Metasploit & Nexpose Hacking Part -II


Welcome to the second module of this workshop. In this module, you will study the Metasploit Framework in depth. You will also see the benefits of this security tool, which plays a key role in the exploit development lifecycle. Metasploit is the bread and butter of many information security professionals and pentesters.

There are a couple of good exploitation tools on the market that security professionals use, but Metasploit leads the industry for a couple of reasons. Other tools, like Core Impact and Immunity Canvas, lead the market along with Metasploit. The problem is that these tools are closed source, and you will not find even a cracked or open version of them from any authentic source. Metasploit comes in a community edition, which doesn’t have any major differences in features compared with the pro version of Metasploit.

Many freelancers and small security consulting companies use the community edition of Metasploit, and it is also used by many professionals who practice hacking in order to advance their skills and exploitation techniques. I have personally used Metasploit since its early days and still make good use of this framework when I need to perform exploit research and testing in my lab.

The Metasploit Framework is modular; the most fundamental piece of the architecture is the Rex library, which is short for Ruby Extension Library. The lowest level is the core library, and this is followed by base.

Finally, the base library is extended by the framework UI, which implements support for the different types of user interfaces to the framework itself, such as the command line and the web interface. Separate from the framework itself are the modules and plugins that it is designed to support. Metasploit Framework fundamentals include msfcli, msfconsole, exploits, payloads, the database and the famous meterpreter.

Metasploit is not just an exploitation tool; it has many features that will help you in exploit research and development. You can also develop your own Metasploit modules and adapt them to your needs or to the requirements of dedicated pen testing projects. The fundamentals are just the tools you would use if you treat Metasploit as a click-and-go tool for performing pen testing or ethical hacking.

This tool is very well developed, helps in many different ways, and is widely used by information security professionals. This module will highlight as much as possible, since the tool would need a complete workshop of its own if you want to fully understand and master it. However, you will learn as much as possible about the professional usage of this great tool in pen testing.

Metasploit Commands to Memorize

If you want to learn Metasploit and use it in your pen testing projects or for any security research and exploit development, then there are some core commands you should understand and have hands-on experience with.

Metasploit Framework has been in the industry for a while now, and it is the first choice of security professionals when it comes to pen testing. However, not all security professionals have hands-on experience with Metasploit; they just use it as a tool that has a bulk of exploits available that anyone can launch. This is not the professional usage of Metasploit. If you, as a security professional, want to stand out from such professionals, then become an expert in using this great tool.

In order to have expert level experience with Metasploit, you should have the following skills developed by using this wonderful tool:

* Understanding how this tool works

* Exploiting and Pivoting

* Customization of Modules

* Developing a Metasploit Module

* Exploit Development with Metasploit

A couple of these skills will be covered in this module and the remaining will be explored in the last module with hands-on testing in the workshop.

The commands presented above only cover some basics of the command line usage of this tool. You will be able to explore more on the pro version of Metasploit. However, let’s quickly review what else you can do from the command line. Functionality available from the command line is given below with the usage details.

You can also load different modules available in the Metasploit Framework that integrate with other security tools for advanced usage, so that you can perform professional pen testing from the single command line platform of the Metasploit Framework. All the modules available by default when Metasploit Framework runs can be found in the module directory of the Metasploit Framework. Its location depends on the installation directory as well as the operating system on which you have installed the Metasploit Framework.

On Kali Linux, you can find these modules in the path shown in the snapshot below.

However, there are some more modules that you can add at run time. These modules are shown below; each of these modules would be loaded into the run time environment by using the load command. You should practice loading these modules and use them one by one. Usage details are also available from the command and will be presented shortly here.

Once all of these modules are loaded, you will be able to see the commands, or let’s say the functionality, that these modules provide. For example, you can perform vulnerability scans directly from Metasploit Framework using the Nessus and NeXpose modules just loaded, or run web application assessments with the help of the “SQLMAP and WMAP” modules, and similarly for the other modules we have just loaded. The following snapshots show the available functionality after loading these modules.

After loading all of these modules, let’s look at what you will be able to perform from Metasploit Command Line Interface:

* Nessus Vulnerability Scans

* NeXpose Vulnerability Scans

* Database testing with “sqlmap”

This is a full-fledged pen testing platform that gives you the flexibility to run multiple tasks from a single platform. This is the power of Metasploit, and you can also develop your own module and import it into Metasploit Framework. You will be able to explore all of these features in the upcoming modules, where you will perform hands-on testing with these modules and develop your skills with Metasploit Framework.

But this is not enough at this stage; you still need to explore the exploit development features available in Metasploit that were mentioned earlier in the module. The exploit development features of Metasploit will be covered in the last module. In our opinion, Metasploit is used most efficiently from the command line, and, as a security professional, you should be an expert with the command line. That is what the industry considers the standard; however, it is not the rule.

Originally published at on May 7, 2021.



Cyber Security Analyst & researcher
