Metasploit, A Tool That Hacker Must Know Hi friends, Let us review little about Metasploit. I think Metasploit is a great tool which could be used for security auditing and could be applied from home computer to enterprise computer network. I could say most of IT security use this for self testing of theirs network. This have to be done to find any security hole/exploit exist on network computer, before a bad guy/cracker find this hole. Meanwhile, hacker use this for own purpose to check or attack computer target over there with some payloads. As stated on its website, Metasploit provides useful information to people who perform penetration testing, IDS signature development, and exploit research. This project was created to provide information on exploit techniques and to create a useful resource for exploit developers and security professionals. The tools and information on this site are provided for legal security research and testing purposes only. Metasploit is a community project managed by Metasploit LLC. In the old days, upon finding a vulnerability, the attacker either had to create custom exploit code from scratch or scour the Internet to find such code to exploit the hole. Today, instead of scraping together a bunch of individual exploits, these integrated exploit frameworks include around one hundred or more exploits to compromise target systems. One of the nicest properties of the exploit tools from an attacker's perspective is the separation of the exploit from the payload. An exploit is the software that takes advantage of a flaw, letting the attacker load and execute machine language instructions [that is, a program] of the attacker's choosing. The code triggered by the exploit is known as the payload. The Metasploit framework includes several payloads worth mentioning. One of the flashiest is its Virtual Network Computing [VNC] DLL injection tool. This payload, which can be run against vulnerable Windows machines, inserts the remote GUI-control tool VNC inside of the vulnerable running process. The attacker can then remotely control the GUI across the network. An even more interesting Metasploit payload is the Meterpreter. This little baby is a complete command shell environment which gets injected inside of a vulnerable running process. Attackers like to use this kind of payload for three reasons: stealthy,meterpreter lets an attacker stay entirely in memory, some systems are configured to hide their command shell. Another very promising Metasploit payload is called PassiveX. This one loads any ActiveX control of the attacker's choosing into the victim machine and runs it. When used by an attacker, the payload fires up Internet Explorer on the victim system, which could be a workstation or server system. The payload then makes IE fetch code in the form of an ActiveX control from the attacker's Web site, using normal, outbound HTTP. Once the ActiveX control gets loaded into the browser, it runs. This code then uses the browser to fetch other commands from the attacker and run them. But all of the payloads we've discussed so far -- from simple command shells through the Meterpeter and PassiveX -- all suffer from one limitation: They have a predefined set of functions built into them when they are developed. What if the attacker wants something even more flexible, a magic payload that can do anything, even changing its function after it is loaded into a target system's memory? What could an attacker do with such a magic payload? Such a magic payload does exist, and is included in the commercial tool CORE IMPACT. To understand this so-called "agent" payload, though, we need to quickly review how programs run on a local system. When a program runs, it relies on user mode and kernel mode code. The user mode code is the program itself, doing what the program is supposed to do. But, when the program needs to access the hardware [e.g., to send a packet, read the hard drive, allocate memory, start other programs, etc.] it must make a call into kernel mode to invoke special software included in the operating system. These calls are named "system calls" and the magic payload relies heavily on this concept. The CORE IMPACT agent payload injects a little software stub into the target machine. This stub receives system calls across the network. So in a sense, the victim machine has its kernel interface exposed, waiting for system calls sent from the attacker. The attacker can then run any program locally on the attacker's own machine. But all system calls made by this program are redirected, not executed in the attacker machine's kernel, but instead sent across the network to the victim. When received by the agent payload in the victim machine, the system calls take place within the kernel of the victim system. Thus, the program runs [from a user-mode perspective] on the attacker's machine, but all of its interactions with the world around it happen on the victim machine. Once loading the agent payload on a victim, the attacker can then run a sniffer [locally on the attacker's machine], and sniff packets going by on the victim's network. Or, the attacker could run a port or vulnerability scanner to look for other flawed systems, for the perspective of the current victim machine! # Basic Common Commands There are some common msfconsole commands you should know about: * help (or '?') â shows the available commands in msfconsole * show exploits â shows the exploits you can run (in our case here, the ms05_039_pnp exploit) * show payloads â shows the various payload options you can execute on the exploited system such as spawn a command shell, uploading programs to run, etc. * info exploit [exploit name] â shows a description of a specific exploit name along with its various options and requirements (ex. info exploit ms05_039_pnp shows information on that specific attack) * info payload [payload name] â shows a description of a specific payload name along with its various options and requirements (ex. info payload win32_reverse shows information on spawning a command shell) * use [exploit name] â instructs msfconsole to enter into a specific exploit's environment (ex. use ms05_039_pnp will bring up the command prompt ms05_039_pnp > for this specific exploit * show options â shows the various parameters for the specific exploit you're working with * show payloads â shows the payloads compatible with the specific exploit you're working with * set PAYLOAD â allows you to set the specific payload for your exploit * show targets â shows the available target OSs and applications that can be exploited * set TARGET â allows you to select your specific target OS/application * set RHOST â allows you to set your target host's IP address * set LHOST â allows you to set the local host's IP address for the reverse communications needed to open the reverse command shell * back â allows you to exit the current exploit environment you've loaded and go back to the main msfconsole prompt # Download Metasploit U can download this Metasploit at the official link : http://metasploit.com/framework/download/ Or u can use online Metasploit with ofcourse minimized feature rather than launching attack from ur own box. See here : http://www.metasploit.com:55555/ Metasploit could be installed on Windows, BSD, Mac OS C, Linux, Windows (using Cygwin). Ref. : http://metasploit.com/framework/download/ http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci214475,00.html http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1135581,00. html http://www.cgisecurity.net/2008/11/metasploit-fram.html http://searchsqlserver.techtarget.com/tip/1,289483,sid87_gci1159718,00.html http://www.metasploit.com:55555/ http://en.wikipedia.org/wiki/Payload_(software)