Metasploit cheat sheet
Metasploit is a framework and not a specific application. As a framework, the user can build their own specific tools that can be used for specific tasks. It eases the effort to exploit known vulnerabilities in networks, operating systems, and applications, and to develop new exploits for new or unknown vulnerabilities.
Terms to know
System exploitation – the root term behind meta ‘sploit’ – i.e. exploitation
This term means that you are trying to exploit a vulnerability in a system, machine or network. This means that basically, you are trying to look into a network and find a computer that has a hole (backdoor) which could be compromised.
Payload – think of this like a fighter jet unleashing a weapon with a payload!
A big thing about Metasploit is that it not only scans but it also collects information regarding systems that can be exploited – and then – executes code within a compromised system. In summary, this term implies injecting code that is bundled within a payload. Once a payload has been unleashed, the hacker or penetration tester can run commands and actions. The objective should be to plant a big enough payload that can facilitate the creation of a shell code. A shell is a command interface which essentially gives the user complete control over a compromised machine.
Listening – get in touch with your female side and be a good listener!
Metasploit is patient and a great listener. Metasploit, like Wireshark in fact, is very good at listening to incoming connections. Worth noting that in the hacking world, things don’t move very fast, a dedicated hacker can spend months working out their best strategy and attack vectors. Research is obviously vital to any attack. PunkSPIDER and SHODAN would be two examples of services that a penetration tester could use before opening up Metasploit. Both PunkSPIDER and SHODAN act almost like search engines with the difference in that these engines look for server information and vulnerabilities. Metasploit could be deployed to open any half-closed doors.
There are a couple of interfaces that can be used. The first option is the MSFconsole which is the hackers preferred method or most puritanical way of using Metasploit. The other more friendly approach to using Metasploit is to use Armitage.
Metasploit Database – specific to the user’s requirements
One of the things that makes Metasploit unique, and a must for anyone interested in learning the skills of pentesting or hacking, is that the program/ framework can record data in its’ own internal database, i.e. on your system. Why is this good? Simply said it just organizes your workflow. You can set up the system so that tasks are spread as thin as possible to minimize the chances of being detected.
Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.
Post exploitation is an important process in a penetration test as it allows the attacker to gather information from the system that he has exploited. A lot of penetration testers are using the Metasploit framework modules for system exploitation. However, Metasploit provides and modules for post exploitation activities for a variety of systems.
Msfvenom is a combination of Msfpayload and Msfencode, putting both of these tools into a single Framework instance. Note: MSF venom has replaced both msfpayload and ms encoded as of June 8th, 2015.
The advantages of MSF venom are:
- One single tool
- Standardized command line options
- Increased speed
The MSF console is probably the most popular interface to the MSF. It provides an “all-in-one” centralized console and allows you efficient access to virtually all of the options available in the Metasploit Framework.
A password guessing attack that systematically attempts to authenticate to services using a set of user-supplied credentials.
A credential can be defined as public, private, or complete credential pair. A credential can be associated with a realm, but it is not mandatory.
A password is guessing technique that tries to authenticate to a target using known credentials.
A plaintext password, SSH key, NTLM hash, or non-replay able hash.
A credential that is associated with a particular service.
It is the source of the credential. The origin refers to how the credential was obtained or added to the project, such as through Bruteforce Guess, an exploit, manual entry, or an imported wordlist.
Realm is the functional grouping of database schemas to which the credential belongs. A realm type can be a domain name, a Postgres database, a DB2 database, or an Oracle System Identifier (SID).
A plaintext password, hash, or private SSH key.
Can be stated as usernames.
A credential that has successfully authenticated to a target.
Metasploit offers a couple different methods you can use to perform exploitation:
- Manual exploitation.
The auto-exploitation feature cross-references open services, vulnerability references, and fingerprints to find matching exploits. The simple goal of auto-exploitation is to get a session as quickly as possible by leveraging the data that Metasploit has for the target hosts.
Manual exploitation provides a more targeted and methodical approach to exploiting vulnerabilities. This method is particularly useful if there is a specific vulnerability that you want to exploit.
Payload Type: Specifies the type of payload that the exploit will deliver to the target. Choose one of the following payload types:
- Command: A command execution payload that enables you to execute commands on the remote machine.
- Meterpreter: An advanced payload that provides a command line that enables you to deliver commands and inject extensions on the fly.
Connection Type: Specifies how you want your Metasploit instance to connect to the target. Choose one of the following connection types:
- Auto: Automatically uses a bind connection when NAT is detected; otherwise, a reverse connection is used.
- Bind: Uses a bind connection, which is useful when the targets are behind a firewall or a NAT gateway.
- Reverse: Uses a reverse connection, which is useful if your system is unable to initiate connections to the targets.
LHOST: Defines the address for the local host.
LPORT: Defines the ports that you want to use for reverse connections.
RHOST: Defines the target address.
RPORT: Defines the remote port you want to attack.
Target Settings: Specifies the target operating system and version.
Exploit Timeout: Defines the timeout in minutes.
Whole process of exploiting vulnerability consists of 5 steps:
- Information Gathering
- Vulnerability Scanning
- Post exploitation
Your goals during information gathering should be to gain accurate information about your targets without revealing your presence or your intentions. There are two types of information gathering: passive and active.
Passive Information Gathering
Using passive information gathering, you can discover information about targets without touching their systems. For example, you can identify network boundaries, operating systems, open ports, and web server software in use on the target without touching their system.
Active Information Gathering
In active information gathering, we interact directly with a system to learn more about it. We might conduct port scans for open ports on the target or conduct scans to determine what services are running. Each system or running service that we discover gives us another opportunity for exploitation.
Tools for information gathering:
A port scan is a series of messages sent by someone attempting to break into a computer to learn which computer network services, each associated with a “well-known” port number, the computer provides. Port scanning, a favorite approach of computer cracker, gives the assailant an idea where to probe for weaknesses.
Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
The idle scan is a TCP port scan method that consists of sending spoofed packets to a computer to find out what services are available. This is accomplished by impersonating another computer called a “zombie” (that is not transmitting or receiving information) and observing the behavior of the ”zombie” system.
Nessus is a remote security scanning tool, which scans a computer and raises an alert if it discovers any vulnerabilities that malicious hackers could use to gain access to any computer you have connected to a network.
A password sniffer is a software application that scans and records passwords that are used or broadcasted on a computer or network interface. It listens to all incoming and outgoing network traffic and records any instance of a data packet that contains a password.
Vulnerability scanning is an inspection of the potential points of exploit on a computer or network to identify security holes. It detects and classifies system weaknesses in computers, networks, and communications equipment and predicts the effectiveness of countermeasures.
An exploit is the use of software, data, or commands to “exploit” a weakness in a computer system or program to carry out some form of malicious intent, such as a denial-of-service attack, Trojan horses, worms or viruses. The weakness in the system can be a bug, a glitch or simply a design vulnerability. The process is known as exploitation.
The following are the five steps in the exploitation process:
- scanning the target
- selecting an exploit
- selecting a payload
- encoding the exploit
- launching the attack
- Scanning the target
To scan the target, we use port scanning and vulnerability scanning techniques in which we perform scanning by using different tools like nmap, nessus and etc.
- Selecting the exploit
This process includes the selection of exploit. The attacker can call the show exploits command to get a full list of all the exploits available.
- Selecting the payload
Selecting a payload in Metasploit has become an optimized and elegant process. Payloads are the commands the attacker runs upon a successful completion of their exploit. These get packaged with the exploit and are sent in one bundled attack.
- Encoding the exploit
Encoding in Metasploit is how the exploit and payload are packaged together, and is often done automatically, via the set commands. Encoding typically determines how the code will be structured, delivered and whether or not it incorporates nop padding.
- Launching the attack
Launching the attack is the easiest part, once all the settings have been set, the attacker simply calls an exploit. An attacker can also save the entire exploit to a.exe and use it as a client side, or local exploit.
The purpose of the Post-Exploitation phase is to determine the value of the machine compromised and to maintain control of the machine for later use. The value of the machine is determined by the sensitivity of the data stored on it and the machines usefulness in further compromising the network. The methods described in this phase are meant to help the tester identify and document sensitive data, identify configuration settings, communication channels, and relationships with other network devices that can be used to gain further access to the network, and setup one or more methods of accessing the machine at a later time.
Reporting is the key deliverable in any security assessment activity. The final deliverable is the report which shows the service provided, the methodology used, findings/results and the recommendation. Reports are introduced to Metasploit to help users to organize their findings into relevant sections, display charts and graphs for statistical data, and summarizes major findings.
The Metasploit framework provides a GUI, a console interface called MSF console and a command line interface called MSFC li.
Graphic user interface
To open Metasploit GUI, open your terminal and type msfgui. From the Metasploit’s graphic user interface you can do pretty much the same things as you can do from the other interfaces. GUI is very helpful if you are new to Metasploit framework.
Msfconsole is the most popular interface to the Metasploit Framework. It provides everything you need to launch an exploit, load auxiliary modules, perform enumeration, create listeners or run mass exploitation against multiple targets. It is the only supported way to access most of the features within Metasploit, and it is the most stable Metasploit interface. MSFconsole offers tab completion! To open MSF console, open your terminal and type msfconsole.
Msfcli provides a powerful command-line interface to the Metasploit framework, but it doesn’t support any of the advanced automation features of MSF console. Msfcli is an excellent interface for scripting, allowing you to redirect its output to other command line tools or redirect output from other tools into msfcli. Msfcli can be used like MSF console, to launch exploits or auxiliary modules but is much more difficult to use. It is useful for specific tasks such as when you are testing or developing a new exploit. Msfcli is suitable when you know exactly which exploit and options you need. To run msfcli, open your terminal and type msfcli. Type msfcli -h to get more help.
Armitage is a scriptable red team collaboration tool for Metasploit that visualizes targets, recommends exploits, and exposes the advanced post-exploitation features in the framework. It is a free GUI front-end for the Metasploit Framework developed by Raphael Mudge. To launch armitage, type armitage in your terminal.
There are plenty of free tutorials, and guides are available on the internet. As well as there are many other frameworks for exploitation testing, but Metasploit is one of the famous frameworks that most of the cyber security professionals prefer to use.