What is a vulnerability?
A vulnerability is a weakness that can be exploited to gain unauthorised access or perform unauthorised actions on a computer system.
Vulnerabilities can come in many different forms; for example, a missing patch may leave the system exposed to a known issue, or a misconfiguration of a service may allow an attacker unauthorised access.
What is an exploit?
An exploit is a program, or piece of code, designed to find and take advantage of a security flaw or vulnerability. Exploits can come in many forms, such as installing software, and even enticing the user to click on a link.
What are the different shell types?
What is the difference between staged and non-staged payload types?
One of the first distinctions when using a Metasploit payload is whether the payload is staged or non-staged shellcode. The difference can be spotted from how the directory is displayed when in Metasploit; for example:
§ windows/shell_reverse_tcp – Connect back to attacker and spawn a command shell
§ windows/shell/reverse_tcp – Connect back to attacker, Spawn cmd shell (staged)
As you can see, the non-staged payload name is separated with “_” as opposed to “/”.
A non-staged payload is sent in one go, whereas a staged payload is usually sent in two sections. The first part is a small primary payload which causes the target system to connect back to the attacker and accept a longer secondary payload containing the remaining shellcode, which it then executes.
See below for examples of why it may be beneficial to use a staged payload:
§ The particular vulnerability we are exploiting does not have enough memory, also known as “buffer space”, to hold a full payload. The first section of the payload is usually smaller than the full payload, therefore delivering the payload in smaller chunks can help for targets with limited memory.
§ Antivirus software, as it evolves, is getting better at detecting shellcode within an exploit. By replacing the embedded shellcode with a staged payload, it is possible to remove most of the malicious part of the shellcode that the antivirus would detect.
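To make the naming convention concrete, here is an added example in Python (my own code, not from the original page and not part of the Metasploit project) that parses a payload path into platform, architecture, stage and transport and labels it staged or non-staged using only the “_” versus “/” rule described above. The field names, the architecture list and the sample payload names are assumptions made for illustration; refusing to classify script payloads under cmd/, whose layout differs, is a caveat of mine rather than something the page states.

```python
"""Classify Metasploit payload names as staged or non-staged.

Added example, not Metasploit's own code. It uses only the naming rule
described on this page: a non-staged (single) payload joins stage and
transport with "_" (shell_reverse_tcp), while a staged one separates them
with "/" (shell/reverse_tcp). Field names and the architecture list are
assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Architecture tokens that may sit between the platform and the payload
# (assumed subset, for illustration only).
ARCHS = {"x86", "x64", "aarch64", "armle", "mipsbe", "mipsle", "ppc"}


@dataclass(frozen=True)
class PayloadName:
    platform: str        # e.g. "windows", "linux"
    arch: Optional[str]  # e.g. "x64", or None when the name carries no arch
    stage: str           # what runs once delivery completes: "shell", "meterpreter"
    transport: str       # how it connects: "reverse_tcp", "bind_tcp", ...
    staged: bool         # True when delivered as a small first part plus a second part


def parse_payload(name: str) -> PayloadName:
    """Split a payload path and decide staged vs non-staged from "_" vs "/"."""
    parts = name.strip().strip("/").split("/")
    if len(parts) < 2:
        raise ValueError(f"not a payload path: {name!r}")
    platform, rest = parts[0], parts[1:]
    # Caveat (assumption): script payloads under cmd/ do not follow the
    # "_" versus "/" rule, so refuse to guess for them.
    if platform == "cmd":
        raise ValueError(f"cmd/ payloads use a different layout: {name!r}")
    arch = rest.pop(0) if rest and rest[0] in ARCHS else None
    if len(rest) == 1:
        # Single component: stage and transport joined by "_" -> non-staged
        stage, sep, transport = rest[0].partition("_")
        if not sep or not transport:
            raise ValueError(f"cannot split stage/transport in {name!r}")
        return PayloadName(platform, arch, stage, transport, staged=False)
    if len(rest) == 2:
        # Two components separated by "/" -> staged
        stage, transport = rest
        return PayloadName(platform, arch, stage, transport, staged=True)
    raise ValueError(f"unexpected payload layout: {name!r}")


def classify(name: str) -> str:
    """Return "staged" or "non-staged" for a payload path."""
    return "staged" if parse_payload(name).staged else "non-staged"


def describe(names: List[str]) -> List[str]:
    """One summary line per payload name, in the page's own wording."""
    lines = []
    for name in names:
        p = parse_payload(name)
        how = "sent in two sections" if p.staged else "sent in one go"
        lines.append(f"{name}: {p.stage} over {p.transport} ({classify(name)}, {how})")
    return lines


if __name__ == "__main__":
    # Constructed sample list: the two names from the page plus assumed ones.
    SAMPLES = [
        "windows/shell_reverse_tcp",
        "windows/shell/reverse_tcp",
        "windows/x64/meterpreter/reverse_https",
        "linux/x86/shell_bind_tcp",
    ]
    for line in describe(SAMPLES):
        print(line)
```

The parser deliberately raises rather than guesses when a name does not fit the two layouts it knows, which is the safer default when the output feeds a report or an inventory check.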
What are the non-shell payload types?
There are payload types that don't provide access via a shell, unlike the ones mentioned when discussing staged vs non-staged payload types. For example, we may just want an action performed, such as a user being created so that further or persistent access can be granted to us. You may use a payload like the following:
With the details correctly inputted, we should be able to log into the host legitimately without using an exploit to gain a shell. The ideal time to use this payload type would be when the stability of the shell is poor and it keeps losing connection, or the connection dies.
Meterpreter Basics
Background
Now we have shell, amazing! But, how do we operate within the Meterpreter shell?
One key question we get asked a lot is, "How do we go back to Metasploit and keep the shell?". Nice and easy: we can background a session to return to later on if we need to use another module within Metasploit. Whilst in the session, simply type "background".
Shell
We already have a Meterpreter shell, but we just want access to a normal shell, either a Windows command prompt or a Linux terminal. How do we drop into the default shell on that system?
When operating within the Meterpreter session, we can use the command "shell" and it will drop you, as the current user, into the default shell on the system.
Common Meterpreter Commands
The table below lists common commands that can help you when using the Meterpreter shell. The Meterpreter shell is very similar to a Linux terminal, with added functionality.
Command – Info
§ ifconfig – Pulls back the network information of the target host
§ download – Downloads a file from the target host
§ upload – Uploads a file from your local machine to the target host
§ background – Backgrounds the Meterpreter session for full use of the Metasploit Framework
§ ls – Lists the files within the directory
§ cd – Change directory
§ help – Provides a help menu of what is possible within Meterpreter
§ hashdump – Dumps the password hashes of the target host
§ getsystem – Attempts a set number of actions to further compromise the target host
Meterpreter Modules
Meterpreter modules can be loaded to increase the capability of your Meterpreter session, allowing you to potentially retrieve sensitive information, make use of a programming interpreter, and more.
The most popular ones include Mimikatz, PowerShell, and Python. Mimikatz is a tool that allows an attacker to pull passwords out of memory and abuse Microsoft's authentication system; it can be loaded within a Meterpreter session using the command "load kiwi".
The PowerShell module can be loaded by using "load powershell", allowing the use of Windows' powerful scripting language.
The Python module can be loaded to execute Python functions or to run code on the target host. To load the module within a Meterpreter session, use the command "load python".
Managing Sessions
A big part of using the Metasploit Framework and the use of Meterpreter sessions is the ability to compromise multiple target hosts, to then jump to and from the different targets. To do this, we need to manage the sessions that allow us as the attacker to jump from one target host to another.
Whilst in the Meterpreter session, we use the command "background" to background the session; now we need to manage that session and reconnect to it. To do this we can use the command "sessions" to view what sessions are available to us.
To reconnect to a session we can use the same command with the addition of the "-i" flag, giving the following command: "sessions -i 1". It is incredibly important to make a note of which session ID number you are inputting after the command, otherwise you may be interacting with the wrong session.
You may want to kill a session, thereby closing that connection to the target host. To complete that task, you will need to use the "-k" flag, representing kill; the full command will look like the following: "sessions -k 1". Again, make sure you have the session ID correct, otherwise you may be killing the wrong session.
Upgrading Sessions
There will be instances where you have used an auxiliary module, like the SSH login one, to gain SSH access. What if we want to upgrade that to a Meterpreter shell to have the extended capabilities, such as the use of modules? We can upgrade the session! To upgrade the session we can use the "-u" flag; the full command would look like "sessions -u 1".