Metasploit framework

metasploitframework metasploitintro rpmetasploit metasploitexploitation meterpreter adventofcyber4

The Metasploit Framework is a penetration testing framework used to test the security of a system.

The scripts that exploit vulnerabilities (modules) are written in Ruby 💎, and a large library of them ships with the framework.

Learn 🎓

Scripts are divided into modules 📌

  • Auxiliary: modules that test whether an exploit applies (scanners, version checks) without delivering a payload
  • Payloads: the code delivered to the target once the exploit succeeds
    • Single/inline/stageless payloads: the whole payload is sent in one exchange
    • Staged payloads: a small stager is sent first and fetches the rest in a second exchange
    • See msfvenom for details and payload creation.
  • Exploits: code exploiting a vulnerability
  • Encoders/Evasion/NOPs: transform the payload (encoding, AV evasion, NOP sleds)
  • Post: scripts run on the target after a session has been obtained (post-exploitation)

msfconsole

shells_and_payloads

The msfconsole is the main interface of the Metasploit framework: it is used to search for and configure modules that exploit a vulnerability and, ultimately, spawn a remote shell, which may be a meterpreter shell.

$ msfconsole -q
msf6> help
msf6> help <command>
msf6> help help # example

You can list every command you have entered with history.

Each remote access is wrapped in a session.

You can also set options and run a module in one command (check works the same way):

exploit> run opt=value opt2=value [...]
exploit> check opt=value opt2=value [...]

meterpreter

The meterpreter is one of the components of the Metasploit framework. It's a reverse shell with common scripts loaded to make privilege escalation and post-exploitation easier.

It runs in memory and communicates over an encrypted channel. To upgrade a plain shell to a meterpreter session (note the session id shown when you background it), use:

# upgrade
msf6 exploit('module_used')> sessions -u -1
# kill the non-meterpreter session
msf6 exploit('module_used')> sessions -k old_session_id
# move to the meterpreter session
msf6 exploit('module_used')> sessions -i new_session_id
# done
meterpreter>

The commands available in the meterpreter depend on the payload that you used.

Call help to see what you can use with the current payload.

meterpreter > help # list commands that you can use

Common commands 🪴


Uncommon usages

Metasploit database

$ sudo systemctl start postgresql
$ sudo msfdb init
$ msfconsole -q
msf6> db_status
[*] Connected to msf. Connection type: postgresql.

You can export the database contents with: db_export -f xml db.xml.


workspaces

To keep things clean and tidy, create a workspace per engagement so that results from different scans don't get mixed up.

msf6> workspace # list workspaces
msf6> workspace -a xxx # create xxx
msf6> workspace xxx # move to xxx
msf6> workspace -d xxx # delete xxx

port scanner

The command db_nmap runs nmap with the given arguments and stores the results in the database, so you will have to set up the Metasploit database first.

msf6> db_nmap -sV -p- -A IP
msf6> db_import nmap_result.xml # or, load scan result
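The file that db_import ingests is nmap's -oX output. As an added example that is not part of these notes or of Metasploit itself, the Ruby script below parses such a file with REXML (standard library) and extracts the host and service records that end up in the hosts and services tables, so you can check what a scan actually found before importing it. The nmap output embedded in it is a constructed sample; the element and attribute names used (nmaprun, host, status, address, hostnames, ports, port, state, service) are those of nmap's XML format.

```ruby
# Added example (not part of the original notes or of Metasploit): read nmap
# -oX output and extract the host/service records that `db_import` stores.
require 'rexml/document'

# Constructed sample of nmap XML output: two hosts, one up with three ports,
# one down. Addresses, hostnames and banners are made up for this example.
SAMPLE_NMAP_XML = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.0/29" start="0" version="7.94">
    <host>
      <status state="up" reason="echo-reply"/>
      <address addr="192.0.2.10" addrtype="ipv4"/>
      <hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
      <ports>
        <port protocol="tcp" portid="22">
          <state state="open" reason="syn-ack"/>
          <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
        </port>
        <port protocol="tcp" portid="80">
          <state state="open" reason="syn-ack"/>
          <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/>
        </port>
        <port protocol="tcp" portid="3306">
          <state state="filtered" reason="no-response"/>
          <service name="mysql" method="table" conf="3"/>
        </port>
      </ports>
    </host>
    <host>
      <status state="down" reason="no-response"/>
      <address addr="192.0.2.11" addrtype="ipv4"/>
    </host>
  </nmaprun>
XML

# One record per port, mirroring the columns of msfconsole's `services` table.
Service = Struct.new(:host, :hostname, :port, :proto, :state, :name, :info)

# Attribute `name` of the first element matching `xpath` under `node`, or nil.
def attr_of(node, xpath, name)
  el = node.elements[xpath]
  el && el.attributes[name]
end

# Parse nmap XML into an array of hosts, each with its list of services.
def parse_nmap_xml(xml)
  doc = REXML::Document.new(xml)
  hosts = []
  doc.elements.each('nmaprun/host') do |host|
    addr = attr_of(host, "address[@addrtype='ipv4']", 'addr')
    hostname = attr_of(host, 'hostnames/hostname', 'name')
    services = []
    host.elements.each('ports/port') do |port|
      svc = port.elements['service']
      # Product and version become the "info" column, as db_import does.
      info = svc ? [svc.attributes['product'], svc.attributes['version']].compact.join(' ') : ''
      services << Service.new(addr, hostname,
                              port.attributes['portid'].to_i,
                              port.attributes['protocol'],
                              attr_of(port, 'state', 'state'),
                              svc && svc.attributes['name'],
                              info)
    end
    hosts << { address: addr, name: hostname,
               state: attr_of(host, 'status', 'state'), services: services }
  end
  hosts
end

# Keep only open ports on live hosts: db_import stores everything, this is the
# view `services -u` gives you afterwards.
def open_services(hosts)
  hosts.select { |h| h[:state] == 'up' }
       .flat_map { |h| h[:services] }
       .select { |s| s.state == 'open' }
end

if $PROGRAM_NAME == __FILE__
  hosts = parse_nmap_xml(SAMPLE_NMAP_XML)
  puts format('%-15s %-6s %-5s %-8s %s', 'host', 'port', 'proto', 'name', 'info')
  open_services(hosts).each do |s|
    puts format('%-15s %-6d %-5s %-8s %s', s.host, s.port, s.proto, s.name, s.info)
  end
end
```

Replace SAMPLE_NMAP_XML with File.read('nmap_result.xml') to run it on a real scan; filtered ports and down hosts are kept by parse_nmap_xml and only dropped by open_services, so you can still see what the scanner could not reach.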

banner grabbing

msf6> use auxiliary/scanner/http/http_version # HTTP

SQL utility

msf6> use auxiliary/scanner/mysql/mysql_schemadump # dump tables+columns
msf6> use auxiliary/scanner/mysql/mysql_hashdump # dump users+hashes
msf6> use auxiliary/admin/mysql/mysql_sql # send SQL queries
msf6> use auxiliary/scanner/postgres/postgres_schemadump # same for PostgreSQL
msf6> use auxiliary/admin/postgres/postgres_sql # same for PostgreSQL

nessus

The msfconsole can be used alongside Nessus. See this tutorial and these tips. Note that you need to start the Metasploit database first.

msf6> load nessus
msf6> nessus_help # list commands
msf6> # Connect
msf6> nessus_connect user:pass@localhost:8834
msf6> # List the scans that you did
msf6> nessus_scan_list
msf6> # Import the result of a scan
msf6> nessus_db_import id_you_found_in_the_list

Useful commands

Once something is stored in the database (nmap, Nessus, ...), these commands operate on the saved data:

msf6> help hosts
msf6> help services
msf6> help vulns
msf6> help creds
msf6> help loot

👻 To-do 👻

Stuff that I found but have never read/used yet.

  • Commands:
    • Jobs are cancellable processes (kill): run -j, jobs, jobs -i 0
    • exploit -k -z
  • get xxx
  • spool
  • run autoroute -h (autoroute module)
    • socks
    • proxychains
    • set PROXIES HTTP:127.0.0.1:8080
  • show advanced options, advanced
  • search type:exploit platform:windows target:xp smb
  • exploit/windows/smb/ms08_067_netapi
  • multi/ssh/sshexec

You can prefix any command with grep to filter its output lines, and chain filters: grep x grep y <command>.

  • Meterpreter: steal_token <pid>
  • Hashdump not working on some Windows versions: load kiwi, then lsa_dump_sam does the job. See also: lsa_dump_secrets.
  • Plugins: /usr/share/metasploit-framework/plugins
  • use /path/to/xxx.rb (tested: relative to exploit)