Metasploit Framework is an open-source penetration testing and exploitation tool used for testing and evaluating the security of computer systems and networks. Developed by Rapid7, Metasploit is one of the most popular and widely used tools in the field of ethical hacking and cybersecurity. It provides a comprehensive and extensible framework for finding vulnerabilities, conducting penetration tests, and developing and executing exploits.
Key features and components of Metasploit Framework include:
- Exploits: Metasploit contains a vast collection of exploits that can be used to target known vulnerabilities in various software applications, operating systems, and network devices. These exploits are used to gain unauthorized access to target systems for testing and assessment purposes.
- Payloads: Payloads are code snippets or scripts that are delivered to a compromised system after a successful exploitation. These payloads can be used for tasks such as creating reverse shells, running arbitrary commands, or exfiltrating data from the target.
- Post-exploitation Modules: Metasploit includes a range of post-exploitation modules that allow testers to perform tasks on compromised systems, such as gathering information, escalating privileges, and maintaining access.
- Auxiliary Modules: These modules provide additional functionality, such as scanning, fingerprinting, and brute-force attacks. They are not directly involved in exploitation but assist in the overall penetration testing process.
- Meterpreter: Meterpreter is a powerful post-exploitation payload included with Metasploit. It provides a command shell with extensive capabilities for interacting with the compromised system, including file manipulation, privilege escalation, and network pivoting.
- Exploit Development: Metasploit Framework allows security professionals to develop and test their own exploits for new vulnerabilities.
- Resource Scripts: Users can create resource scripts to automate tasks and actions within Metasploit, simplifying the process of penetration testing.
{% embed url="https://www.offsec.com/metasploit-unleashed/" %}
| Term | Description |
|---|---|
| Interface | Methods of interacting with the Metasploit Framework (msfconsole, Metasploit cmd) |
| Module | Pieces of code that perform a particular task (an exploit) |
| Vulnerability | Exploitable flaw or weakness in a computer system or network |
| Exploit | Code/Module used to take advantage of a vulnerability |
| Payload | Piece of code delivered to the target by an exploit (execute arbitrary commands or provide remote access) |
| Listener | Utility that listens for an incoming connection from a target |
📌 Exploit is launched (takes advantage of the vulnerability) ➡️ Payload dropped (executes a reverse shell command) ➡️ Connects back to the Listener
🗒️ Metasploit Framework Console (MSFconsole) - an all in one interface that provides with access to all the functionality of the MSF.msfconsole🗒️ Metasploit Framework Command Line Interface (MSFcli) - a command line utility used to facilitate the creation of automation scripts that utilize Metasploit modules.
- Discontinued in 2015, MSFconsole can be used with the same functionality of redirecting output from other tools into
msfcliand vice versa.
🗒️ Metasploit Community Edition GUI - a web based GUI front-end of the MSF.🗒️ Armitage - a free Java based GUI front-end cyber attack management tool for the MSF.
- Visualizes targets and simplifies network discovery
- Recommends exploits
- Exposes the advanced capabilities of the MSF
Metasploit Framework Architecture - oreilly.com🗒️ A module is the piece of code that can be utilized and executed by the MSF.The MSF libraries (Rex, Core, Base) allow to extend and initiate functionality, facilitating the execution of modules without having to write additional code.
Modules
| MSF Module | Description |
|---|---|
| Exploit | Used to take advantage of a vulnerability, usually paired with a payload |
| Payload | Code delivered and remotely executed on the target after successful exploitation - e.g. a reverse shell that initiates a connection |
| Encoder | Used to encode payloads in order to avoid Anti Virus detection - e.g. shikata_ga_nai encoding scheme |
| NOPS | Keep the payload sizes consistent across exploit attempts and ensure the stability of a payload on the target system |
| Auxiliary | Is not paired with a payload, used to perform additional functionality - e.g. port scanners, fuzzers, sniffers, etc |
Payloads are created at runtime from various components. Depending on the target system and infrastructure, there are two types of payloads that can be used:
- Non-Staged Payload - sent to the target system as is, along with the exploit
- Staged Payload - sent to the target in two parts:
- the stager (first part) establish a stable communication channel between the attacker and target. It contains a payload, the stage, that initiates a reverse connection back to the attacker
- the stage (second part) is downloaded by the stager and executed
- executes arbitrary commands on the target
- provides a reverse shell or Meterpreter session
🗒️ The Meterpreter is an advanced multi-functional payload executed by in memory DLL injection stagers on the target system.
- Communicates over the stager socket
- Provides an interactive command interpreter on the target system
ls /usr/share/metasploit-framework
- MSF filesystem is intuitive and organized by directories.
- Modules are stored under:
/usr/share/metasploit-framework/modules/~/.msf4/modules- user specified modules
🗒️ PTES (Penetration Testing Execution Standard) is a methodology that contains 7 main sections, defined by the standard as a comprehensive basis for penetration testing execution.
- can be adopted as a roadmap for Metasploit integration and understanding of the phases of a penetration test.
The various phases involved in a typical pentest should be:📌 Pre-Engagement Interactions⬇️📌 Information Gathering⬇️📌 Enumeration
- Threat Modeling
- Vulnerability Analysis
⬇️📌 Exploitation
- Identify Vulnerable Services
- Prepare Exploit Code
- Gaining Access
- Bypass AV detection
- Pivoting
⬇️📌 Post Exploitation
- Privilege Escalation
- Maintaining Persistent Access
- Clearing Tracks
⬇️📌 Reporting
| Pentesting Phase | MSF Implementation |
|---|---|
| Information Gathering & Enumeration | Auxiliary Modules, nmap reports |
| Vulnerability Scanning | Auxiliary Modules, nessus reports |
| Exploitation | Exploit Modules & Payloads |
| Post Exploitation | Meterpreter |
| Privilege Escalation | Post Exploitation Modules, Meterpreter |
| Maintaining Persistent Access | Post Exploitation Modules, Persistence |
PTES - infopulse.com
Database
🗒️ The Metasploit Framework Database (msfdb) contains all the data used with MSF like assessments and scans data, etc.
- Uses PostgreSQL as the primary database -
postgresqlservice must be running - Facilitates the import and storage of scan results (from Nmap, Nessus, other tools)
- Use APT package manager on Kali Linux (or on Debian-based distros)
sudo apt update && sudo apt install metasploit-framework -y
- Enable
postgresqlat boot, start the service and initialize MSF database
sudo systemctl enable postgresqlsudo systemctl restart postgresqlsudo msfdb init
- Run
msfconsoleto start the Metasploit Framework Console
msfconsole
- Check the db connection is on in the
msfconsole
db_status
📌 Check this article by StationX ➡️ How to Use Metasploit in Kali Linux + Metasploitable3 which will cover:
- Deploying a Kali Linux virtual machine with Metasploit pre-installed
- Setting up a target in a virtual lab, Metasploitable3, with Vagrant
- A sample walkthrough against a vulnerable MySQL Server
- Frequently Asked Questions (FAQ)
🗒️ The Metasploit Framework Console (msfconsole) is an all-in-one interface and centralized console that allows access to all of the MSF options and features.
- It is launched by running the
msfconsolecommand
msfconsole
- Run it in quiet mode without the banner with
msfconsole -q
An MSF module requires additional information that can be configured through the use of MSF variables, both local or global variables, called options inside the msfconsole.Variables e.g. (they are based on the selected module):
LHOST- attacker's IP addressLPORT- attacker's port number (receive reverse connection)RHOST- target's IP addressRHOSTS- multiple targets/networks IP addressesRPORT- target port number
- Run
msfconsoleand check these useful commands:
helpversionshow -hshow allshow exploitssearch <STRING>use <MODULE_NAME>set <OPTION>runexecute # same as runsessionsconnect
search portscanuse auxiliary/scanner/portscan/tcpshow optionsset RHOSTS <TARGET_IP>set PORTS 1-1000run# CTRL+C to cancel the running processback
CVE Exploits Example
search cve:2017 type:exploit platform:windowssearch cve:2017 type:exploit platform:window
Payload Options Example
search eternalblueuse 0# specify the identifierset payload <PAYLOAD_NAME>set RHOSTS <TARGET_IP>run# orexploit
🗒️ Metasploit Workspaces allows to manage and organize the hosts, data, scans and activities stored in the msfdb.
- Import, manipulate, export data
- Create, manage, switch between workspaces
- Sort and organize the assessments of the penetration test
📌 It's recommended to create a new workspace for each engagement.
msfconsole -qdb_status[*] Connected to msf. Connection type: postgresql.workspace -hworkspace -hworkspace# current working workspace* default
- Create a new workspace
workspace -a Test
- Change workspace
workspace <WORKSPACE_NAME>workspace -a INE
- Delete a workspace
workspace -d Test