metasploit installation guide - charlie's · pdf...

Installation Guide

ProExpress

Nexpose UltimateCommunity

1

Table of Contents

InstallingMetasploit Pro, Ultimate, Express, and Community 2

Before You Begin 2

Supported Operating Systems 2

Minimum System Requirements 3

InstallingMetasploit and Nexpose 3

Installing Metasploit onWindows 3

Installing Metasploit on Linux 7

InstallingMetasploit on Headless Servers 11

Activating a License Key 17

InstallingMetasploit Pro, Ultimate, Express, and Community 2

Installing Metasploit Pro, Ultimate, Express, andCommunity

The standardMetasploit installer uses a graphical interface to guide you through the installation process.Installation is a simple process that takes you through a series of prompts to identify the location whereyou want to install Metasploit and the ports that you want Metasploit to use. After you define yourinstallation preferences, the installer installs the dependencies and services that are necessary to runMetasploit.

All Metasploit commercial editions use the same installer. The license key you use to activate the productunlocks the edition that you have purchased.

Before You Begin

l Obtain a license key: To activateMetasploit, you will need to have a license key. If you do not haveone, please submit a request.

l Verify that you can obtain root privileges or have administrator rights: Youmust have root oradmin privileges on the system to install Metasploit.

l Disable anti-virus software: Antivirus software detects Metasploit as malicious andmay causeproblems with the installation and runtime of Metasploit. Before you install Metasploit, disable anyantivirus software that your system uses.

l Disable any firewalls: Local firewalls, such as Iptables andWindows Firewall, interfere with theoperation of exploits and payloads. Disable any local firewalls before you install Metasploit.

Supported Operating Systems

Metasploit Pro is supported on the following operating systems:

Linux

l RedHat Enterprise Linux Server 5.10+



l Ubuntu Linux 10.04 LTS


http://www.rapid7.com/products/metasploit/metasploit-pro-registration.jsp



Minimum System Requirements 3


l Kali Linux 2.0

Windows

l Windows Server 2008 R2

l Windows Server 2012 R2

l Windows 7

l Windows 8.1

Minimum System Requirements

Your systemmust meet the followingminimum requirements to runMetasploit:

l 2 gigahertz (GHz) or faster processor

l 2 gigabyte (GB) RAM

l 1 gigabyte (GB) available hard disk space (50GB recommended)

l 10/100Mbps NIC

Installing Metasploit and Nexpose

It is recommended that you install Nexpose andMetasploit on separate systems. Youmay experienceperformance problems if you attempt to run both products on the samemachine. For more information oninstalling Nexpose, visit https://community.rapid7.com/docs/DOC-1385.

Installing Metasploit on Windows

1. Visit http://www.rapid7.com/products/metasploit/download.jsp and download theWindows installer.

2. After you download the installer, locate the installer file and double-click on the installer icon.

https://community.rapid7.com/docs/DOC-1385

https://community.rapid7.com/docs/DOC-1385

http://www.rapid7.com/products/metasploit/download.jsp


3. When the Setup screen appears, click Next to continue.

4. Read the license agreement. To proceed, youmust accept the license agreement. Select the I acceptthe license agreement option and click Next to continue.


5. Choose an installation directory for Metasploit. The directory you choosemust be empty. Click Next tocontinue.

6. When the Disable Anti-Virus and Firewall screen appears, click Next if you have disabled the anti-virussoftware and firewalls on your local system. If you have not disabled them, youmust disable them atthis time.

If the install detects that anti-virus software or a firewall is enabled, you will see a warning. Click OK toclose the warning. The installer will not allow you to continue the installation process until the firewallsand anti-virus software are disabled. If you cannot disable them, you will not be able to installMetasploit.


7. Enter the SSL port that theMetasploit service should use and click Next. By default, the server usesport 3790 for HTTPS. If the port is already bound to another process, you can use netstat to determineif a process is already listening on that port and kill the process, or you can enter another port such as8080 or 442.

8. Enter the web server name that you want to use to generate the SSL certificate and the number of daysthat the certificate should be valid in the Days of validity field.


9. Select Yes, trust certificate to install the self-signedMetasploit SSL certificate to your operatingsystem’s trusted certificate store. If you install the certificate, browsers that utilize the operatingsystem’s certificates, such as Internet Explorer, will not prompt you about an insecure SSL certificate.

Please note that the installer creates a temporary certificate authority to generate the certificate andimmediately discards it in order to prevent phishing attacks and the potential resigning of thecertificate.

The installer is ready to install Metasploit and all its bundled dependencies. Click Next to continue.

10. When the installation completes, click the Finish button.

After the installation completes, a window appears and prompts you to launch theMetasploit Web UI.At this point, you should launch theMetasploit Web UI to create a user account and to activate yourlicense key. You do not need to restart your system to launchMetasploit for the first time.

Installing Metasploit on Linux

1. Visit http://www.rapid7.com/products/metasploit/download.jsp and download the Linux 32 bit or 64 bitinstaller. Save the installer file to a location like the desktop.

2. Open the command line.

3. Download the Linux installer:

wget http://downloads.metasploit.com/data/releases/metasploit-latest-

linux-x64-installer.run

4. Change themode of the installer to be executable:

$ chmod +x desktop/metasploit-latest-linux-x64-installer.run

http://www.rapid7.com/products/metasploit/download.jsp


If you are installingMetasploit on a 32 bit system, replace 'x64' with 'x32'.

5. Run the installer:

$ sudo desktop/metasploit-latest-linux-x64-installer.run


6. When the Setup window appears, click Forward to start the installation process.

7. Read the license agreement. To proceed, youmust accept the license agreement. Select the I acceptthe license agreement option and click Forward to continue.


8. Choose an installation directory for Metasploit. The directory you choosemust be empty. Click Next tocontinue.

9. Select Yes to register Metasploit as a service (recommended). Then, click Forward to continue.


10. When the Disable Anti-Virus and Firewall screen appears, click Next if you have disabled the anti-virussoftware and firewalls on your local system. If you have not disabled them, youmust disable them atthis time.

If the install detects that anti-virus software or a firewall is enabled, you will see a warning. Click OK toclose the warning. The installer will not allow you to continue the installation process until the firewallsand anti-virus software are disabled. If you cannot disable them, you will not be able to installMetasploit.

11. Enter the SSL port that theMetasploit service should use and click Forward.

By default, the server uses port 3790 for HTTPS. If the port is already bound to another process, youcan use netstat to determine if a process is already listening on that port and kill the process, or youcan enter another port such as 8080 or 442.


12. Enter the web server name that you want to use to generate the SSL certificate and the number of daysthat the certificate should be valid in the Days of validity field.

13. Select Yes, trust certificate to install the self-signedMetasploit SSL certificate to your operatingsystem’s trusted certificate store. If you install the certificate, browsers that utilize the operatingsystem’s certificates will not prompt you about an insecure SSL certificate.

14. When the Ready to Install screen appears, click Forward to start the installation process.

15. When the installation completes, click the Finish button.

After the installation completes, a window appears and prompts you to launch theMetasploit Web UI.At this point, you should launch theMetasploit Web UI to create a user account and to activate yourlicense key. You do not need to restart your system to launchMetasploit for the first time.

Installing Metasploit on Headless Servers

The standard Linux installer guides you through installingMetasploit on Red Hat Enterprise and UbuntuLinux distributions. The installer takes you through a series of prompts to identify the location where youwant to install Metasploit and the port that you want Metasploit service to use. When installation begins,the dependencies and services that are necessary to runMetasploit are installed.

1. Open the Linux console.

2. Download the installer and save it to your system.

$ wget http://downloads.metasploit.com/data/releases/metasploit-latest-

linux-x64-installer.run



3. Change themode of the installer to be executable:

user@ubuntu:~4 chmod +x ./metasploit-latest-linux-x64-installer.run


4. Run the installer:

sudo ./metasploit-latest-linux-x64-installer.run


5. When theWelcomemessage appears, press Enter to start the installation process.

6. Read each part of the License Agreement and continue to press Enter until you have read all of it.


7. When you get to the end of the License Agreement, the installer shows the following screen. PressEnter to continue.

8. Enter Y to accept the License Agreement.

9. Press Enter to install Metasploit in the default location of /opt/metasploit or enter the locationyou want to install Metasploit and then press Enter.

10. Enter Y to install Metasploit as a service.This adds an init script that calls ctlscript.sh, whichenables you to start, stop, and restart theMetasploit service.

The next message alerts you to disable any firewall or anti-virus applications that are enabled on themachine. Verify that you do not have any firewall or anti-virus applications running, and then pressEnter.

11. Enter the port that you want theMetasploit service to run on and press Enter.


By default, theMetasploit service runs on port 3790. If you want to use the default port, leave the portfield blank and press Enter.

12. Enter the server name that you want to use to generate the SSL certificate.

If you want to use the localhost, press Enter.

13. Enter the number of days you want the SSL certificate to be valid and press Enter.

If you want to use the default value of 3650 days, press Enter.

13. Enter Y to trust the certificate.

14. The installation process is now ready to start. Enter Y and press Enter to install Metasploit and all ofits components.

The next message tells you that Metasploit is being installed. Please wait while the installationcompletes.

15. When installation is complete, press Enter to continue.

Creating a User Account on Headless Servers

After the installation completes, you will need to create a user account before you can activate yourMetasploit license key. The initial user account must be created by running the createuser script.

To create a user account:

1. From the Linux console, enter the following command to run the createuser script:

user@ubuntu:~? sudo /opt/metasploit/createuser


2. The script prompts you to enter a user name. Enter the user name that you want to assign to theaccount and press Enter.

The script creates the user account and automatically generates a password for you. You should copy thepassword so that you log in to theMetasploit Pro, Express, or Community web interfaces. You canchange the password after you log in toMetasploit for the first time.

Activating Your License Key with a Text Based Browser

If you do not have access to a web browser, you can activate your license key from a text based browser,like Lynx.

1. Launch your browser and go to https://<server address>:3790.

2. When the SSL self-signed certificate message appears, enter y to continue.

3. When the cookiemessage appears, enter y to add the cookie and to continue.

4. If the SSL self-signed certificate message appears again, enter y to continue.

5. When the login page appears, enter the user name and password that you created earlier and pressEnter.


6. If the SSL certificate and cookiemessages appear again, enter y to continue. You will need to do thisuntil you see theMetasploit menu.

7. When theMetasploit menu appears, press the space bar twice to view the License Activation screen.

8. Use the down arrow to navigate to the product key field and enter the license key. The license keyshould be entered using the following format: xxxx-xxxx-xxxx-xxxx.

9. Use the down arrow to navigate to the ACTIVATE LICENSE link and press Enter.

10. If the activation is successful, the Projects screen appears and indicates that the activation wassuccessful.


You are now ready to runMetasploit.

Launching the Pro Console

After you have activated your license key, you can runMetasploit from the command line. If you have aMetasploit Pro license, you can run the Pro Console. The Pro Console provides you command line accessto theMetasploit Framework, as well as Metasploit Pro-only features, such as the Discovery Scan, auto-exploitation, bruteforce, and reporting. Learnmore about the Pro Console.

To launch the Pro Console on a Linux system, open the command line terminal and type sudo msfpro

when the command prompt appears. Youmust run the console as root.

$ cd /opt/metasploit$ sudo msfpro

When the Pro Console loads, the command line drops to an msf-pro > prompt, as shown below:

Activating a License Key

Now that you've installedMetasploit, the next thing you need to do is activate your license key. Eachlicense key is bound to a specific edition of Metasploit and gives you access to the edition you that you'veregistered for.

1. Open a browser and go to https://localhost:3790.

If you receive a warning about the trustworthiness of the security certificate, select that youunderstand the risks and want to continue to the website. The wording that the warning displaysdepends on the browser that you use.


2. When the web interface for Metasploit Pro appears, the New User Setup page displays. Follow theonscreen instructions to create a user account for Metasploit Pro. Save the user account informationso that you can use it later to log in toMetasploit Pro.

3. After you create a user account, the ActivateMetasploit page appears. Enter the license key that youreceived from Rapid7 in the Product Key field.

4. If you need to use an HTTP proxy to reach the Internet, you can select the HTTP proxy option andprovide the information for the HTTP proxy server that you want to use.

5. Activate the license key.

After you activate the license key, the Projects page appears. You can now create a project and startworking on your first pentest.

metasploit installation guide - charlie's · pdf...

Documents