Basic Metasploit flow:

  • use $MODULE_NAME
  • set $OPTIONS
  • run

You can use msfconsole as a shell, but there’s no redirect functionality.

Commands

  • back — exit the current module
  • db_nmap $FLAGS $IP — run Nmap and dump the results into the Metasploit DB; all Nmap $FLAGS are supported and Metasploit will elevate privileges if necessary
  • help — get Metasploit help
  • history — display command history
  • hosts — display known hosts in DB
  • hosts -d — delete saved hosts from DB
  • info — show module information (including exploit target options)
  • jobs — check the status of background jobs
  • options (advanced) — show module/exploit options (or “advanced” options)
  • run/exploit — run the selected exploit
  • run -j — run the selected exploit as a background job
  • search — search modules; query to a particular type of module using the type: parameter (e.g., search type:exploit wordpress)
  • services — display services discovered in known hosts in DB
  • sessions — list open meterpreter sessions on a box
  • sessions -i $SESSION_NUMER — connect to meterpreter session $SESSION_NUMBER
  • show auxiliary — show auxiliary modules, filtered by relevancy if called from within a module
  • show exploits — show exploit modules
  • show options — show module options
  • show payloads — show payload modules, filtered by relevancy if called from within a module
  • spool — save all console output to a log file (useful for record-keeping)
  • use — select a Metasploit module/exploit
  • vulns — display vulnerabilities discovered in known hosts in DB
  • workspace — use workspaces; keeps database results isolated per engagement

Note that you can also call regular shell commands (ip, ls, etc.) from msfconsole. You can also background processes using Ctrl + Z (Metasploit will trap this, so you don’t have to worry about backgrounding the entire msfconsole).

Modules

Module categories:

  • Auxiliary (odds-n-ends)
  • Encoders (re-encode exploits to thwart signature-based anti-malware solutions)
  • Evasion (attempt to directly evade anti-malware solutions)
  • Exploits
  • NOPS (no-op code that can be used to pad exploits to a needed size)
  • Payloads (what you want to run if the exploit is successful; often, but not always, some kind of shell)
  • Post (additional post-exploitation tools)

Note that Metasploit 6 apparently calls these “framework plugins” now.

  • Remember: Open up the port Metasploit’s going to use in your firewall before running the exploit. Generally this is port 4444 by default (set with LPORT).
  • Also Remember: Be sure to set LHOST (and, when applicable, SRVHOST) correctly, even if it’s not indicated by the module. Metasploit’s guesses about which interface to use aren’t always correct… (I find using the explicit IP address works better than specifying the interface device or leaving SRVHOST at the default of 0.0.0.0.)
  • Also also Remember: Sometimes you might find yourself in the position of trying to exploit a service over an SSH tunnel (for example, if you’re trying to exploit a service that’s not exposed externally in order to elevate your privileges). When doing this, remember that LHOST is still your machine’s external address, as the exploit won’t be connecting back over the SSH tunnel (obviously)! Since LHOST is also used to determine where the exploit’s listener binds to, it’s sometimes necessary to set the optional ReverseListenerBindAddress in these cases (typically when you do this, LHOST will be some remote system you’re tunneled into, and ReverseListenerBindAddress will be 127.0.0.1).

Options

The common RHOSTS option accepts IP addresses, ranges, CIDR networks, and even a file with one target per line (specify as file:/path/to/file.txt).

Most modules support the ARCH, PAYLOAD, and SESSION options (for specifying target architecture, the payload to deliver, or session number to connect to). However, these are not shown when running show options.

You can reset individual parameters using unset, and reset the entire module using unset all.

Equivalent module commands:

  • set -g = setg
  • unset -g = unsetg
  • run = exploit

Some exploit modules have a check option which attempts to determine if a target is vulnerable without actually exploiting it. Alternately, other modules have a paired auxiliary scanner. Many don’t have a check at all. YMMV!

Payloads

Payloads can be divided into:

  • Singles (self-contained; also indicated by the use of an _ separating “shell” from the rest of the payload name, as in shell_reverse_tcp)
  • Stagers (small applications that establish a connection back to the attacker to download a larger, more complex payload)
  • Stages (payloads designed to be downloaded by a stager; also indicated by the use of a / separating “shell” from the rest of the payload name, as in shell/reverse_tcp)

Payloads follow the OS/ARCHITECTURE/PAYLOAD (though ARCHITECTURE is not included for 32-bit Windows payloads).

Important

Metasploit defaults to sending 32-bit payloads, but an increasing number of things won’t work on a 64-bit system from a 32-bit meterpreter shell. It’s probably best to explicitly set the payload option to use a 64-bit payload unless you know that you’ll be dealing with a 32-bit system.

List all available payloads using msfvenom --list payloads or show payloads from within the Metasploit console.

A specific payload can be set in the Metasploit console use the set PAYLOAD full/path/to/payload.

If you initially get a native shell, use the post/multi/manage/shell_to_meterpreter module to upgrade to Meterpeter.

Note

shell_to_meterpreter creates a new connection on a new port, by default 4433.

Scanners

Use search portscan to display built-in Metasploit port scanners. Note that msfconsole needs to be run as root for many scans to work — just like Nmap. That said, in my experience the fancier TCP scans (for example, SYN) don’t work over a VPN… So maybe best to stick with Nmap.

Targeted scanners can be more useful, however:

  • The auxiliary/scanner/discovery/udp_sweep module will probe for common UDP services.
  • The auxiliary/scanner/http/http_version module will give you HTTP server version information.
  • The auxiliary/scanner/smb/smb_login module will allow you to conduct brute-force and password spraying attacks against Samba logins.

Metasploit has a variety of Samba/CIFS scanners too (use search scanner/smb to list them), as well as modules for basic enumeration such as smtp_version/smtp_enum (for SMTP) and mysql_sql (for MySQL, though this seems to just be a thin wrapper around the MySQL command line client).

Exploits

  • exploit/multi/handler — Catch a shell produced using msfvenom. Note that you’ll need to use set payload to tell Metasploit what it’s catching — for example, windows/meterpreter/reverse_tcp (or windows/x64/meterpreter/reverse_tcp). Both regular reverse shells and meterpreter sessions can be caught this way.
  • exploit/windows/smb/psexec — Call PsExec over SMB (instantiates meterpreter by default). Only works if SMBUser has admin privileges on the target!

Note that any Windows exploit that requires a password will also accept an NTLM hash (the LMHash part can be replaced by an appropriately-sized string of 0 characters if not available).

meterpreter

Potentially useful Metsploit modules to run from/besides meterpreter:

  • post/windows/gather/checkvm — try to determine if we’re in a VM
  • post/multi/recon/local_exploit_suggester — find possible privilege escalation exploits (can be slow/unreliably on 64-bit architectures)
  • post/windows/gather/enum_shares — enumerate shares
  • auxiliary/scanner/smb/smb_enumusers_domain — enumerate SMB domain users (requires existing admin credentials)
  • post/windows/gather/hashdump — same as the hashdump command, but pushes the hashes into the Metasploit DB
  • post/windows/gather/smart_hashdump GETSYSTEM=FALSE — same as the hashdump command, but pushes the hashes into the Metasploit DB and ignores system accounts
  • auxiliary/analyze/crack_windows — sic John the Ripper or Hashcat on NTLM hashes stored in the Metasploit DB
  • post/windows/manage/enable_rdp — enable RDP access (requires admin privileges)
  • post/multi/manage/autoroute — manipulate target routing for pivoting
  • auxiliary/server/socks_proxy — start a SOCKS proxy
  • exploit/windows/local/persistence — sets up a persistent connection (you probably want to set STARTUP SYSTEM)… without a password!

Tip

It is generally more useful to background meterpreter and then run these commands through the Metasploit console, as within meterpreter they need to have all options specified on the “run” command line (in the console you can access help, actually see what the options are, etc.).

There seem to be a lot of options for the post/multi/manage/autoroute and auxiliary/server/socks_proxy modules, but I don’t see a way to access them from meterpreter (it looks like to get help you need to background meterpreter and use the console).

The advantage of setting up a SOCKS proxy on the target is that you can then use proxychains to route through the target; this can allow you to pivot more deeply into the network that you’re attacking. (You probably want to create a custom proxychains.conf file to do this. Fortunately, /etc/proxychains.conf is well documented.)

CIFS

Metasploit can also enumerate CIFS users using the auxiliary/smb/smb_lookupsid module.

Like Nmap, I’ve found this to be a bit unreliable on UNIX-like systems.

MS SQL

Metasploit MS SQL modules

Metasploit provides a lot of tools for enumerating and exploiting MS SQL.

  • auxiliary/scanner/mssql/mssql_ping — Discover MS SQL servers (alternatively, use --script=ms-sql-info with Nmap)
  • auxiliary/scanner/mssql/mssql_login — Brute force logins
  • auxiliary/admin/mssql/mssql_enum — Enumerate databases
  • exploit/windows/mssql/mssql_payload — Get a shell
Link to original