Metasploit Fundamentals and Usage

Beginner

Introduction

In this lab, we will explore the fundamental concepts and usage of the Metasploit Framework, a powerful open-source penetration testing tool. Metasploit provides a comprehensive platform for identifying and exploiting vulnerabilities in various systems and applications. The goal of this lab is to familiarize you with the core components of Metasploit, its attack methodologies, and basic usage techniques.

Understanding the Metasploit Framework

In this step, we will introduce the Metasploit Framework, its architecture, and core concepts.

Metasploit is a powerful and widely used penetration testing framework written in Ruby. It consists of various components, including modules, interfaces, plugins, utilities, and libraries. The framework is designed to be modular, allowing for code reuse and extensibility.

The Metasploit Framework is organized into several key modules:

  1. Exploits: These are code modules that leverage vulnerabilities in target systems to gain unauthorized access or execute arbitrary code.
  2. Auxiliary: This module includes various support tools, such as scanners, fuzzers, and protocol manipulation utilities.
  3. Encoders: These modules are used to obfuscate or encode payloads to bypass security mechanisms like antivirus software or firewalls.
  4. Payloads: These modules contain the code that is executed on the target system after a successful exploitation.
  5. Post-Exploitation: These modules provide functionality for maintaining access and conducting further actions on the compromised system.

Metasploit provides several interfaces for interacting with the framework, including an interactive console (msfconsole), a web-based interface (Metasploit Web UI), and a non-interactive command-line interface (Metasploit Command Line).

First, start the lab environment. Open the xfce terminal by double-clicking its icon on the desktop and start Metasploitable2 with the following command:

sudo virsh start Metasploitable2

Ping the target machine to ensure it's running (press Ctrl-C to exit ping):

ping 192.168.122.102

Then start the Kali container and enter its bash shell:

docker run -ti --network host b5b709a49cd5 bash

From inside the container, ping the target again to verify network connectivity (press Ctrl-C to exit ping):

ping 192.168.122.102

Now start the Metasploit console:

cd ~
msfconsole

In the following steps, we will explore the basic usage of the Metasploit console and perform various tasks.

Navigating the Metasploit Console

In this step, we will learn how to navigate the Metasploit console and explore the available modules.

The Metasploit console provides a command-line interface for interacting with the framework. Here are some basic commands:

  • help: Display a list of available commands and their descriptions.
  • search [keyword]: Search for modules based on the provided keyword.

Let's search for modules related to Linux in Metasploit console:

search linux

This command lists every module whose name or description matches "linux", including exploits, auxiliary modules, and payloads.

To select a specific module, use the use command followed by the module path in Metasploit console:

use auxiliary/analyze/jtr_linux

Once a module is selected, you can view its options and required parameters using the show options command in Metasploit console:

show options

Here's an example of the output you might see:

Module options (auxiliary/analyze/jtr_linux):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   BLOWFISH              false            no        Include BLOWFISH hashes (Very Slow)
   BSDI                  true             no        Include BSDI hashes
   CONFIG                                 no        The path to a John config file to use instead of the default
   CRACKER_PATH                           no        The absolute path to the cracker executable
   CUSTOM_WORDLIST                        no        The path to an optional custom wordlist
   DES                   true             no        Indlude DES hashes
   FORK                  1                no        Forks for John the Ripper to use
   INCREMENTAL           true             no        Run in incremental mode
   ITERATION_TIMEOUT                      no        The max-run-time for each iteration of cracking
   KORELOGIC             false            no        Apply the KoreLogic rules to John the Ripper Wordlist Mode(slower)
   MD5                   true             no        Include MD5 hashes
   MUTATE                false            no        Apply common mutations to the Wordlist (SLOW)
   POT                                    no        The path to a John POT file to use instead of the default
   SHA256                false            no        Include SHA256 hashes (Very Slow)
   SHA512                false            no        Include SHA512 hashes (Very Slow)
   USE_CREDS             true             no        Use existing credential data saved in the database
   USE_DB_INFO           true             no        Use looted database schema info to seed the wordlist
   USE_DEFAULT_WORDLIST  true             no        Use the default metasploit wordlist
   USE_HOSTNAMES         true             no        Seed the wordlist with hostnames from the workspace
   USE_ROOT_WORDS        true             no        Use the Common Root Words Wordlist
   WORDLIST              true             no        Run in wordlist mode


Auxiliary action:

   Name  Description
   ----  -----------
   john  Use John the Ripper

Press Ctrl+D to quit the Metasploit console, then start the inspection.

Setting Module Options

In this step, we will learn how to set options for a selected module in Metasploit.

If you are not already in the Metasploit console, start it:

cd ~
msfconsole

Select a module:

use auxiliary/analyze/jtr_linux

Many modules require specific options to be set before they can be executed. You set an option with the set command followed by the option name and its value, in the form set OPTION_NAME value.

For example, let's set the JOHN_PATH option for the jtr_linux module in the Metasploit console (note that JOHN_PATH does not appear in the option table shown in the previous step; according to that table, the path to the john binary is CRACKER_PATH and a custom wordlist is CUSTOM_WORDLIST):

set JOHN_PATH /usr/share/metasploit-framework/data/wordlists/password.lst

You can also use the setg command to set a global option that will persist across module changes.

After setting the required options, you can execute the module using the run or exploit command in Metasploit console, depending on the module type.

run

or

exploit

To go back to the parent context or exit the current module, use the back command.
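
The jtr_linux option table in the previous step has one boolean per hash type (BLOWFISH, BSDI, DES, MD5, SHA256, SHA512), and the slow ones are off by default. Before running the module it is worth knowing which hash types a shadow file actually contains, so that only those are enabled. The following Ruby is an added example, not code from this lab or from Metasploit: it classifies each hash in shadow-format text by its crypt(3) identifier prefix and emits the matching set lines. The prefix-to-option mapping is our own reading of the crypt(3) format identifiers, the function names are ours, and the sample shadow entries are constructed with placeholder hash bodies.

```ruby
# Map the identifier prefix of a crypt(3) hash to the jtr_linux option that
# enables cracking that hash type (option names as printed by `show options`).
# This table is our own reading of the crypt(3) format identifiers; the
# module itself does not expose it.
PREFIX_TO_OPTION = {
  '$1$'  => 'MD5',
  '$2a$' => 'BLOWFISH',
  '$2b$' => 'BLOWFISH',
  '$2y$' => 'BLOWFISH',
  '$5$'  => 'SHA256',
  '$6$'  => 'SHA512',
  '_'    => 'BSDI', # BSDi extended DES: '_' + 4-char count + 4-char salt + 11-char hash
}.freeze

# Returns the option name (String) for a crackable hash, :locked for disabled
# or passwordless accounts ('!', '*' or empty), or :unknown for anything else.
def classify_hash(hash)
  return :locked if hash.nil? || hash.empty? || hash.start_with?('!', '*')
  PREFIX_TO_OPTION.each { |prefix, option| return option if hash.start_with?(prefix) }
  # Traditional DES crypt: exactly 13 characters from the crypt alphabet, no '$' prefix.
  return 'DES' if hash.match?(%r{\A[A-Za-z0-9./]{13}\z})
  :unknown
end

# Count hash types in shadow-format text (user:hash:...); returns {type => count}.
def summarize_shadow(shadow_text)
  counts = Hash.new(0)
  shadow_text.each_line do |line|
    user, hash, _rest = line.chomp.split(':', 3)
    next if user.nil? || user.empty?
    counts[classify_hash(hash)] += 1
  end
  counts
end

# Emit one msfconsole `set` line per hash-type option: true for the types that
# are present, false for the rest, so the slow modes only run when needed.
def jtr_set_commands(summary)
  all = %w[BLOWFISH BSDI DES MD5 SHA256 SHA512]
  present = all.select { |opt| summary[opt].to_i > 0 }
  all.map { |opt| "set #{opt} #{present.include?(opt)}" }
end

# Constructed sample: salts and hash bodies are placeholders, not real hashes.
SAMPLE_SHADOW = <<~SHADOW
  root:$6$c0nstructedsalt$PLACEHOLDERHASHBODYxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:19000:0:99999:7:::
  msfadmin:$1$c0nstru$PLACEHOLDERxxxxxxxxxxx:19000:0:99999:7:::
  legacy:Ab3dEfGh1jKlM:19000:0:99999:7:::
  daemon:*:19000:0:99999:7:::
  www-data:!:19000:0:99999:7:::
  svc:$2y$10$c0nstructedsaltc0nstructPLACEHOLDERHASHBODYxxxxxxxxxxxxxx:19000:0:99999:7:::
SHADOW

if __FILE__ == $PROGRAM_NAME
  summary = summarize_shadow(SAMPLE_SHADOW)
  puts summary.inspect
  puts jtr_set_commands(summary)
end
```

Paste the emitted lines into msfconsole after use auxiliary/analyze/jtr_linux, or save them as a resource file. Enabling only the hash types that are present matters because the table marks BLOWFISH, SHA256 and SHA512 as "Very Slow"; leaving them on against a file that contains none of them wastes the whole cracking budget.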

Press Ctrl+D to quit the Metasploit console, then start the inspection.

Exploiting a Vulnerability

In this step, we will simulate a real-world scenario and attempt to exploit a vulnerability on a target system.

If you are not already in the Metasploit console, start it:

cd ~
msfconsole

Assume we have identified a vulnerable MySQL server on the target IP address 192.168.122.102. We can use the mysql_login module to attempt a brute-force attack on the MySQL credentials.

Select the mysql_login module in Metasploit console:

use auxiliary/scanner/mysql/mysql_login

Next, set the required options in Metasploit console:

set RHOSTS 192.168.122.102
set USER_FILE /path/to/usernames.txt
set PASS_FILE /path/to/passwords.txt

Finally, execute the module in Metasploit console:

exploit

Metasploit will attempt to log in to the MySQL server with every username and password combination from the two files. The file paths above are only examples, so the login attempts may fail; replace them with the paths to your real username and password lists.
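
From the target's side, a mysql_login run looks like a burst of failed authentications from one source address, often across several usernames, which is exactly what the MySQL error log records. The following Ruby is an added example (our own detection logic, not part of this lab or of Metasploit): it parses "Access denied" lines, groups them by source address, and flags any source that reaches a threshold of failures inside a sliding time window. The log format is a constructed approximation of the MySQL error log, the sample lines and addresses are constructed, and the function names are ours.

```ruby
require 'time'

# One failed-authentication record per matching line. The line layout assumed
# here (ISO timestamp, thread id, severity, message) is a constructed
# approximation of the MySQL error log; adjust FAIL_RE to your server's format.
FAIL_RE = /\A(?<ts>\S+)\s+\d+\s+\[Note\]\s+Access denied for user '(?<user>[^']*)'@'(?<src>[^']+)'/

def parse_failures(log_text)
  log_text.each_line.filter_map do |line|
    m = FAIL_RE.match(line)
    next unless m
    { time: Time.iso8601(m[:ts]), user: m[:user], src: m[:src] }
  end
end

# Flag each source that produced at least `threshold` failures within any
# `window`-second span. Returns one finding per offending source.
def detect_bruteforce(failures, threshold: 5, window: 60)
  failures.group_by { |f| f[:src] }.filter_map do |src, events|
    times = events.map { |e| e[:time] }.sort
    # each_cons slides a window of `threshold` consecutive timestamps; the
    # first one that fits inside `window` seconds is the detection.
    burst = times.each_cons(threshold).find { |w| w.last - w.first <= window }
    next unless burst
    {
      src: src,
      first_seen: burst.first,
      total_failures: events.size,
      distinct_users: events.map { |e| e[:user] }.uniq.sort,
    }
  end
end

# Constructed sample log: six failures in ten seconds from one address, one
# unrelated note, and a single isolated failure from another address.
SAMPLE_MYSQL_LOG = <<~LOG
  2024-05-01T10:00:00.000000Z 14 [Note] Access denied for user 'root'@'192.168.122.50' (using password: YES)
  2024-05-01T10:00:02.000000Z 15 [Note] Access denied for user 'root'@'192.168.122.50' (using password: YES)
  2024-05-01T10:00:04.000000Z 16 [Note] Access denied for user 'admin'@'192.168.122.50' (using password: YES)
  2024-05-01T10:00:05.000000Z 17 [Note] Aborted connection 17 to db: 'unconnected' user: 'unauthenticated' host: '192.168.122.50' (Got an error reading communication packets)
  2024-05-01T10:00:06.000000Z 18 [Note] Access denied for user 'admin'@'192.168.122.50' (using password: YES)
  2024-05-01T10:00:08.000000Z 19 [Note] Access denied for user 'msfadmin'@'192.168.122.50' (using password: YES)
  2024-05-01T10:00:10.000000Z 20 [Note] Access denied for user 'msfadmin'@'192.168.122.50' (using password: NO)
  2024-05-01T10:30:00.000000Z 41 [Note] Access denied for user 'app'@'10.0.0.9' (using password: YES)
LOG

if __FILE__ == $PROGRAM_NAME
  detect_bruteforce(parse_failures(SAMPLE_MYSQL_LOG)).each do |finding|
    puts "#{finding[:src]}: #{finding[:total_failures]} failures from #{finding[:first_seen]}, users #{finding[:distinct_users].join(',')}"
  end
end
```

Two points for anyone wiring this into real monitoring: MySQL records these "Access denied" lines as informational notes, so on 5.7 and later they only appear when log_error_verbosity is set to 3; and a single application with a stale password also produces repeated failures, so the distinct_users count is what separates a credential sweep from a misconfigured client.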

Press Ctrl+D to quit the Metasploit console, then start the inspection.

Post-Exploitation Tasks

In this step, we will explore the post-exploitation modules available in Metasploit, which can be used to maintain access and perform additional actions on a compromised system.

After successfully exploiting a vulnerability and gaining access to the target system, you can use post-exploitation modules to perform various tasks, such as:

  • Gathering system information
  • Escalating privileges
  • Maintaining persistent access
  • Pivoting to other systems

If you are not already in the Metasploit console, start it:

cd ~
msfconsole

To use a post-exploitation module, follow the same steps as with other module types in Metasploit console:

use post/windows/gather/enum_logged_on_users
show options

Here's an example of the output you might see:

Module options (post/windows/gather/enum_logged_on_users):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CURRENT  true             yes       Enumerate currently logged on users
   RECENT   true             yes       Enumerate recently logged on users
   SESSION                   yes       The session to run this module on

Set the session the module should run against, then execute it:

set SESSION 1
exploit

This example module enumerates the logged-on users on a Windows system, but Metasploit provides many other post-exploitation modules for various platforms and tasks.

Press Ctrl+D to quit the Metasploit console, then start the inspection.

Summary

In this lab, we explored the Metasploit Framework, a powerful tool for penetration testing and vulnerability assessment. We learned about the core components of Metasploit, such as exploits, payloads, and auxiliary modules. We also practiced navigating the Metasploit console, searching for modules, setting options, and executing modules to exploit vulnerabilities and perform post-exploitation tasks.

Metasploit provides a comprehensive and versatile platform for ethical hackers, security professionals, and researchers to identify and mitigate security vulnerabilities. By understanding and practicing with Metasploit, you can enhance your skills in penetration testing, vulnerability analysis, and overall security assessment.
