Metasploit

Things it can do

  • Exploit known vulnerabilities

  • Attack passwords over Telnet, SSH and HTTP

Metasploit Actions

  1. Select exploit

  2. Configure options

  3. Select target

  4. Select payload

  5. Launch exploit

Metasploit Architecture

  • Framework base - Accepts inputs from custom plug-ins

  • Interfaces - How you interact with the framework

  • Security Tools

  • Web Services

  • Modules - Holds the actual exploits

  • Payloads - The arbitrary code that is executed on the target if the exploit is successful

  • Auxiliary - used to run one-off actions (like a scan)

  • NOPS - used mainly for buffer-overflow-type operations

  • REX - library for most tasks, such as handling sockets, protocols, and text transformations

Metasploit Modules

  • Exploit - Holds all of the exploit code

  • Payload - Holds the various bits of shellcode that are sent to the target and executed after exploitation

  • Auxiliary - Used for scanning and for verifying that targets are exploitable

  • Post - Provides capabilities of looting and pivoting

  • Encoder - Used to obfuscate payloads and avoid signature-based detection

  • NOP - used with buffer overflow and ROP attacks

Payload Types

  • Singles: self-contained payloads (add user, launch notepad.exe, etc.) that do not need to download an additional component to run

  • Stagers:

    • Responsible for setting up a connection channel between Metasploit and the target system.

    • Useful when working with staged payloads.

    • Staged payloads first upload a stager to the target system, which then downloads the rest of the payload.

    • This has the advantage that the initial payload is relatively small compared to sending the full payload at once.

  • Stages: Downloaded by the stager; this is what lets us use larger payloads

  • How to identify single payloads vs staged payloads

    • Single payloads have a _ between "shell" and "reverse" (Ex. generic/shell_reverse_tcp)

    • Staged payloads have a / (Ex. windows/x64/shell/reverse_tcp)
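The naming rule above, worked through in code. This is an added example, not code from the page or from the Metasploit project; it classifies a payload name as single or staged and pulls out the platform prefix, stage and transport. The KNOWN_STAGES set is an assumed, non-exhaustive list of stage names, and the sample names beyond the three quoted on the page are constructed.

```python
"""Classify Metasploit payload names as single or staged.
Added example, not code from the page or from the Metasploit project. It
applies the naming rule above: "_" joining stage and connection type in the
last component (shell_reverse_tcp) marks a single payload; "/" between the
stage and its stager (shell/reverse_tcp) marks a staged one.
"""
from dataclasses import dataclass

# Assumed subset of stage names that can precede a stager (not exhaustive).
KNOWN_STAGES = {"shell", "meterpreter", "vncinject", "dllinject", "custom", "upexec"}

# Constructed sample names; the first three are quoted on this page.
SAMPLE_PAYLOADS = [
    "generic/shell_reverse_tcp",
    "windows/x64/shell/reverse_tcp",
    "windows/meterpreter/reverse_tcp",
    "linux/x64/meterpreter_reverse_tcp",
    "cmd/unix/reverse_bash",
]

@dataclass(frozen=True)
class PayloadInfo:
    name: str
    kind: str       # "single" or "staged"
    prefix: str     # platform/arch prefix, e.g. "windows/x64"
    stage: str      # code that runs after the connection; "" if not separable
    transport: str  # how it connects, e.g. "reverse_tcp"

def classify_payload(name: str) -> PayloadInfo:
    parts = name.strip().split("/")
    tail = parts[-1]
    # Staged: ".../<stage>/<stager>", the stage is its own path component.
    if len(parts) >= 2 and parts[-2] in KNOWN_STAGES:
        return PayloadInfo(name, "staged", "/".join(parts[:-2]), parts[-2], tail)
    # Single: stage and transport share the last component, joined by "_".
    for stage in KNOWN_STAGES:
        if tail.startswith(stage + "_"):
            return PayloadInfo(name, "single", "/".join(parts[:-1]), stage, tail[len(stage) + 1:])
    # Self-contained single with no separate stage name (e.g. cmd/unix/reverse_bash).
    return PayloadInfo(name, "single", "/".join(parts[:-1]), "", tail)

def group_by_kind(names):
    """Return {"single": [...], "staged": [...]} preserving input order."""
    groups = {"single": [], "staged": []}
    for n in names:
        groups[classify_payload(n).kind].append(n)
    return groups
```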

Exploit Ranking

  • Exploits are rated based on their reliability

  • Excellent - The exploit will never crash the service. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances.

  • Great - The exploit has a default target AND either auto-detects the appropriate target or uses an application-specific return address AFTER a version check.

  • Good - The exploit has a default target and it is the "common case" of this type of software.

  • Normal - The exploit is otherwise reliable, but depends on a specific version and can't reliably autodetect.

  • Average - The exploit is generally unreliable or difficult to exploit.

  • Low - The exploit is nearly impossible to exploit (or under 50% success rate) for common platforms.

  • Manual - The exploit is unstable or difficult to exploit and is basically a DoS. This ranking is also used when the module has no use unless specifically configured by the user.
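Putting the ranking scale to use: an added example (not from the page or from Metasploit) that orders the seven ranks, parses lines shaped like msfconsole "search" output, and keeps only exploits at or above a chosen rank, so modules the scale says may crash a service can be excluded up front. The sample lines and module names are constructed, not real search results.

```python
"""Filter Metasploit modules by the exploit ranking scale above.
Added example, not part of the page or of Metasploit. It orders the seven
ranks from the table, parses constructed lines shaped like msfconsole
"search" output and keeps only exploits at or above a chosen rank, e.g. to
avoid modules the table says may crash the service. Module names and
lines are constructed, not real search results.
"""
RANK_ORDER = ["manual", "low", "average", "normal", "good", "great", "excellent"]
RANK_VALUE = {r: i for i, r in enumerate(RANK_ORDER)}

# Constructed sample in the "#  Name  Disclosure Date  Rank  Check  Description" layout.
SAMPLE_SEARCH_OUTPUT = """\
   #  Name                                  Disclosure Date  Rank       Check  Description
   -  ----                                  ---------------  ----       -----  -----------
   0  exploit/example/service_overflow      2019-01-01       normal     Yes    Constructed example A
   1  exploit/example/webapp_upload         2020-06-15       excellent  Yes    Constructed example B
   2  exploit/example/legacy_daemon         2012-03-09       low        No     Constructed example C
   3  auxiliary/scanner/example/version     2018-11-20       normal     No     Constructed example D
"""

def parse_search_output(text):
    """Return [(module_name, rank)] for every module row in search output."""
    modules = []
    for line in text.splitlines():
        fields = line.split()
        # Module rows start with an index number; header and dash rows do not.
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        name = fields[1]
        # The rank is the first field after the name that is a known rank word
        # (the disclosure date column may be empty for some modules).
        rank = next((f for f in fields[2:] if f in RANK_VALUE), None)
        if rank is not None:
            modules.append((name, rank))
    return modules

def at_least(modules, minimum):
    """Return exploit modules ranked at or above `minimum`, highest rank first."""
    floor = RANK_VALUE[minimum]
    keep = [(n, r) for n, r in modules if n.startswith("exploit/") and RANK_VALUE[r] >= floor]
    return sorted(keep, key=lambda m: -RANK_VALUE[m[1]])

if __name__ == "__main__":
    for name, rank in at_least(parse_search_output(SAMPLE_SEARCH_OUTPUT), "normal"):
        print(f"{rank:10} {name}")
```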

Metasploit Utilities

Utilities are direct interfaces to particular features of the Framework that can be useful in some situations, especially in exploit development. Note that the standalone msfpayload and msfencode utilities described below have since been merged into the single msfvenom tool, which covers both payload generation and encoding.

  • MSFpayload

    • Allows you to generate shellcode, executables and more

    • Use msfpayload -h to see which options the utility takes

    • Append the letter O for a list of required and optional variables - msfpayload windows/shell_reverse_tcp O

  • MSFencode

    • Helps avoid bad characters and evade antivirus and IDSs by encoding the original payload

    • Enter msfencode -h to see a list of options

    • Can't go wrong with x86/shikata_ga_nai

  • Nasm Shell

    • Useful when you need to make sense of assembly code and need to identify the opcodes (the machine-code bytes) for a given assembly instruction

Command Cheat Sheet

# Start metasploit without printing the banner
msfconsole -q

# Check db connection
db_status

# Search modules
search

# Use module
use

# Change the value of a variable
set

# Change the value of a variable globally
setg

# View the value of single variables
get

# Change the value of a variable to null / no value
unset

# Write console output into a file as well as the screen
spool

# Save active datastores
save

# Load a framework plugin (modules are selected with use, not load)
load

# Set meterpreter payload
set PAYLOAD windows/meterpreter/reverse_tcp

# Check if you are in a VM
run post/windows/gather/checkvm

# Enable RDP on the compromised host
run post/windows/manage/enable_rdp

Last updated 1 year ago
