The Metasploit Framework is a complete software platform used for testing and executing exploits. Metasploit can also be used as a very flexible penetration testing system and is perhaps the most popular penetration testing tool used across the broad spectrum of ethical hackers, security researchers, and, unfortunately, malicious hackers.
There are several editions of Metasploit. The Metasploit Framework edition is free and contains a basic command line interface (CLI), supports third-party imports, and offers manual exploitation and brute-force attacks. The free edition also includes Zenmap and a Ruby compiler. The professional edition includes many more features; check the Rapid7 website at https://www.rapid7.com/products/metasploit/ to learn what is available in the product today. There are older editions of Metasploit still floating around, including a Community edition and an Express edition. Both of these have been discontinued.
Metasploit does a good job of performing vulnerability assessment in both network and web applications. You can get Metasploit with plug-ins for vulnerability scanners such as OpenVAS, Nexpose, and Nessus.
There are many interfaces to use with Metasploit, and each one has its own trade-offs. MSF CLI brings a command line interface to the Metasploit Framework, which lets you call Metasploit exploits from your own scripts. MSF CLI is easy to use when launching exploits, developing or testing a new exploit, and in scripts with basic automation, but it doesn’t support the advanced features of the MSF console.
Metasploit exploits come in two kinds, active and passive. Active exploits target and exploit a specific host and run through to completion. Passive exploits wait for incoming connections and exploit the connecting hosts as they arrive; they are client-side exploits aimed at FTP clients and web browsers.
Payloads are an important part of Metasploit – a payload refers to a specific exploit module. The Metasploit Framework supports several types of payloads. If you look at Metasploit’s payload list, you will notice that some payloads have similar names but appear in slightly different formats, for example windows/shell/reverse_tcp and windows/shell_reverse_tcp. The staged payload has a forward slash, and the version with the underscore is a single payload. They are defined as follows:
- Singles. A single payload is self-contained: essentially a “use and ignore” type of payload. This is useful when the target has no network access.
- Staged. A staged payload has two main components: a small stub loader and the final stage payload. When you deliver windows/shell/reverse_tcp to the target machine, for example, you are actually sending the loader first. And then when that loader gets executed, it will ask the handler (on the attacker’s end) to send over the final stage (the larger payload), and finally you get a shell.
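The slash-versus-underscore convention above is easy to get wrong when reading a long payload list, so here is an added example (my code, not Metasploit's) that classifies payload paths as staged or single purely from their names. It goes a little beyond the two names in the text by also handling an optional architecture component (such as `x64`) and the `cmd/unix/...` sub-platform layout; the `ARCHS` and `SUBPLATFORM_PREFIXES` sets are assumptions I made for the example, not lists taken from the framework.

```python
"""Classify Metasploit payload paths as staged or single by their naming convention.

Added example, not Metasploit's own code. It uses only the convention described
above: a staged payload separates stage and stager with a slash
(windows/shell/reverse_tcp); a single payload fuses them with an underscore
(windows/shell_reverse_tcp).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Architecture path components that may follow the platform, as in
# windows/x64/meterpreter/reverse_https. This list is an assumption.
ARCHS = {"x86", "x64", "aarch64", "armle", "armbe", "mipsle", "mipsbe", "ppc"}

# Platforms whose second component is a sub-platform rather than a stage,
# as in cmd/unix/reverse_bash (a single). Also an assumption.
SUBPLATFORM_PREFIXES = {"cmd"}


@dataclass(frozen=True)
class PayloadName:
    platform: str            # e.g. "windows" or "cmd/unix"
    arch: Optional[str]      # e.g. "x64", or None when the path carries no arch
    staged: bool             # True for stage/stager pairs, False for singles
    stage: str               # "shell", "meterpreter", or the whole single name
    stager: Optional[str]    # "reverse_tcp" etc.; None for singles


def classify_payload(path: str) -> PayloadName:
    """Split a payload path into platform, optional arch, and stage/stager."""
    parts = [p for p in path.strip().strip("/").split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"not a payload path: {path!r}")
    platform, rest = parts[0], parts[1:]
    if platform in SUBPLATFORM_PREFIXES and len(rest) >= 2:
        platform, rest = f"{platform}/{rest[0]}", rest[1:]
    arch = None
    if rest and rest[0] in ARCHS:
        arch, rest = rest[0], rest[1:]
    if len(rest) == 2:
        # stage and stager are separate components: staged payload
        return PayloadName(platform, arch, True, rest[0], rest[1])
    if len(rest) == 1:
        # one fused component (underscore style): single payload
        return PayloadName(platform, arch, False, rest[0], None)
    raise ValueError(f"unrecognised payload layout: {path!r}")


def split_by_kind(paths: List[str]) -> Tuple[List[str], List[str]]:
    """Return (staged, single) lists: the staged names will need a handler that
    serves a second stage, the singles are fire-and-forget."""
    staged = [p for p in paths if classify_payload(p).staged]
    single = [p for p in paths if not classify_payload(p).staged]
    return staged, single


if __name__ == "__main__":
    # Constructed sample of names in the style of Metasploit's payload list.
    sample = [
        "windows/shell/reverse_tcp",
        "windows/shell_reverse_tcp",
        "windows/x64/meterpreter/reverse_https",
        "windows/x64/meterpreter_reverse_https",
        "linux/x86/shell_reverse_tcp",
        "cmd/unix/reverse_bash",
    ]
    for name in sample:
        info = classify_payload(name)
        kind = "staged" if info.staged else "single"
        print(f"{name:45} {kind:7} platform={info.platform} arch={info.arch}")
```

The point of the `split_by_kind` helper is the operational one the text makes: every staged name implies a handler that must serve the second stage, so a list of payload names tells you which ones need that listener and which do not.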
There are many other payload types. Metasploit has hundreds of payloads, and more are being added all the time. These include:
- Inline or Non-Staged. In this case, a single payload contains the exploit and the complete shellcode for the targeted task.
- Meterpreter. Meterpreter is a payload that works via DLL injection. Meterpreter is memory resident and generally leaves no forensic traces on the hard drive. Meterpreter was initially implemented in C (the server), and the client can be written in almost any language, although Metasploit does have support for a Ruby client API. Meterpreter typically flies “under the radar” and may be considered quite stealthy. All Meterpreter communications are encrypted, and no new processes are created when Meterpreter injects into a compromised process. This makes it relatively easy for Meterpreter to migrate to other processes. Meterpreter is also fairly extensible and allows features to be added without requiring a rebuild.
- PassiveX. PassiveX is a type of payload that can help in getting around challenging outbound firewalls. An ActiveX control creates a hidden instance of Internet Explorer and then communicates with the attacker via HTTP.
- NonX. NX, or No eXecute, is a CPU feature that prevents code execution in selected areas of memory. Windows implements NX as Data Execution Prevention (DEP), and NonX Metasploit payloads are designed to get around DEP.
- ORD. ORD or ordinal payloads are Windows stager based payloads that work on every version of Windows going back to Windows 9x. ORD payloads are generally less stable than other stagers.
- IPv6. IPv6 payloads are designed to work over IPv6 networks.
- Reflective DLL injection. Reflective DLL injection is a specialized way to inject a stage payload into a targeted host memory resident process. Reflective DLL injection doesn’t use the hard drive.
Metasploit has well over 1,000 exploits. Over the past year or two they have continued to be added at a rate of more than one new exploit per day. It helps to search for these and then review some detailed listings to understand what is available and for which versions. They are sorted by platform here alphabetically:
Metasploit has built-in support for the PostgreSQL database. This enables penetration testers to maintain and track activity during an engagement. The database gives users relatively fast access to scan results and allows results to be imported from and exported to third-party tools. All of this can be kept well organized and easily accessible.
Once Metasploit is set up, it is prudent to export data. This is done with the db_export command, which pulls all of our gathered information into an XML file. XML is excellent for generating a variety of report formats later. db_export exports all the active workspace information, and it also provides a pwdump format for exporting collected credentials.
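Since the text recommends db_export precisely because XML feeds other report formats, here is an added example (not Metasploit's own code) that reads an export of that shape and reduces it to a host/open-service summary. The sample document is constructed for this example; the element names (`MetasploitV5`, `hosts`, `host`, `address`, `os_name`, `services`, `service`, `port`, `proto`, `state`, `name`) are my assumption about the export layout, so check them against a real db_export file before relying on the parser.

```python
"""Summarise a Metasploit-style XML workspace export into hosts and open services.

Added example, not Metasploit's own code. The element names below are an
assumption about the db_export layout; verify them against a real export.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample in the shape of a db_export XML document (assumed layout).
SAMPLE_EXPORT = """<?xml version="1.0"?>
<MetasploitV5>
  <hosts>
    <host>
      <address>192.0.2.10</address>
      <name>web01.example.test</name>
      <os_name>Linux</os_name>
      <services>
        <service><port>22</port><proto>tcp</proto><state>open</state><name>ssh</name></service>
        <service><port>80</port><proto>tcp</proto><state>open</state><name>http</name></service>
        <service><port>443</port><proto>tcp</proto><state>closed</state><name>https</name></service>
      </services>
    </host>
    <host>
      <address>192.0.2.20</address>
      <name>dc01.example.test</name>
      <os_name>Windows</os_name>
      <services>
        <service><port>445</port><proto>tcp</proto><state>open</state><name>smb</name></service>
        <service><port>3389</port><proto>tcp</proto><state>open</state><name>rdp</name></service>
      </services>
    </host>
  </hosts>
</MetasploitV5>
"""

Service = Tuple[int, str, str]  # (port, proto, service name)


def parse_export(xml_text: str) -> Dict[str, dict]:
    """Return {address: {"name": ..., "os": ..., "open": [Service, ...]}}.

    Only services whose <state> is "open" are kept. ElementTree does not resolve
    external entities, but an export from an untrusted workspace should still be
    treated as untrusted input.
    """
    root = ET.fromstring(xml_text)
    hosts: Dict[str, dict] = {}
    for host in root.iter("host"):
        addr = host.findtext("address")
        if not addr:
            continue  # skip malformed host records rather than crash the report
        entry = {
            "name": host.findtext("name") or "",
            "os": host.findtext("os_name") or "",
            "open": [],
        }
        for svc in host.iter("service"):
            if (svc.findtext("state") or "").strip().lower() != "open":
                continue
            port_text = svc.findtext("port")
            if not port_text or not port_text.isdigit():
                continue
            entry["open"].append(
                (int(port_text), svc.findtext("proto") or "tcp", svc.findtext("name") or "")
            )
        entry["open"].sort()
        hosts[addr] = entry
    return hosts


def open_ports_by_service(hosts: Dict[str, dict]) -> Dict[str, List[str]]:
    """Invert the host view to service name -> sorted "addr:port" list, which is
    the shape most report tables want (e.g. every host exposing smb)."""
    index: Dict[str, List[str]] = defaultdict(list)
    for addr, entry in hosts.items():
        for port, proto, name in entry["open"]:
            index[name or f"{proto}/{port}"].append(f"{addr}:{port}")
    return {k: sorted(v) for k, v in index.items()}


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    for addr, entry in parsed.items():
        ports = ", ".join(f"{p}/{pr} {n}" for p, pr, n in entry["open"])
        print(f"{addr:15} {entry['os']:8} {entry['name']:22} {ports}")
    print(open_ports_by_service(parsed))
```

Feeding the returned dictionary into a CSV or HTML writer is then a few lines, which is the "variety of report formats" the text refers to.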
There are many vulnerability scanning features supported by the Metasploit Framework. Vulnerability scanning allows you to quickly scan a target IP range looking for known vulnerabilities. With those results in hand, penetration testers can decide which attack vectors to use. This is a very powerful asset for penetration testing. Vulnerability scanning does have trade-offs, however, and is known by reputation for high false positive rates.
These are the highlights of the vulnerability scanning capabilities within the Metasploit Framework:
- Scanning using SMB Login. This allows you to check multiple hosts to determine whether an unauthorized, but valid, credential set might be used. This tool is very noisy and will leave forensic evidence pointing to failed login attempts in the event logs of the probed Windows systems.
- VNC authentication. The VNC Authentication None Scanner sweeps a range of IP addresses, looking for targets that are running a VNC server without a properly configured password.
- WMAP. WMAP is a web application vulnerability scanner that was derived from SQLMap. WMAP allows web application scanning from the Metasploit Framework.
- NeXpose vulnerability scanner. NeXpose works well with Metasploit. Reports in Nexpose can be saved as XML, which can then be imported into Metasploit. NeXpose scans can be run from MSFconsole if you have the Nexpose plugin installed.
- Nessus. Nessus is another vulnerability scanner; its scan result files can be imported into Metasploit. Nessus vulnerability scanning can also be done directly in Metasploit by connecting to the Nessus server from within the MSFconsole command line.
- Fuzzing. Fuzzing or fuzz testing is an automated software testing technique that involves feeding invalid or random data to a program. The program is then monitored for crashes, failing built-in code assertions, potential memory leaks, and other exceptions. The Metasploit Framework provides many libraries that can help in the development of a basic URL fuzzer or a full network fuzzer.
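The SMB Login item above notes that the scanner is noisy and leaves failed-login entries in the event logs of every probed Windows host. That is exactly what a defender should key on, so here is an added example (my code, not part of the original post or of Metasploit) that runs a simple burst detector over a constructed batch of Security log records: many event 4625 network logons (logon type 3) from one source address against several accounts within a short window. The JSON line format is my own flattening of the event fields, and the thresholds are arbitrary starting points.

```python
"""Flag bursts of failed network logons (event 4625) from a single source.

Added example, not Metasploit's own code. Event ID 4625 with logon type 3 and
status 0xC000006D is what the Windows Security log records for a rejected
network credential. The JSON-lines layout below is a constructed flattening
of those fields, not a native Windows format.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log: one source sprays four accounts across two hosts in
# under two minutes; a second source fails twice then succeeds (a normal typo).
SAMPLE_LOG = """\
{"time": "2024-03-01T09:00:01", "event_id": 4625, "computer": "FS01", "account": "administrator", "logon_type": 3, "source_ip": "198.51.100.7", "status": "0xC000006D"}
{"time": "2024-03-01T09:00:04", "event_id": 4625, "computer": "FS01", "account": "backup", "logon_type": 3, "source_ip": "198.51.100.7", "status": "0xC000006D"}
{"time": "2024-03-01T09:00:07", "event_id": 4625, "computer": "FS01", "account": "svc_sql", "logon_type": 3, "source_ip": "198.51.100.7", "status": "0xC000006D"}
{"time": "2024-03-01T09:00:10", "event_id": 4625, "computer": "FS01", "account": "jdoe", "logon_type": 3, "source_ip": "198.51.100.7", "status": "0xC000006D"}
{"time": "2024-03-01T09:01:31", "event_id": 4625, "computer": "DC01", "account": "administrator", "logon_type": 3, "source_ip": "198.51.100.7", "status": "0xC000006D"}
{"time": "2024-03-01T09:01:34", "event_id": 4625, "computer": "DC01", "account": "backup", "logon_type": 3, "source_ip": "198.51.100.7", "status": "0xC000006D"}
{"time": "2024-03-01T09:01:37", "event_id": 4625, "computer": "DC01", "account": "svc_sql", "logon_type": 3, "source_ip": "198.51.100.7", "status": "0xC000006D"}
{"time": "2024-03-01T09:01:40", "event_id": 4625, "computer": "DC01", "account": "jdoe", "logon_type": 3, "source_ip": "198.51.100.7", "status": "0xC000006D"}
{"time": "2024-03-01T09:05:12", "event_id": 4625, "computer": "FS01", "account": "jdoe", "logon_type": 3, "source_ip": "203.0.113.5", "status": "0xC000006D"}
{"time": "2024-03-01T09:05:20", "event_id": 4625, "computer": "FS01", "account": "jdoe", "logon_type": 3, "source_ip": "203.0.113.5", "status": "0xC000006D"}
{"time": "2024-03-01T09:05:31", "event_id": 4624, "computer": "FS01", "account": "jdoe", "logon_type": 3, "source_ip": "203.0.113.5", "status": "0x0"}
"""


def parse_events(text: str) -> List[dict]:
    """Parse JSON lines into event dicts with a datetime 'time', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def detect_credential_bursts(
    events: List[dict],
    window: timedelta = timedelta(minutes=5),
    min_failures: int = 5,
    min_accounts: int = 3,
) -> List[dict]:
    """Sliding-window detector: alert when one source produces at least
    `min_failures` network-logon failures against at least `min_accounts`
    distinct accounts inside `window`. One alert per source, updated as the
    burst grows so the final alert reflects the whole burst."""
    recent: Dict[str, deque] = defaultdict(deque)
    alerts: Dict[str, dict] = {}
    for ev in events:
        if ev.get("event_id") != 4625 or ev.get("logon_type") != 3:
            continue
        src = ev["source_ip"]
        q = recent[src]
        q.append(ev)
        while q and ev["time"] - q[0]["time"] > window:
            q.popleft()  # drop failures older than the window
        accounts = sorted({e["account"] for e in q})
        if len(q) >= min_failures and len(accounts) >= min_accounts:
            alerts[src] = {
                "source_ip": src,
                "failures": len(q),
                "accounts": accounts,
                "computers": sorted({e["computer"] for e in q}),
                "first": q[0]["time"].isoformat(),
                "last": q[-1]["time"].isoformat(),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_credential_bursts(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

The second source in the sample never trips the rule: two failures against one account is what a mistyped password looks like, which is why the detector requires both volume and account spread rather than raw failure count alone.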
It should be noted that Metasploit has a limited but excellent set of tutorials available. They include a good overview of Pass the Hash, Testing a Single Credential, and a more generalized Credentials Tutorial. All of this, together with the detailed documentation, allows you to get up to speed rapidly, so you can start vulnerability testing and execute decisively on your penetration testing strategy.