Metasploit framework
The Metasploit Framework is a penetration testing framework that you can use to test a system.
Scripts to exploit vulnerabilities are written in Ruby. There are many scripts already available.
Learn
Scripts are divided into modules:
- Auxiliary: test the availability of an exploit
- Payloads: the data sent to perform the attack
  - Single/inline/stageless payloads (1 exchange)
  - Staged payloads (2 exchanges)
  - See msfvenom for details and payload creation.
- Exploits: code exploiting a vulnerability
- Encoders/Evasion/NOPs
- Post: scripts that you can use once on the target
msfconsole
The msfconsole is a component of the metasploit framework used to search for and configure modules to exploit a vulnerability and, eventually, spawn a remote shell, which may be a meterpreter shell.
$ msfconsole -q
msf6> help
msf6> help <command>
msf6> help help # example
You can see every command you used with history.
- Searching exploits (search)
- Learn about an exploit (info)
- Select an exploit (use, back)
- Configure an exploit (options, show, set, setg, unset)
- Execute an exploit (run/exploit, check)
Each remote access is wrapped in a session.
You can also configure and execute an exploit in one go:
exploit> run opt=value opt2=value [...]
exploit> check opt=value opt2=value [...]
meterpreter
The meterpreter is one of the components of the metasploit framework. It's a reverse shell with common scripts loaded to make privilege escalation and post-exploitation easier.
It's an in-memory reverse shell using encrypted communications. To upgrade a normal shell (note down the session id when using background), use:
# upgrade
msf6 exploit('module_used')> sessions -u -1
# kill the non-meterpreter session
msf6 exploit('module_used')> sessions -k old_session_id
# move to the meterpreter session
msf6 exploit('module_used')> sessions -i new_session_id
# done
meterpreter>
Commands that you can use in the meterpreter are different based on the payload that you used.
Call help
to see what you can use given the current payload.
meterpreter > help # list commands that you can use
Common commands
Uncommon usages
Metasploit database
$ sudo systemctl start postgresql
$ sudo msfdb init
$ msfconsole -q
msf6> db_status
[*] Connected to msf. Connection type: postgresql.
You can export results using: db_export -f xml db.xml.
workspaces
To keep things clean and tidy, it's better to create a workspace, so that results from other scans don't get mixed up.
msf6> workspace # list workspaces
msf6> workspace -a xxx # create xxx
msf6> workspace xxx # move to xxx
msf6> workspace -d xxx # delete xxx
port scanner
The command db_nmap is the same as nmap, except that the results are stored in the metasploit database. You will have to set up the metasploit database first.
msf6> db_nmap -sV -p- -A IP
msf6> db_import nmap_result.xml # or, load scan result
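The workflow above (create a workspace, scan with db_nmap, select and configure a module, run it, export the database) can also be replayed non-interactively from a resource script passed to msfconsole -r. The following script is an added example and not part of the original notes: it generates such a resource script, counts the commands it contains, and only invokes msfconsole if it is installed. The workspace name, the output path and the host 192.0.2.10 (an RFC 5737 documentation address) are constructed placeholders; the module auxiliary/scanner/http/http_version and its RHOSTS/THREADS options are real.

```shell
#!/bin/sh
# Added example (not from the original notes): build a Metasploit resource
# script (.rc) that replays the workspace / db_nmap / use / set / run /
# db_export sequence, so a scan can be run as `msfconsole -q -r file.rc`.

# make_rc WORKSPACE TARGET OUTFILE
# Writes one msfconsole command per line and prints the path of the file.
# The workspace keeps this scan's hosts and services apart from other scans;
# `exit` at the end makes msfconsole quit instead of dropping to a prompt.
make_rc() {
  ws="$1"; target="$2"; out="$3"
  cat > "$out" <<EOF
workspace -a $ws
workspace $ws
db_nmap -sV -p 80 $target
use auxiliary/scanner/http/http_version
set RHOSTS $target
set THREADS 1
run
db_export -f xml $ws.xml
exit
EOF
  printf '%s\n' "$out"
}

# rc_line_count FILE
# Number of commands in the resource script (blank and '#' lines ignored).
rc_line_count() {
  grep -Ev '^[[:space:]]*(#|$)' "$1" | wc -l | tr -d ' '
}

# rc_has FILE COMMAND
# Returns 0 if the exact command line is present in the script.
rc_has() {
  grep -qx "$2" "$1"
}

# run_rc FILE
# Feeds the script to msfconsole when it is installed; otherwise leaves the
# file in place and reports where it is, so nothing is run silently.
run_rc() {
  if command -v msfconsole >/dev/null 2>&1; then
    msfconsole -q -r "$1"
  else
    echo "msfconsole not found; resource script left at $1" >&2
    return 1
  fi
}

# Usage:
#   rc=$(make_rc lab 192.0.2.10 /tmp/lab.rc) && run_rc "$rc"
```

The same mechanism takes any msfconsole command, so the nessus_connect / nessus_db_import sequence or a `load kiwi` step can be scripted the same way; for a one-off command, `msfconsole -q -x 'db_status; exit'` avoids writing a file at all.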
banner grabbing
msf6> use auxiliary/scanner/http/http_version # HTTP
SQL utility
msf6> use auxiliary/scanner/mysql/mysql_schemadump # dump cols+tables
msf6> use auxiliary/scanner/mysql/mysql_hashdump # dump users+hashes
msf6> use auxiliary/admin/mysql/mysql_sql # send SQL queries
msf6> use auxiliary/scanner/postgres/postgres_schemadump # ...
msf6> use auxiliary/admin/postgres/postgres_sql # ...
nessus
The msfconsole can be used alongside Nessus. See this tutorial and these tips. Note that you need to start the metasploit database first.
msf6> load nessus
msf6> nessus_help # list commands
msf6> # Connect
msf6> nessus_connect user:pass@localhost:8834
msf6> # List the scans that you did
msf6> nessus_scan_list
msf6> # Import the result of a scan
msf6> nessus_db_import id_you_found_in_the_list
Useful commands
Once you stored something in the database (nmap/nessus/...), you can use these commands to operate on the saved data.
msf6> help hosts
msf6> help services
msf6> help vulns
msf6> help creds
msf6> help loot
To-do
Stuff that I found, but never read/used yet.
- Commands:
  - Jobs are cancellable processes (kill): run -j, jobs, jobs -i 0
  - exploit -k -z
  - get xxx
  - spool
  - run autoroute -h (autoroute module)
  - socks
  - proxychains
  - set PROXIES HTTP:127.0.0.1:8080
  - show advanced options, advanced
  - search type:exploit platform:windows target:xp smb
  - exploit/windows/smb/ms08_067_netapi
  - multi/ssh/sshexec
  You can prepend any command with grep to filter lines. You can chain them too: grep x grep y <command>.
- Meterpreter: steal_token <pid>
  - Hashdump not working on some Windows: load kiwi, then lsa_dump_sam does the job. See also: lsa_dump_secrets.
- Plugins: /usr/share/metasploit-framework/plugins
  - use /path/to/xxx.rb (tested: relative to exploit)