Choosing an Exploit

The most important part of using Metasploit is choosing the right exploit for your target host. There is nothing magical about an exploit: it will only work if the target host has the unpatched vulnerability the exploit is designed to trigger, and, for most memory-corruption exploits, only if the host is running a build that the exploit has a matching target for (return addresses and offsets are specific to a particular OS or application version).

Metasploit isn't particularly suited for telling you what vulnerabilities a host has; for that, you would use a vulnerability scanner (see Nessus). Alternatively, if your port scanner (see Chapter 2) shows a particular port as open, you can try every exploit for the service that normally listens on that port and see whether any succeed. Be aware that this is noisy and risky: a memory-corruption exploit that fails often crashes the target service, so don't do it against a host you can't afford to take down. Occasionally, Metasploit is updated with an exploit for which no patch exists. If you happen to have one of these exploits, it's a good bet it will succeed as long as your target is running the correct operating system or application version.

To see the list of exploits currently provided by your version of Metasploit, type show exploits from the Metasploit console, or run the Metasploit command-line interface (msfcli) without any arguments. You should see output similar to this:

msf > show exploits

Exploits
========

   Name                          Description
   ----                          -----------
   hpux/lpd/cleanup_exec         HP-UX LPD Command Execution
   irix/lpd/tagprinter_exec      Irix LPD tagprinter Command Execution
   linux/games/ut2004_secure     Unreal Tournament 2004 "secure" Overflow
   linux/http/peercast_url       PeerCast <= 0.1216 URL Handling Buffer Overflow
   linux/ids/snortbopre          Snort Back Orifice Pre-Preprocessor Remote Exploit
...

You'll notice the exploits are organized in a hierarchy of platform/service (or protocol)/exploit name. Because the names are just paths, you can get a list of exploits for a particular platform or service by taking the list from msfcli and piping it through an appropriate grep. For example, to see a list of all the exploits for Mac OS X, you would type:

[bryan@velox metasploit-3.0] ./msfcli | grep osx/
    osx/afp/loginext                     AppleFileServer LoginExt PathName Overflow
    osx/arkeia/type77                    Arkeia Backup Client Type 77 Overflow
    osx/browser/safari_metadata_archive  Safari Archive Metadata Command Execution
    osx/ftp/webstar_ftp_user             WebSTAR FTP Server USER Overflow
    osx/samba/trans2open                 Samba trans2open Overflow (Mac OS X)
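The grep above works because every exploit name is a platform/service/name path. The following script is an added example (not from the book or from the Metasploit project) that turns the same idea into a reusable filter: it parses a show exploits or msfcli listing, selects modules by platform and/or service, and maps a port number from a port scan to the service directory to search, which is the "try everything for that open port" approach mentioned earlier. The listing is constructed from the entries shown on this page, and the port-to-service mapping is an assumption for the example; in practice you would pipe the real ./msfcli output into filter_exploits and check the module tree of your own version.

```shell
#!/bin/sh
# Added example: filter a Metasploit exploit listing by platform and service.
# Not part of the book or of Metasploit itself.

# Constructed listing, copied from the entries shown on this page.  Replace with
#   ./msfcli | filter_exploits ...
# against a real installation.
exploit_listing() {
    cat <<'EOF'
msf > show exploits

Exploits
========

   Name                                 Description
   ----                                 -----------
   hpux/lpd/cleanup_exec                HP-UX LPD Command Execution
   irix/lpd/tagprinter_exec             Irix LPD tagprinter Command Execution
   linux/games/ut2004_secure            Unreal Tournament 2004 "secure" Overflow
   linux/http/peercast_url              PeerCast <= 0.1216 URL Handling Buffer Overflow
   linux/ids/snortbopre                 Snort Back Orifice Pre-Preprocessor Remote Exploit
   osx/afp/loginext                     AppleFileServer LoginExt PathName Overflow
   osx/arkeia/type77                    Arkeia Backup Client Type 77 Overflow
   osx/browser/safari_metadata_archive  Safari Archive Metadata Command Execution
   osx/ftp/webstar_ftp_user             WebSTAR FTP Server USER Overflow
   osx/samba/trans2open                 Samba trans2open Overflow (Mac OS X)
EOF
}

# filter_exploits [PLATFORM] [SERVICE]
# Reads a listing on stdin and prints the module names whose path matches.
# Either argument may be omitted or given as '*' to mean "any".  Header and
# prompt lines are skipped because their first field is not a three-part path.
filter_exploits() {
    awk -v plat="${1:-*}" -v svc="${2:-*}" '
        NF >= 2 && split($1, path, "/") >= 3 {
            if ((plat == "*" || path[1] == plat) && (svc == "*" || path[2] == svc))
                print $1
        }'
}

# service_for_port PORT
# Maps a port seen open in a port scan to the service directory Metasploit
# files its exploits under.  This mapping is an assumption for the example;
# it covers only the services that appear in the listing above.
service_for_port() {
    case "$1" in
        21)      echo ftp ;;
        80)      echo http ;;
        139|445) echo samba ;;
        515)     echo lpd ;;
        548)     echo afp ;;
        *)       return 1 ;;
    esac
}

# Usage: everything for Mac OS X, then every LPD exploit on any platform
# (what you would try after a scan shows TCP 515 open).
exploit_listing | filter_exploits osx
exploit_listing | filter_exploits '*' "$(service_for_port 515)"
```

The awk condition is the whole trick: anything whose first field does not split into at least three path components (the msf prompt, the "Exploits" banner, the column headers) is dropped, so the function can be fed raw console output without pre-cleaning it.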

To learn more about a particular exploit, you can type info exploitname. The info output provides useful information such as which operating system or application versions the exploit supports (its list of targets) and which options you can set to customize its behavior. Read the target list carefully: if the host is running a build that isn't listed, an overflow exploit will usually fail even though the underlying vulnerability is present.

To select an exploit from the Metasploit console, use the use command followed by the full name of the exploit. For example, to choose the osx/ftp/webstar_ftp_user exploit, you would type:

msf > use osx/ftp/webstar_ftp_user
msf exploit(webstar_ftp_user) >

Tip

If you want to use tab completion for exploit names, prefix the exploit name with exploit/. For example, typing use exploit/windows/a, then double-tapping the Tab key displays a quick list of Windows exploits that start with the letter a.

After you select an exploit, its name is printed as part of the Metasploit console prompt to remind you which exploit you're using. When you've configured the exploit to your liking (more on this in the following sections), launch it with the exploit command. While running, the exploit will typically print some progress messages, and if it succeeds, you'll soon see the output from whatever payload you selected. If the exploit fails, an error message is printed and you're returned to the Metasploit prompt. A failure message doesn't necessarily mean the target was unaffected: the service may have crashed, so check that it's still listening before trying another exploit against it.