The Serpent

// Cursing the Internet since 1998

Metasploit on the Pi

Well, it works... barely
Posted July 30, 2012

The Pi makes a great little security tool, so I figured I’d try the latest Metasploit to see if it can really be the complete security pen-testing tool. The results were somewhat mixed. If you’d like to give it a try, the steps are below. However, you’ll immediately notice issues with the database and, above all, with memory consumption.

First, you need to install a few packages into the default Wheezy Debian OS image. To get Metasploit running, install:

ruby
ruby1.9.1-dev
subversion

If you wish to use the database functions with Metasploit, you’ll also need:

postgresql
postgresql-server-dev-9.1

Next, grab yourself a copy of the latest Metasploit Framework, found here, and extract it to a directory of your choice (I’d recommend something like /opt/msf3). The Linux manual installation doesn’t work, so the source code distribution will be required. Extracting does take some time, so be patient ;)

Next, you can start up /opt/msf3/msfconsole. You might notice at this point that the memory usage goes right up, leaving around 10-12MB free, and the start-up can take quite a few minutes. You can change the memory split between the CPU and GPU on the Pi using raspi-config to give your system more memory from the GPU if necessary.

If you wish to use the Metasploit database features, you’ll need to do a little more. The latest framework only supports PostgreSQL, so you’ll need to configure the database connection. Log in as root and change the default Debian postgres password:

root@linux:/ # passwd postgres
Enter new UNIX password:

Next, log in as postgres, create yourself a new database, and change the default password:

postgres@linux:/ $ createdb msf3

Assuming this works OK, you can test the DB connection while logged in as postgres using psql.

postgres@linux:/ $ psql
psql (9.1.4)
Type "help" for help.

postgres=# ALTER USER postgres WITH PASSWORD 'new_password';

Finally, you can set up the database from Metasploit. Drop back to your normal user account and start up msfconsole again, then execute:

msf > gem install pg

If you get errors, check you’ve installed all packages listed above. Once this has completed, check the DB connection:

msf > db_status
[*] postgresql selected, no connection
msf > db_connect postgres:password@localhost/msf3
NOTICE: CREATE TABLE will create implicit sequence "hosts_id_seq" for serial column "hosts.id"
NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index "hosts_pkey" for table "hosts"
NOTICE: CREATE TABLE will create implicit sequence "clients_id_seq" for serial column "clients.id"

Metasploit should now be connected to the database, and will create the necessary tables.
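
The steps above connect as the postgres superuser with the password typed on the db_connect line. As an added example (not from the original post or the Metasploit project), this sketch creates a dedicated non-superuser role and writes a mode-0600 database.yml that db_connect -y can load. The role name msf, the file path and the function names are assumptions.

```shell
#!/bin/sh
# Added example: least-privilege DB role and credentials file for Metasploit.
# "msf3" is the database from the post; role "msf" and the paths are assumed.

# Run as the postgres OS user. Creates a role without superuser, createdb or
# createrole rights (-P prompts for its password), then gives it the database.
create_msf_role() {
    createuser -S -D -R -P msf &&
    psql -c 'ALTER DATABASE msf3 OWNER TO msf;'
}

# Write a database.yml for "db_connect -y". The password is read from stdin,
# so it never shows up in argv or shell history. Returns 1 on an empty
# password or one containing " or \ (which would break the YAML quoting).
write_msf_db_yml() {
    yml_path=$1 db_user=$2 db_name=$3
    IFS= read -r db_pass || :
    [ -n "$db_pass" ] || return 1
    case $db_pass in *'"'*|*'\'*) return 1 ;; esac
    (
        umask 077    # new file is created owner-only
        cat > "$yml_path" <<EOF
production:
  adapter: postgresql
  database: $db_name
  username: $db_user
  password: "$db_pass"
  host: 127.0.0.1
  port: 5432
EOF
        chmod 600 "$yml_path"    # also tighten a pre-existing file
    )
}

# Usage (as your normal user; ~/.msf3/database.yml is an assumed location):
#   write_msf_db_yml "$HOME/.msf3/database.yml" msf msf3   # type password, Enter
# then inside msfconsole:
#   db_connect -y /home/<user>/.msf3/database.yml
```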

Using Metasploit on the Pi is somewhat slow and cumbersome, due to it using between 150-200MB of memory. I’m looking into ways to reduce the memory footprint, but if anyone has other suggestions, I’d love to hear them.

Written by John Payne