Metasploit
yup, this who page is just for it :3
Last updated
yup, this who page is just for it :3
Last updated
msfconsole
to start it
Command | Description |
---|---|
multi/handler
to catch shells from msfvenom
windows/smb/ms17_010_psexec
EternalBlue (scan with auxiliary/scanner/smb/smb_ms17_010
)
post/multi/recon/local_exploit_suggester
After successful shell, suggests possible exploits
For example, find it from searchsploit
:
the script has a metasploit module but it's not included by default so we have to import it
The critical folders are also symlinked in our home and root folders in the hidden ~/.msf4/
location.
Always use snake-case, alphanumeric characters, and underscores instead of dashes.
To write a custom script all necessary information about Metasploit Ruby coding can be found on the Rubydoc.info Metasploit Framework related page.
The table below contains the most common payloads used for Windows machines and their respective descriptions.
Shikata Ga Nai (SGN
) is one of the most utilized Encoding schemes today because it is so hard to detect that payloads encoded through its mechanism are not universally undetectable anymore. Far from it. The name (仕方がない
) means It cannot be helped
or Nothing can be done about it
, and rightfully so if we were reading this a few years ago. However, there are other methodologies we will explore to evade protection systems. This article from FireEye details the why and the how of Shikata Ga Nai's previous rule over the other encoders.
Flags to add encoding for msfvenom
-b
for bad bytes
-e
encoding
For msfconsole
:
If we were to encode an executable payload only once with SGN, it would most likely be detected by most antiviruses today. Let's delve into that for a moment.
Iterating encoders: -i 10
Metasploit supports PostgreSQL by default.
Check status:
Configure if not already present:
You can import XML (preferably) nmap outputs:
Or scan directly from inside msfconsole:
See saved target hosts:
See discovered services:
After finishing the session, make sure to back up our data if anything happens with the PostgreSQL service. To do so, use the db_export
command.
The loot
command works in conjunction with the command above to offer you an at-a-glance list of owned services and users. The loot, in this case, refers to hash dumps from different system types, namely hashes, passwd, shadow, and more.
Listed in /usr/share/metasploit-framework/plugins
Loading plugins (example with nessus):
Afterward, launch msfconsole
and check the plugin's installation by running the load
command. After the plugin has been loaded, the help menu
at the msfconsole
is automatically extended by additional functions.
Many people write many different plugins for the Metasploit framework. They all have a specific purpose and can be an excellent help to save time after familiarizing ourselves with them. Check out the list of popular plugins below:
To change out of the current meterpreter (or other stages) session use:
List with:
Switch to session ID with:
post
modules often require to specify a session in the options
If, for example, we are running an active exploit under a specific port and need this port for a different module, we cannot simply terminate the session using [CTRL] + [C]
. If we did that, we would see that the port would still be in use, affecting our use of the new module. So instead, we would need to use the jobs
command to look at the currently active tasks running in the background and terminate the old ones to free up the port.
When we run an exploit, we can run it as a job by typing exploit -j
. Per the help menu for the exploit
command, adding -j
to our command. Instead of just exploit
or run
, will "run it in the context of a job."
Listing running jobs:
Use the jobs -K
command to kill all running jobs. or kill [index no.]
to kill a specific one
search exploit <term>
Searches for the term in the exploits
use <exploit_path>
Selects the exploit to use (or use the number after a search)
show options
Shows the selected exploit's options
set <variable> <value>
Sets the option's value
check
Checks if the server is vulnerable
exploit
Runs the exploit
Payload
Description
generic/custom
Generic listener, multi-use
generic/shell_bind_tcp
Generic listener, multi-use, normal shell, TCP connection binding
generic/shell_reverse_tcp
Generic listener, multi-use, normal shell, reverse TCP connection
windows/x64/exec
Executes an arbitrary command (Windows x64)
windows/x64/loadlibrary
Loads an arbitrary x64 library path
windows/x64/messagebox
Spawns a dialog via MessageBox using a customizable title, text & icon
windows/x64/shell_reverse_tcp
Normal shell, single payload, reverse TCP connection
windows/x64/shell/reverse_tcp
Normal shell, stager + stage, reverse TCP connection
windows/x64/shell/bind_ipv6_tcp
Normal shell, stager + stage, IPv6 Bind TCP stager
windows/x64/meterpreter/$
Meterpreter payload + varieties above
windows/x64/powershell/$
Interactive PowerShell sessions + varieties above
windows/x64/vncinject/$
VNC Server (Reflective Injection) + varieties above