Testing Metasploit against a vulnerable service

When learning security and hacking, one of the key tools that *everyone* uses is Metasploit. The downside is that to really play with it you need a vulnerable system, which, unless you download one, is a little harder to come by. A few choices are (there are more I am sure, feel free to comment with others):

Metasploitable2
https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fsourceforge.net%2Fprojects%2Fmetasploitable%2Ffiles%2FMetasploitable2%2F

Metasploitable3
https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploitable3

Broken Web Applications Project
https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project

Kioptrix
http://www.kioptrix.com/blog/test-page/

OWASP WebGoat Project
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

Graceful VulnVM
https://www.gracefulsecurity.com/vulnvm/

DVWA
http://www.dvwa.co.uk/

Of course, the key here is that you have to build out a pen testing lab, to host all of the other Virtual Machines. To get an idea of where to start you can use this great article from the team at the InfoSec Institute: http://resources.infosecinstitute.com/building-your-own-pentesting-environment/

This will get you started on this approach. If you don’t want to, or don’t have the infrastructure to actually build out a full lab, then there is great news, as the Rapid7 team have released the Metasploit Vulnerable Service Emulator. The idea behind this is to help with training while learning how to use Metasploit, as well as with testing new Metasploit modules you may be creating. You can find the project here on GitHub: https://github.com/rapid7/metasploit-vulnerability-emulator

To get started I have spun up a simple Ubuntu Desktop VM; you can use other versions of Linux, or even utilize the service as part of a core Metasploit install you already have. I chose a single Ubuntu VM, as I can isolate it on my network and run both the emulator and Metasploit components for testing. If you have never installed Metasploit you can use the following guides:

https://community.rapid7.com/docs/DOC-2100
https://www.darkoperator.com/installing-metasploit-in-ubunt/

On my Ubuntu machine, I ran the following command to ensure the dependency packages are installed.

# cpanm takes module names directly; there is no "install" subcommand
sudo cpanm IO::Socket::SSL Try::Tiny IO::Compress::Gzip Compress::Zlib Storable JSON

If you hit an issue with using "cpanm", then run this command first to install it: curl -L http://cpanmin.us | perl - --sudo App::cpanminus

Now we need to actually get the emulator down to the machine. This is done by cloning it down using Git, the same as we did for getting Metasploit itself.

cd /opt
sudo git clone https://github.com/rapid7/metasploit-vulnerability-emulator.git
sudo chown -R 'your user account' /opt/metasploit-vulnerability-emulator

Now we can run the emulator, from the cloned directory, by running the perl script and then telling it which module we want it to emulate.

perl vulEmu.pl

This lets us activate any of the available exploits and work with them entirely within the Virtual Machine, without the need to move off box. The exploits that are available by default in the emulator are listed in the “Service.cfg” file. You can modify this to add whatever you want to test, picking any of the existing exploit modules from Metasploit, or creating your own. To test one of the in-built ones, open the “Service.cfg” file and select one.

We will use one of the auxiliary scanners by typing:

activate auxiliary/scanner/ftp/anonymous

Within Metasploit we now enter the following:

use auxiliary/scanner/ftp/anonymous
setg RHOSTS 127.0.0.1
setg RPORT 80
run


This will then return a successful response; nothing spectacular, I know, but it shows the principle. You can of course see the full list that is available in the “Service.cfg” file, or even add new ones as needed by following the JSON format outlined on GitHub.

https://github.com/rapid7/metasploit-vulnerability-emulator/blob/master/README.md

All in all, this has great potential: as more of the JSON structures are added, testing any of the exploits or scanners could become possible. Great job by the Rapid7 team.

Liam Cleary

I work as an Associate Director for Protiviti in Virginia. My main focus is to ensure that SharePoint can either natively or with minimal customization meet the business requirement securely. I am currently a SharePoint MVP focused on Architecture but also cross the boundary into Development and Security. I am often found at user groups and conferences speaking, offering advice, spending time in the community, teaching my kids how to code, Raspberry Pi programming, hacking the planet and sometimes building Lego robots.
