Provide Understanding Of Metasploit Computer Science Essay


The practical phase of this project begins with setting up a penetration test environment that includes different user interfaces for the Metasploit Framework. During this phase, we shall see how to conduct a penetration test, followed by examining and summarizing the results and benefits of penetration testing. Finally, this report will explore the relation between computer forensics and penetration testing.


In the last decade, the Internet has been subject to extensive security attacks from a large collection of threats: worms, break-ins, crackers, hijacking, hackers, phreakers, spoofing, man-in-the-middle, password sniffing, denial of service, and many other attacks. Since the Internet was a result of academic research aimed at sharing information, high security measures were overlooked. In fact, in some of its modules security was intentionally weak for ease of sharing. Although the introduction of electronic commerce has pushed for "tougher security" on the Internet, there is still an enormous number of users extremely vulnerable to attacks, mostly because they are not aware of the simplicity of the attacks and still believe that a "strong" password is enough.

The success of the Internet has brought change to the world; however, not all of these changes have been positive. The increasing connectivity of computers through the Internet, the increasing extensibility of systems, and the unrestrained growth in the size and complexity of systems have made Internet security a bigger headache [1]. With thousands of sites introduced daily and limited means available to monitor the integrity and security of these sites, the existence of vulnerabilities was foreseeable.

Eventually, exploits became widespread, causing information security experts to step up and act. The result was the emergence of vulnerability testers who attempt to exploit such vulnerabilities before others get the opportunity. In an attempt to solve the security problem and comply with the required security procedures, security experts have developed several security assurance methods, including software engineering environments, layered design, proof of correctness, and penetration testing.

H.D. Moore founded the Metasploit Project in 2003. His sole purpose was to create a penetration testing tool that could be easily operated even by beginner users to carry out penetration testing, patch verification, and exploit development; the project is known today as the Metasploit Framework. Like any other security tool, this software is often described as a double-edged sword, since it could cause significant harm if used for the wrong cause [1].

Penetration testing is an inclusive method to test the operational, integrated, and trusted computing base [1]. The practice involves an active investigation of the system for any possible vulnerability, including poor or inadequate system configuration, software and hardware defects, and operational flaws in the process or technical measures [3].

Security functional testing is different from penetration testing. It validates the correct performance of the system's security controls, while penetration testing assesses how difficult and complex it is for an attacker to penetrate an institution's security measures that are meant to prevent unauthorized access to its information systems. It is done by imitating an unauthorized user attacking the system using either manual methods, automated tools, or a combination of both.

Understanding Metasploit Framework

The Metasploit Framework is a tool that collects exploits into one central location, ideally for security researchers. It was originally developed in the Perl scripting language. Version 1.0 was written solely by H.D. Moore in Perl, sporting a curses-based front-end. Version 2.0, also written in Perl, included the help of a few additional developers. For version 3.0, Metasploit received a complete overhaul. Written in the powerful scripting language Ruby, Metasploit 3.0 boasts the power of automation thanks to Ruby's status as an object-oriented language. Additionally, Metasploit is considered multi-platform, running on most variations of Unix and Windows [1].

The Metasploit Framework was developed with the purpose of making security experts' lives easier. The original major users were considered to be network professionals, network security administrators, developers, and other security researchers. Each would use the tool within the guidelines of their own discipline: network security professionals for penetration testing, security administrators for patch installation verification, product vendors for regression testing, and other security researchers for the development of further exploits [1].

1.3 Terminology

The Metasploit Framework can be a bit confusing for novice users, as the Linux distribution offers no graphical user interface (GUI). Therefore, learning the semantics and syntax of the framework is essential to effective use of the software.

The primary outline of the majority of attacks in Metasploit revolves around the following foundation:

1. Selecting an exploit and configuring it.

2. Inspection for susceptibility.

3. Selecting a payload and configuring it.

4. Selecting an encoding system.

5. Performing the exploit.

One of the key components of Metasploit is in fact the exploits. At the time of this paper's writing Metasploit contains 613 exploits, 306 auxiliary modules, 215 payloads, and 20 encoders. Exploits target specific Operating Systems, applications, and/or services [2].

Additionally, auxiliary modules exist within the context of Metasploit and can be declared just as easily as exploits. In Metasploit, an auxiliary module is defined as a module without a payload. Auxiliary modules serve as accessories to the Metasploit Framework and can be used in a variety of ways to expand the capabilities of the program. Just a few of their features include making Metasploit act as a vulnerability scanner, port scanner, HTTP client, FTP client, SMB client, etc. [1].

Next, there are the various payloads that exist for each exploit. After an exploit is initiated and the remote target or targets are selected, a payload must be selected to be executed after the breach. The payloads of Metasploit are operating-system specific, though generic payloads do exist [1].

Additionally, payloads in Metasploit come in three main variations: singles, stagers, and stages [3].

Singles are independent of any other component and are generally simple command-line executions, such as adding a user to a target system. Stagers establish a reliable network connection while remaining small enough to deliver the stage. Because acquiring both a reliable connection and limited overhead can sometimes be difficult, several variations of stagers exist.

Stages are the final piece of the puzzle of stagers as they provide the components for the stager to deploy. Table 1 shows the differences between the three in syntax form.

Table 1. Payload types (single, stager, stage) compared in syntax form; the table body was not recovered, and the three names are walked through in the text below.

Here you can see that the single payload type includes the whole process of 'shell_bind_tcp', while the latter two differ in path. The stager in this case is the 'bind_tcp' module, while 'shell' acts as the stage which the stager downloads and deploys [3].
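To make the naming convention behind Table 1 concrete, here is an added example (not from the essay and not Metasploit's own code) that splits a payload reference name into platform, optional architecture, stage and stager. The STAGE_NAMES and ARCH_TOKENS sets are assumptions kept deliberately short, so this is a heuristic reading of the name rather than Metasploit's authoritative module-type lookup.

```python
# Added example: read a Metasploit payload reference name the way Table 1 describes it.
# A single such as windows/shell_bind_tcp carries the whole payload in one module,
# while a staged payload such as windows/shell/bind_tcp names the stage (shell)
# and the stager (bind_tcp) as separate path components.
# The token sets below are assumptions: a short list of common stage and
# architecture names, not Metasploit's authoritative module metadata.

STAGE_NAMES = {"shell", "meterpreter", "vncinject", "dllinject", "upexec"}
ARCH_TOKENS = {"x86", "x64", "aarch64", "armle", "mipsle", "mipsbe"}


def classify_payload(ref):
    """Return a dict describing how a payload reference name is built.

    type is "single" or "staged"; staged payloads get "stage" and "stager",
    singles get "stage" (when recognisable) and "transport".
    """
    parts = [p for p in ref.strip().split("/") if p]
    if len(parts) < 2:
        raise ValueError("expected at least platform/name: %r" % ref)
    platform, rest = parts[0], parts[1:]
    arch = rest.pop(0) if rest and rest[0] in ARCH_TOKENS else None
    if not rest:
        raise ValueError("missing payload name: %r" % ref)
    info = {"ref": ref, "platform": platform, "arch": arch}

    # Staged form: .../<stage>/<stager>, e.g. windows/shell/bind_tcp
    if len(rest) >= 2 and rest[-2] in STAGE_NAMES:
        info.update(type="staged", stage=rest[-2], stager=rest[-1])
        return info

    # Single form: one component, e.g. windows/shell_bind_tcp or windows/adduser
    last = rest[-1]
    info.update(type="single", stage=None, transport=None)
    for stage in STAGE_NAMES:
        if last.startswith(stage + "_"):
            info.update(stage=stage, transport=last[len(stage) + 1:])
            break
    return info


def describe(ref):
    """One-line, human-readable summary of a payload name."""
    p = classify_payload(ref)
    if p["type"] == "staged":
        return "%s: staged, stager %s delivers stage %s" % (ref, p["stager"], p["stage"])
    if p["stage"]:
        return "%s: single, %s over %s in one module" % (ref, p["stage"], p["transport"])
    return "%s: single" % ref


if __name__ == "__main__":
    # Constructed sample names; the first two are the ones Table 1 contrasts.
    for name in ["windows/shell_bind_tcp", "windows/shell/bind_tcp",
                 "windows/x64/meterpreter/reverse_tcp",
                 "linux/x86/shell_reverse_tcp", "windows/adduser"]:
        print(describe(name))
```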

Overall, payloads serve as post-exploitation commands that can be as simple as adding a user to the targeted system or binding a command shell to a designated port. Additional options include VNC injection, remote shell execution, meterpreter execution, and backdoor installation [1].

Lastly, to provide another layer of obfuscation, payload encoders may be added to the exploit to ensure the connection between the attacker and victim remains encrypted. They work in much the same way as hashes, encapsulating the content of the payload with a predetermined key and obfuscating it from detection.

Now that we understand the terminology and origins of Metasploit, we can move on to the applications of the product. We will begin with a brief synopsis of a few common attacks, followed by some distinguishing characteristics of the Metasploit Framework. While Metasploit is primarily identified as a one-stop exploitation application, its purpose revolves not just around the exploitation of remote systems but also around the development of new exploits. With the 3.0 iteration of Metasploit, near-complete automation is possible, as scanning, fingerprinting, identifying vulnerabilities, exploiting, and reporting can all be configured with some degree of work.

2.1 Example Attacks

It is without a doubt that the field of computer security is an ongoing battlefield where the victor is decided solely by time. On the second Tuesday of every month, Microsoft releases patches for its many applications and operating system variations, in what has affectionately become known in the information security field as "Patch Tuesday." Upon their release, black hats of all kinds begin the reverse engineering process to discover the original vulnerability. Topping the list of commonly exploited programs are third-party applications such as Adobe Flash, Adobe Reader, JavaScript, and QuickTime. For the direct purpose of this paper, though, we'll address exploits pertaining to the Apache web server and Oracle.

Considering that web servers are among the most commonly attacked targets, it seems scary to think that Metasploit houses an exploit that can compromise an Apache web server within eight commands [4].

The attack we're referring to utilizes chunked encoding to specially craft an invalid request to the server, causing at the bare minimum a denial-of-service; on some OSes, though, remote code execution is possible. This is instigated by a stack overflow that is controllable on 64-bit OSes where return addresses are stored on the stack heap. In the collaborative experiment of Rajani, Mohamed, and Stansbury, the results indicated a successful breach, with remote code execution succeeding in the form of adding users with full permissions and writing files to the root directory of the web server [4].

In these days of prevalent e-commerce, some consider these additions to the Metasploit program haphazard.

Another big target for exploits is database servers, which house large amounts of data ranging from social security numbers to financial data. One of the leaders in database management is Oracle, with an approximate market share of 40 percent [5].

The majority of databases use the same language, Structured Query Language (SQL), so exploits targeting databases are often based on the use of this language. Because of this, no free penetration testing software currently offers an independent direct exploit for the system [6].

As we mentioned previously, a key feature of the Metasploit Framework is development. At the Black Hat USA conference in 2009, Chris Gates and Mario Ceballos presented a method for exploiting Oracle through SQL injection techniques utilizing custom-built auxiliary modules [6]. Their attack consisted of seven steps that make up what they considered the basis of pen testing:

1. Locate a system running Oracle.

2. Determine the Oracle version.

3. Determine the Oracle SID.

4. Guess or brute-force the username/password.

5. Privilege escalation via SQL injection.

6. Manipulate data / post-exploitation.

7. Cover tracks.

To do this, a separate auxiliary module was required for each step. To locate a system, the included Nmap was used to run a port scan searching for commonly used Oracle ports, 1521 to 1540. A homemade TNS mix-in was added to the Metasploit trunk, allowing it to craft TNS packets to determine the Oracle version. To guess the Oracle SID, a SID enumerator was used, as from a later Oracle version onward this information is no longer freely given out. Brute-forcing the username/password combination was done using the pre-existing auxiliary module for brute-force logins with a dictionary list by Pete Finnigan. Privilege escalation of the username gathered in step four was accomplished with a SQL injection vulnerability in the DBMS_EXPORT_EXTENSION package. For post-exploitation, the win32exec module was used to execute a remote command on the machine to create a user on the system for future access [6].

2.2 Meterpreter

One of the more powerful payloads discussed above, meterpreter, originally emerged in Metasploit version 2.2 [1]. What makes meterpreter so powerful is its ability to evade detection by even the most knowledgeable security analysts. Meterpreter is an advanced, dynamically integrated payload that resides entirely in memory by injecting DLL stagers. Once a compromised system is discovered and exploited, the meterpreter payload establishes a client-side command interpreter with which to communicate [7].

This allows the attacker to remotely interact with the host system without having to establish separate connections. Under normal circumstances, once a system is exploited a single payload is delivered that is only able to execute one command, and then it is done. This one command could be something as simple as adding a user or opening a remote shell with which to communicate. In doing so, a resulting cmd.exe process would be created in the process list with SYSTEM rights [8].

Immediately, this would raise red flags. With meterpreter, however, DLL injection is used to load the meterpreter process into the compromised process's heap. Normally, an uploaded DLL would be written to disk, yet meterpreter alters the way LoadLibrary uses core API calls, redirecting them to the memory location of the meterpreter DLL [7].

The truly beautiful thing about meterpreter is its ability to remain undetectable by most commonly implemented host-based IDSes. By embedding itself into pre-existing processes and not altering system files on the hard drive, the HIDS is never made any wiser. Not to mention, the process in which meterpreter hides can be changed at a whim, so tracking it and stopping the process becomes rather difficult even for the trained eye.
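The "red flag" contrasted here, a cmd.exe running with SYSTEM rights after a single payload, is something a defender can look for in a process snapshot. The following is an added example, not part of the essay or of any referenced tool; the snapshot is constructed, and the NETWORK_FACING and EXPECTED_PARENTS lists are assumptions for illustration rather than a vetted baseline.

```python
# Added example: flag interactive shells running as SYSTEM in a process snapshot,
# and rank them by how plausible the parent process is. An in-memory meterpreter
# inside an existing process creates no such entry, which is exactly why this
# check complements, rather than replaces, memory inspection.
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name user")

SHELLS = {"cmd.exe", "powershell.exe"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
# Parents that should never need to spawn a SYSTEM shell (assumption, illustrative).
NETWORK_FACING = {"httpd.exe", "w3wp.exe", "sqlservr.exe", "tnslsnr.exe", "oracle.exe"}
# Parents that routinely spawn SYSTEM shells, e.g. scheduled tasks (assumption).
EXPECTED_PARENTS = {"services.exe", "svchost.exe", "taskeng.exe"}


def find_suspicious_shells(snapshot):
    """Return (pid, image, parent image, severity) for every SYSTEM shell."""
    by_pid = {p.pid: p for p in snapshot}
    findings = []
    for p in snapshot:
        if p.name.lower() not in SHELLS or p.user != SYSTEM_USER:
            continue
        parent = by_pid.get(p.ppid)
        pname = parent.name.lower() if parent else "<unknown>"
        if pname in NETWORK_FACING:
            severity = "high"      # a network service spawning a SYSTEM shell
        elif pname in EXPECTED_PARENTS:
            severity = "low"       # plausible, but still worth a look
        else:
            severity = "medium"    # orphaned or otherwise unusual parent
        findings.append((p.pid, p.name, pname, severity))
    return findings


# Constructed snapshot in the shape a tasklist/WMI export would give after parsing.
SAMPLE_SNAPSHOT = [
    Proc(4, 0, "System", SYSTEM_USER),
    Proc(520, 4, "wininit.exe", SYSTEM_USER),
    Proc(600, 520, "services.exe", SYSTEM_USER),
    Proc(1200, 600, "httpd.exe", SYSTEM_USER),
    Proc(2200, 1200, "cmd.exe", SYSTEM_USER),    # shell spawned by the web server
    Proc(1300, 600, "svchost.exe", SYSTEM_USER),
    Proc(2300, 1300, "cmd.exe", SYSTEM_USER),    # scheduled-task style shell
    Proc(3100, 99999, "cmd.exe", SYSTEM_USER),   # parent already gone
    Proc(3200, 2800, "cmd.exe", "LAB\\alice"),   # an ordinary user's own shell
]

if __name__ == "__main__":
    for pid, image, parent, severity in find_suspicious_shells(SAMPLE_SNAPSHOT):
        print("%-6s %-8s pid=%d parent=%s" % (severity, image, pid, parent))
```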

2.3 Penetration Testing Automation

For years, the dream of automating penetration testing, often abbreviated as pentesting, has been considered just that, a dream. The challenges facing post-exploitation automation include visible processes, file transfer capabilities, and exploit expiration [8].

The problem of readily visible processes with suspicious user rights was previously discussed in section 2.2. The only way around executing a separate visible process would be to install a rootkit or backdoor, though this requires the transfer and installation of additional malware. This brings up the capability of a payload to transfer and install files on the remote system. Doing so requires an advanced payload that will most likely be compromised while writing data to the remote system. Lastly, exploit expiration refers to the acknowledgement that some exploits can only be run once. Without separate sessions to enlist multiple tasks, the process can become time-consuming if not impossible, as it would require the use of another exploit to complete other tasks [8].

According to Irani and Weippl's research on post-exploitation automation, meterpreter in conjunction with commonly installed scripting languages provides just the right tools for a solution to these problems [8].

Meterpreter's innate ability to remain hidden in current processes through DLL injection provides a way around the visible process problem. Additionally, because the process is not blatantly listed, the use of a rootkit or backdoor is not necessary, thereby voiding the need for file uploading and the risk of running into anti-virus scans. On that note, though, an analysis conducted by Mark Baggett found that only 3 out of 32 reputable antivirus programs interpreted a stand-alone meterpreter payload as a security risk [9].

Lastly, meterpreter also provides users with the ability to open independent sessions, allowing for efficient multitasking. With the help of meterpreter, post-exploitation scripts can be run with the capability of further exploiting not only the current system but previously non-exploitable machines as well. This technique of using an exploited machine to exploit a previously safeguarded machine is known as pivoting [8].

Without going into too much detail, the port forwarding service of meterpreter provides this capability, allowing for a connection back to the initial attacker. The point is that the automation of post-exploitation tasks extends far beyond automating the initial system. With the right script, automation can be implemented to scan an entire network for vulnerabilities.


With a tool like the Metasploit Framework freely available for anyone to use, it is extremely important to keep up to date on the advancements in securing data, as even a novice user can pick up this tool and within hours become a dangerous threat. For this reason, it seems imperative that administrators implement every feasible security measure to protect their network. Here we'll cover a few pieces of software that help in thwarting the threats of this product.

3.1 Antivirus

According to a study conducted in 2008 by Mark Baggett of the SANS Institute, "today's antivirus products are all but completely ineffective in detecting Metasploit payloads" [9]. Baggett's technique involved extracting Metasploit payloads and running them through a collective virus database. The results suggested that without the use of encoders payloads were detected approximately 19% of the time, while with the use of encoders this percentage dropped to around 7% [9].

While the majority of antivirus distributions picked up little to nothing, there was a common trend in the ones that did recognize a threat. F-Secure performed the best with a 72% detection rate, while notably Panda and Kaspersky did well against encoded and non-encoded attacks, respectively [9].

Overall, though, some of the big names in the industry were quite often fooled. Based on the research provided by Baggett, it seems relatively safe to say that the answer to protection against Metasploit payloads doesn't reside in antivirus software.

3.2 ModSecurity (modsec)

ModSecurity is an open-source intrusion detection and prevention system designed for web servers. Just like any other IDS, ModSecurity checks inbound requests against a set of preconfigured rules designated by the user. However, unlike most IDSes, ModSecurity runs not as a separate application but as a module of the web server.

Additionally, requests are screened at the HTTP level rather than the TCP/IP level allowing for a much greater range of specifications to be tested at the application layer [4].

In the research presented earlier in section 2.1, a vulnerability in the Apache web server concerning chunked encoding was used to remotely run arbitrary code. To circumvent this attack, the George Mason University researchers used ModSecurity to specifically reject all incoming chunk-encoded requests to the server. The result was a success in that all chunk-encoded requests were dropped, preventing the attack from succeeding [4].
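The tactic described above, rejecting every chunk-encoded request at the HTTP level, is written out below as an added, standalone check so the logic can be read and tested offline; it is illustrative Python, not ModSecurity's rule language (where the same test would be a SecRule on REQUEST_HEADERS:Transfer-Encoding) and not Apache's own parser. The sample requests are constructed.

```python
# Added example: screen a raw HTTP request and deny it when the client asks for
# chunked transfer encoding, mirroring a ModSecurity rule that drops all
# chunk-encoded requests. The check works on parsed headers (application layer),
# so header-name case and comma-separated coding lists are handled explicitly.


def parse_headers(raw):
    """Split a raw request into (request_line, [(lowercased name, value), ...]).

    Repeated headers are all kept, because a second Transfer-Encoding header
    must not be able to hide the first one.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def uses_chunked_encoding(headers):
    """True if any Transfer-Encoding header lists 'chunked', in any case and
    also inside a comma-separated list such as 'gzip, chunked'."""
    for name, value in headers:
        if name == "transfer-encoding":
            codings = [c.strip().lower() for c in value.split(",")]
            if "chunked" in codings:
                return True
    return False


def screen_request(raw):
    """Return (allowed, reason) for a raw request; malformed input is denied too."""
    try:
        request_line, headers = parse_headers(raw)
    except ValueError as err:
        return False, "malformed request: %s" % err
    if uses_chunked_encoding(headers):
        return False, "chunked transfer encoding rejected (%s)" % request_line
    return True, "ok"


# Constructed sample requests.
NORMAL = b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
CHUNKED = (b"POST /cgi-bin/form HTTP/1.1\r\nHost: www.example.test\r\n"
           b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")
MIXED = (b"POST /upload HTTP/1.1\r\nHost: www.example.test\r\n"
         b"transfer-encoding: gzip, Chunked\r\n\r\n")
BROKEN = b"GET / HTTP/1.1\r\nThis line has no colon\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("normal", NORMAL), ("chunked", CHUNKED),
                       ("mixed", MIXED), ("broken", BROKEN)]:
        allowed, reason = screen_request(req)
        print("%-8s %-5s %s" % (label, "allow" if allowed else "deny", reason))
```

Dropping every chunked request also breaks legitimate clients that stream uploads, so a rule like this is best scoped to the vulnerable server or path rather than applied globally.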

For many, attacking systems on the Internet is an easy and affordable means to learn penetration tactics because it provides a wealth of targets and opportunities. It is an illegal approach that results in many cases of people going to jail or having to pay large sums of money in fines and restitution. However, those who wish to learn penetration testing can do so without any legal risk by staging a penetration test environment.

Creating a PenTest lab to learn and practice different techniques of ethical hacking for purely educational purposes, or to create or replicate exploits, does not require specific hardware or in-depth knowledge of networking. In fact, the whole PenTest environment could be built on one desktop computer or laptop; it all depends on how the applications used to create the penetration test environment are utilized.

The minimum requirements for creating a working PenTest environment are:

A computer or laptop with a CPU faster than 500 MHz and 2 GB of RAM.

An Internet Protocol network (LAN TCP/IP).

An active DHCP server (if no network is present, a software DHCP server could be used) configured with Pool Starting Address: and IP Subnet Mask:

VMware Player or Oracle VM VirtualBox.

Metasploit Framework or any Metasploit Framework user interface.

The above minimum configuration is enough to attempt replicating any penetration test carried out in this project, although the PenTest lab for this project was created to provide something close to a real environment, with different OS platforms to test, several Metasploit Framework interfaces, and internal and external networks.


[1] Maynor, D., & Mookhey, K. K. (2007). Metasploit toolkit for penetration testing, exploit development, and vulnerability assessment [pp. 1-30]. Retrieved from http://books.google.com/books?id=bzZG5a1kEw4C&lpg=PA1&ots=36soArIcvd&dq=metasploit&lr&pg=PP1#v=onepage&q&f=false

[2] The Metasploit Project. (2010, October 20). Retrieved from http://tasploit.com/

[3] Aharoni, M., Coppola, W., & Kearns, D. (2010, October 15). Metasploit unleashed. Retrieved from http://www.offensive-security.com/metasploit-unleashed/

[4] Rajani, M. A., Mohamed, A., & Stansbury, H. C. (2006). E-commerce security technologies: an evaluation using the Metasploit Framework (MSF). Informally published manuscript, Computer Science, George Mason University, Fairfax, Virginia. Retrieved from http://www.qatar.cmu.edu/iliano/courses/06S-GMU-ISA767/project/papers/mohamed-rajani-stansbury.pdf

[5] Babcock, C. (2008, April 25). In database market, Oracle gets bigger, others hang on. InformationWeek. Retrieved from http://www.informationweek.com/news/software/database_apps/showArticle.jhtml?articleID=207402230

[6] Gates, C., & Ceballos, M. (2009). Oracle penetration testing using the Metasploit Framework. Proceedings of Black Hat USA 2009. http://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates-OracleMetasploit-PAPER.pdf

[7] Silberman, P., & Davis, S. (2009). Metasploit autopsy: reconstructing the scene of the crime. Proceedings of Black Hat USA 2009. http://www.blackhat.com/presentations/bh-usa-09/SILBERMAN/BHUSA09-Silberman-MetasploitAutopsy-PAPER.pdf

[8] Irani, M. T., & Weippl, E. R. (2009). Automation of post-exploitation. Secure Business Austria. Retrieved from http://www.sba-research.org/wp-content/uploads/publications/TabatabaiIrani_AutomationOfPostExploitation_2009.pdf

[9] Baggett, M. (2008). Effectiveness of antivirus in detecting Metasploit payloads. SANS Institute InfoSec Reading Room. Retrieved from http://www.sans.org/reading_room/whitepapers/casestudies/effectiveness-antivirus-detecting-metasploit-payloads_2134