In this article we will go through a Metasploit cheat sheet.
Metasploit is a framework and not a specific application. As a framework, it lets users build their own tools for specific tasks. It makes it easier for us to exploit known vulnerabilities in networks, operating systems and applications, and to develop new exploits for new or unknown vulnerabilities.
Know the terms of the Metasploit cheat sheet
System exploitation – the root term behind the meta ‘sploit’ – i.e. exploitation
This term means that you are trying to exploit a vulnerability in a system, computer or network. In other words, you are looking into the network to find a computer that has a hole (a vulnerability) through which it could be compromised.
Payload – Think of it as a fighter jet launching a payload weapon!
The great thing about Metasploit is that it not only scans, but also collects information about exploitable systems, and then executes code on the compromised system. In short, this term refers to the code that is injected as the payload. Once the payload has been delivered, the hacker or penetration tester can execute commands and actions. The goal is to deliver a payload that establishes a shell. A shell is a command interface that essentially gives the user complete control over the compromised machine.
Listen – connect with your feminine side and be a good listener!
Metasploit is patient and a great listener. Metasploit, much like Wireshark, is very good at listening for incoming connections. It’s worth noting that things don’t move very fast in the world of hacking; a dedicated hacker can spend months working out their best strategy and attack vectors. Research is of course vital to any attack. PunkSPIDER and SHODAN are two examples of services a penetration tester could use before opening Metasploit. Both PunkSPIDER and SHODAN work almost like search engines, except that they look for server and vulnerability information. Metasploit can then be used to open any half-closed door.
The Metasploit interface
There are several interfaces that can be used. The first option is msfconsole, which is the hacker’s preferred method and the most purist way to use Metasploit. A friendlier approach to using Metasploit is Armitage.
Metasploit Database – specific to user requirements
One of the things that makes Metasploit unique, and a must for anyone looking to learn pentesting or hacking skills, is that the framework can log data to its own internal database on your system. Why is that good? Simply put, it organizes your workflow. You can set up the system to keep tasks as thin as possible to minimize the chance of detection.
Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates through the stager socket and provides a comprehensive client-side Ruby API. It includes command history, tab completion, channels and more.
Post exploitation is an important process in a penetration test because it allows an attacker to gain information from the system they exploited. Many penetration testers use Metasploit framework modules for system exploitation. However, Metasploit also provides modules for post-exploitation activities on different systems.
Msfvenom
Msfvenom is a combination of msfpayload and msfencode, putting both tools into a single Framework instance. Note: msfvenom has replaced both msfpayload and msfencode since June 8, 2015.
The benefits of msfvenom are:
- One single tool
- Standardized command line options
- Increased speed
MSF console
The MSF console is probably the most popular interface for MSF. It provides an all-in-one centralized console and gives you efficient access to virtually every option available in the Metasploit Framework.
Bruteforce
- Bruteforce: A password-guessing attack that systematically attempts to authenticate to services using a set of user-supplied credentials.
- Credential: Can be defined as public, private, or the complete credential pair. A credential can be associated with a realm, but it is not required.
- Credential reuse: A password-guessing technique that attempts to authenticate to a target using known credentials.
- Credential type: Plaintext password, SSH key, NTLM hash, or non-replayable hash.
- Login: A credential that is associated with a particular service.
- Origin: The source of the credential. Origin refers to how the credential was obtained or added to the project, such as through a Bruteforce Guess, an exploit, manual entry, or an imported wordlist.
- Realm: A functional grouping of database schemas to which a credential belongs. The realm type can be a domain name, a Postgres database, a DB2 database, or an Oracle System Identifier (SID).
- Private credential: Plaintext password, hash, or private SSH key.
- Public credential: A username.
- Validated credential: A credential that was successfully authenticated to the target.
Exploitation of vulnerabilities
Metasploit offers several different methods you can use to exploit:
- Automated exploitation
- Manual exploitation
Automated exploitation
The automated exploit feature cross-references open services, vulnerability links, and fingerprints to find matching exploits. The simple goal of autoexploitation is to get a session as quickly as possible by exploiting the data that Metasploit has for the target hosts.
Manual exploitation provides a more targeted and methodical approach to exploiting vulnerabilities. This method is especially useful if there is a specific vulnerability that you want to exploit.
Payload Type: Specifies the type of payload that the exploit will deliver to the target. Select one of the following payload types:
- Command: A command execution payload that lets you run commands on the remote machine.
- Meterpreter: An advanced payload that provides a command line from which you can run commands and load extensions at runtime.
Connection Type: Specifies how you want your Metasploit instance to connect to the target. Select one of the following connection types:
- Auto: Automatically uses a bind connection when NAT is detected; otherwise, a reverse connection is used.
- Bind: Uses a bind connection, which is useful when the targets are behind a firewall or NAT gateway.
- Reverse: Uses a reverse connection, which is useful if your system is unable to initiate connections to the targets.
LHOST: Defines the address of the local host.
LPORT: Defines the port you want to use for reverse connections.
RHOST: Defines the target address.
RPORT: Defines the remote port you want to attack.
Target Settings: Specifies the target operating system and version.
Exploit Timeout: Defines the timeout in minutes.
The entire process of exploiting a vulnerability consists of 5 steps:
- Information gathering
- Vulnerability scanning
- Post exploitation
Information gathering
Your goal in gathering information should be to obtain accurate information about your targets without revealing your presence or your intentions. There are two types of information gathering: passive and active.
Passive information gathering
Using passive information gathering, you can discover information about targets without touching their systems. For example, you can identify network boundaries, operating systems, open ports, and the web server software in use on a target without ever touching the target itself.
Active information gathering
When actively gathering information, we communicate directly with the system to learn more about it. We can run port scans to find open ports on the target, or scan to see what services are running. Every system or running service we discover gives us another opportunity to exploit.
Information collection tools:
A port scan is a series of messages sent by someone trying to break into a computer to find out which network services, each associated with a “well-known” port number, the computer provides. Port scanning, a popular approach among attackers, gives an attacker an idea of where to look for vulnerabilities.
Nmap (“Network Mapper”) is a free and open source (licensed) network discovery and security auditing tool. Many system and network administrators also find it useful for tasks such as network inventory, managing service upgrade plans, and monitoring host or service uptime. Nmap uses raw IP packets in new ways to determine which hosts are available on the network, what services (application name and version) those hosts offer, what operating systems (and OS versions) they use, what type of packet filters/firewalls are in use, and dozens of other properties.
Idle scanning is a method of TCP port scanning that involves sending spoofed packets to a computer to see what services are available. This is achieved by impersonating another computer called a “zombie” (one that is sending and receiving no traffic of its own) and observing the behaviour of the “zombie” system.
Nessus is a remote security scanning tool that scans your computer and alerts you if it finds any vulnerabilities that malicious hackers could use to gain access to any computer you’re connected to.
A password sniffer is a software application that scans and records passwords that are used or transmitted on a computer or network interface. It listens to all incoming and outgoing network traffic and logs every data packet that contains a password.
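The bruteforce glossary above describes a password-guessing attack as a systematic run of authentication attempts, and this section describes a port scan as a burst of probes against many port numbers. Both leave the same shape in logs: many events from one source in a short window. The following is an added example (not code from the original page or from the Metasploit project) that applies one sliding-window burst check to constructed sshd-style auth lines and to constructed connection records; the log formats, thresholds and addresses are assumptions.

```python
"""Added example: flag bruteforce password guessing and port scans in constructed log samples."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

def burst(times, threshold, window):
    """True if at least `threshold` of the timestamps fall inside one `window`."""
    t = sorted(times)
    return any(t[i + threshold - 1] - t[i] <= window for i in range(len(t) - threshold + 1))

# Constructed sshd-style auth lines (not from a real host): 4 failures in 3 s, then a success.
AUTH_LOG = """\
Mar 10 08:00:01 host sshd[1001]: Failed password for root from 10.0.0.5 port 40001 ssh2
Mar 10 08:00:02 host sshd[1002]: Failed password for invalid user admin from 10.0.0.5 port 40002 ssh2
Mar 10 08:00:03 host sshd[1003]: Failed password for invalid user test from 10.0.0.5 port 40003 ssh2
Mar 10 08:00:04 host sshd[1004]: Failed password for root from 10.0.0.5 port 40004 ssh2
Mar 10 08:00:05 host sshd[1005]: Accepted password for bob from 10.0.0.5 port 40005 ssh2
Mar 10 08:00:30 host sshd[1006]: Failed password for alice from 192.168.1.20 port 51000 ssh2
"""
AUTH_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: (?P<res>Failed|Accepted) \w+ "
                     r"for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+")

def detect_bruteforce(log, threshold=3, window=timedelta(minutes=1), year=2024):
    """Per bursting source: the usernames (public parts) tried and whether a login validated afterwards."""
    fails, okays = defaultdict(list), defaultdict(list)
    for m in filter(None, map(AUTH_RE.match, log.splitlines())):
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        (okays if m["res"] == "Accepted" else fails)[m["src"]].append((ts, m["user"]))
    return {src: {"users": sorted({u for _, u in ev}),
                  "validated_after": any(t >= min(ev)[0] for t, _ in okays[src])}
            for src, ev in fails.items() if burst([t for t, _ in ev], threshold, window)}

# Constructed "timestamp src dst dport" records: one source touches 6 ports in 2 s, another reconnects to 443.
CONN_LOG = """\
2024-03-10T08:00:01 10.0.0.5 192.168.1.10 22
2024-03-10T08:00:01 10.0.0.5 192.168.1.10 23
2024-03-10T08:00:02 10.0.0.5 192.168.1.10 25
2024-03-10T08:00:02 10.0.0.5 192.168.1.10 80
2024-03-10T08:00:03 10.0.0.5 192.168.1.10 443
2024-03-10T08:00:03 10.0.0.5 192.168.1.10 3306
2024-03-10T08:00:10 192.168.1.20 192.168.1.10 443
2024-03-10T08:00:11 192.168.1.20 192.168.1.10 443
"""
def detect_port_scans(log, threshold=5, window=timedelta(seconds=30)):
    """{(src, dst): [ports]} where one source first touched >= threshold distinct ports within `window`."""
    first_seen = defaultdict(dict)
    for ts, src, dst, dport in (line.split() for line in log.splitlines()):
        first_seen[(src, dst)].setdefault(int(dport), datetime.fromisoformat(ts))
    return {key: sorted(ports) for key, ports in first_seen.items()
            if burst(ports.values(), threshold, window)}
```

Note that an idle scan as described above shows the zombie's address as the source, so the flagged source is where to start looking, not necessarily the scanner itself.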
Vulnerability scanning is the inspection of potential exploit sites on a computer or network to identify security holes. It detects and classifies systemic weaknesses in computers, networks, and communication devices and predicts the effectiveness of countermeasures.
An exploit is the use of software, data, or commands to “exploit” a weakness in a computer system or program to perform some form of malicious intent, such as a denial-of-service attack, Trojan horses, worms, or viruses. A system weakness can be a bug, glitch, or simply a design vulnerability. The process is known as exploitation.
The following are five steps in the exploitation process:
- scanning target
- exploit selection
- payload selection
- exploit encoding
- launching an attack
To scan the target we use port scanning and vulnerability scanning techniques, using tools such as Nmap, Nessus, etc.
This process involves selecting an exploit. An attacker can call the show exploits command to get a complete list of all available exploits.
Payload selection in Metasploit has become an optimized and elegant process. Payloads are commands that an attacker executes after successfully completing their exploit. These are packaged with an exploit and sent in one combined attack.
Encoding in Metasploit is how exploits and payloads are packaged together and is often done automatically using set commands. Encoding usually dictates how the code will be structured and delivered, and whether or not it contains NOP padding.
Launching an attack
Launching the attack is the easiest part: once all the options are set, the attacker simply calls the exploit. An attacker can also store the entire exploit in an .exe and use it as a client-side or local exploit.
The purpose of the Post-Exploitation phase is to determine the value of the compromised machine and retain control of the machine for later use. The value of the machine is determined by the sensitivity of the data stored on it and the usefulness of the machine in further compromising the network. The methods described in this phase are intended to help
The Metasploit framework provides a graphical user interface, a console interface called msfconsole, and a command line interface called msfcli.
Graphical user interface
To open the Metasploit GUI, open your terminal and type msfgui. You can do essentially the same things from the Metasploit GUI as you can from other interfaces. The GUI is very useful if you are new to Metasploit.
Msfconsole is the most popular interface for the Metasploit Framework. It provides everything you need to run an exploit, load auxiliary modules, enumerate, create listeners, or run mass exploits against multiple targets. It is the only supported way to access most features within Metasploit and is the most stable Metasploit interface. Msfconsole offers tab completion! To open the MSF console, open your terminal and type msfconsole.
Msfcli provides a powerful command-line interface to the Metasploit framework, but does not support any of the advanced automation features of msfconsole. Msfcli is an excellent scripting interface that allows you to redirect its output to other command line tools or to pipe output from other tools into msfcli. Msfcli can be used like msfconsole to run exploits or auxiliary modules, but it is much more difficult to use. It’s useful for specific tasks, like when you’re testing or developing a new exploit. Msfcli is useful when you know exactly which exploit and options you need. To run msfcli, open a terminal and type msfcli. For more help, type msfcli -h.
Armitage is a scriptable red team collaboration tool for Metasploit that visualizes targets, recommends exploits, and reveals advanced post-exploitation features within the framework. It is a free front-end GUI for the Metasploit Framework developed by Raphael Mudge. To run armitage, type armitage in the terminal.