Metasploit - OrestisPrg/bsc_project GitHub Wiki

Start the Metasploit console: msfconsole

msfvenom

Payload generator and encoder, producing staged (online) and stageless (offline) payloads.

  • Staged payloads create a small ‘dumb’ stub that is used to pull down the full payload after it is executed. This gives the benefit of a smaller initial payload, but requires outbound TCP communication to complete.

  • Stageless payloads are larger by comparison but they contain everything required in one payload.

Usage:
msfvenom --list payloads
msfvenom --list encoders

Metasploit as a Project Management Tool

Metasploit has project management functionality built in, used to manage the data generated by scans, brute forcing or credential guessing, and even retrieved data such as interesting or important fields. It keeps track of scanned data, credentials and loot during a pentest.

Workspaces:
Metasploit uses workspaces to keep your tasks and project data separate. This is useful when working on several projects at once, or when you want to keep data for different stages of an engagement separate.

workspace -a [name]: creates a new workspace

PostgreSQL

Metasploit uses a PostgreSQL database to store the project data.

  • Start the PostgreSQL service: service postgresql start
  • Initialise the database and connect to it: msfdb init (after that, create a new workspace and import the scan data from the /root/ScanData directory)
  • Check the database connection: db_status
  • If no database is connected, you can specify the database to connect to. This command uses the config file that was created when initialising the database: db_connect -y /usr/share/metasploit-framework/config/database.yml

Metasploit can import Nmap scan data and previously exported Metasploit databases in XML format. Once all of the scan data has been imported, use the hosts, services, creds and loot commands to answer the questions. You can add the -S flag to these commands to search for specific hosts, services, ports and protocols.
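As an added illustration (not part of the original wiki), the following Python parses an Nmap XML report into the same host and service records that db_import loads, so the rows shown by the hosts and services commands can be related back to the scan. The XML sample is constructed for the example, not real scan output, and the column names are assumptions chosen to match what those commands print.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's -oX format (not real scan output): one host
# with two open ports and one closed port.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="web01.lab.example" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd"/></port>
      <port protocol="tcp" portid="3306"><state state="closed"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return (hosts, services): dict lists with the columns hosts/services print."""
    root = ET.fromstring(xml_text)
    hosts, services = [], []
    for host in root.findall("host"):
        ip = host.find("address[@addrtype='ipv4']")
        if ip is None:
            continue  # no IPv4 address: nothing to key the host record on
        addr = ip.get("addr")
        name = host.find("hostnames/hostname")
        hosts.append({"address": addr,
                      "name": name.get("name") if name is not None else None,
                      "state": host.find("status").get("state")})
        for port in host.findall("ports/port"):
            svc = port.find("service")  # absent when Nmap could not identify it
            info = [svc.get(k) for k in ("product", "version")] if svc is not None else []
            services.append({"host": addr,
                             "port": int(port.get("portid")),
                             "proto": port.get("protocol"),
                             "state": port.find("state").get("state"),
                             "name": svc.get("name") if svc is not None else None,
                             "info": " ".join(v for v in info if v)})
    return hosts, services


def open_services(services):
    """Keep only open ports, the rows worth reviewing in the services table."""
    return [s for s in services if s["state"] == "open"]
```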

Metasploit Auxiliary Modules

Any Metasploit module that is not an exploit and that does not deliver a payload is classified as an auxiliary module. These auxiliary modules allow Metasploit to be extended beyond just exploitation, and bring a wide range of functionality such as scanning, fuzzing and sniffing (see the Auxiliary Modules Documentation).

  • Scanners: Metasploit has auxiliary modules for scanning and enumerating a vast number of servers and protocols. You’ll find modules for scanning anything from FTP and HTTP to MySQL and SMB. These scanner modules can be used to perform ARP and UDP scans, to fingerprint network services and servers, and to automate tasks such as attempting to log in to multiple servers with credentials.

  • Admin modules: Metasploit has admin modules that can be used to interact with HTTP, SQL, Postgres and VMware servers, allowing you some administrative control over the server. Providing you know the credentials for the server, you can perform actions like turning VMs on within ESXi, interacting with MSSQL, MySQL and Postgres databases, and Tomcat Servers.

  • Credential capture modules: Metasploit contains auxiliary modules that can be used to emulate services and capture user credentials for that service. If a user can be enticed to interact and authenticate with your server, Metasploit will record their credentials so the legitimate servers can be exploited later.

Usage:

Location: /usr/share/metasploit-framework/modules/auxiliary/

  • http dir_scanner module: detects interesting directories available on a web server.

    • use auxiliary/scanner/http/dir_scanner
    • set RHOSTS [ipaddress]
    • run
  • ssh ssh_login module: enumerates valid user credentials for the SSH service.

    • use with the wordlist /usr/share/metasploit-framework/data/wordlists/root_userpass.txt
  • files_dir