Using the Metasploit Framework

  • The Metasploit Framework includes a suite of tools that you can use to test security vulnerabilities, enumerate networks, execute attacks, and evade detection.

  • Metasploit as a product comes in two editions: the commercial Metasploit Pro and the open-source Metasploit Framework. The Pro version adds features (for example a web interface and automation) on top of the same framework.

  • The old way to update Metasploit was to run msfupdate in the OS terminal (outside msfconsole). On distributions that package it, such as Kali Linux, the apt package manager now handles updates of modules and features.

  • To start interacting with the Metasploit Framework, we type msfconsole in the terminal of our choice.

Architecture

  • The files related to Metasploit are by default found in /usr/share/metasploit-framework/

  • The architecture includes:

    • Data, Documentation & Lib: These are the base files of the Framework. Data and Lib are the functioning parts of the msfconsole interface, while the Documentation folder contains the technical details about the project.

    • Modules: The exploit, auxiliary, post-exploitation and payload modules that have already been developed, tested in the wild, and integrated within the framework.

    • Plugins: Plugins can be manually or automatically loaded as needed to provide extra functionality and automation.

    • Scripts: Meterpreter functionality and other useful scripts.

Modules

  • The modules are laid out in folders that follow the pattern <type>/<os>/<service>/<name>, for example exploit/windows/smb/ms17_010_eternalblue. The <No.> shown in search output is the index of the result in that listing, not part of the path.

  • The types are the first level of segregation between the different modules:

Type         Description
-----------  --------------------------------------------------------------------------------------------
Auxiliary    Scanning, fuzzing, sniffing, and admin capabilities. Offer extra assistance and functionality.
Encoders     Transform a payload so that it avoids characters the exploit cannot deliver (e.g. null bytes)
             and arrives intact; historically also used for antivirus evasion.
Exploits     Modules that exploit a vulnerability in order to deliver a payload.
NOPs         (No Operation code) Keep payload sizes consistent across exploit attempts.
Payloads     Code that runs on the remote target and typically calls back to the attacker machine to
             establish a connection (or shell).
Plugins      Additional scripts that can be integrated into an assessment with msfconsole and coexist with it.
Post         Wide array of post-exploitation modules used to gather information, pivot deeper, etc.

  • Note that each exploit can be run against different targets (e.g., different versions of an operating system). Many exploits default to an "Automatic" target, in which case Metasploit fingerprints the target first and then runs the exploit against the matching target. If we already know the exact target, we can set it directly with the target option.

  • To install an extra module (for example one taken from ExploitDB), copy its .rb file into the matching <type>/<os>/<service>/ folder of the Metasploit modules directory, or under ~/.msf4/modules/, which is searched as well. Then either start msfconsole with msfconsole -m <Module-Directory> to add that path, or run reload_all inside an already running console to import the newly installed modules. The file must be an actual Metasploit module written in Ruby, not a standalone exploit script.

  • post/multi/recon/local_exploit_suggester is an example of a post module: it suggests local privilege-escalation exploits after initial access has been gained.

  • Command List:

#To search for a module
search <Keyword>

#To add filters to the search (filters such as type:, platform:, cve: and name: are supported)
search type:<Type> platform:<Platform> <Keyword>

#To select a module after searching, either by its path or by the index number shown in the search results
use <Module-Path>
use <ID-Number>

#To see the options after selecting a module
options
or
show options
or
info

#To change an option
set <Option-Name> <Option-Value>
setg <Option-Name> <Option-Value> #setg sets the value globally, so every module uses it until the framework is restarted (or unsetg is used)

#To see the targets and select one
show targets
set target <Target-ID>

#To run a module
run
or
exploit

Payloads

  • There are three different types of payload modules in the Metasploit Framework:

    • Singles: Self-contained payloads, executed immediately on the target system, providing results immediately. More stable, but the size can get quite large.

    • Stagers: Typically used to set up a network connection between the attacker and the victim, designed to be small and reliable.

    • Stages: Payload components downloaded by Stagers, offering advanced features with no size limits.

  • A staged payload is simply an exploitation process that is modularized and functionally separated, helping segregate the different functions it accomplishes into different code blocks, each completing its objective individually but working together to chain the attack.
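The folder structure described under Modules and the staged/single split above are both visible in a module's name alone: exploit and post modules are laid out as <type>/<os>/<service>/<name>, staged payloads separate stage and stager with a slash (windows/meterpreter/reverse_tcp), and singles fuse them with an underscore (windows/meterpreter_reverse_tcp) or have no stage at all (cmd/unix/reverse_bash). The parser below is an added example written for these notes, not code from the Metasploit Framework; the module names it handles are real, but the parser itself is only an illustration of the naming scheme and the platform/architecture token list is an assumption maintained by hand.

```python
"""Parse Metasploit module and payload references by their naming convention.

Added example for these notes; it is not code from the Metasploit Framework.
The references used below are real module names, but the parser is an
illustration of the naming scheme, not an interface the framework provides.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

MODULE_TYPES = {"auxiliary", "encoder", "evasion", "exploit", "nop", "payload", "post"}

# Platform and architecture components that precede a payload's own name,
# e.g. the "windows/x64" in windows/x64/meterpreter/reverse_https.
# Hand-maintained list (assumption), not pulled from the framework.
PLATFORM_ARCH_TOKENS = {
    "windows", "linux", "osx", "android", "apple_ios", "bsd", "solaris", "unix",
    "cmd", "php", "python", "java", "ruby", "nodejs", "generic", "multi",
    "x86", "x64", "aarch64", "armle", "armbe", "mipsbe", "mipsle", "mips64",
    "ppc", "ppc64", "sparc",
}


@dataclass(frozen=True)
class ModuleRef:
    type: str                 # auxiliary, exploit, post, ...
    path: Tuple[str, ...]     # components between type and name (<os>/<service> for exploits)
    name: str


@dataclass(frozen=True)
class PayloadInfo:
    name: str
    platform: Optional[str]   # "windows/x64", "cmd/unix", ...
    stage: Optional[str]      # meterpreter, shell, ... (None for singles)
    stager: str               # reverse_https, bind_tcp, or the whole single name
    staged: bool


def classify_payload(name: str) -> PayloadInfo:
    """Tell a staged payload from a single (stageless) one by its name.

    Staged: <platform>/<stage>/<stager>   e.g. windows/meterpreter/reverse_tcp
    Single: <platform>/<stage>_<stager>   e.g. windows/meterpreter_reverse_tcp
            or just <platform>/<name>     e.g. cmd/unix/reverse_bash
    """
    parts = [p for p in name.strip("/").split("/") if p]
    i = 0
    while i < len(parts) and parts[i] in PLATFORM_ARCH_TOKENS:
        i += 1                                    # skip platform/arch prefix
    platform = "/".join(parts[:i]) or None
    rest = parts[i:]
    if not rest:
        raise ValueError(f"payload has no name component: {name!r}")
    if len(rest) >= 2:                            # stage and stager are separate components
        return PayloadInfo(name, platform, stage=rest[-2], stager=rest[-1], staged=True)
    return PayloadInfo(name, platform, stage=None, stager=rest[0], staged=False)


def parse_module_ref(ref: str):
    """Split a full module reference such as exploit/windows/smb/ms17_010_eternalblue.

    A bare number (as in "use 3") is an index into the last search result,
    not a path, so it is rejected here.
    """
    if ref.strip().isdigit():
        raise ValueError("search-result index, not a module path")
    parts = [p for p in ref.strip("/").split("/") if p]
    if len(parts) < 2 or parts[0] not in MODULE_TYPES:
        raise ValueError(f"not a module reference: {ref!r}")
    if parts[0] == "payload":
        return classify_payload("/".join(parts[1:]))
    # For exploit/post modules the path is <os>/<service>; auxiliary modules
    # use a functional grouping instead (e.g. scanner/smb).
    return ModuleRef(type=parts[0], path=tuple(parts[1:-1]), name=parts[-1])


if __name__ == "__main__":
    for ref in ("exploit/windows/smb/ms17_010_eternalblue",
                "post/multi/recon/local_exploit_suggester",
                "payload/windows/x64/meterpreter/reverse_https",
                "payload/windows/meterpreter_reverse_tcp",
                "payload/cmd/unix/reverse_bash"):
        print(ref, "->", parse_module_ref(ref))
```

The distinction matters in practice: a staged payload needs the handler to serve the second stage, so the listener's payload setting must match exactly, while a single can be caught by a plain netcat listener as well.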

  • Meterpreter is a multi-faceted payload that, on Windows, is injected into a process as a DLL (reflective DLL injection), which keeps the connection to the victim host stable and hard to spot with simple checks. It resides entirely in the memory of the remote host and writes nothing to disk by default; for the same reason it does not survive a reboot unless a separate persistence mechanism is installed.

  • Encoders transform a payload so that it contains none of the characters the exploit cannot deliver (bad characters such as null bytes) and fits the target architecture. They were also once used to evade antivirus detection, but nowadays most antivirus programs easily detect encoded payloads. Today msfvenom (which replaced the separate msfpayload and msfencode tools) carries out both the creation and the encoding of the payload.

  • Metasploit also offers a tool called msf-virustotal that we can use with an API key to analyze our payloads. However, this requires free registration on VirusTotal.

  • To open a general listener for the payloads we create, we can use the multi/handler module.

  • Command List:

#To list the payloads compatible with the selected module
show payloads

#To choose a payload, either by its index in that list or by its full name
set payload <Payload-Number>
set payload <Payload-Name>

Databases

  • Databases in msfconsole are used to keep track of your results. msfconsole has built-in support for the PostgreSQL database system.

  • Workspaces are like folders that we can use to segregate the different scan results, hosts, and extracted information by IP, subnet, network, or domain.

  • Command list to setup:

#Start Postgresql Service
sudo systemctl start postgresql

#Initiate the database (an error can occur if the latest updates aren't installed)
sudo msfdb init

#Check the status of the database
sudo msfdb status

#Connect to the database and start metasploit
sudo msfdb run

#If there is an issue with the password of the msf user
msfdb reinit
cp /usr/share/metasploit-framework/config/database.yml ~/.msf4/
sudo service postgresql restart
msfconsole -q

#To check that the database is connected (In Metasploit)
db_status

#Check the current workspaces *Indicates the currently selected (In Metasploit)
workspace

#Create a new workspace
workspace -a <Workspace-Name>

#Switch to a workspace
workspace <Workspace-Name> 

#Import data from an external scan file (e.g. Nmap XML output)
db_import <Scan-File>

#Run nmap from inside Metasploit
db_nmap <Parameters> <Targets>

#Display hosts
hosts

#Display services
services

#Display credentials
creds

#Display loot (e.g. hashdumps and other files collected from hosts)
loot

#Export the database to a file (xml is the full format)
db_export -f xml <Output-File>

Plugins

  • Plugins are third-party tools whose authors have agreed to their integration into the framework; they run inside msfconsole rather than as separate programs.

  • They can be useful for automating repetitive tasks, adding new commands to the msfconsole, and extending the already powerful framework.

  • Plugins are stored by default in /usr/share/metasploit-framework/plugins. To install new custom plugins not included in new updates of the distro, we can take the .rb file provided on the maker's page and place it in the folder at /usr/share/metasploit-framework/plugins with the proper permissions.

Sessions

  • msfconsole can manage multiple modules at the same time. While an exploit or auxiliary module is running and has established a channel of communication with the target host, we can background the resulting session, either with the [CTRL] + [Z] key combination or by typing the background command inside a Meterpreter session.

  • If, for example, we are running an active exploit whose handler listens on a specific port and we need that port for a different module, we cannot simply terminate it with [CTRL] + [C]: the handler stays bound and the port remains in use, which blocks the new module. In this situation we need jobs: start the module with exploit -j so it runs in the background, and kill the job once the port is needed elsewhere.

  • Command List:

#To background a session
background

#To see the list of active sessions
sessions

#To access a backgrounded session
sessions -i <Session-Number>

#To run a module as a job
exploit -j

#To list all running jobs
jobs -l

#To kill a specific job (frees the port its handler was listening on)
jobs -k <Job-Number>
or
kill <Job-Number>

#To kill all running jobs
jobs -K
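The multi/handler listener from the Payloads section, the workspace commands from the Databases section and the job handling above are usually typed by hand every engagement; a resource script (run with msfconsole -r) lets them be replayed. The helper below is an added example written for these notes, not code shipped with the Metasploit Framework. It generates such a script that selects a workspace, sets LHOST globally with setg, starts exploit/multi/handler as a background job with exploit -j -z, and lists the job, then launches msfconsole only if it is installed. The payload, LHOST 10.10.14.5, LPORT 443 and the workspace name "lab" are constructed placeholders, and restricting LHOST to an IP address (the framework also accepts interface names) is an assumption of this helper.

```python
"""Build an msfconsole resource script that opens a multi/handler listener as a
background job, optionally inside a dedicated workspace, and launch it if
msfconsole is installed.

Added example for these notes; it is not code shipped with the Metasploit
Framework. LHOST, LPORT, the payload and the workspace name below are
constructed placeholders.
"""
import ipaddress
import re
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import List, Optional

# A resource script is executed command by command by msfconsole (it may even
# contain <ruby> blocks), so every value spliced into it is restricted to a
# conservative character set. Never build one from untrusted input.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")
_SAFE_PAYLOAD = re.compile(r"[a-z0-9_]+(/[a-z0-9_]+)+")


def build_handler_rc(payload: str, lhost: str, lport: int,
                     workspace: Optional[str] = None) -> List[str]:
    """Return the resource-script lines for a backgrounded multi/handler."""
    if not _SAFE_PAYLOAD.fullmatch(payload):
        raise ValueError(f"suspicious payload name: {payload!r}")
    ipaddress.ip_address(lhost)               # assumption: IP only; raises ValueError on junk
    if not 1 <= int(lport) <= 65535:
        raise ValueError(f"bad LPORT: {lport}")
    if workspace is not None and not _SAFE_NAME.fullmatch(workspace):
        raise ValueError(f"suspicious workspace name: {workspace!r}")

    lines: List[str] = []
    if workspace:
        lines += [f"workspace -a {workspace}",   # create it (harmless if it already exists)
                  f"workspace {workspace}"]      # and make sure it is the selected one
    lines += [
        f"setg LHOST {lhost}",                   # global: later modules inherit it
        "use exploit/multi/handler",
        f"set PAYLOAD {payload}",
        f"set LPORT {lport}",
        "set ExitOnSession false",               # keep listening after the first callback
        "exploit -j -z",                         # run as a background job, do not auto-interact
        "jobs -l",                               # show the job and its id (for jobs -k <id>)
    ]
    return lines


def write_rc(lines: List[str], path: Path) -> Path:
    """Write the script to disk; msfconsole -r expects one command per line."""
    path.write_text("\n".join(lines) + "\n")
    return path


def launch(rc_path: Path) -> Optional[int]:
    """Run msfconsole -q -r <rc>; returns None when msfconsole is not installed."""
    msf = shutil.which("msfconsole")
    if msf is None:
        return None
    return subprocess.call([msf, "-q", "-r", str(rc_path)])


if __name__ == "__main__":
    rc = build_handler_rc("windows/x64/meterpreter/reverse_https",
                          "10.10.14.5", 443, workspace="lab")
    path = write_rc(rc, Path(tempfile.gettempdir()) / "handler.rc")
    print(f"wrote {path}:\n" + "\n".join(rc))
    status = launch(path)
    print("msfconsole not found; inspect the script instead"
          if status is None else f"msfconsole exited with status {status}")
```

The payload, LHOST and LPORT written into the script must match the values given to msfvenom when the payload was generated, otherwise a staged payload connects back but never receives its stage. The job id printed by jobs -l is what jobs -k takes to stop the handler and free the port.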
