Exploitation is the main course. This is what you’ve been waiting for. This is where we need to use everything we have learned during the information gathering phase. Exploitation is the most exciting part of the penetration testing process, where you actually get into the system of your target and have a little fun. The goal of exploitation is to deliver a payload (say, some malware) and ensure its survival. We hope to be able to get access to the command prompt of the target (with root privileges, preferably).
Let’s look at a few of the commands we will be using:
The use command is used to equip an exploit. You can think of it as picking up a weapon before getting ready for battle.
use (exploit name)
In the example above, the exploit name is needed. So how do you find out the exploit name? You get it during the information gathering stage. To view all exploits available, type
show exploits
and you will be served with a list of exploits that can be used.
After selecting the exploit itself, you need to see which options it uses. They have to be set manually. Some of them, though, do not need to be set. You can check whether an option is required by looking under the “Required” column.
Most exploits will require RHOST and RPORT. Browser-based ones will require SRVHOST and SRVPORT (which we’ll get to later on). These are just variables that need to be filled in, and they are different for every system and scenario. Think of it as loading the GPS coordinates into your metaphorical “missile” (the exploit).
RHOST is the remote host: the IP address of the target system that we are attempting to exploit. RPORT (the remote port) is set by default and should not be changed.
We need to set a payload that will be delivered. We do that by typing:
set PAYLOAD (payload name)
Payloads need LPORT (local port) and LHOST (local host). LPORT has to be forwarded to the attacker's system if you want this to work over the WAN.
All payloads can be viewed by typing:
show payloads
Types of Payloads:
There are two types of payloads: reverse and bind. A reverse payload runs on the target machine and connects back to you, which is why the connection is called reverse. On the attacker machine there is a listener that accepts the incoming connection; that is how you get your session. Reverse payloads are used far more often than bind ones. Payloads can be made persistent by dumping them into the registry; for future sessions to be established, you will need to start the listener manually. Bind payloads bind to a port on the victim machine and the attacker connects in to them, so in this case the connection is direct rather than reverse.
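The reverse-versus-bind distinction above is also what a defender looks for on the host side: a reverse payload shows up as a shell process that opened an outbound connection, a bind payload as a shell process listening for (or having accepted) an inbound one. The following is an added example, not code from the original page, that classifies socket-table records along those lines. The record layout (proto, local, remote, state, process), the list of shell-like process names and the ephemeral-port threshold are all assumptions made for the example, and the sample records are constructed.

```python
"""Tell reverse-shell-like from bind-shell-like socket activity on a host.

Added example for this page, not the author's own material. The record layout
(proto, local, remote, state, process) is an assumption modelled loosely on
`ss -tanp` / `netstat -tanp` output, and the sample records are constructed.
"""
from dataclasses import dataclass

# Processes that rarely have a legitimate reason to own a TCP socket on an
# endpoint. An assumption for the example, not an authoritative list.
SHELL_LIKE = {"sh", "bash", "cmd.exe", "powershell.exe", "python", "perl"}

# Lowest port treated as ephemeral (Linux's default range starts at 32768,
# Windows' at 49152). An assumption; tune it to the host being examined.
EPHEMERAL_START = 32768


@dataclass(frozen=True)
class Conn:
    proto: str
    local: str    # "ip:port"
    remote: str   # "ip:port", or "*:*" for a listening socket
    state: str    # LISTEN, ESTABLISHED, ...
    process: str  # name of the process owning the socket


def port_of(addr: str):
    """Return the numeric port of an "ip:port" string, or None for "*"."""
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def parse(text: str):
    """Parse whitespace-separated records, one per line, into Conn objects."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed lines
        conns.append(Conn(*fields))
    return conns


def classify(conn: Conn) -> str:
    """Label one record: benign, bind-shell-like or reverse-shell-like."""
    if conn.process.lower() not in SHELL_LIKE:
        return "benign"
    if conn.state == "LISTEN":
        # A shell waiting for someone to connect in: the bind-payload pattern.
        return "bind-shell-like"
    if conn.state == "ESTABLISHED":
        lport = port_of(conn.local)
        # A shell that opened an outbound connection from an ephemeral local
        # port to a remote listener: the reverse-payload pattern.
        if lport is not None and lport >= EPHEMERAL_START:
            return "reverse-shell-like"
        # Established on a low, fixed local port: a bind shell that has
        # already accepted its inbound connection.
        return "bind-shell-like"
    return "benign"


def suspicious(text: str):
    """Return (label, record) pairs for every non-benign record in text."""
    return [(classify(c), c) for c in parse(text) if classify(c) != "benign"]


# Constructed sample socket table; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation address ranges, not real hosts.
SAMPLE = """\
tcp 10.0.0.5:49212 203.0.113.9:4444   ESTABLISHED bash
tcp 10.0.0.5:4444  *:*                LISTEN      sh
tcp 10.0.0.5:4444  203.0.113.9:51022  ESTABLISHED sh
tcp 10.0.0.5:49300 198.51.100.20:443  ESTABLISHED firefox
tcp 10.0.0.5:22    *:*                LISTEN      sshd
"""

if __name__ == "__main__":
    for label, c in suspicious(SAMPLE):
        print(f"{label:<19} {c.process:<8} {c.local} -> {c.remote} ({c.state})")
```

On the sample table this flags the bash record as reverse-shell-like and both sh records as bind-shell-like, while firefox and sshd pass as benign. The process-name heuristic is deliberately simple: in practice you would feed it real `ss -tanp` output, extend the process list to whatever is unusual for the host in question, and pair it with the listener-side view, since a reverse payload needs the attacker's listener to be up before any session can be re-established.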