Day 054 #FromZeroToHacker – Metasploit Introduction

Metasploit is the most widely used exploitation framework that supports all phases of a penetration testing engagement, from information gathering to post-exploitation.

Let’s start our daily #FromZeroToHacker challenge.

Table of contents
Introduction
What have I learnt today?
Stats
Resources

Introduction to Metasploit: Introduction

Metasploit is the most widely used exploitation framework that supports all phases of a penetration testing engagement, from information gathering to post-exploitation.

What have I learnt today?

Introduction to Metasploit

The Metasploit framework is a set of tools that allow information gathering, scanning, exploitation, exploit development, post-exploitation and more. Not only can we do penetration testing with it, but also other things such as vulnerability research and exploit development.

Metasploit has two versions:

  • Metasploit Pro: The commercial version that improves the automation and management of tasks. It even has a Graphical User Interface (GUI).
  • Metasploit Framework: The open-source and free version that works from the command line.

The main components of the Metasploit Framework are:

  • msfconsole: The main command-line interface.
  • Modules: Supporting modules such as exploits, scanners, payloads, etc.
  • Tools: Stand-alone tools that will help vulnerability research, vulnerability assessment, or penetration testing.

Let’s start learning the main components of Metasploit.

The main components of Metasploit

Launched with the msfconsole command, this console will be our main interface to interact with all the different modules of the Metasploit Framework.

Before starting, a brief reminder of a few concepts:

  • Exploit: A piece of code that uses a vulnerability present in the target system.
  • Vulnerability: A design, coding or logic flaw affecting the target system.
  • Payload: Delivered by an exploit that takes advantage of a vulnerability; payloads are the code that will run on the target system.

Let’s see some modules and categories from the Metasploit Framework:

Auxiliary

Any supporting module, such as scanners, crawlers, and fuzzers.

Metasploit Auxiliary

Encoders

Encoders allow you to encode the exploit and payload, hoping that a signature-based antivirus misses them.

As signature-based antivirus and security solutions have a database of known threats, our payloads can get caught instantly. Encoders can improve the success rate by hiding their signature.

Metasploit Encoders

Evasion

Instead of encoding, you can also try to evade the antivirus software.

Metasploit evasion

Exploits

Exploits organised by the targeted system.

Metasploit exploits

NOPs

NOPs (No OPeration) do… nothing. Really. They are often used as a buffer to achieve consistent payload sizes.

Metasploit NOPs

Payloads

Payloads are code that will run on the target system to exploit a vulnerability. Getting a shell, loading malware, creating a backdoor to the target system… These and many more are examples of what we can do with payloads.

Running commands on the target system is nice, but having an interactive connection that allows you to type commands (a shell) is even better. Metasploit offers the ability to send different payloads that can open shells on the target system:

Metasploit payloads

There are four different directories:

  • Adapters: An adapter wraps single payloads to convert them into different formats. A Python payload turned into a PowerShell adapter, for example.
  • Singles: Self-contained payloads (add user, launch notepad.exe, etc) that do not need to download an additional component to run.
  • Stagers: Responsible for setting up a connection channel between Metasploit and the target system, while working with staged payloads.
  • Stages: Downloaded by the stager; they allow you to use larger payloads.

Post

Post modules are useful in the final stage of the penetration testing process, the post-exploitation phase.

Msfconsole

The console will be the main interface when using Metasploit Framework. We can launch it with msfconsole.

Metasploit msfconsole

The Metasploit console (msfconsole) works just like a regular command-line shell. We can even use commands such as ls, clear, history or ping. It also has auto-complete.

One important thing to understand is that msfconsole is managed by context: all parameter settings are lost if you change the module you are using. For example, once we run use exploit/windows/smb/ms17_010_eternalblue, the command-line prompt changes from msf6 > to msf6 exploit(windows/smb/ms17_010_eternalblue) >.

Metasploit Eternalblue

Now, we have a context set in which we will work. We can see it by typing the show options command:

Metasploit show options

This will print options related to the exploit we have chosen earlier. Depending on the exploit we have chosen, we will have different options. For example, let’s use show options while using a different exploit:

Metasploit show options

We can also leave the current module with back:

Back command

We can gather more information with the info command:

Info command

Search

One of the most useful commands in msfconsole is search. This command searches the Metasploit Framework database for modules relevant to the search parameter.

Search command

This provides a list of modules that we can use, along with columns containing information such as Name, Date, Rank, Description, etc. We can load one module with use <NUMBER>.

Exploits are rated based on their reliability (the Rank column):

Exploit Ranking
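To make the search output and the Rank column concrete, here is an added example (not code from the page or from Metasploit itself) that parses a constructed listing in the shape of a msfconsole search table and filters the rows by minimum reliability rank. The sample rows are constructed for this example; the column layout and rank names are assumed from msfconsole's table format.

```python
import re

# Constructed sample in the shape of msfconsole's `search` table (not output
# captured from the tool); columns are the ones the page names, plus Check.
SAMPLE_SEARCH_OUTPUT = """\
Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
"""

# Metasploit's reliability ranks, best first (the Rank column the page describes).
RANK_ORDER = ["excellent", "great", "good", "normal", "average", "low", "manual"]

# One table row: index, module name, optional disclosure date, rank, check flag, description.
ROW_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<name>\S+)\s+(?P<date>\d{4}-\d{2}-\d{2})?\s+"
    r"(?P<rank>excellent|great|good|normal|average|low|manual)\s+"
    r"(?P<check>Yes|No)\s+(?P<desc>.*?)\s*$"
)


def parse_search(text):
    """Turn the table rows of a `search` listing into dicts; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()   # "date" is None when the column is empty
            row["idx"] = int(row["idx"])
            rows.append(row)
    return rows


def by_rank(rows, min_rank="normal"):
    """Keep rows whose Rank is at least min_rank, best-ranked first."""
    cutoff = RANK_ORDER.index(min_rank)
    kept = [r for r in rows if RANK_ORDER.index(r["rank"]) <= cutoff]
    return sorted(kept, key=lambda r: RANK_ORDER.index(r["rank"]))


if __name__ == "__main__":
    for r in by_rank(parse_search(SAMPLE_SEARCH_OUTPUT), "average"):
        print(r["idx"], r["rank"], r["name"])
```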

Working with modules

Once we have loaded one module with the use command, we need to set parameters, based on the module we will use. We can set them with set <PARAMETER_NAME> <VALUE>.

Metasploit show options

Let’s use this as an example. The RHOSTS, RPORT, VERIFY_ARCH and VERIFY_TARGET options are required. Often, as with the last three, they are pre-populated, but we at least need to set the RHOSTS value.

Set command

Notice that RHOSTS now has a value.

Even if every exploit has different options, we can often see common parameters such as:

  • RHOSTS: Remote HOST, the IP address of the target system.
  • RPORT: Remote PORT, the port on the target system.
  • PAYLOAD: The payload we will use with the exploit.
  • LHOST: Local HOST, the attacking machine.
  • LPORT: Local PORT, the port we will use for reverse shells on the attacking machine.
  • SESSION: Each connection created to the target system using Metasploit will have its own Session ID. We can use this with post-exploitation modules that will connect to the target system using an existing connection.

We can reset all the values (with the exception of the ones with a default) with the unset all command:

Unset command

We can set values globally with setg <PARAMETER_NAME> <VALUE>. Notice the g (global) after set.

Setg command
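The context rules described above (set values are lost when switching modules, setg values persist, unset all falls back to module defaults) are easy to get wrong, so here is an added example, written for this post and not Metasploit's own code, that models them as a small lookup order: module-level set, then global setg, then the module's default. The module names are real module paths from the page's topic, but their option lists here are constructed and simplified.

```python
# Constructed, simplified option definitions: module -> {option: (required, default)}.
# Real modules expose more options; only the ones the page discusses are modelled.
MODULE_OPTIONS = {
    "exploit/windows/smb/ms17_010_eternalblue": {
        "RHOSTS": (True, None),
        "RPORT": (True, 445),
        "VERIFY_ARCH": (True, True),
        "VERIFY_TARGET": (True, True),
    },
    "auxiliary/scanner/smb/smb_ms17_010": {
        "RHOSTS": (True, None),
        "RPORT": (True, 445),
        "THREADS": (True, 1),
    },
}


class Console:
    """Model of msfconsole's per-module context and its option datastore."""

    def __init__(self):
        self.module = None
        self.local = {}    # values from `set`; discarded when the module changes
        self.globals = {}  # values from `setg`; kept across modules

    def use(self, name):
        # Switching module throws away every `set` value (context is per module).
        self.module = name
        self.local = {}

    def set(self, key, value):
        self.local[key] = value

    def setg(self, key, value):
        self.globals[key] = value

    def unset_all(self):
        # `unset all` clears the module's own values; defaults still apply.
        self.local = {}

    def get(self, key):
        # Lookup order assumed by this model: set > setg > module default.
        if key in self.local:
            return self.local[key]
        if key in self.globals:
            return self.globals[key]
        return MODULE_OPTIONS[self.module][key][1]

    def missing_required(self):
        """Required options that `show options` would still show as empty."""
        opts = MODULE_OPTIONS[self.module]
        return sorted(k for k, (req, _) in opts.items() if req and self.get(k) is None)
```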

Using modules

Once we have set all the needed values, we can launch the module using the exploit command or run.

Some modules support the check command that will check if the target is vulnerable without running the whole exploit.

Check command

Sessions

Once a vulnerability has been exploited, a session will be created. This is a communication channel established between the target and Metasploit. We can use the background command to background the session and go back to the msfconsole prompt. List all the existing sessions with sessions. To interact with any session, use the sessions -i <NUMBER> command.

Here is how we can go back and forth with sessions:

Summary

Metasploit is a powerful tool that can help us during the exploitation process. This process has three steps:

  • Finding the exploit.
  • Customizing the exploit.
  • Exploiting the vulnerable service.

Metasploit, as we just saw, provides many modules that we can use for each step of the exploitation process.

Stats

From 78,514th to 77,283rd.

Here is also the Skill Matrix:

Skills Matrix

Resources

Path: Jr Penetration tester

Metasploit

TryHackMe: Metasploit: Introduction

Other resources

Nessus
OWASP Framework top 10 vulnerabilities
Rapid7
Vulnerability Databases
RCE
What the shell?
Staged payloads
Msfconsole cheat sheet
Exploit Ranking