Introduction to Metasploit


Difficulty
Intermediate
Video Transcription
An introduction to Metasploit.

Our learning objectives are to understand what the Metasploit Framework is and how to use it, become familiar with how to search for modules, select them and then read info about them, and demonstrate how to run exploit modules.

Metasploit Framework is a framework written for pen testers in Ruby. We'd been using Python a lot, but this is written in Ruby, and there's a great introduction on the Offensive Security website. Go to Offensive Security, and you should see the course Metasploit Unleashed. It's free, but they do ask for a donation. Go through it.

This is where you have to plan your strategy. You can use a Metasploit module once, with the exception of multi/handler, which you've seen me use a few times for things like our ASP shell, but you can only use a module once, auxiliary, exploit, or post, against one target.
A lot of people shy away from getting to know Metasploit. I was just talking to someone about this last week, where we both have OSEP, and we were saying, hey, we don't really know a lot about Metasploit because you try to stay away from it in preparation for OSEP, because if you become too reliant on it, then you don't know how to look for exploit code and modify it, which is all the great things that OSEP tries to teach you. When it came time for me to do eCPPT, I was really over my head, and when it came time to pivot, I didn't know what to do.

When it comes time for you to prepare and look at Metasploit, have a familiarity with it so that you do know how to use it. My hope is that I can teach you how to do that. You're not going to become an expert in Metasploit unless you really work towards it and you want to. But as long as you know the basics of it, you should be able to use it in OSEP, and I can tell you one of the scariest moments is when you decide, hey, I want to use Metasploit, and it doesn't work. That's happened to me. Relax, take a step back. Maybe it's your payload that is incorrect and you need to change it. Maybe it's not a bind shell, maybe it's a reverse shell that you need, or maybe it's not Linux, it's Windows, or you need to change the target. That's why you need to know how, or have some idea of how, to use Metasploit.
Finding an exploit module.

You may see this when you're searching in Exploit-DB, or you come across a service and you search for it and it says this module requires Metasploit. That's the clue: it is in the Metasploit Framework. I've heard of some people who, in OSEP, have taken the Ruby code and changed it and not used Metasploit, but have used the code itself. I don't know enough about Ruby to do that, but just be aware that you will know, when you're searching for these vulnerable services, that this will pop up, and it will be a clue that you can use Metasploit. But as you can see with the Konica Minolta vulnerability, you can use Metasploit or there's public exploit code. In that case, I would definitely go with the public exploit code.
Starting Metasploit. You've seen me use msfconsole from the command line a lot. You can also run the database, and they talk about that in the Metasploit Unleashed course. But you can, off the bat, run the database with msfdb run. It runs this database for you that keeps track of all the searches that you've done, all the loot that you've found. I think it's beneficial to run the database off the bat.
Search and info.

You can see here that I'm searching Konica Minolta. It found three different modules. Notice the first one is a zero. In programming, we start with zero, not one. You can interact with it a few different ways. You could do use 0 or use 1 or use 2, or you can spell the whole thing out. You could do use exploit/windows/ftp/..., etc., or use 2. I think use 2 is a lot easier. Also, when you select the module in that case, always run info. I like to know what the module does, and you should know what the module does as well. Because again, when you go to write the pen test report, and I keep harping on the pen test report, this will help you explain what the exploit was that worked.
Now let's do a demo. I'm going to msfdb run. You can see the database is already running. I've already started this up. I'm going to do db_nmap 192.168.1.242 -A, an aggressive scan. That looks at the operating system as well as our typical -sV -sC scan. This may take a little bit. But the thing that this is doing is it's putting this host and what info it finds in the database. If I type hosts now, it can tell me the MAC address, the name, and the OS of this system, and we can also see the fact that port 21 is open with Konica Minolta.

If I search Konica Minolta again, I see I have three different modules. I could copy this and paste it here, or I can just do use 2. You'll see here "No payload configured, defaulting to windows/meterpreter/reverse_tcp". This is what I'm telling you: sometimes the exploit you've selected is correct, it's the payload that you have that's wrong. Maybe it's a bind shell and that doesn't work, or maybe reverse TCP doesn't, but a bind shell works instead. You can try messing around with that too.

I do info and read what this module does. I can see what the target is. It looks like I just need to set my rhosts. You could probably tweak your targets. In some cases it may be different, and here we just have one target, but in other cases it really depends on the version and the service pack of Windows. I like to do show targets as well. So we'll set rhosts to 192.168.1.242. You can either do exploit or run. I like to do run. If you want to set this in the background: if I just hit run now and it runs through it, I'll get a Meterpreter shell open. If I want to do some other things, I can do -j and make it a job, and you'll see Meterpreter opened. If I hit Enter again, I'm still here in Metasploit and can do other things. If I didn't do the -j, it will just open to a Meterpreter session. I'll show you what that looks like too. Otherwise, here I could just do sessions 1.
Let me exit out of this. This time I'll exploit without doing the -j. You'll see I go right to my Meterpreter session here, and I do sysinfo and pay attention to the architecture. The architecture for this host is x64 and our Meterpreter is x86. That may give us some issues later on. If we're not in OSEP land, if we're doing a CTF and we can keep using Metasploit, we want to change our Meterpreter to the architecture of this machine so that we can do things like post-exploitation, where we can escalate privileges. There's a module for that. If we have it as the wrong architecture, if we keep this x86, it's not going to work correctly.

What you can do is ps, and you want to pick a process that is x64 and probably something that's stable. I see a lot of RuntimeBroker, so let's migrate. We're going to migrate to 6428: migrate 6428. We see it died. That might happen sometimes when you try to migrate processes: it dies, in which case you have to go back again. Sometimes your exploits will kill the service, in which case you have to go back and restart the box. Let's run this again. Do ps again. I don't know, it's like rolling the dice here. We'll do 6592. I was finally able to migrate to a process. It took me a little bit of time. But 8104, the SmartScreen, is x64. Now if I do sysinfo, I see my Meterpreter shell is x64 and my architecture is x64. That will make things a lot easier for us now with post-exploitation and interacting with the shell.
Again, you need to be careful using Metasploit because you can only use one module. People are very, very careful with Metasploit not to do too much. Of course, Metasploit is very robust, and there are a lot of things that you can use in this now to get loot and crack hashes and find passwords and things like that. But that's why people don't get very familiar with Metasploit, I would say, in preparation for OSEP, because people are very careful. At least I was very careful, once I got a shell, not to do anything that would be considered using another module and losing out. Because if you use more than one, you have zero points for that box. Use it sparingly. Understand Metasploit at a level where you can use it like this: you can get a shell on a box. But again, I would be careful with how much more you do, just because you don't want it to be considered using another module. But if you are preparing for other things or do CTFs and Hack The Box and things like that, you can become more familiar with Metasploit, and should.

In summary, we should now understand what the Metasploit Framework is and how to use it, become familiar with how to search for modules, select them and then read info about them, as well as demonstrate how to run exploit modules.
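The x86-versus-x64 check that the demo walks through (read sysinfo, then look through ps for an x64 process that is likely to be stable) is easy to get wrong by eye on a long process list. The following is an added Python example; it is not code from the video or from the Metasploit project. It parses sysinfo and ps text that is constructed here to follow the column layout of msfconsole's output, reports when the Meterpreter architecture differs from the host architecture, and lists the processes that match the host architecture and an assumed "stable" name list (RuntimeBroker and SmartScreen from the demo, plus explorer.exe). The PIDs, user names and paths in the samples are made up.

```python
"""Compare a Meterpreter session's architecture with its host and list
migration candidates from `ps` output.

Added example, not code from the video or the Metasploit project. The
sysinfo and ps text below is constructed to resemble msfconsole output;
the column layout follows the real commands, but PIDs, users and paths
are invented (6428 and 8104 are the PIDs mentioned in the demo).
"""
import re
from dataclasses import dataclass

# Constructed sysinfo output: x86 Meterpreter running on an x64 host.
SYSINFO_SAMPLE = r"""
Computer        : WIN10-LAB
OS              : Windows 10 (10.0 Build 19044).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
"""

# Constructed ps output. Columns are separated by two or more spaces;
# rows without an Arch value (kernel pseudo-processes) are shorter.
PS_SAMPLE = r"""
 PID   PPID  Name               Arch  Session  User                  Path
 ---   ----  ----               ----  -------  ----                  ----
 0     0     [System Process]
 4     0     System             x64   0
 1234  700   svchost.exe        x64   0        NT AUTHORITY\SYSTEM   C:\Windows\System32\svchost.exe
 2200  4100  conhost.exe        x64   1        WIN10-LAB\labuser     C:\Windows\System32\conhost.exe
 3300  4100  ftpsvc.exe         x86   0        NT AUTHORITY\SYSTEM   C:\Program Files (x86)\vendor\ftpsvc.exe
 6428  700   RuntimeBroker.exe  x64   1        WIN10-LAB\labuser     C:\Windows\System32\RuntimeBroker.exe
 8104  700   smartscreen.exe    x64   1        WIN10-LAB\labuser     C:\Windows\System32\smartscreen.exe
"""

# Assumed list of long-lived processes; extend it for your own environment.
STABLE_NAMES = {"runtimebroker.exe", "smartscreen.exe", "explorer.exe"}


@dataclass(frozen=True)
class Process:
    pid: int
    name: str
    arch: str
    user: str


def parse_sysinfo(text: str) -> dict:
    """Turn the 'Key : Value' lines of sysinfo into a dict."""
    info = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            info[key.strip()] = value.strip()
    return info


def meterpreter_arch(info: dict) -> str:
    """'x86/windows' -> 'x86'."""
    return info["Meterpreter"].split("/")[0]


def arch_mismatch(info: dict) -> bool:
    """True when the session was built for a different architecture than the host."""
    return meterpreter_arch(info) != info["Architecture"]


def parse_ps(text: str) -> list:
    """Parse ps rows into Process records; header, separator and short rows are skipped."""
    procs = []
    for line in text.splitlines():
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) < 4 or not fields[0].isdigit():
            continue  # header, separator, blank, or a row with no Arch column
        pid, _ppid, name, arch = fields[:4]
        user = fields[5] if len(fields) > 5 else ""
        procs.append(Process(int(pid), name, arch, user))
    return procs


def migration_candidates(procs: list, host_arch: str, stable_names=STABLE_NAMES) -> list:
    """Processes that match the host architecture and are on the stable-name list."""
    return [p for p in procs if p.arch == host_arch and p.name.lower() in stable_names]


def main() -> None:
    info = parse_sysinfo(SYSINFO_SAMPLE)
    print(f"host {info['Architecture']}, meterpreter {meterpreter_arch(info)},"
          f" mismatch={arch_mismatch(info)}")
    if arch_mismatch(info):
        for p in migration_candidates(parse_ps(PS_SAMPLE), info["Architecture"]):
            print(f"candidate pid={p.pid} name={p.name} user={p.user}")


if __name__ == "__main__":
    main()
```

Running the script on the constructed samples reports the mismatch and lists 6428 (RuntimeBroker.exe) and 8104 (smartscreen.exe); the x86 ftpsvc.exe row is excluded even though it is the exploited service, which is the point the demo makes about not staying in an x86 session on an x64 host. Whether a given migrate succeeds is still up to the target, as the demo's failed first attempt shows.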