
Metasploit Pro Certified Specialist

Student Lab Guide




Version 21.07

DISCLAIMER: Unless otherwise indicated, this lab guide and its design, text, content, selection and arrangement of elements, organization,
graphics, design, compilation, digital conversion and other matters related to this document are protected under applicable copyrights,
trademarks and other proprietary (including, but not limited to, intellectual property) rights and are the property of Rapid7 LLC or the
material is included with the permission of the rights owner and is protected pursuant to copyright and trademark laws. ALL RIGHTS
RESERVED. If you have any questions about the use of this material, please contact [email protected].

21.07

Table of Contents

Understanding this Document
Lab Environment - Virtual Machines
Lab 1: Login, Global Settings, New Project
  Task 1: Log In
  Task 2: Configure Global Settings
  Task 3: Create a New Project
Lab 2: Scanning and Smart Exploitation
  Task 1: Run an MSP Scan
  Task 2: Smart Exploitation
  Task 3: Manual Exploitation
Lab 3: Meterpreter
  Task 1: Using Meterpreter on Linux
  Task 2: Using Meterpreter on Windows
  Task 3: Rerun an Attack(s)
  Task 4: Establish a Proxy Pivot
  Task 5: Scan Using the Pivot Proxy
  Task 6: Cleanup Sessions for Project
Lab 4: Agent Persistence
  Task 1: Establishing Persistence
  Task 2: Confirming Persistence
  Task 3: Cleaning Up Persistence
Lab 5: Vulnerability Validation and AdHoc Scans
  Task 1: Vulnerability Validation
  Task 2: Start Nexpose/InsightVM AdHoc Scan
Lab 6: Creating a Dynamic Payload
  Task 1: Generating a Dynamic Payload
  Task 2: Deploy and Listen for Executed Payload
  Task 3: Run a Quick PenTest
  Task 4: Cleanup Sessions
Lab 7: Leveraging Credentials – Pass the Hash
  Task 1: Collecting Password Hashes with a Post Exploitation Module
  Task 2: Manual “Pass the Hash”
  Task 3: Collecting System Data in Bulk
  Task 4: Reporting – Collected Evidence
  Task 5: Cleanup Active Sessions
Lab 8: Leveraging Credentials
  Task 1: Validate the ‘rocky’ Credentials
  Task 2: Run the Single Credentials Testing Metamodule
  Task 3: Run the Credentials Domino Metamodule
  Task 4: Cleanup Active Sessions
Lab 9: Exploit a vulnerable program
  Task 1: Set up your attack
  Task 2: Exploit the software
  Task 3: Keystroke Logging (Key Logging, Keyboard Logging)
Lab 10: Exploiting Web Apps
  Task 1: WebApp Scanning
  Task 2: WebApp Auditing
  Task 3: WebApp Exploitation
Lab 11: Phishing Campaign
  Task 1: Creating a Phishing Campaign
  Task 2: Run a Phishing Campaign
Lab 12: Reporting, Exporting Data, CLI and Backups
  Task 1: Reporting
  Task 2: Export Data – PWDUMP
  Task 3: Using Command Line Interface
  Task 4: Stop All Tasks and Create a Full Backup
Appendix A: Practice Exam Answer Key
Appendix B: Change Log

Understanding this Document


To better understand the Rapid7 Lab Guide instructions, please note the following:

This font style is instructional and provides direction in the lab.

Any text entered in a bold font indicates that you will be clicking on a button, menu, drop-down or item.

(Any text entered in italics inside parentheses is considered a special instruction, tip, or best practice that may not be a specific instruction.)

Any text entered in this Courier font indicates that you will be typing the text into a form, field, or command line interface.

‘Any text entered in italics inside single quotes indicates that the student should be looking for this item, section, or heading to continue the exercise steps.’


Lab Environment - Virtual Machines

At any time, you can auto-fill passwords in the VM by clicking the password button.

VM                            IP              Username   Password
Gateway                       192.168.1.1     -          -
Metasploit Console            192.168.1.100   rapid7     r@pid7!
Linux Mail Server             192.168.1.101   rapid7     r@pid7!
Student Win7                  192.168.1.102   rapid7     r@pid7!
Ubuntu_12                     192.168.1.112   rapid7     r@pid7!
Metasploitable2 – Linux       192.168.1.104   msfadmin   msfadmin
Windows Server 2008 r2 - SQL  192.168.1.105   rapid7     r@pid7!
Windows Server 2008 r2        192.168.1.106   rapid7     r@pid7!
Nexpose Console               192.168.1.110   rapid7     r@pid7!


Lab 1: Login, Global Settings, New Project


Task 1: Log In
(In this lab you will be using Metasploit_Console VM)

1. From the Cloudshare Lab page, select the Metasploit_Console VM.


2. Open the Terminal application from the Launcher Bar on the left.
3. From Terminal, check the Metasploit status with the “sudo /etc/init.d/metasploit status” command.
a. Type the password r@pid7!
b. If the Metasploit services failed to start, restart the VM with the sudo reboot command.
4. Open the Firefox Browser using the icon in the Launcher Bar on the left.
5. From the Firefox Browser, select the Metasploit bookmark.
6. Log in to Metasploit using the user1:pa$$word1 credentials.

Task 2: Configure Global Settings


1. From the Metasploit home page, hover over Administration in the top menu.
2. From the Administration menu, select Global Settings.
3. Select the SMTP Settings tab.
4. Enter the Address of 192.168.1.101
5. Keep the default port of 25
6. Keep the Use SSL option unchecked.
7. Enter the Domain of rapid7lab.com
8. Keep the Username and password fields blank.
9. Keep the Authentication option plain.
10. Save the settings by selecting the Update Settings button.

Task 3: Create a New Project


1. Navigate to the Home page, select the Project down arrow and create a new Project.
2. Enter the Project name MSP1.
3. Enter Description: Scanning using Smart Exploitation and Manual Exploitation.
4. Enter the Network range 192.168.1.100-110
5. Keep the default Restrict to network range Option unchecked.
6. Keep the default User Access settings.
7. Create the project using the Create Project button.
8. This will navigate you to the MSP1 Project Dashboard.

End of this lab. Stop for now.


Lab 2: Scanning and Smart Exploitation


Task 1: Run an MSP Scan
1. Select the Scan button in the MSP1 Project.
2. Keep the default Target Settings.
3. Select the Launch Scan button.
4. This will automatically navigate you to the Task View screen where you can monitor the scan status.
5. After a few minutes, select Overview in the Navigation Bar to review broad scan information.
6. Use the Analysis menu from the Navigation Bar to explore the granular information about specific Hosts,
Notes, Services, and Network Topology.

Task 2: Smart Exploitation


1. Once the Discovering task is complete, click the Exploit button in the upper right hand corner.
2. Click the Show Advanced Options button.
3. Uncheck Ignore known-fragile devices.
4. Change the concurrent exploits from 5 to 10.
5. Deselect the Only obtain one session per target option.
6. Keep all other default options.
7. Click the Exploit button.
8. This will automatically navigate you to the Task View where you can monitor exploitation status.
9. When a number appears inside a circle next to Session, click on that tab. Take note of:
a. Session Number
b. Host
c. Attack Module
10. Investigate the attack module by clicking on the link and reading what the exploit targeted, the ranking of
the exploit and the variables you can configure should you decide to launch this exploit again.

Task 3: Manual Exploitation


1. Navigate to the Analysis page.
2. Notice the machines discovered and look for the Windows systems. One machine is named Win2K8-SQL. Assume that SQL Server is installed on this machine.
3. Hover on Modules Tab and slide down to Search.
4. In the Search Modules box, type in mssql. (MS = Microsoft)
5. In the list, look for the 5-star modules and click on Microsoft SQL Server Payload Execution.
6. Under Target Systems, edit the address to represent the machine you suspect SQL is loaded on.
7. Under Module Options, change Method to ps.
8. Click Run Module.
9. Watch for an additional session to open on the 192.168.1.105 machine.

End of this lab. Stop for now.


Lab 3: Meterpreter
Task 1: Using Meterpreter on Linux
1. In MSP1, select Sessions from the Navigation Bar. Review Active and Closed Sessions.
2. Select an active session corresponding to the host 192.168.1.104 – Metasploitable.
3. Click on the Session, not the Host IP.
4. Select the Command Shell button to start the Meterpreter shell, or right click and open it in a new tab.
5. Enter the ? character to view help options for the Meterpreter shell. When you type in a Meterpreter shell and the cursor is blinking in red, please wait.
6. View system data by running the following Meterpreter commands:
a. sysinfo
b. getuid
c. getwd
d. ps
e. localtime
f. ls

Task 2: Using Meterpreter on Windows


1. Open the Sessions tab again.
2. Open the Session ## for the Windows Server 2008r2 - SQL link on machine 192.168.1.105.
3. Select the Command Shell button to start the Meterpreter shell or you can right click and open in new tab.
4. Observe the difference between a Linux shell and a Windows shell.
5. Type in ? and try the following commands:
a. sysinfo
b. getuid
c. getpid
d. ipconfig
e. run post/windows/gather/smart_hashdump
f. ps

Task 3: Rerun an Attack(s)


1. Navigate to the Sessions page.
2. Select the Cleanup button.
3. Select all sessions in the list.
4. Select the Cleanup Sessions button.
5. Navigate to the Sessions page.
6. Under the Closed Session, click the Rerun button.
7. This will navigate you to the Automated Attack Replay Settings. Keep the defaults.
8. Click Replay Attacks.
9. Watch the Task Log to see which ones reopen.
10. Select the Cleanup button.
11. Select all sessions in the list.
12. Select the Cleanup Sessions button.
13. Navigate to the Sessions page.
14. Select the Attack Module: MSSQL_PAYLOAD, scroll to the bottom of the page and click Run Module.
15. Watch the Task Log to see when it opens.


Task 4: Establish a Proxy Pivot


1. Select the active session on the WINDOWS SERVER 2008R2 - SQL host, which has Meterpreter listed in
the Type column.
2. Select the Create Proxy Pivot button in the Available Actions section.
3. Select OK in the confirmation prompt.
4. The session page will refresh to indicate a route is successfully created.
5. Note the Create Proxy Pivot button is replaced with a Delete Pivot Point button.

Task 5: Scan Using the Pivot Proxy


1. Once the proxy pivot is established, switch to the Windows Server 2008r2 - SQLServer VM.
a. Open the Start menu.
b. Select Command Prompt.
c. Maximize the Command Prompt window.
d. Run the command netstat -an to view active network connections.

2. In the Metasploit Console:


a. Select Modules Tab in the Navigation Bar.
b. In the Search Modules box enter the following: type:auxiliary portscan
c. Select TCP Port Scanner module
d. Set Target Address to 192.168.1.101
e. Set Ports to 21-25,80,110-900
f. Set Threads from 1 to 5
g. Click on the Run Module button.
3. This will automatically navigate you to the Task View screen where you can monitor progress.
4. In the Windows Server 2008r2 - SQLServer console:
a. Re-run the netstat -anp tcp command several times while the Metasploit Scan Task is running.
b. During the port scanning phase of the Scan Task, observe the large number of TCP SYN_SENT entries.
c. As the scan progresses you may see new TCP connection statuses such as TIME_WAIT,
FIN_WAIT, FIN_WAIT_2.
d. You can run netstat -anp tcp to filter for only TCP network connections.
5. In the Metasploit Console
a. Select Tasks in the Navigation Bar and select the newly completed Discovering task.
b. Review the Task Log for the pivoted discovery run, considering the network traffic observed on the
Windows Server 2008r2 - SQLServer system.
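The netstat observations in this task are what a defender would look for on a host being used as a pivot: a burst of outbound half-open (SYN_SENT) and short-lived (TIME_WAIT, FIN_WAIT_2) connections to many distinct ports on one remote host. The following Python script is an added example, not part of the lab guide or of Metasploit Pro; it parses Windows netstat -anp tcp output and flags remote hosts contacted on an unusual number of ports. The sample output and the port threshold are constructed assumptions.

```python
"""Spot a pivoted port scan in Windows `netstat -anp tcp` output.

Added example for Lab 3, Task 5. Not part of the lab guide or Metasploit Pro.
The sample below is constructed by hand to resemble the pivot host
(192.168.1.105) mid-way through the TCP port scan of 192.168.1.101.
"""
import re
from collections import Counter, defaultdict

# Constructed sample of `netstat -anp tcp` (not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    192.168.1.105:49152    192.168.1.100:4444     ESTABLISHED
  TCP    192.168.1.105:49201    192.168.1.101:21       SYN_SENT
  TCP    192.168.1.105:49202    192.168.1.101:22       ESTABLISHED
  TCP    192.168.1.105:49203    192.168.1.101:23       SYN_SENT
  TCP    192.168.1.105:49204    192.168.1.101:24       SYN_SENT
  TCP    192.168.1.105:49205    192.168.1.101:25       TIME_WAIT
  TCP    192.168.1.105:49206    192.168.1.101:80       TIME_WAIT
  TCP    192.168.1.105:49207    192.168.1.101:110      SYN_SENT
  TCP    192.168.1.105:49208    192.168.1.101:111      SYN_SENT
  TCP    192.168.1.105:49209    192.168.1.101:443      FIN_WAIT_2
"""

# One netstat row: protocol, local address, foreign address, state.
NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

# States left behind by outbound probes. LISTENING is excluded because it is a
# local service socket, not a connection the host initiated.
PROBE_STATES = {"SYN_SENT", "ESTABLISHED", "TIME_WAIT",
                "FIN_WAIT_1", "FIN_WAIT_2", "CLOSE_WAIT"}


def split_addr(addr):
    """Split 'ip:port' into (ip, port). IPv6 like '[::1]:80' keeps its brackets."""
    ip, port = addr.rsplit(":", 1)
    return ip, int(port)


def parse_netstat(text):
    """Turn `netstat -anp tcp` output into a list of connection dicts."""
    entries = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # banner, column header or blank line
        local_ip, local_port = split_addr(m.group(1))
        remote_ip, remote_port = split_addr(m.group(2))
        entries.append({"local_ip": local_ip, "local_port": local_port,
                        "remote_ip": remote_ip, "remote_port": remote_port,
                        "state": m.group(3)})
    return entries


def count_states(entries):
    """Histogram of TCP states, the figure the task asks you to watch."""
    return Counter(e["state"] for e in entries)


def find_scan_targets(entries, min_ports=5):
    """Return {remote_ip: sorted ports} for remote hosts reached on at least
    `min_ports` distinct ports by connections in probe states.
    The default threshold is an assumption chosen for the constructed sample;
    tune it to the host's normal traffic."""
    ports_by_target = defaultdict(set)
    for e in entries:
        if e["state"] in PROBE_STATES and e["remote_ip"] != "0.0.0.0":
            ports_by_target[e["remote_ip"]].add(e["remote_port"])
    return {ip: sorted(ports) for ip, ports in ports_by_target.items()
            if len(ports) >= min_ports}


def main():
    entries = parse_netstat(SAMPLE_NETSTAT)
    print("connection states:", dict(count_states(entries)))
    for ip, ports in find_scan_targets(entries).items():
        print(f"possible port scan through this host toward {ip}: "
              f"{len(ports)} distinct ports {ports}")


if __name__ == "__main__":
    main()
```

On the real pivot host you would feed the script repeated netstat captures taken while the scan task runs, as steps 4a through 4d describe, rather than the constructed sample.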

Task 6: Cleanup Sessions for Project


1. Select Sessions in the Navigation Bar.
2. Select the Cleanup button.
3. Select all sessions in the list and click the Cleanup Sessions button.
End of this lab. Stop for now.


Lab 4: Agent Persistence


Task 1: Establishing Persistence
1. Select Global Settings from the Administration menu.
2. Select the Persistent Listeners tab.
3. Select the New Listener button.
4. The Associated Project will be MSP1.
5. Enter 192.168.1.100 for Listener Address.
6. Enter 10101 for Listener Port
7. Keep all other default selections.
8. Select the Save Listener button.
9. Browse to the MSP1 Project Dashboard and select Sessions in the Navigation Bar.
10. On the WINDOWS SERVER 2008R2 - SQL host, click on the Attack Module MSSQL_Payload.
11. Scroll to the bottom and click Run Module. Open the session when it becomes available.
12. Select the Post-Exploitation Modules tab.
13. Select the Metasploit Pro Persistent Agent module, which has the Module Name ‘post/pro/multi/agent’.
14. Enter 192.168.1.100 for AGENT_LHOST
15. Select the open Meterpreter session on the WINDOWS SERVER 2008R2 - SQL host in the sessions list.
16. Keep all other default settings.
17. Select the Run Module button.
18. This will automatically navigate you to the Task View where you can observe the progress.
19. Upon successful completion, you will observe a new Session has opened on the WINDOWS SERVER
2008R2 - SQL host.

Task 2: Confirming Persistence


1. Navigate to the Windows Server 2008r2 – SQL VM
a. Reboot the WINDOWS SERVER 2008R2 - SQL host.
b. Go back to Metasploit and hit the refresh button in the Firefox browser.
c. Wait for the target host to restart completely. Hit refresh again.
2. Return to the Metasploit Console:
a. Observe the persistent session re-opens when the WINDOWS SERVER 2008R2 - SQL host fully
reboots. The original session acquired with the MSSQL_Payload does not.
b. Select Sessions in the Navigation Bar.
c. Choose Cleanup and Cleanup Sessions.
d. Watch the sessions tab for the target host and a new session appears.
e. Select the active persistent session on the WINDOWS SERVER 2008R2 - SQL host.
f. Select Terminate Session and OK.
g. Observe the persistent session has re-opened again.


Task 3: Cleaning Up Persistence


1. Select Sessions in the Navigation bar.
2. Select the persistent session on the WINDOWS SERVER 2008R2 - SQL host.
3. Select the Post-Exploitation Modules tab.
4. Select the Metasploit Pro Persistent Agent Cleanup module, which has the Module Name
‘post/pro/multi/agent_cleaner’
5. Select the active persistent session on the WINDOWS SERVER 2008R2 - SQL host from the session list.
6. Select the Run Module button.
7. This will automatically navigate you to the Task View where you can observe the progress.
8. Once cleanup is complete, select Sessions in the Navigation Bar.
9. Observe the persistent session is still open.
10. Select the persistent session on the WINDOWS SERVER 2008R2 - SQL host.
11. Select Terminate Session.
12. Select Sessions in the Navigation Bar.
13. Observe that the session has not reopened, because the persistent agent has been removed.

End of this lab. Stop for now.


Lab 5: Vulnerability Validation and AdHoc Scans


Task 1: Vulnerability Validation
1. Navigate to the Home page, select the Vulnerability Validation button from the Home page.
2. In the Project Name field, enter the name Vuln Validation Project
3. In Description, add This lab will match MSP exploits with NXP vulns.
4. Click on the Pull from Nexpose tab. The Nexpose Consoles page appears.
5. Select the Configure a Nexpose Console button.
6. Name the Console Nexpose
7. Enter the Console Address of 192.168.1.110
8. Keep the default Console Port of 3780.
9. Enter the Console Username of user1.
10. Enter the Console Password of password1.
11. Save the settings by selecting the Connect to Nexpose button.
12. Confirm your Nexpose Console Status is ‘Successful’. It will appear briefly in the lower right hand corner
after connection is successful. Choose the MSP Lab
13. Under Tag, choose Automatically Tag by OS.
14. Under Exploit, check Collect evidence.
15. Uncheck Clean up sessions when done. This is important; we will be using the sessions generated in
future exercises.
16. Click Start.
17. Metasploit Pro imports any vulnerability that matches a Metasploit remote exploit module that has a ranking
of Great or Excellent. Import will complete in 1-2 minutes. View each tab:
a. Hosts Imported
b. Vulns found
c. Remote Exploit Matches
d. Vuln validations
e. Vuln exceptions
18. Click the Push to Nexpose in the upper right hand corner. This will allow MSP to push vulnerabilities back
as validated or as exceptions. Leave the defaults and click PUSH.

Task 2: Start Nexpose/InsightVM AdHoc Scan


1. Navigate to the Home page, select the Project down arrow and create a new Project.
2. Name the Project Nexpose AdHoc Scan.
3. In the Description, add Launching a scan in Nexpose from MSP
4. Change the Network range to 192.168.1.100-110.
5. This will take you to the Overview page.
6. Under Discovery, choose Nexpose Scan.
7. Under Import Data, leave the default - From Nexpose.
8. Under from Nexpose, choose the Nexpose console.
9. Choose Scan and import data. Leave the default scan targets.
10. Use the scan template “Full Audit without Web spider” and choose Import Data in the lower right hand
corner.
11. The task pane will show the progress of the running scan in Nexpose.
End of this lab. Stop for now.


Lab 6: Creating a Dynamic Payload


This lab must be run from within the virtual machines.

Task 1: Generating a Dynamic Payload


1. From the Projects page, launch the Payload Generator.
2. The default is Dynamic Payload (AV evasion)
3. Leave the defaults but explore the dropdown menus for Architecture, Stager, Stage.
4. Configure the LHOST as 192.168.1.100 and keep LPORT as 4444.
5. When you are ready to build the payload, click the Generate button. The Generate button will be active if all
required options for the payload are configured properly.
6. Be careful to download and save the file - do not open it.
7. Minimize Metasploit and your payload is on the desktop.
8. Right click and rename the file: microsoft_update.exe.
9. To configure your MetasploitPro host to listen for this payload, go to Administration.
10. Under Global Settings, choose Persistent Listeners.
11. Click New Listener.
a. Configure your Listener on project MSP1
b. The Listener payload will match the payload you created: Windows Meterpreter (TCP)
c. The Listener address is 192.168.1.100
d. The Listener port is 4444
e. Make sure there is a check mark in Enabled.
f. Save Listener.

Task 2: Deploy and Listen for Executed Payload


1. Open a new tab and click on the Webmail link in Firefox Browser Toolbar.
a. It will navigate to https://192.168.1.101/mail
b. If prompted:
i. Expand the I Understand the Risks section of the ‘This Connection is Untrusted’ page.
ii. Select the Add Exception button.
iii. Select the Confirm Security Exception button in the Add Security Exception window.
c. Log in to the Webmail UI using the metasploituser1:rapid7 credentials.
2. Compose an email to [email protected] .
a. Subject: Patch Tuesday
b. Body: We need to run this update for latest security concerns.
c. Click Attach a file, navigate to your desktop and open microsoft_update.exe. Upload and send.
3. Open the Windows 7 machine.
a. Navigate to https://192.168.1.101/mail
b. If prompted:
i. Expand the I Understand the Risks section of the ‘This Connection is Untrusted’ page.
ii. Select the Add Exception button.
iii. Select the Confirm Security Exception button in the Add Security Exception window.
c. Log in to the Webmail UI using the metasploituser1:rapid7 credentials.
d. Open the email, double click on microsoft_update.exe and download.

e. Once file completes downloading, double click and Run the file.
4. While still on the Windows7 box, right-click the Windows 7 VM taskbar.
a. Click Start Task Manager.
b. Move to the processes tab and look for microsoft_update.exe.
5. Return to the Metasploit Pro system.
a. Open the MSP1 project.
b. Note the session that is now open on the Windows7 box.

Challenge: Run the same payload on the WINDOWS SERVER 2008 R2 machine. Are you able to get a session?

Task 3: Run a Quick PenTest


1. Browse to the Metasploit VM and open the homepage.
2. Select the Quick PenTest icon from the Home page.
3. In the Target Settings tab:
a. Select Everything for Target Profile.
b. Enter QPT for Project Name.
c. Enter 192.168.1.1-110 for Target Addresses.
d. Deselect the Restrict to network range option.
4. In the Configure Scan tab:
a. Select the Import option.
b. Select the Choose Import button.
c. Select the MSPLab.xml file on the Desktop.
d. Select the Open button.
5. Keep all default selections in the Run Exploits and Generate Report tabs.
6. Select the Start Scan button.
7. This will automatically navigate you to the Task View screen where you can monitor the progress.

Task 4: Cleanup Sessions


1. Navigate to your Home page.
2. For any project that has a session open, select Sessions in the Navigation Bar inside the project.
3. Select the Cleanup button.
4. Select all sessions in the list.
5. Select the Cleanup Sessions button.
End of Day One


Lab 7: Leveraging Credentials – Pass the Hash


Task 1: Collecting Password Hashes with a Post Exploitation Module
1. Rerun a mssql_payload attack on the WINDOWS SERVER 2008R2 - SQL machine in the ‘MSP1’ project.
2. Enter the Session View for your WINDOWS SERVER 2008R2 - SQL session.
3. Select the Post-Exploitation Modules tab, below the Available Actions section.
4. Select the Windows Gather Local User Account Password Hashes (Registry) Post-Exploitation Module
in the list. Tip: All modules are listed alphabetically by module name. This module is named
‘post/windows/gather/hashdump’.
5. Select the session for a WINDOWS SERVER 2008R2 - SQL (192.168.1.105) host.
6. Run the module by selecting the Run Module button.
7. This will automatically navigate you to the Task View screen where you can monitor module run status.
8. When completed, hover on the Credentials tab and go to Manage.
9. For the user Administrator, select the more link under the Private column.
10. In the Private Data pop-up, right click and select Copy. We will use this hash for the Pass the Hash
exercise.
11. Close the pop-up.

Task 2: Manual “Pass the Hash”


1. Select Search from the Modules menu in the Navigation Bar.
2. Enter the term psexec in the Search Modules field. Hit Enter to run the search.
3. Select the Microsoft Windows Authenticated User Code Execution module.
4. Target Addresses will be 192.168.1.100-110
5. Keep the default Exploit Timeout, Target Settings, Payload Options.
6. In Module Options, change the following fields:
a. For SMBUser enter Administrator.
b. For SMBPass, right click and select paste.
Confirm that the hash does not contain any additional leading or trailing characters
7. Keep all other default Module Options.
8. Run the module by selecting the Run Module button.
9. This will automatically navigate you to the Task View screen where you can monitor module run status. (This
module takes 4-6 minutes to complete)

Task 3: Collecting System Data in Bulk


1. Select Sessions in the Navigation Bar. There should be a number next to the word ‘Sessions’ indicating the
number of active sessions.
2. Select the Collect button.
3. Select all sessions in the Active Sessions list.
4. Keep the default Evidence to collect options.
5. Select the Collect System Data button.
6. This will automatically navigate you to the Task View screen where you can monitor collection status. (Data
collection will take about 2-4 minutes)
7. When collection concludes, browse to the Hosts view from the Analysis menu in the Navigation Bar.


Task 4: Reporting – Collected Evidence


1. Select Reports in the Navigation Bar.
2. Select Create Standard Report.
3. Select Collected Evidence for Report Type.
4. Select 192.168.1.100-192.168.1.110 for Included addresses.
5. Keep all other default values.
6. Select Generate Report button in lower right.
7. Wait several moments for the report to generate, and then view the generated report.

Task 5: Cleanup Active Sessions


1. Select Sessions in the Navigation Bar.
2. Select the Cleanup button.
3. Select all sessions in the list.
4. Select the Cleanup Sessions button.

End of this lab. Stop for now.


Lab 8: Leveraging Credentials


Task 1: Validate the ‘rocky’ Credentials
1. In the MSP1 Project, select Manage from the Credentials menu in the Navigation Bar.
2. Select the credentials for rocky by clicking on the username hyperlink.
3. For each item, use the Key icon on the right to validate the credential.
4. Observe for which systems the credential is valid.

Task 2: Run the Single Credentials Testing Metamodule


1. Select MetaModule from the Module menu in the Navigation Bar.
2. In the Single Credentials Testing box, select Launch.
3. Enter 192.168.1.100-192.168.1.110 for the Address Range.
4. Keep all default selections in the Services and Ports tab.
5. Select the Credentials tab
6. Select the Choose an existing credential pair option.
7. Select a ‘rocky’ credential that was validated.
8. Keep all default selections in the Generate Report tab.
9. Select the Launch button at the bottom of the Single Credentials Testing pane.
10. This will automatically navigate you to the MetaModule status view where you can observe the progress.
(Note: There are more details available in the “Task Log” tab of this view.)
11. Once the MetaModule execution is finished, select Reports from the Navigation Bar.
12. View the newly generated report, which has the ‘Credential MetaModule’ Report Type.

Task 3: Run the Credentials Domino Metamodule


1. Please rerun the psexec attack module on Student-Win7 VM.
2. Select MetaModules from the Module menu in the Navigation Bar.
3. In the Credentials Domino box, select Launch.
4. Select 192.168.1.102 as the initial host.
5. After selecting an initial host, a list of user login accounts and active sessions appears.
6. Select the rocky credential you validated in a previous step.
7. On the Scope page make the following changes:
a. Exclude 192.168.1.100.
b. In the High Value Hosts box, enter 192.168.1.106. Add AD as the tag.
8. On the Settings page, clear the Clean up sessions checkbox.
9. On the Generate Report page, change the report type from PDF to HTML.
10. Click the Launch button.
11. Watch as other machine names populate in the result window that appears.

Task 4: Cleanup Active Sessions


1. Select Sessions in the Navigation Bar.
2. Select the Cleanup button.
3. Select all sessions in the list.
4. Select the Cleanup Sessions button.

End of this lab. Stop for now.

Lab 9: Exploit vulnerability in MS Office Word and start Keylogger


Task 1: Generate MS Office Word Payload
a. Navigate to the Metasploit Pro main page by clicking on the Metasploit Pro icon.
b. From the Global Tools area, click the Payload Generator button.
c. Select Classic Payload.
d. In the Payload Options tab, set LHOST to 192.168.1.100.
e. Set LPORT to 14444.
f. Leave the rest as is.
g. Navigate to the Output Options tab.
h. Change Format from exe to vba-exe.
i. Click the Generate button.
j. From the Payload generated notification popup, click the Download button.
k. Save the file with the default name.

Task 2: Share payload directory through web


a. On the Metasploit_Console VM, start Terminal.
b. In the command line, type cd Desktop && ls
c. Confirm that you can see your vba-exe payload.
d. Type python -m SimpleHTTPServer 12345
e. Confirm that the HTTP server on port 12345 is running, then minimize the Terminal window.

Task 3: Configure Persistent Listener to accept connections


a. From the top navigation area, click Administration | Global Settings | Persistent Listeners.
b. Click the New Listener button.
c. Confirm that Associated Project is MSP1.
d. Enter 192.168.1.100 as the Listener Address.
e. Enter 14444 as the Listener Port.
f. Confirm that the Enable checkbox is ticked and click the Save Listener button.

Task 4: Build and execute malicious file


a. From the Windows Server 2008r2 – SQL VM, open the Firefox browser.
b. Open the http://192.168.1.100:12345 link.
c. Click the vba-exe payload link and save the file.
d. Open the saved vba-exe payload in Notepad and enable Word Wrap.
e. Copy all of the MACRO CODE, starting from Sub Auto_Open() till the last End Sub.
f. Open a new Microsoft Word document.
g. From the View ribbon, create a new macro, paste the previously copied payload macro code into
the macro editor, then click the Save button in the top navigation area.
h. Reopen Notepad and this time copy the PAYLOAD DATA, starting from the last star symbol
till the end of the file.
i. Paste the copied payload data as text into the Word document.
j. Save the MS Word document as Invoice-14444 on the Desktop and close the program.
k. Reopen the Invoice-14444 document.
l. Navigate to the Metasploit_Console VM and open the MSP1 project.

m. Observe the Sessions tab and confirm that you have a Meterpreter session from the Windows Server
2008r2 – SQL VM with IP address 192.168.1.105.

Task 5: Keystroke Logging (Key Logging, Keyboard Logging)


1. In the Metasploit VM Console:
a. Navigate and click on Sessions in the Navigation Bar.
b. Select the Handler sessions with a Meterpreter shell.
c. Select the Command Shell button to start the Meterpreter shell.
d. Run keyscan_start.
2. In the Windows Server 2008r2 – SQL VM console:
a. Open a new tab in Firefox.
b. In the URL Address Bar of Firefox, enter https://192.168.1.101/mail
c. If prompted:
i. Expand the I Understand the Risks section of the ‘This Connection is Untrusted’ page.
ii. Select the Add Exception button.
iii. Select the Confirm Security Exception button in the Add Security Exception window.
d. Log in to the Webmail UI using the metasploituser1:rapid7 credentials.
3. Return to the Metasploit Console:
a. Run keyscan_dump.
b. Observe the captured keystrokes from the target system’s Firefox browser.
4. Return to the Windows Server 2008r2 – SQL console:
a. Select the Start menu.
b. Type note.
c. Select Notepad.
d. In Notepad, type whatever text you choose.
e. Close Notepad.
5. Return to the Metasploit Console:
a. Run keyscan_dump.
b. Observe that all user keystrokes are captured, not just those in Firefox.
c. Run keyscan_stop.

End of this lab. Stop for now.

Lab 10: Exploiting Web Apps


Task 1: WebApp Scanning
1. Navigate to the ‘default’ project.
2. Select Web Apps in the Navigation Bar.
3. Select the WebScan button.
4. Select the 192.168.1.101 system running Apache.
5. Expand the Advanced Options section.
6. Select Report if SSL is not enabled in the Transport Layer Security section.
7. Select Report if weak SSL ciphers are allowed in the Transport Layer Security section.
8. Select the Launch Scan button.
9. This will automatically navigate you to the Task View where you can observe the discovery progress.

Task 2: WebApp Auditing


1. Once the WebApp Scan completes, select Web Apps in the Navigation Bar.
2. Select the Audit Web Apps button.
3. Open Advanced Options.
4. Unselect All Targets by checking the top orange checkmark.
5. Choose only http://192.168.1.104/phpMyAdmin/test/index.php.
6. Keep all default selections.
7. Select the Launch Audit button.
8. This will automatically navigate you to the Task View where you can observe the vulnerability auditing of a
form.
9. This process will take a very long time. Select Stop in the upper right-hand corner after 2 minutes.

Task 3: WebApp Exploitation


1. The WebApp Audit can take upwards of 18+ hours to complete. A completed WebApp Audit has been
provided for training purposes.
2. Select Web Apps in the Navigation Bar.
3. Select the Exploit Web Apps button.
4. Uncheck Obtain one session per target & skip targets w/session.
5. Keep all default selections.
6. Select the Launch Exploits button.
7. You will automatically navigate to the Task View where you can observe the progress and the sessions that
open.
8. Open the session and Terminate.

End of this lab. Stop for now.

Lab 11: Phishing Campaign


Task 1: Creating a Phishing Campaign
1. Go to Quick Start Wizards on the home page.
2. Select Phishing Campaign in the Navigation Bar.
3. Enter the Name Going Phishing and click Next.
4. Select the Phishing Campaign option.
5. Name the campaign Human Resources.
6. Select the E-mail icon in the Campaign Components section.
a. Select Create a new Target List… in the Choose a Target List dropdown menu.
b. Enter Training Targets for the List Name.
c. In the Manually Add Targets section:
i. Enter [email protected] in the Email Address field.
ii. Enter Target in the First Name field.
iii. Enter User in the Last Name field.
iv. Select the Submit button.
d. Keep all other default settings in the Configure E-mail Settings pane.
e. Select the Next button.
f. Keep all default settings in the Create E-mail Content pane.
g. Select the Preview button to view a preview of the phishing e-mail.
h. Select the Save button.
7. Select the Landing Page icon in the Campaign Components section.
a. Enter the Path extension phishing1.
b. Select the Campaign Redirect Page option.
c. Select the Next button.
d. Select the Preview button to view a preview of the landing page.
e. Select the Save button.
8. Select the Redirect Page icon in the Campaign Components section.
a. Enter the Path extension redirection.
b. Select the Next button.
c. Select the Preview button to view a preview of the redirect page.
d. Select the Save button.
9. Select the E-mail Server icon in the Server Configurations section.
a. Confirm that the pre-populated Configure E-mail Server settings match the SMTP Server Global
Settings we configured in Lab 1 Task2.
b. Select the Save button.
10. Select the Web Server icon in the Server Configurations section.
a. Change the port number to 8181
b. Keep all other default settings in the Configure Web Server pane.
c. Select the Save button.
11. At the bottom of the Configure a Campaign tab, select the Save button.
12. This will automatically navigate you to the Manage Campaigns tab where you can see the newly created
Phishing campaign.

Task 2: Run a Phishing Campaign


1. In the Metasploit Console:
a. Select Campaigns in the Navigation Bar.
b. Select the Manage Campaigns tab.
c. Select the Start button for the Phishing campaign.
d. Select the OK button for the ‘Are you sure?’ prompt.
e. You will automatically be taken to the Findings View where you can observe the progress.
2. Switch to the Student Win7 Virtual Machine
3. In the Student Win7 console:
a. Click once on the Student Win7 window to view the desktop.
b. If necessary, log in to Windows 7 using the rapid7:r@pid7! credentials.
c. Open the Firefox Browser using the icon in the Task Bar on the bottom.
d. In the URL Address Bar of Firefox, enter https://192.168.1.101/mail
e. If prompted:
i. Expand the I Understand the Risks section of the ‘This Connection is Untrusted’ page.
ii. Select the Add Exception button.
iii. Select the Confirm Security Exception button in the Add Security Exception window.
f. Log in to the Webmail UI using the metasploituser1:rapid7 credentials.
g. Select the URGENT e-mail.
4. In the Metasploit Console:
a. Review the Campaign Facts in the Phishing Findings View.
5. In the Student Win7 console:
a. Select the Display images button in the Webmail UI.
6. In the Metasploit Console:
a. Review the Campaign Facts in the Phishing Findings View.
7. In the Student Win7 console:
a. Select the Click here link in the Phishing E-mail.
8. In the Metasploit Console:
a. Review the Campaign Facts in the Phishing Findings View.
9. In the Student Win7 console:
a. Fill out any non-sensitive information for the Phishing Landing Page form.
b. Select the Submit button.
c. This will automatically navigate you to the Phishing Redirection Page.
10. In the Metasploit Console:
a. Review the Campaign Facts in the Phishing Findings View.
11. Select the Done button in the Phishing Findings View.
12. Select the Stop button for the Phishing Campaign in the Manage Campaigns tab.
13. Select the Findings link for the Phishing Campaign.
14. Select the Generate Report in the Phishing Campaign Findings View.
15. Keep all default settings for the report and scroll to the bottom and select the Generate Report button.
16. Select Reports from the Navigation Bar.
17. View the newly generated report, which has the ‘Social Engineering Campaign Details’ Report Type.

End of this lab. Stop for now.

Lab 12: Reporting, Exporting Data, CLI and Backups


Task 1: Reporting
1. Browse to the ‘MSP1’ Project Dashboard. Select Reports in the Navigation Bar.
2. Select Create Standard Report.
3. Select Collected Evidence under Report type.
4. Under File Formats, keep PDF selected.
5. Under Options, select Include Charts.
6. Select Generate Report in the lower right-hand corner.
7. Select Reports in Navigation Bar, select Create Standard Report.
8. For the second report, select Web Application Assessment, change format to HTML and generate report.
9. For the third report, select Services under Report Type.
10. Change File Format to RTF and under Options, choose to Include Charts.
11. Generate Report.
12. Navigate to Reports and take a moment to look at the report you just made.
13. Under Report Actions in the lower right hand corner, email report to
[email protected].

Task 2: Export Data – PWDUMP


1. Select Exports in the Navigation Bar.
2. Select the Export Data button.
3. Select Password Dump from the “Export type” dropdown menu in the Export Type section.
4. Rename this file PWDUMP. It will generate as a .txt file.
5. Click the Export Data button.
6. This will automatically navigate you back to the Exports page.
7. After a minute, the Exports page will refresh to show the completed export file.
8. Select the Download link in the Actions column.
9. Select the default Open with option.
10. Select the OK button. The file opens in the gedit text editor.
11. This file is in the Metasploit Pro PWDump file format, which can be consumed by other password-cracking tools.
12. Exit the gedit text editor when you have finished reviewing the PWDump file.
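As an added example (not part of this lab guide or of Metasploit Pro itself), the following Python script triages a PWDump-style export the way a defender would before handing it to remediation: it assumes the common pwdump line layout user:rid:lmhash:nthash:::, skips comment and non-matching lines, and flags accounts that still store an LM hash, have an empty password, or share an NT hash with another account (password reuse). The sample export and its hashes are constructed for the example.

```python
"""Triage a pwdump-style export (added example; constructed sample data).

Assumes the common line layout  user:rid:lmhash:nthash:::  and skips comment
lines ('#') and anything else that does not match. The two constants below are
the well-known 'no LM hash stored' value and the NT hash of an empty password.
"""
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# Constructed sample export: made-up accounts, hashes chosen to trigger each check.
SAMPLE_EXPORT = """\
# LM/NTLM Hashes (constructed sample)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
rocky:1002:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
not a pwdump line
"""


def parse_pwdump(text):
    """Return (user, rid, lmhash, nthash) tuples; hashes are lower-cased."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PWDUMP_RE.match(line)
        if m:
            user, rid, lm, nt = m.groups()
            entries.append((user, int(rid), lm.lower(), nt.lower()))
    return entries


def triage(entries):
    """Flag the weaknesses a defender should remediate first."""
    findings = {"lm_stored": [], "empty_password": [], "shared_nt": {}}
    by_nt = defaultdict(list)
    for user, _rid, lm, nt in entries:
        if lm != EMPTY_LM:
            findings["lm_stored"].append(user)       # LM hash stored: NoLMHash not enforced
        if nt == EMPTY_NT:
            findings["empty_password"].append(user)  # account has an empty password
        by_nt[nt].append(user)
    # Same NT hash on several accounts means the same password is reused.
    findings["shared_nt"] = {nt: users for nt, users in by_nt.items()
                             if len(users) > 1 and nt != EMPTY_NT}
    return findings


if __name__ == "__main__":
    for key, value in triage(parse_pwdump(SAMPLE_EXPORT)).items():
        print(key, value)
```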

Task 3: Using Command Line Interface


1. Open and maximize the terminal window.
2. At the command prompt, type:
a. cd /opt/metasploit
b. sudo msfpro
c. The password is r@pid7! The service will spin up in approximately 1 minute.
3. When you see the msf-pro> prompt, type help.
4. Try the following commands:
a. version
b. banner (type this in multiple times)
c. ?
d. hosts
e. pro_bruteforce
f. vulns
g. services
5. Close the terminal.

Task 4: Stop All Tasks and Create a Full Backup


1. Select Administration, then Global Settings.
2. Choose the Stop All Tasks tab.
3. Choose Stop All Tasks.
4. Confirm the stop by selecting OK.
5. Select the Backups tab.
6. Select New Backup.
7. Enter a name and description.
8. Select Create Backup. You will be able to restore once the backup status shows ‘Complete’.

End of this lab. Stop.

Appendix A: Practice Exam Answer Key


1. What is the definition of an exploit?


a) A security flaw or weakness in an application or system that enables an attacker to compromise the
target system.
b) A program that takes advantage of a specific vulnerability and provides an attacker with access
to the target system.
c) Information returned from a system, which aids in identifying potential weaknesses
d) Code that is executed on a compromised system, usually used to increase access, such as through a shell
or creation of an account, or to retrieve sensitive information.

2. For client-side exploitation, a _LISTENER__ receives inbound connections from persistent agents on
compromised systems.

3. A persistent listener can be configured:


a) In the Global Settings page
b) In the Project Settings page
c) In the Quick PenTest Wizard
d) None of the above

4. The primary network tool Metasploit Pro uses for discovery:


a) netstat
b) Nexpose
c) nmap
d) Netcat
e) None of the Above

5. Match the following host statuses to their description:

Status Name      Description
1- Cracked       a. Host has been exploited successfully
2- Shelled       b. Host data has been collected
3- Scanned       c. Host credentials have been compromised
4- Looted        d. Host details have been discovered

1=c, 2=a, 3=d, 4=b

6. Metasploit Pro refers to collected system data as _______.


a) rubble
b) creds
c) stash
d) loot

7. Metasploit Pro offers all of the following types of social engineering techniques, EXCEPT for:
a) Phishing
b) Client-side exploits
c) Cloud connection
d) USB storage
e) All are offered by MSP

8. What is the definition of a client-side exploit?


a) An exploit that targets workstations over the network with vulnerable services.
b) An exploit that takes advantage of desktop software, such as web browsers, mail clients, or
document viewers and editors.
c) An exploit that cannot be used against a server target under any circumstances.
d) None of the above

9. When running automated exploits, the _________ defines the exploit modules that Metasploit Pro will use
to attack the target system.
a) Scan data
b) Network map
c) Vulnerability analysis
d) Attack plan

10. The _________ uses a compromised system to route network traffic.


a) Botnet
b) Meterpreter
c) VPN Pivot
d) Routing Module

11. _______ is an attack method that attempts to use a looted password hash to authenticate to a remote
system.
a) Hash authenticate module
b) Pass the Hash
c) Loot authenticate
d) Hash login
e) None of these

12. By default, Metasploit Pro automatically updates.


a) True
b) False

13. Project data can be exported as XML.


a) True
b) False

14. You can get a session via SQL Injections.


a) True
b) False

15. Match the Web Application task to its definition:



Task Name        Definition
1- Web Scan      A. Takes advantage of known vulnerabilities
2- Web Exploit   B. Performs vulnerability checks for injection flaws
3- Web Audit     C. Recursively parses website to find valid URLs

1=c, 2=a, 3=b

16. Meterpreter can only be run on Windows Targets.


a) True
b) False

17. During a Phishing campaign, the Target Addresses are automatically restricted to the network range of
the project.
a) True
b) False

18. What are the two Pivot types in Metasploit Pro?


a) Forward and reverse
b) SSH and telnet
c) VPN and proxy
d) All of the above are valid
e) None of the above are valid

19. How does the Browser autopwn work?


a) It sends all known exploits at a targeted browser
b) Only relevant exploits are sent after the browser and OS are fingerprinted
c) A Java applet is sent to all browsers
d) All of the above are features of the browser autopwn

20. Metasploit Projects require that a specified network range is entered.


a) True
b) False

Appendix B: Change Log


Version*              Updates & Changes
18.4.1                Added new badges. Added IP scheme of Lab.
18.6.0                Updated WebAppScanning.
18.7.0                Updated Acclaim and Link for Review.
20.03.01, 27 Mar 20   Updated for new lab provider.
20.04.02, 6 Apr 20    (Includes interim changes) Updated reference information.
20.04.03, 10 Apr 20   Fixed typo in reference information.
20.04.04, 15 Apr 20   Upgraded the MSP and NXP VMs to Ubuntu 16. Metasploit and Nexpose products up to date.
                      Fixed browser autopwn and IP address issues in lab environments. Restored the MSP Lab
                      site and ran a scan to provide data.
20.05.01, 8 May 20    Fixed instruction that named a deprecated module.
20.05.02, 21 May 20   Updated exam instructions in the slide deck.
20.07.01, 10 Jul 20   Fixed typos in lab guide. Replaced poorly performing Known Credentials lab, replaced
                      failing Browser Autopwn lab. Replaced a poorly performing VM in the environment.
                      Fixed the R7 branding format issue in the slide deck.
