# Tools and Utilities

Tools and utilities commonly used during the exploitation phase:

## <mark style="color:green;">Exploit DB</mark>

* A public web archive of exploits and proof-of-concept code for software and applications
* <https://www.exploit-db.com/>

## <mark style="color:green;">Searchsploit</mark>

* Kali package providing a command-line interface to a local copy of *Exploit DB*

### <mark style="color:yellow;">Commands</mark>

* Installation

{% code overflow="wrap" lineNumbers="true" %}

```bash
sudo apt install exploitdb
```

{% endcode %}

***

* Usage

{% code overflow="wrap" lineNumbers="true" %}

```bash
searchsploit $keywords
```

{% endcode %}

## <mark style="color:green;">Metasploit</mark>

* An exploitation framework with tools for every phase of pen-testing

### <mark style="color:yellow;">Modules</mark>

* **Auxiliary:** Any supporting module that is not an exploit
* **Encoders:** Encode the exploit and payload to bypass signature-based antivirus detection
* **Evasion:** Modules dedicated to antivirus evasion
* **Exploits:** Exploits, organized by target system
* **Nops:** No-operation instructions (the CPU does nothing for one cycle); often used as padding to achieve consistent payload sizes
* **Payloads:** Code that runs on the target after exploitation, for example opening a shell on the target system
  * **Adapters:** Convert single payloads into different forms
  * **Single:** Also called *in-line*; self-contained, so it does not need to download any additional component to run
  * **Stagers:** Set up the connection channel between *Metasploit* and the target system. The stager is delivered to the target first and then downloads the rest of the payload (the stage)
  * **Stages:** Downloaded by the stager; allow the use of larger payloads
* **Post:** Post-exploitation modules

{% hint style="info" %}
Staged and single payloads can be told apart by the separator between the payload type and the connection method: `_` for single, `/` for staged.

**Example:** `shell_reverse_tcp` (Single) vs. `shell/reverse_tcp` (Staged)
{% endhint %}

### <mark style="color:yellow;">Common parameters</mark>

* **RHOSTS:** IP address(es) of the target system(s)
* **RPORT:** Port on the target system where the vulnerable application is listening
* **PAYLOAD:** Payload that will be delivered by the exploit
* **LHOST:** IP address of the attacking (local) machine
* **LPORT:** Local port that the reverse shell connects back to
* **SESSION:** ID of an established session in Metasploit; used by post-exploitation modules to act on an already compromised target

### <mark style="color:yellow;">Commands</mark>

* Installation

{% code overflow="wrap" lineNumbers="true" %}

```bash
sudo apt install metasploit-framework
```

{% endcode %}

***

* Start the console

{% code overflow="wrap" lineNumbers="true" %}

```bash
msfconsole
msf6 > sessions          # List all sessions
msf6 > sessions -i $id   # Interact with a session
```

{% endcode %}

***

* List modules

{% code overflow="wrap" lineNumbers="true" %}

```bash
tree -L 1 /usr/share/metasploit-framework/modules        # Module types
tree -L 1 /usr/share/metasploit-framework/modules/$type  # Modules of a specific type
```

{% endcode %}

***

* Search module

{% code overflow="wrap" lineNumbers="true" %}

```bash
msf6 > search $query              # Search modules
msf6 > use $resultNumber          # Use a module from the last search list (0 is the first)
msf6 > search type:$type $query   # Filter by module type (exploit, auxiliary, post, ...)
```

{% endcode %}

{% hint style="info" %}
The *query* value can be a keyword, a CVE number, an exploit/module name, or a target system
{% endhint %}

***

* Usage

{% code overflow="wrap" lineNumbers="true" %}

```bash
msf6 > use exploit/$exploit_path
# This enters the context of the exploit. Example:
msf6 > use exploit/windows/smb/ms17_010_eternalblue    # The exploit used
msf6 exploit(windows/smb/ms17_010_eternalblue) >       # The prompt now shows the module context

# Below, "..." abbreviates the context prompt shown above
... > info              # Display information about the module
... > show options      # Display the options of the current module
... > show payloads     # Display the payloads compatible with the exploit
... > show $module      # Works with every module type

... > set $parameter $value    # Set a parameter in the current context
... > unset $parameter         # Unset a parameter
... > unset all                # Unset all parameters
... > setg $parameter $value   # Set a parameter globally
... > unsetg $parameter        # Unset a global parameter

... > check        # Check whether the target is vulnerable without exploiting it
... > exploit      # Run the exploit
... > run          # Same as exploit
... > exploit -z   # Run the exploit and background the session on success
... > background   # Background the current session (CTRL+Z also works)
... > back         # Leave the module context

meterpreter > $commands   # If the exploit succeeds with a Meterpreter payload, the prompt changes to meterpreter and its commands become available
```

{% endcode %}

***

* Common and useful modules

{% code overflow="wrap" lineNumbers="true" %}

```bash
msf6 > use exploit/multi/handler                      # Generic handler that receives connections from payloads
msf6 > set payload windows/meterpreter/reverse_tcp    # Example with a reverse shell payload

msf6 > use auxiliary/scanner/portscan/tcp             # Performs a TCP port scan

msf6 > use post/windows/gather/hashdump               # Dumps password hashes from Windows

msf6 > use exploit/multi/script/web_delivery          # Sets up a web server to host a payload
msf6 > set payload windows/meterpreter/reverse_tcp    # Example with a reverse shell payload
```

{% endcode %}

## <mark style="color:green;">PayloadsAllTheThings</mark>

A repository of payloads for a wide range of purposes and attack techniques

* <https://github.com/swisskyrepo/PayloadsAllTheThings>

## <mark style="color:green;">Evil-WinRM</mark>

Remote shell client for Windows hosts with WinRM enabled

* Install

{% code overflow="wrap" lineNumbers="true" %}

```bash
sudo apt install evil-winrm
```

{% endcode %}

***

* Connect to WinRM

{% code overflow="wrap" lineNumbers="true" %}

```bash
evil-winrm -i $ip -u $user -p $password   # Root privileges are not required
```

{% endcode %}
