Metasploit is a framework for penetration testing.

Setup

On Kali (or any other distro, after installing the metasploit package), install postgresql, enable and start the postgresql service, then run sudo msfdb init.

msfconsole

Msfconsole is the command-line tool for using the Metasploit framework.

  • use MODULE: switch to a module
  • back: switch to the main prompt (i.e. msf6 >)
  • previous: switch to previous module
  • show CATEGORY: show all modules under specified category; see show -h for valid arguments
  • search QUERY: search for modules (advanced filtering available, see search -h)

Module

  • info or show info: show help message / general information for current module / payload
  • options or show options: show available options for current module / payload
  • advanced or show advanced: show advanced options for current module / payload
  • set[g] OPTION VALUE: set an option; use setg to set an option globally / for all modules
  • set TARGET: set target (vulnerable software version, etc)
  • check: check if the target remote is vulnerable (not supported by all modules)
  • run: run module
  • exploit: alias for run
  • services -p PORT --rhosts: add the hosts that have a service on PORT (from the database) to the RHOSTS option

Database

  • services: show discovered services across all hosts (from port scans, etc); e.g. services -p 443
  • hosts: show discovered hosts
  • db_nmap: run nmap with the given options and save results into Metasploit database
  • creds: show valid credentials stored in database (from successful login attempts)
  • workspace: show available workspaces (inside a workspace, only the database entries belonging to it appear)
  • workspace WORKSPACE: enter a workspace
  • workspace [ -a | -d ] WORKSPACE: add or delete a workspace

Sessions

  • sessions: list current Meterpreter sessions
  • sessions -k ID: kill Meterpreter session by ID
  • sessions -i ID: interact with / switch to session by ID

Transports

In Meterpreter prompt:

  • transport list: list current meterpreter transports
  • transport add OPTIONS...: add transport (e.g. transport add -t reverse_tcp -l IP -p PORT)
  • transport next: switch current meterpreter session to next transport (requires a running exploit/multi/handler)

Payloads

Two types of payloads exist:

  • Non-staged: the whole payload is delivered at once and is immediately effective once executed
  • Staged: a small stager connects back to fetch the rest of the payload (the stage), which keeps the initial payload small (e.g. for a buffer overflow) and helps evade antivirus

A non-staged payload and its staged counterpart are differentiated by underscores and slashes:

  • Non-staged: windows/shell_reverse_tcp
  • Staged: windows/shell/reverse_tcp
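The naming convention above can be checked mechanically. The following Ruby snippet is an added example (not part of the original notes and not Metasploit's own code): it splits a payload path into its components and reports whether it is staged or non-staged, plus the platform, stage and transport. Only the stage name "shell" appears on this page; the other stage names in STAGE_NAMES are an assumption made for illustration.

```ruby
# Added example, not Metasploit's own code: classify a payload name as
# staged or non-staged using the underscore-vs-slash convention.

# Assumption: only "shell" is on the page; the rest are common Metasploit
# stage names included so the classifier handles more than one case.
STAGE_NAMES = %w[shell meterpreter vncinject dllinject upexec].freeze

PayloadInfo = Struct.new(:name, :staged, :platform, :stage, :transport) do
  def to_s
    kind = staged ? "staged" : "non-staged"
    "#{name}: #{kind} (platform=#{platform}, stage=#{stage || 'none'}, transport=#{transport})"
  end
end

# Parse a payload path such as "windows/shell/reverse_tcp" (staged: stage and
# stager are separate components) or "windows/shell_reverse_tcp" (non-staged:
# stage and transport are joined by an underscore in the last component).
def classify_payload(name)
  parts = name.split("/")
  raise ArgumentError, "payload name needs at least two components: #{name.inspect}" if parts.size < 2

  last = parts[-1]
  prev = parts[-2]

  if STAGE_NAMES.include?(prev)
    # e.g. windows/x64/meterpreter/reverse_https -> platform windows/x64
    PayloadInfo.new(name, true, parts[0...-2].join("/"), prev, last)
  else
    # Look for a stage name glued to the transport, e.g. shell_reverse_tcp.
    # Payloads with no stage at all (e.g. cmd/unix/reverse_bash) are single.
    stage = STAGE_NAMES.find { |s| last.start_with?("#{s}_") }
    transport = stage ? last.sub("#{stage}_", "") : last
    PayloadInfo.new(name, false, parts[0...-1].join("/"), stage, transport)
  end
end

if $PROGRAM_NAME == __FILE__
  # Sample names constructed for this example
  %w[windows/shell_reverse_tcp windows/shell/reverse_tcp
     windows/x64/meterpreter/reverse_https cmd/unix/reverse_bash].each do |n|
    puts classify_payload(n)
  end
end
```

The distinction matters in practice: a listener (such as exploit/multi/handler) configured for the staged variant expects to send a stage to the connecting stager, so it must be set to exactly the same payload name, staged or non-staged, as the one that was executed on the target.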

Common Modules

Scanning: use auxiliary/scanner/portscan/syn (SYN scanner; ./tcp is also available)

How to pivot (also see Meterpreter pivoting):

  • use multi/manage/autoroute: automatically add routes to the networks reachable from a session
  • route add CIDR SESSION_ID: manually add a route to target machine’s internal network via an active session (e.g. route add 192.168.1.0/24 3)
  • use auxiliary/server/socks_proxy: set up a SOCKS proxy (can be used with proxychains)
  • use exploit/windows/smb/psexec: needs credentials; works with windows/meterpreter/bind_tcp