Metasploit Interview Questions & Answers

Question 1. What Is Kali Linux?

Answer :

Kali Linux is a Linux distribution for penetration testers that comes preloaded with a lot of open source penetration testing tools. It is brought to you by the same people who made BackTrack, currently the world’s most popular Linux distribution for penetration testing.

In other words, Kali Linux is an operating system that is optimized for penetration testing. You can think of it in the same way that Chromium OS is Linux operating system that is optimized for web browsing.

The open source Kali Linux project is managed by Offensive Security with the help of community contributors, such as Rapid7.

Question 2. What Is The Difference Between Kali Linux And Backtrack?

Answer :

Kali Linux is the next-generation version of BackTrack and therefore replaces BackTrack. While BackTrack is based on Ubuntu, Kali Linux is based on Debian.

Question 3. What’s New In Kali Linux Compared To Backtrack?

Answer :

BackTrack users will notice that Kali Linux is built in a much more structured way, which ensures a more professional and robust user experience.

Here is a list of the new benefits:

• Debian with an FHS-compliant system: Instead of having to navigate through the /pentest tree, you can now call any tool from anywhere in Kali Linux.
• Streaming security and package updates from Debian: Kali repositories synchronize with the Debian repositories 4 times a day, constantly providing you with the latest package updates and security fixes available.
• Debian-compliant packaging of every tool in Kali: This is where the Kali team has been spending most of its time and effort: relentlessly packaging dozens of useful tools, painstakingly making sure all packages are Debian compliant.
• Long-term packaging and maintenance of high-profile tools: Many of the tools in Kali need to be “bleeding edge”. The Kali team has taken on the task of packaging and maintaining upstream versions of many tools, so that users are constantly kept up to date where it matters. For example, Metasploit is a highprofile tool that is updated with new exploits every week; it was repackaged for Kali Linux with Rapid7’s contribution to ensure a robust user experience.
• Streamlined development process: As all source packages are now also Debian compliant, you can quickly and easily get the required sources of each tool, then modify and rebuild them with a couple of commands.
• Bootstrap builds and ISO customizations: One of the many benefits of Kali’s move to a Debian-compliant system is the ability to bootstrap a Kali Installation / ISO directly from Kali’s repositories. This means that you can easily build your own customizations of Kali, as well as perform enterprise network installations from a local or remote repository.
• Automating Kali installations: Kali Linux installations can now be automated using pre-seed files. This allows for enterprise-wide customization and deployment on multiple systems.
• Real ARM development: BackTrack 5 introduced support for ARM hardware. The ARM build-bot was a modified Motorola Xoom tablet, which - suffice to say - didn’t last for long. To help remedy this, Offensive Security has donated a Calxeda ARM cluster to the Kali project, allowing reliable and long term development of Kali Linux ARM images. Note: Metasploit Community and Pro are not supported on the ARM platform.
• Complete desktop environment flexibility: Kali’s new build and repository environments allow for complete flexibility in generating your own updated Kali ISOs, with any desktop environment you like, no matter whether you prefer KDE, LXDE, XFCE, or a custom desktop environment. 
• Seamless upgrades to future major versions: Another benefit derived from the move to a Debian compliant system is the ability to seamlessly upgrade future major version of Kali. No longer will you have to reinstall your penetration testing machine to upgrade to a new Kali version.

Question 4. Why Is Kali Linux No Longer Called Backtrack?

Answer :

Kali Linux is a huge step forward from BackTrack 5. Kali Linux has been built from scratch, changing the entire architecture. The new name reflects this overhaul.

Question 5. What Does “kali” Stand For?

Answer :

Is Kali the Hindu Goddess of time and change? A Philippine martial art? A cool word in Swahili? None of the above. “Kali” is simply the name we came up with for the new distribution.

Question 6. What Is New About Metasploit Support In Kali Linux?

Answer :

Recognizing the importance of the BackTrack project to the community, Rapid7 joined the Kali Linux project to contribute to the packaging and long-term support of Metasploit on the Kali Linux platform.

Metasploit is a large and ever evolving project which is difficult to package and support for any third-party. Although it was made available in BackTrack, Metasploit on BackTrack suffered from issues that impacted the user experience. Symptoms Metasploit users reported include issues with updates, databases, and general stability.

As a result of Rapid7’s involvement in the Kali project, Metasploit users should have a much more robust user experience on Kali Linux.

Question 7. What Is The Relationship Between Kali Linux And Rapid7?

Answer :

Rapid7 is now an official contributor of the Kali Linux project with the goal of improving the support for Metasploit on this important platform. Starting with the investment into the Metasploit Project in 2009, Rapid7 has continued to support the security community. Here are some of the ways that Rapid7 gets involved, support and give back.

• Building: Rapid7 is proud to have grown the Metasploit community to 175,000+ active users and contributors.
• Mentoring: Rapid7 supports fledgling open source projects Ghost, Buttinsky and Androguard providing promotional and strategic business guidance, as well as financial support to help them get off the ground.
• Backing: Rapid7’s Magnificent7 program supports more established open source projects such as John the Ripper and Cuckoo Sandbox, to help them achieve their next development goals.

Question 8. As A Metasploit Pro Customer, Can I Get Full Technical Support On Kali Linux?

Answer :

Yes, Rapid7 fully supports Metasploit Pro on Kali Linux, Windows, Ubuntu and Red Hat. 

Question 9. Should I Boot Kali Linux From A Cd Or Use A Persistent Installation?

Answer :

Kali Linux offers a much improved installation experience compared to BackTrack. For most users, a persistent installation is best because it will remember your settings, files, and product licenses. If you need to revert to a clean image for each new engagement, consider reverting to the snapshot of a clean, pre-installed virtual machine after each engagement.

Question 10. Should I Use Kali Linux As My New Secure Desktop System?

Answer :

No. Kali Linux is meant to be used as a platform for penetration testing, not as a secure operating system for desktops. We recommend that you use Kali Linux on a dedicated physical or virtual machine or boot it from a persistent external USB flash drive or hard disk for the duration of your penetration test. As a best practice, you should keep your personal files, such as email and office documents, on a separate system.

Question 11. What Version Of Debian Is Kali Based On?

Answer :

Kali is based on Debian Wheezy, with selective packages imported from upstream.

Question 12. Are Wireless Injection Patches Available In Kali?

Answer :

Yes.

Question 13. Is My $wireless_card Supported By Kali?

Answer :

This depends on the cards chipset and drivers. If kernel 3.7 supports your drivers, your card is supported.

Question 14. Armitage Does Not Display Hosts From The Database?

Answer :

Type hosts in the Metasploit Framework console. If you see hosts there, but not in Armitage, you have this issue. There are three possible causes:

The first (possible) cause is you are using the Metasploit Framework's workspaces (the workspace command). Armitage is not compatible with the Metasploit Framework's concept of workspaces. You must leave this at default and not change it.

The second potential cause is that Armitage is not using the same database configuration as the Metasploit Framework. This is driven by the database.yml file in your Metasploit Framework environment. Type db_status in a Metasploit Framework console and verify that this is the same database Armitage uses (go to Armitage -> Preferences and find the connect.db_connect.string value).

The third potential cause is that Metasploit made two default workspaces for you. Why? I don't know. This messes up things with Armitage though. Type workspace. If you see two workspaces with the name default, then this bit you. To fix it, type: workspace -D and restart Armitage.

Question 15. Armitage Is Slow Or Has Graphical Glitches

Answer :

Switch from OpenJDK to Oracle's Java environment. The OpenJDK implementation of Java has occasional bugs that affect the Armitage experience negatively. Random artifacts when updating UI components is not uncommon in the OpenJDK. As of this FAQ update, there is a bug in the OpenJDK packaged for Debian distributions (Kali Rolling!) that slowly consumes CPU/memory until the application crashes.

If you experience graphical or performance issues, change over to Oracle's Java and see if that resolves your issue.

Question 16. How Do I Run Armitage On Kali Linux?

Answer :

Armitage is not distributed with Kali Linux. It is in the Kali Linux repository though. To install it, type:

apt-get install armitage

Question 17. I Get A Database Error On Kali Linux. How Do I Fix It?

Answer :

Make sure the database is running. Use:

service postgresql start

Next, you may need to ask Kali to recreate the Metasploit framework database:

service metasploit start 
service metasploit stop

Sometimes you need to do the above after an msfupdate as well.

Question 18. Sometimes Armitage's Menus Stick (or I See Graphic Glitches)--how Do I Fix This?

Answer :

Kali Linux comes with Java 1.6 and 1.7 pre-installed. Unfortunately, it defaults to Java 1.6 which has a few issues. You'll need to tell Kali Linux to use Java 1.7 by default. Here's how:

32-bit Kali Linux:

update-java-alternatives --jre -s java-1.7.0-openjdk-i386

64-bit Kali Linx:

update-java-alternatives --jre -s java-1.7.0-openjdk-amd64

Question 19. Do Not See A Start Msf Button, What Is Wrong With My Armitage?

Answer :

Nothing. You're using the latest version of Armitage. The Start MSF button has been taken away. The Connectbutton now intelligently detects whether Metasploit is running locally or not. If Metasploit is not running, Armitage will ask you if you want it to start Metasploit. I suggest pressing Yes.

Question 20. Can Armitage Exploit Windows 7 And Vista Or Is It Windows Xp Only?

Answer :

I get this question, worded in this way, a lot. First, Armitage is a front-end that provides a workflow and collaboration tools on top of Metasploit. The correct question is: does Metasploit have attacks that work against Windows 7 and Windows Vista?

The answer is yes. Remote exploits against modern Windows versions are very rare. If you're hoping for this, please put these days behind you. Microsoft has a lot of smart people and they've put a lot of work into reducing mistakes that lead to exploitable conditions. They have also added mitigations to their software to make it harder to turn a programmer's mistake into an attack.

Attackers do what works and they have moved on. Now, to break into a modern system, you need to attack the applications the user is running and not the operating system. Client-side attacks against Internet Explorer, Firefox, Adobe Reader, Adobe Flash, Apple QuickTime, and Java are very common. Metasploit is the cutting edge of what's publicly available in this space.

Once you get a foothold, it's up to you to think like an attacker and use your position to gain access to other systems. There are resources available for your learning. I suggest that you go study them. If you're really serious about learning these ideas then invest in yourself and take a class.

Question 21. Why Can't I Type In Any Of The Tabs?

Answer :

On Windows and MacOS X you have to click in the editbox to focus the input area and type. This is a known issue. The editbox is at the bottom of the tab. Just click in it until you see a blinking cursor.

Question 22. Armitage Picked The Wrong Lhost, How Do I Fix It?

Answer :

Type:

setg LHOST [your IP address]

That's it. Armitage uses this value to tell reverse connect attacks where to connect to. You do not need to reset Armitage's listener when you change this value.

Question 23. I Can't Get Any Exploits To Work. What Am I Doing Wrong?

Answer :

Start with something that you know is exploitable. I recommend downloading the Metasploitable virtual machine. Hacking this will give you confidence that yes, exploits work and yes, you're probably using Metasploit correctly.

Not all exploits work in all situations. Remember that you're sending code to a system that is meant to trigger a flaw. If a firewall is on, then maybe the data isn't getting to the service. Maybe you're running a version of the software that no longer has the flaw.

Metasploit is not a magic key into other systems. Knowing what to use in different situations is a skill and it comes with experience.

Question 24. Why Do The Hosts In The Targets Area Move Back After I Move Them?

Answer :

Armitage automatically arranges the hosts in the targets area by default. You can turn this behavior off. Make sure no host is selected and right-click inside the targets area. Go to Auto Arrange -> None.

Question 25. What Are The Warning Messages In The Console I Launched Armitage From?

Answer :

These are harmless. They're debug output for me to read. I was too lazy to remove them. They always have the form Warning: some message here at file.sl:##. The scary "Warning" text is from the warn function in the language I used to write Armitage. Ignore it.

Question 26. How Do I Use Armitage Against An Internet Address?

Answer :

There are no restrictions in the software. I recommend experimenting with virtual machines on a private test network. If you choose to use this tool against an internet host, make sure you have a letter of permission from the system's owner.

Question 27. What's The Best Way To Learn How To Use Armitage For Metasploit?

Answer :

There are a lot of resources on both Armitage and Metasploit available to you. Here's a recommended order for you:

1. Armitage Lecture. This is a video from the SecurityTube Metasploit Framework Expert series. This video describes Armitage in a pretty succinct way.
2. Armitage and Metasploit Training. This 2011 course goes through Armitage and Metasploit, step-by-step. It's very old and I consider the material quite dated, but it's worth watching if you want to get the basics down.
3. Hacking Linux with Armitage. This article will take you through the entire network attack process using Armitage and the freely available Metasploitable virtual machine as a target. I recommend reading this article and reproducing each step in it.
4. Get in through the backdoor: Post-exploitation with Armitage. Many folks ask me how to hack a modern operating system (e.g., Windows 7) using Armitage. This article in Hakin9 will show you how to do this. You'll need to download the PDF of this issue to read the article.
5. The Armitage Manual. Technically you should read this first. But, if you didn't--I'll forgive you. This manual is a reference for Armitage. It doesn't give context like these other resources do. Still, you should read it to understand what Armitage can do and the technical details of setting up different features. This manual is always accurate with the latest version of Armitage.
6. Metasploit Unleashed. This is a free course offered by the Offensive Security folks. To be really effective with Armitage, you'll need to understand Metasploit. This course takes you through a lot of what Metasploit can do.

As a penetration tester, I find tools give me about 15% of what I need. The rest of my work is problem solving, system administration, and luck. If you want to learn how to hack, don't neglect these skills either. Here are a few other recommended items:

• De-ICE Pen Test LiveCD. These CDs are self-contained scenarios requiring you to use problem solving and Linux knowledge to penetration test a fake company. Keep in mind, the answers are not obvious.
• Penetration Testing and Vulnerability Analysis. This is a great course at NYU-Poly that will help you understand hacking from the perspective of the exploit developer.
• OWASP WebGoat Project. This is a LiveCD environment with several web application attack scenarios. It will guide you through the very basics of conducting a web application assessment.

If you get through all of the above and you want to take things to the next level:

• Advanced Threat Tactics (2015). This is a 9-part course with nearly six hours of material on modern red team operations with the Cobalt Strike product. Cobalt Strike started life as a derivative of Armitage, but now it's a stand-alone platform that does not use the Metasploit Framework. If you want to emulate a quiet actor with a long-term presence in a network, Cobalt Strike is the toolset to do it.

Question 28. Will You Teach Me To Hack?

Answer :

If you want my views on the hacking process and how to do it, then ask your organization to invite me to teach a course at your location. I have materials, labs, and an exercise for a threat emulation course. I've given this course several times now and my students have taken a lot from it.

Question 29. Why Does Armitage Exist?

Answer :

I've met too many security professionals who don't know how to use Metasploit. Sadly, I was one of them. I've always felt Metasploit could use a non-commercial GUI organized around the hacking process. So, I made Armitage

Armitage exists to help security professionals better understand the hacking process and appreciate what's possible with the powerful Metasploit framework. Security professionals who understand hacking will make better decisions to protect you and your information.

Question 30. What’s Significantly New In The 3.0 Series Of The Msf?

Answer :

Version 3.0 is almost a radical departure from version 2.0 in terms of the underlying technology and feature set. While the ability to develop and execute exploits has been enhanced, the new modules and plugins offer greater flexibility in managing multiple exploit sessions, automating the penetration testing cycle, storing results in a database, and even developing new tools built around the APIs exposed by the framework.

Significant IDS/IPS evasion capabilities have also been added, and the Web interface has been overhauled. Besides this, the framework has been coded in Ruby rather than in Perl.

Question 31. What About All The Cool Meterpreter And Vnc Dll Stuff?

Answer :

All of the powerful payloads—Meterpreter, VNC DLL, PassiveX—are present with the new release, and have been enhanced even further.The framework also allows specifying a class of payloads instead of a specific payload. However, little-used features such as Impurity ELF injection and InlineEgg have been removed. Eventually, all non-Windows exploitation methods will be moved to Meterpreter.

Question 32. What Is The Auxiliary Module System?

Answer :

The Auxiliary module system is essentially a collection of exploits and modules that add to the core capability of the framework. Exploits that don’t have payloads, such as Microsoft SRV.SYS Mailslot Write Corruption and Microsoft RRAS InterfaceAdjustVLSPointers NULL Dereference, are part of this system. More importantly, recon modules that allow scanning of remote systems and fingerprinting them are also present as auxiliary modules. For instance, one of the auxiliary modules scans a range of systems for the presence of UDP ports, and decodes six protocols and displays them at the console.Another module performs fingerprinting of Windows systems using the SMB protocol.

Question 33. What’s The Best Way To Remain On The Cutting Edge Of The Msf?

Answer :

The framework source code is now available through the Subversion CVS. Once you’ve downloaded the 3.0 release from the Metasploit Web site, you need to also download the Subversion client.Then navigate to the framework installation folder and run the svn checkout command. Once the code and other files have been downloaded, you can run the svn update command to keep yourself right on the bleeding edge of the framework.

Question 34. What Is Metasploit Intended For And What Does It Compete With?

Answer :

The MSF is an open-source tool, which provides a framework for security researchers to develop exploits, payloads, payload encoders, and tools for reconnaissance and other security testing purposes.Although, it initially started off as a collection of exploits and provided the ability for large chunks of code to be re-used across different exploits, in its current form it provides extensive capabilities for the design and development of reconnaissance, exploitation, and post-exploitation security tools.

The MSF was originally written in the Perl scripting language and included various components written in C, assembler, and Python.The project core was dual-licensed under the GPLv2 and Perl Artistic Licenses, allowing it to be used in both open-source and commercial projects. However, the 3.0 version of the product is now completely re-written in Ruby and comes with a wide variety of APIs. It is also now licensed under the MSF License, which is closer to a commercial software End User License Agreement (EULA) than a standard open-source license.The basic intent is to:

• Allow the MSF to remain open-source, free to use, and free to distribute.
• Allow module and plugin developers to choose their own licensing terms.
• Prevent the MSF from being sold in any form or bundled with a commercial product (software, appliance, or otherwise).
• Ensure that any patches made to the MSF by a third party are made available to all users.
• Provide legal support and indemnification for MSF contributors.

The MSF competes directly with commercial products such as Immunity’s CANVAS and Core Security Technology’s IMPACT. However, there is a major difference between the MSF and these commercial products in terms of its objectives.The commercial products come with user-friendly graphical user interfaces (GUIs) and extensive reporting capabilities in addition to the exploit modules, whereas the MSF is first and foremost a platform to develop new exploits, payloads, encoders, No Operator (NOP) generators, and reconnaissance tools. Moreover, it is also a platform to design tools and utilities that enable security research and the development of new security testing techniques.

Question 35. Why Ruby?

Answer :

The following reasons illustrate the rationale behind this decision:

• After analyzing a number of programming languages and seriously considering Python as well as C/C++, the Metasploit team found that Ruby offered a simple and powerful approach to an interpreted language.
• The degree of introspection and the object-oriented aspects of Ruby fulfilled the requirements of the framework quite well.
• The framework needed automated class construction for code re-use, and Ruby is well suited for this, compared with Perl, which was the primary programming language used in the 2.x series.
• Ruby also offers platform-independent support for threading.This has resulted in a significant performance improvement over the 2.x series.
• When the framework was developed on Perl, the team had to struggle to get it to work with ActiveState Perl, and ended up settling with Cygwin, although both resulted in usability issues.The natively compiled Ruby interpreter for Windows significantly improves performance and usability.
• For these and other reasons, the Metasploit team enjoyed working best with Ruby, and decided to port the whole framework for the 3.x series.

Question 36. Which Is The Better Platform For Metasploit, Linux Or Windows?

Answer :

The choice of platform is more or less personal, since the framework works almost the same on both operating systems. However, the majority of Metasploit downloads for its earlier versions were for the Windows platform. For version 3, Windows is only partially supported. My personal choice is Linux, since some of the bleeding-edge features such as database support and wireless exploits first came out for Linux, and then for Windows.

Question 37. What Is The Difference In Environment Variables Between Versions 3.0 And 2.0?

Answer :

In version 3.0, some of the variable names have been changed, and the way in which values with spaces are treated has changed.

Question 38. Of The Various Payload Options Available, Which One Should I Use?

Answer :

Chances are that you will usually get only one shot at launching and successfully executing your exploit, so the selection of a payload is very important.Your objective should be to get maximum mileage, while at the same time avoiding detection as much as possible.

In this regard, the Meterpreter might be your best bet. It executes within the context of the vulnerable process, and encrypts communication between client and server.

Moreover, if you have a programming background, you could code your chosen task and compile it as a DLL.You could then upload and execute this DLL or any binary through Meterpreter.The VNC DLL will open up a GUI, which increases the speed at which you can pivot onto other systems. It also increases the chances of being detected, since any mouse or keyboard action you execute on the remote system will also show up on the console of the remote system.

If you are very sure that no one would be monitoring the system console, or would be connected to VNC at the same time, you could go ahead and use this payload. If your objective is only proof of concept, you may be best suited by using a payload that will simply run a command (windows/exec, /bsd/x86/exec, cmd/unix/generic or /linux/x86/exec).To leave your mark on the system, you could create a local file in a specific location.

Question 39. How Easily Can I Customize The Meterpreter And Passivex Payloads?

Answer :

The Meterpreter supports any language that can compile code into a DLL. Once you understand the simple Type-Length-Value protocol specification required by the Meterpreter, you can easily create extensions.These can then be uploaded and executed on the fly on the remote system.

For PassiveX payloads, you could write your own ActiveX control and have that loaded by the Internet Explorer of the remote system.

Question 40. What Is Pivoting?

Answer :

Pivoting is a technique that Metasploit uses to route the traffic from a hacked computer toward other networks that are not accessible by a hacker machine.

Let’s take a scenario to understand how Pivoting works. Assume we have two networks:

• A network with the range 192.168.1.0/24 where the hacker machine has access, and
• Another network with the range 10.10.10.0/24. It is an internal network and the hacker doesn’t have access to it.

The hacker will try to hack the second network this machine that has access in both networks to exploit and hack other internal machines.