Metasploit For Beginners - #1 - The Basics - Modules, Exploits & Payloads

Captions
Hey guys, HackerSploit here, back again with another video. In this video we're going to be looking at Metasploit. Alright, now, this is going to be the complete Metasploit course, and this is going to take you from as an advanced user of the Metasploit framework. Alright, now, as I said, this is going to be an advanced course and it's going to take a beginner to advanced, so that is the goal of the course, and I'm going to try and cover it within one week. So I'm gonna, you know, make the videos and I'm gonna upload them, and hopefully you guys like the format in which I'll be uploading them. So I'm not gonna waste time on one series; I'm going to complete it and then we move on to the next one, right?

So I've made a lot of videos about Metasploit, but I realized that I really didn't cover the basics and how to navigate around this, and, you know, for most of the beginners, you really don't understand, some of you guys did not understand the format and the way Metasploit worked. Alright, so let's get started. So this is going to be part 1 and we're gonna be looking at all the basics to get started with, right?

Okay, so for those of you who are already asking what operating system I'm using, I'm using Parrot OS for this demonstration. I just seem to really, really enjoy the latest update and I've been using it as my daily driver on my laptop. As you can see, I'm recording this on my laptop, so yeah, let's get started.

So what is Metasploit? Alright, so Metasploit essentially is the, you know, it's the leading exploitation framework. Alright, so it is used by nearly every penetration tester or ethical hacker, or hacker for that matter, and it is really, really important that you master it for you to, you know, enter this field, right, or to, you know, prosper in this field. Now, it was developed by Rapid7. Alright, so Rapid7 is a company that owns the different, they own these different vulnerability scanners like Nexpose, and again, as I've said, it owns Metasploit. All right, now looking at
the Metasploit interfaces, we have already looked at some throughout, you know, the channel, and one of them is the msfconsole. Alright, so these are the multiple Metasploit interfaces: we have msfconsole, we have Armitage. Alright, so Armitage is, simply put, a GUI framework that allows you to use the Metasploit framework. The msfconsole gives you an interactive command-line-like interface that allows you to also use the framework, which is what we're going to be looking at because it's the easiest to set up. You then have the msfcli, which is going to be a very literal Linux command-line interface that also allows you to use the Metasploit framework. You then have, finally, the msfweb, which is the browser-based interface, which is what we looked at where we set up the community version and we were able to scan for our targets and find the vulnerabilities, right? So, as I said, we're going to be focusing on msfconsole.

Now, you know, the first thing to understand is that Metasploit, as we've looked at in previous videos, I really didn't show you how to set it up correctly and how to make it faster, because most of you realized it and a lot of you guys raised that question: do I need to start any services? Yes, you do need to start these services. All right, now, you need to start the PostgreSQL database, a service which does come with the major penetration testing distributions. So if you're running this on a normal Linux distribution, you know, I recommend that you switch to a penetration testing distribution, because these tools would be already pre-installed, right? So you don't need to run this on your main computer like I am; you can also run it in a virtualized environment.

Moving along, so we have to start the PostgreSQL database. All right, so what this will do is it will allow Metasploit to run faster searches, and that will allow Metasploit to store the information while you are performing the scanning and/or exploitation, all
right. So I'm gonna open up my terminal here, and what I'm going to do is, now, let me just try and zoom this in. So I should have done that before I started the video, but you know what, we're just gonna run this through the Parrot terminal because I don't want to confuse you guys, right? So let me just zoom that in so we can have a good view of what's going on. All right, so it's very, very simple to start your PostgreSQL service, as you know, in Linux. So it's service post, very, very simple, postgres, whoops, my bad, sorry about that, oops, there we are. Alright, so service post, please forgive my typing, I am on a laptop right now, postgresql, alright, and we can start, whoops, my bad again. Alright, and you want to start the service now, and it's gonna ask you for your root password, so make sure you enter that. And once the service is started we can then move on to use the msfconsole, alright, which is the command-line interface. So again, start it up, so msfconsole, and you will see that it will load much, much faster than if you didn't start up the PostgreSQL database. Alright, so just give the first run a bit of time, because again it's building the database, and it should load up immediately, right? So as you can see, it's starting the Metasploit framework console, and give that a few seconds as always.

Now, one thing I want to just tell you, and a lot of you guys have been asking me, is what are the system requirements. You know, if you want to become a penetration tester, the truth is that the thing that you need the most is going to be RAM. Now, the minimum I would recommend, 2 GB works fine, but if you're going to be running a lot of penetration tests I would recommend that you get a minimum of 4 gigabytes of RAM, and then you can possibly upgrade to 8, and the ideal one would be 8 to 12. Alright, so again, you also want to make sure that your processor can match that, so I would recommend, you know, an i5 or i3 processor, a good one, quad core hopefully, depending on what you can
afford. It really, really doesn't matter, but if you want some great efficiency I recommend you get a computer with some good RAM. All right, so yeah, once it starts up, it's really, really very simple, and I've gone through this before. Now, if you're wondering what are the other ways of launching it, what you can do is go to your, you know, in Kali Linux it's simply your menu; in Parrot, they lie in the same category, they lie in Exploitation Tools. Alright, so once you open Exploitation Tools you can see that the Metasploit framework exists, and it gives you the various options that you can use: you have Armitage, the Metasploit framework, and you can update it. And this is another way of accessing it if you don't want to go through the terminal.

All right, now let's look at the Metasploit keywords that are very, very important. Now, this is something that I did not fully cover, so I'm gonna do it right now. Now, Metasploit has six types of modules; we use mostly four of them the most, all right, but I'm gonna explain them to you. So the first thing we have is exploits. All right, it has exploits, it has payloads, it has the auxiliary, it has NOPs, it has post, and it has encoders. All right, now let me explain what they are very, very simply and very quickly. Now, an exploit module is a module that will take advantage of a system. Alright, so it will take advantage of a system's vulnerability. Alright, so it's not gonna, you know, just take advantage of a system that is patched or does not have any vulnerability; it needs to have a vulnerability, alright, and then it will install a payload on the system. All right, now the payload can either be a reverse shell or a Meterpreter, all right, so it will give you access to that computer in form of the payload. Now, you know, usually with other systems or in other environments you would usually call these payloads things like rootkits and stuff like that, but for now just understand that the payload is what the exploit will
try and plant on the system, alright, so that will give you that access to the system, obviously through an exploit-driven vulnerability that is then exploited, right? So, hope that's simple.

Now, once I've explained that, now let's look at some of the basic commands. Now, one of the best commands that, you know, you can use is the help command, and if I open that up right now you can see that, oops, let me, there we are. If you open this up it'll give you all the help commands, all the commands that are very, very important for you. And again, this is very, very useful because it will give you the ability to, at any time, you know, refer to this documentation. So if you're lost, this can be a very, very good way of getting guidance using this framework, so you can go through this if you're feeling a bit lost. All right, so that's the help command, very, very important, and you'll find yourself using this quite a lot, right?

Alright, now let's look at the other commands. Now, one of the most useful ones is the use command, because the use command will allow you to load a module. Alright, so for example, we can load many, many modules here, and one of the most, you know, the most common ones that you can start to load is the, let's see, one that comes straight off the back of my head, it is the exploit, yeah, I think I remember this one. This was quite an old exploit and it allows us to exploit the Adobe Flash, I think it's the plugin, yeah, the Adobe Flash plugin. Alright, so let me try to see if I remember. So use exploit, so the use command, it allows you to use modules, so then you give the module name, right? So use exploit, and then it was Windows, alright, so it is Windows and then browser, right, and was it flash, whoops, let me just bring that into context here, like so. I think I already clicked on it, I'm really, really sorry about that, let me just close that up, there we are. So use, sorry for that, I lost it by mistake, so remember to use exploit, windows, right, [Music] windows, was it windows
browser, I'm not sure if it is the correct one, use windows browser, and it is the Adobe, oops, Adobe Flash AVM2, I believe, was the vulnerability, oops, underscore, my bad, AVM2. All right, use exploit Adobe AVM2, let's see if that's the correct one, there we are. Alright, so that is the exploit, so I'm glad I remember it, right? So that is also a very, very useful one, but I do believe it is patched by now.

All right, so now Metasploit has successfully loaded the module. Now, one thing to understand is if it loads the module correctly it will display the module name in red. All right, so that's something, you know, you can take home. Now, since it's become red, we know that we can use it. Now, the best command to use in this case is the show command, and the show command will basically give you information on the module. Alright, so if I say show, there we are, it's going to give us some information. Now, it may seem overwhelming, but really don't worry. So it's gonna give you some information, and you really don't need to worry about what it's telling me, because I'm using the Flash Player exploit and all of this may seem like nonsense to you, but we'll get to how to use the correct modules. Alright, so as you can see, it's given me some options, and very, very nicely there, you know, it's given us information about the exploit or the module, right?

So now what we can do is, we've already shown what exists, the information that exists; now we can show options. All right, so the options will show us the options that we can change about the module. All right, so it'll give us options that we can change. So if I say show, since there, yeah, it's gonna say what, now, these are things that you can customize depending on how, and the method of exploitation. All right, so you have the server host, you have the local machine, the server port, whether it has SSL, the SSL certificate; you can change all of these options, all
right. Now, the other options that we have is the payloads, we'll show payloads. All right, so you show the payloads, just give it a few seconds, it's gonna take a few seconds obviously, right, so give it a few seconds and it should load up really anytime now. Again, please bear with me guys while I'm running this on a laptop. There we are. Alright, so these are all the payloads that you can load. Now these, as we have looked at in previous videos with Metasploit, give us different ways of approaching an attack. All right, so it will give you all the payloads that are compatible with this exploit.

All right, now if we look at the other options, so we will be looking at all of this, if we look at the other options we have the show targets. Alright, so show targets will show you the targets that you can change, which in this case is just, we have not set anything. All right, now the targets, it's going to display the targets that you're trying to target, and, you know, the thing is, with different exploits you can have a lot of different targets, you can specify many, many targets, all right, and it's really important that you get this right.

Now, some other commands that we can use, you know, that can give us information about the module or the exploit that we are using, is the show info. Alright, the show info will give you information about the exploit. All right, so as you can see here, this module exploits a vulnerability found in the ActiveX component of the Adobe Flash Player before 12.0.0.43. All right, so again, it's for a specific version and will not work on the latest one; we already knew that, right, that's the trick.

Now, there's a lot of other commands that you can look at, and one of them is the msf search. Alright, so you can use this search command, and the search command will give you the ability to search and find the module that you need. All right, now, you know, Metasploit
has a lot of modules, and finding the right one is probably the, you know, the most important thing, and it also can be the most time-consuming, so you need to learn how to use the search command. All right, now, the search command comes with some very, very important keywords. The search command comes with keywords like the platform, all right, so this is to target or to search for the platform specifically. You then have the type, right, this will give you the type of module, for example exploits, payloads, as we already discussed. You then have the name, and this is if you're searching for a specific name, right? So we can do this very, very nicely right now.

Alright, so what I'm going to do is, I'm just gonna ctrl-C, whoops, let me just exit this. Alright, so I'm gonna start the msfconsole again just to show you how this would work. All right, so I'm gonna start that up again, and let's just give it a few seconds and I'm gonna show you how to do this. Alright, so as I said, using the search command allows you to search for exploits, so that's great, and then we'll be looking at the other ones, right? So let it start up. I'm really, really sorry about the slow startup times; again, you know, just bear with me, it should start up. There, yeah. Alright, so as I was saying, the most important one is this search, right? So if we search, it's very simple, so search type, all right, so that's the keyword type. The type is going to be an exploit; we're going to search for the same one, so type exploit, it is an exploit. The platform was Windows, the platform of Windows, and flash. All right, so if we search for that, whoops, my bad, pardon me guys, my typing today is, there we are. All right, and it's going to give us all of these options. Now, the correct one that we want is probably the first one, it's gonna lie up here, and there's a lot of them that we can use. You know, some of them, they are sorted with their date, and this allows you to, you know, specify or
to get one that works. Okay, so what we're going to do now is we need to set. All right, now, when I'm saying set, that allows you to set the specific payload or the exploit that you're trying to use. In this case, you know, you can just use the first one because I don't want to go through all of these ones; there's a lot that you can use over here. And as you can see, this is the one that we were using previously, the exploit, the AVM2; it's a very, very popular one at some given time. So we're gonna say set, alright, and I'm just gonna paste that in there, there we are, and whoops, set option, oh, sorry about that guys, apologies, apologies, apologies. Alright, so we have to use the use, and whoops, I'm gonna paste that in there, use, there we are. So that's the module that we were using, and then we use the set to set the option. So we can say show options, like so, and we have the options here, and then to set the specific options what you just do is you use things like, let's see, if you wanted to set the server port, so usually this would be set SRV, server, whoops, server port, alright, and we'll set that to 80, right, and that will set it to 80. We can then say, we can set other things, like, we can set a lot of other stuff, and once you're all set, so let's say we could set the server host to something like, set the server host, then that's going to be the host IP, so SRVHOST, all right, to something like 192.168.0.1. Of course, this doesn't make any sense because I'm not really targeting a system. And you can also set, and then you say show options again; as you can see, it's going to show you the options that you did set, which we set, what, the server host and the server port. And once you're ready to exploit, once you've set all the options, all you have to do is just hit exploit and it will exploit it perfectly, right? So let's try that right now, and of course it's not going to give us anything, it's because we have not done anything, so
if we exploit, it's gonna hit exploit, and it's probably not going to return anything important here, right? So just give it a few seconds. All right, again, as you can see, it's not displaying anything because, there we are. Alright, so it did start a reverse TCP handler on a specific, on this IP using the port, you know, four four four four four. All right, but we're not gonna get anything out of that really right now, I'm pretty, pretty sure of that, right? Alright, so once that's done, once you're done exploiting, or in this case, as you can see, we have not really exploited anything, we can just, let me just close this, there we are, and we're done.

Now, the last commands that I want to show you are the exit or the back command, which takes you a step back, and you can use the exit command to exit the Metasploit or the msfconsole framework. All right, and that is all the basics that I needed to cover in the first video. Now, in the next video we're going to be looking at some really, really advanced stuff, so we're going to be looking at the module types, we'll be looking at performing reconnaissance, the Armitage GUI, and we'll be looking at exploiting some Windows systems, and then finally we'll be building our own custom payloads with the msfvenom framework or interface.

All right, so thank you so much for watching this video guys. If you found value in this video, please leave a like down below, and, you know, if you have any questions or suggestions let me know in the comment section down below, or you can hit me up on my social networks. For the documented article or the documented version of this video, check out my website, hsploit.com, link will be in the description, and you can also get this on my application. So yes, again, guys, thank you so much for watching, Merry Christmas, and I'll be seeing you in the next video. Peace. [Music]
Info
Channel: HackerSploit
Views: 1,471,448
Keywords: hackersploit, metasploit, metasploit tutorial for beginners, metasploit tutorial, metasploitable, metasploit android, metasploit hacking, metaploit windows 10, metasploit pro, metasploit tutorial for beginners windows, metasploit tutorial for beginners kali linux, metasploit tutorial for beginners in hindi, metasploit tutorial for beginners ubuntu, metasploit project, hacking, linux, kali linux, kali metasploit, programming
Id: 8lR27r8Y_ik
Length: 22min 59sec (1379 seconds)
Published: Sun Dec 24 2017