Metasploit Container Task

Overview

The Metasploit container task is built with Rapid7's Metasploit Framework and Dan McInerney's pymetasploit3 library.

The source code for the Metasploit container task is available here: https://github.com/havocsh/havoc-attack-containers/tree/main/metasploit
The container image for the Metasploit container task is available here: https://gallery.ecr.aws/havoc_sh/metasploit

Launching a Metasploit Container Task

To launch a Metasploit container task as an ECS task within the AWS account of your ./havoc deployment, use the task_startup or run_task command:

task_startup --task_name=<task_name> --task_type=metasploit --task_host_name=<task_host_name> --task_domain_name=<task_domain_name> --portgroups=<portgroup1,portgroup2,...> --end_time=<time_string>

run_task --task_name=<task_name> --task_type=metasploit --task_host_name=<task_host_name> --task_domain_name=<task_domain_name> --portgroups=<portgroup1,portgroup2,...> --end_time=<time_string>

To launch a Metasploit container task as a remote container task on any system that can run Docker containers, use the docker run command:

sudo docker run -d \
  --name=<container-name> \
  --network host \
  --cap-add SYS_ADMIN \
  -e "LOCAL_IP=$(hostname -I)" \
  -e "CAMPAIGN_ID=<campaign-id>" \
  -e "USER_ID=<campaign-user-id>" \
  -e "TASK_NAME=<task-name>" \
  -e "TASK_CONTEXT=<task-context>" \
  -e "REMOTE_TASK=true" \
  -e "API_KEY=<api-key>" \
  -e "SECRET=<secret>" \
  -e "API_DOMAIN_NAME=<api-domain-name>" \
  -e "API_REGION=<api-region>" \
  public.ecr.aws/havoc_sh/metasploit:latest \
  /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf

Refer to the Usage Through CLI Console and Usage Through SDK pages for more details about the run_task and docker run commands.

Available Commands

These commands are available to be passed as the instruct_command in the instruct_task method call. The sub-bullets under the commands are the arguments for the command that should be passed in the instruct_args parameter. See the Usage Through CLI Console and Usage Through SDK pages for more details on how to use instruct_args.

  • list_exploits - list all of Metasploit's available exploits.
  • list_payloads - list all of Metasploit's available payloads.
  • list_jobs - list currently running jobs such as exploit modules that wait for a client connection to execute.
  • list_sessions - list currently active sessions.
  • set_exploit_module - stage an exploit module for configuration and execution.
    • exploit_module - specify the exploit module to be staged.
  • set_exploit_options - configure a staged exploit module. The exploit module must be set for this command to work.
    • Options vary depending on the exploit module. See the exploit module's documentation for details about which options to pass in the instruct_args parameter.
  • set_exploit_target - specify the target within the exploit module. The exploit module must be set for this command to work.
    • exploit_target - specify the ID associated with the desired exploit target.
  • set_payload_module - stage a payload module.
    • payload_module - specify the payload module to be staged.
  • set_payload_options - configure a staged payload module. The payload module must be set for this command to work.
    • Options vary depending on the payload module. See the payload module's documentation for details about which options to pass in the instruct_args parameter.
  • show_exploit - show the description for an exploit module. The exploit module must be set for this command to work.
  • show_exploit_options - show the available options for an exploit module. The exploit module must be set for this command to work.
  • show_exploit_option_info - show available information about a given exploit option. The exploit module must be set for this command to work.
    • exploit_option - specify the exploit option to show information for.
  • show_exploit_targets - show available targets for an exploit module. The exploit module must be set for this command to work.
  • show_exploit_evasion - show available evasion methods for an exploit module. The exploit module must be set for this command to work.
  • show_exploit_payloads - show available payloads for an exploit module. The exploit module must be set for this command to work.
  • show_configured_exploit_options - show the configured settings for an exploit module. The exploit module must be set for this command to work.
  • show_exploit_requirements - show the required configuration settings for an exploit module. The exploit module must be set for this command to work.
  • show_missing_exploit_requirements - show the required configuration settings for an exploit module that have not yet been set. The exploit module must be set for this command to work.
  • show_last_exploit_results - show the most recent results from an executed exploit. The exploit module must be set for this command to work.
  • show_payload - show the description for a payload module. The payload module must be set for this command to work.
  • show_payload_options - show the available options for a payload module. The payload module must be set for this command to work.
  • show_payload_option_info - show available information about a given payload option. The payload module must be set for this command to work.
    • payload_option - specify the payload option to show information for.
  • show_configured_payload_options - show the configured settings for a payload module. The payload module must be set for this command to work.
  • show_payload_requirements - show the required configuration settings for a payload module. The payload module must be set for this command to work.
  • show_missing_payload_requirements - show the required configuration settings for a payload module that have not yet been set. The payload module must be set for this command to work.
  • show_job_info - show information for a given job.
    • job_id - the ID of the job.
  • show_session_info - show information for a given session.
    • session_id - the ID of the session.
  • execute_exploit - execute a staged exploit. The exploit module must be set for this command to work.
  • generate_payload - generate a payload file. The payload module must be set for this command to work. The file will be written to the container task's local workspace directory.
    • filename - the file name to give to the generated file.
  • run_session_command - run a command on a session. Determining if a session is done running a command can be accomplished with end_strings or by hitting the timeout limit with timeout_exception set to False.
    • session_id - the session ID.
    • session_command - the command to run.
    • end_strings - a string of characters expected to appear when a command is finished running.
    • timeout - the amount of time to wait for the command to finish. timeout defaults to Metasploit's comm timeout of 300 seconds; if the command times out, an exception is thrown unless timeout_exception is set to False.
    • timeout_exception - tell Metasploit whether or not to throw an exception if the command times out. Accepted values are True and False. Defaults to True.
  • run_session_shell_command - run a shell command on a session. Determining if a session is done running a shell command can be accomplished with end_strings.
    • end_strings - a string of characters expected to appear when a command is finished running.
  • session_tabs - ask Metasploit to provide available session commands based on a given partial session_command.
    • session_id - the session ID.
    • session_command - the partial session command.
  • load_session_plugin - load a session plugin.
    • session_id - the session ID.
    • plugin_name - the name of the plugin to load.
  • session_import_psh - import a PowerShell script to a session.
    • session_id - the session ID.
    • script_name - the file name of the PowerShell script to import. The script file must already be present in the container task's local workspace directory.
  • session_run_psh_cmd - run an imported PowerShell script on a session.
    • session_id - the session ID.
    • ps_cmd - the PowerShell command to run (typically the name of the imported PowerShell function).
  • run_session_script - run a Meterpreter script on a session.
    • session_id - the session ID.
    • script_name - the file name of the Meterpreter script to run. The script file must already be present in the container task's local workspace directory.
  • get_session_writeable_dir - get the session's temp directory, which is assumed to be writeable.
    • session_id - the session ID.
  • session_read - read data from a Meterpreter session.
    • session_id - the session ID.
  • detach_session - detach a Meterpreter session but leave it running.
    • session_id - the session ID.
  • kill_session - kill a Meterpreter session.
    • session_id - the session ID.
  • kill_job - kill a staged exploit module that is running as a job.
    • job_id - the job ID.
  • echo - get an arbitrary response from the container task (can be used to check if the container is responsive to commands).
  • sync_from_workspace - download all files from the Campaign's workspace to the local workspace directory on the container task.

    Note that this will overwrite any existing files with the same name in the container task's local workspace.

  • sync_to_workspace - upload all files from the container task's local workspace directory to the Campaign's workspace.

    Note that this will overwrite any existing files with the same name in the Campaign's workspace.

  • download_from_workspace - download a specific file from the Campaign's workspace to the container task's local workspace directory.
    • file_name - the name of the file to be downloaded.

      Note that this will overwrite any existing file with the same name in the container task's local workspace.

  • upload_to_workspace - upload a specific file from the container task's local workspace directory to the Campaign's workspace.
    • file_name - the name of the file to be uploaded.

      Note that this will overwrite any existing file with the same name in the Campaign's workspace.

  • ls - list files of the container task's local shared directory.
  • del - delete a file from the container task's local shared directory.
    • file_name - the name of the file to be deleted.
  • terminate - instruct the container task to shut down.
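As an added example (not havoc.sh project code), a local pre-flight check for a planned sequence of instruct_task calls: it encodes the "module must be set first" and required-argument rules from the list above so a mistake is caught before anything is sent to the container. check_plan and the rule tables are assumptions built from this page, not part of the SDK.

```python
# Added example, not havoc.sh project code: a local pre-flight check for a
# planned sequence of (instruct_command, instruct_args) pairs, encoding the
# ordering and argument rules from the command list above so an out-of-order
# or incomplete instruct_task call is caught before it reaches the container.

EXPLOIT_FIRST = {  # only valid after set_exploit_module
    "set_exploit_options", "set_exploit_target", "show_exploit", "show_exploit_options",
    "show_exploit_option_info", "show_exploit_targets", "show_exploit_evasion",
    "show_exploit_payloads", "show_configured_exploit_options", "show_exploit_requirements",
    "show_missing_exploit_requirements", "show_last_exploit_results", "execute_exploit"}
PAYLOAD_FIRST = {  # only valid after set_payload_module
    "set_payload_options", "show_payload", "show_payload_options", "show_payload_option_info",
    "show_configured_payload_options", "show_payload_requirements",
    "show_missing_payload_requirements", "generate_payload"}
SID = {"session_id"}
REQUIRED_ARGS = {  # instruct_args each command must carry (the sub-bullets above)
    "set_exploit_module": {"exploit_module"}, "set_exploit_target": {"exploit_target"},
    "set_payload_module": {"payload_module"}, "generate_payload": {"filename"},
    "show_exploit_option_info": {"exploit_option"}, "show_payload_option_info": {"payload_option"},
    "show_job_info": {"job_id"}, "kill_job": {"job_id"},
    "run_session_command": SID | {"session_command"}, "session_tabs": SID | {"session_command"},
    "run_session_shell_command": {"end_strings"}, "load_session_plugin": SID | {"plugin_name"},
    "session_import_psh": SID | {"script_name"}, "run_session_script": SID | {"script_name"},
    "session_run_psh_cmd": SID | {"ps_cmd"}, "show_session_info": SID, "session_read": SID,
    "get_session_writeable_dir": SID, "detach_session": SID, "kill_session": SID,
    "download_from_workspace": {"file_name"}, "upload_to_workspace": {"file_name"},
    "del": {"file_name"}}
NO_ARGS = {"list_exploits", "list_payloads", "list_jobs", "list_sessions", "echo",
           "sync_from_workspace", "sync_to_workspace", "ls", "terminate"}
KNOWN = EXPLOIT_FIRST | PAYLOAD_FIRST | set(REQUIRED_ARGS) | NO_ARGS

def check_plan(plan):
    """Return a list of problems for plan = [(instruct_command, instruct_args), ...]."""
    problems, exploit_set, payload_set = [], False, False
    for n, (cmd, args) in enumerate(plan, 1):
        args = args or {}
        if cmd not in KNOWN:
            problems.append(f"step {n}: unknown instruct_command {cmd!r}")
            continue
        if cmd in EXPLOIT_FIRST and not exploit_set:
            problems.append(f"step {n}: {cmd} needs set_exploit_module first")
        if cmd in PAYLOAD_FIRST and not payload_set:
            problems.append(f"step {n}: {cmd} needs set_payload_module first")
        missing = sorted(REQUIRED_ARGS.get(cmd, set()) - set(args))
        if missing:
            problems.append(f"step {n}: {cmd} missing instruct_args {missing}")
        exploit_set |= cmd == "set_exploit_module"
        payload_set |= cmd == "set_payload_module"
    return problems
```

An empty list means every step is ordered correctly and carries the arguments the command list requires; module-specific options for set_exploit_options and set_payload_options are not checked, since they depend on the chosen module.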