Advanced Ethical Hacking Institute in Pune

Working with Exploit Mixins

Exploit::Remote::Tcp

Code:

lib/msf/core/exploit/tcp.rb

Provides TCP options and methods.

  • Defines RHOST, RPORT, ConnectTimeout
  • Provides connect(), disconnect()
  • Creates self.sock as the global socket
  • Offers SSL, Proxies, CPORT, CHOST
  • Evasion via small segment sends
  • Exposes user options as methods – rhost() rport() ssl()

Exploit::Remote::DCERPC

Code:

lib/msf/core/exploit/dcerpc.rb

Inherits from the TCP mixin and has the following methods and options:

  • dcerpc_handle()
  • dcerpc_bind()
  • dcerpc_call()
  • Supports IPS evasion methods with multi-context BIND requests and fragmented DCERPC calls

Exploit::Remote::SMB

Code:

lib/msf/core/exploit/smb.rb

Inherits from the TCP mixin and provides the following methods and options:

  • smb_login()
  • smb_create()
  • smb_peer_os()
  • Provides the Options of SMBUser, SMBPass, and SMBDomain
  • Exposes IPS evasion methods such as: SMB::pipe_evasion, SMB::pad_data_level, SMB::file_data_level

Exploit::Remote::BruteTargets

There are 2 source files of interest.

Code:

lib/msf/core/exploit/brutetargets.rb

Overloads the exploit() method.

  • Calls exploit_target(target) for each Target
  • Handy for easy target iteration

Code:

lib/msf/core/exploit/brute.rb

Overloads the exploit method.

  • Calls brute_exploit() for each step of the address range
  • Makes it easy to brute-force an address range
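
The following is an added, stand-alone illustration of how the Tcp and BruteTargets mixins layer together; it is not Metasploit's own code and does not load the msf library. The module and method names (Tcp, BruteTargets, rhost, rport, connect, disconnect, sock, exploit_target) mirror the ones listed above, while the datastore contents, the log array, the DemoModule class and the two target names are constructed for this example, and connect() records the endpoint instead of opening a real socket so it runs offline.

```ruby
# Stand-in for Exploit::Remote::Tcp: exposes user options as methods and
# manages a single connection in @sock. Constructed for illustration.
module Tcp
  # Plays the role of the RHOST/RPORT options the real mixin registers.
  # 192.0.2.10 is an RFC 5737 documentation address (constructed value).
  def datastore
    @datastore ||= { 'RHOST' => '192.0.2.10', 'RPORT' => 445 }
  end

  def rhost; datastore['RHOST']; end
  def rport; datastore['RPORT']; end
  attr_reader :sock

  # Ordered record of what the module did, so a test can inspect it.
  def log; @log ||= []; end

  # The real connect() opens a TCPSocket to rhost:rport and stores it in
  # self.sock; here the "socket" is a hash so the example needs no network.
  def connect
    @sock = { host: rhost, port: rport, open: true }
    log << "connect #{rhost}:#{rport}"
    @sock
  end

  def disconnect
    @sock[:open] = false if @sock
    log << 'disconnect'
  end
end

# Stand-in for brutetargets.rb: overloads exploit() so that the module
# author only writes exploit_target(target) and iteration is handled here.
module BruteTargets
  def exploit
    targets.each { |t| exploit_target(t) }
    log
  end
end

# A minimal "module" that includes both mixins. As in Metasploit, the
# per-target body is written once and BruteTargets drives it.
class DemoModule
  include Tcp
  include BruteTargets

  def targets; ['Target A', 'Target B']; end

  def exploit_target(target)
    connect
    log << "exploit #{target}"   # real modules would talk over sock here
    disconnect
  end
end
```

Calling DemoModule.new.exploit runs the connect/exploit/disconnect cycle once per target and returns the log, which is what the test below checks.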

Metasploit Mixins

The mixins listed above are just the tip of the iceberg as there are many more at your disposal when creating exploits. Some of the more interesting ones are:

  • Capture – sniff network packets
  • Lorcon – send raw WiFi frames
  • MSSQL – talk to Microsoft SQL servers
  • KernelMode – exploit kernel bugs
  • SEH – structured exception handling
  • NDMP – the network backup protocol
  • EggHunter – memory search
  • FTP – talk to FTP servers
  • FTPServer – create FTP servers