Metasploit Framework v3.

The new MSF 3.0 Architecture

MSF 3.0 Architecture

Multitasking through Ruby threads

. Share single instance with many users
. Great for team-based penetration testing
. Multi-user plugin is only ~20 lines of code :-)

Concurrent exploits and sessions

. Support for passive exploits and recon mods
. Multiple payload sessions open at once
. Suspend and restore payload sessions
. Share payload sessions with other users
. Handle multi-victim exploits :-)

Rewrite of all exploit modules

. Massive number of bug fixes
. Improved randomness, use of Mixins

Exploit module structure

. Single exploit can target many platforms
. Simplified the meta-information fields
. Mixins can also modify exploit behavior
. Target brute forcing
. Passive exploits
MSF Plug-ins
Msfd plugin
“This plugin provides an msf daemon interface that spawns a listener on a defined port (default
55554) and gives each connecting client its own console interface. These consoles all share the
same framework instance. Be aware that the console instance that spawns on the port is entirely
unauthenticated, so realize that you have been warned.”

Loading the msfd plugin and connecting to the daemon

The default is to set up a listener on 127.0.0.1, that won’t do ☺ change the default
hostname to the IP of the box running msfd in plugins/msfd.rb and connect to it that way
# The default local hostname that the server listens on.
#
DefaultHost = "192.168.0.105"
 Connecting to the msfd daemon on an IP
To unload the plugin, just type unload “plugin name”

Unloading the plugin

 Recon Modules

UDP Sweep

Using the sweep_udp recon module

SMB Version

Using the SMB version recon module

Using the Metasploit v3 console

MSF 3 console
Show exploits

Output of the show exploits command

Selecting an exploit and showing the options

Selecting the exploit and showing the options

Showing the available payloads

Listing the available payloads

Select your payload and target

Selecting the payload and the target (automatic)

Launch the exploit

Launching the exploit

Using the MSF v3 Meterpreter
The Meterpreter help menu and options

Meterpreter help menu

Downloading a file from the remote host

Downloading a file from a remote host

Reading a file on the remote host

Reading a file on the remote host using cat

Executing a command

Starting a hidden cmd.exe and interacting with it

Loading the “priv” extension

Loading the “priv” extension

The priv extension help menu

The priv extension help menu

Using the priv extension

The priv module allows us to dump the SAM hashes and use the timestomp command.

Hashdump command
 Output of the hashdump command

Timestomp Command

Output of the timestomp help menu

Output on the timestomp command with various options

Process Migration
You can hide MSF in another process by either migrating to an existing process or by
starting a normal process like calc.exe and migrating to it.

Getting the current PID and creating another process (calc.exe)

Migrating the meterpreter process to the process we created

In the Future for MSF

Turning Metasploit into Nessus
. Database backend provides “KB” function
. Auxiliary modules for assessment/discovery
. Event coordinator for triggering modules
. Report generator uses the database

Creating a professional mass-rooter

. Auxiliary modules perform discovery
. Exploit modules perform vuln checks
. Plugins automate exploitation
. Plugins automate post-exploitation
. Dump XML reports via ActiveRecord

Resources
“Metasploit completes license change, updates framework”
http://searchsecurity.techtarget.com/columnItem/0,294698,sid14_gci1210976,00.html