πMetasploit
The main components of the Metasploit Framework can be summarized as follows;
msfconsole: The main command-line interface.
Modules: supporting modules such as exploits, scanners, payloads, etc.
Tools: Stand-alone tools that will help vulnerability research, vulnerability assessment, or penetration testing. Some of these tools are msfvenom, pattern_create and pattern_offset. We will cover msfvenom within this module, but pattern_create and pattern_offset are tools useful in exploit development which is beyond the scope of this module.
The console will be your main interface to interact with the different modules of the Metasploit Framework. Modules are small components within the Metasploit framework that are built to perform a specific task, such as exploiting a vulnerability, scanning a target, or performing a brute-force attack.
Metasploits remote procedure call (RPC) server and web server are a function for msfconsole.
RHOST
The RHOST option refers to the remote host you are trying to attack / exploit. Usage of this would be set RHOST 192.168.1.20
RPORT
RPORT refers to the remote port to attack.
Exploit Target
Metasploit allows you to quickly identify some critical vulnerabilities that could be considered as βlow hanging fruitβ. The term βlow hanging fruitβ usually refers to easily identifiable and exploitable vulnerabilities that could potentially allow you to gain a foothold on a system and, in some cases, gain high-level privileges such as root or administrator.
Metasploit may provide you. For example, if you identify a VNC service running on the target, you may use the search function on Metasploit to list useful modules. The results will contain payload and post modules. At this stage, these results are not very useful as we have not discovered a potential exploit to use just yet. However, in the case of VNC, there are several scanner modules that we can use.
You can view the available targets on the modules' info page.
Auxiliary is Any supporting module, such as scanners, crawlers and fuzzers.
Encoders
Encoders will allow you to encode the exploit and payload in the hope that a signature-based antivirus solution may miss them.
Signature-based antivirus and security solutions have a database of known threats. They detect threats by comparing suspicious files to this database and raise an alert if there is a match. Thus encoders can have a limited success rate as antivirus solutions can perform additional checks. While encoders will encode the payload, they should not be considered a direct attempt to evade antivirus software. On the other hand, βevasionβ modules will try that, with more or less success.
Exploits
Exploits, neatly organized by target system.
NOPS
NOPs (No OPeration) do nothing, literally. They are represented in the Intel x86 CPU family they are represented with 0x90, following which the CPU will do nothing for one cycle. They are often used as a buffer to achieve consistent payload sizes. This is helpful with buffer overflow.
Payloads
Payloads are codes that will run on the target system.
Exploits will leverage a vulnerability on the target system, but to achieve the desired result, we will need a payload. Examples could be; getting a shell, loading a malware or backdoor to the target system, running a command, or launching calc.exe as a proof of concept to add to the penetration test report. Starting the calculator on the target system remotely by launching the calc.exe application is a benign way to show that we can run commands on the target system.
Running command on the target system is already an important step but having an interactive connection that allows you to type commands that will be executed on the target system is better. Such an interactive command line is called a "shell". Metasploit offers the ability to send different payloads that can open shells on the target system.
You will see four different directories under payloads: adapters, singles, stagers and stages.
Adapters: An adapter wraps single payloads to convert them into different formats. For example, a normal single payload can be wrapped inside a Powershell adapter, which will make a single powershell command that will execute the payload.
Singles: Self-contained payloads (add user, launch notepad.exe, etc.) that do not need to download an additional component to run.
Stagers: Responsible for setting up a connection channel between Metasploit and the target system. Useful when working with staged payloads. βStaged payloadsβ will first upload a stager on the target system then download the rest of the payload (stage). This provides some advantages as the initial size of the payload will be relatively small compared to the full payload sent at once.
Stages: Downloaded by the stager. This will allow you to use larger sized payloads.
Metasploit has a subtle way to help you identify single (also called βinlineβ) payloads and staged payloads.
generic/shell_reverse_tcp
windows/x64/shell/reverse_tcp Example use case of reverse shell
The show command can be used in any context followed by a module type (auxiliary, payload, exploit, etc.) to list available modules. The example below lists payloads that can be used with the ms17-010 Eternalblue exploit.
Msfvenom
Msfvenom will allow you to access all payloads available in the Metasploit framework. Msfvenom allows you to create payloads in many different formats (PHP, exe, dll, elf, etc.) and for many different target systems (Apple, Windows, Android, Linux, etc.)
If used from the msfconsole prompt, the show command will list all modules.
The use and show options commands we have seen so far are identical for all modules in Metasploit.
You can leave the context using the back command.
Alternatively, you can use the info command followed by the moduleβs path from the msfconsole prompt (e.g. info exploit/windows/smb/ms17_010_eternalblue). Info is not a help menu; it will display detailed information on the module such as its author, relevant sources, etc.
Search
One of the most useful commands in msfconsole is search. This command will search the Metasploit Framework database for modules relevant to the given search parameter. You can conduct searches using CVE numbers, exploit names (eternalblue, heartbleed, etc.), or target system.
A context prompt: Once you have decided to use a module and used the set command to chose it, the msfconsole will show the context. You can use context-specific commands (e.g. set RHOSTS 10.10.x.x) here.
A shell on the target system: Once the exploit is completed, you may have access to a command shell on the target system. This is a regular command line, and all commands typed here run on the target system.
As you can see in the screenshot above, some of these parameters require a value for the exploit to work. Some required parameter values will be pre-populated, make sure you check if these should remain the same for your target. For example, a web exploit could have an RPORT (remote port: the port on the target system Metasploit will try to connect to and run the exploit) value preset to 80, but your target web application could be using port 8080.
Once you have set a parameter, you can use the show options command to check the value was set correctly.
Parameters you will often use are:
RHOSTS: βRemote hostβ, the IP address of the target system. A single IP address or a network range can be set. This will support the CIDR (Classless Inter-Domain Routing) notation (/24, /16, etc.) or a network range (10.10.10.x β 10.10.10.y). You can also use a file where targets are listed, one target per line using file:/path/of/the/target_file.txt, as you can see below.
RPORT: βRemote portβ, the port on the target system the vulnerable application is running on.
PAYLOAD: The payload you will use with the exploit.
LHOST: βLocalhostβ, the attacking machine IP address.
LPORT: βLocal portβ, the port you will use for the reverse shell to connect back to. This is a port on your attacking machine, and you can set it to any port not used by any other application.
SESSION: Each connection established to the target system using Metasploit will have a session ID. You will use this with post-exploitation modules that will connect to the target system using an existing connection.
You can override any set parameter using the set command again with a different value. You can also clear any parameter value using the unset command or clear all set parameters with the unset all command.
The setg command sets a global value that will be used until you exit Metasploit or clear it using the unsetg command.
From this. The first thing you will want to do is to scan the network using a host of options. An example of this would be Nmap; you can then find any open ports to run them by a scanner. This will then return with some varunibilties and ways you can exploit them. Then, configure the payload to use the payload on the host. Then, once connected and you have a reverse shell, you can then use meterpture to get control.
To use Nmap in msfconsoule, you can run db_nmap. This will allow you to avoid exiting Metasploit and do everything from the console.
Last updated
