The Metasploit Framework is an open source Ruby-based penetration testing and development platform, developed by the open source community and Rapid7, that provides you with access to the huge number of exploits, payloads, shellcodes, encoders, fuzzing tools, and much more.
Metasploit Framework: The Most Used Penetration Testing Framework
Metasploit Framework can be used to test security vulnerabilities, enumerate networks, execute attacks, and evade detection. It simply helps you to find, exploit, and validate vulnerabilities. If you are a pentester, cybersecurity researcher, tester, programmer or freestyler, the Metasploit Framework is all you need. Can be used for both legitimate and unauthorized activities, but we’re strongly suggest you to behave, and use this awesome pentesting framework to test your systems, help attack prevention and rise cybersecurity awareness.
Metasploit was created as a portable network tool written in Perl, but by 2007 the Metasploit Framework has been completely rewritten in Ruby. In 2009, Metasploit Project has been acquired by Rapid7 (still owned maintained by them).
It contains a fully loaded pentesting toolkit (short explanation):
Exploits: An exploit is a method by which the attacker takes advantage of a flaw within a system, service, application etc. Exploits are always accompanied by payloads.
Payloads: A payload is the piece of code which is run in the successfully exploited system.
Auxiliary: Provides additional functionality such as – fuzzing, DoS attack, scanning, recon, but it doesn’t inject a payload like exploits.
Encoders: Obfuscate modules to avoid detection by a protection mechanism such as an antivirus or a firewall. (e.g. backdoor creation).
Nops: Prevents payload from crashing while using jump statements in its shellcode.
Post-exploitation: A post-exploitation module enables you to gather more information or to gain further access to an exploited target system.
Shellcode: Set of instructions that an exploit uses as the payload.
Rapid7 distributes the commercial and open source versions of Metasploit:
There are also more commercial editions: Metasploit Express and Nexpose Ultimate.
Metasploit Framework Main Features:
- Penetration testing framework with more than 1800 exploits.
- It has 1000+ auxillary modules, 300+ post-exploitation modules, 500+payloads, a lot of encoders and nops.
- Metasploit has a
meterpretermodule, an advanced, dynamically extensible payload (see bellow).
- Command-line interface (
mfsconsole– see bellow), manual exploitation, manual credentials brute forcing, and much more.
Metasploit Pro Features:
- Web Interface & Metasploit Pro console (create and manage projects, scan and enumerate hosts, import and export data, configure and run modules, run automated exploits, view information about hosts, collect evidence from exploited systems, etc.).
- Team collaboration capabilities (share host data, view collected evidence, create host notes, divide pentest into multiple parts, assign members a specific network segment to test, etc.).
- It runs the following services: PostgreSQL (database), Ruby on Rails (Metasploit Pro Web Interface), Metasploit service, bootstraps Rails, the Metasploit Framework, and the Metasploit RPC server.
- Penetration testing workflow with smaller and more manageable tasks and database exploit through a web based user interface.
- Web app testing for OWASP Top 10 vulnerabilities, phishing awareness management and spear phishing, and much more.
If you want to see comparative features of the different editions, visit Metasploit features page.
Metasploit Framework Install
- Linux, Windows, and OS X.
- Obtain Administrator Privileges (You must have administrator privileges on the systemto run Metasploit)
- Disable Anti-virus Software (It detects the framework as malicious and may cause problems with the installation)
- Disable Firewalls (Local firewalls/Windows Firewall, may interfere with exploits and payloads)
- Download the Windows Installer.
- Double-click the installer icon to start the installation process
- Follow the installation instructions
mfsconsole, run the following:
Linux & OS X:
Open the terminal and run the following:
$ curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \ chmod 755 msfinstall && \ ./msfinstall
After installation start
mfsconsole as follows:
yes to create the initial database. You should now see:
** Metasploit Framework Initial Setup Complete ** .,,. . .\$$$L..,,==aaccaacc%#s$b. d8, d8P d8P #$$$$$$$$$$$$$$b. `BP d888888p d888888P '7$$\""""''^^`` .7$$|D*"'``` ?88' d8bd8b.d8p d8888b ?88' d888b8b _.os#$|8*"` d8P ?8b 88P 88P`?P'?P d8b_,dP 88P d8P' ?88 .oaS###S*"` d8P d8888b $whi?88b 88b d88 d8 ?8 88b 88b 88b ,88b .osS$$*" ?88,.d88b, d88 d8P' ?88 88P `?8b d88' d88b 8b`?8888P'`?8b`?88P'.aS$$Q*"` `?88' ?88 ?88 88b d88 d88 .a#$$$"` 88b d8P 88b`?8888P' ,s$$$$"` 888888P' 88n _.,,,ass;: .a$$$$P` d88P' .,.ass%#S$$$$$$$' .a$###$$P` _.,,-aqsc#SS$$$$$$$$$$$$$' ,a$###$P` _.,-ass#S$$$$$$$$$$$$$$$$####SSSS' .a$$$$$SSS$$$$$$$$$$$$$$SS##==--""''^^/$$$' _______________________________________________________________ ,&$$$'_____ ll&&$$' .;;lll&&&&' ...;;lllll&' ......;;;llll;;;.... ` ......;;;;... . . =[ metasploit v4.17.18-dev- ] + -- --=[ 1818 exploits - 1029 auxiliary - 315 post ] + -- --=[ 539 payloads - 42 encoders - 10 nops ] + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
To read Metasploit Framework wiki, click the documentation button bellow.