The Metasploit Framework

Background

The Metasploit framework is a collection of open source software projects designed for penetration testing and discovery. Created by H.D. Moore in 2003 as a Perl networking tool, the framework has since evolved into a utility for verifying vulnerabilities, managing security assessments, and improving security awareness. Over time, the project adopted a wider feature set, including the ability to test exploits and even to assist in developing means of breaking into remote systems through oversights in common programs. As of 2019, the latest version of the Metasploit framework is 5.0, and it may be found at https://www.metasploit.com/.

The people behind Metasploit

The Metasploit framework is one of many tools owned and maintained by Rapid7, a company that specifically deals with cyber security. Their other products include:

  • Nexpose
  • InsightVM
  • Insight Connect
  • InsightIDR
  • AppSpider

However, the Metasploit framework is also open-source, meaning that third parties and individuals may also contribute to and learn from the framework’s source code. Given that the code is intended as a tool to develop exploit code, where an exploit means taking advantage of a software bug or oversight to gain access to a target machine (ex: privilege escalation), the Metasploit framework is used by all manner of hackers. White hats may use Metasploit to assess a client’s security measures before an attack occurs. Black hats, on the other hand, may use Metasploit to develop their own malicious hacks, and then use the modules to test against known vulnerabilities. Essentially, it allows them to prepare an attack rather than blindly target a system and hope for the best.

What is Metasploit and how do I use it?

As mentioned, Metasploit is a tool for testing software penetration and system vulnerabilities, as well as creating and developing exploitation techniques (for ethical reasons only, of course). After getting Metasploit up and running (which may be done by the various means shown here: https://www.metasploit.com/get-started or here: https://metasploit.help.rapid7.com/docs/installing-the-metasploit-framework), you will be shown a command-line window with an indication that Metasploit is running. The Metasploit framework is a command-line tool that is composed of modules. A module is a piece of software that performs a specific task. The module types are:

Module     Description
---------  ------------------------------------------------------------------------------------
Exploits   Execute instructions to target a vulnerability
Payloads   Leave code behind after an attack to compromise a system
Auxiliary  Perform actions that aren’t related to exploitation (ex: scan, “fuzz”)
Encoders   Compile software to the target platform (ex: x86, x86-64)
Post       “Post-exploitation”, i.e. software to run after a system has been “hacked”
NOPs       “No operation”, i.e. an instruction used to help get remote code running (see NOP sled)

Using these modules, a user may use Metasploit to:

  • Discover exploits present in a known vulnerability
  • Set up an environment in which that exploit could succeed
  • Test whether that exploit would work given an environment and vulnerability
  • Test whether a payload could be delivered after an exploit has been
  • And much more

An example of using the Metasploit framework

To use Metasploit, you would have to download it from the official website (https://www.metasploit.com/) for the platform of your choice, and then follow the instructions (https://metasploit.help.rapid7.com/) to get it running. Alternatively, you could instead download and install VirtualBox (https://www.virtualbox.org/) and load up Kali Linux (https://www.kali.org/), since Kali Linux has Metasploit pre-installed and ready to go. Regardless of the method you choose, to begin Metasploit, open a command-line window and type:

$ msfconsole

At which point Metasploit will load, and the prompt will now read:

msf>

You may now type in commands to use Metasploit.

Before beginning to use Metasploit, you will have to know of a vulnerability that you want to exploit on a remote device. If you don’t know what vulnerabilities exist, or you are curious about the range of exploitable software that you can target, Rapid7 maintains a database of known vulnerabilities that you can search at: https://www.rapid7.com/db/modules/. For instance, suppose that you wanted a way to get remote access to a computer. One way to do this is to find a vulnerability in a commonly installed program, and then use that as an entry point. When typing “Adobe” into the database search engine, the results showed many different exploits found in “Adobe” products that we could choose from. Of course, the exploits required specific versions of the software, so keep this in mind. After choosing a vulnerability to target, the next step is to load Metasploit’s exploit module for it with the use command, as follows:

msf> use exploit/name_of_vulnerability

At this point, if the vulnerability given hasn’t been patched yet, Metasploit will load up an exploit for the vulnerability given, and then several options will open up. To see these options, we use the show command, which takes an argument:

msf> show [arg]
msf> show options

“Show options” shows the set of target machine configurations that can be set. This is how we can customize the target machine to see what settings are possible, or not possible, when trying to run the exploit (options include the server port, server address, etc.).

msf> show payloads

“Show payloads” shows the different kinds of payloads that you can use with the currently loaded exploit. These are what you can deliver to the target machine after running the exploit. They let you know what is available when launching your attack.

msf> info

The info command gives you information about the exploit, how it works, what software version it targets, and other details about the attack.

msf> set [option] [value]
msf> set SRVPORT 80
msf> set SRVHOST 129.141.9.1

The set command allows you to change the target machine configurations, one option at a time.

msf> exploit

Finally, when you are happy with the current settings, you can run the exploit command, which will then run the exploit currently loaded. After a while, the framework will tell you whether or not the exploit succeeded, and you can go from there. This is just a small taste of the Metasploit framework, but it gives you an idea of how it works, how it is used, and what you can do with one of its many, many modules.
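A practical check before typing exploit is to confirm that every option marked Required in the show options table actually has a value. The script below is an added example, not code from the original write-up or from the Metasploit Framework: it parses the table layout msfconsole prints for show options and lists the required options that are still blank. SAMPLE is a constructed imitation of that output (not captured from a real run), and the module name inside it is a placeholder.

```python
"""Parse msfconsole 'show options' output and flag required options that are
still unset.  Added example, not code from the original article or from the
Metasploit Framework; SAMPLE is constructed to mimic the layout msfconsole
prints, and the module name in it is a placeholder."""
import re

# Constructed sample of 'show options' output (not captured from a real run).
SAMPLE = """
Module options (exploit/placeholder/example_module):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on
   SRVPORT  80               yes       The local port to listen on
   SSL      false            no        Negotiate SSL for incoming connections
   URIPATH                   no        The URI to use (default is random)
   RHOSTS                    yes       The target host(s)
"""

COLUMNS = ("Name", "Current Setting", "Required", "Description")


def parse_show_options(text):
    """Return one dict per row of the first options table found in text.
    Column boundaries come from the header line, so a blank cell (URIPATH
    above) stays an empty string instead of shifting the later cells."""
    lines = iter(text.splitlines())
    header = next((ln for ln in lines if re.match(r"\s*Name\s+Current Setting", ln)), None)
    if header is None:
        return []
    starts = [header.index(col) for col in COLUMNS]
    next(lines, None)  # skip the '----' underline
    rows = []
    for line in lines:
        if not line.strip():
            break  # a blank line ends the table
        cells = [line[a:b].strip() for a, b in zip(starts, starts[1:] + [None])]
        row = dict(zip(COLUMNS, cells))
        row["Required"] = row["Required"].lower() == "yes"
        rows.append(row)
    return rows


def missing_required(text):
    """Required options with no value; msfconsole refuses to run the module until they are set."""
    return [r["Name"] for r in parse_show_options(text) if r["Required"] and not r["Current Setting"]]
```

Running missing_required on the real output of show options (pasted into a file or piped in) tells you which set commands are still needed before exploit will run.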