Gaining Access
An exploit is a program that takes advantage of a vulnerability on a device. Exploits can be either remote or client-side. A remote exploit focuses on services running on the network-connected machines you have decided to target. A client-side exploit takes advantage of a vulnerability in software installed on a computer system. Some software packages have a reputation for remaining vulnerable even after you patch them. I have experienced the frustration of patching systems, running a vulnerability scan, and then finding that the patch I just applied has a vulnerability of its own.
If you look at the data your first scan retrieved by navigating to the Overview page, you will see there are four quadrants. So far, I have done only a discovery scan to try to figure out what is running on my network. As you see in Figure 10.10, the initial scan returned 7 hosts and 26 services with 0 vulnerabilities and 0 applicable modules identified. Let's dig deeper into this example.
If you click the number next to the hosts identified, you will open a detailed list showing the IP address of each asset followed by a possible hostname. It includes information such as the operating system, purpose, and services running. For a Metasploit user, the last column is the most important: What is the current host status of these devices? The status can be scanned, shelled, looted, or cracked, and it changes depending on the last action successfully performed on that asset.
- Scanned—A discovery scan or import was completed.
- Shelled—A session was opened.
- Looted—Data, files, hashes, or screenshots were collected.
- Cracked—The password was cracked and is now available in plain text.
Next to Hosts on your project page, you have the Notes tab that tells you the type of data that was retrieved on each asset. The Services tab lists the name and protocol, port number, and current state of each service. The Vulnerabilities tab may populate this project with a few vulnerabilities found during the discovery scan that are considered low-hanging fruit because they can be easily exploited. The Applicable Modules tab lists the Metasploit modules that are possible avenues of exploitation. Captured data will help you build a report on what was found in the environment during the discovery and future scans of the selected IP address range. With the paid version, Network Topology will draw a picture of the environment like Zenmap. Zenmap is the GUI Nmap tool that was used in Chapter 3.
Now that you have all this information about the network, the big question is, “What's next?” If you are interested in pursuing a client‐side or remote exploit, you will have to investigate which module is best for you to attempt. This is the stage of a penetration test where patience is a virtue. Go to the Modules tab at the top of your project and go down to the Search field.
From the Search Modules dialog box, it is easy to query the operating system or ports. The exploits that have been written for specific vulnerabilities will be ranked by which has the best chance of working. For example, as you see in Figure 10.11, in my environment, I have added an old legacy laser jet printer on my home network that has port 23 open. Port 23 is telnet. Telnet is a network protocol that allows you to log into another device if it is on the same network. Telnet is hardly used anymore since it is totally lacking in security, but it can still be used if you want to send your credentials in clear text. In my opinion, it's a vulnerability, and it's only on my network temporarily so that I can show you how this works.
It may take a little research on Metasploit forums, but you can look for a Metasploit module that may work well to compromise port 23 on a laser printer. This is how you start building your repertoire with this tool. As you can see in Figure 10.12, I have searched for laser jet. I could have easily searched for telnet or port 23 to see a list of possible options. After I searched for a specific topic, I used the Module Ranking column to sort the modules that have a higher ranking, as shown in Figure 10.12. Now the process of using different modules against different vulnerabilities becomes trial and error.
My personal strategy is to open the higher ranking modules—because at this point, I'm just trying to gain access or get a foothold in the network. By opening the link to the module, you get a detailed description of exactly what the exploit will be doing and possible options to configure the module. These modules were created by subject-matter experts and configured for general best practice. I will try them out of the box first, and then if I have an idea for reconfiguring, I will try different parameters. As you see in Figure 10.13, there is an HP LaserJet Printer SNMP Enumeration module that allows you to possibly enumerate previously printed files. I know that the IP address of the asset in my environment is 192.168.1.93.
As you can see in Figure 10.14 , in less than 5 seconds, the connection was refused and forcibly closed. It's time to move to the next most applicable module.
Another strategy is to search for operating systems you know exist on your network and, rather than sort by ranking, sort them by date. What are the odds that everything in your network has the newest patches delivered to it on a schedule? Here you are counting on security administrators being incredibly busy and not getting the newest and latest upgrades and patches on their machines in a timely way. Another strategy is to search the web for the best, most frequently used Metasploit modules. In Figure 10.15 , you see the exploits displayed by date when searched for a specific platform.
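The two triage strategies just described (sort applicable modules by ranking, or by disclosure date against how recently a host was patched) can be modelled in a few lines. The following is an added example, not code from the book or from Metasploit; the module names, hosts and dates are constructed, and only the numeric ranking scale (Manual 0 through Excellent 600) is Metasploit's own. A defender can run the same logic over a services export to see which exposure windows to close first, and the telnet check flags the clear-text login service from the printer example.

```python
from dataclasses import dataclass
from datetime import date

# Metasploit's numeric module ranking scale (ManualRanking .. ExcellentRanking).
RANK = {"manual": 0, "low": 100, "average": 200, "normal": 300,
        "good": 400, "great": 500, "excellent": 600}

@dataclass(frozen=True)
class Module:
    name: str        # constructed placeholder name, not a real module path
    rank: str        # one of RANK's keys
    platform: str    # platform the module targets
    port: int        # service port the module talks to
    disclosed: date  # vulnerability disclosure date

@dataclass(frozen=True)
class Host:
    ip: str
    platform: str
    open_ports: frozenset
    last_patched: date  # constructed: when the asset last received patches

def applicable(host, modules):
    """Modules whose platform and port match a service the host exposes."""
    return [m for m in modules
            if m.platform == host.platform and m.port in host.open_ports]

def by_rank(host, modules):
    """First strategy: highest-ranked applicable modules first."""
    return sorted(applicable(host, modules), key=lambda m: RANK[m.rank], reverse=True)

def unpatched_window(host, modules):
    """Second strategy: newest first, keeping only modules whose vulnerability was
    disclosed after the host was last patched, i.e. the defender's exposure window."""
    recent = [m for m in applicable(host, modules) if m.disclosed > host.last_patched]
    return sorted(recent, key=lambda m: m.disclosed, reverse=True)

def cleartext_logins(host):
    """Ports carrying credentials in clear text; the chapter calls out telnet (23)."""
    return sorted(p for p in host.open_ports if p == 23)

# Constructed sample inventory: the chapter's printer plus a Windows workstation.
PRINTER = Host("192.168.1.93", "printer", frozenset({23, 161, 9100}), date(2014, 6, 1))
WORKSTATION = Host("192.168.1.20", "windows", frozenset({445, 3389}), date(2019, 1, 15))
MODULES = [
    Module("example/printer_snmp_enum", "normal", "printer", 161, date(2012, 5, 1)),
    Module("example/printer_telnet_login", "excellent", "printer", 23, date(2016, 2, 10)),
    Module("example/windows_smb_exploit", "great", "windows", 445, date(2019, 6, 1)),
    Module("example/windows_rdp_check", "low", "windows", 3389, date(2018, 1, 1)),
    Module("example/linux_ssh_enum", "good", "linux", 22, date(2017, 1, 1)),
]
```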