Exploitation is the main part of the whole process. This is where you use everything you learned during the information gathering stage. It is also the most exciting part, because this is where you actually get into your target’s system. Our main goal is to exploit a system within our network and deliver a payload. Eventually we hope to get access to the target’s command prompt, but that only comes once we are inside the system, so we’ll discuss it later on.
Let’s look at the commands we will be using:
The ‘use’ command equips an exploit. You can think of it as picking up a weapon before going into battle.
use (exploit name)
In the example above, the exploit name is required. So how do you find out the exploit name? You get it during the information gathering stage. To view all available exploits, type “show exploits” and you will be served with a (sometimes quite large) list of exploits that can be used.
After selecting the exploit, you need to see which options it uses. They have to be set manually, although some do not need to be set at all. You can check whether an option is mandatory by looking at its “Required” column.
Most exploits require RHOST and RPORT. Browser-based ones require SRVHOST and SRVPORT (which we’ll get to later on). These are just variables that need to be filled in, and they differ for every system and scenario. Think of it as loading the GPS coordinates into your metaphorical “missile” (the exploit).
RHOST is the remote host: our target, the IP address of the system we are attempting to exploit. RPORT is set by default and should not be changed.
We need to set a payload that will be delivered. We do that by typing:
set PAYLOAD (payload name)
Payloads need LPORT (local port) and LHOST (local host).
LPORT has to be forwarded to the attacker’s system if you want this to work over a WAN.
All payloads can be viewed by typing:
Types of Payloads:
There are two types of payloads: reverse and bind. Reverse payloads run on the target machine and connect back to you, so the connection is reversed. On the attacker machine there is a listener that accepts the incoming connections; that is how you get your session. Reverse payloads are generally used more than bind ones. Payloads can be made persistent by dumping them into the registry, but for future sessions to be established you will need to start the listener manually. Bind payloads listen on the victim machine and the attacker connects in to them, so in this case the connection is not reverse but direct.
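The reverse and bind patterns above correspond to two connection directions a defender can look for on a host. The following added example (not from this tutorial) classifies constructed connection records against a constructed service baseline for one monitored host; the addresses, ports and baseline are assumptions for the demo.

```python
# Added example, not from the tutorial; all addresses, ports and baselines are constructed.
from dataclasses import dataclass

# Ports the monitored host is expected to serve (constructed baseline).
KNOWN_SERVICES = {"10.0.0.5": {22, 80, 443}}
# Outbound destination ports treated as ordinary for a workstation (constructed).
COMMON_OUTBOUND = {53, 80, 443}

@dataclass(frozen=True)
class Flow:
    src: str      # initiator of the TCP connection
    sport: int
    dst: str      # side that accepted the connection
    dport: int

def classify(flow: Flow, monitored: str) -> str:
    """Return 'reverse', 'bind' or 'normal' for one flow involving the monitored host.

    reverse: the monitored host initiates a connection out to a non-standard port
             (the payload calling back to the attacker's listener).
    bind:    an outside host connects in to a port the monitored host is not known
             to serve (the payload listening on the victim, the attacker connecting directly).
    """
    if flow.src == monitored and flow.dport not in COMMON_OUTBOUND:
        return "reverse"
    if flow.dst == monitored and flow.dport not in KNOWN_SERVICES.get(monitored, set()):
        return "bind"
    return "normal"

def triage(flows, monitored: str):
    """Return (flow, label) pairs that are not 'normal', in input order."""
    return [(f, lbl) for f in flows if (lbl := classify(f, monitored)) != "normal"]

# Constructed sample records; 4444 stands in for whatever LPORT the listener used.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 49152, "203.0.113.9", 4444),   # victim calls out to listener
    Flow("203.0.113.9", 50000, "10.0.0.5", 4444),   # outsider connects to a bound port
    Flow("198.51.100.2", 51000, "10.0.0.5", 443),   # ordinary inbound HTTPS
    Flow("10.0.0.5", 49200, "198.51.100.7", 443),   # ordinary outbound HTTPS
]

if __name__ == "__main__":
    for flow, label in triage(SAMPLE_FLOWS, "10.0.0.5"):
        print(f"{label:8} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}")
```

The baseline is the important part: a real deployment would derive KNOWN_SERVICES from an inventory of what each host is supposed to serve rather than a hard-coded set.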