In this section, we will discuss how to gain access to any computing device, such as a phone, laptop, or TV. This enables us to set up a web server and make our computer or laptop work like a TV or anything else we wish.
Server-side Attacks
These attacks can be used against web servers and do not necessarily require user interaction. When we attack a web server, we can access the IP address that the web server has and get all the information on that particular target. For this purpose, we will use our Metasploitable device as the target, make it work as a website, and then launch attacks on computers or websites that we can ping. We can launch server-side attacks if we can ping the IP.
The simplest way to do this is with Zenmap. The Zenmap application can test any IP we want. Since we are using a Metasploitable device as our target, we will go to Scan and check the list of all applications. In the same window, navigate to the Nmap Output tab to see the open ports and services. We can look up the details of each service on Google.
Metasploit basics
Metasploit is an impactful exploit execution and penetration testing tool created by the company Rapid7. It comes with a large number of exploits that can be used as they are, and users can also create their own custom exploits.
Some of the basic commands in Metasploit are:
Msfconsole - The most popular interface to the Metasploit framework. It is used to run and access all options within the MSF program.
Show - This command shows the available auxiliaries and payloads.
Help - This command gives information on commands and how to use them.
Use - This command lets us use something that we selected. For example, with this command we can select a certain exploit to run.
Set - This command is used to set options for an exploit.
Exploit - After we are done configuring, this command executes the exploit.
Exploiting a Code Execution Vulnerability
A code execution vulnerability can be exploited to gain access to a computer. For this purpose, Metasploit is used to exploit an existing weakness in a particular service. The first step is to open Metasploit. We then run msfconsole, and by using the 'use' command along with a particular exploit, we can see its options displayed as the output.
The flaws in the target system let us run small pieces of code, also called payloads. We need to create a payload, and different payloads can be used if needed. After that, we run the payload on the target computer by exploiting the loophole that we found. The two main types of payloads are bind payloads and reverse payloads.
Installing MSFC
Metasploit Unleashed (MSFC) is a GUI built on Metasploit that offers some additional features apart from exploiting vulnerabilities.
Using the following link, you can download the Metasploit service:
https://www.rapid7.com/products/metasploit/metasploit-community-registration.jsp
After that, finish the installation process, which is roughly five steps long. Once it is installed, it prompts the user to enter a username and password. When we finish this process, we can smoothly run the Metasploit service, which is installed as a web server.
To use the Metasploit community, we can run the following command in Linux:
root@kali:~/Desktop# service metasploit start