Metasploit Commands

We will go through the basic Metasploit commands quickly so we can get started with the fun part and learn how to use the exploits on a vulnerable machine like Metasploitable 2. The basic commands consist of help, back, exit and info.

Use, back and exit commands

The use command in Metasploit activates a particular module and changes the context of the msfconsole to that module. The exploit name is shown in red on the command line as follows:
[Screenshot: Metasploit use command]
In this example we have changed the context of the command line to the exploit called realvnc_client. From here on we can retrieve information about this exploit, set the required exploit parameters and run it against a target.
If we want to leave the exploit context and switch back to the msfconsole we need to use the back command. The back command will take us back to the msfconsole in the general context. From here on we can issue the use command again to switch to another Metasploit module.
The exit command will close the msfconsole and will take you back to the Kali Linux terminal.

Help command

As we’ve seen earlier in this tutorial the help command will return a list of possible commands together with a description when typed at the msfconsole. When there is an active exploit selected we can use the help command to get a list of exploit commands:
[Screenshot: Metasploit exploit help command]

Info command

When an exploit is selected with the use command we can retrieve information like the name, platform, author, available targets and a lot more by using the info command. In the following screenshot we've used the info command on an exploit named ie_execcommand_uaf:
[Screenshot: Metasploit info command]

Search command

As of this writing Metasploit contains over 1.500 different exploits and new ones are added regularly. With this number of exploits the search function, and knowing how to use it, becomes very important. The easiest way of using the search function is by issuing the command search followed by a search term, for example flash to search for exploits related to Flash player. Metasploit will then look for the given search term in the module names and descriptions as follows:
[Screenshot: Metasploit search flash exploits]
As expected there are a lot of exploits related to the often vulnerable Flash player software. The list also includes CVE-2015-5122 Adobe Flash opaqueBackground Use After Free zero-day which was discovered in the Hacking Team data breach last year.

Searching for exploits with keywords

You can also use the search command with a keyword to search for a specific author, an OSVDB ID or a platform. The 'help search' command displays the available keywords in the msfconsole as follows:
[Screenshot: Metasploit help search command]
The usage of the search command with a keyword is pretty straightforward and is displayed at the bottom of the help text. The following command is used to search for modules with a CVE ID from 2016:
msf > search cve:2016
This returns all exploits with a CVE ID from 2016, including an auxiliary scanner module for the very recent Fortinet firewall SSH backdoor:
[Screenshot: Metasploit exploits 2016]
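
A model of the keyword search described above, as an added example that is not Metasploit's own code: free-text terms match the module name and description, and keyword:value terms filter on one field. The module records, authors and IDs are constructed placeholders, and requiring every term to match is an assumption of this example.

```python
from dataclasses import dataclass, field

KEYWORDS = {"author", "osvdb", "platform", "cve"}  # the keywords the text names

@dataclass
class Module:
    path: str
    description: str
    author: str = ""
    platform: str = ""
    cve: list = field(default_factory=list)
    osvdb: list = field(default_factory=list)

# Constructed records: paths, authors and IDs are placeholders, not real modules.
INDEX = [
    Module("exploit/example/flash_player_uaf", "Example Flash Player use after free",
           author="alice", platform="windows", cve=["2015-0001"]),
    Module("auxiliary/example/ssh_backdoor_scanner", "Example SSH backdoor scanner",
           author="bob", platform="linux", cve=["2016-0002"]),
    Module("exploit/example/cms_upload", "Example CMS file upload",
           author="alice", platform="linux", cve=["2016-0003"], osvdb=["12345"]),
]

def parse_query(query):
    """Split 'flash cve:2016' into free-text terms and (keyword, value) filters."""
    text, filters = [], []
    for term in query.lower().split():
        key, sep, value = term.partition(":")
        if sep and key in KEYWORDS and value:
            filters.append((key, value))
        else:
            text.append(term)  # unknown keyword or bare word: plain text match
    return text, filters

def matches(module, text, filters):
    haystack = f"{module.path} {module.description}".lower()
    if not all(term in haystack for term in text):
        return False
    for key, value in filters:
        stored = getattr(module, key)
        values = stored if isinstance(stored, list) else [stored]
        if not any(value in v.lower() for v in values):
            return False
    return True  # assumption: every term must match (AND)

def search(query, index=INDEX):
    text, filters = parse_query(query)
    return [m.path for m in index if matches(m, text, filters)]
```

A defender can use the same cve: filter to see which CVEs from a vulnerability scan already have a public module and move those to the front of the patch queue.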

Metasploit commands for exploits

In the previous chapter we’ve learned the Metasploit commands to activate an exploit on the msfconsole and change the command line context to the exploit with the use command. Now we will be looking at how to show the exploit parameters and how to change them with the set command. We will also be looking at how to show the payloads, targets, advanced and evasion options. The help show command will display the available parameters for the show command:
[Screenshot: Metasploit help show command]

Show options

The show options command will show you the available parameters for an exploit if used when the command line is in exploit context. Let’s use the adobe_flash_shader_drawing_fill exploit and have a look at the options with the following command:
msf > use exploit/multi/browser/adobe_flash_shader_drawing_fill
Followed by the show options command:
msf > show options
[Screenshot: Metasploit show exploit options command]
The Flash exploit contains a total of 6 options, of which only 2 are required:
  • Retries
  • SRVHOST (Required)
  • SRVPORT (Required)
  • SSL
  • SSLCert
  • URLPath
Note that the show options command also returns the currently selected target below the module options. The default target is 0, which is Windows for the selected exploit.
Use the set command followed by the option name and the new value to change the default values:
set SRVHOST to change the SRVHOST value to
set SRVPORT 80 to change the port from 8080 to 80
[Screenshot: Metasploit set exploit options command]
By using the show options command again you can verify that the SRVHOST and SRVPORT values have been changed. You can change Boolean values by using the set command with option name and true or false.
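
One way to check a saved show options listing for required options that are still empty, as an added example that is not part of the original tutorial or of Metasploit. The table is constructed from the six option names listed above, with SRVHOST left blank and placeholder descriptions; parse_options and missing_required are hypothetical names.

```python
import re

# Constructed sample of a "show options" table; values and descriptions are placeholders.
SAMPLE = """\
Module options (exploit/multi/browser/adobe_flash_shader_drawing_fill):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Retries  true             no        constructed placeholder text
   SRVHOST                   yes       constructed placeholder text
   SRVPORT  8080             yes       constructed placeholder text
   SSL      false            no        constructed placeholder text
   SSLCert                   no        constructed placeholder text
   URLPath                   no        constructed placeholder text
"""

def parse_options(text):
    """Parse the fixed-width table into one dict per option."""
    lines = text.splitlines()
    # The row of dashes under the header gives each column's start offset.
    rule = next(i for i, line in enumerate(lines)
                if re.fullmatch(r"\s*-+(\s+-+)+\s*", line))
    starts = [m.start() for m in re.finditer(r"-+", lines[rule])]
    bounds = list(zip(starts, starts[1:] + [None]))
    header = [lines[rule - 1][a:b].strip() for a, b in bounds]
    rows = []
    for line in lines[rule + 1:]:
        if not line.strip():
            break  # a blank line ends the table
        # Slicing by offset keeps empty cells empty; splitting on whitespace
        # would shift "yes" into the Current Setting column for SRVHOST.
        rows.append({h: line[a:b].strip() for h, (a, b) in zip(header, bounds)})
    return rows

def missing_required(rows):
    """Names of options marked Required whose Current Setting is empty."""
    return [r["Name"] for r in rows
            if r["Required"] == "yes" and not r["Current Setting"]]
```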

Show payloads

When we use the show payloads command the msfconsole will return a list of compatible payloads for this exploit. In our flash player exploit example it will return quite a few compatible payloads:
[Screenshot: Metasploit show payloads command. An overview of compatible payloads.]
To use a certain payload you need to use the set command followed by the payload name:
set payload linux/x86/exec
[Screenshot: Metasploit set payload command]

Show targets

The show targets command will return a list of operating systems which are vulnerable to the selected exploit. When we run the command we get the following output for the adobe_flash_shader_drawing_fill exploit:
[Screenshot: Metasploit show targets command. An overview of available targets for the selected exploit.]
This exploit targets both Windows and Linux operating systems. Note that we can use the info command to get additional info about this exploit and targets.
To set a target we can use the command set followed by the target ID:
set target 1
Setting the target reduces the list of payloads considerably, because only payloads that are compatible with the target are shown:
[Screenshot: Metasploit show reduced list of payloads command]

Show advanced

By using the show advanced command we can have a look at the advanced options for the exploit.
[Screenshot: Metasploit show advanced options command]
Use the set command followed by the advanced parameter and the new value to change the advanced settings:
set DisablePayloadHandler true
[Screenshot: Metasploit set advanced options command]

Show encoders

The show encoders command will return the compatible encoders. Encoders are used to evade simple IDS/IPS signatures that are looking for certain bytes of your payload. We will be looking at encoders in detail in a later chapter of the Metasploit tutorials.
[Screenshot: Metasploit show encoders command]
To use an encoder use the set command followed by the name of the encoder.

Show nops

The show nops command will return a list of NOP generators. NOP is short for No Operation; a NOP generator is used to change the pattern of a NOP sled in order to bypass simple IDS/IPS signatures of common NOP sleds. The names of the NOP generators start with the CPU architecture. We will be looking at NOPs in a later chapter of this tutorial.
[Screenshot: Metasploit show nops command]
To use a NOP generator use the set command followed by the name of the NOP generator. When the exploit is launched the NOP sleds will be taken from the NOP generator.

Show evasion

The show evasion command returns a list of available evasion techniques.
[Screenshot: Metasploit show evasion command]
To change evasion settings use the set command followed by the evasion parameter and the new value.
When all the required options have been set for the exploit, including a payload and advanced settings like a NOP generator, evasion options and encoding, the exploit is ready to be executed. The exploit can be executed using two commands: run and exploit. Just type run or exploit in the msfconsole and the exploit will run.
This concludes the Metasploit commands tutorial for now. If you have questions regarding any of the mentioned or unmentioned commands, please ask them using the comment functionality below this post. In the next Metasploit tutorial we will be enumerating the Metasploitable 2 machine. After that we will be doing a vulnerability assessment with the gathered information. If you haven't installed Metasploitable 2 yet, you can follow the Metasploitable 2 installation tutorial first.