Kali Linux ships with the tools needed for penetration testing. One of them is the Metasploit framework, which lets red teams perform vulnerability reconnaissance, analysis, enumeration and exploitation against all kinds of applications, networks, servers, operating systems and platforms.
Even though the core functionality of Metasploit focuses on pre- and post-exploitation penetration testing tasks, it is also useful for developing exploits and finding vulnerabilities.
This article introduces the main components of the Metasploit framework. It demonstrates how to use Metasploit modules for analysis, enumeration, and exploitation of a vulnerable MySQL database hosted on a machine known as Metasploitable 2.
Metasploit is the most commonly used pentesting tool that comes pre-installed in Kali Linux. Its main components are msfconsole and the modules it offers.
What is msfconsole?
msfconsole is the most commonly used all-in-one, shell-like interface that gives you access to all of Metasploit’s features. It behaves like a Linux command line, offering command auto-completion, tab completion and other bash-style shortcuts.
This is the main interface that will allow you to work with Metasploit modules to analyze and launch an attack on the target machine.
Metasploit’s functionality is delivered as modules, small pieces of code that each implement one task. Before the modules are explained, you should be clear about the following recurring concepts:
- Vulnerability: A flaw in the target’s design or code that exposes it to exploitation, typically leading to the disclosure of confidential information.
- Exploit: Code that takes advantage of a vulnerability that has been found.
- Payload: Code that achieves the goal of exploiting a vulnerability. It runs inside the target system to access target data, for example maintaining access through Meterpreter or a reverse shell.
Now let’s move on to the five main modules of Metasploit:
- Auxiliary: The auxiliary modules are a set of programs such as fuzzers, scanners and SQL injection tools that collect information and deepen your understanding of the target system.
- Encoders: Encoders re-encode payloads and exploits so that they evade signature-based antivirus solutions. Since payloads and exploits often contain null or other bad characters, in their raw form there is a high chance that an antivirus solution will detect them.
- Exploit: As stated earlier, an exploit is code that takes advantage of a targeted vulnerability to gain system access via a payload.
- Payload: As mentioned earlier, payloads achieve the desired goal on the target system. They either give you an interactive shell or maintain a backdoor, execute a command, load malware, and so on. Metasploit offers two types of payloads: stageless payloads and staged payloads.
- Post: The post-exploitation modules help you gather more information about the compromised system. For example, they can dump password hashes and search for user credentials for lateral movement or privilege escalation.
You can use the following command to display each module type and its categories:
tree -L 1 module-name/
To start using the Metasploit interface, open the Kali Linux terminal and type msfconsole.
By default, msfconsole opens with a banner; to suppress it and start the interface silently, run the msfconsole command with the -q flag.
The interface looks like a Linux command line shell. Some supported Linux Bash commands are ls, clear, grep, history, jobs, kill, cd, exit, etc.
Type help or a question mark (?) to see the list of all commands available in msfconsole. Some of the most important ones, which we will use in this article, are:
| Command | Description |
|---|---|
| search | Searches the Metasploit database for modules matching a given protocol, application or parameter |
| use | Selects a particular module and changes the context to module-specific commands |
| info | Provides information about the selected module |
| show | Displays information about the given module name and the current module’s options |
| check | Checks whether the target system has the vulnerability |
| set | Context-specific variable assignment that configures the options for the current module |
| unset | Deletes previously defined settings |
| run | Executes the current module |
Before you begin, configure the Metasploit database by starting the PostgreSQL server and initializing the msfconsole database as follows:
systemctl start postgresql
Now check the status of the database by starting msfconsole and running the db_status command.
For demonstration purposes, configure the open source vulnerable Linux machine Metasploitable2.
MySQL discovery with msfconsole
First find the IP address of the Metasploitable machine. Then use the db_nmap command in msfconsole with Nmap flags to scan the MySQL database on port 3306.
db_nmap -sV -sC -p 3306
You can run the regular nmap -p-
Use the search command to find an auxiliary module to analyze and enumerate the MySQL database.
search type:auxiliary mysql
In the list above, you can select the auxiliary/scanner/mysql/mysql_version module by entering the module name or its associated number to retrieve the MySQL version details.
Now use the show options command to display the parameters needed to run the current module:
The output shows that the only required option that is not yet set is RHOSTS, the IP address of the target machine. Use set rhosts to set the parameter and then run the module, as follows:
The output shows the same MySQL version details that the db_nmap scan returned.
Bruteforce MySQL root account with msfconsole
After the scan, you can also brute force the MySQL root account via the Metasploit auxiliary (scanner/mysql/mysql_login) module.
You will need to set the PASS_FILE parameter to the path of the list of words available inside /usr/share/wordlists:
set PASS_FILE /usr/share/wordlists/rockyou.txt
Next, specify the IP address of the target machine with the RHOSTS option.
Set BLANK_PASSWORDS to true in case no password is defined for the root account.
set BLANK_PASSWORDS true
Finally, run the module by typing run in the terminal.
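On the server side, a mysql_login run leaves a dense burst of "Access denied" entries in the MySQL error log, one per password tried, and a "using password: NO" entry when BLANK_PASSWORDS is set. The following detector is an added example written for this article, not code from the article or from the Metasploit project; it assumes the MySQL 5.7-style error-log format produced when failed logins are logged (log_warnings=2, or log_error_verbosity=3 on newer releases), and the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of MySQL error-log lines in the MySQL 5.7 format that
# appears when failed logins are logged. These lines were written for this
# example; they were not captured from Metasploitable 2.
SAMPLE_LOG = """\
2024-03-01T10:00:00.000001Z 40 [Note] Access denied for user 'root'@'192.0.2.10' (using password: NO)
2024-03-01T10:00:00.200001Z 41 [Note] Access denied for user 'root'@'192.0.2.10' (using password: YES)
2024-03-01T10:00:00.400001Z 42 [Note] Access denied for user 'root'@'192.0.2.10' (using password: YES)
2024-03-01T10:00:00.600001Z 43 [Note] Access denied for user 'root'@'192.0.2.10' (using password: YES)
2024-03-01T10:00:00.800001Z 44 [Note] Access denied for user 'root'@'192.0.2.10' (using password: YES)
2024-03-01T10:00:01.000001Z 45 [Note] Access denied for user 'root'@'192.0.2.10' (using password: YES)
2024-03-01T10:00:02.000001Z 46 [Note] Aborted connection 46 to db: 'unconnected' user: 'root' host: '192.0.2.10' (Got an error reading communication packets)
2024-03-01T10:05:00.000001Z 47 [Note] Access denied for user 'app'@'192.0.2.20' (using password: YES)
"""

# One failed-login line: timestamp, connection id, level, then the denial.
DENIED_RE = re.compile(
    r"^(?P<ts>\S+Z) \d+ \[\w+\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)' \(using password: (?P<pw>YES|NO)\)$"
)


def parse_denials(log_text):
    """Return a list of (timestamp, user, host, used_password) for each failed login."""
    denials = []
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
            denials.append((ts, m["user"], m["host"], m["pw"] == "YES"))
    return denials


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Map (user, host) -> peak number of failures seen inside one sliding window,
    for every source that reached `threshold`. A wordlist run shows up as a
    burst of denials for one account from one address; with BLANK_PASSWORDS set
    the burst also contains a 'using password: NO' attempt."""
    recent = defaultdict(deque)   # (user, host) -> timestamps inside the window
    alerts = {}
    for ts, user, host, _ in parse_denials(log_text):
        q = recent[(user, host)]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[(user, host)] = max(alerts.get((user, host), 0), len(q))
    return alerts


if __name__ == "__main__":
    for (user, host), n in detect_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force: {n} failed logins for '{user}' from {host}")
```

The single failure for 'app' from 192.0.2.20 stays below the threshold, while the six failures for 'root' from 192.0.2.10 within one second are flagged; lower `threshold` or widen `window` to catch slower, throttled runs.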
MySQL enumeration with msfconsole
msfconsole also lets you enumerate the database with the auxiliary (admin/mysql/mysql_enum) module. It returns all accounts together with details such as their privileges and password hashes.
To do this, you need to set the password, username and rhosts options.
set password ""
set username root
Finally, launch the module by typing run.
Exploiting MySQL with msfconsole
The enumeration phase shows that the root account holds the FILE privilege, which allows an attacker to call the load_file() function. This function makes it possible to exploit the MySQL database by reading the contents of the /etc/passwd file through the auxiliary (admin/mysql/mysql_sql) module:
Again, set the username, password and rhosts options. Then run a query that invokes the load_file() function and reads the /etc/passwd file.
set sql select load_file("/etc/passwd")
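The two conditions that make this step work are a root account with a blank password and the FILE privilege combined with an unrestricted secure_file_priv setting, and both are visible in the mysql.user table that the enumeration step above dumps. The following audit is an added example written for this article, not code from the article or from the Metasploit project; it assumes the tab-separated output of a mysql batch-mode query over mysql.user, and the rows and the hash placeholder are constructed for the example.

```python
from dataclasses import dataclass

# Constructed output of
#   mysql -B -e "SELECT user, host, File_priv, password FROM mysql.user"
# Batch mode prints one tab-separated row per line. The password column is
# named authentication_string on MySQL 5.7 and later; the hash shown is a
# placeholder. These rows were written for this example, not dumped from
# Metasploitable 2.
SAMPLE_USERS = (
    "user\thost\tFile_priv\tpassword\n"
    "root\tlocalhost\tY\t\n"
    "root\t%\tY\t\n"
    "debian-sys-maint\tlocalhost\tY\t*CONSTRUCTED_HASH_PLACEHOLDER\n"
    "guest\t%\tN\t\n"
)


@dataclass(frozen=True)
class Account:
    user: str
    host: str
    file_priv: bool
    blank_password: bool


def parse_user_rows(tsv):
    """Parse tab-separated mysql.user rows; the first line is the header."""
    lines = tsv.splitlines()
    header = lines[0].split("\t")
    accounts = []
    for line in lines[1:]:
        cols = dict(zip(header, line.split("\t")))
        secret = cols.get("password", cols.get("authentication_string", ""))
        accounts.append(Account(
            user=cols["user"],
            host=cols["host"],
            file_priv=cols["File_priv"] == "Y",
            blank_password=secret == "",
        ))
    return accounts


def audit(accounts, secure_file_priv):
    """Return (account, issue) pairs.

    secure_file_priv decides how far FILE reaches: "" means load_file() and
    SELECT ... INTO OUTFILE may touch any file the mysqld process can read or
    write, "NULL" disables them entirely, and a directory path confines them to
    that directory. The variable is read-only at runtime and is set in my.cnf.
    """
    findings = []
    for a in accounts:
        who = f"'{a.user}'@'{a.host}'"
        if a.blank_password:
            findings.append((who, "blank password"))
        if a.user == "root" and a.host == "%":
            findings.append((who, "root accepts connections from any host"))
        if a.file_priv:
            if secure_file_priv == "":
                findings.append((who, "FILE privilege with unrestricted secure_file_priv: "
                                      "load_file() can read any file mysqld can"))
            elif secure_file_priv == "NULL":
                findings.append((who, "FILE privilege granted but file access disabled by secure_file_priv"))
            else:
                findings.append((who, f"FILE privilege confined to {secure_file_priv}"))
    return findings


def remediation_sql(accounts):
    """Statements that strip FILE from accounts reachable without a password or
    from any host; review them before running against a real server."""
    return [
        f"REVOKE FILE ON *.* FROM '{a.user}'@'{a.host}';"
        for a in accounts
        if a.file_priv and (a.blank_password or a.host == "%")
    ]


if __name__ == "__main__":
    accts = parse_user_rows(SAMPLE_USERS)
    for who, issue in audit(accts, secure_file_priv=""):
        print(f"{who}: {issue}")
    print("\n".join(remediation_sql(accts)))
```

Run the same rows through audit with secure_file_priv set to "NULL" or to a dedicated directory and the "unrestricted" findings disappear, which is the configuration change that stops load_file() from reaching /etc/passwd even while the privilege audit is still being cleaned up.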
Metasploit modules help in all phases of penetration testing. Metasploit also allows users to create their own modules.
This article summarizes some core modules of the Metasploit framework and shows how to analyze, enumerate, and exploit a MySQL database on the Metasploitable 2 machine.
Metasploit isn’t the only penetration testing tool you’ll use as a cybersecurity professional. There are several other utilities you will need to become familiar with if you want to become a security expert.
If you’re wondering how the pros approach penetration testing, this guide will help.