Metasploit: Exploitation

Overview

This room moves from Metasploit basics into practical use. It covers scanning with Metasploit modules, using the built-in database and workspaces, running vulnerability scans, exploiting services, and understanding how msfvenom and Meterpreter fit into the workflow.

1) Scanning with Metasploit

Metasploit includes many auxiliary modules for reconnaissance and service discovery.

• Search for scanners with commands like search portscan.
• Common port scanning modules live under auxiliary/scanner/portscan/.
• Important options usually include RHOSTS, PORTS, THREADS, and CONCURRENCY.

The room makes the practical point that Metasploit can scan, but if raw scanning speed matters, Nmap is often the better first choice.

2) Using Nmap from Msfconsole

You can run normal Nmap scans directly from within msfconsole.

• nmap -sS <target> works from the Metasploit prompt.
• This is useful when you want quick enumeration without leaving the framework.
• It keeps your workflow tighter while you move from recon to exploitation.

3) Service-Specific Scanners

The room highlights that Metasploit is often strongest when you use focused service scanners instead of generic port scans.

• UDP discovery: modules like scanner/discovery/udp_sweep can quickly identify services such as DNS or NetBIOS.
• SMB modules: useful examples include smb_version and smb_enumshares.
• Service-specific results can reveal host roles, shares, and other details that inform later exploitation.

4) The Metasploit Database

For larger engagements, the database feature helps track hosts, services, notes, loot, and vulnerabilities.

• It relies on PostgreSQL.
• You can check status with db_status.
• Once enabled, Metasploit exposes additional database-aware commands.

On TryHackMe AttackBox this is usually already configured, but on a local setup you may need to start PostgreSQL and initialize the database first.

5) Workspaces

Workspaces let you separate different projects or target environments inside the same Metasploit instance.

• List workspaces with workspace.
• Create one with workspace -a <name>.
• Switch by typing workspace <name>.
• Delete with workspace -d <name>.

6) Database-Aware Enumeration

When the database is active, Metasploit can store scan results and let you query them later.

• db_nmap runs Nmap and saves the results into the database.
• hosts lists discovered hosts.
• services lists discovered services.
• Other useful commands include loot, notes, and vulns.

This is the main difference between a quick one-off exploit session and a more realistic engagement workflow.

7) Exploitation Workflow

The room’s practical direction is straightforward: enumerate the target, identify a promising service, search for a relevant module, set the required options, choose a payload if needed, and run the exploit.

1. Scan or import target information.
2. Search for a relevant exploit module.
3. Review options with show options.
4. Set target values such as RHOSTS, RPORT, and payload parameters.
5. Run the module and handle the resulting session.

8) Msfvenom and Meterpreter

The room also introduces msfvenom and Meterpreter at a high level.

• msfvenom: used to generate payloads.
• Meterpreter: an advanced payload/session type that provides richer post-exploitation capability than a basic shell.
• These become important once exploitation moves beyond proof-of-concept and into controlled access and post-exploitation.

Exam Notes (PT1)

• Metasploit can scan, but Nmap is often faster and better for broad port discovery.
• Service-specific auxiliary modules are often more useful than generic scans.
• The database feature helps track hosts, services, vulnerabilities, notes, and loot.
• workspace separates projects; db_nmap stores Nmap results directly in the database.
• The standard Metasploit flow is: search module, inspect options, set values, choose payload, run, then manage the session.