enabling the database#

Metasploit can be configured to store the loot it gathers in a PostgreSQL database for later reference. The loot includes, among other things, hosts, services, creds and vulns.

```shell
# Set up the database
sudo systemctl enable postgresql
sudo msfdb init
```

```shell
# Use the db
msf6 > db_status                    # check the connection
msf6 > db_import <filename>         # import data from external tools, e.g. Nmap XML output
msf6 > db_connect -y /usr/share/metasploit-framework/config/database.yml
msf6 > db_export -f xml <filename>  # export the db; useful if you're using different attacking machines
```

It's worth running db_import without a parameter to make sure the connection to the database actually works, as db_status might lie.

workspaces#

```shell
msf6 > workspace          # list workspaces
msf6 > workspace -a <name> # add a workspace and switch to it immediately
```

hosts#

```shell
msf6 > hosts # show targets we interacted with
```

creds#

```shell
msf6 > creds # show credentials extracted using Metasploit modules
```

search for and use the modules#

```shell
msf6 > search portscan     # search for port scanning modules
msf6 > use <index>         # load a module by its index in the search results
msf6 > search ftp type:aux # filter modules by type
```

ports scanning#

```shell
msf6 > use auxiliary/scanner/portscan/tcp      # example module (an auxiliary scanner, not a payload)
msf6 > options                                 # list available options
msf6 > advanced                                # list advanced options
msf6 > set RHOSTS <target_ip_1> [<target_ip_2>]
msf6 > set PORTS 1-10000
msf6 > exploit                                 # or `run` but we are the l33t
```

services#

```shell
msf6 > services # show services running on the hosts we interacted with
```

global settings#

```shell
msf6 > setg RHOSTS <target_ip> # set an option globally so every module in this console picks it up; `save` persists it
```

sessions#

```shell
msf6 > sessions          # list active connections
msf6 > sessions [-i] <id> # interact with session <id>
msf6 > background        # leave the session without closing the connection
msf6 > sessions -k <id>  # kill the session
```

shell commands#

```shell
msf6 > curl -I <target_ip> # shell commands run straight from the msf prompt; add `-k|--insecure` to skip certificate validation
```

combining Metasploit with Nmap#

```shell
msf6 > db_nmap <params> # calls Nmap with params and saves the results in the database
msf6 > services         # list the services identified with db_nmap
```

💡 You can also use rustscan.

importing modules to Metasploit#

Not every Metasploit module turns up in search. If we stumble upon one elsewhere, e.g. on Exploit-DB, we can import it into Metasploit by copying or symlinking it:

```shell
# for Kali Linux; the module has to sit under a type directory (exploits/, auxiliary/, ...)
# of a module tree such as the per-user ~/.msf4/modules, otherwise Metasploit won't load it
mkdir -p ~/.msf4/modules/exploits/php/remote
cp /usr/share/exploitdb/exploits/php/remote/9939.rb ~/.msf4/modules/exploits/php/remote/    # if you have the disk space
ln -s /usr/share/exploitdb/exploits/php/remote/9939.rb ~/.msf4/modules/exploits/php/remote/ # if you don't ¯\_(ツ)_/¯
msf6 > reload_all # make msfconsole pick up the new module
```

💡 Python-based modules might need code adjustments to work with Metasploit.
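A small helper for the copy step above, added here as an example and not part of the page or of Metasploit itself: it reads the module's class declaration to pick the type directory (exploits/, auxiliary/, post/) and refuses files that are not Metasploit modules, so nothing lands where the loader would silently ignore it. The function names and the default root `~/.msf4/modules` (Metasploit's per-user module tree) are the example's own choices.

```shell
#!/usr/bin/env bash
# Added example (not Metasploit's own tooling): copy an external module, e.g.
# one taken from the Exploit-DB tree, into a Metasploit module tree under the
# type directory the loader expects. Metasploit derives a module's type from
# the first directory below the modules root (exploits/, auxiliary/, post/),
# so a file dropped into the root of the tree is never loaded.
set -u

# Print the type directory for a module file, taken from its class declaration
# (e.g. "class MetasploitModule < Msf::Exploit::Remote"). Mixins such as
# "include Msf::Exploit::Remote::Tcp" inside auxiliary modules are ignored.
# Returns 1 when the file does not declare a Metasploit module class.
msf_module_type() {
  local file=$1
  if   grep -Eq '^class +[A-Za-z0-9_]+ *< *Msf::Exploit'   "$file"; then echo exploits
  elif grep -Eq '^class +[A-Za-z0-9_]+ *< *Msf::Auxiliary' "$file"; then echo auxiliary
  elif grep -Eq '^class +[A-Za-z0-9_]+ *< *Msf::Post'      "$file"; then echo post
  else return 1
  fi
}

# msf_module_install <module.rb> [modules_root]
# Copies the module to <root>/<type>/<last two path components of the source>
# (php/remote/9939.rb keeps its Exploit-DB layout) and prints the destination.
# The default root ~/.msf4/modules is Metasploit's per-user module tree; run
# `reload_all` in msfconsole afterwards so the module shows up in `search`.
msf_module_install() {
  local src=$1 root=${2:-"$HOME/.msf4/modules"} type rel dest
  [ -f "$src" ] || { echo "not a file: $src" >&2; return 1; }
  type=$(msf_module_type "$src") || { echo "no Metasploit module class in: $src" >&2; return 1; }
  rel=$(basename "$(dirname "$(dirname "$src")")")/$(basename "$(dirname "$src")")/$(basename "$src")
  dest="$root/$type/$rel"
  mkdir -p "$(dirname "$dest")"
  cp "$src" "$dest"
  echo "$dest"
}
```

Usage: `msf_module_install /usr/share/exploitdb/exploits/php/remote/9939.rb` prints `~/.msf4/modules/exploits/php/remote/9939.rb`, after which `reload_all` in msfconsole makes it searchable as `exploit/php/remote/9939`.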

services that host payloads#

dank meme#