This document provides an overview of Metasploit for beginners. It discusses why Metasploit is useful, how to set up a demo environment, and how to use auxiliary and exploit modules. It then demonstrates auxiliary modules for scanning and information gathering. It also demonstrates two exploit modules against ElasticSearch and Jenkins, using reverse shell payloads. The document provides a cheat sheet for navigating msfconsole and describes common commands used prior to demonstrations.
4. Why Metasploit?
Drawbacks of working with standalone public exploits:
● Published independently
● Written in different programming languages
● Targeting limited to a specific platform
● No evasion techniques
● No clear documentation
● No consistent coding style, so difficult to embed or modify
5. Metasploit Framework
Current stable version is v4.13.X
• Written in Ruby: https://github.com/rapid7/metasploit-framework.git
• Module counts: 1610 exploits, 914 auxiliary, 279 post, 471 payloads, 39 encoders, 9 nops
• Ready to use in Kali (used in this demo).
• Also available as a Windows installer (never really tried!)
7. Visualising an attack
[Diagram: msfconsole on the attacker side against a target running vulnerable software. Module types shown: Auxiliary (scan and enumerate, rogue servers), Exploit (remote exploit, local exploit), Payload (windows/shell, windows/add user), Post (enumerate credentials, exploit suggester). Flow: Exploit, then Payload, then Post.]
8. Demo Setup!
Target: Windows 2008 R2 – Metasploitable3, a VM designed to be vulnerable for testing payloads.
Setup instructions: https://github.com/rapid7/metasploitable3
[Diagram: VirtualBox lab. Attacker: Metasploit on Kali, 172.28.128.4. Victim: Windows 2k8 (Metasploitable3), 172.28.128.3.]
9. Msfconsole navigation cheat sheet!
msfupdate - update the framework
msfconsole - start Metasploit
> help - example: help search
> search - example: search name:pcman type:exploit
> show - examples: show info, show options, show advanced
> use - examples: use exploit/.., use auxiliary/.., use payload/..
> set, unset, setg and unsetg - examples: set payload .., set exitfunc ..
> back, previous
Exploit, post and payload specifics:
> set RHOST - victim IP
> set RPORT - victim port
> set LHOST - attacker IP
> set LPORT - attacker port for a reverse connect, or victim port for a bind shell
> set SESSION - session id of an earlier attack, used to attempt local privilege escalation
10. Commands prior to the demo!
• Start PostgreSQL, initialise the Metasploit database, then start msfconsole.
• Set up a workspace in Metasploit to store the enumeration results.
• Run an nmap scan from msfconsole so its results are stored in the database; the stored results are then accessible via "services".
11. Auxiliary Module - Demo
• Brute-force access tests on different protocols.
• Enumerate and gather more information with limited access.
• Check for misconfigured or default web portals.
• Set up rogue FTP, HTTP, SMB and IMAP servers.
13. Exploit Module
Remote exploits are typically found under exploit/Platform/protocol/Application_or_service
Local exploits are typically found under exploit/Platform/local/Application_or_service
14. Payload Module
Bind Shell TCP
• Successful exploitation opens a new listening port on the victim that provides shell access.
Reverse Shell TCP
• Successful exploitation makes the victim connect back to the attacker and hand over its shell.
[Diagram, two panels: bind shell - the exploit runs, then the attacker connects to the listener on the victim; reverse shell - the attacker starts a listener first, then the exploit makes the victim connect back to it.]
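The bind and reverse shell roles from this slide, as an added example that is not from the slides or from Metasploit: plain TCP sockets on loopback stand in for the payload and exchange only a one-line banner, so the code shows which side listens and which side connects, which is also what a defender sees on the host (a new listening port for bind, an outbound connection for reverse). The `bind_shell_direction` and `reverse_shell_direction` functions and the "shell ready" banner are constructed for this example.

```ruby
require 'socket'

# Added example, not from the slides or Metasploit. Each side only exchanges a
# one-line banner and the OS picks the port (port 0), so no real LPORT is used.

# Bind shell TCP: the victim opens a new listening port after exploitation and
# the attacker connects to it (LPORT is a port on the victim). On the host this
# is visible as a new listening socket.
def bind_shell_direction
  victim = TCPServer.new('127.0.0.1', 0)            # new port on the victim
  listen_port = victim.addr[1]
  t = Thread.new do
    conn = victim.accept                            # attacker connects in
    conn.puts 'shell ready'
    conn.gets                                       # wait for the attacker's line
    conn.close
  end
  attacker = TCPSocket.new('127.0.0.1', listen_port)
  peer_port = attacker.peeraddr[1]                  # the port the attacker reached
  banner = attacker.gets.chomp
  attacker.puts 'exit'
  t.join
  attacker.close
  victim.close
  { listener: :victim, listen_port: listen_port, attacker_peer_port: peer_port, banner: banner }
end

# Reverse shell TCP: the attacker runs the listener (LHOST/LPORT) and the
# victim connects out to it. On the host this is an outbound connection,
# with no new listening port.
def reverse_shell_direction
  attacker = TCPServer.new('127.0.0.1', 0)          # listener on the attacker
  listen_port = attacker.addr[1]
  peer_port = nil
  t = Thread.new do
    victim = TCPSocket.new('127.0.0.1', listen_port) # victim connects out
    peer_port = victim.peeraddr[1]                  # the port the victim reached
    victim.puts 'shell ready'
    victim.gets                                     # wait for the attacker's line
    victim.close
  end
  conn = attacker.accept
  banner = conn.gets.chomp
  conn.puts 'exit'
  t.join
  conn.close
  attacker.close
  { listener: :attacker, listen_port: listen_port, victim_peer_port: peer_port, banner: banner }
end
```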
16. Exploit Module 2
In these cases we need to use the attacker machine as a server that delivers the exploit. Two more options are needed: SRVHOST and SRVPORT.
The Meterpreter payload provides an interactive environment with functionality such as:
• getsystem, clearev, migrate, hashdump, post modules, upload/download, edit
• run portrecorder, load mimikatz, ..