Metasploit
https://tryhackme.com/r/room/metasploitintro
msfconsole --defer-module-loads # start msfconsole faster by deferring module loading
meterpreter > cd 'c:\Program Files (x86)\Windows Multimedia Platform\'
Metasploit is an open-source penetration testing framework that helps security professionals find and exploit vulnerabilities in computer systems. It includes a database of known vulnerabilities and tools and scripts for exploiting them.
A few recurring concepts
Exploit: A piece of code that uses a vulnerability present on the target system.
Vulnerability: A design, coding, or logic flaw affecting the target system. The exploitation of a vulnerability can result in disclosing confidential information or allowing the attacker to execute code on the target system.
Payload: An exploit takes advantage of a vulnerability. However, if we want the exploit to produce the result we want (gaining access to the target system, reading confidential information, etc.), we need a payload. Payloads are the code that will run on the target system.
Auxiliary
Any supporting module, such as scanners, crawlers and fuzzers, can be found here.
cd /opt/metasploit-framework/embedded/framework/modules
tree -L 1 auxiliary
auxiliary/
├── admin
├── analyze
├── bnat
├── client
├── cloud
├── crawler
├── docx
├── dos
├── example.py
├── example.rb
├── fileformat
├── fuzzers
├── gather
├── parser
├── pdf
├── scanner
├── server
├── sniffer
├── spoof
├── sqli
├── voip
└── vsploit
Encoders
Encoders will allow you to encode the exploit and payload in the hope that a signature-based antivirus solution may miss them.
Signature-based antivirus and security solutions have a database of known threats. They detect threats by comparing suspicious files to this database and raise an alert if there is a match. Thus encoders can have a limited success rate as antivirus solutions can perform additional checks.
cd /opt/metasploit-framework/embedded/framework/modules
tree -L 1 encoders/
encoders/
├── cmd
├── generic
├── mipsbe
├── mipsle
├── php
├── ppc
├── ruby
├── sparc
├── x64
└── x86
Evasion
While encoders will encode the payload, they should not be considered a direct attempt to evade antivirus software. On the other hand, "evasion" modules will try that, with more or less success.
cd /opt/metasploit-framework/embedded/framework/modules
tree -L 2 evasion/
evasion/
└── windows
    ├── applocker_evasion_install_util.rb
    ├── applocker_evasion_msbuild.rb
    ├── applocker_evasion_presentationhost.rb
    ├── applocker_evasion_regasm_regsvcs.rb
    ├── applocker_evasion_workflow_compiler.rb
    ├── process_herpaderping.rb
    ├── syscall_inject.rb
    ├── windows_defender_exe.rb
    └── windows_defender_js_hta.rb
Exploits
cd /opt/metasploit-framework/embedded/framework/modules
tree -L 1 exploits/
exploits/
├── aix
├── android
├── apple_ios
├── bsd
├── bsdi
├── dialup
├── example_linux_priv_esc.rb
├── example.py
├── example.rb
├── example_webapp.rb
├── firefox
├── freebsd
├── hpux
├── irix
├── linux
├── mainframe
├── multi
├── netware
├── openbsd
├── osx
├── qnx
├── solaris
├── unix
└── windows
NOPs
NOPs (No OPeration) do nothing, literally. On the Intel x86 CPU family they are represented by 0x90; when the CPU executes one it does nothing for one cycle. They are often used as a buffer (padding) to achieve consistent payload sizes.
cd /opt/metasploit-framework/embedded/framework/modules
tree -L 1 nops/
nops/
├── aarch64
├── armle
├── cmd
├── mipsbe
├── php
├── ppc
├── sparc
├── tty
├── x64
└── x86
Payloads
Payloads are code that will run on the target system.
Exploits leverage a vulnerability on the target system, but to achieve the desired result we need a payload. Examples include: getting a shell, loading malware or a backdoor onto the target system, running a command, or launching calc.exe as a proof of concept to add to the penetration test report. Starting the calculator on the target system remotely by launching calc.exe is a benign way to show that we can run commands on the target system.
Running a command on the target system is already an important step, but having an interactive connection that lets you type commands to be executed on the target system is better. Such an interactive command line is called a "shell". Metasploit offers different payloads that can open shells on the target system.
cd /opt/metasploit-framework/embedded/framework/modules
tree -L 1 payloads/
payloads/
├── adapters
├── singles
├── stagers
└── stag
Adapters: An adapter wraps single payloads to convert them into different formats. For example, a normal single payload can be wrapped inside a PowerShell adapter, which will make a single PowerShell command that will execute the payload.
Singles: Self-contained payloads (add user, launch notepad.exe, etc.) that do not need to download an additional component to run.
Stagers: Responsible for setting up a connection channel between Metasploit and the target system. Useful when working with staged payloads. "Staged payloads" will first upload a stager on the target system then download the rest of the payload (stage). This provides some advantages as the initial size of the payload will be relatively small compared to the full payload sent at once.
Stages: Downloaded by the stager. This will allow you to use larger sized payloads.
Metasploit has a subtle way to help you identify single (also called "inline") payloads and staged payloads.
generic/shell_reverse_tcp
windows/x64/shell/reverse_tcp
Both are reverse Windows shells. The former is an inline (or single) payload, as indicated by the "_" between "shell" and "reverse", while the latter is a staged payload, as indicated by the "/" between "shell" and "reverse".
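As an added example (not code from the TryHackMe room or from Metasploit itself), a small Ruby function that applies the naming rule above to a payload path and reports whether it is inline or staged, along with the platform, architecture, stage and stager it encodes. The architecture list is taken from the nops/ directory listing above; the cmd/ script-payload family is laid out differently and is rejected as unsupported, which is an assumption of this example.

```ruby
# Added example: classify Metasploit payload paths by the inline/staged naming rule.
# Native payloads follow platform[/arch]/stage/stager (staged) or
# platform[/arch]/stage_stager (single/inline). The cmd/ family is laid out
# differently and is rejected here (assumption of this example, not a Metasploit API).
ARCHES = %w[x64 x86 aarch64 armle mipsbe mipsle ppc sparc].freeze

def classify_payload(path)
  parts = path.split('/')
  raise ArgumentError, "unsupported payload layout: #{path}" if parts.size < 2 || parts.first == 'cmd'

  platform = parts.shift
  # The arch component is optional (generic/... has none, windows/x64/... has one)
  arch = ARCHES.include?(parts.first) ? parts.shift : nil

  case parts.size
  when 1
    # Single payload: stage and stager fused with '_' (e.g. shell_reverse_tcp)
    stage, stager = parts[0].split('_', 2)
    raise ArgumentError, "cannot split stage/stager in #{path}" if stager.nil?
    { platform: platform, arch: arch, stage: stage, stager: stager, staged: false }
  when 2
    # Staged payload: stage and stager are separate components (e.g. shell/reverse_tcp)
    { platform: platform, arch: arch, stage: parts[0], stager: parts[1], staged: true }
  else
    raise ArgumentError, "unrecognised payload path: #{path}"
  end
end

# Human-readable summary, handy when reviewing a list of payloads in a report
def describe_payload(path)
  info = classify_payload(path)
  kind = info[:staged] ? 'staged' : 'inline (single)'
  arch = info[:arch] ? "/#{info[:arch]}" : ''
  "#{path}: #{kind} #{info[:stage]} payload for #{info[:platform]}#{arch} via #{info[:stager]}"
end

if __FILE__ == $PROGRAM_NAME
  # The two payload names from the notes above plus one more staged example
  %w[generic/shell_reverse_tcp windows/x64/shell/reverse_tcp linux/x64/meterpreter/reverse_tcp].each do |p|
    puts describe_payload(p)
  end
end
```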
Post
cd /opt/metasploit-framework/embedded/framework/modules
tree -L 1 post/
post/
├── aix
├── android
├── apple_ios
├── bsd
├── firefox
├── hardware
├── linux
├── multi
├── networking
├── osx
├── solaris
└── windows