Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Metasploit Bootcamp

You're reading from   Metasploit Bootcamp The fastest way to learn Metasploit

Arrow left icon
Product type Paperback
Published in May 2017
Publisher
ISBN-13 9781788297134
Length 230 pages
Edition 1st Edition
Arrow right icon
Author (1):
Arrow left icon
Nipun Jaswal Nipun Jaswal
Author Profile Icon Nipun Jaswal
Nipun Jaswal
Arrow right icon
View More author details
Toc

Table of Contents (8) Chapters Close

Preface 1. Getting Started with Metasploit FREE CHAPTER 2. Identifying and Scanning Targets 3. Exploitation and Gaining Access 4. Post-Exploitation with Metasploit 5. Testing Services with Metasploit 6. Fast-Paced Exploitation with Metasploit 7. Exploiting Real-World Challenges with Metasploit

The fundamentals of Metasploit

Now that we have completed the setup of Kali Linux, let us talk about the big picture: Metasploit. Metasploit is a security project that provides exploits and tons of reconnaissance features to aid a penetration tester. Metasploit was created by H.D. Moore back in 2003, and since then, its rapid development has led it to be recognized as one of the most popular penetration testing tools. Metasploit is entirely a Ruby-driven project and offers a great deal of exploits, payloads, encoding techniques, and loads of post-exploitation features.

Metasploit comes in various editions, as follows:

  • Metasploit Pro: This edition is a commercial edition, offers tons of great features such as web application scanning and exploitation and automated exploitation, and is quite suitable for professional penetration testers and IT security teams. The Pro edition is used for advanced penetration tests and enterprise security programs.
  • Metasploit Express: This is used for baseline penetration tests. Features in this version of Metasploit include smart exploitation, automated brute forcing of the credentials, and much more. This version is quite suitable for IT security teams in small to medium-sized companies.
  • Metasploit Community: This is a free version with reduced functionality when compared to the Express edition. However, for students and small businesses, this edition is a favorable choice.
  • Metasploit Framework: This is a command-line version with all manual tasks such as manual exploitation, third-party import, and so on. This release is entirely suitable for developers and security researchers.
You can download Metasploit from the following link:
https://www.rapid7.com/products/metasploit/download/editions/

Throughout this book, we will be using the Metasploit Community and Framework versions. Metasploit also offers various types of user interfaces, as follows:

  • The graphical user interface (GUI) interface: This has all the options available at the click of a button. This interface offers a user-friendly interface that helps to provide cleaner vulnerability management.
  • The console interface: This is the most preferred interface and the most popular one as well. This interface provides an all-in-one approach to all the options offered by Metasploit. This interface is also considered one of the most stable interfaces. Throughout this book, we will be using the console interface the most.
  • The command-line interface: This is the more potent interface that supports the launching of exploits to activities such as payload generation. However, remembering each and every command while using the command-line interface is a difficult job.
  • Armitage: Armitage by Raphael Mudge added a neat hacker-style GUI interface to Metasploit. Armitage offers easy vulnerability management, built-in NMAP scans, exploit recommendations, and the ability to automate features using the Cortana scripting language. An entire chapter is dedicated to Armitage and Cortana in the latter half of this book.
For more information on the Metasploit community, refer to https://community.rapid7.com/community/metasploit/blog.

Basics of Metasploit Framework

Before we put our hands onto the Metasploit Framework, let us understand the basic terminology used in Metasploit. However, the following modules are not just terminologies, but modules that are the heart and soul of the Metasploit project:

  • Exploit: This is a piece of code which, when executed, will trigger the vulnerability at the target.
  • Payload: This is a piece of code that runs at the target after a successful exploitation is done. It defines the type of access and actions we need to gain on the target system.
  • Auxiliary: These are modules that provide additional functionalities such as scanning, fuzzing, sniffing, and much more.
  • Encoder: These are used to obfuscate modules to avoid detection by a protection mechanism such as an antivirus or a firewall.
  • Meterpreter: This is a payload that uses in-memory stagers based on DLL injections. It provides a variety of functions to perform at the target, which makes it a popular choice.

Architecture of Metasploit

Metasploit comprises various components, such as extensive libraries, modules, plugins, and tools. A diagrammatic view of the structure of Metasploit is as follows:

Let's see what these components are and how they work. It is best to start with the libraries that act as the heart of Metasploit.

Let's understand the use of various libraries, as explained in the following table:

Library name

Uses

REX

Handles almost all core functions, such as setting up sockets, connections, formatting, and all other raw functions.

MSF CORE

Provides the underlying API and the actual core that describes the framework.

MSF BASE

Provides friendly API support to modules.

We have many types of modules in Metasploit, and they differ regarding their functionality. We have payload modules for creating access channels to exploited systems. We have auxiliary modules to carry out operations such as information gathering, fingerprinting, fuzzing an application, and logging into various services. Let's examine the basic functionality of these modules, as shown in the following table:

Module type

Working

Payloads

Payloads are used to carry out operations such as connecting to or from the target system after exploitation or performing a particular task such as installing a service and so on.

Payload execution is the next step after the system is exploited successfully.

The widely used meterpreter shell is a standard Metasploit payload.

Auxiliary

Auxiliary modules are a special kind of module that performs specific tasks such as information gathering, database fingerprinting, scanning the network to find a particular service and enumeration, and so on.

Encoders

Encoders are used to encode payloads and the attack vectors to (or intending to) evade detection by antivirus solutions or firewalls.

NOPs

NOP generators are used for alignment which results in making exploits stable.

Exploits

The actual code that triggers a vulnerability.

Metasploit Framework console and commands

Gathering knowledge of the architecture of Metasploit, let us now run Metasploit to get hands-on knowledge of the commands and different modules. To start Metasploit, we first need to establish a database connection so that everything we do can be logged into the database. However, usage of databases also speeds up Metasploit's load time by making use of caches and indexes for all modules. Therefore, let us start the postgresql service by typing in the following command at the Terminal:

root@beast:~# service postgresql start

Now, to initialize Metasploit's database, let us initialize msfdb as shown in the following screenshot:

It is clearly visible in the preceding screenshot that we have successfully created the initial database schema for Metasploit. Let us now start the Metasploit database using the following command:

root@beast:~# msfdb start

We are now ready to launch Metasploit. Let us issue msfconsole in the Terminal to start Metasploit, as shown in the following screenshot:

Welcome to the Metasploit console. Let us run the help command to see what other commands are available to us:

The commands in the preceding screenshot are core Metasploit commands which are used to set/get variables, load plugins, route traffic, unset variables, print version, find the history of commands issued, and much more. These commands are pretty general. Let's see the module-based commands, as follows:

Everything related to a particular module in Metasploit comes under the module controls section of the Help menu. Using the preceding commands, we can select a particular module, load modules from a particular path, get information about a module, show core and advanced options related to a module, and even can edit a module inline. Let us learn some basic commands in Metasploit and familiarize ourselves with the syntax and semantics of these commands:

Command

Usage

Example

use [auxiliary/exploit/payload/encoder]

To select a particular module to start working with.

msf>use
exploit/unix/ftp/vsftpd_234_backdoor
msf>use auxiliary/scanner/portscan/tcp

show [exploits/payloads/encoder/auxiliary/options]

To see the list of available modules of a particular type.

msf>show payloads
msf> show options

set [options/payload]

To set a value to a particular object.

msf>set payload windows/meterpreter/reverse_tcp
msf>set LHOST 192.168.10.118
msf> set RHOST 192.168.10.112
msf> set LPORT 4444
msf> set RPORT 8080

setg [options/payload]

To assign a value to a particular object globally, so the values do not change when a module is switched on.

msf>setg RHOST   192.168.10.112       

run

To launch an auxiliary module after all the required options are set.

msf>run      

exploit

To launch an exploit.

msf>exploit      

back

To unselect a module and move back.

msf(ms08_067_netapi)>back
msf>

Info

To list the information related to a particular exploit/module/auxiliary.

msf>info exploit/windows/smb/ms08_067_netapi
msf(ms08_067_netapi)>info

Search

To find a particular module.

msf>search hfs

check

To check whether a particular target is vulnerable to the exploit or not.

msf>check

Sessions

To list the available sessions.

msf>sessions [session   number]

Meterpreter commands

Usage

Example

sysinfo

To list system information of the compromised host.

meterpreter>sysinfo    

ifconfig

To list the network interfaces on the compromised host.

meterpreter>ifconfig  
meterpreter>ipconfig (Windows)

Arp

List of IP and MAC addresses of hosts connected to the target.

meterpreter>arp

background

To send an active session to background.

meterpreter>background

shell

To drop a cmd shell on

the target.

meterpreter>shell     

getuid

To get the current user details.

meterpreter>getuid        

getsystem

To escalate privileges and gain system access.

meterpreter>getsystem       

getpid

To gain the process id of the meterpreter access.

meterpreter>getpid        

ps

To list all the processes running at the target.

meterpreter>ps
If you are using Metasploit for the very first time, refer to http://www.offensive-security.com/metasploit-unleashed/Msfconsole_Commands for more information on basic commands.

 

You have been reading a chapter from
Metasploit Bootcamp
Published in: May 2017
Publisher:
ISBN-13: 9781788297134
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image