How to Install Metasploit on Ubuntu

Published:31 August 2022 - 7 min. read

Nicholas Xuan Nguyen Image

Nicholas Xuan Nguyen

Read more tutorials by Nicholas Xuan Nguyen!

Azure Cloud Labs: these FREE, on‑demand Azure Cloud Labs will get you into a real‑world environment and account, walking you through step‑by‑step how to best protect, secure, and recover Azure data.

Finding security vulnerabilities in systems and patching them has become one of the most important jobs for network administrators. Metasploit is a popular exploitation tool that helps security professionals find and expose system vulnerabilities.

In this tutorial, you will learn how to install Metasploit on Ubuntu and use it to scan for vulnerabilities in your systems.

Read on to never worry about a system’s security again!

Prerequisites

This tutorial will be a hands-on demonstration. If you’d like to follow along, be sure you have

  • An Ubuntu Linux system. This tutorial uses Ubuntu 20.04, but any recent version should work fine.
  • You will also need root privileges on your system to install Metasploit. This tutorial uses a root account, but for security purposes, it is recommended that you use a sudo-enabled user.

Installing Metasploit Using the Shell Script Installer

The official Metasploit shell script installer is the quickest way to install Metasploit on Ubuntu. This method works on any Debian-based system, including Ubuntu. This shell script takes care of all the dependencies and configuration for you.

1. Run the following wget command to download the latest version of the Metasploit installer from GitHub.

wget http://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run
Downloading the latest version of the Metasploit installer.
Downloading the latest version of the Metasploit installer.

2. Verify that the file download was successful by listing its contents.

ls -la metasploit-latest-linux-x64-installer.run

You will see a similar output below.

Verifying the file download
Verifying the file download

3. Before you can run the installer, you need to make the file executable. Run the following chmod command to give the installer file executable permissions.

chmod +x ./metasploit-latest-linux-x64-installer.run

4. Now, you can run the installer by pretending the name with ./.

./metasploit-latest-linux-x64-installer.run

5. Press Enter to read the Metasploit license agreement

Reading the Metasploit license agreement.
Reading the Metasploit license agreement.

6. Type y and press Enter to accept the terms and continue.

Typing y and press Enter to accept the terms and continue.
Typing y and press Enter to accept the terms and continue.

7. Select a folder to install Metasploit. For this tutorial, you will leave the default installation directory at /opt/metasploit and press Enter to continue.

Select a folder to install Metasploit.
Select a folder to install Metasploit.

8. To install Metasploit as a service, type Y and press Enter.

By default, Metasploit will not run as a service. You can start, stop, and restart Metasploit from the command line manually, or you can install Metasploit as a service. Installing Metasploit as a service will allow it to start automatically when your system boots up.

Install as a service.
Install as a service.

9. Metasploit uses some techniques that could be flagged by your antivirus or firewall program. To avoid any issues, it is recommended that you disable these programs while working with Metasploit. To Disable Anti-Virus and Firewall, press Enter.

10. Enter the port that you want Metasploit to use. The default port is 3790, but you can choose any open port on your system. For this tutorial, you will be using the default port of 3790. Press Enter to continue.

Choose a port over 1000 and non-standard to avoid potential conflicts with other programs.

Enter the port that the Metasploit service will use.
Enter the port that the Metasploit service will use.

11. By default, Metasploit will use localhost as the Server Name. For this tutorial, leave the default and press Enter to continue.

12. The Metasploit shell script installer will default generate and install an SSL Certificate valid for 3650 days (10 years). For this tutorial, you leave the default value of 3650 days and press Enter to continue.

13. The script will generate a self-signed SSL Certificate for Metasploit. Type y to trust the certificate and press Enter to continue.

Generating and installing an SSL Certificate.
Generating and installing an SSL Certificate.

14. Finally, type Y and press Enter to start the Metasploit installation process.

Starting the Metasploit installation process.
Starting the Metasploit installation process.

15. Wait for the installation to complete. Once the installation has finished, you will see a message that says go to https://localhost:3790 from your web browser to access the web UI. You have successfully installed Metasploit on your Ubuntu system.

Successfully installed Metasploit
Successfully installed Metasploit

16. Open a web browser and navigate to https://localhost:3790 to load the Metasploit web interface.

Accessing the web UI.
Accessing the web UI.

17. To access the Metasploit console from the command line, run the below command.

msfconsole
Accessing the Metasploit console
Accessing the Metasploit console

Installing Metasploit From Source

Why would you want to compile and install Metasploit from the source? Maybe you want the latest features that have not yet been released in the shell script. Or maybe you are developing a new module for Metasploit and need to test it.

But, this method requires manually downloading and compiling the source code, which can be a bit tedious. Follow the steps below to compile and install Metasploit from the source on your Ubuntu system.

1. Run the apt command below to update your package list to ensure you have the latest versions.

apt update -y
Updating your package list.
Updating your package list.

2. Install all of the required dependencies for building and installing Metasploit.

apt install gpgv2 autoconf bison build-essential postgresql libaprutil1 libgmp3-dev libpcap-dev openssl libpq-dev libreadline6-dev libsqlite3-dev libssl-dev locate libsvn1 libtool libxml2 libxml2-dev libxslt-dev wget libyaml-dev ncurses-dev  postgresql-contrib xsel zlib1g zlib1g-dev -y
Installing all of the required dependencies.
Installing all of the required dependencies.

3. Next, download the Metasploit source code by running the following command. This command saves the Metasploit source code to a file named msfinstall in your current working directory.

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
Downloading the Metasploit source code.
Downloading the Metasploit source code.

4. List the file to confirm you’ve downloaded the file successfully.

ls -la msfinstall
Verify that the source code was downloaded successfully.
Verify that the source code was downloaded successfully.

5. Before you can run and compile the source code, you must ensure that msfinstall is executable.

chmod 755 msfinstall

6. Finally, run the code to start the Metasploit installation.

./msfinstall

The installation process could last several minutes, depending on your system resources.

Starting the Metasploit installation.
Starting the Metasploit installation.

7. Access the Metasploit console and start using it.

msfconsole
Accessing the Metasploit console.
Accessing the Metasploit console.

Installing Metasploit on Ubuntu Using Deb Package

The reason to use a deb package is that you can install it offline. You do not need an active Internet connection to install Metasploit.

A deb package is an archive file containing all the files required to install a software application on Debian-based systems. A deb package is a software installation file, similar to an executable (exe) file on Windows.

Related: Comprehensive Guide to Installing Deb Packages on Ubuntu

Follow the steps below to install Metasploit on your Ubuntu system using a deb package.

1. Download the Metasploit deb file from the Metasploit download page.

wget https://apt.metasploit.com/pool/main/m/metasploit-framework/metasploit-framework_6.2.8%2B20220720103055~1rapid7-1_amd64.deb
Downloading the Metasploit deb file.
Downloading the Metasploit deb file.

2. List the content of the current working directory to ensure you successfully downloaded the file.

Verifying that the deb file was downloaded successfully.
Verifying that the deb file was downloaded successfully.

3. Run the dpkg -I command to show information about the deb file.

dpkg -I metasploit-framework_6.2.8+20220720103055~1rapid7-1_amd64.deb
Showing information about the deb file.
Showing information about the deb file.

4. Finally, Install Metasploit using the dpkg -i command.

dpkg -i metasploit-framework_6.2.8+20220720103055~1rapid7-1_amd64.deb
Installing Metasploit using the deb package.
Installing Metasploit using the deb package.

5. Access the Metasploit console and start using it.

msfconsole
Accessing the Metasploit console
Accessing the Metasploit console

Scanning for Vulnerabilities

Now that you have installed Metasploit on your Ubuntu system, it is time to perform a scan. A Metasploit scan has two types: network scans and host scans.

A network scan identifies the available hosts on a network. This type of scan is useful when performing a penetration test on a network to identify the systems available for further attacks.

On the other hand, a host scan identifies the services running on a host. This type of scan is useful when you want to identify the vulnerabilities in a system.

Follow the below steps to run a vulnerability scan with Metasploit.

1. Start the PostgreSQL service. Metasploit saves all of the data it collects in a database. By default, Metasploit uses the PostgreSQL database.

systemctl start postgresql

2. Run the below command as a non-root user to initialize a new database for Metasploit.

msfdb init
new database for Metasploit
new database for Metasploit

3. Access the Metasploit console.

msfconsole

4. Check the database connection. Metasploit uses the db_status command to check the database connection.

db_status

You will see the following output.

Checking the database connection.
Checking the database connection.

5. Load the msfcrawler module. The msfcrawler module is for crawling websites to find vulnerabilities in web applications.

use auxiliary/scanner/http/crawler
Loading the msfcrawler module.
Loading the msfcrawler module.

6. Set the RHOST and RPORT parameters. The RHOST parameter represents the target host, and the RPORT parameter represents the port number. In this case, you will scan the localhost on port 9000.

set RHOST localhost
set RPORT 9000
Setting the RHOST and RPORT parameters.
Setting the RHOST and RPORT parameters.

7. Run the below command to start the crawler. The crawler will start scanning the target host and port. This process can take several minutes, depending on the website’s size.

run
Starting the scrawler
Starting the scrawler

8. Next, load the WMAP module. This module scans web applications for vulnerabilities.

Loading the WMAP module.
Loading the WMAP module.

9. Run the wmap_sites -a localhost:9000 command to add the target host and port to the scan list.

wmap_sites -a localhost:9000
Adding the target host and port to the scan list.
Adding the target host and port to the scan list.

10. List all the available target hosts and ports.

wmap_sites -l
Listing all the available target hosts and ports.
Listing all the available target hosts and ports.

11. Finally, select a target host and start the scan.

wmap_targets -t 127.0.0.1:9000
wmap_run -e
Select a target host and start the scan.
Select a target host and start the scan.

Wait for the scan to finish. This process can last hours, depending on the website’s size. This example takes over two hours to finish.

12. When the scan is complete, view the results by running the below command.

vulns

As you can see, the scan found no vulnerabilities since you are scanning a local host with no web applications. In real-world scenarios, you will get many more results.

TIP: You can use grep, or Linux commands like less, tail, cat. etc., to filter the output.

Viewing the scanning results.
Viewing the scanning results.

Conclusion

In this article, you have learned how to install Metasploit on Ubuntu and how to use it to find vulnerabilities in a web application. Metasploit is a powerful tool that can be used for many different purposes. Now that you know the basics, you can start exploring all its features.

With this newfound knowledge, why not start performing penetration tests on your own systems or systems belonging to your clients? Remember to always get permission before starting a penetration test. Otherwise, you could be breaking the law.

Hate ads? Want to support the writer? Get many of our tutorials packaged as an ATA Guidebook.

Explore ATA Guidebooks

Looks like you're offline!