As a network administrator, promptly identifying and addressing security vulnerabilities is crucial for maintaining network integrity. Metasploit, an open-source framework, is an invaluable tool that enables the identification, testing, and exploitation of vulnerabilities in systems, networks, and applications. By simulating real-world attacks, Metasploit assists security professionals in assessing and enhancing the security posture of their organizations. It includes numerous built-in exploits and provides the flexibility to create custom ones.
In this guide, you will learn how to install the Metasploit framework and conduct basic testing on a system running Ubuntu 22.04.
Prerequisites
- An Ubuntu 22.04 machine with at least 4 GB of RAM.
- A non-root user with sudo privileges.
- Ensure the uncomplicated Firewall (UFW) is active.
- Update all packages:
$ sudo apt update && sudo apt upgrade
- Install essential packages (some might already be installed):
$ sudo apt install wget curl nano ufw software-properties-common dirmngr apt-transport-https gnupg2 ca-certificates lsb-release ubuntu-keyring unzip -y
Step 1 – Install Nmap
Metasploit requires Nmap. It’s not bundled with the framework, so install it separately via the Ubuntu repository:
$ sudo apt install -y nmap
This guide presents three Metasploit installation methods: using the Nightly installer, compiling from source, and using the Deb package. Regardless of the method, Nmap installation is a prerequisite.
Step 2 – Install Metasploit using Nightly Installer
Utilizing the Nightly installer script simplifies Metasploit installation. This process includes Ruby and PostgreSQL 9.2 and integrates seamlessly with the APT package manager.
Create a temporary directory for the installer script:
$ mkdir msf-install && cd ./msf-install
Download and rename the installer script:
$ curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
Set execution permissions:
$ chmod 755 msfinstall
Execute the script:
$ sudo ./msfinstall
The installer imports the Metasploit signing key, updates the APT package sources, downloads, and installs Metasploit, and sets appropriate PATH variables.
Start the Metasploit console:
$ cd ~ $ msfconsole
The initial console setup prompts to configure a database. Respond affirmatively:
** Welcome to Metasploit Framework Initial Setup **
Please answer a few questions to get started.
Would you like to use and setup a new database (recommended)? y
This setup creates a database in ~/.msf4/db and initializes it properly.
Step 3 – Install Metasploit using Source Code
Install Prerequisites
Ensure required packages are installed:
$ sudo apt install -y autoconf bison build-essential gpgv2 libaprutil1 libgmp3-dev libpcap-dev libpq-dev libreadline-dev libsqlite3-dev libssl-dev locate libsvn1 libtool libxml2-dev libxslt1-dev libyaml-dev libncurses-dev xsel zlib1g-dev
Install Git:
$ sudo apt install -y git
Install PostgreSQL
Ubuntu 22.04 natively supports PostgreSQL 14:
$ sudo apt install -y postgresql postgresql-contrib
Verify PostgreSQL status:
$ sudo systemctl status postgresql
Configure PostgreSQL
Switch to PostgreSQL user and create roles and databases:
$ sudo -i -u postgres $ createuser msfuser -S -R -P $ createdb msfdb -O msfuser $ exit
Edit the pg_hba.conf:
$ sudo nano /etc/postgresql/14/main/pg_hba.conf
Add an entry in the file:
.... host "msfdb" "msfuser" 127.0.0.1/32 md5
Install Ruby Version Manager (RVM)
Metasploit requires Ruby. RVM facilitates Ruby and Gem installations:
Import RVM’s GPG key and download the installation script:
$ gpg2 --keyserver hkp://keyserver.ubuntu.com --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB
$ \curl -sSL https://get.rvm.io -o rvm.sh
$ cat rvm.sh | bash -s stable
$ source ~/.rvm/scripts/rvm
Download Metasploit
Fetch Metasploit source from GitHub and ensure you use the correct Ruby version:
$ cd ~
$ git clone https://github.com/rapid7/metasploit-framework.git
$ cd metasploit-framework
$ rvm install "ruby-3.0.5" --with-openssl-dir=$HOME/.openssl/openssl-1.1.1w
Install Ruby
Special procedures are required due to Ubuntu 22.04’s OpenSSL version. Use OpenSSL 1.1 for compatibility:
$ wget https://www.openssl.org/source/old/1.1.1/openssl-1.1.1w.tar.gz
$ tar zxf openssl-1.1.1w.tar.gz
$ cd openssl-1.1.1w
$ ./config --prefix=$HOME/.openssl/openssl-1.1.1w --openssldir=$HOME/.openssl/openssl-1.1.1w
$ make
$ make tests
$ make install
$ rm -rf ~/.openssl/openssl-1.1.1w/certs
$ ln -s /etc/ssl/certs ~/.openssl/openssl-1.1.1w/certs
$ cd ~/metasploit-framework
Install Metasploit
Complete the installation with additional Ruby requirements and start the Metasploit console:
$ cd ~/metasploit-framework
$ gem install bundler
$ bundle install
$ ./msfconsole
Configure database connections and verify:
open ~/.msf4/database.yml
production:
adapter: postgresql
database: msfdb
username: msfuser
password: [PASSWORD]
host: 127.0.0.1
port: 5432
pool: 75
timeout: 5
...
Step 4 – Install Metasploit using Binary Package
For a straightforward installation, use the APT repository to download and install:
$ wget https://apt.metasploit.com/pool/main/m/metasploit-framework/metasploit-framework_6.4.1%2B20240326102606~1rapid7-1_amd64.deb
$ sudo dpkg -i metasploit-framework_6.4.1+20240326102606~1rapid7-1_amd64.deb
$ msfconsole
Step 5 – Test Metasploit
Minimize startup prompts using the -q option:
$ msfconsole -q
Explore available commands with:
msf6 > help
Display exploits list and test connections:
msf6 > show exploits
msf6 > info xorg_x11_server
In a test scenario, use Nmap for scanning and Metasploit for exploiting:
msf6 > nmap -sV 192.168.31.36
msf6 > search vsftpd
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 192.168.31.36
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
Step 6 – Update Metasploit
For installations via Nightly installer or Binary package, updates are seamless using:
$ sudo msfupdate
For source code installations, handle updates manually:
$ cd ~/metasploit-framework
$ git config --global user.name "YourName"
$ git config --global user.email "name@example.com"
$ ./msfupdate
Step 7 – Uninstall Metasploit
For Nightly installer or Deb package installations, remove Metasploit with:
$ sudo apt autoremove --purge metasploit-framework
For source-based installations, execute the following for removal:
$ rm -Rf ~/.rvm
$ rm -Rf ~/.gem
$ rm -f ~/.gemrc
$ rm -Rf ~/.bundle
$ rm -f ~/rvm.sh
$ rm -rf ~/.local/share/gem
To clean up additional configurations, edit .bashrc, .bash_profile, and .profile, removing any RVM paths, and finally, source them:
$ nano ~/.bashrc
$ nano ~/.bash_profile
$ nano ~/.profile
$ source ~/.bashrc
$ source ~/.bash_profile
$ source ~/.profile
Delete Metasploit directories and remove PostgreSQL if needed:
$ rm -rf ~/metasploit-framework
$ rm -rf ~/.msf4
$ sudo apt autoremove --purge postgresql postgresql-contrib
For OpenSSL, undo installations and clean directories:
$ cd ~/openssl-1.1.1w
$ make uninstall
$ cd ~/
$ rm -rf ./openssl-1.1.1w
$ rm openssl-1.1.1w.tar.gz
Conclusion
This tutorial has walked you through installing, testing, updating, and uninstalling Metasploit on Ubuntu 22.04. Should you have any questions or require further clarification, please do not hesitate to comment below.
Frequently Asked Questions (FAQ)
- What is Metasploit used for?Metasploit is used for security testing, identifying vulnerabilities, and simulating attacks on systems and networks to improve security postures.
- Is Metasploit free?Yes, Metasploit is open-source and free to use, although there are paid versions with additional features.
- Can Metasploit run on operating systems other than Ubuntu?Yes, Metasploit can be installed on various Linux distributions, as well as Windows and macOS.
- What are the system requirements for installing Metasploit?A system running a compatible OS, with at least 4GB of RAM and a non-root user with sudo privileges is recommended.
- How often should Metasploit be updated?Regular updates are crucial, as they provide new exploits and security patches. It’s recommended to update Metasploit frequently to ensure you have the latest capabilities.