{"id":131,"date":"2019-02-03T12:49:59","date_gmt":"2019-02-03T11:49:59","guid":{"rendered":"https:\/\/privat.andreas-klingler.de\/itsec\/?p=131"},"modified":"2024-09-06T12:22:57","modified_gmt":"2024-09-06T10:22:57","slug":"metasploit","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=131","title":{"rendered":"metasploit"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">The usu\u00adal&nbsp;stuff:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">workspace -a host42 \/\/ To create a new workspace<br>workspace host42 \/\/ To open an existing workspace<br>db_nmap ...<br>hosts<br>services<br>...<br>search smb type:auxiliary<br>...<br>vulns \/\/ Shows all found vulnerabilities<br>creds \/\/ Shows all found credentials<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">General usage<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>back<\/strong> \u2014 delete the cur\u00adrent context<\/li>\n\n\n\n<li><strong>check<\/strong> \u2014 per\u00adforms a check if the tar\u00adget is vul\u00adner\u00ada\u00adble (not sup\u00adport\u00aded from all modules)<\/li>\n\n\n\n<li><strong>con\u00adnect<\/strong> \u2014 Telnet<\/li>\n\n\n\n<li><strong>edit<\/strong> \u2014 Opens <span class=\"caps\">VI<\/span>(m)<\/li>\n\n\n\n<li><strong>info &lt;mod\u00adule&gt;<\/strong> \u2014 shows&nbsp;usage<\/li>\n\n\n\n<li><strong>irb<\/strong> \u2014&nbsp;irb&nbsp;\ud83d\ude42<\/li>\n\n\n\n<li><strong>route<\/strong> \u2014 rere\u00adout\u00aded all traf\u00adfic from a network\/host through a metas\u00adploit session<\/li>\n\n\n\n<li><strong>search<\/strong> \u2014 search\u00ades for any\u00adthing, options can be combined:&nbsp;<ul class=\"wp-block-list\">\n<li>search name:mysql<\/li>\n\n\n\n<li>search platform:linux<\/li>\n\n\n\n<li>search type:post<\/li>\n\n\n\n<li>can be com\u00adbined: search name:mysql platform:linux <br>\n<ul class=\"wp-block-list\">\n<li>grep can be used: <em>grep pat\u00adtern&nbsp;cmd<\/em><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>ses\u00adsions<\/strong> \u2014 man\u00adag\u00ading con\u00adcur\u00adrent run\u00adning sessions<\/li>\n\n\n\n<li><strong>set<\/strong> \u2014 sets frame\u00adwork options and para\u00adme\u00adters like set <span class=\"caps\">RHOST<\/span> 127.0.0.1<\/li>\n\n\n\n<li><strong>unset<\/strong> \u2014 unsets frame\u00adwork options and parameters<\/li>\n\n\n\n<li><strong>setg<\/strong> \u2014 sets glob\u00adal vari\u00adable to be used in the con\u00adsole lat\u00ader. Exam\u00adple: setg <span class=\"caps\">LHOST<\/span> 10.1.1.1<\/li>\n\n\n\n<li><strong>show<\/strong> \u2014 shows many things:&nbsp;<ul class=\"wp-block-list\">\n<li>show aux\u00adil\u00adiary<\/li>\n\n\n\n<li>show exploits<\/li>\n\n\n\n<li>show pay\u00adloads<\/li>\n\n\n\n<li>show options<\/li>\n\n\n\n<li>show tar\u00adgets<\/li>\n\n\n\n<li>show advanced<\/li>\n\n\n\n<li>show encoders<\/li>\n\n\n\n<li>show nops<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>use &lt;mod\u00adule&gt;<\/strong> \u2014 acti\u00advates a module<\/li>\n\n\n\n<li><strong>creds<\/strong> \u2014 man\u00adage found credentials&nbsp;<ul class=\"wp-block-list\">\n<li>Add man\u00adu\u00adal\u00adly: <strong>creds \u2011a 172.16.194.134 \u2011p 445 \u2011u Admin\u00adis\u00adtra\u00adtor \u2011P&nbsp;test<\/strong><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>hosts<\/strong> \u2014 shows retrieved host information<\/li>\n\n\n\n<li><strong>db_nmap<\/strong> per\u00adforms nmap and stores the infor\u00adma\u00adtion to the <span class=\"caps\">DB<\/span>. Then, infor\u00adma\u00adtions can be looked up direct\u00adly, e.g. via <strong>ser\u00advices \u2011p 443<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Payloads<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Staged pay\u00adload with \/: <code>payload\/linux\/x86\/shell\/reverse_tcp<\/code><\/li>\n\n\n\n<li>Non-Staged pay\u00adload with\u00adout \/: <code>payload\/linux\/x86\/shell_reverse_tcp<\/code><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Working with sessions<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Sin\u00adgles<\/strong> sin\u00adgle pay\u00adload which can be inte\u00adgrat\u00aded in an attack<\/li>\n\n\n\n<li><strong>Stagers<\/strong> Pay\u00adload is loaded direct\u00adly from the attack\u00ader\u2019s sys\u00adtem after an attack.<\/li>\n\n\n\n<li><strong>Stages<\/strong> Pay\u00adloads is loaded via the net\u00adwork from any\u00adwhere after an attack.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Using the database<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">A data\u00adbase can be used to store infor\u00adma\u00adtions, pay\u00adloads, etc. To cre\u00adate a ini\u00adtial db, use <strong>msfdb init<\/strong> before open\u00ading msfconsole.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>work\u00adspace<\/strong> \u2014 shows all workspaces<\/li>\n\n\n\n<li><strong>work\u00adsapace \u2011a &lt;name&gt;<\/strong> \u2014 cre\u00adates a workspace<\/li>\n\n\n\n<li><strong>work\u00adspace &lt;name&gt;<\/strong> \u2014 switch\u00ades to a workspace<\/li>\n\n\n\n<li><strong>work\u00adspace \u2011d &lt;name&gt;<\/strong> \u2014 deletes a workspace<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">With <strong>db_export \u2011f xml \/root\/e.xml<\/strong>, a work\u00adspace can be exported.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Local Modules<\/h3>\n","protected":false},"excerpt":{"rendered":"<p>The usu\u00adal&nbsp;stuff: work\u00adspace \u2011a host42 \/\/ To cre\u00adate a new work\u00adspace\u00adwork\u00adspace host42 \/\/ To open an exist\u00ading workspacedb_nmap \u2026hostsservices\u2026search smb type:auxiliary\u2026vulns \/\/ Shows all found vul\u00adner\u00ada\u00adbil\u00adi\u00adti\u00ades\u00adcreds \/\/ Shows all found cre\u00adden\u00adtials Gen\u00ader\u00adal usage Pay\u00adloads Work\u00ading with ses\u00adsions Using the data\u00adbase A data\u00adbase can be used to store infor\u00adma\u00adtions, pay\u00adloads, etc. To cre\u00adate a ini\u00adtial&nbsp;db,&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[468],"tags":[63,134,46],"class_list":["post-131","post","type-post","status-publish","format-standard","hentry","category-general","tag-metasploit","tag-meterpreter","tag-ssh"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/131","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=131"}],"version-history":[{"count":38,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/131\/revisions"}],"predecessor-version":[{"id":4262,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/131\/revisions\/4262"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=131"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=131"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=131"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}