Metasploit Basics Part-1

                               Metasploit basics




The Metasploit framework is a very powerful tool which is used by cybercriminals and ethical hackers alike.

Metasploit has ready-made, already written modules which, upon execution, give us some level of access depending on the payload, or let us make changes on the vulnerable remote system which normally aren't supposed to happen or aren't allowed.

No one but me knows how I feel when I use metasploit :


In this blog we are going to learn about the basics such as starting a database, connecting metasploit to the database and many more. In simple words, in this blog we are going to take a tour around metasploit and try everything. Well isn't that a nice perspective :)

So without making this a drag, blast up that cool terminal and get ready to get your hands dirty 🔥🔥🔥


Starting Database Service : 

Firstly, start the PostgreSQL service on the machine so that the information we will be gathering gets saved in tabular form by PostgreSQL.

Command : 

sudo systemctl start postgresql

Fig : 1.1


For those who haven't heard of PostgreSQL, it is a database service which helps us store the information we will be gathering.

Did not get anything? Well no worries cause I felt the same when I heard about it for the first time, and it gets self explanatory as we go through. As my dumb brain got it, there's no doubt in you getting it 🙂 (feel pain inside me)

And now to check whether the service has started :

Command : 

sudo systemctl status postgresql (Refer Fig : 1.1)

Setting up user and database :

msfdb is a cool little script that automatically initializes the database, creates the database user and takes care of the other requirements.

command : 


msfdb init

Fig : 1.2




Msfconsole :

Msfconsole gives us access to the metasploit-framework via the terminal. This is the most commonly used interface to work with the metasploit-framework.

Command :

msfconsole

Fig : 1.3




That's the cool banner you will get when you enter metasploit, I am sure you didn't see that coming ;)
So now we are in the metasploit-framework.

Wait a second, why do I feel ripped and super powerful all of a sudden ?! 🤨





AAAAHHH.... Never mind, it's coz I have entered metasploit 😁

You didn't see this coming as well, did ya 😅


To view different banners :

Command : 

banner


So what now ?

You have learned a new command already!

Command : 

?

Fig : 1.4




This shows a brief overview of all the commands that we could use. These are very basic, and we will go through some of the most popular and useful ones.

Connection Status : 

To check if metasploit is connected to postgresql :

Command : 

db_status

This is used to check the connection between metasploit and the postgresql database. You should see something like "Connected to msf. Connection type: postgresql." and we are good to go.

Saving nmap results into the database : 

command : 

db_nmap <subnet range> (your subnet)

Fig : 1.5






db_nmap is a command that saves the nmap results into the database, so that it is easier for us to analyse them. db_nmap is not a new command, it is the same as nmap prefixed with db_, by which we are telling metasploit to save the results. And if you wonder why this is needed?

Then here is the explanation :

We can also run normal bash terminal commands inside of metasploit, but then the nmap data will not be saved into the metasploit database coz metasploit treats it as a normal bash command. So instead of nmap use db_nmap, so that it knows it needs to save the results.

Viewing nmap results in the database : 

Now that we have saved the results of nmap into the database, it's time to view them!

Command : 

hosts

Fig : 1.6




In Fig : 1.6 we can see the alive hosts found by nmap stored in tabular form in the database, and this is why we started the database service and connected metasploit to it.

You can also view the services or open ports on the target hosts :

Command : 

services

Fig : 1.7



Importing nmap results :

We can also import nmap scan results into our metasploit database. First we store the nmap results in a file, let it be nmap-default.xml.

Command : 

sudo nmap 192.168.216.0/24 -oX nmap-default.xml

Fig : 1.8




The reason for specifically stressing the .xml file is that metasploit can only understand xml and rejects any other file type.

Now it is time to import the results into the metasploit database :

Command : 

db_import PathOfTheFile

Fig :  1.9



And now run the hosts and services commands and you will see the imported results reflected in the database.
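Before handing a file to db_import it helps to see what is actually in it. The following is an added example, not code from the original post or from the Metasploit project: two small POSIX shell functions, one that checks a file looks like nmap's -oX output (what the post imports) and one that lists the address, port, state and service of every port in it, roughly what the hosts and services commands will show afterwards. It assumes nmap's usual layout of one <port ...> element per line; the sample XML written to SAMPLE_XML is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the post: preview an nmap -oX file before db_import.
# Assumption: each <port ...>...</port> element sits on one line, as nmap writes it.

# is_nmap_xml <file> : succeeds only for nmap XML (-oX) output
is_nmap_xml() {
  [ -f "$1" ] || return 1
  head -n 1 "$1" | grep -q '^<?xml' || return 1
  grep -q '<nmaprun' "$1"
}

# nmap_xml_summary <file> : prints "address port/proto state service" per port
nmap_xml_summary() {
  is_nmap_xml "$1" || { echo "not an nmap XML file: $1" >&2; return 1; }
  awk '
    # remember the IPv4 address of the host currently being read
    /<address / && /addrtype="ipv4"/ {
      host = $0; sub(/.*addr="/, "", host); sub(/".*/, "", host)
    }
    # one line per port: pull portid, protocol, state and (if present) service name
    /<port / {
      id = $0;    sub(/.*portid="/, "", id);          sub(/".*/, "", id)
      proto = $0; sub(/.*protocol="/, "", proto);     sub(/".*/, "", proto)
      state = $0; sub(/.*<state state="/, "", state); sub(/".*/, "", state)
      svc = "-"
      if ($0 ~ /<service name="/) {
        svc = $0; sub(/.*<service name="/, "", svc); sub(/".*/, "", svc)
      }
      print host, id "/" proto, state, svc
    }' "$1"
}

# Constructed sample in the shape nmap produces with -oX (not a real scan)
SAMPLE_XML=${TMPDIR:-/tmp}/nmap-sample.xml
cat > "$SAMPLE_XML" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap 192.168.216.0/24 -oX nmap-default.xml">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.216.32" addrtype="ipv4"/>
<address addr="00:0C:29:AA:BB:CC" addrtype="mac"/>
<ports><extraports state="closed" count="998"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
</ports></host>
<host><status state="up" reason="arp-response"/>
<address addr="192.168.216.140" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/></port></ports></host>
</nmaprun>
EOF

# Stand-alone demo: prints one line per port found in the sample file
nmap_xml_summary "$SAMPLE_XML"
```

Run it against your own nmap-default.xml by calling nmap_xml_summary with the path; a file produced with -oN or -oG fails the is_nmap_xml check, which is the same reason db_import would not take it.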

Workspace :

For instance, let's say that you are pentesting two different companies, call them company haha and company huhu. So you have scanned for the hosts in company haha and a few days later you scanned for hosts in company huhu. Everything sounds perfect until now, right? Well I got you right there my friend 🙃

This means that you have the hosts of company haha and company huhu in the same database. Now tell me, how are you going to differentiate which hosts belong to which company? Isn't that a nightmare? Well for me it is! Imagine going through all the scanning process, being about to get into the lovely exploitation phase 😚, and you are stuck in this situation.

Me in that situation :



Sometimes looks are deceiving, let's see my inner feeling :



So let me introduce you to my laptop saver feature called Workspace :)

A workspace acts like a separate database by itself; it helps us keep the data of each engagement apart.

So let's see, as actions speak louder than words.

Command :

workspace

Fig : 2.0



This command lists all the workspaces that we have, and as we can see we only have one workspace, the default workspace, which means all the scanning we do gets into the same table.

We can add a workspace :

Command : 

workspace -a NameOfTheWorkSpace

Fig : 2.1




In Fig : 2.1 we can see the new workspace created and selected as well, which denotes that we are now using workspace naruto.

You can also add multiple workspaces at once, with a space in between their names.

To switch between the workspaces :

Command : 

workspace NameOfTheWorkSpace

Fig : 2.2




In Fig : 2.2 we can see that we have switched from workspace naruto to workspace default.

To delete workspaces :

Command : 

workspace -d NameOfTheWorkSpace

Fig : 2.3



We can also delete multiple workspaces at once, with a space in between their names.

See what other options you have on workspace : 

Command :

workspace --help

Fig : 2.4



The same goes for the hosts and services commands as well!

Information Gathering with Metasploit :

Before getting into the actual thing it's good if we know the types of information gathering. Actually there are 2 different modes of information gathering :

1) Active
 
2) Passive

Let me break down the two modes for you :)

In the active mode of information gathering we directly interact with the target to get the information, which makes us less stealthy, whereas in the passive mode of information gathering we just listen and gather the information.

Did not get it? Let me make it a bit raw.

Trigger Warning : 

The words I speak out might make you cry, so please skip the next example if you are an especially soft hearted guy.

Example : 

When your friend initiates a conversation with a random girl on the street and gets her number, it means he is in active mode, where he gets noticed by the target, which is the girl here in this context. And coming to you, the one standing beside him who couldn't help but just listen to the conversation and gets left behind unnoticed, you are in passive mode.


KABOOM !!!




Never thought that I am this good at roasting people 😂🙂

There there my friend, let me wipe your eyes, you will get your day :) don't feel bad.

Well at least you got a friend who talks to a girl, unlike my case 🥹 Ok let's get back and get going.



Now why are you consoling me bro? I am not crying, it's just some dust that has gotten into my eyes and that's all it is 😤

Using Netdiscover in active mode : 

netdiscover is a tool used to find the hosts on the network.

Command :

netdiscover -i eth0 -r 192.168.216.0/24

Fig : 2.5



 
Here -i specifies the interface to listen on and -r gives the range of ip addresses to scan. This scans the network and then gives back the details and the number of hosts in the network.

So here the netdiscover tool sends arp broadcast packets to all the hosts of the given range and concludes that a host is alive if it gets an arp reply back. Here you are directly making contact with the target computer, and so it is called active mode.

Passive mode : 

Command : 

netdiscover -i eth0 -r 192.168.216.0/24 -p

Fig : 2.6



Everything is the same except the new flag -p that's hiding right over there! It means passive mode, so what's the difference?

Well, here you only listen to the traffic, to be specific you listen for arp broadcasts and conclude whether a host is alive accordingly, and so you are unnoticed by the girl, sorry I mean the target, just a regular typo 🙂

Active mode :

Pros :

more info gathering and a great understanding of the inside and outside of the environment

Cons :

could be detected

Passive mode :

Pros :

it is quiet and undetectable

Cons :

we don't know how long it is going to take to get correct and accurate info, as we are just listening to the network

Getting familiar with modules in Metasploit :

  • Auxiliary
  • Payloads
  • Exploits
  • Post

In this blog we will be focusing more on the auxiliary module.

Auxiliary module :

This module is a mixture of a lot of things, but most of the time these are just scanners. It also contains some brute force tools, tools for fingerprinting, proxies and a few exploits as well, but yes, this module is mostly known for its scanners and so is used for reconnaissance.

Fig : 2.7



You can run search auxiliary and see all the tools under the auxiliary module, all the different types of tools. There are a total of 1175 and they increase as new types of attacks come. You can also search for portscan and see that every tool it lists is inside the auxiliary module.

And you can use a tool just by the command :

use IndexOfTheTool

Or

use PathOfTheTool (the Name column)

Fig : 2.8






Here in Fig : 2.8 I have just used the index.

You can see in Fig : 2.8 that we are in scanner/portscan/tcp, and this tool does the same as an nmap full tcp scan, but the scan results are automatically added to the database!!

To know more about the tool :

Command : 

show options

or 

options

or

info

Fig : 2.9



In Fig : 2.9 you can see the different options available for the tool, and these options mostly remain the same for all the other modules as well. Using the info command gives you a bit of extra information regarding the author, rank and some other things about the tool. So let's talk about some important options, shall we!
  • PORTS
  • RHOSTS
  • THREADS

The PORTS option is self explanatory: here we set the range of ports we want scanned on the remote host. By default it is set to scan 10000 ports out of 65,535. Let's set it to 1000 ports for now.

Fig : 3.0


In Fig : 3.0 you can see the changes getting reflected.

The RHOSTS option, which denotes remote hosts, is used to set the target/targets.

We can set RHOSTS to a specific ip address :

Command : 

set RHOSTS 192.168.216.32

Or we can also set multiple hosts, with a space in between the ip addresses :

set rhosts 192.168.216.140 192.168.216.146 192.168.216.235

Fig : 3.1



There is also a cool feature where you can add all the hosts in the database to the RHOSTS option, which really helps.

Command : 

hosts -R

But hold on a sec!




Hold my beer 

Before we perform this command, do make sure that you don't have your own ip address in the database. There's no problem as of now, as the module is just scanning, but when we run modules like exploitation you should make sure you delete your ip address if it exists, which prevents it from getting added to the RHOSTS option when using the above command. If you fail to do so, then you are setting your own machine as the target, which leads to exploitation of your machine if it is vulnerable!

I literally saved you !! 



I know you wanted to thank me !



So to delete the ip address from the database :

Command : 

hosts -d ipaddress

Fig : 3.2
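The check the post asks for before hosts -R can be scripted. The following is an added example, not code from the original post or from the Metasploit project: a POSIX shell function that compares this machine's addresses against a CSV export of the workspace's host table and prints the exact hosts -d line for every match. It assumes the table was exported from msfconsole with hosts -o hosts.csv (first line a header, values possibly quoted) and that iproute2's ip command is available for local_ipv4s; the sample CSV written to SAMPLE_CSV is constructed.

```shell
#!/bin/sh
# Added example, not from the post: make sure none of our own addresses are in
# the host table before `hosts -R` copies every host into RHOSTS.
# Assumptions: export made with `hosts -o <file>` (header line, quoted values);
# `ip` from iproute2 exists for local_ipv4s.

# local_ipv4s : this machine's IPv4 addresses, one per line
local_ipv4s() {
  ip -o -4 addr show 2>/dev/null | awk '{ sub(/\/.*/, "", $4); print $4 }'
}

# own_ips_in_export <hosts.csv> <ip>... : prints a `hosts -d` line for every
# given address present in the export; returns 1 if any was found, else 0
own_ips_in_export() {
  csv=$1; shift
  [ -f "$csv" ] || { echo "missing export: $csv" >&2; return 1; }
  found=0
  for ip in "$@"; do
    # skip the header, drop quotes, keep the first (address) column
    if tail -n +2 "$csv" | tr -d '"' | cut -d, -f1 | grep -qxF "$ip"; then
      printf 'hosts -d %s\n' "$ip"
      found=1
    fi
  done
  return $found
}

# Constructed sample export (not a real engagement)
SAMPLE_CSV=${TMPDIR:-/tmp}/hosts-sample.csv
cat > "$SAMPLE_CSV" <<'EOF'
address,mac,name,os_name,os_flavor,os_sp,purpose,info,comments
"192.168.216.1","","","","","","","",""
"192.168.216.32","","","","","","","",""
"192.168.216.140","","","","","","","",""
EOF

# Stand-alone demo: pretend 192.168.216.1 is one of our own addresses
own_ips_in_export "$SAMPLE_CSV" 192.168.216.1 10.0.0.5 \
  || echo "run the hosts -d line(s) above in msfconsole before hosts -R"
```

In real use the second call becomes own_ips_in_export hosts.csv $(local_ipv4s); a zero exit status means the table is clean and hosts -R is safe to run.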


Now we can perform the command we were about to perform :

Fig : 3.3



Now, THREADS denotes the number of concurrent connections.

Wait what? Can you explain in simple words? Well absolutely, my friend!

Non-roasting good example :

Let's say that we wanted to collect 1 liter of honey, so we send one honey bee to go and collect honey from the flowers. How much honey do we get for one trip? A few drops, right? So it takes time for that one honey bee to make 1 liter. But what if hundreds and thousands of bees collect honey? We reach our goal a lot faster. The difference now is that we have got a lot of bees working in parallel, and as a result we got the desired result quicker. Here I want you to think of the number of bees as the number of threads and the honey as the information we want to gain. So it's as simple as that: more threads, more parallel connections, and we get our information faster!!

Hope this has given a clear understanding.

But note that there is a limit to the number of threads, coz your computer should also be capable of handling them, so up to 30 threads is recommended.

To set the threads :

Command : 

set THREADS 20

Fig : 3.4



Now we have set all the required options and are ready to go!

To run the module :

command : 

run or exploit

Fig : 3.5



In Fig : 3.5 you can see that we are able to successfully scan the targets.

waiting ................. waiting ...................... waiting ....................... I don't like waiting, but many people complain that's what I make them do!



We all hate to wait, don't we? So for us metasploit came up with a feature to run the processes in the background :)

Making a process run in the background :

Command : 

run -j or exploit -j

Fig : 3.6


In Fig : 3.6 you can see we made the process run in the background, which lets us move on and perform other commands instead of waiting for that particular process to complete. And yes, the pop-up messages will keep appearing on the screen; you can simply ignore them and execute the commands you want. For instance in Fig : 3.6 we have executed the command jobs, which displays any background processes if they exist, and you can see the command returns a background process.

Command :

jobs

In Fig : 3.6 this gives back the background processes, which are called jobs here, and you also see their different attributes.

Terminating background processes : 


There might be cases where you gave the wrong settings and just want to terminate the background process.

Command : 

jobs -k job-id

Fig : 3.7



In Fig : 3.7 we have terminated the background process with the help of its job id.

To terminate all the background processes :

Command : 

jobs -K (uppercase K)

Fig : 3.8


In Fig : 3.8 you can see it just stopped all the jobs or processes running in the background.

Setting Values Globally :

Don't you think setting values for THREADS, RHOSTS and other common options again and again for every module is a repetitive process? Well, you think the same? I am glad that we are on the same page!

To set values globally :

Command :

setg option value

For instance, to set the value of THREADS to 20 globally :

setg THREADS 20

Setting the values of the options using the set command :

Fig : 3.9



Setting the values of the options using setg :

Fig : 4.0



In Fig : 4.0 we can see that using setg we are able to set the value of the THREADS option globally, which isn't the case when we use the set command in Fig : 3.9, as those changes are local to the module.

Note : 

Remember that whether it is set or setg, every option value is erased by default when you exit metasploit; the database is persistent, unlike the values of the options.

Well, that's all as of now!! See you all in my next blog, where we will learn about exploits, payloads and much more cool stuff .............. Imma leave a line here before I go :)
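Since option values vanish on exit but the database does not, the usual way to avoid retyping the workspace, import and setg steps from this post after every restart is a resource script replayed with msfconsole -r. The following is an added example, not code from the original post or from the Metasploit project: a POSIX shell function that writes such a script for one client, and refuses workspace names with spaces (the post separates multiple names with spaces) and THREADS values above the 30 the post recommends. It assumes msfconsole accepts -q (quiet) and -r (resource file) and that the script is read from the directory you pass the XML path relative to; client names and file names are constructed.

```shell
#!/bin/sh
# Added example, not from the post: generate a per-client msfconsole resource
# script that recreates the workspace, imports the nmap XML, sets the global
# option and selects the portscan module, so nothing has to be retyped.
# Assumptions: msfconsole -q -r <file> replays the commands; paths are used as given.

# make_client_rc <workspace> <nmap-xml> <rc-file> [threads] [ports]
make_client_rc() {
  ws=$1; xml=$2; rc=$3; threads=${4:-20}; ports=${5:-1-1000}
  # a workspace name with a space would be read as two names by `workspace -a`
  case "$ws" in ''|*' '*) echo "workspace name must be one word" >&2; return 1;; esac
  [ -f "$xml" ] || { echo "missing scan file: $xml" >&2; return 1; }
  case "$threads" in ''|*[!0-9]*) echo "THREADS must be a number" >&2; return 1;; esac
  [ "$threads" -le 30 ] || { echo "THREADS above 30 exceeds the recommended limit" >&2; return 1; }
  {
    printf 'workspace -a %s\n' "$ws"          # creates and selects the workspace
    printf 'db_import %s\n' "$xml"             # xml only, as the post notes
    printf 'hosts\nservices\n'                 # confirm the import landed
    printf 'setg THREADS %s\n' "$threads"      # global, so every module sees it
    printf 'use auxiliary/scanner/portscan/tcp\n'
    printf 'set PORTS %s\n' "$ports"
    printf 'show options\n'                    # stop here; RHOSTS is set by hand
  } > "$rc"
  echo "wrote $rc; replay with: msfconsole -q -r $rc"
}

# Stand-alone demo with a constructed (empty) scan file when no arguments are given
if [ "$#" -ge 3 ]; then
  make_client_rc "$@"
else
  demo=${TMPDIR:-/tmp}/nmap-haha-demo.xml
  : > "$demo"
  make_client_rc haha "$demo" "${TMPDIR:-/tmp}/client-haha.rc" 20 1-1000
  cat "${TMPDIR:-/tmp}/client-haha.rc"
fi
```

The generated script deliberately stops at show options rather than running hosts -R and run -j, so the check for your own ip address from the RHOSTS section still happens by hand before the scan starts.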


