Metasploit, Exploits and eJPT

nebula105nebula105 Member Posts: 60 ■■■□□□□□□□
Hey guys,

I'm currently on the final lab of the eJPT course, and I'm a little confused and would like all of your input!

The lab basically goes:

1) Search for target,
2) Exploit target using Metasploit.

My first step here; would be to identify the target and the OS running on it using nmap.

I'm confused on the next step, which is finding an exploit to use.

What I think I can do next:

2a) Scan the target using Nessus or Nexpose

2b) Research for famous exploits on the vulnerable OS (Windows XP, in this case)

2c) Throw random exploits until it works

My first thinking would be to perform step 2a, which is to perform a vulnerability assessment; followed by exploiting the vulnerabilities that the tool has found.

In a real life pentesting situation, wouldn't this be extremely noisy on the traffic and be subject to tons of dropped packets by firewalls?

What would you do?

Share your thoughts!


  • MrAgentMrAgent Member Posts: 1,309 ■■■■■■■■□□
    Enumerate, enumerate, enumerate. Did I mention that you should try enumerating?
    Try doing an nmap scan with nmap -v -A -O -sV x.x.x.x and looking all the services that come back.
    If that doesn't help, try looking at additional options in nmap.
  • jamesleecolemanjamesleecoleman Member Posts: 1,899 ■■■■■□□□□□
    The same thing that MrAgent wrote. You dont' always have to use Nessus.

    I would use the command input that MrAgent wrote and also put it into a text file for later. Then search for the version of the software that nmap came up with within Metasploit.
    WIP : | CISSP [2018] | CISA [2018] | CAPM [2018] | eCPPT [2018] | CRISC [2019] | TORFL (TRKI) B1 | Learning: | Russian | Farsi |
    *****You can fail a test a bunch of times but what matters is that if you fail to give up or not*****
  • kaizen_404kaizen_404 Member Posts: 16 ■□□□□□□□□□
    nebula105 wrote: »
    The lab basically goes:

    1) Search for target,
    2) Exploit target using Metasploit.

    For 1, to find the target, if you don't know the IP, try using netdiscover. Then from there enumerate. nmap is great to get detail. nmap -sV --version-all will aggressively query running services on the target. Also in metasploit you can run nmap commands using db_nmap to populate the metasploit database.
  • hopeshopes Member Posts: 8 ■□□□□□□□□□
    [I]nmap -p- -sV -oX scan.xml <target_ip>[/I]
    [I]searchsploit -nmap scan.xml[/I]
  • SlythSlyth Member Posts: 58 ■■■□□□□□□□
    Just some advice. When exploiting targets in a lab environment throwing exploits is fine when learning. However keep in mind that some exploits make the remote host unstable and can crash it. This can be devastating in a pen test on an organizations that has production hosts in scope. I think MrAgent forgot another enumerate :).
  • supasecuritybrosupasecuritybro Member Posts: 206 ■■■■□□□□□□
    Did anyone mention enumeration???
    Completed: CISSP, GPEN, GWAPT, CCSA R80, eJPT, CySA+, M.S. Information Security
    Current Goal: CCSE
    Continuous Education Plan:​ AWS-SAA, OSCP, CISM
    Book/CBT/Study Material:​ Max Power
  • nebula105nebula105 Member Posts: 60 ■■■□□□□□□□
    Amazing advice from everyone.

    I'll read up and research more then :)

    Thanks again everyone!
Sign In or Register to comment.