APC Australia

The Metasploit framework

Get started with the world’s leading penetration testing tool and hack your very own virtual machine. Grab a cuppa and make yourself comfortable…


We think having vulnerabilities and proof-of-concept exploits out in the open is, despite various straw man arguments to the contrary, A Good Thing. However, if you’re a pentester (or dream of being one) and want to test a target machine for several vulnerabilities, then unfortunately you’re in for a bit of a rough ride.

Proof of Concept (PoC) code will probably require some customisation and dependencies to be installed before it works. For memory-related vulnerabilities, code will need to be compiled, too. In addition, there’s all the rigmarole of trawling through mailing lists to get the code in the first place. Wouldn’t it be nice if someone had some sort of library of exploits and some sort of framework for uniformly launching them? Well, dear reader, such a thing exists, and its name is Metasploit. It comes in two editions: the premium Metasploit Pro (which costs money but has a nice web interface) or the free Metasploit Framework.

If you have enough RAM you can create a Kali Light live DVD and install the Metasploit Framework with apt install metasploit-framework. However, if you want to have a go at hacking the Metasploitable VM, that VM will need to be installed on another machine, because it requires a fair bit of storage, at least 10GB.

If you’re confident using VMs you could happily set up one VM for running Kali — both the Light version (if you’re short on space) and the full fat version can be downloaded from www.kali.org/downloads — and then a second one for actually running the Metasploitable VM. Alternatively, add Metasploit Framework to your favourite distro using the installer and instructions at https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers. If you’d rather not use the all-in-one installer and stick with (mostly) packages from the Ubuntu/Debian repos, check out https://kb.help.rapid7.com/docs/installing-the-metasploit-framework-on-ubuntu-linux.

FIRE UP THE METASPLOITABLE VM

Besides attempting to take over that dusty Windows XP machine that you haven’t fired up since about 2008, Rapid7 has released a specially crafted virtual machine, Metasploitable 3, that’s vulnerable to all kinds of attacks. We’ve touched on earlier versions of these VMs in the past, but this newer version uses Packer and Vagrant to build the virtual machine dynamically from a GitHub repository, so it is a little more complex to set up, but we think you’ll manage, dear reader.

Note that the guidelines prescribe at least 6.5GB of free space to build the machine image, so you won’t be able to do this from the Kali Light live environment, at least not without adding some local storage paths. We’ll show you how to build a libvirt (Qemu-compatible) virtual machine in Ubuntu, but it’s easy to build VMware and VirtualBox images, and to do so from any distro. The first step, then, is to install Git, Packer and Vagrant, and then add the required plugins to the latter.

$ sudo apt install git packer vagrant

$ vagrant plugin install vagrant-reload

$ vagrant plugin install pkg-config

$ vagrant plugin install vagrant-libvirt

Now we clone the Metasploitable3 sources (around 250MB) from GitHub:

$ git clone https://github.com/rapid7/metasploitable3.git

The next stage is to build the base VM with Packer. If you’d rather build a VirtualBox image, set the --only parameter to virtualbox-iso in the command below. By default, the build process uses /tmp to store temporary files. Since /tmp is usually set up to use tmpfs (in-memory) storage and is likely to fill up, it’s wise to specify a directory on disk with lots of space instead. We’ll use /var/tmp:

$ cd metasploitable3/

$ TMPDIR=/var/tmp packer build --only=qemu ./packer/templates/ubuntu_1404.json

A Qemu window will pop up, but do resist the urge to input anything. Packer will handle all of that automatically (after about a 20 second wait). It will get confused if you start selecting options, so just sit back and watch the show, make another cup of tea, or something. When it’s ready, we can build the Vagrant image from it with:

$ vagrant box add ./packer/builds/ubuntu_1404_libvirt_0.1.12.box --name=metasploitable3-ub1404 --provider=libvirt

Vagrant images are stored at ~/.vagrant.d/boxes, but if your home directory doesn’t have much space (the base box takes up 2GB) this can be overridden by setting the environment variable VAGRANT_HOME.

Finally, we can bring the machine up with:

$ vagrant up ub1404 --provider libvirt

You’ll be asked for your password so that /etc/exports can be modified on the host machine. However, we ran into a problem where the virtual machine couldn’t mount that NFS export (it complained about rpc.statd not running, which it was, so we figured some incompatibility with newer NFS gubbins was afoot). If you run into such an issue, it can be worked around by running vagrant destroy ub1404, then editing the Vagrantfile, adding the line

config.vm.synced_folder ".", "/vagrant", disabled: true

and running the vagrant up command again. This disables the NFS synced folder entirely, which is fine for a target VM you only want to break into. The machine should appear in Virtual Machine Manager (if you use this handy libvirt GUI; if you don’t, you’ll have to use some other trickery to find its IP address) and you should be able to log in at the console with the username and password vagrant.
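The build steps above fail late and expensively when a prerequisite is missing, so here is a pre-flight script that checks the tools, Vagrant plugins and TMPDIR before running the Packer command. This is an added example, not part of the Metasploitable3 project; it assumes vagrant plugin list prints one "name (version, global)" line per plugin, and rounds the 6.5GB minimum up to 7GB.

```shell
#!/bin/sh
# Pre-flight checks for the Metasploitable3 Packer build (added example).
# Assumptions, not from the article: `vagrant plugin list` prints one
# "name (version, global)" line per plugin; 6.5GB minimum rounded up to 7GB.
set -u

REQUIRED_PLUGINS="vagrant-reload pkg-config vagrant-libvirt"
MIN_FREE_GB=7

# Print the required plugins absent from the `vagrant plugin list` output
# passed in $1, one per line (prints nothing when all are present).
missing_plugins() {
    for p in $REQUIRED_PLUGINS; do
        printf '%s\n' "$1" | grep -q "^$p " || printf '%s\n' "$p"
    done
}

# Filesystem type of directory $1; "tmpfs" means in-memory storage,
# which fills up quickly under Packer's temporary files.
fs_type() {
    df -PT "$1" 2>/dev/null | awk 'NR == 2 { print $2 }'
}

# Whole gigabytes free in directory $1.
free_gb() {
    df -Pk "$1" | awk 'NR == 2 { printf "%d\n", $4 / 1024 / 1024 }'
}

# Return 0 when $1 is usable as TMPDIR for the build, 1 (with a reason) otherwise.
tmpdir_ok() {
    if [ "$(fs_type "$1")" = "tmpfs" ]; then
        echo "$1 is tmpfs (in-memory); pick a directory on disk" >&2; return 1
    fi
    if [ "$(free_gb "$1")" -lt "$MIN_FREE_GB" ]; then
        echo "$1 has less than ${MIN_FREE_GB}GB free" >&2; return 1
    fi
}

# Run the checks and then the article's Packer command. Guarded by RUN_BUILD=1
# so the file can also be sourced just for its functions.
if [ "${RUN_BUILD:-0}" = 1 ]; then
    for tool in git packer vagrant; do
        command -v "$tool" >/dev/null || { echo "missing tool: $tool" >&2; exit 1; }
    done
    missing=$(missing_plugins "$(vagrant plugin list)")
    [ -z "$missing" ] || { echo "missing vagrant plugins: $missing" >&2; exit 1; }
    BUILD_TMP=${TMPDIR:-/var/tmp}
    tmpdir_ok "$BUILD_TMP" || exit 1
    cd metasploitable3 && TMPDIR=$BUILD_TMP packer build --only=qemu ./packer/templates/ubuntu_1404.json
fi
```

Run it from the directory containing the cloned metasploitable3 checkout as RUN_BUILD=1 ./preflight.sh.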

From here you can find the VM’s IP address with a simple ip a, at which point you can log out of the console. Back on the host machine (or on a Kali VM if you’re feeling extra virtual) fire up Nmap (install it if you haven’t already) and scan that IP (we’ll pretend that it’s 192.168.1.100) on all ports with the following:

$ nmap -p0-65535 192.168.1.100

You should find a handful of services available, including but not limited to SSH, HTTP, an SQL database and an IRC server. There are other services running too, but they’re only available locally. In order to see these you can SSH into the target VM again and run netstat -ltun. Let’s see what we can break “remotely” first, though. Point your web browser at http://192.168.121.100. Hello, what’s this? You should see a directory listing, which enables you to browse to a chat webapp (where you’ll find Papa Smurf), a Drupal installation, a PHP payroll app, and a PHPMyAdmin panel.
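Comparing the Nmap view from the network with netstat -ltun inside the guest is the quickest way to tell which services are loopback-only or firewalled. The script below does that comparison; it is an added example, not from the article, and both outputs it parses are constructed samples rather than real scan results. Only TCP is compared, because the nmap command above does not scan UDP (that needs -sU).

```shell
#!/bin/sh
# List TCP services listening in the guest that the network scan did not see
# (added example). NMAP_OUT and NETSTAT_OUT are constructed sample outputs.
LC_ALL=C; export LC_ALL

NMAP_OUT='Nmap scan report for 192.168.1.100
Not shown: 65532 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
6667/tcp open  irc'

NETSTAT_OUT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3000          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# TCP ports nmap reports as open, one "port/tcp" per line, sorted.
nmap_open_tcp() {
    printf '%s\n' "$1" | awk '/^[0-9]+\/tcp +open/ { print $1 }' | sort -u
}

# TCP ports in LISTEN state in the guest (tcp and tcp6, any bind address), sorted.
# The port is the last colon-separated field of "Local Address", which also
# handles IPv6 forms such as ":::22".
netstat_listen_tcp() {
    printf '%s\n' "$1" | awk '$1 ~ /^tcp6?$/ && $NF == "LISTEN" {
        n = split($4, a, ":"); print a[n] "/tcp" }' | sort -u
}

# Listening TCP ports the scan did not see: bound to 127.0.0.1 (like 3000
# above) or blocked by a host firewall. These are the "local only" services.
local_only_tcp() {
    open=$(nmap_open_tcp "$1")
    netstat_listen_tcp "$2" | while read -r p; do
        printf '%s\n' "$open" | grep -qx "$p" || printf '%s\n' "$p"
    done
}

local_only_tcp "$NMAP_OUT" "$NETSTAT_OUT"
```

To use it on the real VM, replace the two constructed strings with the output of nmap and of netstat -ltun run over SSH.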

Watching Packer automatically install and provision an Ubuntu machine is at once spooky and relaxing. Much like BBC One’s programme schedule on a Sunday evening.

SQL injection is alive and well in 2018. Perhaps these passwords could be reused elsewhere in the Metasploitable3 virtual machine?
