#readwise
# Using the Metasploit Framework - Modules

## Metadata
- Author: [[Hack The Box]]
- Full Title: Using the Metasploit Framework - Modules
## Summary
Metasploit modules are scripts designed to exploit vulnerabilities in systems. Users can search for specific modules and customize them for their targets. Each module has tags that indicate its type, operating system, and service it targets. After setting the necessary options, users can launch attacks and interact with the target machine.
## Highlights
Metasploit `modules` are prepared scripts with a specific purpose and corresponding functions that have already been developed and tested in the wild. The `exploit` category consists of so-called proofs of concept (`PoCs`) that can be used to exploit existing vulnerabilities in a largely automated manner. ([View Highlight](https://read.readwise.io/read/01jq60e3yn4c6mgkx3yef7gsdc))
---
Once we are in the `msfconsole`, we can select from an extensive list containing all the available Metasploit modules. Each of them is structured into folders, which will look like this: ^z0tkbd
```
<No.> <type>/<os>/<service>/<name>
```
^3rvvo0
Example:
```
794 exploit/windows/ftp/scriptftp_list
```
([View Highlight](https://read.readwise.io/read/01jq60fqtgc1kvfjhw64kbpm34))
---
The `No.` tag will be displayed to select the exploit we want afterward during our searches. We will see how helpful the `No.` tag can be to select specific Metasploit modules later. ([View Highlight](https://read.readwise.io/read/01jq60g3t2s961sw2x9q6kazp5))
---
The `Type` tag is the first level of segregation between the Metasploit `modules`. Looking at this field, we can tell what the piece of code for this module will accomplish. Some of these `types` are not directly usable the way an `exploit` module is; they exist to give structure alongside the interactable ones for better modularization. To explain better, here are the possible types that could appear in this field:
| Type | Description |
| ----------- | ----------------------------------------------------------------------------------------------- |
| `Auxiliary` | Scanning, fuzzing, sniffing, and admin capabilities. Offer extra assistance and functionality. |
| `Encoders` | Ensure that payloads arrive intact at their destination. |
| `Exploits` | Defined as modules that exploit a vulnerability that will allow for the payload delivery. |
| `NOPs` | (No Operation code) Keep the payload sizes consistent across exploit attempts. |
| `Payloads` | Code that runs remotely and calls back to the attacker machine to establish a connection (or shell). |
| `Plugins` | Additional scripts that can be integrated into an assessment with `msfconsole` and coexist with it. |
| `Post` | Wide array of modules to gather information, pivot deeper, etc. |
^p12aos
([View Highlight](https://read.readwise.io/read/01jq60h72wawyj20z3j12f5ryv))
---
Metasploit also offers a well-developed search function for the existing modules. With the help of this function, we can quickly search through all the modules using specific `tags` to find a suitable one for our target. ([View Highlight](https://read.readwise.io/read/01jq60mmbc24m8m52vt3dm81py))
---
We can also make our search narrower and reduce it to one category of services. For example, for the CVE, we could specify the year (`cve:<year>`), the platform Windows (`platform:<os>`), the type of module we want to find (`type:<auxiliary/exploit/post>`), the reliability rank (`rank:<rank>`), and the search name (`<pattern>`). ([View Highlight](https://read.readwise.io/read/01jq60pabn9xeeeqz580jyxsc2)) ^3mbyx5
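The listing format shown above and the `type:`/`platform:` search keys, as an added example that is not part of the HTB text: a small Python parser for `<No.> <type>/<os>/<service>/<name>` lines plus a filter in the same `key:value` style, useful for tallying which module types and services appear in a saved `search` output. The listing lines are constructed; the parser assumes the first path component is the type, the last is the name, and anything in between is platform then service, so shorter paths such as `exploit/multi/handler` parse as well.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Module:
    number: int
    type: str
    platform: str  # second path component, "" when the path has none
    service: str   # remaining middle components, "" when there are none
    name: str
    path: str

# Only the number and the path are read; extra columns that a real `search` prints
# (disclosure date, rank, check, description) are ignored if present.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)")

def parse_line(line: str) -> Module:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a module listing line: {line!r}")
    number, path = int(m.group(1)), m.group(2)
    parts = path.split("/")
    if len(parts) < 2:
        raise ValueError(f"need at least <type>/<name>: {path!r}")
    middle = parts[1:-1]  # exploit/multi/handler has a platform but no service
    platform = middle[0] if middle else ""
    return Module(number, parts[0], platform, "/".join(middle[1:]), parts[-1], path)

def parse_query(query: str):
    """Split 'type:exploit platform:windows ftp' into key filters and free patterns."""
    filters, patterns = {}, []
    for tok in query.split():
        key, sep, val = tok.lower().partition(":")
        if sep and key in ("type", "platform"):
            filters[key] = val
        elif sep:  # cve:, rank: etc. are not carried by the listing line, so refuse them
            raise ValueError(f"search key not carried by the listing: {key}")
        else:
            patterns.append(tok.lower())
    return filters, patterns

def search(modules, query: str):
    filters, patterns = parse_query(query)
    return [m for m in modules
            if all(getattr(m, k) == v for k, v in filters.items())
            and all(p in m.path.lower() for p in patterns)]

# Constructed listing in the page's format (numbers are made up).
SAMPLE_LISTING = ["794 exploit/windows/ftp/scriptftp_list",  # the page's own example
                  "12 auxiliary/scanner/ftp/ftp_version", "3 exploit/multi/handler"]
MODULES = [parse_line(l) for l in SAMPLE_LISTING]
```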
---
Within the interactive modules, there are several options that we can specify. These are used to adapt the Metasploit module to the given environment, because in most cases we need to scan or attack different IP addresses, so we require this kind of functionality to set our targets and fine-tune them. To check which options need to be set before the exploit can be sent to the target host, we can use the `show options` command. Everything required to be set before the exploitation can occur will have a `Yes` under the `Required` column. ([View Highlight](https://read.readwise.io/read/01jq60td8h3x1g1eft8yzv0vq1))
---
We can use the command `info` after selecting the module if we want to know more about it. This will give us a set of information that can be important for us. ([View Highlight](https://read.readwise.io/read/01jq60yb226mcfz5fy3a7ekr2h))
---
After we are satisfied that the selected module is the right one for our purpose, we need to set some specifications to customize the module to use it successfully against our target host, such as setting the target (`RHOST` or `RHOSTS`). ([View Highlight](https://read.readwise.io/read/01jq60z1fp0e1kthdk7mfefm6j))
```
set RHOSTS 10.10.10.40
```
([View Highlight](https://read.readwise.io/read/01jq60zag5ny4phn2n6q2jhdyd))
---
In addition, there is the option `setg`, which specifies options selected by us as permanent until the program is restarted. Therefore, if we are working on a particular target host, we can use this command to set the IP address once and not change it again until we change our focus to a different IP address. ([View Highlight](https://read.readwise.io/read/01jq60zwnvtah3rg9tgzt8rxbr))
---
Finally, since we are about to use a TCP-based reverse shell (`/windows/meterpreter/reverse_tcp`), we need to specify which IP address it should connect to in order to establish a connection. Therefore, we need to set `LHOST` to our own IP address as follows: ([View Highlight](https://read.readwise.io/read/01jq610t4h11t9pmgxx9wjdz8s))
---
Once everything is set and ready to go, we can proceed to launch the attack. Note that the payload was not set here, as the default one is sufficient for this demonstration. ([View Highlight](https://read.readwise.io/read/01jq6116xb9t9vysdmthvam6dn))
---