Metasploit Basics - Foren-Ken/tech-journal GitHub Wiki
What is Metasploit?
Metasploit is a large collection of exploits, categorized and documented, that lets a penetration tester (or really anyone) test different exploits against a host.
How to use Metasploit?
Information gathering is key to getting the most out of Metasploit. Metasploit is like a big library: without the author's name it is hard to know which book to pick. Once some information about the target's services (and their versions) has been gathered, look for old or unmaintained versions. Once one is found, use the following command to search for a matching exploit:
`find /usr/share/metasploit-framework/modules | grep -e "[relevant keyword]" -e "[another relevant keyword]"`
This command lists the modules cataloged in Metasploit whose path matches any of the keywords.
When an exploit is discovered, it is time to start the Metasploit console with the command `msfconsole`.
From the console, type `use` followed by the module path relative to `/usr/share/metasploit-framework/modules`, without the `.rb` extension. I am using another module as an example, but mine will likely not be the one used.
If everything worked properly, the prompt will show the module name in red. If so, type `options` to see the variables the exploit exposes.
To change an option, the syntax is `set [option name] [value]`.
Once every desired option has been set, the `exploit` command can be run. If it succeeds, a session is opened; note the session number.
The following commands can then be used:
Command | Usage |
---|---|
`sessions -i [session number]` | Selects a session to interact with |
`getuid` | Shows the user the session is running as |
`shell` | Drops from the Meterpreter session into a system shell on the target |
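The module search and the relative path that `use` expects, both described above, as a small added script. This is not code from the wiki page; the helper names are my own, and the module tree it searches is constructed inline so it runs offline (point it at the real modules directory to search an actual install).

```bash
#!/usr/bin/env bash
# Added example, not from the wiki page: search a Metasploit module tree
# for keywords (OR-ed, like the page's `grep -e ... -e ...`) and print each
# hit as the path `use` expects: relative to the modules directory, no .rb.

msf_module_search() {
    # usage: msf_module_search <modules_dir> <keyword> [keyword...]
    local dir="${1%/}"; shift
    local patterns=() kw
    for kw in "$@"; do patterns+=(-e "$kw"); done
    find "$dir" -type f -name '*.rb' \
        | grep -i "${patterns[@]}" \
        | sed -e "s#^$dir/##" -e 's#\.rb$##' \
        | sort
}

# Builds a constructed module tree for an offline run. Only
# exploits/multi/http/phpmyadmin_lfi_rce.rb is a real module name (the one
# the page uses); the other file names are made up for the demo.
build_sample_tree() {
    local root="$1" m
    for m in \
        exploits/multi/http/phpmyadmin_lfi_rce.rb \
        auxiliary/scanner/http/phpmyadmin_version_probe.rb \
        exploits/linux/http/some_other_service.rb \
        exploits/multi/http/README.md; do
        mkdir -p "$root/$(dirname "$m")"
        : > "$root/$m"
    done
}

# Demo against the constructed tree; replace "$demo_root" with
# /usr/share/metasploit-framework/modules to search a real install.
demo_root=$(mktemp -d)
build_sample_tree "$demo_root"
echo "modules matching 'phpmyadmin':"
msf_module_search "$demo_root" phpmyadmin
rm -rf "$demo_root"
```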
Metasploit Example:
On a system named "Nancurinir", I had discovered the following through active recon:
- The server uses phpMyAdmin with the username "gandalf" and the password "shallnotpass"
- phpMyAdmin is running on version 4.8.1
Using this information, the following actions were taken:
- Used the command `find /usr/share/metasploit-framework/modules | grep "phpmyadmin"` to find any exploits related to the phpMyAdmin instance.
- Looked up each exploit to see if it worked with my target. The `/usr/share/metasploit-framework/modules/exploits/multi/http/phpmyadmin_lfi_rce.rb` exploit was found on the Rapid7 website here: https://www.rapid7.com/db/modules/exploit/multi/http/phpmyadmin_lfi_rce/
- Started `msfconsole` and loaded the `exploit/multi/http/phpmyadmin_lfi_rce` module.
- Set the following variables based on the username and password for phpMyAdmin and the remote host address. The reason phpMyAdmin credentials are required is that phpMyAdmin is a service hosted on the server, which makes it impossible to access the server's resources directly in the normal way. This exploit allows me to bypass this restriction and access the server's resources as if I were a user.
- Used the `exploit` command to run the exploit. From there, used the `shell` command to access the remote shell created by the exploit.
- From here, privilege escalation tools and techniques should be used. This example ends here because I was able to gain the foothold.
Reflection
While this is a very impressive tool, it takes away from the human ingenuity of discovering and struggling. For a professional, these tools should be used, since they most likely understand what they are doing and why, but beginners may use this as a crutch, so that eventually they cannot even walk on their own without the tool guiding them through the exploit process. If an exploit isn't cataloged in the tool, beginners may not even decide to look for it on the general internet. Still, it serves as a very good start for any exploitation effort because of its wide library of exploits.