Example 5-8. Top of a Ruby exploit script
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank
=
GoodRanking
HttpFingerprint
=
{
:pattern
=
>
[
/Apache/
]
}
include Msf::Exploit::Remote::HttpClient
Below the comments, the class
MetasploitModule
is a subclass of the parent
Msf::Exploit::Remote
, which means it inherits the elements of that class. You’ll also see
a property set below that. This ranking will, in part, give you an indication of the
potential for success for the exploit. This ranking tells us that there is a default target
and the exploit is the common case for the software targeted. At the bottom of this
fragment, you will see that additional functionality is imported from the Metasploit
library. For this script, because it’s an exploit of a web server, an HTTP client is
needed to communicate with the server.
Rather than starting development of security-related scripts on your own, it may be
much easier to just develop for Metasploit. However, you don’t have to be a developer
to use Metasploit. In addition to payloads, encoders, and other library functions that
can be imported, the modules include prewritten exploits. At the time this is being
written, more than 1,700 exploits and nearly 1,000 auxiliary modules provide a lot of
functionality for scanning and probing targets.
Metasploit is easy to get started with, though becoming really competent does take
some work and practice. We’ll take a look at how to get started using Metasploit and
how to use exploits and auxiliary modules. While Metasploit does have commercial
offerings, and the offerings from Rapid7 (the company that maintains and develops
the software) include a web interface, a version of Metasploit does come installed by
default with Kali Linux. There is no web interface, but you will get a console-based
interface and all of the same modules that you would get with other versions of Meta‐
sploit.
