Metasploit is a framework that supports every phase of a penetration test, from initial reconnaissance to post-exploitation.
- Metasploit Pro: Commercial version that facilitates the automation and management of tasks. Also has a GUI.
- Metasploit Framework: Open-source version that works from the CLI. Its main components:
  - msfconsole: The main command-line interface
  - Modules: Supporting modules such as exploits, scanners, payloads, etc.
  - Tools: Stand-alone tools that help with vulnerability research, vulnerability assessment, or penetration testing.
To complete the first section, deploy the machine and access it via the AttackBox console or the VPN.
If you're going through the AttackBox, Metasploit can be launched in the terminal using the msfconsole command.
Note: Before running msfconsole, you may want to run msfupdate to update the Metasploit Framework.
- Click on the Terminal icon
- Type msfconsole into the command line
Let's go over a few things before we get carried away:
- Exploits: Pieces of code that use vulnerabilities present on the target system.
- Vulnerabilities: Flaws in the system that can be exploited.
- Payloads: The code that runs on a target system and grabs the information we want.
In the AttackBox, the module directories are located in /opt/metasploit-framework/embedded/framework/modules. From that directory, each module type can be listed with tree -L 1 followed by its directory name.
- Auxiliary: Any supporting module, such as scanners, crawlers, and fuzzers. List all with tree -L 1 auxiliary/
- Encoders: Allow encoding of the exploit and payload in the hope that a signature-based antivirus might miss them. Encoders may have a limited success rate, since a signature-based antivirus might perform additional checks. List all with tree -L 1 encoders/
- Evasion: Modules that specifically try to evade antivirus software. List all with tree -L 1 evasion/
- Exploits: Exploits organized by target system. List all with tree -L 1 exploits/
- NOPs: Stands for No OPeration. They do nothing and are used as padding to keep payload sizes consistent. List all with tree -L 1 nops/
- Payloads: Code that runs on target systems. List all with tree -L 1 payloads/
  - Four different directories under payloads:
    - Adapters: Wrap single payloads to convert them into different formats
    - Singles: Self-contained payloads that do not need to download an additional component to run.
    - Stagers: Set up a connection between Metasploit and the target system, which is useful when running staged payloads. These payloads upload a stager, which then downloads the rest of the payload, referred to as the stage. This lets the payload be split up so that the initial size is much smaller than the whole payload at once.
    - Stages: Downloaded by the stager
  - Single and staged payloads follow this naming convention:
    - generic/shell_reverse_tcp - Inline (single) payload; look for a "_" between "shell" and "reverse"
    - windows/x64/shell/reverse_tcp - Staged payload; look for a "/" between "shell" and "reverse"
- Post: Useful in the final stage of penetration testing, "Post Exploitation"
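The single-versus-staged naming rule above can be applied programmatically. This is an added example (not code from the room or from Metasploit) that classifies a payload path by counting the components left after the platform and optional architecture, which generalizes the "_" versus "/" rule beyond shell/reverse payloads; the ARCHES set and the cmd/<family> grouping are assumptions about the payload tree.

```python
# Architecture path components (assumed list covering the common Metasploit payload trees).
ARCHES = {"x86", "x64", "aarch64", "armle", "armbe", "mipsle", "mipsbe", "mips64", "ppc", "ppc64", "sparc"}


def classify_payload(path):
    """Classify a Metasploit payload path as "single" or "staged" by its naming convention.

    single: one name after platform[/arch], e.g. generic/shell_reverse_tcp (note the "_")
    staged: stage and stager are separate components, e.g. windows/x64/shell/reverse_tcp (note the "/")
    For singles the whole name is returned as "stage" and "stager" is None.
    """
    parts = [p for p in path.strip("/").split("/") if p]
    if parts and parts[0] == "payload":  # accept the "payload/..." form printed by search
        parts = parts[1:]
    # cmd payloads are grouped by interpreter family: cmd/unix/..., cmd/windows/... (assumption)
    width = 2 if parts and parts[0] == "cmd" else 1
    platform, rest = "/".join(parts[:width]), parts[width:]
    arch = rest.pop(0) if rest and rest[0] in ARCHES else None
    if len(rest) == 1:
        return {"platform": platform, "arch": arch, "kind": "single", "stage": rest[0], "stager": None}
    if len(rest) == 2:
        return {"platform": platform, "arch": arch, "kind": "staged", "stage": rest[0], "stager": rest[1]}
    raise ValueError(f"unrecognised payload path: {path!r}")
```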
The msfconsole CLI supports most Linux commands. One exception is help, which follows the convention help [command].
The history command shows commands that have been typed earlier.
Context is also important. Unless defined at the global level, variables are lost when moving from one module to another.
To use an exploit, type the use command into the terminal followed by the exploit's path.
- For example: use exploit/windows/smb/ms17_010_eternalblue
- show options shows the module options available, along with which ones are required and a description of each.
- You can use show followed by a module type in any context.
- The info command followed by a module's path can also be used to show information on the module, such as its author, relevant sources, etc.
- The context can be exited using the back command.
- The search command searches the database for modules relevant to the given parameter, such as CVE numbers, exploit names, or target systems.
Exploits are ranked in the search menu based on their reliability:
- ExcellentRanking
- GreatRanking
- GoodRanking
- NormalRanking
- AverageRanking
- LowRanking
- ManualRanking
After entering a module's context using the use command followed by the module name, it's good practice to run show options to see which parameters need to be set.
Parameters are set using the command set [PARAMETER_NAME] [VALUE]. show options can also be used to verify that a parameter was set correctly.
Remember to always check the context of the CLI to make sure you are in the right spot.
Commonly used parameters:
- RHOSTS: "Remote Host", or the IP address of the target system. Can also be a CIDR range like 192.168.0.0/24
- RPORT: "Remote Port", the port on the target system where the vulnerable application is running
- PAYLOAD: Payload used with the exploit
- LHOST: "Localhost", or the IP address of the attacking machine
- LPORT: "Local Port", the port used for a reverse shell on the attacking machine
- SESSION: Each connection established to a target system gets a session ID, which can be used with post-exploitation modules to connect to a target system using an existing connection.
Any set parameter can be overridden using unset for a specific parameter, or unset all for all of them at once.
The setg command sets a value for all modules (a global value). As with set, setg values can be overridden using unsetg.
After all parameters are set, the module is launched using the exploit command, and exploit -z can launch a module without using any parameters.
Some modules support the check option to check whether a target system is vulnerable without exploiting it.
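Since show options is the check for whether every required parameter has been set, the following added example (not code from the room or from Metasploit) parses the text of a show options table, using a constructed sample rather than real session output, and reports the required options that are still empty; the table layout is assumed to match msfconsole's Name / Current Setting / Required / Description columns.

```python
import re
# Constructed sample of msfconsole "show options" output (not captured from a real session).
SAMPLE_SHOW_OPTIONS = """\
Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s)
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target
"""

def parse_show_options(text):
    """Return {section: {OPTION: {"value": str, "required": bool}}}, slicing rows at header columns."""
    sections, current, cols = {}, None, None
    for line in text.splitlines():
        stripped = line.strip()
        m = re.match(r"^\w+ options \((.+)\):$", stripped)
        if m:  # "Module options (...)" or "Payload options (...)" starts a new options table
            current, cols = m.group(1), None
            sections[current] = {}
        elif stripped.endswith(":") and not line.startswith(" "):  # other table, e.g. "Exploit target:"
            current = None
        elif current and stripped.startswith("Name") and "Required" in line:  # header: column offsets
            cols = (line.index("Current Setting"), line.index("Required"), line.index("Description"))
        elif current and cols and stripped and not stripped.startswith("----"):
            sections[current][line[:cols[0]].strip()] = {
                "value": line[cols[0]:cols[1]].strip(),
                "required": line[cols[1]:cols[2]].strip().lower() == "yes",
            }
    return sections

def missing_required(text):
    """Options marked Required=yes that still have no Current Setting, per section."""
    return {sec: sorted(n for n, o in opts.items() if o["required"] and not o["value"])
            for sec, opts in parse_show_options(text).items()}
```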
Sessions are created after vulnerabilities have been successfully exploited and serve as a communication channel between the target system and Metasploit.
The background command backgrounds the session prompt and returns you to the msfconsole prompt. This also works with CTRL+Z.
The sessions command can be used from the msfconsole prompt or any context to see the existing sessions.
Interact with any session using sessions -i followed by the ID number.
What command is used to set parameters?
What command is used to set parameters globally?
How do you override a set parameter?
What command is used after parameters are set?
Take note of this in the Summary section: "It would be best if you also had used the ms17_010_eternalblue exploit to gain access to the target VM."
Give it a shot! Go back to the "Working with modules" section and see if you can get it to work.