Metasploit documentation: docs.metasploit.com Related CheatSheet: Metasploit
Metasploit architecture
Modules
Ruby script files, one for each exploit
Stored usally in:
/usr/share/metasploit-framework/modules
$HOME/.msf4/modules
Modules sources:
- www.exploit-db.com
- db
- GitHub dork :
MetasploitModule path:*.rb OR MetasploitModule path:*.rc*
Plugins
Adds extra functionalities to metasploit
Stored usually in:
/usr/share/metasploit-framework/plugins
$HOME/.msf4/plugins
Example from docs.metasploit.com
Capture Plugin
msf6 > load capture
[*] Successfully loaded plugin: Credential Capture
msf6 > captureg start --ip 192.168.159.128
Logging results to /home/smcintyre/.msf4/logs/captures/capture_local_20220325104416_589275.txt
Hash results stored in /home/smcintyre/.msf4/loot/captures/capture_local_20220325104416_612808
[+] Authentication Capture: DRDA (DB2, Informix, Derby) started
[+] Authentication Capture: FTP started
[+] HTTP Client MS Credential Catcher started
[+] HTTP Client MS Credential Catcher started
[+] Authentication Capture: IMAP started
[+] Authentication Capture: MSSQL started
[+] Authentication Capture: MySQL started
[+] Authentication Capture: POP3 started
[+] Authentication Capture: PostgreSQL started
[+] Printjob Capture Service started
[+] Authentication Capture: SIP started
[+] Authentication Capture: SMB started
[+] Authentication Capture: SMTP started
[+] Authentication Capture: Telnet started
[+] Authentication Capture: VNC started
[+] Authentication Capture: FTP started
[+] Authentication Capture: IMAP started
[+] Authentication Capture: POP3 started
[+] Authentication Capture: SMTP started
[+] NetBIOS Name Service Spoofer started
[+] LLMNR Spoofer started
[+] mDNS Spoofer started
[+] Started capture jobs
msf6 >
Tools
Metasploit tools are scripts usually developed by third parties that aids during pentest, CTFs and such
The source are stored usually in:
/usr/share/metasploit-framework/tools
Scripts
Metasploit scripts are now deprecated and modules should be used instead
Metasploit architecture in Exegol
Metasploit is not installed in the same way as the ParrotOS is inside Exegol
- Modules and Plugins are stored inside
/root/.msf4/
- Binaries - such as
msfconsole
,msfdb
ormsfvenom
- are stored in/opt/metasploit-framework/bin/
Metasploit Payloads
Singles
Contains exploit + entire shellcode => Self-contained More stable but bigger than the others
Stagers
Works with Stages to typically set up a network connection beteen the attacker and victim Designed to be small and reliable Metasploit uses the best stager and less-preferred as fallbacks
Stages
Component downloaded by the Stagers w/o size limits such as meterpreter (see Meterpreter for more info about this attack payload) and others
Common Payload Types
Windows
Payload | Description |
---|---|
generic/custom | Generic listener, multi-use |
generic/shell_bind_tcp | Generic listener, multi-use, normal shell, TCP connection binding |
generic/shell_reverse_tcp | Generic listener, multi-use, normal shell, reverse TCP connection |
windows/x64/exec | Executes an arbitrary command (Windows x64) |
windows/x64/loadlibrary | Loads an arbitrary x64 library path |
windows/x64/messagebox | Spawns a dialog via MessageBox using a customizable title, text & icon |
windows/x64/shell_reverse_tcp | Normal shell, single payload, reverse TCP connection |
windows/x64/shell/reverse_tcp | Normal shell, stager + stage, reverse TCP connection |
windows/x64/shell/bind_ipv6_tcp | Normal shell, stager + stage, IPv6 Bind TCP stager |
windows/x64/meterpreter/$ | Meterpreter payload + varieties above |
windows/x64/powershell/$ | Interactive PowerShell sessions + varieties above |
windows/x64/vncinject/$ | VNC Server (Reflective Injection) + varieties above |
Automatic payload selection
Metasploit sets automatically a payload for an exploit. This is the preference list that Metasploit uses to select a payload if there isn't one set for the exploit :
- windows/meterpreter/reverse_tcp
- java/meterpreter/reverse_tcp
- php/meterpreter/reverse_tcp
- php/meterpreter_reverse_tcp
- ruby/shell_reverse_tcp
- cmd/unix/interact
- cmd/unix/reverse
- cmd/unix/reverse_perl
- cmd/unix/reverse_netcat_gaping
- windows/meterpreter/reverse_nonx_tcp
- windows/meterpreter/reverse_ord_tcp
- windows/shell/reverse_tcp
- generic/shell_reverse_tcp
Metasploit database
msfconsole
has built-in support for PostgreSQL db
Setup
❯ sudo msfdb init
❯ sudo msfdb run
Reinitiate the DB
❯ msfdb reinit
❯ cp /usr/share/metasploit-framework/config/database.yml ~/.msf4
# Or if your on exegol
❯ cp /opt/metasploit-framework/config/database.yml /root/.msf4
❯ sudo servcie postgresql restart
❯ msfconsole -q
Workspaces
Having the msfdb set up allows the creatoion of Workspaces. Workspaces are pretty useful when dealing with large amount of hosts and data linked to them.
msf6> workspace
* default
We can add or delete a workspace with workspace -a
and workspace -d
Importing nmap Scan Results
Info
XML
content is prefered over plaintext
- Generate
xml
scan reports with nmap usingnmap -oX
- Generate all report types with
nmap -oA
msf6 > db_import host_scan.xml
[*] Importing 'Nmap XML' data
[*] Import: Parsing with 'Nokogiri v1.10.9'
[*] Importing host 192.168.10.21
[*] Successfully imported ~/host_scan.xml
msf6 > hosts
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
192.168.10.21 Unknown device
msf6 > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
192.168.10.21 135 tcp msrpc open Microsoft Windows RPC
<SNIP>
Using nmap inside msfconsole
msf6 > db_nmap -sC -sV -Pn --min-rate 10000 -T 5 192.168.10.21
Export msfdb contents
msf6 > db_export -f xml session_backup.xml
Display stored creds
During interactions with target hosts, gathered creds are stored inside the db. We can list, add manually, delete and match credentials with ports
msf6 > creds -h
With no sub-command, list credentials. If an address range is
given, show only credentials with logins on hosts within that
range.
Usage - Listing credentials:
creds [filter options] [address range]
Usage - Adding credentials:
creds add uses the following named parameters.
user : Public, usually a username
password : Private, private_type Password.
ntlm : Private, private_type NTLM Hash.
Postgres : Private, private_type Postgres MD5
ssh-key : Private, private_type SSH key, must be a file path.
hash : Private, private_type Nonreplayable hash
jtr : Private, private_type John the Ripper hash type.
realm : Realm,
realm-type: Realm, realm_type (domain db2db sid pgdb rsync wildcard), defaults to domain.
Examples: Adding
# Add a user, password and realm
creds add user:admin password:notpassword realm:workgroup
# Add a user and password
creds add user:guest password:'guest password'
# Add a password
creds add password:'password without username'
# Add a user with an NTLMHash
creds add user:admin ntlm:E2FC15074BF7751DD408E6B105741864:A1074A69B1BDE45403AB680504BBDD1A
# Add a NTLMHash
creds add ntlm:E2FC15074BF7751DD408E6B105741864:A1074A69B1BDE45403AB680504BBDD1A
# Add a Postgres MD5
creds add user:postgres postgres:md5be86a79bf2043622d58d5453c47d4860
# Add a user with an SSH key
creds add user:sshadmin ssh-key:/path/to/id_rsa
# Add a user and a NonReplayableHash
creds add user:other hash:d19c32489b870735b5f587d76b934283 jtr:md5
# Add a NonReplayableHash
creds add hash:d19c32489b870735b5f587d76b934283
General options
-h,--help Show this help information
-o <file> Send output to a file in csv/jtr (john the ripper) format.
If the file name ends in '.jtr', that format will be used.
If file name ends in '.hcat', the hashcat format will be used.
CSV by default.
-d,--delete Delete one or more credentials
Filter options for listing
-P,--password <text> List passwords that match this text
-p,--port <portspec> List creds with logins on services matching this port spec
-s <svc names> List creds matching comma-separated service names
-u,--user <text> List users that match this text
-t,--type <type> List creds that match the following types: password,ntlm,hash
-O,--origins <IP> List creds that match these origins
-R,--rhosts Set RHOSTS from the results of the search
-v,--verbose Don't truncate long password hashes
Examples, John the Ripper hash types:
Operating Systems (starts with)
Blowfish ($2a$) : bf
BSDi (_) : bsdi
DES : des,crypt
MD5 ($1$) : md5
SHA256 ($5$) : sha256,crypt
SHA512 ($6$) : sha512,crypt
Databases
MSSQL : mssql
MSSQL 2005 : mssql05
MSSQL 2012/2014 : mssql12
MySQL < 4.1 : mysql
MySQL >= 4.1 : mysql-sha1
Oracle : des,oracle
Oracle 11 : raw-sha1,oracle11
Oracle 11 (H type): dynamic_1506
Oracle 12c : oracle12c
Postgres : postgres,raw-md5
Examples, listing:
creds # Default, returns all credentials
creds 1.2.3.4/24 # Return credentials with logins in this range
creds -O 1.2.3.4/24 # Return credentials with origins in this range
creds -p 22-25,445 # nmap port specification
creds -s ssh,smb # All creds associated with a login on SSH or SMB services
creds -t NTLM # All NTLM creds
creds -j md5 # All John the Ripper hash type MD5 creds
Example, deleting:
# Delete all SMB credentials
creds -d -s smb