Welcome back, my aspiring cyber warriors!
In this series, I will introduce you to the world's most popular hacking/pentesting platform, Metasploit!
Metasploit is the world's leading exploitation/hacker framework. It is used--to some extent--by nearly every hacker/pentester. As such, you really need to become familiar with it if you want to enter and prosper in this burgeoning cybersecurity/pentesting industry.
What is Metasploit?
Metasploit is standardized framework for use in offensive security or penetration testing (legal hacking to find vulnerabilities before the bad guys do). Before Metasploit, exploits and shellcode would be developed by various developers, in various languages, for various systems. The pentester had to rely upon the trustworthiness of the developer that it was not laden with malicious code and learn how the developer intended the exploit/shellcode/tool to work. With Metasploit, the pentester has a standardized framework to work from where the tools work similarly and all are written in the same language making things much simpler and easier.
Originally developed by HD Moore as an open-source project, it is now owned by the security company, Rapid7 (Rapid7 also owns the vulnerability scanner, Nexpose). Although originally developed as an open-source project, Rapid7 has now developed a Pro version of Metasploit with a few more "bells and whistles". Fortunately, the open-source, community-edition is still available to the rest of us without the tens of thousands of dollars to spend on the Pro version (if you are a professional pentester, the efficiency and time savings accrued in using the Pro version make it a good investment).
The original Metasploit was written in Python, then ported to Ruby. This means that all modules had to be written or ported to Ruby (Python is the most common scripting language for exploits). Now, with the development and release of Metasploit 5, Metasploit now supports modules written in Python or GO.
With the release of the fifth version of Metasploit, the developers at Rapid7 have added a number of new features, including;
1. Storing data in a local database or an HTTP based data service
2. Evasion modules
3. An API
4. Ease of scaling. RHOST and RHOSTS are aliased
5. The ability to background shell sessions
6. As mentioned above, support for Python and GO modules.
Metasploit Interfaces
Metasploit has multiple interfaces including;
(1) msfconsole - an interactive command-line like interface (2) msfcli - a literal Linux command line interface (3) Armitage - a GUI-based third party application (4) msfweb - browser based interface
Undoubtedly, the most common way to use Metasploit is through Metasploit's own interactive shell, msfconsole. In this series on Metasploit, we will be largely using this msfconsole, but I will show you how to use the others in later tutorials.
In recent years, Metasploit has integrated additional tools to make it more than just a exploitation framework. Tools, such as nmap, Nessus and Nexpose, are now integrated into Metasploit, so that the entire process of from port scanning, vulnerability scanning, exploitation and post-exploitation, can all be done from one single tool. In addition, Metasploit has now integrated a postgresql database to store the data collected from your scans and exploits.
Getting Started
Before we start Metasploit, we should start the postgresql database. Metasploit will work without postgresql, but this database enables Metasploit to run faster searches and store the information you collect while scanning and exploiting.
Start the postgresql database before starting Metasploit by typing;
kali > sudo systemctl start postgresql
Note: In the latest versions of starting with Kali Linux 2020, you can not run commands that require root privileges without preceding the commands with sudo.
Next, if this is the first time running Metasploit, you must initialize the database.
kali >sudo msfdb init
Once the database has been initialized, you can start the Metasploit Framework console by typing;
kali >msfconsole
As Metasploit loads everything into RAM, it can take awhile (it's much faster in Metasploit 5).
Don't worry if it doesn't look exactly the same as my screen above as Metasploit rotates the opening splash images. As long as you have the msf5 > prompt, you are in the right place.
This starts the Metasploit console, a kind of interactive console.
If you are more GUI oriented, you can go to Kali icon-->Exploitation Tools--> metasploit framework like below.
Metasploit Keywords
Although Metasploit is a very powerful exploitation framework, just a few keywords can get you started hacking just about any system.
Metasploit has six (7) types of modules;
(1) exploits
(2) payloads
(3) auxiliary
(4) nops
(5) post
(6) encoders
(7) evasion (new in Metasploit 5)
A word about terminology though before we start. In Metasploit terminology, an exploit is a module that takes advantage of a system or application vulnerability. It usually will attempt to place a payload on the system. This payload can be a simple command shell or the all-powerful, Meterpreter. In other environments these payloads might be termed listeners, shellcode, or rootkits. You can read more about the different types of payloads in Metasploit Basics, Part3: Payloads
Let's take a look at some of those keyword commands. We can get a list of commands by entering help at the metasploit (msf5>) prompt.
msf > help
Note that we can access this help menu with the "?" as well as "help".
msf > use
The "use" command loads a module. So, for instance, if I wanted to load the exploit/windows/browser/adobe_flash_avm2 module (this is an exploit that takes advantage of one of the many vulnerabilities in the Adobe Flash plug-in), I would enter;
msf > use exploit/windows/browser/adobe_flash_avm2
As you can see above, when Metasploit successfully loads the module, it responds with the type of module (exploit) and the abbreviated module name in red.
msf> show
After you load a module, the show command can be very useful to gather more information on the module. The three "show" commands I use most often are "show options", "show payloads" and "show targets". Let's take a look at "show payloads" first.
msf > show payloads
This command, when used after selecting your exploit, will show you all the payloads that are compatible with this exploit (note the column heading "Compatible Payloads"). If you run this command before selecting an exploit, it will show you ALL payloads, a VERY long list. As you see in the screenshot above, the show payloads command listed all the payloads that will work with this exploit.
msf > show options
This command is also very useful in running an exploit. It will display all of the options that need to set before running the module. These options include such things as IP addresses, URI path, the port, etc. msf > show targets
A less commonly used command is "show targets". Each exploit has a list of the targets it will work against. By using the "show targets" command, we can get a list of them. In this case, targeting is automatic, but some exploits have as many as 100 different targets (different operating systems, service packs, languages, etc.) and success will often depend upon selecting the appropriate one. These targets can be defined by operating system, service pack and language, among other things.
msf > info
The info command is simple. When you type it after you have selected a module, it shows you key information about the module, including the options that need to be set, the amount of payload space (more about this in the payloads section), and a description of the module. I usually always run it after selecting my exploit.
msf > search
As a newcomer to Metasploit, the "search" command might be the most useful. When Metasploit was small and new, it was relatively easy to find the right module you needed. Now, with over 3000 modules, finding just the right module can be time-consuming and problematic. Rapid7 added the search function starting with version 4 and it has become a time- and life-saver.
Although you can use the search function to search for keywords in the name or description of the module (including CVE or MS vulnerability number), that approach is not always efficient as it will often return a VERY large result set.
To be more specific in your search, you can use the following keywords.
platform - this is the operating system that the module is built for type - this is the type of module. These include exploits, nops, payloads, post, encoders, evasion and auxiliary name - if you know the name of the module you can search by its name
The syntax for using search is the keyword followed by a colon and then a value such as;
msf > search type:exploit For instance, if you were looking for an exploit (type) for Windows (platform) for Abobe Flash, we could type;
msf > search type:exploit platform:windows flash
As you can see above, Metasploit searched it's database for modules that were exploits for the Windows platform and included the keyword "flash".
msf > set
This command is use to set options within the module you selected. For instance, if we look above at the show options command, we can see numerous options that must set such as URIPATH, SVRHOST and SVRPORT. We can set any of these with the set command such as;
msf > set SRVPORT 80
This changes the default SVRPORT (server port) from 8080 to 80.
msf > unset
This command, as you might expect, unsets the option that was previously set. Such as;
msf > unset SRVPORT
As you can see, we first set the SRVPORT variable to 80 and then unset it. It then reverted back to the default value of 8080 that we can see when we typed show options again.
msf > exploit
Once we have loaded our exploit and set all the necessary options, the final action is "exploit". This sends the exploit to the target system and, if successful, installs the payload. As you can see in this screenshot, the exploit starts and is running as background job with a reverse handler on port 4444. It then started a webserver on host 0.0.0.0 on port 80 with a randomized URL (F5pmyl9gCHVGw90). We could have chosen a specific URL and set it by changing the URIPATH variable with the set command.
msf > back
We can use the back command to take us "back" one step in our process. So, if you instance, we decided that we did not want to use the adobe/flash/avm2 exploit, we could type "back" and it would remove the loaded exploit.
msf > exit
The exit command, as you would expect, exits us from the msfconsole and back into the BASH command shell.
Notice that in this case, it stops the webserver that we created in this exploit and returned us to the Kali command prompt in the BASH shell.
In many exploits, you will see the following options (variables).
RHOSTS - this is the remote host(s) or target IP(s) LHOST - this is the local host or attacker IP RPORT - this is the remote port or target port LPORT - this is the local port or attacker port
These can all be set, by using the SET command followed by the variable name (RHOST, for instance) and then the value.
msf > SET RHOST 75.75.75.75
Although this is less than an exhaustive list of Metasploit commands, with just these commands you should be able to execute most of the functions in Metasploit. When you need another command in this course, I will take a few minutes to introduce it, but these are all you will likely need, for now.
You can continue this series by going to Metasploit Basics, Part 2 as we explore the most powerful open-source exploitation framework until you become a Metasploit Expert!
If you want to learn more about Metasploit in a hands-on live course, click here or click here for more Metasploit Basics for Hackers.
