"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology." -Bruce Schneier
msfcli is a great 'tool' that is part of the Metasploit framework. Although it has no interactive prompt and isn't as user friendly as msfconsole, there are some crafty things you can do with msfcli. Offensive-Security lists a few uses for msfcli in their Metasploit Unleashed tutorial:
> Supports launching of exploits and auxiliary modules
> Useful for specific tasks
> Convenient to use when testing or developing a new exploit
> Good for learning
> Useful for scripts (bash-scripting)
In this tutorial, we focus on learning. The only prerequisite is knowing what msfcli and msfconsole are (basically, what the interfaces of Metasploit are) and how they should be used. You don't have to know how they work, but if you do, then you're solid. Feel free to read something more challenging. You can find the link for writing a bash-script at the end of this tutorial.
Why write about msfcli?
During my search on the web I noticed a shortage of msfcli-focused discussions. Even the most well-known and credible sources only explained msfcli with a brief overview and left users to explore all its uses. It is part of the Metasploit framework, so it is mentioned in the Metasploit Penetration Tester's Guide. Yet there is still a small need, for the beginner such as myself, for a breakdown of the 'Mode' commands. This is just that breakdown.
What is MSFcli?
MSFcli stands for Metasploit Framework Command Line Interface. It differs from the MSFconsole in several ways, primarily that it runs as a single, non-interactive command straight from the terminal or shell. This is beneficial because the command's output can be redirected to a file or piped into another command, and a whole sequence of module runs can be driven from a bash script, which msfconsole's interactive prompt does not lend itself to. If you want to learn more about msfencode or msfconsole, check out the Metasploit Penetration Tester's Guide or the Metasploit Unleashed tutorial.
How do I access msfcli?
Accessing msfcli is very straightforward. Open your terminal (Metasploit must be installed, and on Kali the Metasploit tools are run as root) and type 'msfcli -h'. You get the help screen:
CODE :
Mode            Description
----            -----------
(A)dvanced      Show available advanced options for this module
(AC)tions       Show available actions for this auxiliary module
(C)heck         Run the check routine of the selected module
(E)xecute       Execute the selected module
(H)elp          You're looking at it baby!
(I)DS Evasion   Show available ids evasion options for this module
(O)ptions       Show available options for this module
(P)ayloads      Show available payloads for this module
(S)ummary       Show information about this module
(T)argets       Show available targets for this exploit module
Examples:
msfcli multi/handler payload=windows/meterpreter/reverse_tcp lhost=IP E
msfcli auxiliary/scanner/http/http_version rhosts=IP encoder= post= nop= E
The -h option is for the help screen, or Help. This shows you how to use the Modes found in msfcli. Modes are the 'actions' you want msfcli to perform on a module; the general form of a command is 'msfcli <module_name> <option=value> ... <mode>', where module_name is the exploit or auxiliary module you wish to execute, or in our case, learn more about. Because I own your attention at the moment, I'll brief you on some terminology:
An exploit takes advantage of a flaw within a system, application or service.
A payload is the code that the framework delivers to, and runs on, the target once the exploit has succeeded: a command shell, a Meterpreter session, a single command. A payload is not itself an exploit; the exploit is what gets the payload in, the payload is what you get out of it.
A module is a packaged piece of the framework. This tutorial deals with the two types msfcli is built around: exploit modules, which attack a target and carry a payload, and auxiliary modules, which scan, probe or fuzz a system and carry no payload. Payloads, encoders, NOP generators and post modules are module types of their own as well.
Okay, so now we're looking at the help screen of msfcli. Notice that nothing on screen tells you that you are 'in' msfcli: unlike msfconsole there is no prompt, the help screen is all you see (on BackTrack the command is the full path to msfcli, see the note below). Whenever you wish to interact with msfcli you must invoke it as a fresh command that starts with 'msfcli'. On the help screen we have several Modes and a brief description of what each does. The mode is appended at the end of your input in single-letter form; note the () around the beginning letter(s) of each mode, that is the part you type.
Mode            Description
----            -----------
(A)dvanced      Show available advanced options for this module
(AC)tions       Show available actions for this auxiliary module
(C)heck         Run the check routine of the selected module
(E)xecute       Execute the selected module
(H)elp          You're looking at it baby!
(I)DS Evasion   Show available ids evasion options for this module
(O)ptions       Show available options for this module
(P)ayloads      Show available payloads for this module
(S)ummary       Show information about this module
(T)argets       Show available targets for this exploit module
[note] If you are using BT, you have to specify the full path to msfcli in order to invoke it. I have not tried it in BT yet, but I believe you only type it in once. For example: /opt/metasploit/apps/pro/msf3/msfcli. In Kali, you can simply type 'msfcli' (every time).
Now for some learning. Suppose you wanted to learn about a module: its options, its payloads, its targets, or simply what it does. msfcli is a quick and easy way to do that. Normally, in msfconsole, when you're inside a module and type 'show options', you get the options specific to that module. However, when you type 'show exploits' or 'show payloads' you may be overwhelmed by the output. msfcli is a bit cleaner than msfconsole: you name the module and the mode, and only that module's information comes back.
So, let's learn what options we need for a particular auxiliary module:
CODE :
msfcli auxiliary/scanner/http/http_version O
CODE :
[*] Initializing modules...

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
Proxies                   no        Use a proxy chain
RHOSTS                    yes       The target address range or CIDR identifier
RPORT    80               yes       The target port
THREADS  1                yes       The number of concurrent threads
VHOST                     no        HTTP server virtual host

root@kali:~#
Here we see that our auxiliary module requires a target address range (RHOSTS), a target port (RPORT) and a THREADS count. RPORT and THREADS already have defaults (80 and 1), so the only option we actually have to supply on the command line is RHOSTS. Proxies and VHOST are not required.
So, what did we do? First we invoked msfcli (on Kali Linux), then we typed the name of the auxiliary module we wanted to learn about, and finally we appended the letter 'O' at the end to tell msfcli 'show options' for this module. msfcli did so without fuss.
What if we wanted to see whether any payloads are available for this auxiliary module? We would use the P mode this time.
CODE :
msfcli auxiliary/scanner/http/http_version P
CODE :
root@kali:~# msfcli auxiliary/scanner/http/http_version P
[*] Initializing modules...
Error:>>>>>> This type of module does not support payloads <<<<<<<
root@kali:~#
See, now we know something about auxiliary modules: they don't support payloads. That matches the terminology above: an auxiliary module scans or probes, it does not deliver code to the target.
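The tutorial points out that msfcli is useful from bash scripts, and the O and P outputs above are exactly what a script would read. Here is an added example (not code from the original article) of a few shell helpers that parse msfcli's 'O' output to find the required options that still have no setting, recognise the 'does not support payloads' answer, and refuse to run the E mode until every required option is covered. It assumes the column layout and error text are exactly as shown in this tutorial's output, and that msfcli is on PATH when msf_run_checked is used; the sample outputs at the bottom are copied from the tutorial so the helpers can be tried without Metasploit installed.

```shell
#!/bin/sh
# Added example, not code from the original article: shell helpers around
# msfcli's "O" (options) and "P" (payloads) output. Assumed: the column
# layout Name / Current Setting / Required / Description and the error text
# "This type of module does not support payloads" as shown in the tutorial.

# Print the name of every option marked Required=yes that has no Current
# Setting. Reads "O" output on stdin. These are the key=value pairs that
# must be given on the msfcli command line before the module can run.
msf_missing_required() {
    awk '
        /^[[:space:]]*----/ { in_table = 1; next }      # header underline reached
        in_table && NF >= 3 {
            # Scan from the second field until the Required column (yes/no);
            # anything between the name and that column is the current setting.
            for (i = 2; i <= NF; i++) {
                if ($i == "yes" || $i == "no") {
                    if ($i == "yes" && i == 2) print $1  # required, no default
                    break
                }
            }
        }'
}

# Given "O" output on stdin and the key=value pairs you intend to pass as
# arguments, print the required options that are neither defaulted nor
# supplied. Returns 1 if any are missing. Names are compared case-insensitively
# because msfcli accepts "rhosts=" as well as "RHOSTS=".
msf_unset_required() {
    missing=0
    for opt in $(msf_missing_required); do
        supplied=0
        for kv in "$@"; do
            key=$(printf '%s' "${kv%%=*}" | tr '[:lower:]' '[:upper:]')
            if [ "$key" = "$opt" ]; then
                supplied=1
                break
            fi
        done
        if [ "$supplied" -eq 0 ]; then
            echo "$opt"
            missing=1
        fi
    done
    return $missing
}

# Returns 0 if "P" output on stdin lists payloads, 1 if msfcli reported that
# the module type (auxiliary, for instance) takes no payload at all.
msf_supports_payloads() {
    if grep -q 'does not support payloads'; then
        return 1
    fi
    return 0
}

# Run a module with the E mode only when every required option is covered;
# otherwise report what is still unset and refuse. Needs the real msfcli.
msf_run_checked() {
    module=$1
    shift
    if missing=$(msfcli "$module" O | msf_unset_required "$@"); then
        msfcli "$module" "$@" E
    else
        echo "not running $module; required options still unset: $missing" >&2
        return 1
    fi
}

# Constructed sample input: the http_version "O" output from this tutorial and
# the two kinds of "P" answer it shows, so the helpers run without Metasploit.
SAMPLE_O='[*] Initializing modules...

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        Use a proxy chain
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    80               yes       The target port
   THREADS  1                yes       The number of concurrent threads
   VHOST                     no        HTTP server virtual host'
SAMPLE_P_AUX='[*] Initializing modules...
Error:>>>>>> This type of module does not support payloads <<<<<<<'
SAMPLE_P_EXPLOIT='[*] Initializing modules...

Compatible payloads
===================

   Name                        Description
   ----                        -----------
   generic/shell_reverse_tcp   Connect back to attacker and spawn a command shell'

# Usage: sh msfcli_check.sh auxiliary/scanner/http/http_version rhosts=10.0.0.5
if [ "$#" -gt 0 ]; then
    msf_run_checked "$@"
fi
```

Piping the sample through the helpers gives RHOSTS as the one option http_version still needs, and a 1 exit status for the auxiliary P answer; with the real msfcli, msf_run_checked does the same check against live output before it launches anything.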
Okay, that was fun. But we are here to learn, so let's try another module that may have some payloads available. This time, we will use the exploit/windows/smb/ms08_067_netapi module. Same two modes: O and P.
CODE :
root@kali:~# msfcli exploit/windows/smb/ms08_067_netapi O
CODE :
[*] Initializing modules...

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOST    192.168.15.3     yes       The target address
RPORT    445              yes       Set the SMB service port
SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
Above are the options for this particular module. In my output, you can see the last target IP address which I attacked. The default port is 445. The default pipe is BROWSER. Unlike our first module, there are no optional settings here: every option is required, as the 'yes' in the Required column shows, and every one of them already has a current setting.
Now let's see if it supports payloads!!
CODE :
msfcli exploit/windows/smb/ms08_067_netapi P
CODE :
[*] Initializing modules...

Compatible payloads
===================

Name                                     Description
----                                     -----------
generic/custom                           Use custom string or file as payload. Set either PAYLOADFILE or PAYLOADSTR.
generic/debug_trap                       Generate a debug trap in the target process
generic/shell_bind_tcp                   Listen for a connection and spawn a command shell
generic/shell_reverse_tcp                Connect back to attacker and spawn a command shell
generic/tight_loop                       Generate a tight loop in the target process
windows/dllinject/bind_ipv6_tcp          Listen for a connection over IPv6, Inject a DLL via a reflective loader
windows/dllinject/bind_nonx_tcp          Listen for a connection (No NX), Inject a DLL via a reflective loader
windows/dllinject/bind_tcp               Listen for a connection, Inject a DLL via a reflective loader
windows/dllinject/reverse_http           Tunnel communication over HTTP, Inject a DLL via a reflective loader
windows/dllinject/reverse_ipv6_http      Tunnel communication over HTTP and IPv6, Inject a DLL via a reflective loader
windows/dllinject/reverse_ipv6_tcp       Connect back to the attacker over IPv6, Inject a DLL via a reflective loader
windows/dllinject/reverse_nonx_tcp       Connect back to the attacker (No NX), Inject a DLL via a reflective loader
windows/dllinject/reverse_ord_tcp        Connect back to the attacker, Inject a DLL via a reflective loader
windows/dllinject/reverse_tcp            Connect back to the attacker, Inject a DLL via a reflective loader
windows/dllinject/reverse_tcp_allports   Try to connect back to the attacker, on all possible ports (1-65535, slowly), Inject a DLL via a reflective loader
windows/dllinject/reverse_tcp_dns        Connect back to the attacker, Inject a DLL via a reflective loader
windows/dllinject/reverse_tcp_rc4        Connect back to the attacker, Inject a DLL via a reflective loader
windows/dns_txt_query_exec               Performs a TXT query against a series of DNS record(s) and executes the returned payload
windows/exec                             Execute an arbitrary command
windows/loadlibrary                      Load an arbitrary library path
Here we can see that this module supports a number of payloads (the list is cut off above; it continues alphabetically with the windows/meterpreter/..., windows/shell/... and other windows/ payloads). Many of them are reverse payloads that connect back to the attacker; the bind_ variants instead listen on the target for the attacker to connect in. If you're wondering, no, you can't learn more about these payloads from msfcli. Try the windows/loadlibrary payload with the S (summary) mode:
We get an error. msfcli expects the name of an exploit or auxiliary module, and a payload is a different kind of module, one that lives under payload/ and only does something when attached to an exploit. To explore a payload's own options we must use msfconsole, which is outside the scope of this tutorial. But I'll show you the output for educational purposes!
line:1
CODE :
msf exploit(ms08_067_netapi) > use windows/loadlibrary
line:2
CODE :
msf payload(loadlibrary) > show options
line:3
CODE :
Module options (payload/windows/loadlibrary):

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
DLL                        yes       The library path to load (UNC is OK)
EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)

msf payload(loadlibrary) >
Breakdown:
In line:1, we are in msfconsole, using the ms08_067_netapi exploit. We tell Metasploit to 'use' the windows/loadlibrary payload we learned about from the previous output.
In line:2, we are inside the payload module, still part of the framework, and we ask what options this payload needs.
In line:3, we see there are two options, DLL and EXITFUNC, both required. EXITFUNC already has a default (process), so DLL is the one we would have to set ourselves.
How is this useful?
Suppose you're inside the Framework, using msfconsole. You want to learn what Options, Payloads, or Targets are available for a particular exploit, but you don't want to keep clearing the screen after every output. You would be wise to start a second terminal, keep it for msfcli, and use it to query the exploit of choice (the O, P, S and T modes) while your msfconsole session stays as it is.
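The same idea can be scripted: instead of typing each mode by hand in the second terminal, dump the S, O, P and T output for every module you care about into a directory and read or grep the files at leisure. This is an added example, not code from the original article. MSFCLI is an assumed environment override so that the script also works where msfcli is not on PATH (the full-path case mentioned for BackTrack above); the default 'msfcli' matches Kali.

```shell
#!/bin/sh
# Added example, not from the original article: save the Summary, Options,
# Payloads and Targets output of one or more modules to files. The MSFCLI
# override is an assumption of this script, not an msfcli feature.
MSFCLI=${MSFCLI:-msfcli}

# Turn a module path into a file-name stem:
# exploit/windows/smb/ms08_067_netapi -> exploit_windows_smb_ms08_067_netapi
msf_slug() {
    printf '%s' "$1" | tr '/' '_'
}

# msf_dump_info OUTDIR MODULE...
# Writes OUTDIR/<stem>.<mode>.txt for each of the S, O, P and T modes.
# A mode that does not apply to a module type (P on an auxiliary module)
# still produces a file holding msfcli's error line, which is information
# in itself, so a non-zero msfcli exit is deliberately not treated as failure.
msf_dump_info() {
    outdir=$1
    shift
    command -v "$MSFCLI" >/dev/null 2>&1 || { echo "$MSFCLI not found" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    for module in "$@"; do
        stem=$(msf_slug "$module")
        for mode in S O P T; do
            # stderr is kept alongside stdout so the error lines are captured too
            "$MSFCLI" "$module" "$mode" > "$outdir/$stem.$mode.txt" 2>&1 || true
        done
    done
    return 0
}

# Usage: sh msf_dump_info.sh /tmp/msfinfo exploit/windows/smb/ms08_067_netapi auxiliary/scanner/http/http_version
if [ "$#" -ge 2 ]; then
    msf_dump_info "$@"
fi
```

After a run, 'grep -l "does not support payloads" /tmp/msfinfo/*.P.txt' tells you at a glance which of the dumped modules are auxiliary-style modules with no payload, and 'less /tmp/msfinfo/exploit_windows_smb_ms08_067_netapi.P.txt' gives you the full payload list without it scrolling past in msfconsole.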
Where to go from here?
Well, you may want to check out Metasploit Unleashed and the Metasploit Penetration Tester's Guide to get you started. As I said, this was not meant for the professional pentester, rather the beginner. Those two references are great tools to learn from. At the time of this writing, Metasploit Unleashed is located at: http://www.offensive-security.com/metasploit-unleashed/Msfcli. There are a few people who have scanned their Metasploit Tester's Guide, but I could not find any at this time. This is one of those books where your Google-Fu will be useful for finding it. It's best to buy your own copy, or rent or download from a reliable source. I have the e-book from Google Play. It costs about 29.99; I'm not fully sure because I already purchased it and all it says now is "read". Aside from all this, you could practice searching for options and see which modules support payloads. Also, try the other modes:
(A)dvanced      Show available advanced options for this module
(AC)tions       Show available actions for this auxiliary module
(C)heck         Run the check routine of the selected module
(E)xecute       Execute the selected module
(H)elp          You're looking at it baby!
(I)DS Evasion   Show available ids evasion options for this module
(O)ptions       Show available options for this module               <<
(P)ayloads      Show available payloads for this module              <<
(S)ummary       Show information about this module
(T)argets       Show available targets for this exploit module
How do I find you?
Good question! I don't blog or use social media, but every now and again I am here, working on the labs as I like to call them (challenges). Feel free to drop me a message. I'm also active in the Kali Linux community.
HackThisSite is the collective work of the HackThisSite staff, licensed under a CC BY-NC license.
We ask that you inform us upon sharing or distributing.