How much info can you get with a single tool? A lot, actually.
While working on some individual PenTesting this week, I decided to challenge myself and see how much information gathering I could do with just a single tool — the Metasploit Framework, one of the most popular hacking tools out there. This is an unrealistic limitation, of course, since almost all PenTesting involves using as many tools at your disposal as possible, but it proved to be a fun challenge with a couple of surprises and one unexplained issue, which I will lay out below.
Like my interest in digital forensics, the information gathering (or “reconnaissance”) phase of hacking has proven to be one of my favorite steps in PenTesting. Gathering data and growing to understand the makeup of a system is a gratifying process, which probably explains why I like cybersecurity so much — there is constant opportunity to learn more.
I also wanted to use this opportunity to lay out some basic steps to follow when beginning a PenTest and gathering information. As you’ll see near the end of this post, however, I ended up running into some issues that I don’t yet have an answer for (so, if you have any thoughts to share, I’d love to hear them).
Given the popularity and robustness of Metasploit, it is perhaps unsurprising that this is the go-to tool for many PenTesters. There are many other tools that are perhaps more powerful, but they are often more specialized and focused on specific protocols or services; whereas Metasploit has a variety of uses and modules for a number of scenarios.
For this exercise, I downloaded and started the VM “SoSimple” (available on VulnHub), and I will be gathering info on this install from a separate VM running the latest version of Kali Linux (which comes with many tools preinstalled, the Metasploit Framework among them).
One under-appreciated feature of Metasploit is that it can track and catalog data automatically while you’re sleuthing. This is done with “workspaces,” which you can create yourself (or you can just use the default one). As a sort of cheat sheet, here are some database commands you can use in Metasploit to view the information you’ve collected so far:
hosts
loot
notes
services
vulns
To start the exercise, I created a new workspace titled “SoSimple” and moved over to that workspace (and confirmed that I had, in fact, changed workspaces).
Next, we move over to the ubiquitous tool nmap, which can run directly within Metasploit. The command db_nmap ensures that any information gathered is automatically added to the database of the current workspace.
For the purpose of brevity, I’m not showing an initial nmap scan I did to find the IP address of the “SoSimple” VM. For now, assume that I did that and found it residing at IP address 192.168.5.13.
(The -A flag tells nmap to perform an aggressive scan, which enables OS detection, service version detection, default scripts and traceroute, to pull as much information as an IP address will give up.)
If we type the command “hosts” into Metasploit, we can see that the Linux machine at 192.168.5.13 has been added to the database.
So, what have we learned so far? Well, “SoSimple” isn’t particularly chatty, as there aren’t many open ports, but we can see OpenSSH on port 22 and an Apache installation serving HTTP on port 80. We also know that “SoSimple” is a Linux installation. Despite the lack of a variety of attack vectors, we at least have a good place to start. Let’s scan port 22 a little deeper and see if we can learn anything in more detail. We can find an SSH scanner within Metasploit by running the command:
search ssh
After that, you can simply say “use <number>” replacing <number> with the actual number of whatever module you found in your search (this method will save you a lot of time). For clarity, however, I have written out the full path of the scanner. After loading the scanner, we need to see what parameters need to be entered (nothing just runs by default in Metasploit — you have to enter information). Use the command:
show options
As you can see, we’ve learned a little more about the SSH installation in this VM, and we now know for sure that the machine is running Ubuntu Linux. Typically, you probably won’t try to mount an attack through SSH because it tends to be pretty secure, but we can put that knowledge in our back pocket — it’s very possible we may need it later. Let’s use the command “services” to see what we’ve found so far.
Let’s move on to port 80. Weaknesses in HTTP services are much more common, so we will probably have an easier time acquiring data through this vector.
SoSimple is running an Apache installation on port 80, which means it has some sort of web server capabilities. One of the first things we may want to do with this knowledge is discover the directory structure we can move around in. Fortunately, Metasploit has several tools for this. We’ll use the directory scanner utility.
Aha! It would appear SoSimple is running some form of WordPress. That’s some specific knowledge that will certainly help us understand the environment. At this point, we could turn our attention to more WordPress-specific tools, or we could keep checking out some HTTP-related information.
I want to call attention to a standalone module that can also be loaded into Metasploit — wmap. I ran the directory scanner earlier to show how we can go about ascertaining information in a very straightforward way within Metasploit. However, in the interest of saving time, we can actually automate a lot of discovery with wmap. wmap is a web-application scanner (perfect for this scenario) which drives several of Metasploit’s scanning modules at once to produce a lot of information. We must first load the tool with the simple “load wmap” command. From there, we specify the target by its URL with:
wmap_targets -t <target URL>
The command “wmap_run -t” will run a preliminary scan of the specified target and show us all of the various scanners wmap can load and deploy against that specific target. I won’t post everything here, but, as you can see, wmap takes a lot of individual scanners from Metasploit and automatically runs through all of them.
We can then execute the program (once the target has been specified) with the command:
wmap_run -e
Ok, so what did wmap find? A decent amount, actually, including which HTTP request methods the server accepts (GET and POST among them), all served over plain, unencrypted HTTP. Let’s check if there are any vulnerabilities with
wmap_vulns -l
This will list several findings and highlight any immediately obvious vulnerabilities. As you can see, it didn’t find any vulnerabilities in our instance, but we did discover some more directory paths through some basic HTTP requests.
Finally, the “notes” command shows everything our Metasploit database has catalogued so far.
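As an added example (not part of the original post), here is the whole information-gathering sequence above collected into one msfconsole resource script, using the post’s lab address 192.168.5.13. The full module paths and the column/port filters on hosts and services are assumed from Metasploit’s standard command set and do not appear on the page.

```text
# sosimple_recon.rc (constructed example)
# Run from Kali with:  msfconsole -q -r sosimple_recon.rc
# Assumes the SoSimple lab VM is at 192.168.5.13, as in the post.

# 1. Create a dedicated workspace and switch to it; the listing marks the active one with *
workspace -a SoSimple
workspace

# 2. Port scan straight into the database (-A: OS/version detection, default scripts, traceroute)
db_nmap -A 192.168.5.13
hosts
services

# 3. Pull the SSH banner from port 22 (this is what reveals the Ubuntu build)
use auxiliary/scanner/ssh/ssh_version
set RHOSTS 192.168.5.13
run

# 4. Look for directories on the Apache server on port 80
use auxiliary/scanner/http/dir_scanner
set RHOSTS 192.168.5.13
set RPORT 80
run

# 5. Automated web discovery with wmap: register the site, add it as a target,
#    list the modules wmap would run (-t), then execute them (-e)
load wmap
wmap_sites -a http://192.168.5.13/
wmap_targets -t http://192.168.5.13/
wmap_run -t
wmap_run -e
wmap_vulns -l

# 6. Review what the workspace database has catalogued
hosts -c address,os_name
services -p 22,80
notes
vulns
loot
```

Because every module writes into the active workspace, the final block can be re-run at any time later in the engagement to get the current picture without rescanning.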
At this point, we probably have enough information about the VM to begin researching vulnerabilities (outside of Metasploit) and attempt to penetrate the system — moving our information gathering phase into the weaponization/exploitation phase. Note that we never really stop gathering information, but it is at this stage that we may begin to read online and formulate ways to further penetrate the system. This begins a different phase of the project and isn’t really within the scope of this article, but I do want to go into some initial detail on how we might compromise this system (it also leads into the difficulty I came across and have yet to solve).
One easy way to compromise a WordPress setup is to enumerate usernames and passwords — a common weakness in a large number of WordPress setups. Basically, many WordPress configurations don’t place a limit on the number of login attempts, and, through their error messages, can even confirm whether or not a username actually exists in the database. We can use this particular knowledge to potentially gain a valid username and maybe even brute-force a password. I’m sure you can think of how much easier it will be to crack this system once we acquire that kind of information.
After digging around in a web browser, I managed to find the login page — at /wordpress/wp-login.php (coincidentally, this is the default location for the login page).
It’s at this point that I ran into an issue with Metasploit. Metasploit has a login enumeration tool that can supposedly find users and passwords by brute forcing enumeration through wordlists (there are many wordlists available on the internet, but Metasploit also comes with several by default). The difficult part is I haven’t been able to get the scanner to work. I’m not sure if it’s because the scanner is deprecated and no longer supported, or if I’m just entering the information wrong, but I spent quite a while trying to get some results without any success. I know that it’s the scanner within Metasploit that isn’t functioning correctly, however, because when I used the standalone tool WPScanner (a WordPress-specific PenTest tool found in Kali Linux installations), I was able to successfully enumerate the user “max” and brute-force the password “opensesame.”
Even more curious, when I specifically enter those exact credentials into Metasploit’s login enumerator tool, it says that they’re invalid.
I’ve tried both these credentials and the login username “admin” (also discovered through WPScanner), and, both times, the login enumerator says the users are invalid. I’ve also tried various TargetURI settings without any change in results.
I can confirm that the usernames and settings are legit, however, as I was able to log in through a web browser with the credentials enumerated via WPScanner. I’d be curious to see if anyone else has run into these issues.
Nevertheless, as you can see, we’ve still found a good deal of information about the VM through Metasploit. However, as the snag I’ve talked about here at the end has illustrated, we probably can’t be too devoted to any single tool when PenTesting — a good PenTester is flexible enough to switch tools when needed. Still, Metasploit gives us a good baseline, and it is crucial enough that anyone seeking information about specific systems will need a comfortable familiarity with such a powerful utility.
Next week, we will take this PenTest to the next stage and go through the steps of crafting an exploit and officially penetrating the system!