# Metasploit

## General Info

Metasploit is a penetration testing framework developed by Rapid7.\
It has built-in support for exploits, payloads and its own extended shell system called Meterpreter.

## Commands

These commands are adapted from the Metasploit Cheat Sheet created by TunnelsUp.\
Check it out [here](https://www.tunnelsup.com/metasploit-cheat-sheet/)!

### General

| Command                   | Description                                                                                             |
| ------------------------- | ------------------------------------------------------------------------------------------------------- |
| `msfconsole`              | Launch Metasploit                                                                                       |
| `version`                 | Show Metasploit version                                                                                 |
| `msfupdate`               | Update Metasploit                                                                                       |
| `makerc <FILE.rc>`        | Save recent commands                                                                                    |
| `msfconsole -r <FILE.rc>` | Start Metasploit with command file                                                                      |
| *Linux command*           | <p>Many work in Metasploit, try them!</p><p>Examples: <code>ifconfig</code>, <code>nmap</code>, ...</p> |

### Using the database

The Metasploit database saves data found during exploitation. Auxiliary scan results, hashdumps, and credentials show up in the database. For separate assignments, try using Workspaces (see below).

#### First Time Setup

| Command                    | Description                        |
| -------------------------- | ---------------------------------- |
| `service postgresql start` | Start the database                 |
| `msfdb init`               | Initialize the Metasploit database |

#### Commands

| Command     | Description                      |
| ----------- | -------------------------------- |
| `db_status` | Show DB status: is it connected? |
| `hosts`     | Show hosts in database           |
| `services`  | Show ports in database           |
| `vulns`     | Show all found vulnerabilities   |

### Exploit handling

#### Finding an Exploit to use

First, gather information using `db_nmap` and auxiliary modules. Auxiliary modules have numerous scanners, gatherers, fuzzers, and tools that allow you to scan a CIDR block or single IP and will save the results in the database.

Once information is gathered on the host, look at the results: What OS is running, what services were found? Use the `search` command to find suitable exploits or modules for further enumeration.

| Command                                 | Description                                                |
| --------------------------------------- | ---------------------------------------------------------- |
| `db_nmap -sS -A <IP-ADDRESS>`           | Port scan + OS fingerprint, add to DB                      |
| `show auxiliary`                        | List all auxiliary modules (scanners, fuzzers, proxies...) |
| `use auxiliary/scanner/smb/smb_version` | Detect the SMB version in use                              |
| `use auxiliary/scanner/ftp/anonymous`   | Scan for anonymous FTP users                               |
| `use auxiliary/scanner/snmp/snmp_login` | Scan for public SNMP strings                               |
| `search <TERM>`                         | Search all exploits, payloads, aux modules for \<TERM>     |
| `show exploits`                         | List all exploits                                          |
| `show payloads`                         | List all payloads                                          |

#### Executing an Exploit

| Command                  | Description                         |
| ------------------------ | ----------------------------------- |
| `use <MODULE>`           | Set the exploit to use              |
| `set payload <PAYLOAD>`  | Set the payload                     |
| `show options`           | Show all options                    |
| `set <OPTION> <SETTING>` | Set an option to a specific setting |
| `exploit` or `run`       | Execute the exploit                 |

### Sessions

| Command                    | Description                      |
| -------------------------- | -------------------------------- |
| `sessions -l`              | List sessions                    |
| `sessions -i <ID>`         | Interact / Attach to session     |
| `background` or `CTRL + Z` | Background / Detach from session |

### Meterpreter

#### General commands

| Command              | Description                             |
| -------------------- | --------------------------------------- |
| *command / lcommand* | *Command on target / local command*     |
| `sysinfo`            | Show system info                        |
| `ps`                 | List running processes                  |
| `kill <PID>`         | Terminate a process                     |
| `getuid`             | Show your user ID                       |
| `upload`             | Upload a file                           |
| `download`           | Download a file                         |
| `pwd / lpwd`         | Print working directory                 |
| `cd / lcd`           | Change directory                        |
| `ls / lls`           | Show directory content                  |
| `cat`                | Show contents of file                   |
| `edit <FILE>`        | Edit a file with vim                    |
| `shell`              | Drop into a shell on the target         |
| `migrate <PID>`      | Migrate Meterpreter into another process |
| `hashdump`           | Show all password hashes (Windows only) |
| `idletime`           | Display how long a user has been idle   |
| `screenshot`         | Take a screenshot and save locally      |
| `clearev`            | Clear the logs                          |

#### Privilege Escalation

| Command     | Description                      |
| ----------- | -------------------------------- |
| `use priv`  | Load the privilege escalation extension |
| `getsystem` | Attempt to elevate privileges to SYSTEM |
| `getprivs`  | Attempt to enable all privileges available to the current process |

#### Windows Access Token Theft

| Command                          | Description                    |
| -------------------------------- | ------------------------------ |
| `use incognito`                  | Load token manipulation module |
| `list_tokens -u`                 | Show all tokens                |
| `impersonate_token DOMAIN\\USER` | Use token                      |
| `drop_token`                     | Stop using token               |

#### Port forwarding / pivoting

Enable port forwarding: open port 3388 locally and forward all traffic sent to it to port 3389 on the remote host (`portfwd list` shows the forwards currently active in the session):

`portfwd add|delete -L <LHOST> -l 3388 -r <RHOST> -p 3389`

Pivot through a session by adding a route within msf; traffic for that subnet is then sent through the session, which lets you scan or exploit adjacent hosts:

`route add <SUBNET> <MASK> <SESSIONID>`

### Workspaces

Each workspace acts like a separate database. Need a fresh DB? Create a new workspace.

| Command        | Description        |
| -------------- | ------------------ |
| `workspace -h` | Help               |
| `workspace`    | List workspaces    |
| `workspace -a <NAME>` | Add a workspace    |
| `workspace -d <NAME>` | Delete a workspace |
| `workspace -r <OLD> <NEW>` | Rename a workspace |
