If you have been following along with our Hacker Methodology series you’ll remember that conducting a hack on a target is a logical process. So far we have completed recon of our target machine in our hack lab. Our next step in hacker methodology is the exploitation phase. This is the phase where we gain access to the target machine.
We will go deeper into Metasploit, its commands and its features later; this is a brief overview combined with an example to get you thinking about some of the things that you can do.
What is an Exploit?
An exploit is designed to take advantage of a flaw or vulnerability in a computer system. Put another way, exploitation is similar to using a lock pick on a door to gain access to a house.
Vulnerabilities in a system stem from poor coding, bugs, or misconfiguration. These are the points where hackers or pentesters try to drive a wedge in so they can gain access to the system. A zero-day exploit targets a vulnerability for which no patch has yet been released to mitigate it.
Exploits, especially zero-days, are extremely difficult and expensive to develop. You first have to find a flaw in a system, and then write software to exploit it. A lot of people mistakenly believe that the big hacks in the news are the result of a zero-day. Usually these hacks are due to system misconfigurations, phishing, or attacks on systems that have not been updated. This is why keeping your system updated is the BEST thing you can do to harden your computer security.
Hacking With Metasploit
Metasploit is a hacking “framework” developed by HD Moore in 2003. At its core it is a repository of exploits that have been packaged to share a common syntax and workflow. Custom exploits can also be written and added to Metasploit.
Metasploit exploitation is a very simple concept. The structure of an exploit is essentially the exploit combined with a payload. The exploit is what leverages the vulnerability to gain access, and the payload is what is “thrown” at the remote machine once the hole has been created. A Meterpreter shell or a root-level shell on the target is often the goal, as it gives you the privileges and functionality to do whatever you want. This could include data extraction, malware transfer, backdoor creation or lateral movement to another machine on the network.
Example
Earlier we conducted a scan of a target machine in our Hack Lab and discovered several open services.
During our recon phase we took note of all the services running. We then researched each of those services further to see if they have any known vulnerabilities. This includes searching for Common Vulnerabilities and Exposures (CVEs) or searching Exploit-DB. This is also the point where a very advanced and experienced hacker could begin to construct an exploit of their own.
Taking the first service from the top, I see a version number and the name of the service running. This information is crucial, as we can now tailor our search to find more information about that specific version. Searching Exploit-DB, we find that there is already an exploit written, and that the vulnerability is a backdoor that was written into the source download file for vsftpd.
Moving over to our Metasploit console, let’s check whether the exploit is in its database. The search command within Metasploit is very useful because the database is very large.
Here I searched for an exploit with the name vsftp in its title. Note that the version number matches the version number in our nmap scan. By typing “info” with the exploit name I can see more information about the exploit.
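One way to automate the research step above (matching the service versions from the recon scan against known-vulnerable versions, which is also the check you perform by eye when the Metasploit module’s version lines up with the nmap result) is a small script that parses nmap’s grepable output and compares each product and version against a local advisory list. This is an added example, not code from the original post or from Metasploit or nmap. The scan output, the advisory catalogue, its ADVISORY-PLACEHOLDER identifiers and its version ranges are all constructed for illustration; a real run would use your own `nmap -sV -oG` output and entries drawn from the CVE and Exploit-DB research described above.

```python
"""Correlate nmap service/version findings with a local advisory catalogue.

Added example for the recon-to-research step in this post; it is not code
from the original article, Metasploit or nmap. The nmap output, the
advisory catalogue and its identifiers are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    port: int
    proto: str
    service: str
    banner: str  # product name and version as nmap reports it


# Constructed nmap grepable (-oG) output, not a real scan. The Ports: field
# holds comma-separated entries shaped like
# port/state/protocol/owner/service/rpc info/version/
SAMPLE_NMAP_GREPABLE = (
    "# Nmap scan report (constructed sample)\n"
    "Host: 192.0.2.10 ()\tPorts: "
    "21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1/, "
    "80/open/tcp//http//Apache httpd 2.2.8/, "
    "3306/open/tcp//mysql//MySQL 5.0.51a-3ubuntu5/\n"
)

# Constructed advisory catalogue. Identifiers are placeholders and the version
# ranges are made up for the demonstration; a real workflow would fill these
# in from CVE / Exploit-DB research. Ranges are inclusive (lowest, highest).
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "product": "vsftpd",
     "affected": ("2.3.4", "2.3.4"),
     "summary": "backdoor shipped in a tampered source download"},
    {"id": "ADVISORY-PLACEHOLDER-2", "product": "apache httpd",
     "affected": ("2.0.0", "2.2.7"),
     "summary": "constructed entry; does not cover the scanned build"},
    {"id": "ADVISORY-PLACEHOLDER-3", "product": "mysql",
     "affected": ("5.0.0", "5.0.50"),
     "summary": "constructed entry; scanned build is one release newer"},
]

PORT_ENTRY = re.compile(r"^(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/(.*)/$")
VERSION_TOKEN = re.compile(r"\d+(?:\.\d+)+")


def parse_version(text):
    """Return the first dotted numeric version in text as a tuple of ints.

    '4.7p1 Debian 8ubuntu1' -> (4, 7); '5.0.51a-3ubuntu5' -> (5, 0, 51).
    Vendor suffixes are deliberately ignored. Returns None if none found.
    """
    m = VERSION_TOKEN.search(text)
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def parse_grepable(text):
    """Parse nmap -oG output into Finding objects for open ports only."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports: field ends at the next tab-separated field, if any.
        ports_field = line.split("Ports:", 1)[1].split("\t")[0].strip()
        for entry in ports_field.split(", "):
            m = PORT_ENTRY.match(entry.strip())
            if not m:
                continue  # skip a malformed entry rather than abort the run
            port, state, proto, _owner, service, _rpc, banner = m.groups()
            if state == "open":
                findings.append(Finding(host, int(port), proto, service, banner))
    return findings


def match_advisories(findings, advisories=ADVISORIES):
    """Return (finding, advisory) pairs whose product and version both match."""
    hits = []
    for f in findings:
        version = parse_version(f.banner)
        if version is None:
            continue
        for adv in advisories:
            if not f.banner.lower().startswith(adv["product"]):
                continue
            low, high = (parse_version(v) for v in adv["affected"])
            if low <= version <= high:
                hits.append((f, adv))
    return hits


if __name__ == "__main__":
    for f, adv in match_advisories(parse_grepable(SAMPLE_NMAP_GREPABLE)):
        print(f"{f.host}:{f.port}/{f.proto} {f.banner!r} -> {adv['id']}: {adv['summary']}")
```

Against the constructed sample only the FTP service lands inside an affected range; the Apache and MySQL builds are newer than their (made-up) ranges, and there is no entry for OpenSSH at all. The comparison works on dotted numeric tuples and ignores vendor suffixes such as `p1` or `-3ubuntu5`, so treat a hit as a prompt to read the advisory and confirm the build, not as proof of exposure. The same list, run regularly against your own lab or fleet, is also the patch-priority view that backs the “keep your systems updated” advice above.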
Again, I’ll go into Metasploit commands and syntax in more detail at a later time. This is an overview of the exploitation process.
To use the exploit we type the command “use” followed by the name of the exploit. This loads the exploit into our Metasploit platform. By typing “show options” I can see what settings I need to set before launching this exploit. Usually this is mostly targeting information: IP address, port, OS type, etc. Before we launch the exploit we need to select a payload type. This determines how the target computer is going to communicate with us once we’ve leveraged the backdoor vulnerability. To do this we type “show payloads”.
In this case there is only one payload for us to choose from, so we combine it with our exploit by typing “set payload” followed by the name. Now when we type “show options” we’ll see options for both the exploit and the payload.
As you can see the only setting we really need to put in here is the IP address of our target. To do that we type “set RHOST” followed by the IP address and then we check our options again to verify the settings are correct.
Now all we have to do is type “exploit” to launch the packaged up exploit and payload against the target.
Success! As you can see, our exploit triggered the backdoor in the vsftpd service and granted us a command shell session. Once inside I want to verify where I am and who I am logged in as, which I do with the hostname and whoami commands. As you can see, I’m in my Metasploitable VM as root. Now I can set up backdoors to maintain persistence, extract information or do recon on further nodes/hosts within the network.
Conclusion
As we discussed, exploitation is simply leveraging a vulnerability in order to gain access to a target. To illustrate this I’ve used Metasploit to show you how an exploit can be used. Is Metasploit the only way to use an exploit? No, absolutely not. It’s just a framework that CAN be used to simplify the process. I urge you to follow this process in your own Hack Lab for the other services to see other ways you can possibly exploit the Metasploitable VM.