What is the MSFconsole?
The msfconsole is probably the most popular interface to the Metasploit Framework (MSF). It provides an "all-in-one" centralized console and gives you efficient access to virtually all of the options available in the MSF. MSFconsole may seem intimidating at first, but once you learn the syntax of the commands you will come to appreciate the power of this interface.
Benefits to Using MSFconsole:
* It is the only supported way to access most of the features within Metasploit.
* Provides a console-based interface to the framework.
* Contains the most features and is the most stable MSF interface.
* Full readline support, tabbing, and command completion.
* Execution of external commands from within msfconsole is possible (a command the console does not recognise is handed to the host shell).
Open MSFconsole
The MSFconsole is launched by simply running msfconsole from the command line. On Kali the msfconsole script itself is installed as /usr/share/metasploit-framework/msfconsole.
The -q option removes the launch banner by starting msfconsole in quiet mode.
How to Use the msfconsole Command Prompt
You can pass -h to msfconsole to see the other usage options available to you.
Entering help or a ? at the msf command prompt will display a listing of available commands along with a description of what they are used for.
Tab Completion on MSFconsole
The MSFconsole is designed to be fast to use, and one of the features that helps this goal is tab completion. With the wide array of modules available, it can be difficult to remember the exact name and path of the particular module you wish to use. As with most other shells, entering what you know and pressing 'Tab' will present you with a list of the options available or auto-complete the string if there is only one option. Tab completion depends on the ruby readline extension, and nearly every command in the console supports it. Some partial strings you can complete with Tab:
* use exploit/windows/dce
* use .*netapi.*
* set LHOST
* show
* set TARGET
* set PAYLOAD windows/shell/
* exp
MSFconsole Core Commands
back: Once you have finished working with a particular module, or if you inadvertently select the wrong module, you can issue the back command to move out of the current context. This, however, is not required. Just as you can in commercial routers, you can switch modules from within other modules. As a reminder, variables will only carry over if they are set globally.
msf auxiliary(ms09_001_write) > back
msf >
banner: Simply displays a randomly selected banner.
check: There aren't many exploits that support it, but there is also a check option that will check to see if a target is vulnerable to a particular exploit instead of actually exploiting it.
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 172.16.194.134 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf exploit(ms08_067_netapi) > check
[*] Verifying vulnerable status... (path: 0x0000005a)
[*] System is not vulnerable (status: 0x00000000)
[*] The target is not exploitable.
msf exploit(ms08_067_netapi) >
color: You can enable or disable whether the output you get through the msfconsole will contain colors.
msf > color
Usage: color <'true'|'false'|'auto'>
Enable or disable color output.
connect: There is a miniature Netcat clone built into the msfconsole that supports SSL, proxies, pivoting, and file transfers. By issuing the connect command with an IP address and port number, you can connect to a remote host from within msfconsole the same as you would with Netcat or Telnet.
msf > connect 192.168.1.1 23
[*] Connected to 192.168.1.1:23
DD-WRT v24 std (c) 2008 NewMedia-NET GmbH
Release: 07/27/08 (SVN revision: 10011)
DD-WRT login:
You can see all the additional options by issuing connect -h.
edit: The edit command will edit the current module with $VISUAL or $EDITOR. By default, this will open the current module in Vim.
msf exploit(ms10_061_spoolss) > edit
[*] Launching /usr/bin/vim /usr/share/metasploit-framework/modules/exploits/windows/smb/ms10_061_spoolss.rb
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/windows_error'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::DCERPC
include Msf::Exploit::Remote::SMB
include Msf::Exploit::EXE
include Msf::Exploit::WbemExec
def initialize(info = {})
exit: The exit command will simply exit msfconsole.
msf exploit(ms10_061_spoolss) > exit
root@kali: #
grep: The grep command is similar to Linux grep. It matches a given pattern in the output of another msfconsole command; the pattern comes first, followed by the command whose output should be filtered. For example, to match output containing the string "http" from a search for modules containing the string "oracle":
msf > grep http search oracle
info: The info command will provide detailed information about a particular module including all options, targets, and other information. Be sure to always read the module description prior to using it, as some modules may have undesired effects.
The info command also provides the following information:
* The author and licensing information.
* Vulnerability references (ie: CVE, BID, etc).
* Any payload restrictions the module may have.
irb: Running the irb command will drop you into a live Ruby interpreter shell where you can issue commands and create Metasploit scripts on the fly. This feature is also very useful for understanding the internals of the Framework.
msf > irb
[*] Starting IRB shell...
>> puts "Hello, metasploit!"
Hello, metasploit!
=> nil
>> Framework::Version
=> "4.8.2-2014022601"
jobs: Jobs are modules that are running in the background. The jobs command provides the ability to list and terminate these jobs.
kill: The kill command will kill any running job when supplied with the job id.
msf exploit(ms10_002_aurora) > kill 0
Stopping job: 0...
[*] Server stopped.
load: The load command loads a plugin from Metasploit's plugin directory. Arguments are passed as key=val on the shell.
msf > load
Usage: load [var=val var=val ...]
Loads a plugin from the supplied path. If path is not absolute, first looks
in the user's plugin directory (/root/.msf4/plugins) then
in the framework root plugin directory (/usr/share/metasploit-framework/plugins).
The optional var=val options are custom parameters that can be passed to plugins.
msf > load pcap_log
[*] PcapLog plugin loaded.
[*] Successfully loaded plugin: pcap_log
loadpath: The loadpath command will load a third-party module tree from the given path, so you can point Metasploit at your own 0-day exploits, encoders, payloads, etc.
msf > loadpath /home/secret/modules
Loaded 0 modules.
unload: Conversely, the unload command unloads a previously loaded plugin and removes any commands it added.
msf > unload pcap_log
Unloading plugin pcap_log...unloaded.
resource: The resource command runs resource (batch) files that can be loaded through msfconsole.
msf > resource
Usage: resource path1 [path2 ...]
Run the commands stored in the supplied files. Resource files may also contain
ruby code between <ruby></ruby> tags.
See also: makerc
Some attacks, such as Karmetasploit, use resource files to run a set of commands from a karma.rc file to build the attack. Later, we will discuss how, outside of Karmetasploit, this can be very useful.
msf > resource karma.rc
[*] Processing karma.rc for ERB directives.
resource (karma.rc_.txt)> db_connect postgres:toor@127.0.0.1/msfbook
resource (karma.rc_.txt)> use auxiliary/server/browser_autopwn
...snip...
Batch files can greatly speed up testing and development as well as allow the user to automate many tasks. Besides loading a batch file from within msfconsole, one can also be passed at startup using the -r flag. The simple example below creates a batch file that displays the Metasploit version number at startup.
root@kali: # echo version > version.rc
root@kali: # msfconsole -r version.rc
Frustrated with proxy pivoting? Upgrade to layer-2 VPN pivoting with
Metasploit Pro -- type 'go_pro' to launch it now.
=[ metasploit v4.8.2-2014021901 [core:4.8 api:1.0] ]
+ -- --=[ 1265 exploits - 695 auxiliary - 202 post ]
+ -- --=[ 330 payloads - 32 encoders - 8 nops ]
[*] Processing version.rc for ERB directives.
resource (version.rc)> version
Framework: 4.8.2-2014022601
Console : 4.8.2-2014022601.15168
msf >
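The processing order that the resource command and the -r flag apply to a batch file matters in practice: ERB directives are expanded before any line runs, plain lines are handed to the console one at a time, and text between <ruby></ruby> tags is evaluated as Ruby with the console's run_single method in scope. The Ruby below is an added emulation of that order written for this page; it is not Metasploit's own loader. The FakeConsole class, the SAMPLE_RC contents and the target_net variable are all constructed for the illustration.

```ruby
require 'erb'

# Constructed sample resource file (illustrative, not taken from the page).
# Plain lines are console commands, <%= %> is ERB expanded before anything
# runs, and the <ruby>...</ruby> block is evaluated with run_single in scope.
SAMPLE_RC = <<~'RC'
  # globals first, so every module that follows inherits them
  setg RHOSTS <%= target_net %>
  setg THREADS 20
  use auxiliary/scanner/portscan/tcp
  set PORTS 445
  run
  <ruby>
  # Ruby runs with the console as self, so run_single drives the console
  [139, 445].each { |port| run_single("set PORTS #{port}") }
  </ruby>
  back
RC

# Stand-in for the console driver: it records commands instead of running
# them, so the processing order can be inspected offline.
class FakeConsole
  attr_reader :history

  def initialize
    @history = []
  end

  # What a console command handler would receive for each line.
  def run_single(line)
    @history << line.strip
  end

  # Emulates resource loading: ERB first, then line by line, with <ruby>
  # blocks collected and evaluated instead of being passed as commands.
  def load_resource(text, vars = {})
    expanded = ERB.new(text).result_with_hash(vars)
    ruby_buf = nil
    expanded.each_line do |raw|
      line = raw.strip
      if ruby_buf                       # inside a <ruby> block
        if line == '</ruby>'
          instance_eval(ruby_buf)       # self is the console, so run_single works
          ruby_buf = nil
        else
          ruby_buf << raw
        end
      elsif line == '<ruby>'
        ruby_buf = +''                  # start collecting Ruby source
      elsif line.empty? || line.start_with?('#')
        next                            # blank lines and comments are skipped
      else
        run_single(line)
      end
    end
    raise 'unterminated <ruby> block in resource file' if ruby_buf
    history
  end
end

if __FILE__ == $PROGRAM_NAME
  puts FakeConsole.new.load_resource(SAMPLE_RC, target_net: '10.0.0.0/24')
end
```

The two-stage order is the point to remember: an ERB directive can only see what is available when the file is read (environment, arguments), while a <ruby> block runs in sequence with the commands around it and can loop, branch and call run_single, which is how a resource script can iterate over hosts or ports without repeating lines. A real file written this way is run with msfconsole -q -r scan.rc or resource scan.rc from the prompt.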
route: The route command in Metasploit allows you to route sockets through a session or 'comm', providing basic pivoting capabilities. To add a route, you pass the target subnet and network mask followed by the session (comm) number.
search: The msfconsole includes an extensive regular-expression based search facility. If you have a general idea of what you are looking for, you can find it via search. Searching for EternalBlue, for example, will locate that string within the module names, descriptions, references, etc. Note that the naming convention for Metasploit modules uses underscores rather than hyphens.
search -h: You can further refine your searches by using the built-in keyword system; search -h lists the keywords the console understands.
name: To search using a descriptive name, use the name keyword.
platform: You can use platform to narrow down your search to modules that affect a specific platform.
type: Using type lets you filter by module type such as auxiliary, post, exploit, etc.
author: Searching with the author keyword lets you search for modules by your favourite author.
multiple: You can also combine multiple keywords to further narrow down the returned results.
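To make the keyword rules concrete (a free-text term is matched against every field, a keyword:value term is scoped to one field, and all terms must match), here is an added Ruby emulation of that filtering written for this page. It is not Metasploit's search code; the MODULES index, the author handles and the platform values are constructed for the example.

```ruby
# Constructed module index. The field names mirror what search inspects
# (name, descriptive title, platform, type, authors, references), but the
# authors and platforms here are placeholders, not real module metadata.
MODULES = [
  { type: 'exploit', name: 'windows/smb/ms08_067_netapi',
    title: 'MS08-067 Microsoft Server Service Relative Path Stack Corruption',
    platform: 'windows', authors: ['alice'], refs: ['CVE-2008-4250'] },
  { type: 'exploit', name: 'windows/smb/ms17_010_eternalblue',
    title: 'MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption',
    platform: 'windows', authors: ['bob', 'carol'], refs: ['CVE-2017-0144'] },
  { type: 'auxiliary', name: 'scanner/mysql/mysql_login',
    title: 'MySQL Login Utility',
    platform: '', authors: ['dave'], refs: [] },
  { type: 'post', name: 'linux/gather/hashdump',
    title: 'Linux Gather Dump Password Hashes for Linux Systems',
    platform: 'linux', authors: ['carol'], refs: [] },
].freeze

# Which fields each keyword is scoped to.
KEYWORD_FIELDS = {
  'name'     => ->(m) { [m[:name], m[:title]] },
  'platform' => ->(m) { [m[:platform]] },
  'type'     => ->(m) { [m[:type]] },
  'author'   => ->(m) { m[:authors] },
  'cve'      => ->(m) { m[:refs] },
}.freeze

# A bare term with no keyword is matched against everything.
def every_field(m)
  [m[:name], m[:title], m[:platform], m[:type], *m[:authors], *m[:refs]]
end

# Emulates `search term keyword:value ...`: every term becomes a
# case-insensitive regex, keyworded terms are scoped to one field, and a
# module is returned only if all terms match (AND). Returns "type/name".
def msf_search(query, index = MODULES)
  terms = query.split
  return [] if terms.empty?
  index.select do |m|
    terms.all? do |term|
      key, value = term.split(':', 2)
      fields = if value && KEYWORD_FIELDS.key?(key)
                 KEYWORD_FIELDS[key].call(m)
               else
                 value = term            # unknown keyword or none: free text
                 every_field(m)
               end
      re = Regexp.new(value, Regexp::IGNORECASE)   # raises on a bad regex
      fields.any? { |f| re.match?(f) }
    end
  end.map { |m| "#{m[:type]}/#{m[:name]}" }.sort
end

if __FILE__ == $PROGRAM_NAME
  puts msf_search('eternalblue')
  puts msf_search('smb cve:2008')
  puts msf_search('name:ms\d\d_\d{3}')
end
```

Two behaviours worth noticing: adding a keyword can only shrink the result set, so "smb platform:linux" returns nothing even though "smb" alone matches two modules, and because each term is a regex, "name:ms\d\d_\d{3}" picks out both MSyy_nnn style module names in one query.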
sessions: The sessions command allows you to list, interact with, and kill spawned sessions. The sessions can be shells, Meterpreter sessions, VNC, etc.
To list any active sessions, pass the -l option to sessions.
msf exploit(3proxy) > sessions -l
Active sessions
===============
Id Description Tunnel
-- ----------- ------
1 Command shell 192.168.1.101:33191 -> 192.168.1.104:4444
To interact with a given session, you just need to use the -i switch followed by the Id number of the session.
msf exploit(3proxy) > sessions -i 1
[*] Starting interaction alongside 1...
C:\WINDOWS\system32>
set: The set command allows you to configure Framework options and parameters for the current module you are working with.
msf exploit(ms09_050_smb2_negotiate_func_index) > set RHOST 172.16.194.134
RHOST => 172.16.194.134
msf exploit(ms09_050_smb2_negotiate_func_index) > show options
Module options (exploit/windows/smb/ms09_050_smb2_negotiate_func_index):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 172.16.194.134 yes The target address
RPORT 445 yes The target port
WAIT 180 yes The number of seconds to wait for the attack to complete.
Exploit target:
Id Name
-- ----
0 Windows Vista SP1/SP2 and Server 2008 (x86)
Metasploit also allows you to set an encoder to use at run-time. This is particularly useful in exploit development when you aren't quite sure which payload encoding methods will work with a given exploit.
msf exploit(ms09_050_smb2_negotiate_func_index) > show encoders
Compatible Encoders
===================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
generic/none normal The "none" Encoder
x86/alpha_mixed low Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper low Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_utf8_tolower manual Avoid UTF8/tolower
x86/call4_dword_xor normal Call+4 Dword XOR Encoder
x86/context_cpuid manual CPUID-based Context Keyed Payload Encoder
x86/context_stat manual stat(2)-based Context Keyed Payload Encoder
x86/context_time manual time(2)-based Context Keyed Payload Encoder
x86/countdown normal Single-byte XOR Countdown Encoder
x86/fnstenv_mov normal Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive normal Jump/Call XOR Additive Feedback Encoder
x86/nonalpha low Non-Alpha Encoder
x86/nonupper low Non-Upper Encoder
x86/shikata_ga_nai excellent Polymorphic XOR Additive Feedback Encoder
x86/single_static_bit manual Single Static Bit
x86/unicode_mixed manual Alpha2 Alphanumeric Unicode Mixedcase Encoder
x86/unicode_upper manual Alpha2 Alphanumeric Unicode Uppercase Encoder
unset: The opposite of the set command, of course, is unset. unset removes a parameter previously configured with set. You can remove all assigned variables with unset all.
msf > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf > set THREADS 50
THREADS => 50
msf > set
Global
======
Name Value
---- -----
RHOSTS 192.168.1.0/24
THREADS 50
msf > unset THREADS
Unsetting THREADS...
msf > unset all
Flushing datastore...
msf > set
Global
======
No entries in data store.
msf >
setg: In order to save a lot of typing during a pentest, you can set global variables within msfconsole. You do this with the setg command. Once these have been set, you can use them in as many exploits and auxiliary modules as you like. You can also save them for use the next time you start msfconsole. However, the pitfall is forgetting that you have saved globals, so always check your options before you run or exploit. Conversely, you can use the unsetg command to unset a global variable. In the examples that follow, variables are entered in all-caps (ie: LHOST), but Metasploit option names are case-insensitive so it is not necessary to do so.
msf > setg LHOST 192.168.1.101
LHOST => 192.168.1.101
msf > setg RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf > setg RHOST 192.168.1.136
RHOST => 192.168.1.136
After setting your various variables, you can run the save command to save your current environment and settings. With your settings saved, they will be automatically loaded on startup, which saves you from having to set everything again.
msf > save
Saved configuration to: /root/.msf4/config
msf >
Read more in Offensive Security: MSFconsole and MSFconsole commands