Kali Linux comes pre-equipped with the tools needed for penetration testing. One of them is the Metasploit framework, which lets red teamers perform reconnaissance, scan, enumerate, and exploit vulnerabilities across applications, networks, servers, operating systems, and platforms.
Although Metasploit's core functionality centres on pre- and post-exploitation pentesting tasks, it is also useful for exploit development and vulnerability research.
This article introduces the main components of the Metasploit framework. It demonstrates how to use Metasploit modules for scanning, enumeration, and exploitation on a vulnerable MySQL database hosted on a machine known as Metasploitable 2.
Metasploit is the most commonly used pentesting tool that comes pre-installed in Kali Linux. The main components of Metasploit are msfconsole and the modules it offers.
What Is msfconsole?
msfconsole is the most commonly used interface to Metasploit: a shell-like, all-in-one console that exposes every feature of the framework. It behaves much like a Linux command line, with command auto-completion, tab completion, and other Bash-style shortcuts.
It is the main interface you will use to work with Metasploit modules for scanning a target machine and launching an attack against it.
Metasploit's functionality is delivered by modules, small pieces of code that each perform one task. Before looking at the module types, you should be clear about the following recurring concepts:
- Vulnerability: A flaw in the design or code of the target that can be exploited, for example to disclose confidential information.
- Exploit: Code that takes advantage of a discovered vulnerability.
- Payload: Code that achieves your goal once a vulnerability has been exploited. It runs inside the target system to access target data or to keep access, for example via Meterpreter or a reverse shell.
Now moving towards the five main modules of Metasploit:
- Auxiliary: The auxiliary module contains a set of programs such as fuzzers, scanners, and SQL injection tools to gather information and get a deeper understanding of the target system.
- Encoders: Encoders encode payloads and exploits so that they avoid bad characters (such as null bytes) that would break an exploit, and so that their byte pattern differs from what signature-based antivirus solutions look for. An unencoded payload is likely to be detected by such a solution.
- Exploit: As discussed earlier, an exploit is a code that leverages the target vulnerabilities to ensure system access via payloads.
- Payload: As mentioned before, payloads help you achieve the desired goal of attacking the target system. That means they will either help you get an interactive shell or help you maintain a backdoor, run a command or load malware, etc. Metasploit offers two types of payloads: stageless payloads and staged payloads.
- Post: The post-exploitation module will help you gather further information about the system. For instance, it can help you dump the password hashes and look for user credentials for lateral movement or privilege escalation.
On Kali, the modules live under /usr/share/metasploit-framework/modules, one directory per module type. From that directory you can use the following command to view the categories under each module type:
tree -L 1 <module-type>/
To begin using the Metasploit interface, open the Kali Linux terminal and type msfconsole.
By default, msfconsole opens up with a banner; to remove that and start the interface in quiet mode, use the msfconsole command with the -q flag.
The interface looks like a Linux command-line shell. Some Linux Bash commands it supports are ls, clear, grep, history, jobs, kill, cd, exit, etc.
Type help or a question mark “?” to see the list of all available commands you can use inside msfconsole. Some of the most important ones that we will use in this article are:
| Command | Description |
|---|---|
| search | Searches the Metasploit module database by the given protocol, application, or other parameter |
| use | Selects a specific module and changes the context to module-specific commands |
| info | Provides information about the selected module |
| show | Displays information about the given module name and the options of the current module |
| check | Checks whether the target system is vulnerable, without exploiting it |
| set | Sets a context-specific variable that configures an option of the current module |
| unset | Removes a previously set option |
| run | Executes the current module |
Before beginning, set up the Metasploit database by starting the PostgreSQL server and initializing the msfconsole database, as follows:
systemctl start postgresql
Now check the database status by launching msfconsole and running the db_status command.
For demonstration purposes, set up the open-source, intentionally vulnerable Linux machine Metasploitable 2 on the same network.
MySQL Reconnaissance With msfconsole
Find the IP address of the Metasploitable machine first. Then use the db_nmap command in msfconsole with Nmap flags to scan the MySQL service on port 3306; db_nmap stores the results in the Metasploit database.
db_nmap -sV -sC -p 3306 <metasploitable_ip_address>
You can run a regular nmap -p- <metasploitable_ip_address> scan of all ports to confirm which port the MySQL service is listening on.
Use the search option to look for an auxiliary module to scan and enumerate the MySQL database.
search type:auxiliary mysql
From the resulting list, select the auxiliary/scanner/mysql/mysql_version module by typing use followed by the module name or its index number; this module reports the MySQL version details.
Now use the show options command to display the parameters required to execute the current module:
The output shows that the only required option still unset is RHOSTS, the IP address of the target machine. Set it with set rhosts <metasploitable_ip_address> and run the module, as follows:
The output displays MySQL version details similar to those from the db_nmap scan.
Bruteforce MySQL Root Account With msfconsole
After scanning, you can also brute-force the MySQL root account with the auxiliary/scanner/mysql/mysql_login module.
Set the PASS_FILE option to the path of a wordlist; Kali ships several under /usr/share/wordlists (on a fresh install rockyou.txt is compressed as rockyou.txt.gz and must be extracted first):
set PASS_FILE /usr/share/wordlists/rockyou.txt
Then specify the IP address of the target machine with the RHOSTS option.
set RHOSTS <metasploitable-ip-address>
Set BLANK_PASSWORDS to true so the module also tries an empty password, in case no password is set for the root account.
set BLANK_PASSWORDS true
Finally, run the module by typing run in the terminal.
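The login-guessing run described above is noisy on the server side: every attempt the module makes produces an "Access denied" entry in the MySQL error log once the server is configured to log failed logins (for example log_error_verbosity=3 on MySQL 5.7 and later). The following detector is an added example, not code from this article or from Metasploit: it parses such error-log lines and raises an alert when one source host accumulates a threshold of failures for one user inside a sliding time window. SAMPLE_LOG is constructed; the addresses, timestamps and thread ids are made up.

```python
"""Flag password-guessing bursts against MySQL from its error log (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape (MySQL 5.7-style error log with failed logins enabled):
#   <ISO timestamp> <thread id> [Note] Access denied for user 'u'@'h' (using password: YES)
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}Z)\s+\d+\s+\[\w+\]\s+"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)' "
    r"\(using password: (?P<pw>YES|NO)\)"
)


def parse_denied(line):
    """Return (timestamp, user, host, used_password) or None for other lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return ts, m["user"], m["host"], m["pw"] == "YES"


def detect_bruteforce(lines, threshold=10, window_seconds=60):
    """Map (host, user) -> time at which the failure count first reached threshold."""
    recent = defaultdict(deque)  # (host, user) -> denial timestamps inside the window
    alerts = {}
    for line in lines:
        parsed = parse_denied(line)
        if parsed is None:
            continue
        ts, user, host, _ = parsed
        key = (host, user)
        window = recent[key]
        window.append(ts)
        # drop denials that have fallen out of the sliding window
        while ts - window[0] > timedelta(seconds=window_seconds):
            window.popleft()
        if len(window) >= threshold and key not in alerts:
            alerts[key] = ts
    return alerts


def _denial(ts, user, host, pw="YES"):
    """Build one constructed error-log line in the assumed format."""
    return (f"{ts:%Y-%m-%dT%H:%M:%S.%f}Z 42 [Note] Access denied for user "
            f"'{user}'@'{host}' (using password: {pw})")


# Constructed sample: a wordlist run from 192.168.56.1 (12 denials in 22 s),
# two isolated failures from 10.0.0.7 an hour apart, and one unrelated line.
BASE = datetime(2024, 3, 1, 9, 15, 0)
SAMPLE_LOG = (
    [_denial(BASE + timedelta(seconds=2 * i), "root", "192.168.56.1") for i in range(12)]
    + [_denial(BASE + timedelta(minutes=30), "root", "10.0.0.7", pw="NO"),
       _denial(BASE + timedelta(minutes=90), "root", "10.0.0.7")]
    + ["2024-03-01T09:16:00.000000Z 0 [Note] mysqld: ready for connections."]
)

if __name__ == "__main__":
    for (host, user), when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {when.isoformat()} {host} is guessing the password of '{user}'")
```

With the defaults (10 failures within 60 seconds) the sample produces a single alert for 192.168.56.1 at the tenth denial, while the two slow failures from 10.0.0.7 stay below the threshold. The same grouping works for the module's BLANK_PASSWORDS attempts, which show up as "using password: NO".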
MySQL Enumeration With msfconsole
msfconsole also lets you enumerate the database with the auxiliary/admin/mysql/mysql_enum module. It returns all the accounts with details such as their privileges and password hashes.
To do that, specify the PASSWORD, USERNAME, and RHOSTS options (option names are case-insensitive in msfconsole):
set password ""
set username root
set rhosts <metasploitable-ip-address>
Finally, run the module by typing run.
MySQL Exploitation With msfconsole
From the enumeration phase, it's clear that the root account has the FILE privilege, which lets it call MySQL's load_file() function. With the auxiliary/admin/mysql/mysql_sql module you can use that function to read the contents of the /etc/passwd file from the target:
Again, set the USERNAME, PASSWORD, and RHOSTS options. Then set the SQL option to a query that invokes load_file() on /etc/passwd and run the module.
set sql select load_file("/etc/passwd")
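The file read above works only because two server-side conditions hold at once: the account carries the global FILE privilege (ALL PRIVILEGES on *.* implies it), and secure_file_priv does not confine or disable file access. The following audit is an added example, not code from this article or from Metasploit: it takes the rows returned by SHOW GRANTS FOR an account plus the value of the secure_file_priv system variable (None for NULL, "" for an empty string, otherwise a directory) and reports whether LOAD_FILE() could read arbitrary server files. The grant rows are constructed samples; the wide-open root row mirrors what the enumeration step above describes.

```python
"""Check whether a MySQL account can read server files via LOAD_FILE() (added example)."""
import re

# One SHOW GRANTS row, e.g. GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION
GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO '(?P<user>[^']*)'@'(?P<host>[^']*)'"
)


def parse_grant(row):
    """Split one SHOW GRANTS row into (privilege set, scope, user, host)."""
    m = GRANT_RE.match(row)
    if m is None:
        return None
    privs = {p.strip().upper() for p in m["privs"].split(",")}
    return privs, m["scope"], m["user"], m["host"]


def has_file_privilege(grant_rows):
    """FILE is a global privilege: it counts only when granted ON *.* (directly or via ALL)."""
    for row in grant_rows:
        parsed = parse_grant(row)
        if parsed is None:
            continue
        privs, scope, _, _ = parsed
        if scope == "*.*" and ({"FILE", "ALL PRIVILEGES", "ALL"} & privs):
            return True
    return False


def audit_account(grant_rows, secure_file_priv):
    """Return human-readable findings for one account's grants and the server's file policy."""
    findings = []
    parsed = [p for p in map(parse_grant, grant_rows) if p is not None]
    if not parsed:
        return findings
    _, _, user, host = parsed[0]
    who = f"'{user}'@'{host}'"
    if host == "%":
        findings.append(f"{who} accepts connections from any host")
    if has_file_privilege(grant_rows):
        if secure_file_priv is None:
            findings.append(f"{who} holds FILE, but secure_file_priv=NULL disables LOAD_FILE()")
        elif secure_file_priv == "":
            findings.append(f"{who} holds FILE and secure_file_priv is empty: "
                            f"LOAD_FILE() can read any file the mysqld process can")
        else:
            findings.append(f"{who} holds FILE; LOAD_FILE() is confined to {secure_file_priv}")
    return findings


# Constructed samples (not SHOW GRANTS output captured from any real host)
ROOT_GRANTS = ["GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION"]
APP_GRANTS = ["GRANT SELECT, INSERT, UPDATE ON shop.* TO 'app'@'localhost'"]

if __name__ == "__main__":
    for name, rows in (("root", ROOT_GRANTS), ("app", APP_GRANTS)):
        for finding in audit_account(rows, ""):
            print(f"[{name}] {finding}")
```

For the constructed root row with an empty secure_file_priv the audit reports both the wildcard host and unrestricted LOAD_FILE() access; the application account with database-scoped privileges produces no findings. The two findings map directly onto the fixes: revoke FILE (REVOKE FILE ON *.* FROM 'root'@'%') or restrict the account to localhost, and set secure_file_priv to a dedicated directory, or to NULL, in the server configuration. The parser accepts both the single ALL PRIVILEGES row of older servers and the explicit privilege lists that newer versions print.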
Metasploit modules support every phase of a penetration test, and Metasploit also lets users write modules of their own.
This article summarizes some main modules of the Metasploit framework and demonstrates how to scan, enumerate, and exploit a MySQL database on the Metasploitable 2 machine.
Metasploit isn’t the only penetration testing tool that you’ll use as a cybersecurity professional. There are several other utilities that you’ll need to familiarize yourself with if you want to become a security expert.
If you're wondering how professionals carry out penetration tests, this guide will give you a helping hand.