How Can We Help?
Using Metasploit for System Penetration Testing and Security Hardening
The Metasploit Framework is the foundation on which commercial add-on products for Metasploit Pro are built.
It is an open source project that provides the infrastructure, content, and tools for performing system penetration tests and security auditing.
A quick overview of the basics:
Modules
A Metasploit module is a standalone piece of code that extends the functionality of the Metasploit Framework system.
A module can be an:
Exploit
Auxiliary
Payload
No operation payload (NOP)
Post-exploitation module
Encoder
For example, an exploit uses a payload to deliver code for running on another machine. The payload can open a shell or a Meterpreter session to run an exploitation module.
The encoder ensures the payload is delivered and the “no operation payload” or NOP ensures the payload size is kept consistent.
Metasploit comes pre-installed on Kali Linux. There are also pre-installed ready-to-use virtual machines with Kali Linux and Metasploit Framework available for download.
To install Metasploit on Ubuntu
First install Oracle Java 8
add the Oracle Java Package source:
sudo add-apt-repository -y ppa:webupd8team/java
sudo apt-get update
sudo apt-get -y install oracle-java8-installer
Then install dependencies that are needed by Metasploit Framework:
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install build-essential libreadline-dev libssl-dev libpq5 libpq-dev libreadline5 libsqlite3-dev libpcap-dev git-core autoconf postgresql pgadmin3 curl zlib1g-dev libxml2-dev libxslt1-dev libyaml-dev curl zlib1g-dev gawk bison libffi-dev libgdbm-dev libncurses5-dev libtool sqlite3 libgmp-dev gnupg2 dirmngr
How to Start mfsconsole
then you can start the msfconsole. This is the primary user interface to Metasploit Framework.
IMPORTANT! Please run msfdb as a non-root user!
Do not run as root!
root@asus:~#
root@asus:~#
root@asus:~# msfconsole
. .
.
dBBBBBBb dBBBP dBBBBBBP dBBBBBb . o
‘ dB’ BBP
dB’dB’dB’ dBBP dBP dBP BB
dB’dB’dB’ dBP dBP dBP BB
dB’dB’dB’ dBBBBP dBP dBBBBBBB
dBBBBBP dBBBBBb dBP dBBBBP dBP dBBBBBBP
. . dB’ dBP dB’.BP
| dBP dBBBB’ dBP dB’.BP dBP dBP
–o– dBP dBP dBP dB’.BP dBP dBP
| dBBBBP dBP dBBBBP dBBBBP dBP dBP
.
.
o To boldly go where no
shell has gone before
=[ metasploit v6.1.35-dev ]
+ — –=[ 2209 exploits – 1171 auxiliary – 395 post ]
+ — –=[ 615 payloads – 45 encoders – 11 nops ]
+ — –=[ 9 evasion ]
Metasploit tip: You can use help to view all
available commands
msf6 >
msf6 >
Set Up a Database for Metasploit
The first essential task is to set up a database for Metasploit:
Most of the database creation is now handled by the Metasploit installation routine.
After you’ve set up the database, you need to connect to it.
You will need to manually connect to the database each time you launch msfconsole.
So once you have completed the installation of Metasploit, start msfconsole and then run the following command in the console:
msf6 >
msf6 >
msfdb init
msf6 > msfdb init
[*] exec:
[?] Would you like to init the webservice? (Not Required) [no]: Clearing http web data service credentials in msfconsole
Running the ‘init’ command for the database:
Existing database found, attempting to start it
Starting database at /home/kevin/.msf4/db…success
msf6 >
msf6 >
and then you can connect with
db_connect msfdb
db_connect msfdb
[*] Connected to Postgres data service: /msfdb
msf6 >
You can then assemble commands and run exploits using msfconsole.
Remember that each time you restart msfconsole you first need to run the two commands:
msfdb init
db_connect msfdb
msf6 > msfdb init
[*] exec: msfdb init
[?] Would you like to init the webservice? (Not Required) [no]:
Clearing http web data service credentials in msfconsole
Running the ‘init’ command for the database:
Existing database running
msf6 > db_connect msfdb
[*] Connected to Postgres data service: /msfdb
msf6 >
to verify that you are connected to the database you can run this command at any time:
msf6 > db_status
[*] Connected to msfdb. Connection type: postgresql. Connection name: local_db_service.
msf6 >
msfconsole Command Overview
msf6 > help Core Commands ============= Command Description ------- ----------- ? Help menu banner Display an awesome metasploit banner cd Change the current working directory color Toggle color connect Communicate with a host debug Display information useful for debugging exit Exit the console features Display the list of not yet released features that can be opted in to get Gets the value of a context-specific variable getg Gets the value of a global variable grep Grep the output of another command help Help menu history Show command history load Load a framework plugin quit Exit the console repeat Repeat a list of commands route Route traffic through a session save Saves the active datastores sessions Dump session listings and display information about sessions set Sets a context-specific variable to a value setg Sets a global variable to a value sleep Do nothing for the specified number of seconds spool Write console output into a file as well the screen threads View and manipulate background threads tips Show a list of useful productivity tips unload Unload a framework plugin unset Unsets one or more context-specific variables unsetg Unsets one or more global variables version Show the framework and console library version numbers Module Commands =============== Command Description ------- ----------- advanced Displays advanced options for one or more modules back Move back from the current context clearm Clear the module stack favorite Add module(s) to the list of favorite modules info Displays information about one or more modules listm List the module stack loadpath Searches for and loads modules from a path options Displays global options or for one or more modules popm Pops the latest module off the stack and makes it active previous Sets the previously loaded module as the current module pushm Pushes the active or list of modules onto the module stack reload_all Reloads all modules from all defined module paths search Searches module names and descriptions show Displays modules of a given type, or all modules use Interact with a module by name or search term/index Job Commands ============ Command Description ------- ----------- handler Start a payload handler as job jobs Displays and manages jobs kill Kill a job rename_job Rename a job Resource Script Commands ======================== Command Description ------- ----------- makerc Save commands entered since start to a file resource Run the commands stored in a file Database Backend Commands ========================= Command Description ------- ----------- analyze Analyze database information about a specific address or address range db_connect Connect to an existing data service db_disconnect Disconnect from the current data service db_export Export a file containing the contents of the database db_import Import a scan result file (filetype will be auto-detected) db_nmap Executes nmap and records the output automatically db_rebuild_cache Rebuilds the database-stored module cache (deprecated) db_remove Remove the saved data service entry db_save Save the current data service connection as the default to reconnect on startup db_status Show the current data service status hosts List all hosts in the database loot List all loot in the database notes List all notes in the database services List all services in the database vulns List all vulnerabilities in the database workspace Switch between database workspaces Credentials Backend Commands ============================ Command Description ------- ----------- creds List all credentials in the database Developer Commands ================== Command Description ------- ----------- edit Edit the current module or a file with the preferred editor irb Open an interactive Ruby shell in the current context log Display framework.log paged to the end if possible pry Open the Pry debugger on the current module or Framework reload_lib Reload Ruby library files from specified paths time Time how long it takes to run a particular command msfconsole ========== `msfconsole` is the primary interface to Metasploit Framework. There is quite a lot that needs go here, please be patient and keep an eye on this space! Building ranges and lists ------------------------- Many commands and options that take a list of things can use ranges to avoid having to manually list each desired thing. All ranges are inclusive. ### Ranges of IDs Commands that take a list of IDs can use ranges to help. Individual IDs must be separated by a `,` (no space allowed) and ranges can be expressed with either `-` or `..`. ### Ranges of IPs There are several ways to specify ranges of IP addresses that can be mixed together. The first way is a list of IPs separated by just a ` ` (ASCII space), with an optional `,`. The next way is two complete IP addresses in the form of `BEGINNING_ADDRESS-END_ADDRESS` like `127.0.1.44-127.0.2.33`. CIDR specifications may also be used, however the whole address must be given to Metasploit like `127.0.0.0/8` and not `127/8`, contrary to the RFC. Additionally, a netmask can be used in conjunction with a domain name to dynamically resolve which block to target. All these methods work for both IPv4 and IPv6 addresses. IPv4 addresses can also be specified with special octet ranges from the [NMAP target specification](https://nmap.org/book/man-target-specification.html) ### Examples Terminate the first sessions: sessions -k 1 Stop some extra running jobs: jobs -k 2-6,7,8,11..15 Check a set of IP addresses: check 127.168.0.0/16, 127.0.0-2.1-4,15 127.0.0.255 Target a set of IPv6 hosts: set RHOSTS fe80::3990:0000/110, ::1-::f0f0 Target a block from a resolved domain name: set RHOSTS www.example.test/24 msf6 >