What is Metasploit?
The Metasploit Framework (MSF) is far more than just a collection of exploits; it is
also a solid foundation that you can build upon and easily customize to meet your
needs. This allows you to concentrate on your unique target environment and not
have to reinvent the wheel. We consider the MSF to be one of the single most useful
security auditing tools freely available to security professionals today. From a
wide array of commercial grade exploits and an extensive exploit development
environment, all the way to network information gathering tools and web
vulnerability plugins, the Metasploit Framework provides a truly impressive work
environment.
Metasploit Framework
----------------------
The Metasploit Framework is a Ruby-based, modular penetration testing platform that
enables you to write, test, and execute exploit code. The Metasploit Framework
contains a suite of tools that you can use to test security vulnerabilities,
enumerate networks, execute attacks, and evade detection. At its core, the
Metasploit Framework is a collection of commonly used tools that provide a complete
environment for penetration testing and exploit development.
Metasploit Architecture
------------------------
Metasploit is written in Ruby. In Kali Linux, Metasploit is provided in the
metasploit-framework package and is installed in the /usr/share/metasploit-framework
directory, the top-level of which is shown below.
Metasploit Filesystem
----------------------
The MSF filesystem is laid out in an intuitive manner and is organized by
directory. Some of the more important directories are briefly outlined below.
1) data
The data directory contains editable files used by Metasploit to store binaries
required for certain exploits, wordlists, images, and more.
ls /usr/share/metasploit-framework/data/
2) documentation
As its name suggests, the documentation directory contains the available
documentation for the framework.
ls /usr/share/metasploit-framework/documentation/
3) lib
The lib directory contains the ‘meat’ of the framework code base.
ls /usr/share/metasploit-framework/lib/
4) modules
The modules directory is where you will find the actual MSF modules for exploits,
auxiliary and post modules, payloads, encoders, and nop generators.
ls /usr/share/metasploit-framework/modules/
5) plugins
Metasploit includes many plugins, which you will find in this directory.
ls /usr/share/metasploit-framework/plugins/
6) scripts
The scripts directory contains Meterpreter and other scripts.
ls /usr/share/metasploit-framework/scripts/
7) tools
The tools directory has various useful command-line utilities.
ls /usr/share/metasploit-framework/tools/
Metasploit Libraries
--------------------
There are a number of MSF libraries that allow us to run our exploits without
having to write additional code for rudimentary tasks, such as HTTP requests or
encoding of payloads. Some of the most important libraries are outlined below.
1) Rex
The basic library for most tasks
Handles sockets, protocols, text transformations, and others
SSL, SMB, HTTP, XOR, Base64, Unicode
2) Msf::Core
Provides the ‘basic’ API
3) Msf::Base
Provides the ‘friendly’ API
Provides simplified APIs for use in the Framework
Modules and Locations
----------------------
Interaction with Metasploit will be through its many modules, which it looks for in
two locations. The first is the primary module store under
/usr/share/metasploit-framework/modules/ and the second, which is where you will
store custom modules, is under your home directory at ~/.msf4/modules/.
ls /usr/share/metasploit-framework/modules/
All Metasploit modules are organized into separate directories, according to their
purpose. A basic overview of the various types of Metasploit modules is shown
below.
Exploits
--------
In the Metasploit Framework, exploit modules are defined as modules that use
payloads.
ls /usr/share/metasploit-framework/modules/exploits/
Auxiliary
----------
Auxiliary modules include port scanners, fuzzers, sniffers, and more.
ls /usr/share/metasploit-framework/modules/auxiliary/
Payloads, Encoders, Nops
--------------------------
Payloads consist of code that runs remotely, while encoders ensure that payloads
make it to their destination intact. Nops keep the payload sizes consistent across
exploit attempts.
ls /usr/share/metasploit-framework/modules/payloads/
ls /usr/share/metasploit-framework/modules/encoders/
ls /usr/share/metasploit-framework/modules/nops/
Loading Additional Module Trees
--------------------------------
Metasploit gives you the option to load modules either at runtime or after
msfconsole has already been started. Pass the -m option when running msfconsole to
load additional modules at runtime:
msfconsole -m ~/secret-modules/
If you need to load additional modules from within msfconsole, use the loadpath
command:
msf > loadpath
Usage: loadpath </path/to/modules>
Loads modules from the given directory which should contain subdirectories for
module types, e.g. /path/to/modules/exploits
msf > loadpath /usr/share/metasploit-framework/modules/
Loaded 399 modules:
399 payloads
Understanding the Metasploit Object Model
--------------------------------------------
MSF architecture
In the Metasploit Framework, all modules are Ruby classes.
Modules inherit from the type-specific class
The type-specific class inherits from the Msf::Module class
There is a shared common API between modules
Payloads are slightly different.
Payloads are created at runtime from various components
Glue together stagers with stages
Mixins and Plugins
------------------
Every Class only has one parent
A class may include many Modules
Modules can add new methods
Modules can overload old methods
Metasploit modules inherit Msf::Module and include mixins to add features.
Metasploit Mixins
------------------
Mixins are, quite simply, the reason why Ruby rocks.
Mixins include one class into another
This is both different and similar to inheritance
Mixins can override a class's methods
Mixins can add new features and allow modules to have different 'flavors'.
Protocol-specific (HTTP, SMB)
Behaviour-specific (brute force)
connect() is implemented by the TCP mixin
connect() is then overloaded by FTP, SMB, and others
Mixins can change behavior.
The Scanner mixin overloads run()
Scanner changes run() for run_host() and run_range()
It calls these in parallel based on the THREADS setting
The BruteForce mixin is similar
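The mixin behaviour described above, as an added toy model (not Metasploit's own code): ToyModule stands in for Msf::Module, ToyAuxiliary for a type-specific class, ToyTcp/ToyFtp show a protocol mixin overloading connect(), and ToyScanner shows a Scanner-style mixin overloading run() into per-host run_host() calls batched by a THREADS option. All class, module and option names here are invented for the illustration.

```ruby
# Toy model of the Metasploit object model; added example, not MSF code.
# ToyModule stands in for Msf::Module, ToyAuxiliary for the type-specific
# class, and the mixins model connect() overloading and Scanner-style run().
class ToyModule
  attr_reader :datastore
  def initialize(datastore = {})
    @datastore = { 'THREADS' => 1 }.merge(datastore)   # module options
  end
end

class ToyAuxiliary < ToyModule
  def run
    raise NotImplementedError, 'a module must define run'
  end
end

module ToyTcp                     # base connect(), like the TCP mixin
  def connect(host)
    "tcp:#{host}:#{datastore.fetch('RPORT', 80)}"
  end
end
module ToyFtp                     # overloads connect(), like the FTP mixin
  include ToyTcp
  def connect(host)
    super + '/ftp-banner'         # reuse the TCP connect, add a protocol step
  end
end
module ToyScanner                 # overloads run() into run_host() calls
  def run
    hosts = datastore['RHOSTS'].split
    results = []
    hosts.each_slice(datastore['THREADS']) do |batch|   # THREADS hosts at a time
      results.concat(batch.map { |h| Thread.new { run_host(h) } }.map(&:value))
    end
    results
  end
end

class ToyFtpVersion < ToyAuxiliary   # a module: inherit the type, include mixins
  include ToyFtp
  include ToyScanner
  def run_host(ip)
    "#{ip} -> #{connect(ip)}"
  end
end

def demo_scan
  ToyFtpVersion.new('RHOSTS' => '10.0.0.1 10.0.0.2 10.0.0.3',
                    'RPORT' => 21, 'THREADS' => 2).run
end
```

Inspecting ToyFtpVersion.ancestors shows why the later-included ToyScanner#run and the ToyFtp#connect win over the inherited and ToyTcp versions.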
Metasploit Plugins
------------------
Plugins work directly with the API.
They manipulate the framework as a whole
Plugins hook into the event subsystem
They automate specific tasks that would be tedious to do manually
Plugins only work in the msfconsole.
Plugins can add new console commands
They extend the overall Framework functionality
------------------------------------------------------------------------------
class MyParent
  def woof
    puts "woof!"
  end
end

class MyClass < MyParent   # MyClass inherits from MyParent (its only parent)
end

object = MyClass.new
object.woof                # prints "woof!" (inherited from MyParent)
================================================================
module MyMixin
  def woof
    puts "hijacked the woof method!"
  end
end

class MyBetterClass < MyClass
  include MyMixin          # the mixin's woof now shadows the inherited one
end

MyBetterClass.new.woof     # prints "hijacked the woof method!"
----------------------------------------------------------------------------------
Msfconsole
------------
What is the MSFconsole?
The msfconsole is probably the most popular interface to the Metasploit Framework
(MSF). It provides an "all-in-one" centralized console and gives you efficient
access to virtually all of the options available in the MSF. MSFconsole may seem
intimidating at first, but once you learn the syntax of the commands you will come
to appreciate the power of this interface.
Benefits to Using MSFconsole
It is the only supported way to access most of the features within Metasploit.
Provides a console-based interface to the framework
Contains the most features and is the most stable MSF interface
Full readline support, tabbing, and command completion
Execution of external commands in msfconsole is possible:
---------------------------------------------------------------------------------
msf > ping -c 1 192.168.1.100
[*] exec: ping -c 1 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
64 bytes from 192.168.1.100: icmp_seq=1 ttl=128 time=10.3 ms
--- 192.168.1.100 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 10.308/10.308/10.308/0.000 ms
msf >
-----------------------------------------------------------------------------------
Launching MSFconsole
--------------------
The MSFconsole is launched by simply running msfconsole from the command line.
MSFconsole is located at /usr/share/metasploit-framework/msfconsole.
The -q option removes the launch banner by starting msfconsole in quiet mode.
root@kali:# msfconsole -q
msf >
How to Use the Command Prompt
-----------------------------
You can pass -h to msfconsole to see the other usage options available to you, and
run help inside the console to list its commands.
root@kali:~# msfconsole -h
msf > help
Tab Completion
---------------
The MSFconsole is designed to be fast to use and one of the features that helps
this goal is tab completion. With the wide array of modules available, it can be
difficult to remember the exact name and path of the particular module you wish to
make use of. As with most other shells, entering what you know and pressing ‘Tab’
will present you with a list of options available to you or auto-complete the
string if there is only one option. Tab completion depends on the ruby readline
extension and nearly every command in the console supports tab completion.
use exploit/windows/dce
use .*netapi.*
set LHOST
show
set TARGET
set PAYLOAD windows/shell/
exp
-----------------------------------------------------------------------------------
msf > use exploit/windows/smb/ms
use exploit/windows/smb/ms03_049_netapi
use exploit/windows/smb/ms04_007_killbill
use exploit/windows/smb/ms04_011_lsass
use exploit/windows/smb/ms04_031_netdde
use exploit/windows/smb/ms05_039_pnp
use exploit/windows/smb/ms06_025_rasmans_reg
use exploit/windows/smb/ms06_025_rras
use exploit/windows/smb/ms06_040_netapi
use exploit/windows/smb/ms06_066_nwapi
use exploit/windows/smb/ms06_066_nwwks
use exploit/windows/smb/ms06_070_wkssvc
use exploit/windows/smb/ms07_029_msdns_zonename
use exploit/windows/smb/ms08_067_netapi
use exploit/windows/smb/ms09_050_smb2_negotiate_func_index
use exploit/windows/smb/ms10_046_shortcut_icon_dllloader
use exploit/windows/smb/ms10_061_spoolss
use exploit/windows/smb/ms15_020_shortcut_icon_dllloader
msf > use exploit/windows/smb/ms08_067_netapi
-----------------------------------------------------------------------------------
The MSFconsole is the most commonly used interface for Metasploit. Making yourself
familiar with these msfconsole commands will help you throughout this course and
give you a strong foundation for working with Metasploit in general.