CINTI 2014 • 15th IEEE International Symposium on Computational Intelligence and Informatics • 19–21 November, 2014 • Budapest, Hungary

Effective penetration testing with Metasploit

framework and methodologies
Filip Holik, Josef Horalek, Ondrej Marik, Sona Neradova, Stanislav Zitta
Faculty of electrical engineering and informatics
University of Pardubice
Pardubice, Czech Republic
[email protected], [email protected], [email protected], [email protected]

Abstract — Nowadays, information security is very important, On the other hand, danger can be hidden in environments,
because more and more confidential information, like medical where it is not expected at first sight. Consequences of such
reports, is being stored electronically on computer systems and situations can be therefore more fatal – e.g. industry
those systems are often connected to computer networks. This production lines.
represents new challenges for people working in information
technology. They have to ensure that those systems are as much This article outlines what tools and aids can be adopted for
secure as possible and confidential information will not be better and more effective workflow of penetration test
revealed. One possible way how to prove system security is to procedures. At the end of this article, a case study, which
conduct regular penetration tests – e.g. simulate attacker’s demonstrates a penetration test conducted against a network in
malicious activity. This article briefly introduces the basics of pharmaceutical company where automated lines used for
penetration testing and shows how to deploy and use Metasploit production of medicaments reside, is presented.
framework when conducting penetration testing. Finally, a case
study in production environment is shown. S oftware tools and II. M ET HODOLOGIES AND SOFT WARE T OOLS
techniques described in this work are also valid and applicable
One of the aids which can be used is penetration testing
for S CADA systems and moreover in any other field where
methodology. Two common methodologies used for
computer networks are used.
penetration testing are introduced in part A of this chapter. In
Keywords — penetration testing, vulnerability, exploit, Nmap, part B of this chapter the most common tools for penetration
Nessus, OpenVAS, Metasploit testing are described and the most attention is given to
Metasploit framework.

I. INT RODUCT ION A. Methodologies and benefits stemming from their usage
As there are many penetration testing methodologies
Today’s society is often called information society. That
available, it could be sometimes difficult to choose the right
is because people who have the right information have power,
one. The more experienced penetration tester is and the better
and value of some information is immeasurable. If such
knowledge about the tested environment he has, the more
information is stored in a computer system, it somehow must
accurate choice of appropriate methodology he makes. There
be proven that this system is safe and not vulnerable. One way
are plenty of penetration testing methodologies penetration
how to do so is called penetration testing. Although
tester can choose from. Possible representatives of current
penetration testing is an approach to how to increase and
modern penetration testing methodologies are Open Source
strengthen information system security, it definitely does not
Security Testing Methodology Manual created and maintained
prove that the system is completely safe and not prone to
by ISECOM and Open Web Application Security Project.
hacker attacks. Penetration testing is able to detect publicly
Each of abovementioned methodologies is suitable for
known security issues [1] that have been previously revealed
different kinds of penetration tests.
and published.
OWASP project is created and maintained by OWASP
In the quite short history of computers and computer
foundation – it is a non-profit organization and its members
networks, there was plethora of incidents related to security
are inter alia experts from web application development
and computers in general. Although these incidents differ in
industry or software experts. Numerous details about OWASP
impact and level of danger, none of them was insignificant. In
target audience and project targets can be found o n OWASP
publication dealing with basics of hacking and penetration
project webpage [4].
testing [2] one such example of harmful security incident is
noted. Administrator of a medium sized serverfarm was OWASP foundation released numerous publications and
suffering from random server restarts. Problem he was not one of them is A Guide to Building Secure Web Applications
aware of was that the restart is only collateral damage and is and Web Services [5], where what should be done in each
caused by the attacker ending his remote shell session he phase of software development if resulting product targets to
should not have access to, of course. be as much secure as possible can be found. OWASP project
adopted Microsoft’s threat modeling because of its simplicity

978-1-4799-5338-7/14/$31.00 ©2014 IEEE

237
Authorized licensed use limited to: Yildirim Beyazit Univ. Downloaded on October 10,2021 at 17:12:03 UTC from IEEE Xplore. Restrictions apply.
 F. Holik et al. • Effective Penetration Testing with Metasploit Framework and Methodologies

and efficiency. More detailed description of OWASP is out of seen if security of this environment has been improved or has
scope of this article and readers who are interested in this topic deteriorated.
can find more information on OWASP project web page [4] in
The truth is, OSSTMM is quite comprehensive. It takes
OWASP testing guide [7].
considerable amount of time to get familiar with all the details
OSSTMM is another penetration testing methodology. It and new terms defined there. Despite that fact, OSSTMM
was first introduced in 2000 and is maintained in current offers complete guideline for penetration testing to non-
version 3.0 by Institute for Security and Open Methodologies. experienced penetration testers . More information about
This methodology is heavily reputable in penetration testers OSSTMM can be found on [9].
community. This methodology aims to be up to date with
modern software trends and technologies. Therefore it is Both abovementioned methodologies are suitable for
different purposes and penetration tests. Although there has to
updated half-yearly. Although this methodology introduces a
lot of new terminology and theory, its practical outcomes are be some initial effort to understand terms and procedures
defined in methodologies, this effort is often worth the result,
highly valuable. Philosophy of this methodology is as follows:
OSSTMM claims that infrastructure elements interact. especially for testers who have little or no experience with
commercial penetration testing. What needs to be done before
Approach to how to increase security is seen as controlling
and restricting those interactions. This methodology h as the starting penetration test is shown, what a contract should
contain, and what steps need to be taken during the penetration
broadest area of activity. Security is discussed in five areas
test. Some methodologies even give some tips regarding final
here:
reporting. There are often different audiences, thus different
x Physical security, kinds of reports have to be created – more comprehensive for
technical staff and less detailed for managers. Methodologies
x human factor, often contain hints of what each kind of report should contain
x wireless communication, and how it should be structured. Paper by authors Pradini and
Ramili [1] analyses diverse penetration testing methodologies
x telecommunication, more thoroughly and more information can be found there.
x data networks and operating systems. B. Software tools for penetration testing
Like the other two methodologies, this methodology also Some of the methodologies outlined in the preceding
establishes penetration test workflow that helps to better paragraphs often give hints of how to structure a penetration
organize penetration test procedures. Phases of penetration test. Moreover, they often suggest to divide the test into
test, in accordance with OSSTMM, are: phases, where the output from each phase servers as an input
for the next phase. Consequences of such approach are that
x Induction phase, different kinds of tools are suitable for different phases of the
penetration test. The following paragraphs outline and
x interaction phase,
introduce these tools briefly.
x inquest phase,
Different approaches can be taken when choosing what
x intervention phase. toolsets can be used for performing individual phases of the
penetration test. There are plenty of tools and toolsets for
Main tasks of each phase can be easily deducted from its penetration testing and can be used for testing various ty pes of
name, however brief introduction of each phase follows. The products and conducting diverse types of attacks. The
induction phase should clarify time range for penetration test following paragraphs introduce briefly some of these toolsets
and types of tests to be used. The interaction phase determines and discuss what benefits they bring into penetration testing.
which targets are in scope of particular penetration test. The
inquest phase searches and gathers as much data as possible Backtrack is a Linux Debian-based distro. Nowadays, its
about the target systems. And last but not least – the development has been discontinued and is superseded by Kali
intervention phase verifies the functionality of security and Linux, which has the same purpose and way of use. Kali‘s or
alerting mechanisms. Backtrack’s feature is that it can run on tester’s computer
without installation, in so-called live mode. On the other hand,
After the penetration test has been finished, the reporting changes in operating system made in live session are lost after
phase, where the results are processed, begins. Compared to reboot. Above mentioned distros are pre-loaded with large
the other methodologies, OSSTMM has one immense amount of software for different areas of penetration testing.
advantage. It has a toolset to process results Kali contains numerous tools and frameworks for penetration
effectively – Security Test Audit and Reporting. Usage of this testing. These tools are usually used for:
toolset is simple – it is a predefined spreadsheet where inputs
are identified interactions and controls of said interactions, and x Database security audit,
output is a numerical value called rav. Rav expresses if there
is need for additional controls (value below 100) or everything x SQL injection techniques,
is properly balanced (value equal 100), or if there are more x network traffic eavesdropping or tampering,
controls of interactions than necessary (value above 100).
Therefore, if one environment is tested twice, it can be easily x network infrastructure attack,

238
Authorized licensed use limited to: Yildirim Beyazit Univ. Downloaded on October 10,2021 at 17:12:03 UTC from IEEE Xplore. Restrictions apply.
 CINTI 2014 • 15th IEEE International Symposium on Computational Intelligence and Informatics • 19–21 November, 2014 • Budapest, Hungary

x network stress testing, thousands of dollars per year. Free alternative to Nessus is
OpenVAS. Years ago, Nessus was free and its source code
x DoS attacks, was available. OpenVAS developers got inspired by Nessus'
x manipulating user data, source code, thus OpenVAS and Nessus share some
similarities.
x web application penetration testing,
The responsibility of Nessus and OpenVAS is to determine
x and many more tasks. if there are any exploitable vulnerabilities in the tested system.
The next step when performing penetration test is to attempt to
Further info about Kali linux can be found at Kali project
exploit the vulnerabilities. For these purposes, snippet of
webpage [10].
source code - so-called exploit - is needed. After successful
The first goal of each penetration test is to find systems on exploitation, a sequence of steps is usually performed. As
network that reply to network communication and thus are a result of vulnerability exploitation, tester often gets
interesting from penetration tester’s perspective in further permission to execute arbitrary commands on target system.
phases of the penetration test, because there could be
Tasks like vulnerability exploitation or post-exploitation
vulnerable software. This can be done using a network
exploration of the target system can be automated to a certain
scanner. The most known network scanner is Nmap. extent. For these purposes Metasploit project toolkit is
The most valuable information Nmap provides the available. Its development began in 2003. Since 2003,
penetration tester with is usually the version and type of Metasploit went through rapid development and in 2009 was
operating system running on the target system, state of acquired by Rapid7 company. Nowadays, Rapid7 is in charge
network ports, types and versions of services operated on the of funding and development of Metasploit. Metasploit is
particular system. After finding a list of applications and a list designed with an emphasis on scalability. Metasploit's
of versions, the penetration tester has to determine whether architecture aims to be modular and it's depicted on figure 1.
any vulnerability of either operating system itself or Libraries provide basic services like networking and files
vulnerability of any installed application is present.
manipulation to neighboring components, thus the developer
Vulnerabilities can be found with e.g. Nmap or OpenVAS
does not need to take care of routine tasks like communicating
(these tools will be briefly introduced in further paragraphs of
via network - it is already programmed in libraries. Via
this chapter), or fulltext search engines can be used and last
interfaces, Metasploit core is controlled by users. There are
but not least, Metasploit framework itself contains a database
many interfaces and the following paragraphs introduce them
of vulnerabilites and associated exploits.
briefly.
It is obvious that the scanning procedure and initial
Msfcli is used directly from command line. It is suitable
analysis of open ports reveal lot of valuable data to the
for beginners and newcomers to Metasploit, because it helps
penetration tester. The article by authors Kalia and Singh [11]
to understand how Metasploit internals work. Msfcli is
deals with introduction of network scanning techniques and
controlled via command line parameters and arguments. There
deployment of countermeasures against revealing info about
are detailed tutorials for Msfcli usage on Metasploit unleashed
operating systems with these network scanning techniques.
website [13].
When all the relevant systems have been scanned, the
Msfconsole is another interface available for Metasploit
penetration tester gets some basic idea about services
interaction. Compared to Msfcli, Msfconsole is more
(including their version) used in the network. The next step is
robust, scalable, and easier to use. It allows defining global
to determine whether these services are somehow vulnerable.
This can be done with assistance of tools like Nessus or
OpenVas. Both tools are briefly introduced in the following
paragraph.
Nessus can be controlled via web interface. There are
default policies that can be used for scanning right after install Plugins
or one can implement and fine-tune their own policies. If the
second option is chosen, it must be defined which techniques
will be used for port scanning or what plugins will be used for
site vulnerability survey. Once the test is finished, a summary
of results follows. Individual vulnerabilities are shown and Modules Libraries
each vulnerability is categorized depending on its severity.
Obviously, the highest attention should be paid to the
vulnerabilities in category labeled critical. Nessus can be
extended with plugins that are written in NASL - Nessus
Attack Scripting Language. There is also a possibility to buy
professional edition which has some extended capabilities like Interfaces
SCADA systems scanning compared to free edition. Accurate
comparison between Nessus versions can be found at official
Nessus website [12]. Professional license costs are in Figure 1. Metasploit architecture overview

239
Authorized licensed use limited to: Yildirim Beyazit Univ. Downloaded on October 10,2021 at 17:12:03 UTC from IEEE Xplore. Restrictions apply.
 F. Holik et al. • Effective Penetration Testing with Metasploit Framework and Methodologies

x Control of clipboard,
variables, perform lookups in exploit database, and more.
Meterpreter sessions can be maintained in a single Msfconsole x Control of services,
- practical usage is shown in Metasploit unleashed tutorial. x Stealing tokens,
There is also GUI for Metasploit - it is called Armitage. It's x User creation,
suitable for users who do not have so much experience with
command-line usage and displays connection topology of x …and much more.
tested systems.
Even though a detailed description of each possible way
One can benefit from using Metasploit in several ways. how Meterpreter and target machine can interact is out of the
There is an effective exploit management (lookup, update, scope of this article, let’s go briefly through the most
documentation) or plethora of payloads (tasks that are important abilities of Metasploit. One can upload, download
performed after successful exploitation of target system). or manipulate files with Metasploit. Depending on the target
Payloads can either perform one specific task (e.g. user system, this can have serious consequences. One can
creation) or can be more complex and offer more advanced manipulate processes and services on the target machine.
functionality (Meterpreter, which is described later, is one Killing antivirus software and installing backdoor can be done.
such example). Figure 2 shows sequence of steps that are One can manipulate routing tables of hosts with Metasploit.
necessary to establish two-way communication channel This can result in the man in the middle attack. One can delete
between tester‘s and tested system in order to be able to event logs. This is useful when diagnostics and investigation
control the tested system remotely. of a security breach should be made more difficult. One can
steal tokens – either local or domain. Tokens can be
The most crucial part of figure two is the transmission of considered to be keys to resources (e.g. folder). When a token
special DLL library with Meterpreter shell, which will be
is stolen, the thief usually has access to all the resources which
described in the next paragraph. Few conditions have to be can be accessed by the legitimate owner of the token.
met in order to succeed when control of the target is needed
Fileservers can usually be considered as storehouses of tokens,
and that control has to be achieved with taking running because various users usually access files stored in there.
antivirus software into consideration. Creating a new process Metasploit offers much more possibilities of manipulation
has to be avoided (it has to run in context of the exploited with the target system. More detailed info can be found at
process) and creating a new file has to be avoided too. Both Metasploit Unleashed webpage [13].
can be considered a red flag for antivirus software. These
conditions are met through DLL injection technique. Communication protocol between target and tester's
Meterpreter is also designed with extensibility in mind, it machine is built on type-length-value (TLV) model. TLV
allows to load different modules which perform different tasks approach is chosen because Meterpreter and Metasploit are
(e.g. network traffic sniffing). developed with scalability in mind. There are other
applications of type-length-value model, too. One such
When the above mentioned steps were completed and example is EIGRP routing protocol developed by Cisco
Meterpreter DLL is successfully loaded via DLL injection company. If a protocol based on type-length-value model
technique, the person who has access to the Meterpreter shell needs to be extended, a new type is defined and the current
has literally unlimited control over the target system. Lis t of source code implementing the current protocol behavior does
all the possibilities of Meterpreter would be too long, therefore
not need to be changed, only extended. Traffic between
only the most important and the most interesting possibilities Meterpreter the client (tester) and the server (target) is
are listed:
encrypted, thus, privacy is ensured.
x Directory listing,
x Upload or download of files,
x File attributes manipulation, Tester sends 1st stage payload

x Editing files,
x Hash dumps, System connects back to Metasploit

x Event logs deletion,

x Routing table alteration, 2nd stage payload with DLL is sent
x Command execution,
x Taking screenshots,
Connection is established
x Migrate between various processes,
x Keyboard/mouse control,
Figure 2. Metasploit connection establishment
x Launch WMI query,

240
Authorized licensed use limited to: Yildirim Beyazit Univ. Downloaded on October 10,2021 at 17:12:03 UTC from IEEE Xplore. Restrictions apply.
 CINTI 2014 • 15th IEEE International Symposium on Computational Intelligence and Informatics • 19–21 November, 2014 • Budapest, Hungary

Metasploit Framework is also updated on regular

basis – new malicious code used for exploiting system
vulnerabilities is added when an update is triggered. Despite
its initial complexity for newcomers to penetration testing,
tools like Metasploit Project offer many valuable tools to
conduct penetration testing and simplify some tasks that
would have to be solved programmatically without
framework. Production subnet

III. CASE ST UDY

This case study aims to demonstrate the usage of above
mentioned tools and utilities. This particular case study takes
place in a production environment of a pharmaceutical
company and its outcome should be verification whether
machines at production subnet are safe and the production can
run smoothly. It can be stated that computers and information Figure 3. Case study – network topology
technology is not always in the state of art, particularly in
cases, when core business of corporation has nothin g to do operating system of the target machine seems to be Windows
with information technology as in case of mentioned XP-SP1.
pharmaceutical company. The network topology is depicted Thus, assumption that this system is vulnerable to MS03-026
on figure 3. The cloud represents unexplored production DCOM exploit is made and this assumption is not investigated
subnet. It is not known which systems are present and whether further (with tools like Nessus or OpenVAS). Consequently,
they are somehow vulnerable. msfconsole is launched and exploit for DCOM vulnerability is
searched.
The only thing known is the subnet range, where the
production network resides. Let’s look at this subnet from the msf > search dcom
penetration tester’s point of view. His laptop is connected to
the production subnet, has a valid IP and booted KALI Linux.
Let’s begin with the discovery of hosts which are alive, their Matching Modules
OS versions and open ports (list of hosts and output were ================
shortened). Name: exploit/windows/dcerpc/ms03_026_dcom
Disclosure Date:2003-07-16
root@kali:~# nmap -PS 192.168.1.96/27 -O Rank:great
Description: MS03-026 Microsoft RPC DCOM
Starting Nmap 6.46 ( http://nmap.org )
Interface Overflow
Nmap scan report for 192.168.1.107
Host is up (0.00010s latency). Lookup was successful, exploit has been found. Next steps are
Not shown: 995 closed ports quite straightforward. This particular exploit is chosen, the
target IP address is set with appropriate commands and finally
PORT STATE SERVICE
the exploit is launched. After few seconds of data processing,
135/tcp open msrpc prompt changes from msf> to meterpreter>. This
139/tcp open netbios-ssn indicates that the exploitation was successful and the
penetration tester is now able to control the remote system via
445/tcp open microsoft-ds
set of advanced commands or launch the command line on
1025/tcp open NFS-or-IIS that target system. This is also a very simple task:
5000/tcp open upnp
meterpreter > shell
MAC Address: 00:0C:29:6F:41:69 (VMware)
Process 132 created.
Device type: general purpose Channel 1 created.
Running: Microsoft Windows 2000|XP Microsoft Windows XP [Verze 5.1.2600]
OS details: Microsoft Windows (C) Copyright 1985-2001 Microsoft Corp.
2000 SP0 - SP4 or
Windows XP SP0 - SP1 C:\WINDOWS\system32>
Network Distance: 1 hop
It can be clearly seen, that the host with IP address From now on, behavior of the target system can be influenced
192.168.1.107 is up and running. It is also observable, that in several ways – e.g. files can be deleted or replaced,
additional processes can be launched, and so on. It is up to
imagination of individual penetration tester.

241
Authorized licensed use limited to: Yildirim Beyazit Univ. Downloaded on October 10,2021 at 17:12:03 UTC from IEEE Xplore. Restrictions apply.
 F. Holik et al. • Effective Penetration Testing with Metasploit Framework and Methodologies

This case study has shown that penetration testing is [6] Offensive Security. (2013). A Guide to Building Secure Web
important also in production environment, where systems like Applications and Web Services. Available:
https://www.owasp.org/images/6/6b/OWASP_Blue_Book-
XP embedded can still be present nowadays. These systems Educational_Institutions.pdf. Last accessed 14th Jan 2014.
can control large production lines and can be connected to the [7] Owasp foundation. (2008). OWASP T esting Guide. Available:
network for easier management. When exploitation of these https://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_o
systems is successful, serious issues can occur. If this f_Contents. Last accessed 14th Jan 2014.
particular system would be a part of the production line used [8] Karen Scarfone, Murugiah Souppaya, Amanda Cody, Angela Orebaugh
for creating mixture for medicaments, the penetration tester or (2008). T echnical Guide to Information Security T esting and
a malicious hacker could easily alter the formula for that Assessment. Gaithersburg: NIST . 1-80.
mixture. Consequence of that would be a situation in which [9] ISECOMM. 2010. Open Source Security T esting Methodology Manual
the production runs and medicaments are being produced, but (OSST MM). [ONLINE] Available at:
http://www.isecom.org/mirror/OSST MM.3.pdf. [Accessed 26 January
using a different formula. If these medicaments with different 14].
formulas would get outside the factory and would be sold to [10] Kali Linux. 2014. Kali Linux | Rebirth of BackT rack. [ONLINE]
patients, the consequences could be lethal. Available at: http://www.kali.org/. [Accessed 26 January 14].
[11] S. Kalia & M. Singh, "Masking approach to secure systems from
IV. CONCLUSION Operating system Fingerprinting," Tencon 2005 2005 Ieee Region 10,
In the modern world, there is a need for a proactive Dec. 2005.
approach to information security in order to avoid potential [12] T enable network security. 2014. Nessus editions | T enable network
security. [ONLINE] Available at:
security breaches. It is so, because a security breach and a http://www.tenable.com/products/nessus/editions. [Accessed 26 January
consequent data loss or data tampering usually cost huge 14].
amounts of money and cause loss of reputation for the [13] Metasploit Unleashed. 2014. Metasploit Unleashed. [ONLINE]
company. There are often increased costs for security Available at: http://www.offensive-security.com/metasploit -
unleashed/Main_Page. [Accessed 26 January 14].
measures, but advantages brought by these measures are worth
it. Level of security can be determined by a discipline called
penetration testing. There are many toolsets and utilities
which can be used – from methodologies to software utilities
introduced in this article. Usually, it is desirable to spend some
time learning and getting familiar with methodologies and
software tools, because cumbersome tasks are automated and
done in a few clicks or with a few commands. Thoughts about
complex and rigorous preparation for a penetration test can be
emphasized by quoting the former US president, Abraham
Lincoln, who said:”If I had eight hours to chop down a
tree, I'd spend six hours sharpening my axe”.

A CKNOWLEDGMENT
This work and contribution is supported by the project of
the student grant competition University of Pardubice, Faculty
of Electrical Engineering and Informatics No. 60140 / 20 /
SG640009.

REFERENCES
[1] T owards a practical and effective security testing
methodology. Proceedings - IEEE Symposium on Computers and
Communications [online]. 2010, č. 1, s. 320-325 [cit. 2013-04-03]. DOI:
10.1109/ISCC.2010.5546813. Available:
http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=5546813f49b
[2] Mati Aharoni ([2011]). Penetration testing with Backtrack . 3rd ed.
Cornelius, NC: Offensive Security. 12. SP800-115. T echnical Guide to
Information Security T esting and Assessment.
[3] Gaithersburg: [NIST Computer Security Division], 2008. Available:
http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
[4] Owasp foundation. (2014). Owasp project web page. Available:
https://www.owasp.org/index.php/Main_Page. Last accessed 14th Jan
2014. OWASP foundation. (2011). A Guide to Building Secure Web
Applications and Web Services [Online]. Available:
http://sourceforge.net/projects/owasp/postdownload?source=dlp
[5] Owasp foundation. (2005). A Guide to Building Secure Web
Applications and Web Services. Available:
prdownloads.sourceforge.net/owasp/OWASPGuide2.0.1.pdf?download.
Last accessed 14th Jan 2014.

242
Authorized licensed use limited to: Yildirim Beyazit Univ. Downloaded on October 10,2021 at 17:12:03 UTC from IEEE Xplore. Restrictions apply.