Perform simple security tests yourself - using Metasploit Framework and nmap
#1
Bug 
Quote:

Even with little effort, the security of your own network can be put to the test. We present two tools that make this possible. The best thing about it: the tools are freely available.

The Metasploit Framework from Rapid7 is one of the best-known frameworks in the area of vulnerability analysis, and is used by many Red Teams and penetration testers worldwide. It is freely available and can be extended individually, which makes it very versatile and flexible. It is often used in combination with a port scanner such as nmap, one of the most prominent tools in this area, which is also freely available.

In this article we give a small insight into both tools. For this, we will show a short example to demonstrate how you can perform simple tests against your systems yourself.

Please note that you may only perform attacks against systems where the owner has given you permission. Failure to do so could result in criminal penalties, depending on the legislation in your country. Moreover, make sure that you coordinate your tests and do not unexpectedly interfere with or block a service that other people are using.

 
Prerequisites - Installation

Prerequisites

The Metasploit Framework is a console application and nmap is executed from the command line. Therefore you should have basic knowledge in this area (e.g. bash).

Installation

You can download the Metasploit Framework from here and install it afterwards.

Caution: Antivirus software and firewalls sometimes flag the files as malware, because they contain exploit and payload code that is also found in malicious software.

Therefore, you should configure an exclusion for the Metasploit installation directory (ideally on a dedicated test machine or VM) rather than disable the protection entirely; otherwise the scanner may quarantine individual modules and payloads, and the framework stops working in unexpected ways.

When installing the Metasploit Framework, related tools (including nmap) are also installed, so no further installation is needed for our example.

Alternatively, you can use Kali Linux, a Debian-based Linux distribution that has many offensive security tools pre-installed, among them the Metasploit Framework and nmap. When using Kali Linux, be aware that some EDR solutions are sensitive to the default hostname of a Kali system (kali) and trigger an alarm.

Convenient: Kali Linux is available as a virtual machine for VirtualBox or VMware, so you do not have to install a whole new system.

Metasploit Framework

The Metasploit Framework has a modular structure. Modules are grouped into categories, and modules from different categories are combined with each other: an exploit, for example, is always run together with a payload, while an auxiliary module is used on its own.

Three of the categories are briefly explained below:

1. Auxiliaries: This includes auxiliary tools such as scanners, fuzzers, etc., which are used to detect which services are running on a target system and whether vulnerabilities are present.

2. Exploits: Exploits, like the name says, include all modules that can be used to exploit vulnerabilities. These range from denial-of-service exploits that block a service to remote code execution exploits that allow an attacker to execute arbitrary code on the target system.

3. Payloads: Payloads are the code that an exploit executes on the target system once the vulnerability has been triggered; they typically establish a connection between the attacker and the target. Usually this connection is a shell, and the choice of payload determines which type of shell is delivered and how the connection is set up. There are two basic distinctions:

3.1 Staged vs. non-staged payload

For some exploits, the size of the usable payload is limited. This can imply that a staged payload has to be used. In this case, only a small piece of code (stager) is transmitted to the target system. Then a connection back to the attacker is established via the stager. Finally, further payloads (stages) are received and executed.

Non-staged payloads, on the other hand, are self-contained and come with all the required code. Therefore, they are larger, but at the same time more stable, i.e. they function more reliably because no further dependencies exist.

The two different types can be easily recognized by the module name. Staged payloads contain one "/" more, while non-staged payloads have an underscore "_" at the corresponding position.

Examples:

staged: windows/x64/shell/reverse_tcp
non-staged: windows/x64/shell_reverse_tcp

3.2 Bind or reverse Shells

When a bind shell is used, a service that listens on a specific port is started on the target system. The attacker then connects to this system via the specified port.

Depending on the configuration of the target system and its network, a firewall may block incoming connections, so the attacker cannot reach the listening port of a bind shell. In addition, if the attacker and the target system are not on the same network, the target usually sits behind NAT with a private IP address that is not reachable from outside, which also rules out a bind shell.

If, on the other hand, a reverse shell is chosen, a service is started on the attacker's device that listens on a specific port, and the target system connects back to the attacker. This only requires that the target is allowed to open outbound connections to that port, which is permitted far more often than inbound connections; choosing a port that is commonly allowed outbound (such as 443) increases the chance that the connection succeeds.

Examples:

bind shell: windows/x64/shell_bind_tcp
reverse shell: windows/x64/shell_reverse_tcp
...
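The following shell script is an added example and is not part of the G DATA article or of the Metasploit project. It ties together two things the article explains: the payload naming rule (an extra "/" means staged, an underscore at that position means non-staged, and "bind" or "reverse" in the last component tells you the connection direction), and the combination of nmap and the Metasploit Framework, by turning nmap's greppable output into an msfconsole resource script that runs the real module auxiliary/scanner/smb/smb_version against every host with TCP 445 open. It assumes only a POSIX shell and awk; nmap and msfconsole are not invoked, and the nmap output embedded below is constructed sample data with fictitious lab addresses. Note that the naming rule holds for the shell and meterpreter payloads the article discusses, while some cmd/* payloads (cmd/unix/reverse_bash, for instance, is a single-stage payload) do not follow it.

```shell
#!/bin/sh
# Added example, not part of the G DATA article or of Metasploit itself.
# Two helpers around the workflow the article describes:
#   payload_kind    classify a payload module name with the article's naming
#                   rule (stage as its own "/" component = staged, joined with
#                   "_" = non-staged; bind vs reverse from the last component).
#                   Exception: some cmd/* payloads such as cmd/unix/reverse_bash
#                   are single-stage despite the "reverse_" prefix.
#   rc_from_nmap    turn nmap greppable output (nmap -sV -oG scan.gnmap <net>)
#                   into an msfconsole resource script that runs
#                   auxiliary/scanner/smb/smb_version against every host with
#                   TCP 445 open. Run the result with: msfconsole -q -r scan.rc
# Only POSIX sh and awk are needed; nmap/msfconsole are not invoked here.

payload_kind() {
    # $1: payload module name, e.g. windows/x64/shell/reverse_tcp
    last=${1##*/}                          # component after the final "/"
    case $last in
        bind_*)      echo "staged bind" ;;         # .../shell/bind_tcp
        reverse_*)   echo "staged reverse" ;;      # .../meterpreter/reverse_https
        *_bind_*)    echo "non-staged bind" ;;     # .../shell_bind_tcp
        *_reverse_*) echo "non-staged reverse" ;;  # .../meterpreter_reverse_tcp
        *)           echo "unknown"; return 1 ;;
    esac
}

hosts_with_open_port() {
    # $1: TCP port. stdin: nmap -oG output. Prints the IP of every host whose
    # "Ports:" field lists <port>/open/tcp; filtered or closed ports are ignored.
    awk -v port="$1" '
        BEGIN { re = "[ ,]" port "/open/tcp/" }   # entry boundary, then port/state/proto
        /^Host:/ && $0 ~ re { print $2 }'
}

rc_from_nmap() {
    # $1: nmap -oG file, $2: resource script to write. Returns 1 if no target.
    rhosts=$(hosts_with_open_port 445 < "$1" | tr '\n' ' ')
    rhosts=${rhosts% }                     # drop trailing space
    if [ -z "$rhosts" ]; then
        echo "rc_from_nmap: no host with 445/tcp open in $1" >&2
        return 1
    fi
    {
        echo "use auxiliary/scanner/smb/smb_version"
        echo "set RHOSTS $rhosts"
        echo "set THREADS 4"
        echo "run"
        echo "exit"
    } > "$2"
}

# Constructed sample of nmap -oG output (fictitious lab addresses, not a real scan).
SAMPLE_GNMAP=$(
    printf '%s\n' '# Nmap 7.94 scan initiated (constructed sample)'
    printf 'Host: 192.168.56.101 ()\tStatus: Up\n'
    printf 'Host: 192.168.56.101 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)\n'
    printf 'Host: 192.168.56.102 ()\tStatus: Up\n'
    printf 'Host: 192.168.56.102 ()\tPorts: 80/open/tcp//http//nginx/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (998)\n'
    printf 'Host: 192.168.56.103 ()\tStatus: Up\n'
    printf 'Host: 192.168.56.103 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)\n'
    printf '%s\n' '# Nmap done -- 3 IP addresses (3 hosts up) scanned'
)

# Stand-alone demonstration.
for p in windows/x64/shell/reverse_tcp windows/x64/shell_reverse_tcp \
         windows/x64/shell_bind_tcp linux/x64/meterpreter/bind_tcp; do
    printf '%-36s -> %s\n' "$p" "$(payload_kind "$p")"
done
gnmap=$(mktemp)
printf '%s\n' "$SAMPLE_GNMAP" > "$gnmap"
rc_from_nmap "$gnmap" "$gnmap.rc" && cat "$gnmap.rc"
rm -f "$gnmap" "$gnmap.rc"
```

Host 192.168.56.102 is deliberately left out of the generated script: its port 445 is reported as filtered, not open, so there is nothing for the SMB scanner to talk to. The same hosts_with_open_port function can feed other auxiliary scanners (ssh_version for port 22, http_version for port 80) by changing the port and the module name in rc_from_nmap.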

