# The Metasploit Framework (MSF)

> For this particular session, I did not create any detailed notes. Instead, I have listed the modules used in this session along with a one-line description of their usage. **This is not a complete set of notes for this section only.** As I am very familiar with The Metasploit Framework (MSF), for more details you can refer to the following [documentation](https://docs.rapid7.com/metasploit/msf-overview/) for The Metasploit Framework (MSF) by Rapid7.

## **Nmap Commands**

* **Create a new workspace with the specified name:**

  ```bash
  workspace -a <workspace_name>
  ```
* **Import the results of an Nmap scan (XML output) into the Metasploit database:**

  ```bash
  db_import <nmap_scan_path>
  ```
* **List the hosts stored in the Metasploit database:**

  ```bash
  hosts
  ```
* **List the services associated with hosts in the Metasploit database:**

  ```bash
  services
  ```
* **Perform an Nmap scan against a specific IP address, and update the Metasploit database with the scan results:**

  ```bash
  db_nmap -Pn -sV -O <ip>
  ```
* **List the vulnerabilities identified and stored in the Metasploit database:**

  ```bash
  vulns
  ```

## **Enumeration**

### **Port Scanning with Auxiliary Modules**

* **Search for modules related to port scanning within the Metasploit framework:**

  ```bash
  search portscan
  ```
* **Use `curl` to make an HTTP request to the specified IP address:**

  ```bash
  curl <ip>
  ```
* **Run the `autoroute` script from an established Meterpreter session to add routes for the specified IP range, allowing traffic to be routed through the compromised host:**

  ```bash
  run autoroute -s <ip_range>
  ```

### **FTP Enumeration**

* **Search for auxiliary modules related to FTP in the Metasploit framework:**

  ```bash
  search type:auxiliary name:ftp
  ```
* **Auxiliary Modules:**
  * **Determine the FTP server version running on a target host:**

    ```bash
    auxiliary/scanner/ftp/ftp_version
    ```
  * **Perform login attempts against an FTP server to validate credentials:**

    ```bash
    auxiliary/scanner/ftp/ftp_login
    ```
  * **Check if anonymous FTP login is allowed on the target FTP server:**

    ```bash
    auxiliary/scanner/ftp/ftp_anonymous
    ```
  * **Enumerate directories and files on an FTP server:**

    ```bash
    auxiliary/scanner/ftp/ftp_enum
    ```
  * **Retrieve a list of directories and files from an FTP server:**

    ```bash
    auxiliary/scanner/ftp/ftp_list
    ```

### **SMB Enumeration**

* **Search for auxiliary modules related to SMB (Server Message Block) services in the Metasploit framework:**

  ```bash
  search type:auxiliary name:smb
  ```
* **Auxiliary Modules:**
  * **Enumerate available shares on an SMB server:**

    ```bash
    auxiliary/scanner/smb/smb_enumshares
    ```
  * **Enumerate user accounts on an SMB server:**

    ```bash
    auxiliary/scanner/smb/smb_enumusers
    ```
  * **Determine the SMB version and OS information of an SMB server:**

    ```bash
    auxiliary/scanner/smb/smb_version
    ```
  * **Perform login attempts against an SMB server to validate credentials:**

    ```bash
    auxiliary/scanner/smb/smb_login
    ```
  * **Enumerate group names on an SMB server:**

    ```bash
    auxiliary/scanner/smb/smb_enumgroups
    ```

### **Web Server Enumeration**

* **Search for auxiliary modules related to HTTP services in the Metasploit framework:**

  ```bash
  search type:auxiliary name:http
  ```
* **Auxiliary Modules:**
  * **Enumerate Apache user directories:**

    ```bash
    auxiliary/scanner/http/apache_userdir_enum
    ```
  * **Perform directory brute force attacks:**

    ```bash
    auxiliary/scanner/http/brute_dirs
    ```
  * **Scan for directories on a web server:**

    ```bash
    auxiliary/scanner/http/dir_scanner
    ```
  * **Check for directory listings on a web server:**

    ```bash
    auxiliary/scanner/http/dir_listing
    ```
  * **Test for the HTTP PUT method:**

    ```bash
    auxiliary/scanner/http/http_put
    ```
  * **Check for files in web directories:**

    ```bash
    auxiliary/scanner/http/files_dir
    ```
  * **Perform HTTP login attempts:**

    ```bash
    auxiliary/scanner/http/http_login
    ```
  * **Retrieve HTTP headers from web servers:**

    ```bash
    auxiliary/scanner/http/http_header
    ```
  * **Fingerprint the web server software and version from its HTTP banner:**

    ```bash
    auxiliary/scanner/http/http_version
    ```
  * **Retrieve and analyze the `robots.txt` file from web servers:**

    ```bash
    auxiliary/scanner/http/robots_txt
    ```

### **MySQL Enumeration**

* **Search for auxiliary modules related to MySQL services in the Metasploit framework:**

  ```bash
  search type:auxiliary name:mysql
  ```
* **Auxiliary Modules:**
  * **Enumerate MySQL databases and tables:**

    ```bash
    auxiliary/admin/mysql/mysql_enum
    ```
  * **Execute arbitrary SQL commands against a MySQL server:**

    ```bash
    auxiliary/admin/mysql/mysql_sql
    ```
  * **Enumerate files on a MySQL server:**

    ```bash
    auxiliary/scanner/mysql/mysql_file_enum
    ```
  * **Dump password hashes from a MySQL server:**

    ```bash
    auxiliary/scanner/mysql/mysql_hashdump
    ```
  * **Perform login attempts against a MySQL server:**

    ```bash
    auxiliary/scanner/mysql/mysql_login
    ```
  * **Dump database schemas from a MySQL server:**

    ```bash
    auxiliary/scanner/mysql/mysql_schemadump
    ```
  * **Determine the version of MySQL running on a server:**

    ```bash
    auxiliary/scanner/mysql/mysql_version
    ```
  * **Identify writable directories on a MySQL server:**

    ```bash
    auxiliary/scanner/mysql/mysql_writable_dirs
    ```

### **SSH Enumeration**

* **Search for auxiliary modules related to SSH (Secure Shell) services in the Metasploit framework:**

  ```bash
  search type:auxiliary name:ssh
  ```
* **Auxiliary Modules:**
  * **Determine the SSH server software version from its banner:**

    ```bash
    auxiliary/scanner/ssh/ssh_version
    ```
  * **Perform login attempts against an SSH server:**

    ```bash
    auxiliary/scanner/ssh/ssh_login
    ```

### **SMTP Enumeration**

* **Search for auxiliary modules related to SMTP (Simple Mail Transfer Protocol) services in the Metasploit framework:**

  ```bash
  search type:auxiliary name:smtp
  ```
* **Auxiliary Modules:**
  * **Enumerate SMTP accounts on a mail server:**

    ```bash
    auxiliary/scanner/smtp/smtp_enum
    ```
  * **Check if the SMTP server allows relaying:**

    ```bash
    auxiliary/scanner/smtp/smtp_relay
    ```
  * **Enumerate valid usernames on an SMTP server:**

    ```bash
    auxiliary/scanner/smtp/smtp_user_enum
    ```
  * **Verify the validity of email addresses using the SMTP VRFY command:**

    ```bash
    auxiliary/scanner/smtp/smtp_vrfy
    ```
  * **Enumerate webmail accounts associated with an SMTP server:**

    ```bash
    auxiliary/scanner/smtp/smtp_webmail_enum
    ```

## **Vulnerability Scanning**

### **Vulnerability Scanning With MSF**

* **The `analyze` command examines the hosts stored in the Metasploit database and suggests modules that apply to their known services and vulnerabilities:**

  ```bash
  analyze
  ```
* **Metasploit-Autopwn GitHub Script**: Metasploit-Autopwn is a GitHub script that automates the process of scanning and exploiting vulnerabilities using Metasploit. It simplifies the task of identifying and exploiting targets.
* To load the `db_autopwn` plugin in Metasploit:
  1. **Move the plugin file to the Metasploit plugins directory:**

     ```bash
     sudo mv <module_file> /usr/share/metasploit-framework/plugins
     ```
  2. **Load the `db_autopwn` plugin, which is used for automating the exploitation of targets in the Metasploit database:**

     ```bash
     load db_autopwn
     ```

### **Vulnerability Scanning With Nessus**

* **Import a Nessus scan report file into the Metasploit database with the "c" option to clear existing data:**

  ```bash
  db_import <nessus_file_path.nessus> c
  ```

### **Web App Vulnerability Scanning With WMAP**

* **Load the WMAP (Web Metasploit Automation Project) extension:**

  ```bash
  load wmap
  ```
* **Type the `wmap_` prefix (and press Tab) to list the WMAP commands:**

  ```bash
  wmap_
  ```
* **Add a target URL to the WMAP site list:**

  ```bash
  wmap_sites -a <target_URL>
  ```
* **List the sites currently in the WMAP site list:**

  ```bash
  wmap_sites -l
  ```
* **Select a site from the list as a scan target:**

  ```bash
  wmap_targets -t <target_URL>
  ```
* **List the defined target URLs:**

  ```bash
  wmap_targets -l
  ```
* **Show the enabled WMAP modules that will run against the selected targets (test run, no scan yet):**

  ```bash
  wmap_run -t
  ```
* **Execute the enabled WMAP modules against the selected targets:**

  ```bash
  wmap_run -e
  ```
* **List the vulnerabilities discovered by the WMAP scan:**

  ```bash
  wmap_vulns -l
  ```

## **Exploitation**

### **Windows Exploitation**

#### **Exploiting A Vulnerable HTTP File Server**

* **This Metasploit module exploits a remote code execution vulnerability in Rejetto HTTP File Server (HFS). It allows an attacker to execute arbitrary code on a target system running a vulnerable version of HFS:**

  ```bash
  exploit/windows/http/rejetto_hfs_exec
  ```

#### **Exploiting Windows MS17-010 SMB Vulnerability**

* **This Metasploit module exploits the MS17-010 vulnerability, also known as EternalBlue, in the SMB (Server Message Block) protocol. It allows an attacker to execute arbitrary code on a target system running a vulnerable version of Windows:**

  ```bash
  exploit/windows/smb/ms17_010_eternalblue
  ```

#### **Exploiting WinRM (Windows Remote Management Protocol)**

* **This auxiliary module performs login attempts against a Windows Remote Management (WinRM) service to check for valid credentials:**

  ```bash
  auxiliary/scanner/winrm/winrm_login
  ```
* **This auxiliary module enumerates the authentication methods supported by a WinRM service:**

  ```bash
  auxiliary/scanner/winrm/winrm_auth_methods
  ```
* **This auxiliary module executes arbitrary commands on a remote Windows system through the WinRM service:**

  ```bash
  auxiliary/scanner/winrm/winrm_cmd
  ```
* **This Metasploit module executes PowerShell scripts on a remote Windows system via the WinRM service:**

  ```bash
  exploit/windows/winrm/winrm_script_exec
  ```

#### **Exploiting A Vulnerable Apache Tomcat Web Server**

* **This Metasploit module exploits a vulnerability in Apache Tomcat servers that allows an attacker to bypass file upload restrictions and upload a JSP (JavaServer Pages) webshell, which can lead to remote code execution on the target server:**

  ```bash
  exploit/multi/http/tomcat_jsp_upload_bypass
  ```

### **Linux Exploitation**

#### **Exploiting A Vulnerable FTP Server**

* **This Metasploit module exploits a backdoor in certain versions of the vsftpd FTP (File Transfer Protocol) server. It allows an attacker to gain unauthorized access to the target system:**

  ```bash
  exploit/unix/ftp/vsftpd_234_backdoor
  ```

#### **Exploiting Samba**

* **This Metasploit exploit module abuses the way vulnerable Samba versions handle the `is_known_pipename()` call to load an attacker-supplied shared library, giving remote code execution on the Linux system running Samba:**

  ```bash
  exploit/linux/samba/is_known_pipename
  ```

#### **Exploiting A Vulnerable SSH Server**

* **This auxiliary module scans for SSH servers that are vulnerable to the libssh authentication bypass vulnerability. This vulnerability allows an attacker to gain unauthorized access to SSH servers without proper authentication:**

  ```bash
  auxiliary/scanner/ssh/libssh_auth_bypass
  ```

#### **Exploiting A Vulnerable SMTP Server**

* **This Metasploit module exploits vulnerabilities in the Haraka SMTP server on Linux systems. It allows an attacker to gain unauthorized access and execute arbitrary code on the target system:**

  ```bash
  exploit/linux/smtp/haraka
  ```

***

> **Hacker's Mantra:** Being a hacker does not say what side you are on. Being a hacker means you know how things actually work and can manipulate the way things actually work for good or for harm. - Dan K
