
Christopher Steiner, Florida Gulf Coast University, Fall 2011

Metasploit: Penetration Testing in a Virtual Environment (Final Draft)

Christopher Steiner

Dr. Janusz Zalewski

CNT 4104 Fall 2011 – Networks

Florida Gulf Coast University

Fort Myers, Florida

11-20-11


1. Introduction

1.1 Project Overview

The purpose of this project is to initially create a series of virtual servers using Oracle VM Virtual Box in order to build a test environment to run Metasploit, and then to repeat the tests in the actual environment of the Computer Science network. The Metasploit Framework is considered the de facto standard for penetration testing. Metasploit is used in a test environment in order to better defend a network against hackers or cyber criminals. The penetration tests are often run in a virtual test environment so as not to interfere with actual network usage.

1.2 Metasploit

In order to understand the Metasploit Framework one needs to understand the basics of penetration testing. A penetration test, sometimes referred to as a pentest, is the equivalent of hacking a secure network for the sole purpose of finding weaknesses for the betterment of the network. These tests are usually run by the person in charge of the network security or by the person asked to find these vulnerabilities in the network and fix them. One thing that needs to be made clear is that these pentests are to be done with the consent of the owner of the network; otherwise it would just be hacking.

Metasploit was developed by H.D. Moore. He developed a framework for the creation and development of exploits and released a Perl-based Metasploit in October 2003. In 2004 H.D. rewrote the Metasploit project with the help of Spoonm; this version included 19 exploits and 27 payloads. More about exploits, payloads and vulnerabilities is explained later in this report. Metasploit was rewritten in Ruby in 2007. It grew rapidly due to an increasingly interested security community and user contributions. Rapid7, a widely known vulnerability-scanning firm, acquired Metasploit in 2009. With the acquisition both H.D. and Rapid7 were able to focus on the deployment of the Framework and the commercial lines of Metasploit: Metasploit Pro and Metasploit Express. [6]

The need for penetration testing is ever increasing as the external and internal threats to network security have become more prevalent over the past decade. While the rapidly increasing technological advances in networks are pushing our knowledge and abilities further, they are also allowing a whole new breed of hacker to infiltrate and compromise networks. Frameworks such as Metasploit allow network pentesters to provide the correct defense against the attacks.

1.2.1 Vulnerability

“A vulnerability is a security hole in a piece of software, hardware or operating system that provides a potential angle to attack the system. A vulnerability can be as simple as weak passwords or as complex as buffer overflows or SQL injection vulnerabilities.” [1]

As the name implies, this section discusses the vulnerable state of the network. One must determine where these holes in security are and close them before they are found by an unwanted intruder. These vulnerabilities are not limited to the software, hardware or operating systems in use in the system. They may be operating procedures of the company in question. For a penetration tester, finding as much information as possible about the inner workings of a company may lead to possible vulnerabilities in its network. These days the intelligence gathering phase usually includes Google hacking, social-media networks such as Facebook, and other methods as well.

The old saying “Loose lips sink ships” holds true here, as even employees have the opportunity to be a vulnerability in a network. They may leak a secure password to the wrong person. These holes in the security process are a little harder to close up. They have to be dealt with in a different way than Metasploit works, but they can be dealt with before other kinds of penetration testing have started.


Once the greatest threats to the network have been identified, the vulnerability analysis starts with determining which attack would be the most viable. All of the information gathered from the intelligence gathering phase, coupled with port and vulnerability scans, will give the penetration tester the best place to start in exploiting the network.

1.2.2 Exploits

Once the best vulnerability has been discovered in a network, a small and specialized computer program, called an exploit, is used to take advantage of the vulnerability and give the penetration tester access to the computer system. The exploits are used to deliver the payloads to the target system. These payloads are the way that the penetration tester gains access to the computer system. Payloads are introduced in the next section.

There are more than 180 exploits in the Metasploit Framework. Since the security community is encouraged to get involved in the continuing development of exploits, there is currently a public database of usable exploits. The exploit database is constantly being updated with community support, and when new exploits are found they are posted.

1.2.3 Payloads

“Payloads are pieces of code that get executed on the target system as part of an exploit attempt. A payload is usually a sequence of assembly instructions, which helps achieve a specific post-exploitation objective, such as adding a new user to the remote system, or launching a command prompt and binding it to a local port. Traditionally, payloads were created from scratch or by modifying existing pieces of assembly code. This requires an in-depth knowledge not only of assembly programming, but also of the internal workings of the target operating system. But a number of scripts now enable payloads to be developed without needing to modify any assembly code at all.” [5]


The different types of payloads allow for different types of control that the penetration tester has over the target system. The most commonly used payload is called the Meterpreter. This payload allows the penetration tester to turn on the target system's webcam, take control of the mouse and keyboard, and even take screenshots. All of these options are for the penetration tester to see exactly what holes there are in the system. Having access to key functions on one computer may not necessarily mean control over the whole network, but it is a start in determining which aspects of the network are the most vulnerable.

1.3 Oracle VM Virtual Box

In order to properly run a penetration test, a suitable network must be in place to test against. Instead of having physical machines, this project initially aims to run these penetration tests in a completely virtual environment inside Oracle VM Virtual Box.

As processing power and memory on server machines become more powerful and easier to acquire, hosting these virtual networks becomes a more likely option. Oracle VM Virtual Box allows the user to create virtualizations of physical machines in order to either run them full time or do testing outside of a live environment. Since this project uses multiple virtual environments, from Ubuntu to Windows Server 2003, there is a need to tap into the power that Oracle VM Virtual Box provides.

There are other programs out there such as VMware Workstation, but for our purposes in this experiment the free and easy access to Virtual Box will do just fine. There is even the possibility of virtualizing the entire project with the Metasploit Test Lab as a virtualized machine itself; however, this goes beyond the scope of this project and perhaps may constitute an extension to it.


This virtual network, even though it is hosted on a single machine, will include multiple operating systems in strong isolation from each other. This gives great ease of access when dealing with multiple hosts. If one had to go from machine to machine in order to check a part of the test, it would be very time consuming and maybe, if the test was large enough, not feasible. With access to any of the virtualized machines at any time, this test will cut down on significant foot traffic and allow for a test environment that is secured and off the grid.

With the network being as isolated as it is, the network the Test Lab is hosted on is also protected. All of the network traffic is localized to the Test Lab host itself.

1.4 Armitage

Armitage is an open source graphical user interface for the Metasploit Framework. It allows the user to see a visual representation of the network and allows point-and-click exploitation and payload delivery. In order to start using Armitage it must be installed on the same test environment on which the Metasploit Framework is installed.


2. Problem Description and Project Setup

2.1 Project Objective

The Metasploit Framework environment is created on a central server which will then house three additional virtual machines. These virtual machines have different images on them, such as Ubuntu and Windows XP. The purpose of setting up these three different types of virtual machines is to create a real world scenario which a hacker might attempt to penetrate. Once this test environment has proved itself, a real test will be done on the FGCU Computer Science Lab network.

2.1.1 Basic Configuration

It is assumed that all virtual machines will be running simultaneously and that the penetration tests will be executed on all virtual machines. A sample Metasploit layout is presented in Figure 2.1.

Figure 2.1 – Metasploit Example Layout

The following configuration items are needed in order to create a working test lab on a single machine with Metasploit:

- Metasploit Framework [1]
- Computer with the following specifications
  - Intel Core 2 Quad @ 2.66 GHz
  - 8 GB of RAM
  - 500 GB HDD
  - Windows 7 x64
- Oracle VM Virtual Box [2]
- Metasploitable Image [7]
- Ultimate LAMP Image [8]
- Windows XP Image
- Armitage [10]

2.2 Setting Up a Test Lab on a Single Machine

In order to create a test lab on a single machine we first need to set up the three different virtual machines. For this test lab Virtual Box is used to emulate a network to penetrate. The first thing one needs to do is download and install Virtual Box, and the next step is to download and install Metasploit. After these two applications have been downloaded and installed, one then needs to set up the Virtual Machines for each of the three operating systems.

2.2.1 Installing Oracle VM Virtual Box

The process of virtualizing the three test environments to create the overall test lab starts with downloading Virtual Box [3]. Since the Test Lab is running on a Windows based machine, one needs to download Virtual Box 4.1.4 for Windows hosts x86; the process is shown in Figures 2.2-2.7. It starts with clicking on the x86/amd64 link and saving the file. Once Virtual Box is downloaded, double click the executable to start the install process.

Figure 2.2 – Select Next

Figure 2.3 – Select Next


Figure 2.4 – Select Yes

Figure 2.5 – Select Install

After selecting Install in Figure 2.5, Virtual Box will install. Once it is completed, Next and Finish have to be selected as in Figures 2.6 and 2.7.


Figure 2.6 – Select Next

Figure 2.7 – Select Finish


Figure 2.8 – Virtual Box is installed.

If the screen shown in Figure 2.8 appears then Virtual Box has successfully installed. One can close this for now, since next one needs to set up Metasploit and get images ready to continue setting up the Test Lab.

2.2.2 Installing Metasploit

Now that Virtual Box is installed and ready to go, it is time to set up the penetration testing software, Metasploit. The Metasploit Framework is to be installed on a Windows based test environment, so one needs to download the Latest Windows Installer [4] executable setup for Windows machines. Save the executable, and once it is downloaded the install process can start. This is shown in Figures 2.9-2.19.


Figure 2.9 – Turn off antivirus software. Select Ok.

Figure 2.10 – Turn off Windows firewall. Select Ok.


Figure 2.11 – Select Next

Figure 2.12 – Select “I accept the agreement”. Select Next.


Figure 2.13 – Select a folder to install. Select Next.

Figure 2.14 – Select Next.


Figure 2.15 – This will generate an SSL certificate for this server. Select Next.

Figure 2.16 – Select Next.


Figure 2.17 – Select Next.

Figure 2.18 – Wait for Metasploit to install.


Figure 2.19 – Uncheck “Access Metasploit Web UI?”. Select Finish.

Once the screen shown in Figure 2.19 appears, the Metasploit Framework has been successfully installed. It is recommended to reboot the Test Lab computer before moving to the next step.

2.2.3 Preparing Test Machines

Having made sure that Virtual Box and the Metasploit Framework are installed correctly, one can now turn to creating the three virtual environments. The steps for all three are the same, so the instructions below refer to setting up just one of the three, Windows XP, and the rest should be done in the same manner. Figures 2.20 – 2.29 explain the setup process.


Figure 2.20 – Select New.

Figure 2.21 – Select Next.


Figure 2.22 – Enter the name of the VM. Select the Operating System and Version. Select Next.

Figure 2.23 – Set the allocated RAM. For these VMs 1024 megabytes will suffice. Select Next.


Figure 2.24 – Select Next.

Figure 2.25 – Select Next.


Figure 2.26 – Select Next.

Figure 2.27 – Select Next.


Figure 2.28 – Select Create.

Figure 2.29 – Select Create again.

Once the virtual machine is created, one needs to install an operating system onto it. For this example it is a lightweight version of Windows XP that is only 360MB. Any version of XP can also be used, and it is recommended that it be from an image file (.iso) so that it is easily accessible in case a new virtual machine needs to be created from the same image. The process is shown in Figures 2.30 – 2.34.

Figure 2.30 – First open Virtual Box and select New.

Figure 2.31 – Select Next.


Figure 2.32 – Select the Media Source. Select Next.

Figure 2.33 – Select Start.


Figure 2.34 – Highlight the newly created VM and select Start.

Once the Virtual Machine loads, the usual steps remain in order to install the operating system. Following the on-screen instructions and installing each operating system in its own way will do it. Now one can start each of the three operating systems simultaneously. Configuring the network settings and the Metasploit Framework is described in Section 3.

2.2.4 Preparing Metasploitable Test Machine

This project uses the Metasploitable test machine from Rapid7, which is an environment built specifically to focus on network-layer vulnerabilities. The Metasploitable machine is distributed in torrent format, so BitTorrent software is needed in order to download the virtual machine [7]. The steps to use an existing virtual machine are similar to creating a new one and are described in Figures 2.35-2.40. The first is to open Virtual Box as shown in Figure 2.35.


Figure 2.35 – Select New.


Figure 2.36 – Select Next.


Figure 2.37 – Set the Name of the VM and select Linux and Ubuntu for the Metasploitable VM. Select Next.


Figure 2.38 – Set the amount of Memory to use. Suggested 2048MB. Select Next.


Figure 2.39 – Select Use Existing Hard Disk and use the option to search for the Metasploitable.vmdk. Select Next.


Figure 2.40 – Select Create.

Once the Metasploitable virtual machine is created, one can start it and use it for testing exploits and payloads. Section 3 discusses setting up the network settings in order to create a link between the host Test Machine and the Target Exploitable Machine.

2.2.5 Downloading and Installing Armitage

Armitage is the user interface for Metasploit used in this project. In order to install Armitage it must be downloaded from the Armitage website [10]. The screenshots in Figures 2.41 and 2.42 show the download process.


Figure 2.41 – Click the Download Link

On the download page we will be selecting the .zip link.

Figure 2.42 – Click the .zip link and download Armitage.

Once Armitage.zip has been downloaded it must first be unzipped.

Figure 2.40 – Contents of the .zip


The steps below describe taking the contents of the Armitage.zip file that was downloaded and moving them to the correct location. After that, it is a matter of updating the Metasploit Framework and initializing the database.

1. Copy the contents into a folder called Armitage on the C: drive.
2. Start -> Programs -> Metasploit -> Framework -> Framework Update
3. Start -> Programs -> Metasploit -> Framework -> Framework Console (do this once to initialize the database)

To run Armitage one needs to follow these steps:

1. Start -> Programs -> Metasploit -> Framework -> Armitage
2. Click Connect
3. Click Yes when asked whether or not to start Metasploit's RPC daemon
4. If asked where Metasploit is installed, select the Metasploit directory. You will only need to do this once.

Figure 2.41 – Armitage is successfully installed and running.


3. Test / Preparation

3.1 Overview

This project utilizes the Metasploit Framework in unison with Oracle VM Virtual Box software in order to create a formidable test environment for penetration testing. The virtualization of multiple computers is needed in order to show the power and functionality of the Metasploit Framework. This project requires that all of the virtualized machines (VMs) be on the same network. Once these VMs have been created the Metasploit Framework is then used in order to find vulnerabilities, create exploits and deliver payloads to the VMs.

The output of these tests is then documented and different test cases are to be monitored. The test environment runs off of a machine in the FGCU Computer Science Lab. This test environment is loaded with the Metasploit Framework and hosts all three of the VMs.

Once testing of the virtual machines has been accomplished, a test on the FGCU Computer Science Lab network will be run. This will attempt to scan and find vulnerabilities in the network and attempt to exploit them.

3.2 Current Testing Environment

Currently the Metasploit Test Lab includes the host machine with one Virtual Machine running Metasploit’s own test server, Metasploitable. After downloading the Metasploitable image from Metasploit’s website [1], the image is loaded into Virtual Box and booted up, as shown in Figure 3.1.


Figure 3.1 – Booted Metasploitable image.

Once the Metasploitable virtual machine is ready for action, the Metasploit framework can be started in order to begin exploiting our target machine. The image in Figure 3.2 shows the launched msfconsole. Msfconsole is launched by going to the Start menu and, under Metasploit, choosing Metasploit console.

Figure 3.2 – msfconsole ready and waiting for input


Once the msfconsole is ready one needs to set up the virtual network and then can start doing some penetration testing on the Metasploitable virtual machine. The implementation of this testing is discussed in Section 4.


4. Implementation

4.1 Setting up the Virtual Network

When Virtual Box is installed a new network adapter is created. This network adapter is called VirtualBox Host-Only Network. This is the network adapter that will be used in order to create a local area network with virtual target machines. Figure 4.1 shows the VirtualBox Host-Only Network adapter that will be used.

Figure 4.1 – VirtualBox Host-Only Network

The virtual target machines need to be created next, so that their network settings can be changed. The Metasploitable virtual machine is used to show how to change the network settings to use the virtual local network.


Figure 4.2 – Highlight the Metasploitable Virtual Machine. Click Settings.


Figure 4.3 – Select Network and in the dropdown for Attached to: select Host-Only Adapter.

This is shown in Figures 4.2 and 4.3. It will allow the virtual machine to connect to the network adapter created by Virtual Box, establishing a link to the virtual local network.

To verify network connectivity, the Metasploitable virtual machine has to be started first. Once started, the user has to log in with the credentials “msfadmin: msfadmin”.


Figure 4.4 – Screen that appears after logging in.

After logging in, the screen shown in Figure 4.4 should appear. The ifconfig command should be run next, as shown in Figure 4.5. Since this machine was created first and is the only one on the virtual network, it was given an IP address of 192.168.56.101. One can now use this IP address to run a ping from the Host machine, which is shown in Figure 4.6.

Figure 4.5 – Response from ifconfig on Metasploitable


Figure 4.6 – Successful ping attempt.

The virtual network has been created and the Host and Target machine are communicating. Now exploits can be created and executed between the machines.

4.2 Selecting an Exploit

Before selecting or using exploits it is advisable to take a snapshot of the Target machine so that it may be reverted back to its default state. This will save time later, as a complete reinstall might be needed after some exploits.

To do this, on the target machine select Machine > Take Snapshot. This will bring up the screen shown in Figure 4.7.


Figure 4.7 – Taking a snapshot. Put in Snapshot name and hit Ok.

In order to discover vulnerabilities to exploit, the first thing that must be done is discovering the machines on the network. This would be done in a normal testing environment, so it should be included here in order to know how it works.

First one would sweep the network with a simple ping scan to determine which hosts are online. This is done with the command nmap -sP 192.168.56.1/24, as shown in Figure 4.8.

Figure 4.8 – NMAP scan results


There are three hosts on this network, 192.168.56.1, 192.168.56.101 and 192.168.56.101. Since it is known that the Metasploitable target machine is 192.168.56.101, the remainder of the exploit will be using this IP address as the Target.

Now that the IP address is known, the next step is to find out which programs are running on which ports. The program chosen this way will be used in the exploit to gain access to the machine, so the port numbers must be known. The respective command is nmap -sV 192.168.56.101, as shown in Figure 4.9.

Figure 4.9 – NMAP port scan results

For this example, the Apache Tomcat/Coyote JSP engine 1.1 is the service exploited next. It is listening on open port 8180.
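As an added example (not part of the original report), the following Python script parses the XML that nmap -sV -oX writes and lists the open ports of each live host, then looks up the Tomcat service the text identifies on port 8180. The XML embedded below is a constructed sample modelled on the Metasploitable scan, not output captured during the project.

```python
"""Summarise an nmap -sV -oX report: open ports per live host, plus a lookup
for a named service (added example; the XML below is a constructed sample)."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Metasploitable scan in the text (not real nmap output)
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.168.56.101" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.7p1"/></port>
      <port protocol="tcp" portid="8180"><state state="open"/>
        <service name="http" product="Apache Tomcat/Coyote JSP engine" version="1.1"/></port>
      <port protocol="tcp" portid="8009"><state state="filtered"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="192.168.56.103" addrtype="ipv4"/>
  </host>
</nmaprun>"""

def parse_nmap_xml(xml_text):
    """Return {ip: [(port, proto, name, product, version), ...]} for live hosts' open ports."""
    report = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # skip hosts that are down or have no IPv4 address
        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are not exposed services
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            services.append((int(port.get("portid")), port.get("protocol"),
                             attrs.get("name", ""), attrs.get("product", ""),
                             attrs.get("version", "")))
        report[addr.get("addr")] = sorted(services)
    return report

def find_service(report, keyword):
    """(ip, port) pairs whose service name or product contains keyword, case-insensitively."""
    kw = keyword.lower()
    return [(ip, port) for ip, services in report.items()
            for port, _proto, name, product, _ver in services
            if kw in f"{name} {product}".lower()]

if __name__ == "__main__":
    report = parse_nmap_xml(SAMPLE_XML)
    for ip, services in report.items():
        for port, proto, name, product, version in services:
            print(f"{ip}:{port}/{proto}  {name}  {product} {version}".rstrip())
    print("Tomcat hosts:", find_service(report, "tomcat"))
```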


This example, the module named 'Tomcat Application Manager Login Utility', is provided by Matteo Cantoni and jduck, and tests credentials against a Tomcat application.

Figure 4.10 – Select Exploit

Setting up the exploit includes: entering the “use” command with the module's path, setting RHOSTS to the host that will be exploited (in this case 192.168.56.101), setting RPORT (in this case 8180) and entering the “exploit” command, as shown in Figure 4.10.

The result is a long list of username/password attempts. Figure 4.11 shows a viable username/password pair.

Figure 4.11 – Found successful login

Now that a working username/password pair has been found, an exploit can be set up to send a payload.


4.3 Payloads

Metasploit contains many different types of payloads, each serving a unique role within the framework. Let's take a brief look at the various types of payloads available and get an idea of when each type should be used.

Inline (Non Staged)

A single payload containing the exploit and full shell code for the selected task. Inline payloads are by design more stable than their counterparts because they contain everything all in one. However, some exploits won't support the resulting size of these payloads.

Staged

Stager payloads work in conjunction with stage payloads in order to perform a specific task. A stager establishes a communication channel between the attacker and the victim and reads in a stage payload to execute on the remote host.

Meterpreter

Meterpreter, the short form of Meta-Interpreter, is an advanced, multi-faceted payload that operates via DLL injection. Meterpreter resides completely in the memory of the remote host and leaves no traces on the hard drive, making it very difficult to detect with conventional forensic techniques. Scripts and plugins can be loaded and unloaded dynamically as required, and Meterpreter development is very active and constantly evolving.

PassiveX

PassiveX is a payload that can help in circumventing restrictive outbound firewalls. It does this by using an ActiveX control to create a hidden instance of Internet Explorer. Using the new ActiveX control, it communicates with the attacker via HTTP requests and responses.

NoNX

The NX (No eXecute) bit is a feature built into some CPUs to prevent code from executing in certain areas of memory. In Windows, NX is implemented as Data Execution Prevention (DEP). The Metasploit NoNX payloads are designed to circumvent DEP.

Ord

Ordinal payloads are Windows stager-based payloads that have distinct advantages and disadvantages. The advantages are that they work on every flavor and language of Windows dating back to Windows 9x without the explicit definition of a return address, and they are extremely tiny. However, two very specific disadvantages make them not the default choice. The first is that they rely on ws2_32.dll being loaded in the process being exploited before exploitation. The second is that they are a bit less stable than the other stagers.

IPv6

The Metasploit IPv6 payloads, as the name indicates, are built to function over IPv6 networks.

As soon as valid credentials have been found, jduck's Tomcat Manager Application Deployer (tomcat_mgr_deploy) can be used against the target, as shown in Figure 4.12.


Figure 4.12 – Setting up tomcat_mgr_deploy

Once these settings have been entered correctly, a payload can be set and the exploit run. In order to find a valid payload one can use the command show payloads, as presented in Figure 4.13.

Figure 4.13 – Valid Payloads

Since Apache Tomcat is using a JSP engine, the best payload to use is java/shell/bind_tcp, which opens a connection to Metasploitable and gives control of its shell. The respective command to set a payload is ‘set PAYLOAD java/shell/bind_tcp’, followed by exploit, as shown in Figure 4.14.

Figure 4.14 – Successful payload delivery

After this, control of the shell of the target is possible, as shown in Figure 4.15.

Figure 4.15 – ls command on remote shell
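From the defender's side, the credential brute force in Section 4.2 and the manager deploy in Section 4.3 both leave traces in Tomcat's access log: a run of 401 responses against /manager from one source, then a 2xx and a deploy-style request. The following Python script, added here and not part of the original report, flags exactly that pattern; the log lines, the threshold and the deploy endpoints it matches (/manager/deploy, /manager/text/deploy, /manager/html/upload) are assumptions, not values taken from the project.

```python
"""Flag Tomcat Manager brute-force logins and follow-on deploys in access-log lines."""
import re
from collections import defaultdict

# Common Log Format with request line, as Tomcat's AccessLogValve writes it
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

LOGIN_THRESHOLD = 5  # 401s from one source against /manager before alerting
# Manager endpoints that install a new application (assumed, not from the report)
DEPLOY_PREFIXES = ("/manager/deploy", "/manager/text/deploy", "/manager/html/upload")

# Constructed sample: a brute force from 192.168.56.1 that succeeds on the
# seventh request and then deploys an application, plus one legitimate admin request.
SAMPLE_LOG = [
    '192.168.56.1 - - [20/Nov/2011:14:03:11 -0500] "GET /manager/html HTTP/1.1" 401 2473',
    '192.168.56.1 - - [20/Nov/2011:14:03:11 -0500] "GET /manager/html HTTP/1.1" 401 2473',
    '192.168.56.1 - - [20/Nov/2011:14:03:12 -0500] "GET /manager/html HTTP/1.1" 401 2473',
    '192.168.56.1 - - [20/Nov/2011:14:03:12 -0500] "GET /manager/html HTTP/1.1" 401 2473',
    '192.168.56.1 - - [20/Nov/2011:14:03:13 -0500] "GET /manager/html HTTP/1.1" 401 2473',
    '192.168.56.1 - - [20/Nov/2011:14:03:13 -0500] "GET /manager/html HTTP/1.1" 401 2473',
    '192.168.56.1 - tomcat [20/Nov/2011:14:03:14 -0500] "GET /manager/html HTTP/1.1" 200 19810',
    '192.168.56.1 - tomcat [20/Nov/2011:14:03:20 -0500] "PUT /manager/deploy?path=/example HTTP/1.1" 200 62',
    '192.168.56.50 - admin [20/Nov/2011:14:10:02 -0500] "GET /manager/html HTTP/1.1" 200 19810',
]

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def analyze(lines):
    """Return {source_ip: finding} for sources that brute-forced or deployed."""
    failed = defaultdict(int)      # 401 count per source on /manager
    succeeded = set()              # sources that later got a 2xx on /manager
    deployed = defaultdict(list)   # deploy-style request paths per source
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/manager"):
            continue
        src = rec["src"]
        if rec["status"] == 401:
            failed[src] += 1
        elif 200 <= rec["status"] < 300:
            succeeded.add(src)
            if rec["path"].startswith(DEPLOY_PREFIXES):
                deployed[src].append(rec["path"])
    findings = {}
    for src, count in failed.items():
        if count >= LOGIN_THRESHOLD:
            findings[src] = {"brute_force": count, "login_succeeded": src in succeeded}
    for src, paths in deployed.items():
        findings.setdefault(src, {})["deploys"] = paths
    return findings

if __name__ == "__main__":
    for src, finding in analyze(SAMPLE_LOG).items():
        print(src, finding)
```

On a real server the same logic can be pointed at the AccessLogValve file; Basic-auth failures show as 401 with "-" in the user field, so the count stays meaningful even when the attacker never authenticates.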


4.4 FGCU Computer Science Lab Network Penetration Test

After the virtual test environment has been successfully exploited, Armitage can be used to scan for and locate vulnerabilities on the FGCU Computer Science Lab network, using the designated lab computer in that lab to conduct the scan. The lab computer must be on the FGCU Computer Science Lab network so that the main FGCU network is excluded. The IP address used for the designated lab computer is 69.88.163.15.

To start Armitage on the FGCU lab computer, go to Start -> Metasploit -> Framework -> Armitage, as shown in Figure 4.16.

Figure 4.16 – Location of Armitage on Lab Computer

When Armitage starts, a prompt appears as shown in Figure 4.17; click Connect.


Figure 4.17 – Connect screen for Armitage

Once Armitage is running, go to Hosts -> Nmap Scan -> Quick Scan, as shown in Figure 4.18.

Figure 4.18 – Quick Scan


Then enter the IP range to scan. This example uses the CS network 69.88.163.0/24. Then click OK, as shown in Figure 4.19.

Figure 4.19 – Scan range.

Once the scan is completed, the discovered targets appear in the upper part of the console together with their IP addresses, as shown in Figure 4.20. One can dig down into each individual target by right clicking it and clicking Scan. This runs a multitude of scans on the individual target and shows what is running on the open ports. If there are open ports, it also shows what type of operating system the target is running. If there are no open ports, or Armitage cannot gather enough information about the target, the icon for the target remains blank; otherwise it shows a Windows symbol for Windows targets and a Tux penguin for Linux targets.

Figure 4.20 – After a scan of the network.

There are two ways to initiate attacks. One is by going to Attacks -> Find Attacks. This produces a list of attacks per target, which can be accessed by right clicking the target and going to the Attacks menu item in the drop down, as shown in Figure 4.21. The other is a Hail Mary, shown in Figure 4.22. The Hail Mary generates a list of all possible exploits that pertain to the current network setup and then executes each exploit one by one until a vulnerability is found.


Figure 4.21 – Attack menu of one of the targets.

Figure 4.22 – A Hail Mary attempt.


In Figure 4.22 the Hail Mary attempt yielded no vulnerabilities on the network: it tried all of the exploits and no sessions were created. Had a session been created, it would be a sign that one of the exploits completed correctly. Even though this attempt is not the most in-depth scan for vulnerabilities, each target can also be checked individually in the Attacks drop down menu. This network yielded no vulnerabilities that Metasploit and Armitage could find.

4.5 Using Armitage with Metasploitable

Another example is to use the Metasploitable virtual machine in order to replicate the attempt on the Tomcat web server. A quick scan can be done for the virtual network by using 192.168.56.0/24. Figures 4.23 and 4.24 show this process.

Figure 4.23 – Quick Scan (OS Detect)


Figure 4.24 – Entering the IP range for the virtual network. Click OK.

Once the scan is completed, the Metasploitable virtual machine, which is 192.168.56.102, shows under the targets screen along with the machine that the scan was run from. Figure 4.25 shows the two machines in the targets screen.


Figure 4.25 – Local machine and Metasploitable virtual machine

Right clicking the Metasploitable machine yields the drop down menu shown in Figure 4.26. The menu includes Login, Services, Scan and Host. Since no intensive scan has been done on this machine, one needs to be run: in the drop down menu select Scan.

Figure 4.26 – Drop down menu options for this machine. Select Scan.

Once the scan has finished, one can see which services this machine is running by selecting the Services option from the drop down shown in Figure 4.26. This opens a new tab in the console section of Armitage with a list of the services currently running. Figure 4.27 shows this tab.


Figure 4.27 – Services tab for Metasploitable machine

The list in Figure 4.27 shows all of the open ports on the Metasploitable machine. In order to see which attacks can be used, one must first run Find Attacks. Figures 4.28 and 4.29 show how this is done.

Figure 4.28 – Select Attacks, then Find Attacks.

Figure 4.29 – After the analysis is complete, click OK.


Armitage has provided a list of attacks that can now be accessed by right clicking the Metasploitable machine, as shown in Figure 4.30. Entries in this list can be launched immediately, or auxiliary scans can be run before them. Such is the case with tomcat_mgr_deploy: this exploit will not work without a user name and password entered in its options, so a valid user name and password pair must be found first. The tomcat_mgr_login auxiliary module is used for brute forcing log-in attempts until a successful log-in is found.

Figure 4.30 – Attack list showing available exploits.

To search for this auxiliary scan, one can use the exploit database on the left hand side of Armitage. Figure 4.31 shows how to use this search feature to find tomcat_mgr_login.


Figure 4.31 – Type tomcat into the search and hit enter.

Double clicking the tomcat_mgr_login scanner brings up an options window. This window is used for managing the module's individual options and, once these are all set, for launching it. Figure 4.27 shows the services currently running on the Metasploitable virtual machine; the Tomcat server is running on port 8180. This matters because the port needs to be set correctly in the options. Figure 4.32 shows how the options window looks.


Figure 4.32 – Set the correct port and then click Launch.

The tomcat_mgr_login scanner runs and detects the user name and password combination tomcat/tomcat as a valid login. This is then used in the attack itself. Following Figure 4.30, select tomcat_mgr_deploy and once again set the correct settings for username, password and port, as shown in Figure 4.33.


Figure 4.33 – Set the Username, password and port. Then click Launch

Once the exploit finishes running successfully, the Metasploitable machine's icon in the target section of Armitage turns red and lightning bolts surround it. A new drop down menu item called Meterpreter also becomes available, which is used to gain access to the machine. Figures 4.33 and 4.34 show this change in icon and the new drop down option.

Figure 4.33 – Exploited Metasploitable machine.


Figure 4.34 – Meterpreter session opened, showing explore options.

Once the session has been opened, one can browse files on the remote machine, show the processes, take a screenshot if applicable or even access a web cam on the machine to take a picture. Clicking on Post Modules shows other payloads that can be delivered with the current session. These appear on the left hand side of Armitage under the module database section. Figure 4.35 shows the list for this particular machine.

Other options include interacting with the machine through a shell, and pivoting, which lets the user make this machine a pivot point of access into the network. With multiple machines on the network, this would allow the user to attempt to use the privileges currently obtained in order to gain access to other machines.


Figure 4.35 – List of post modules for Metasploitable machine.


5. Conclusion

The Metasploit Framework is a useful tool for checking vulnerabilities on a network. It works quite well with Armitage when used on Rapid7's Metasploitable virtual machine. However, a real-world test was unsuccessful when Armitage and Metasploit were used on the FGCU Computer Science Lab network. The assumption is that there are no known vulnerabilities on this network.

The virtualized test with Metasploitable and Armitage was a success. This was a test that was expected to work and was only used to show the capabilities of Metasploit used in unison with Armitage. Its success shows that the frameworks work together and that future attempts may follow this project in order to enhance the functionality of exploits.

The ability to keep track of information found by the Metasploit Framework is not available in the free version used in this project. However, a commercial version is available that has an extensive database to store previously found exploits and vulnerabilities for the tester to refer back to. An excellent addition to this project would be to use these tools to further detect currently unseen and untested vulnerabilities. The commercial version can be found on Rapid7's Metasploit website. Activation is done through email and purchase can be done online. [4]


6. References

[1] Metasploit, September 2011. URL: http://www.metasploit.com/

[2] VirtualBox, September 2011. URL: http://www.virtualbox.org/

[3] VirtualBox Downloads, September 2011. URL: http://www.virtualbox.org/wiki/Downloads/

[4] Metasploit, September 2011. URL: http://www.metasploit.com/download/

[5] D. Maynor, K.K. Mookhey, Metasploit Toolkit: For Penetration Testing, Exploit Development, and Vulnerability Research, Syngress Publishing, Inc., Burlington, MA, 2007.

[6] D. Kennedy, J. O'Gorman, D. Kearns, and M. Aharoni, Metasploit: The Penetration Tester's Guide, No Starch Press, Inc., San Francisco, CA, 2011.

[7] Metasploitable Image, September 2011. URL: http://updates.metasploit.com/data/Metasploitable.zip.torrent

[8] Ultimate LAMP Image, September 2011. URL: http://ronaldbradford.com/tmp/UltimateLAMP-0.2.zip

[9] Ubuntu 11.10 Image, September 2011. URL: http://www.ubuntu.com/start-download?distro=desktop&bits=32&release=latest

[10] Armitage, November 2011. URL: http://www.fastandeasyhacking.com