Metasploit
Metasploit is a penetration testing framework developed by Rapid7. It has built-in support for exploits, payloads and its own extended shell system called Meterpreter.
These commands are adapted from the Metasploit Cheat Sheet created by TunnelsUp. Check it out here!
The Metasploit database saves data found during exploitation. Auxiliary scan results, hashdumps, and credentials show up in the database. For separate assignments, try using Workspaces (see below).
First, gather information using db_nmap and auxiliary modules. Auxiliary modules have numerous scanners, gatherers, fuzzers, and tools that allow you to scan a CIDR block or single IP and will save the results in the database.
Once information is gathered on the host, look at the results: what OS is running, and which services were found? Use the `search` command to find suitable exploits or modules for further enumeration.
Enable port forwarding, opening port 3388 locally and forwarding all traffic sent to it to port 3389 on the remote host:

`portfwd [ADD|DELETE] -L <LHOST> -l 3388 -r <RHOST> -p 3389`

Pivot through a session by adding a route within msf; this lets you exploit or scan hosts adjacent to the compromised one:

`route add <SUBNET> <MASK> <SESSIONID>`
Each workspace acts like a separate database. Need a fresh DB? Create a new workspace.
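As an added example (not from the original page or from the TunnelsUp cheat sheet), a resource file that chains the workflow above: create a dedicated workspace, scan into the database, and review what was stored. The workspace name and the 192.0.2.0/24 range are placeholders.

```text
# engagement.rc - constructed example, not part of the original cheat sheet
# Run with: msfconsole -r engagement.rc
# Assumes the database was set up once with: service postgresql start; msfdb init

# One workspace per assignment keeps each engagement's data in its own database
workspace -a client-a
db_status

# Scan a CIDR block (placeholder range) and store hosts, ports and OS guesses in the DB
db_nmap -sS -A 192.0.2.0/24

# Auxiliary scanners write their findings to the same database
use auxiliary/scanner/smb/smb_version
set RHOSTS 192.0.2.0/24
run

# Review what was recorded, then look for suitable modules
hosts
services
vulns
search smb
```

Because everything lands in the `client-a` workspace, the same file can be rerun against a fresh workspace for the next engagement without mixing results.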
| Command | Description |
|---|---|
| `msfconsole` | Launch Metasploit |
| `version` | Show Metasploit version |
| `msfupdate` | Update Metasploit |
| `makerc <FILE.rc>` | Save recent commands |
| `msfconsole -r <FILE.rc>` | Start Metasploit with command file |
| Linux command | Many work in Metasploit, try them! Examples: `ifconfig`, `nmap`, ... |
| Command | Description |
|---|---|
| `service postgresql start` | Start the database |
| `msfdb init` | Initialize the Metasploit database |
| Command | Description |
|---|---|
| `db_status` | Show DB status: is it connected? |
| `hosts` | Show hosts in database |
| `services` | Show ports in database |
| `vulns` | Show all found vulnerabilities |
| Command | Description |
|---|---|
| `db_nmap -sS -A <IP-ADDRESS>` | Port scan + OS fingerprint, add to DB |
| `show auxiliary` | List all auxiliary modules (scanners, fuzzers, proxies...) |
| `use auxiliary/scanner/smb/smb_version` | Detect the SMB version in use |
| `use auxiliary/scanner/ftp/anonymous` | Scan for anonymous FTP users |
| `use auxiliary/scanner/snmp/snmp_login` | Scan for public SNMP strings |
| `search <TERM>` | Search all exploits, payloads, aux modules for `<TERM>` |
| `show exploits` | List all exploits |
| `show payloads` | List all payloads |
| Command | Description |
|---|---|
| `use <MODULE>` | Set the exploit to use |
| `set payload <PAYLOAD>` | Set the payload |
| `show options` | Show all options |
| `set <OPTION> <SETTING>` | Set an option to a specific setting |
| `exploit` or `run` | Execute the exploit |
| Command | Description |
|---|---|
| `sessions -l` | List sessions |
| `sessions -i <ID>` | Interact / attach to session |
| `background` or `CTRL + Z` | Background / detach from session |
| Command | Description |
|---|---|
| `command` / `lcommand` | Command on target / local command |
| `sysinfo` | Show system info |
| `ps` | List running processes |
| `kill <PID>` | Terminate a process |
| `getuid` | Show your user ID |
| `upload` | Upload a file |
| `download` | Download a file |
| `pwd` / `lpwd` | Print working directory |
| `cd` / `lcd` | Change directory |
| `ls` / `lls` | Show directory content |
| `cat` | Show contents of file |
| `edit <FILE>` | Edit a file with vim |
| `shell` | Drop into a shell on the target |
| `migrate <PID>` | Switch to another process |
| `hashdump` | Show all password hashes (Windows only) |
| `idletime` | Display how long a user has been idle |
| `screenshot` | Take a screenshot and save locally |
| `clearev` | Clear the logs |
| Command | Description |
|---|---|
| `use priv` | Load privilege escalation script |
| `getsystem` | Attempt to elevate privileges |
| `getprivs` | Attempt to elevate privileges |
| Command | Description |
|---|---|
| `use incognito` | Load token manipulation module |
| `list_tokens -u` | Show all tokens |
| `impersonate_token DOMAIN\\USER` | Use token |
| `drop_token` | Stop using token |
| Command | Description |
|---|---|
| `workspace -h` | Help |
| `workspace` | List workspaces |
| `workspace -a` | Add a workspace |
| `workspace -d` | Delete a workspace |
| `workspace -r` | Rename a workspace |