💣The Metasploit Framework (MSF)

For this particular session, I did not create any detailed notes. Instead, I have listed the modules used in this session along with a one-line description of their usage. This is not a complete set of notes for this section only. As I am very familiar with The Metasploit Framework (MSF), for more details you can refer to the following documentation for The Metasploit Framework (MSF) by Rapid7.

Nmap Commands

Create a new workspace with the specified name:
```
workspace -a <workspace_name>
```
Import the results of an Nmap scan into the Metasploit database:
```
db_import <nmap_scan_path>
```
List the hosts stored in the Metasploit database:
```
hosts
```
List the services associated with hosts in the Metasploit database:
```
services
```
Perform an Nmap scan against a specific IP address, and update the Metasploit database with the scan results:
```
db_nmap -Pn -sV -O <ip>
```
List the vulnerabilities identified and stored in the Metasploit database:
```
vulns
```

Enumeration

Port Scanning with Auxiliary Modules

Search for modules related to port scanning within the Metasploit framework:
```
search portscan
```
Use curl to make an HTTP request to the specified IP address:
```
curl <ip>
```
Run the autoroute module to add routes for the specified IP range, allowing traffic to be routed through the compromised host:
```
run autoroute -s <ip_range>
```

FTP Enumeration

Search for auxiliary modules related to FTP in the Metasploit framework:
```
search type:auxiliary name:ftp
```
Auxiliary Modules:
- Determine the FTP server version running on a target host:
  auxiliary/scanner/ftp/ftp_version
- Perform login attempts against an FTP server to validate credentials:
  auxiliary/scanner/ftp/ftp_login
- Check if anonymous FTP login is allowed on the target FTP server:
  auxiliary/scanner/ftp/ftp_anonymous
- Enumerate directories and files on an FTP server:
  auxiliary/scanner/ftp/ftp_enum
- Retrieve a list of directories and files from an FTP server:
  auxiliary/scanner/ftp/ftp_list

SMB Enumeration

Search for auxiliary modules related to SMB (Server Message Block) services in the Metasploit framework:
```
search type:auxiliary name:smb
```
Auxiliary Modules:
- Enumerate available shares on an SMB server:
  auxiliary/scanner/smb/smb_enumshares
- Enumerate user accounts on an SMB server:
  auxiliary/scanner/smb/smb_enumusers
- Determine the SMB version and OS information of an SMB server:
  auxiliary/scanner/smb/smb_version
- Perform login attempts against an SMB server to validate credentials:
  auxiliary/scanner/smb/smb_login
- Enumerate group names on an SMB server:
  auxiliary/scanner/smb/smb_enumgroups

Web Server Enumeration

Search for auxiliary modules related to HTTP services in the Metasploit framework:
```
search type:auxiliary name:http
```
Auxiliary Modules:
- Enumerate Apache user directories:
  auxiliary/scanner/http/apache_userdir_enum
- Perform directory brute force attacks:
  auxiliary/scanner/http/brute_dirs
- Scan for directories on a web server:
  auxiliary/scanner/http/dir_scanner
- Check for directory listings on a web server:
  auxiliary/scanner/http/dir_listing
- Test for the HTTP PUT method:
  auxiliary/scanner/http/http_put
- Check for files in web directories:
  auxiliary/scanner/http/files_dir
- Perform HTTP login attempts:
  auxiliary/scanner/http/http_login
- Retrieve HTTP headers from web servers:
  auxiliary/scanner/http/http_header
- Determine the version of HTTP used by web servers:
  auxiliary/scanner/http/http_version
- Retrieve and analyze the robots.txt file from web servers:
  auxiliary/scanner/http/robots_txt

MySQL Enumeration:

```
search type:auxiliary name:mysql
```
Search for auxiliary modules related to MySQL services in the Metasploit framework.
Auxiliary Modules:
- auxiliary/admin/mysql/mysql_enum
  Enumerate MySQL databases and tables.
- auxiliary/admin/mysql/mysql_sql
  Execute arbitrary SQL commands against a MySQL server.
- auxiliary/scanner/mysql/mysql_file_enum
  Enumerate files on a MySQL server.
- auxiliary/scanner/mysql/mysql_hashdump
  Dump password hashes from a MySQL server.
- auxiliary/scanner/mysql/mysql_login
  Perform login attempts against a MySQL server.
- auxiliary/scanner/mysql/mysql_schemadump
  Dump database schemas from a MySQL server.
- auxiliary/scanner/mysql/mysql_version
  Determine the version of MySQL running on a server.
- auxiliary/scanner/mysql/mysql_writable_dirs
  Identify writable directories on a MySQL server.

SSH Enumeration:

```
search type:auxiliary name:ssh
```
Search for auxiliary modules related to SSH (Secure Shell) services in the Metasploit framework.
Auxiliary Modules:
- auxiliary/scanner/ssh/ssh_version
  Determine the version of the SSH protocol used by an SSH server.
- auxiliary/scanner/ssh/ssh_login
  Perform login attempts against an SSH server.

SMTP Enumeration:

```
search type:auxiliary name:smtp
```
Search for auxiliary modules related to SMTP (Simple Mail Transfer Protocol) services in the Metasploit framework.
Auxiliary Modules:
- auxiliary/scanner/smtp/smtp_enum
  Enumerate SMTP accounts on a mail server.
- auxiliary/scanner/smtp/smtp_relay
  Check if the SMTP server allows relaying.
- auxiliary/scanner/smtp/smtp_user_enum
  Enumerate valid usernames on an SMTP server.
- auxiliary/scanner/smtp/smtp_vrfy
  Verify the validity of email addresses using SMTP VRFY commands.
- auxiliary/scanner/smtp/smtp_webmail_enum
  Enumerate webmail accounts associated with an SMTP server.

Vulnerability Scanning

Vulnerability Scanning With MSF:

```
analyze
```
The analyze command is used for analyzing modules, exploits, and vulnerabilities in the Metasploit framework.
Metasploit-Autopwn GitHub Script: Metasploit-Autopwn is a GitHub script that automates the process of scanning and exploiting vulnerabilities using Metasploit. It simplifies the task of identifying and exploiting targets.
To load a custom module in Metasploit:
1. sudo mv <module_file> /usr/share/metasploit-framework/plugins
  Move the custom module file to the Metasploit plugins directory.
2. load db_autopwn
  Load the db_autopwn module, which is used for automating the exploitation of targets in the Metasploit database.

Vulnerability Scanning With Nessus:

```
db_import <nessus_file_path.nessus> c
```
Import a Nessus scan report file into the Metasploit database with the "c" option to clear existing data.

Web App Vulnerability Scanning With WMAP:

```
load wmap
```
Load the WMAP (Web Metasploit Automation Project) extension.
```
wmap_
```
Access the WMAP sub-menu for further commands.
```
wmap_sites -a <target_URL>
```
Add a target URL to the WMAP scan list.
```
wmap_sites -l
```
List the target sites currently in the WMAP scan list.
```
wmap_targets -t <target_URL>
```
Specify a target URL for scanning.
```
wmap_targets -l
```
List the defined target URLs.
```
wmap_run -t
```
Run WMAP scans on the specified target.
```
wmap_run -e
```
Export WMAP scan results.
```
wmap_vulns -l
```
List the discovered vulnerabilities from WMAP scans.

Exploitation

Windows Exploitation

Exploiting A Vulnerable HTTP File Server:

```
exploit/windows/http/rejetto_hfs_exec
```
This Metasploit module exploits a remote code execution vulnerability in Rejetto HTTP File Server (HFS). It allows an attacker to execute arbitrary code on a target system running a vulnerable version of HFS.

Exploiting Windows MS17-010 SMB Vulnerability:

```
exploit/windows/smb/ms17_010_eternalblue
```
This Metasploit module exploits the MS17-010 vulnerability, also known as EternalBlue, in the SMB (Server Message Block) protocol. It allows an attacker to execute arbitrary code on a target system running a vulnerable version of Windows.

Exploiting WinRM (Windows Remote Management Protocol):

```
auxiliary/scanner/winrm/winrm_login
```
This auxiliary module is used to perform login attempts against a Windows Remote Management (WinRM) service to check for valid credentials.
```
auxiliary/scanner/winrm/winrm_auth_methods
```
This auxiliary module enumerates the authentication methods supported by a WinRM service.
```
auxiliary/scanner/winrm/winrm_cmd
```
This auxiliary module allows the execution of arbitrary commands on a remote Windows system through the WinRM service.
```
exploit/windows/winrm/winrm_script_exec
```
This Metasploit module is used to execute PowerShell scripts on a remote Windows system via the WinRM service.

Exploiting A Vulnerable Apache Tomcat Web Server:

```
exploit/multi/http/tomcat_jsp_upload_bypass
```
This Metasploit module exploits a vulnerability in Apache Tomcat servers that allows an attacker to bypass file upload restrictions and upload a JSP (JavaServer Pages) webshell, which can lead to remote code execution on the target server.

Linux Exploitation

Exploiting A Vulnerable FTP Server:

```
exploit/unix/ftp/vsftpd_234_backdoor
```
This Metasploit module exploits a backdoor vulnerability in certain versions of the vsftpd FTP (File Transfer Protocol) server. It allows an attacker to gain unauthorized access to the target system.

Exploiting Samba:

```
exploit/linux/samba/is_known_pipename
```
This Metasploit module checks if a named pipe exists on a Linux system running Samba. Named pipes can be used for remote code execution and lateral movement in some scenarios.

Exploiting A Vulnerable SSH Server:

```
auxiliary/scanner/ssh/libssh_auth_bypass
```
This auxiliary module is used to scan for SSH servers that are vulnerable to the LibSSH authentication bypass vulnerability. This vulnerability allows an attacker to gain unauthorized access to SSH servers without proper authentication.

Exploiting A Vulnerable SMTP Server:

```
exploit/linux/smtp/haraka
```
This Metasploit module exploits vulnerabilities in the Haraka SMTP server on Linux systems. It allows an attacker to gain unauthorized access and execute arbitrary code on the target system.

Hacker's Mantra:Being a hacker does not say what side you are on. Being a hacker means you know how things actually work and can manipulate the way things actually work for good or for harm. - Dan K

PreviousArp Poisoning NextExploitation

Last updated 1 year ago

Was this helpful?