Exploitation

An exploit executes a sequence of commands that target a specific vulnerability found in a system or application to provide the attacker with access to the system. Exploits include buffer overflow, code injection, and web application exploits.

Metasploit Pro offers automated exploits and manual exploits. The type of exploit that you use depends on the level of granular control you want over the exploits.

Automated Exploits

When you run an automated exploit, Metasploit Pro builds an attack plan based on the service, operating system, and vulnerability information that it has for the target system. Automated exploits cross reference open ports, imported vulnerabilities, and fingerprint information with exploit modules. The attack plan defines the exploit modules that Metasploit Pro will use to attack the target systems.

An automated exploit uses reverse connect or bind listener payloads and does not abuse normal authenticated control mechanisms.

To run an automated exploit, you must specify the hosts that you want to exploit and the minimum reliability setting that Metasploit Pro should use. The minimum reliability setting indicates the potential impact that the exploits have on the target system. If you use a high ranking, such as excellent or great, Metasploit Pro uses exploits that will be unlikely to crash the service or system. Exploits that typically have a high reliability ranking include SQL injection exploits, web application exploits, and command execution exploits. Exploits that corrupt memory will most likely not have a high reliability ranking.

You can also specify the payload type that you want the exploit to use. By default, automated exploits use Meterpreter, but you can choose to use a command shell instead.

Running Automated Exploits

  1. From within a project, click the Analysis tab.
  2. When the Hosts window appears, select the hosts that you want to exploit and click the Exploit button.
  3. When the New Automated Exploitation Attempt window appears, verify that target address field contains the addresses that you want to exploit.
  4. Select the minimum reliability for the exploit.
  5. Define the hosts that you want to exclude from the exploit.
  6. Define the payload options. This determines the type of payload the exploit uses, the type of connection the payload creates, and the listener ports that the exploit uses.
  7. Define the exploit selection options. This determines the ports that the exploit includes and excludes from the attack.
  8. Define the advanced options. The advanced options lets you define the number of exploits you can run concurrently, the time out for each exploit, and evasion options.
  9. Run the exploit.

Configuring Auto-Exploitation Options

The following options can be configured for exploitation:

Dry Run: Prints a transcript of the exploits in the attack plan without running them.

Collect Evidence: Collects loot, such as screenshots, system files, passwords, and configuration settings from open sessions.

Clean Up Sessions: Closes all sessions after all tasks have run.

Payload Type: Specifies the type of payload that the exploit will deliver to the target. Choose one of the following payload types:

  • Command: A command execution payload that enables you to execute commands on the remote machine.
  • Meterpreter: An advanced payload that provides a command line that enables you to deliver commands and inject extensions on the fly.
  • PowerShell: A payload type that can be used to open a PowerShell session and run a PowerShell script. PowerShell sessions are only supported on Windows targets.

Connection Type: Specifies how you want your Metasploit instance to connect to the target. Choose one of the following connection types:

  • Auto: Automatically uses a bind connection when NAT is detected; otherwise, a reverse connection is used.
  • Bind: Uses a bind connection, which is useful when the targets are behind a firewall or a NAT gateway.
  • Reverse: Uses a reverse connection, which is useful if your system is unable to initiate connections to the targets.

Listener Ports: Defines the ports that you want to use for reverse connections.

Listener Host: Defines the IP address you want to connect back to.

Auto Launch Macro: Specifies the macro that you want to run during post-exploitation.

Concurrent Exploits: Specifies the number of exploit attempts you want to launch at one time.

Timeout in Minutes: Defines the number of minutes an exploit waits before it times out.

Transport Evasion: Choose from the following transport evasion levels:

  • Low: Inserts delays between TCP packets.
  • Medium: Sends small TCP packets.
  • High: Sends small TCP packets and inserts delays between them.

Application Evasion: Adjusts application-specific evasion options for exploits involving DCERPC, SMB and HTTP. The higher the application evasion level, the more evasion techniques are applied.

Included Ports: Defines the specific ports you want to target for exploitation.

Excluded Ports: Defines the specific ports you want to exclude from exploitation.

Manual Exploits

A manual exploit is a module that you can select and run individually. You perform a manual exploit when you want to exploit a known vulnerability.

You choose the exploit module based on the information you have about the host. For example, if you know that the host runs Windows Service Pack 1, you can run an exploit that targets Windows Service Pack 1 vulnerabilities. Or if you know that the target system has a specific vulnerability that you want to test, you can run the exploit that targets that particular weakness.

Manual exploitation provides granular control over the module and evasion options that an exploit uses. Whereas automated exploits enable you to run simultaneously multiple exploits, manual exploits enable you to run one exploit at a time.

The options and instructions that you perform for manual exploits vary based on the exploit that you choose to run. Therefore, use the following instructions as a guideline to manually run exploits.

Searching for Exploits

The module search engine searches the module database for the keyword expression and returns a list of results that match the query. Use the module search engine to find the module that you want to run against a target system.

  1. From within a project, click the Modules tab.
  2. In the Search Modules field, enter a keyword expression to search for a specific exploit.
  3. Use the keyword tags to define the keyword expression.
  4. Press Enter to perform the search.

Module Rankings

Module rankings provide details about the reliability and impact of an exploit on a target system. Every module in the Metasploit Framework has a ranking, which is based on how likely the exploit will disrupt the service.

There are six possible rankings. The higher rankings indicate that the exploit is less likely to cause instability or crash the target system.

Use the following rankings to determine the reliability of a module:

  • Excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances (WMF Escape()).
  • Great: The exploit has a default target AND either auto-detects the appropriate target or uses an application-specific return address AFTER a version check.
  • Good: The exploit has a default target and it is the "common case" for this type of software (English, Windows XP for a desktop app, 2003 for server, etc).
  • Normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect.
  • Average: The exploit is generally unreliable or difficult to exploit.
  • Low: The exploit is nearly impossible to exploit (or under 50%) for common platforms.

Setting Up a Listener

  1. Select Administration > Global Settings from the main menu.
  2. Click New Listener, which is located under Persistent Listeners.
  3. When the Create a Listener window appears, choose an associated project for the listener.
  4. Define the listener payload type.
  5. Enter an IP address for the listener.
  6. Enter a port for the listener.
  7. Choose a post-exploitation macro to deploy after the listener connects to the target system. Enable the listener.
  8. Save the listener.