The Metasploit Framework is an open-source project that provides public resources for vulnerability research and code development. It allows security professionals to detect intrusions into their network and identify threats and vulnerabilities in various areas such as software, systems, or networks. Metasploit comes jam-packed with existing exploits but gives the framework to create your own custom exploits.
In this tutorial, you will learn How to Install and use Metasploit on Debian 11 Bullseye.
Table of Contents
- Recommended OS: Debian 11 Bullseye
- User account: A user account with sudo or root access.
Update Operating System
Update your Debian operating system to make sure all existing packages are up to date:
sudo apt update && sudo apt upgrade -y
The tutorial will be using the sudo command and assuming you have sudo status.
To verify sudo status on your account:
Example output showing sudo status:
[joshua@debian~]$ sudo whoami root
To set up an existing or new sudo account, visit our tutorial on Adding a User to Sudoers on Debian.
To use the root account, use the following command with the root password to log in.
The tutorial will utilize the terminal for the installation found in Activities > Show Applications > Terminal.
Install Metasploit on Debian
By default, Debian 11’s repository does not come with the software, so you will need to download the package installer. Luckily, Rapid 7, the company behind Metasploit, has an open-source installer that you can download to install the latest version.
Run the following command to download the Metasploit installer:
If the above command did not work, more than likely you do not have the wget package installed, use the following command to install it.
sudo apt install wget -y
Now you will need to make the installer executable by giving it the +x permission as follows:
sudo chmod +x ./metasploit-latest-linux-x64-installer.run
The next step is to install Metasploit now, and this is a straightforward process. Run the following command in your terminal:
Next, you will see a series of pop-ups which the tutorial will explain in steps.
Step 1. A welcome popup will be shown; click the Forward button to proceed with the installation.
Step 2. License agreement and terms will now be shown; click on the I accept the agreement and click the Forward button to proceed.
Step 3. The installation folder screen will be shown; next, most users leave it as the default unless you need to store it elsewhere. Click the Forward button to proceed to the next screen.
Step 4. Install as a service will be the next selection; this is user preference, so select YES OR NO, then click the Forward button to proceed.
Note, the default is to set YES.
Step 5. Disable Anti-Virus and Firewall will be shown next; obviously, given the nature of the software you are installing, it will likely interfere, so you will need to disable whatever firewalls and virus scanners you have on your system manually; once done, click on the Forward button.
Step 6. Metasploit Service SSL port, change or keep the default and click the Forward button.
Step 7. Generate an SSL Certificate, provide the hostname; if installing on the local system, use localhost. Once done, click the Forward button.
Step 8. Choose the Database port that Metasploit will utilize. The default should be fine for most users. Once done, click the Forward button.
Step 9. Choose the Thin service port, as with the previous Database port, and the default Thin port should suit most users. Once done, click the Forward button.
Step 10. The ready to install screen will appear; now click on the Forward button to finish the installation.
Now you will come to the finished window notifying you that you have successfully installed Metasploit and would like to Access the Metasploit Web UI now.
If you selected to access the Metasploit Web UI, you would come to a welcome screen below with some information about Metasploit and how it operates in your browser, and some points that you may need to know about the service.
As above, you will be directed to go to the hostname name or IP you set up during the installation. For most default cases, this should be localhost.
Depending on your browser, you may get a notification about a potential security risk ahead, click Advanced and Accept the Risk and Continue.
From here, you can proceed to create a user account using the WebUI:
Lastly, enter the license key, which you can visit Rapid7 to attain by clicking the “GET PRODUCT KEY” link.
How Launch Metasploit in Terminal
Metasploit can be used in your Debian terminal with a command-line utility named msfconsole.
Launch Metasploit in your terminal:
Below are some common commands that you can use with Metasploit.
|version||Display current version|
|msfupdate||Pull the weekly update|
|makerc ||Saves recent commands to file|
|msfconsole -r ||Loads a resource file|
Executing an Exploit / Scanner / Module
|use ||Set the exploit to use|
|set payload ||Set the payload|
|show options||Show all options|
|set ||Set a setting|
|exploit or run||Execute the exploit|
|sessions -l||List all sessions|
|sessions -i ||Interact/attach to a session|
|background or ^Z||Detach from session|
Using the Database
The DB saves data found during exploitation. Auxiliary scan results, hash dumps, and credentials show up in the DB.
First Time Setup
|service postgresql Start||Start DB|
|msfdb Init||Init the DB|
Inside msfconsole Terminal
|db_status||Should say connected|
|hosts||Show hosts in DB|
|services||Show ports in DB|
|vulns||Show all vulns found|
Meterpreter Session Commands
The Meterpreter is a payload within the Metasploit Framework that controls an exploited target system, running as a DLL loaded inside any process on a target machine.
|sysinfo||Show system info|
|ps||Show running processes|
|kill ||Terminate a process|
|getuid||Show your user ID|
|upload / download||Upload/download a file|
|pwd / lpwd||Print working directory (local/remote)|
|cd / lcd||Change directory (local / remote)|
|cat||Show contents of a file|
|edit ||Edit a file (vim)|
|shell||Drop into a shell on the target machine|
|migrate ||Switch to another process|
|hashdump||Show all PW hashes (Windows only)|
|idletime||Display idle time of user|
|screenshot||Take a screenshot|
|clearev||Clear the logs|
|use priv||Load the script|
|getsystem||Elevate your privs|
|getprivs||Elevate your privs|
Token Stealing (Windows only)
|use incognito||Load the script|
|list_tokens -u||Show all tokens|
|impersonate_token||DOMAIN\USER Use token|
|drop_token||Stop using token|
|portfwd [ADD/DELETE] -L ||Enable port forwarding|
|route add ||Pivot through a session by adding a route within msf|
|route add ||Pivot through a session by adding a route within msf|
|route add ||Deleting a route within msf|
Finding an Exploit / Payload to Use
|search ||Searches all exploits, payloads, and auxiliary modules|
|show exploits||Show all exploits|
|show payloads||Show all payloads|
|show auxiliary||Show all auxiliary modules (like scanners)|
Comments and Conclusion
The tutorial has taught you how to install Metasploit on Debian 11 Bullseye and access the Web UI basics. Overall, you can perform pre-identified attacks such as password-free victim logging, webcam hacking, web server hacking, email server hacking, or generate exploits.
Ideally, this is to be used for improving your network security and should be regarded as such, and you should not use these tools against targets without their permission. You can wind up in legal trouble, depending on your country.