You may have heard of Metasploit or seen its functionalities portrayed in the TV show Mr. Robot. But when using Metasploit, you might wonder where you can start without feeling overwhelmed. Don't worry; we've got you covered.
This Metasploit tutorial will break it down for you step-by-step. From understanding what exactly Metasploit is to setting it up and exploring its various modules, we'll guide you through every aspect of how to use Metasploit effectively. And yes, you'll also learn how to launch an exploit.
So if you've been searching for a detailed tutorial on using Metasploit, you've come to the right place. Let's dive in!
What Is Metasploit?
Metasploit is classified as a penetration testing framework. Originally written in Perl and later rewritten in Ruby, it was created in 2003 by H.D. Moore and is currently owned and maintained by Rapid7. It is used mainly by penetration testers to identify vulnerabilities, execute exploit code, and run payloads to compromise target systems.
Metasploit has two versions, the free “Metasploit Framework” and the paid “Metasploit Pro.” We will use the framework edition for this article, which is already included in Kali.
Metasploit has many benefits. It provides access to an extensive and continually growing database of exploits. The framework also includes a variety of payloads and a ranking system to gauge the reliability of exploits. And it's completely free and open source.
Starting the Console
You can start Metasploit in Kali in two different ways. (At the time of writing, the current Kali release is 2023.3.)
First, you can start Metasploit through the Applications menu. Go to Applications -> 08 Exploitation Tools -> metasploit framework and click on it.
Alternatively, you can open a terminal and start it by running the command msfconsole. This will launch the Metasploit console.
In Metasploit, a module is a component that performs a specific operation, such as scanning or exploiting a target. Modules fall into seven types: auxiliaries, encoders, evasions, exploits, nops, payloads, and post modules.
- Auxiliary Modules: Non-exploit modules, such as scanners and fuzzers, that provide supporting functionality.
- Encoders: Encodes the raw payload code to evade detection by antivirus or other defenses. Different encoding algorithms are used, like XOR, shuffle, prepend, etc.
- Evasions: Contains techniques to generate payloads that avoid detection. This helps payloads bypass antivirus and host-based security.
- Exploits: Takes advantage of software vulnerabilities like buffer overflows, SQL injection, etc. Allows execution of arbitrary code provided by the payload component.
- Nops: Used to pad buffer overflows for increased reliability. It contains inert instructions that perform no operations.
- Payloads: Get executed upon successful exploitation and perform tasks such as opening shells or escalating privileges. While many payloads initiate a Meterpreter session, others might run code that performs actions like adding user accounts.
- Post: Executed on compromised hosts after exploitation to gather data, maintain persistence, and pivot to other hosts.
Searching for Modules
You can use Metasploit's versatile built-in search function to search for modules. As a basic example, let’s say we want to search for the module that will help us exploit EternalBlue (also known as security bulletin MS17-010), which exploits a vulnerability in Microsoft’s Server Message Block (SMB) Protocol.
You simply type in search eternalblue, and Metasploit will return any results that match the keyword eternalblue.
Metasploit allows you to refine your searches by chaining multiple search filters together. For example, say you want to locate Windows exploits related to CVEs reported in 2023. You could enter the following search query that filters by CVE year, module type, and target platform:
search cve:2023 type:exploit platform:windows
Some other useful search chains:
- search type:post platform:windows rank:normal (Windows post modules with a normal ranking)
- search name:backdoor platform:windows rank:excellent (top-ranked Windows backdoor modules)
- search type:auxiliary name:scanner ftp (scanner auxiliary modules matching the keyword ftp)
You can always refer to the help page for more information by entering help search inside Metasploit.
Let's walk through searching for and then using a module in Metasploit. If you want to follow along with our demo, we are using the Metasploitable 2 VM. Just remember that your IPs will be different from the ones we are using.
We’ve enumerated our target machine at 192.168.152.40 and found Apache Tomcat running on open port 8180. Further reconnaissance shows the Tomcat manager app is accessible using default credentials.
At this point, searching for potential exploits is a good idea. We’ve identified a potential exploit in the Tomcat manager application via an upload function. You can check if it's available in Metasploit using the framework's built-in search feature within the msfconsole.
search tomcat manager upload
This will list all the modules with the keyword “tomcat manager upload.”
We will be using the exploit/multi/http/tomcat_mgr_upload module. As you can see from the screenshot below, this exploit has a ranking of excellent.
Metasploit uses a ranking system for all its modules. Module rankings indicate the reliability and likelihood of an exploit working and not crashing a target service or system. Rankings help determine how safely and effectively a module can be used.
The rankings in Metasploit are:
- Excellent: The safest and most reliable. It won't crash the target service. Often assigned to exploits like SQL Injection or CMD execution.
- Great: Also very reliable. The exploit automatically chooses or verifies the right target without causing instability.
- Good: Reliable for commonly used software versions.
- Normal: Reliable but works only for a specific version of the target software and doesn't auto-detect that version.
- Average: Not very reliable, potentially hard to execute successfully.
- Low: Least reliable; the chance of successful exploitation is below 50%.
Using a Module
Now that we have selected our exploit, we must tell Metasploit to use it. We can do this by entering the word use, followed by the number associated with the module or the module's full path. In our example, we are choosing number two.
Now that we have our module selected, we must set the correct options for it to work successfully. Enter options in the command line to view the available options for the module. This will display a list of options that can be configured for that module.
Different modules have different options. The list will also indicate whether each option is required to run the module, denoted by “yes” or “no.”
We need to configure the following options for our exploit:
Even though HttpUsername and HttpPassword are marked as "not required," they are essential for this scenario because we need to authenticate with the target's manager application.
To set the options in Metasploit, type the word “set,” followed by the name of the option you want to change, a space, and then the new value you want to assign to that option. After this, press the Enter key to apply the changes.
set rhosts 192.168.52.140
- HttpUsername and HttpPassword: The credentials used for HTTP authentication against the manager application.
- RHOSTS: Stands for "Remote Hosts." It specifies the IP address or addresses of the target system(s) you are trying to exploit.
- RPORT: Stands for "Remote Port." It specifies which port on the target system to attack. Services often have default ports, like HTTP on port 80, but this can differ based on the configuration.
- TARGETURI: The directory path on the target system the exploit will target. For example, if you're exploiting a web application, the TARGETURI might be the path to that application on the web server, such as /manager.
- LHOST: Stands for "Local Host." It's the IP address of your machine (the attacker's machine), which will receive the connection from the exploited target.
- LPORT: Stands for "Local Port." Like RPORT, this is the port on your machine that will listen for incoming connections from the target.
It’s always a good idea to check your options after setting them to ensure you haven’t missed anything.
Every Metasploit exploit comes with a predefined target list, which indicates the systems the exploit has been tested on. If the specific target isn't listed, it's safe to assume the exploit hasn't been tested on that particular target.
The first item on this list is usually set for automatic targeting and is generally the default choice. However, you should never assume the exploit will automatically pick the correct target.
You can use the options command to see which target is currently selected and the show targets command to view the list of supported targets. You can then select the appropriate target with the set target command followed by the corresponding id or name.
In our example, our target is “Java Universal.”
Our final step before launching our exploit is to ensure that we choose the appropriate payload. A payload is a specific code executed on the target system once the exploit is successful.
Payloads can serve various purposes, from opening a bind or reverse shell for direct access to the system to initiating a Meterpreter session for advanced control. They can also install backdoors or even attempt to evade anti-virus protections.
When working in Metasploit, you will need to decide whether you want to use a bind or reverse shell and whether you want to use a staged or non-staged payload.
Let's quickly discuss the difference between a bind and reverse shell and a staged vs. non-staged payload.
A bind shell is when the target machine opens a port and listens for an incoming connection from the attacking machine.
A reverse shell is simply the reverse. The attacking machine opens a port and waits for the target machine to connect. In most cases, for CTFs and exams, you will want to use a reverse shell.
A staged payload is delivered in stages and tends to be smaller and harder to detect; an example is “windows/meterpreter/reverse_tcp.” A staged payload comprises two parts: the “stager,” which establishes the connection and prepares the environment, and the “stage,” which delivers the actual payload. This is all done automatically.
In contrast, a non-staged payload sends the entire payload at once, making it generally larger and easier to detect. An example of this is “windows/meterpreter_reverse_tcp.”
Please see our reverse shell article for a more detailed description of these concepts.
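The naming convention described above is mechanical enough to check in code. The following is an added example (not part of the original article or of Metasploit itself) that reads a payload's module path and reports whether it is staged or non-staged and whether it is a bind or reverse connection; the architecture and stage name lists, and the sample payload names, are assumptions for illustration.

```ruby
# Added example (not Metasploit code): classify payload module paths by the
# naming convention described above. Staged payloads keep the stage and the
# stager as separate path segments (windows/meterpreter/reverse_tcp);
# non-staged payloads fuse them with an underscore (windows/meterpreter_reverse_tcp).
ARCHES = %w[x86 x64 aarch64 armle mipsle mipsbe].freeze   # assumed arch segments
STAGES = %w[meterpreter shell vncinject dllinject].freeze  # assumed stage names

def classify_payload(path)
  segments = path.split('/')
  platform = segments.shift
  # cmd payloads nest a sub-platform: cmd/unix/reverse_bash, cmd/windows/...
  platform = "#{platform}/#{segments.shift}" if platform == 'cmd' && segments.length > 1
  # An optional architecture segment may follow the platform (windows/x64/...).
  arch = ARCHES.include?(segments.first) ? segments.shift : nil
  raise ArgumentError, "not a payload path: #{path}" if segments.empty?

  if segments.length > 1
    staged = true
    stage = segments.shift            # code delivered in the second stage
    transport = segments.join('/')    # the stager that makes the connection
  else
    staged = false
    name = segments.first
    stage = STAGES.find { |s| name.start_with?("#{s}_") }  # meterpreter_reverse_tcp
    transport = stage ? name.delete_prefix("#{stage}_") : name
  end

  direction = case transport
              when /bind/ then :bind        # target listens, attacker connects in
              when /reverse/ then :reverse  # attacker listens, target connects back
              else :other
              end

  { platform: platform, arch: arch, staged: staged,
    stage: stage, transport: transport, direction: direction }
end

# Filter a list of payload names (as printed by show payloads) down to the
# kind the text describes as the usual CTF choice: staged reverse shells.
def select_payloads(names, staged: true, direction: :reverse)
  names.select do |n|
    info = classify_payload(n)
    info[:staged] == staged && info[:direction] == direction
  end
end

# Constructed sample of payload names, illustrative only.
SAMPLE_PAYLOADS = %w[
  java/meterpreter/reverse_tcp java/meterpreter/bind_tcp java/shell_reverse_tcp
  windows/x64/meterpreter/reverse_https windows/meterpreter_reverse_tcp
  cmd/unix/reverse_bash cmd/unix/bind_perl linux/x86/shell/reverse_tcp
].freeze
```

Running select_payloads(SAMPLE_PAYLOADS) keeps only the three staged reverse payloads in the sample, which is the kind of filtering you do by eye when reading the show payloads list.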
To see a list of available payloads, simply enter show payloads in the command line.
As you can see from the above screenshot, we have numerous payload options. Some are bind shells, while others are reverse shells. Additionally, there are staged and non-staged payloads. Some options even allow you to use a Meterpreter shell instead of a basic command shell.
Unlike basic shellcode, Meterpreter can dynamically add functionality with "extensions" or "modules." It runs in memory and leaves no trace on the target's disk, making it stealthy and hard to detect.
You can choose a payload by entering set payload followed by the number associated with that specific payload.
In our example, we use the java/meterpreter/reverse_tcp payload to give us a reverse shell using Meterpreter.
Remember, the chosen payload must align with your goals for the exploit. Whether you're looking to open a simple shell or perform more complex tasks via Meterpreter, your choice of payload is crucial for successful exploitation.
Launching an Exploit
We've set all our options, selected our target, and chosen our payload. The final step is to execute the exploit and obtain a reverse Meterpreter shell on the target.
To run the exploit, you can type run. But if you want to channel your inner hacker, type
As you can see, our exploit worked, and we now have a Meterpreter shell for the target machine.
Meterpreter allows you to download and upload files easily, run other modules, and perform tasks such as capturing screenshots, logging keystrokes, escalating privileges, gathering system information, and even moving laterally across a network to compromise additional systems.
Let’s show you how to upload a file from your machine to the target machine. In our example, we will upload the popular Linux privilege escalation enumeration script LinPEAS.
First, if you need help performing a specific action within Meterpreter, you can type help to see a broad range of available options. If you need help with a particular command, such as “upload,” you can type help upload to get an overview of its usage and options.
As you can see, Metasploit is one powerful beast that's been around for quite some time. It's your go-to for running all sorts of modules, including exploits to help you get access to a target system.
We’ve shown you how it ranks these modules, so you know your best shots at success. You're not shooting in the dark here; you can zero in on a specific target setup and pick the payload to do the job.
But the best part? The Meterpreter payload. This is no ordinary shell—it's a Swiss Army knife that lets you do much more, like uploading files or attempting privilege escalation.
You should now have a better understanding of Metasploit. You can take it further with our courses to help you master techniques.