Metasploit: Working with modules
In my previous article, I provided a brief introduction to Metasploit. In this article, I'll delve deeper into how to get your hands dirty with this amazing tool.
Before showing you how to work with the Metasploit modules, I'd like to clarify something first. And that is about having a strategy. Without a good strategy, you're not going to make it very far.
Strategy
Identify the tech stack (e.g., Windows, Android) and then use the appropriate exploits to pentest the target. For instance, if the target machine is Windows, use the MS17-010 “Eternalblue” exploit to pentest the target.
Working with modules
Once you have entered the context of a module using the use command followed by the module name, as seen earlier, you will need to set parameters. The most common parameters you will use are listed below. Remember, based on the module you use, additional or different parameters may need to be set. It is good practice to use the show options command to list the required parameters.
All parameters are set using the same command syntax:
set PARAMETER_NAME VALUE
Before we proceed, remember always to check the msfconsole prompt to ensure you are in the right context. When dealing with Metasploit, you may see five different prompts:
- The regular command prompt: You cannot use Metasploit commands here.
- The msfconsole prompt: Metasploit commands can be used here, but you are not inside any module yet.
- A module context prompt: Shown after you enter a module with the use command; set, show options, check and exploit apply to that module.
- The Meterpreter prompt: Meterpreter is a crucial payload that we will examine in detail later in this article. This prompt means a Meterpreter agent was loaded onto the target system and connected back to you. You can use Meterpreter-specific commands here.
- A shell on the target system: Once the exploit is completed, you may have access to a command shell on the target system. This is a regular command line, and all commands typed here run on the target system.
As mentioned earlier, the show options command will list all available parameters.
As you can see in the screenshot above, some of these parameters require a value for the exploit to work. Some required parameter values will be pre-populated; ensure you verify that these remain the same for your target. For example, a web exploit could have an RPORT (remote port: the port on the target system that Metasploit will try to connect to and run the exploit) value preset to 80, but your target web application could be using port 8080.
In this example, we will set the RHOSTS parameter to the IP address of our target system using the set command.
Once you have set a parameter, you can use the show options command to check that the value was set correctly.
Parameters you will often use are:
- RHOSTS: “Remote host”, the IP address of the target system. A single IP address or a network range can be set. This will support the CIDR (Classless Inter-Domain Routing) notation (/24, /16, etc.) or a network range (10.10.10.x – 10.10.10.y). You can also use a file where targets are listed, one target per line, using file:/path/of/the/target_file.txt, as you can see below.
- RPORT: “Remote port”, the port on the target system where the vulnerable app is running.
- PAYLOAD: The payload you will use with the exploit.
- LHOST: “Localhost”, the attacking machine (Kali Linux) IP address.
- LPORT: “Local port”, the port you will use for the reverse shell to connect back to. This is a port on your attacking machine, and you can set it to any port not used by any other application (e.g., set LPORT 6666).
- SESSION: Each connection established to the target system using Metasploit will have a session ID. You will use this with post-exploitation modules that will connect to the target system using an existing connection.
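The RHOSTS formats listed above (single IP, CIDR block, dash range, and file:/path) are easy to get wrong, and a typo can put hosts outside your authorised scope into a scan. The helper below is an added example, not code from the article or from Metasploit: it expands an RHOSTS value the way the article describes it and reports any expanded target that falls outside an agreed scope. It assumes, as Metasploit's range walker does to my knowledge, that a CIDR block expands to every address in the block, and it does not resolve hostnames.

```python
import ipaddress
import tempfile
from pathlib import Path
from typing import Iterable, Iterator, List

def _expand_token(token: str) -> Iterator[str]:
    """Expand one RHOSTS token: single IP, CIDR block, dash range, or file:<path>."""
    token = token.strip()
    if not token:
        return
    if token.startswith("file:"):
        # One target spec per line; blank lines and '#' comments are skipped.
        for line in Path(token[len("file:"):]).read_text().splitlines():
            line = line.split("#", 1)[0].strip()
            if line:
                yield from _expand_token(line)
    elif "/" in token:
        # CIDR block: every address is included (assumption: matches Metasploit).
        for addr in ipaddress.ip_network(token, strict=False):
            yield str(addr)
    elif "-" in token:
        # Dash range: 10.10.10.5-10.10.10.9, or the short form 10.10.10.5-9.
        start_s, end_s = (p.strip() for p in token.split("-", 1))
        if "." not in end_s and ":" not in end_s:
            end_s = start_s.rsplit(".", 1)[0] + "." + end_s
        start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
        if end < start:
            raise ValueError(f"range end precedes start: {token}")
        for n in range(int(start), int(end) + 1):
            yield str(type(start)(n))
    else:
        yield str(ipaddress.ip_address(token))  # ValueError on garbage or hostnames

def expand_rhosts(spec: str) -> List[str]:
    """Expand a whole RHOSTS value (space- or comma-separated tokens), deduplicated in order."""
    hosts: dict = {}
    for token in spec.replace(",", " ").split():
        for host in _expand_token(token):
            hosts.setdefault(host, None)
    return list(hosts)

def out_of_scope(spec: str, allowed: Iterable[str]) -> List[str]:
    """Targets in spec that are outside the authorised networks; should be empty before you run."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    return [h for h in expand_rhosts(spec)
            if not any(ipaddress.ip_address(h) in n for n in nets)]

def demo_file_spec() -> List[str]:
    """Write a constructed sample target file and expand it through the file: form."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("# constructed sample target list\n10.10.10.1\n10.10.10.4-6\n\n10.10.11.0/30\n")
    return expand_rhosts(f"file:{f.name}")
```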
You can override any set parameter using the set command again with a different value. You can also clear any parameter value using the unset command (e.g., unset PAYLOAD) or clear all set parameters with the unset all command.
You can use the setg command (e.g., setg RHOSTS 10.10.19.23) to set values that will be used for all modules. The setg command is used like the set command. The difference is that a value set with set belongs to the current module: if you switch to another module, you will need to set the value again. The setg command sets the value globally so it is used by default across different modules. You can clear any value set with setg using unsetg.
The example below uses the following flow:
- We use the ms17_010_eternalblue exploit module
- We set the RHOSTS variable using the setg command instead of the set command
- We use the back command to leave the exploit context
- We use an auxiliary module (this module is a scanner that discovers MS17-010 vulnerabilities)
- The show options command shows that the RHOSTS parameter is already populated with the IP address of the target system
The setg command sets a global value that will be used until you exit Metasploit or clear it using the unsetg command.
Using modules
Once all module parameters are set, you can launch the module using the exploit command. Metasploit also supports the run command, which is an alias created for the exploit command, as the word exploit did not make sense when using modules that were not exploits (port scanners, vulnerability scanners, etc.).
The exploit command can be used without any parameters or using the “-z” parameter.
The exploit -z command will run the exploit and background the session as soon as it opens, returning you to the context prompt from which you ran the exploit.
Some modules support the check command. This will check whether the target system is vulnerable without exploiting it.
Sessions
Once a vulnerability has been successfully exploited, a session will be created. This is the communication channel established between the target system and Metasploit.
You can use the background command to background the session prompt and go back to the msfconsole prompt.
Alternatively, CTRL+Z can be used to background sessions.
The sessions command can be used from the msfconsole prompt or any context to see the existing sessions.
To interact with any session, you can use the sessions -i command followed by the desired session number.