
Metasploit Framework Testing

The Metasploit Framework is an open-source security testing platform used to identify, validate, and understand security vulnerabilities in computer systems. Rather than being a single "hacking tool," Metasploit is a modular framework that organizes offensive security techniques into structured components with clear rules and workflows. Metasploit is designed to help us learn how attacks work, reproduce vulnerabilities in a controlled environment, and assess the effectiveness of security controls.

How Metasploit Is Structured

Metasploit is built around modules, each with a specific role:

  1. Auxiliary Module

    Used for scanning, enumeration, and information gathering. This module does not exploit the system and is typically used first to understand the target's vulnerabilities. This is the recommended starting point for beginners.

  2. Exploit Module

    Used to exploit known vulnerabilities in software or systems. This module attempts to gain unauthorized access and should only be used in authorized environments.

  3. Payload

    Code that runs after successful exploitation. The payload defines what happens after access is gained, such as opening a command shell or establishing a remote session.

  4. Post-Exploitation Module

    Used after access is gained to gather additional information, maintain access, or analyze the compromised system.

  5. Encoder and Evasion Module

    Advanced components used to modify the payload or evade detection. These are typically explored in later learning stages.

The Metasploit framework does not work simply by executing commands in the terminal. Each module follows a structured process:

  1. Select the appropriate module
  2. Review its configuration options
  3. Set the required parameters
  4. Execute the module

Steps

  1. Install the Metasploit Framework on Linux

    curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall
  2. Run Metasploit

    msfconsole
  3. Metasploit Testing

    Metasploit can be tested in several ways:

    a) TCP Port Scanning

    We will test by scanning the local host.

    1. use auxiliary/scanner/portscan/tcp

    2. show options

    3. set RHOSTS 127.0.0.1

    4. set PORTS 22,80,443

    5. run

    b) HTTP Enumeration

    HTTP enumeration refers to the process of gathering information from a web server, such as the server type, accessible directories, and exposed resources, without exploiting vulnerabilities. In newer versions of Metasploit, this functionality is implemented through several dedicated auxiliary modules, rather than a single enumeration module. For this example, I will identify the web server.

    1. use auxiliary/scanner/http/http_version

    2. show options

    3. set RHOSTS 127.0.0.1

    4. set RPORT 80

    5. run

    The identification results indicate that the server is using Apache version 2.4.65 on a Debian-based operating system. This information is obtained through a standard HTTP response.
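
The banner in that result comes from the `Server` response header, so a server owner can audit what it gives away. The following is an added example, not part of the original walkthrough or of Metasploit: it parses a raw HTTP response and reports the product, version and platform hints the banner exposes. The sample responses are constructed, and the names `parse_headers` and `audit_banner` are hypothetical.

```python
import re

# Constructed sample responses (not captured output). The first mirrors the
# banner reported above; the second is the same response as Apache sends it
# with "ServerTokens Prod" configured, which reduces the header to "Apache".
VERBOSE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.65 (Debian)\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n<html></html>"
)
MINIMAL_RESPONSE = VERBOSE_RESPONSE.replace(b"Apache/2.4.65 (Debian)", b"Apache")

# A banner is a run of product[/version] tokens and parenthesised comments.
_TOKEN = re.compile(r"([A-Za-z0-9_.\-]+)(?:/([0-9][\w.\-]*))?|\(([^)]*)\)")


def parse_headers(raw: bytes) -> dict:
    """Return the response headers as a dict with lower-cased names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_banner(raw: bytes) -> dict:
    """Report what the Server header discloses to any client."""
    banner = parse_headers(raw).get("server", "")
    products, versions, hints = [], [], []
    for m in _TOKEN.finditer(banner):
        if m.group(3) is not None:      # "(Debian)" style comment
            hints.append(m.group(3))
        else:
            products.append(m.group(1))
            if m.group(2):              # "/2.4.65" style version
                versions.append(m.group(2))
    return {"banner": banner, "products": products, "versions": versions,
            "platform_hints": hints,
            "discloses_detail": bool(versions or hints)}


if __name__ == "__main__":
    for label, raw in (("verbose", VERBOSE_RESPONSE), ("minimal", MINIMAL_RESPONSE)):
        print(label, audit_banner(raw))
```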