Target exploitation is one area that sets a penetration test apart from a vulnerability assessment. Now that vulnerabilities have been found, you will actually validate and take advantage of these vulnerabilities by exploiting the system, in the hope of gaining full control or additional information and visibility into the targeted network and the systems therein. This chapter will highlight and discuss practices and tools that are used to conduct real-world exploitation.

In this chapter, we will cover the following topics:

• In the Vulnerability research section, we will explain what areas of vulnerability research are crucial in order to understand, examine, and test the vulnerability before transforming it into a practical exploit code.
• We will point you to several exploit repositories that should keep you informed about publicly-available exploits and when to use them.
• We will illustrate the use of one of the infamous exploitation toolkits from a target-evaluation perspective. This will give you a clear idea about how to exploit the target in order to gain access to sensitive information. The Advanced exploitation toolkit section involves a couple of hands-on practical exercises.
• In the end, we will attempt to briefly describe the steps for writing a simple exploit module for Metasploit.

Writing exploit code from scratch can be a time-consuming and expensive task. Hence, using publicly-available exploits and adjusting them to fit your target environment may require expertise, which would assist you in transforming the skeleton of one exploit into another, if the similarity and purpose is almost the same. We highly encourage the practice of publicly-available exploits in your own labs to further understand and kickstart writing your own exploit code.