Metasploit is a framework for penetration testing.
Setup
On Kali (or any other distro after installing the metasploit package), install postgresql, enable and start the postgresql service, then run sudo msfdb init.
msfconsole
Msfconsole is the command-line tool for using the Metasploit framework.
Navigation
- use MODULE: switch to a module
- back: switch to the main prompt (i.e. msf6 >)
- previous: switch to the previous module
- show CATEGORY: show all modules under the specified category; see show -h for valid arguments
- search QUERY: search for modules (advanced filtering available, see search -h)
Module
- info or show info: show help message / general information for the current module / payload
- options or show options: show available options for the current module / payload
- advanced or show advanced: show advanced options for the current module / payload
- set[g] OPTION VALUE: set an option; use setg to set an option globally (for all modules)
- set TARGET: set the target (vulnerable software version, etc.)
- check: check whether the remote target is vulnerable (not supported by all modules)
- run: run the module
- exploit: alias for run
- services -p PORT --rhosts: add services from the database on PORT to the RHOSTS option
Database
- services: show discovered services across all hosts (from port scans, etc.); e.g. services -p 443
- hosts: show discovered hosts
- db_nmap: run nmap with the given options and save the results into the Metasploit database
- creds: show valid credentials stored in the database (from successful login attempts)
- workspace: show available workspaces (inside a workspace, only database entries under that workspace appear)
- workspace WORKSPACE: enter a workspace
- workspace [ -a | -d ] WORKSPACE: add or delete a workspace
Sessions
- sessions: list current Meterpreter sessions
- sessions -k ID: kill a Meterpreter session by ID
- sessions -i ID: interact with / switch to a session by ID
Transports
In the Meterpreter prompt:
- transport list: list the current Meterpreter transports
- transport add OPTIONS...: add a transport (e.g. transport add -t reverse_tcp -l IP -p PORT)
- transport next: switch the current Meterpreter session to the next transport (requires a running exploit/multi/handler)
Payloads
Two types of payloads exist:
- Non-staged: immediately effective once executed
- Staged: connects back to request more payload, often to save space in the initial payload (e.g. for buffer overflow) and to evade antivirus
A non-staged payload and its staged counterpart are differentiated by underscores and slashes:
- Non-staged: windows/shell_reverse_tcp
- Staged: windows/shell/reverse_tcp
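The naming rule above is mechanical enough to parse. The following Python snippet is an added example, not code from the cheat sheet or from the Metasploit project: it splits a payload name into platform, stage and stager, reports whether the name is staged, stageless (non-staged) or a single with no stager at all, and derives the counterpart name. The set of stager names it recognises (reverse_tcp, bind_tcp, reverse_http, reverse_https and a few others) is an assumption covering the common transports, not the framework's full list, so an unrecognised stager is reported as a single.

```python
"""Classify Metasploit payload names by the staged / non-staged convention.

Added example, not part of the original cheat sheet or the Metasploit project.
Staged payloads are written STAGE/STAGER (windows/shell/reverse_tcp); the
stageless counterpart joins the two with an underscore (windows/shell_reverse_tcp).
"""
from typing import Optional

# Assumed set of common stager / transport names (not exhaustive).
KNOWN_STAGERS = {
    "reverse_tcp", "bind_tcp", "reverse_http", "reverse_https",
    "reverse_tcp_rc4", "reverse_named_pipe", "bind_named_pipe",
}


def classify_payload(name: str) -> dict:
    """Return platform, stage, stager and kind ('staged', 'stageless' or 'single')."""
    parts = name.split("/")
    if len(parts) < 2:
        raise ValueError(f"not a platform/payload name: {name!r}")
    last = parts[-1]
    # Staged form: .../STAGE/STAGER, the final path segment is a stager.
    if last in KNOWN_STAGERS and len(parts) >= 3:
        return {"platform": "/".join(parts[:-2]), "stage": parts[-2],
                "stager": last, "kind": "staged"}
    # Stageless form: .../STAGE_STAGER; the longest matching stager suffix wins
    # so that reverse_tcp_rc4 is not mistaken for reverse_tcp.
    for stager in sorted(KNOWN_STAGERS, key=len, reverse=True):
        if last.endswith("_" + stager) and len(last) > len(stager) + 1:
            return {"platform": "/".join(parts[:-1]),
                    "stage": last[: -len(stager) - 1],
                    "stager": stager, "kind": "stageless"}
    # Anything else (e.g. windows/adduser) is a single payload with no stager.
    return {"platform": "/".join(parts[:-1]), "stage": last,
            "stager": None, "kind": "single"}


def counterpart(name: str) -> Optional[str]:
    """Staged name for a stageless payload and vice versa; None for singles."""
    info = classify_payload(name)
    if info["kind"] == "staged":
        return f"{info['platform']}/{info['stage']}_{info['stager']}"
    if info["kind"] == "stageless":
        return f"{info['platform']}/{info['stage']}/{info['stager']}"
    return None


if __name__ == "__main__":
    # Constructed sample names, including the two from the cheat sheet.
    for n in ["windows/shell_reverse_tcp", "windows/shell/reverse_tcp",
              "windows/x64/meterpreter/reverse_https", "windows/adduser"]:
        print(n, "->", classify_payload(n)["kind"], "counterpart:", counterpart(n))
```

The platform part may contain an architecture segment (windows/x64/...), which is why the parser joins everything before the stage instead of assuming a single leading segment.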
Common Modules
Scanning:
- use auxiliary/scanner/portscan/syn (SYN scanner; auxiliary/scanner/portscan/tcp is also available)
How to pivot (also see Meterpreter pivoting):
- use multi/manage/autoroute: automatically add routes to the networks available in a session
- route add CIDR SESSION_ID: manually add a route to the target machine's internal network via an active session (e.g. route add 192.168.1.0/24 3)
- use auxiliary/server/socks_proxy: set up a SOCKS proxy (can be used with proxychains)
- use exploit/windows/smb/psexec: needs credentials; works with windows/meterpreter/bind_tcp