Updating Metasploit
Software updates contain new features and fixes that are necessary to continuously improve Metasploit. It is strongly recommended that you install updates as soon as they are available.
Updating from Metasploit 4.14.1-2017112901
As of Metasploit 4.14.1-2017112901, we moved updates from HTTP to HTTPS. If you are currently running an earlier version of Metasploit Pro, and you attempt to update from 4.14.1-2017112901 using the update server, you may encounter an issue that prevents you from updating. To work around this issue, you'll need to manually apply the offline update, which you can find here: https://help.rapid7.com/metasploit/release-notes/archive/2017/12/#20171206.
Applying the Weekly Update
If you are an administrator, you should regularly check for available updates to Metasploit. If you are using the web interface, Notification Center alerts you when a newer version is available to install.
To apply the weekly update:
- Click Administration > Software Updates from the main menu.
- When the Software Updates window appears, select Use an HTTP Proxy to reach the Internet if you want to use an HTTP proxy server to check for updates. If you select this option, the proxy settings appear. Configure the settings for the HTTP proxy that you want to use.
- Click the Check for Updates button.
- If an update is available, the system shows you the latest version number and provides an install button for you to use to update the system.
- Install the update.
After the update completes, it prompts you to restart the back end services. If you restart the services, Metasploit terminates active sessions and requires up to ten minutes to restart.
Updating Metasploit Offline
Rapid7 provides offline update files that you can use to safely update Metasploit without an Internet connection. For each bi-weekly release, we will provide a download link on the release note section of the Rapid7 documentation website. Click on an offline update link to automatically download the bin file. You can move this file to a portable storage device or a shared network location so that you can easily transfer it to your Metasploit server.
To apply an offline update:
- Log in to the Metasploit web interface.
- Locate the footer at the bottom of the user interface.
- Identify the current release version of Metasploit that you have installed.
You will see the product edition, the release version, and the update version. For example, in 4.6.0 - Update 2013050101, the release version is 4.6.0.
- From the email that you have received from Rapid7, find and download the offline update files that you need.
- From within Metasploit, select Administration > Software Updates from the Global menu.
- Find the Product Updates area.
- Click the Offline Update File link.
- Browse to the location of the offline update file and select it.
The offline update file is the bin file that you downloaded from the Rapid7 email.
- Click the Install Update button.
Metasploit installs the update and restarts the Metasploit service when the update is done. Please wait a few minutes for the service to restart.
If there are additional updates that you need to install, you must repeat this process until you have the latest version of Metasploit.
Command Line Updates
You can also update Metasploit Pro from the command line. Before doing updates, Rapid7 recommends that you create a backup of your Metasploit data.
msfupdate
You can update Metasploit Pro using the command line for both online and offline updates using the msfupdate command.
Offline Updates
To update Metasploit Pro while offline:
- Download the offline update. You can get the offline update from the release notes or from the Pro Installers page on GitHub: https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version
- Run the sha1sum command against the downloaded update to verify that it is a complete download. For example, sha1sum cca85392494d5b5d779c5a4dd0389d1d1e24dda4.bin should return cca85392494d5b5d779c5a4dd0389d1d1e24dda4 cca85392494d5b5d779c5a4dd0389d1d1e24dda4.bin.
For the remaining steps, you must be logged in with root privileges.
- Run the update command.
msfupdate --offline-file <filename>
For example, msfupdate --offline-file cca85392494d5b5d779c5a4dd0389d1d1e24dda4.bin
The first portion of the command executes msfupdate, which checks for the latest updates online. The second portion of the command, --offline-file, tells msfupdate that we are using an offline update file. The third and final portion of the command is the name of the offline update file.
If your prompt is not in the same directory as the offline update file, you will need to specify the full path to it. For example, /home/administrator/cca85392494d5b5d779c5a4dd0389d1d1e24dda4.bin.
If the offline update is successful, restart Metasploit services.
However, if it is not successful or the services do not run, a reinstall is the next step.
Linux machines automatically come with Checksum Verification. If you are a Windows user, see https://www.microsoft.com/en-us/download/details.aspx?id=11533 for a download.
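The sha1sum step above can be scripted so that msfupdate only runs on a file whose digest matches its name. The following is an added example, not part of the original Rapid7 documentation; the function names verify_offline_update and sha1_of are hypothetical, and it assumes the offline update file is named <sha1>.bin as in the example above.

```shell
#!/bin/sh
# Added example: check that an offline update file's SHA-1 digest equals the
# digest embedded in its file name (<sha1>.bin), as in the sha1sum step.
# Usage after sourcing this file (as root):
#   verify_offline_update /path/to/<sha1>.bin && msfupdate --offline-file /path/to/<sha1>.bin

# Print the SHA-1 hex digest of a file using whichever tool is installed.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | awk '{print $1}'
    else
        openssl dgst -sha1 -r "$1" | awk '{print $1}'
    fi
}

# verify_offline_update <path>
# Returns 0 on match, 1 on digest mismatch (incomplete or altered download),
# 2 when the input cannot be checked (missing file, unexpected name).
verify_offline_update() {
    file=$1
    [ -f "$file" ] || { echo "not a regular file: $file" >&2; return 2; }
    name=$(basename -- "$file")
    case $name in
        *.bin) expected=${name%.bin} ;;
        *) echo "expected a .bin file: $name" >&2; return 2 ;;
    esac
    # The part before .bin must be exactly 40 hex characters (a SHA-1 digest).
    if ! printf '%s' "$expected" | grep -Eqi '^[0-9a-f]{40}$'; then
        echo "file name is not a SHA-1 digest: $name" >&2
        return 2
    fi
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    actual=$(sha1_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name has digest $actual" >&2
    return 1
}
```

A return code of 1 means the download should be repeated before running msfupdate; a return code of 2 usually means the file was renamed after download, so compare against the digest in the original file name instead.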
Online Updates
To update while online, type msfupdate into your terminal. Metasploit Pro will try to automatically pull the latest update.
Deleting the Browser Cache after an Update
After you update Metasploit, you must delete your browser’s cache so that the user interface renders correctly. If you do not delete your browser’s cache, some items may not display or appear distorted.
To learn how to delete your browser’s cache, read the documentation for your specific browser or visit this handy web page.
Fixing the Failed to Get Updates Error
If you are unable to get updates and are getting the "Failed to get updates: Failed to open TCP connection to updates.metasploit.com 443" error, verify the following to troubleshoot the issue:
- A firewall or proxy is not interfering with the activation process.
- You can connect to https://updates.metasploit.com over port 443 and there is no SSL stripping or inspection. You can visit https://updates.metasploit.com to verify that the update server is running.