MSF Community Edition
When it comes to vulnerability verification, penetration testers often have an array of tools at their disposal. Metasploit Community Edition provides us with a graphical user interface (GUI) that simplifies network discovery and vulnerability verification for specific exploits, increasing the effectiveness of vulnerability scanners such as Nessus, Nexpose, and so forth.
Metasploit Community Edition enables us to:
- Map out our network - Host identification, port scanning and OS fingerprinting.
- Integrate with other vulnerability scanners - Import data from Nessus, Nmap, and other solutions. In addition, Nexpose scans can be initiated from within Metasploit Community Edition.
- Find the right exploit - With the world's largest collection of quality-assured exploits, finding the right exploit is just seconds away!
- Verify remediation - Do you think your host has been patched against a specific vulnerability? Fire an exploit and find out!
- And the best part? Metasploit Community Edition is provided to the InfoSec Community FREE of charge.
What about Metasploit Pro?
As the name suggests, this is the commercial version of Metasploit and requires a valid license. The difference between Metasploit Community Edition and Metasploit Pro can be best illustrated by the following diagram:
Clearly, Metasploit Pro has additional features such as Social Engineering, Web App Scanning, IDS/IPS evasion, superior reporting capabilities, and so forth.
Installing Metasploit Community Edition is a trivial process that begins by downloading the appropriate installer from Rapid7. For purposes of this guide, we will be installing Metasploit Community Edition on BackTrack 5 R2.
As was previously mentioned, the first step involves getting the installer, so let us do that:
wget http://downloads.metasploit.com/data/releases/metasploit-latest-linux-installer.run
--2012-07-02 20:05:03-- http://downloads.metasploit.com/data/releases/metasploit-latest-linux-installer.run
Resolving downloads.metasploit.com... 220.127.116.11, 18.104.22.168.
Connecting to downloads.metasploit.com|22.214.171.124|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 272623783 (260M) [text/plain]
Saving to: `metasploit-latest-linux-installer.run'

100% [=============================================>] 272,623,783 206K/s in 21m 57s

2012-07-02 20:27:01 (202 KB/s) - `metasploit-latest-linux-installer.run' saved [272623783/272623783]
Next, let us set executable permissions on the installer and run it:
chmod +x metasploit-latest-linux-installer.run;./metasploit-latest-linux-installer.run
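The installer above is fetched over plain HTTP and then executed, so it is worth checking the file before running it. The following is an added example, not part of the original guide: the helper names verify_installer and run_verified are hypothetical, and the expected SHA-256 value is a placeholder that has to be obtained from the vendor through a trusted channel (the size is the Length reported by wget above).

```shell
#!/bin/sh
# Added example (not from the original guide): refuse to run a downloaded
# installer unless its size and SHA-256 digest match the expected values.
# verify_installer and run_verified are hypothetical helper names.

# verify_installer FILE EXPECTED_SHA256 [EXPECTED_SIZE_BYTES]
# Returns 0 on match, 1 on mismatch, 2 on bad usage or a missing file.
verify_installer() {
    file=$1; want_sha=$2; want_size=${3:-}
    [ -n "$file" ] && [ -n "$want_sha" ] || {
        echo "usage: verify_installer FILE SHA256 [SIZE]" >&2; return 2; }
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }

    # Cheap check first: a truncated download fails here before hashing 260 MB.
    if [ -n "$want_size" ]; then
        got_size=$(wc -c < "$file" | tr -d ' ')
        [ "$got_size" = "$want_size" ] || {
            echo "size mismatch: got $got_size, want $want_size" >&2; return 1; }
    fi

    # Hash from stdin so unusual file names cannot alter sha256sum's output.
    got_sha=$(sha256sum < "$file" | cut -d' ' -f1)
    # Normalise case so a digest published in upper case still compares equal.
    want_sha=$(printf '%s' "$want_sha" | tr 'A-F' 'a-f')
    [ "$got_sha" = "$want_sha" ] || {
        echo "SHA-256 mismatch for $file" >&2; return 1; }
    return 0
}

# run_verified FILE EXPECTED_SHA256 [EXPECTED_SIZE_BYTES]
# Marks the file executable and runs it only after verification succeeds.
run_verified() {
    verify_installer "$@" || return $?
    chmod +x "$1" || return $?
    case $1 in
        /*) "$1" ;;      # absolute path
        *)  "./$1" ;;    # relative path, as in the guide
    esac
}

# Usage (EXPECTED_SHA256 is a placeholder, not a real digest):
# run_verified metasploit-latest-linux-installer.run EXPECTED_SHA256 272623783
```

On a mismatch the file is left without execute permission, so a truncated or altered download is never started.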
The rest of the process is very intuitive, but let us walk through it together:
- Welcome Screen, click on 'Forward' to continue.
- License Agreement is now presented, read and accept the terms and then click on 'Forward' to continue.
- Choose Installation Folder, click on 'Forward' to continue. This is where Metasploit Community Edition will be installed.
- Install as a Service? If so, click on 'Forward' to continue. When installed as a service, Metasploit will be automatically started every time the machine is started.
- Choose Service Port, click on 'Forward' to continue. This is the port Metasploit will 'listen' for connections on.
- Generate SSL Certificate, click on 'Forward' to continue. Please note that by default, the self-signed certificate is valid for 10 years.
- Choose Database Server Port, click on 'Forward' to continue.
- Enable/Disable Automatic Updates, click on 'Forward' to continue.
- Ready to Install Screen, click on 'Forward' to continue.
- Setup Screen, wait and click on 'Forward' to continue.
- Completion Screen, click on 'Forward' to continue. You may now go for a cup of coffee!
The activation process is quite simple, so let us walk through it together:
- First, let us access the web interface by going to http://localhost:3790. Disregard the warning about the SSL certificate; it appears because the certificate generated during installation is self-signed.
- Enter your email address and click on 'Go'.
- Check your email and look for the corresponding key; once you have it, click on 'Next'.
- Verify that the activation key has not changed and then click on 'Activate License'.
- Congratulations!!! You have successfully activated your copy of Metasploit Community Edition.