
Getting Started with Metasploit


I. Introduction

Metasploit is the world’s leading exploitation framework. It is used, to some extent, by nearly every hacker/pentester. As such, you really need to become familiar with it if you want to enter and prosper in this burgeoning field.

Originally developed by HD Moore as an open-source project, it is now owned by the security company Rapid7 (Rapid7 also owns the vulnerability scanner Nexpose). Although originally developed as an open-source project, Rapid7 has now developed a Pro version of Metasploit with a few more “bells and whistles”. Fortunately, the open-source community edition is still available to the rest of us who don't have tens of thousands of dollars to spend on the Pro version (if you are a professional pentester, the efficiency and time savings accrued in using the Pro version make it a good investment).

Metasploit Interfaces

Metasploit has multiple interfaces, including:

(1) msfconsole – an interactive command-line-like interface
(2) msfcli – a literal Linux command-line interface
(3) Armitage – a GUI-based third-party application
(4) msfweb – a browser-based interface

Undoubtedly, the most common way to use Metasploit is through Metasploit’s own interactive shell, msfconsole. In this tutorial, we will largely be using msfconsole, but I will show you how to use the others in later tutorials.

In recent years, Metasploit has integrated additional tools to make it more than just an exploitation framework. Tools such as nmap and Nexpose are now integrated into Metasploit, so that the entire process, from port scanning and vulnerability scanning through exploitation and post-exploitation, can be done from one single tool. In addition, Metasploit now integrates a postgresql database to store the data collected from your scans and exploits.

II. Getting Started

Before we start Metasploit, we should start the postgresql database. Metasploit will work without postgresql, but this database enables Metasploit to run faster searches and store the information you collect while scanning and exploiting.

Start the postgresql database before starting Metasploit by typing:

kali > service postgresql start

Once the database has been started, you can start the Metasploit Framework console by typing:

kali > msfconsole

As Metasploit loads everything into RAM, it takes a while, so be patient. Eventually, you should get a screen that looks like this.

Don’t worry if it doesn’t look exactly the same as my screen above, as Metasploit rotates the opening splash images. As long as you have the msf > prompt, you are in the right place.

This starts the Metasploit console. If you are more GUI oriented, you can go to Applications –> Exploitation Tools –> metasploit framework.

III. Metasploit Keywords

Although Metasploit is a very powerful exploitation framework, just a few keywords can get you started  hacking just about any system.

Metasploit has six (6) types of modules:

(1) exploits
(2) payloads
(3) auxiliary
(4) nops
(5) post
(6) encoders

A word about terminology before we start. In Metasploit terminology, an exploit is a module that takes advantage of a system or application vulnerability. It usually will attempt to place a payload on the system. This payload can be a simple command shell or the all-powerful Meterpreter. In other environments these payloads might be termed listeners or rootkits. I will do a tutorial on each of these types of modules in the near future.

Let’s take a look at some of those keyword commands. We can get a list of commands by typing help.

msf > help

Note that we can access this help menu with “?” as well as “help”.

msf > use

The “use” command loads a module. So, for instance, if I wanted to load the exploit/windows/browser/adobe_flash_avm2 module (this is an exploit that takes advantage of one of the many vulnerabilities in the Adobe Flash plug-in), I would type:

msf > use exploit/windows/browser/adobe_flash_avm2

As you can see above, when Metasploit successfully loads the module, it responds with the type of module (exploit) and the abbreviated module name in red.

msf > show

After you load a module, the show command can be very useful to gather more information on the module. The three “show” commands I use most often are “show options”, “show payloads” and “show targets”. Let’s take a look at “show payloads” first.

msf > show payloads


This command, when used after selecting your exploit, will show you all the payloads that are compatible with this exploit. If you run this command before selecting an exploit, it will show you ALL payloads, a VERY long list.

As you see in the screenshot above, the show payloads command listed all the payloads that will work with this exploit.

msf > show options

This command is also very useful in running an exploit. It will display all of the options that need to be set before running the module. These options include such things as IP addresses, the URI path, the port, etc.

msf > show targets

A less commonly used command is “show targets”. Each exploit has a list of the targets it will work against. By using the “show targets” command, we can get a list of them. In this case, targeting is automatic, but some exploits have as many as 100 different targets and success will often depend upon selecting the correct one. These targets can be defined by operating system, service pack and language, among other things.

msf > info

The info command is simple. When you type it after you have selected a module, it shows you key information about the module, including the options that need to be set, the amount of payload space (more about this in the payloads section), and a description of the module. I always run it after selecting my exploit.

msf > search

As a newcomer to Metasploit, the “search” command might be the most useful. When Metasploit was small and new, it was relatively easy to find the right module you needed. Now, with over 3000 modules, finding just the right module can be time-consuming and problematic. Rapid7 added the search function starting with version 4 and it has become a time- and life-saver.

Although you can use the search function to search for keywords, that approach is not always efficient as it will often return a VERY large result set.

To be more specific in your search, you can use the following keywords:

platform – the operating system that the module is built for
type – the type of module; these include exploits, nops, payloads, post, encoders and auxiliary
name – if you know the name of the module, you can search by its name

The syntax for using search is the keyword followed by a colon and then a value, such as:

msf > search type:exploit

For instance, if we were looking for an exploit (type) for Windows (platform) for Adobe Flash, we could type:

msf > search type:exploit platform:windows flash

As you can see above, Metasploit searched its database for modules that were exploits for the Windows platform and included the keyword “flash”.
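To make the keyword syntax concrete, here is a small model of how a `keyword:value` search narrows a module list. This is an added example, not Metasploit's own search code: it filters a constructed catalogue of module paths (only the adobe_flash_avm2 path comes from this tutorial; the others are made up for the example), it matches free-text terms against the path only, and it knows just the three keywords described above, whereas the real search also matches descriptions and references and accepts more keywords.

```python
"""Model of msfconsole's `search` syntax: `keyword:value` tokens narrow the
result set and any remaining words are matched as free text.

Added example, not Metasploit's search implementation. The module list is
constructed for this example; only adobe_flash_avm2 comes from the tutorial."""

# Constructed sample catalogue: (module path, platforms the module targets).
# Paths follow Metasploit's type/.../name layout; the first segment is the type.
SAMPLE_MODULES = [
    ("exploit/windows/browser/adobe_flash_avm2", {"windows"}),
    ("exploit/windows/smb/example_smb_bug", {"windows"}),            # constructed name
    ("exploit/multi/browser/example_flash_bug", {"windows", "linux", "osx"}),  # constructed
    ("auxiliary/scanner/portscan/tcp", {"windows", "linux", "osx"}),
    ("payload/windows/meterpreter/reverse_tcp", {"windows"}),
    ("post/linux/gather/example_enum", {"linux"}),                    # constructed name
]

# The three keywords the tutorial describes; anything else is free text.
SEARCH_KEYWORDS = ("type", "platform", "name")


def parse_search(query):
    """Split 'type:exploit platform:windows flash' into keyword filters and free terms."""
    filters, terms = {}, []
    for token in query.split():
        key, sep, value = token.partition(":")
        if sep and key in SEARCH_KEYWORDS and value:
            filters[key] = value.lower()
        else:
            terms.append(token.lower())
    return filters, terms


def module_type(path):
    # "exploit/windows/browser/adobe_flash_avm2" -> "exploit"
    return path.split("/", 1)[0]


def module_name(path):
    # "exploit/windows/browser/adobe_flash_avm2" -> "adobe_flash_avm2"
    return path.rsplit("/", 1)[-1]


def search_modules(query, modules=SAMPLE_MODULES):
    """Return the module paths that satisfy every keyword filter and every free term."""
    filters, terms = parse_search(query)
    hits = []
    for path, platforms in modules:
        lowered = path.lower()
        if "type" in filters and module_type(path) != filters["type"]:
            continue
        if "platform" in filters and filters["platform"] not in platforms:
            continue
        if "name" in filters and filters["name"] not in module_name(path).lower():
            continue
        if not all(term in lowered for term in terms):
            continue
        hits.append(path)
    return hits


if __name__ == "__main__":
    # Same query as the tutorial: an exploit, for Windows, mentioning flash.
    for hit in search_modules("type:exploit platform:windows flash"):
        print(hit)
```

Note how the free term “flash” on its own would also return the multi-platform module, and a bare `search flash` against the full catalogue would return payloads, auxiliary and post modules as well; the `type:` and `platform:` filters are what keep the result set short.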

msf > set

This command is used to set options within the module you selected. For instance, if we look above at the show options command, we can see numerous options that must be set, such as URIPATH, SRVHOST and SRVPORT. We can set any of these with the set command, such as:

msf > set SRVPORT 80

This changes the default SRVPORT (server port) from 8080 to 80.


msf > unset

This command, as you might expect, unsets an option that was previously set, such as:

msf > unset SRVPORT

As you can see, we first set the SRVPORT variable to 80 and then unset it. It then reverted back to the default value of 8080 that we can see when we typed show options again.
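The set/unset/show options sequence above is easier to reason about as a datastore in which user-set values shadow per-option defaults, and in which a module refuses to run until every required option has a value. The following is an added example, not Metasploit's own datastore code: the option table is a constructed subset (SRVHOST, SRVPORT, URIPATH, LHOST, LPORT) using the defaults this tutorial shows (8080, 0.0.0.0, random URI, handler port 4444), not a module definition pulled from the framework, and the “launched” result only stands in for what the real exploit command would do.

```python
"""Model of a module's option datastore: `set`, `unset` reverting to the default,
and the required-option validation that makes `show options` worth running
before `exploit`.

Added example, not Metasploit's own code; the option table below is constructed."""


class OptionStore:
    """Minimal datastore: user-set values shadow per-option defaults."""

    def __init__(self, spec):
        # spec maps option name -> (default, required, description)
        self.spec = dict(spec)
        self.values = {}

    def set(self, name, value):
        if name not in self.spec:
            raise KeyError(f"unknown option: {name}")
        self.values[name] = value

    def unset(self, name):
        # Dropping the user value makes get() fall back to the default again.
        self.values.pop(name, None)

    def get(self, name):
        return self.values.get(name, self.spec[name][0])

    def show_options(self):
        """Rows like msfconsole's `show options`: name, current value, required, description."""
        return [(n, self.get(n), req, desc) for n, (_, req, desc) in self.spec.items()]

    def missing_required(self):
        """Required options that still have no value (no default and never set)."""
        return [n for n, (_, req, _) in self.spec.items() if req and self.get(n) in (None, "")]

    def exploit(self):
        """Validation step modelled on msfconsole: refuse to run until required options are set."""
        missing = self.missing_required()
        if missing:
            return ("refused", missing)
        return ("launched", [])


# Constructed option table; defaults follow the tutorial (SRVHOST 0.0.0.0, SRVPORT 8080,
# random URIPATH when unset, reverse handler on 4444). LHOST has no default on purpose.
BROWSER_EXPLOIT_OPTIONS = {
    "SRVHOST": ("0.0.0.0", True, "Local host to listen on"),
    "SRVPORT": ("8080", True, "Local port to listen on"),
    "URIPATH": (None, False, "URI to use for this exploit (random if unset)"),
    "LHOST": (None, True, "Listen address for the reverse payload"),
    "LPORT": ("4444", True, "Listen port for the reverse payload"),
}


def set_unset_walkthrough():
    """Replays the tutorial: SRVPORT defaults to 8080, set to 80, unset reverts to 8080."""
    store = OptionStore(BROWSER_EXPLOIT_OPTIONS)
    before = store.get("SRVPORT")
    store.set("SRVPORT", "80")
    after_set = store.get("SRVPORT")
    store.unset("SRVPORT")
    after_unset = store.get("SRVPORT")
    return before, after_set, after_unset


def exploit_gate_walkthrough():
    """Shows why `show options` comes before `exploit`: LHOST has no default."""
    store = OptionStore(BROWSER_EXPLOIT_OPTIONS)
    first = store.exploit()            # refused, LHOST still unset
    store.set("LHOST", "192.0.2.10")   # constructed listener address (documentation range)
    second = store.exploit()           # now passes validation
    return first, second


if __name__ == "__main__":
    for row in OptionStore(BROWSER_EXPLOIT_OPTIONS).show_options():
        print("%-8s %-10s %-5s %s" % (row[0], row[1], "yes" if row[2] else "no", row[3]))
    print(set_unset_walkthrough())
    print(exploit_gate_walkthrough())
```

Values are kept as strings because that is how msfconsole stores what you type after `set`; the module itself interprets them when it runs.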

msf > exploit

Once we have loaded our exploit and set all the necessary options, the final action is “exploit”. This sends the exploit to the target system and, if successful, installs the payload.

As you can see in this screenshot, the exploit starts and runs as a background job with a reverse handler on port 4444. It then starts a webserver on host 0.0.0.0 on port 80 with a randomized URL (F5pmyl9gCHVGw90). We could have chosen a specific URL and set it by changing the URIPATH variable with the set command.

msf > back


We can use the back command to take us “back” one step in our process. So, for instance, if we decided that we did not want to use the adobe_flash_avm2 exploit, we could type “back” and it would unload the exploit.

msf > exit


The exit command, as you would expect, exits us from msfconsole and back into the BASH command shell.

Notice that in this case, it stops the webserver that we created in this exploit and returns us to the Kali command prompt in the BASH shell.

In many exploits, you will see the following options (variables):

RHOST – the remote host or target IP
LHOST – the local host or attacker IP
RPORT – the remote port or target port
LPORT – the local port or attacker port

These can all be set by using the set command followed by the variable name (RHOST, for instance) and then the value.

msf > set RHOST 75.75.75.75

Although this is less than an exhaustive list of Metasploit commands, with just these commands you should be able to execute most of the functions in Metasploit. When you need another command in this course, I will take a few minutes to introduce it, but these are all you will likely need, for now.
