Metasploit

Educational Purposes Only!

The Metasploit Framework is a Ruby-based, modular penetration testing platform that enables you to write, test, and execute exploit code.

The Metasploit Framework contains a suite of tools that you can use to test security vulnerabilities, enumerate networks, execute attacks, and evade detection.

At its core, the Metasploit Framework is a collection of commonly used tools that provide a complete environment for penetration testing and exploit development. - https://docs.rapid7.com/metasploit/msf-overview/


Standard Usage:

1. msfconsole

2. search <suspected vulnerability>

3. use <path shown in search>

4. show options (shows exploit specifics)


Example:

use exploit/unix/webapp/wp_admin_shell_upload

set RHOST http://example.com

set RPORT 80

set TARGETURI /exploit

Tip: setg can set the values globally


More options:

1. show targets

2. show payloads

NOTE: show options only lists the options for the module, not for Metasploit itself. For example, if you are using a reverse shell you need to set LHOST, which isn't shown at first. It can also be useful to specify the directory.


How to find CVEs:

  • Enumerate the services and ports

  • Connect to the port/service - curl, nc, FTP, SSH etc.

  • Check if you can find versions

  • Check if there are any CVEs that include the version

  • Check if Metasploit has any modules
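
The version-to-advisory step from the list above, as an added example that is not part of the original notes: it pulls product and version out of recorded service banners and checks them against affected-version ranges. The product names, addresses, advisory IDs and version ranges are all constructed placeholders.

```ruby
# Constructed advisory feed: IDs are placeholders and the ranges are invented.
ADVISORIES = [
  { id: "CVE-PLACEHOLDER-0001", product: "exampleftpd",  introduced: "3.1.0", fixed: "3.1.5" },
  { id: "CVE-PLACEHOLDER-0002", product: "examplehttpd", introduced: "1.0.0", fixed: "1.10.2" }
].freeze

# Constructed banners recorded from hosts you are authorised to assess
# (documentation address range, hypothetical product names).
BANNERS = {
  "192.0.2.5:21" => "220 (exampleftpd 3.1.2)",
  "192.0.2.6:80" => "Server: examplehttpd/1.9.7",
  "192.0.2.7:80" => "Server: examplehttpd/1.10.2",
  "192.0.2.8:21" => "220 FTP server ready"
}.freeze

# Compare dotted versions numerically, so 1.9.7 sorts before 1.10.2.
def compare_versions(a, b)
  x, y = [a, b].map { |v| v.split(".").map(&:to_i) }
  len = [x.size, y.size].max
  (x + [0] * (len - x.size)) <=> (y + [0] * (len - y.size))
end

# Pull "product version" or "product/version" out of a banner; nil if absent.
def extract_service(banner)
  m = banner.match(%r{([A-Za-z][A-Za-z0-9]*)[/ _]v?(\d+(?:\.\d+)+)})
  m && { product: m[1].downcase, version: m[2] }
end

# Affected when introduced <= version < fixed.
def affected?(version, adv)
  compare_versions(version, adv[:introduced]) >= 0 &&
    compare_versions(version, adv[:fixed]) < 0
end

def audit(banners, advisories)
  report = { findings: [], unversioned: [] }
  banners.each do |endpoint, banner|
    svc = extract_service(banner)
    if svc.nil?
      report[:unversioned] << endpoint # version must be confirmed another way
      next
    end
    advisories.each do |adv|
      next unless adv[:product] == svc[:product] && affected?(svc[:version], adv)
      report[:findings] << { endpoint: endpoint, id: adv[:id], version: svc[:version] }
    end
  end
  report
end

puts audit(BANNERS, ADVISORIES).inspect if __FILE__ == $PROGRAM_NAME
```

A banner that discloses no version lands in `unversioned` rather than being treated as unaffected, and a string comparison would have wrongly ranked 1.9.7 above 1.10.2.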


It is important to note that such tools are fairly automated, intuitive and abstracted. A good understanding of the technology being exploited (ethically) is necessary for learning and proper usage. These tools should really be used for efficiency reasons.