Introduction to Metasploit
Download as PPTX, PDF0 likes1,099 views
Metasploit is a free and open-source penetration testing framework that makes exploiting systems simple. It contains a large database of exploits and automated tools to identify vulnerabilities, execute exploits, and maintain access. The framework integrates with other security tools and allows users to practice penetration testing safely on vulnerable virtual machines. Metasploit is essential for both attackers and defenders to understand common hacking techniques.
Ad
More Related Content
What's hot (20)
Similar to Introduction to Metasploit (20)
![Chapter 9 system penetration [compatibility mode]](https://cdn.slidesharecdn.com/ss_thumbnails/chapter9systempenetrationcompatibilitymode-160414004635-thumbnail.jpg?width=560&fit=bounds)
Ad
Recently uploaded (20)
Ad
Introduction to Metasploit
- 1. INTRODUCTIO N TO METASPLOIT by: Mohammad Waris 170750107063
- 2. Contents… 1 2 3 4 5 6 7 What is Metasploit? History of Metasploit How to use Metasploit? How to learn Metasploit? Where to get Metasploit? Overview of Metasploit What is penetration testing?
- 3. Contents… 8 9 10 What is a vulnerability? What is an Exploit? What is Payload? 11 Summary References12
- 4. What is Metasploit? 1 • Metasploit is a penetration testing framework that makes hacking simple. It's an essential tool for many attackers and defenders. Point Metasploit at your target, pick an exploit, what payload to drop, and hit Enter. • Metasploit is a hacking framework written in ruby. It is designed to help make writing and executing exploits as simple as possible. • Capabilities include smart exploitation, password auditing, web application scanning, and social engineering.
- 5. History of Metasploit 2 HD Moore began working on Metasploit in the early ought's, and released 1.0, written in Perl, in 2003. The project has grown dramatically since then, from the original 11 exploits the project came with to more than 1,500 now, plus around 500 payloads, with a switch to Ruby under the hood along the way. Security outfit Rapid7 acquired both Metasploit and Moore in 2009. (Moore left the project in 2016.) Metasploit has since become the de facto framework for exploit development, despite competition from Canvas and Core Impact. Today it is common for zero day reports to include a Metasploit module as proof of concept.
- 6. Overview of Metasploit 3 1. Open source tool Used for: • Penetration testing • IDS Signature Development • Exploit Research 2. Consists of: • Web server • Console • Signatures 3. Runs on any operating system Source code for Linux/Unix/ MacOS X Portable to Windows via CYGWIN 4. Allows anyone to exploit & usually “root” certain machines with only an IP address and a basic background of the system 5. Requires no knowledge of the software bug, or exploit machine code
- 7. How to use Metasploit? 4 • During the information gathering phase of a pen-test, Metasploit integrates seamlessly with Nmap, SNMP scanning and Windows patch enumeration, among others. There's even a bridge to Nessus, Tenable's vulnerability scanner. Pretty much every reconnaissance tool you can think of integrates with Metasploit, making it possible to find the chink in the armor you're looking for. • Once you've identified a weakness, hunt through Metasploit large and extensible database for the exploit that will crack open that chink and get you in. • Once on a target machine, Metasploit quiver contains a full suite of post- exploitation tools, including privilege escalation, pass the hash, packet sniffing, screen capture, key-loggers, and pivoting tools.
- 8. How to learn Metasploit? 5 • Many free and cheap resources are available to learn Metasploit. The best place to start for many is probably downloading and installing Kali Linux, along with a vulnerable virtual machine (VM) for target practice. • Offensive Security, the folks who maintain Kali and run the OSCP certification, also offer Metasploit Unleashed, a free training course that asks only for a donation to hungry children in Africa in return. • The Metasploit project offers detailed documentation and its YouTube channel is another good resource for the beginning penetration tester.
- 9. Where to get Metasploit? 6 • Metasploit ships as part of Kali Linux, but you can also download it separately at the Metasploit website. Metasploit runs on *nix and Windows systems. The Metasploit Framework source code is available on GitHub. • Like Coca-Cola, Metasploit comes in different flavors. In addition to the free/ libre Metasploit Framework, Rapid7 also produces the Metasploit Community Edition, a free web-based user interface for Metasploit, and Metasploit Pro, the big daddy with the non-free add-ons for pen-testers who prefer a GUI or MS Office-like wizards to perform baseline audits, and want to phish their clients as part of an engagement. Rapid7 offers a feature comparison on its website.
- 10. What is penetration testing? 7 • Penetration testing, often called “pentesting”, “pen testing”, or “security testing”, is the practice of attacking your own or your clients’ IT systems in the same way a hacker would to identify security holes. • The person carrying out a penetration test is called a penetration tester or pentester. • Penetration testing requires that you get permission from the person who owns the system. Otherwise, you would be hacking the system, which is illegal.
- 11. What is penetration testing? 7 You can become a penetration tester at home by testing your own server and later make a career out of it. To better understand penetration testing, you first need to understand the basic security concepts of: • Vulnerabilities • Exploits • Payloads
- 12. What is a vulnerability? 8 A vulnerability is a security hole in a piece of software, hardware or operating system that provides a potential angle to attack the system. A vulnerability can be as simple as weak passwords or as complex as buffer overflows or SQL injection vulnerabilities. Vulnerability scanning will allow you to quickly scan a target IP range looking for known vulnerabilities, giving a penetration tester a quick idea of what attacks might be worth conducting.
- 13. What is an exploit? 9 To take advantage of a vulnerability, you often need an exploit, a small and highly specialized computer program whose only reason of being is to take advantage of a specific vulnerability and to provide access to a computer system. Exploits often deliver a payload to the target system to grant the attacker access to the system. The Metasploit Project host the world’s largest public database of quality- assured exploits. Even the name Metasploit comes from the term “exploit”.
- 14. What is Payload? 10 A payload can be considered to be somewhat similar to a virus. A payload is a set of malicious codes that carry crucial information that can be used to hack any device beyond limits that you can't imagine. Generally, a payload refers to a set of codes which a hacker designs according to his/her requirements.
- 15. Summary 11 Metasploit is very easy to use, and very powerful • Web interface allows the scans to be run from any system, on any operating system. • Evidence may or may not be left behind on the system. • IDS/IPS will sense these exploits. • Only contains old & well known exploits.