How To Hack With Metasploit 101

Let's learn how to hack with Metasploit.

What is Metasploit?

Metasploit is a popular open-source framework used for penetration testing, vulnerability assessment, and exploit development. It provides a comprehensive set of tools and resources that allow security professionals to test the security of computer systems, networks, and applications. Metasploit is widely recognized in the cybersecurity industry and is used by both ethical hackers and malicious attackers.

Here are some key features and components of Metasploit:

  1. Exploits: Metasploit includes a vast collection of pre-built exploits, payloads, and auxiliary modules. These resources can be used to exploit known vulnerabilities in target systems, gain unauthorized access, and test for weaknesses.
  2. Payloads: Metasploit offers a range of payloads to deliver after a successful exploit, such as shellcode, remote shells, and Meterpreter. These payloads provide advanced capabilities for remote control, data manipulation, and lateral movement within compromised systems.
  3. Auxiliary Modules: Metasploit provides auxiliary modules that perform various tasks such as scanning, fingerprinting, and information gathering. These modules assist in the enumeration and reconnaissance phases of a penetration test.
  4. Post-exploitation Modules: Metasploit includes post-exploitation modules for maintaining access to compromised systems. These modules help in performing actions like privilege escalation, password cracking, file manipulation, and pivoting.
  5. Exploit Development: Metasploit facilitates the development and testing of custom exploits and modules. It provides an environment for vulnerability researchers and security professionals to create and refine their own exploits.
  6. Framework API: Metasploit offers a robust and flexible API (Application Programming Interface) that allows integration with other security tools, automation, and scripting.

Metasploit provides a powerful platform for both offensive and defensive security operations. It is essential to use Metasploit responsibly, with proper authorization and adherence to ethical guidelines, to ensure its effective and lawful use in security assessments and research.

 

Install and Run Metasploit on Linux

  1. Open a terminal.
  2. Update your system by running the following commands:
    sudo apt update
    sudo apt upgrade
  3. Install dependencies by running the following command:
    sudo apt install build-essential libreadline-dev libssl-dev libpq5 libpq-dev libsqlite3-dev libpcap-dev git autoconf postgresql pgadmin3 curl zlib1g-dev libxml2-dev libxslt1-dev vncviewer libyaml-dev ruby-dev libffi-dev libgmp-dev libldns-dev libcurl4-openssl-dev libssl-dev libz-dev
  4. Install Ruby by running the following command:
    sudo apt install ruby ruby-dev
  5. Download Metasploit by cloning the repository from GitHub:
    git clone https://github.com/rapid7/metasploit-framework.git
  6. Change into the Metasploit directory:
    cd metasploit-framework
  7. Install required gems and dependencies:
    sudo gem install bundler
    bundle install
  8. Initialize the PostgreSQL database:
    sudo service postgresql start
    ./msfdb init
  9. Start Metasploit by running the following command:
    ./msfconsole

Here’s a guide to help you choose the right tool:

  1. Identify the Objective: Clearly define your objective and what you aim to achieve. Are you looking to gain remote access, escalate privileges, execute code, or gather information? Knowing your objective will help you narrow down the appropriate tools.
  2. Understand the Target: Gain knowledge about the target system, including its operating system, installed services, and potential vulnerabilities. This information will assist in selecting the most suitable tool that matches the target’s characteristics.
  3. Research Vulnerabilities: Conduct thorough vulnerability research on the target system. Utilize vulnerability databases, security advisories, and other sources to identify known vulnerabilities that could be exploited. Cross-reference these vulnerabilities with the capabilities of Metasploit modules to find a suitable match.
  4. Evaluate Exploit Modules: Metasploit offers an extensive collection of exploit modules. Analyze the available modules related to the identified vulnerabilities. Consider factors such as reliability, target compatibility, and the likelihood of success. Review module documentation, user feedback, and exploit reliability scores to make an informed decision.
  5. Consider Payloads: Payloads define what actions you can perform on the compromised system. Evaluate the available payloads in Metasploit based on your objectives. Payloads provide features like shell access, remote control, data manipulation, or additional exploitation capabilities. Choose a payload that aligns with your desired outcomes.
  6. Assess Post-Exploitation Capabilities: Depending on your objectives, explore the post-exploitation modules available in Metasploit. These modules allow for various activities such as privilege escalation, lateral movement, password cracking, and data exfiltration. Consider the post-exploitation capabilities to enhance your overall attack strategy.
  7. Test in Controlled Environment: Before deploying any exploit tool, it’s crucial to conduct testing in a controlled lab environment or authorized penetration testing scenario. Verify the effectiveness and reliability of the selected tool against a similar setup to minimize the risk of unintended consequences.

The choice of the perfect tool depends on the specific context, target system, and your objectives. Continuously update your knowledge and skills to stay current with the latest vulnerabilities and exploit techniques. Always ensure that you have proper authorization and adhere to ethical guidelines when using Metasploit or any other security testing tool.

 

Now I will show you an example of how to use Metasploit to gain access to a vulnerable machine. First you need to download an exploitable machine called Metasploitable: head over to the downloads section of the web page and download it.

After downloading the file, extract it and install the machine on either VMware or VirtualBox.

Next, check the IP address of the Metasploitable machine by typing ifconfig or ip a (ip a is the newer way of checking the IP address). Another tool we can use to check the IP address is Bettercap, which can also be used to perform man-in-the-middle (MITM) attacks. We will talk more about Bettercap in another tutorial. For now, head over to your Metasploitable machine and get its IP address.

Now open Nmap, run the following command, and press Enter (if you don’t know how to use Nmap, head over to the Nmap section of the website).

Now you can see all the open ports on the machine and the services running on each port. As you can see, there are a lot of open ports; since this machine is made to be exploited, there is quite a number of them.

In this tutorial we will select port 21, which is running an FTP service with the version vsftpd 2.3.4.
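
From the defender's side, this scan result is exactly what an audit of your own network should catch. The added example below (not part of the original tutorial) reads Nmap grepable output (-oG, from a -sV version scan) and lists every open port that reports vsftpd 2.3.4; the function names and sample scan lines are constructed for illustration, and only 172.16.204.128 comes from this tutorial.

```shell
#!/bin/sh
# Added example: audit Nmap grepable output for the FTP version this tutorial targets.

# Constructed sample of `nmap -sV -oG -` output (fields are tab-separated).
# Only 172.16.204.128 comes from the tutorial; the other hosts are made up.
sample_scan() {
  printf 'Host: 172.16.204.128 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/\n'
  printf 'Host: 172.16.204.130 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 80/open/tcp//http//Apache httpd 2.4.41/\n'
  printf 'Host: 172.16.204.131 ()\tPorts: 21/closed/tcp//ftp///, 2121/open/tcp//ftp//vsftpd 2.3.4/\n'
}

# Reads grepable Nmap output on stdin and prints "host:port" for every OPEN
# port whose version field is exactly "vsftpd 2.3.4", on any port number.
find_vsftpd_234() {
  awk -F'\t' '
    /^Host: / {
      split($1, h, " ")              # h[2] is the IP address
      host = h[2]
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        list = substr($i, 8)         # drop the leading "Ports: "
        n = split(list, entries, ", ")
        for (j = 1; j <= n; j++) {
          # Entry layout: port/state/protocol/owner/service/rpcinfo/version/
          split(entries[j], f, "/")
          if (f[2] == "open" && f[7] == "vsftpd 2.3.4")
            print host ":" f[1]
        }
      }
    }'
}

# Stand-alone run over the constructed sample.
sample_scan | find_vsftpd_234
```

A hit is a version-string match only, so confirm it on the host and then upgrade or remove the service.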

Now open Metasploit: in a new terminal, type this command and press Enter:

    msfconsole

In Metasploit, type this command and press Enter:

    search vsftpd

Now you can see all the exploits related to vsftpd.

Next we need to select a tool. To do that, type this command and press Enter:

    use exploit/unix/ftp/vsftpd_234_backdoor

Now we are inside this tool. Type this command to see the options of the exploit:

    show options

Set RHOSTS to the IP address of the Metasploitable machine. To do that, type this command and press Enter:

    set rhosts 172.16.204.128

Now we are ready to run the exploit. In this instance we don’t need to set the payload and target, since they are all preconfigured. In a future tutorial I will show you how to change all of that. Finally, check that the RPORT number matches the target FTP port number.

To run the exploit, just type this command and press Enter:

    exploit

As you can see, we now have access to a shell. Just type whoami and press Enter.

Yay, we have root privileges! Now we can do pretty much anything on this machine: upload files, download files, pretty much anything. I will show you in a later post-exploitation tutorial what we can do after exploiting a target. I hope you enjoyed the tutorial, and if you have any questions, get back to me by email. Stay tuned for more hacking content.

You can find more information about Metasploit at https://www.metasploit.com/

If you have any questions, please send me an email.