msfconsole
The msfconsole is probably the most popular interface to the MSF. It provides an all-in-one centralized console and allows you efficient access to virtually all of the options available in the Metasploit Framework.
Getting Help
Entering 'help' or a '?' at the msf command prompt will display a listing of available commands along with a description of what they are used for.
msf > help
Tab completion
One of the more useful features of msfconsole is tab completion. As with most other shells, entering what you know and pressing "Tab" will present you with a list of the options available to you, or auto-complete the string if there is only one option.
Show command
Entering 'show' at the msfconsole prompt will display every module within Metasploit.
There are a number of 'show' commands you can use, but the ones you will use most frequently are 'show auxiliary', 'show exploits', and 'show payloads'.
Executing 'show auxiliary' will display a listing of all the available auxiliary modules within Metasploit. Auxiliary modules include scanners, denial of service modules, fuzzers, and more.
msf > show auxiliary
'show exploits' will give a listing of all exploits contained in the framework.
msf > show exploits
'show payloads' will display all of the different payloads for all platforms available within Metasploit.
msf > show payloads
There are a lot of payloads available. Fortunately, when you are in the context of a particular exploit, running 'show payloads' will only display the payloads that are compatible with that particular exploit. For instance, if it is a Windows exploit, you will not be shown the Linux payloads.
msf exploit(ms08_067_netapi) > show payloads
If you have selected a specific module, you can issue the 'show options' command to display which settings are available and/or required for that specific module.
msf exploit(ms08_067_netapi) > show options
If you aren't certain whether an operating system is vulnerable to a particular exploit, run the 'show targets' command from within the context of an exploit module to see which targets are supported.
msf exploit(ms08_067_netapi) > show targets
If you wish to further fine-tune an exploit, you can see more advanced options by running 'show advanced'.
msf exploit(ms08_067_netapi) > show advanced
"search" Command
If you have a general idea of what you are looking for, you can search for it via the 'search' command. In the output below, a search is being made for MS Bulletin MS09-001. The search function will locate this string within the module references.
msf > search ms09-001
"info" Command
The 'info' command will provide detailed information about a particular module including all options, targets, and other information.
msf > info dos/windows/smb/ms09_001_write
"use" Command
When you have decided on a particular module to make use of, issue the 'use' command to select it.
msf > use dos/windows/smb/ms09_001_write
msf auxiliary(ms09_001_write) > show options
"connect" Command
By issuing the 'connect' command with an IP address and port number, you can connect to a remote host from within msfconsole the same as you would with netcat or telnet.
msf > connect 192.168.1.1 23
"set" Command
The 'set' command is used to configure the options and settings of the module you are currently working with.
msf auxiliary(ms09_001_write) > set RHOST 192.168.1.1
RHOST => 192.168.1.1
msf auxiliary(ms09_001_write) > show options
A recently added feature in Metasploit is the ability to set an encoder to use at run-time. This is particularly useful in exploit development when you aren't quite certain as to which payload encoding methods will work with an exploit.
msf exploit(ms08_067_netapi) > show encoders
msf exploit(ms08_067_netapi) > set encoder x86/shikata_ga_nai
encoder => x86/shikata_ga_nai
"check" command
There aren't many exploits that support it, but there is also a 'check' option that will check to see if a target is vulnerable to a particular exploit instead of actually exploiting it.
msf exploit(ms04_045_wins) > show options
msf exploit(ms04_045_wins) > check
Check failed: The connection was refused by the remote host  (192.168.1.114:42)
Setting Global Variables
In order to save a lot of typing during a pentest, you can set global variables within msfconsole. You can do this with the 'setg' command. Once these have been set, you can use them in as many exploits and auxiliary modules as you like. You can also save them for use the next time you start msfconsole. However, the pitfall is forgetting you have saved globals, so always check your options before you 'run' or 'exploit'. Conversely, you can use the 'unsetg' command to unset a global variable. In the examples that follow, variables are entered in all-caps (i.e., LHOST), but Metasploit is case-insensitive so it is not necessary to do so.
msf > setg LHOST 192.168.1.101
msf > setg RHOSTS 192.168.1.0/24
msf > setg RHOST 192.168.1.136
msf > save
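The pitfall above (saved globals silently applying to a later module) can be checked before starting a session. This is an added example, not code from the original page or from the Metasploit project: it lists saved target globals that fall outside an engagement scope. It assumes 'save' writes an INI-style file (commonly ~/.msf4/config) with globals under a [framework/core] section; the sample config, the scope and the function names are constructed for illustration.

```ruby
require 'ipaddr'
# Constructed sample of a saved config; the INI layout is an assumption.
SAMPLE_CONFIG = <<~INI
  [framework/core]
  LHOST=192.168.1.101
  RHOSTS=192.168.1.0/24
  RHOST=192.168.1.136

  [framework/ui/console]
  ActiveModule=auxiliary/dos/windows/smb/ms09_001_write
INI
TARGET_KEYS = %w[RHOST RHOSTS].freeze

# Return the key/value pairs stored in one INI section (the saved globals).
def saved_globals(text, section = 'framework/core')
  current = nil
  text.each_line.with_object({}) do |line, out|
    line = line.strip
    next if line.empty? || line.start_with?('#', ';')
    if (m = line.match(/\A\[(.+)\]\z/))
      current = m[1]
    elsif current == section && line.include?('=')
      key, value = line.split('=', 2)
      out[key.strip.upcase] = value.strip # option names are case-insensitive
    end
  end
end

# True when a single IP or CIDR lies entirely inside one authorized network.
def in_scope?(entry, scope)
  range = IPAddr.new(entry).to_range
  scope.any? do |net|
    allowed = IPAddr.new(net)
    allowed.include?(range.first) && allowed.include?(range.last)
  end
rescue IPAddr::Error
  false # hostnames and other target formats need manual review
end

# Saved target globals with at least one entry outside the engagement scope.
def out_of_scope_globals(text, scope)
  saved_globals(text).select do |key, value|
    TARGET_KEYS.include?(key) && !value.split.all? { |e| in_scope?(e, scope) }
  end
end

if __FILE__ == $PROGRAM_NAME # constructed scope: only the upper /25 is authorized
  out_of_scope_globals(SAMPLE_CONFIG, ['192.168.1.128/25']).each { |k, v| puts "REVIEW #{k}=#{v}" }
end
```

Anything it reports should be cleared with 'unsetg' or corrected with 'setg' before a module is run.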
"exploit/run" Commands
When launching an exploit, you issue the 'exploit' command, whereas if you are using an auxiliary module, the proper usage is 'run', although 'exploit' will work as well.
msf auxiliary(ms09_001_write) > run
"back" Command
Once you have finished working with a particular module, or if you inadvertently select the wrong module, you can issue the 'back' command to move out of the current context. This, however, is not required. Just as you can in commercial routers, you can switch modules from within other modules. As a reminder, variables will only carry over if they are set globally.
msf auxiliary(ms09_001_write) > back