Metasploit Development Environment
The Metasploit Framework is a pretty complex hunk of software, at least according to Ohloh. So, getting started with development can be daunting even for veteran exploit developers. This page attempts to demystify the process of getting your Metasploit development environment set up through submitting a "pull request" to get your exploit into the standard distribution.
This documentation assumes you're on some recent version of Ubuntu Linux. If not, then you're going to be on your own on how to get all your dependencies lined up. If you've successfully set up a development environment on something non-Ubuntu, and you'd like to share, let us know and we'll link to your tutorial from here.
Throughout this documentation, we'll be using the example user of "Fakey McFakepants," who has the e-mail address of "mcfakepants@packetfu.com" and a login username of "fakey."
Apt-Get Install
The bare minimum for working on Metasploit effectively is:
apt-get -y install \
build-essential zlib1g zlib1g-dev \
libxml2 libxml2-dev libxslt-dev locate \
libcurl4-openssl-dev git-core \
libssl-dev openssl autoconf bison curl wget \
postgresql postgresql-contrib libpq-dev
Note that this does not include an appropriate text editor or IDE, nor does it include the Ruby interpreter itself. We'll get to that in a second.
RVM
Most (all?) standard distributions of Ruby are lacking in one regard or another. Lucky for all of us, Wayne Seguin's RVM has been getting steadily more excellent in providing several proven Ruby interpreters. Visit https://rvm.io/ to read up on it, or just trust that it'll all work out with a simple:
$ curl -L https://get.rvm.io | bash -s stable
Followed by
$ source ~/.rvm/scripts/rvm
And finally:
$ rvm install 1.9.3-p125
What this all does is fetch RVM, which performs a bunch of shell voodoo, and finally installs Ruby version 1.9.3 patchlevel 125 (there are lots of other Rubies to choose from, but we like this one the most right now). Assuming all goes as planned, you should end up with something like this in your shell.
Editor / IDE
Once that's all done, you can move on to setting up your preferred editor. Far be it from us to tell you what editor you use -- people get really attached to these things for some reason. Once we have some docs put together for sensible defaults for a couple of the more popular editors out there, we'll list that here.
Create a GitHub Account
The entire Metasploit code base is hosted here on GitHub. If you have an old Redmine account over at dev.metasploit.com, that's not going to do much for you since the switch-over. The process for creating an account is pretty simple.
Find the Signup button
Create a free user
Come up with a decent username and password
None of this is exactly rocket science.
SSH for GitHub
Once that's all done, you need to set up an SSH key to associate with your new GitHub identity (this step is not optional, so good on GitHub for forcing this minimal level of security).
Create a new key
The Metasploit core developers recommend you set up a new SSH key pair to associate with GitHub, rather than reuse that same old tired key you have in 50 other authorized_keys files around the world. Why not just start fresh? It's easy and fun:
$ ssh-keygen -t rsa -C "mcfakepants@packetfu.com"
Just follow the prompts, pick a name for your key pair (I use "id_rsa.github"), set a password, and you should end up with something like:
Add your key
Next, go to https://github.com/settings/ssh (which can be navigated to via Account Settings > SSH Keys), and click "Add SSH key":
You'll be presented with a screen to copy-paste your public SSH key (not the private one!). Easiest thing to do is to cat your newly created key, select, and copy-paste it:
Confirm your key
Once that's done, you'll have a key associated, and you'll get e-mail about it as well. Eyeball the fingerprint and make sure it all matches up. You don't have to actually click anything if it's all good.
The real moment of truth is when you test your SSH key. If you named it something funny like I did, don't forget the -i flag, and note that you are going to use literally "git@github.com" as the user and password (not your name or anything like that).
$ ssh -i ~/.ssh/id_rsa.github -T git@github.com
Your console should look like:
Alias GitHub in .ssh/config
So, I hate having to remember usernames and passwords for anything, and I've gotten in the habit of creating Host entries for lots of things in my ~/.ssh/config file so I can have two word ssh commands.
For the rest of these instructions, I'm going to assume you have something like this in yours:
Host github
    Hostname github.com
    User git
    PreferredAuthentications publickey
    IdentityFile ~/.ssh/id_rsa.github
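A local sanity check for a Host entry like the one above, as an added example that is not part of the original page: it parses an ssh config file, confirms the alias pins github.com, the git user and public-key authentication, and checks that the dedicated private key exists and is not accessible to group or other. The function names host_opt and audit_alias are made up for this example.

```shell
#!/bin/sh
# Added example: offline audit of an ssh config Host alias.
# host_opt and audit_alias are illustrative names, not part of OpenSSH.
# Usage: audit_alias ~/.ssh/config github

# Print the first value of keyword $3 inside the "Host $2" block of file $1.
host_opt() {
    awk -v want="$2" -v kw="$3" '
        tolower($1) == "host" {          # a new Host block starts here
            inblock = 0
            for (i = 2; i <= NF; i++) if ($i == want) inblock = 1
            next
        }
        inblock && tolower($1) == tolower(kw) { print $2; exit }
    ' "$1"
}

# Return 0 only if the alias points at github.com as user git, prefers
# publickey, and names a private key file that group/other cannot access.
audit_alias() {
    cfg=$1; host=$2; rc=0
    [ "$(host_opt "$cfg" "$host" Hostname)" = "github.com" ] ||
        { echo "FAIL: Hostname is not github.com"; rc=1; }
    [ "$(host_opt "$cfg" "$host" User)" = "git" ] ||
        { echo "FAIL: User is not git"; rc=1; }
    [ "$(host_opt "$cfg" "$host" PreferredAuthentications)" = "publickey" ] ||
        { echo "FAIL: publickey is not the preferred authentication"; rc=1; }
    key=$(host_opt "$cfg" "$host" IdentityFile)
    # Expand a leading "~/" by hand; ${key#??} drops those two characters.
    case $key in '~/'*) key=$HOME/${key#??} ;; esac
    if [ -z "$key" ] || [ ! -f "$key" ]; then
        echo "FAIL: IdentityFile not found: ${key:-<unset>}"; rc=1
    elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        # Columns 5-10 of the mode string are the group and other bits.
        echo "FAIL: $key is accessible to group/other (chmod 600 it)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: alias '$host' looks sane"
    return "$rc"
}
```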
To check that it works, just ssh -T github, and your result should be just like this:
Minimal Git config
Finally, you're ready to set up your local git config file, if you haven't already:
git config --global user.name "Fakey McFakepants"
git config --global user.email "mcfakepants@packetfu.com"
Cat your ~/.gitconfig to ensure you have at least that set (and remember, your e-mail address needs to match the address you set back when you ssh-keygen'ed):











