Hunt down vulnerabilities with the Metasploit pen-testing tool
Security Tools
Metasploit: Just hearing the word brings sweat to the brow of some, whereas others regularly use this hacking tool to test their own systems for vulnerabilities (pen testing). This kind of level pegging in the cyber arms race is essential to maintaining secure operations – and not just for critical systems. Vulnerability management is a big market, and the skills of experienced pen testers are in demand; strategies for red team/blue team training and catch-the-flag setups fill entire books.
The Metasploit Framework, a modular penetration testing platform that "contains a suite of tools that you can use to test security vulnerabilities, enumerate networks, execute attacks, and evade detection" [1], has been written up in a number of books. Linux Magazine reported more than 12 years ago [2] about how the Dalai Lama and many a government had exploits foisted on them in PDFs [3]. Metasploit is everywhere.
Charly Kühnast also covered the topic in his Linux Magazine sys admin column [4], writing that caution is advisable: "If you mess around with a pen-testing tool on your own network, you might survive the consequences, but chances are you'll take the prize for outstanding recklessness." Charly's advice: "Use Metasploitable, perhaps the most broken Linux ever."
My experience with careless pen testing came when an overzealous OpenVPN course participant at Linuxhotel used a pen-testing tool and started scanning around on the training cloud at Hetzner with a slightly off netmask. Within minutes, the monitoring tools identified this undesirable behavior and simply shut down the training network – rounded off by a warning message mailed in UPPERCASE to the course instructor.
Secure Environment
If you want to learn pen testing with standard tools, you should first think about your environment. Normally, a virtual setup, limited to and isolated on a subnet; a virtual LAN (VLAN); or even a physically separate network will be the answer. For most users and newcomers, a virtual network within a virtualization solution such as VirtualBox or Libvirt should be perfectly okay; containers will also work.
In the following example, I install four virtual machines – Parrot Linux, Kali Linux, Windows 10, and Metasploitable – on qemu-kvm
and Libvirt for gaming (Figure 1). The first victim, Metasploitable, is an intentionally vulnerable virtual machine with a version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. Windows 10 acts as the second victim.
Parrot Linux and Kali Linux, which is the industry-standard OS for pen testing, conveniently already come with Metasploit in place. Parrot Linux also comes with a complete KDE desktop. The setup presented here also allows for uncomplicated testing of other pen-testing suites (e.g., Black Arch Linux with its 16GB of tools).
Overview
Much has happened since the last articles on Metasploit; the changelogs are long. Not all of the previously presented commands still work: Some have been renamed, and some have been removed or now have to be loaded retroactively as add-ons.
The development of the Metasploit project is progressing rapidly. Up-to-date information can always be found in the blog of Boston, Massachusetts, producer Rapid7 [5]. The Metasploit framework is open source software, was created around 2003 (in Perl at the time), and was re-implemented in Ruby starting in 2007. Rapid7 acquired the Metasploit project in 2009 and initially offered both an enterprise and a community edition; the latter was discontinued in 2019.
In this article, I introduce the (free) Metasploit Framework (MSF). It is by no means only available for Kali Linux or Parrot Linux, but if you want a fancy web GUI, you should take a look at MSF Pro (Figure 2), which is the name of the enterprise product Rapid7 has offered since 2010.
The Metasploit Framework is only one subproject, albeit the best known. The project also maintains a shellcode archive and the aforementioned Metasploitable image (Figure 3), among other things. "Maintaining" is perhaps too strong a word, because Metasploitable does not contain many new vulnerabilities, although it is certainly good enough to use for learning from an attacker's (red team) point of view.
Since around 2010, the number of exploits contained in Metasploit has exploded to more than 2,000. Additionally, countless new targets have been added, including software from Adobe and Oracle and new databases. The framework includes hundreds of payloads (malicious code to embed) and new modules for scanning, fuzzing, and sniffing. The auxiliary modules are divided into scanner, admin, and server modules.
Workflow
The Metasploit Framework is available for Windows, Linux, and Mac. The workflow is quite simple and always follows the same structure of five steps (Figure 4 shows four steps):
- Find a vulnerability, such as a security hole or a starting point for a potential attack (e.g., an insecure password or a running, outdated, or unpatched service).
- Configure a suitable exploit for the vulnerability.
- Select a payload (i.e., malware or a remote control program suitable for the attacker's purpose that you can install with the exploit through the security hole).
- Make various adjustments to the exploit and payload (e.g., configuration to reflect the address of the command-and-control server for the return channel).
- Execute the attack (
run
).
Working with pen-testing tools always follows the principle of trial and error. It is a kind of puzzle that can be great fun and frequently leads to adrenaline-fueled feelings of success, such as when you have hijacked a Windows 10 machine for the first time without entering a password. That said, it does makes sense to share your own experiences with the Metasploit community – for example, on GitHub [6].
Buy this article as PDF
(incl. VAT)