Overview

Introduction

The Metasploit Framework (MSF) is an open-source, robust penetration testing and exploitation framework that is used by penetration testers and security researchers worldwide.

It provides penetration testers with a robust infrastructure required to automate every stage of the penetration testing life cycle, and this is why it's the first choice when it comes on choosing the pentest framework to use.

It is also used to develop and test exploits and this is why it has one of the world’s largest database of public, tested exploits. When a new vulnerability is exposed, within a month there's a high chance you can find a module to exploit that vulnerability.

The Metasploit Framework is designed to be modular, allowing for new functionality to be implemented with ease.

The Metasploit Framework source code is available on GitHub here.

Little bit of history

  • Developed by HD Moore in 2003

  • Originally developed in Perl

  • Rewritten in Ruby in 2007

  • Acquired by Rapid7 in 2009

  • Metasploit 5.0 released in 2019

  • Metasploit 6.0 released in 2020

Metasploit Editions

After the acquisition by Rapid7, two new commercial edition were released

  • Metasploit Pro

  • Metasploit Express

both requiring a license.

What at the beginning was called Metasploit Project became Metasploit Framework, which is the community edition, the one used by every penetration tester in the world.

Essential Terminology

  • Interface – Methods of interacting with the Metasploit Framework (metasploit console, metasploit command line, etc)

  • Module – Pieces of code that perform a particular task, an example of a module is an exploit.

  • Vulnerability –Weakness or flaw in a computer system or network that can be exploited.

  • Exploit – Piece of code/module that is used to take advantage a vulnerability within a system, service or application.

  • Payload – Piece of code delivered to the target system by an exploit with the objective of executing arbitrary commands or providing remote access to an attacker.

  • Listener – A utility that listens for an incoming connection from a target.

Metasploit Framework Interfaces

Metasploit Framework Console

The Metasploit Framework Console (MSFconsole) is an easy-to-use all in one interface that provides you with access to all the functionality of the Metasploit Framework. Metasploit Framework Console

Metasploit Framework CLI

The Metasploit Framework Command Line Interface (MSFcli) is a command line utility that is used to facilitate the creation of automation scripts that utilize Metasploit modules.

It can be used to redirect output from other tools in to msfcli and vice versa.

Note: MSFcli was discontinued in 2015, however, the same functionality can be leveraged through the MSFconsole. Metasploit Framework CLI

Metasploit Community Edition

Metasploit Community Edition is a web based GUI front-end for the Metasploit Framework that simplifies network discovery and vulnerability identification.

Armitage

Armitage is a free Java based GUI front-end for the Metasploit Framework that simplifies network discovery, exploitation and post exploitation.

It is essentially the GUI version of msfconsole: everything you do on msfconsole, you can do it here as well.

Metasploit Framework Architecture

MSF modules = piece of code that can be utilized by the MSF

MSF modules are categorized in:

  • exploit

  • payload

  • encoder

  • nop

  • auxiliary

MSF library = facilitate the execution of modules without having to write the code necessary in order to execute them.

They are essentially like shared objects on Linux or DLL on Windows, in the sense that they allow you to extend a functionality or contain the code to extend/initiate a functionality, like creating a TCP socket.

MSF Modules

  • Exploit: a module that is used to take advantage of vulnerability and is typically paired with a payload.

  • Payload: (malicious) code that is delivered by MSF and remotely executed on the target after successful exploitation. An example of a payload is a reverse shell that initiates a connection from the target system back to the attacker.

An exploit, as the word says, just exploits a vulnerability, but what gives you a meterpreter session is the payload (i.e. the malicious code)

  • Encoder: used to encode payloads in order to avoid AV (Anti Virus) detection. For example, shikata_ga_nai is used to encode Windows payloads (otherwise detected by Windows Defender).

  • NOPS: used to ensure that payloads sizes are consistent and ensure the stability of a payload when executed.

  • Auxiliary: a module that is used to perform additional functionality like port scanning and enumeration.

MSF Payloads

There are 2 types of payload:

  • Non-staged payload: payload that is sent to the target system as it is along with the exploit

  • Staged payload: a staged payload is sent to the target in two parts. The first part (stager) is used to establish a reverse connection back to the attacker, download the second part of the payload (stage) and execute it.

The stage is responsible for either executing arbitrary commands on the target or for providing us a reverse shell.

The type of payload you are gonna use depends on

  • target system

  • target infrastructure

  • your requirements

Meterpreter Payload

The Meterpreter (Meta-Interpreter) payload is an advanced multi-functional payload that is executed in memory on the target system making it difficult to detect. It communicates over a stager socket and provides an attacker with an interactive command interpreter on the target system that facilitates the execution of system commands, file system navigation, keylogging and much more.

MSF File System Structure

The MSF file system is organized in a simple and easy to understand format and is organized into various directories.

MSF stores modules under the following directory on Linux systems:

/usr/share/metasploit-framework/modules

User specified modules are stored under the following directory on Linux systems:

~/.ms4/modules

Penetration Testing With MSF

The MSF can be used to perform and automate various tasks that fall under the penetration testing life cycle. In order to understand how we can leverage the MSF for penetration testing, we need to explore the various phases of a penetration test and their respective techniques and objectives.

We can adopt the PTES (Penetration Testing Execution Standard) as a roadmap to understanding the various phases that make up a penetration test and how Metasploit can be integrated in to each phase.

The Penetration Testing Execution Standard (PTES) is a penetration testing methodology that was developed by a team of information security practitioners with the aim of addressing the need for a comprehensive and upto- date standard for penetration testing.

The following diagram outlines the various phases involved in a typical penetration test.

Last updated