
In this article by Nipun Jaswal, the author of the book Metasploit Bootcamp, we will be covering the following topics:

  • Fundamentals of Metasploit
  • Benefits of using Metasploit


Penetration testing is the art of performing a deliberate attack on a network, web application, server, or any other device that requires a thorough check-up from a security perspective. The idea of a penetration test is to uncover flaws while simulating real-world threats. A penetration test is performed to find the vulnerabilities and weaknesses in systems, so that vulnerable systems can be protected against threats and malicious activity.

Achieving success in a penetration test largely depends on using the right set of tools and techniques, and a penetration tester must choose them carefully in order to complete a test. When talking about the best tools for penetration testing, the first one that comes to mind is Metasploit. It is considered one of the most practical tools for carrying out penetration testing today. Metasploit offers a wide variety of exploits, a great exploit development environment, information gathering and web testing capabilities, and much more.

The fundamentals of Metasploit

Now that we have completed the setup of Kali Linux, let us talk about the big picture: Metasploit. Metasploit is a security project that provides exploits and a wealth of reconnaissance features to aid a penetration tester. Metasploit was created by H.D. Moore back in 2003, and since then its rapid development has led it to be recognized as one of the most popular penetration testing tools. Metasploit is entirely a Ruby-driven project and offers a great many exploits, payloads, encoding techniques, and loads of post-exploitation features.

Metasploit comes in various editions, as follows:

  • Metasploit Pro: This is the commercial edition. It offers many great features, such as web application scanning and exploitation and automated exploitation, and is well suited to professional penetration testers and IT security teams. The Pro edition is used for advanced penetration tests and enterprise security programs.
  • Metasploit Express: The Express edition is used for baseline penetration tests. Features in this version of Metasploit include smart exploitation, automated brute forcing of credentials, and much more. This version is well suited to the IT security teams of small to medium-sized companies.
  • Metasploit Community: This is a free version with reduced functionality compared to the Express edition. For students and small businesses, however, this edition is a favorable choice.
  • Metasploit Framework: This is the command-line version, in which all tasks such as exploitation and third-party import are performed manually. This release is entirely suitable for developers and security researchers.

You can download Metasploit from the following link: https://www.rapid7.com/products/metasploit/download/editions/

We will be using the Metasploit Community and Framework editions. Metasploit also offers various types of user interface, as follows:

  • The graphical user interface (GUI): This has all the options available at the click of a button. It offers a user-friendly interface that helps provide cleaner vulnerability management.
  • The console interface: This is the preferred interface and the most popular one as well. It provides an all-in-one approach to all the options offered by Metasploit and is also considered one of the most stable interfaces.
  • The command-line interface: This is the most powerful interface, supporting everything from launching exploits to activities such as payload generation. However, remembering each and every command while using the command-line interface is a difficult job.
  • Armitage: Armitage, by Raphael Mudge, adds a neat hacker-style GUI to Metasploit. Armitage offers easy vulnerability management, built-in Nmap scans, exploit recommendations, and the ability to automate features using the Cortana scripting language.

Basics of Metasploit framework

Before we get our hands on the Metasploit framework, let us understand the basic terminology used in Metasploit. The following are not just terms, however, but the module types that are the heart and soul of the Metasploit project:

  • Exploit: This is a piece of code which, when executed, triggers the vulnerability on the target.
  • Payload: This is a piece of code that runs on the target after a successful exploitation. It defines the type of access and the actions we need to gain on the target system.
  • Auxiliary: These are modules that provide additional functionalities such as scanning, fuzzing, sniffing, and much more.
  • Encoder: Encoders are used to obfuscate modules to avoid detection by a protection mechanism such as an antivirus or a firewall.
  • Meterpreter: This is a payload that uses in-memory stagers based on DLL injections. It provides a variety of functions to perform at the target, which makes it a popular choice.

Architecture of Metasploit

Metasploit comprises various components, such as extensive libraries, modules, plugins, and tools. A diagrammatic view of the structure of Metasploit is as follows:

[Figure: diagrammatic view of the structure of Metasploit (libraries, modules, plugins, and tools)]

Let’s see what these components are and how they work. It is best to start with the libraries that act as the heart of Metasploit.

Let’s understand the use of the various libraries, as explained in the following list:

  • REX: Handles almost all core functions, such as setting up sockets, connections, formatting, and all other raw functions.
  • MSF CORE: Provides the underlying API and the actual core that describes the framework.
  • MSF BASE: Provides friendly API support to modules.

We have many types of modules in Metasploit, and they differ in their functionality. We have payload modules for creating access channels to exploited systems. We have auxiliary modules to carry out operations such as information gathering, fingerprinting, fuzzing an application, and logging into various services. Let’s examine the basic functionality of these modules, as shown in the following list:

  • Payloads: Payloads are used to carry out operations such as connecting to or from the target system after exploitation, or performing a particular task such as installing a service. Payload execution is the next step after the system is exploited successfully.
  • Auxiliary: Auxiliary modules are a special kind of module that performs specific tasks such as information gathering, database fingerprinting, scanning the network to find a particular service, enumeration, and so on.
  • Encoders: Encoders are used to encode payloads and attack vectors in order to evade detection by antivirus solutions or firewalls.
  • NOPs: NOP generators are used for alignment, which helps make exploits stable.
  • Exploits: The actual code that triggers a vulnerability.

Metasploit framework console and commands

With that overview of the architecture of Metasploit, let us now run Metasploit to get hands-on knowledge of the commands and the different modules. To start Metasploit, we first need to establish a database connection so that everything we do can be logged to the database. Using the database also speeds up Metasploit’s load time, because the module list is cached and indexed. Therefore, let us start the PostgreSQL service by typing the following command at the terminal:

root@beast:~# service postgresql start

Now, to initialize Metasploit’s database, let us run msfdb init, as shown in the following screenshot:

[Screenshot: output of msfdb init, creating the initial database schema]

It is clearly visible in the preceding screenshot that we have successfully created the initial database schema for Metasploit. Let us now start Metasploit’s database using the following command:

root@beast:~# msfdb start

We are now ready to launch Metasploit. Let us issue msfconsole in the terminal to start Metasploit, as shown in the following screenshot:

[Screenshot: msfconsole starting up and showing the Metasploit banner]

Welcome to the Metasploit console. Let us run the help command to see what other commands are available to us:

[Screenshot: output of the help command, listing the core commands]

The commands in the preceding screenshot are core Metasploit commands, which are used to set and get variables, load plugins, route traffic, unset variables, print the version, find the history of commands issued, and much more. These commands are fairly general. Let’s see the module-based commands next:

[Screenshot: the module commands section of the help output]

Everything related to a particular module in Metasploit comes under the module controls section of the help menu. Using the preceding commands, we can select a particular module, load modules from a particular path, get information about a module, show the core and advanced options related to a module, and even edit a module inline. Let us learn some basic Metasploit commands and familiarize ourselves with their syntax and semantics:

  • use [auxiliary/exploit/payload/encoder]: To select a particular module.
      msf> use exploit/unix/ftp/vsftpd_234_backdoor
      msf> use auxiliary/scanner/portscan/tcp
  • show [exploits/payloads/encoders/auxiliary/options]: To see the list of available modules of a particular type, or the options of the selected module.
      msf> show payloads
      msf> show options
  • set [option/payload]: To set the value of a particular option.
      msf> set payload windows/meterpreter/reverse_tcp
      msf> set LHOST 192.168.10.118
      msf> set RHOST 192.168.10.112
      msf> set LPORT 4444
      msf> set RPORT 8080
  • setg [option/payload]: To set the value of an option globally, so that it is retained when you switch modules.
      msf> setg RHOST 192.168.10.112
  • run: To launch an auxiliary module after all the required options are set.
      msf> run
  • exploit: To launch an exploit.
      msf> exploit
  • back: To unselect the current module and move back.
      msf(ms08_067_netapi)> back
      msf>
  • info: To list the information related to a particular exploit, auxiliary, or other module.
      msf> info exploit/windows/smb/ms08_067_netapi
      msf(ms08_067_netapi)> info
  • search: To find a particular module.
      msf> search hfs
  • check: To check whether a particular target is vulnerable to the exploit or not.
      msf> check
  • sessions: To list the available sessions.
      msf> sessions [session number]
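The console workflow above (start the database, launch msfconsole, then use/set/run a module) can be driven non-interactively through a Metasploit resource script, which makes a lab scan repeatable and keeps its console output on disk. This is an added example, not code from the book; it assumes msfdb and msfconsole are on PATH (a Kali-style install) and that 192.168.10.112 is a lab host of your own, as in the page's examples, and the function and file names are illustrative.

```shell
#!/bin/sh
# Added example (not from the book): the page's console commands as a
# resource script. Assumes msfdb/msfconsole on PATH and a lab host you own.
set -eu

# Turn the console commands from the table into a resource script: one "use",
# one "set" per KEY=VALUE argument, then "run". "spool" keeps a transcript of
# everything the console prints, which is the record you keep for the report.
make_rc() {
  module=$1; shift
  : "${LOGFILE:=/tmp/msf-console.log}"   # illustrative default path
  printf 'spool %s\n' "$LOGFILE"
  printf 'use %s\n' "$module"
  for kv in "$@"; do
    printf 'set %s %s\n' "${kv%%=*}" "${kv#*=}"
  done
  printf 'run\n'
  printf 'spool off\nexit\n'
}

# The database steps from the text: start PostgreSQL, create the schema
# (needed only the first time), then start msfdb.
db_up() {
  service postgresql start
  msfdb init
  msfdb start
}

# Launch msfconsole quietly (-q, no banner) and feed it the script (-r).
# The scanner module takes RHOSTS (a host, range or CIDR) rather than the
# RHOST used by single-target exploit modules; PORTS and THREADS bound the scan.
run_scan() {
  rc=$(mktemp /tmp/portscan.XXXXXX)
  make_rc auxiliary/scanner/portscan/tcp \
    RHOSTS=192.168.10.112 PORTS=22,80,443 THREADS=10 > "$rc"
  db_up
  msfconsole -q -r "$rc"
  rm -f "$rc"
}

if [ "${1:-}" = "--run" ]; then
  run_scan
fi
```

Run it as `sh msf-scan.sh --run`; the console transcript lands in the spool file named by LOGFILE.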


The basic Meterpreter commands are as follows:

  • sysinfo: To list system information for the compromised host.
      meterpreter> sysinfo
  • ifconfig: To list the network interfaces on the compromised host.
      meterpreter> ifconfig
      meterpreter> ipconfig (Windows)
  • arp: To list the IP and MAC addresses of hosts connected to the target.
      meterpreter> arp
  • background: To send the active session to the background.
      meterpreter> background
  • shell: To drop into a command shell on the target.
      meterpreter> shell
  • getuid: To get the current user details.
      meterpreter> getuid
  • getsystem: To escalate privileges and gain SYSTEM access.
      meterpreter> getsystem
  • getpid: To get the process ID of the Meterpreter session.
      meterpreter> getpid
  • ps: To list all the processes running on the target.
      meterpreter> ps

If you are using Metasploit for the very first time, refer to http://www.offensive-security.com/metasploit-unleashed/Msfconsole_Commands for more information on the basic commands.

Benefits of using Metasploit

Metasploit is an excellent choice compared to traditional manual techniques because of the following factors:

  • The Metasploit framework is open source
  • Metasploit supports large testing networks by making use of CIDR identifiers
  • Metasploit offers quick generation of payloads, which can be changed or switched on the fly
  • Metasploit leaves the target system stable in most cases
  • The GUI environment provides a fast and user-friendly way to conduct penetration testing

Summary

Throughout this article, we learned the basics of Metasploit. We learned the syntax and semantics of various Metasploit commands. We also learned the benefits of using Metasploit.
