Metasploit Framework & Metasploitable

Install on Crunchbang

Set up Developer Environment

Most of what I do is from the official Rapid7 Development Environment Guide.

Install any missing deps:

sudo apt-get -y install \
build-essential zlib1g zlib1g-dev \
libxml2 libxml2-dev libxslt-dev locate \
libreadline6-dev libcurl4-openssl-dev git-core \
libssl-dev libyaml-dev openssl autoconf libtool \
ncurses-dev bison curl wget postgresql \
postgresql-contrib libpq-dev \
libapr1 libaprutil1 libsvn1 \
libpcap-dev git

Other steps that I am skipping for now:

Clone Repo

I usually do this into some sort of bin/ directory. I'll use ~/bin for now.

git clone https://github.com/rapid7/metasploit-framework.git

Bundle

rvm install ruby-1.9.3-p448
gem install bundler
cd ~/bin/metasploit-framework
bundle install

Start Metasploit console:

Just run ./msfconsole to make sure that the whole thing is working. Yay!

It should look something like this:

     ,           ,
    /             \
   ((__---,,,---__))
      (_) O O (_)_________
         \ _ /            |\
          o_o \   M S F   | \
               \   _____  |  *
                |||   WW|||
                |||     |||


Frustrated with proxy pivoting? Upgrade to layer-2 VPN pivoting with
Metasploit Pro -- type 'go_pro' to launch it now.

       =[ metasploit v4.7.2-2013103001 [core:4.7 api:1.0]
+ -- --=[ 1215 exploits - 660 auxiliary - 189 post
+ -- --=[ 322 payloads - 30 encoders - 8 nops

msf >

Usage

Disclaimer: This is not the definitive Metasploit guide. For a more complete tutorial, check out Metasploit Unleashed.

My goal is to document some of my self-study efforts with MSF against the Metasploitable VM.

Metasploitable

Metasploitable is an intentionally vulnerable server image which can be used for educational or testing purposes. It's a pretty handy way to get oriented to the framework.

You can download the Metasploitable VM here.

Scanning with MSF & Nmap

You can use nmap directly from inside msf. A simple scan of the Metasploitable VM looks like this:


msf > nmap 10.13.37.136
[*] exec: nmap 10.13.37.136


Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-12 10:24 EST
Nmap scan report for 10.13.37.136
Host is up (0.0067s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
# Yikes!

Note: If you configure MSF to use a database such as postgres, you can feed the nmap results directly into it via the db_nmap command. I will be doing all of these examples without a database connected.
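Without a database connected, the scan results above only exist as text in the console. The following Ruby script is an added example (not part of the original post or of Metasploit itself) that parses that normal-format nmap output into port entries and flags the legacy cleartext services Metasploitable exposes; the sample input is a constructed excerpt of the scan shown above, and the service labels are this example's own.

```ruby
# Added example: parse the "PORT STATE SERVICE" table that nmap prints (and
# that msfconsole echoes back) and flag services worth a defender's review.
# SAMPLE_NMAP_OUTPUT is a constructed excerpt of the scan output on this page.
SAMPLE_NMAP_OUTPUT = <<~OUT
  Nmap scan report for 10.13.37.136
  Host is up (0.0067s latency).
  Not shown: 977 closed ports
  PORT     STATE SERVICE
  21/tcp   open  ftp
  22/tcp   open  ssh
  23/tcp   open  telnet
  512/tcp  open  exec
  513/tcp  open  login
  514/tcp  open  shell
  1524/tcp open  ingreslock
  3306/tcp open  mysql
  8180/tcp open  unknown
  Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
OUT

# Services that send credentials or sessions in cleartext. The labels are
# this example's own assumption, not anything nmap or Metasploit emits.
LEGACY_CLEARTEXT = {
  'ftp'    => 'cleartext credentials',
  'telnet' => 'cleartext login',
  'exec'   => 'rexec (r-services)',
  'login'  => 'rlogin (r-services)',
  'shell'  => 'rsh (r-services)',
}.freeze

PortEntry = Struct.new(:port, :proto, :state, :service)

# Returns one PortEntry per "<port>/<proto> <state> <service>" line; header,
# summary and "Not shown" lines do not match the pattern and are skipped.
def parse_nmap(text)
  text.each_line.map do |line|
    m = line.match(%r{^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)})
    PortEntry.new(m[1].to_i, m[2], m[3], m[4]) if m
  end.compact
end

# The scanned host, taken from the "Nmap scan report for" line (nil if absent).
def host_of(text)
  text[/^Nmap scan report for (\S+)/, 1]
end

# Open ports running a service from LEGACY_CLEARTEXT, as review lines.
def review(entries)
  entries.select { |e| e.state == 'open' && LEGACY_CLEARTEXT.key?(e.service) }
         .map { |e| "#{e.port}/#{e.proto} #{e.service}: #{LEGACY_CLEARTEXT[e.service]}" }
end

if __FILE__ == $PROGRAM_NAME
  entries = parse_nmap(SAMPLE_NMAP_OUTPUT)
  puts "#{host_of(SAMPLE_NMAP_OUTPUT)}: #{entries.count { |e| e.state == 'open' }} open ports"
  review(entries).each { |line| puts "  review: #{line}" }
end
```

Feeding it the full scan from a real msfconsole session works the same way, since only the per-port lines are matched.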

Metasploitable Solutions