INTRODUCTION TO METASPLOIT FRAMEWORK.

The Metasploit Framework is a tool that helps penetration testers identify information about vulnerabilities on a target machine. Originally developed by HD Moore, it is now owned by the Boston, Massachusetts-based security company Rapid7.

Metasploit is the most powerful tool in red teaming, and houses a huge repository of verified exploits (most tied to CVEs) that can be run against a target to determine whether it is vulnerable and whether that vulnerability can actually be exploited.

The Framework is an open source project written in the Ruby programming language, and is available under both a BSD (Berkeley Software Distribution) licence and proprietary licensing.

THERE ARE TWO VERSIONS OF METASPLOIT: 

  1. Metasploit Framework (for developers and security researchers). This is commonly used by pentesters who cannot afford Pro.
  2. Metasploit Pro (for penetration testers and IT security teams). Large corporations, high-profile organizations, and advanced security teams and pentesters who can afford the cost are the major users of this version of the Metasploit Project.

For a comparison of both versions, visit Rapid7.

While the actual cost of Metasploit Pro is not verified, the Pro licence is speculated to cost around USD 15,000 per year, and the Express version is in the range of USD 2,000 to USD 5,000 per year, according to eSecurity Planet.

HOW DO I USE METASPLOIT TO OBTAIN THE OPTIMUM RESULT?

Metasploit runs on both Windows and Linux. However, to get the maximum use and result from the tool, it is advisable to run it on Linux. This not only makes the tool simpler to use, but also gives you access to all exploits and the full functionality of the framework.

HOW DO I EXECUTE METASPLOIT?

  • Launch your Linux distro on your computer or in a virtual machine.
  • Once the machine is up, log in with your credentials and open a terminal.
  • In the terminal, type the command “msfconsole”.

UNDERSTANDING THE MODULES:

Metasploit is built on modules. There are currently seven (7) module types in the Metasploit Framework, the free version of the Metasploit Project, which is our focus here. These modules are listed and explained below:

  1. Auxiliary Module.
  2. Exploits Module.
  3. Payload Module.
  4. Post Module.
  5. Encoders Module.
  6. Nops Module.
  7. Evasion Module.

  • Auxiliary Module:

As the term “auxiliary” suggests, these modules provide help or information about a target. For example, if you want to scan a target to see whether it is vulnerable to a particular exploit, and that exploit has a matching auxiliary module, you use the auxiliary module to scan the target first. This saves time compared with trying numerous exploits blindly. Consider the Auxiliary Module a form of information or data gathering.

  • Exploit Module:

This is the actual exploit code used to exploit the vulnerabilities discovered via the Auxiliary Module. Using an exploit lets the Metasploit Framework execute arbitrary code on the target. You do not need to deliver an exploit separately; the exploit is the action itself.

This exploit information is also available on Exploit-DB, an online repository. There are over 2,397 verified exploits in the Metasploit Framework as of 2024. However, you are not limited to these exploits alone. If the specific exploit you are looking for is not in the Metasploit Framework, head over to Exploit-DB, an online database containing 45,895 exploits, of which 33,773 are verified. So you can always search there for the exploit code you need for a target when it is not located in the Metasploit Framework, and of course read the instructions.

  • Payload Module:

Consider this module the gift of the Trojans: a magnificent wooden horse with many warrior soldiers hidden inside. Those soldiers are likened to the IP address and port number of the attacker's (threat actor's) machine, and the other commands the payload is able to execute.

The payload module consists of arbitrary code hidden in a file that is delivered to the target/victim. This code is written to perform specific tasks or functions, such as launching the command prompt (CMD) or PowerShell, or creating a user on the target/victim's machine. As of 2024, there are over 1,391 payloads in the Payload Module of the framework.

Consider the payload a last resort, to be used if the target cannot be exploited via the exploit module because no vulnerabilities exist, or because the system is up to date or patched. An easy way to deploy a payload is when the target runs an active server and you can find a way to upload the file to that server.

  • Post Module:

The Post module is likened to performing additional actions (e.g. downloading a file, viewing text contents) on the target/victim after it has been compromised via the exploit module or payload module. The Post Module serves as a recon/enumeration step after a Meterpreter session has been obtained or the victim has been compromised.

For example, “post/apple_ios/gather/ios_image_gather” is a Post module for iOS 10.3.3 devices on the iPhone 5. When a target has been compromised, or a session has been obtained, running this module downloads all images on the iPhone to the attacker's machine. To use a Post module, you must first obtain a Meterpreter session on the target. There are over 422 post modules, covering VPN, Tomcat, AWS keys, keyloggers, turning on the webcam via the browser, and so on.

  • Encoders Module:

Encoder modules are an easy way to obfuscate a payload to bypass antivirus and anti-malware detection; encoders are also a way to escape characters that are sanitized or filtered, as in the case of a server running PHP.
In addition, an encoder serves to encode a payload into a form the target/victim machine is able to execute. There are 46 encoders in the Metasploit Framework as of 2024.

  • Nops Module:

NOP stands for “No Operation”: the instruction does nothing and slides execution on to the next memory address. NOPs are used during an RCE to pad (build a “sled” for) a buffer-overflow payload. Currently there are 11 NOP modules in the Metasploit Framework as of 2024.
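The same property that makes a NOP sled useful to the attacker (a long stretch of identical do-nothing bytes) makes it conspicuous to the defender, and long runs of 0x90 have been a classic intrusion-detection heuristic for that reason. The script below, added here as an illustration and not Metasploit's or the article's own code, implements that first-pass check over constructed sample buffers; the threshold value and the sample data are assumptions for the demonstration.

```python
"""First-pass NOP-sled heuristic (added illustration, not Metasploit code).

A sled of repeated single-byte no-ops is the simplest form of the padding the
article describes; long runs of 0x90 in traffic or file content are the
classic detection signal for it. All sample buffers here are constructed."""

X86_NOP = 0x90  # single-byte `nop` on x86/x86-64


def longest_nop_run(data: bytes, nop: int = X86_NOP) -> tuple:
    """Return (offset, length) of the longest run of `nop` bytes in data.

    Returns (0, 0) when the byte never occurs."""
    best = (0, 0)
    run_start = run_len = 0
    for i, b in enumerate(data):
        if b == nop:
            if run_len == 0:
                run_start = i
            run_len += 1
            if run_len > best[1]:
                best = (run_start, run_len)
        else:
            run_len = 0
    return best


def looks_like_nop_sled(data: bytes, threshold: int = 16) -> bool:
    """Flag buffers whose longest nop run reaches `threshold` bytes.

    The threshold is a tuning knob (assumed value): too low and ordinary
    binaries, which use nops for alignment, trip it; too high and short
    sleds slip through."""
    return longest_nop_run(data)[1] >= threshold


# Constructed samples: a harmless HTTP request, a buffer carrying a 64-byte
# sled, and a buffer whose nops are interleaved with other bytes (no long run).
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SLED = b"A" * 8 + bytes([X86_NOP]) * 64 + b"B" * 16
BROKEN_UP = (bytes([X86_NOP]) * 4 + b"\x41") * 20


if __name__ == "__main__":
    for label, buf in ("benign", BENIGN), ("sled", SLED), ("broken_up", BROKEN_UP):
        print(label, longest_nop_run(buf), looks_like_nop_sled(buf))
```

The BROKEN_UP buffer shows the limit of the heuristic: it contains as many nop bytes as a short sled but never a long run, so it is not flagged. Metasploit's NOP generators exist precisely to build sleds out of assorted harmless instructions rather than repeated 0x90, so a detection engineer treats this single-byte check as one weak signal to combine with others, not as a verdict.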

  • Evasion Module:

Evasion modules are modules for obfuscation against anti-spyware or antivirus detection. The Evasion Module is similar to the Encoder Module; however, it focuses mostly on evading Windows Defender and Windows AppLocker. Currently there are 9 evasion modules in the Metasploit Framework as of 2024.

[Image nops-evasion.png: The Nops & Evasion Module on Metasploit Framework. Image source: Fixitgearware]

COMMON COMMANDS USED IN METASPLOIT:

  • Search:

Using the “search” command, users can search for a specific exploit. To get more powerful results from search in Metasploit, combine it with a list of additional tags. For example, let's search for exploits related to Windows that are ranked excellent and were disclosed in 2023 and 2024.

[Image search-metasploit.png: Searching a module with specific tags. Image source: Fixitgearware]

  • Use:

The use command is given once a choice of Auxiliary, Payload, Evasion, or other module has been determined and the name of the specific module has been found. To do this, you can specify either the full path of the module name or its ID number from the search results.

[Image use-module-by-name-or-number-id.png: Using a specific module, either by “name” or “ID”. Image source: Fixitgearware]

  • Info:

The info command displays information about the selected module. Once a module has been selected with the “use” command as shown above, typing “info” shows the details of that particular module.

  • Show Options:

The show options command is an important one. It displays the list of requirements (options) that must be set before a particular module can be executed.

  • Run:

This command is usually used after a particular auxiliary or exploit module has been selected with the “use” command. The “run” command executes the selected exploit or auxiliary module.

Important Note:

The exploits that usually work and guarantee success are those ranked "excellent" and "great". Exploits ranked "normal" in most cases have a 50% success rate.
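As an added illustration, not Metasploit's own code and not from the article's author, the following Python script reproduces the tag-style filtering behind the search command shown earlier and the ranking order that this note relies on, over a small constructed catalogue of module names. Everything in it is made up except the ranking names, which follow Metasploit's manual < low < average < normal < good < great < excellent order, and post/apple_ios/gather/ios_image_gather, which the article itself mentions (its date and description here are assumed). The matching rules are a simplified version of the real keyword search: exact match for type, platform and rank; prefix match for date; substring match for name and free text.

```python
"""Tag-style module search in the spirit of msfconsole's `search`.

Added illustration, not Metasploit's own code. The catalogue is constructed:
every name is a made-up example except post/apple_ios/gather/ios_image_gather,
which the article mentions (its date here is assumed). Matching is simplified
relative to the real keyword search."""
from dataclasses import dataclass

# Metasploit's ranking names, weakest first (ManualRanking ... ExcellentRanking).
RANKS = ["manual", "low", "average", "normal", "good", "great", "excellent"]
# Subset of the search keywords this example understands.
KEYWORDS = {"type", "platform", "rank", "date", "name"}


@dataclass(frozen=True)
class Module:
    fullname: str         # e.g. exploit/windows/smb/example_smb_rce
    rank: str             # one of RANKS
    disclosure_date: str  # YYYY-MM-DD
    description: str

    @property
    def type(self) -> str:      # first path component: exploit, auxiliary, post, ...
        return self.fullname.split("/")[0]

    @property
    def platform(self) -> str:  # second path component: windows, linux, ...
        return self.fullname.split("/")[1]


# Constructed sample catalogue (placeholder names, not real modules).
CATALOGUE = [
    Module("exploit/windows/smb/example_smb_rce", "excellent", "2023-05-10", "Example SMB remote code execution"),
    Module("exploit/windows/http/example_http_rce", "normal", "2024-02-01", "Example HTTP remote code execution"),
    Module("exploit/windows/local/example_priv_esc", "great", "2024-06-30", "Example local privilege escalation"),
    Module("exploit/linux/http/example_linux_rce", "excellent", "2024-03-15", "Example Linux HTTP remote code execution"),
    Module("auxiliary/scanner/smb/example_smb_version", "normal", "2019-01-01", "Example SMB version scanner"),
    Module("post/apple_ios/gather/ios_image_gather", "normal", "2018-01-01", "Gather images from a compromised iOS device"),
]


def parse_query(query: str):
    """Split "type:exploit platform:windows smb" into keyword filters and free-text terms."""
    filters, terms = [], []
    for token in query.split():
        key, sep, value = token.partition(":")
        if sep and key.lower() in KEYWORDS and value:
            filters.append((key.lower(), value.lower()))
        else:
            terms.append(token.lower())
    return filters, terms


def matches(mod: Module, key: str, value: str) -> bool:
    """Apply one keyword filter to one module."""
    if key == "type":
        return mod.type == value
    if key == "platform":
        return mod.platform == value
    if key == "rank":
        return mod.rank == value
    if key == "date":
        return mod.disclosure_date.startswith(value)  # "2024" matches any 2024 date
    return value in mod.fullname  # "name"


def search(query: str, catalogue=CATALOGUE) -> list:
    """Return modules matching every filter and every free-text term, best rank first."""
    filters, terms = parse_query(query)
    hits = [
        m for m in catalogue
        if all(matches(m, k, v) for k, v in filters)
        and all(t in f"{m.fullname} {m.description}".lower() for t in terms)
    ]
    return sorted(hits, key=lambda m: RANKS.index(m.rank), reverse=True)


def rank_at_least(mod: Module, minimum: str) -> bool:
    """True when the module's rank is `minimum` or better (e.g. great or excellent)."""
    return RANKS.index(mod.rank) >= RANKS.index(minimum)


if __name__ == "__main__":
    for m in search("type:exploit platform:windows date:2024"):
        print(f"{m.rank:9} {m.disclosure_date} {m.fullname}")
```

Running the script lists the constructed Windows exploit modules disclosed in 2024, best rank first. The rank_at_least helper turns the advice above into a filter: keep only results for which rank_at_least(m, "great") holds, and the "normal" and lower modules drop out of the candidate list.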

 

 
