How to use the Metasploit Framework: features, instructions for use

Anonim

Metasploit Framework (MSF) is a free, open-source penetration testing platform maintained by Rapid7. Its uses range from hardening systems against intrusion to verifying which vulnerabilities pose a real threat. Because it ships ready-made exploit modules, users do not have to write each exploit from scratch, which saves time and effort.

The framework combines shellcode, fuzzing tools, payloads and encoders in a single platform and runs on Linux, Windows and OS X. Its main purpose is to test an organization's defenses by staging controlled attacks against its own systems, a "break it in order to protect it" approach. Metasploit offers a wide range of tools and utilities for such tests against all major operating systems, including Android and iOS.

History of the project

Metasploit was originally conceived and designed by HD Moore, a network security expert, open-source programmer and hacker. He became the lead developer of MSF, a penetration testing software package, and the founder of the Metasploit Project.

Moore was chief scientist at the Boston, Massachusetts-based security firm Rapid7, a provider of data protection and analytics software and cloud solutions. He released the first edition of the Perl-based MSF in October 2003 with a total of 11 exploits and remained the chief architect of the Metasploit Framework until he left. He announced his departure from Rapid7 in 2016, moving to a venture capital firm.

Many contributors have shaped the development of MSF. The largest influx of contributions came in 2006, after which the module base was expanded with more than 150 exploits. Version 3 then brought major changes: the framework was rewritten in Ruby, became cross-platform and gained a distinctive property, namely that new versions and modules could be loaded and added easily. In 2009 Rapid7 acquired the entire project and still owns it. The basic architecture of Metasploit has not changed since, and the framework has remained free.

Useful Metasploit terminology

Work with Metasploit begins once the program is installed. The installer is intuitive and sets up the file system layout and libraries for you. Metasploit is built on a scripting language, so it ships a folder of Meterpreter scripts and the other scripts the platform needs. MSF is available both with a GUI and as a command-line version.

General terms:

  1. Vulnerability - a weakness in the target system through which a successful penetration can occur.
  2. Exploit - once a vulnerability is known, an attacker uses an exploit to take advantage of it and get code running on the system.
  3. Payload - a set of tasks initiated by an attacker after an exploit succeeds, in order to maintain access to the compromised system.
  4. Single - a self-contained payload that performs a specific task.
  5. Stager - facilitates delivery of the payload's functionality and sets up a network connection between the attacker's and the victim's computers. The payload stage, such as VNC or Meterpreter, is then loaded over that connection.

There are other network and system commands that you need to learn in order to successfully work with the software. Capturing keystrokes is easily done using the "stdapi" user interface command set. keyscan_start starts the service, and keyscan_dump shows captured keystrokes.

Metasploit GUIs

A new GUI for Metasploit was added to the SVN repository by ScriptJunkie. The first version was built with both functionality and durability in mind. The new GUI is multi-platform and based on Java. The NetBeans project lives in the external/source/gui/msfguijava/ directory for anyone with Java and user interface skills who wishes to contribute. The GUI is started by calling the "msfgui" script in the MSF base directory.

Metasploit comes in various interfaces:

  1. Msfconsole - an interactive shell for performing multi-user tasks.
  2. Msfcli - calls MSF functions from the terminal/cmd without changing it.
  3. Msfgui - the graphical interface.
  4. Armitage - another graphical tool written in Java for managing MSF penetration tests.
  5. The Metasploit Community web interface provided by Rapid7 is a framework that allows for easy testing.
  6. Cobalt Strike - another GUI with some extra features for post-exploitation and reporting.

Modules: Exploit, Auxiliary, Encoders

An exploit is the technique by which an attacker takes advantage of a vulnerability in a system, service or application; in Metasploit it is always paired with a payload. The payload is the piece of code that is executed on the live system once the exploit succeeds. When the exploit runs, the platform delivers the payload through the vulnerability and launches it on the target system. This is how an attacker gets inside the system or retrieves data from the compromised host.

Auxiliary - auxiliary modules provide additional functionality such as fuzzing, scanning, reconnaissance, denial-of-service and more. An auxiliary banner or operating-system scan does not perform a DoS attack on the target. Unlike an exploit, an auxiliary module delivers no payload, so it cannot by itself give access to the system.

Encoders - encoders are used to mask the payload so that it avoids detection by protection mechanisms such as antivirus or firewalls; they are widely used when creating a backdoor.

Shellcode and Listener instructions

Shellcode - a set of machine instructions, typically written in assembler, used as the payload during exploitation. In most cases a command shell or Meterpreter shell is returned after the target machine has executed this sequence of instructions.

A Listener is the component that waits for connections from a payload running on a compromised system. Post modules, as the name implies, are used for post-exploitation: once a system is compromised, they are used to dig deeper into it or to turn it into a pivot for reaching other systems.

Nop - No Operation, an instruction familiar from x86 processors and closely associated with shellcode. A run of NOPs keeps the program from crashing when a jump in the shellcode lands at an imprecise address: if control arrives anywhere within the run of NOPs, the processor slides through them until it reaches the start of the payload, so the payload does not fail. This is an advanced concept, and a developer should understand shellcode before relying on the "nops" modules in Metasploit.

Metasploit Guidelines

Much of Metasploit's support comes from the open-source community in the form of modules. Contributed modules must pass msftidy.rb and follow the Contributing.md guidelines, both of which are distributed with MSF.

Modules should have a clear and obvious purpose: exploits lead to a shell, post modules to privilege escalation, and auxiliary modules fall into the "everything else" category, but even these are limited to one well-defined task, such as gathering information. A module should not launch other modules, given the complexity of configuring multiple payloads; such chaining belongs in front-end automation set up before Metasploit is run.

Denial-of-service modules should be asymmetric and have at least some interesting feature. If a module is comparable to a SYN flood, it should not be included; if it is comparable to BailiWicked, it should be. Modules such as slowloris are included with some rationale.

Windows client exploits

Windows assigns each user a unique SID (Security Identifier). Each thread has an associated primary token containing information such as its privileges and group memberships. Using an impersonation token, a process or thread can temporarily assume the identity of another user; when the impersonated operation is finished, the thread reverts to its primary token.

Token attack patterns:

  1. Local privilege escalation. If a low-privileged process runs on a system where an administrator has authenticated, an impersonation token for that administrator may be present. An attacker who compromises the process with an exploit can obtain the impersonation token and, with it, administrator rights.
  2. Domain privilege escalation. Here the attacker moves to other machines on the network using an impersonation token.

This is done with the incognito extension in the Meterpreter console. Commands such as list_tokens, steal_token and impersonate_token perform these operations. If the target is behind a firewall or NAT, the attacker must get the victim to follow a link that connects back to the attacker's machine, the Metasploit instance, because the target cannot be reached directly.

Client and server on the same machine

You can use the Russian version of Metasploit for Windows to run all of the tests on a single machine. The MSF installer requires administrator rights on Windows and installs by default into the c:\metasploit folder. Antivirus software on the machine will raise warnings when MSF is installed, so the appropriate exclusions need to be configured.

Builds on Windows are slower than on Linux. Meterpreter payloads are produced with msfvenom (c:\metasploit\msfvenom.bat), which creates 32-bit and 64-bit executables that carry the payload.

List of commands:

  • "msfvenom.bat --help" will show options;
  • "msfvenom.bat --list payloads" will show the payloads;
  • "msfvenom.bat --help-format" will show all output formats.

Executable formats generate programs and scripts, while transform formats simply emit the raw payload. Use "msfvenom.bat" to create 32-bit and 64-bit executables with the "meterpreter_reverse_http" payload. If platform and architecture are not specified, "msfvenom" selects them based on the payload.


With the MSF handler waiting for a connection, run "meterpreter-64.exe" with administrator rights. Once launched, meterpreter-64.exe connects back to the handler and waits for instructions.

Security testing tool

MSF is a software platform for developing, testing and executing exploits. It can be used to build security tools and modules, and also as a penetration testing system for Android.


Commands required to execute:

  1. Create an APK and run the multi/handler exploit module.
  2. Open the Kali Linux OS in Oracle VM VirtualBox. Default login: root/toor.
  3. Log in to the Kali Linux virtual machine with the default credentials.
  4. Check the IP address of the Kali machine. Enter the command: ifconfig.
  5. Open a terminal in Kali Linux and write down the IP address of the system.
  6. Open MSF from the terminal: msfconsole.
  7. Run the command: msf > use exploit/multi/handler.
  8. Set LHOST and LPORT with the "set" command.
  9. Start the listener. Command: msf > exploit.

In Metasploit, the "use" command selects a specific framework module. Here the "multi/handler" exploit module is needed; it is a generic listener for an incoming connection. The "search" command in "msfconsole" searches modules by keyword; use it to find the Android Meterpreter payload.

Alongside "use" and "search", "set" is the MSF command used to assign the payload and option values of the selected exploit, and "show options" displays the inputs that can be set.

Installing the Android App

Termux is an Android application that provides a Linux environment in which Metasploit can run.

To install the software, do the following:

  1. Install Termux from the Google Play Store.
  2. Enter the "apt update" command.
  3. Enter the "apt install curl" command.
  4. Enter "cd $HOME".
  5. After the download of the above file is completed, enter "ls"; the ".sh" file will be listed.
  6. Enter the command "chmod +x metasploitTechzindia.sh".
  7. Run the script with a command like "sh metasploitTechzindia.sh".
  8. Enter "ls".
  9. Find the "Metasploit-framework" folder.
  10. Open the folder: "cd yourfoldername".
  11. Enter the "ls" command.
  12. Enter "./msfconsole" to start MSF.

MSF Web Interface Overview

The browser-based web interface contains a workspace used to set up projects and carry out pentesting tasks, and provides navigation menus for reaching the module configuration pages. The user interface works in the following browsers.


It is used to run a discovery scan, launch an exploit against a target, generate a report, configure system settings and perform administrative tasks. Each task has its own configuration page that shows all of its options and settings. The interface presents required input fields, checkboxes that can be enabled or disabled depending on the test requirements, and drop-down menus.

The overview page shows statistical information for the project, such as the number of hosts and services discovered, as well as the number of sessions and credentials obtained. The project will not display statistics or a dashboard until a target is scanned or host data is imported, at which point a dashboard is displayed that provides a high-level graphical breakdown of the data stored in the project and a log of recent events.

Antivirus Bypass

Of interest to penetration testers: some antivirus solutions are not configured by default to scan MSI files, or the TMP files generated when an MSI file is executed. "msfconsole" can be used to create an MSI file that executes an MSF payload.

You can also generate an MSI file with the msfvenom Ruby script that ships with Metasploit: msfvenom -p windows/adduser USER=Attacker PASS=Attacker123! -f msi > evil.msi

Copy the "evil.msi" file to the target system and run the MSI install from the command line to execute the Metasploit payload. From a penetration test perspective, using the "/quiet" option is handy because it suppresses messages that would normally be displayed to the user.

Check the antivirus logs to see whether the payload was identified. You can also verify that the payload ran by querying for the "Attacker" user; if the account is returned, the payload succeeded.
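From the defender's side, the trace this test leaves is a Windows Installer completion followed almost immediately by a new local account. The following added example (not from the article or from Metasploit) correlates those two event types over constructed log records; the record shape, the 60-second window and the sample timestamps are this example's own assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records in the shape of Windows Event Log entries
# (field names are this example's own, not a real exporter's schema).
# Application/MsiInstaller 11707 = install completed; Security 4720 = account created.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00", "provider": "MsiInstaller", "id": 11707,
     "message": "Product: Evil -- Installation operation completed successfully."},
    {"time": "2024-05-01T10:00:04", "provider": "Microsoft-Windows-Security-Auditing", "id": 4720,
     "message": "A user account was created.\r\nTarget Account Name: Attacker"},
    {"time": "2024-05-01T12:30:00", "provider": "Microsoft-Windows-Security-Auditing", "id": 4720,
     "message": "A user account was created.\r\nTarget Account Name: helpdesk"},
]

ACCOUNT_RE = re.compile(r"Target Account Name:\s*(\S+)")


def _ts(event):
    return datetime.fromisoformat(event["time"])


def correlate_msi_adduser(events, window_seconds=60):
    """Return (account, install_time, create_time) for every account created
    within `window_seconds` after an MsiInstaller completion event.

    Account creation alone is routine; the MSI-then-adduser sequence is the
    pattern an MSI carrying the windows/adduser payload leaves behind."""
    installs = sorted(_ts(e) for e in events
                      if e["provider"] == "MsiInstaller" and e["id"] == 11707)
    window = timedelta(seconds=window_seconds)
    hits = []
    for e in events:
        if e["id"] != 4720 or e["provider"] != "Microsoft-Windows-Security-Auditing":
            continue
        m = ACCOUNT_RE.search(e["message"])
        if not m:
            continue
        created = _ts(e)
        # Keep the most recent install whose window still covers the creation time.
        prior = [t for t in installs if t <= created <= t + window]
        if prior:
            hits.append((m.group(1), prior[-1].isoformat(), created.isoformat()))
    return hits


if __name__ == "__main__":
    for account, installed, created in correlate_msi_adduser(SAMPLE_EVENTS):
        print(f"ALERT: account {account!r} created at {created}, MSI install completed at {installed}")
```

On the constructed input only the "Attacker" account is flagged; "helpdesk", created hours after the install, is not.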

Vulnerability testing

A vulnerability scanner is similar to other types of scanner, such as port scanners, and helps protect a network and the systems on it. The purpose of such checks is to identify weaknesses and use the results to fix problems before attackers find them. Issues commonly found during scanning include buffer overflows, non-proprietary software, Structured Query Language (SQL) issues and others. How much a scanner detects depends on the product itself: some scan far more aggressively, finding missing patches or configuration errors, while others simply point the user in the right direction.

Metasploit goes beyond a conventional vulnerability scanner: it lets you develop your own exploits and delivery mechanisms. Where other methods are limited to known problems, MSF lets you build your own, which gives more flexibility in both scanning and research.

To run the scanner function, follow the Metasploit usage instructions:

  1. Choose and configure the exploit to use. It targets the system in order to take advantage of a software defect. The pool of exploits depends on the operating system and its version and grows constantly; MSF currently contains over 400 exploits for most modern operating systems.
  2. Test the exploit against the system to see whether the system is vulnerable to it.
  3. Select and configure the payload, the code that runs once the exploit has found its entry point.
  4. Select and configure the encoding and delivery method. The purpose of this step is to format the payload so that it can bypass established intrusion detection systems (IDS).
  5. Execute the exploit.

So MSF offers a great deal of security information. It is not just a collection of exploits but a complete network security framework, and there is currently no shortage of tooling in it. Metasploit's advanced capabilities let administrators scan a wide range of network devices and report any vulnerabilities or security misconfigurations found.
