use token stealing and passing the hash to move further into the network.

from a "what next" meterpreter doesnt give you much in the way of choices unless you can code.  if you want to port scan you either have to upload something like scanline or write yourself a injectable dll that will do whatever it is you need to do.

metasploit will "pivot" but not quite the same way as core does and you cant make the agent persistent, so that kinda sucks.

i did a couple of blog posts on using some of the pass the hash and token stealing tools and i think the pivoting stuff.

that help?

ketchup you are exactly right on that first part, it is extremely hard to identify an exploitable host inside the lan. 

if msf is you only option you'll need to set up shop on that first host and scan from there (which kinda sucks)

you didnt put a paragraph in there, so can you maybe  reiterate your point?

that we should attempt to use something to hack besides one of the exploit frameworks? how?

your other options would be web and client side, but once you have a login or a shell you are back to network hacking and the problem already mentioned of finding more vulnerable boxes inside the network.

i agree core is loud and noisy, adding a single host and launching A single exploit at a box after you have done some enumeration is far better than the RPT

I definitely see what Kev is talking about.   You can upload a small footprint of tools that you normally use to the exploited machine, like cryptcat, rootkits, a small scanner, and a couple of well written exploit scripts.    If you had sufficient time, this method definitely works and is probably the most stealthy thing you can do, provided you know what you are doing.

There are issues with this in today's world though.  If you are dealing with Windows boxes, then you have to port your python, perl, or c code over to something windows can interpret on the fly.   I am not an expert in this, but porting Perl code to something like VBScript or another Shell, seems like a difficult task.   

Another issue is that many of us are doing this as part of a penetration test, we are not simply hacking.   As part of a pen test, we have to find the most number of vulnerabilities that we possibly can, in the smallest amount of time.   No one is going to pay me to hack a network for a few months manually, unfortunately.   It comes down to time and money.

At the same time, I do have to agree with Kev to some degree.   You at least have to be able to use the manual methods before you spend the money on an expensive tool, you don't fully understand.   At the same time, the advanced hackers out there won't use a tool like Core.   They probably will not use Metasploit either.  They also have access to tons of 0day code that most of us are unaware of.   A pen test will not simulate a determined hacker in my opinion.   It more simulates a determined script kiddie. 

Those are just my two cents.   

Ketchup

Chris, since I don't consider myself a hacker yet, I will defer to you on the Metasploit subject.   I have much learn as a young gwasshoppa

Still, it seems that Metasploit is a bit of a large footprint to move around with you.   If you develop a exploit in Metasploit, can you use it outside of the framework?

Also, with so much 0day stuff other, coupled with great rootkits, do experienced hackers really need tools like Metasploit?   I am primarily speaking of black hat hackers.   Remember, they are not after penetrating a machine from all different angles.

Again, not arguing, just curious what some of the more experienced folks think on this subject.

i would lean that if someone can confidently write exploits for metasploit they could port them to C and make binaries that could be run on exploited windows boxes on the inside.