
A Beginner's Guide to Metasploit in Kali Linux (With Practical Examples)
By Rumaisa Niazi
Published Feb 11, 2022

Learn about the basic interface and modules of Metasploit and how to use them
to exploit MySQL vulnerabilities in Metasploitable 2.

Kali Linux comes pre-equipped with all the tools necessary for penetration
testing. One such tool is the Metasploit framework that allows red teamers to
perform reconnaissance, scan, enumerate, and exploit vulnerabilities for all types
of applications, networks, servers, operating systems, and platforms.

Even though the main functionality of Metasploit focuses on pre- and post-
exploitation pentesting tasks, it is also helpful in exploit development and
vulnerability research.
This article introduces the main components of the Metasploit framework. It
demonstrates how to use Metasploit modules for scanning, enumeration, and
exploitation on a vulnerable MySQL database hosted on a machine known as
Metasploitable 2.

Metasploit Interface and Its Modules


Metasploit is the most commonly used pentesting tool that comes pre-installed
in Kali Linux. The main components of Metasploit are msfconsole and the
modules it offers.

What Is msfconsole?
msfconsole is the most commonly used shell-like all-in-one interface that allows
you to access all features of Metasploit. It has Linux-like command-line support
as it offers command auto-completion, tabbing, and other bash shortcuts.
It's the main interface that'll allow you to work with Metasploit modules for
scanning and launching an attack on the target machine.

Metasploit Modules
Metasploit has small code snippets that enable its main functionality. However,
before explaining the modules, you must be clear about the following recurring
concepts:
- Vulnerability: A flaw in the design or code of the target that makes it
exploitable, leading to the disclosure of confidential information.
- Exploit: Code that takes advantage of the found vulnerability.
- Payload: Code that helps you achieve the goal of exploiting a
vulnerability. It runs inside the target system to access the target data, for
example maintaining access via Meterpreter or a reverse shell.
Now moving towards the five main modules of Metasploit:
- Auxiliary: The auxiliary module contains a set of programs such as fuzzers,
scanners, and SQL injection tools to gather information and get a deeper
understanding of the target system.
- Encoders: Encoders encode the payloads/exploits to protect them against
signature-based antivirus solutions. As payloads or exploits contain null or
bad characters, there are high chances for them to be detected by an
antivirus solution.
- Exploit: As discussed earlier, an exploit is code that leverages the target's
vulnerabilities to gain system access via payloads.
- Payload: As mentioned before, payloads help you achieve the desired goal
of attacking the target system. That means they will either help you get an
interactive shell or help you maintain a backdoor, run a command, load
malware, etc. Metasploit offers two types of payloads: stageless payloads
and staged payloads.
- Post: The post-exploitation module helps you gather further information
about the system. For instance, it can help you dump the password hashes
and look for user credentials for lateral movement or privilege escalation.
You can use the following commands to view each module and its categories:
cd /usr/share/metasploit-framework/modules
ls
tree -L 1 module-name/
How to Use Metasploit's Interface: msfconsole
To begin using the Metasploit interface, open the Kali Linux terminal and
type msfconsole.
By default, msfconsole opens up with a banner; to remove that and start the
interface in quiet mode, use the msfconsole command with the -q flag.

The interface looks like a Linux command-line shell. Some Linux Bash
commands it supports are ls, clear, grep, history, jobs, kill, cd, exit, etc.
Type help or a question mark "?" to see the list of all available commands you
can use inside msfconsole. Some of the most important ones that we will use in
this article are:

Command   Description
search    Searches the Metasploit database for modules matching the given
          protocol, application, or parameter
use       Selects a particular module and changes the context to module-specific commands
info      Provides information about the selected module
show      Displays information about the given module name and the options for the current module
check     Checks whether the target system has the vulnerability
set       Sets a context-specific variable that configures an option for the current module
unset     Removes a previously set parameter
run       Executes the current module


Before beginning, set up the Metasploit database by starting the PostgreSQL
server and initializing the msfconsole database as follows:
systemctl start postgresql
msfdb init

Now check the database status by starting msfconsole and running
the db_status command.

MySQL Exploitation Using Metasploit
For demonstration purposes, set up the open-source vulnerable Linux machine
Metasploitable 2.

MySQL Reconnaissance With msfconsole

Find the IP address of the Metasploitable machine first. Then, use
the db_nmap command in msfconsole with Nmap flags to scan the MySQL
database on port 3306.
db_nmap -sV -sC -p 3306 <metasploitable_ip_address>

You can run the regular nmap -p- <metasploitable_ip_address> command to
confirm the MySQL database's port number.
Use the search option to look for an auxiliary module to scan and enumerate the
MySQL database.
search type:auxiliary mysql
From the above list, you can use
the auxiliary/scanner/mysql/mysql_version module by typing the module
name or associated number to scan MySQL version details.
use 11

Or:
use auxiliary/scanner/mysql/mysql_version

Now use the show options command to display the parameters required for
executing the current module.
The output shows that the only required and unset option is RHOSTS, which is
the IP address of the target machine. Use the set RHOSTS command to set the
parameter, then run the module.

The output displays MySQL version details similar to those returned by
the db_nmap scan.

Bruteforce MySQL Root Account With msfconsole

After scanning, you can also brute force the MySQL root account via
Metasploit's auxiliary(scanner/mysql/mysql_login) module.
You'll need to set the PASS_FILE parameter to the path of a wordlist available
inside /usr/share/wordlists:
set PASS_FILE /usr/share/wordlists/rockyou.txt

Then, specify the IP address of the target machine with the RHOSTS option.
set RHOSTS <metasploitable-ip-address>
Set BLANK_PASSWORDS to true in case there is no password set for the root
account.
set BLANK_PASSWORDS true

Finally, run the module by typing run in the terminal.
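A mysql_login run like the one above leaves a burst of failed logins in the MySQL error log, which is what a defender watches for. The following Python script is an added example, not code from the article or from Metasploit: it parses constructed 5.7-style "Access denied" log lines (the log format, the threshold and the window size are assumptions, and the server must be logging failed logins) and flags any source host that fails too many logins inside a sliding window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of MySQL error-log lines (5.7-style format, assumed),
# as produced when many logins fail in quick succession against 'root'.
SAMPLE_LOG = """\
2022-02-11T10:00:00.000000Z 10 [Note] Access denied for user 'root'@'192.168.56.5' (using password: YES)
2022-02-11T10:00:00.200000Z 11 [Note] Access denied for user 'root'@'192.168.56.5' (using password: YES)
2022-02-11T10:00:00.400000Z 12 [Note] Access denied for user 'root'@'192.168.56.5' (using password: NO)
2022-02-11T10:00:00.600000Z 13 [Note] Access denied for user 'root'@'192.168.56.5' (using password: YES)
2022-02-11T10:00:00.800000Z 14 [Note] Access denied for user 'root'@'192.168.56.5' (using password: YES)
2022-02-11T10:05:00.000000Z 15 [Note] Access denied for user 'root'@'192.168.56.20' (using password: YES)
2022-02-11T10:30:00.000000Z 16 [Note] Access denied for user 'root'@'192.168.56.5' (using password: YES)
"""

# Matches both the 5.7 "[Note]" form and the 8.0 "[Warning] [MY-xxxxx] [Server]" form.
DENIED = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+\[\w+\].*?Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']+)' \(using password: (?P<pw>YES|NO)\)"
)


def parse_denials(text):
    """Yield (timestamp, user, source_host) for each 'Access denied' line."""
    for line in text.splitlines():
        m = DENIED.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
            yield ts, m["user"], m["host"]


def find_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_host: peak_failures} for hosts that reach `threshold`
    failed logins inside any sliding window of length `window`."""
    recent = defaultdict(deque)   # host -> timestamps of failures still in the window
    flagged = {}
    for ts, _user, host in parse_denials(text):
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[host] = max(flagged.get(host, 0), len(q))
    return flagged


if __name__ == "__main__":
    for host, n in find_bruteforce(SAMPLE_LOG).items():
        print(f"possible MySQL brute force from {host}: {n} failures within 60s")
```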

MySQL Enumeration With msfconsole

msfconsole also allows you to enumerate the database with the help of
the auxiliary(admin/mysql/mysql_enum) module. It returns all the accounts
with details such as associated privileges and password hashes.
To do that, you'll have to specify the password, username, and rhosts variables.
set password ""
set username root
set rhosts <metasploitable-ip-address>

Finally, run the module by typing:
run
MySQL Exploitation With msfconsole
From the enumeration phase, it's clear that the root account has the FILE
privilege, which enables an attacker to execute the load_file() function. The
function allows you to exploit the MySQL database by reading the contents of
the /etc/passwd file via the auxiliary(admin/mysql/mysql_sql) module.
Again, set the username, password, and rhosts variables. Then, execute a query
that invokes the load_file() function and loads the /etc/passwd file:
set sql select load_file(\"/etc/passwd\")
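From the defender's side, the enumeration and exploitation steps above succeed only because the root account has an empty password, is reachable from remote hosts, holds the FILE privilege, and secure_file_priv does not restrict load_file(). The following Python audit is an added example, not code from the article or Metasploit: it checks constructed rows shaped like the output of SELECT user, host, password, File_priv FROM mysql.user (on MySQL 5.7+ the column is authentication_string, an assumed difference) together with the value of @@secure_file_priv.

```python
# Constructed sample rows in the shape of
#   SELECT user, host, password, File_priv FROM mysql.user;
# (MySQL 5.x; on 5.7+ the column is authentication_string). Hash values
# are made-up placeholders, not real hashes.
USER_ROWS = [
    {"user": "root", "host": "%", "password": "", "File_priv": "Y"},
    {"user": "root", "host": "localhost", "password": "", "File_priv": "Y"},
    {"user": "app", "host": "10.0.0.%", "password": "*" + "A" * 40, "File_priv": "N"},
    {"user": "debian-sys-maint", "host": "localhost", "password": "*" + "B" * 40, "File_priv": "Y"},
]
# Value of @@secure_file_priv: "" means load_file() may read any file the
# mysqld process can read, which is exactly what the load_file() step relies on.
# A directory path limits reads to that directory; None (SQL NULL) disables them.
SECURE_FILE_PRIV = ""


def audit_accounts(rows, secure_file_priv):
    """Return (account, finding) pairs for the weaknesses the mysql_login,
    mysql_enum and mysql_sql steps depend on."""
    findings = []
    for r in rows:
        who = f"{r['user']}@{r['host']}"
        if r["password"] == "":
            findings.append((who, "empty password: a BLANK_PASSWORDS login succeeds"))
        if r["host"] == "" or "%" in r["host"]:
            findings.append((who, f"remote logins allowed from host pattern '{r['host']}'"))
        if r["File_priv"] == "Y":
            if secure_file_priv is None:
                scope = "nothing (secure_file_priv is NULL)"
            elif secure_file_priv == "":
                scope = "any file mysqld can read"
            else:
                scope = f"only files under {secure_file_priv}"
            findings.append((who, f"FILE privilege: load_file() returns {scope}"))
    if secure_file_priv == "":
        findings.append(("server", "secure_file_priv is empty; point it at a dedicated directory or set it to NULL"))
    return findings


def is_hardened(rows, secure_file_priv):
    """True when the audit raises no findings at all."""
    return not audit_accounts(rows, secure_file_priv)


if __name__ == "__main__":
    for account, finding in audit_accounts(USER_ROWS, SECURE_FILE_PRIV):
        print(f"{account:28} {finding}")
```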
Learn Metasploit for Penetration Testing on Linux
Metasploit modules help in all phases of penetration testing. Metasploit also
enables users to create their own modules.
This article summarizes some main modules of the Metasploit framework and
demonstrates how to scan, enumerate, and exploit a MySQL database on the
Metasploitable 2 machine.
Metasploit isn't the only penetration testing tool that you'll use as a cybersecurity
professional. There are several other utilities that you'll need to familiarize
yourself with if you want to become a security expert.
