Red Team 102: Understanding Metasploit

By Tom Skeen

Welcome back to our series on red teams! Here, we’re explaining the tools and concepts behind the in-house organizations designed to test a company’s defenses. We started by introducing Kali Linux, a foundational operating system for penetration testing.

Let’s say you’ve rounded up two or more red team candidates, given them laptops, and configured a copy of Kali Linux for each of them. You’re off to a good start! Now it’s time to start using the tools contained therein – of which Metasploit is one of the most important.

For context, the Metasploit Project is itself an open-source library of exploit commands and applications. It is primarily known for a singular application – the Metasploit Framework. This program can help attackers and penetration testers automatically generate malicious code to exploit vulnerable websites and applications. Here’s how to get started:

Your First Attack Using Metasploit Framework

When you first use Metasploit, you’ll realize that hacking tools can give relatively unskilled users the power to literally dial in powerful attacks. Mechanically, the Metasploit Framework works like this:

  • Identify the Target
    Reconnaissance is an important part of any penetration test. You need to identify the system that you’re attacking to understand whether it has any vulnerabilities. Metasploit has some reconnaissance capabilities built in. For example, it can find open ports using either a TCP, SYN, or XMAS scan. You can even perform a scan using server message block (SMB), which is much quieter than a traditional port scan. These scans should find you the operating systems and version numbers of the endpoints you’re trying to attack.

  • Identify Vulnerabilities
    Once you have the version number of the machines you’re attacking, your next step is to find a bug that affects that version number, alongside a matching exploit. The Metasploit Framework makes this process almost as simple as using Google – just plug in the operating system and version number and watch Metasploit pull up a list of malicious code.

  • Find Even More Vulnerabilities
    Let’s say that Metasploit didn’t immediately spit out a vulnerability for you to use. Your target isn’t out of the woods yet. You have additional tools – such as a VNC scanner that finds any servers without any authentication set up. If you happen to have found a username or password, you can use a different SMB search to find the endpoint that the authentication belongs to.

  • Make it Easy
    Let’s say you’re in a hurry. You can do a complete vulnerability scan that incorporates many of the techniques above using a single command: WMAP. All you need to do is plug in your target URL, refine your test methods, and wait. Since this is a vulnerability scan, you are more likely to encounter inaccurate results, but it’s still among the easiest ways to get started.

  • Exploit Away
    So, now you’ve finally found a vulnerability that’s exploitable. What’s next? Metasploit makes this easy too. Let’s say you’ve identified a server with a vulnerable operating system. Step two is to find a list of payloads that fit the vulnerability. Step three is to select the payload you want and type EXPLOIT to have it sent to your target. If you’ve done everything right, you will now have a remote command shell on your target.

The above is simply a basic list of what’s possible with Metasploit. Power users have access to plenty of additional features, such as the ability to generate custom payloads or obfuscate their attacks from antivirus platforms. With that being said, even a relative neophyte has a great deal of power when using this tool.

Safe-T Mitigates Metasploit

One of the advantages of Metasploit is that it’s simple to use, both for attackers and pen testers alike. This may not seem like an advantage at the outset – it makes it easier for low-skill attackers to generate sophisticated attacks! – but hear us out.

So many attacks are generated with Metasploit nowadays that if you manage to harden your network against Metasploit attacks, you’ll end up thwarting a majority of script kiddies. This leaves you free to focus your efforts on defending against real dangers. Most importantly of all, Safe-T can defend you against both script kiddies and APTs alike.

Once again, the most important phase of any attack is reconnaissance. The first step of every attack with Metasploit is to find your network and identify what operating systems it’s running. If they don’t have that, then your attackers don’t have anything else. Among other things, this capability is what Safe-T takes away – our solution obfuscates your network from traditional reconnaissance, screening out all but the most dedicated attackers. For more information, contact Safe-T today!
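As an added, defender-side example (not code from this post, from Safe-T, or from the Metasploit project), the script below runs a simple scan detector over constructed connection-log lines. It covers both the reconnaissance step described earlier (TCP, SYN and XMAS scans) and the point made here that denying reconnaissance is the cheapest place to stop this class of attacker: it flags XMAS packets by their flag combination, and SYN and full-connect sweeps by how many distinct ports one source touches on one host within a time window. The log format, the threshold, the window length and the sample addresses are all assumptions made for the example. It also demonstrates the caveat a practitioner would want to know about: a scan paced slower than the window slips under a per-window threshold and needs longer-term correlation.

```python
"""Port-scan detection over constructed connection logs (added example).

Log format is an assumed, simplified one, one packet per line:
    "<unix_ts> <src_ip> <dst_ip> <dst_port> <tcp_flags>"
with tcp_flags a string of letters from S (SYN) A (ACK) F (FIN) P (PSH)
U (URG) R (RST).
"""
from collections import Counter, defaultdict

# Constructed sample: a normal HTTPS session (10.0.0.5), a SYN sweep (10.0.0.9),
# an XMAS sweep (10.0.0.13), a full-connect sweep (10.0.0.17) and a slow
# sweep (10.0.0.21) paced 300 s apart, which a 60 s window will not catch.
SAMPLE_LOG = """\
1700000001 10.0.0.5  10.0.0.20 443 S
1700000001 10.0.0.5  10.0.0.20 443 A
1700000002 10.0.0.5  10.0.0.20 443 PA
1700000010 10.0.0.9  10.0.0.20 21 S
1700000010 10.0.0.9  10.0.0.20 22 S
1700000011 10.0.0.9  10.0.0.20 23 S
1700000011 10.0.0.9  10.0.0.20 25 S
1700000012 10.0.0.9  10.0.0.20 80 S
1700000012 10.0.0.9  10.0.0.20 443 S
1700000013 10.0.0.9  10.0.0.20 8080 S
1700000020 10.0.0.13 10.0.0.20 22 FPU
1700000020 10.0.0.13 10.0.0.20 80 FPU
1700000021 10.0.0.13 10.0.0.20 139 FPU
1700000030 10.0.0.17 10.0.0.20 135 S
1700000030 10.0.0.17 10.0.0.20 135 A
1700000030 10.0.0.17 10.0.0.20 139 S
1700000030 10.0.0.17 10.0.0.20 139 A
1700000031 10.0.0.17 10.0.0.20 445 S
1700000031 10.0.0.17 10.0.0.20 445 A
1700000031 10.0.0.17 10.0.0.20 3389 S
1700000031 10.0.0.17 10.0.0.20 3389 A
1700000032 10.0.0.17 10.0.0.20 5985 S
1700000032 10.0.0.17 10.0.0.20 5985 A
1700000100 10.0.0.21 10.0.0.20 21 S
1700000400 10.0.0.21 10.0.0.20 22 S
1700000700 10.0.0.21 10.0.0.20 23 S
1700001000 10.0.0.21 10.0.0.20 25 S
1700001300 10.0.0.21 10.0.0.20 80 S
1700001600 10.0.0.21 10.0.0.20 443 S
"""

XMAS_FLAGS = frozenset("FPU")
PORT_FANOUT_THRESHOLD = 5   # assumed: distinct ports per (src, dst) in one window
WINDOW_SECONDS = 60         # assumed correlation window


def parse_line(line):
    ts, src, dst, dport, flags = line.split()
    return int(ts), src, dst, int(dport), frozenset(flags)


def is_xmas(flags):
    """FIN+PSH+URG with neither SYN nor ACK: no normal TCP stack sends this."""
    return XMAS_FLAGS <= flags and not (flags & {"S", "A"})


def max_port_fanout(pkts, window=WINDOW_SECONDS):
    """Most distinct destination ports one (src, dst) pair touches inside
    any window-second span. pkts must be sorted by timestamp."""
    live = Counter()
    left = best = 0
    for ts, dport, _ in pkts:
        live[dport] += 1
        while ts - pkts[left][0] > window:   # slide the window forward
            old = pkts[left][1]
            live[old] -= 1
            if live[old] == 0:
                del live[old]
            left += 1
        best = max(best, len(live))
    return best


def detect_scans(log_text, threshold=PORT_FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return one alert dict per (src, dst) pair that looks like a scan."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, src, dst, dport, flags = parse_line(line)
        by_pair[(src, dst)].append((ts, dport, flags))

    alerts = []
    for (src, dst), pkts in sorted(by_pair.items()):
        pkts.sort(key=lambda p: p[0])
        xmas_ports = sorted({p for _, p, f in pkts if is_xmas(f)})
        if xmas_ports:   # a single XMAS packet is already anomalous
            alerts.append({"src": src, "dst": dst, "kind": "xmas", "ports": xmas_ports})
            continue
        if max_port_fanout(pkts, window) < threshold:
            continue
        # A SYN scan never finishes the handshake, so the source never ACKs;
        # a connect() sweep does.
        completed = any("A" in f for _, _, f in pkts)
        alerts.append({"src": src, "dst": dst,
                       "kind": "connect" if completed else "syn",
                       "ports": sorted({p for _, p, _ in pkts})})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(f"{alert['kind']:8} {alert['src']} -> {alert['dst']} ports={alert['ports']}")
```

Run as-is, it reports the XMAS, connect and SYN sweeps and stays silent on the normal HTTPS session; 10.0.0.21 also produces nothing, because six ports spread over 25 minutes never exceed one port per 60-second window. That silence is the design point: a threshold-per-window detector needs a longer-lived per-source counter (or lower fan-out over a much wider window) to catch slow reconnaissance, which is exactly the kind of tuning a defender trades against false positives.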