MSF Introduction

What is Metasploit (MSF)?

Metasploit Framework is an open-source penetration testing and exploitation tool used for testing and evaluating the security of computer systems and networks. Developed by Rapid7, Metasploit is one of the most popular and widely used tools in the field of ethical hacking and cybersecurity. It provides a comprehensive and extensible framework for finding vulnerabilities, conducting penetration tests, and developing and executing exploits.

Key features and components of Metasploit Framework include:

  1. Exploits: Metasploit contains a vast collection of exploits that can be used to target known vulnerabilities in various software applications, operating systems, and network devices. These exploits are used to gain unauthorized access to target systems for testing and assessment purposes.

  2. Payloads: Payloads are code snippets or scripts that are delivered to a compromised system after a successful exploitation. These payloads can be used for tasks such as creating reverse shells, running arbitrary commands, or exfiltrating data from the target.

  3. Post-exploitation Modules: Metasploit includes a range of post-exploitation modules that allow testers to perform tasks on compromised systems, such as gathering information, escalating privileges, and maintaining access.

  4. Auxiliary Modules: These modules provide additional functionality, such as scanning, fingerprinting, and brute-force attacks. They are not directly involved in exploitation but assist in the overall penetration testing process.

  5. Meterpreter: Meterpreter is a powerful post-exploitation payload included with Metasploit. It provides a command shell with extensive capabilities for interacting with the compromised system, including file manipulation, privilege escalation, and network pivoting.

  6. Exploit Development: Metasploit Framework allows security professionals to develop and test their own exploits for new vulnerabilities.

  7. Resource Scripts: Users can create resource scripts to automate tasks and actions within Metasploit, simplifying the process of penetration testing.

Terminology

Term

Description

Interface

Methods of interacting with the Metasploit Framework (msfconsole, Metasploit cmd)

Module

Pieces of code that perform a particular task (an exploit)

Vulnerability

Exploitable flaw or weakness in a computer system or network

Exploit

Code/Module used to take advantage of a vulnerability

Payload

Piece of code delivered to the target by an exploit (execute arbitrary commands or provide remote access)

Listener

Utility that listens for an incoming connection from a target

📌 Exploit is launched (takes advantage of the vulnerability) ➡️ Payload dropped (executes a reverse shell command) ➡️ Connects back to the Listener

Interfaces

🗒️ Metasploit Framework Console (MSFconsole) - an all in one interface that provides with access to all the functionality of the MSF.msfconsole🗒️ Metasploit Framework Command Line Interface (MSFcli) - a command line utility used to facilitate the creation of automation scripts that utilize Metasploit modules.

  • Discontinued in 2015, MSFconsole can be used with the same functionality of redirecting output from other tools into msfcli and vice versa.

🗒️ Metasploit Community Edition GUI - a web based GUI front-end of the MSF.🗒️ Armitage - a free Java based GUI front-end cyber attack management tool for the MSF.

  • Visualizes targets and simplifies network discovery

  • Recommends exploits

  • Exposes the advanced capabilities of the MSF

Metasploit Framework Architecture - oreilly.com🗒️ A module is the piece of code that can be utilized and executed by the MSF.The MSF libraries (Rex, Core, Base) allow to extend and initiate functionality, facilitating the execution of modules without having to write additional code.

Modules

MSF Module

Description

Exploit

Used to take advantage of a vulnerability, usually paired with a payload

Payload

Code delivered and remotely executed on the target after successful exploitation - e.g. a reverse shell that initiates a connection

Encoder

Used to encode payloads in order to avoid Anti Virus detection - e.g. shikata_ga_nai encoding scheme

NOPS

Keep the payload sizes consistent across exploit attempts and ensure the stability of a payload on the target system

Auxiliary

Is not paired with a payload, used to perform additional functionality - e.g. port scanners, fuzzers, sniffers, etc

Payloads are created at runtime from various components. Depending on the target system and infrastructure, there are two types of payloads that can be used:

  • Non-Staged Payload - sent to the target system as is, along with the exploit

  • Staged Payload - sent to the target in two parts:

    • the stager (first part) establish a stable communication channel between the attacker and target. It contains a payload, the stage, that initiates a reverse connection back to the attacker

    • the stage (second part) is downloaded by the stager and executed

      • executes arbitrary commands on the target

      • provides a reverse shell or Meterpreter session

🗒️ The Meterpreter is an advanced multi-functional payload executed by in memory DLL injection stagers on the target system.

  • Communicates over the stager socket

  • Provides an interactive command interpreter on the target system

  • MSF filesystem is intuitive and organized by directories.

  • Modules are stored under:

    • /usr/share/metasploit-framework/modules/

    • ~/.msf4/modules - user specified modules

Pentesting with MSF

🗒️ PTES (Penetration Testing Execution Standard) is a methodology that contains 7 main sections, defined by the standard as a comprehensive basis for penetration testing execution.

  • can be adopted as a roadmap for Metasploit integration and understanding of the phases of a penetration test.

The various phases involved in a typical pentest should be:📌 Pre-Engagement Interactions⬇️📌 Information Gathering⬇️📌 Enumeration

  • Threat Modeling

  • Vulnerability Analysis

⬇️📌 Exploitation

  • Identify Vulnerable Services

  • Prepare Exploit Code

  • Gaining Access

  • Bypass AV detection

  • Pivoting

⬇️📌 Post Exploitation

  • Privilege Escalation

  • Maintaining Persistent Access

  • Clearing Tracks

⬇️📌 Reporting

Pentesting Phase

MSF Implementation

Information Gathering & Enumeration

Auxiliary Modules, nmap reports

Vulnerability Scanning

Auxiliary Modules, nessus reports

Exploitation

Exploit Modules & Payloads

Post Exploitation

Meterpreter

Privilege Escalation

Post Exploitation Modules, Meterpreter

Maintaining Persistent Access

Post Exploitation Modules, Persistence

PTES - infopulse.com

Metasploit Fundamentals

Database

🗒️ The Metasploit Framework Database (msfdb) contains all the data used with MSF like assessments and scans data, etc.

  • Uses PostgreSQL as the primary database - postgresql service must be running

  • Facilitates the import and storage of scan results (from Nmap, Nessus, other tools)

  • Use APT package manager on Kali Linux (or on Debian-based distros)

sudo apt update && sudo apt install metasploit-framework -y

  • Enable postgresql at boot, start the service and initialize MSF database

sudo systemctl enable postgresqlsudo systemctl restart postgresqlsudo msfdb init

  • Run msfconsole to start the Metasploit Framework Console

msfconsole

  • Check the db connection is on in the msfconsole

db_status

📌 Check this article by StationX ➡️ How to Use Metasploit in Kali Linux + Metasploitable3 which will cover:

  • Deploying a Kali Linux virtual machine with Metasploit pre-installed

  • Setting up a target in a virtual lab, Metasploitable3, with Vagrant

  • A sample walkthrough against a vulnerable MySQL Server

  • Frequently Asked Questions (FAQ)

🗒️ The Metasploit Framework Console (msfconsole) is an all-in-one interface and centralized console that allows access to all of the MSF options and features.

  • It is launched by running the msfconsole command

msfconsole

  • Run it in quiet mode without the banner with

msfconsole -q

Module Variables

An MSF module requires additional information that can be configured through the use of MSF variables, both local or global variables, called options inside the msfconsole.Variables e.g. (they are based on the selected module):

  • LHOST - attacker's IP address

  • LPORT - attacker's port number (receive reverse connection)

  • RHOST - target's IP address

  • RHOSTS - multiple targets/networks IP addresses

  • RPORT - target port number

Useful Commands

  • Run msfconsole and check these useful commands:

helpversion​show -hshow allshow exploits​search <STRING>use <MODULE_NAME>set <OPTION>runexecute # same as run​sessionsconnect

Port Scan Example

search portscanuse auxiliary/scanner/portscan/tcpshow optionsset RHOSTS <TARGET_IP>set PORTS 1-1000run# CTRL+C to cancel the running processback

CVE Exploits Example

search cve:2017 type:exploit platform:windowssearch cve:2017 type:exploit platform:window

Payload Options Example

search eternalblueuse 0# specify the identifierset payload <PAYLOAD_NAME>set RHOSTS <TARGET_IP>run# orexploit

🗒️ Metasploit Workspaces allows to manage and organize the hosts, data, scans and activities stored in the msfdb.

  • Import, manipulate, export data

  • Create, manage, switch between workspaces

  • Sort and organize the assessments of the penetration test

📌 It's recommended to create a new workspace for each engagement.

msfconsole -qdb_status[*] Connected to msf. Connection type: postgresql.workspace -hworkspace -hworkspace# current working workspace* default

  • Create a new workspace

workspace -a Test

  • Change workspace

workspace <WORKSPACE_NAME>workspace -a INE

  • Delete a workspace

workspace -d Test

Last updated