Metasploit with Slack
In this section, we will learn about a module called ShellHerder. This plugin is used to monitor all Metasploit/Meterpreter sessions. It was created with a basic idea in mind: to easily monitor new incoming sessions. In a red-team activity, this is useful as it can be used to monitor live phishing campaigns or a Rubber Ducky attack.
This plugin uses session subscriptions to monitor activity and send alerts to Slack. Let's take a look at how to set it up.
We clone ShellHerder and copy it to our Metasploit plugins directory using the following commands. In our case, we saved the file as notify.rb in the destination folder:
git clone https://github.com/chrismaddalena/ShellHerder.git
cp ShellHerder/ShellHerder.rb /opt/metasploit-framework/embedded/framework/plugins/notify.rb
We will then register an account on https://slack.com.
At this point, we choose Create a new workspace and follow the instructions:
Once the account is ready and we are logged in, we should be taken to a web page which will look something like this:
From the left-side menu in the Channels tab, we add a channel, as shown in the following screenshot:
ShellHerder relies on Slack's incoming Webhooks to send real-time alerts from Metasploit. So, as shown in the following screenshot, we now choose Add an application in the channel we created.
At this point, we search for an incoming Webhook app and add it. We will be redirected to the next page to configure the app. Here, we choose the channel name where we want the alerts to be posted:
Once we click on Add Incoming WebHooks integration, we will be taken to the next page where we will see the generated URL of our Webhook. We will copy this for later use and save the settings:
Now we connect to our team server and load the plugin from the console, as follows:
To configure the plugin, we run the help command:
We set the options and save the configuration using notify_save:
Running the notify_test command will show us a message on Slack, as shown in the following screenshot:
Every time a new session pops up, we will get a notification on Slack:
The preceding screenshot shows the connection on our Armitage. We can see a new notification message on our Slack, as shown in the following screenshot:
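The incoming Webhook mechanism used above comes down to an HTTPS POST of a JSON body with a text field to the generated URL, and that URL is the only credential involved. The following Ruby sketch is an added example, not ShellHerder's own code: it validates the URL, builds the request, and produces a redacted form for logs. The function names, the message wording, and the placeholder URL are assumptions constructed for illustration.

```ruby
require 'json'
require 'net/http'
require 'uri'

# Host that serves Slack incoming Webhook URLs.
SLACK_WEBHOOK_HOST = 'hooks.slack.com'

# Parse and validate a webhook URL before use. The URL is a bearer secret:
# anyone who holds it can post into the channel it is bound to.
def parse_webhook_url(url)
  uri = URI.parse(url)
  raise ArgumentError, 'webhook must use https' unless uri.is_a?(URI::HTTPS)
  raise ArgumentError, 'unexpected webhook host' unless uri.host == SLACK_WEBHOOK_HOST
  raise ArgumentError, 'webhook path missing' unless uri.path.start_with?('/services/')
  uri
end

# Form of the URL that is safe to write to logs or console history.
def redact_webhook_url(url)
  uri = parse_webhook_url(url)
  "#{uri.scheme}://#{uri.host}/services/[REDACTED]"
end

# Build (but do not send) the POST request for one session alert.
# The message wording is hypothetical, not ShellHerder's format.
def build_alert_request(url, session_id:, host:, time: Time.now.utc)
  uri = parse_webhook_url(url)
  req = Net::HTTP::Post.new(uri.request_uri, 'Content-Type' => 'application/json')
  stamp = time.strftime('%Y-%m-%d %H:%M:%SZ')
  req.body = JSON.generate(text: "New session #{session_id} from #{host} at #{stamp}")
  req
end

# Send the request over TLS; returns true when Slack answers with a 2xx status.
def send_alert(url, request)
  uri = parse_webhook_url(url)
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |http| http.request(request) }
  res.is_a?(Net::HTTPSuccess)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed placeholder URL, not a real webhook; nothing is sent here.
  url = 'https://hooks.slack.com/services/T00000000/B00000000/PLACEHOLDER'
  req = build_alert_request(url, session_id: 1, host: '192.0.2.10')
  puts redact_webhook_url(url)
  puts req.body
end
```

Because the URL alone authorizes posting, store the saved plugin configuration with restrictive file permissions and regenerate the Webhook in Slack if the URL leaks.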