# Metasploit

* `msfconsole` to start it

| Command                  | Description                                                    |
| ------------------------ | -------------------------------------------------------------- |
| `search exploit <term>`  | Searches for the term in the exploits                          |
| `use <exploit_path>`     | Selects the exploit to use (or use the number after a search)  |
| `show options`           | Shows the selected exploit's options                           |
| `set <variable> <value>` | Sets the option's value                                        |
| `check`                  | Checks if the server is vulnerable                             |
| `exploit`                | Runs the exploit                                               |

## Useful exploits

* `multi/handler` to catch shells from msfvenom
* `windows/smb/ms17_010_psexec` EternalBlue (scan with `auxiliary/scanner/smb/smb_ms17_010`)
* `post/multi/recon/local_exploit_suggester` After successful shell, suggests possible exploits
* `multi/manage/shell_to_meterpreter` Upgrade generic shell to meterpreter, more [here](https://docs.metasploit.com/docs/pentesting/metasploit-guide-upgrading-shells-to-meterpreter.html)

## Adding exploits to msfconsole

For example, find it from `searchsploit`:

```
searchsploit Lightweight Facebook-styled blog 1.3
```

The script has a [Metasploit module](https://www.exploit-db.com/exploits/50064), but it is not shipped with the framework by default, so we have to import it:

```
cd /usr/share/metasploit-framework/modules/exploits
# optionally mkdir php
searchsploit -m php/webapps/50064.rb

msfconsole -m /usr/share/metasploit-framework/modules/
# OR from metasploit
msf6> loadpath /usr/share/metasploit-framework/modules/
# OR
msf6> reload_all
```

The module folders are also symlinked from the hidden `~/.msf4/` directory in both the user's and root's home, so a module dropped under `~/.msf4/modules/` is picked up as well.

{% hint style="info" %}
Always use snake-case, alphanumeric characters, and underscores instead of dashes.
{% endhint %}

To write a custom script all necessary information about Metasploit Ruby coding can be found on the [Rubydoc.info Metasploit Framework](https://www.rubydoc.info/github/rapid7/metasploit-framework) related page.

## Search

```shell-session
help search
```

```shell-session
search type:exploit platform:windows cve:2021 rank:excellent microsoft
```

### GREP

```shell-session
grep meterpreter show payloads
```

```shell-session
grep meterpreter grep reverse_tcp show payloads
```

## Payload Types

The table below contains the most common payloads used for Windows machines and their respective descriptions.

| **Payload**                       | **Description**                                                        |
| --------------------------------- | ---------------------------------------------------------------------- |
| `generic/custom`                  | Generic listener, multi-use                                            |
| `generic/shell_bind_tcp`          | Generic listener, multi-use, normal shell, TCP connection binding      |
| `generic/shell_reverse_tcp`       | Generic listener, multi-use, normal shell, reverse TCP connection      |
| `windows/x64/exec`                | Executes an arbitrary command (Windows x64)                            |
| `windows/x64/loadlibrary`         | Loads an arbitrary x64 library path                                    |
| `windows/x64/messagebox`          | Spawns a dialog via MessageBox using a customizable title, text & icon |
| `windows/x64/shell_reverse_tcp`   | Normal shell, single payload, reverse TCP connection                   |
| `windows/x64/shell/reverse_tcp`   | Normal shell, stager + stage, reverse TCP connection                   |
| `windows/x64/shell/bind_ipv6_tcp` | Normal shell, stager + stage, IPv6 Bind TCP stager                     |
| `windows/x64/meterpreter/$`       | Meterpreter payload + varieties above                                  |
| `windows/x64/powershell/$`        | Interactive PowerShell sessions + varieties above                      |
| `windows/x64/vncinject/$`         | VNC Server (Reflective Injection) + varieties above                    |

## Encoders

Shikata Ga Nai (`SGN`) was for years one of the most used encoders because its output was so hard to detect; that is no longer the case, and payloads encoded with it are far from universally undetectable today. The name (`仕方がない`) means `It cannot be helped` or `Nothing can be done about it`, which was fitting a few years ago. Other techniques for evading protection systems are covered elsewhere. [This article from FireEye](https://www.fireeye.com/blog/threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html) details the why and the how of Shikata Ga Nai's former dominance over the other encoders.

Flags to add encoding for `msfvenom`:

```shell-session
-b "\x00" -e x86/shikata_ga_nai
```

* `-b` bad bytes that must not appear in the output (here the null byte)
* `-e` encoder to use

For `msfconsole`:

```
show encoders
```

{% hint style="warning" %}
If we encode an executable payload only once with SGN, it will most likely be detected by most antivirus products today.
{% endhint %}

Run the encoder several times over its own output with `-i <count>`, e.g. `-i 10`.

## Databases

Metasploit supports PostgreSQL by default.

Check status:

```bash
sudo msfdb status
```

Configure if not already present:

```bash
sudo service postgresql status
sudo systemctl start postgresql
sudo msfdb init
```

### Workspaces

```shell-session
workspace -a Target_1
workspace Target_1 
workspace
```

```
workspace -h
```

### Importing nmap scans

You can import XML (preferably) nmap outputs:

```shell-session
db_import Target.xml
```

Or scan directly from inside msfconsole:

```shell-session
db_nmap -sV -sS 10.10.10.8
```

See saved target hosts:

```shell-session
hosts
```

See discovered services:

```shell-session
services
```
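To see what `db_import` pulls out of an nmap XML file and what `hosts` / `services` then list, here is an added example (not the page's or Metasploit's own import code) that parses the same `-oX` structure with Ruby's standard-library REXML. `SAMPLE_NMAP_XML` is a constructed scan result, not real output, and the `Host`/`Service` structs and function names are this example's own.

```ruby
# Added example: minimal nmap -oX parser mirroring what `hosts` and `services`
# show after `db_import Target.xml`. Not part of the original page.
require "rexml/document"

Host    = Struct.new(:address, :name, :os, :services)
Service = Struct.new(:host, :port, :proto, :state, :name, :info)

# Constructed sample (not a real scan): one host, two open ports, one closed.
SAMPLE_NMAP_XML = <<~XML
  <?xml version="1.0"?>
  <nmaprun scanner="nmap" args="nmap -sV -sS -oX Target.xml 10.10.10.8">
    <host>
      <status state="up"/>
      <address addr="10.10.10.8" addrtype="ipv4"/>
      <hostnames><hostname name="target.local" type="PTR"/></hostnames>
      <ports>
        <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.41"/></port>
        <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
        <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
      </ports>
      <os><osmatch name="Linux 4.15 - 5.6"/></os>
    </host>
  </nmaprun>
XML

# Attribute lookup that tolerates a missing element.
def attr_of(el, name)
  el && el.attributes[name]
end

# Parse nmap XML text into an array of Host structs.
def parse_nmap_xml(xml)
  doc = REXML::Document.new(xml)
  hosts = []
  doc.elements.each("nmaprun/host") do |h|
    ipv4 = h.elements.to_a("address").find { |a| a.attributes["addrtype"] == "ipv4" }
    addr = attr_of(ipv4, "addr")
    services = []
    h.elements.each("ports/port") do |p|
      svc  = p.elements["service"]
      info = [attr_of(svc, "product"), attr_of(svc, "version")].compact.join(" ")
      services << Service.new(addr, p.attributes["portid"].to_i, p.attributes["protocol"],
                              attr_of(p.elements["state"], "state"), attr_of(svc, "name"), info)
    end
    hosts << Host.new(addr, attr_of(h.elements["hostnames/hostname"], "name"),
                      attr_of(h.elements["os/osmatch"], "name"), services)
  end
  hosts
end

# Open services only, in port order, like the `services` listing you act on.
def open_services(hosts)
  hosts.flat_map(&:services).select { |s| s.state == "open" }.sort_by { |s| [s.host, s.port] }
end

if __FILE__ == $PROGRAM_NAME
  xml = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_NMAP_XML
  hosts = parse_nmap_xml(xml)
  hosts.each { |h| puts format("%-15s %-20s %s", h.address, h.name, h.os) }
  open_services(hosts).each { |s| puts format("%-15s %5d/%s %-14s %s", s.host, s.port, s.proto, s.name, s.info) }
end
```

Closed ports are parsed but filtered by `open_services`, which is the view you want before picking a module; keeping the full list around is still useful when a later scan changes a port's state.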

### Save Found Credentials

```shell-session
creds -h
```

## Backup data

After finishing the session, back up the data in case anything happens to the PostgreSQL service. To do so, use the `db_export` command.

```shell-session
db_export -f xml backup.xml
```

## Loot

The `loot` command works alongside the `creds` command above to give an at-a-glance list of what has been collected from owned services and users. Loot here refers to hash dumps from different system types, namely hashes, passwd, shadow, and more.

```
loot -h
```

## Plugins

Listed in `/usr/share/metasploit-framework/plugins`

Loading plugins (example with nessus):

```shell-session
load nessus
nessus_help
```

### Installing new plugins

```shell-session
git clone https://github.com/darkoperator/Metasploit-Plugins
sudo cp ./Metasploit-Plugins/pentest.rb /usr/share/metasploit-framework/plugins/pentest.rb
```

Afterward, launch `msfconsole` and verify the installation by running `load pentest`. Once the plugin is loaded, the `msfconsole` help menu is automatically extended with the plugin's additional commands.

### Some plugins

Many people write many different plugins for the Metasploit framework. They all have a specific purpose and can be an excellent help to save time after familiarizing ourselves with them. Check out the list of popular plugins below:

|                                                                                                                     |                                                                                                                                     |                                                                                                                 |
| ------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------- |
| [nMap (pre-installed)](https://nmap.org)                                                                            | [NexPose (pre-installed)](https://sectools.org/tool/nexpose/)                                                                       | [Nessus (pre-installed)](https://www.tenable.com/products/nessus)                                               |
| [Mimikatz (pre-installed V.1)](http://blog.gentilkiwi.com/mimikatz)                                                 | [Stdapi (pre-installed)](https://www.rubydoc.info/github/rapid7/metasploit-framework/Rex/Post/Meterpreter/Extensions/Stdapi/Stdapi) | [Railgun](https://github.com/rapid7/metasploit-framework/wiki/How-to-use-Railgun-for-Windows-post-exploitation) |
| [Priv](https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/post/meterpreter/extensions/priv/priv.rb) | [Incognito (pre-installed)](https://www.offensive-security.com/metasploit-unleashed/fun-incognito/)                                 | [Darkoperator's](https://github.com/darkoperator/Metasploit-Plugins)                                            |

## Sessions

To change out of the current meterpreter (or other stages) session use:

```
background
```

List with:

```
sessions
```

Switch to session ID with:

```shell-session
sessions -i <Number>
```

`post` modules usually require a session to be specified in their options (`set SESSION <id>`).

## Jobs

If, for example, we are running an active exploit under a specific port and need this port for a different module, we cannot simply terminate the session using `[CTRL] + [C]`. If we did that, we would see that the port would still be in use, affecting our use of the new module. So instead, we would need to use the `jobs` command to look at the currently active tasks running in the background and terminate the old ones to free up the port.

```shell-session
jobs -h
```

When we run an exploit, we can run it as a job by typing `exploit -j`. Per the help menu for the `exploit` command, adding `-j` instead of plain `exploit` or `run` will "run it in the context of a job."

```shell-session
exploit -h
```

Listing running jobs:

```shell-session
jobs -l
```

Use `jobs -K` to kill all running jobs, or `kill <index>` to kill a specific one.

## Useful meterpreter commands

```shell-session
hashdump            # dump local account hashes from the SAM
load kiwi           # the lsa_dump_* commands come from the kiwi (Mimikatz) extension
lsa_dump_sam
lsa_dump_secrets
```
