🎯 Targets

In Metasploit, a target defines the specific combination of operating system version, architecture, service pack level, and application version that an exploit is designed to work against. Selecting the correct target is critical — using the wrong one can cause the exploit to fail or crash the target service.


1️⃣ Viewing Available Targets

After selecting an exploit module, use show targets to list all supported target configurations:

msf6 > use exploit/windows/smb/ms08_067_netapi
msf6 exploit(windows/smb/ms08_067_netapi) > show targets

Exploit targets:
   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows XP SP2 English (AlwaysOn NX)
   4   Windows XP SP3 English (AlwaysOn NX)
   5   Windows 2003 SP0 Universal
   ...
   67  Windows XP SP3 Japanese (NX)

2️⃣ Setting the Target

# Set a specific target by ID
set TARGET 3

# Or use automatic targeting (if available — usually target ID 0)
set TARGET 0

Automatic Targeting

Many modern exploits include an Automatic Targeting option (ID 0) that attempts to fingerprint the remote service and select the correct target automatically. This is the safest option when available.

Tip

Always prefer Automatic Targeting when it's available. Manual target selection should only be used when automatic detection fails or when you know the exact target configuration from prior enumeration.


3️⃣ Why Targets Matter

Exploits — especially buffer overflows — often depend on exact memory layouts that vary between:

| Factor | Impact |
| --- | --- |
| OS Version | Memory addresses, system call numbers, and security features differ between Windows XP, 7, 10, Server 2012, etc. |
| Service Pack / Patch Level | Patches change the memory layout of vulnerable functions. |
| Architecture (x86 vs x64) | Register sizes, calling conventions, and address space layout differ drastically. |
| Language / Locale | DLL base addresses can differ between language packs (e.g., English vs. Japanese Windows). |
| Application Version | Different versions of a vulnerable application (e.g., Apache, IIS) have different offsets. |

Concept

A buffer overflow exploit works by overwriting a specific memory address (e.g., a return address on the stack) with the address of your shellcode. If the target OS or patch level is different from what the exploit expects, the overwrite will hit the wrong address — causing a crash instead of code execution.


Some exploits expose additional target-related options beyond the TARGET ID:

show advanced

Common advanced options:

| Option | Description |
| --- | --- |
| ForceExploit | Run the exploit even if the check command reports the target is not vulnerable. |
| DisablePayloadHandler | Don't start a payload handler (useful when you have a separate listener). |
| WfsDelay | Time (seconds) to wait for the session to be created after the exploit runs. Increase for slow or laggy targets. |
| AutoRunScript | Automatically run a post-exploitation script when a session is created. |

5️⃣ Gotchas

Note

Wrong target = crashed service. If you select the wrong target for a buffer overflow exploit, you will likely crash the remote service. In a production environment, this can cause a denial-of-service and alert the blue team. Always verify the target configuration before running the exploit.

Note

Not all exploits have multiple targets. Web application exploits (e.g., SQL injection, file upload) and logic-based exploits often have a single universal target because they don't depend on memory layout.

Note

Service fingerprinting helps. Run auxiliary/scanner/smb/smb_version or Nmap's -sV flag to identify the exact OS and service version before selecting a target.


Warning

Running exploits with incorrect target settings can crash production services. Always test in a controlled environment first.
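
The first gotcha and the warning above say a wrong target crashes the service and alerts the blue team. The sketch below is an added example, not part of the original page or of Metasploit. It shows that detection from the defender's side: a Windows Service Control Manager crash event (ID 7031 or 7034, "service terminated unexpectedly") correlated with inbound SMB traffic to the same host shortly before. The log line format, field names, addresses and the 30-second window are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): firewall accepts ("fw") and
# Service Control Manager events ("scm") in a simplified key=value format.
SAMPLE_LOG = """\
2024-05-01T10:00:01 fw host=10.0.0.5 src=10.0.0.77 dport=445
2024-05-01T10:00:03 scm host=10.0.0.5 event_id=7031 service=Server
2024-05-01T10:04:00 fw host=10.0.0.5 src=10.0.0.20 dport=445
2024-05-01T10:30:00 fw host=10.0.0.9 src=10.0.0.77 dport=80
2024-05-01T10:30:02 scm host=10.0.0.9 event_id=7034 service=Spooler
2024-05-01T11:00:00 scm host=10.0.0.5 event_id=7036 service=Server
"""

CRASH_IDS = {"7031", "7034"}  # SCM: "service terminated unexpectedly"
LINE = re.compile(r"^(\S+) (fw|scm) (.*)$")

def parse(log):
    """Yield (timestamp, kind, fields) for each well-formed line."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or malformed lines
        fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
        yield datetime.fromisoformat(m.group(1)), m.group(2), fields

def crashes_after_inbound(log, port="445", window=timedelta(seconds=30)):
    """Return service crashes preceded within `window` by inbound traffic to `port`."""
    events = sorted(parse(log), key=lambda e: e[0])
    conns = [(t, f) for t, k, f in events
             if k == "fw" and f.get("dport") == port and "src" in f]
    alerts = []
    for t, kind, f in events:
        if kind != "scm" or f.get("event_id") not in CRASH_IDS:
            continue  # only unexpected-termination events are of interest
        srcs = sorted({c["src"] for ct, c in conns
                       if c.get("host") == f.get("host")
                       and timedelta(0) <= t - ct <= window})
        if srcs:
            alerts.append({"host": f.get("host"), "service": f.get("service"),
                           "time": t.isoformat(), "sources": srcs})
    return alerts

if __name__ == "__main__":
    for alert in crashes_after_inbound(SAMPLE_LOG):
        print(alert)
```

On the sample data only the Server service crash on 10.0.0.5 is flagged: the later connection from 10.0.0.20 arrives after the crash, and the Spooler crash has no preceding port 445 traffic.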