You are on page 1of 33

ScriptScriptScriptScriptScriptScriptScriptScript

Featured Story: How to Post to Null


Byte [4.10.15 Revision]
Script

Null Byte: The aspiring white-hat


hacker/security awareness
playground
Script

WonderHowTo

Hack Like a Pro: Metasploit for the Aspiring


Hacker, Part 1 (Primer & Overview)

occupytheweb 2 years ago

Hack Like a Pro: Metasploit for the Aspiring Hacker, Part 1


(Primer & Overview)
Welcome back, my tenderfoot hackers!
I have written many tutorials on hacking using Metasploit, including leaving no evidence behind
and exploring the inner architecture. Also, there are my Metasploit cheat sheets for commands
and hacking scripts.

With this guide, I'm starting a sequential and cumulative series for learning and using

Metasploit. This first part will cover the very basics of Metasploit for those of you who are new to
Null Byte, and as a refresher for those of you who are not. With that in mind, this will be quick
and dirty first lesson on using one of the most powerful hacking platforms on planet Earth.

Metasploit Background & Installation


Metasploit was developed by HD Moore as an open source project in 2003. Originally written in
Perl, Metasploit was completely rewritten in Ruby in 2007. In 2009, it was purchased by Rapid7,
an IT security company that also produces the vulnerability scanner Nexpose.
Metasploit is now in version 4.9.3, which is included in our Kali Linux. It's also built into
BackTrack. For those of you using some other version of Linux or Unix (including Mac OS), you
can download Metasploit from Rapid7's website.

For those of you using Windows, you can also grab it from Rapid7, but I do not recommend
running Metasploit in Windows. Although you can download and install it, some of the
capabilities of this hacking framework do not translate over to the Windows operating system,
and many of my hacks here on Null Byte will not work on the Windows platform.

Metasploit now has multiple products, including Metasploit Pro (the full commercial version) and
the Community edition that is built into Kali and remains free. We will focus all of our efforts on
the Community edition, as I am well aware that most of you will not be buying the $30,000 Pro
edition.

Ways to Use Metasploit


Metasploit can be accessed or used in multiple ways. The most common method, and the one I
use, is the interactive Metasploit console. This is the one that is activated by typing msfconsole
at the command line in Kali. There are several other methods as well.

Msfcli
First, you can use Metasploit from the command line, or in msfcli mode. Although it appears
that when we are in the console that we are using the command line, we are actually using an
interactive console with special keywords and commands. From the msfcli, we ARE actually
using a Linux command line.
We can get the help screen for msfcli by typing:
kali > msfcli -h

Now to execute an exploit from the msfcli, the syntax is simply:


kali > msfcli <the exploit> payload = <the payload> rhost = <IP> lhost = <IP> E
Where E is short for execute.
In my tutorial on creating payloads to evade AV software, we are using the msfencode and
msfpayload command in the command line (msfcli) mode.
The drawback to using the msfcli is that it is not as well-supported as the msfconsole, and you
are limited to a single shell, making some of the more complex exploits impossible.

Armitage
If you want to use Metasploit with a GUI (graphical user interface), at least a couple of options
are available. First, Raphael Mudge has developed the Armitage (presumably a reference to a
primary character in the seminal cyberhacking science fiction work, Neuromancera must read
for any hacker with a taste for science fiction).
To start Armitage in Kali, simply type:
kali > armitage

If Armitage fails to connect, try these alternative commands:


kali > service start postgresql
kali > service start metasploit
kali > service stop metasploit

Armitage is a GUI overlay on Metasploit that operates in a client/server architecture. You start
Metasploit as a server and Armitage becomes the client, thereby giving you full access to
Metasploit's features through a full featuredthought not completely intuitiveGUI. If you really
need a GUI to feel comfortable, I don't want to discourage you from using Armitage, but
mastering the command line is a necessity for any self-respecting hacker.

Modules
Metasploit has six different types of modules. These are:
1.
2.
3.
4.
5.
6.

payloads
exploits
post
nops
auxiliary
encoders

Payloads are the code that we will leave behind on the hacked system. Some people call these
listeners, rootkits, etc. In Metasploit, they are referred to as payloads. These payloads include
command shells, Meterpreter, etc. The payloads can be staged, inline, NoNX (bypasses the No
execute feature in some modern CPUs), PassiveX (bypasses restricted outbound firewall rules),
and IPv6, among others.
Exploits are the shellcode that takes advantage of a vulnerability or flaw in the system. These
are operating system specific and many times, service pack (SP) specific, service specific, port
specific, and even application specific. They are classified by operating system, so a Windows
exploit will not work in a Linux operating system and vice versa.
Post are modules that we can use post exploitation of the system.
Nops are short for No OPerationS. In x86 CPUs, it is usually indicated by the hex 0x90. It
simply means "do nothing". This can be crucial in creating a buffer overflow. We can view the
nops modules by using the show command.
msf > show nops

Auxiliary includes numerous modules (695) that don't fit into any of the other categories. These
include such things are fuzzers, scanners, denial of service attacks, and more. Check out my
article on auxiliary modules for more in-depth information for this module.
Encoders are modules that enable us to encode our payloads in various ways to get past AV an
other security devices. We can see the encoders by typing:
msf > show encoders

As you can see, there are numerous encoders built into Metasploit. Once of my favorites is
shikata_ga_nai, which allows us to to XOR the payload to help in making it undetectable by AV
software and security devices.

Searching
Ever since Metasploit 4 was released, Metasploit has added search capabilities. Previously, you
had to use the msfcli and grep to find the modules you were looking, but now Rapid7 has
added the search keyword and features. The addition of the search capability was timely as
Metasploit has grown dramatically, and simple eyeball searches and grep searches were
inadequate to search over 1,400 exploits, for instance.

The search keyword enables us to do simple keyword searches, but it also allows us to be a bit
more refined in our search as well. For instance, we can define what type of module we are
searching for by using the type keyword.
msf > search type:exploit

When we do so, Metasploit comes back with all 1,295 exploits. Not real useful.
If we know we want to attack a Sun Microsystems machine running Solaris (Sun's UNIX), we
may want may to refine our search to only solaris exploits, we can then use platform keyword.
msf > search type:exploit platform:solaris

Now we have narrowed our search down to only those exploits that will work against a Solaris
operating system.
To further refine our search, let's assume we want to attack the Solaris RPC (sunrpc) and we
want to see only those exploits attacking that particular service. We can add the keyword
"sunrpc" to our serach like below:
msf > search type:exploit platform:solaris sunrpc

As you can see, this narrows are results down to just five exploit modules!

Metasploit has many capabilities that are still untapped by us, so I will continue this Metasploit
series to explore the simplest to the most complex. In the meantime, try some of my Metasploit
hacks outlined in many Null Byte posts and keep coming back to this series on Metasploit to
learn to hack like a pro!
Cover image via WeakNet Labs

Related

How to Hack Like a Pro:

Getting Started with Metasploit

News: How to Study for the


White Hat Hacker Associate Certification (CWA)

Hack Like a Pro: Metasploit


for the Aspiring Hacker, Part 4 (Armitage)

Hack Like a Pro: How to


Exploit and Gain Remote Access to PCs Running Windows XP

Hack Like a Pro: Metasploit


for the Aspiring Hacker, Part 14 (Creating Resource Script Files)

Hack Like a Pro: Metasploit


for the Aspiring Hacker, Part 2 (Keywords)

How To: The Essential Skills


to Becoming a Master Hacker

Hack Like a Pro: Metasploit


for the Aspiring Hacker, Part 10 (Finding Deleted Webpages)

Hack Like a Pro: Metasploit


for the Aspiring Hacker, Part 8 (Setting Up a Fake SMB Server to
Capture Domain Passwords)

Hack Like a Pro: Metasploit


for the Aspiring Hacker, Part 13 (Web Delivery for Windows)

Hack Like a Pro: Metasploit


for the Aspiring Hacker, Part 6 (Gaining Access to Tokens)

Hack Like a Pro: How to


Use Hacking Team's Adobe Flash Exploit

Hack Like a Pro: Metasploit


for the Aspiring Hacker, Part 7 (Autopwn)

Hack Like a Pro: Metasploit


for the Aspiring Hacker, Part 9 (How to Install New Modules)

Hack Like a Pro: Metasploit


for the Aspiring Hacker, Part 3 (Payloads)

Hack Like a Pro: Metasploit


for the Aspiring Hacker, Part 11 (Post-Exploitation with Mimikatz)

Hack Like a Pro: Metasploit


for the Aspiring Hacker, Part 5 (Msfvenom)

Hack Like a Pro: How to


Remotely Install a Keylogger onto Your Girlfriend's Computer

Hack Like a Pro: Linux


Basics for the Aspiring Hacker, Part 11 (Apache Web Servers)

Hack Like a Pro: Exploring

the Inner Architecture of Metasploit

Hack Like a Pro: How to


Hack Windows Vista, 7, & 8 with the New Media Center Exploit

Hack Like a Pro: Getting


Started with BackTrack, Your New Hacking System
News: Student Sentenced to 8mo. in Jail for Hacking Facebook

Hack Like a Pro: Hacking


Samba on Ubuntu and Installing the Meterpreter

Goodnight Byte:
HackThisSite, Realistic 3 - Real Hacking Simulations

Community Byte:
HackThisSite, Realistic 3 - Real Hacking Simulations

Community Byte:
HackThisSite, Realistic 5 - Real Hacking Simulations

Community Byte:
HackThisSite Walkthrough, Part 2 - Legal Hacker Training

Community Byte:
HackThisSite, Realistic 4 - Real Hacking Simulations

News: Anonymous Hackers


Replace Police Supplier Website With Tribute to Jeremy Hamm

Goodnight Byte:
HackThisSite Walkthrough, Part 8 - Legal Hacker Training

Community Byte:
HackThisSite Walkthrough, Part 1 - Legal Hacker Training

Community Byte:
HackThisSite, Realistic 1 - Real Hacking Simulations

22 Comments
1
Murphy Mason 2 years ago
very well explain
Reply
-5
Tolis Prokop 2 years ago
I would like to see a tutorial about FB hacking, remotely.
Not in local Wifi, and not a simple phising page via kali LINUX.
thanks bro !
Reply
1
bart 2 years ago
Nice!, I find this very helpful for my virtual running Kali on my android, MSF always freaks out
when I try to open the msf command line, the kali > msfcli -h function will be very helpful!,
thanks. I'm looking forward to the rest of these series!
Bart

Reply
1
Matt buller 1 year ago - edited 1 year ago
Sir OTW,
For some reasons, i had to uninstall metasploit and reinstall it again.
i downloaded it and i have done the instructions to install it.
the metasploit-framework folder is located in /root (myusername)
it works when i double-click on the ruby script, but it gives the following error when i type
"msfconsole" in Terminal:
root@kali:~# msfconsole
/usr/lib/ruby/1.9.1/rubygems/customrequire.rb:36:in `require': cannot load such file -/usr/local/bin/config/boot (LoadError)
from /usr/lib/ruby/1.9.1/rubygems/customrequire.rb:36:in `require'
from /usr/local/bin/msfconsole:45:in `<main>'
root@kali:~#
i NEED metasploit to launch when i type "msfconsole". (im not lazy, but i need it for some
reasons).
What should i do?? (im sorry to bother you with this long article).
Reply
1
Metasploitation 9 months ago
probably the gems need updating.
run...
apt-get upgrade && bundler update && bundle update
Reply
1
occupytheweb 1 year ago
Matt:
Metasploit is built into Kali. No need to install.
OTW
Reply
1
Matt buller 1 year ago
I already know that sir, but i deleted the metasploit files completely and
is=nstalled it again.
Reply

1
occupytheweb 1 year ago
You might find it easier to simply re-install Kali.
Btw, why did you uninstall Metasploit in the first place?
Reply
1
Matt buller 1 year ago
No matter, i fixed metasploit files manually.
Reply
1
Junior Z 1 year ago
cannot start because of error.
https://bugs.kali.org/print_all_bug_page_word.php?
search=&sort=&dir=DESC&type_page=html&export=-1&show_flag=0
Reply
1
occupytheweb 1 year ago
Are you running it on Kali?
Reply
1
Junior Z 1 year ago
Yes OTW. Just find your posts, thx so much for the tutorials.
root@kali:~# uname -a
Linux kali 3.18.0-kali3-amd64 #1 SMP Debian 3.18.6-1~kali2 (2015-03-02) x8664 GNU/Linux
Reply
1
occupytheweb 1 year ago
Have you tried running msfupdate?
Reply
1
Junior Z 1 year ago
yes, did the update.
Reply
1

Junior Z 1 year ago


Temp fix:
root@kali:~# msfconsole.framework
* Starting the Metasploit Framework console...######## #
################# #
###################### #
######################### #
############################
##############################
###############################
###############################
##############################
# ######## #
## ### #### ##
### ###
#### ###
#### ########## ####
####################### ####
#################### ####
################## ####
############ ##
######## ###
######### #####
############ ######
######## #########
##### ########
### #########
###### ############
#######################
# # ### # # ##
########################
## ## ## ##
http://metasploit.pro
Save 45% of your time on large engagements with Metasploit Pro
Learn more on http://rapid7.com/metasploit
= metasploit v4.11.3-2015061001 [core:4.11.3.pre.2015061001 api:1.0.0]
-- --= 1463 exploits - 923 auxiliary - 243 post
-- --= 376 payloads - 37 encoders - 8 nops
-- --= Free Metasploit Pro trial: [http://r-7.co/trymsp
msf >
Reply
1
Jayson A. Coulter 11 months ago
very Informative Answered literally all my questions in one read through

Reply
1
Jason Slater 8 months ago
When I tried to use the 'msfcli' command I was approached with this error.
root@Kali:~# msfcli -h
bash: msfcli: command not found
Reply
1
occupytheweb 8 months ago
msfcli has been discontinued.
Reply
1
Jason Slater 8 months ago
Yeah just found that out and was about to delete my comment. Thanks anyway.
Just wondering, what are your opinions on the removal of msfcli?
I honestly am unsure how this comes into effect.
Reply
1
occupytheweb 8 months ago
It doesn't impact me at all. I use msfconsole
Reply
1
Jason Slater 8 months ago
So I'm not missing much?
Thanks for the help.
Reply
1
Lecres Van kersen 7 months ago
How would i be able to create a listener that a will use to a pc that we are in different networks...
My ip address keeps changing every time i restart my modem
Reply
Start a New Comment

Share Your Thoughts


You Login to Comment

Click to share your thoughts


Hot
Latest

Hack Like a Pro: Metasploit


for the Aspiring Hacker, Part 1 (Primer & Overview)

How To: Use a


Misconfigured SUID Bit to Escalate Privileges & Get Root

How To: Diceware Gives You


Truly Random Yet Easy-to-Memorize Passwords

Mac for Hackers: How to


Enable Full Disk Encryption to Protect Your Data

News: It's Time to Ditch

Your Yahoo Account

Mac for Hackers: How to

Get Your Mac Ready for Hacking

News: Mirai Botnet Source


Release Threatens Increased DDoS Attacks from Smart Home
Devices

News: Hello to the Null Byte

Community!

News: The Cheap USB Kill


Stick That Destroys Any Computer You Want

News: Samy's MagSpoof


Hacking Device Was Just Featured on Mr. Robot

How To: Disable WPAD on


Your PC So Your HTTPS Traffic Won't Be Vulnerable to the Latest
SSL Attack

News: 'Beast' Cracks

Billions of Passwords in Seconds

How To: Create an


Undetectable Trojan Using a Domain Name

How To: VBScript for

DDosing Sites

How to: Bomb Someone's

Whatsapp with VBScript 2.0

How To: Kick People Off

Your Internet

How To: Untrust the


Suspicious Blue Coat Certificate Authority on Mac or Windows

How To: Perform a Local

Privilege Escalation on Mac.

How To: Theme Your Kali

Linux

How To: Install Flash on

Kali Linux 2.0 Rolling

How To: Change Grub Boot

Loader Background
All Features

Hack Like a Pro: Metasploit


for the Aspiring Hacker, Part 1 (Primer & Overview)

How To: Use a


Misconfigured SUID Bit to Escalate Privileges & Get Root

How To: 4 Ways to Crack a


Facebook Password & How to Protect Yourself from Them

How To: Diceware Gives You


Truly Random Yet Easy-to-Memorize Passwords

Mac for Hackers: How to

Get Your Mac Ready for Hacking

Mac for Hackers: How to


Enable Full Disk Encryption to Protect Your Data

How To: Crack Any Master


Combination Lock in 8 Tries or Less Using This Calculator

News: It's Time to Ditch

Your Yahoo Account

How to Hack Wi-Fi:


Cracking WPA2-PSK Passwords Using Aircrack-Ng

News: Hello to the Null Byte

Community!

How to Hack Wi-Fi: Get


Anyone's Wi-Fi Password Without Cracking Using Wifiphisher

Hack Like a Pro: How to


Secretly Hack Into, Switch On, & Watch Anyone's Webcam
Remotely

How To: Get Unlimited Free


Trials Using a "Real" Fake Credit Card Number

How To: Hack Android

Using Kali (Remotely)

How To: The Hacks Behind


Cracking, Part 1: How to Bypass Software Registration

How To: Successfully Hack a

Website in 2016!

How To: Make Your Own

Bad USB

How To: Crack Wi-Fi


Passwords with Your Android Phone and Get Free Internet!

How To: Hack Wireless


Router Passwords & Networks Using Hydra

The Hacks of Mr. Robot:


How to Spy on Anyone's Smartphone Activity

Hack Like a Pro: How to


Spy on Anyone, Part 1 (Hacking Computers)

All Hot Posts


2016 WonderHowTo, Inc
Sections
Null Byte How-Tos
Python Training
Facebook Hacks
Security-Oriented C
Snort
Forensics
Hack Like a Pro
Metasploit Basics
Recon
Windows 7 Hacking
Dionaea
Electricity Basics
Linux Basics
Hacking Web Apps
Raspberry Pi
Evading AV Software
Networking Basics
Android
Advice from a Hacker
Mr. Robot Hacks
DB Hacking
Wi-Fi Hacking
Bluetooth Hacking
C/C++ for Hackers
Exploit Building
MitM
Password Cracking
Spy Tactics
Attack on Stack
Scripting
Kali Forensics
Shodan
Social Engineering
Listeners
Tor
Everything Else
News
Null Byte News
Anonymity & Darknets

Everything Else
Forum
Null Byte Forum
Featured Sites
WonderHowTo Home
Food Hacks Daily
Next Reality
Gadget Hacks
Null Byte
The Secret Yumiverse
MacGyverisms
Lock Picking
Mad Science
Mind Hacks
Categories
Alcohol
Arts & Crafts
Autos, Motorcycles & Planes
Beauty & Style
Business & Money
Computers & Programming
Dance
Dating & Relationships
Diet & Health
Disaster Preparation
Education
Electronics
Family
Film & Theater
Fine Art
Fitness
Food
Gambling
Games
Hobbies & Toys
Home & Garden
Hosting & Entertaining
Language
Magic & Parlor Tricks
Motivation & Self Help
Music & Instruments
Outdoor Recreation
Pets & Animals
Pranks & Cons
Software
Spirituality
Sports
Travel
Video Games
Weapons
Next Reality Sites
Next Reality Home

Augmented Reality News


Mobile AR News
Google Glass
Mixed Reality News
HoloLens
Magic Leap
Meta 2
Virtual Reality News
HTC Vive
Mobile VR News
Oculus Rift
Gadget Hacks Sites
Gadget Hacks Home
iOS Gadget Hacks
Android Gadget Hacks
Nexus
HTC One
Samsung Galaxy S5
Samsung Galaxy S3
Samsung GS4
Samsung Galaxy S6
Nexus 7
Samsung Galaxy Note 2
Samsung Galaxy Note 3
LG G3
Amazon Fire
OnePlus
Samsung Galaxy S7
Galaxy Note 4
Smartphones
Hacks, Mods & Circuitry
Mac Tips
Digiwonk
Internet
Windows Tips
Cord Cutters
Tablets
Tech Pr0n

Featured on WonderHowToFish Cooked in MilkIt's Not Gross, It's Magic

ScriptScriptScriptScriptScriptScriptScriptScriptScriptScriptScript

Script

You might also like