Metasploit for Windows
Metasploit for Windows is a penetration testing framework that allows security professionals to exploit vulnerabilities in Windows systems. It provides a collection of tools, exploits, and payloads that can be used to test the security of Windows hosts. By identifying and leveraging security gaps, Metasploit enables security teams to gain access, test defenses, and understand potential security risks within a Windows environment.
This blog covers using Metasploit on Windows, including setup, essential commands, and the pre- and post-exploitation phases.
Why Use Metasploit on Windows?
Using Metasploit on Windows offers several advantages for penetration testing and security assessments. Windows provides a familiar and user-friendly interface, making it easier for users who are already comfortable with the platform. Metasploit’s compatibility with Windows allows seamless integration with other tools and applications native to the operating system.
Additionally, Windows environments are common in enterprise networks, so running Metasploit on Windows can simulate real-world attacks more accurately. This setup also enables testing in mixed-OS environments, where both Windows and Linux systems may be present, enhancing the scope of penetration testing.
Setting up Metasploit on Windows
To set up Metasploit on Windows, ensure the system meets the following hardware and software requirements: at least 4GB of RAM, 1GB of available disk space, and Windows 7 or later. Download the Metasploit installer from the official Rapid7 website and run the file to begin the installation.
Follow the prompts to choose the installation path and the necessary options. After installation, configure the environment for optimal performance, including setting up the database and environment variables. To initialize the database, open a command prompt or the Metasploit Console and run the following command:
This command starts the PostgreSQL database, which Metasploit relies on to store and manage data collected during penetration testing activities. After the database is initialized, verify the connection to ensure proper setup before beginning any tests.
Essential Metasploit Commands for Windows
Here are some essential Metasploit commands for Windows that every penetration tester should know:
msfconsole
Starts the Metasploit Framework console, giving access to a wide range of exploits and tools.
search <keyword>
Finds modules related to a particular vulnerability or attack type. Replace <keyword> with specific terms to narrow the search.
use exploit/<exploit_name>
Selects a specific exploit module from the Metasploit library. Replace <exploit_name> with the name of the exploit.
set RHOST <target_ip>
Sets the remote host (target IP) where the exploit will be directed. Replace <target_ip> with the IP address of the target.
exploit
Executes the selected exploit against the target with the defined parameters and payload.
sessions -i <session_id>
Lists and interacts with active sessions opened by successful exploits. Use <session_id> to specify a particular session to control.
By understanding and using these commands, security teams can effectively navigate the Metasploit console to exploit vulnerabilities in a target system.
Pre-Exploitation
Pre-exploitation is the phase in penetration testing where security professionals gather detailed information about the target system to identify potential vulnerabilities and attack vectors. This phase involves reconnaissance and scanning activities to map the target’s network, services, and applications. Key tasks include identifying open ports, active services, operating system details, and potential entry points such as weak authentication mechanisms or outdated software versions.
Information Gathering
Information gathering forms the foundation of successful penetration testing, enabling security professionals to collect crucial data about the target system and network.
Network Scanning
To perform a network scan and identify live hosts and open ports, use the following command:
This command initiates a TCP port scan over the specified range (RHOSTS). It defines the range of ports (e.g., 1-65535) with PORTS and executes the scan to discover open ports.
Service Fingerprinting
To identify services running on discovered hosts, use this command:
This auxiliary module fingerprints HTTP services. It uses RHOSTS to specify the target range and, when executed, provides detailed information on HTTP versions and server details for each host in the range.
Windows Exploits
To find exploits for Windows, use the following command in Metasploit:
This command searches for all available Windows exploits within the Metasploit Framework. It helps to quickly identify which exploits are relevant to the target's platform.
Once an exploit is identified, configure and prepare it for use:
use loads the specified exploit module, set RHOST specifies the target's IP, and set PAYLOAD determines how the reverse connection is established. LHOST is set to your IP to receive the connection, and LPORT defines the listening port.
Finally, execute the exploit:
This command runs the configured exploit against the specified target, attempting to exploit the vulnerability and deliver the payload.
Post-Exploitation
Post-exploitation is the phase in penetration testing that occurs after gaining initial access to a system. During this phase, the focus shifts from breaking into the system to understanding the scope and impact of the compromise. Security professionals attempt to escalate privileges, move laterally across the network, and gather sensitive data like passwords, files, or confidential information.
Payloads
Payloads and post-exploitation techniques allow attackers to maintain access and extract valuable information from compromised systems. Let’s explore various payload types and post-exploitation methods available in Metasploit for Windows.
Types of Payloads
In Metasploit, you can choose various payloads to deliver the exploit. For example, to use the Meterpreter reverse TCP payload, use this command:
This command selects the reverse_tcp payload, which creates a reverse connection from the target system to the attacker's machine, providing a Meterpreter shell.
Using Meterpreter
After exploiting a target, Meterpreter allows advanced control over the system:
sessions -i interacts with the open session. sysinfo shows system details, and getuid retrieves the user ID of the session.
Persistence and Data Extraction
For maintaining access and extracting data:
run persistence sets up a persistent backdoor that reconnects every 5 minutes. download fetches files from the compromised system and sends them to the local machine.
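A backdoor that reconnects on a fixed 5-minute schedule is exactly the regularity a defender can look for. The following Python detector is an added example, not code from the original post or from Metasploit: it groups constructed outbound-connection log lines by source and destination and reports flows whose gaps between connections are nearly constant. The log format, the minimum of four hits and the 10% jitter tolerance are assumptions.

```python
"""Find fixed-interval reconnects (beaconing) in constructed connection logs.
Added example; not part of the original post or of Metasploit."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection log: "<ISO time> <src_ip> -> <dst_ip>:<port>".
# The 203.0.113.9:4444 flow reconnects every 5 minutes; the 443 flow is ordinary browsing.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 -> 203.0.113.9:4444
2024-05-01T10:00:07 10.0.0.5 -> 198.51.100.2:443
2024-05-01T10:05:00 10.0.0.5 -> 203.0.113.9:4444
2024-05-01T10:10:00 10.0.0.5 -> 203.0.113.9:4444
2024-05-01T10:11:30 10.0.0.5 -> 198.51.100.2:443
2024-05-01T10:15:00 10.0.0.5 -> 203.0.113.9:4444
2024-05-01T10:20:00 10.0.0.5 -> 203.0.113.9:4444
2024-05-01T10:33:00 10.0.0.5 -> 198.51.100.2:443
2024-05-01T10:40:00 10.0.0.5 -> 198.51.100.2:443
"""


def parse_flows(log):
    """Group connection timestamps by (src_ip, dst_ip:port)."""
    flows = defaultdict(list)
    for line in log.splitlines():
        ts, src, _arrow, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(log, min_hits=4, max_jitter=0.10):
    """Return {(src, dst): period_seconds} for flows whose gaps between
    consecutive connections vary by at most max_jitter (stddev / mean)."""
    beacons = {}
    for key, times in parse_flows(log).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            beacons[key] = period
    return beacons


if __name__ == "__main__":
    for (src, dst), period in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst} reconnects every {period:.0f}s")
```

Raise max_jitter when hunting for implants that randomise their sleep, and lower it when the environment is noisy.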
Metasploit Post-Exploitation Modules
Metasploit provides several post-exploitation modules that security teams can use to gather more information about the target network.
arp_scanner
Use the arp_scanner post module to perform an ARP scan for a specified range through a compromised host. This module helps discover other devices on the network.
The command meterpreter > run post/windows/gather/arp_scanner RHOSTS=192.168.1.0/24 initiates an ARP scan across the specified subnet (192.168.1.0/24). It identifies active devices within that range, displaying their IP and MAC addresses. The arp_scanner module within Metasploit's Meterpreter session provides a quick way to map devices on the local network, useful for identifying potential targets or understanding the network topology.
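The TCP port scan described under Network Scanning and the ARP sweep described here both leave a fan-out pattern in network logs: one source touching many ports on a host, or asking for many addresses in a subnet. The Python detector below is an added example covering both passages, not code from the original post or from Metasploit; the log lines are constructed and the alert thresholds are assumptions.

```python
"""Flag port-scan and ARP-sweep fan-out in constructed log lines.
Added example; not part of the original post or of Metasploit."""
from collections import defaultdict

# Constructed lines: "<src_ip> TCP <dst_ip>:<port>" for a connection attempt,
# "<src_ip> ARP <dst_ip>" for an ARP who-has request.
SAMPLE_LINES = (
    [f"192.168.1.50 TCP 192.168.1.10:{port}" for port in range(1, 31)]   # 30 ports, one host
    + ["192.168.1.20 TCP 192.168.1.10:443", "192.168.1.20 TCP 192.168.1.10:80"]  # normal use
    + [f"192.168.1.50 ARP 192.168.1.{host}" for host in range(1, 255)]   # whole /24 asked for
    + ["192.168.1.20 ARP 192.168.1.1"]                                   # gateway lookup
)


def summarize(lines):
    """Distinct ports per (src, dst) pair and distinct ARP targets per src."""
    ports_by_pair = defaultdict(set)
    arp_by_src = defaultdict(set)
    for line in lines:
        src, proto, dst = line.split()
        if proto == "TCP":
            host, port = dst.rsplit(":", 1)
            ports_by_pair[(src, host)].add(int(port))
        elif proto == "ARP":
            arp_by_src[src].add(dst)
    return ports_by_pair, arp_by_src


def find_scanners(lines, port_threshold=10, arp_threshold=20):
    """Return alert tuples (kind, src, dst_or_None, count) at or over the thresholds."""
    ports_by_pair, arp_by_src = summarize(lines)
    alerts = []
    for (src, host), ports in ports_by_pair.items():
        if len(ports) >= port_threshold:
            alerts.append(("portscan", src, host, len(ports)))
    for src, hosts in arp_by_src.items():
        if len(hosts) >= arp_threshold:
            alerts.append(("arpsweep", src, None, len(hosts)))
    return alerts


if __name__ == "__main__":
    for alert in find_scanners(SAMPLE_LINES):
        print(alert)
```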
checkvm
With the checkvm post module, you can determine if the compromised host is running on a virtual machine. This module supports Hyper-V, VMware, VirtualBox, Xen, and QEMU virtual machines.
The command meterpreter > run post/windows/gather/checkvm is used to determine if the compromised system is running within a virtual machine (VM). In this example, it checks the machine and confirms that it is a VMware virtual machine. Identifying the presence of a VM is important for understanding the environment, as penetration testers and attackers may adjust their techniques if they detect a virtualized environment.
credential_collector
The credential_collector module allows you to harvest password hashes and tokens from the compromised host. This is useful for further exploitation and lateral movement.
The command meterpreter > run post/windows/gather/credentials/credential_collector is used to collect credentials from the target Windows machine. It extracts password hashes and security tokens from the system.
In this case, the command retrieves NTLM hashes for various user accounts, such as Administrator and Guest. It also lists available tokens for different system services like LOCAL SERVICE and SYSTEM. The collected credentials can be used for further attacks, such as privilege escalation or lateral movement within a network.
dumplinks
By using the dumplinks module, you can parse the .lnk files in a user's Recent Documents folder. This information can be valuable for understanding the user's recent activity. Note that you must first migrate into a user process before running this module.
The meterpreter > run post/windows/manage/migrate command migrates the Meterpreter session from its current process (svchost.exe) to a more stable one like explorer.exe. This process migration is done to maintain access and avoid detection, as explorer.exe is less likely to be terminated by system defenses.
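Migration from svchost.exe into explorer.exe is visible to endpoint telemetry as one process opening another with write and thread-creation rights and then starting a thread whose start address is not backed by any loaded module. The Python example below is added here and is not code from the original post or from Metasploit; it applies that rule to constructed Sysmon-style ProcessAccess (Event ID 10) and CreateRemoteThread (Event ID 8) records, with shortened field names and made-up process IDs.

```python
"""Detect Meterpreter-style process migration in constructed Sysmon-style events.
Added example; not part of the original post or of Metasploit."""
# Access-mask bits from the Windows PROCESS_* rights (these two values are real).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_WRITE = 0x0020

# Constructed records. id 10 = ProcessAccess (src opened dst with "granted" rights),
# id 8 = CreateRemoteThread (src started a thread in dst; "start_module" is the
# module backing the thread start address, empty when it lies in unbacked memory).
# Process IDs are made up; field names abbreviate Sysmon's SourceImage/TargetImage etc.
EVENTS = [
    {"id": 10, "src": r"C:\Windows\System32\svchost.exe", "src_pid": 1208,
     "dst": r"C:\Windows\explorer.exe", "dst_pid": 2044, "granted": 0x1FFFFF},
    {"id": 8, "src": r"C:\Windows\System32\svchost.exe", "src_pid": 1208,
     "dst": r"C:\Windows\explorer.exe", "dst_pid": 2044, "start_module": ""},
    # Benign: an inventory agent only queries explorer.exe, never writes to it.
    {"id": 10, "src": r"C:\Program Files\Inventory\agent.exe", "src_pid": 3300,
     "dst": r"C:\Windows\explorer.exe", "dst_pid": 2044, "granted": 0x1000},
    # Benign: thread start backed by a real module and no prior write handle.
    {"id": 8, "src": r"C:\Windows\System32\csrss.exe", "src_pid": 500,
     "dst": r"C:\Windows\explorer.exe", "dst_pid": 2044,
     "start_module": r"C:\Windows\System32\ntdll.dll"},
]


def find_migrations(events):
    """Return (src_image, dst_image) pairs where a process first obtained
    write + create-thread access to another process and then started a
    thread in it from memory not backed by any module."""
    handles = {}  # (src_pid, dst_pid) -> rights granted by the latest ProcessAccess
    needed = PROCESS_CREATE_THREAD | PROCESS_VM_WRITE
    hits = []
    for ev in events:
        key = (ev["src_pid"], ev["dst_pid"])
        if ev["id"] == 10:
            handles[key] = ev["granted"]
        elif ev["id"] == 8 and ev["src_pid"] != ev["dst_pid"]:
            had_write_access = (handles.get(key, 0) & needed) == needed
            unbacked_start = ev["start_module"] == ""
            if had_write_access and unbacked_start:
                hits.append((ev["src"], ev["dst"]))
    return hits


if __name__ == "__main__":
    for src, dst in find_migrations(EVENTS):
        print(f"possible injection: {src} -> {dst}")
```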
The meterpreter > run post/windows/gather/dumplinks command gathers .lnk (shortcut) files from the Recent folder of a specific user (in this case, Administrator). This allows the tester to see recently accessed files, potentially revealing sensitive information or user activity that could aid in further exploitation.
enum_applications
The enum_applications module enumerates the applications installed on the compromised host. This helps in identifying potential targets for further exploitation.
The output of the run post/windows/gather/enum_applications command shows a list of installed applications on the compromised Windows machine (WIN7-X86). Each application is listed by name and version, which can help the attacker identify potentially vulnerable software to exploit further. For example, outdated versions of Adobe Flash Player, Google Chrome, .NET Framework, and other programs may have known vulnerabilities. Security updates and patches for .NET Framework are also listed, providing a full overview of the software environment. The results are saved in a file for further review.
enum_logged_on_users
You can use the enum_logged_on_users post module to get a list of current and recently logged-on users, along with their SIDs. This information is useful for understanding user activity and privileges.
The run post/windows/gather/enum_logged_on_users command in Meterpreter identifies both the currently active and recently logged-on users on a Windows system. It provides the SID (Security Identifier) and User for active sessions, indicating which accounts are logged in.
It also lists recently logged-on users with their profile paths, including both user and system accounts like LocalService and NetworkService. This information is saved to a file for further analysis, offering insight into the users who have accessed the machine.
usb_history
By using the usb_history module, you can enumerate the USB drive history on the compromised system. This helps in identifying removable drives that have been connected to the system.
The output of run post/windows/gather/usb_history in Metasploit provides details about the USB devices that have been connected to the target machine. It includes information like the drive letters assigned (e.g., C:, E:), the device types (e.g., removable media, disk drives), and specific details such as the manufacturer, last write times, and volume information. This data can help trace the usage of USB devices and identify external drives connected to the system, which could be useful in forensic analysis or incident response scenarios.
Final Thoughts
Mastering Metasploit significantly boosts penetration testing capabilities by offering a comprehensive suite of tools for various phases of testing, from information gathering to exploitation and post-exploitation.
Utilizing its vast array of modules, testers can efficiently identify vulnerabilities and launch targeted attacks. To conduct effective penetration tests, it is essential to thoroughly understand Metasploit’s functionalities and apply them strategically. Regular practice, combined with the exploration of new modules and features, is crucial for refining skills. Staying updated on the latest vulnerabilities and exploits ensures that testers can respond proactively to emerging threats, maximizing the impact of their assessments.