Jeff Cross

Installing Metasploit on Mac OS X

// April 28th, 2009 // 12 Comments » // Software, Technology

Note: This was originally posted on one of my blogs on April, 16th, 2007. Since this post remains popular, I am posting it here as the original site will be shutdown in the very near future. I have no idea what the validity of this content is at this point, I just know the information is accessed a number of times a day on the previous site and I want to continue to make it available.

I have known about the Metasploit framework for quite some time but have never really known how to use it or taken the time to learn. Recently, Chris inspired me to try it by showing me a movie explaining how to exploit a vulnerability in Microsoft Windows related to the .ANI Header Stack Overflow Vulnerability

Before I could begin working with this nifty little exploit in Metaspolit I had to get the framework installed on my MacBook. Metasploit is a suite of Ruby scripts and will run on virtually any Unix based operating system and Windows (with some minor tweaking). I checked the MacPorts for Metasploit and it was available as a port install but the latest version in the ports tree was 2.7. I needed at least version 3.0, and later determined I needed a development version, version 3.1, from the trunk to get the exploit I was after.

The first thing I did was upgrade my Subversion client on Mac OS X. I got the universal binary from here and installing and upgrading my Subversion was pretty painless. It installed like most other Mac applications from a package.

Once my Subversion client was up to date, I downloaded the Metasploit framework and unpcked it into /usr/local/msf/. I then made symbolic links to the different Metasploit related applications in /opt/local/bin/, the directory where MacPorts installs binaries and application related scripts. I did this by running the following command as root (or using sudo):

Now that I had the framework downloaded and in place, I installed an updated version of Ruby from MacPorts by running the following command:

I then downloaded the latest version of RubyGems, uncompressed it, changed into the uncompressed directory and ran the following command to install Ruby Gems:

Once that operation had completed, I installed the latest version of Rails by issuing the following command:

The original instructions for the steps performed above are available on the Metasploit wiki but I had to modify their instructions a bit due to some errors. The first error I encountered while using the MetaSploit instructions was with installing RubyGems. When following the instructions in the Metasploit wiki I received the following error:

I found some instructions in the RubyGems User Guide that led me to the ruby setup.rb command to install Gems.

The next issue I encountered when using the instructions in the Metaploit wiki was an error when trying to run gem install -v=1.2.2 rails I don’t have the exact error to give you but it was basically something to the effect that version 1.2.2 wasn’t found i the repository. I browsed the repository and saw that a newer version, version 1.2.3, was available so that is why I issued the command with -v=1.2.3.

Once all of the above was completed, I tried to run the exploit I was hoping to run and version 3.0 of the Metasploit framework. I tried to update Metasploit to a higher version but was returned the following:

I then grabbed a development snapshot by running the following command:

I placed the trunk/ directory in my /usr/local/msf/ directory and changed my symbolic links to point to the newly downloaded Metasploit components by issuing the following command:

I hope this helps other Mac users if and when they get ready to install the Metasploit framework, or Ruby, RubyGems, and Ruby on Rails on their Mac. It is also good for me to have things like this documented somewhere in case I need to revisit it in the future. Either way, Enjoy!

Until next time…