            Metasploit’s architecture is shown below. The main architecture is composed by libraries (which make up the main nucleus), interfaces which allow interaction with the system, tools and plugins to customize the framework and modules. Modules are the key to Metasploit and include:

  • Payloads: Malicious code sets.
  • Exploits: Tools to attack vulnerabilities available in systems.
  • Auxiliary functions: Tools and additional commands.
  • Encoders: Systems to convert code or information.
  • Listeners: Malicious software that is hidden in systems to gain Access.
  • Shellcode: Code that triggers once it is deployed in the victim’s system.
  • Post-exploitation code: Once inside the system, it allows post-penetration testing or keeping back doors open.
  • Nops: Instructions to prevent payloads from not executing.

Once installed Metasploit allows us to obtain a huge amount of information on the target, this can be done via port scanning, seeing logs that identify the operating system and metadata or using software vulnerability analysis tools. Once identified, the user can select an exploit and a payload to attack the system and gain access.

The framework consists of many different models and interfaces, among which are msfconsole, msfcli, and the graphical interface Armitag written in Java as well the web interface from the community that allows remote pen testing.

Meterpreter

            Meterpreter is a command interpreter that allows a secure and easy access to the objective machine by leveraging the power of stagers (execution of multiple commands in a payload) and by using stealth procedures to avoid detection by IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems) like running as a system process and avoiding writes. All the traffic sent between Meterpreter and the victim is encrypted using SSL.

This notably improves the interactions with the machine that we want to gain access to since the terminal used bears a very close resemblance to a typical UNIX one, in the sense that it allows basic file copy operations, directory navigation, and viewing and modifying files.

            In addition to the classic UNIX commands, from Meterpreter we can use the following commands to control the target computer to which we have gained access to:

  • getuid – Get the user that is currently logged in.
  • getprivs – Returns the privileges available in the instance.
  • sysinfo – Information on the attacked system.
  • ipconfig – Network information on the attacked system.
  • screenshot – Takes a screenshot of the victim’s screen and sends it securely to the attacker.
  • uictl disable/enable keyboard/mouse – Allows the attacker to enable or disable the use of the mouse and keyboard. This is very typical in ransom procedures.
  • getgui – This allows the attacker to take full control of the user’s session by giving access to the mouse, keyboard and streaming the current desktop to the attacker.
  • hashdump – Returns the current hashes of the passwords and accounts that are stored in the computer.
  • idletime Provides information on if the user is using the computer and how much time the system has remained idle without interaction.
  • record_mic – Allows the attacker the initiate a recording using the microphone.
  • webcam_chat – Initiates a video chat with the victim.
  • webcam_list – Returns a list of the available webcams.
  • webcam_stream – Initiates a webcam stream from the victim’s webcam without notifying him.
  • reboot – Reboots the victim’s PC.
  • shutdown – Shuts down the victim’s PC.
  • kill – This allows the attacker to kill processes in the victim’s computer, which is very useful to disable processes that could detect the malware.
  • clearenv – This command deletes all the footprints like registries and logs left in the system by the malicious actions taken.
  • run persistence – This command essentially creates a backdoor into the victim’s computer by adding an entry to the registry that is run every time the computer starts. This way, when the system is started, it will automatically connect to the attacker.
  • run get_application_list – Returns the list of applications that are currently running in the victim’s computer.
  • run keylogrecorder – This command logs everything the user types on the keyboard to a text file. This is a way to obtain personal information like passwords. The files are stored encrypted using Hash algorithms to prevent the user from discovering them.

As the above list proves, having a Meterpreter session is an extremely dangerous risk to the victim, as the attacker can easily gain full control of his computer.

Exploring the Exploit Library

            Installing Meterpreter is very straightforward, from any Linux distribution it can be done with apt-get install metasploit-framework and initialized using msfconsole -L. Once the system has loaded it renders the screen shown in below.

            The easiest way to find an exploit is searching the framework’s library using the search command. It is very curious and daunting to see the number of exploits available for a particular platform, which showcases how dangerous a tool like Metasploit could be. Some examples are:

  • WordPress– It is one of the most used CMS (Content Management System) in websites, since it covers a range of professional websites, personal sites, blogs and even stores. According to W3Techs (2018) it represents 35.5% of the total websites and 62.3% of websites with a CMS. A quick search in the Metasploit framework reveals 81 vulnerabilities that can be exploited, some with an extremely high reputation. This is shown in below and once again proves how important and powerful a tool this is.

It is even more frightening to see that if we do a generic search for PHP, the default programming language in most web hostings, it returns 437 results.

  • PostgreSQL – In the last years PostgreSQL has gained a huge amount of popularity and has become the most used relational database. This is mainly due to its open-source nature that avoids license fees compared to Oracle or the commercial version of MySQL. It has 13 vulnerabilities that can be exploited using Metaexploit.
  • Android – Android is the most used and extended mobile operating system in the world and has always accused severe vulnerabilities due to lack of updates. This happens because many vendors customize Android and need to add that layer to the version Google releases. This greatly delays updates from reaching the final user. This has yielded some very worrying results like shown below.

            The most popular versions are Marshmallow, Nougat and Oreo that were launched in 2015, 2016 and 2017 respectively. So effectively the vast majority of Android users have not had an updated software suite from 3 to 5 years. This is mainly why it does not come as a big surprise that there are 27 critical vulnerabilities available.

  • AWS – Amazon Web Services (AWS) is without a doubt the most used and extended Cloud service according to a study undertaken in Sky High Networks where 41,5% of the web is run there.

            Searching for AWS renders 35 vulnerabilities, mainly related to API keys to access the system and taking control from there. Something that needs to be addressed. As well as direct attacks to EC2 instances, which we worked on securing in the previous section.

            Seeing the huge amount of attacks available in the framework, this will be a great tool to test the security of different systems.

Thanks for reading, in the next post in this series we will be looking at Metasploit from a practical approach, seeing how it can be used to hack an elasticsearch cluster! Feel free to drop me a line in the comments with any future suggestions!