Metasploit - Githubissues

The Lunch command

msfconsole

Modules

Exploit: A piece of code that uses a vulnerability present on the target system.
Vulnerability: A design, coding, or logic flaw affecting the target system. The exploitation of a vulnerability can result in disclosing confidential information or allowing the attacker to execute code on the target system.
Payload: An exploit will take advantage of a vulnerability. However, if we want the exploit to have the result we want (gaining access to the target system, read confidential information, etc.), we need to use a payload. Payloads are the code that will run on the target system.

Auxiliary

Any supporting module, such as scanners, crawlers and fuzzers, can be found here.

root@ip-10-10-25-111:/opt/metasploit-framework/embedded/framework/modules# tree -L 1 auxiliary/
auxiliary/
\u251c\u2500\u2500 admin
\u251c\u2500\u2500 analyze
\u251c\u2500\u2500 bnat
\u251c\u2500\u2500 client
\u251c\u2500\u2500 cloud
.......

20 directories, 2 files

Evasion

While encoders will encode the payload, they should not be considered a direct attempt to evade antivirus software.

root@ip-10-10-25-111:/opt/metasploit-framework/embedded/framework/modules# tree -L 2 evasion/
evasion/
\u2514\u2500\u2500 windows
    \u251c\u2500\u2500 applocker_evasion_install_util.rb
    \u251c\u2500\u2500 applocker_evasion_msbuild.rb
    \u251c\u2500\u2500 applocker_evasion_presentationhost.rb
    \u251c\u2500\u2500 applocker_evasion_regasm_regsvcs.rb
    \u251c\u2500\u2500 applocker_evasion_workflow_compiler.rb
    \u251c\u2500\u2500 process_herpaderping.rb
    \u251c\u2500\u2500 syscall_inject.rb
    \u251c\u2500\u2500 windows_defender_exe.rb
    \u2514\u2500\u2500 windows_defender_js_hta.rb

1 directory, 9 files

Exploits

Exploits, neatly organized by target system. root@ip-10-10-25-111:/opt/metasploit-framework/embedded/framework/modules# tree -L 1 exploits/

NOPs

NOPs (No OPeration) do nothing, literally. They are represented in the Intel x86 CPU family they are represented with 0x90, following which the CPU will do nothing for one cycle. They are often used as a buffer to achieve consistent payload sizes.

Payloads

Payloads are codes that will run on the target system. Four different directories under payloads: adapters, singles, stagers and stages.

Adapters: An adapter wraps single payloads to convert them into different formats. For example, a normal single payload can be wrapped inside a Powershell adapter, which will make a single powershell command that will execute the payload.
Singles: Self-contained payloads (add user, launch notepad.exe, etc.) that do not need to download an additional component to run.
Stagers: Responsible for setting up a connection channel between Metasploit and the target system. Useful when working with staged payloads. “Staged payloads” will first upload a stager on the target system then download the rest of the payload (stage). This provides some advantages as the initial size of the payload will be relatively small compared to the full payload sent at once.
Stages: Downloaded by the stager. This will allow you to use larger sized payloads.

Metasploit has a subtle way to help you identify single (also called “inline”) payloads and staged payloads.

generic/shell_reverse_tcp
windows/x64/shell/reversetcp Both are reverse Windows shells. The former is an inline (or single) payload, as indicated by the “” between “shell” and “reverse”. While the latter is a staged payload, as indicated by the “/” between “shell” and “reverse”.

Post

Post modules will be useful on the final stage of the penetration testing process listed above, post-exploitation. root@ip-10-10-135-188:/opt/metasploit-framework/embedded/framework/modules# tree -L 1 post/

search

msf6 > search smtp_version msf6 > search type:auxiliary telnet

info

msf6 > info ssh_login

unset

clear any parameter value using the unset command or clear all set parameters with the unset all command. unset payload

Msfvenom

Msfvenom, which replaced Msfpayload and Msfencode, allows you to generate payloads.

Port Scanning

msf6 > search portscan

TCP scan (scanner/portscan/tcp) msf6 > nmap -sS 10.10.12.229

UDP scan msf6 auxiliary(scanner/discovery/udp_sweep) > run

SMB scan msf6 auxiliary(scanner/smb/smb_version) > run

The Metasploit Database

root@attackbox:~# systemctl start postgresql 
root@attackbox:~# msfdb init

You can now launch msfconsole and check the database status using the db_status command. Checking the database status

msf6 > db_status
[*] Connected to msf. Connection type: postgresql.
msf6 >

The database feature will allow you to create workspaces to isolate different projects. List available workspaces using the workspace command.

msf6 > workspace
* default
msf6 >

You can add a workspace using the -a parameter or delete a workspace using the -d parameter, respectively.

msf6 > workspace -a tryhackme
[*] Added workspace: tryhackme
[*] Workspace: tryhackme
msf5 > workspace
default
* tryhackme
msf6 >

切换workspace

msf5 > workspace default
[*] Workspace: default
msf5 > workspace 
tryhackme
* default

If you run a Nmap scan using the db_nmap shown below, all results will be saved to the database. msf6 > db_nmap -sV -p- 10.10.12.229 You can now reach information relevant to hosts and services running on target systems with the hosts and services commands, respectively. Once the host information is stored in the database, you can use the hosts -R command to add this value to the RHOSTS parameter. If there is more than one host saved to the database, all IP addresses will be used when the hosts -R command is used. The services command used with the -S parameter will allow you to search for specific services in the environment. msf6 > services -S netbios

WDavid404 / Note_tryhackme

Metasploit #12