Intro to Penetration Testing
If you are new to penetration testing, let me explain what it is before I introduce you to an exploitation tool.
Penetration testing is hacking with permission. You might have seen cool hackers on TV attacking computer systems without getting caught. But that’s not how it works in the real world.
If you hack someone without permission, there is a high chance that you will end up in jail. So, if you are planning to learn hacking with evil intentions, I am not responsible for any damage you cause. All my articles are purely educational.
So, if hacking is bad, why learn it in the first place? Every device on the internet is vulnerable by default unless someone secures it.
It's the job of the penetration tester to think like a hacker and attack his or her organization’s systems. The penetration tester then informs the organization about the vulnerabilities and advises on patching them.
Penetration testing is one of the highest-paid jobs in the industry. There is always a shortage of pen-testers since the number of devices on the internet is growing exponentially.
I recently wrote an article on the top ten tools you should know as a cybersecurity engineer. If you are interested in learning more about cybersecurity, check out the article here.
Right. Enough pep talk. Let’s look at one of the coolest pen-testing tools on the market — Metasploit.
Metasploit — The Complete Framework
Metasploit is a penetration testing framework that helps you find and exploit vulnerabilities in systems. It gives you everything you will need throughout an entire penetration testing lifecycle, from scanners to third-party integrations.
This includes reconnaissance, scanning, exploitation, privilege escalation, and maintaining access.
Metasploit is an open-source framework written in Ruby. Metasploit is written to be an extensible framework so that if you want to build custom features using Ruby, you can easily do that via plugins.
Rapid7, the company behind Metasploit, offers a premium version of Metasploit with advanced features.
Metasploit is also frequently updated with new exploits for vulnerabilities published in the Common Vulnerabilities and Exposures (CVE) list. So, if a new vulnerability is found and published, you can start scanning your systems right away.
Metasploit comes with anti-forensic and evasion tools built into it. Metasploit is also pre-installed in the Kali operating system.
Now that you know what Metasploit is, let's look at the core concepts of Metasploit.
Metasploit offers you a few key components to find and exploit vulnerabilities on a network. This includes exploits, payloads, auxiliaries, and so on. Let's look at each one of them in detail.
An exploit is a piece of code that takes advantage of a vulnerability in a system. These exploits perform specific actions based on how bad the vulnerability is.
Exploits can take advantage of software vulnerabilities, hardware vulnerabilities, zero-day vulnerabilities, and so on. Some of the common exploits include buffer overflows, SQL injections, and so on.
Metasploit offers a number of exploits that you can use based on the existing vulnerabilities in the target system. Metasploit exploits can be classified into two types:
- Active Exploits — Active exploits run on a target system, exploit the system, give you access or perform a specific task, and then exit.
- Passive Exploits — Passive exploits will wait until the target system connects to the exploit. This approach is often used by hackers on the internet asking you to download files or software. Once you do, you connect yourself to a passive exploit running on the hacker’s computer.
A payload is a piece of code that runs through the exploit. You use exploits to get into a system and payloads to perform specific actions.
For example, you can use a keylogger as a payload along with an exploit. Once the exploit is successful, it will install the keylogger on the target’s system.
Metasploit offers a good collection of payloads like reverse shells, bind shells, Meterpreter, and so on.
There are a few payloads that will work with the majority of exploits, but it takes some research to find the right payload that will work with the exploit. Once you choose an exploit, you can list the payloads that will work with that exploit using the ‘show payloads’ command in Metasploit.
There are a few types of payloads in Metasploit. The ones you will end up using the most are these three types:
- Singles — Payloads that work on their own. e.g. keyloggers.
- Stagers — Payloads that work with others, e.g. two payloads: one to establish a connection with the target, the other to execute an instruction.
- Meterpreter — Advanced payload that lives in the target’s memory, is hard to trace, and can load/unload plugins at will. We have a section on Meterpreter where I will explain it in detail.
Auxiliaries are modules that help you perform custom functions other than exploiting a system. This includes port scanners, fuzzers, sniffers, etc.
For example, you can use the CERT auxiliary to check for expired SSL certificates on a network. This is useful for system administrators who want to automate certificate management.
If you are familiar with Ruby, you can write your own auxiliaries. If you want to scan a network for specific vulnerabilities every week, you can write your own custom auxiliary module to do that. You can then use it to scan your network instead of using an existing scanner like Nmap.
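The certificate-expiry check described above, written here as an added example in plain Ruby using the standard OpenSSL library (it is not a Metasploit module and not code from the original article). The hostnames, dates and self-signed certificates are constructed sample input, and the function names are hypothetical.

```ruby
require 'openssl'

# Constructed sample input: build a self-signed certificate with chosen validity dates.
def make_cert(cn, not_before, not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# Classify one PEM certificate relative to `now` and a warning window in days.
def cert_status(pem, now: Time.now, warn_days: 30)
  cert = OpenSSL::X509::Certificate.new(pem)
  days_left = ((cert.not_after - now) / 86_400).floor
  state = if now < cert.not_before then :not_yet_valid
          elsif days_left < 0 then :expired
          elsif days_left <= warn_days then :expiring_soon
          else :ok
          end
  { subject: cert.subject.to_s, days_left: days_left, state: state }
end

# Return only the certificates that need attention, most urgent first.
def audit(inventory, now: Time.now, warn_days: 30)
  inventory.map { |host, pem| cert_status(pem, now: now, warn_days: warn_days).merge(host: host) }
           .reject { |r| r[:state] == :ok }
           .sort_by { |r| r[:days_left] }
end

# Constructed inventory (hypothetical hostnames); in practice the PEM data comes
# from your own certificate store or from hosts you administer.
NOW = Time.utc(2024, 6, 1)
INVENTORY = {
  'intranet.example.internal' => make_cert('intranet.example.internal', Time.utc(2023, 5, 1), Time.utc(2024, 5, 1)),
  'mail.example.internal'     => make_cert('mail.example.internal', Time.utc(2024, 1, 1), Time.utc(2024, 6, 15)),
  'wiki.example.internal'     => make_cert('wiki.example.internal', Time.utc(2024, 1, 1), Time.utc(2025, 6, 1)),
  'vpn.example.internal'      => make_cert('vpn.example.internal', Time.utc(2024, 7, 1), Time.utc(2025, 7, 1))
}.freeze

audit(INVENTORY, now: NOW).each do |r|
  puts format('%-28s %-14s %4d days', r[:host], r[:state], r[:days_left])
end
```

Passing a fixed `now` keeps the report reproducible; a weekly job would omit it and alert on any non-empty result.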
Now that you know how Metasploit functions, let's look at the tools that Metasploit offers.
MsfConsole is the default interface for Metasploit. It gives you all the commands you need to interact with the Metasploit framework.
There is a bit of a learning curve before you are familiar with the CLI, but once you are, it is easy to work with. Also, MsfConsole is the only way you can access all the features of Metasploit.
MsfConsole also offers tab completion for common commands. Making yourself familiar with the MsfConsole is an important step in your journey to becoming a Metasploit professional.
If you are working with large networks on a regular basis, chances are, you will need a place to store your data. This includes scan results, login credentials, and so on.
Metasploit offers a database management tool called msfdb. msfdb works on top of a PostgreSQL database and gives you a list of useful commands to import and export your results.
With msfdb, you can import scan results from external tools like Nmap or Nessus. Metasploit also offers a native db_nmap command that lets you scan and import results using Nmap within the msfconsole.
Finally, we have msfvenom (cool name, huh?). msfvenom enables you to generate custom payloads depending on your target.
Using an antivirus or a firewall can make a target system relatively secure. In those cases, existing Metasploit payloads might not work since they are generic for all systems falling under an operating system or a service.
msfvenom was built by combining two older tools that Metasploit had: msfpayload and msfencode. msfvenom lets you create and encode custom payloads for your exploits.
Based on the additional information you have on the target, you can craft your own payloads to achieve a higher success rate during your penetration test.
Meterpreter is an advanced payload in Metasploit. Unlike other payloads that perform a specific function, Meterpreter is dynamic and can be scripted on the fly.
If you can exploit a system and inject Meterpreter as the payload, here are some of the things you can do:
- Establish an encrypted communication between your system and the target.
- Dump password hashes from the target system.
- Search for files on the target’s filesystem.
- Upload / Download files.
- Take webcam snapshots.
Meterpreter is also incredibly stealthy. Since Meterpreter lives in the memory of the target, it is extremely hard to detect. It is also hard to trace the Meterpreter using forensic tools.
You can write Meterpreter scripts on the fly using Ruby to carry out custom functions. Meterpreter also has a Python module that gives you additional commands to execute Python scripts on the target machine.
Armitage is a graphical user interface for Metasploit, written in Java. Armitage is considered to be a great add-on for pen-testers familiar with the command-line interface.
The core feature of Armitage is to visualize targets and recommend exploits. Armitage is also scriptable, which means you can automate redundant tasks like host discovery.
Armitage is extremely useful when you are working with a large number of systems in a network. You can use Armitage’s GUI to escalate privileges, browse files, dump password hashes, and so on.
Metasploit provides a suite of tools for you to perform a complete security audit of a network. Metasploit is frequently updated with the vulnerabilities published in the Common Vulnerabilities and Exposures (CVE) database.
You can also use other tools like Nmap and Nessus with Metasploit through integrations or by importing their scan reports into Metasploit. Metasploit also has a GUI tool called Armitage that lets you visualize targets and recommend exploits.
If you are interested in learning more about Metasploit, check out the detailed reference guide published by Offensive Security.