Metasploit
List of modules and categories
In Kali Linux, this can be found from the: /usr/share/metasploit-framework/modules directory.
It can be found on a Linux system with the following command:
$ sudo find / -path '*metasploit-framework*modules' 2>/dev/null Auxiliary
Any supporting module, such as scanners, crawlers and fuzzers, can be found here.
Encoders
Encoders will allow you to encode the exploit and payload in the hope that a signature-based antivirus solution may miss them.
Evasion
While encoders will encode the payload, they should not be considered a direct attempt to evade antivirus software. On the other hand,
evasionmodules will try that, with more or less success.
Exploits
A piece of code that uses a vulnerability present on the target system
NOPs
NOPs (No OPeration) do nothing, literally. They are represented in the Intel x86 CPU family with
0x90, following which the CPU will do nothing for one cycle. They are often used as a buffer to achieve consistent payload sizes.
Payloads
Exploits will leverage a vulnerability on the target system, but to achieve the desired result, we will need a payload. Examples could be; getting a shell, loading a malware or backdoor to the target system, running a command, or launching calc.exe as a proof of concept to add to the penetration test report.
There will be four different directories under payloads: adapters, singles, stagers and stages.
a) Adapters: An adapter wraps single payloads to convert them into different formats. For example, a normal single payload can be wrapped inside a Powershell adapter, which will make a single powershell command that will execute the payload.
b) Singles: Self-contained payloads (add user, launch notepad.exe, etc.) that do not need to download an additional component to run.
c) Stagers: Responsible for setting up a connection channel between Metasploit and the target system. Useful when working with staged payloads. βStaged payloadsβ will first upload a stager on the target system then download the rest of the payload (stage). This provides some advantages as the initial size of the payload will be relatively small compared to the full payload sent at once.
d) Stages: Downloaded by the stager. This will allow you to use larger sized payloads.
Refer to the Naming conventions section below for more information
Post
Post modules will be useful on the final stage of the penetration testing process listed above, post-exploitation.
View sub-categories under each main module
To list all the sub-categories under each main module in a neat pattern, run the following command from the folder directory.
Eg. to view all the options provided under Exploits, simply run the following command from the /usr/share/metasploit-framework/modules/exploits directory:
Naming conventions
General naming convention
Refer to Msfvenom section for more info.
How to identify single and staged payloads?
single and staged payloads?Metasploit has a subtle way to help you identify single (also called inline) payloads and staged payloads.
windows/x64/shell_reverse_tcp(inline)windows/x64/shell/reverse_tcp(staged)
Both are reverse Windows shells. The former is an inline (or single) payload, as indicated by the underscore character (_) between the words shell and reverse. While the latter is a staged payload, as indicated by the slash character (/) between the same two words.
msfconsole
msfconsole is the main interface to the Metasploit framework.
Commands overview
Common shell commands
a) ls
b) ping
c) clear
d) exit
help
historysearch
Search by CVE numbers, exploit names (eternalblue, heartbleed, etc.), or target system. The search function can be directed using keywords such as type and platform.
Eg. Search for reverse shell payload for Linux
use
Eg. windows/ssh/freeshd_authbypass module
show
a) show options
b) show paylods
c) show targets
set
a) set payload
b) set target
From the same windows/ssh/freeshd_authbypass module above:
Use the unset command to remove option values:
info
Global option values
Use the setg and unsetg options.
exploit/run/check
-z flag to the exploit command will run the exploit and background the session as soon as it opens
The exploit and run command can be executed from the module after all relevant module parameters/options have been set with the set command (see above). The exploit and run command does the same thing.
Some modules supports the check command. This command will check if the target system is vulnerable without exploiting it.
background
The background command can be used to background the session prompt and go back to the msfconsole prompt.
sessions
The sessions command can be used from the msfconsole prompt or any context to see the existing sessions.
The sessions -i command can be used to interact with a session:
back
Typical workflow
Identify service that is running
Eg. RDP service on port 3389
Search (
searchcommand) for auxiliary module (eg. scanner) and select using theusecommand
View information about the module using the
infoorshow optionscommand: identify required parameters andsetthe values: rhosts, etc.
Run auxiliary module to discover if target system is vulnerable (
run/exploitcommand)
Suppose the system is vulnerable to the particular vulnerability
Search (
searchcommand) for related exploit and select using theusecommand
Read information about the exploit using the
infoorshow optionscommand: identify required parameters and set the values
Search for payload, read information about it, and set the payload
Alternatively, use the default payload selected
View the targets and select the relevant one
Run exploit
Gain Meterpreter
Other useful commands
set ReverseListenerBindAddress
With this option, we can specify the address to which we want the reverse shell connection to be tunneled through
Eg.
This can be useful when we tunnel an exploit via a jump/intermediary server listening on 127.0.0.1.
Content and knowledge from TryHackMe:
Last updated