Sweshi's Tutorials


Metasploit Beginner Tutorial

NOTICE: All the tutorials on this website are meant to help you find security vulnerabilities on your own network and devices to understand your security posture before black hats do. Penetration testing without written consent is illegal and you can be prosecuted. Use these tutorials to secure your own networks or those whose permission you have been granted. Keep it ethical and keep it professional.
Introduction to MetaSploit

Metasploit is an open-source penetration testing framework developed by Rapid7 and shipped with a number of Linux distributions. I will be demonstrating the basics using Kali Linux. It provides tools for ethical hackers, security researchers, and penetration testers to perform security assessments and test the vulnerabilities of computer systems, networks, and applications of various types. The framework is designed to automate various stages of the penetration testing process and offers a comprehensive set of tools for exploitation, post-exploitation, and vulnerability assessment. It is perhaps the best-known exploitation framework. Exploitation simply means that it is able to use some code to take advantage of vulnerabilities in a system. These vulnerabilities can result from the version of the software, the system configuration, and so on. Some of the key things about Metasploit include the following:

  • Exploitation: Metasploit includes a vast database of exploits that target known vulnerabilities in various software and systems. It provides a platform for security professionals to launch these exploits against target systems and assess their security. There are thousands of exploits written for Metasploit targeting all kinds of systems.
  • Payloads: Metasploit allows users to deliver payloads to exploited systems. Payloads are pieces of code that perform specific actions on the target system, such as establishing remote access, collecting information, or creating a backdoor.
  • Auxiliary Modules: Metasploit includes auxiliary modules that perform various tasks, such as scanning for vulnerabilities, collecting information, or interacting with systems in different ways.
How to use Metasploit

In this tutorial, I will show how to use the msfconsole to find exploits, select them, set options and targets, and run them.

[Figure: starting the msfconsole]

On the command line, run the command below to start the console

msfconsole

This will load Metasploit as shown in the figure. There are several things you can do from here; to get some help, simply type help to see the options that are available.

[Figure: msf6 help]
searching using metasploit

You can search for auxiliary modules, exploits or payloads. Exploits are meant to execute based on vulnerabilities on a system, while auxiliary modules can be used in a more generic sense even without vulnerabilities on a target system. Payloads, on the other hand, are used after successful exploitation. They execute some function on the target system to achieve some objective. Auxiliary modules can, for example, scan and find systems that are vulnerable. Exploit modules can then connect us to that vulnerable system, and then payloads can execute something on that system, perhaps shutting down the server or deleting a file, just as an example. I will use an auxiliary module for this demonstration.

We will be searching for the log4shell scanner. This is a tool that can find systems that have the log4shell vulnerability. We can search for it without specifying whether it is an exploit or a payload or even its platform as shown below.

msf6 > search name:log4shell

This will give us all sorts of results. We can narrow the search by specifying that we want an auxiliary module.

msf6 > search type:auxiliary name:log4shell

You will see that the results are now limited to auxiliary modules, with every result starting with "auxiliary/". Of course, if you are searching for an exploit or a payload you would use those words instead of auxiliary in the search command.

[Figure: searching auxiliary modules]
Selecting a module in metasploit

Once you find what you are looking for, you can select the module with the "use module" command. The syntax in this case is as follows:

# syntax: use <module>
msf6 > use auxiliary/scanner/http/log4shell_scanner

You will type the module as it appears on the search and press enter. The module will appear in red if it has been selected successfully.

[Figure: selecting the log4shell scanner]

Once selected, try viewing what the module is about by running the info command while the module is selected. You will be able to read about the module as shown in the figure.

msf6 > auxiliary/scanner/http/log4shell_scanner > info

[Figure: how to view information about a module]
Setting module options in Metasploit

Different modules can have various options that you might have to set for them to run well. You can view the options by typing the command "show options".

msf6 > auxiliary/scanner/http/log4shell_scanner > show options

[Figure: how to show module options in metasploit]

You will see the name of each option on the left and its current setting. You can change this to a value you prefer. In the case of log4shell_scanner, we need to set the interface to listen on, or an IP address, which can be set using the "SRVHOST" option. We will also set the port to 8080 using the "RPORT" option, just as an example.

# setting the port
msf6 > auxiliary/scanner/http/log4shell_scanner > set RPORT 8080
# checking if the setting has changed
msf6 > auxiliary/scanner/http/log4shell_scanner > show options
# setting the ethernet interface
msf6 > auxiliary/scanner/http/log4shell_scanner > set SRVHOST eth0

[Figure: how to change the setting of a metasploit module]
[Figure: set SRVHOST eth0]
Setting the target in Metasploit

Once the module is selected and its options are set, you can set the target, which is the host or hosts to scan. This can be a single IP address or a range.

msf6 > auxiliary/scanner/http/log4shell_scanner > set RHOSTS 192.168.43.1-192.168.43.250

[Figure: set options to scan]

In this case we set it to scan a network range. We can then type exploit (or run) to run the module.

msf6 > auxiliary/scanner/http/log4shell_scanner > exploit

[Figure: running a module using metasploit]

Since this module searches for machines with the log4shell vulnerability, it would return the IP address of a machine that has the vulnerability along with some specifics. You can then repeat this process for other exploits and payloads. If, let's say, you found a vulnerability on 192.168.43.1, you would have to search for an exploit to run on that target, set the options, set the target and then type exploit, just as we have done with this module. If the exploit is successful, you again find a payload to execute on the machine that you exploited: you search, find the payload, set the options and exploit.
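To see exactly which hosts a RHOSTS value like the range above will cover, and to confirm that every one of them lies inside the network you are authorized to test, here is an added Python helper; it is not part of this tutorial and not Metasploit's own code. It handles the single-address, CIDR and start-end range forms. The function names, the comma-or-space separation of several tokens, and the out_of_scope check are this example's own conventions, not Metasploit's RangeWalker.

```python
import ipaddress


def expand_rhosts(spec):
    """Expand one RHOSTS token into a list of IPv4 address strings.

    Forms handled (constructed helper, not Metasploit's own RangeWalker):
      single address      192.168.43.141
      CIDR block          192.168.43.0/24
      start-end range     192.168.43.1-192.168.43.250
    """
    spec = spec.strip()
    if "/" in spec:
        # CIDR: hosts() skips the network and broadcast addresses
        net = ipaddress.ip_network(spec, strict=False)
        return [str(h) for h in net.hosts()]
    if "-" in spec:
        start, end = spec.split("-", 1)
        start_ip = ipaddress.ip_address(start.strip())
        end_ip = ipaddress.ip_address(end.strip())
        if end_ip < start_ip:
            raise ValueError(f"range end precedes start: {spec}")
        return [str(ipaddress.ip_address(n))
                for n in range(int(start_ip), int(end_ip) + 1)]
    return [str(ipaddress.ip_address(spec))]


def expand_rhosts_list(value):
    """Several tokens separated by spaces or commas (this helper's convention)."""
    hosts = []
    for token in value.replace(",", " ").split():
        hosts.extend(expand_rhosts(token))
    return hosts


def out_of_scope(hosts, authorized_cidrs):
    """Return the hosts that fall outside the networks you are authorized to test.

    An empty list means the whole RHOSTS expansion stays inside your own scope.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in authorized_cidrs]
    return [h for h in hosts
            if not any(ipaddress.ip_address(h) in n for n in nets)]


if __name__ == "__main__":
    # The same range the tutorial sets with "set RHOSTS ..."
    targets = expand_rhosts_list("192.168.43.1-192.168.43.250")
    print(len(targets), "hosts, first", targets[0], "last", targets[-1])
    print("out of scope:", out_of_scope(targets, ["192.168.43.0/24"]))
```

Running expand_rhosts_list on the value before you type it into msfconsole is a cheap way to catch a typo that would turn a /24 into something much larger, and out_of_scope gives you a concrete check against the consent boundary described in the notice at the top of this page.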

You can leave a module by using the command "back", or leave the console altogether by typing "exit".

msf6 > auxiliary/scanner/http/log4shell_scanner > back
msf6 > exit
SSDP Scanning using metasploit

The Simple Service Discovery Protocol, or SSDP, is used to detect plug-and-play devices using UPnP. This protocol is, however, known to have a number of vulnerabilities that can lead to buffer overflows and denial of service attacks. Metasploit has a module that allows us to scan for these SSDP endpoints and possibly recognise the vulnerability. We will use it in this example to scan 192.168.43.141.

msfconsole
use auxiliary/scanner/upnp/ssdp_msearch
set RHOSTS 192.168.43.141
show options
exploit

[Figure: ssdp scanning using metasploit]
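As an added example, not part of this tutorial and not the ssdp_msearch module's own code, the following Python shows what that module does on the wire: it builds the standard SSDP M-SEARCH request, parses a reply into its headers, and summarises the fields a defender wants when inventorying UPnP devices on their own network (the SERVER software a device reports, the LOCATION of its description XML, and whether LOCATION points back at the host that answered). The sample reply is constructed, and the function names and summary fields are assumptions of this example.

```python
import socket
from urllib.parse import urlparse

SSDP_GROUP = ("239.255.255.250", 1900)   # standard SSDP multicast address and port


def build_msearch(st="ssdp:all", mx=2):
    """Build the SSDP M-SEARCH discovery request (HTTP-over-UDP, CRLF terminated)."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",          # seconds a device may wait before answering
        f"ST: {st}",          # search target; ssdp:all asks every device to reply
        "", "",               # blank line ends the header block
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(data):
    """Parse an 'HTTP/1.1 200 OK' SSDP reply into a dict of upper-cased headers.

    Returns None for anything that is not a 200 reply.
    """
    text = data.decode("utf-8", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines or not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def summarize(sender_ip, data):
    """Reduce one reply to the fields worth recording in a device inventory."""
    hdrs = parse_ssdp_response(data)
    if hdrs is None:
        return None
    location = hdrs.get("LOCATION", "")
    loc_host = urlparse(location).hostname
    return {
        "ip": sender_ip,
        "server": hdrs.get("SERVER", ""),
        "location": location,
        "usn": hdrs.get("USN", ""),
        # A LOCATION on a different host than the one that answered is unusual
        # and worth a closer look.
        "location_matches_sender": loc_host == sender_ip,
    }


def discover(timeout=2.0):
    """Live version: multicast one M-SEARCH and collect replies until timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    results = []
    try:
        sock.sendto(build_msearch(), SSDP_GROUP)
        while True:
            data, (ip, _port) = sock.recvfrom(65535)
            summary = summarize(ip, data)
            if summary:
                results.append(summary)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return results


# Constructed sample reply in the UPnP response format; not captured from a real device.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.43.141:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/4.9 UPnP/1.0 ExampleUPnP/1.2\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(summarize("192.168.43.141", SAMPLE_RESPONSE))
    # On your own LAN: for entry in discover(): print(entry)
```

Run discover() on your own network to get the same kind of inventory the module produces. Entries whose SERVER string names firmware you did not expect to have exposed, or whose LOCATION points at a different host than the one that answered, are the ones to follow up first.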

There are several modules that can scan or exploit different things on the target machine. Below is a short list of some of the most commonly used.

Module | Purpose
exploit/multi/http/wordpress_admin_shell_upload | Exploits a vulnerable WordPress installation and uploads a PHP file that gives shell access as a backdoor.
exploit/windows/smb/ms17_010_eternalblue | Based on the EternalBlue SMBv1 vulnerability, which allows remote code execution on Windows systems.
auxiliary/scanner/portscan/tcp | Performs a simple TCP port scan.
exploit/multi/handler | Creates a payload handler that receives incoming connections from an exploited target.
post/windows/manage/persistence_exe | Creates a backdoor service that remains active even after the Windows system is rebooted, allowing remote access to the compromised machine.

You can use these modules and more to test the security of the devices in your network. You can see what attackers could do on your network and protect yourself against it.