MSF Introduction
What is Metasploit (MSF)?
Metasploit Framework is an open-source penetration testing and exploitation tool used for testing and evaluating the security of computer systems and networks. Developed by Rapid7, Metasploit is one of the most popular and widely used tools in the field of ethical hacking and cybersecurity. It provides a comprehensive and extensible framework for finding vulnerabilities, conducting penetration tests, and developing and executing exploits.
Key features and components of Metasploit Framework include:
Exploits: Metasploit contains a vast collection of exploits that can be used to target known vulnerabilities in various software applications, operating systems, and network devices. These exploits are used to gain unauthorized access to target systems for testing and assessment purposes.
Payloads: Payloads are code snippets or scripts that are delivered to a compromised system after a successful exploitation. These payloads can be used for tasks such as creating reverse shells, running arbitrary commands, or exfiltrating data from the target.
Post-exploitation Modules: Metasploit includes a range of post-exploitation modules that allow testers to perform tasks on compromised systems, such as gathering information, escalating privileges, and maintaining access.
Auxiliary Modules: These modules provide additional functionality, such as scanning, fingerprinting, and brute-force attacks. They are not directly involved in exploitation but assist in the overall penetration testing process.
Meterpreter: Meterpreter is a powerful post-exploitation payload included with Metasploit. It provides a command shell with extensive capabilities for interacting with the compromised system, including file manipulation, privilege escalation, and network pivoting.
Exploit Development: Metasploit Framework allows security professionals to develop and test their own exploits for new vulnerabilities.
Resource Scripts: Users can create resource scripts to automate tasks and actions within Metasploit, simplifying the process of penetration testing.
Terminology
Term
Description
Interface
Methods of interacting with the Metasploit Framework (msfconsole
, Metasploit cmd)
Module
Pieces of code that perform a particular task (an exploit)
Vulnerability
Exploitable flaw or weakness in a computer system or network
Exploit
Code/Module used to take advantage of a vulnerability
Payload
Piece of code delivered to the target by an exploit (execute arbitrary commands or provide remote access)
Listener
Utility that listens for an incoming connection from a target
📌 Exploit is launched (takes advantage of the vulnerability) ➡️ Payload dropped (executes a reverse shell command) ➡️ Connects back to the Listener
Interfaces
🗒️ Metasploit Framework Console (MSFconsole) - an all in one interface that provides with access to all the functionality of the MSF.msfconsole🗒️ Metasploit Framework Command Line Interface (MSFcli) - a command line utility used to facilitate the creation of automation scripts that utilize Metasploit modules.
Discontinued in 2015, MSFconsole can be used with the same functionality of redirecting output from other tools into
msfcli
and vice versa.
🗒️ Metasploit Community Edition GUI - a web based GUI front-end of the MSF.🗒️ Armitage - a free Java based GUI front-end cyber attack management tool for the MSF.
Visualizes targets and simplifies network discovery
Recommends exploits
Exposes the advanced capabilities of the MSF
Metasploit Framework Architecture - oreilly.com🗒️ A module is the piece of code that can be utilized and executed by the MSF.The MSF libraries (Rex, Core, Base) allow to extend and initiate functionality, facilitating the execution of modules without having to write additional code.
Modules
MSF Module
Description
Exploit
Used to take advantage of a vulnerability, usually paired with a payload
Payload
Code delivered and remotely executed on the target after successful exploitation - e.g. a reverse shell that initiates a connection
Encoder
Used to encode payloads in order to avoid Anti Virus detection - e.g. shikata_ga_nai encoding scheme
NOPS
Keep the payload sizes consistent across exploit attempts and ensure the stability of a payload on the target system
Auxiliary
Is not paired with a payload, used to perform additional functionality - e.g. port scanners, fuzzers, sniffers, etc
Payloads are created at runtime from various components. Depending on the target system and infrastructure, there are two types of payloads that can be used:
Non-Staged Payload - sent to the target system as is, along with the exploit
Staged Payload - sent to the target in two parts:
the stager (first part) establish a stable communication channel between the attacker and target. It contains a payload, the stage, that initiates a reverse connection back to the attacker
the stage (second part) is downloaded by the stager and executed
executes arbitrary commands on the target
provides a reverse shell or Meterpreter session
🗒️ The Meterpreter is an advanced multi-functional payload executed by in memory DLL injection stagers on the target system.
Communicates over the stager socket
Provides an interactive command interpreter on the target system
MSF filesystem is intuitive and organized by directories.
Modules are stored under:
/usr/share/metasploit-framework/modules/
~/.msf4/modules
- user specified modules
Pentesting with MSF
🗒️ PTES (Penetration Testing Execution Standard) is a methodology that contains 7 main sections, defined by the standard as a comprehensive basis for penetration testing execution.
can be adopted as a roadmap for Metasploit integration and understanding of the phases of a penetration test.
The various phases involved in a typical pentest should be:📌 Pre-Engagement Interactions⬇️📌 Information Gathering⬇️📌 Enumeration
Threat Modeling
Vulnerability Analysis
⬇️📌 Exploitation
Identify Vulnerable Services
Prepare Exploit Code
Gaining Access
Bypass AV detection
Pivoting
⬇️📌 Post Exploitation
Privilege Escalation
Maintaining Persistent Access
Clearing Tracks
⬇️📌 Reporting
Pentesting Phase
MSF Implementation
Information Gathering & Enumeration
Auxiliary Modules, nmap
reports
Vulnerability Scanning
Auxiliary Modules, nessus
reports
Exploitation
Exploit Modules & Payloads
Post Exploitation
Meterpreter
Privilege Escalation
Post Exploitation Modules, Meterpreter
Maintaining Persistent Access
Post Exploitation Modules, Persistence
PTES - infopulse.com
Metasploit Fundamentals
Database
🗒️ The Metasploit Framework Database (msfdb) contains all the data used with MSF like assessments and scans data, etc.
Uses PostgreSQL as the primary database -
postgresql
service must be runningFacilitates the import and storage of scan results (from Nmap, Nessus, other tools)
Use APT package manager on Kali Linux (or on Debian-based distros)
sudo apt update && sudo apt install metasploit-framework -y
Enable
postgresql
at boot, start the service and initialize MSF database
sudo systemctl enable postgresqlsudo systemctl restart postgresqlsudo msfdb init
Run
msfconsole
to start the Metasploit Framework Console
msfconsole
Check the db connection is on in the
msfconsole
db_status
📌 Check this article by StationX ➡️ How to Use Metasploit in Kali Linux + Metasploitable3 which will cover:
Deploying a Kali Linux virtual machine with Metasploit pre-installed
Setting up a target in a virtual lab, Metasploitable3, with Vagrant
A sample walkthrough against a vulnerable MySQL Server
Frequently Asked Questions (FAQ)
🗒️ The Metasploit Framework Console (msfconsole) is an all-in-one interface and centralized console that allows access to all of the MSF options and features.
It is launched by running the
msfconsole
command
msfconsole
Run it in quiet mode without the banner with
msfconsole -q
Module Variables
An MSF module requires additional information that can be configured through the use of MSF variables, both local or global variables, called options
inside the msfconsole.Variables e.g. (they are based on the selected module):
LHOST
- attacker's IP addressLPORT
- attacker's port number (receive reverse connection)RHOST
- target's IP addressRHOSTS
- multiple targets/networks IP addressesRPORT
- target port number
Useful Commands
Run
msfconsole
and check these useful commands:
helpversionshow -hshow allshow exploitssearch <STRING>use <MODULE_NAME>set <OPTION>runexecute # same as runsessionsconnect
Port Scan Example
search portscanuse auxiliary/scanner/portscan/tcpshow optionsset RHOSTS <TARGET_IP>set PORTS 1-1000run# CTRL+C to cancel the running processback
CVE Exploits Example
search cve:2017 type:exploit platform:windowssearch cve:2017 type:exploit platform:window
Payload Options Example
search eternalblueuse 0# specify the identifierset payload <PAYLOAD_NAME>set RHOSTS <TARGET_IP>run# orexploit
🗒️ Metasploit Workspaces allows to manage and organize the hosts, data, scans and activities stored in the msfdb
.
Import, manipulate, export data
Create, manage, switch between workspaces
Sort and organize the assessments of the penetration test
📌 It's recommended to create a new workspace for each engagement.
msfconsole -qdb_status[*] Connected to msf. Connection type: postgresql.workspace -hworkspace -hworkspace# current working workspace* default
Create a new workspace
workspace -a Test
Change workspace
workspace <WORKSPACE_NAME>workspace -a INE
Delete a workspace
workspace -d Test
Last updated