Book Image

Metasploit Bootcamp

By : Nipun Jaswal
Book Image

Metasploit Bootcamp

By: Nipun Jaswal

Overview of this book

The book starts with a hands-on Day 1 chapter, covering the basics of the Metasploit framework and preparing the readers for a self-completion exercise at the end of every chapter. The Day 2 chapter dives deep into the use of scanning and fingerprinting services with Metasploit while helping the readers to modify existing modules according to their needs. Following on from the previous chapter, Day 3 will focus on exploiting various types of service and client-side exploitation while Day 4 will focus on post-exploitation, and writing quick scripts that helps with gathering the required information from the exploited systems. The Day 5 chapter presents the reader with the techniques involved in scanning and exploiting various services, such as databases, mobile devices, and VOIP. The Day 6 chapter prepares the reader to speed up and integrate Metasploit with leading industry tools for penetration testing. Finally, Day 7 brings in sophisticated attack vectors and challenges based on the user’s preparation over the past six days and ends with a Metasploit challenge to solve.
Table of Contents (15 chapters)
Title Page
About the Author
About the Reviewer
Customer Feedback

The fundamentals of Metasploit

Now that we have completed the setup of Kali Linux, let us talk about the big picture: Metasploit. Metasploit is a security project that provides exploits and tons of reconnaissance features to aid a penetration tester. Metasploit was created by H.D. Moore back in 2003, and since then, its rapid development has led it to be recognized as one of the most popular penetration testing tools. Metasploit is entirely a Ruby-driven project and offers a great deal of exploits, payloads, encoding techniques, and loads of post-exploitation features.

Metasploit comes in various editions, as follows:

  • Metasploit Pro: This edition is a commercial edition, offers tons of great features such as web application scanning and exploitation and automated exploitation, and is quite suitable for professional penetration testers and IT security teams. The Pro edition is used for advanced penetration tests and enterprise security programs.
  • Metasploit Express: This is used for baseline penetration tests. Features in this version of Metasploit include smart exploitation, automated brute forcing of the credentials, and much more. This version is quite suitable for IT security teams in small to medium-sized companies.
  • Metasploit Community: This is a free version with reduced functionality when compared to the Express edition. However, for students and small businesses, this edition is a favorable choice.
  • Metasploit Framework: This is a command-line version with all manual tasks such as manual exploitation, third-party import, and so on. This release is entirely suitable for developers and security researchers.


You can download Metasploit from the following link:

Throughout this book, we will be using the Metasploit Community and Framework versions. Metasploit also offers various types of user interfaces, as follows:

  • The graphical user interface (GUI) interface: This has all the options available at the click of a button. This interface offers a user-friendly interface that helps to provide cleaner vulnerability management.
  • The console interface: This is the most preferred interface and the most popular one as well. This interface provides an all-in-one approach to all the options offered by Metasploit. This interface is also considered one of the most stable interfaces. Throughout this book, we will be using the console interface the most.
  • The command-line interface: This is the more potent interface that supports the launching of exploits to activities such as payload generation. However, remembering each and every command while using the command-line interface is a difficult job.
  • Armitage: Armitage by Raphael Mudge added a neat hacker-style GUI interface to Metasploit. Armitage offers easy vulnerability management, built-in NMAP scans, exploit recommendations, and the ability to automate features using the Cortana scripting language. An entire chapter is dedicated to Armitage and Cortana in the latter half of this book.


For more information on the Metasploit community, refer to

Basics of Metasploit Framework

Before we put our hands onto the Metasploit Framework, let us understand the basic terminology used in Metasploit. However, the following modules are not just terminologies, but modules that are the heart and soul of the Metasploit project:

  • Exploit: This is a piece of code which, when executed, will trigger the vulnerability at the target.
  • Payload: This is a piece of code that runs at the target after a successful exploitation is done. It defines the type of access and actions we need to gain on the target system.
  • Auxiliary: These are modules that provide additional functionalities such as scanning, fuzzing, sniffing, and much more.
  • Encoder: These are used to obfuscate modules to avoid detection by a protection mechanism such as an antivirus or a firewall.
  • Meterpreter: This is a payload that uses in-memory stagers based on DLL injections. It provides a variety of functions to perform at the target, which makes it a popular choice.

Architecture of Metasploit

Metasploit comprises various components, such as extensive libraries, modules, plugins, and tools. A diagrammatic view of the structure of Metasploit is as follows:

Let's see what these components are and how they work. It is best to start with the libraries that act as the heart of Metasploit.

Let's understand the use of various libraries, as explained in the following table:

Library name



Handles almost all core functions, such as setting up sockets, connections, formatting, and all other raw functions.


Provides the underlying API and the actual core that describes the framework.


Provides friendly API support to modules.

We have many types of modules in Metasploit, and they differ regarding their functionality. We have payload modules for creating access channels to exploited systems. We have auxiliary modules to carry out operations such as information gathering, fingerprinting, fuzzing an application, and logging into various services. Let's examine the basic functionality of these modules, as shown in the following table:

Module type



Payloads are used to carry out operations such as connecting to or from the target system after exploitation or performing a particular task such as installing a service and so on.

Payload execution is the next step after the system is exploited successfully.

The widely used meterpreter shell is a standard Metasploit payload.


Auxiliary modules are a special kind of module that performs specific tasks such as information gathering, database fingerprinting, scanning the network to find a particular service and enumeration, and so on.


Encoders are used to encode payloads and the attack vectors to (or intending to) evade detection by antivirus solutions or firewalls.


NOP generators are used for alignment which results in making exploits stable.


The actual code that triggers a vulnerability.

Metasploit Framework console and commands

Gathering knowledge of the architecture of Metasploit, let us now run Metasploit to get hands-on knowledge of the commands and different modules. To start Metasploit, we first need to establish a database connection so that everything we do can be logged into the database. However, usage of databases also speeds up Metasploit's load time by making use of caches and indexes for all modules. Therefore, let us start the postgresql service by typing in the following command at the Terminal:

root@beast:~# service postgresql start

Now, to initialize Metasploit's database, let us initialize msfdb as shown in the following screenshot:

It is clearly visible in the preceding screenshot that we have successfully created the initial database schema for Metasploit. Let us now start the Metasploit database using the following command:

root@beast:~# msfdb start

We are now ready to launch Metasploit. Let us issue msfconsole in the Terminal to start Metasploit, as shown in the following screenshot:

Welcome to the Metasploit console. Let us run the help command to see what other commands are available to us:

The commands in the preceding screenshot are core Metasploit commands which are used to set/get variables, load plugins, route traffic, unset variables, print version, find the history of commands issued, and much more. These commands are pretty general. Let's see the module-based commands, as follows:

Everything related to a particular module in Metasploit comes under the module controls section of the Help menu. Using the preceding commands, we can select a particular module, load modules from a particular path, get information about a module, show core and advanced options related to a module, and even can edit a module inline. Let us learn some basic commands in Metasploit and familiarize ourselves with the syntax and semantics of these commands:




use [auxiliary/exploit/payload/encoder]

To select a particular module to start working with.

msf>use auxiliary/scanner/portscan/tcp        

show [exploits/payloads/encoder/auxiliary/options]

To see the list of available modules of a particular type.

msf>show payloads
msf> show options    

set [options/payload]

To set a value to a particular object.

msf>set payload windows/meterpreter/reverse_tcp
msf>set LHOST
msf> set RHOST
msf> set LPORT 4444
msf> set RPORT 8080 

setg [options/payload]

To assign a value to a particular object globally, so the values do not change when a module is switched on.

msf>setg RHOST


To launch an auxiliary module after all the required options are set.



To launch an exploit.



To unselect a module and move back.



To list the information related to a particular exploit/module/auxiliary.

msf>info exploit/windows/smb/ms08_067_netapi


To find a particular module.

msf>search hfs


To check whether a particular target is vulnerable to the exploit or not.



To list the available sessions.

msf>sessions [session   number]

Meterpreter commands




To list system information of the compromised host.



To list the network interfaces on the compromised host.

meterpreter>ipconfig (Windows)


List of IP and MAC addresses of hosts connected to the target.



To send an active session to background.



To drop a cmd shell on

the target.



To get the current user details.



To escalate privileges and gain system access.



To gain the process id of the meterpreter access.



To list all the processes running at the target.



If you are using Metasploit for the very first time, refer to for more information on basic commands.