
Metasploit Express Installation Guide

Metasploit Express Installation Guide Release 3.6 March 7, 2011

Table of Contents

Warnings
Welcome
About This Guide
    Target Audience
    Organization
    Document Conventions
    Support
Installing Metasploit Express
    Programs Bundled with the Installer
    Prerequisites and Recommendations
        Minimum Hardware Requirements
        Supported Platforms
    Windows XP/Vista/7 Installation
        Installing Metasploit Express for Windows
    Installing Metasploit Express on Linux
        Linux (RHEL / Ubuntu) Installation
        Linux Console (Command Line) Installation
Getting Started with Metasploit Express
    Creating a User Account
    Running Metasploit Express
        Launching Metasploit Express in Windows
        Launching Metasploit Express in Linux
Frequently Asked Questions

Metasploit Express Installation Guide 3.6


Warnings
Before installing Metasploit Express, please read the following information:

- Antivirus (AV) software such as McAfee, Symantec, and AVG will cause problems with installation and at run-time. You MUST disable your AV before installing and using Metasploit Express.
- Local firewalls, including the Windows Firewall, MUST be disabled in order to run exploits successfully. Alternatively, the "bind" connection type may be used, but some exploits still need to receive connections from the target host.
- The RPC service (:50505) on Metasploit Express runs as ROOT, so any Metasploit Express account has privileged access to the system on which it runs. In malicious hands, this can lead to system or network damage. Please protect the service accordingly.
- Metasploit Express is intended only for authorized users. Run Metasploit Express only on machines you own or have permission to test. Using this software for criminal activity is illegal and could result in jail time.


Welcome
Metasploit Express is an easy-to-use penetration testing solution that provides network penetration testing capabilities, backed by the world's largest fully tested and integrated public database of exploits. Built on feedback from the Metasploit user community, key security experts, and Rapid7 customers, Metasploit Express enables organizations to take the next step forward in security.

Metasploit Express was designed for corporate security professionals, security consulting practices, and existing Metasploit users. If you already use the open-source Metasploit Framework to develop and test exploit code, you will appreciate the increased execution and browsing functionality of Metasploit Express.

In addition to the capabilities offered by the open-source framework, Metasploit Express goes above and beyond by delivering a full graphical user interface, automated exploitation capabilities, complete user action audit logs, and customizable reporting, combined with an advanced penetration testing workflow. Metasploit Express is fully supported by Rapid7 security and support specialists in addition to the large and growing Metasploit community.

Metasploit Express is a part of the Metasploit Project, the open-source penetration testing and development toolset for security professionals. The Metasploit Project was acquired by Rapid7 to continue the open-source community involvement, and to expand the project's capability and ease-of-use.

Metasploit Express can be installed on Windows and Linux machines and runs on almost any web browser, or you can continue to use the command line interface.


About This Guide


This Installation Guide provides comprehensive information and instructions for Metasploit Express. The following sections will describe the audience, organization, and conventions used within this guide.

Target Audience
This User Guide is intended for IT and security professionals who wish to use Metasploit Express as their penetration testing solution.

Organization
This guide is divided into the following chapters:

- Warnings
- About This Guide
- Installing Metasploit Express
- Getting Started with Metasploit Express
- FAQs
- Index

Document Conventions
The following table lists the conventions and formats used within this guide.
Table 1: Document Conventions

Convention | Description
Command | Text in this typeface indicates Metasploit Express buttons, options, features, and commands as well as filenames. For example, "Click Forward to continue" and "Locate the Reports tab."
Code | Text in this typeface represents command line, file directory, or code. For example, chmod +x Desktop/metasploit-3.6.0-linux-x64-installer.
Title | Text in this typeface refers to document, chapter, and section names. For example, "For more information, see the Metasploit Express User Guide."
Note: | Refers to additional information you may need to be aware of.


Support
We are dedicated to delivering superior support for our products. Use the Customer Center to ask questions and get assistance for Metasploit Express. To log into the Customer Center, you will need to use the email and password you entered to create your account when you purchased Metasploit Express. The Customer Center can be accessed at the URL below: http://www.rapid7.com/customers/customer-login.jsp


Installing Metasploit Express


This chapter covers the setup of Metasploit Express on Windows, Red Hat Enterprise Linux 5+, and Ubuntu 8.04+ systems. Metasploit Express will function on other operating systems, but they are not supported.

Programs Bundled with the Installer


Metasploit Express installs on both Windows and UNIX with a complete Ruby on Rails stack. The installer handles all dependencies required to run Metasploit Express and creates a number of services.

Prerequisites and Recommendations


The size of the Windows installer is 90MB, and the Linux (RHEL / Ubuntu) binary files are 80MB. Once installed, the software bundles will require at least 420 MB of hard drive space. You must have administrator privileges on your computer to install Metasploit Express.

When you launch the installer file, you will be prompted to enter the following setting and configuration options:

- The destination folder on your hard drive or external disk where Metasploit should be installed.
- The port number that the bundled web server will use for SSL, Apache, and Mongrel access.
- A web server name that will be used to generate a self-signed SSL certificate specific to the installed device. The web server name can be any name and does not need to be a fully qualified domain.

Note: You should have this information readily available before launching the installer.

Note: The automated installation process that follows can take 10-15 minutes to complete. If the process appears to freeze, wait 5-10 minutes before taking any action.

Minimum Hardware Requirements


- 2 GHz+ processor
- 2 GB RAM available (increase accordingly with VM targets on the same device)
- 500MB+ available disk space
- 10/100 Mbps network interface card


Supported Platforms
- Windows XP SP2+
- Windows Vista
- Windows 7
- Windows 2003 Server SP1+
- Windows 2008
- RHEL 5
- Ubuntu 8.08+

Windows XP/Vista/7 Installation


The following section provides instructions for installing Metasploit Express on Windows operating systems.

Note: Antivirus (AV) software such as McAfee, Symantec, or AVG will cause problems with installation and at run-time. The open-source framework is detected as malicious. Please disable your AV before installing and using Metasploit Express.

Note: Local firewalls, including the Windows Firewall, will interfere with the operation of exploits and payloads. Please ensure that the system running Metasploit Express does not have any firewall software enabled.

Installing Metasploit Express for Windows


1. Log into the Customer Center at http://www.rapid7.com/customers/customer-login.jsp. To log into the Customer Center, you will need the email address and password you entered to create your account when you purchased Metasploit Express.
2. Locate the Windows Installer for Metasploit Express and download it.
3. Right-click on the link to Metasploit Express for Windows and save it on your Desktop.
4. Double-click on the installer icon on your Desktop. A security warning may pop up when you try to run the installer the first time. Click Run on the Security Warning screen. When the Setup Welcome screen appears, click Next to continue. On Windows 7, it may take up to 10 minutes before the initial installation screen is displayed.


Figure 1: Accept the Security Warning

5. Accept the License Agreement.

Figure 2: Accept the License Agreement

6. Click Next to continue after you have read and accepted the Metasploit Express License Agreement.
7. Select a folder to install Metasploit Express. On the following screen, you can either choose to install Metasploit Express in the default c:\metasploit folder or click the folder icon to choose a different directory or hard drive. Please note that the directory you choose must be empty.


Figure 3: Select a folder location

8. Click Next after you have selected your destination directory.
9. Enter the SSL Port number. This will configure your Apache server for Secure Socket Layer (SSL). By default, Apache uses port 3790 for HTTPS. Click Next after you have entered a port number.

Note: If the port you entered is open and responding to connections, then another process is already bound to it, and you will receive an error message that the installer was unable to bind to the port number. You can use netstat to determine if any process is listening on that port and kill the process, or you can just enter another port number such as 8080 or 442.

Figure 4: Enter an SSL port for your Apache server.


10. If there is a conflict during the port configuration, a screen suggesting a different port for the Mongrel server, database server, or Apache Web server will appear. If the port suggested is in use, click Next, and you will be prompted to enter a new port. You will repeat this step until the issue is resolved.
11. Generate an SSL certificate by entering the domain name of your Web server in the Server Name field. This will enable the browser running the Metasploit Express Web client to match the information.

Figure 5: Generate an SSL certificate.

12. Enter the number of days the certificate will be valid in the Days of validity field.
13. Click Next to continue.
    Note: A firewall warning about the Apache HTTP server may appear. Accept the warning to continue.
14. A dialog will alert you that it is ready to install Metasploit Express on your computer. Click Next to install Metasploit Express and its bundled dependencies. The next screen will run the rest of the installer, which can take 20-25 minutes. The Setup dialog will show the installation progress, and you will not be prompted again until the installation is complete. When the installation is complete, you can start Metasploit Express immediately without restarting your computer. Click Finish to end the installation.
15. Click the Finish button when Metasploit Express has finished installing on your computer. At this point, you can choose to start Metasploit Express immediately without restarting your computer.

After you have completed the installation process, you should go to the Creating a User Account section of this Installation Guide to create an account.


Installing Metasploit Express on Linux


The following sections provide instructions for installing Metasploit Express on Linux operating systems.

Linux (RHEL / Ubuntu) Installation


1. Log into the Customer Center at http://www.rapid7.com/customers/customer-login.jsp. To log into the Customer Center, you will need the email address and password you entered to create your account when you purchased Metasploit Express.
2. Right-click on the Metasploit Express for Linux link, either 32-bit or 64-bit depending on your system, and save it on your Desktop. Please note that the 32-bit installer is NOT compatible with 64-bit Linux operating systems.
3. Change the mode of the installer file to be executable by typing the following in your command line:
       chmod +x Desktop/metasploit-3.6.0-linux-x64-installer
4. Run the installer by double-clicking on the installer icon on your desktop.
5. Click Forward when the Setup window displays.

Figure 6: Set up dialog

6. Read and accept the License Agreement.


Figure 7: License Agreement

7. Click Forward to continue.
8. Choose an installation folder for Metasploit Express. You can either choose the default folder provided or click the folder icon to select a different directory/hard drive.

Figure 8: Installation folder

9. Click Forward after you have selected your destination directory. Please note that the folder you select must be empty.
10. Select whether you want to install Metasploit Express as a service. It is highly recommended that you choose to install it as a service. This step will simply add an init script that will call $INSTALLERBASE/ctlscript.sh start at startup time. Please note that if the service script already exists, it will prompt you to provide a new name.

Figure 9: Install as a service

11. Click Forward after you have made your selection. 12. Enter the SSL port that you will use to access Metasploit Express in the SSL Port field. By default, Apache uses 3790 for HTTPS.

Figure 10: SSL Port


13. Click Forward to continue.
14. If there is a conflict during your port configuration, you will see a dialog that requests an alternative configuration for the service script, Mongrel server, Postgres database server, or Apache web server to use. You will be prompted to enter another port until the conflict is resolved. Please note that Metasploit Express can only be installed once on each PC, so make sure to uninstall before installing an alternative version.
15. Generate an SSL certificate by entering the domain name of your Web server in the Server Name field. This will enable the browser running the Metasploit Express Web client to match the information.

Figure 11: SSL Certificate

16. Enter the number of days the certificate will be valid in the Days of validity field.
17. Click Forward to continue.
18. The next screen will run the rest of the installer, which will install all the bundled dependencies. This process can take 20-25 minutes. The Setup dialog will show the installation progress, and you will not be prompted again until the installation is complete.


After you have completed the installation process, you should go to the Creating a User Account section of this Installation Guide to create an account.

Linux Console (Command Line) Installation


1. Log into the Customer Center at http://www.rapid7.com/customers/customer-login.jsp. To log into the Customer Center, you will need the email address and password you entered to create your account when you purchased Metasploit Express. Please note that the 32-bit installer is not compatible with 64-bit Linux operating systems.
2. Change the mode of the installer file to be executable. To do this, type the following into your command line:
       chmod +x Desktop/metasploit-3.6.0-linux-betainstaller.bin
3. Launch the installer by typing the following into your command line:
       sudo ./Desktop/metasploit-3.6.0-beta-linux-installer
4. Select a directory to install Metasploit Express. You can either choose the default directory, /opt/metasploit-3.6.0, or enter a different path.
5. Select whether you want to install Metasploit Express as a service. It is highly recommended that you choose to install it as a service. This adds an init script that will call $INSTALLERBASE/ctlscript.sh.
6. Enter the port Apache will listen to for SSL access. By default, this port is 80.


Figure 12: Server Port

7. Enter the SSL port on which you will access Metasploit Express. By default, this port is 3790.
8. If there is a conflict during your port configuration, you will see a dialog that requests an alternative configuration for the service script, Mongrel server, Postgres database server, or Apache web server to use. You will be prompted to enter another port until the conflict is resolved. Please note that Metasploit Express can only be installed once on each PC, so make sure to uninstall before installing an alternative version.
9. Generate an SSL certificate by entering the domain name of your Web server so the browser running the Metasploit web client can match it. This can be any name and does not need to be a fully qualified domain. Additionally, enter the number of days the certificate will be valid.

Figure 13: SSL Certificate

10. The installation process will finish by installing all of the bundled dependencies.

After you have completed the installation process, you should go to the Creating a User Account section of this Installation Guide to create an account.


Getting Started with Metasploit Express


Creating a User Account
The first launch of Metasploit Express opens a browser window with a Setup and Configuration web form. Here, you will be able to create a user account for the system.

Note: To access the User Accounts area after the first launch, select Administration > User Administration from the navigational breadcrumbs located at the upper right corner of the interface. The user account creation process will be the same as the first time.

To create a new user:

1. Enter your desired username in the Username field.
2. Enter your first and last name in the Full name field.
3. Enter a strong password in the Password field. Strong passwords are recommended because Metasploit Express runs as root. Use mixed case, punctuation, numbers, and at least 6 characters. Re-enter the password in the Password confirmation field.
4. Re-enter your password in the Password confirmation field.
5. Click Save Changes.

Note: If you forget your password, there is a password reset script located in your Metasploit Express installation directory under $INSTALLERBASE/apps/pro/ui/script/resetpw.

Once your user account has been successfully created, Metasploit Express will display the Projects page.

Running Metasploit Express


You can run Metasploit Express on Windows or in Linux. The following two sections detail how to launch Metasploit Express in both operating systems.

Launching Metasploit Express in Windows


To access Metasploit Express in Windows, navigate to Start > All Programs > Metasploit. To run the Web client, select the application Access Metasploit Express. You can manually install, start, stop, and uninstall Metasploit Express services by using the options under the Metasploit Express Service subdirectory.

Launching Metasploit Express in Linux


The Linux installer places a startup script in the root directory of the install, $INSTALLERBASE/ctlscript.sh. This script can be used to start, stop, and check the status of the Metasploit services. Additionally, if you chose to install Metasploit Express as a service, a symbolic link to the ctlscript.sh script will be placed in the /etc/init.d directory.

To run the web client for Metasploit Express in Linux, browse to https://localhost:3790 (assuming the default SSL port was chosen).
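
The following shell example is added here and is not part of the original guide or of Rapid7's tooling. It reads ss -ltn or netstat -ltn output and reports, for the guide's web port (3790) and the RPC port (50505, which the Warnings section says runs as root), whether each is closed, bound to loopback only, or reachable from other hosts; port_in_use covers the installer's port-conflict note. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which addresses the Metasploit Express ports listen on.
# Ports 3790 (web UI) and 50505 (RPC) come from the guide; the function names
# and the sample listing below are constructed for illustration.

# Constructed `ss -ltn` style output (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:3790        0.0.0.0:*
LISTEN 0      128    127.0.0.1:50505     0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*'

# exposure PORT < listing
# Prints "closed" (no listener), "loopback" (only 127.0.0.0/8 or ::1),
# or "exposed" (at least one listener on a non-loopback address).
# Works on Linux `ss -ltn` and `netstat -ltn`: both put the local
# address:port in column 4.
exposure() {
    awk -v port="$1" '
        /LISTEN/ {
            n = split($4, p, ":")            # port is the last ":" field
            if (p[n] != port) next
            addr = substr($4, 1, length($4) - length(p[n]) - 1)
            seen = 1
            if (addr !~ /^127\./ && addr != "[::1]" && addr != "::1" &&
                addr !~ /^\[::ffff:127\./)
                exposed = 1
        }
        END {
            if (!seen)        print "closed"
            else if (exposed) print "exposed"
            else              print "loopback"
        }'
}

# port_in_use PORT < listing: succeeds if anything already listens on PORT
# (the condition behind the installer's "unable to bind" error).
port_in_use() {
    [ "$(exposure "$1")" != "closed" ]
}

# audit_listeners < listing: one "PORT STATE" line per Metasploit Express port.
audit_listeners() {
    listing=$(cat)
    for port in 3790 50505; do
        printf '%s %s\n' "$port" "$(printf '%s\n' "$listing" | exposure "$port")"
    done
}

# On a live host: ss -ltn | audit_listeners
printf '%s\n' "$SAMPLE_SS" | audit_listeners
```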


Frequently Asked Questions


Where can I get more help?
A: You can receive additional help by contacting the Rapid7 Support team through the Customer Center or by joining the Metasploit community. You can find more information about the community support options at the community portal: http://www.metasploit.com/community/

What are the minimum system requirements?
A:
- 2 GHz+ processor
- 2 GB RAM available (increase accordingly with VM targets on the same device)
- 500MB+ available disk space
- 10/100 Mbps network interface card

How will I know when there is an update to the product?
A: Select Administration > System Updates from the Main menu.

How can I create the initial user account from a remote system?
A: Execute the diagnostic_shell script in the root of the installation, then execute ruby apps/pro/ui/script/createuser.
