Metasploit

Things it can do

• Exploit known vulnerabilities

• Attack passwords over Telnet, SSH and HTTP

Metasploit Actions

1. 1.Select exploit

2. 2.Configure options

3. 3.Select target

4. 4.Select Payload

5. 5.Launch exploit

Metasploit Architecture

• Framework base - Accepts inputs from custom plug-ins

• Interfaces - How you interact with the framework

• Security Tools

• Web Services

• Modules - Holds the actual exploits

• Payloads - combines the arbitrary code executed if the exploit is successful

• Auxiliary - used to run one-off actions (like a scan)

• NOPS - used mainly for buffer-overflow-type operations

• REX - library for most tasks, such as handling sockets, protocols, and text transformations

Metasploit Modules

• Exploit - Holds all of the exploit code

• Payload - Holds the various bits of shellcode sent to have execute after exploitation

• Auxiliary - Used in scanning and verification are exploitable

• Post - Provides capabilities of looting and pivoting

• Encoder - Used for payload obfuscation and avoid signature detection

• NOP - used with buffer overflow and ROP attacks

Payload Types

• Singles: self-contained payloads (add user, launch notepad.exe, etc.) that do not need to download an additional component to run

• Stagers:

  • Responsible for setting up a connection channel between Metasploit and the target system.

  • Useful when working with staged payloads.

  • Staged payloads will first upload a stager on the target system then download the rest of the payload.

  • Provides some advantages as the initial size of the payload will be relatively small compared to the full payload sent at once

• Stages: Downloaded by the stager, allows us to use larger sized payloads

• How to identify single payloads vs staged payloads

  • Single payloads have a _ between "shell" and "reverse" (Ex. generic/shell_reverse_tcp)

  • Staged payloads have a / (Ex. windows/x64/shell/reverse_tcp)

Exploit Ranking

• Exploits are rated based on their reliability

Metasploit Utilities

Utilities are direct interfaces to particular features of the Framework that can be useful in some situation, especially in exploit development.

• MSFpayload

  • Allows you to generate shellcode, executables and more

  • Use msfpayload -h to see which options the utility takes

  • Append the letter O for a list of required and optional variables - msfpayload windows/shell_reverse_tcp O

• MSFencode

  • Helps avoid bad characters and evade antivirus and IDSs by encoding the original payload

  • Enter msfencode -h to see a list of options

  • Can't go wrong with x86/shikata_ga_nai

• Nasm Shell

  • Useful when you need to make sense of assembly code and need to identify the opcodes (assembly instructions) for a given assembly command

Command Cheat Sheet

# Start metasploit without printing banner 
msfconsole -q 

# Check db connection 
db_status 

# Search modules 
search 

# Use module 
use

# Change the value of a variable 
set 

# Change the value of a variable globally 
setg

# View the value of single variables 
get

# Change the value of a variable to null / no value 
unset

# Write console output into a file as well as the screen 
spool 

# Save active datastores 
save

# load different modules
load 

# Set meterpreter payload 
set PAYLOAD windows/meterpreter/reverse_tcp 

# Check if you are in a VM 
run post/windows/gather/checkvm 

# Force RDP 
run post/windows/manage/enable_rdp