The fundamentals of Metasploit

Now that we have completed the setup of Kali Linux, let us talk about the big picture: Metasploit. Metasploit is a security project that provides exploits and tons of reconnaissance features to aid a penetration tester. Metasploit was created by H.D. Moore back in 2003, and since then, its rapid development has led it to be recognized as one of the most popular penetration testing tools. Metasploit is entirely a Ruby-driven project and offers a great deal of exploits, payloads, encoding techniques, and loads of post-exploitation features.

Metasploit comes in various editions, as follows:

Metasploit Pro: This edition is a commercial edition, offers tons of great features such as web application scanning and exploitation and automated exploitation, and is quite suitable for professional penetration testers and IT security teams. The Pro edition is used for advanced penetration tests and enterprise security programs.
Metasploit Express: This is used for baseline penetration tests. Features in this version of Metasploit include smart exploitation, automated brute forcing of the credentials, and much more. This version is quite suitable for IT security teams in small to medium-sized companies.
Metasploit Community: This is a free version with reduced functionality when compared to the Express edition. However, for students and small businesses, this edition is a favorable choice.
Metasploit Framework: This is a command-line version with all manual tasks such as manual exploitation, third-party import, and so on. This release is entirely suitable for developers and security researchers.

You can download Metasploit from the following link:
https://www.rapid7.com/products/metasploit/download/editions/

Throughout this book, we will be using the Metasploit Community and Framework versions. Metasploit also offers various types of user interfaces, as follows:

The graphical user interface (GUI) interface: This has all the options available at the click of a button. This interface offers a user-friendly interface that helps to provide cleaner vulnerability management.
The console interface: This is the most preferred interface and the most popular one as well. This interface provides an all-in-one approach to all the options offered by Metasploit. This interface is also considered one of the most stable interfaces. Throughout this book, we will be using the console interface the most.
The command-line interface: This is the more potent interface that supports the launching of exploits to activities such as payload generation. However, remembering each and every command while using the command-line interface is a difficult job.
Armitage: Armitage by Raphael Mudge added a neat hacker-style GUI interface to Metasploit. Armitage offers easy vulnerability management, built-in NMAP scans, exploit recommendations, and the ability to automate features using the Cortana scripting language. An entire chapter is dedicated to Armitage and Cortana in the latter half of this book.

For more information on the Metasploit community, refer to https://community.rapid7.com/community/metasploit/blog.

Basics of Metasploit Framework

Before we put our hands onto the Metasploit Framework, let us understand the basic terminology used in Metasploit. However, the following modules are not just terminologies, but modules that are the heart and soul of the Metasploit project:

Exploit: This is a piece of code which, when executed, will trigger the vulnerability at the target.
Payload: This is a piece of code that runs at the target after a successful exploitation is done. It defines the type of access and actions we need to gain on the target system.
Auxiliary: These are modules that provide additional functionalities such as scanning, fuzzing, sniffing, and much more.
Encoder: These are used to obfuscate modules to avoid detection by a protection mechanism such as an antivirus or a firewall.
Meterpreter: This is a payload that uses in-memory stagers based on DLL injections. It provides a variety of functions to perform at the target, which makes it a popular choice.

Architecture of Metasploit

Metasploit comprises various components, such as extensive libraries, modules, plugins, and tools. A diagrammatic view of the structure of Metasploit is as follows:

Let's see what these components are and how they work. It is best to start with the libraries that act as the heart of Metasploit.

Let's understand the use of various libraries, as explained in the following table:

Library name	Uses
REX	Handles almost all core functions, such as setting up sockets, connections, formatting, and all other raw functions.
MSF CORE	Provides the underlying API and the actual core that describes the framework.
MSF BASE	Provides friendly API support to modules.

We have many types of modules in Metasploit, and they differ regarding their functionality. We have payload modules for creating access channels to exploited systems. We have auxiliary modules to carry out operations such as information gathering, fingerprinting, fuzzing an application, and logging into various services. Let's examine the basic functionality of these modules, as shown in the following table:

Module type	Working
Payloads	Payloads are used to carry out operations such as connecting to or from the target system after exploitation or performing a particular task such as installing a service and so on. Payload execution is the next step after the system is exploited successfully. The widely used meterpreter shell is a standard Metasploit payload.
Auxiliary	Auxiliary modules are a special kind of module that performs specific tasks such as information gathering, database fingerprinting, scanning the network to find a particular service and enumeration, and so on.
Encoders	Encoders are used to encode payloads and the attack vectors to (or intending to) evade detection by antivirus solutions or firewalls.
NOPs	NOP generators are used for alignment which results in making exploits stable.
Exploits	The actual code that triggers a vulnerability.

Metasploit Framework console and commands

Gathering knowledge of the architecture of Metasploit, let us now run Metasploit to get hands-on knowledge of the commands and different modules. To start Metasploit, we first need to establish a database connection so that everything we do can be logged into the database. However, usage of databases also speeds up Metasploit's load time by making use of caches and indexes for all modules. Therefore, let us start the postgresql service by typing in the following command at the Terminal:

root@beast:~# service postgresql start

Now, to initialize Metasploit's database, let us initialize msfdb as shown in the following screenshot:

It is clearly visible in the preceding screenshot that we have successfully created the initial database schema for Metasploit. Let us now start the Metasploit database using the following command:

root@beast:~# msfdb start

We are now ready to launch Metasploit. Let us issue msfconsole in the Terminal to start Metasploit, as shown in the following screenshot:

Welcome to the Metasploit console. Let us run the help command to see what other commands are available to us:

The commands in the preceding screenshot are core Metasploit commands which are used to set/get variables, load plugins, route traffic, unset variables, print version, find the history of commands issued, and much more. These commands are pretty general. Let's see the module-based commands, as follows:

Everything related to a particular module in Metasploit comes under the module controls section of the Help menu. Using the preceding commands, we can select a particular module, load modules from a particular path, get information about a module, show core and advanced options related to a module, and even can edit a module inline. Let us learn some basic commands in Metasploit and familiarize ourselves with the syntax and semantics of these commands:

Command	Usage	Example
`use` [auxiliary/exploit/payload/encoder]	To select a particular module to start working with.	msf>use exploit/unix/ftp/vsftpd_234_backdoor msf>use auxiliary/scanner/portscan/tcp
`show` [exploits/payloads/encoder/auxiliary/options]	To see the list of available modules of a particular type.	msf>show payloads msf> show options
`set` [options/payload]	To set a value to a particular object.	msf>set payload windows/meterpreter/reverse_tcp msf>set LHOST 192.168.10.118 msf> set RHOST 192.168.10.112 msf> set LPORT 4444 msf> set RPORT 8080
`setg` [options/payload]	To assign a value to a particular object globally, so the values do not change when a module is switched on.	msf>setg RHOST 192.168.10.112
`run`	To launch an auxiliary module after all the required options are set.	msf>run
`exploit`	To launch an exploit.	msf>exploit
`back`	To unselect a module and move back.	msf(ms08_067_netapi)>back msf>
`Info`	To list the information related to a particular exploit/module/auxiliary.	msf>info exploit/windows/smb/ms08_067_netapi msf(ms08_067_netapi)>info
`Search`	To find a particular module.	msf>search hfs
`check`	To check whether a particular target is vulnerable to the exploit or not.	msf>check
`Sessions`	To list the available sessions.	msf>sessions [session number]

Meterpreter commands	Usage	Example
`sysinfo`	To list system information of the compromised host.	meterpreter>sysinfo
`ifconfig`	To list the network interfaces on the compromised host.	meterpreter>ifconfig meterpreter>ipconfig (Windows)
`Arp`	List of IP and MAC addresses of hosts connected to the target.	meterpreter>arp
`background`	To send an active session to background.	meterpreter>background
`shell`	To drop a cmd shell on the target.	meterpreter>shell
`getuid`	To get the current user details.	meterpreter>getuid
`getsystem`	To escalate privileges and gain system access.	meterpreter>getsystem
`getpid`	To gain the process id of the meterpreter access.	meterpreter>getpid
`ps`	To list all the processes running at the target.	meterpreter>ps