Metasploit is an open-source penetration testing framework developed by Rapid7 and packaged in a number of Linux distributions. I will be demonstrating the basics using Kali Linux. It provides tools for ethical hackers, security researchers and penetration testers to perform security assessments and test computer systems, networks and applications of various types for vulnerabilities. The framework is designed to automate various stages of the penetration testing process and offers a comprehensive set of tools for exploitation, post-exploitation and vulnerability assessment. It is perhaps the most well-known exploitation framework. Exploitation simply means that it is able to use some code to take advantage of vulnerabilities in a system. These vulnerabilities can result from the version of the software, the system configuration and so on. Some of the key things about Metasploit include the following:
In this tutorial, I will show how to use the msfconsole to find exploits, select them, set options, targets and run exploits.
On the command line, run the command below to start the console
msfconsole
This will load Metasploit as shown in the figure. There are several things you can do; to get some help, simply type help to see the options that are available.
You can search for auxiliary modules, exploits or payloads. Exploits are meant to execute against vulnerabilities on a system, while auxiliary modules can be used in a more generic sense even without vulnerabilities on a target system. Payloads, on the other hand, are used after successful exploitation. They execute some function on the target system to achieve some objective. Auxiliary modules can, for example, scan for and find systems that are vulnerable. Exploit modules can then connect us to that vulnerable system, and payloads can execute something on that system, perhaps shutting down the server or deleting a file, just as an example. I will use an auxiliary module for this demonstration.
We will be searching for the log4shell scanner. This is a module that can find systems that have the Log4Shell vulnerability. We can search for it without specifying whether it is an exploit or a payload, or even its platform, as shown below.
msf6 > search name:log4shell
This will give us all sorts of results. We can narrow our search by specifying that we want an auxiliary module.
msf6 > search type:auxiliary name:log4shell
You will see that the results are now limited to auxiliary modules, with every result starting with "auxiliary/". Of course, if you are searching for an exploit or a payload you would use those words instead of auxiliary in the search command.
Once you find what you are looking for, you can select the module by using the "use module" command. The syntax in this case will be as follows:
#syntax
#use module
msf6 > use auxiliary/scanner/http/log4shell_scanner
You will type the module path exactly as it appears in the search results and press enter. The module name will appear in red in the prompt if it has been selected successfully.
Once selected, try viewing what the module is about by running the info command while the module is selected. You will be able to read about the module as shown in the figure.
msf6 auxiliary(scanner/http/log4shell_scanner) > info
Different modules have various options that you may have to set for them to run properly. You can view the options by typing the command "show options".
msf6 auxiliary(scanner/http/log4shell_scanner) > show options
You will see the name of each option on the left and its current setting. You can change this to a value you prefer. In the case of log4shell_scanner, we need to set the interface to listen on, or an IP address, using the "SRVHOST" option. We will also set the target port to 8080 using the "RPORT" option, just as an example.
#setting the port
msf6 auxiliary(scanner/http/log4shell_scanner) > set RPORT 8080
#checking if the setting has changed
msf6 auxiliary(scanner/http/log4shell_scanner) > show options
#setting the ethernet interface
msf6 auxiliary(scanner/http/log4shell_scanner) > set SRVHOST eth0
Once the module is selected and its options are set, you can then specify the target, which will include the hosts to scan. This can be a single IP address or a range.
msf6 auxiliary(scanner/http/log4shell_scanner) > set RHOSTS 192.168.43.1-192.168.43.250
In this case we set it to scan a network range. We can then type exploit (or run, the usual command for auxiliary modules; exploit is accepted as an alias) to run the module.
msf6 auxiliary(scanner/http/log4shell_scanner) > exploit
Since this module searches for machines with the Log4Shell vulnerability, it will return the IP of any machine that has the vulnerability, with some specifics. You can then repeat this process for other exploits and payloads. If, let's say, you found a vulnerability on 192.168.43.1, you would search for an exploit to run against that target, set the options, set the target and then type exploit, just as we have done with this module. If the exploit is successful, you then find a payload to execute on the machine you exploited. You can search, find the payload, set the options and exploit.
You can leave a module by using the command "back", or leave the console altogether by typing "exit".
msf6 auxiliary(scanner/http/log4shell_scanner) > back
msf6 >
msf6 > exit
The Simple Service Discovery Protocol, or SSDP, is used to discover Plug and Play devices as part of UPnP. This protocol is, however, known to have a number of vulnerabilities that can lead to buffer overflows and denial-of-service attacks. Metasploit has a module that lets us scan for these SSDP endpoints and possibly recognise the vulnerability. We will use it in this example to scan 192.168.43.141.
msfconsole
use auxiliary/scanner/upnp/ssdp_msearch
set RHOSTS 192.168.43.141
show options
exploit
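Both scans above (the log4shell_scanner steps and the ssdp_msearch sequence) are the same pattern: use a module, set its options, set RHOSTS, run. As an added example that is not part of the original tutorial, the POSIX shell script below writes that sequence into a Metasploit resource script, after checking that the RHOSTS value is a single IPv4 address, an a-b range or a CIDR block, so the scan can be repeated with msfconsole's -q (quiet) and -r (resource file) switches instead of retyping it. The "exit -y" line and the file names are my choices; the module names and option values are those from the tutorial.

```shell
#!/bin/sh
# Added example, not from the original tutorial: build a msfconsole
# resource script (.rc) for an auxiliary scan so it can be re-run with
#   msfconsole -q -r <file>
# Assumes the -q/-r switches and "exit -y" (quit without confirmation)
# behave as documented by Metasploit.

# ERE for a dotted-quad IPv4 address (shape check only, not range-checked).
ipv4='([0-9]{1,3}\.){3}[0-9]{1,3}'

# valid_target SPEC: accept one IPv4, an a-b range (as RHOSTS takes it)
# or a CIDR block; anything else (e.g. a bare interface name) is rejected.
valid_target() {
  printf '%s\n' "$1" |
    grep -Eq "^(${ipv4}|${ipv4}-${ipv4}|${ipv4}/[0-9]{1,2})\$"
}

# make_rc MODULE TARGET [OPTION=VALUE ...]: print the resource script on
# stdout; the caller redirects it into a file.
make_rc() {
  module=$1; target=$2; shift 2
  valid_target "$target" || { echo "bad RHOSTS value: $target" >&2; return 1; }
  printf 'use %s\n' "$module"
  for opt in "$@"; do                       # e.g. SRVHOST=eth0 -> set SRVHOST eth0
    printf 'set %s %s\n' "${opt%%=*}" "${opt#*=}"
  done
  printf 'set RHOSTS %s\nshow options\nrun\nexit -y\n' "$target"
}

# Write the two scans from this tutorial into $TMPDIR (or /tmp).
out=${TMPDIR:-/tmp}
make_rc auxiliary/scanner/http/log4shell_scanner 192.168.43.1-192.168.43.250 \
        SRVHOST=eth0 RPORT=8080 > "$out/log4shell_scan.rc"
make_rc auxiliary/scanner/upnp/ssdp_msearch 192.168.43.141 > "$out/ssdp_scan.rc"
echo "run with: msfconsole -q -r $out/log4shell_scan.rc"
```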
There are several modules that can scan or exploit different things on the target machine. Below is a short list of some of the most commonly used.
Module | Purpose |
---|---|
exploit/multi/http/wordpress_admin_shell_upload | Exploits a vulnerable WordPress installation and uploads a PHP file that gives shell access as a back door. |
exploit/windows/smb/ms17_010_eternalblue | This is based on the EternalBlue SMBv1 vulnerability that allows remote code execution on Windows systems. |
auxiliary/scanner/portscan/tcp | This performs a simple TCP port scan. |
exploit/multi/handler | Creates a payload handler that receives incoming connections from an exploited target. |
post/windows/manage/persistence_exe | Creates a backdoor service that remains active even after the Windows system is rebooted, allowing remote access to the compromised machine. |
You can use these modules and more to test the security of the devices in your network. You can see what attackers could do on your network and protect yourself from it.