Unit III

System Security and Hacking

Uploaded by Mayur Chaudhari


Content
• Introduction to Metasploit

• Reconnaissance with Metasploit

• Port Scanning with Metasploit

• Compromising a Windows Host with Metasploit

• Client Side Exploitation Methods

• E-Mails with Malicious Attachments

• Creating a Custom Executable


Introduction to Metasploit
• Metasploit is one of the most widely used frameworks for penetration
testing: it bundles exploits, payloads, scanners and post-exploitation
modules behind a single console (msfconsole).

• It comes in two editions: the free, open-source Metasploit Framework
and the commercial Metasploit Pro. Both are built on the same open-source
module library; Pro adds a web interface, reporting and automation on top.
This unit uses the free Framework, which the Kali Linux distribution ships
pre-installed along with its other ethical hacking tools.
Reconnaissance with Metasploit
Information gathering or reconnaissance (recon) is the most crucial
and time-consuming phase in the penetration testing cycle. When
pen-testing a web application, you are required to gather as much
information as you can. The more information you have, the better.
Information can be of any type: a web server banner, an IP address, a
list of open ports that are running a web application service, any
supported HTTP headers, and so on. Each of these facts narrows down
which checks and which exploit modules are worth trying against the target.
Reconnaissance with Metasploit
Passive information gathering

• Using passive information gathering, you can discover information about targets
without touching their systems, by relying on public sources such as WHOIS and DNS
records, search engines and internet-wide scan databases. For example, you can
identify network boundaries, operating systems, open ports, and web server software
in use on the target without sending it a single packet, so the target gets no log
entry and no chance to notice you.

Active information gathering

• In active information gathering, we interact directly with a system to learn more about
it. We might conduct port scans for open ports on the target or conduct scans to
determine what services are running. Each system or running service that we discover
gives us another opportunity for exploitation. Active probing is visible in the target's
logs and may trip intrusion detection, so it belongs inside the agreed scope and time
window of the engagement.
Starting msfconsole
• First, start the PostgreSQL database that backs the Metasploit workspace:

# service postgresql start

• then start the Metasploit service:

# service metasploit start

(On current Kali releases there is no metasploit service; run msfdb init once
to create the database and its user, and msfdb start on later boots.)

• now start msfconsole:

# msfconsole

• now, use db_status to make sure that we are connected correctly. It should
report "Connected to msf. Connection type: postgresql."; if it reports no
connection, the hosts, services and db_import commands have nothing to write to.
Importing Nmap Results into Metasploit
When you are working with other team members, with various individuals scanning
at different times and from different locations, it helps to know how to import a
basic nmap generated XML export file into the Framework.
First, we scan the Windows virtual machine using the -oX option to generate a
Target.xml file (the file name given to -oX is used as-is, so include the .xml
extension; -sS needs root, hence the # prompt):

# nmap -Pn -sS -A -oX Target.xml 192.168.20.0/24

After generating the XML file, we use the db_import command to import it into our
database. We can then verify that the import worked by using
the "hosts" command, which lists the entries that have been created for each
scanned system, as shown here:

msf > db_import Target.xml
msf > hosts
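The parsing that db_import performs on an Nmap -oX report, as an added example: this is not Metasploit's own importer, and the XML it reads is a constructed sample in Nmap's schema rather than real scan output. It pulls out the fields that the hosts and services commands later show for each scanned system:

```python
"""Parse an Nmap -oX XML report into the rows Metasploit's db_import writes to
its hosts and services tables.  Added example, not Metasploit code."""
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -Pn -sS -A -oX Target.xml ...` writes,
# trimmed to the elements an importer actually needs.  Host .10 is a lab
# Windows box; host .11 answered nothing (all 1000 ports filtered).
SAMPLE_NMAP_XML = """
<nmaprun scanner="nmap" args="nmap -Pn -sS -A -oX Target.xml 192.168.20.0/24">
  <host>
    <status state="up" reason="user-set"/>
    <address addr="192.168.20.10" addrtype="ipv4"/>
    <address addr="00:0C:29:AA:BB:CC" addrtype="mac"/>
    <hostnames><hostname name="win7-lab" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="135"><state state="open" reason="syn-ack"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="closed" reason="reset"/><service name="ms-wbt-server"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows 7" accuracy="95"/></os>
  </host>
  <host>
    <status state="up" reason="user-set"/>
    <address addr="192.168.20.11" addrtype="ipv4"/>
    <ports><extraports state="filtered" count="1000"/></ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return (hosts, services).  hosts: one dict per scanned host with the
    keys the `hosts` command prints (address, mac, name, os_name, state).
    services: (address, port, proto, state, name, info) per scanned port."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an Nmap XML report (root element is %r)" % root.tag)
    hosts, services = [], []
    for h in root.iter("host"):
        addrs = {a.get("addrtype"): a.get("addr") for a in h.findall("address")}
        ip = addrs.get("ipv4") or addrs.get("ipv6")
        if ip is None:           # nothing to key the host record on
            continue
        status = h.find("status")
        name_el = h.find("hostnames/hostname")
        os_el = h.find("os/osmatch")      # first (best) OS guess only
        hosts.append({
            "address": ip,
            "mac": addrs.get("mac"),
            "name": name_el.get("name") if name_el is not None else None,
            "os_name": os_el.get("name") if os_el is not None else None,
            "state": status.get("state") if status is not None else "unknown",
        })
        for p in h.findall("ports/port"):
            svc = p.find("service")
            # `info` mirrors the services table: product + version when known
            info = None
            if svc is not None:
                info = " ".join(x for x in (svc.get("product"), svc.get("version")) if x) or None
            services.append((
                ip, int(p.get("portid")), p.get("protocol"),
                p.find("state").get("state"),
                svc.get("name") if svc is not None else None,
                info,
            ))
    return hosts, services


def open_services(services):
    """Keep only open ports: the rows worth handing to exploit modules."""
    return [s for s in services if s[3] == "open"]


if __name__ == "__main__":
    hosts, services = parse_nmap_xml(SAMPLE_NMAP_XML)
    for h in hosts:
        print(h)
    for s in open_services(services):
        print(s)
```

Point it at the Target.xml produced by the scan above instead of the sample and the host list it prints should match what the hosts command shows after db_import; a host that answered nothing still gets a hosts row, just with no services.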
Preparing Metasploit for Port Scanning
Scanners and most other auxiliary modules use the 'RHOSTS' option instead of 'RHOST'.
RHOSTS can take IP ranges (192.168.1.20-192.168.1.30), CIDR ranges (192.168.1.0/24),
multiple ranges separated by commas (192.168.1.0/24, 192.168.3.0/24), and
line-separated host list files (file:/tmp/hostlist.txt). This is another use for a grepable
Nmap output file: the live hosts it lists can be fed straight back in as a host list.
By default, all of the scanner modules will have the 'THREADS' value set to '1'. The
'THREADS' value sets the number of concurrent threads to use while scanning. Set this
value to a higher number in order to speed up your scans or keep it lower in order to
reduce network traffic, but be sure to adhere to the following guidelines:
• Keep the THREADS value under 16 on native Win32 systems
• Keep THREADS under 200 when running MSF under Cygwin
• On Unix-like operating systems, THREADS can be set as high as 256.
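An expander for the RHOSTS forms listed above, as an added example: it is not Metasploit's own Rex::Socket::RangeWalker, only a stand-in that walks the same address sets. The file: path and its contents are constructed, and de-duplicating the result is this example's choice. Knowing how many addresses a spec expands to is what you need before picking a THREADS value:

```python
"""Expand an RHOSTS specification into the target list a scanner module walks.
Added example; stand-in for Metasploit's RangeWalker, not the real thing."""
import ipaddress
from pathlib import Path


def _expand_one(token, read_file):
    token = token.strip()
    if not token:
        return []
    if token.startswith("file:"):
        # file:/path -> one host, range or CIDR per line; blank lines and
        # '#' comments ignored, each line expanded with the same rules
        out = []
        for line in read_file(token[len("file:"):]).splitlines():
            line = line.split("#", 1)[0].strip()
            if line:
                out.extend(_expand_one(line, read_file))
        return out
    if "/" in token:
        # Metasploit walks every address in a CIDR block, including the
        # network and broadcast addresses (a /24 yields 256 targets), so
        # iterate the network itself rather than .hosts().
        return [str(a) for a in ipaddress.ip_network(token, strict=False)]
    if "-" in token:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in token.split("-", 1))
        if hi < lo:
            raise ValueError("range %r runs backwards" % token)
        return [str(ipaddress.ip_address(int(lo) + i))
                for i in range(int(hi) - int(lo) + 1)]
    # single host; ipaddress raises ValueError on anything that is not an IP
    return [str(ipaddress.ip_address(token))]


def expand_rhosts(spec, read_file=lambda p: Path(p).read_text()):
    """Return the de-duplicated, order-preserving target list for SPEC.
    SPEC is a comma-separated mix of single IPs, lo-hi ranges, CIDR blocks
    and file:<path> entries, exactly the forms the RHOSTS option accepts."""
    targets = []
    for token in spec.split(","):
        targets.extend(_expand_one(token, read_file))
    return list(dict.fromkeys(targets))


if __name__ == "__main__":
    for spec in ("192.168.1.20-192.168.1.30", "192.168.1.0/24, 192.168.3.0/24"):
        print("%-40s %d targets" % (spec, len(expand_rhosts(spec))))
```

Running it on a proposed RHOSTS value before `run` tells you how many hosts each of your THREADS workers will share, and a typo such as a reversed range or a stray character fails here with a ValueError instead of silently scanning the wrong block.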
Nmap & db_nmap
• We can use the db_nmap command to run Nmap against our targets,
and the scan results are then stored automatically in our
database. However, if you also wish to import the scan results into
another application or framework later on, you will likely want to
export the scan results in XML format. It is always nice to have all
three Nmap outputs (XML, grepable, and normal).
• So we can run the Nmap scan using the -oA flag followed by the
desired base filename to generate the three output files (.xml,
.gnmap and .nmap), then issue the db_import command on the .xml
file to populate the Metasploit database:

# nmap -v -sV 192.168.1.0/24 -oA Subnet1
msf > db_import Subnet1.xml

• db_nmap accepts the same options you would normally use from the
command line. If we only want the scan saved to our database, we omit
the output flag and run it from msfconsole instead. The example above
would then become:

msf > db_nmap -v -sV 192.168.1.0/24
Port Scanning
