This tutorial shows how to install Metasploit in Ubuntu Linux, how it works, and what you can do with this powerful security auditing tool.

What Is Metasploit?

Metasploit is a free, open-source tool for developing and executing exploit code. It comes with a large database of exploits for a variety of platforms and can be used to test the security of systems and look for vulnerabilities. It is a framework rather than a single tool and includes a wide range of tools for conducting penetration tests and security research.

Features of Metasploit:

- Develops exploit code
- Automated security testing
- Reverse engineering
- Password cracking
- Social engineering

Why Use the Metasploit Framework

One of the biggest advantages of Metasploit is that it is a single, cohesive software suite. Similar to an integrated development environment, the Metasploit Framework links together different tools and allows you to use them through a common interface. Metasploit also categorizes each tool depending on its use case, making it useful not only to security experts but also to novice users. The developers of the Metasploit Framework designed the software suite to be completely modular and extensible. You can create and design a highly custom toolkit for any specific target.

Requirements

Before you can install Metasploit, make sure that you have the following resources:

- A good amount of hard disk space. For the most part, you should allot between 10 and 20 GB of disk space for Metasploit, as the framework will create its own environment, along with its dependencies.
- 4 to 8 GB of system memory.
- A machine that is capable of virtualization, allowing you to create isolated environments to test Metasploit.

Installing the Metasploit Framework in Linux

For the most part, the installer script does three things on your machine. First, it imports the signing key from the Metasploit Framework's developers. The script then copies the repository address for Metasploit to your “/etc/apt/sources.list.d/” directory. Lastly, it downloads the Metasploit package through apt and corrects the PATH variable for the package.

The Metasploit console will ask a couple of questions about your setup. First, it will ask if you want to set up a database for your installation; press Y, then Enter, to do so. You will also be asked if you want to create a remote web service. This is useful if you want to create a headless instance for Metasploit. Press Enter here if you only want the program to run locally.

The console will create and configure the necessary files to run Metasploit. This process should take one to two minutes, and then the console will reload itself and load the Metasploit prompt.
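Since the installer adds a signing key and a repository to apt, it is worth checking afterwards how that repository is trusted. The following is an added example, not part of the original tutorial or of the Metasploit installer: it reads one-line apt source entries and reports whether each is pinned to its own keyring with signed-by and whether it is fetched over HTTPS. The host names and keyring path in the sample are constructed.

```shell
#!/bin/sh
# Added example: audit one-line apt source entries read from stdin.
# Prints "<uri> key-scoped|key-global https|plaintext" per entry.
# key-global means no signed-by option: the repository is verified against
# the system-wide apt keyring, so its key is trusted for every repository.
# Exit status is 1 if any entry is key-global.
audit_apt_sources() {
    awk '
        $1 != "deb" && $1 != "deb-src" { next }   # skip comments and blanks
        {
            opts = ""; uri = $2
            if ($2 ~ /^\[/) {                      # options: [a=b c=d]
                i = 2
                while (i <= NF && $i !~ /\]$/) { opts = opts " " $i; i++ }
                opts = opts " " $i
                uri = $(i + 1)
            }
            key = (opts ~ /signed-by=/) ? "key-scoped" : "key-global"
            tls = (uri ~ /^https:/) ? "https" : "plaintext"
            print uri, key, tls
            if (key == "key-global") bad = 1
        }
        END { exit bad + 0 }
    '
}

# Constructed sample entries (not the real Metasploit repository line).
SAMPLE_SOURCES='# constructed sample
deb http://apt.example.invalid/metasploit-framework stable main
deb [arch=amd64 signed-by=/usr/share/keyrings/example-archive.gpg] https://apt.example.invalid/tools stable main'

# On a real host:
#   cat /etc/apt/sources.list.d/*.list | audit_apt_sources
```

Package metadata is signed, so a plaintext entry is reported for information only; the exit status reflects key scoping.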

Installing the Metasploitable Virtual Machine

Once the Metasploit Framework is up and running, start installing the Metasploitable virtual machine, a basic Linux distribution designed to be as insecure as possible. Accomplish this by running the following commands:

Using Metasploit and Metasploitable in Linux

With the virtual machine in your system, you can now open Metasploitable 2 to test the Metasploit Framework. To do this, double-click the “metasploitable” entry in VirtualBox. This will load the virtual machine and expose it to a local internal network. Once it is done loading, log in to Metasploitable by typing msfadmin at both the username and the password prompts.
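Metasploitable is insecure by design, so before booting it you can confirm that every enabled network adapter is attached to an internal or host-only network. The following is an added example, not part of the original tutorial: it parses the output of VBoxManage showvminfo --machinereadable, assumes the VM is registered under the name “metasploitable” used above, and runs here on constructed sample output.

```shell
#!/bin/sh
# Added example: flag VirtualBox adapters that are not isolated from the LAN.
# Input: output of `VBoxManage showvminfo <vm> --machinereadable` on stdin.
# Prints "nicN <mode> OK|NOT-ISOLATED" per enabled adapter; exit status is 1
# if any adapter is attached to something other than intnet or hostonly.
audit_vm_nics() {
    awk -F= '
        /^nic[0-9]+=/ {                 # nic1="intnet"; skips nictype1= etc.
            mode = $2
            gsub(/"/, "", mode)
            if (mode == "none") next    # adapter disabled
            if (mode == "intnet" || mode == "hostonly") {
                printf "%s %s OK\n", $1, mode
            } else {
                # nat gives the VM outbound access; bridged places it on
                # the same LAN as the host.
                printf "%s %s NOT-ISOLATED\n", $1, mode
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample outputs.
SAMPLE_ISOLATED='name="metasploitable"
nic1="intnet"
intnet1="intnet"
nictype1="82540EM"
nic2="none"'

SAMPLE_BRIDGED='name="metasploitable"
nic1="bridged"
bridgeadapter1="eth0"
nic2="hostonly"
hostonlyadapter2="vboxnet0"'

# On a real host:
#   VBoxManage showvminfo metasploitable --machinereadable | audit_vm_nics
```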

Learning the Basics of Metasploit

While the Metasploit Framework is a brilliant security auditing toolkit, it is also a great learning tool for beginners, as the framework provides a good amount of documentation for every function. To access this, run msfconsole again on your terminal window. This will load a console prompt that can access both your system programs and the Metasploit toolkit. Run the help command to print a short guide on the various commands for the Metasploit Framework.

As discussed above, you can use the framework at every step of a penetration test. It gives you tools for information gathering through network scripts, machine access through exploits, and system breach through payloads. These tools also vary widely depending on the architecture that you are targeting, which makes Metasploit incredibly flexible and adaptable.

You can use the show -h command to create a brief list of every tool that is available to Metasploit. For example, you can run the following command to list all of the available exploits in the framework:

Further, Metasploit also provides tool-specific documentation through the info command. Running info exploit/android/adb/adb_server_exec will print a short write-up on how this particular Android ADB exploit works.

Scanning Open Network Ports with Metasploit

One of the most basic actions that you can immediately do in Metasploit is to determine whether there are any insecure open ports in a target system. To use the tcp module, run the following command:

Image credit: Unsplash. All alterations and screenshots by Ramces Red.

To fix this, go to the Settings menu for Metasploitable. Click on “System -> Processor,” then click the “Enable PAE/NX” checkbox and reload VirtualBox.