i Metasploit for pentest web application – All things in moderation

Metasploit for pentest web application


Metasploit is perhaps the most versatile, freely-available, penetration testing framework ever to be made. It is currently developed by Rapid7. The Metasploit Framework (MSF) is far more than just a collection of exploits. It’s an infrastructure that you can build upon and utilize for your custom needs. This allows you to concentrate on your unique environment, and not have to reinvent the wheel.

Metasploit architecture

Metasploit modules:

– Payloads: Payload modules are the payloads which run when an exploit module successfully exploits a vulnerability. There are different types of payloads; some of them are: OS specific command shell (bind/reverse), Meterpreter, VNC payloads, Download and Execute, and much more

– Exploits:The exploit module contains various scripts that contain code to exploit a vulnerability and return back a shell.

– Encoders:These are used to encrypt payloads and the attack vectors to avoid detection by antiviruses or firewalls.

– NOPS: NOPs module usage for makes the payloads stable.

– Auxiliary module: The auxiliary modules are built-in scripts that perform various types of scanning, fuzzing … However, these scripts never return a shell when they run. The major purpose of this module is to give the penetration tester a wide array of scripts that can help penetrate the target efficiently. For example, the mysql_enum auxiliary module will perform a basic level of information gathering on a given MySQL server.


Msfconsole is an interactive console of Metasploit. The msfconsole has many different command options to chose from. The following are a core set of Metasploit commands.

Command Description
back Move back from the current context
banner Display an awesome metasploit banner
cd Change the current working directory
color Toggle color
connect Communicate with a host
exit Exit the console
get Gets the value of a context-specific variable
getg Gets the value of a global variable
go_pro Launch Metasploit web GUI
grep Grep the output of another command
help Help menu
info Displays information about one or more module
irb Drop into irb scripting mode
jobs Displays and manages jobs
kill Kill a job
load Load a framework plugin
loadpath Searches for and loads modules from a path
makerc Save commands entered since start to a file
popm Pops the latest module off the stack and makes it active
previous Sets the previously loaded module as the current module
pushm Pushes the active or list of modules onto the module stack
quit Exit the console
reload_all Reloads all modules from all defined module paths
rename_job Rename a job
resource Run the commands stored in a file
route Route traffic through a session
save Saves the active datastores
search Searches module names and descriptions
sessions Dump session listings and display information about sessions
set Sets a context-specific variable to a value
setg Sets a global variable to a value
show Displays modules of a given type, or all modules
sleep Do nothing for the specified number of seconds
spool Write console output into a file as well the screen
threads View and manipulate background threads
unload Unload a framework plugin
unset Unsets one or more context-specific variables
unsetg Unsets one or more global variables
use Selects a module by name
version Show the framework and console library version numbers

Metasploit modules for pentest web application

1. Auxiliary modules related to web applications

In this subsection, we’ll see the usage of different kinds of auxiliary modules that will help us in reconnaissance of the target. Mainly, reconnaissance-related auxiliary modules will be listed under the auxiliary/scanner/http/ structure of the framework. This will be similar
to the following

For example we use auxiliary/scanner/http/brute_dirs module.

Running “show options” shows a comprehensive list of options supported by
the module. Set options with commnad “set [variable] [value]“, for example “set RHOST

The various variables are self-explanatory.

• RHOST : This is the remote target or list of targets.

• RPORT : This is the variable for the port of the remote host.

• THREADS : This is the number of parallel threads to use to brute-force.

• FORMAT : This is the brute-force format: alphabet, uppercase, and digit.

• PATH : This is the starting directory from which the brute-force should start.

Then enter “exploit” to start scanning.

2. WMAP – Metasploit’s Web Application Security Scanner

WMAP is a feature-rich web application vulnerability scanner that was originally created from a tool named SQLMap. This tool is integrated with Metasploit and allows us to conduct web application scanning from within the Metasploit Framework.

We begin by first creating a new database to store our WMAP scan results by run following commands:

[email protected]:~# service postgresql start
[email protected]:~# msfdb init
[email protected]:~# msfdb start

To running a web app scan, we first need to add a new target URL by use option “wmap_sites -a”. Afterwards, running “wmap_sites -l” will print out the available targets.

The first we use the “wmap_run -t” to list the modules that will be used to scan the remote system.

Now is to run the WMAP scan against our target URL with “wmap_run -e”

When scan has finished executing, use “wmap_vulns -l” for show list vulnerabilities:

Leave a Reply