08 More Sessions

Metasploit Pro Added to the PWB Labs

We are very happy to announce that our Penetration Testing with BackTrack online labs now include installations of Metasploit Pro. Deep within our lab network, students who Try Harder™ will encounter credentials for these installations that will allow them to enjoy the use of a tool that simplifies many of the tasks that they had to perform manually.

We wanted to take this opportunity to showcase a small sampling of the features available in Metasploit Pro and to perhaps provide a little more incentive to our students to penetrate deeper into the PWB labs

Upon first connecting to MSF Pro and creating a new project, we want to perform reconnaissance on our target and perform a port scan. In this case, we are scanning a single external host.

One of the excellent time-saving features of MSF Pro is that we can conduct concurrent activity so once a scan, exploit, or audit has been launched, we can proceed to do other activities rather than waiting for each step to finish. Since we know that our initial target does not have any known remotely-exploitable vulnerabilities, we set up a social engineering campaign to create an executable payload that the victim will need to launch in order for us to receive our initial foothold in the network.

Very shortly after our target runs our executable, we are presented with a new session on the Sessions tab complete with a nice layout including the session type and how the system was exploited.

Selecting any active sessions, we can even interact with it via a command shell. This enables us to run commands of our choosing such as determining if there are other attached networks as shown in the output of the dual-homed host below.

In addition to being able to interact with a shell, there are also options within our session to browse the victim file system, search for files, collect system data such as password hashes, and more.

One of the most publicized features, and rightly so, is the VPN pivot functionality. As we saw previously, our initially compromised host was dual-homed so creating a VPN pivot allows us to interact with targets deeper in the internal network. The VPN pivot creates a new interface on our host system that lets us run whatever tools we like through the pivot.

root@bt:~# ifconfig tap0
tap0      Link encap:Ethernet  HWaddr 00:0c:29:5d:59:6c
inet addr:10.1.13.246  Bcast:10.1.13.255  Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST  MTU:1514  Metric:1
RX packets:9 errors:0 dropped:0 overruns:0 frame:0
TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:1544 (1.5 KB)  TX bytes:146 (146.0 B)

root@bt:~#

After running an Nmap scan against the internal network and importing it via the Metasploit Pro interface, we are now able to get a better idea of what lies behind our initial foothold.

The Linux system on the inside network is running a number of services so we start brute-forcing logons before taking any further actions against the Windows systems.

Since we collected the system hashes from the perimeter system, we can use the psexec Metasploit exploit module to attempt to take advantage of password re-use throughout the internal network.

Our psexec attack delivers even more sessions to us and while it was running, our brute-force logon attack was also successful against the Linux system

While sessions are exciting, they are essentially a standard component of exploit frameworks. Where Metasploit Pro really stands out from the open-source framework is in its reporting functionality. In our Pentesting with BackTrack course, it is frequently emphasized to students the need for proper documentation and MSF Pro reflects this important business requirement with a number of different reporting templates.

This is just a subset of features demonstrated against a small subset of our lab systems. Our students have a far more target-rich environment where they will be able to leverage Metasploit Pro to its true potential.

On a more personal note, like many people, I was a little uncertain when hearing about the acquisition of Metasploit by Rapid7 but they have demonstrated that they are dedicated to keeping the open-source version of Metasploit alive and well and Metasploit Pro is clearly an excellent product. From the ability to import multiple external file formats to the VPN pivoting to the wide range of reporting options, MSF Pro will be a great timesaver for those who choose to use it as their penetration testing tool of choice.