Metasploit is a suite of tools built into a framework that automates and tracks many of the tasks of a penetration test, and it integrates nicely with other common penetration testing tools such as Nessus and Nmap. Metasploit was acquired by Rapid7 in 2009 and there are now commercial variants; however, the free framework provides everything you need for a successful penetration test from a command-line interface. If you’re curious about the differences, Rapid7 has a page where you can compare the free version against the commercial version here. Metasploit includes port scanners, exploit code, post-exploitation modules
The msfconsole command will place you in the Metasploit console, which will look something like the following:
Within Metasploit there is a hierarchy of modules, with auxiliary tools, exploit code, payloads and post-exploitation code each living under their own branch. This keeps everything neat and makes finding the particular item you’re looking for quite simple. The top level of the hierarchy looks a little like this:
Auxiliary modules – are used for information gathering, enumeration, port scanning and that sort of thing. There are plenty of useful tools in there too, for things like connecting to SQL databases, and even modules for performing man-in-the-middle attacks.
Exploit modules – are generally used to deliver exploit code to a target system. It’s worth mentioning that Nessus adds a note to a detected issue if a Metasploit module is available for it. You can also search for modules yourself using the search command. Say, for example, that you know a host is vulnerable to MS08-067; you could use the following command to find an appropriate Metasploit module:
Post modules – offer post-exploitation tools such as the ability to extract password hashes and access tokens, and even modules for things like taking a screenshot, key-logging and downloading files.
Payload modules – are used to create the payload delivered by an exploit. Where possible the aim is generally to upload a copy of “meterpreter”, Metasploit’s default payload; I’ll add more details about it in its own section.
Exploiting a Host
Things are a touch more complex when it comes to exploiting a host; generally this is a three-step process: executing an appropriate exploit, uploading an appropriate payload and running post-exploitation modules. So whereas most auxiliary modules are standalone, it’s common to see exploit, payload and post modules all used together.
To show how I might chain these modules together, here is an example of using the PSExec module to capture password hashes from a machine. I’ve spoken briefly about this before, but here’s a quick run-through of the steps. First of all we select an exploit module; here I’ll use PSExec to connect to the machine and upload a meterpreter payload, before choosing the hashdump post module to capture additional passwords.
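The module hierarchy described above is visible in Metasploit's full module names (for example exploit/windows/smb/psexec, payload/windows/meterpreter/reverse_tcp and post/windows/gather/hashdump, the three modules in the PSExec chain just described). The following is an added example, not code from the original post or from the Metasploit project: it parses module names into the type/platform/name structure and sanity-checks a planned exploit/payload/post chain the way a tester's engagement-tracking script might, flagging a chain that is missing a payload or mixes platforms. The rule that exploit, payload and post paths carry a platform segment while auxiliary paths are grouped by function is an approximation of the real naming convention and is labelled as an assumption in the code.

```python
"""Parse Metasploit module names into the hierarchy the post describes and
check that an exploit/payload/post chain is internally consistent.
Added example; not part of the original post or of Metasploit itself."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# The four top-level branches described in the post.
MODULE_TYPES = {
    "auxiliary": "information gathering, scanning, protocol tooling",
    "exploit": "delivers exploit code to a target",
    "post": "post-exploitation (hashes, tokens, screenshots, file download)",
    "payload": "code run on the target after exploitation (e.g. meterpreter)",
}


@dataclass(frozen=True)
class Module:
    type: str
    platform: str          # e.g. "windows"; "" when the path has no platform segment
    path: Tuple[str, ...]  # intermediate segments, e.g. ("smb",) or ("scanner", "portscan")
    name: str              # final segment, e.g. "psexec"


def parse_module(full_name: str) -> Module:
    """Split 'type/.../name' into its parts and validate the top-level type."""
    parts = full_name.strip().strip("/").split("/")
    if len(parts) < 2 or parts[0] not in MODULE_TYPES:
        raise ValueError(f"not a recognised module path: {full_name!r}")
    mtype, *rest = parts
    # Assumption: exploit, payload and post names start with a platform
    # (windows, linux, multi, ...), while auxiliary names are grouped by
    # function (scanner, admin, ...) and carry no platform segment.
    platform = ""
    if mtype != "auxiliary" and len(rest) >= 2:
        platform, rest = rest[0], rest[1:]
    return Module(mtype, platform, tuple(rest[:-1]), rest[-1])


def describe(full_name: str) -> str:
    """Human-readable summary of a module's place in the hierarchy."""
    m = parse_module(full_name)
    where = f" for {m.platform}" if m.platform else ""
    return f"{m.name}: {m.type} module{where} ({MODULE_TYPES[m.type]})"


def check_chain(full_names: Iterable[str]) -> List[str]:
    """Return a list of problems with a planned chain; an empty list means OK.

    The post's three-step process needs exactly one exploit, exactly one
    payload and zero or more post modules, all targeting the same platform
    (a 'multi' payload or post module is accepted for any exploit platform).
    """
    mods = [parse_module(n) for n in full_names]
    problems: List[str] = []
    by_type = {t: [m for m in mods if m.type == t] for t in MODULE_TYPES}

    if len(by_type["exploit"]) != 1:
        problems.append(f"chain needs exactly one exploit module, found {len(by_type['exploit'])}")
    if len(by_type["payload"]) != 1:
        problems.append(f"chain needs exactly one payload module, found {len(by_type['payload'])}")
    for m in by_type["auxiliary"]:
        problems.append(f"auxiliary module {m.name} is standalone and does not belong in a chain")

    if by_type["exploit"]:
        target = by_type["exploit"][0].platform
        for m in by_type["payload"] + by_type["post"]:
            if m.platform not in (target, "multi"):
                problems.append(
                    f"{m.type} module {m.name} targets platform {m.platform!r} "
                    f"but the exploit targets {target!r}")
    return problems


if __name__ == "__main__":
    chain = ["exploit/windows/smb/psexec",
             "payload/windows/meterpreter/reverse_tcp",
             "post/windows/gather/hashdump"]
    for n in chain:
        print(describe(n))
    print("problems:", check_chain(chain) or "none")
```

Running the block prints one line per module in the PSExec chain and reports no problems; swapping in a Linux payload makes check_chain return a platform mismatch, which is the kind of mistake that otherwise only surfaces when the exploit runs and the session never comes back.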