Before we take a deep dive into various aspects of the Metasploit Framework, let's first lay a solid foundation of some of the absolute basics. In this chapter, we'll conceptually understand what penetration testing is all about and where the Metasploit Framework fits in exactly. We'll also browse through some of the additional tools that enhance the Metasploit Framework's capabilities.
In this chapter, we will cover the following topics:
The following software is required:
For over a decade or so, the use of technology has been rising exponentially. Almost all businesses are partially or completely dependent on the use of technology. From Bitcoins to the cloud to the Internet of Things (IoT), new technologies are popping up each day. While these technologies completely change the way we do things, they also bring along threats with them. Attackers discover new and innovative ways to manipulate these technologies for fun and profit! This is a matter of concern for thousands of organizations and businesses around the world.
Organizations worldwide are deeply concerned about keeping their data safe. Protecting data is certainly important. However, testing whether adequate protection mechanisms have been put to work is also equally important. Protection mechanisms can fail, hence, testing them before someone exploits them for real is a challenging task. Having said this, vulnerability assessments and penetration testing have gained high importance and are now trivially included in all compliance programs. If the vulnerability assessment and penetration testing is done correctly, it significantly helps organizations gain confidence in the security controls that they have put in place and that they are functioning as expected!
We will now move on to understanding the difference between vulnerability assessments and penetration testing.
Vulnerability assessments and penetration testing are two of the most common phrases that are often used interchangeably. However, it is important to understand the difference between the two. To understand the exact difference, let's consider a real-world scenario.
A thief intends to rob a house. To proceed with his robbery plan, he decides to recon his robbery target. He visits the house (that he intends to rob) casually and tries to gauge what security measures are in place. He notices that there is a window at the back of the house that is often open and so it's easy to break in. In our terms, the thief just performed a vulnerability assessment. Now, after a few days, the thief actually goes to the house again and enters through the back window that he had discovered earlier during his recon phase. In this case, the thief performed an actual penetration into his target house with the intent of robbery.
This is exactly what we can relate to in the case of computing systems and networks. You can first perform a vulnerability assessment of the target in order to assess the overall weaknesses in the system and then later perform a planned penetration test to practically check whether the target is vulnerable or not. Without performing a vulnerability assessment, it would be difficult to plan and execute the actual penetration.
While most vulnerability assessments are non-invasive by nature, the penetration test could cause damage to the target if not done in a controlled manner. Depending on the specific compliance needs, some organizations choose to perform only a vulnerability assessment, while others go ahead and perform a penetration test as well.
Now that we have understood the difference between vulnerability assessments and penetration testing, let's move on to understand the need for a penetration testing framework.
Penetration testing is not just about running a set of a few automated tools against your target. It's a complete process that involves multiple stages and each stage is equally important for the success of the project. Now, for performing all the tasks throughout every stage of penetration testing, we would need to use various tools and might need to perform some tasks manually. Then, at the end, we would need to combine the results from all the different tools together to produce a single meaningful report. This is certainly a daunting task. It would be really easy and timesaving if one single tool could help us perform all the required tasks for penetration testing. This exact need is satisfied by a framework such as Metasploit.
Now let's move on to learning more about the Metasploit Framework.
The birth of Metasploit dates back to 16 years ago, when H. D. Moore, in 2003, wrote a portable network tool using Perl. By 2007, it was rewritten in Ruby. The Metasploit project received a major commercial boost when Rapid7 acquired the project in 2009. Metasploit is essentially a robust and versatile penetration testing framework. It can literally perform all the tasks that are involved in a penetration testing life cycle. With the use of Metasploit, you don't really need to reinvent the wheel! You just need to focus on the core objectives, the supporting actions will all be performed through various components and modules of the framework. Also, since it's a complete framework and not just an application, it can be customized and extended as per our requirements.
Metasploit is, no doubt, a very powerful tool for penetration testing. However, it's certainly not a magic wand that can help you hack into any given target system. It's important to understand the capabilities of Metasploit so that it can be leveraged optimally during penetration testing.
IMPORTANT NOTE:
Did you know? The Metasploit Framework has more than 3,000 different modules available for exploiting various applications, products, and platforms, and this number is growing on a regular basis.
While the initial Metasploit project was open source, after the acquisition by Rapid7, commercial-grade versions of Metasploit also came into existence. For the scope of this book, we'll be using the Metasploit Framework edition.
Ever since the Metasploit Framework was born 16 years ago, it has been through significant changes and improvements. In early 2019, Metasploit 5.0 was released, which is considered its first major release since 2011. While the Metasploit is commercially supported and developed by Rapid7, it also has rich community support, which enables its growth.
The latest Metasploit 5.0 version brings in a lot more features and improvements:
We'll now move on to learning when to use the Metasploit Framework in the penetration testing life cycle.
There are literally tons of tools available for performing various tasks related to penetration testing. However, most of the tools serve only one unique purpose. Unlike these tools, Metasploit can perform multiple tasks throughout the penetration testing life cycle. Before we check the exact use of Metasploit in penetration testing, let's have a brief overview of the various phases of penetration testing.
The following diagram shows the typical phases of the penetration testing life cycle:
Now let's move on to understanding the phases in detail:
Information gathering can be of two types, as follows:
Passive information gathering: Passive information gathering involves collecting information about the target through publicly available sources, such as social media and search engines. No direct contact with the target is made.
Active information gathering: Active information gathering involves the use of specialized tools, such as port scanners, to gain information about the target system. It involves making direct contact with the target system, hence there could be a possibility of the information gathering attempt being noticed by the firewall, Intrusion detection systems (IDS), or Intrusion prevention systems (IPS) in the target network.
Interestingly enough, Metasploit helps us in all the penetration testing stages listed previously.
The following table lists various Metasploit components and modules that can be used across all stages of penetration testing:
We'll gradually cover all the previous components and modules as we progress through the book. Now we move on to learn how we can make use of supplementary tools to make Metasploit even more effective.
So far, we have seen that Metasploit is a really powerful framework for penetration testing. However, it can be made even more useful if integrated with some other tools. This section covers a few tools that complement Metasploit's capability to perform more precise penetration on the target system. We'll start with the Nessus tool.
Nessus is a product from Tenable Network Security and is one of the most popular vulnerability assessment tools. It belongs to the vulnerability scanner category. It is quite easy to use, and it quickly identifies infrastructure-level vulnerabilities in the target system. Once Nessus tells us what vulnerabilities exist on the target system, we can then feed those vulnerabilities to Metasploit to see whether they can be exploited for real.
Its official website is https://www.tenable.com/.
The following screenshot shows the Nessus homepage:
Next, we will be discussing different OS-based installation steps for Nessus.
Please follow the following steps to install Nessus on Windows:
Please follow the following steps to install Nessus on Linux:
dpkg -i <name_of_installer>.deb.
Now we move on to understanding the next tool: Network Mapper (NMAP).
NMAP is a de-facto tool for network information gathering. It belongs to the information gathering and enumeration category. At a glance, it may appear to be quite a small and simple tool. However, it is so comprehensive that a complete book could be dedicated to how to tune and configure NMAP as per our requirements. NMAP can give us a quick overview of what ports are open and what services are running in our target network. This feed can be given to Metasploit for further action. While a detailed discussion of NMAP is out of the scope of this book, we'll certainly cover all the important aspects of NMAP in the later chapters.
Its official website is https://nmap.org/.
The following screenshot shows a sample NMAP scan:
While the most common way of accessing NMAP is through the command line, NMAP also has a graphical interface known as Zenmap, which is a simplified interface on the NMAP engine, as follows:
Next, we will be discussing different OS-based installation steps for NMAP.
Please follow the following steps to install NMAP on Windows:
Important Note:
WinPCAP is a program that is required in order to run tools such as NMAP, Nessus, and Wireshark. It contains a set of libraries that allow other applications to capture and transmit network packets.
Please follow the following steps to install NMAP on Linux.
NMAP is, by default, installed on Kali Linux. However, if it is not installed, you can use the following command to install it:
root@kali:~#apt-get install nmap
Now we move on to understand the next tool: w3af
w3af is an open-source web application security scanning tool. It belongs to the web application security scanner category. It can quickly scan the target web application for common web application vulnerabilities, including the OWASP Top 10. w3af can also be effectively integrated with Metasploit to make it even more powerful.
Its official website is http://w3af.org/:
We will now discuss the various OS-based installation steps for w3af.
w3af is not available for the Windows platform.
w3af is, by default, installed on Kali Linux. However, if it is not installed, you can use the following command to install it:
root@kali:~# apt-get install w3af
Now we move on to understanding the next tool: Armitage.
Armitage is an exploit automation framework that uses Metasploit at the backend. It belongs to the exploit automation category. It offers an easy-to-use user interface for finding hosts in the network, scanning, enumeration, finding vulnerabilities, and exploiting them using Metasploit exploits and payloads. We'll look at an overview of Armitage in Chapter 9, Cyber Attack Management Using Armitage.
Its official website is http://www.fastandeasyhacking.com/index.html.
We can see the console for exploit automation in the following screenshot:
The following are the various OS-based installation steps for Armitage:
root@kali:~# apt-get install armitage
PostgreSQL, Metasploit, and Java are required to set up and run Armitage. However, these are already installed on the Kali Linux system.
We started this chapter with understanding the relevance of penetration testing and then glanced at the practical difference between vulnerability assessment and penetration testing. We then tried to understand the exact need of a penetration testing framework and got introduced to the Metasploit Framework. We also covered the new features introduced as part of latest Metasploit 5.x Framework.
We also got an overview on when to use the Metasploit Framework in the penetration testing life cycle along with some other useful tools like Nessus, NMAP, and so on.
Now that we have got a high-level overview of what Metasploit is all about and the new features in the latest Metasploit 5.0 version, its applicability in penetration testing, and supporting tools, we'll browse through the installation and environment setup for Metasploit in the next chapter.
You can try the following exercises:
More information on the Metasploit Framework along with various versions can be found at https://metasploit.help.rapid7.com/docs.