The framework bundles a wide range of exploitation and penetration testing tools.
Information security teams most commonly use Metasploit for penetration testing (or “ethical hacking”) to identify and remediate any existing vulnerabilities across an organization’s networks.
Cybercriminals can maliciously use these same capabilities from Metasploit to identify and exploit vulnerabilities on a target system.
Metasploit was originally developed in 2003 by H.D. Moore, under the Metasploit Project, as a portable network tool written in Perl. In 2007 the framework was entirely rewritten in Ruby, and in 2009 the Metasploit Project was acquired by Rapid7. It has been a favorite tool among IT and security professionals since 2003.
Rapid7 has since developed a commercial edition, Metasploit Pro, which provides users with full penetration testing automation along with other advanced features, including:
- Manual Exploitation
- Anti-virus and IPS/IDS Evasion
- Proxy Pivot
- Post-Exploitation Modules
- Session Clean Up
- Credentials Reuse
- Social Engineering
- Payload Generator
- VPN Pivoting
- Vulnerability Validation
- Web Application Testing
How Does Metasploit Work?
The Metasploit Framework architecture consists of the following parts:
Interfaces
Interfaces are the different platforms through which users can access the Metasploit Framework.
There are four interfaces available:
- MSFConsole (Metasploit Framework Console): The most widely-used Metasploit interface, the Metasploit console allows users to access the Metasploit Framework through an interactive command line interface.
- MSFWeb: A browser-based interface that allows users to access the Metasploit framework.
- Armitage: Developed by Raphael Mudge in 2013, Armitage is a Java-based graphical interface that allows security red teams to collaborate by sharing their access to compromised hosts.
- RPC (Remote Procedure Call): Allows users to programmatically drive the Metasploit Framework using HTTP-based remote procedure call (RPC) services. In addition to Metasploit’s native Ruby, RPC services can operate through other languages, such as Java, Python, and C.
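The RPC interface above is driven by HTTP requests whose bodies are MessagePack-encoded arrays: the first element is the method name, `auth.login` takes a username and password, and every later method takes the returned session token as its first argument. The following Ruby is an added example written for this page, not Rapid7's msfrpc-client gem or any code from the framework. It assumes the framing, the `/api/` endpoint, the `binary/message-pack` content type and msfrpcd's default port 55553 as described in Rapid7's RPC API documentation (verify against the current docs before relying on them), and it hand-rolls a tiny MessagePack codec so that it runs with no extra gems. No network call is made; it only builds the request objects and decodes a constructed sample reply.

```ruby
require 'net/http'
require 'uri'

# Minimal MessagePack encoder/decoder covering the types the RPC framing needs
# (nil, booleans, unsigned ints, strings, arrays, maps). A real client would use
# the msgpack gem; this hand-rolled codec exists only so the example runs alone.
module MiniMsgpack
  module_function

  def encode(obj)
    case obj
    when nil   then "\xC0".b
    when true  then "\xC3".b
    when false then "\xC2".b
    when Integer
      raise ArgumentError, 'only 0..2**32-1 supported' unless obj.between?(0, 2**32 - 1)
      if obj < 128 then [obj].pack('C')            # positive fixint
      elsif obj < 256 then "\xCC".b + [obj].pack('C')
      elsif obj < 65_536 then "\xCD".b + [obj].pack('n')
      else "\xCE".b + [obj].pack('N')
      end
    when String
      bytes = obj.b
      head = if bytes.bytesize < 32 then [0xA0 | bytes.bytesize].pack('C')   # fixstr
             elsif bytes.bytesize < 256 then "\xD9".b + [bytes.bytesize].pack('C')
             else "\xDA".b + [bytes.bytesize].pack('n')
             end
      head + bytes
    when Array
      head = obj.size < 16 ? [0x90 | obj.size].pack('C') : "\xDC".b + [obj.size].pack('n')
      obj.inject(head) { |buf, e| buf + encode(e) }
    when Hash
      head = obj.size < 16 ? [0x80 | obj.size].pack('C') : "\xDE".b + [obj.size].pack('n')
      obj.inject(head) { |buf, (k, v)| buf + encode(k) + encode(v) }
    else
      raise ArgumentError, "unsupported type #{obj.class}"
    end
  end

  def decode(bytes)
    value, _next = read(bytes.b, 0)
    value
  end

  # Returns [value, offset_of_next_item].
  def read(buf, pos)
    b = buf.getbyte(pos)
    raise ArgumentError, 'truncated msgpack data' if b.nil?
    case
    when b <= 0x7F                then [b, pos + 1]
    when b >= 0xA0 && b <= 0xBF   then read_str(buf, pos + 1, b & 0x1F)
    when b >= 0x90 && b <= 0x9F   then read_arr(buf, pos + 1, b & 0x0F)
    when b >= 0x80 && b <= 0x8F   then read_map(buf, pos + 1, b & 0x0F)
    when b == 0xC0                then [nil, pos + 1]
    when b == 0xC2                then [false, pos + 1]
    when b == 0xC3                then [true, pos + 1]
    when b == 0xCC                then [buf.getbyte(pos + 1), pos + 2]
    when b == 0xCD                then [buf.byteslice(pos + 1, 2).unpack1('n'), pos + 3]
    when b == 0xCE                then [buf.byteslice(pos + 1, 4).unpack1('N'), pos + 5]
    when b == 0xD9 || b == 0xC4   then read_str(buf, pos + 2, buf.getbyte(pos + 1))   # str8 / bin8
    when b == 0xDA || b == 0xC5   then read_str(buf, pos + 3, buf.byteslice(pos + 1, 2).unpack1('n'))
    when b == 0xDC                then read_arr(buf, pos + 3, buf.byteslice(pos + 1, 2).unpack1('n'))
    when b == 0xDE                then read_map(buf, pos + 3, buf.byteslice(pos + 1, 2).unpack1('n'))
    else raise ArgumentError, format('unsupported msgpack type byte 0x%02X', b)
    end
  end

  def read_str(buf, pos, len)
    [buf.byteslice(pos, len).force_encoding('UTF-8'), pos + len]
  end

  def read_arr(buf, pos, n)
    items = []
    n.times { v, pos = read(buf, pos); items << v }
    [items, pos]
  end

  def read_map(buf, pos, n)
    h = {}
    n.times { k, pos = read(buf, pos); v, pos = read(buf, pos); h[k] = v }
    [h, pos]
  end
end

# Builds (but does not send) Metasploit RPC requests. Assumed conventions: POST to
# /api/, body is a msgpack array [method, *args]; auth.login takes (user, pass),
# all other methods take the session token first. msfrpcd defaults to port 55553.
class MsfRpcRequest
  CONTENT_TYPE = 'binary/message-pack'

  def initialize(host:, port: 55553, ssl: true)
    @uri = URI("#{ssl ? 'https' : 'http'}://#{host}:#{port}/api/")
  end

  def login_body(user, pass)
    MiniMsgpack.encode(['auth.login', user, pass])
  end

  def call_body(token, method, *args)
    MiniMsgpack.encode([method, token, *args])
  end

  def build(body)
    req = Net::HTTP::Post.new(@uri)
    req['Content-Type'] = CONTENT_TYPE
    req.body = body
    req
  end
end

# Constructed sample of what a successful auth.login reply looks like once decoded.
SAMPLE_LOGIN_REPLY = MiniMsgpack.encode({ 'result' => 'success', 'token' => 'TEMPexample0001' })

if __FILE__ == $PROGRAM_NAME
  rpc = MsfRpcRequest.new(host: 'msf.lab.example', ssl: false)   # placeholder host
  req = rpc.build(rpc.login_body('msf', 'password'))
  puts "#{req.method} #{req.path} (#{req['Content-Type']}, #{req.body.bytesize} bytes)"
  puts MiniMsgpack.decode(SAMPLE_LOGIN_REPLY).inspect
end
```

Sending `req` with `Net::HTTP.start(uri.host, uri.port, use_ssl: true)` and decoding the response body with `MiniMsgpack.decode` gives the token that the `call_body` requests then carry; keep that token as secret as the msfrpcd password itself, since anyone holding it can drive the framework.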
Libraries
Libraries contain the different Metasploit Framework functions that allow users to run exploits without writing additional code.
There are three Metasploit libraries:
- REX: Handles most basic tasks; includes Base64, HTTP, SMB, SSL, and Unicode components.
- MSF Core: Provides the common API and defines the Metasploit Framework.
- MSF Base: Provides a user-friendly API on top of MSF Core.
Modules
The Metasploit Framework's work is done by modules, self-contained pieces of code that perform tasks like scans and target exploitation.
There are five main Metasploit module types, categorized by which tasks they perform:
- Payloads: Payloads are shellcode that performs the user's intended actions once an exploit has compromised a target system. They can be used to open a Meterpreter session or a command shell. Meterpreter is a sophisticated payload used during an attack to execute code and perform further exploratory tasks.
- Exploits: Execute command sequences to leverage system or application weaknesses and gain access to target systems.
- Posts (Post-Exploitation Modules): Posts allow users to conduct deeper information gathering and further infiltrate a target system after exploitation. For example, posts can be used to perform service enumeration.
- Encoders: Encoders obfuscate payloads in transit to ensure they are successfully delivered to the target system and evade detection from antivirus software, intrusion detection systems (IDSs), and intrusion prevention systems (IPSs).
- NOPs (No Operation): NOP generators create randomized no-operation byte sequences, used to pad payloads, to bypass intrusion detection and prevention systems.
- Auxiliaries: Auxiliary modules cover vulnerability scanning, port scanning, fuzzers, sniffers, and other supporting tools.
Tools and Plugins
Tools and plugins are add-ons to the Metasploit framework that extend its functionality. For example, the pattern_create tool is often used during exploit development to form non-repeating string patterns; the pentest plugin helps perform common tasks undertaken during penetration testing.
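To show what "non-repeating string patterns" buys an exploit developer, here is an added Ruby re-implementation of the cyclic-pattern idea behind pattern_create and its companion pattern_offset. It is written for this page and is not the framework's own Rex::Text code. Because no three-character window repeats within the first 20,280 bytes, a value that lands in a register or saved return address when an application under test crashes identifies exactly which offset of the input buffer it came from, which is how testers confirm a suspected overflow on a lab target.

```ruby
# Cyclic pattern generator and offset finder (added example, not Metasploit's
# own pattern_create / pattern_offset code). The pattern is built from triples
# <Upper><lower><digit> with the digit cycling fastest: "Aa0Aa1...Aa9Ab0...".
UPPER  = ('A'..'Z').to_a
LOWER  = ('a'..'z').to_a
DIGITS = ('0'..'9').to_a
MAX_UNIQUE = UPPER.size * LOWER.size * DIGITS.size * 3 # 20_280 bytes before repeating

# Build a pattern of exactly `length` bytes.
def pattern_create(length)
  raise ArgumentError, "length > #{MAX_UNIQUE} would repeat windows" if length > MAX_UNIQUE
  buf = +''
  UPPER.each do |u|
    LOWER.each do |l|
      DIGITS.each do |d|
        buf << u << l << d
        return buf[0, length] if buf.length >= length
      end
    end
  end
  buf[0, length]
end

# Locate a value observed in a crash. Accepts either the literal bytes ("Aa3")
# or a hex register value ("0x33614132"); hex values are tried little-endian
# first (how x86/x64 store them) and then big-endian. Returns nil if not found.
def pattern_offset(needle, length = MAX_UNIQUE)
  hay = pattern_create(length)
  match = needle.match(/\A0x(\h+)\z/i)
  return hay.index(needle) unless match

  hex = match[1]
  value = hex.to_i(16)
  formats = hex.length > 8 ? %w[Q< Q>] : %w[V N]   # 8-byte vs 4-byte register
  formats.each do |fmt|
    idx = hay.index([value].pack(fmt))
    return idx if idx
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  puts pattern_create(30)
  # Constructed crash value: a register holding bytes "2Aa3" read little-endian.
  puts pattern_offset('0x33614132')   # offset 8 in the pattern
end
```

In practice the tester sends `pattern_create(n)` as the oversized input, reads the faulting register value from the debugger, and feeds it to `pattern_offset`; if the result is nil the value did not come from the pattern, which usually means the crash is not controlled by that input.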
Attackers are always on the hunt for more sophisticated ways to exploit attack vectors, including zero-day vulnerabilities, in their campaigns.
Metasploit allows penetration testers to enact real-world hacking scenarios to keep up with hackers’ advanced techniques and avoid potential data breaches. The Metasploit Framework’s tools can be used to perform all stages of penetration testing, including:
- Information gathering: By using auxiliary modules such as portscan/syn, portscan/tcp, smb_version, db_nmap, scanner/ftp/ftp_version, and gather/shodan_search.
- Enumeration: By using smb/smb_enumshares, smb/smb_enumusers, and smb/smb_login.
- Gaining access: By using Metasploit's exploits and payloads.
- Privilege escalation: By using Meterpreter's use priv and getsystem commands.
- Maintaining access: By using Meterpreter's run persistence command.
- Covering tracks: By using anti-forensics post-exploit modules.
Metasploit offers security teams many benefits that strengthen their cybersecurity practices, including:
- Real-World Scenario Simulation: Pentesters can view an organization's systems from the perspective of an attacker. This visibility prepares them to improve network security by remediating discovered vulnerabilities and closing other attack vectors.
- Task Automation: Metasploit enables pentesters to automate many of the tedious tasks involved in the penetration testing process. Much of the basic code for these commands is stored in its libraries.
- Business Case Optimization: Metasploit provides clear reporting for executives on which vulnerabilities should be prioritized. With clear evidence of potential exploitation, security teams can build stronger business cases for the purchase of additional security tools that reduce the attack surface.
Despite its many benefits, Metasploit is not without its challenges. Some of the drawbacks of Metasploit include:
- Hacker Usage: While Metasploit is a staple in any pentester’s toolkit, it is also misused by hackers with malicious intent. For example, cybercriminals can use Metasploit’s tools in conjunction with open source intelligence to identify and exploit zero-day vulnerabilities.
- Legal Ambiguity: The invasive nature of Metasploit presents legal risks for not just cybercriminals, but even ethical hackers. Many organizations are moving their workflows to the cloud and using other third-party services to deal with their sensitive data. Testing data security across these systems could be in breach of contractual agreements, regardless of the relationship between the organization and the vendor. Organizations should ensure they are legally permitted to perform penetration testing on their vendors. Alternatively, they can invest in a third-party monitoring platform to assess vendors' security postures.
- Technical Issues: Attempting to exploit a system can have unwanted side effects. Both successful and unsuccessful attacks can result in crashed applications, unintentional denial-of-service (DoS) conditions, and other system failures.
- Incomplete Attack Surface Coverage: Pentesters should not rely solely on Metasploit to manage their attack surface, as vulnerabilities emerge much faster than they can be discovered. Data breaches should remain front of mind for security teams, meaning they must also invest in other solutions. Additional tools, like data leak detection solutions, complement Metasploit's capabilities by offering continuous monitoring of an organization's attack surface.
How to Use Metasploit
The best way to get started with the Metasploit Framework is to download the Metasploitable virtual machine (VM). Metasploitable is an intentionally vulnerable target, prebuilt into Kali Linux.
The VM allows users to test out the msfconsole interface and get a feel for the framework.
Here are some useful resources for learning the basics of Metasploit and its uses:
- Rapid7's Metasploit Documentation: Contains tutorials and additional information for both the Metasploit Framework and Metasploit Pro.
- Metasploit GitHub Wiki: How-to guides and additional resources.
- Metasploit Resource Portal: A collaboration of the open-source security community and Rapid7.
- Offensive Security's Metasploit Unleashed: A free, comprehensive course on how to use Metasploit for ethical hacking.
How to Get Metasploit
The Metasploit Framework can be accessed through a command-line console (msfconsole) or a web browser (msfweb).
Metasploit is currently supported on the following 64-bit operating systems:
- Ubuntu Linux 18.04 LTS (Recommended)
- Ubuntu Linux 16.04 LTS
- Ubuntu Linux 14.04 LTS
- Microsoft Windows Server 2019
- Microsoft Windows Server 2016
- Microsoft Windows Server 2012 R2
- Microsoft Windows Server 2008 R2
- Microsoft Windows 10
- Microsoft Windows 8.1
- Microsoft Windows 7 SP1+
- Red Hat Enterprise Linux Server 8 or later
- Red Hat Enterprise Linux Server 7.1 or later
- Red Hat Enterprise Linux Server 6.5 or later
- Red Hat Enterprise Linux Server 5.10 or later
MSFWeb is currently supported through the following browsers:
- Google Chrome (latest version)
- Mozilla Firefox (latest version)
- Microsoft Edge (latest version)
Download the Metasploit Framework: The Metasploit Framework's open source code is available on GitHub.
Download Metasploitable: The Metasploitable virtual machine is available as a free download.