💣The Metasploit Framework (MSF)
For this particular session, I did not create any detailed notes. Instead, I have listed the modules used in this session along with a one-line description of each. These are not complete notes for this section. As I am very familiar with the Metasploit Framework (MSF), for more details you can refer to the official Metasploit Framework documentation by Rapid7.
Nmap and Database Commands
Create a new workspace with the specified name:
workspace -a <workspace_name>
Import the results of an Nmap scan into the Metasploit database:
db_import <nmap_scan_path>
List the hosts stored in the Metasploit database:
hosts
List the services associated with hosts in the Metasploit database:
services
Perform an Nmap scan against a specific IP address (-Pn skips host discovery, -sV probes service versions, -O fingerprints the OS) and store the results in the Metasploit database:
db_nmap -Pn -sV -O <ip>
List the vulnerabilities identified and stored in the Metasploit database:
vulns
Enumeration
Port Scanning with Auxiliary Modules
Search for modules related to port scanning within the Metasploit framework:
search portscan
Use curl to make an HTTP request to the specified IP address:
curl <ip>
From an active Meterpreter session, run the autoroute module to add a route for the specified range through the compromised host, so that other MSF modules can reach hosts behind it (the equivalent post module is post/multi/manage/autoroute):
run autoroute -s <ip_range>
FTP Enumeration
Search for auxiliary modules related to FTP in the Metasploit framework:
search type:auxiliary name:ftp
Auxiliary Modules:
Determine the FTP server version running on a target host:
auxiliary/scanner/ftp/ftp_version
Perform login attempts against an FTP server to validate credentials:
auxiliary/scanner/ftp/ftp_login
Check whether the target FTP server accepts anonymous logins:
auxiliary/scanner/ftp/anonymous
Enumerate directories and files on an FTP server:
auxiliary/scanner/ftp/ftp_enum
Retrieve a list of directories and files from an FTP server:
auxiliary/scanner/ftp/ftp_list
SMB Enumeration
Search for auxiliary modules related to SMB (Server Message Block) services in the Metasploit framework:
search type:auxiliary name:smb
Auxiliary Modules:
Enumerate available shares on an SMB server:
auxiliary/scanner/smb/smb_enumshares
Enumerate user accounts on an SMB server:
auxiliary/scanner/smb/smb_enumusers
Determine the SMB version and OS information of an SMB server:
auxiliary/scanner/smb/smb_version
Perform login attempts against an SMB server to validate credentials:
auxiliary/scanner/smb/smb_login
Enumerate group names on an SMB server:
auxiliary/scanner/smb/smb_enumgroups
Web Server Enumeration
Search for auxiliary modules related to HTTP services in the Metasploit framework:
search type:auxiliary name:http
Auxiliary Modules:
Enumerate Apache user directories:
auxiliary/scanner/http/apache_userdir_enum
Perform directory brute force attacks:
auxiliary/scanner/http/brute_dirs
Scan for directories on a web server:
auxiliary/scanner/http/dir_scanner
Check for directory listings on a web server:
auxiliary/scanner/http/dir_listing
Upload a file with the HTTP PUT method (ACTION PUT; ACTION DELETE removes it again), which reveals a writable web directory:
auxiliary/scanner/http/http_put
Check for files in web directories:
auxiliary/scanner/http/files_dir
Perform HTTP login attempts:
auxiliary/scanner/http/http_login
Retrieve HTTP headers from web servers:
auxiliary/scanner/http/http_header
Determine the version of HTTP used by web servers:
auxiliary/scanner/http/http_version
Retrieve and analyze the robots.txt file from web servers:
auxiliary/scanner/http/robots_txt
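What the robots_txt module actually gives you is a list of paths the site owner did not want indexed, which are exactly the paths worth feeding into a directory scan. The parser below is an added example (not Metasploit's module code): it groups Disallow/Allow rules by User-agent, collects Sitemap URLs, and turns the disallowed entries into absolute URLs to probe. The sample robots.txt and the host 10.0.0.5 are constructed.

```python
"""Parse robots.txt the way a robots_txt enumeration module would: collect
Disallow/Allow paths per User-agent group plus Sitemap URLs, then turn the
disallowed entries into absolute URLs for a directory scan (added example;
the sample file below is constructed, not from any real host)."""
from dataclasses import dataclass, field
from urllib.parse import urljoin


@dataclass
class Robots:
    disallow: dict = field(default_factory=dict)  # user-agent -> [paths]
    allow: dict = field(default_factory=dict)
    sitemaps: list = field(default_factory=list)


def parse_robots(text):
    """Group rules by the User-agent lines that precede them."""
    result = Robots()
    agents, collecting = [], False   # consecutive User-agent lines form one group
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and whitespace
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "sitemap":
            result.sitemaps.append(value)
        elif key == "user-agent":
            if not collecting:                # first agent line after rules: new group
                agents, collecting = [], True
            agents.append(value.lower())
        elif key in ("disallow", "allow"):
            collecting = False
            if value:                         # "Disallow:" with no path allows everything
                bucket = result.disallow if key == "disallow" else result.allow
                for agent in agents or ["*"]:
                    bucket.setdefault(agent, []).append(value)
    return result


def probe_urls(base_url, robots):
    """Absolute URLs worth requesting: every disallowed path, deduplicated.
    Glob patterns (*, $) are skipped except for a trailing *, which is trimmed."""
    seen, urls = set(), []
    for paths in robots.disallow.values():
        for path in paths:
            path = path.rstrip("*")
            if "*" in path or "$" in path:
                continue
            url = urljoin(base_url, path)
            if url not in seen:
                seen.add(url)
                urls.append(url)
    return urls


SAMPLE_ROBOTS = """\
# constructed sample robots.txt
User-agent: *
Disallow: /admin/
Disallow: /backup/
Allow: /public/

User-agent: Googlebot
User-agent: Bingbot
Disallow: /internal/   # staging tree
Disallow: /*.sql$
Disallow: /old*

Sitemap: https://example.test/sitemap.xml
"""

if __name__ == "__main__":
    r = parse_robots(SAMPLE_ROBOTS)
    for url in probe_urls("http://10.0.0.5/", r):
        print(url)
```

Rules that apply only to a named crawler are kept as well, because an operator who hides /internal/ from Googlebot only has still told you the path exists.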
MySQL Enumeration:
search type:auxiliary name:mysql
Search for auxiliary modules related to MySQL services in the Metasploit framework.
Auxiliary Modules:
auxiliary/admin/mysql/mysql_enum
Enumerate MySQL server configuration, accounts, privileges and password hashes (requires valid credentials).
auxiliary/admin/mysql/mysql_sql
Execute arbitrary SQL commands against a MySQL server.
auxiliary/scanner/mysql/mysql_file_enum
Check whether files exist on the MySQL host's filesystem via LOAD DATA INFILE (requires credentials with the FILE privilege).
auxiliary/scanner/mysql/mysql_hashdump
Dump password hashes from a MySQL server.
auxiliary/scanner/mysql/mysql_login
Perform login attempts against a MySQL server.
auxiliary/scanner/mysql/mysql_schemadump
Dump database schemas from a MySQL server.
auxiliary/scanner/mysql/mysql_version
Determine the version of MySQL running on a server.
auxiliary/scanner/mysql/mysql_writable_dirs
Identify writable directories on a MySQL server.
SSH Enumeration:
search type:auxiliary name:ssh
Search for auxiliary modules related to SSH (Secure Shell) services in the Metasploit framework.
Auxiliary Modules:
auxiliary/scanner/ssh/ssh_version
Grab the SSH banner to identify the server software and version (for example OpenSSH_7.4p1) of an SSH server.
auxiliary/scanner/ssh/ssh_login
Perform login attempts against an SSH server.
SMTP Enumeration:
search type:auxiliary name:smtp
Search for auxiliary modules related to SMTP (Simple Mail Transfer Protocol) services in the Metasploit framework.
Auxiliary Modules:
auxiliary/scanner/smtp/smtp_enum
Enumerate valid user accounts on a mail server using the VRFY, EXPN and RCPT TO commands with a wordlist.
auxiliary/scanner/smtp/smtp_relay
Check if the SMTP server allows relaying.
auxiliary/scanner/smtp/smtp_user_enum
Enumerate valid usernames on an SMTP server.
auxiliary/scanner/smtp/smtp_vrfy
Verify the validity of email addresses using SMTP VRFY commands.
auxiliary/scanner/smtp/smtp_webmail_enum
Enumerate webmail accounts associated with an SMTP server.
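The SMTP modules above all rely on the same three probes, and the one thing the module output hides is why a name was or was not confirmed. The following is an added example (not Metasploit's smtp_enum code) that walks the exchange for each candidate: VRFY first, EXPN as a fallback, then RCPT TO inside a throwaway transaction, classifying the reply codes. A constructed in-memory MTA with Postfix-like replies stands in for the target so it runs offline; the users it knows, the domain example.test and the scanner hostname are assumptions. It also handles the edge case that turns RCPT enumeration into noise: a catch-all server that accepts every mailbox.

```python
"""SMTP user enumeration the way auxiliary/scanner/smtp/smtp_enum works:
for each candidate name try VRFY, fall back to EXPN, then to RCPT TO, and
classify the reply code. A constructed in-memory MTA stands in for the
target so the exchange can be run offline (assumption: a Postfix-like
reply set; only the users passed to FakeSMTPServer exist)."""
import re


class FakeSMTPServer:
    """Constructed stand-in for the target MTA; records the full exchange."""

    def __init__(self, users, vrfy_enabled=True, catch_all=False):
        self.users = set(users)
        self.vrfy_enabled = vrfy_enabled   # many MTAs disable VRFY (reply 252)
        self.catch_all = catch_all         # accept RCPT TO for any mailbox
        self.transcript = ["S: 220 mail.example.test ESMTP Postfix"]

    def handle(self, line):
        self.transcript.append("C: " + line)
        verb, _, arg = line.strip().partition(" ")
        reply = self._reply(verb.upper(), arg)
        self.transcript.append("S: " + reply)
        return reply

    def _reply(self, verb, arg):
        if verb == "HELO":
            return "250 mail.example.test"
        if verb == "VRFY":
            if not self.vrfy_enabled:
                return "252 2.5.2 Cannot VRFY user, but will accept message"
            if arg in self.users:
                return "250 2.1.5 <%s@example.test>" % arg
            return "550 5.1.1 <%s>: Recipient address rejected: User unknown" % arg
        if verb == "EXPN":
            return "502 5.5.2 Error: command not recognized"
        if verb == "MAIL":
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            m = re.search(r"<([^@>]+)", arg)
            user = m.group(1) if m else ""
            if self.catch_all or user in self.users:
                return "250 2.1.5 Ok"
            return "550 5.1.1 <%s@example.test>: Recipient address rejected" % user
        if verb in ("RSET", "NOOP"):
            return "250 2.0.0 Ok"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Error: command not recognized"


def code(reply):
    """Numeric SMTP reply code."""
    return int(reply[:3])


def rcpt_accepts(server, user, domain):
    """Probe one mailbox with RCPT TO inside a throwaway transaction."""
    server.handle("MAIL FROM:<probe@scanner.local>")
    accepted = code(server.handle("RCPT TO:<%s@%s>" % (user, domain))) in (250, 251)
    server.handle("RSET")
    return accepted


def enumerate_users(server, candidates, domain="example.test"):
    """Return {user: method} for every candidate the server confirms.

    Edge case handled: a catch-all MTA accepts RCPT TO for any mailbox, so
    RCPT is only trusted if a clearly bogus user is rejected first.
    """
    server.handle("HELO scanner.local")
    rcpt_reliable = not rcpt_accepts(server, "zz-nonexistent-7f3a9c", domain)
    found = {}
    for user in candidates:
        # 1. VRFY: 250/251 confirm, 550 denies, 252 means "server won't say".
        c = code(server.handle("VRFY %s" % user))
        if c in (250, 251):
            found[user] = "VRFY"
            continue
        if c == 550:
            continue
        # 2. EXPN: same codes; most MTAs answer 502 (disabled).
        c = code(server.handle("EXPN %s" % user))
        if c in (250, 251):
            found[user] = "EXPN"
            continue
        if c == 550:
            continue
        # 3. RCPT TO, only when the catch-all check passed.
        if rcpt_reliable and rcpt_accepts(server, user, domain):
            found[user] = "RCPT"
    server.handle("QUIT")
    return found


if __name__ == "__main__":
    mta = FakeSMTPServer(["root", "alice"], vrfy_enabled=False)
    print(enumerate_users(mta, ["root", "alice", "bob"]))
    print("\n".join(mta.transcript))
```

Against a real target the FakeSMTPServer is replaced by a socket wrapper with the same handle() contract; the transcript list is what you keep as evidence for the report.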
Vulnerability Scanning
Vulnerability Scanning With MSF:
analyze
The analyze command inspects the hosts stored in the current workspace and suggests exploit modules that match the services and vulnerabilities recorded for them, so populate the database with db_nmap or db_import first.
Metasploit-Autopwn GitHub Script: Metasploit-Autopwn is a third-party plugin (db_autopwn) published on GitHub that automates matching exploits to the targets in the Metasploit database and launching them. Treat it as a starting point rather than a result: it fires exploits without a manual check, which is noisy and can crash services.
To load the plugin:
sudo mv <plugin_file> /usr/share/metasploit-framework/plugins
Move the plugin file into the Metasploit plugins directory.
load db_autopwn
Load the db_autopwn plugin, which automates the exploitation of targets in the Metasploit database.
Vulnerability Scanning With Nessus:
db_import <nessus_file_path.nessus>
Import a Nessus scan report (.nessus XML) into the Metasploit database; the imported hosts, services and findings then show up in hosts, services and vulns, where analyze can pick them up.
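The two imports on this page, Nmap XML (db_nmap, or db_import of an -oX file) and a .nessus report, end up in the same hosts, services and vulns tables, and the useful property of db_import is that a second scan of the same host updates rows instead of duplicating them. The importer below is an added example written for this page, not Metasploit's own, covering both the Nmap and the Nessus import. Both XML documents are constructed samples of the real formats; keeping the Nessus plugin ID as an "NSS-<id>" reference and dropping severity-0 (informational) findings are assumptions made here.

```python
"""A miniature db_import: parse Nmap XML (what db_nmap / db_import feed the
database) and a Nessus .nessus report into one hosts / services / vulns
store, merging rows on (ip, port, proto) so that two scans of the same box
do not produce duplicate services. Added example, not Metasploit's importer;
both XML documents below are constructed samples. Keeping the Nessus plugin
ID as an "NSS-<id>" reference and dropping severity-0 (informational)
findings are assumptions of this example."""
from dataclasses import dataclass, field
import xml.etree.ElementTree as ET


@dataclass
class Db:
    hosts: dict = field(default_factory=dict)     # ip -> {"name", "os"}
    services: dict = field(default_factory=dict)  # (ip, port, proto) -> {"name", "info", "state"}
    vulns: list = field(default_factory=list)     # {"host", "port", "name", "refs", "severity"}


def _service(db, ip, port, proto):
    return db.services.setdefault((ip, port, proto), {"name": "", "info": "", "state": ""})


def import_nmap(db, xml_text):
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None or (status is not None and status.get("state") != "up"):
            continue
        ip = addr.get("addr")
        rec = db.hosts.setdefault(ip, {"name": "", "os": ""})
        hn, osm = host.find("hostnames/hostname"), host.find("os/osmatch")
        if hn is not None and not rec["name"]:
            rec["name"] = hn.get("name", "")
        if osm is not None and not rec["os"]:
            rec["os"] = osm.get("name", "")
        for port in host.iter("port"):
            row = _service(db, ip, int(port.get("portid")), port.get("protocol"))
            row["state"] = port.find("state").get("state")
            svc = port.find("service")
            if svc is not None:
                row["name"] = svc.get("name") or row["name"]
                info = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
                row["info"] = info or row["info"]


def import_nessus(db, xml_text):
    for rh in ET.fromstring(xml_text).iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in rh.iter("tag")}
        ip = props.get("host-ip") or rh.get("name")
        rec = db.hosts.setdefault(ip, {"name": "", "os": ""})
        rec["name"] = rec["name"] or props.get("host-fqdn", "")
        rec["os"] = rec["os"] or props.get("operating-system", "")
        for item in rh.iter("ReportItem"):
            port, proto = int(item.get("port")), item.get("protocol", "tcp")
            if port > 0:                       # port 0 is a host-level finding
                row = _service(db, ip, port, proto)
                row["name"] = row["name"] or item.get("svc_name", "")
                row["state"] = row["state"] or "open"
            severity = int(item.get("severity", "0"))
            if severity == 0:
                continue
            refs = [c.text for c in item.findall("cve")] + ["NSS-" + item.get("pluginID")]
            db.vulns.append({"host": ip, "port": port, "name": item.get("pluginName"),
                             "refs": refs, "severity": severity})


def db_import(db, xml_text):
    """Dispatch on the root element, as the real command does on file type."""
    root_tag = ET.fromstring(xml_text).tag
    if root_tag == "nmaprun":
        import_nmap(db, xml_text)
    elif root_tag == "NessusClientData_v2":
        import_nessus(db, xml_text)
    else:
        raise ValueError("unrecognized import format: <%s>" % root_tag)


# Constructed samples of the two formats (host, names and plugin rows are made up for this example).
NMAP_XML = """<nmaprun><host><status state="up"/>
<address addr="10.0.0.5" addrtype="ipv4"/><hostnames><hostname name="files.local" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.3.4"/></port>
<port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
</ports><os><osmatch name="Linux 2.6.X" accuracy="95"/></os></host></nmaprun>"""

NESSUS_XML = """<NessusClientData_v2><Report name="lab"><ReportHost name="10.0.0.5">
<HostProperties><tag name="host-ip">10.0.0.5</tag><tag name="operating-system">Linux Kernel 2.6</tag></HostProperties>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="19506" pluginName="Nessus Scan Information"/>
<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="0" pluginID="11011" pluginName="SMB Service Detection"/>
<ReportItem port="21" svc_name="ftp" protocol="tcp" severity="4" pluginID="55523" pluginName="vsftpd Smiley Face Backdoor"><cve>CVE-2011-2523</cve></ReportItem>
</ReportHost></Report></NessusClientData_v2>"""


def build_db(nessus_first=False):
    """Import both constructed reports; order must not change the merged result."""
    db = Db()
    for doc in ([NESSUS_XML, NMAP_XML] if nessus_first else [NMAP_XML, NESSUS_XML]):
        db_import(db, doc)
    return db


if __name__ == "__main__":
    db = build_db()
    print(db.hosts)
    for key, row in sorted(db.services.items()):
        print(key, row)
    print(db.vulns)
```

The merge key (ip, port, proto) is the point to check when a real import produces duplicate services: it usually means one scan resolved a hostname and the other recorded an IP, so the hosts did not collide.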
Web App Vulnerability Scanning With WMAP:
load wmap
Load the WMAP web application scanner plugin.
wmap_
All WMAP commands share the wmap_ prefix; type wmap_ and press Tab to list them.
wmap_sites -a <target_URL>
Add a site to WMAP.
wmap_sites -l
List the sites currently known to WMAP.
wmap_targets -t <target_URL>
Define a target URL (one of the added sites) for the scan.
wmap_targets -l
List the defined targets.
wmap_run -t
List the modules WMAP will run against the defined targets (no scan is launched yet).
wmap_run -e
Execute the scan, running every listed module against the targets.
wmap_vulns -l
List the vulnerabilities discovered by the scan.
Exploitation
Windows Exploitation
Exploiting A Vulnerable HTTP File Server:
exploit/windows/http/rejetto_hfs_exec
This Metasploit module exploits CVE-2014-6287, a remote command execution vulnerability in Rejetto HTTP File Server (HFS) 2.3.x: a null byte in the search parameter lets injected HFS scripting macros run a command, which the module uses to launch a payload on the target.
Exploiting Windows MS17-010 SMB Vulnerability:
exploit/windows/smb/ms17_010_eternalblue
This Metasploit module exploits MS17-010 (EternalBlue, CVE-2017-0144), a flaw in Microsoft's SMBv1 implementation. It gives SYSTEM-level code execution on unpatched Windows hosts (for example Windows 7 and Server 2008 R2) that still expose SMBv1; run auxiliary/scanner/smb/smb_ms17_010 first to confirm the target is vulnerable.
Exploiting WinRM (Windows Remote Management Protocol):
auxiliary/scanner/winrm/winrm_login
This auxiliary module is used to perform login attempts against a Windows Remote Management (WinRM) service to check for valid credentials.
auxiliary/scanner/winrm/winrm_auth_methods
This auxiliary module enumerates the authentication methods supported by a WinRM service.
auxiliary/scanner/winrm/winrm_cmd
This auxiliary module executes a single command (the CMD option) on a remote Windows system through the WinRM service; valid credentials are required.
exploit/windows/winrm/winrm_script_exec
This Metasploit module runs a PowerShell script on a remote Windows system via WinRM using valid credentials and returns a Meterpreter session. WinRM listens on TCP 5985 (HTTP) and 5986 (HTTPS).
Exploiting A Vulnerable Apache Tomcat Web Server:
exploit/multi/http/tomcat_jsp_upload_bypass
This Metasploit module exploits CVE-2017-12617 in Apache Tomcat: when the default servlet is configured with readonly=false, an HTTP PUT to a path with a trailing slash bypasses the restriction on writing .jsp files, so the module uploads a JSP web shell and requests it to obtain remote code execution on the server.
Linux Exploitation
Exploiting A Vulnerable FTP Server:
exploit/unix/ftp/vsftpd_234_backdoor
This Metasploit module triggers the backdoor that was planted in a trojaned vsftpd 2.3.4 release (CVE-2011-2523): a username containing ":)" opens a root command shell on TCP port 6200, no credentials required. Only that backdoored build is affected, so confirm the banner with auxiliary/scanner/ftp/ftp_version first.
Exploiting Samba:
exploit/linux/samba/is_known_pipename
This Metasploit module exploits CVE-2017-7494 ("SambaCry") in Samba 3.5.0 and later, before the 4.6.4 / 4.5.10 / 4.4.14 fixes: it uploads a shared library to a writable share and then opens a named pipe whose path points at that library, which makes smbd pass it to is_known_pipename() and load it, giving code execution as the smbd user (normally root). A writable share is the prerequisite, so enumerate shares with smb_enumshares first.
Exploiting A Vulnerable SSH Server:
auxiliary/scanner/ssh/libssh_auth_bypass
This auxiliary module tests for CVE-2018-10933, an authentication bypass in servers built on libssh 0.6 and later (fixed in 0.7.6 and 0.8.4): the client sends SSH2_MSG_USERAUTH_SUCCESS instead of an authentication request and the server treats the session as authenticated. OpenSSH is not affected. With CMD set, the module executes a command on vulnerable servers and can open a session.
Exploiting A Vulnerable SMTP Server:
exploit/linux/smtp/haraka
This Metasploit module exploits CVE-2016-1000282, a command injection in the attachment plugin of the Haraka SMTP server in versions before 2.8.9: a crafted attachment filename reaches a shell command during attachment processing, so delivering a single email to a server with that plugin enabled yields code execution on the mail host.
Hacker's Mantra:
Being a hacker does not say what side you are on. Being a hacker means you know how things actually work and can manipulate the way things actually work for good or for harm. - Dan K