Metasploit Framework EditionThe free version. It contains a command line interface, third-party import, manual exploitation and manual brute forcing. This free version of metasploit project also includes Zenmap, a well known ports-scanner and a compiler for Ruby, the language in which this version of metasploit was written.
Some servers don't run SSH, and I often like to leverage meterpreter once I find an initial entry vector for a variety of reasons. Similar to SSH, meterpreter can become a socks proxy, though I have generally found it less reliable than SSH. If you are using the docker compose file provided, I include a slightly modified metasploit image on the public network.
We'll run meterpreter over SSH for this example, but the steps would be the same for any meterpreter session once connected. The below will jump from our machine into the metasploit docker container, start metasploit, and create a meterpreter over SSH connection.
There is an important difference between non-staged and staged payload. A non-staged shell is sent over in one block. You just send shell in one stage. This can be caught with metasploit multi-handler. But also with netcat.
staged shells send them in turn. This can be useful for when you have very small buffer for your shellcode, so you need to divide up the payload. Meterpreter is a staged shell. First it sends some parts of it and sets up the connection, and then it sends some more. This can be caught with metasploit multi-handler but not with netcat. 2b1af7f3a8