Complete Metasploit Guide (Part-2 Understanding all Modules)
In this article we are going to look at all the types of modules in the Metasploit framework, with an understanding of each module in detail.
So let us take a better look at the structure of the Metasploit framework itself. The first thing you want to know is where all the modules, encoders, payloads and exploits are actually stored. They are stored under:
/usr/share/metasploit-framework
Just cd to /usr, then share, and then into the metasploit-framework directory. Once you change directory to that, you can type ls and you will see a bunch of files, and I will show you which are the more important ones and the ones that we will use.
First of all, the first one is msfconsole. It is the program used to run the console itself and actually perform the attacks.
Another important one is msfvenom. This is the program we will use in order to create our payloads, our meterpreter shells and backdoors; we do that from this command line right here.
You can also update your Metasploit framework with the msfupdate command.
Most of the others are not so important at the moment. It is good to know that the Metasploit framework and all of its exploits are written in Ruby, a programming language similar to Python, so if you know that language it is a plus.
In order to find all of the exploits and payloads you need to go to the modules directory; everything is stored in there. If you go into modules and type ls, you will see all of the things we want to understand: auxiliary, encoders, evasion, exploits, nops, payloads and post. Now let us explain each of those in detail.
- Exploits
Exploits are used to target vulnerable software running on a remote machine; they are what lets us take advantage of a vulnerable system to gain access to it. So let's change our directory to exploits (cd exploits) and type ls, and you will notice that there are different exploits for different operating systems and for different platforms such as browsers. For example you have Linux, Windows, Unix, Solaris, Android and Apple exploits, and also browser exploits such as the ones for Firefox. There are a bunch of separate directories for the different types of exploits.
So let's try to find the exploit I talked about in the previous article, the one for the Windows 7 and Windows 8 machine: I believe it is the Eternal Blue exploit from 2017. It is a Windows exploit, so we go into windows and type ls. There is a further division between all of these exploits, as we can see in the image above: most of them are divided by the service, or by the port number that service runs on. For example we can see http, which runs on port 80; ssh, port 22; ftp, port 21; and smb, port 445 I believe. So let us go to smb, since that is where the Eternal Blue exploit is. If I type ls here you will see a bunch of different exploits for SMB, and here it is, the eternalblue_win8.py exploit. We also have the regular Eternal Blue exploit.
Most of these are .rb files, which means they are Ruby files; the exploits are written in Ruby, as I said before. If you wanted to, you could open some of them with nano to see what they look like. Let's see what the Eternal Blue .rb file looks like: we can see the code of the exploit itself, written in Ruby. You can check out a bunch of things right here. I do not know Ruby, so I will not actually be explaining what all of this does; it is similar to Python, and you can understand it if you have learned some programming languages before. For now I just wanted to show you the code behind this exploit.
So let's close this and go back to the modules directory, and let's talk about payloads.
- Payloads
Payloads are files that allow us to take access of, or control over, a system; a payload simply gives the attacker ownership of the system it is injected into. For example: rootkits.
For the payloads directory, first change directory to payloads and type ls to see what we have; here we have the different types of payloads. As I said before, these are the files we send to the victim, for example backdoors. As we can see there are three types here: singles, stagers and stages.
Singles are the smaller payloads; they are used to perform only one action, for example a single keylogging payload.
Stagers can be used to deliver another payload; they are also used to communicate between the attacker and the target.
Stages are the larger payloads, which give almost full control of the target. For example, the shell that we will use in most of our attacks consists of meterpreter shells.
Now, what is a meterpreter shell?
It is basically a shell with a bunch of different options that we can use after we exploit the remote system: we can screenshot the desktop, run a keylogger, bypass antivirus, and do a bunch of other things with the meterpreter shell. We can upload other payloads as well with meterpreter, download files, upload files, and other things that we will cover in the next tutorials. So that'll be about it for payloads.
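The singles/stagers/stages split above shows up directly in how Metasploit names its payloads, and a defender reading a log or report can use that to tell whether a payload implies a second network transfer. The following Ruby is an added example, not code from the article or from Metasploit; the stager prefix list and the platform/architecture list are my assumptions and are not exhaustive.

```ruby
# Added example (not Metasploit's own code): classify Metasploit payload names into
# the categories the article describes, using the framework's naming convention.
# A staged payload is named "<platform...>/<stage>/<stager>", e.g.
# windows/meterpreter/reverse_tcp: the small stager runs first and the larger
# stage is sent to it over the connection. A single (stageless) payload is one
# component joined with underscores, e.g. windows/meterpreter_reverse_tcp.

# Assumption (not from the framework): stager components start with one of these.
STAGER_PREFIXES = %w[reverse bind find].freeze

# Assumption (not exhaustive): platform and architecture components that may sit
# just before the final part, so cmd/unix/reverse_bash is not read as a stage "unix".
PLATFORM_ARCH = %w[windows linux osx unix bsd solaris android apple_ios cmd php
                   python java ruby nodejs generic x86 x64 aarch64 armle mipsle
                   mipsbe].freeze

def stager_like?(part)
  STAGER_PREFIXES.any? { |p| part.start_with?("#{p}_") }
end

# Returns a hash describing the payload, or nil if the name is malformed.
def classify_payload(name)
  parts = name.split("/")
  return nil if parts.empty? || parts.any?(&:empty?)

  last = parts[-1]
  if parts.size >= 2 && stager_like?(last) && !PLATFORM_ARCH.include?(parts[-2])
    # Staged: expect a second network transfer (the stage) right after the
    # stager connects, which is a useful thing to look for in network captures.
    { name: name, kind: :staged, platform: parts[0...-2].join("/"),
      stage: parts[-2], stager: last }
  else
    # Single: the whole payload travels in one piece; stageless meterpreter
    # is named "meterpreter_<transport>".
    { name: name, kind: :single, platform: parts[0...-1].join("/"),
      payload: last, stageless_meterpreter: last.start_with?("meterpreter_") }
  end
end

# Group payload names (e.g. from a "show payloads" listing or an incident report)
# by kind, so a defender can see which ones imply a second-stage download.
def summarize(names)
  names.map { |n| classify_payload(n) }.compact
       .group_by { |h| h[:kind] }
       .transform_values { |list| list.map { |h| h[:name] } }
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample list of payload names.
  sample = %w[windows/meterpreter/reverse_tcp windows/x64/meterpreter_reverse_https
              cmd/unix/reverse_bash linux/x86/shell/bind_tcp]
  summarize(sample).each { |kind, list| puts "#{kind}: #{list.join(', ')}" }
end
```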
Let us check what else we have: the auxiliary modules.
- Auxiliary
Auxiliary modules are a collection of different functionalities that are widely used while hacking; they give a variety of functions for enumerating, scanning and brute-forcing a target.
So let us go to the auxiliary modules and type ls here, and you will see that they are also divided into different types: fuzzers, spoofers, sniffers and other kinds of auxiliary modules. But most of the time the auxiliary modules you use will be scanners that you run against a target. For example, you can scan whether your target is vulnerable to some type of attack. Sometimes auxiliary modules are also used to brute force, for example, SSH, Tomcat and other things that we will also cover in the next article. You can check out all of the other subdirectories if you want to and see what they have in them; some of the auxiliary modules are written in Ruby as well. So that'll be about it for auxiliary.
Now let's talk about the encoders.
- Encoders
As the name suggests, encoders are used to encode exploits and payloads so that they can bypass security systems. If I type ls here you will see the encoders; let's go into that directory. These are the encoders for different types of machines. Encoders are mostly used to bypass antivirus: you can change how the code looks with an encoder, or scramble the code, so that the antivirus database does not recognize it.
How antivirus databases work, or basically how most antivirus works, is that they have a huge database of all the known exploits, viruses, Trojans and malware. Once you run a program on your PC that is malware and is known to that database, your antivirus will prevent it from running and delete it. But if you, for example, change the code a little and scramble it, or even better write the malware yourself, most antivirus most likely won't be able to detect it, since it is the first time they see code like that; that code is not in their database, so they cannot detect it and run it as a normal program rather than as malware. That's why coding your own malware is a big advantage. So that would be about it for the encoders; we will also show how to use them later on.
- Post
The post modules are some of the tools or programs that you will use after you exploit the target, which is normally called post-exploitation. In post you will find capture, escalating privileges, gathering information, manage, recon and WLAN. For example, you send meterpreter, which is a reverse shell that we will use, and from meterpreter you can upload other post-exploitation programs that you can use together with it: password gathering, or basically any other information gathering you want, such as gathering cookies from a certain browser.
- Nops
Nop is short for no operation. It is basically an instruction in assembly language that performs no operation: a nop causes the processor to do nothing for an entire clock cycle, which is very useful in buffer overflow attacks. If you have ever encountered assembly code, or if you are an assembly programmer, you will most likely know what nops are. This is most popularly known on x86 chips as the 0x90 byte. When a processor loads this instruction it simply does nothing for one cycle and then advances the instruction pointer to the next instruction, so execution skips along until it reaches the next useful instruction.
Now, why are nops useful?
Basically, nops keep the payload size consistent. The practical importance of this has to do with writing instruction jumps. If you do not know what instruction jumps are it doesn't matter that much, but jumps can be either relative or absolute. If you move data around at all with an absolute jump, you must recode the absolute jump to it; if you move one instruction around relative to another, you must also recode the relative jump. Putting in nops simplifies the problem, because a jump that lands anywhere in a series of nops will continue on to the first executable instruction, and this prevents the processor from reading invalid code that could stop execution and crash the software. So from all of this you just need to remember that a nop is an instruction, represented by the 0x90 byte, that basically does nothing. That's what you need to know; we will probably use it later on in some other section.
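The claim above, that a jump landing anywhere in a run of nops continues on to the first real instruction, is easy to model, and the same property is what lets an IDS flag a nop sled. The following Ruby is an added example, not code from the article or from Metasploit; the sample buffer is constructed and the alert threshold of 16 is my assumption.

```ruby
# Added example (not from the article or Metasploit): a tiny model of the nop sled
# behaviour described above, plus the simple heuristic a defender uses to spot one.
NOP = 0x90 # single-byte x86 NOP

# Constructed sample: a 64-byte sled followed by a 4-byte stand-in for the real
# payload (0xCC, the INT3 breakpoint instruction, used here only as a marker).
SLED_LEN = 64
SAMPLE = ([NOP] * SLED_LEN + [0xCC] * 4).freeze

# Model of the processor: starting at `landing`, step over NOPs one byte at a time
# and return the index of the first non-NOP byte, or nil if execution would run
# off the end of the buffer (the crash case the sled is meant to avoid).
def first_real_instruction(bytes, landing)
  return nil if landing < 0 || landing >= bytes.size
  idx = landing
  idx += 1 while idx < bytes.size && bytes[idx] == NOP
  idx < bytes.size ? idx : nil
end

# True if every landing point inside the sled reaches the same first instruction,
# which is exactly why a jump into the sled does not need to be precise.
def sled_tolerant?(bytes, sled_len)
  target = first_real_instruction(bytes, 0)
  (0...sled_len).all? { |i| first_real_instruction(bytes, i) == target }
end

# Defender side: longest run of consecutive 0x90 bytes in a buffer (network
# payload, file, memory dump). Legitimate data rarely contains long runs.
def longest_nop_run(bytes)
  best = run = 0
  bytes.each do |b|
    run = b == NOP ? run + 1 : 0
    best = run if run > best
  end
  best
end

# Assumption: a threshold of 16 consecutive NOPs; real IDS rules pick their own.
def nop_sled_alert?(bytes, threshold = 16)
  longest_nop_run(bytes) >= threshold
end

if $PROGRAM_NAME == __FILE__
  puts "landing at 5 continues at index #{first_real_instruction(SAMPLE, 5)}"
  puts "every landing inside the sled reaches the payload: #{sled_tolerant?(SAMPLE, SLED_LEN)}"
  puts "longest NOP run: #{longest_nop_run(SAMPLE)}, alert: #{nop_sled_alert?(SAMPLE)}"
end
```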
These are all the modules of the Metasploit framework. This should be enough for you to understand the basic structure of the Metasploit framework. In the next article we will actually start covering some of the scanners and exploits that we can use on our vulnerable targets. So that would be it for this tutorial, and I hope to see you in the next one.