Noirchapeau's Gitbook
Noirchapeau
NoirchapeauEsau
Noirchapeau
NoirchapeauEsau
  • Welcome to NoirChapeau Gitbook
  • Network Mapping and Security Auditing Tool
  • Footprinting - Enumeration and Information Gathering Notes
    • FTP Pentesting Notes
    • SMB Pentesting Notes
    • SSH Pentesting Notes
    • IPMI Pentesting Notes
    • Oracle TNS Pentesting Notes
    • MSSQL Pentesting Notes
    • MySQL Pentesting Notes
    • SNMP Pentesting Notes
    • IMAP/POP3 Pentesting Notes
    • SMTP Pentesting Notes
    • DNS Pentesting Notes
    • NFS Pentesting Notes
  • Web Reconnaissance Notes
  • Vulnerability Assessment Notes
    • Nessus Vulnerability Scanner Notes
    • OpenVAS (GVM) Vulnerability Scanner Notes
  • File Transfer Techniques for Pentesting
    • Advanced File Transfer Techniques
    • File Transfer Detection & Evasion Techniques
  • Shells & Payloads: Shell Overview
    • Shells & Payloads: Payloads Overview
    • Shells & Payloads: Web Shells Overview
    • Shells & Payloads: Detection & Prevention
  • Metasploit
    • Working with Metasploit Modules
    • Targets and Payloads
    • Encoders & Msfvenom: Advanced Exploitation Techniques
    • Database Management in Metasploit
    • Sessions and Jobs
    • Writing and Importing Custom Modules into Metasploit
    • Firewall and IDS/IPS Evasion
  • Password Attacks
    • Remote Password Attacks
    • Windows Local Password Attacks
    • Linux Local Password Attacks
    • Windows Lateral Movement
    • Files & Archives Cracking
    • Password Management
  • Interacting with Common Services
    • Protocol Specific Attacks
Powered by GitBook
On this page
  • Overview
  • Why Write Custom Modules?
  • Installing Pre-Existing Modules
  • Writing Custom Modules
  • Defining Module Options
  • Testing Your Module
  • Porting Existing Exploits
  • Best Practices for Custom Modules
  • Command Cheatsheet
  1. Metasploit

Writing and Importing Custom Modules into Metasploit

Overview

Metasploit’s modular design allows users to extend its functionality by writing or importing custom modules. This capability is essential for creating tailored exploits, auxiliary tools, and post-exploitation modules to target unique scenarios.

Why Write Custom Modules?

  1. Expand Functionality:

    • Address vulnerabilities or scenarios not covered by existing modules.

  2. Customization:

    • Adapt modules to specific environments or requirements.

  3. Port Existing Exploits:

    • Convert scripts written in Python, Perl, or other languages into Ruby-based Metasploit modules.

  4. Reusability:

    • Use standardized frameworks to streamline future testing.

Installing Pre-Existing Modules

  1. Update Metasploit to Access Latest Modules:

    • Ensure the framework has the latest modules:

      msfupdate

  2. Download External Modules:

    • Use platforms like Exploit-DB or GitHub to find third-party modules.

    • Example: Clone DarkOperator plugins:

      git clone https://github.com/darkoperator/Metasploit-Plugins

  3. Copy Module to the Correct Directory:

    • Default module directories:

      /usr/share/metasploit-framework/modules/

    • Example for a web exploit:

      cp custom_exploit.rb /usr/share/metasploit-framework/modules/exploits/web/custom_exploit.rb

  4. Reload Modules in Metasploit:

    • Refresh the module list without restarting Metasploit:

      reload_all

Writing Custom Modules

  1. Create a Module Directory:

    • Custom modules can be placed in the user directory:

      ~/.msf4/modules/<category>/<type>/<module_name>.rb

  2. Follow Ruby Naming Conventions:

    • Use descriptive names with snake_case, avoiding spaces or special characters.

    • Example:

      my_custom_exploit.rb

  3. Basic Structure of a Module:

    Example Exploit Template:

    class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Custom Exploit',
      'Description'    => 'This is a custom HTTP exploit.',
      'License'        => MSF_LICENSE,
      'Author'         => ['YourName'],
      'References'     => [['URL', 'https://example.com/exploit']],
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows Server', { 'Offset' => 0x1234 }]
        ],
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('TARGETURI', [true, 'Path to vulnerable endpoint', '/vulnerable'])
      ]
    )
  end

  def exploit
    print_status("Sending malicious payload...")
    send_request_cgi({
      'method'  => 'GET',
      'uri'     => datastore['TARGETURI'],
      'vars_get' => {
        'cmd' => "calc.exe"
      }
    })
    print_good("Payload delivered successfully.")
  end
end

Defining Module Options

Common Option Types:

  • Strings:

    OptString.new('TARGETURI', [true, 'Target URI', '/'])

  • Ports:

    Opt::RPORT(80)

  • IP Addresses:

    OptAddress.new('RHOST', [true, 'Target address', ''])

Registering Options:

register_options(
  [
    OptString.new('USERNAME', [true, 'Username for authentication', 'admin']),
    OptString.new('PASSWORD', [true, 'Password for authentication', 'password'])
  ]
)

Testing Your Module

  1. Reload the Custom Module:

    reload_all

  2. Load the Module in Metasploit:

    use <category>/<type>/<module_name>

  3. Verify Functionality:

    • Use info to check module details.

      info

    • Run the module to ensure it behaves as expected.

Porting Existing Exploits

Steps to Port Scripts:

  1. Identify a script (e.g., Python or Perl) suitable for porting.

  2. Break down the script into components:

    • Payload delivery mechanism.

    • Vulnerability triggering code.

    • Exploit parameters (IP, port, etc.).

  3. Translate the components into Ruby:

    • Use Metasploit’s Msf::Exploit::Remote mixin for remote exploits.

  4. Test the module rigorously.

Example:

  • Original Python Script:

    import requests

target = "http://example.com/vulnerable"
response = requests.get(f"{target}?cmd=calc.exe")
print("Exploit sent.")

  • Ported Ruby Module:

    def exploit
  print_status("Sending exploit payload...")
  send_request_cgi({
    'method'  => 'GET',
    'uri'     => datastore['TARGETURI'],
    'vars_get' => {
      'cmd' => "calc.exe"
    }
  })
  print_good("Payload delivered successfully.")
end

Best Practices for Custom Modules

  1. Follow Metasploit Standards:

    • Use existing modules as references.

    • Follow Rapid7’s Ruby documentation.

  2. Document Your Code:

    • Include clear comments and module metadata for easy maintenance.

  3. Test Thoroughly:

    • Test in isolated environments to prevent unintended consequences.

  4. Organize Module Files:

    • Place modules in the correct directory hierarchy for easier management.

  5. Keep It Modular:

    • Reuse common functionality across modules using Ruby mixins.

Command Cheatsheet

Command
Description

reload_all

Reload all modules.

use <module_path>

Load a custom module.

info

View module details.

edit <module_path>

Open the module in a text editor.

set <option> <value>

Set a parameter for the module.

PreviousSessions and JobsNextFirewall and IDS/IPS Evasion