
Metasploit

Last updated 1 year ago

Metasploit is a very popular and useful exploitation framework. It is an industry standard that can be used for scanning, exploitation and more. Maintained by Rapid 7, it is a collection of not only thoroughly tested exploits but also auxiliary and post-exploitation tools.

Installing

Per their documentation, we can install it on macOS and Linux with:

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
  chmod 755 msfinstall && \
  ./msfinstall

We can also install it on Windows from their installer.

Usage

Metasploit can do many things. Start it with msfconsole. The banner changes almost every time you start it; to suppress it, use msfconsole -q. We can also initialize a database with msfdb init. The console can be used like a regular command-line shell, where we can run commands such as ls, mkdir, or ping.

Once in, run help to get a list of commands. A very helpful one is search, which we can use to find available modules by what they are used for. Other commands include use, set and options. The use command selects which module or payload we want to use. The set command sets options for the selected module. The options command shows the module's options and which of them are required, such as local host, remote host, whether we want to provide credentials, etc.

Searching

Running search alone prints a helpful list of keywords to use when searching. As an example, I will search for portscan modules.

We see the number (index) of each module, its name, and other information on what it is used for. The number can be used instead of the full name, but either works. When you find a module you want to use or look at, select it with the use command followed by the name or the number.

E.g. use 5 will select the auxiliary/scanner/portscan/tcp module, and we will see it selected in the prompt.

Options

Running options once we have our module selected will show us a list of its options and tell us whether each one is required.

We can set options with set. I will set the remote host (RHOSTS), as it is required but has no current value. E.g. set rhosts 192.168.50.55

Running options again will show our set options; then we can type run or exploit to run the module.

Database

You will first need to start the PostgreSQL database with systemctl start postgresql, then initialize the Metasploit database with msfdb init. Once in the console, verify connectivity with db_status.

msfconsole -q
msf6 > db_status
[*] Connected to msf. Connection type: postgresql.

You can create workspaces to isolate different projects. When first launched, you should be in the default workspace. You can list the available workspaces by running workspace. Add a workspace with the -a parameter or delete one with the -d parameter. Switch workspaces with workspace followed by the workspace name.

msf6 > workspace
  demo
* default
msf6 > workspace demo
[*] Workspace: demo
msf6 > workspace
  default
* demo
msf6 >

Scanning

We can run Nmap scans from within the console as well and store the results in the database, or use modules as shown above.

If you run an Nmap scan using db_nmap instead of nmap, all results are saved to the database.

View the information relevant to hosts and services running on target systems with the hosts and services commands. Once host information is stored in the database, you can use hosts -R to load those hosts into the RHOSTS option.

The services command with the -S parameter lets you search for specific services in the environment.
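The Usage, Options, Database and Scanning sections above describe one workflow: connect to the database, pick a workspace, scan with db_nmap, push the discovered hosts into RHOSTS with hosts -R, select a module, run it, and query services. Metasploit can replay that whole sequence from a resource script (msfconsole -r file). The script below is an added example, not code from the Th4ntis page or from the Metasploit project: it assumes msfconsole is on PATH, that PostgreSQL has been initialised with msfdb init, and that the target is the lab host 192.168.50.55 used earlier on the page. The -sV Nmap flag and the module's THREADS option are real, but the function names and the file layout are my own construction.

```shell
#!/bin/sh
# Added example (not from the original page): build and run a Metasploit
# resource script for the database-backed scan workflow described above.
# Assumes msfconsole on PATH and a database already set up with `msfdb init`.

# Print the resource-script body for one workspace and one target host.
# Order matters: `hosts -R` is issued after `use`, so RHOSTS lands in the
# selected module's options rather than the global datastore.
build_rc() {
    ws="$1"
    target="$2"
    printf '%s\n' \
        "workspace -a $ws" \
        "db_status" \
        "db_nmap -sV $target" \
        "hosts" \
        "use auxiliary/scanner/portscan/tcp" \
        "hosts -R" \
        "set THREADS 10" \
        "run" \
        "services -S http" \
        "exit"
}

# Write the script to a temporary file and feed it to msfconsole
# (-q suppresses the banner, -r runs the resource file).
run_rc() {
    ws="$1"
    target="$2"
    rc="$(mktemp)"
    build_rc "$ws" "$target" > "$rc"
    msfconsole -q -r "$rc"
    rm -f "$rc"
}

# Usage: ./msf_scan.sh demo 192.168.50.55
if [ "$#" -eq 2 ]; then
    run_rc "$1" "$2"
fi
```

Because the commands are identical to what you would type interactively, you can inspect the generated script with build_rc demo 192.168.50.55 before handing it to msfconsole, and afterwards re-enter the console with msfconsole -q and run workspace demo followed by hosts or services to review what the scan stored.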

Payloads and Sessions/Shells

Most exploits have a preset default payload, but running show payloads will list the other payloads that can be used with that specific exploit. You can run set payload to make your choice. Note that choosing a working payload can become a trial-and-error process because of environmental or OS restrictions such as firewall rules, anti-virus, file-writing limits, or the program needed to execute the payload not being available.

Once a session is opened, you can background it with CTRL+Z or abort it with CTRL+C. Backgrounding a session is useful when working on more than one target simultaneously, or on the same target with a different exploit and/or shell. The sessions command lists all active sessions and supports a number of options that help you manage them. You can interact with any existing session using sessions -i followed by the session ID (e.g. sessions -i 1).

Resources

Metasploit Documentation
Metasploit Unleashed
Metasploit Github
Using Metasploit