
Understanding Exploit Options

The following table describes the options that are available for automated exploits. Each entry gives the option name, then what it controls.

Minimum Reliability
Sets the lowest module ranking an exploit must have to be included in the run. The level names are Metasploit's module rankings.
Normal – Exploits are reliable, but depend on a specific version. Exploits cannot consistently auto-detect the target.
Great – Exploits have a default target. Exploits can auto-detect the appropriate target or use an application-specific return address after they run a version check. Exploits can crash the target, but are the most likely to succeed.
Excellent – Exploits never crash the service. Exploits include SQL injection, CMD execution, and certain weak configurations. Most web application flaws belong to this category.

Connect-back Address (payload setting)
Defines the IP address that the payload uses to connect back. Use this option when the address needs to be overridden, such as behind NAT or with an Amazon Elastic IP. The handler still listens on the local interface; the address you supply must be reachable from the target and forwarded to the listener port, or the session never arrives.

Match Vulnerabilities
Matches exploits to hosts based on vulnerability references (the references attached to the vulnerabilities already recorded for each host) rather than on service version alone.

Concurrent Exploits
Defines the number of simultaneous exploit attempts that the system runs. The best number depends on the available CPU. Set it to 1 when debugging, so that the task log shows one attempt at a time.

Timeout in Minutes
Defines the number of minutes that the system waits for a given exploit. The default setting gives all exploits sufficient time to complete, but you may need to increase it if target hosts are slow.

Transport Evasion
Low – Inserts a delay of between 1 and 10 seconds between TCP packets. The delay is constant for a given module, but varies across modules.
Medium – Transmits small TCP packets.
High – Combines the Low and Medium settings by transmitting small TCP packets and inserting delays between them.

Application Evasion
Defines application-specific evasion options for DCERPC, SMB, and HTTP-based exploits. These are the only protocols that support evasions, and not every protocol supports every level.
SMB:
Low – Obscures the PIPE string, places extra padding between SMB headers and data, and obscures path names.
HTTP:
Low – Adds header folding (a header is split across lines that the server joins back together with white space), randomizes the case of the HTTP method, and adds between 1 and 64 fake HTTP headers.
Medium – Adds 1 to 64 fake query-string parameters to GET requests, 1 to 64 white-space characters between tokens, and 1 to 64 fake POST parameters.
High – Encodes roughly half of the characters, chosen at random, as percent-u (%uXXXX) escapes, sends a fake "end" of request before the attack, and uses backslashes instead of forward slashes.
Higher evasion levels trade reliability for stealth: strict servers reject folded headers or non-standard method case, and percent-u decoding is specific to IIS, so an evasion level the target does not tolerate fails the exploit rather than hiding it.

Dry Run
Performs a dry run of the task, which reports the exploits and targets that would be launched without running any exploit.
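The HTTP application-evasion levels described above are easier to reason about, on both the offensive and the detection side, when you can see the request bytes. The following is an added example, not Metasploit Pro's own code: it applies the transforms named on this page (random method case, fake headers, header folding, fake query parameters, extra white space, percent-u encoding, backslashes) to a constructed request, then normalizes the result the way a lax, IIS-like server would parse it. The attack path, the header names, the parameter ranges and the exact folding rule are assumptions chosen for illustration; the fake "end" of request and the POST-parameter padding are not modelled.

```python
import random
import re
from urllib.parse import unquote

# Constructed sample: the request line a naive raw-bytes IDS signature keys on.
ATTACK_PATH = "/cgi-bin/vuln.cgi"        # hypothetical path, not a real module target
SIGNATURE = b"GET /cgi-bin/vuln.cgi"     # naive signature matched against raw bytes
OBS_FOLD = re.compile(rb"\r\n[ \t]+")    # obsolete line folding (RFC 7230 s3.2.4)
PERCENT_U = re.compile(r"%u([0-9A-Fa-f]{4})")


def _percent_u(text, rng, rate=0.5):
    """Encode about half of the alphanumerics as IIS-style %uXXXX escapes."""
    return "".join("%%u%04X" % ord(c) if c.isalnum() and rng.random() < rate else c
                   for c in text)


def build_request(path, level, seed=0):
    """Return raw request bytes for evasion level 0 (none) through 3 (High).

    Levels mirror the page's Low/Medium/High descriptions; which headers are
    added, how many, and where values are folded are assumptions (hypothetical).
    """
    rng = random.Random(seed)
    method, query, gap = "GET", "", " "
    headers = [("Host", "target.example"),
               ("User-Agent", "Mozilla/5.0 (compatible; scanner)")]
    if level >= 1:  # Low: random method case, 1-64 fake headers, header folding
        method = "".join(c.lower() if rng.random() < 0.5 else c for c in method)
        headers += [("X-Pad-%d" % i, "%08x" % rng.getrandbits(32))
                    for i in range(rng.randint(1, 64))]
    if level >= 2:  # Medium: 1-64 fake query parameters, 1-64 extra spaces between tokens
        query = "?" + "&".join("p%d=%d" % (i, rng.getrandbits(16))
                               for i in range(rng.randint(1, 64)))
        gap = " " * (1 + rng.randint(1, 64))
    if level >= 3:  # High: %u-encode about half the path, backslashes for slashes
        path = _percent_u(path, rng).replace("/", "\\")
    lines = [method + gap + path + query + gap + "HTTP/1.1"]
    for name, value in headers:
        if level >= 1 and " " in value and rng.random() < 0.5:
            # fold at a space: the server rejoins the continuation line with SP
            value = value.replace(" ", "\r\n\t", 1)
        lines.append("%s: %s" % (name, value))
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def normalize(raw):
    """Undo the transforms the way a lax (IIS-like) server would see the request."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    head = OBS_FOLD.sub(b" ", head).decode("latin-1")      # unfold continuation lines
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split()          # collapses extra white space
    path, _, query = target.partition("?")
    path = path.replace("\\", "/")                           # IIS treats \ as /
    path = PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), path)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method.upper(), "path": unquote(path), "version": version,
            "query_params": len(query.split("&")) if query else 0,
            "headers": headers}


def signature_hits(raw):
    """Naive detector: does the raw signature appear in the bytes on the wire?"""
    return SIGNATURE in raw


def demo(level, seed=0):
    """Compare the raw-bytes signature with a match on the normalized request."""
    raw = build_request(ATTACK_PATH, level, seed)
    norm = normalize(raw)
    return {"raw_hit": signature_hits(raw),
            "normalized_hit": norm["method"] == "GET" and norm["path"] == ATTACK_PATH,
            "fake_headers": sum(1 for h in norm["headers"] if h.startswith("x-pad-")),
            "query_params": norm["query_params"]}


if __name__ == "__main__":
    for lvl in range(4):
        print(lvl, demo(lvl))
```

The raw signature fires only at level 0; from Medium upward the extra white space alone defeats it, and at High the backslashes and percent-u escapes leave no slash in the path at all, while the normalized view still recovers `GET /cgi-bin/vuln.cgi` every time. The normalizer is also the reliability warning in code: it accepts folded headers, lower-case methods and %u escapes because the page's evasions assume a server that does, and a strict server returns 400 or 501 on the same bytes.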