
Understanding the Metasploit Framework


By: S-Connect

October 29, 2015

Finally, you're here. Before we step in, I'd like to clear up a common misconception about Metasploit: Metasploit is not a single tool or piece of software; it’s a ‘Framework.’ Let's begin.

Architecture

Library

 REX

Basic library for most tasks

Handles sockets, protocols, text transformations and more

SSL, SMB, HTTP, XOR, Base64, Unicode

 Msf: Core

Provides the ‘basic’ API

Defines the Metasploit Framework

 Msf: Base

Provides the ‘Friendly’ API

Provides simplified APIs for use in the Framework

 Modules

Exploits - modules that use payloads

Auxiliary - an exploit without a payload

Payloads - consist of code that runs remotely; created at run-time from various components

Encoders - ensure that payloads make it to their destination

Nops - keep the payload sizes consistent

 Mixins and Plugins

Mixins - 'include' one class into another; they add new features and allow a module to have different 'flavors':

 i. Protocol-specific (HTTP, SMB)

ii. Behavior-specific (Brute Force)

iii. Connect()

Plugins - work directly with the API

 - Manipulate the framework as a whole

 - They automate specific tasks that would be tedious to do manually

 Payloads

There are three different payload module types in Metasploit:

i. Single

ii. Stagers

iii. Stages

 Single

Payloads that are self-contained and completely standalone, e.g. something as simple as adding a user to the target system or running calc.exe.

 Stagers

Set up a network connection between the attacker and the victim; they are designed to be small and reliable.

 Stages

Payload components that are downloaded by stager modules. They provide advanced features with no size limits, such as Meterpreter, VNC injection and the iPhone 'ipwn' shell.

Note: Payload stages automatically use "middle stagers".

 Meterpreter

Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime.

Design Goals

Stealthy --> Meterpreter resides entirely in memory and writes nothing to disk.

No new processes are created, as Meterpreter injects itself into the compromised process and can migrate to other running processes easily.

By default, Meterpreter uses encrypted communications.

All of these leave limited forensic evidence and have limited impact on the victim machine.

Meterpreter utilizes a channelized communication system.
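As an added example (not code from the original post or from the Metasploit project), here is a small Ruby helper that applies the single/stager/stage distinction above to Metasploit's payload naming convention, which is handy when a payload name turns up in a report or log and you need to know what it actually delivers; the architecture list it relies on is an assumption covering the common names.

```ruby
# Added example, not part of the original post or of Metasploit.
# Classify a Metasploit payload reference as single or staged using the
# framework's naming convention, and split it into its components:
#
#   staged: <platform>[/<arch>]/<stage>/<stager>  e.g. windows/x64/meterpreter/reverse_tcp
#   single: <platform>[/<arch>]/<single>          e.g. windows/x64/meterpreter_reverse_tcp
#
# The stager is the small, reliable piece that sets up the connection; the
# stage is the larger component (Meterpreter, VNC, ...) delivered over it.

# Architecture segments that may follow the platform (assumed list of the
# common names; extend as needed).
PAYLOAD_ARCHES = %w[x86 x64 aarch64 armle armbe mipsle mipsbe mips64 ppc ppc64 sparc].freeze

# Stagers are named after the transport they set up: reverse_*, bind_* or find_*.
STAGER_PATTERN = /\A(reverse|bind|find)_/.freeze

def classify_payload(name)
  parts = name.to_s.split('/')
  if parts.size < 2 || parts.any?(&:empty?)
    raise ArgumentError, "not a payload reference: #{name.inspect}"
  end

  platform = parts.shift
  # Command payloads carry their interpreter as a sub-platform (cmd/unix, cmd/windows).
  platform = "#{platform}/#{parts.shift}" if platform == 'cmd' && parts.size > 1
  arch = PAYLOAD_ARCHES.include?(parts.first) ? parts.shift : nil

  case parts.size
  when 1
    { name: name, type: :single, platform: platform, arch: arch,
      stage: nil, stager: nil, payload: parts[0] }
  when 2
    unless parts[1] =~ STAGER_PATTERN
      raise ArgumentError, "last segment is not a stager: #{name.inspect}"
    end
    { name: name, type: :staged, platform: platform, arch: arch,
      stage: parts[0], stager: parts[1], payload: nil }
  else
    raise ArgumentError, "unrecognised payload shape: #{name.inspect}"
  end
end

# One-line summary of what a payload reference delivers.
def describe_payload(name)
  p = classify_payload(name)
  return "#{name}: single (stageless); '#{p[:payload]}' is self-contained" if p[:type] == :single
  "#{name}: staged; stager '#{p[:stager]}' sets up the connection, then stage '#{p[:stage]}' is delivered over it"
end

if __FILE__ == $PROGRAM_NAME
  %w[windows/x64/meterpreter/reverse_tcp windows/x64/meterpreter_reverse_tcp
     linux/x86/shell/reverse_tcp cmd/unix/reverse_bash].each { |n| puts describe_payload(n) }
end
```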
Stay Linked!

Thanks,
Tabish Ali