Metasploit Framework

Metasploit – “The de facto standard for Exploit Development“, “The Attacker’s Playbook“, “The one-stop Penetration Testing Solution” and the list goes on….

Metasploit is a framework of exploits, payloads, shellcode, encoders, fuzzing tools and more; put simply, it is a collection of exploitation tools bundled into a single framework. It is available on all major platforms: Linux, Windows and OS X. Its main objective is to test your (or your organization’s) defences by attacking them, something like “Offense for Defense”. This is the point where a penetration tester or security analyst starts actually attacking the target, after extensive reconnaissance. Metasploit has a wide range of tools and utilities to perform attacks against all major operating systems, including Android and iOS.

History

Metasploit was first written in Perl by H.D. Moore. From the start it was intended to be a maintainable framework that automates the exploitation process rather than relying on manual verification. The first version was released in 2003 with only a handful of exploits (11 in the 1.0 release). More contributors then joined the project, and a major release was 2.7 in 2006, which shipped 150+ exploits. The next big change was version 3 (2007): the framework was rewritten in Ruby and made cross-platform, and, best of all, new exploits and modules could now be downloaded and added with ease. In 2009 Rapid7 acquired the project and still owns and maintains it. The basic architecture has not changed since, and the core framework remains free and open source. At the time of writing, version 4.11.x ships with 1412 exploits, 802 auxiliary modules, 229 post modules, 361 payloads, 327 encoders and 8 nops. We will have a brief look at each of these.

Modules & Interfaces

Metasploit comes with a variety of interfaces:

  • msfconsole – An interactive command-line shell, the most commonly used interface, from which all tasks can be done.
  • msfcli – Calls msf functions directly from the terminal/cmd without entering an interactive shell. (Removed from the framework in 2015; msfconsole -x "<commands>" and resource scripts cover the same need.)
  • msfgui – The Metasploit Framework graphical user interface (no longer maintained).
  • Armitage – Another graphical tool, written in Java, to manage pentests performed with MSF.
  • Metasploit Community (or above) Web Interface – The web-based interface provided by Rapid7 for easy pentesting.
  • Cobalt Strike – A commercial GUI with added features for post-exploitation, reporting etc. (Versions before 3.0 were built on top of Metasploit; from 3.0 onwards it is a separate product.)

Modules

Exploit

An exploit is the method by which an attacker takes advantage of a flaw in a system, service or application. The attacker uses it to make the target do something its developer or implementer never intended, a kind of misuse. This is what an attacker uses to gain access to a system.

In Metasploit an exploit module is paired with a payload: the exploit gets control of the target, the payload is what runs once it does.

Source: “Metasploit- A pentester’s Guide”

Payload

A payload is the piece of code that runs on a successfully exploited system. After an exploit works, the framework delivers the payload through the exploited vulnerability (flaw) and executes it on the target. Through the payload the attacker gets a shell on the system or pulls data out of the compromised host.

Auxiliary

Auxiliary modules provide functionality other than exploitation: fuzzing, scanning, reconnaissance, denial of service and so on. An auxiliary module can grab banners, fingerprint operating systems, fuzz a service or launch a DoS attack against the target, but it does not deliver a payload the way an exploit does, so you cannot gain access to a system with an auxiliary module alone.

Source: “Mastering Metasploit” from PacktPub

Encoders

Encoders transform a payload so that it avoids “bad characters” the exploit cannot deliver (a NULL byte in a string-based overflow, for instance) and, as a side effect, change its byte signature. They are commonly applied, even multiple times, when a backdoor is generated and sent to the victim. A caveat the framework’s own documentation makes: encoding is not a reliable antivirus evasion technique. Modern AV engines recognise the stock encoders (shikata_ga_nai included) and the decoder stub they prepend, so treat encoders as a bad-character tool rather than an evasion tool.

Source: “Mastering Metasploit” from PacktPub

Shellcode

Shellcode is the set of machine instructions used as a payload when exploitation occurs. It is typically written in assembly language. In most cases a command shell or a Meterpreter session is handed back after the target has executed those instructions, hence the name.

Source: “Metasploit- A pentester’s Guide”

Listener

A listener (in Metasploit, a handler such as exploit/multi/handler) waits for the connection that a reverse payload running on the compromised system makes back to the attacker, or, for a bind payload, connects out to the port the payload opened.

Post

As the name suggests, these modules are used for post-exploitation. After a system has been compromised, we can dig deeper into it (credentials, keystrokes, privilege escalation) or use it as a pivot to attack other systems with these modules.

Nops

NOP stands for No Operation, an instruction (0x90 on x86) that does nothing except advance to the next instruction. This is related to shellcode and machine-language instructions. A run of NOPs placed in front of the shellcode is called a NOP sled: when the exploit’s overwritten return address is not exact, control only has to land somewhere inside the sled, after which execution slides forward into the payload instead of crashing on garbage bytes. Metasploit’s nop modules generate sleds out of varied harmless instructions rather than plain 0x90 bytes, which makes simple “string of 0x90” signatures miss them. This is a somewhat advanced concept and you need to understand shellcoding in order to make use of nops.

Okay, that’s enough theory…let’s have some fun. For now let’s proceed with a tutorial; the basics and commands of msfconsole will follow in upcoming posts.

Here is a brief block diagram of the architecture of Metasploit:

(Figure: Metasploit architecture block diagram)

Links: Metasploit Home Page | Rapid7 | HD Moore

Lab 1: Gather publicly available email-ids from search engines.

In this lab we are going to gather email IDs for a specific domain, using an auxiliary module through msfconsole.

Step 1: Prerequisites: start and enable the PostgreSQL service, check your IP, start the Metasploit service and launch msfconsole.

Command: service postgresql start
Command: update-rc.d postgresql enable
Command: ip a | grep inet
Command: service metasploit start
Command: msfconsole

(These are the Kali 1.x commands. On Kali 2.0 and later there is no metasploit service: run msfdb init once to create and configure the database, then start msfconsole.)

(Figure: starting services and initial setup)
(Figure: the msfconsole prompt)

Step 2: Initial steps.

Check that msfconsole is connected to the database.

Command: db_status

The above command reports whether there is a database connection. I will explain this in detail in upcoming posts.

If the metasploit service started correctly, there will be a connection. If not, open a new terminal, start the service (command given above) and then connect manually:

db_connect msf3:msf3@localhost/msf3

Then check the db status again. (The msf3:msf3 credentials are the Kali 1.x defaults; on newer installs msfdb init generates the credentials and stores them in the framework’s database.yml, and msfconsole connects automatically.) If it still doesn’t succeed, don’t worry: msf works fine without a database connection, just without some extended features such as storing hosts, services and loot across sessions. For the solution, check Step 2 in the following link:

http://kalilinuxtutorials.com/et/msfconsole-1/

Step 3: Let’s proceed. There is an auxiliary module which gathers all the email IDs found publicly on a company’s website, social profiles etc. The module works by querying search engines such as Google, Bing and Yahoo for the target domain.

In the msf prompt type:

search email

(Figure: msfconsole and database status)
(Figure: modules listed after search)

This will show a list of modules. Here we are gonna use an auxiliary module : auxiliary/gather/search_email_collector

Type in:

info auxiliary/gather/search_email_collector

This displays some information on the module.

(Figure: information on the module)

Step 4: Let’s proceed to using the module.

use auxiliary/gather/search_email_collector

Then there are certain options for this module, we can view this by using the following command

show options

We are going to search for publicly available Gmail IDs, so we set the domain to gmail.com and save the output to gmails.txt.

set DOMAIN gmail.com
set OUTFILE /root/gmails.txt <make sure to use the absolute path here>

(Figure: setting options in the module)

All set, we can run the auxiliary now but it’s always better to view all options set before running.

show options

The moment of truth

run
(Figure: the module running and displaying results)
(Figure: the module showing final results)

After successful completion the results are in the file we specified. Verify it from the home folder, or open a new terminal and type:

Command: less gmails.txt <replace with the filename you gave>

(Figure: reading the outfile)

Press q to exit.

This is a very basic demo of the Metasploit Framework, made exclusively for beginners. The module is also useful for collecting email IDs of a company during penetration tests: set the DOMAIN option to your target domain and run. Keep in mind that search-engine results contain stale addresses and look-alike domains, so validate the list before you use it, and stay within the scope of your engagement.
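The whole lab can be driven from a normal shell instead of typing into the msf prompt one command at a time. The script below is an added example (my own, not part of the original post or of the Metasploit project): it builds the non-interactive msfconsole invocation for the module and then cleans up the OUTFILE the way you would before putting the addresses into a report. It assumes msfconsole is on the PATH and uses the same module and option names (DOMAIN, OUTFILE) shown above; the sample address list it creates is constructed for the demo, not real module output.

```shell
#!/bin/sh
# Added example, not from the original post or from Metasploit itself.
# Assumes: msfconsole is on PATH; module auxiliary/gather/search_email_collector
# with options DOMAIN and OUTFILE, exactly as used in the lab above.

# Build the msfconsole command that runs the module without an interactive
# prompt: -q suppresses the banner, -x runs the semicolon-separated commands.
# The command is returned as a string so the caller can inspect or eval it.
msf_email_cmd() {
    domain="$1"
    outfile="$2"
    printf 'msfconsole -q -x "use auxiliary/gather/search_email_collector; set DOMAIN %s; set OUTFILE %s; run; exit"\n' \
        "$domain" "$outfile"
}

# Normalize the collected addresses: lowercase, strip stray whitespace, keep
# only addresses that belong exactly to the target domain, and deduplicate.
# Search engines return look-alike domains (gmail.com.au) and addresses from
# other domains quoted on the same page, so the "@domain$" anchor matters.
normalize_emails() {
    file="$1"
    domain="$2"
    # Escape dots so the domain is matched literally inside the regex.
    escaped=$(printf '%s' "$domain" | sed 's/\./\\./g')
    tr 'A-Z' 'a-z' < "$file" \
      | tr -d ' \t\r' \
      | grep -E "^[a-z0-9._%+-]+@${escaped}\$" \
      | sort -u
}

# Constructed sample OUTFILE standing in for what the module would write.
# Contains mixed case, trailing whitespace, a duplicate, a look-alike domain
# and an unrelated domain, i.e. the noise normalize_emails has to remove.
make_sample() {
    f="${TMPDIR:-/tmp}/gmails_sample.txt"
    printf 'Alice@gmail.com\nbob@gmail.com \nbob@gmail.com\ncarol@gmail.com.au\ndave@example.com\n' > "$f"
    printf '%s\n' "$f"
}

# Usage (uncomment to run against a real target you are authorised to test):
# eval "$(msf_email_cmd example.com /root/emails.txt)"
# normalize_emails /root/emails.txt example.com
```

Running `normalize_emails` on the constructed sample leaves just alice@gmail.com and bob@gmail.com. If subdomains (mail.example.com) are in scope for your engagement, widen the pattern accordingly; the strict anchor is the safe default because it is what keeps an unrelated organisation’s addresses out of your list.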

Hope you enjoyed this long post. Follow us on Facebook, Twitter & G+. Comment on this post and give feedback; that’s what keeps me alive.

Thank you

References: http://security.stackexchange.com/questions/30497/nops-in-metasploit


3 thoughts on “Metasploit Framework”

  • March 7, 2017 at 10:09 pm

    Hey bro, a very nice tut. But can you please tell me where these emails came from and what the use of collecting these emails will be?

    • March 24, 2017 at 7:41 pm

      These mail IDs come from Google & Bing. They are mail IDs which are publicly exposed on websites, forums etc. There is no use for Gmail IDs, but this technique can be used to enumerate a set of email IDs of an organization (e.g. XYZ Corp).

  • January 28, 2016 at 6:38 pm

    Hi Ravi,

    I really enjoyed going through all your posts on Metasploit and would be glad if you could throw some more insight on the same.
