Implementing Scripts in Metasploit (Proof of Concept)
1. Introduction and Objectives
In this article, we will demonstrate how we can implement Ruby-written scripts in the Metasploit Framework, in order to subsequently utilize them in our cybersecurity audits. It’s worth noting that when we refer to ‘scripts,’ we are talking about various tools, whether they are exploits, auxiliary modules, or any other type.
2. Metasploit & Ruby
Ruby is a dynamic, object-oriented, open-source programming language focused on simplicity and productivity.
The significance of this language within Metasploit is evident, as we can see in the following image, the entire core of the Metasploit framework is developed in Ruby. This can be observed in the installation directory, where we can find all the tools that comprise the framework.
Before delving into the objectives of this article, let’s briefly touch upon some programming concepts in this language.
If we discuss the concept of “Instances” in Ruby, we can say that their main function is to use previously created classes. So, after creating a class, if we want to invoke it, we must make that call through an instance as follows:
- call = clasecreada.new
This is read as “call” is a “new object” of the “createdclass” class. Therefore, “call” is said to be an instance of the “createdclass” class. It’s now an object and, of course, also a variable that stores an object of the “createdclass” class. In this context, “new” is used to indicate that the “createdclass” class creates a new object, which must be stored somewhere. So, “call” is a variable that stores this “new createdclass,” which is why this action defines “call” as an object.
Furthermore, when creating a new object of “createdclass” named “call,” Interactive Ruby (IRB) assigns a unique “id” identifier to ensure that the new “createdclass” objects are not replaced with each other when they are instantiated.
If we talk about an instance variable, we can say that it has a name that starts with ‘@’, and its usage is limited to the object it references, which is “self.” Thus, it’s important to clarify that two different objects belonging to the same class can have different values in their instance variables. From outside the object, instance variables cannot be altered or observed since, in Ruby, instance variables are not public.
With these concepts clarified, we can now move on to the next point, where we will proceed to create a Ruby script for its subsequent implementation in the Metasploit framework.
3. Scripting and Implementation in Metasploit
a) Creating a Ruby Script
First, let’s create a small script in “ruby” that, when executed, will give us a reverse shell from the victim machine. You can see the script below.
b) Execution of the script manually
Here we can see how, with the attacker machine set to IP 192.168.238.130 and port 6000 listening, upon executing the script on the victim machine (which, in this case, is the same), it returns its command shell without any issues.
As the PoC is being conducted on the same machine, it’s evident that both the attacker and victim IP addresses are the same.
c) Implementing the Script in Metasploit
Having successfully programmed the previous script, let’s now make the necessary modifications to implement it in Metasploit.
In order to execute the code defined in the “run” function directly, we will implement it as an “Auxiliary” using modules of the “Exploit” type. If we were to implement it differently, when configuring the attack in Metasploit, we would be prompted to assign other variables like payloads, among other things. This could complicate the execution to some extent.
As seen in the following image, where the script has been migrated to Metasploit, we’ve included “Exploit” type modules to make use of functions like “connect,” among others.
Subsequently, following the standard structure of a Metasploit script, we define the script information as well as the registered variables (RPORT) and unregistered variables (RHOST). Finally, we define the “run” function, where we’ll place our source code to receive the reverse shell from the victim machine.
Here we can see how we’ve completed the script, which we named “script.rb,” and proceed to place it in ‘/usr/share/metasploit-framework/modules/auxiliary’.
d) Starting Metasploit
At this point, we start “Metasploit” and can observe that it doesn’t show any errors. This indicates that we have created the script correctly and that it’s loaded properly for use and execution within Metasploit.
e) Configuration and Execution of the Script
Without further ado, let’s “use” it and call the “info” command to see the description and configuration of the script.
Once we’ve studied the script, we move on to configuring it for subsequent execution. To do this, we input the IP of the attacking machine in the RHOST field. The attacking machine will be listening on port 6000, waiting for the victim machine to connect and provide its command shell.
Once the script is configured and launched, we can observe how we have indeed successfully received the command shell from the victim machine.
In this article, we have briefly explored how to implement a Ruby script within the Metasploit framework and subsequently execute it through the platform.
This approach allows us to integrate exploits or other tools into Metasploit for use in our audits, harnessing the power and versatility the framework provides to conduct various offensive operations exercises.
If you’re interested in gaining introductory knowledge about Metasploit, you can enroll in our basic ethical hacking course. Conversely, if you prefer to acquire more advanced knowledge in offensive cybersecurity, you can opt for our advanced course.