Metasploit System Framework
Version 4 Architecture:
The Metasploit design is modular wherever possible. A set of base libraries provides the core framework functions, while the code that actually performs penetration-testing work is organized as modules, divided into six types according to their use. To extend the framework's support across the whole penetration-testing process, Metasploit also provides a plug-in mechanism for integrating external security tools into the framework. The capabilities of the integrated modules and plug-ins are made available to the penetration tester through the user interfaces and the function programs.
Base Library Files
The Metasploit base library files are located in the libraries directory under the source root and consist of three parts: Rex, framework-core and framework-base.
Rex is the most basic component the framework depends on. It provides, for example, wrapped network sockets, client and server implementations of network application protocols, the logging subsystem, support routines for exploits, and PostgreSQL and MySQL database support.
The framework-core library implements the interfaces to all the upper-layer module types and to plug-ins.
The framework-base library extends framework-core: it provides simpler wrapper routines and a set of utility classes covering the various aspects of the framework, so that the user interfaces and function programs can call both the framework itself and the modules integrated into it.
Modules
Modules carry the core penetration-testing capabilities; they are loaded and integrated by the Metasploit framework and exposed through it. They are divided into auxiliary modules (aux), exploit modules (exploits), post-exploitation modules (post), payload modules (payloads), encoder modules (encoders) and NOP modules (nops). Each module type has a clearly defined structure and a pre-defined interface, and modules can be combined to support information gathering, exploitation and post-exploitation work.
- Auxiliary module
Auxiliary modules provide extensive support for the information-gathering phase, including scanners and enumerators for a wide range of network services, fake services set up to capture login credentials, and password-guessing modules. Auxiliary modules also include attacks that carry no payload and that usually do not yield remote control of the target system, such as denial-of-service attacks.
- Exploit module
Exploit modules are the code components that attack a remote target system through a discovered vulnerability or configuration weakness, implant and run a payload, and thereby gain control over the target. According to where the exploited vulnerability is located, Metasploit's exploit modules fall into two categories: active exploits and passive exploits.
Active exploits target vulnerabilities in network server software and in the server-side applications hosted on it. Because such services typically open listening ports on the host and wait for clients to connect, the attacker connects to the target's network service and sends specially constructed request content carrying "evil" attack data. This triggers the vulnerability and causes the remote service to execute the payload embedded in the evil data, which yields a control session on the target system. Active exploitation of network services is the traditional form of exploitation; web application exploits and exploits against SCADA industrial control system services also belong to this category.
Passive exploits target vulnerabilities in client software: browsers and browser plug-ins, e-mail clients, office suites, Adobe products and many other document viewers and editors. Because a flaw in client software cannot be reached by pushing data to the client from the network, the attack must take a passive form: the attacker constructs "evil" web pages, e-mails or document files and gets users on the target system to open them, by hosting a server that serves the malicious content, sending mail attachments, distributing files and tricking the user into opening them, or combining these with network spoofing and hijacking techniques. Opening the content triggers the vulnerability in the client software and produces a shell session that controls the target system. Passive client-side exploits can bypass firewalls and other network perimeter defences; the most common kinds are browser vulnerability exploits and file-format vulnerability exploits.
- Attack payload module
A payload is the code implanted into the target system and run there after a successful exploit, usually to open a control session on the target for the attacker. In traditional exploit development the payload is simply shellcode: code written in assembly and translated into machine code for the CPU architecture of the target system. Once the exploit triggers the vulnerability, the hijacked program jumps into this machine code and executes it, completing the single function implemented in the shellcode.
Metasploit payload modules are divided into three types: single (self-contained), stager and stage.
A single payload is fully self-contained and can be implanted directly into the target system for execution; for example, windows/shell_bind_tcp runs on the Windows platform and binds a shell control session to a specified TCP port. In some situations the size and execution conditions of the payload are constrained, for example when a particular vulnerability leaves only a small amount of free space in the evil attack buffer, or when defences such as NX (non-executable stack) and DEP (Data Execution Prevention) introduced by newer operating systems such as Windows 7 are active. For these scenarios Metasploit provides staged delivery using a stager and a stage: the exploit module first implants a short, highly reliable stager payload, and when the stager runs it downloads and executes the stage payload.
- NOP module
A NOP (no-operation) instruction is an empty operation, or an instruction with no relevant effect on the program state. The most typical NOP is the empty operation itself, whose opcode on the x86 CPU architecture is 0x90.
When an exploit constructs the evil data buffer, it usually places a NOP region in front of the shellcode that will actually execute. When the exploit is triggered and control jumps toward the shellcode, the NOP region provides a wide safe landing area, so that memory address randomization, errors in return-address calculation and similar deviations do not cause the shellcode to fail to execute; this improves the exploit's reliability.
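The NOP region described above is also what a detector looks for when inspecting a suspicious buffer. The following Ruby script is an added example written for this page, not code from the Metasploit project: it finds the longest run of 0x90 bytes in a buffer and flags the buffer as containing a NOP sled when that run meets a threshold. The two sample buffers and the threshold of 16 bytes are constructed for the example; real scanners tune the threshold against their own traffic.

```ruby
# Added example (not Metasploit code): a simple NOP-sled detector of the kind an
# IDS or file scanner applies to suspicious buffers. The sample buffers and the
# default threshold below are constructed for the example.
NOP = 0x90

# Returns [start_offset, length] of the longest run of 0x90 bytes in `data`.
# An empty buffer or one without any 0x90 byte yields [0, 0].
def longest_nop_run(data)
  best_start = best_len = 0
  run_start = nil
  data.bytes.each_with_index do |b, i|
    if b == NOP
      run_start ||= i
      len = i - run_start + 1
      if len > best_len
        best_len = len
        best_start = run_start
      end
    else
      run_start = nil
    end
  end
  [best_start, best_len]
end

# True when the buffer contains a run of NOPs at least `threshold` bytes long.
def nop_sled?(data, threshold: 16)
  _, len = longest_nop_run(data)
  len >= threshold
end

# Constructed samples: a benign buffer with a few isolated 0x90 bytes (compilers
# routinely emit single NOPs for alignment), and a buffer shaped like an exploit
# payload: a 64-byte sled followed by arbitrary bytes standing in for shellcode.
BENIGN = "\x55\x89\xe5\x90\x83\xec\x10\x90\x90\xc9\xc3".b
SUSPECT = ("\x90".b * 64) + "\x31\xc0\x50\x68".b + ("A".b * 20)

if __FILE__ == $0
  [["benign", BENIGN], ["suspect", SUSPECT]].each do |name, buf|
    off, len = longest_nop_run(buf)
    puts "#{name}: longest 0x90 run #{len} bytes at offset #{off}, sled=#{nop_sled?(buf)}"
  end
end
```

Isolated 0x90 bytes are common in legitimate code, so the run length, not the mere presence of the byte, is what separates the two samples.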
- Encoder module
After the payload and NOP module have been assembled into an instruction sequence, and before the exploit module inserts that sequence into the evil data buffer sent to the target, the Metasploit framework must complete one more very important step: encoding.
The first task of the encoder module is to ensure that the "bad characters" that must be avoided during the exploit do not appear in the payload.
The second task of the encoder is to make the payload evade "killing", that is, to evade detection and blocking by anti-virus software, intrusion detection systems (IDS) and intrusion prevention systems (IPS).
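The first encoder task above reduces to a check that an encoder's output must pass: none of the forbidden byte values may appear anywhere in the buffer. The following Ruby script is an added example for this page, not Metasploit's own encoder code. It reports every bad byte with the offsets at which it occurs, and picks the first of several candidate buffers that is clean, which is how a developer verifies an encoding run. The bad-character set (NUL, line feed, carriage return) and both sample buffers are constructed for the example; the real set depends on how the vulnerable program handles its input.

```ruby
# Added example (not Metasploit code): auditing a buffer for the "bad characters"
# an exploit must avoid. The bad-character set and the sample buffers are
# constructed for the example.

# Returns a hash mapping each bad byte found to the list of offsets where it occurs.
# An empty hash means the buffer is clean.
def bad_char_report(data, badchars)
  bad = badchars.bytes.uniq
  report = Hash.new { |h, k| h[k] = [] }
  data.bytes.each_with_index do |b, i|
    report[b] << i if bad.include?(b)
  end
  report
end

def clean?(data, badchars)
  bad_char_report(data, badchars).empty?
end

# Picks the first candidate buffer (e.g. the outputs of successive encoders)
# that contains none of the bad characters, or nil if none qualifies.
def first_clean(candidates, badchars)
  candidates.find { |c| clean?(c, badchars) }
end

# Human-readable lines such as "0x00 at 2,6,7" for each offending byte value.
def format_report(data, badchars)
  bad_char_report(data, badchars).map do |b, offs|
    format("0x%02x at %s", b, offs.join(","))
  end
end

# Constructed samples: a typical bad-character set for a string-copy style bug
# (NUL terminator, line feed, carriage return), a raw buffer that violates it,
# and a second buffer built to contain none of those bytes.
BADCHARS = "\x00\x0a\x0d".b
RAW_BUFFER = "\x31\xc0\x00\x50\x0a\x68\x00\x00".b
ENCODED_BUFFER = "\x31\xc0\x50\x68\xd9\xee\xd9\x74".b

if __FILE__ == $0
  puts "raw:     #{format_report(RAW_BUFFER, BADCHARS).join('; ')}"
  puts "encoded: clean=#{clean?(ENCODED_BUFFER, BADCHARS)}"
  chosen = first_clean([RAW_BUFFER, ENCODED_BUFFER], BADCHARS)
  puts "chosen: #{chosen.equal?(ENCODED_BUFFER) ? 'encoded buffer' : 'raw buffer'}"
end
```

Reporting offsets rather than a yes/no answer matters in practice: a single stray byte tells the developer which part of the sequence (NOP region, decoder stub or encoded body) still needs attention.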
- Post-exploitation module
Post-exploitation modules mainly support the actions taken after an exploit has obtained remote control of the target system, carrying out various post-exploitation operations on the compromised host, such as gathering sensitive information, extending access further into the network, and using the host as a springboard for pivoting attacks.
Plug-ins
Plug-ins extend the framework's functionality, or assemble existing components into higher-level features. Plug-ins can also integrate existing external security tools, such as the Nessus and OpenVAS vulnerability scanners, and expose new functionality through the user interface.
Interfaces
The interfaces include the msfconsole console terminal, the msfcli command line, the msfgui graphical interface, the Armitage graphical interface, and the MSFAPI remote call interface.
Function programs
Besides accessing the framework's core functionality through the user interfaces, Metasploit provides a set of function programs that can be run directly, letting penetration testers and security staff quickly use the framework's internal capabilities for specific tasks. For example, msfpayload, msfencode and msfvenom can wrap payloads in many forms, such as executables, C source, JavaScript and various encodings.
The msf*scan series of function programs can search for specific instructions in various file types such as PE and ELF, helping exploit developers locate instruction addresses.
Metasploit Framework Introduction (i)