Hit them where it hurts
Exploitation is the main course. This is what you’ve been waiting for, and it is where everything we learned during the information-gathering phase gets used. Exploitation is the most exciting part of the penetration testing process: this is where you actually get into your target’s system and have a little fun. The goal of exploitation is to deliver a payload (say, some malware) to the target and ensure its survival. Ideally we end up with a command shell on the target, preferably with root (or SYSTEM) privileges.
Let’s look at a few of the commands we will be using:
The use command selects (equips) an exploit module. You can think of it as picking up a weapon before getting ready for battle:
use <exploit name>
In the example above, an exploit name is needed. So how do you find out the exploit name? You get it from the information-gathering stage: the service and version you found there tell you which module to look for. To view all exploit modules available, type show exploits and you will be served a list of exploits that can be used (search <term> narrows that list to modules matching a keyword).
After selecting the exploit itself, you need to see which options it uses: type show options. Most of them have to be set manually, although some have sensible defaults or are optional. You can check whether an option must be set by looking at the “Required” column.
Most exploits will require RHOST (RHOSTS in current versions, which also accepts a range) and RPORT. Browser-based ones will require SRVHOST and SRVPORT (which we’ll get to later on). These are just variables that need to be filled in and are different for every system and scenario. Think of it as loading the GPS coordinates into your metaphorical “missile” (the exploit).
RHOST is the remote host: our target, the IP address of the system that we are attempting to exploit. RPORT is the port the vulnerable service listens on. It comes pre-set to that service’s standard port, so you usually leave it alone, but if your scan showed the service on a non-standard port you must change it, otherwise the exploit is fired at a closed port.
We need to set a payload that will be delivered. We do that by typing:
set payload <payload name>
Payloads have options of their own. Reverse payloads need LHOST (Local Host: the attacker’s IP address, which the target connects back to) and LPORT (Local Port: the port your listener waits on). For a bind payload, LPORT is instead the port the victim opens on itself. If the target is on the other side of the internet, LHOST must be your public address and LPORT has to be forwarded through your router to the attacking machine, or the connection back never reaches you.
All payloads can be viewed by typing show payloads; when an exploit is already selected, the list is limited to the payloads compatible with it.
Types of Payloads:
There are two types of payloads: reverse and bind. A reverse payload runs on the victim machine and connects back to you, which is why the connection is said to be “in reverse”. On the attacker machine you run a listener that accepts the incoming connection, and that is how you get your session. Because the victim initiates the connection outbound, reverse payloads work through NAT and through firewalls that only permit outgoing traffic, and that is why they are used far more often than bind ones. A bind payload does the opposite: it opens a listening port on the victim machine and the attacker connects in to it, so the connection is direct rather than reverse. It fails whenever a firewall or NAT in front of the target blocks inbound connections. Payloads can be made persistent by having the system launch them again at start-up, for example from a Run key in the Windows registry. Persistence only covers the victim’s half, though: for a reverse payload to give you a session again in the future, you still have to start the listener on your machine manually before it calls back.
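To make the connection direction concrete, and to show why LHOST/LPORT belong to the attacker for a reverse payload but LPORT belongs to the victim for a bind payload, here is an added Python example. It is not code from the original post or from Metasploit: the “attacker” and “victim” are two threads in one process talking over 127.0.0.1 on an OS-assigned port (both assumptions, chosen so it runs offline), and the “payload” only sends a constructed banner instead of handing over a shell.

```python
"""Reverse vs bind connection direction, demonstrated with plain TCP sockets.

Added example, not code from the original post or from Metasploit. The
"attacker" and "victim" are two threads in one process, talking over
127.0.0.1 on an ephemeral port (both assumptions so it runs offline). The
"payload" only sends a constructed banner; it stands in for a session, it
is not a shell.
"""
import socket
import threading

BANNER = b"hello from target\n"  # constructed stand-in for a real session


def _recv_line(sock):
    """Read up to and including the first newline."""
    data = b""
    while not data.endswith(b"\n"):
        chunk = sock.recv(1024)
        if not chunk:
            break
        data += chunk
    return data


def reverse_payload_session(lhost="127.0.0.1", lport=0):
    """Reverse payload: the ATTACKER listens on LHOST:LPORT, the VICTIM
    connects back. The target initiates the TCP connection, so this works
    through NAT and firewalls that only allow outbound traffic.
    lport=0 lets the OS pick a free port so the demo cannot collide with
    anything; with a real handler you choose LPORT yourself."""
    # Attacker side: the handler waiting for the call-back.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((lhost, lport))
    listener.listen(1)
    listener.settimeout(5)
    actual_port = listener.getsockname()[1]

    def victim():
        # Payload code running on the compromised host: connect to LHOST:LPORT.
        with socket.create_connection((lhost, actual_port), timeout=5) as s:
            s.sendall(BANNER)

    t = threading.Thread(target=victim)
    t.start()
    conn, _peer = listener.accept()          # the session arrives here
    with conn:
        banner = _recv_line(conn)
    t.join()
    listener.close()
    return {"initiator": "victim", "listener": "attacker",
            "port": actual_port, "banner": banner}


def bind_payload_session(rhost="127.0.0.1", lport=0):
    """Bind payload: the VICTIM listens on RHOST:LPORT (LPORT is a port on
    the target here), the ATTACKER connects in. Inbound filtering or NAT in
    front of the target blocks this."""
    ready = threading.Event()
    bound = {}

    def victim():
        # Payload code on the compromised host: open a listening port.
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((rhost, lport))
        srv.listen(1)
        srv.settimeout(5)
        bound["port"] = srv.getsockname()[1]
        ready.set()
        conn, _peer = srv.accept()
        with conn:
            conn.sendall(BANNER)
        srv.close()

    t = threading.Thread(target=victim)
    t.start()
    if not ready.wait(5):
        raise RuntimeError("victim never bound its port")
    # Attacker side: connect to the port the payload opened on the target.
    with socket.create_connection((rhost, bound["port"]), timeout=5) as s:
        banner = _recv_line(s)
    t.join()
    return {"initiator": "attacker", "listener": "victim",
            "port": bound["port"], "banner": banner}


if __name__ == "__main__":
    for name, fn in (("reverse", reverse_payload_session),
                     ("bind", bind_payload_session)):
        r = fn()
        print(f"{name}: {r['initiator']} connected to {r['listener']} "
              f"on port {r['port']}, got {r['banner']!r}")
```

Run it and both variants deliver the same banner, which is the point: the data flowing over the session is identical, only who opens the listening socket and who dials differs. Everything that decides whether a payload gets through (NAT, egress versus ingress filtering, the port forward mentioned above) hangs on that one difference.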