User Guide
Metasploit Pro was designed for corporate security professionals, security consulting
practices, and existing Metasploit users. If you already use the open-source Metasploit
Framework to develop and test exploit code, you will appreciate the increased execution and
browsing functionality of Metasploit Pro.
In addition to the capabilities offered by the open source framework, Metasploit Pro goes
above and beyond by delivering a full graphical user interface, automated exploitation
capabilities, complete user action audit logs, customizable reporting, combined with an
advanced penetration testing workflow. Metasploit Pro is fully supported by Rapid7 security
and support specialists in addition to the large and growing Metasploit community.
Along with the full range of features available in Metasploit Express, Pro offers several
additional features that make it a powerful and comprehensive penetration testing tool. Pro
features include antivirus evasion, customized reporting, social engineering capabilities, Web
application support, VPN Pivoting, and multi-user capabilities.
Metasploit Pro is a part of the Metasploit Project, the open-source penetration testing and
development toolset for security professionals. The Metasploit Project was acquired by
Rapid7 to continue the open-source community involvement, and to expand the project's
capability and ease-of-use.
Metasploit Pro can be installed on Windows and Linux machines and runs on almost any web
browser, or you can continue to use the command line interface.
0.0.0.0:3790 – Apache SSL Service – Metasploit Pro utilizes Apache as a front end web
server for the Rails UI application. This is the primary service you will be interacting with
when utilizing Metasploit Pro.
127.0.0.1:3001 – Thin Rails Server (bound to localhost) – Metasploit Pro utilizes Ruby on
Rails, and Thin is used as the glue layer between Apache and Rails.
127.0.0.1:7337 – PostgreSQL Database (bound to localhost) – Metasploit Pro uses
PostgreSQL as the host for the Pro datastore. PostgreSQL was chosen for performance
reasons.
127.0.0.1:50505 – Metasploit RPC Service (bound to localhost) – The Metasploit Pro RPC
service is similar to that provided with the open source framework, with additional
functionality added. This service makes it possible to communicate directly with the
Metasploit Pro system via RPC. The Rails UI utilizes RPC on this port to communicate
with the Metasploit Pro engine.
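Of the four services listed above, only the Apache SSL front end on 3790 is meant to be reachable from other machines; Thin, PostgreSQL and the RPC service must stay bound to localhost. The following added example (not part of Metasploit Pro) parses listener lines in the format of `ss -ltn` output and flags any of those three services that is listening on a non-loopback address or not listening at all. The sample listener lines are constructed and deliberately include one misconfiguration so the check has something to report.

```python
"""Verify that Metasploit Pro's backend services are bound as the guide describes.

Added example, not Metasploit Pro code. SAMPLE_SS_OUTPUT is constructed to look
like `ss -ltn` output; on a real install feed the check the live output instead.
"""
import re

# Expected bindings from the guide: port -> address it should listen on.
# 3790 is the externally reachable front end; the rest must be loopback-only.
EXPECTED = {
    3790: "0.0.0.0",
    3001: "127.0.0.1",
    7337: "127.0.0.1",
    50505: "127.0.0.1",
}

# Constructed sample: one line per service plus an unrelated SSH listener.
# PostgreSQL (7337) is deliberately exposed on all interfaces here.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:3790         0.0.0.0:*
LISTEN  0       128     127.0.0.1:3001       0.0.0.0:*
LISTEN  0       128     0.0.0.0:7337         0.0.0.0:*
LISTEN  0       128     127.0.0.1:50505      0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
"""

# Matches "LISTEN recvq sendq addr:port " and captures the address and port.
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_listeners(text):
    """Return {port: local_address} for every LISTEN line in ss-style output."""
    listeners = {}
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners[int(m.group(2))] = m.group(1)
    return listeners


def check_bindings(text, expected=EXPECTED):
    """Return a list of findings; an empty list means every service is bound as expected.

    A loopback-only service bound to any other address is reported, as is a
    service that is not listening at all. 3790 bound to loopback is not an
    exposure problem, so it is not reported.
    """
    listeners = parse_listeners(text)
    findings = []
    for port, want in expected.items():
        got = listeners.get(port)
        if got is None:
            findings.append(f"port {port}: not listening (service down?)")
        elif want == "127.0.0.1" and got not in ("127.0.0.1", "[::1]"):
            findings.append(f"port {port}: bound to {got}, expected loopback only")
    return findings


if __name__ == "__main__":
    for finding in check_bindings(SAMPLE_SS_OUTPUT) or ["all Metasploit Pro services bound as expected"]:
        print(finding)
```

Running the block as-is reports the constructed PostgreSQL exposure; replacing SAMPLE_SS_OUTPUT with real `ss -ltn` output (or `netstat -an` reshaped to the same columns) turns it into a quick post-install check.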
Target Audience
This User Guide is intended for IT and security professionals who use Metasploit Pro as their
penetration testing solution.
Organization
This User Guide is divided into the following chapters:
Welcome
About This Guide
New Features in Metasploit Pro
Metasploit Pro Interface Tour
Getting Started with Metasploit Pro
Administration
Metasploit Pro Tasks
Task Settings
Supported Targets
Warnings
Index
Document Conventions
The following table lists the conventions and formats used within this User Guide.
Convention – Description
Command – Text in this typeface indicates Metasploit Pro buttons, options, features, and
commands as well as filenames. For example, “Click Forward to continue” and “Locate the
Reports tab”.
Support
We are dedicated to delivering superior support for our products. Use the Customer Center to
ask questions and get assistance for Metasploit Pro. To log into the Customer Center, you will
need to use the email and password you entered to create your account when you purchased
Metasploit Pro.
http://www.rapid7.com/customers/customer-login.jsp
Navigational Tour
There are five main areas of the interface that you can use to navigate through your project:
1. Main Menu – The Main menu enables you to manage your project settings, user account
settings, and administration duties.
2. Task Tabs – The Task tabs enable you to navigate between individual Task pages. Task
pages include Hosts, Sessions, Campaigns, Web Apps, Modules, Reports, and Tasks.
3. Navigational Breadcrumbs – The navigational breadcrumbs enable you to move
between Task pages. Typically, there will be three breadcrumbs listed (Home > Project
Name > Task Page). Click on Home to access the Projects page.
4. Dashboard – The Dashboard provides you with a graphical breakdown of the services,
operating systems and session statuses running on the system. Additionally, you can run
any of the main tasks from the Dashboard – including scans, exploits, and campaigns.
1. Navigational breadcrumbs – Use the Home link to access the Projects page.
2. Projects – All projects are listed on the Projects page. Simply click on a project name to
open it.
3. Host/Session status – Quickly view host and session statuses directly on the Projects
page.
4. New project – All new projects are created through this page.
5. Settings – All project settings can be modified through this page; this includes project
names, project descriptions, network ranges, and user access.
6. Delete projects – Easily delete any unnecessary projects directly from the Projects page.
7. Global Search – Search for any host in any project to which you have access.
1. Discovery – Run a discovery scan, data import, or NeXpose scan directly from the
Discovery pane.
2. Penetration – Bruteforce or exploit target hosts directly from the Penetration pane.
3. Web App – Run a web scan directly from the Web Apps pane.
4. Social Engineering – Create a new Campaign from the Web Apps pane.
5. Recent Events – Lists a log of recent activity on the system; use the Show link to view
more details on the event.
From the Web Apps page, you can perform several actions:
1. Search for an exploit module, post module, or auxiliary module – Run a search based on
the module's name, path, platform, type, and other parameters.
2. Look at totals – Review statistics about the total number of modules, and the breakdown
between exploit vs. auxiliary and server-side vs. client-side modules.
3. Manually launch an exploit – Select a module from the list of filtered module search results
to configure for a manual attack.
1. Apply changes to your Host Tags – Make your modifications to the Host Tag and then
click the Update button to apply changes to it.
2. Remove Host Tags – Click the Delete button to permanently remove the Host Tag.
3. Modify the attributes for a Host Tag – Choose to include the Host Tag in report
summaries, report details, and/or critical findings.
4. Delete hosts from the Host Tag – Deselect hosts to remove them from the Host Tag.
1. View an instant report – Click a report type from the Live Reports section.
2. Create a PDF report or a report in another format – Click Generate a Report and select the
PDF option or any of the other available formats (XML, Word, ZIP, etc.).
3. Generate a PCI Findings Report – Click Generate PCI Findings to generate an appendix
for your penetration test based on PCI standards.
4. Export data from the penetration test – Click Export Data to generate all the data found
during the penetration test. Select whether the report will be downloadable as a PDF,
XML, RTF, ZIP, PWDump, or Replay file.
5. Download or delete existing reports – Click the Download button to view an existing report
or Delete to permanently remove a report from the system.
6. Upload a custom report template – You can upload a custom template that references any
fields in the database and contains a custom logo, which will be used on every generated
report. The custom template must be in JRXML (Jasper) format. For more details on
creating a JRXML file, see http://jasperforge.org/projects/jasperreports
System Requirements
Before installing Metasploit Pro, make sure that your system meets the minimum system
requirements. See the specifications below:
2 GHz+ processor
2 GB RAM available (increase accordingly with VM targets on the same device)
500MB+ available disk space
10/100 Mbps network interface card
Operating Systems
Metasploit Pro is supported on the following operating systems:
Windows XP SP2+
Windows Vista
Windows 7
Windows 2003 Server SP1+
Windows 2008 Server
RHEL 5+
Ubuntu 8.08+
Now you are ready to get started with Metasploit Pro. The following sections will explain how
to launch the application and how to create a user account.
Additional Considerations
In order to provide VPN Pivot functionality on the Windows platform, Metasploit Pro must
install a new network driver. This driver, called msftap.sys, creates four virtual interfaces on
the installed system. This provides the ability to run up to four concurrent VPN Pivot sessions.
These drivers are automatically installed when the MetasploitProSvc service starts if the
virtual interfaces are not found. To reinstall or uninstall these drivers, two batch scripts are
present under $INSTALLROOT\apps\pro\data\drivers\<arch>\. These scripts may be used to
disable the VPN Pivot virtual interfaces or restore a previously removed driver.
If a user is assigned an Administrator role, they will be able to access all projects, manage
user accounts, and perform software updates. There can be multiple administrator roles
assigned.
Note: To access the User Accounts area after the first launch, select Administration >
User Administration from the navigational breadcrumbs located at the upper right corner
of the interface. The user account creation process will be the same as the first time.
Note: If you forget your password, there is a password reset script located in your
Metasploit Pro installation directory under $INSTALLERBASE/apps/pro/ui/script/resetpw.
Once your user account has been successfully created, Metasploit Pro will display the
Projects page.
After a valid key has been supplied, Metasploit Pro will prompt for activation. This will send
your key, along with a small amount of system information to the Metasploit licensing server.
A proxy can be entered at this phase, if necessary.
You can manually install, start, stop, and uninstall Metasploit Pro services by using the
options under the Metasploit Pro Service subdirectory.
To run the web client for Metasploit Pro in Linux, browse to https://localhost:3790 (assuming
the default SSL port was chosen).
If you're familiar with VMware and have a Workstation or Server installation, that can be used
as a VM host. Alternatively, you can get the free VMware Player here:
http://www.vmware.com/products/player/.
FTP
Secure Shell
Telnet
DNS
Apache
PostgreSQL 8.3
MySQL
Tomcat 5.5
DistCC
Postfix
Apache
MySQL
Wordpress
TextPattern
Serendipity
MediaWiki
TikiWiki
PHP Gallery
Moodle
PHPWebSite
Joomla
eGroupWare
Drupal
Php Bulletin Board
Sugar CRM
Owl
WebCalendar
Dot Project
PhpAdsNew
Bugzilla
OsCommerce
ZenCart
phpMyAdmin
Webmin
Mutillidae 1.5 (OWASP Top 10 Vulns)
VMware Player requires approximately 150MB of disk space to install the application on the
host, and at least 1GB of disk space is recommended for each guest operating system. For
more details on minimum PC requirements, see the VMware Player Documentation.
You must have enough memory to run the host operating system, in addition to the memory
required for each guest operating system and the memory required for Metasploit Pro. Please
see your guest operating system and application documentation for their memory
requirements.
The vulnerable VM requires VMware 6.5 or above and approximately 1.5GB of disk space to
run properly.
Once the VM is available on your desktop, open the device and run it with VMware Player.
Alternatively, you can also use VMware Workstation or VMware Server.
Once you have a vulnerable machine ready, it's time to begin your penetration test on
Metasploit Pro. You will need to log into your Metasploit Pro account to get started.
Host Vulnerabilities
After successfully compromising a target system with the product, the Vulns tab of the Host
screen will be updated to reflect what vulnerabilities were exploited. These vulnerabilities will
display their corresponding CVE references.
Reporting
The Detailed Audit Report, Exploited Vulnerabilities Report, and Generated Reports (PDF) will
each include references to any application CVE identifiers, as they relate to vulnerabilities
found on the tested network.
About CVE
Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e., CVE
Identifiers) for publicly known information security vulnerabilities, while its Common
Configuration Enumeration (CCE™) provides identifiers for security configuration issues and
exposures.
CVE's common identifiers make it easier to share data across separate network security
databases and tools, and provide a baseline for evaluating the coverage of an organization's
security tools. If a report from one of your security tools incorporates CVE Identifiers, you may
then quickly and accurately access fix information in one or more separate CVE-compatible
databases to remediate the problem.
Error Recovery
Error Recovery will occur in any case where Metasploit Pro crashes or is unavailable.
Administrators can access the User Administration area by selecting Administration > User
Administration from the Main menu.
For information on setting the network range, see the section Setting the Network Range.
This will take you to the Software Updates page, which will display the license and
registration information for your version of Metasploit Pro. The Check for Updates button
located under the Product Updates area enables you to manually check for product updates.
If you want to use an HTTP Proxy server, then select the Use an HTTP Proxy to reach the
internet option before clicking the Check for Updates button. Once the proxy option is
selected, configurable proxy settings will display. Enter the information for HTTP proxy you
wish to use in the appropriate fields.
If an update is available, the application will list the available version. Click on the Install
button to install the latest update of Metasploit Pro.
If there are no current updates, you will receive a notification that you are using the latest
version.
Note: After the update has completed, a button will appear for restarting the backend
services. Restarting these services will terminate any active sessions and will require up to
5 minutes before the product is usable.
Note: There is currently no automatic rotation for these logs, and over time, the various
logs will grow to be very large. If disk space is an issue, please review these files regularly
(at least monthly).
Metasploit will then begin to remove all components of the software. This will take a few
minutes. When the uninstall is complete, click Finish.
Windows
To uninstall Metasploit Pro from your Windows machine:
1. Navigate to Start > All Programs > Metasploit and select Uninstall Metasploit.
2. Click Yes if you wish to delete all saved data from the penetration tests. Otherwise, click
No, which will leave the entire /apps directory intact. All Pro data can be found in this
directory.
Metasploit will then begin to shut down its services and remove all components of the
software. This will take a few minutes. When it has completed, click Finish.
1. Creating a project
2. Discovering devices
3. Gaining access to hosts
4. Taking control of sessions
5. Collecting evidence from target hosts
6. Cleaning up sessions
7. Generating reports
To provide a better overview of how these tasks are interrelated, the following chart illustrates
the Metasploit Pro workflow and shows how each process maps to a real-world penetration
test.
Use the flow chart to identify the options that are available with each step (or task) and to
determine which methods work best for your penetration testing needs. Each of the following
steps is broken down into sections within this chapter and the options available for each step
are described in detail within their respective sections.
A Metasploit Pro Project consists of a name and network boundaries (optional). Network
boundaries help you set and maintain scope, which prevents you from targeting devices
outside of the range of intended devices and provides a default range for tasks.
Projects can be created when testing different networks or different components of one
network. For example, when doing an internal and external penetration test, you may want to
create separate projects for each test. This allows you to have separate reports for each test
scenario and enables you to perform comparisons between the test results.
Project Name – This can be any name. You can change it later using the Settings
button located on the Projects list page.
Network Range – These are the IP addresses that should be used as the defaults for
all new tasks.
Description – Provide a description for the project.
Your new project will be added to the bottom of the Projects list. To open the project, click on
the project name.
Editing Projects
To edit a Project:
1. Click on the Home link (located in the navigational breadcrumbs) to access the Projects
page.
2. Click the Settings button for the project you would like to edit.
Network Boundaries
Network boundaries allow a Metasploit Pro administrator to lock tasks to a specific range,
defined in the project options. The tasks that support this option are discovery, bruteforce,
exploitation and reporting.
Host Tagging
Host tagging enables you to assign an identifier with a descriptive message to one or more
hosts. Tags can be used to organize assets, create work queues, and track findings for
automatic inclusion into the generated reports. A tag consists of a single word (no spaces)
that has a description and three flags indicating whether the tag should be displayed in the
generated reports. Hosts that are assigned a tag can be referenced throughout the product by
prefixing the tag with a pound or hash (#). Most components of the product allow a #tag to be
used in place of an included IP address or range. This simplifies the process of testing a
subset of the discovered systems. Tags can be added and removed easily through the Tags
tab of the user interface.
To tag hosts:
1. Click the Hosts tab.
2. Select the hosts you want to tag.
3. Enter a name for the tag in the field next to the Tag button.
4. Click the Tag button. All specified hosts will be grouped using the Host Tag.
5. Once you have tagged your hosts, you can modify the attributes for each Host Tag. To do
this, click on the Tags tab.
6. For each Host Tag, you can do any of the following:
Enter a description in the Description field.
Enable the Include in report summary option.
Enable the Include in report details option.
Enable the Critical Finding option.
Deselect any hosts you no longer want to include in the Host Tag.
7. Click the Update button for each Host Tag you have modified.
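The network boundary and #tag mechanisms described above both act on the target address list of a task: a #tag stands in for the hosts carrying that tag, and the project's network range decides whether a resolved address may be targeted at all. The following added example (not Metasploit Pro code) shows that resolution end to end: it expands a mixed target string of addresses, CIDR ranges and #tags into a host list, rejects tag names that are not a single word, and then splits the result into in-scope and out-of-scope hosts against the project range. The tag table, hosts and ranges are constructed; the product keeps the real ones in its datastore.

```python
"""Resolve #tags in a target specification and enforce the project network boundary.

Added example, not Metasploit Pro code. TAGS and the sample ranges are constructed.
"""
import ipaddress
import re

# A tag is a single word with no spaces, per the guide.
TAG_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed tag table: tag name -> hosts that carry the tag.
TAGS = {
    "servers": ["10.10.1.5", "10.10.1.6"],
    "windows": ["10.10.1.6", "10.10.2.20"],
}


def validate_tag(name):
    """Raise ValueError for tag names that are not a single word."""
    if not TAG_RE.match(name):
        raise ValueError(f"invalid tag name: {name!r}")
    return name


def expand_targets(spec, tags=TAGS):
    """Expand 'a.b.c.d, x.y.z.0/24, #tag' into a sorted, de-duplicated host list.

    Unknown tags expand to nothing rather than raising, mirroring an empty
    tag; a tag name containing spaces is rejected.
    """
    hosts = set()
    for item in (part.strip() for part in spec.split(",")):
        if not item:
            continue
        if item.startswith("#"):
            hosts.update(tags.get(validate_tag(item[1:]), []))
        elif "/" in item:
            network = ipaddress.ip_network(item, strict=False)
            hosts.update(str(h) for h in network.hosts())
        else:
            hosts.add(str(ipaddress.ip_address(item)))
    return sorted(hosts, key=ipaddress.ip_address)


def enforce_boundary(hosts, network_range):
    """Split hosts into (in_scope, out_of_scope) against the project boundary.

    network_range may hold several comma-separated CIDRs, as a project's
    Network Range setting can.
    """
    nets = [ipaddress.ip_network(n.strip(), strict=False)
            for n in network_range.split(",") if n.strip()]
    in_scope, out_of_scope = [], []
    for h in hosts:
        addr = ipaddress.ip_address(h)
        (in_scope if any(addr in n for n in nets) else out_of_scope).append(h)
    return in_scope, out_of_scope


if __name__ == "__main__":
    targets = expand_targets("10.10.1.0/30, #windows")
    allowed, blocked = enforce_boundary(targets, "10.10.1.0/24")
    print("in scope:", allowed)
    print("blocked by network boundary:", blocked)
```

In the sample run the #windows tag pulls in a host on 10.10.2.0/24, which the 10.10.1.0/24 boundary then excludes; that is exactly the case a boundary exists to catch when tags accumulate hosts from several ranges.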
Host Comments
Host comments enable you to provide detailed descriptions or additional information about a
particular host. These comments are visible to all users.
Discovering Hosts
The first step in penetration testing is host discovery. Discovery is the Metasploit Pro term for
querying network services in an attempt to identify and fingerprint valid hosts. It enables
Metasploit Pro to determine the details of all the hosts in a target address range and
enumerate the listening ports. Please note that you are responsible for supplying Metasploit
Pro with a valid target address range.
6. Enter the Portscan Timeout in minutes. This is a per-host timeout that is passed to
Nmap.
7. Select whether to run UDP Services Discovery.
8. Select whether you want to Enumerate users via Finger.
9. Select whether you want Identify Unknown Services enabled.
10. Select Single Scan to scan each host individually.
11. Select Dry Run to determine what the scan will do without actually running the scan.
12. Optionally, you can set Additional TCP Ports, Excluded TCP Ports, and Custom TCP
Port Ranges, and Custom TCP Source Ports to scan outside the default ports typically
used in vulnerability scanning. The Custom ports option will ignore the standard ports
scanned by Metasploit Pro and scan just the port range entered. You can also enter an
SMB Username, SMB Password, and SMB Domain; this information will be used by
Metasploit Pro with SMB username and share discovery across the network.
After a scan is initiated, a Task page with a real-time log with a progress bar of the scanning
process will open in the Metasploit Pro interface. This task will be classified as “Discovering”.
Leaving this page will not interrupt the scanning process. If you leave and want to review the
scanning task log later, you can click the Tasks tab for this project and click on the task
number.
When the scan is complete, you can click the project name in the page breadcrumbs to go
back to the Overview page, where the total number of hosts discovered during the scan will
be revealed in the Discovery pane.
Note: If a bruteforce is kicked off before the scan task has finished normalizing data, you
may experience inaccurate results. It is suggested that you always allow scans to finish
completely before performing additional actions on the hosts.
Before you can run a NeXpose scan, you must download, install, and configure NeXpose.
Note: Metasploit Pro currently only supports scanning the number of hosts that are
licensed in NeXpose; if you supply more than your licensed number of hosts (32 in
Community), the scan will fail.
NeXpose Server & Port – Defines the local or remote NeXpose server that will be
used to perform discovery scanning.
5. Select a Scan Template; this is the template that will be used to scan the network. Only
predefined templates are supported.
Penetration Test Audit – Performs an in-depth penetration test of all systems using
only safe checks. Host-discovery and network penetration options will be enabled,
allowing NeXpose to dynamically discover additional systems in your network to target.
In-depth patch and hotfix checking, policy compliance checking, and application-layer
auditing will not be performed.
Full Audit – Performs a full network audit of all systems using only safe checks,
including network-based vulnerabilities, patch/hotfix checking, and application-layer
auditing. Only default ports are scanned, and policy checking is disabled, making this
faster than the Exhaustive scan.
Exhaustive – Performs an exhaustive network audit of all systems and services using
only safe checks, including patch/hotfix checking, policy compliance checking, and
application-layer auditing. Performing an exhaustive audit could take several hours or
even days to complete, depending on the number of hosts selected.
Discovery – Performs a discovery scan to identify live devices on the network,
including host name and operating system. No further enumeration, policy or
vulnerability scanning will be performed.
Aggressive Discovery – Performs a fast and cursory discovery scan to identify live
devices on high speed networks, including host name and operating system. Packets
are sent at a very high rate which may trigger IPS/IDS sensors, SYN flood protection
and exhaust states on stateful firewalls. No further enumeration, policy or vulnerability
scanning will be performed.
DoS Audit – Performs a basic network audit of all systems using both safe and unsafe
(denial-of-service) checks. In-depth patch/hotfix checking, policy compliance checking,
and application-layer auditing will not be performed.
6. Enter the Scan Credentials that will be used to scan the hosts. This information is
optional. Please note that multiple credentials are not supported; you will need to use
NeXpose directly for multiple credential support.
Note: Raw XML is only available in commercial editions of NeXpose, and includes much
more vulnerability information. Use this format when available.
Host Tagging
Host tagging enables you to tag your hosts and services. This feature is useful if you have
hosts and services existing on different IP ranges. For example, using the host tagging
feature, you can tag hosts that are “servers”, “windows hosts”, etc.
Once you've tagged your hosts, you have the option of modifying the attributes for each Host
Tag – including whether to include the hosts in the report summary, report details, and critical
findings.
To tag hosts:
1. Click the Hosts tab.
2. Select the hosts you want to tag.
Web Scanning
Web scanning is the process of spidering Web pages and applications searching for active
content and forms. There are two ways to access the Web scanning feature: from the
Overview page or from the Web Apps page.
Note: You may need to configure the spider settings multiple times before you get the
results you want. Typical applications can take 5,000 or more requests to spider.
Please note that these URLs were obtained from a previous scan or import.
8. Click the Launch Scan button.
Bruteforcing Hosts
In Metasploit Pro, the Bruteforce task attempts a large number of common username and
password combinations to gain access. You can use a number of preset bruteforce profiles
that allow you to tailor the attack to the appropriate environment. Alternatively, credentials can
be supplied through the import interface. Additionally, you can utilize your own wordlists (see
'Using your own credentials' below).
Metasploit Pro will color-code bruteforce task logs to help you identify successes and failures.
All successes will be recorded in the database as authentication notes, and you will be alerted
via the Hosts tab.
In the interface, you can select services you want to target in the bruteforce. Your choices are
SMB, Postgres, DB2, MySQL, MSSQL, HTTP, HTTPS, SSH, Telnet, FTP, Exec, Login, Shell,
VNC, and SNMP. The table shows the lockout risk of each service.
To bruteforce hosts:
1. Select a project from the Projects list. This will open the project's Overview page. (Note:
You can also access the Bruteforce button from the Overview page; however, this will
bruteforce all hosts. If you want more granular control over the hosts, then you should
configure the bruteforce attack from the Hosts page).
1. Click the Hosts tab. This will open the Hosts page. If you have not run a discovery scan
yet, you should do so at this time.
2. Select the hosts you would like to bruteforce. Use the Toggle button to select or deselect
all.
3. Click the Bruteforce button.
4. The Target Addresses field will be populated with the hosts found in the last scan. You
can edit this list by adding and removing addresses.
5. Enter any hosts you would like to exclude from the bruteforce attack in the Excluded
Addresses field.
6. Add your own credentials to the Additional Credentials field. Use the following format for
your credentials: username password.
If you are importing large sets of untested credentials or you are running scans in normal,
deep, and import only modes, use the Advanced Credential Management interface.
Note: The Additional Credentials field should only be used for known credentials and for
bruteforce attacks running with the Include known credentials option enabled.
All imported credential data can be downloaded and viewed as a single text file.
Deleting credentials will remove all imported credential data from your system.
Automated Exploitation
Automated exploits leverage known vulnerabilities on a device. Metasploit Pro provides two
options for running automated exploits: you can run all exploits or you can individually select
the exploits you want to run against your targets.
Note: The exploits that will be available depend on what you have selected for Minimum
Reliability.
Automated exploits are distinct from the bruteforce modules because they utilize a payload
(reverse connect or bind listener) and do not abuse normal authenticated control
mechanisms. The exploit feature cross-references open ports, imported vulnerabilities, and
fingerprint information with Metasploit exploit modules.
o Excellent – Exploits will never crash the service. Exploits with this ranking include
SQL Injection, CMD execution, and certain weak service configurations. Most web
application flaws fall into this category.
o Great – Exploits will have a default target and either auto-detect the appropriate
target, or use an application-specific return address after running a version check.
These exploits can crash the target, but are considered the most likely to
succeed.
o Good – Exploits have a default target and it is the "common case" for this type of
software (English, Windows XP for a desktop app, 2003 for server, etc.).
o Normal – Exploits are reliable, but depend on a specific version and cannot reliably
auto-detect.
o Average – Average-ranked exploits are difficult to reliably leverage against some systems.
o Low – The exploit fails more than 50% of the time for common platforms.
Select whether to Skip exploits that do not match the host OS.
Select whether to Match exploits based on open ports.
Select whether to Match exploits based on vulnerability references.
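The passage above describes automated exploitation as a cross-reference of open ports, imported vulnerability references and the OS fingerprint against module metadata, filtered by the reliability ranking. The following added example (not Metasploit Pro code) models that selection so the effect of Minimum Reliability and the three match options can be seen on a small constructed host. The module records use placeholder names, not real Metasploit modules, and the rule that a module is kept when any enabled matcher ties it to the host is an assumption made for the example, not a documented product behaviour.

```python
"""Model the automated-exploit selection described in the guide.

Added example, not Metasploit Pro code. MODULES and HOST are constructed and the
module names are placeholders. The combination rule for the match options is an
assumption: a module survives when any enabled matcher links it to the host.
"""

# Reliability ranks from the guide, best first.
RANKS = ["excellent", "great", "good", "normal", "average", "low"]


def rank_at_least(rank, minimum):
    """True if `rank` is as reliable as `minimum` or better."""
    return RANKS.index(rank) <= RANKS.index(minimum)


# Constructed module metadata (placeholder names, placeholder CVE references).
MODULES = [
    {"name": "exploit/example/web_sqli", "rank": "excellent", "os": "any",
     "ports": [80, 443], "refs": ["CVE-0000-0001"]},
    {"name": "exploit/example/smb_bof", "rank": "great", "os": "windows",
     "ports": [445], "refs": ["CVE-0000-0002"]},
    {"name": "exploit/example/ftp_old", "rank": "average", "os": "linux",
     "ports": [21], "refs": []},
    {"name": "exploit/example/rpc_guess", "rank": "low", "os": "windows",
     "ports": [135], "refs": []},
]

# Constructed host record, as a discovery scan plus a vulnerability import would leave it.
HOST = {"os": "windows", "open_ports": [80, 135, 445], "vuln_refs": ["CVE-0000-0002"]}


def select_exploits(host, modules, minimum="great", skip_os_mismatch=True,
                    match_ports=True, match_refs=True):
    """Return names of modules that pass every enabled check, best rank first."""
    chosen = []
    for m in modules:
        # Minimum Reliability: drop anything ranked below the threshold.
        if not rank_at_least(m["rank"], minimum):
            continue
        # "Skip exploits that do not match the host OS".
        if skip_os_mismatch and m["os"] not in ("any", host["os"]):
            continue
        # "Match exploits based on open ports" / "... on vulnerability references".
        hits = []
        if match_ports:
            hits.append(any(p in host["open_ports"] for p in m["ports"]))
        if match_refs:
            hits.append(any(r in host["vuln_refs"] for r in m["refs"]))
        if hits and not any(hits):
            continue
        chosen.append(m)
    chosen.sort(key=lambda m: RANKS.index(m["rank"]))
    return [m["name"] for m in chosen]


if __name__ == "__main__":
    for minimum in ("excellent", "great", "low"):
        print(f"minimum reliability {minimum}:", select_exploits(HOST, MODULES, minimum))
```

Lowering Minimum Reliability from great to low adds the low-ranked module to the sample host's list, while the OS check keeps the Linux-only module out regardless; turning off port matching and relying on vulnerability references alone narrows the list to the single module whose reference the import supplied.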
7. Under the Payload Settings section:
Click the Payload Type dropdown button to select whether the payload is Meterpreter
or Command shell.
Click the Connection Type dropdown button to select whether the connection type is
reverse, bind, or auto (determined by Metasploit Pro).
Enter the port or range of ports that will be used for reverse connect payloads in the
Listener Ports field. You may need to define more than one port for some exploits.
Enter the IP address for the payload to connect back with in the Listener Host field.
8. Under the Advanced Settings section:
Select the number of exploits you wish to run concurrently from the Concurrent
Exploits dropdown menu. The range is 1-10 simultaneous exploits.
Enter the maximum amount of time (in minutes) each exploit can run in the Timeout in
Minutes field.
Click the Transport Evasion dropdown button to select whether it is low, medium, or
high.
Manual Exploitation
Manual exploitation provides more granular control over the modules that are used in your
exploits. This method of gaining access enables you to select the modules and define the
module and evasion options.
In the same way that you would select exploit modules using the automated method, you can
use the same steps to determine which modules would best suit your test scenario and test
requirements.
Each open session will display a list of post-exploitation modules that are applicable for that
session.
Web Auditing
Web Auditing is the process of searching for vulnerabilities in Web forms and active content
that have been discovered on the target systems. The Web Auditor can discover the following
classes of issues: XSS, SQL Injection, and LFI/RFI.
You must perform a WebScan before you can use this feature.
Command shell sessions – These sessions allow you to run collection scripts and give
you a shell to run arbitrary commands against the host.
Meterpreter sessions – These sessions are much more powerful. They enable you to
gain access to the device using VNC and enable you to upload/download sensitive
information using a built-in file browser.
The type of session is determined by the mechanism used to create the session and the type
of environment on which the session runs; Meterpreter shells are currently only available for
All other successful authentication will result in an authentication note attached to the host,
and an entry in the corresponding reports. Some protocols and servers do not allow you to
execute commands directly. For example, you can utilize FTP to bruteforce credentials, but
once a valid credential is found, commands cannot be run directly on the server, thus, no
session can be obtained.
When cases like this are identified during a bruteforce or an exploit, an alert appears next to
your project's Hosts tab indicating that a valid account was identified, but that a session was
not able to be created. If new credential information is found for a particular host, you can
utilize these credentials to authenticate to the host outside of Pro.
Note: In order to interact with a Meterpreter session, you must have a session on an
exploited Windows target open.
Metasploit Pro cannot create a bridge to a network that it is already attached to because this
will cause a conflicting route for the target network system. Therefore, you should verify that
Metasploit Pro does not have a direct connection to any networks with the exact same IP
range and netmask as your target network.
Note: In order to provide VPN Pivot functionality on the Windows platform, Metasploit Pro
must install a new network driver. This driver, called msftap.sys, creates four virtual
interfaces on the installed system. This provides the ability to run up to four concurrent
VPN Pivot sessions. These drivers are automatically installed when the MetasploitProSvc
service starts if the virtual interfaces are not found. To reinstall or uninstall these drivers,
two batch scripts are present under $INSTALLROOT\apps\pro\data\drivers\<arch>\. These
scripts may be used to disable the VPN Pivot virtual interfaces or restore a previously
removed driver.
Metasploit Pro contains a VNC client in the form of a Java applet. Please install the latest
Java for your platform at: http://www.java.com/en/download/manual.jsp. Additionally, an
external client – such as VNC Viewer – can be used.
Accessing a Filesystem
For Meterpreter sessions, you can use the Metasploit Pro interface directly to browse the file
system. You can also upload files to the filesystem, or download or delete files from it.
Web Exploitation
The Web Exploits feature allows you to exploit vulnerabilities found during the Web Audit.
Note: You must perform a Web Scan and Web Audit before you run a Web Exploit.
Reverse – A connection will be initiated from the target system to this system.
Bind – Forces the target to open a listening port.
Auto – Selects the best method for connection.
5. Select the vulnerabilities that will be exploited from the Target Web Vulnerabilities list.
Use the Toggle option to select or deselect all options.
6. Click the Launch Exploits button.
Evidence is an indicator of the success of exploits and can be used for further analysis and
penetration. The evidence typically includes system information, screenshots, password
hashes, SSH keys, and other sensitive information.
Evidence collection will begin and you can review the progress by clicking the Task tab.
Reporting
You have two options for viewing reports: you can either view a live report, which details the
most current (but incomplete) test information and statistics, or you can generate a report,
which you can download and export to multiple formats (e.g., PDF, Word, RTF, XML, etc.).
These reports summarize all the information discovered during the penetration test.
Executive Summary: A high-level summary of the actions taken during the project and
the results.
Detailed Audit Report: A large report containing every detail of this project
Compromised Hosts: A report focused on the systems compromised
Network Services: A report focused on the exposed network services
System Evidence: A report focused on the data collected from compromised systems
Authentication Tokens: A report focused on the usernames and passwords obtained
Generating Reports
The reports page also provides the opportunity to create and store generated reports, which
are PDF, XML, and ODT reports that summarize all the findings in the penetration test.
Reports will be archived on the Metasploit Pro server and can be downloaded at any time.
Metasploit Pro tests for and reports on the following PCI standards:
2.2.1 – Implement only one primary function per server to prevent functions that require
different security levels from co-existing on the same server.
2.3 – Encrypt all non-console administrative access such as browser/Web-based
management tools.
6.1 – Ensure that all system components and software have the latest vendor-supplied
security patches installed. Deploy critical patches within a month of release.
8.2 – Employ at least one of these to authenticate all users: password or passphrase; or
two-factor authentication.
8.4 – Render all passwords unreadable for all system components both in storage and
during transmission using strong cryptography based on approved standards.
8.5 – Ensure proper user authentication and password management for non-consumer
users and administrators on all system components.
8.5.8 – Do not use group, shared, or generic accounts and passwords, or other
authentication methods.
8.5.10 – Require a minimum password length of at least seven characters.
8.5.11 – Use passwords containing both numeric and alphabetic characters.
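As an added example that is not part of this guide, the following Ruby script applies the 8.5.8, 8.5.10 and 8.5.11 checks listed above to credentials recovered during a test, so that a report can flag which findings map to which requirement. The generic-account list and the sample credential lines are constructed for this example; the first three sample lines are taken from the Quick bruteforce list documented later in this guide.

```ruby
# Added example: map recovered credentials to the PCI DSS password checks
# this guide reports on (8.5.8, 8.5.10, 8.5.11). Not part of Metasploit Pro.

PCI_CHECKS = {
  '8.5.8'  => 'group, shared, or generic account',
  '8.5.10' => 'password shorter than seven characters',
  '8.5.11' => 'password lacks both numeric and alphabetic characters',
}.freeze

# Account names treated as generic/shared. This list is an assumption made
# for the example; PCI DSS does not define one.
GENERIC_ACCOUNTS = %w[admin administrator root test user guest].freeze

# Returns the list of PCI requirement ids that a single credential violates.
def pci_findings(username, password)
  findings = []
  findings << '8.5.8'  if GENERIC_ACCOUNTS.include?(username.downcase)
  findings << '8.5.10' if password.length < 7
  has_digit = password.match?(/[0-9]/)
  has_alpha = password.match?(/[A-Za-z]/)
  findings << '8.5.11' unless has_digit && has_alpha
  findings
end

# Parses one "user:pass" line; a missing password is treated as blank,
# which is how the Quick depth also tries every username.
def parse_credential_line(line)
  user, pass = line.strip.split(':', 2)
  [user, pass || '']
end

# Audits every non-empty line and returns { "user:pass" => [ids] }.
def audit_credentials(lines)
  lines.each_with_object({}) do |line, report|
    next if line.strip.empty?
    user, pass = parse_credential_line(line)
    report["#{user}:#{pass}"] = pci_findings(user, pass)
  end
end

# Constructed sample input for the example.
SAMPLE = <<~CREDS
  Admin:admin
  Test:test1234
  root:toor
  svc_backup:Xk9q2pLm
CREDS

if __FILE__ == $PROGRAM_NAME
  audit_credentials(SAMPLE.lines).each do |cred, ids|
    status = if ids.empty?
               'OK'
             else
               ids.map { |i| "#{i} (#{PCI_CHECKS[i]})" }.join('; ')
             end
    puts "#{cred.ljust(24)} #{status}"
  end
end
```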
After the report has finished generating, you will need to download the report from the
Generated Reports area.
Deleting Reports
To delete a report:
1. Click the Reports tab.
Types of Modules
Metasploit Pro's modules tab provides three types of modules: Exploits, Auxiliary, and Post.
Most modules available in the framework are available in Metasploit Pro; however, certain
modules may be excluded if their dependencies are not available. While this is subject to
change, currently-excluded modules include those depending on the following libraries:
When the results are returned, you can click on any Module name to view more detailed
information about that module and view all the configurable options for a manual attack.
SRVHOST – This refers to the address on which the local host will listen.
SRVPORT – This refers to the port on which the local port will listen.
SSL – Select this option to enable SSL negotiations for incoming SSL connections.
SSL Version – This refers to the version of SSL that will be used. SSL1, SSL2, and
SSL3 are supported.
11. Set the Advanced Options. Advanced options vary from module to module depending on
the exploit used; however descriptions for each option are provided next to the option
name.
12. Set the Evasion Options. Evasion options vary from module to module, depending on the
exploit used; however, descriptions of each evasion option are provided next to the option
name.
13. Click the Launch Attack button.
Social Engineering
Many of the vulnerabilities released in recent years have been client-side vulnerabilities,
which means they are exploitable only through vectors reachable by a local user and not by a
remote user. A PDF containing an exploit is a good example of a client-side exploit;
therefore, a delivery mechanism is required to exploit these vulnerabilities. Email is the
most widely used delivery mechanism, and Metasploit Pro natively supports this.
Metasploit Pro enables you to set up Campaigns, which encompass client-side exploits and
phishing attacks. These Campaigns allow you to define Web server configurations, e-mail
configurations, and e-mail templates, which will be used to exploit client-side vulnerabilities.
In order to create a Campaign, you will need to create a Web server, set up the credentials for
the email account used to send the Campaign, upload a list of email addresses (a .txt file with
addresses comma separated), and create an email template.
To set up a Campaign:
1. Click on the Campaigns tab.
2. Click the New Campaign button.
3. Enter a name for the Campaign in the Campaign Name field.
4. Under the Web Settings area, select whether to Start a web server for the Campaign.
5. If you have selected to start a Web server:
Enter in the Web URI for it in the Web URI for Exploits field;
Enter the port number in the Web Port field (default 80);
Select whether to use SSL.
Note: If you did not choose to start a Web server, leave these fields blank, as they will not
be used.
Enter the SMTP server that will be used in the SMTP Server field;
Enter the SMTP port that will be used in the SMTP Port field (default 465);
Select whether to use SSL;
Enter the SMTP username in the SMTP Username field;
Enter the SMTP password in the SMTP password field;
Enter the sender address in the From address field;
Click the Browse button to locate the .txt file that contains all the email addresses to
which the Campaign will be sent.
Note: If you did not choose to send email, leave these fields blank, as they will not be
used.
8. Under the USB Drive Campaign area, select whether to Generate an executable for
manual delivery. This will generate a connect-back binary.
9. If you have selected to generate an executable:
Enter the Reverse connection address. The default address is 10.0.0.20.
Enter the Reverse connection port.
Enter an EXE filename.
10. Click the Save button. A new page will open, allowing you to create an email template for
the Campaign.
11. Enter a name for the template in the Template Name field.
12. Enter a subject for the email in the Subject field.
13. Enter a body for the email in the Body field.
14. Click the Add Attachment link to add an attachment to the email.
After you have created a Campaign, the next step is to create an email template.
Note: This screen will display only if you have enabled the Send e-mail option for the
Campaign.
After you have created an email template, the next step is to create a Web Template.
Once you have created a Web Template, you can now import email addresses that will be
used for the Campaign.
The window to import addresses will display after you finish creating the Web Template.
Once you have imported all your addresses, you are ready to run the Campaign.
Running a Campaign
Once you have created all components of a Campaign – including creating the email template
and Web template and importing email addresses to phish – you are ready to run the
Campaign.
To run a Campaign:
1. Click the Campaigns tab.
2. Click on a Campaign Name. This will open up the Campaign's details page.
3. Click the Start Campaign button.
The first step is to run a Web Scan; this will determine if there are any active forms or content
running on the host. Once forms have been discovered, you can audit the Web Apps, and
Metasploit Pro is capable of finding Cross Site Scripting (XSS), SQL Injection (SQLi), Remote
and Local File Include, and Command Injection issues. It is also capable of replaying both
XSS and SQLi and exploiting Remote File and Command Injection.
Note: You may need to configure the spider settings multiple times before you get the
results you want. Typical applications can take 5,000 or more requests to spider.
Please note that these URLs were obtained from a previous scan or import.
8. Click the Launch Scan button.
Portscan Timeout (Discovery Settings) – The Portscan Timeout setting determines the amount
of time Nmap spends on each host. By default, this value is set to five minutes.
UDP Service Discovery (Discovery Settings) – The UDP Service Discovery option sets the scan
to find all services currently on the network.
Identify Unknown Services (Discovery Settings) – The Identify Unknown Services option sets
the scan to find all unknown services and applications on the network.
Bruteforce Settings
The following table describes the different scan settings that are available for bruteforcing.
Bruteforce Depth – Quick: tries the following credentials:
Admin:admin
Admin:admin1
Admin:admin!
Test:test
Test:test1234
test123:test123
cisco:cisco
user:user
administrator:administrator
root:root
root:toor
All usernames are then tried with [blank] passwords. Known credentials will be prepended to
this quick list as well, as is the case for all credential generation strategies. Approximately
20 credentials are generated for all services to be bruteforced.
The other Bruteforce Depth settings are Defaults Only, Normal, Deep, and Known.
Ignore Known-Fragile Devices – This option allows you to bypass any known-fragile devices.
Skip Exploits that Do Not Match the Host OS – This option allows you to bypass any exploits
that do not apply to the target OS.
Run Payloads – Valid authentication credentials from the previous step should lead to the
remote execution of a Metasploit payload, if possible. For SMB, this is psexec; for MSSQL
this is mssql_payload, etc.
This option enables you to send small TCP packets and insert
delays between them.
DCERPC
Low – Adds fake UUIDs before and after the actual UUID
targeted by the exploit.
High – Sets the maximum fragmentation size of DCERPC
calls to a value between 4 and 64.
SMB
Excluded Addresses – These are all IP addresses that will not be tested. If the IP has not been
included in the "Target Addresses" box, it does not need to be specifically excluded.
Advanced Options
ContextInformationFile – This refers to the information file that holds the context
information.
DisablePayloadHandler – Select this option to disable the handler code for the selected
payload.
DynamicSehRecord – Select this option to generate a dynamic SEH record.
EnableContextEncoding – Select this option to use transient context when payloads are
being encoded.
Bruteforce
Discovery
Exploitation
Evidence collection
Report generation
Task log generation
User information retrieval
pro_bruteforce
This command bruteforces the specified addresses or address range. If no addresses are
specified, the network range will be used. The default scope setting is normal, but it can be
set to quick, normal, deep, known, or defaults.
Options
Syntax
Example
pro_collect
Gathers evidence – such as hostname, OS name and version, passwords and hashes, and
ssh keys – from either the specified session or from all open sessions.
Options
Syntax
Example
pro_discover
This command scans for all hosts. If no host addresses are provided, the system will use the
project's network range.
Options
Syntax
pro_discover <address>
Example
pro_discover 10.0.0.0/24
pro_exploit
This command enables you to exploit target hosts. If no hosts are specified, then the system
will use the project's defined network range.
Options
-b <opt> Defines the Host blacklist (do not include the specified hosts).
-d Performs a dry run of the bruteforce.
-ea <opt> Sets the evasion level for target applications. Levels can be set between
1 and 3.
-et <opt> Sets the evasion level for TCP. Levels can be set between 1 and 3.
-h Displays the help for the specified command.
-l <opt> Sets LHOST for all payloads.
-m <opt> Sets the payload method to auto, bind, or reverse.
-p <opt> Defines the custom ports in nmap format.
-pb <opt> Quits bruteforce attempts after logging in successfully.
-r <opt> Sets the minimum rank of exploits to try.
Syntax
pro_exploit 10.0.0.0
pro_report
This command generates a report from the current penetration test. All hosts that are in the
active penetration test will be included in the report. The generated report will be located in
the reports directory: c:/Metasploit/apps/pro/reports.
Options
Syntax
pro_report -t <report_format>
Example
pro_report -t pdf
pro_tasks
This command shows you the tasks that are currently running in the test and enables you to
display a log for and/or kill a task.
Options
Syntax
pro_tasks
pro_tasks -r
pro_tasks -k 1 -w 3
pro_user
This command, by itself, returns the current user for the project.
Options
Syntax
pro_user
Example
pro_user -l
version
This command returns the version for the project.
Options
Syntax
version
Example
version
db_add_cred
This command adds a credential to a host:port.
Options
Syntax
Example
db_add_host
This command adds one or more hosts to the database.
Options
Syntax
Example
db_add_host 10.0.0.1
db_add_note
This command adds a note to a host.
The type column uses a hierarchical format similar to OIDs, with the top level of the "tree"
listed first and each successive element connected with a period. The last item in the type
name is the actual value. For example, the type "host.os.updates.last_updated_time"
indicates a value called "last_updated_time" within the "updates" branch of the "os" child of
the "host" tree. A new sub-category should be created when more than two types can be
grouped within it.
Options
Syntax
Example
db_add_port
This command adds a port to a host.
Options
Syntax
Example
Options
Syntax
db_autopwn [options]
Example
db_autopwn -r -b -T 5
db_connect
This command enables you to connect to an existing database.
Options
Syntax
db_connect <username:password>@<host:port>/<database>
db_connect -y [path/to/database.yml]
Example
db_connect user:pass123@10.10.10.1/metasploit
db_creds
This command lists all the credentials that are in the database.
Options
Syntax
db_creds
db_del_host
This command deletes the specified hosts from the database.
Options
Syntax
db_del_host [<host>]
Example
db_del_host 10.10.10.1
db_del_port
This command deletes the specified port from the database.
Syntax
Example
db_destroy
This command drops an existing database.
WARNING: Running this without options will delete your current database.
Options
Syntax
db_destroy [<username:password>@<host:port>/<database>]
Example
db_destroy user:pass123@10.10.10.1/metasploit
db_disconnect
This command disconnects you from the current database.
Options
db_disconnect
Example
db_disconnect
db_driver
This command specifies a database driver.
Options
Syntax
db_driver [driver-name]
db_exploited
This command lists all the hosts that have been exploited in the database.
Options
Syntax
db_exploited
db_export
This command exports a file containing the contents of the database.
Options
Syntax
Example
db_hosts
This command lists all the hosts in the database.
Options
Syntax
db_hosts
db_import
This command imports a scan result file. Use this command in place of deprecated
commands – such as db_import_amap_log, db_import_amap_mlog, db_import_ip360_xml,
db_import_ip_list, db_import_msfe_xml, db_import_nessus_nbe, db_import_nessus_xml,
db_import_nmap_xml, and db_import_qualys_xml – to import files.
Options
Syntax
db_import <filename>
db_loot
This command lists all loot in the database.
Syntax
db_loot
db_nmap
This command executes nmap and automatically records the output.
Options
Syntax
db_nmap
db_notes
This command lists all notes in the database.
Options
Syntax
db_notes
db_services
This command lists all services in the database.
Options
Syntax
db_services
db_status
This command shows the current database status.
Options
Syntax
db_status
db_sync
This command synchronizes the database.
Options
Syntax
db_sync
db_vulns
This command lists all vulnerabilities in the database.
Options
db_vulns
db_workspace
This command enables you to switch between database workspaces.
Options
Syntax
Example
db_workspace
db_workspace -a w2 -d w3
Bruteforce Targets
Use the following chart to determine the bruteforce capabilities of Metasploit Pro. See the key
below for descriptions of bruteforce, session, and untested.
Exploit Targets
Metasploit Pro targets have been categorized into four tiers. This is the current state of the
target support:
Antivirus (AV) software such as McAfee, Symantec, and AVG will cause problems with
installation and at run-time. You MUST disable your AV before installing and using
Metasploit Pro.
Local firewalls, including the Windows Firewall, MUST be disabled in order to run exploits
successfully. Alternatively, the "bind" connection type may be used, but some exploits still
need to receive connections from the target host.
The RPC service (:50505) on Metasploit Pro runs as ROOT, so any Metasploit Pro
account has privileged access to the system on which it runs. In malicious hands, this can
lead to system or network damage. Please protect the service accordingly.
Metasploit Pro is intended only for authorized users. Run Metasploit Pro only on machines
you own or have permission to test. Using this software for criminal activity is illegal and
could result in jail time.