Create a Budget-Friendly Virtual Private Server with a Metasploit Instance

Whether a requirement for anonymity arises during a penetration test or simply to stand up another Metasploit instance, we can do so easily with VPS providers such as Digital Ocean, Amazon Elastic Cloud and Google Cloud. In this post, I am going to walk through the process of setting up Metasploit on a Digital Ocean Droplet (i.e., server instance). This is more for my own documentation purposes but hopefully will help alleviate a few problems that I ran into for others.

Register for DO VPS Service

First things first, we need to get our VPS instance by signing up with a provider. In this case, we are using Digital Ocean. The subscription plans are as follows:

I went with the $5 plan and assumed it would be adequate to run a Metasploit handler. Although, there were some issues with MSF and using more memory than allocated by the DO server plan. That was resolvable, and I will discuss that shortly.

Next we need to build our droplet. Essentially, this is what DO calls the virtual server instance. I am not going to go into details about how to configure an Ubuntu 14.04 server as there are plenty of tutorials online. I will show you how simple it is to select the type of server and initiate the droplet creation process.

At this point, we select our plan and name the droplet. Easy enough. If we scroll further on down on the “Create Droplet” webpage, we see that we can select our operating system. Clicking on the OS will provide a number of different Ubuntu versions. I have chosen the 14.04 x64 version for this demonstration.

Also note that there is an “Applications” tab that can be used to install various applications such as LAMP stacks and NODE.JS. We are trying to keep the server lean and mean, so we can skip that.

Once we have the operating system installed, which is literally unattended and automatic, the server can be configured using the root account. The root password is dynamically generated and emailed to the email address that was provided upon registration. If that doesn’t happen, navigate to the following tab and initiate a password reset.

The Ubuntu server can be accessed through the console access tab (i.e., VNC connectivity) or we can SSH directly to it, but note that the instance is wide open and not protected by a firewall, so all services are exposed at this point.

Install the Metasploit Framework

With our newly acquired Ubuntu VPS root access, we can now install the Metasploit Community Edition, but first we need to make sure that an appropriate version of Ruby and Rails is installed on the server. I recommend using the Ruby Version Manager (RVM) so that we can leverage multiple versions of Ruby and Rails on the same system. The following command can be used to install RVM.

root@packetresearch:# \curl -L https://get.rvm.io | bash -s stable

If an error is presented about not being able to find or verify the signing key, run the following command to import the key:

root@packetresearch:# command curl -sSL https://rvm.io/mpapis.asc | gpg --import -

At this point you may need to close the current shell and launch a new one to make sure RVM loads. We will also want to run the following command to pull down any additional dependencies required for RVM.

root@packetresearch:~# rvm requirement

We can make sure that RVM is ready to use by checking the version as follows:

root@packetresearch:~# rvm --version

rvm 1.26.9 (master) by Wayne E. Seguin , Michal Papis [https://rvm.io/]

Now we are ready to leverage RVM to install the Ruby, Rubygems and Rails. The following screenshot provides the process to:

• Install a ruby version. (i.e., version 1.9.3)
• Create a gemset for Rails version 3. Note: Gemsets are an easy way to install multiple versions of Rails to be used with a specific version of Ruby. For example, we could install “gemset Rails3” and “gemset Rails2” and quickly switch to the specified version using “rvm use 1.9.3@”
• Associate the Rails version with the specific Ruby version. (i.e., Ruby 1.9.3 and Rails3)
• Install Rails. In our example, I have installed without docs to keep the install size to a minimum.

Finally, we have reached the point were we can install Metasploit using the binary installer as follows:

If everything has gone well, we should have a final installation message like the following:

First Attempt at Running MSF (FAIL)

Now type “msfconsole”, and you should get a glorious stacktrace reassuring us that we must have done something wrong.

If we look closely at the trace, it has the following line indicating that the server could not allocate enough memory.

Cannot allocate memory - infocmp -C (Errno::ENOMEM)

I was skeptical about this, so I went digging and started increasing DO VPS plans until I got to the 2GB memory option. Sure enough, the msfconsole loaded without a problem.

Fix the Problem and Load the Console

Now, I didn’t really want to pay for the 2GB a month plan (sorry, DO), so I set out to solve the low memory issue. Not too difficult at all. It is actually well documented on DO’s website.

Essentially, DO uses Solid State Drives, which have very high seek rates and paging is much faster than traditional hard drives. We can leverage this fact to create larger swap file space and tell the server to use that when we run out of the 512MB of memory statically allocated to our Ubuntu instance. The downside is that it dynamically reduces the amount of actual SSD drive space at times of heavy memory usage.

In order to add another gigabyte of memory, we will create a dedicated swap file. The following screenshot provides the necessary steps, but we are:

• Creating a swap image within the /var folder.
• Setting restrictive 600 permissions.
• Writing zeros to the swap.img file within the capacity of 1GB.
• Declaring that our new swap.img is to be used as swap.
• Enabling swap so that it is used each time our system boots.

The last invocation of the “free” command should now show that we have approximately 1GB of swap space.

No better time than the present to retry the msfconsole and see if things load correctly.

Success! Now all that is left is to register the Metasploit instance with Rapid7 so that plugin updates are kept current.

Conclusion

Digital Ocean provides a very nice VPS platform and makes standing up servers quick and painless. As penetration testers performing covert engagements such as FishNet Security’s Breach Assessment, it makes standing up reverse multi-handlers very efficient. Overall, I hope this post finds it to a reader that needs help solving the out of memory issue and also provides a simple guide to setting up a VPS image. As always, please ping me with any questions or comments.