The RPC API enables you to programmatically drive the Metasploit Framework and commercial products using HTTP-based remote procedure call (RPC) services. An RPC service is a collection of message types and remote methods that provide a structured way for external applications to interact with web applications. You can use the RPC interface to locally or remotely execute Metasploit commands to perform basic tasks like running modules, communicating with the database, interacting with sessions, exporting data, and generating reports.
The Metasploit products are written primarily in Ruby, which is the easiest way to use the remote API. However, in addition to Ruby, any language with support for HTTPS and MessagePack, such as Python, Java, and C, can be used to take advantage of the RPC API.
There are currently two implementations of Metasploit's RPC:
- HTTP and messagepack - covered by a separate guide
- HTTP and JSON - covered by this guide
Note that both the messagepack and JSON RPC services provide very similar operations, and it is worth reviewing both documents.
## Starting the JSON API Server
The pre-requisite to running the JSON API Server is to run your Metasploit database. This can be initialized with `msfdb`.
Note that `msfdb` will ask if you wish to run the JSON RPC web service - but it is not required for this guide which
shows how to run the JSON service directly with [thin](https://github.com/macournoyer/thin) or [Puma](https://github.com/puma/puma):
First run the Metasploit database:
```
msfdb init
```
After configuring the database the JSON RPC service can be initialized with the [thin](https://github.com/macournoyer/thin) Ruby web server:
If you are wanting to develop or debug the Ruby implementation of the JSON RPC service - it can be useful to run the Metasploit API synchronously in the foreground.
This allows for console logs to appear directly in the terminal, as well as being able to interact with breakpoints via `require 'pry-byebug'; binding.pry`:
It is possible to debug Msfconsole's webservice component too:
[11/25/2020 17:34:53] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[11/25/2020 17:34:53] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[11/25/2020 17:34:53] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[11/25/2020 17:34:53] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[11/25/2020 17:34:54] [e(0)] core: Unable to load module /Users/adfoster/Documents/code/metasploit-framework/modules/auxiliary/gather/office365userenum.py - LoadError Try running file manually to check for errors or dependency issues.
Thin web server (v1.7.2 codename Bachmanity)
Maximum connections set to 1024
Listening on localhost:8081, CTRL+C to stop
[11/25/2020 17:35:17] [d(0)] core: Already established connection to postgresql, so reusing active connection.
[11/25/2020 17:35:17] [e(0)] core: DB.connect threw an exception - ActiveRecord::AdapterNotSpecified database configuration does not specify adapter
[11/25/2020 17:35:17] [e(0)] core: Failed to connect to the database: database configuration does not specify adapter```
```
## Concepts
The Metasploit RPC aims to follow the [jsonrpc specification](https://www.jsonrpc.org/specification). Therefore:
- Each JSON RPC request should provide a unique message ID which the client and server can use to correlate requests and responses
- Metasploit may return the following [error codes](https://github.com/rapid7/metasploit-framework/blob/87b1f3b602753e39226a475a5d737fb50200957d/lib/msf/core/rpc/json/error.rb#L3-L13).
## Examples
First ensure you are running the Metasploit database, and are running the JSON service before running these examples
Example response when the module is has not yet complete:
```json
{
"jsonrpc":"2.0",
"result":{
"status":"running"
},
"id":1
}
```
Example error response:
```json
{
"jsonrpc":"2.0",
"result":{
"status":"errored",
"error":"The connection with (192.168.123.13:443) timed out."
},
"id":1
}
```
Example success response:
```json
{
"jsonrpc":"2.0",
"result":{
"status":"completed",
"result":{
"code":"vulnerable",
"message":"The target is vulnerable.",
"reason":null,
"details":{
"os":"Windows 7 Enterprise 7601 Service Pack 1",
"arch":"x64"
}
}
},
"id":1
}
```
#### acknowledge module results
This command will also allow Metasploit to remove the result resources from memory. Not acknowledging module results will lead to a memory leak,
but the memory is limited to 35mb as the memory datastore used is implemented by [`ActiveSupport::Cache::MemoryStore`](https://github.com/rapid7/metasploit-framework/pull/13036/files#diff-6e31832215e40b17a184a7f7b82d2aabfbaa8d98fabb3c43033dd8579ad3caaeR102)
