Disclaimer: The below article is meant to get you started with the basics, i.e. set up Metasploit and run your first scan. You do this at your own risk, and make sure you have permission from the network owner before you do anything. Better yet, do it on your own network.
I highly recommend that you read this article to get a more in-depth understanding: https://www.offsec.com/metasploit-unleashed/port-scanning/
Installing metasploit
Metasploit comes preinstalled with Kali, so nothing to do here.
Update metasploit
To update metasploit, you can run the following commands:
sudo apt update
sudo apt install metasploit-framework
In the olden days, or if you installed Metasploit yourself, you would’ve run this command:
sudo msfupdate
But nowadays, you will get an error such as: “msfupdate is no longer supported when Metasploit is part of the operating system“
Metasploit basics
Hackthebox explains this really well, so give this article a read, but the below image summarizes things quite well for our purposes.
Article: https://www.hackthebox.com/blog/metasploit-tutorial
All of the above components can also be found on disk in this folder:
/usr/share/metasploit-framework
For example, the Modules folder contains folders for auxiliary, encoders, payloads, etc. This is very useful as everything is well organized. This also allows you to browse the folder structures to help you find what you are looking for.
Starting msfconsole
msfconsole is the command line interface we will use to interact with Metasploit. But there are two steps we should perform before we start msfconsole:
Step 1: Check if postgreSQL is running
msfconsole does not strictly need PostgreSQL, but having it running helps a lot to keep track of hosts, host operating systems, module configs, etc.
systemctl list-units --type=service | grep postgresql
The above command is useful in case you have multiple PostgreSQL instances running, as it will show all of them. If you only have one PostgreSQL instance, you can enable and start it with these commands. The last command will show you the status, i.e. whether PostgreSQL is running or not.
systemctl enable postgresql.service
systemctl start postgresql.service
systemctl status postgresql.service
If you have more than one PostgreSQL instance, you can enable and start each of them as such. On Kali the per-instance units are named postgresql@<version>-<cluster>.service (for example the cluster is usually called "main"), so just replace the version numbers with the output you received from the list-units command above:
sudo systemctl enable postgresql@<version1>-main.service
sudo systemctl enable postgresql@<version2>-main.service
sudo systemctl start postgresql@<version1>-main.service
sudo systemctl start postgresql@<version2>-main.service
sudo systemctl status postgresql@<version1>-main.service
sudo systemctl status postgresql@<version2>-main.service
Step 2: msfdb
You only have to run the below command once. It will create the required database in postgreSQL and start up the necessary webservices for Metasploit:
sudo msfdb init
The init command will also start postgreSQL if it is not already started, but because so many things rely on postgreSQL, it is better to let it start up when Kali boots up like we did above.
If you want to check if msfdb has been set up before, you can run this command:
sudo msfdb status
If you need to reinitialize your database, which is useful if you are starting a new project, you can run the below command. Just keep in mind this will clear out your database.
sudo msfdb reinit
Searching Modules and Module Rank
The command “search” allows you to search all modules that contain a specific word. For example:
search snmp
This will show you a list of all modules containing the word “snmp” and it also shows the rank.
Module Rank
The module rank is rather important, as can be seen in the below table. Lower ranked modules could potentially crash a service on the remote host, or they might be more difficult to exploit. A module with a dot as its rank has not been ranked yet.
Scanning for hosts and ports
There are many ways you can scan for hosts. We will go through some of my favorites. There are many more scans that you can perform.
db_nmap
db_nmap will run nmap as per usual, but it will also add the hosts, their detected operating systems, open ports, etc. to the database.
db_nmap -sV -A 192.168.0.1/24
db_nmap -Pn 192.168.0.1/24
The second command takes quite long as it will treat all hosts as up. This is useful if you know a host is up but it is not responding to any probes.
Now you can run the “hosts” command to see a list of hosts you discovered.
You can also run the “services” command to get a list of all open ports and any headers/banners nmap was able to get:
TCP Scanners
Metasploit contains many, many, different types of scanners. Below I will show some examples of my favorites.
Take note: Instead of setting RHOSTS manually, you can do “hosts -R” which will read in all hosts you discovered using db_nmap, which could speed things up greatly as only online hosts will be scanned.
Portscan
use auxiliary/scanner/portscan/tcp
set RHOSTS <target_ip>
set PORTS 1-1000
run
You can also run an SMB version scan:
use auxiliary/scanner/smb/smb_version
set RHOSTS 192.168.1.122
run
And an SSH version scan:
use auxiliary/scanner/ssh/ssh_version
set RHOSTS 192.168.1.1
run
Don’t forget to scan for UDP services
db_nmap -sU -sV 192.168.1.114
Metasploit has several scanners for specific UDP services which are useful to run once your db_nmap scan is complete and picked up UDP services:
snmp scan
use auxiliary/scanner/snmp/snmp_login
set RHOSTS <target_ip>
run
Credentials
Let's say you ran the smb_login scanner and successfully connected to an SMB share. Metasploit will store this credential (username and password) in the database, and you can list stored credentials with the "creds" command.
use auxiliary/scanner/smb/smb_login
set RHOSTS 192.168.1.122
set SMBUser homeuser
set SMBPass XXX
run
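To make the scan sequence above (db_nmap, then the SMB, SSH and SNMP scanners over the discovered hosts, then a look at the stored credentials) repeatable, it can be wrapped in an msfconsole resource script. The script below is an added example, not code from the article or from the Metasploit project; it assumes a Kali-style setup with the postgresql.service unit from Step 1 and an msfdb that has already been initialised, and the workspace name is one you choose.

```shell
#!/usr/bin/env bash
# Added example: generate and run an msfconsole resource (.rc) file that
# chains the scan steps from the article. Assumes Kali paths and that
# "sudo msfdb init" has been run once already.
set -eu

# Write the resource script for one target range.
# $1 = target range (e.g. 192.168.0.0/24), $2 = workspace name, $3 = output path
write_scan_rc() {
  target="$1"; workspace="$2"; out="$3"
  cat > "$out" <<EOF
# Generated resource script: db_nmap first, then scanners over the hosts it found
workspace -a ${workspace}
db_nmap -sV ${target}
db_nmap -sU -sV --top-ports 20 ${target}
hosts
services
use auxiliary/scanner/smb/smb_version
hosts -R
run
use auxiliary/scanner/ssh/ssh_version
hosts -R
run
use auxiliary/scanner/snmp/snmp_login
hosts -R
run
creds
exit
EOF
}

# Check the prerequisites from Step 1 and Step 2; non-zero exit if something is missing.
check_prereqs() {
  systemctl is-active --quiet postgresql.service || { echo "postgresql.service is not running" >&2; return 1; }
  command -v msfconsole >/dev/null 2>&1 || { echo "msfconsole not found in PATH" >&2; return 1; }
  sudo msfdb status >/dev/null || { echo "msfdb status failed; run 'sudo msfdb init'" >&2; return 1; }
}

# Run the generated script non-interactively (-q suppresses the banner, -r loads the .rc file).
run_scan() {
  check_prereqs
  msfconsole -q -r "$1"
}

# Usage: ./scan.sh --run 192.168.0.0/24 [workspace]
if [ "${1:-}" = "--run" ]; then
  rc="$(mktemp)"
  write_scan_rc "$2" "${3:-basics}" "$rc"
  run_scan "$rc"
fi
```

"hosts -R" inside each module sets RHOSTS to the hosts already in the database, so only hosts that db_nmap actually found are scanned.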