Metasploit

General Info

Metasploit is a penetration testing framework developed by Rapid7. It has built-in support for exploits, payloads and its own extended shell system called Meterpreter.

Commands

These commands are adapted from the Metasploit Cheat Sheet created by TunnelsUp. Check it out here!

General

Command	Description
msfconsole	Launch Metasploit
version	Show Metasploit version
msfupdate	Update Metasploit
makerc <FILE.rc>	Save recent commands
msfconsole -r <FILE.rc>	Start Metasploit with command file
Linux command	Many work in Metasploit, try them! Examples: ifconfig, nmap, ...

Using the database

The Metasploit database saves data found during exploitation. Auxiliary scan results, hashdumps, and credentials show up in the database. For separate assignments, try using Workspaces (see below).

First Time Setup

Command	Description
service postgresql start	Start the database
msfdb init	Initialize the Metasploit database

Commands

Command	Description
db_status	Show DB status: is it connected?
hosts	Show hosts in database
services	Show ports in database
vulns	Show all found vulnerabilities

Exploit handling

Finding an Exploit to use

First, gather information using db_nmap and auxiliary modules. Auxiliary modules have numerous scanners, gatherers, fuzzers, and tools that allow you to scan a CIDR block or single IP and will save the results in the database.

Once information is gathered on the host, look at the results: What OS is running, what services were found? Use the search command to find suitable exploits or modules for further enumeration.

Command	Description
db_nmap -sS -A <IP-ADDRESS>	Port scan + OS fingerprint, add to DB
show auxiliary	List all auxiliary modules (scanners, fuzzers, proxies...)
use auxiliary/scanner/smb/smb_version	Detect the SMB version in us
use auxiliary/scanner/ftp/anonymous	Scan for anonymous FTP users
use auxiliary/scanner/snmp/snmp_login	Scan for public SNMP strings
search <TERM>	Search all exploits, payloads, aux modules for <TERM>
show exploits	List all exploits
show payloads	List all payloads

Executing an Exploit

Command	Description
use <MODULE>	Set the exploit to use
set payload <PAYLOAD>	Set the payload
show options	Show all options
set <OPTION> <SETTING>	Set an option to a specific setting
exploit or run	Execute the exploit

Sessions

Command	Description
sessions -l	List sessions
sessions -i <ID>	Interact / Attach to session
background or CTRL + Z	Background / Detach from session

Meterpreter

General commands

Command	Description
command / lcommand	Command on target / local command
sysinfo	Show system info
ps	List running processes
kill <PID>	Terminate a process
getuid	Show your user ID
upload	Upload a file
download	Download a file
pwd / lpwd	Print working directory
cd / lcd	Change directory
ls / lls	Show directory content
cat	Show contents of file
edit <FILE>	Edit a file with vim
shell	Drop into a shell on the target
migrate <PID>	Switch to another process
hashdump	Show all password hashes (windows only)
idletime	Display how long a user has been idle
screenshot	Take a screenshot and save locally
clearev	Clear the logs

Privilege Escalation

Command	Description
use priv	Load privilege escalation script
getsystem	Attempt to elevate privileges
getprivs	Attempt to elevate privileges

Windows Access Token Theft

Command	Description
use incognito	Load token manipulation module
list_tokens -u	Show all tokens
impersonate_token DOMAIN\\USER	Use token
drop_token	Stop using token

Port forwarding / pivoting

Enable port forwarding, opening port 3388 locally which forwards all traffic to 3389 on remote host:

portfwd [ADD|DELETE] -L <LHOST> -l 3388 -r <RHOST> -p 3389

Pivot through a session by adding a route within msf, it allows you to exploit or scan adjacent hosts

route add <SUBNET> <MASK> <SESSIONID>

Workspaces

Each workspace acts like a separate database. Need a fresh DB? Create a new workspace.

Command	Description
workspace -h	Help
workspace	List workspaces
workspace -a	Add a workspace
workspace -d	Delete a workspace
workspace -r	Rename a workspace