Table of Contents
- Introduction to Metasploit - Overview - Main Components - Room Objectives
- Main Components of Metasploit - Core Concepts
- Msfconsole
- Launching msfconsole
- Console Functionality
- Limitations
- Contextual Configuration
- Module Selection and Context Switching
- Viewing Module Options
- Example: EternalBlue Exploit
- Example: Post-Exploitation Modules
- Showing Available Modules
- Illustrative Example
- Listing All Modules
- Module Information (`info` command)
- Module Searching (`search` command)
- Exploit Ranking
Introduction to Metasploit
Overview
Metasploit is a widely used penetration testing framework, available in two versions:
- Metasploit Pro: Commercial, GUI-based, offering automation and management features.
- Metasploit Framework: Open-source, command-line interface (CLI), used in this room and commonly found on penetration testing Linux distributions. This room focuses on the Framework.
The Framework supports all phases of penetration testing: information gathering, scanning, exploitation, exploit development, and post-exploitation. It’s also valuable for vulnerability research and exploit development.
Main Components
- `msfconsole`: The primary CLI.
- Modules: Exploits, scanners, payloads, and other supporting components.
- Tools: Standalone utilities aiding in vulnerability research, assessment, and penetration testing. Examples include:
  - `msfvenom`: (Covered in this room) Used for creating payloads.
  - `pattern_create` and `pattern_offset`: (Not covered in this room) Useful for exploit development.
Room Objectives
This room provides a foundation in using the Metasploit Framework CLI. Upon completion, users will be able to:
- Navigate the Metasploit command line.
- Find relevant exploits.
- Set parameters for exploits.
- Exploit vulnerable services.
Main Components of Metasploit
The Metasploit console (`msfconsole`) is launched from the terminal using the command `msfconsole`. This console serves as the primary interface for interacting with Metasploit’s modules.
```mermaid
graph LR
A[msfconsole] --> B(Modules);
A --> C(Tools);
B --> D{Exploits};
B --> E{Auxiliary};
B --> F{Payloads};
B --> G{Post-Exploitation};
B --> H{Encoders};
B --> I{Evasion};
B --> J{NOPs};
C --> K[msfvenom];
C --> L[pattern_create/offset];
```
Core Concepts
- Vulnerability: A flaw (design, coding, or logic) in a system that can be exploited. Exploitation can lead to information disclosure or code execution.
- Exploit: Code that leverages a system vulnerability.
- Payload: Code executed on the target system after successful exploitation. Payloads achieve the attacker’s objective (e.g., gaining a shell, executing commands, retrieving data).
Metasploit Modules
Modules are self-contained components within the Metasploit Framework, categorized as follows:
```mermaid
graph LR
A[Modules] --> B(Auxiliary);
A --> C(Encoders);
A --> D(Evasion);
A --> E(Exploits);
A --> F(NOPs);
A --> G(Payloads);
A --> H(Post-Exploitation);
B --> B1(Scanning);
B --> B2(Crawling);
B --> B3(Fuzzing);
B --> B4(Other);
G --> G1(Adapters);
G --> G2(Singles/Inline);
G --> G3(Stagers);
G --> G4(Stages);
```
A. Auxiliary Modules
These support various tasks, including:
- Scanning: Identifying potential vulnerabilities.
- Crawling: Mapping web applications.
- Fuzzing: Testing application robustness by providing unexpected inputs.
- Other: Admin, analyze, bnat, client, cloud, docx, dos, fileformat, gather, parser, pdf, server, sniffer, spoof, sqli, voip, vsploit.
```
root@ip-10-10-135-188:/opt/metasploit-framework/embedded/framework/modules# tree -L 1 auxiliary/
auxiliary/
├── admin
├── analyze
├── bnat
├── client
├── cloud
├── crawler
├── docx
├── dos
├── example.py
├── example.rb
├── fileformat
├── fuzzers
├── gather
├── parser
├── pdf
├── scanner
├── server
├── sniffer
├── spoof
├── sqli
├── voip
└── vsploit

20 directories, 2 files
```
B. Encoders
These encode exploits and payloads to potentially evade signature-based antivirus detection. However, their effectiveness is limited as advanced antivirus solutions often employ additional detection methods.
```
root@ip-10-10-135-188:/opt/metasploit-framework/embedded/framework/modules# tree -L 1 encoders/
encoders/
├── cmd
├── generic
├── mipsbe
├── mipsle
├── php
├── ppc
├── ruby
├── sparc
├── x64
└── x86

10 directories, 0 files
```
C. Evasion Modules
These actively attempt to evade antivirus software, often with varying degrees of success. (Primarily focused on Windows systems).
```
root@ip-10-10-135-188:/opt/metasploit-framework/embedded/framework/modules# tree -L 2 evasion/
evasion/
└── windows
    ├── applocker_evasion_install_util.rb
    ├── applocker_evasion_msbuild.rb
    ├── applocker_evasion_presentationhost.rb
    ├── applocker_evasion_regasm_regsvcs.rb
    ├── applocker_evasion_workflow_compiler.rb
    ├── process_herpaderping.rb
    ├── syscall_inject.rb
    ├── windows_defender_exe.rb
    └── windows_defender_js_hta.rb

1 directory, 9 files
```
D. Exploit Modules
These contain code to leverage specific vulnerabilities, organized by target operating system (e.g., Windows, Linux, Android).
```
root@ip-10-10-135-188:/opt/metasploit-framework/embedded/framework/modules# tree -L 1 exploits/
exploits/
├── aix
├── android
├── apple_ios
├── bsd
├── bsdi
├── dialup
├── example_linux_priv_esc.rb
├── example.py
├── example.rb
├── example_webapp.rb
├── firefox
├── freebsd
├── hpux
├── irix
├── linux
├── mainframe
├── multi
├── netware
├── openbsd
├── osx
├── qnx
├── solaris
├── unix
└── windows

20 directories, 4 files
```
E. NOP (No Operation) Modules
These modules insert “no operation” instructions (`0x90` in x86) into payloads, creating padding to ensure consistent payload sizes. They are architecture-specific (x86, x64, ARM, etc.).
```
root@ip-10-10-135-188:/opt/metasploit-framework/embedded/framework/modules# tree -L 1 nops/
nops/
├── aarch64
├── armle
├── cmd
├── mipsbe
├── php
├── ppc
├── sparc
├── tty
├── x64
└── x86

10 directories, 0 files
```
F. Payload Modules
These contain the code that will be executed on the target system after a successful exploit. They are categorized as:
- Adapters: Wrap single payloads into different formats (e.g., PowerShell).
- Singles (Inline): Self-contained payloads that don’t require additional components (e.g., launching an application). Indicated by “_” between components in the name (e.g., `generic/shell_reverse_tcp`).
- Stagers: Establish a connection between Metasploit and the target, then download the remaining payload (stage). Used with staged payloads.
- Stages: The main part of the payload, downloaded by the stager. Allows for larger payloads. Indicated by “/” between components in the name (e.g., `windows/x64/shell/reverse_tcp`).
```
root@ip-10-10-135-188:/opt/metasploit-framework/embedded/framework/modules# tree -L 1 payloads/
payloads/
├── adapters
├── singles
├── stagers
└── stages

4 directories, 0 files
```
NOTE
Metasploit has a subtle way to help you identify single (also called “inline”) payloads and staged payloads.
- `generic/shell_reverse_tcp`
- `windows/x64/shell/reverse_tcp`

Both are reverse Windows shells. The former is an inline (or single) payload, as indicated by the “_” between “shell” and “reverse”, while the latter is a staged payload, as indicated by the “/” between “shell” and “reverse”.
G. Post-Exploitation Modules
These are used after initial access to extend the attack (Post modules). They are also organized by target operating system.
```
root@ip-10-10-135-188:/opt/metasploit-framework/embedded/framework/modules# tree -L 1 post/
post/
├── aix
├── android
├── apple_ios
├── bsd
├── firefox
├── hardware
├── linux
├── multi
├── networking
├── osx
├── solaris
└── windows

12 directories, 0 files
```
Module Location
On the AttackBox, Metasploit modules are located within `/opt/metasploit-framework/embedded/framework/modules`. The directory structure mirrors the module categories described above.
Msfconsole
Launching msfconsole
The Metasploit console is launched using the command `msfconsole` in the terminal. Upon launch, it displays a banner indicating the version and module counts. The prompt changes to `msf6 >` (or `msf5 >`, depending on the version).
````
┌──(neo㉿Neo)-[~]
└─$ msfconsole
Metasploit tip: Network adapter names can be used for IP options set LHOST eth0

`:oDFo:`
./ymM0dayMmy/.
-+dHJ5aGFyZGVyIQ==+-
`:sm⏣~~Destroy.No.Data~~s:`
-+h2~~Maintain.No.Persistence~~h+-
`:odNo2~~Above.All.Else.Do.No.Harm~~Ndo:`
./etc/shadow.0days-Data'%20OR%201=1--.No.0MN8'/.
-++SecKCoin++e.AMd` `.-://///+hbove.913.ElsMNh+-
-~/.ssh/id_rsa.Des- `htN01UserWroteMe!-
:dopeAW.No<nano>o :is:TЯiKC.sudo-.A:
:we're.all.alike'` The.PFYroy.No.D7:
:PLACEDRINKHERE!: yxp_cmdshell.Ab0:
:msf>exploit -j. :Ns.BOB&ALICEes7:
:---srwxrwx:-.` `MS146.52.No.Per:
:<script>.Ac816/ sENbove3101.404:
:NT_AUTHORITY.Do `T:/shSYSTEM-.N:
:09.14.2011.raid /STFU|wall.No.Pr:
:hevnsntSurb025N. dNVRGOING2GIVUUP:
:#OUTHOUSE- -s: /corykennedyData:
:$nmap -oS SSo.6178306Ence:
:Awsm.da: /shMTl#beats3o.No.:
:Ring0: `dDestRoyREXKC3ta/M:
:23d: sSETEC.ASTRONOMYist:
/- /yo- .ence.N:(){ :|: & };:
`:Shall.We.Play.A.Game?tron/
```-ooy.if1ghtf0r+ehUser5`
..th3.H1V3.U2VjRFNN.jMh+.`
`MjM~~WE.ARE.se~~MMjMs
+~KANSAS.CITY's~-`
J~HAKCERS~./.`
.esc:wq!:`
+++ATH`
`

       =[ metasploit v6.4.34-dev                          ]
+ -- --=[ 2461 exploits - 1267 auxiliary - 431 post       ]
+ -- --=[ 1471 payloads - 49 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/
````
Console Functionality
- Command Line Interface: `msfconsole` acts like a regular command-line shell. It supports many standard Linux commands like `ls`, `ping`, and `clear`. However, it does not support all features, such as output redirection (e.g., `command > file.txt`).
- Help System: The `help` command provides information on Metasploit commands and options. Using `help [command]` gives specific details about a command (e.g., `help set`).
- Command History: The `history` command displays previously executed commands.
- Tab Completion: Tab completion significantly speeds up command entry, auto-completing commands and options as you type.
- Datastore Management: The `set` command allows modifying options within the Metasploit framework, operating on either the global or module-specific datastore. `set [option] [value]` sets an option; omitting the value displays its current setting; omitting both lists currently set options. Using `-g` with the `set` command operates on the global datastore. Payload selection uses indexes from `show payloads`.
Example Commands and Their Usage:
- `ls`: Lists files and directories in the current directory.
- `ping -c 1 8.8.8.8`: Sends a single ping to Google’s DNS server (the `-c 1` limits the number of pings).
- `help`: Displays general help information.
- `help set`: Displays specific help for the `set` command.
- `history`: Shows the command history.
- `set [option] [value]`: Sets a specific option to a value.
- `show payloads`: Displays available payloads.
Limitations
- Output redirection (e.g., `>`, `>>`) is not supported.
Contextual Configuration
`msfconsole` operates within a specific context. This means that settings made for a particular module (exploit, auxiliary, post-exploitation module, etc.) are not global. Changing modules resets the configuration to the defaults for the new module. Any parameters set for a previous module are lost unless they’re explicitly set as global variables (a more advanced topic).
Module Selection and Context Switching
Modules are selected using the `use` command followed by the module path (e.g., `use exploit/windows/smb/ms17_010_eternalblue`). The console prompt changes to reflect the current context: `msf6 exploit(windows/smb/ms17_010_eternalblue) >`. This indicates you are now working within the context of the `ms17_010_eternalblue` exploit.
Standard Linux commands (e.g., `ls`) can still be used within a module context; however, they operate on the system’s filesystem, not within the Metasploit framework’s internal structure.
Viewing Module Options
The `show options` command displays the configurable options for the currently selected module. These options are specific to the module’s functionality. Some options are required (`Required: yes`), while others are optional. The output differs depending on the module type (exploit, payload, auxiliary, post-exploitation module, etc.).
```
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.19.193.57    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

View the full module info with the info, or info -d command.
```
Example: EternalBlue Exploit
The `ms17_010_eternalblue` exploit, as shown in the example, requires settings like `RHOSTS` (target IP address(es)) and `RPORT` (target port). After selecting this exploit using `use`, `show options` reveals these and other relevant parameters. If you switch to a different module, you’ll need to reconfigure these settings for the new module.
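The practical check behind this section is “which `Required: yes` options are still blank before I run the module?”. The following is an added example, not part of the room or of Metasploit itself: it parses text in the layout of the `show options` output above and reports the unset required options per section. The sample text is constructed from the page’s values, except that `LHOST` is deliberately left blank so that the payload section also has a gap. The only subtlety worth noting is that a blank “Current Setting” column leaves nothing between the option name and the `yes`/`no` token, so the row pattern anchors on that token rather than on column positions.

```python
import re

# Constructed sample in the layout of msfconsole's "show options" output.
# Option names, defaults and descriptions follow the page; LHOST is left
# blank here on purpose (on the page it was already set).
SHOW_OPTIONS_OUTPUT = """\
Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s)
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target
"""

# "Module options (<path>):" / "Payload options (<path>):" open a new section.
HEADER_RE = re.compile(r"^(Module|Payload) options \(([^)]+)\):")
# An option row: name, an optional current setting (non-greedy, may be empty),
# the required flag, then the description. Anchoring on yes/no is what makes
# a blank "Current Setting" column parse correctly.
ROW_RE = re.compile(r"^\s+(\S+)\s+(.*?)\s+(yes|no)\s+(\S.*)$")


def parse_show_options(text):
    """Return {section_path: {option: (current_value_or_None, required_bool)}}."""
    sections, current = {}, None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = sections.setdefault(header.group(2), {})
            continue
        if line.startswith("Exploit target"):
            current = None            # the target table has a different shape
            continue
        row = ROW_RE.match(line)
        if row and current is not None:
            name, setting, required, _description = row.groups()
            current[name] = (setting or None, required == "yes")
    return sections


def missing_required(text):
    """Per section, the required options that still have no value."""
    return {
        section: [name for name, (value, required) in opts.items() if required and value is None]
        for section, opts in parse_show_options(text).items()
    }


if __name__ == "__main__":
    for section, names in missing_required(SHOW_OPTIONS_OUTPUT).items():
        print(f"{section}: unset required options -> {names or 'none'}")
```

Feeding it the page’s own listing (with `LHOST` populated) would report only `RHOSTS` as missing, which matches what the paragraph says you must set before the exploit can run.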
Example: Post-Exploitation Modules
Post-exploitation modules operate on existing sessions (connections to compromised systems). Their options typically include a `SESSION` parameter, specifying the session ID to use.
```
msf6 post(windows/gather/enum_domain_users) > show options

Module options (post/windows/gather/enum_domain_users):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HOST                      no        Target a specific host
   SESSION                   yes       The session to run this module on.
   USER                      no        Target User for NetSessionEnum

msf6 post(windows/gather/enum_domain_users) >
```
Showing Available Modules
The `show` command, followed by a module type (e.g., `show exploits`, `show payloads`, `show auxiliary`), lists the available modules of that type. This is useful for browsing and selecting appropriate tools. `show payloads` within an exploit’s context only lists payloads compatible with that exploit.
```
msf6 exploit(windows/smb/ms17_010_eternalblue) > show payloads

Compatible Payloads
===================

   #  Name                                Disclosure Date  Rank    Check  Description
   -  ----                                ---------------  ----    -----  -----------
   0  payload/generic/custom              .                normal  No     Custom Payload
   1  payload/generic/shell_bind_aws_ssm  .                normal  No     Command Shell, Bind SSM (via AWS API)
   2  payload/generic/shell_bind_tcp      .                normal  No     Generic Command Shell, Bind TCP Inline
   3  payload/generic/shell_reverse_tcp   .                normal  No     Generic Command Shell, Reverse TCP Inline
   4  payload/generic/ssh/interact        .                normal  No     Interact with Established SSH Connection
   ..... bla bla bla
```
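The naming rule from the NOTE in the payload section (underscore joins stage and stager in an inline payload, a slash separates them in a staged one) can be applied mechanically to a `show payloads` listing like the one above. The code below is an added example, not code from the room or from Metasploit: it reads listing rows in that layout, maps each index to its payload path (the index form that `set payload <n>` accepts, as the Datastore Management bullet notes) and classifies each name as single or staged. The sample rows 0 to 4 are copied from the listing above; rows 17 and 18 are constructed to include a staged payload and an inline Meterpreter for contrast, and their index numbers and descriptions are made up. The classifier also handles names with no transport at all (`generic/custom`, `generic/ssh/interact`), which the NOTE does not cover: it treats them as single, since there is no separate stager to download anything.

```python
import re

# Constructed sample in the layout of "show payloads". Rows 0-4 are from the
# page; rows 17 and 18 are added for contrast (index numbers are made up).
SHOW_PAYLOADS_OUTPUT = """\
   #   Name                                         Disclosure Date  Rank    Check  Description
   -   ----                                         ---------------  ----    -----  -----------
   0   payload/generic/custom                       .                normal  No     Custom Payload
   1   payload/generic/shell_bind_aws_ssm           .                normal  No     Command Shell, Bind SSM (via AWS API)
   2   payload/generic/shell_bind_tcp               .                normal  No     Generic Command Shell, Bind TCP Inline
   3   payload/generic/shell_reverse_tcp            .                normal  No     Generic Command Shell, Reverse TCP Inline
   4   payload/generic/ssh/interact                 .                normal  No     Interact with Established SSH Connection
   17  payload/windows/x64/shell/reverse_tcp        .                normal  No     Windows x64 Command Shell, Reverse TCP Stager (constructed row)
   18  payload/windows/x64/meterpreter_reverse_tcp  .                normal  No     Windows x64 Meterpreter, Reverse TCP Inline (constructed row)
"""

# Stager / transport names in Metasploit payload paths start with one of these.
TRANSPORT_PREFIXES = ("reverse_", "bind_")

# A listing row: index, then the payload path. Header and separator rows do
# not start with a number, so they are skipped.
ROW_RE = re.compile(r"^\s*(\d+)\s+(payload/\S+)")


def classify_payload(name):
    """Classify a payload path as 'single' (inline) or 'staged' from its name.

    Staged:  .../<stage>/<stager>     e.g. windows/x64/shell/reverse_tcp
    Single:  .../<stage>_<transport>  e.g. generic/shell_reverse_tcp
    Single:  no transport in the name e.g. generic/custom (self-contained)
    Returns {"kind", "stage", "stager"}; "stager" is None when there is none.
    """
    if name.startswith("payload/"):          # listing rows carry this prefix
        name = name[len("payload/"):]
    parts = name.split("/")
    last = parts[-1]
    if last.startswith(TRANSPORT_PREFIXES) and len(parts) >= 2:
        # Slash before the transport: the stager fetches the stage (parts[-2]).
        return {"kind": "staged", "stage": parts[-2], "stager": last}
    for prefix in TRANSPORT_PREFIXES:
        idx = last.find("_" + prefix)
        if idx != -1:
            # Underscore before the transport: stage and stager in one blob.
            return {"kind": "single", "stage": last[:idx], "stager": last[idx + 1:]}
    return {"kind": "single", "stage": last, "stager": None}


def parse_show_payloads(text):
    """Map listing index -> payload path, the form 'set payload <index>' uses."""
    table = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            table[int(m.group(1))] = m.group(2)
    return table


def describe_payloads(text):
    """[(index, path, kind), ...] in index order for every row in the listing."""
    return [(i, n, classify_payload(n)["kind"]) for i, n in sorted(parse_show_payloads(text).items())]


if __name__ == "__main__":
    for index, path, kind in describe_payloads(SHOW_PAYLOADS_OUTPUT):
        print(f"{index:>3}  {kind:<6}  {path}")
```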
Illustrative Example
- `use exploit/windows/smb/ms17_010_eternalblue`: Selects the EternalBlue exploit, establishing its context.
- `show options`: Displays options specifically for the EternalBlue exploit (e.g., `RHOSTS`, `RPORT`).
- `set RHOSTS 192.168.1.100`: Sets the target IP address.
- `use auxiliary/scanner/portscan/tcp`: Switches to a TCP port scanner module. The `RHOSTS` setting is lost.
- `show options`: Displays options for the TCP port scanner, which will likely require different parameters than the EternalBlue exploit.
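To make the Contextual Configuration section and the sequence above concrete, here is an added example that is not Metasploit’s code and not part of the room: a deliberately small model of the two datastores, one global (written by `set -g`) and one per module (written by `set` and discarded by `use`). The module catalogue is a hand-written stand-in for the real module tree; its option names come from the page, while the port scanner’s `PORTS`/`THREADS` defaults and the lookup order used by `get()` (explicit module `set`, then global, then the module default) are assumptions of this model, not a statement about Metasploit’s internals. `walkthrough()` replays the five steps above and then repeats them with a global `RHOSTS` to show the difference.

```python
# Constructed stand-in for Metasploit's module tree: option -> (default, required).
# Option names follow the page; the portscan defaults are assumed.
MODULE_CATALOGUE = {
    "exploit/windows/smb/ms17_010_eternalblue": {
        "RHOSTS": (None, True),
        "RPORT": ("445", True),
        "SMBUser": (None, False),
    },
    "auxiliary/scanner/portscan/tcp": {
        "RHOSTS": (None, True),
        "PORTS": ("1-10000", True),   # assumed default
        "THREADS": ("1", True),       # assumed default
    },
}


class Console:
    """Minimal model of msfconsole's global and per-module datastores."""

    def __init__(self):
        self.global_ds = {}   # "set -g NAME VALUE": survives context switches
        self.module = None    # currently selected module path, or None
        self.module_ds = {}   # "set NAME VALUE": replaced wholesale by "use"

    def prompt(self):
        if self.module is None:
            return "msf6 > "
        kind, path = self.module.split("/", 1)
        return f"msf6 {kind}({path}) > "

    def use(self, path):
        if path not in MODULE_CATALOGUE:
            raise KeyError(f"unknown module: {path}")
        self.module = path
        self.module_ds = {}   # the previous module's settings are gone

    def set(self, name, value, global_=False):
        (self.global_ds if global_ else self.module_ds)[name] = value

    def get(self, name):
        """Assumed precedence: module 'set' > global 'set -g' > module default."""
        if self.module is not None and name in self.module_ds:
            return self.module_ds[name]
        if name in self.global_ds:
            return self.global_ds[name]
        if self.module is None:
            return None
        return MODULE_CATALOGUE[self.module].get(name, (None, False))[0]

    def show_options(self):
        """{option: (current value, required)} for the selected module."""
        if self.module is None:
            raise RuntimeError("no module selected")
        return {n: (self.get(n), req) for n, (_, req) in MODULE_CATALOGUE[self.module].items()}


def walkthrough():
    """Replay the steps above; returns RHOSTS after each relevant step."""
    c = Console()
    c.use("exploit/windows/smb/ms17_010_eternalblue")
    c.set("RHOSTS", "192.168.1.100")
    in_exploit = c.get("RHOSTS")
    c.use("auxiliary/scanner/portscan/tcp")
    after_switch = c.get("RHOSTS")                  # None: lost with the old context
    c.set("RHOSTS", "192.168.1.100", global_=True)  # the "set -g" variant instead
    c.use("exploit/windows/smb/ms17_010_eternalblue")
    after_global = c.get("RHOSTS")                  # kept: it lives in the global store
    return in_exploit, after_switch, after_global


if __name__ == "__main__":
    print(walkthrough())
```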
Listing All Modules
The `show` command, when used without any arguments from the `msfconsole` prompt, lists all available modules in the Metasploit database.
Module Context Management
- `use` command: Selects a specific module, changing the console context to that module. The prompt reflects the current module (e.g., `msf6 exploit(windows/smb/ms17_010_eternalblue)`). All subsequent commands, unless explicitly specified as global, apply only to the currently selected module.
- `show options` command: Displays the configurable options for the selected module. Required and optional parameters are clearly indicated. This command’s output is specific to the module’s context.
- `back` command: Exits the current module context, returning to the main `msfconsole` prompt.
Module Information (`info` command)
The `info` command provides detailed information about a module. It can be used in two ways:
- Within a module’s context: `info` displays comprehensive details, including author(s), description, relevant references (URLs, CVE numbers), licensing information, supported targets (if any), and basic options.
- From the main `msfconsole` prompt: `info [module_path]` (e.g., `info exploit/windows/smb/ms17_010_eternalblue`) displays the same detailed information.

The `info` command provides far more than a simple help menu; it provides rich contextual information about the module’s capabilities and background.
```
msf6 exploit(windows/smb/ms17_010_eternalblue) > info auxiliary/scanner/ssh/ssh_login

       Name: SSH Login Check Scanner
     Module: auxiliary/scanner/ssh/ssh_login
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  todb <todb@metasploit.com>

Check supported:
  No

Basic options:
  Name              Current Setting  Required  Description
  ----              ---------------  --------  -----------
  ANONYMOUS_LOGIN   false            yes       Attempt to login with a blank username and password
  BLANK_PASSWORDS   false            no        Try blank passwords for all users
  BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
  CreateSession     true             no        Create a new session for every successful login
  DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
  DB_ALL_PASS       false            no        Add all passwords in the current database to the list
  DB_ALL_USERS      false            no        Add all users in the current database to the list
  DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
  PASSWORD                           no        A specific password to authenticate with
  PASS_FILE                          no        File containing passwords, one per line
  RHOSTS                             yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
  RPORT             22               yes       The target port
  STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
  THREADS           1                yes       The number of concurrent threads (max one per host)
  USERNAME                           no        A specific username to authenticate as
  USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
  USER_AS_PASS      false            no        Try the username as the password for all users
  USER_FILE                          no        File containing usernames, one per line
  VERBOSE           false            yes       Whether to print output for all attempts

Description:
  This module will test ssh logins on a range of machines and
  report successful logins. If you have loaded a database plugin
  and connected to a database this module will record successful
  logins and hosts so you can track your access.

References:
  https://nvd.nist.gov/vuln/detail/CVE-1999-0502

View the full module info with the info -d command.
```
Module Searching (`search` command)
The `search` command is a powerful tool for finding relevant modules within the Metasploit database. It supports various search parameters, including:
- Keywords: Search for modules containing specific terms in their names or descriptions (e.g., `search eternalblue`, `search heartbleed`).
- CVE numbers: Find modules related to specific vulnerabilities (e.g., `search CVE-2017-0143`).
- Module type: Filter results by module type (e.g., `search type:auxiliary telnet` searches only for auxiliary modules related to Telnet).
- Platform: Filter results based on the target operating system (e.g., `search platform:windows`).
```
msf6 > search ms17-010

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution

Interact with a module by name or index, for example use 4 or use exploit/windows/smb/smb_doublepulsar_rce

msf6 >
```
The output of the `search` command lists matching modules, including their name, disclosure date, rank (reliability), whether a check is available, and a brief description. Modules can be selected using either their index number or full path (e.g., `use 4` or `use exploit/windows/smb/smb_doublepulsar_rce`).
Exploit Ranking
Source: https://github.com/rapid7/metasploit-framework/wiki/Exploit-Ranking
Metasploit assigns a rank to exploits indicating their reliability. This helps penetration testers gauge the likelihood of success when using a given exploit. The ranking system is detailed in the Metasploit Framework’s official documentation. Note that even high-ranked exploits may not always be successful due to unpredictable target system behavior or unforeseen circumstances.
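The `search` output and the rank column it carries are easiest to understand by reading them back programmatically, so the following added example (not code from the room or from Metasploit) serves both the Module Searching section and this one. It parses rows in the layout of the `search ms17-010` listing above, resolves a selector the way `use 4` or `use exploit/...` would, and orders the results by rank so that the “reliability” the page describes becomes a comparable number. The sample rows are the five from the page; row 1 has no disclosure date, exactly as on the page, which is the case the row pattern has to tolerate. The numeric values behind the rank names (`excellent` 600 down to `manual` 0) are the constants Metasploit uses internally for its rank levels; the page itself only names the concept and points at the wiki page linked above.

```python
import re

# Constructed sample: the "search ms17-010" rows from the page, in
# msfconsole's column layout. Row 1 has no disclosure date, as on the page.
SEARCH_OUTPUT = """\
Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution
"""

# Metasploit's rank levels and the numeric value each maps to internally.
RANK_VALUE = {"manual": 0, "low": 100, "average": 200, "normal": 300,
              "good": 400, "great": 500, "excellent": 600}

# One result row: index, module path, optional ISO date, rank word, Yes/No
# for the check column, then the free-text description.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\d{4}-\d{2}-\d{2})?\s+"
    r"(manual|low|average|normal|good|great|excellent)\s+(Yes|No)\s+(.*)$"
)


def parse_search(text):
    """Turn search output into a list of dicts, one per matching module."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        index, name, date, rank, check, description = m.groups()
        rows.append({
            "index": int(index),
            "name": name,
            "type": name.split("/", 1)[0],   # exploit, auxiliary, post, ...
            "date": date,                     # None when the column is blank
            "rank": rank,
            "check": check == "Yes",          # module can test without exploiting
            "description": description,
        })
    return rows


def resolve(rows, selector):
    """Resolve 'use 4' or 'use <full path>' to the module path."""
    for row in rows:
        if selector == row["name"] or (selector.isdigit() and int(selector) == row["index"]):
            return row["name"]
    raise LookupError(f"no module matches {selector!r}")


def by_reliability(rows, module_type="exploit"):
    """Rows of one type, highest rank first; among equal ranks, check-capable first."""
    candidates = [r for r in rows if module_type is None or r["type"] == module_type]
    return sorted(candidates, key=lambda r: (RANK_VALUE[r["rank"]], r["check"]), reverse=True)


if __name__ == "__main__":
    results = parse_search(SEARCH_OUTPUT)
    print("use 4 ->", resolve(results, "4"))
    for r in by_reliability(results):
        print(f"{r['rank']:<8} check={'yes' if r['check'] else 'no':<3} {r['name']}")
```

The `check` flag is worth keeping in the parsed record: the auxiliary scanner on row 1 and the three exploits that answer “Yes” are the entries that can confirm whether a host is affected without attempting exploitation, which is the less disruptive first step when validating a finding.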