{"id":22288,"date":"2022-06-14T00:15:57","date_gmt":"2022-06-14T00:15:57","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=22288"},"modified":"2023-04-10T13:32:22","modified_gmt":"2023-04-10T13:32:22","slug":"metasploit-framework-tutorial","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/products\/metasploit-framework-tutorial\/","title":{"rendered":"Getting Started With the Metasploit Framework: A Pentesting Tutorial"},"content":{"rendered":"\r\n

The Metasploit project contains some of the best security tools available, including the open source Metasploit Framework. Both pen testers<\/a> and hackers use it to find and exploit vulnerabilities as well as to set up reverse shells, develop malicious payloads<\/a>, or generate reports.<\/p>\r\n\r\n\r\n\r\n

The tool, maintained by Rapid7<\/a>, even offers comprehensive documentation<\/a>, where you can learn the basics to start using it.<\/p>\r\n\r\n\r\n\r\n

However, Metasploit is not just another hacking tool. It\u2019s a whole platform with command lines and modules you can use to attack a target. It offers several different features, web interfaces, and free trials. But, here we\u2019ll focus on Metasploit Framework<\/a>, which is the free, open-source edition.<\/p>\r\n\r\n\r\n\r\n

Also read: 10 Top Open Source Penetration Testing Tools<\/a><\/p>\r\n\r\n\r\n\r\n

Setting Up a Test Environment<\/h2>\r\n\r\n\r\n\r\n

The idea with Metasploit is to attack another machine, so you\u2019ll need another machine to run your tests. Most beginners use a virtual machine with Kali Linux<\/a> and their own machine as a target.<\/p>\r\n\r\n\r\n\r\n

While it might seem convenient, it\u2019s not recommended to use such a configuration. It is better to use several virtual machines; for example, one for the attacker and one for the victim. This way, you can train with various operating systems and disable antivirus software<\/a> and firewalls<\/a> safely.<\/p>\r\n\r\n\r\n\r\n

Prerequisites<\/h3>\r\n\r\n\r\n\r\n

For convenience, we\u2019ll use Kali Linux<\/a>, but you can use Nightly Installers<\/a> if you prefer. The Metasploit Framework is available on all major operating systems, including macOS, Windows, and Linux distributions.<\/p>\r\n\r\n\r\n\r\n

If you\u2019re ready to install Kali, the easy way is to spin up a virtual machine<\/a>. Once you have that, connect to a new Kali session and search Metasploit Framework<\/em> in the menu to launch the console. Alternatively, you can open the terminal and type msfconsole<\/em>.<\/p>\r\n\r\n\r\n\r\n

\"\"<\/figure>\r\n\r\n\r\n\r\n

As a general rule, it is strongly recommended to keep your system up to date to get the latest version of exploits and other software. To do so, open the Kali terminal and type apt update<\/em>.<\/p>\r\n\r\n\r\n\r\n

While it might take some time, don\u2019t skip this step unless it\u2019s the first time you install and use Kali.<\/p>\r\n\r\n\r\n\r\n

Your First Exploit<\/h2>\r\n\r\n\r\n\r\n

Metasploit provides a great database of all kinds of exploits. For example, you can use the command search type:exploit platform:unix<\/em> to search exploits for Unix systems.<\/p>\r\n\r\n\r\n\r\n

You\u2019ll get a large list of potential exploits to attack your target. And commands such as use exploit\/unix\/local\/chkrootkit<\/em> can be used directly in the console.<\/p>\r\n\r\n\r\n\r\n

\"\"<\/figure>\r\n\r\n\r\n\r\n

If there\u2019s a default payload, Metasploit will select it for you, but you can show all payloads with the command show payloads<\/em>.<\/p>\r\n\r\n\r\n\r\n

\"\"<\/figure>\r\n\r\n\r\n\r\n

To select a payload, use the command set payload<\/em>. For example, set payload cmd\/unix\/bind_awk<\/em> would select the first option above.<\/p>\r\n\r\n\r\n\r\n

\"\"<\/figure>\r\n\r\n\r\n\r\n

After that, you would logically use the run<\/em> command. However, some payloads require additional configurations, like an active session and a host.<\/p>\r\n\r\n\r\n\r\n

To list all options you can continue with, type show options<\/em> in the terminal, and to get more information, you can type info<\/em>.<\/p>\r\n\r\n\r\n\r\n

These commands will give you everything you need to know, including the current status of your payload, parameters, all details about the exploit you are generating, and many more.<\/p>\r\n\r\n\r\n\r\n

Additionally, you can use the setg<\/em> command to set some parameters as global variables, so you won\u2019t need to type the same configurations again during your tests with other exploits.<\/p>\r\n\r\n\r\n\r\n

Once you have everything set correctly, you can type run<\/em> or exploit<\/em>. After that, the following steps usually consist of sending the generated executable to a targeted machine to exploit the vulnerability.<\/p>\r\n\r\n\r\n\r\n

Also read:<\/span><\/p>\r\n