The common RHOSTS option accepts IP addresses, ranges, CIDR networks, and even a file with one target per line (specify as file:/path/to/file.txt).
Most modules support the ARCH, PAYLOAD, and SESSION options (for specifying target architecture, the payload to deliver, or session number to connect to). However, these are not shown when running show options
.
You can reset individual parameters using unset
, and reset the entire module using unset all
.
Equivalent module commands:
set -g
=setg
unset -g
=unsetg
run
=exploit
Some exploit modules have a check
option which attempts to determine if a target is vulnerable without actually exploiting it. Alternately, other modules have a paired auxiliary scanner. Many don’t have a check at all. YMMV!
Payloads
Payloads can be divided into:
- Singles (self-contained; also indicated by the use of an
_
separating “shell” from the rest of the payload name, as inshell_reverse_tcp
) - Stagers (small applications that establish a connection back to the attacker to download a larger, more complex payload)
- Stages (payloads designed to be downloaded by a stager; also indicated by the use of a
/
separating “shell” from the rest of the payload name, as inshell/reverse_tcp
)
Payloads follow the OS/ARCHITECTURE/PAYLOAD (though ARCHITECTURE is not included for 32-bit Windows payloads).
INFORMATION
Metasploit defaults to sending 32-bit payloads, but an increasing number of things won’t work on a 64-bit system from a 32-bit meterpreter shell. It’s probably best to explicitly set the
payload
option to use a 64-bit payload unless you know that you’ll be dealing with a 32-bit system.
List all available payloads using msfvenom --list payloads
or show payloads
from within the Metasploit console.
A specific payload can be set in the Metasploit console use the set PAYLOAD full/path/to/payload
.
If you initially get a native shell, use the post/multi/manage/shell_to_meterpreter
module to upgrade to Meterpeter.
shell_to_meterpreter
creates a new connection on a new port, by default 4433.