At this point, we should have a Meterpreter console running in the background within msfconsole, so we can begin to scan the target’s subnet for other live systems. To do this, we’ll upload nmap to the target and run it from the Windows machine.

First, download nmap from insecure.org in an executable format and save it locally. We’ll be uploading this to our target. Next, we’ll connect to the target via Microsoft’s Remote Desktop Protocol (RDP), a built-in graphical remote administration protocol that lets you interact with the Windows Desktop as if you were sitting in front of the remote machine. After we’re connected with our Meterpreter session, we’ll use the getgui Meterpreter script to tunnel RDP back out to us over port ...