Metasploit Pro Added to the PWB Labs

Metasploit Pro Added to the PWB Labs

Since July 2016, this has been removed from our PWK labs.

We are very happy to announce that our Penetration Testing with BackTrack online labs now include installations of Metasploit Pro. Deep within our lab network, students who Try Harder™ will encounter credentials for these installations that will allow them to enjoy the use of a tool that simplifies many of the tasks that they had to perform manually.

We wanted to take this opportunity to showcase a small sampling of the features available in Metasploit Pro and to perhaps provide a little more incentive to our students to penetrate deeper into the PWB labs

Upon first connecting to MSF Pro and creating a new project, we want to perform reconnaissance on our target and perform a port scan. In this case, we are scanning a single external host.

01_scan_host

One of the excellent time-saving features of MSF Pro is that we can conduct concurrent activity so once a scan, exploit, or audit has been launched, we can proceed to do other activities rather than waiting for each step to finish. Since we know that our initial target does not have any known remotely-exploitable vulnerabilities, we set up a social engineering campaign to create an executable payload that the victim will need to launch in order for us to receive our initial foothold in the network.

02_campaign_setup

Very shortly after our target runs our executable, we are presented with a new session on the Sessions tab complete with a nice layout including the session type and how the system was exploited.

03_session_delivered

Selecting any active sessions, we can even interact with it via a command shell. This enables us to run commands of our choosing such as determining if there are other attached networks as shown in the output of the dual-homed host below.

03a_shell_on_pivot

In addition to being able to interact with a shell, there are also options within our session to browse the victim file system, search for files, collect system data such as password hashes, and more.

04_session_details

One of the most publicized features, and rightly so, is the VPN pivot functionality. As we saw previously, our initially compromised host was dual-homed so creating a VPN pivot allows us to interact with targets deeper in the internal network. The VPN pivot creates a new interface on our host system that lets us run whatever tools we like through the pivot.

root@bt:~# ifconfig tap0
tap0 Link encap:Ethernet HWaddr 00:0c:29:5d:59:6c
inet addr:10.1.13.246 Bcast:10.1.13.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1514 Metric:1
RX packets:9 errors:0 dropped:0 overruns:0 frame:0
TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:1544 (1.5 KB) TX bytes:146 (146.0 B)

root@bt:~#

After running an Nmap scan against the internal network and importing it via the Metasploit Pro interface, we are now able to get a better idea of what lies behind our initial foothold.

05_inside_hosts

The Linux system on the inside network is running a number of services so we start brute-forcing logons before taking any further actions against the Windows systems.

06_bruteforce_config

Since we collected the system hashes from the perimeter system, we can use the psexec Metasploit exploit module to attempt to take advantage of password re-use throughout the internal network.

07_psexec_config

Our psexec attack delivers even more sessions to us and while it was running, our brute-force logon attack was also successful against the Linux system

08_more_sessions

While sessions are exciting, they are essentially a standard component of exploit frameworks. Where Metasploit Pro really stands out from the open-source framework is in its reporting functionality. In our Pentesting with BackTrack course, it is frequently emphasized to students the need for proper documentation and MSF Pro reflects this important business requirement with a number of different reporting templates.

09_exec_summary

This is just a subset of features demonstrated against a small subset of our lab systems. Our students have a far more target-rich environment where they will be able to leverage Metasploit Pro to its true potential.

pwb_dashboard

On a more personal note, like many people, I was a little uncertain when hearing about the acquisition of Metasploit by Rapid7 but they have demonstrated that they are dedicated to keeping the open-source version of Metasploit alive and well and Metasploit Pro is clearly an excellent product. From the ability to import multiple external file formats to the VPN pivoting to the wide range of reporting options, MSF Pro will be a great timesaver for those who choose to use it as their penetration testing tool of choice.

 

Since July 2016, this has been removed from our PWK labs.