Yashuop
Apr 10, 2022

Metasploit Tutorial for Beginners

The Metasploit project is an open-source penetration testing platform that enables you to find and exploit vulnerabilities. In 2003, H.D. Moore created Metasploit as a portable network tool. On October 21, 2009, the Metasploit project was acquired by Rapid7.

The Metasploit project helps security and IT professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments. The Metasploit project includes sub-projects such as the Metasploit Framework and its commercial counterparts: Metasploit Pro, Express, Community, and Nexpose Ultimate.

Minimum System Requirements:

Supported Operating System:

Required Browser version:

Basic Terms of Metasploit

Vulnerability: A vulnerability is a weakness which can be exploited by an attacker to perform unauthorized actions with a computer system. A vulnerability can be as simple as weak passwords or as complex as buffer overflows or SQL injection vulnerabilities.

Exploit: An exploit is a piece of code, a chunk of data, or a sequence of commands that takes advantage of a vulnerability present in a computer system to cause unintended behavior on that system, such as giving unauthorized access or allowing privilege escalation.

Payload: The payload is the part of the private user text which could also contain malware, such as worms or viruses, that performs the malicious action: deleting data, sending spam or encrypting data.

Auxiliary: Auxiliaries are modules present in Metasploit that are used to perform scanning, sniffing, and fuzzing. Auxiliary modules will not give you a shell, but they are extremely useful for brute-forcing passwords or scanning for vulnerabilities.

Post: Post modules are used for post-exploitation on a compromised target machine, to gather evidence or pivot deeper into the network.

Encoders: Encoder modules are used to ensure the payload makes it to the destination.

Nops: Nops are used to keep the size of the payload consistent across exploit attempts.

A cheat sheet of Basic Commands

To start the Metasploit framework, we type msfconsole in the terminal. A banner is displayed every time msfconsole starts.

msfconsole

After starting the Metasploit framework, we can check the basic commands by using the “help” command.

msf > help

Core Commands:

Module Commands:

Job Commands:

Resource Script Commands:

Developer Commands:

Database Backend Commands:

To see all the payloads that are available in the Metasploit framework, we use the command “show payloads”. It lists all the available payloads in alphabetical order.

msf > show payloads

To see all the exploits that are available in the Metasploit framework, we use the command “show exploits”. It lists all the available exploits in alphabetical order, along with the date each was disclosed and the rank of the exploit, ranging from “excellent” to “average”.

msf > show exploits
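For patch triage, a listing like the one described above can be parsed and filtered by rank and disclosure date. The following Python is an added example, not code from the original post: the sample rows are constructed, the column layout is assumed to match what msfconsole prints, and parse_listing and triage are hypothetical helper names.

```python
import re
from datetime import date

# Metasploit's exploit ranking levels, most reliable first.
RANKS = ["excellent", "great", "good", "normal", "average", "low", "manual"]

# Constructed sample in the column layout assumed for a "show exploits" listing;
# module names, dates and descriptions are made up for illustration.
SAMPLE = """\
   #  Name                          Disclosure Date  Rank       Check  Description
   -  ----                          ---------------  ----       -----  -----------
   0  exploit/example/ftp_backdoor  2011-07-03       excellent  No     Example FTP backdoor
   1  exploit/example/generic_hdlr                   manual     No     Example generic handler
   2  exploit/example/smb_overflow  2017-03-14       average    Yes    Example SMB overflow
   3  exploit/example/web_uploader  2020-01-09       great      Yes    Example web file upload
"""

def parse_listing(text):
    """Parse the fixed-width table into dicts keyed by column header."""
    lines = [l for l in text.splitlines() if l.strip()]
    # The dashed underline marks where every column starts.
    idx = next(i for i, l in enumerate(lines) if set(l) <= set(" -"))
    starts = [m.start() for m in re.finditer(r"-+", lines[idx])]
    spans = list(zip(starts, starts[1:] + [None]))
    headers = [lines[idx - 1][a:b].strip() for a, b in spans]
    rows = []
    for line in lines[idx + 1:]:
        # Slice by column offset: splitting on whitespace would shift every
        # field left when the disclosure date is blank.
        row = dict(zip(headers, (line[a:b].strip() for a, b in spans)))
        d = row["Disclosure Date"]
        row["Disclosure Date"] = date.fromisoformat(d) if d else None
        rows.append(row)
    return rows

def triage(rows, min_rank="great"):
    """Return modules ranked min_rank or better, newest disclosure first."""
    cutoff = RANKS.index(min_rank)
    keep = [r for r in rows if RANKS.index(r["Rank"]) <= cutoff]
    return sorted(keep, key=lambda r: r["Disclosure Date"] or date.min,
                  reverse=True)

if __name__ == "__main__":
    for r in triage(parse_listing(SAMPLE)):
        print(r["Rank"], r["Disclosure Date"], r["Name"])
```
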

To see the list of all the auxiliaries available in the Metasploit framework, we can use the command “show auxiliary”. As mentioned earlier, auxiliary modules include scanners, denial of service modules, fuzzers, and more.

msf > show auxiliary

To see the list of all the post-exploitation modules available in the Metasploit framework, we can use the command “show post”. Post modules are used for post-exploitation on a compromised target machine, to gather evidence or pivot deeper into the network.

msf > show post

To see the list of all the encoders available in the Metasploit framework, we can use the command “show encoders”. These are used to obfuscate modules to avoid detection by a protection mechanism such as an antivirus or a firewall.

msf > show encoders

To see the list of all the nops available in the Metasploit framework, we can use the command “show nops”. They are used to keep the size of the payload consistent across exploit attempts.

msf > show nops
