Testing Metasploit against a vulnerable service
When learning security and hacking, one of the key tools that *everyone* uses is Metasploit. The downside is that to really play with it you need a vulnerable system to point it at, and unless you download one that has been built for the purpose, that is a little harder to come by. A few choices are (there are more, I am sure; feel free to comment with others):
Broken Web Applications Project
OWASP WebGoat Project
Of course, the key here is that you have to build out a pen testing lab to host all of these other virtual machines. To get an idea of where to start, you can use this great article from the team at the InfoSec Institute: http://resources.infosecinstitute.com/building-your-own-pentesting-environment/
This will get you started with that approach. If you don't want to, or don't have the infrastructure to, build out a full lab, then there is good news: the Rapid7 team have released the Metasploit Vulnerable Service Emulator. The idea behind it is to help with training while you learn how to use Metasploit, and to help when testing new Metasploit modules you may be writing. You can find the project on GitHub here: https://github.com/rapid7/metasploit-vulnerability-emulator
To get started I have spun up a simple Ubuntu Desktop VM; you can use other versions of Linux, or even run the emulator alongside a Metasploit install you already have. I chose a single Ubuntu VM, as I can isolate it on my network and run both the emulator and the Metasploit components on it for testing. If you have never installed Metasploit you can use the following guides:
On my Ubuntu machine, I ran the following command to ensure the Perl dependency modules are installed.
sudo cpanm install IO::Socket::SSL Try::Tiny IO::Compress::Gzip Compress::Zlib Storable JSON
If you hit an issue with "cpanm" not being found, install it first with this command: curl -L http://cpanmin.us | perl - --sudo App::cpanminus
Now we need to actually get the emulator down to the machine. This is done by cloning it with Git, the same as we did for Metasploit itself, into /opt so that it sits alongside the Metasploit install and matches the path used below. Then hand ownership of the checkout to your own account (replace $USER with your username if you are not running this as that user):
sudo git clone https://github.com/rapid7/metasploit-vulnerability-emulator.git /opt/metasploit-vulnerability-emulator
sudo chown -R "$USER" /opt/metasploit-vulnerability-emulator
Now we can run the emulator by running its Perl script and passing in what we want it to emulate.
This will then allow us to activate any of the available exploits and work against them within the virtual machine, without needing to leave the box. The exploits that are emulated by default are listed in the "Service.cfg" file. You can modify this to add whatever you want to test, picking any of the existing exploit modules from Metasploit, or creating your own. To test one of the built-in ones, open "Service.cfg" and select one.
We will use one of the auxiliary scanners by typing:
Within Metasploit we now enter the following:
setg RHOSTS 127.0.0.1
setg RPORT 80
This will then return a successful response. Nothing spectacular, I know, but it shows the principle. You can of course see the full list of what is available in "Service.cfg", or add new entries as needed by following the JSON format outlined on GitHub. One caveat: because the emulator deliberately answers as a vulnerable service, keep it on the isolated VM described above (here it is only ever addressed as 127.0.0.1) rather than on a shared network where something else might find it.
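To make the principle concrete, here is a toy service emulator written for this post as an added example; it is not Rapid7's emulator and not code from the original article. A rule table maps a regex over the first request bytes to a canned reply, a loopback-only listener serves it, and a tiny client plays the part of the scanner module. The rule format is a made-up stand-in (it is not the real "Service.cfg" schema), the banner text is constructed, and the listener takes an ephemeral port rather than 80 so it runs without root; point RHOSTS at 127.0.0.1 and RPORT at the printed port to hit it from Metasploit.

```python
"""Toy vulnerable-service emulator (added example, NOT Rapid7's code).

A rule maps a regex over the first request bytes to a canned response;
the listener binds to loopback only and answers each connection once.
The rule format is hypothetical and does not mirror Service.cfg.
"""
import re
import socket
import threading

# Constructed rule table (hypothetical format, for illustration only).
RULES = [
    {
        "name": "http-banner",
        "match": rb"^(GET|HEAD) \S+ HTTP/1\.[01]",
        "response": (b"HTTP/1.1 200 OK\r\n"
                     b"Server: ExampleHTTPd/1.0 (emulated)\r\n"
                     b"Content-Length: 2\r\n\r\nok"),
    },
]
# Anything that matches no rule gets a bare 400 so a probe still sees a reply.
DEFAULT_RESPONSE = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"


def pick_response(request: bytes, rules=RULES) -> bytes:
    """Return the canned response of the first rule whose regex matches."""
    for rule in rules:
        if re.match(rule["match"], request):
            return rule["response"]
    return DEFAULT_RESPONSE


class Emulator:
    """TCP listener bound to 127.0.0.1; port 0 lets the kernel pick one."""

    def __init__(self, host="127.0.0.1", port=0, rules=RULES):
        self.rules = rules
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return  # listening socket was shut down by stop()
            with conn:  # one request, one canned reply, then close
                conn.settimeout(2)
                try:
                    request = conn.recv(4096)
                except socket.timeout:
                    request = b""
                conn.sendall(pick_response(request, self.rules))

    def stop(self):
        try:
            self.sock.shutdown(socket.SHUT_RDWR)  # wakes the blocked accept()
        except OSError:
            pass
        self.sock.close()


def probe(host: str, port: int,
          request: bytes = b"GET / HTTP/1.0\r\n\r\n") -> bytes:
    """Minimal client standing in for a scanner module's single request."""
    with socket.create_connection((host, port), timeout=2) as s:
        s.sendall(request)
        chunks = []
        while True:  # read until the emulator closes the connection
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    emu = Emulator().start()
    print(f"emulator listening on 127.0.0.1:{emu.port}")
    print(probe("127.0.0.1", emu.port).decode())
    emu.stop()
```

The real emulator is driven by its config file rather than a Python table, but the shape is the same: a request pattern, a response, and a listener that never does anything beyond replying, which is exactly why it is safe to run on the same box as Metasploit and pointless to expose anywhere else.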
All in all, this has great potential: as more JSON definitions are added, testing any of the exploits or scanners should become possible. Great job by the Rapid7 team.