Understanding Exploit Options
Exploits are reliable, but depend on a specific version. Exploits cannot consistently auto-detect.

Exploits have a default target and are common to specific types of software.

Exploits have a default target. Exploits can auto-detect the appropriate target or use an application-specific return address after it runs a version check.

Exploits can crash the target, but are the most likely to succeed.

Exploits never crash the service. Exploits include SQL injection, CMD execution, and certain weak configurations. Most web application flaws belong to this category.

Defines whether the exploit executes a Meterpreter or command shell payload.

Defines the IP address that the payload uses to connect back. Use this option when the address needs to be overridden, such as NAT or Amazon Elastic IPs.

Skip exploits that do not match the host OS.

Match exploits based on vulnerability references.

Defines the number of simultaneous exploit attempts that the system runs. The best number varies based upon available CPU horsepower. If you use one concurrent attempt, you can use the task log to debug any issues you encounter.

Defines the number of minutes that the system waits for a given exploit. The default setting ensures that all exploits have sufficient time to complete, but you may need to increase this setting if target hosts are slow.

This option enables you to send small TCP packets and insert delays between them.
Low – Inserts a delay of between 1-10 seconds between TCP packets. The delay rate will be constant for a specific module, but will vary across multiple modules.
Medium – Transmits small TCP packets; payloads are fragmented into 15-byte payloads.
High – Combines the Low and Medium settings by transmitting small TCP packets and inserting delays between them.

Defines application-specific evasion options for DCERPC, SMB, and HTTP-based exploits. These are the only protocols that support evasions. Please note that not all protocols support all levels of evasion.
Low – Adds fake UUIDs before and after the actual UUID that the exploit targets.
High – Sets the maximum fragmentation size of DCERPC calls to a value between 4 and 64.
Low – Obscures the PIPE string, places extra padding between SMB headers and data, and obscures path names.
Low – Adds "header folding," which splits HTTP headers across separate lines that the server joins with white space, and adds random cases to HTTP methods. This option adds between 1-64 fake HTTP headers.
Medium – Adds 1-64 fake query strings to GET requests. Adds 1-64 white space characters between tokens. Adds 1-64 POST parameters.
High – Encodes some characters as percent-u Unicode characters (half, randomly), adds a fake "end" to HTTP requests before the attack, and uses backslashes instead of forward slashes.

Opens one session per target and bypasses any targets that have a session open.

Performs a dry run on the exploit, which provides you with details of the exploit, but does not run the exploit.
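
Several of the HTTP evasion traits listed above (header folding, random-case methods, extra white space between tokens, percent-u encoding, backslashes in place of forward slashes) leave marks in the raw request that a defender can flag before normalization. The following is an added example, not part of the original documentation or of the product; the function name, indicator names and sample requests are constructed for illustration.

```python
import re

PERCENT_U = re.compile(r"%u[0-9a-fA-F]{4}")

def evasion_indicators(raw: bytes) -> set:
    """Return the names of HTTP evasion traits seen in one raw request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    found = set()

    # Extra white space between the tokens of the request line.
    if re.search(r"[ \t]{2,}", request_line):
        found.add("whitespace_padding")

    parts = request_line.split()
    method = parts[0] if parts else ""
    target = parts[1] if len(parts) > 1 else ""

    # Standard HTTP methods are upper case; anything else is unusual.
    if method != method.upper():
        found.add("non_uppercase_method")
    # %uXXXX is a non-standard encoding that ordinary clients do not emit.
    if PERCENT_U.search(target):
        found.add("percent_u_encoding")
    # Backslashes used where forward slashes are expected.
    if "\\" in target:
        found.add("backslash_in_path")
    # A header line that starts with space or tab continues the previous one.
    if any(line[:1] in (" ", "\t") for line in header_lines):
        found.add("header_folding")
    return found

# Constructed sample requests (not captured traffic).
CLEAN = b"GET /index.html HTTP/1.1\r\nHost: app.example\r\n\r\n"
FOLDED = (b"gEt /index.html HTTP/1.1\r\nHost: app.example\r\n"
          b"X-Note: first\r\n second\r\n\r\n")
ENCODED = b"GET   \\app\\%u0061dmin HTTP/1.1\r\nHost: app.example\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("clean", CLEAN), ("folded", FOLDED), ("encoded", ENCODED)):
        print(name, sorted(evasion_indicators(req)))
```

The fake headers, query strings and POST parameters are not flagged here because spotting them needs a baseline of what the application normally receives.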