Metasploit is perhaps the most versatile, freely-available, penetration testing framework ever to be made. It is currently developed by Rapid7. The Metasploit Framework (MSF) is far more than just a collection of exploits. It’s an infrastructure that you can build upon and utilize for your custom needs. This allows you to concentrate on your unique environment, and not have to reinvent the wheel.
– Payloads: Payload modules are the code that runs on the target once an exploit module has successfully exploited a vulnerability. There are many types of payloads; some of them are OS-specific command shells (bind or reverse), Meterpreter, VNC payloads, Download and Execute, and more.
– Exploits: Exploit modules contain the code that triggers a specific vulnerability on the target and delivers the selected payload, typically returning a shell.
– Encoders: Encoders transform a payload, originally to remove bytes that the vulnerable input will not accept (for example null bytes). They are also used in an attempt to evade signature-based antivirus, but this is obfuscation, not encryption, and modern antivirus detects most encoded payloads.
– NOPs: NOP generator modules produce sequences of no-operation instructions (NOP sleds) used to pad a payload so that execution lands on it reliably even when the exact return address is slightly off.
– Auxiliary modules: Auxiliary modules are built-in modules that perform scanning, fuzzing, enumeration and similar tasks. They never return a shell. Their purpose is to give the penetration tester a wide array of tools that help profile and penetrate the target efficiently. For example, the auxiliary/admin/mysql/mysql_enum module performs basic information gathering against a given MySQL server.
Msfconsole is the interactive console of Metasploit. The msfconsole has many different commands to choose from. The following are the core set of Metasploit console commands.

| Command | Description |
|---|---|
| back | Move back from the current context |
| banner | Display an awesome metasploit banner |
| cd | Change the current working directory |
| connect | Communicate with a host |
| exit | Exit the console |
| get | Gets the value of a context-specific variable |
| getg | Gets the value of a global variable |
| go_pro | Launch Metasploit web GUI |
| grep | Grep the output of another command |
| info | Displays information about one or more modules |
| irb | Drop into irb scripting mode |
| jobs | Displays and manages jobs |
| kill | Kill a job |
| load | Load a framework plugin |
| loadpath | Searches for and loads modules from a path |
| makerc | Save commands entered since start to a file |
| popm | Pops the latest module off the stack and makes it active |
| previous | Sets the previously loaded module as the current module |
| pushm | Pushes the active or list of modules onto the module stack |
| quit | Exit the console |
| reload_all | Reloads all modules from all defined module paths |
| rename_job | Rename a job |
| resource | Run the commands stored in a file |
| route | Route traffic through a session |
| save | Saves the active datastores |
| search | Searches module names and descriptions |
| sessions | Dump session listings and display information about sessions |
| set | Sets a context-specific variable to a value |
| setg | Sets a global variable to a value |
| show | Displays modules of a given type, or all modules |
| sleep | Do nothing for the specified number of seconds |
| spool | Write console output into a file as well as the screen |
| threads | View and manipulate background threads |
| unload | Unload a framework plugin |
| unset | Unsets one or more context-specific variables |
| unsetg | Unsets one or more global variables |
| use | Selects a module by name |
| version | Show the framework and console library version numbers |
Metasploit modules for web application pentesting
1. Auxiliary modules related to web applications
In this subsection, we’ll see the usage of different kinds of auxiliary modules that help with reconnaissance of the target. Most reconnaissance-related auxiliary modules live under the auxiliary/scanner/http/ path of the framework; “search auxiliary/scanner/http” lists them.
For example, we use the auxiliary/scanner/http/brute_dirs module, selected with “use auxiliary/scanner/http/brute_dirs”.
Running “show options” shows the full list of options supported by the module. Set options with the command “set [variable] [value]”, for example “set RHOSTS 192.168.223.128”.
The main variables are self-explanatory:
• RHOSTS : The remote target, a list of targets, or a range/CIDR of targets.
• RPORT : The port of the remote web server (80 by default; set SSL to true for HTTPS).
• THREADS : The number of parallel threads to use for the brute-force.
• FORMAT : The brute-force format for generated directory names, where a = lowercase letter, A = uppercase letter and d = digit (the default a,aa,aaa tries every one-, two- and three-letter lowercase name).
• PATH : The base directory from which the brute-force should start (/ by default).
Then enter “run” (or “exploit”, which is accepted as an alias) to start scanning. Brute-forcing directory names generates a large number of requests, so choose THREADS with the target’s capacity and your rules of engagement in mind.
2. WMAP – Metasploit’s Web Application Security Scanner
WMAP is a feature-rich web application vulnerability scanner that was originally created from a tool named SQLMap. It is integrated with Metasploit as a plugin and allows us to conduct web application scanning from within the Metasploit Framework.
We begin by setting up the PostgreSQL database that stores our WMAP scan results. From a root shell, before starting msfconsole, run:

```
# service postgresql start
# msfdb init
```

“msfdb init” creates the database and its configuration; on later runs “msfdb start” is enough. Inside msfconsole, “db_status” confirms the connection, and the plugin is loaded with “load wmap”.
To run a web app scan, we first add the target URL as a site with “wmap_sites -a http://target/”. Afterwards, “wmap_sites -l” prints the registered sites. A site must then be selected as the active target with “wmap_targets -t http://target/” (“wmap_targets -l” lists the selected targets).
Next, “wmap_run -t” lists the modules that will be used against the target.
Now run the WMAP scan against the target with “wmap_run -e”.
When the scan has finished, use “wmap_vulns -l” to list the vulnerabilities it recorded. Treat these as leads to verify manually; WMAP reports whatever its modules flag.
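The two procedures above (brute_dirs option setting and the WMAP run) are normally typed into msfconsole by hand. As an added example, not code from the original page or from the Metasploit project, the POSIX shell function below generates a msfconsole resource script that chains both procedures and spools the console output to a log file, so the whole run can be repeated with “msfconsole -q -r web_scan.rc”. The module, option and plugin names are the real Metasploit ones used on this page; the target address, port, scheme and log path are assumed values passed as arguments.

```shell
#!/bin/sh
# Generate a msfconsole resource script (.rc) that runs brute_dirs and then a
# WMAP scan against one web server. Resource scripts are executed line by line
# exactly as if the commands were typed into msfconsole.
#
# Arguments: RHOSTS value, web port, scheme (http|https), spool log path.
# The example values used below are assumptions, not targets from the page.

gen_msf_rc() {
    rhosts="$1"    # single IP, range or CIDR; RHOSTS accepts all of them
    rport="$2"     # web server port
    scheme="$3"    # http or https; also decides the SSL option
    logfile="$4"   # file that receives a copy of all console output

    if [ "$scheme" = "https" ]; then ssl=true; else ssl=false; fi

    # setg makes RHOSTS/RPORT/SSL global so every module used later inherits
    # them; set applies only to the currently selected module.
    cat <<EOF
spool $logfile
setg RHOSTS $rhosts
setg RPORT $rport
setg SSL $ssl
use auxiliary/scanner/http/brute_dirs
set THREADS 10
set PATH /
set FORMAT a,aa,aaa
run
load wmap
wmap_sites -a $scheme://$rhosts:$rport/
wmap_targets -t $scheme://$rhosts:$rport/
wmap_run -t
wmap_run -e
wmap_vulns -l
spool off
exit
EOF
}

# Write the script to disk and run it if Metasploit is installed.
run_web_scan() {
    gen_msf_rc "$@" > web_scan.rc
    if command -v msfconsole >/dev/null 2>&1; then
        msfconsole -q -r web_scan.rc
    else
        echo "msfconsole not found; resource script written to web_scan.rc" >&2
        return 1
    fi
}

# Example invocation (assumed lab target, not from the page):
#   run_web_scan 192.168.223.128 80 http /tmp/web_scan.log
```

The generated script exits msfconsole when it finishes, so it can be scheduled or run from another tool; drop the final “exit” line if you want to stay in the console and inspect the WMAP results interactively with “wmap_vulns -l”.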