Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web

Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web

Web Application Penetration Testing Tutorials- Using Metasploit and Web


Metasploit is probably the most versatile, freely available, Web Application Penetration Testing.

The frame should never be created It is currently Rapid7, Inc. It has been developed by The outline was started in 2003. D. Moore was created by a security professional Since then, this framework has gone through a lot of research and development.

Metasploit Framework is often shortened to MSF in written or oral form. The framework comes with various modules which are its main parts. 

They help in Customizing and writing different types of exploits - software, web applications, And so on. 

We are going to cover the following topics:
  • Metasploit module
  • Msfconsole
  • Assistant modules related to web applications
  • WMAP - Metasplight's web application security scanner
  • Creating Web Backdoor Payload with Metasploit

How to Discover Metasploit Modules 

As mentioned, the Metasploit Framework contains various types of modules, modules help the admission tester to make its exploitation modular. The following are the important modules that make up our approach:



Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web

  • Metasploit Framework Auxiliary Module: Assistant modules are built-in scripts that perform Different types of scanning, fuzzing, and whitespace. However, these scripts Do not return a shell when they move. The main purpose of this module is Give the passphrase a wide array of scripts that can help in penetrating Goal efficiently. For example, mysql_enum will be an auxiliary module Collecting a basic level of information on a given MySQL server
  • Metasploit Framework Exploitation Module: Probably the most exciting part of exploitation module Outline for a newcomer The exploitation module includes various scripts There are codes to take advantage of a vulnerability and return a shell. exploitation There are tons of scripts in the module that exploit popular weaknesses An extensive set of software, from browser to web server, and operating Systems ranging from Windows to Android. For example, ms08_067_ The netapi exploitation module is a script that gives a shell after exploitation MS08-067 vulnerability in Microsoft Windows computers.
  • Metasploit Framework Encoder Module: For more sophisticated users of Framework, encoder Modules come in very handy. Are different from encoder module The last two modules are due to the fact that encoder modules are basically Scripts that prevent or obstruct such exploitation and payload The way they are not easily detected by IDS / IPS or antivirus programs. Although it may sound terrible at first, it develops security solutions Some hands may experience, practice and require the Encoder module Experiment.
  • Metasploit Framework Payload Module: Payload modules are right for their name, they are Payloads that run when an exploitation module successfully exploits A vulnerability There are different types of payloads; some of them are- OS-specific command shell (bind/reverse), meter operator, VNC payload, Download and execute, and much more While talking about payload, this It should be noted that there are various modes in which Metasploit is executed A payload on the target machine. 

Some important Metasploit Framework Payloads have been mentioned in the table:


Method Description
Inline The inline category of payloads containi their entire payload code inside them.
This basically means that the exploit executes in one shot and is heavier in size.
Although this variety of payload is very stable.
Staged In staged payloads, when the exploit runs, it launches a little piece of code known as stager which re-establishes contact with the framework
and thenn downloads the remaining basically this is a two-staged process.
Meterpreter The Meterpreter is the de-facto payload in Metasploit. It is a very advanced payload and it is executed in such a way that no file is ever written, basically by in-memory
execution in the target. Once loaded, Meterpreter provides  a plethora of post-exploitation modules.
Reflective DLL Injectin This is specific to the Windows platform only. Here, a staged payload is executed in-memory. The payloads which make use of this never hit the file system of the target.
IPv6 Modules These modules work with the newer IPv6 networks.

  • Other Metasploit Modules: There are also other modules in the framework, i.e. Nodes and Post Exploitation Module We will cover some posts Metasploit exploitation module later in this tutorials.

Interacting with Msfconsole

Msfconsole is an interactive console of Metasploit. We will mostly use Msfconsole This tutorial is to begin exploitation and negotiate with Shell. To Launch Msfconsole In Kali Linux, we can just open a terminal window and enter msfconsole order. This will result in a classic geeky banner and msf prompt (msf>):

Root @packet: ~ # msfconsole

Running the command will be a shell like this:


Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web

To see a list of exploits, payloads, encoders, and generators, hit the following command:

Show [module]


[Module] is to be replaced by the adventures, payloads, encoders, and so on.

For example, the causes of the command show will result in a list of such exploits:


Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web

There is a very specific set of commands in the Msfconsole which allows us to deactivate it with its shell.

The complete list of orders can be seen with the help command. In the table shown here, I have briefly told what the Mets plight says to the core command:


Command Description
help / ? Display the help menu containing the list of commands
back Go one step backword from the current context
banner Display the typical geeky MsF
cd Change working directory
color Enable or Disable colored output
connect Communicate with a supplied host/port pair
exit/quit Exit the MSF Console
irb Ineract with the Ruby IRB shell
get Fetch the value of a set variable in the loaded context
getg Fetch the value of a set variable from the global context
jobs List the different jobs and modules currently running
kill Terminate a running job or module
load Import a plugijn into MSF
save Save the current context and variable into its datastore.

Using Auxiliary Modules related to Web Applications

In this sub-section, we will look at the use of various types of support modules
Help us in the reconnaissance of the goal.

Mainly, will be listed under reconnaissance related modules
Framework auxiliary/scanner/http/structure It will be equal
For the following screenshot:


Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web

Let's now use a helper module for brute-force for directories. For this, I will use the auxiliary/scanner/http/brute_dirs module.

We need to set the fire on MSFConsole and hit the following command:

Use auxiliary/scanner/http/brute_dirs


Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web

Showing a comprehensive list of options supported by the Running show option Module

Various variables are self-explanatory.

  • RHOST: This is a list of remote goals or goals.
  • RPORT: This is the variable for the port of the remote host.
  • Threads: This is the number of parallel threads to use for brute-force.
  • Format: This is an animal-force format: alphabet, uppercase, and digits
  • Path: This is the starting directory from which animal force should start.

In this picture, we are successfully running the Brute-Force module and can see With the traffic generated by the module in Wireshark.


Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web

Because this method is taking a little time, we can use another assistant The module for that, but using a generic dictionary-based broute-forse. 

Module auxiliary/ scanner / http / under is dir_scanner.

The options of the dir_scanner module are shown in the following screenshots:


Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web

We can configure and run this module to obtain a dictionary-based directory brute-fan. The following screenshots are shown, the module was able to search the directory of the target domain:


Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web

Going forward, there is an assistant module named files_dir to search The presence of juicy and interesting files on the range of a goal or goal. 

This is one auxiliary/scanner/located under http/. The module performs a dictionary-based Animal force for files, by default it comes with a default dictionary, but we can change By setting the DICTIONARY variable for the full path for this custom dictionary.

We set the ten, host and virtual host fields of threads to 192.168.4.2.11, and run the module. In return, it gave us an interesting file, admin.null:

Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web

Similarly, we can use other helpful modules, which can lead to some loss While testing. 

By this, I am referring to the helper module for DoS testing (Denial-of-service) vulnerabilities in web server software or server-side frameworks Apache is a very popular web server, it was killed in 2011 with the DoS vulnerability That was exploited in the wild by the attackers. 

To test this specific vulnerability, We have a ready module. Available at module-auxiliary/dos/http/ Comes with apache_range_dos and the following options:


Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web

If options are much more like before but RLIMIT is a new optin here. It basically instructs the module to limit the number of DoS packets for the value set in RLIMIT. Let's now configure and run the module:


Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web

Running a script produces the same output as the following screenshot:


Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web

Fortunately, in this case, the server was patched but if it did not, then it would have been Crashed and resumed. By increasing RLIMIT, we can force the server to restart Constantly, it's killing. Therefore, such DoS modules are risky and should only be run
When the gravity of action and related consequences are known.

Understanding WMAP – Metasploit's Web Application Security Scanner

WMAP is a fast, lightweight and feature-rich script that is present inside Metasploit. 

this Originally was a fork from SQLMap. I do not encourage automatic scanning Find out the weaknesses, there are lots of work to find fewer scanners built in this way Hanging vulnerability in web applications. 

Imagine that you have to conduct a security Evaluation of a large network in which most web applications are like tools If scanners are actually, then web applications can actually report how vulnerable they are.

Puts or eliminates vulnerabilities (except for false positives) in a quick time It's a big red flag that tells you that the security of the web application is bad. 

This is It became clear by the fact that the automated scanners cannot really find difficult bugs;

So if it finds a good set of bugs, then you know how to carry out the evaluation.

To start WMAP, we have to start MSFconsole first because it will be our Shell option for interacting with WMAP After the MSFconsole is up, we just type Load Wamp to fire the WMAP plug-in:


Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web

Following is a list of commands that will help us communicate with WMAP, after loading this plugin, can be seen in the msfconsole help command:


Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web


Now, we will add a site to WMAP to begin the scanning process.
The command wmap_sites -a protocol is: // host: port.

For example, wmap_sites -a http://192.168.4.211:8080.

Similarly, after the site is connected, we can verify it by running wmap_sites -l order. It will present us with a good table listing of the sites currently added The following screenshots are shown in:


Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web

one step forward, we will choose one of the above sites as a goal. Act up This, now we will use the wmap_targets command. 

In Order to add a site to The target is wmap_targets -t proto: // host: port and to list the goals we can use wmap_targets -l

For example, to add http://192.168.4.211 as a target, we will hit wmap_targets -t http://192.168.4.211. It can be clearly seen here:


Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web

Now we are all set to set WMAP to run a scan on the target
But listing the module is always a good idea to actually be used. For this, We use the wmap_run -t command. Once run, the output will be similar The following screenshots:


Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web

We can see that different types of modules have been loaded under the assistant and Web server classified under test. WMAP also does other tests Web servers are also displayed with the test. They are shown in the following imagination. 

They are also helpful modules that are specific to directories and files Animal-forced (which has been mentioned earlier), and query parameter-based testing To discover weaknesses.

Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web


Now, it seems that we did all the families of the WMAP checklist; Now is the right time to launch a scanner and bring it into life. It is done through wmap_run -e command. Once run, it presents output similar to the following:


Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web


Generating Web backdoor payload with Metasploit

Metasploit provides a variety of payloads that can be used to expand Post-exploitation functionality through file-based backdoors. 

For this section, I think the reader searches for a vulnerability on a server that allows File upload without any type of white list. Assume that a LAMP server is running 162.243.85.82 and Metasploit is running on a computer with NAT'ed internal IP
Of 192.168.4.211

First of all, we will generate a PHP meter binder payload, which will drop us A basic PHP mprater shell. The business tool is msfvenom. 

Msfvenom is To make and encode various payloads, use the D-Facto tool in the Metasploit structure. 

Msfvenom crosses the old tool to generate payload and encoding, i.e. msfpayload and msfencode Let's now use msfvenom to see the command Everything in action.

A list of payloads available under Msfvenom can be seen by the following order:

msfvenom -l payload


Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web

The above output has been trim because there are too many payloads to display (over 400) But we will basically use the payload named php / meterpreter / bind_tcp Listens on a compromised server on a pre-specified port and gives a meterpreter
Once a connection is made to that port. 

Now we will mention Payloads as PHP scripts. Initially, we should first see what is different To do this, there are configuration options in the payload, so we can use it - To load -upload-option to load -p to select the payload, to list the options.

msfvenom -p php / meterpreter / bind_tcp --payload-options

It gives a page with all the configuration options, payload metadata, and discipline.


Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web

We will now generate our payload and set LPORT to 60000 as shown in the following screen:


Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web

Through any file upload vulnerability, we upload the script that was generated as a php-msf.php file on any weak directory within Webbert or Webbert in a weak server.

In addition, we need to create a payload handler which will allow us to send one Will listen for a connection that requests to pack the payload. We will need to extinguish the fire Set up Msfconsole and our handler payload, which will establish a connection with A
Tie the shell when running:


Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web

We can verify this configuration by running Show Options command in the console:


Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web

best! Let us now execute the uploaded PHP Metpreter by calling it through Execute Apache, as well as handler via a web browser. Will result in one The distance of meters through PHP You can see the output in the following screenshots:


Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web

Once we have done MSF, we can do a lot of things, some of the basic things include a native command hell, getting dumping system information included.

Below we see system information and command line shell through Metpreter:


Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web

One major problem with native PHP-based payload is that they are fair Unstable; This means that the session may end after some time. This is not It is unusual to see such error messages when handling PHP-based payloads:


Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web

To fix this, we can create a Linux-only (or whatever host server is running) Payload We can make Linux Meter Payloads like this
First PHP mpg payload. We will use linux /x86 /meterpreter / bind_tcp Payload and configure it in the same way, but only 500km to Lot Save production as linux-msf.backdoor:


Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web

Once done, we will respond to the meterpoint and upload the native Linux payload and execute it to obtain the second, but more stable meterpreter. Initially we upload the Linux payload and leave the current MSF session behind:


Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web

Then we reconfigure our handlers and run it in the background with exploitation -J:


Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web

We go back to our basic PHP session and then execute the Linux payload.


Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web

And we get a more stable Linux Meterpreter session:


Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web


Using Metpreter, we can easily control and dump a lot of juicy information.

With easy scripts such as enum_configes, enum_network, and many more In the following screenshot, we can see enum_configs in action:


Web Application Penetration Testing Tutorials 7 | Using Metasploit and Web

This is for this tutorial. It is very important for readers to experiment with various post exploitation scripts.

Summary

Metasploit will be more powerful in the coming years. To learn more about MSF, It is recommended that the Metasploit run by the readers be known through the Free Courses Manufacturers of Kali Linux, which is aggressive security - Metasploit was brought here:

https://www.offensive-security.com/metasploit-unleashed/

A meterpeter is a wonderful shell and when a user post is operated by exploitation Module, it becomes a cakewalk to dump and collect large amounts of data a server. 

I suggest readers practice and experiment with Meterpreter in one
Fake environments like Metasploitable - A weak Linux server to find Hidden treasures inside it

In the last section of these tutorials, I showed how we can dive into Linux Through the background of the existing PHP session, a normal PHP one-meter distance.

Although it works effectively, in some cases the session ends before our death Configure the handler for the Linux session. To avoid this, please run two separate Terminals for each type of payload, to run handler for PHP meterpreter, and one to run Linux Meterpreter.

The next tutorial relates to XML Attack Vectors, where we will exploit XML Parsers For our benefit.

Hi'i'm Rahim Ansari ,from India, I Love to Blogging, Desing Website, Web Developing and Desiging I Like to Learn and share Technical Hacking/Security tips with you,I Love my Friends.

Please Ask Question on Comment Box

Related Posts

Previous
Next Post »