How do attackers actually build their attacks? The Metasploit Framework provides an answer. The versatile tool allows attack packages to be assembled, including suitable payloads, for a wide variety of targets.
Metasploit turns everyone into a hacker
Creating attacks is the great art of digital warfare. By hand it is enormously complex, but as with many other programming projects, frameworks help. In this case it’s Metasploit, an incredibly versatile and powerful tool. Even beginners can use it to put together digital attacks and break into systems in a short time.
A Metasploit attack basically consists of three components: the exploit, which provides access to the system; the payload, which is delivered and run once the exploit succeeds; and the post modules, which define what happens after the attack. As with a construction kit, different attacks can be assembled via the framework, depending on what is needed at the moment.
The big advantage of Metasploit is that users of the free community version also have access to the database of exploits. It is well stocked; even attacks such as EternalBlue can be added with a few clicks. The vendor Rapid7 has a very good guide that walks through installation and the first steps. A small note for Kali users: before starting Metasploit for the first time, the PostgreSQL database must be started. This is done with the command “service postgresql start”. You can verify that the database is running by typing “ss -ant”. The Metasploit database itself is initialized with “msfdb init”.
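The “ss -ant” check can be scripted so that the database is confirmed to be listening before “msfdb init” is run. The following is an added example, not part of the original article or of Metasploit itself; it assumes PostgreSQL on its default TCP port 5432, and the two ss outputs it inspects are constructed samples rather than output captured from a real host.

```shell
#!/bin/sh
# Added example (not from the article): check "ss -ant" output for a
# PostgreSQL listener before running "msfdb init". Reads ss output on stdin and
# returns 0 when a LISTEN socket on TCP port 5432 (PostgreSQL's default) exists.
postgres_listening() {
    # ss -ant columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
    awk '$1 == "LISTEN" && $4 ~ /:5432$/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Prints the next step an operator would take, based on the check above.
# $1 is the ss output to inspect (pass "$(ss -ant)" on a live system).
next_step() {
    if printf '%s\n' "$1" | postgres_listening; then
        echo "PostgreSQL is listening on 5432: run 'msfdb init'"
    else
        echo "PostgreSQL is not listening: run 'service postgresql start' first"
        return 1
    fi
}

# Constructed sample output in the format "ss -ant" prints; not captured from
# a real host. The first sample has the database up, the second does not.
SS_WITH_PG='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      244        127.0.0.1:5432       0.0.0.0:*
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
ESTAB  0      0        192.0.2.10:22        192.0.2.20:51234'

SS_WITHOUT_PG='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*'

next_step "$SS_WITH_PG"
next_step "$SS_WITHOUT_PG" || :
```

On a live Kali host the same check is `ss -ant | postgres_listening`; the awk filter matches only LISTEN sockets whose local address ends in “:5432”, so an established client connection to some other database would not count as a false positive.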
MSFconsole: The core of the framework
The heart of Metasploit is msfconsole. It controls all functions, launches attacks and administers the database. The console is opened by entering “msfconsole”. A short check then runs to confirm that all important components are available. After the greeting, a rotating welcome banner, you arrive at the input prompt, which should begin with “msf”. An overview of all commands is provided by the command “help”. With “exit” or “quit” you leave the console.
Basically, the handling is quite intuitive. Modules of any kind are loaded with “use” followed by the path to the module. But where do you get the right module? The “search” function helps. It is also very intuitive to use and takes the form “search operator:term”. Alternatively, modules and exploits can be looked up in Rapid7’s online database and the path then transferred to Metasploit.
Auxiliary: Little helpers
Before you start the actual attack, you need a target. It can be found with any tool in Kali; alternatively, targets can be located directly from Metasploit. There are numerous other functions as well; for example, the network scanner Nmap can be started directly within Metasploit. In addition, there are scanners for ports, for SMB, and many other use cases.
Exploits: Intrusion tool
Things get really exciting with the exploits. These are the classic, ready-made attack packages built around known vulnerabilities. A classic for Windows XP, for example, is MS08-067, an SMB vulnerability that provides direct access to a console on the Windows system. Another good choice against Windows systems is MS17-010, the EternalBlue attack.
In addition to the search function, exploits can also be listed with the “show exploits” command. Each entry carries a rank such as normal, good, great, or excellent, which describes how reliable the exploit is considered to be. The attack is loaded with “use” followed by the path to the exploit. Once an exploit is loaded, numerous new options become available. “show targets”, for example, lists the targets against which the attack is effective. “show payloads” lists the payloads this exploit supports. “show options” displays all available options, and “show evasion” shows ways to avoid detection. Depending on the exploit, the target host and other data must be entered.
Payload: What to do on the target?
Once the exploit is selected, the next question is the payload. As mentioned above, “show payloads” lists all compatible payloads. Basically there are several kinds: inline (single), staged, or Meterpreter. An inline payload is a single piece that is loaded immediately after the attack. A staged payload first plants a small stager that establishes a connection to the attacker and then fetches the rest piece by piece. This allows functions tailored specifically to the target system to be loaded afterwards.
Meterpreter is a special case. It is essentially a shell on the target system that offers an enormous number of functions. The difference from the other payloads is perhaps most easily explained this way: inline or staged payloads are automated and assign a specific function to the compromised target, whereas Meterpreter creates a versatile base from which the attacker can work against other systems on the network.
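The inline/staged distinction is visible in Metasploit’s payload names: a staged payload keeps the stage and the stager as separate path components (windows/meterpreter/reverse_tcp), while a single payload joins them with an underscore (windows/meterpreter_reverse_tcp) or has no stager part at all (windows/exec). The script below is an added example, not code from the article or from Metasploit; it classifies payload paths by that convention, which is handy when reviewing the “set payload” lines of an engagement log or report to see what actually ran on the test system. The list of known stage names is a heuristic I supply here, and the payload list at the end is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the article): tell staged from single (inline)
# payloads by Metasploit's naming convention. A staged payload keeps stage and
# stager as separate path components (windows/meterpreter/reverse_tcp); a single
# payload joins them with an underscore (windows/meterpreter_reverse_tcp) or has
# no stager part at all (windows/exec).
payload_kind() {
    path=$1
    before=${path%/*}             # everything up to the final component
    stage=${before##*/}           # component preceding the final one, e.g. meterpreter
    # Heuristic list of Metasploit stage names (assumption, not exhaustive).
    case "$stage" in
        meterpreter|shell|vncinject|dllinject|upexec|patchupmeterpreter|custom)
            echo staged ;;
        *)
            echo single ;;
    esac
}

# Reports whether the payload delivers Meterpreter, whichever way it is packaged.
# Matching "meterpreter" anywhere in the name is a deliberate heuristic.
uses_meterpreter() {
    case "$1" in
        *meterpreter*) echo yes ;;
        *) echo no ;;
    esac
}

# One-line summary for a report: <path> <kind> meterpreter=<yes|no>
describe_payload() {
    echo "$1 $(payload_kind "$1") meterpreter=$(uses_meterpreter "$1")"
}

# Constructed sample list of payload paths in Metasploit's naming scheme.
for p in windows/meterpreter/reverse_tcp \
         windows/x64/meterpreter_reverse_https \
         windows/shell/bind_tcp \
         windows/exec \
         linux/x86/shell_reverse_tcp; do
    describe_payload "$p"
done
```

The classifier only looks at the path, so it needs no Metasploit installation; on a real engagement log you would feed it the argument of each “set payload” line.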
Whichever payload is chosen, it is selected with “set payload” followed by the path to the payload. Alternatively, Metasploit can choose a payload itself automatically. Once all decisions have been made, the target is defined with “set RHOST”. When all settings are in place, the attack is launched with “exploit”.
Post: After the attack
Once the system has been infiltrated, the post modules come into play. They control what happens after the compromise. Meterpreter comes with numerous functions built in; alternatively, they can be loaded individually. These include keyloggers for recording input and modules that scan the network for additional targets.
This article only scratches the surface of Metasploit. The database of modules is huge, with new ones being added all the time. Also, you don’t have to rely on ready-made exploits or payloads; you can write both yourself. Meterpreter is a tool that by itself almost justifies a complete series of articles. What Metasploit does enormously well, however, is to lower the entry hurdle for digital attacks and demystify hacking a bit. With a little IT knowledge, you can have your first system hacked in a few hours (one under your own control, of course). It is also suitable for showing superiors how easy such attacks are. If you want to learn more about the solution, you should watch Rapid7’s videos and perhaps read one of the many books about Metasploit.
Note: Metasploit quickly takes you into the illegal realm. Attacks should only be carried out against systems that you control yourself – for example, in a virtualized test network.