This is the first in a five-part series on the fundamentals of Metasploit that I wrote back in 2014. While some of the specifics have changed over time, the series still provides a good overview for the new user of Metasploit.
Links to all of the articles are listed below:
- Part 1: Metasploit Overview and Tools
- Part 2: The Metasploit Console
- Part 3: Pivoting with Metasploit
- Part 4: Metasploit Dynamic Shellcode Generation
- Part 5: Scripting Metasploit
This series of articles is written for the novice hacker or information security professional who is just getting started with Metasploit. Odds are that you’ve heard about it previously; every news article that talks about a new exploit invariably mentions something along the lines of “… and there is already a module for it in Metasploit, the hacker’s tool of choice.” Maybe you’re not sure exactly what Metasploit really can do though, or why it has become a must-have tool to those in our industry. This article will help you gain that knowledge, and provide the baseline for the remaining four articles in the series.
The information in this article was current as of Metasploit 4.7, and the examples that are shown were obtained using Kali Linux.
DISCLAIMER: All discussions of exploitation and compromise are made only with regard to systems that you either personally own or have been authorized by the owner in writing to assess. The author does not condone or encourage the attacking, exploitation, or compromise of systems that do not meet those criteria.
What IS Metasploit
Metasploit is developed by a company named Rapid7, and is at its heart an exploitation framework. This means that it provides standard tools, methods, and access hooks to repeatably identify, exploit, and compromise vulnerable systems and applications. Furthermore, it provides a uniform way to do this so that exploits can be easily shared amongst the community. When most people think of Metasploit they think of the Metasploit Console, which provides an interactive interface to many of the most commonly used features, but the Metasploit Framework has a far richer feature set than that.
Let’s dive into the various tools and you’ll see what we mean.
Metasploit Console (msfconsole/msfpro)
The Metasploit Console is a simple interface that allows the user to search for modules, configure those modules, and execute them against specified targets with chosen payloads. It also provides a management interface for opened sessions, network redirection, and data collection.
Before we go any further, let’s establish what each of those terms really means for the purposes of this article.
- Module: A module is an exploit, escalation, scanner, or information gathering unit of code that interfaces with the framework to perform some operation. For instance, an exploit for the infamous MS08-067 vulnerability against multiple versions of the Windows operating system is a single module, as is a scanner that identifies Windows usernames over SNMP, and so is a tool that gathers password hashes from a Linux system after successful exploitation. It may be easiest to think of a module as a discrete job that you would assign to a co-worker, like “Exploit the FTP Server on Windows 2003” or “Find me a list of all credentials stored by Firefox on this server.”
- Session: A session is a connection between a target and the machine running Metasploit. Sessions allow for commands to be sent to and executed by the target machine.
- Payload: A payload is the actual code that we want Metasploit to run on a compromised application or machine. This could be something as simple as executing a single command to as complex as creating a reverse connection and staging a custom shell environment on the compromised system.
The Metasploit Console is so important in and of itself that it is the topic of the next article, so we’ll leave this description for now. Just remember that when you’re getting started, this is more than likely the tool you will want to use.
Metasploit Updater (msfupdate)
The Metasploit Updater provides a simple way to keep your Metasploit Framework up to date. Just get a network connection and invoke this on the command line to automatically download the latest patches, payloads, and exploits.
Metasploit Command Line Interface (msfcli)
The Metasploit Command Line Interface allows for the selection of a module, specification of all required arguments, and execution of that module in a non-interactive manner. In short, it makes scripting possible. For example, if you have a system which automatically scans your network for hosts that offer information via a public SNMP community string and you want to automatically run a Metasploit module to gather information from them whenever they are found, the Metasploit Command Line Interface makes it quite simple to do that (and we demonstrate just such a technique in part 5 of this series).
Metasploit RPC (msfrpc/msfrpcd)
The Metasploit RPC Daemon runs as a background process and allows multiple users to connect to the same system and control sessions, exploits, etc. Think about it this way: you may find a process on a particular system that is vulnerable and exploitable, but that will crash as part of the exploit and won’t come back online. You and your team members all need to be able to perform activities on the exploited system. By using the Metasploit Daemon to route all of these actions through a common system, you only need to exploit something once to grant all team members access to it.
Another place this comes in handy is in avoiding collisions. If one team member gains access to a system by exploiting a particular process, another team member may inadvertently terminate that access when they exploit the same process. Of course, all of this is also quite noisy for those situations where discretion is preferred. The Metasploit RPC Daemon makes short work of such problems.
Metasploit Binary Scanners (msfbinscan/msfpescan/msfelfscan/msfmachscan)
When developing custom exploits you may often need to find an address within an executable that matches a specific criterion, such as a JMP EAX instruction. The Metasploit Framework provides a set of tools which enable you to search binaries directly for such addresses. There is a generic scanner (msfbinscan) that will attempt to automatically determine the appropriate scanner to use, which for new users is probably the best route to take. For more experienced users, the generic scanner simply calls the format-specific scanners (PE/ELF/MACH).
Metasploit Payload Generator (msfpayload)
As part of the Metasploit Framework there are literally hundreds of payloads (exploit code) that are included, ranging from arbitrary command execution to injection of a Meterpreter shell (a custom shell designed for Metasploit that allows for easy integration and staging of further exploits) or even running DNS queries. These payloads are well tested, modular, and ready for use in your own custom exploits. The Metasploit Payload Generator allows you to take a payload and generate a custom payload just for that purpose. For instance, it can generate a byte buffer that executes a specified command on Windows as C# source, or build the exact same result as a custom executable.
The Metasploit Payload Generator can also generate raw bytes, which is especially useful for those instances in which you need to re-encode data to avoid input filters. If only there was a tool to encode things…
Metasploit Encoder (msfencode)
The Metasploit Encoder allows us to take raw bytes (such as from msfpayload) and encode or re-encode them to meet specific criteria. Let’s say that you find an FTP server vulnerability that you’d like to exploit, but the payload you generate to deliver to it contains a null byte… bad news, since that byte will terminate the command string on the FTP server and stop your exploitation from progressing. Using the Metasploit Encoder you can take your payload and re-encode it so that it no longer contains that character. That’s just brushing the tip of the iceberg for this tool, of course. In the second series on Metasploit we’ll take a look at some of the more advanced things this can really do.
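To make the "bad character" problem concrete, here is a small added example (written for this page, not code from the article or from Metasploit) that scans a constructed byte buffer for characters a text protocol would reject and searches for a single-byte XOR key whose output contains none of them. The buffer and the bad-character set are assumptions for illustration; a real encoder such as msfencode also has to emit a decoder stub, which is omitted here.

```python
# Added illustration of what an encoder has to solve: find bytes in a buffer
# that the delivery channel cannot carry, then find a transformation of the
# buffer that avoids them. This is only the search step; no decoder stub.

# Assumed bad characters: NUL, LF and CR, which line-oriented protocols such
# as FTP treat as string or command terminators.
BAD_CHARS = b"\x00\x0a\x0d"


def find_bad_chars(buf: bytes, bad: bytes = BAD_CHARS) -> list:
    """Return (offset, byte) pairs for every bad character found in buf."""
    return [(i, b) for i, b in enumerate(buf) if b in bad]


def xor_encode(buf: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in buf)


def find_xor_key(buf: bytes, bad: bytes = BAD_CHARS):
    """Return the first key in 1..255 for which neither the key byte itself
    (a decoder would have to carry it) nor the encoded output contains a bad
    character, or None if no single-byte key works."""
    for key in range(1, 256):
        if key in bad:
            continue
        if not find_bad_chars(xor_encode(buf, key), bad):
            return key
    return None


# Constructed sample buffer (not a real payload): it contains a NUL at offset 2
# and a CR at offset 4, so it could not be sent as-is inside an FTP command.
SAMPLE = b"\x31\xc0\x00\x50\x0d\x68\x41\x42\x43\x44"

if __name__ == "__main__":
    print("bad bytes:", find_bad_chars(SAMPLE))          # [(2, 0), (4, 13)]
    key = find_xor_key(SAMPLE)
    print("usable XOR key:", key)                        # 1
    encoded = xor_encode(SAMPLE, key)
    print("encoded clean:", not find_bad_chars(encoded))  # True
```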
Metasploit Venom (msfvenom)
Metasploit Venom is probably the most underappreciated tool in the Metasploit Framework. Although also an advanced tool, it has the ability to take an executable and inject a custom payload into it, effectively “poisoning” the original (hence “venom”). We’ll also be taking a look at this tool in the second series.
Well, that about wraps up our quick overview of the Metasploit Framework tools. As you can see, the Metasploit Framework offers a full range of tools for designing, building, deploying, and controlling exploits.
If all of this seemed to go a bit too quickly, fear not. We’ll be diving into each of these in the coming articles. By the time we’re done you’ll be fully comfortable using the Metasploit Framework to exploit systems and applications.