How to Install Metasploit Framework on Debian 12, 11 or 10

The Metasploit Framework is a pivotal tool in cybersecurity, known for its robust penetration testing and vulnerability assessment capabilities. This guide is designed to navigate you through the process to install Metasploit Framework on Debian 12 Bookworm or the older stable releases of Debian 11 Bullseye or Debian 10 Buster. Utilizing the Metasploit Official APT for installation, it’s crucial to operate Metasploit in a dedicated system or a virtual environment to ensure the integrity of your primary tasks and sensitive applications.

Key Aspects of Metasploit Framework:

  • Comprehensive Testing: Metasploit provides extensive options for penetration testing, helping identify vulnerabilities in systems and networks.
  • Exploit Development: It aids in developing and testing exploits for identified vulnerabilities, enhancing system security.
  • Payload Crafting: Users can create payloads to gain control over compromised systems, providing a deeper understanding of potential threats.
  • Post-Exploitation Tools: Metasploit includes tools for extracting valuable data and maintaining access after a successful breach.
  • Network Analysis: It offers capabilities to analyze network structures and identify potential entry points for securing the network.

Following this guide will give you practical insights into deploying the Metasploit CLI for various cybersecurity tasks, enhancing the security posture of your projects or services. As we delve deeper into the installation and utilization of Metasploit on Debian, you will be equipped to leverage this powerful tool to its fullest potential.

Install Metasploit Framework on Debian 12, 11, or 10 via APT

Step 1: Install Initial Required Packages For Metasploit on Debian

Before diving into the installation of Metasploit, ensuring that your Debian system is up-to-date and has all the necessary dependencies in place is essential.

Update and Upgrade Debian:

To keep your Debian system updated, execute the following commands:

sudo apt update
sudo apt upgrade

Install Required Dependencies:

With the system updated, proceed to install the dependencies essential for Metasploit:

sudo apt install curl ca-certificates apt-transport-https software-properties-common lsb-release postgresql -y

Step 2: Import Metasploit APT Repository on Debian

Having the dependencies in place, the next step involves importing the Metasploit repository. This ensures you’re fetching genuine packages that haven’t been tampered with.

Import the GPG Key:

The GPG key ensures the authenticity of the packages. Import it with:

curl -fsSL https://apt.metasploit.com/metasploit-framework.gpg.key | sudo gpg --dearmor | sudo tee /usr/share/keyrings/metasploit.gpg > /dev/null

Add the Metasploit Repository:

With the GPG key imported, proceed to add the Metasploit repository:

echo "deb [signed-by=/usr/share/keyrings/metasploit.gpg] https://apt.metasploit.com/ buster main" | sudo tee /etc/apt/sources.list.d/metasploit.list

Even though it says Buster, this is a generic repository now and will install the same package for all APT-based distros and does work on the latest Debian releases.

Step 3: Install Metasploit on Debian via APT Command

With the repository in place, it’s time to install the Metasploit Framework.

Refresh APT Cache:

Update your package list to ensure the latest version of Metasploit Framework is available:

sudo apt update

Install Metasploit Framework:

Initiate the installation process with:

sudo apt install metasploit-framework

First-Time Setup Process:

Upon successful installation, you’ll need to configure Metasploit for its first use:

msfconsole

During this setup, you might encounter several prompts:

  • Setting up a New Database: It’s advisable to set up a new database for Metasploit. When prompted, type “yes” to proceed.
Would you like to use and setup a new database (recommended)?
Terminal process of initializing a new database in Metasploit on Debian.
Steps to initialize and configure a new database for Metasploit Framework on Debian Linux.
  • Initializing the Web Service: This step isn’t mandatory. By default, the answer is “no.” If you wish to enable the web service, type “yes.”
[?] Would you like to init the webservice? (Not Required) [no]:
  • Final Configurations: After addressing the prompts, the system will finalize configurations. This might take a few minutes. You’ll be presented with information regarding the configuration process.
Terminal confirmation of successful Metasploit CLI installation on Debian.
Terminal output confirming the successful setup of Metasploit CLI on a Debian system.

Upon completion, your Metasploit Framework is ready for use. As we delve deeper into subsequent sections, you’ll gain insights into harnessing the full potential of this powerful cybersecurity tool on your Debian system.

Metasploit Framework Terminal Commands on Debian 12, 11 or 10

Navigating the Metasploit Framework requires a good grasp of its terminal commands. This section provides a hands-on approach to using these commands effectively on Debian. A comprehensive table detailing all available commands will be presented by the end.

Step 1: Launching Metasploit Framework

To initiate the Metasploit Framework, access your terminal and input:

msfconsole

Upon execution, a banner will appear, displaying details about the current version, contributors, and some handy Metasploit Framework usage tips.

Step 2: Keeping Metasploit Updated

The Metasploit Framework is an evolving tool, regularly enhanced with new modules, features, and fixes. To ensure you’re using the latest version:

msfupdate

This command fetches and installs the most recent iteration of the Metasploit Framework.

Step 3: Searching for Exploits

A core functionality of the Metasploit Framework is its exploit search capability. To hunt for specific exploits:

search <search-term>

Replace <search-term> with relevant keywords or terms. For instance, to find exploits associated with the Apache Struts vulnerability:

search struts

This returns a list of exploits linked to the Apache Struts vulnerability.

Terminal output showing search results for 'struts' in Metasploit on Debian.
Results from a Metasploit search query for ‘struts’ vulnerabilities on Debian Linux.

Step 4: Engaging with Exploits

After pinpointing a desired exploit, you can activate its module:

use <exploit-name>

Replace <exploit-name> with the exact exploit module name. If you’re aiming to utilize the Apache Struts exploit module:

use exploit/windows/http/struts2_rest_xstream

This action activates the exploit module, revealing details like its name, author, target platform, and associated payload.

Step 5: Configuring Exploit Parameters

Before deploying an exploit, adjusting specific parameters, such as target IP, port, or chosen payload, is often necessary. To view an exploit’s configurable options:

show options

This command lists all tweakable parameters for the active exploit module.

To modify a specific parameter:

set <option-name> <value>

For instance, to designate the RHOST parameter to a target system’s IP address:

set RHOST 192.168.1.100

Step 6: Executing Exploits

With all parameters set, you can launch the exploit:

exploit

If the exploit succeeds, a confirmation message will appear, indicating a successful operation and the establishment of a session.

Leveraging Metasploit’s Meterpreter on Debian 12, 11 or 10

Meterpreter stands out as an advanced post-exploitation tool within the Metasploit Framework. It facilitates real-time interaction with compromised systems. To harness its capabilities, you first need an active session.

Step 1: Managing Sessions

To view all active sessions:

sessions -l

This command lists all sessions with their respective ID numbers.

To engage with a specific session:

sessions -i <session-id>

For instance, to interact with the first session:

sessions -i 1

This command initiates a Meterpreter shell for the chosen session, allowing you to run many commands on the compromised system.

Step 2: Extracting System Data

Upon securing a Meterpreter session, a logical first step is to collect data about the compromised system:

  • System Overview:
sysinfo

This command provides a snapshot of the system, detailing the OS version, CPU type, and system architecture.

  • User Identification:
getuid

This reveals the current user ID on the system.

  • User Privileges:
getprivs

This enumerates the current user’s system privileges.

Step 3: File Transfers

Meterpreter facilitates file transfers between your machine and the compromised system:

  • Uploading Files:
upload <local-file> <remote-file>

For instance, to transfer a local file named data.txt to the compromised system’s C:\Temp directory:

upload /localpath/data.txt C:\Temp\data.txt
  • Downloading Files:
download <remote-file> <local-file>

To retrieve a file named data.txt from the compromised system’s C:\Temp directory to your local machine:

download C:\Temp\data.txt /localpath/data.txt

Step 4: Probing WordPress Vulnerabilities with Metasploit

Given WordPress’s ubiquity as a CMS, it’s often a target for potential threats. Using Metasploit, you can assess your WordPress installations for known vulnerabilities. Remember, exploiting systems without permission is both illegal and unethical.

To identify Metasploit modules related to WordPress vulnerabilities:

search wordpress

This command lists Metasploit modules tailored for WordPress vulnerabilities.

Terminal screenshot displaying a list of WordPress exploits in Metasploit on Debian.
Comprehensive list of WordPress vulnerabilities accessible via Metasploit on Debian.

To engage with a specific module, for instance, the WP Paid Pro CODE SQLI vulnerability:

  • Search for the Exploit: Once Metasploit is running, you can search for the exploit to ensure it’s available in your Metasploit version:
search wp_paid_membership_pro_code_sqli
  • Use the Exploit: If the exploit is available, you can load it using the use command:
use auxiliary/scanner/http/wp_paid_membership_pro_code_sqli
  • Set the Options: You must set some options before running the exploit. At a minimum, you’ll need to set the RHOSTS option, which specifies the target IP address or domain:
set RHOSTS target_website_or_IP

You can view all the available options for the exploit by typing:

show options

Ensure you configure any other necessary options based on your specific scenario.

Terminal window highlighting the wp_paid_membership_pro SQLi exploit in Metasploit.
Demonstration of using Metasploit to identify the wp_paid_membership_pro SQLi vulnerability.
  • Run the Exploit: Once all the options are set, you can run the exploit:
run

If the target is vulnerable, Metasploit will attempt to exploit it and provide you with the results.

Metasploit Command Overview for Debian 12, 11 or 10

The Metasploit Framework is a vast tool with many commands at its disposal. While we’ve touched upon some commands in previous sections, it’s essential to understand those were just the tip of the iceberg. This section will provide a more detailed table of commonly used commands to help you navigate the framework more efficiently.

Exploit Commands

Exploit commands are pivotal in leveraging vulnerabilities within a target system.

CommandDescription
searchLocate a specific exploit or payload.
useChoose an exploit or payload for deployment.
show optionsDisplay available options for the chosen exploit or payload.
setDefine a value for a particular option.
exploitLaunch the selected exploit.
sessionsOversee active Meterpreter sessions.
backDepart from the current exploit or payload context.

Auxiliary Commands

Auxiliary commands cater to various tasks, from scanning and fuzzing to gathering crucial information.

CommandDescription
searchFind a specific auxiliary module.
useActivate a desired auxiliary module.
show optionsEnumerate current options for the selected auxiliary module.
setAssign a value to a specific option.
runInitiate the chosen auxiliary module.
backExit the current auxiliary module context.

Post-Exploitation Commands

Once access to a system is secured, post-exploitation commands come into play, allowing various operations on the compromised system.

CommandDescription
sysinfoRetrieve detailed system data.
getuidIdentify the active user ID.
getprivsEnumerate the privileges of the current user.
shellAccess a system command shell.
psList active processes.
migrateTransition to a different process.
downloadRetrieve a file from the compromised system.
uploadTransfer a file to the compromised system.

Database Commands

These commands facilitate interaction with the Metasploit Framework’s integrated database.

CommandDescription
db_statusVerify the database’s operational status.
db_rebuild_cacheRefresh the database cache.
db_nmapIncorporate an nmap scan result into the database.
hostsEnumerate all hosts registered in the database.
servicesList all services documented in the database.
vulnsDetail all vulnerabilities recorded in the database.

Module Management Commands

Managing modules within the Metasploit Framework is streamlined with these commands.

CommandDescription
loadIntegrate a module into the console.
reload_allRefresh all modules.
unloadRemove a module from the console.
infoProvide details about a specific module.
editModify a module’s parameters.

Conclusion and Final Thoughts

In this comprehensive guide, we’ve installed the Metasploit Framework on various Debian versions, including Debian 12 Bookworm, Debian 11 Bullseye, and Debian 10 Buster. We’ve covered the foundational steps, delved into command overviews, and explored the potential of Metasploit’s Meterpreter. As with any powerful tool, using the Metasploit Framework with a clear understanding of its capabilities and implications is crucial.

Disclaimer: It’s imperative to emphasize that the Metasploit Framework, like any cybersecurity tool, should be used responsibly and ethically. Only deploy it for cybersecurity research on your platforms or entities granted explicit permission. Unauthorized or malicious use can lead to severe legal consequences and breaches of ethical standards.

9 thoughts on “How to Install Metasploit Framework on Debian 12, 11 or 10”

  1. Somthing is wrong. I can’t run msfconsole from user (only from root) after update metasploit. When I start msfconsole from user, I receive:
    :~$ msfconsole
    Verifying msfconsole data service
    and the nothing happen anymore.
    When I push Ctrl+C, I receive:
    # terminated with exception (report_on_exception is true):
    /opt/metasploit-framework/embedded/lib/ruby/3.0.0/open3.rb:403:in `read’: stream closed in another thread (IOError)
    from /opt/metasploit-framework/embedded/lib/ruby/3.0.0/open3.rb:403:in `block (2 levels) in capture2e’
    /opt/metasploit-framework/embedded/lib/ruby/3.0.0/open3.rb:415:in `value’: Interrupt
    from /opt/metasploit-framework/embedded/lib/ruby/3.0.0/open3.rb:415:in `block in capture2e’
    from /opt/metasploit-framework/embedded/lib/ruby/3.0.0/open3.rb:227:in `popen_run’
    from /opt/metasploit-framework/embedded/lib/ruby/3.0.0/open3.rb:209:in `popen2e’
    from /opt/metasploit-framework/embedded/lib/ruby/3.0.0/open3.rb:398:in `capture2e’
    from /opt/metasploit-framework/embedded/framework/lib/msfdb_helpers/db_interface.rb:55:in `run_cmd’
    from msfdb:660:in `run_msfconsole_command’
    from msfdb:679:in `clear_default_data_service’
    from msfdb:1061:in `’
    How do I need remove metasploit-framework correctly? (After that I’ll tray install it again).

    Reply
      • Debian 12 (bookworm).
        This happened after entering a command “msfupdate” in the console.
        Before that I could run msfconsole as a normal user. Now only from root.
        Uninstalling and reinstalling the app didn’t help.
        I uninstalled through the purge command. And I”ll tray install it again. May be this will help.

        Reply
        • Seems to be working here, quickly installed it.

          https://www.linuxcapable.com/cdn-cgi/image/width=1360,height=768,fit=crop,quality=50,format=auto,onerror=redirect,metadata=none/wp-content/uploads/2023/10/metasploit-working-on-debian-12.png

          What I see i need to remove the msfupdate, its really not that important anymore and will cause confusion. since you can just use apt update now to update the installation given i’ve changed the method to link the apt.metasploit apt file directly to your sources list.

          do all the other commands work? i tested quite a few, everything working well here.

          Reply
          • Thank you for help.
            I’m sorry. I didn’t answer few days. I reinstalled program. Now I can run it as a regular user. Only at the first start the program did not ask Setting up a New Database and Initializing the Web Service. There may be something left after the uninstalling (Although I deleted using the purge command).
            Entering the show settings command gives the same result as you have.
            “Search struts” is work too.
            But, entering the “use exploit/windows/http/struts2_rest_xstream” gives result:
            msf6 > use exploit/windows/http/struts2_rest_xstream
            [-] No results from search
            [-] Failed to load module: exploit/windows/http/struts2_rest_xstream
            msf6 >

  2. ZSH: sudo nala install metasploit-framework
    =========================================================================================
    Installing
    =========================================================================================
    Package: Version: Size:
    metasploit-framework 6.3.40+20231021102610~1rapi 327.1 MB
    d7-1

    =========================================================================================
    Summary
    =========================================================================================
    Install 1 Packages

    Total download size 327.1 MB
    Disk space required 810.6 MB

    Do you want to continue? [Y/n] y
    Error: Client error ‘404 Not Found’ for url
    ‘http://downloads.metasploit.com/data/releases/metasploit-framework/apt/pool/main/m/metas
    ploit-framework/metasploit-framework_6.3.40%2B20231021102610%7E1rapid7-1_amd64.deb’
    For more information check: https://httpstatuses.com/404
    ╭─ Downloading… ────────────────────────────────────────────────────────────────────────╮
    │ Total Packages: 0/1 │
    │ Starting Downloads… │
    │ Time Remaining: -:–:– ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 0.0% • 0.0/327.1 MB • ? │
    ╰───────────────────────────────────────────────────────────────────────────────────────╯
    Error: Download failure. The following downloads failed:
    metasploit-framework_6.3.40+20231021102610~1rapid7-1_amd64.deb

    Reply
    • Thank you for bringing this to my attention. I’ve checked from my side as well and encountered the same 404 error. It seems every version and architecture is currently returning a 404. I’m inclined to believe that the issue might be on Metasploit’s end. I’ve been utilizing this method for many years and this is the first time I’ve come across such a widespread 404 issue. I’ll run another test tomorrow.

      Reply

Leave a Comment


Your Mastodon Instance
Share to...