- About the Author
- About the Technical Editor
- Credits
- Acknowledgments
- Foreword
- Introduction
- CHAPTER 1 Fundamental Networking and Security Tools
- CHAPTER 2 Troubleshooting Microsoft Windows
- CHAPTER 3 Nmap—The Network Mapper
- CHAPTER 4 Vulnerability Management
- CHAPTER 5 Monitoring with OSSEC
- CHAPTER 6 Protecting Wireless Communication
- CHAPTER 7 Wireshark
- CHAPTER 8 Access Management
- CHAPTER 9 Managing Logs
- CHAPTER 10 Metasploit
- CHAPTER 11 Web Application Security
- CHAPTER 12 Patch and Configuration Management
- CHAPTER 13 Securing OSI Layer 8
- CHAPTER 14 Kali Linux
- CHAPTER 15 CISv7 Controls and Best Practices
Installation
You have many options when it comes to installing Metasploit: the open source Metasploit Framework, the Framework installers for Linux or Windows, Metasploit Community, and Metasploit Pro. When you navigate to www.metasploit.com, there is a link on this Rapid7 site to github.com where you can download either the Linux/Mac OS version or the Windows 32‐bit version. These installers are rebuilt every single night. They also bundle the dependent software, such as Ruby and the PostgreSQL database that will manage all the information you collect during a penetration test. On Linux the installer integrates with the package manager, so keeping Metasploit up to date is easy.
Another option is to download Kali Linux, a Debian‐based distribution designed and maintained by an organization called Offensive Security. Kali ships with more than 600 penetration testing programs, including Metasploit Framework as well as some I have already covered in this book, such as Nmap and Wireshark. It also has some tools yet to be covered in this book (like Burp, which is covered in Chapter 11). Kali can run on bare metal as the operating system on a hard drive, or you can boot it from a USB drive. The most popular way of running Kali is in a virtual environment. I have done all of these, and my personal favorite is running it in a virtual environment. The benefit of deploying Kali in a virtual machine is the ability to take a snapshot, which preserves the state of a machine at a specific moment in time. It is cyber time travel and a safeguard should you make a mistake: you can return to that specific moment over and over again.
I covered Nmap in Chapter 3, “Nmap: The Network Mapper,” and the Nexpose Community vulnerability scanner in Chapter 4, “Vulnerability Management.” Both of these products give you data that can be imported into Metasploit. In this chapter, I cover installing Metasploit Community on a bare‐metal Windows machine. We are going to use Metasploit Community for two reasons: it is free, and it is the GUI version.
As security practitioners, we know that practice makes perfect. Once you have Metasploit installed, you can download deliberately vulnerable systems from the Open Web Application Security Project (OWASP) or Rapid7 to practice different types of exploitation. OWASP is a not‐for‐profit organization that focuses on improving security in software, and it publishes many vulnerable machine downloads so that you can explore exploiting different types of web applications. In future labs and examples in this book, I will be using a vulnerable system called Metasploitable2. Metasploitable2 was purposefully built as a training target for Metasploit and has many vulnerabilities to experiment with.
In Lab 10.1 , you'll install Metasploit Community on a Windows system.
Welcome to Metasploit! The splash screen you see makes for very informative reading. In Figure 10.4, there is an explanation of why there might be a warning regarding an insecure SSL certificate: the installer generates a self‐signed certificate for the web UI, so your browser cannot verify it against a trusted authority. It also explains that the Metasploit service can take upward of 10 minutes to initialize, and if you get a 404 error, just keep hitting the Refresh button. The URL you will navigate to in your browser is https://localhost:3790/. You can also use your Start menu and navigate down to the Metasploit folder to open the Metasploit Web UI. From that folder you will also have access to updating, starting, and stopping services as well as resetting your password.
Please have the license that was emailed to you ready. You are going to need it after you provide your username and password of choice. This credential pair needs to be as robust as possible, especially since this software will hold details about your network, operating systems, topology, and software that you do not want out in the public. After you create this initial account, you will be asked for the Metasploit license you requested in Lab 10.1. As you see in Figure 10.5, you will need to enter the 16‐digit license key and activate it while you are connected to the Internet.
After successful activation of your license, you are greeted with the Metasploit Community dashboard and the default project. If you click the blue hyperlink named default, you will open the overview page of a project. Think of a project as a container that holds all your notes. In Figure 10.6, you see the default project overview. Since you have just installed the software, there are no hosts or services discovered and no vulnerabilities identified, but there are several different ways to bring in data. You can launch a new scan, import a previous scan, launch an ad hoc Nexpose scan, or, if you have the Metasploit Pro version, use a tool called Sonar.
You will have to name the project, and you will want to add a description to remind you why you created this project. The beauty of Metasploit Community versus the Framework for the beginner is this ability to create projects through a GUI. It also makes reporting easier when you are done with your penetration test.
So, with a unique project name and description, all the passive and active reconnaissance you did earlier comes into play. You will need to define the network range you want to use in this specific project. As your strategy grows, you will need to carve out projects not just for your organization as a whole but for individual departments or devices. You can create individual projects to test human resources, marketing, engineering, and IT and give solid, logical feedback to each department. It also allows you to do some comparative analysis and present your findings to the proper entity, probably the person who signed your permission slip at the beginning of this engagement.
When you enter a default network range at the beginning of project creation, it will automatically populate the rest of the campaign. Be careful when you are entering project scope here in the form of IP addresses. If you make a simple mistake in just one octet of an IP address range, you might end up testing and compromising systems that do not belong to you. I normally triple‐check my scope in this phase of project creation so I do not have to worry quite so much running modules based on the project definition—I define the IP, triple‐check the range, and then check the box to restrict the network range. This is a safeguard to keep you within your network range. No tasks will be run against a target if its IP address doesn't fall in the network range you have provided.
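The Restrict To Network Range safeguard described above, written out as an added example (this is not code from the book or from Metasploit itself). It accepts the same range notations the Community UI takes: CIDR, single hosts, and the dash shorthand 192.168.1.1-254, then refuses any target outside the declared range or inside an exclusion list. The class and function names are this example's own, and the one‐octet typo 192.168.10.5 in the demo is the mistake the text warns about.

```python
"""
Scope guard for a Metasploit project: an added example, not code from the
book or from Metasploit itself. It models the Restrict To Network Range
checkbox: a task may run against a target only if the address lies inside
the project's declared range(s) and outside any exclusions. The range
notation accepted here mirrors what the Community UI takes: CIDR
(10.0.0.0/8), single hosts (192.168.1.7), and the dash shorthand
192.168.1.1-254 (.1 through .254). All names below are this example's own.
"""
import ipaddress


def parse_target_spec(spec: str) -> list:
    """Expand a whitespace-separated target spec into ip_network objects."""
    nets = []
    for token in spec.split():
        if "/" in token:
            # strict=False so 192.168.1.5/24 is read as the whole /24.
            nets.append(ipaddress.ip_network(token, strict=False))
        elif "-" in token:
            start, end = token.split("-", 1)
            first = ipaddress.ip_address(start)
            if "." not in end:
                # Shorthand a.b.c.x-y: only the last octet changes.
                end = ".".join(start.split(".")[:3] + [end])
            last = ipaddress.ip_address(end)
            if last < first:
                raise ValueError(f"range end precedes start: {token}")
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.ip_network(token))  # single host becomes /32
    return nets


class ScopedProject:
    """Holds a project's scope and answers 'may I touch this address?'."""

    def __init__(self, name: str, network_range: str,
                 excludes: str = "", restrict: bool = True):
        self.name = name
        self.allowed = parse_target_spec(network_range)
        self.excluded = parse_target_spec(excludes)
        self.restrict = restrict

    def in_scope(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        # Exclusions win regardless of the restrict setting.
        if any(addr in net for net in self.excluded):
            return False
        if not self.restrict:
            return True  # box unchecked: anything not excluded is fair game
        return any(addr in net for net in self.allowed)

    def filter_targets(self, targets) -> tuple:
        """Split a module's target list into (runnable, refused)."""
        runnable, refused = [], []
        for target in targets:
            (runnable if self.in_scope(target) else refused).append(target)
        return runnable, refused


if __name__ == "__main__":
    # Project MC1 with the default range; the gateway .1 is excluded.
    mc1 = ScopedProject("MC1", "192.168.1.1-254", excludes="192.168.1.1")
    # 192.168.10.5 is the one-octet typo the text warns about.
    ok, refused = mc1.filter_targets(
        ["192.168.1.20", "192.168.1.1", "192.168.10.5", "192.168.1.255"])
    print("runnable:", ok)       # ['192.168.1.20']
    print("refused: ", refused)  # ['192.168.1.1', '192.168.10.5', '192.168.1.255']
```

Run it with a project whose `restrict` flag is False to see the other side of the checkbox: with the box unchecked, only explicit exclusions stop a task, which is why the text recommends ticking it before running modules.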
In Lab 10.2 , you'll create a Metasploit Community project.
LAB 10.2 : CREATING A METASPLOIT PROJECT
- Click the New Project button on the Project Listing toolbar. It is a green circle with a plus in the center.
- When the New Project page appears, you must enter a project name. When you see an asterisk after a field like Project Name, it means that the field is required before you can move to the next step. For the purposes of this lab, name this project MC1 .
- Under Description, enter the following text: This is my first Metasploit Community project.
- Note that there is not an asterisk by the Network Range field. You are not required to enter a network range, nor is the Restrict To Network Range box checked by default. This will be a decision you make based on how critical it is for you to stay in scope. The default range is 192.168.1.1–254. For this initial project, that range will be sufficient.
- Click Create Project.
If you need to edit a project in the future, you can select the project in question from the Project Listing page and click the Settings button in the toolbar, as shown in Figure 10.7 . It is not necessary to delete the entire project and start over.
In Lab 10.3 , you'll discover assets that might be vulnerable to attack.
LAB 10.3 : DISCOVERING VULNERABLE ASSETS
- Click the Metasploit Community logo in the upper‐left corner of the home page to refresh the page.
- Open your MC1 project.
- Click the Scan button in the Discovery window (see Figure 10.8 ).
- Review the target settings. If your personal network uses a private class A or class B address range (10.0.0.0/8 or 172.16.0.0/12) rather than the default 192.168.1.x, change the range to align with it.
- Click the Advanced Options button under the target addresses. Under the advanced options, you can exclude assets from being targeted as well as customize the scan itself. You can also choose the port scan speed depending on how stealthy you are trying to be.
- Leave all the defaults as they are and click Launch Scan in the lower‐right corner of the home page.
- Watch the different phases in the task pane as Metasploit discovers the devices that are available in the range you defined in the project (see Figure 10.9 ). The actions in the task pane are color coded as follows:
- White = information
- Green = progress
- Yellow = success
- Red = failure
NOTE
The scan shown in the figure is targeting my network. Your results will be different.
By watching the task pane, you see each of the four distinct phases. The first phase of the discovery scan is the ping sweep, which determines whether an asset is online. Once a host responds, Metasploit runs Nmap to identify the ports that are open; by default it looks for commonly open ports such as HTTP and SSH. The third phase examines key indicators, such as service banners and TCP/IP stack behavior, to fingerprint operating systems and versions. The last phase bubbles that information up into the project as hosts and services.
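The four phases above, traced through the data they produce, as an added example (not the book's or Metasploit's own code). Metasploit drives Nmap internally; the equivalent standalone commands are `nmap -sn <range>` for the ping sweep and `nmap -sS -sV -O -oX scan.xml <live hosts>` for the port, version, and OS phases, and the XML those produce is the same format the project import consumes. The code folds such XML into per‐host records resembling the Hosts and Services views. The XML sample is constructed for this example, not captured from a real scan, and the record names are the example's own.

```python
"""
The 'bubble up' phase of a discovery scan, reduced to its essentials.
Added example, not the book's or Metasploit's own code. The XML below is
constructed for the example, not captured from a real scan.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX scan.xml 192.168.1.0/24">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <hostnames><hostname name="lab-target" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.7p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.8"/></port>
      <port protocol="tcp" portid="445"><state state="closed"/>
        <service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="95"/>
        <osmatch name="Linux 2.4.X" accuracy="88"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.11" addrtype="ipv4"/>
  </host>
</nmaprun>"""


@dataclass
class Service:
    port: int
    proto: str
    name: str
    info: str  # product and version, empty when not fingerprinted


@dataclass
class Host:
    address: str
    hostname: Optional[str] = None
    os_name: Optional[str] = None
    services: List[Service] = field(default_factory=list)


def import_nmap_xml(xml_text: str) -> Dict[str, Host]:
    """Fold Nmap XML into host records keyed by IPv4 address."""
    hosts: Dict[str, Host] = {}
    root = ET.fromstring(xml_text)
    for h in root.iter("host"):
        # Phase 1 (ping): a host that never answered is not imported.
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = h.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        host = Host(address=addr.get("addr"))
        hn = h.find("hostnames/hostname")
        if hn is not None:
            host.hostname = hn.get("name")
        # Phase 2 (port scan): only open ports become services.
        for p in h.findall("ports/port"):
            st = p.find("state")
            if st is None or st.get("state") != "open":
                continue
            svc = p.find("service")
            name = svc.get("name", "") if svc is not None else ""
            parts = [svc.get("product"), svc.get("version")] if svc is not None else []
            info = " ".join(x for x in parts if x)
            host.services.append(
                Service(int(p.get("portid")), p.get("protocol", "tcp"), name, info))
        # Phase 3 (fingerprint): keep the highest-accuracy OS match.
        best = max(h.findall("os/osmatch"),
                   key=lambda m: int(m.get("accuracy", "0")), default=None)
        if best is not None:
            host.os_name = best.get("name")
        hosts[host.address] = host
    return hosts


if __name__ == "__main__":
    for host in import_nmap_xml(SAMPLE_NMAP_XML).values():
        print(host.address, host.hostname, host.os_name)
        for s in host.services:
            print(f"  {s.port}/{s.proto} {s.name} {s.info}".rstrip())
```

Point the function at a real `scan.xml` (`import_nmap_xml(open("scan.xml").read())`) and the result is the same hosts/services picture the Community project shows after a discovery scan; the down host and the closed port are dropped exactly as they are in the UI.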