Exploitation proves a vulnerability is real, safely and within scope. Use a framework against a lab target to demonstrate impact — the goal is evidence, not damage.
Why: exploitation confirms a vulnerability is genuinely exploitable and demonstrates its business impact — a "potential" finding becomes an "we proved an attacker can read your database" — which is what drives remediation. When: only exploit what is in scope, with the least-invasive proof, and never run destructive payloads. Where: the aim is a screenshot and an artifact, not disruption; stop the moment impact is demonstrated.
Exploitation exists to PROVE risk, not to cause harm:
- stay strictly in scope
- prefer the least-invasive proof of impact
- NO denial-of-service, NO data destruction, NO pivoting out of scope
- capture evidence (command + output + timestamp), then STOP
- if you find something critical/dangerous, pause and notify the clientWhy: exploitation frameworks like Metasploit package known, tested exploits so you can demonstrate a vulnerability reliably against an authorized target — this is the standard training workflow against Metasploitable. When: match the module to the identified CVE, set the target, and run it in your lab. Where: understanding how these run is equally valuable defensively — it is what your EDR and detection rules must catch.
# In your OWN lab, against Metasploitable (never a real target without scope):
msfconsole
search vsftpd 2.3.4 # find a module matching the finding
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS 192.168.56.101 # your lab target
run # demonstrates the vuln -> capture evidence
# Defensive mirror: this activity should light up your IDS/EDR. If it
# doesn't, that's a detection gap to fix (see the Threat Detection course).Why: weak credentials are one of the most common footholds, so testing them (within scope) shows real risk — but rate limits, lockouts, and authorization boundaries must be respected. When: test provided/known accounts or agreed wordlists against in-scope services, honoring lockout policies. Where: the defensive lesson is direct — MFA, lockouts, and strong password policy remove this entire class of finding.
# Only against in-scope services, honoring lockout/rate-limit rules:
hydra -l admin -P wordlist.txt 192.168.56.101 ssh -t 4
# Stop on success — you've proven the weak-credential risk. Don't hammer
# accounts into lockout during business hours.
# Defensive fix that kills this finding: MFA + lockout + strong passwords.