I’ve always been a firm believer in the concept of hacking yourself. After all, if you don't hack yourself, the hackers will. So if you’re a good security administrator, you must learn about the various hacking tools that might be used against your environment, become familiar with them, and use them (see my previous columns about port knocking and malware analysis).
The Metasploit Framework is one of those tools. Created and maintained by four full-time analysts and additional part-time contributors, Metasploit is “click-click-click” hacking. It comes in both Windows and Unix flavors and has several interfaces -- command line, interactive console, and Web. The interactive console is the most commonly used interface.
With any of the interfaces, you can choose from many exploits (133 at latest count) and dozens of payloads (75 at last count). Exploits are how you break into a victim host; payloads are what you do once you’re in. For example, you can break in using the Windows RPC-DCOM exploit (MS-Blaster) and then shovel a cmd.exe shell back to yourself, install VNC, or add a new user account to the administrator’s group. It is not unusual for the Metasploit Framework to have working zero-day exploits hours after their initial release.
You should run "msfupdate -uax" to update the framework database engine in real time to make sure you have the latest code samples. You can type in "show exploits" to show all the available exploits, then type in "use <exploit>," where <exploit> is the full name of the exploit module.
Most exploits have predefined variables you must set. Type in "info <exploit>" to list the required variables. Then use the set command to set them, such as "set RHOST 10.1.1.1" or "set RPORT 135," where RHOST stands for the remote victim’s IP address and RPORT stands for the remote port to attack. Most variables and commands are case-sensitive.
Next, you must choose which payload to execute after the exploit. Type in "show payloads" to show available payloads and then key in "set <payload>," where <payload> is one of the available payload module names. Type in "info <payload>" to list required variables. Then use the set command to set the variables. To make sure all the required variables are filled in, type "show options."
You can type in the keyword "check" to see whether the intended victim machine is vulnerable. This check should only query the host for the vulnerability and should not exploit the victim. Lastly, type in "exploit" by itself to launch the attack. If you shovel a shell back to yourself, you can usually break out of it by pressing Ctrl-C, then Y, then Enter.
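One way to automate the "show options" check described above, as an added example that is not part of this column or of Metasploit itself: a small Python parser that reads the options table msfconsole prints and lists the required variables that are still unset, so nothing is launched with a missing RHOST or payload setting. The table layout (Name / Current Setting / Required / Description columns) and the sample text below are assumptions constructed for the example, not output captured from a real session.

```python
"""Find required Metasploit options that are still empty in `show options` output.

Assumed table layout: a header line "Name  Current Setting  Required  Description",
a dashed separator, then one row per option, ended by a blank line.
"""

# Constructed sample of `show options` output (not captured from a real run).
SAMPLE_SHOW_OPTIONS = """\
Module options (exploit/windows/dcerpc/ms03_026_dcom):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOSTS                  yes       The target host(s)
   RPORT  135              yes       The target port (TCP)

Payload options (windows/shell/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique
   LPORT     4444             yes       The listen port
   RHOST                      no        The target address
"""


def parse_options(text):
    """Return (name, current_setting, required) tuples from every options table."""
    rows = []
    cols = None  # column offsets taken from the header line of the current table
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            cols = None  # a blank line ends the current table
            continue
        if cols is None:
            # Only a "Name ... Required ..." header starts a table we understand.
            if stripped.startswith("Name") and "Required" in line:
                cols = (line.index("Current Setting"),
                        line.index("Required"),
                        line.index("Description"))
            continue
        if stripped.startswith("----"):
            continue  # dashed separator under the header
        # Slice by header column offsets so a setting containing spaces survives.
        name = line[:cols[0]].strip()
        current = line[cols[0]:cols[1]].strip()
        required = line[cols[1]:cols[2]].strip().lower() == "yes"
        rows.append((name, current, required))
    return rows


def missing_required(text):
    """Names of options marked Required whose Current Setting is empty."""
    return [name for name, current, required in parse_options(text)
            if required and not current]
```

Feed it the pasted output of "show options" and run "set" for each name it returns before typing "check" or "exploit"; the RHOST row above is unset but not required, so it is deliberately not reported.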
If you start the Web-based console, the Metasploit framework launches a local Web server. Just browse to the local Web server using http://127.0.0.1:55555 and you will be able to click-click-click your way through the exploit and payload setup screens. You can launch a successful attack with about five clicks of the mouse, after filling in the required exploit and payload variables.
Commercial vulnerability assessment tools (one of which I will cover next week) usually have more exploits to choose from, better interfaces, easier automation, report options, and other improvements, but Metasploit Framework is an excellent testing tool, especially for the price. It is worth your time to fully explore Metasploit’s Web site -- it has many more hacking programs than just the Framework. Full Metasploit Framework documentation is available at http://www.metasploit.org/projects/Framework/documentation.html.
See my related blog entry for a document with more Metasploit details, better instructions, and step-by-step pictures.