Cardboard Iguana Security
spells
Abusing wildcard expansion in Bash
Access the Windows Registry using PowerShell
Add Windows users at the command line
Aircrack-NG
ARP scanning
ARP
AS-REP roasting with Impacket
AS-REP roasting With Rubeus
AS-REP roasting
Automate Netlify builds with IFTTT
Automatically stabilize a reverse shell with socat
Avoid dropping privileges with SUID Bash
awk
Backdoor Visual Basic Scripts
basenc
Bash reverse shell
Bash scripting
Bulk edit Windows permissions
Burp Suite
Bypass the PowerShell execution policy
Bypass Windows antivirus with C Sharp
Calculate a file hash on Windows with CertUtil
Call Mimikatz from a meterpreter shell
cat
cewl
Change a branch name in Git
Change an RSA key passphrase with OpenSSL
Cisco IOS
Common Windows user types
Compact VM disk images
Confirm the existence of a Gmail address
crackmapexec
Create a GPG key with SSH support
Create a zip bomb
CUPP
Day One to Obsidian conversion script
DCERPC
Debugging Bash scripts
Default CIFS shares
dig
dir
Disable AMSI
DRSUAPI
Easy reverse DNS lookups
enum4linux
Enumerate AD CS templates with CertUtil
Equivalent Windows and UNIX commands
Evil-WinRM
Exploit LD_LIBRARY_PATH
Exploit LD_PRELOAD
Exploit local Windows services
Exploit local Windows tasks
Exploit remote Windows services
Exploit remote Windows tasks
Exploit the Bash PS4 prompt
Exploit the Windows DLL search order
Exploit the Windows FoDHelper
Exploit the WinLogon initialization sequence
Exploit VBA scripts with msfvenom
Exploit weak etc-passwd permissions
Exploit weak etc-shadow permissions
Exploit Windows file associations
Exploit Windows HTML applications with msfvenom
Exploit Windows services
Exploit Windows shortcut files
Exploit Windows tasks
Export highlights and annotations from Kobo eReaders
Extract the webpage title from a URL
ffmpeg
Find and replace a single line in a large text file
Find executables with SUID capabilities
find
findstr
finger
Fix EXIF data on Google Photos exports
FTP
FTPS
fuff
gdb
Gemini compatible markdown
Get a shell from ViM
Get an SSL certificate
Get-FileHash
Get-WinEvent
Git on Windows
gobuster
Golden and silver ticket attacks
grep
Hashcat
HTML applications
HTTP
Hydra
icacls
ICMP
iftop
IIS configuration data
IMAP
Impacket
Invoke-Mimikatz
Invoke-WebRequest
iOS quirks
ipconfig
IPSec
IPv4
Java
John the Ripper
JSON Web Tokens
Kerberoasting with Impacket
Kerberoasting with Rubeus
Kerberoasting
Kerberos
Kerbrute
less
Load a shell with a simple executable
Local file inclusion attacks
Look up unicode symbols and emojis
MAC address
Magic numbers
man
Match files to packages in Debian-based operating systems
Match files to packages in Red Hat-based operating systems
Metasploit MS SQL modules
meterpreter
Mimikatz
MITRE ATTaCK emulation plans
more
MS SQL
msfconsole
msfvenom
MySQL
nano
nbtscan
net
netcat
netsh
netstat
NFS
Nikto
Nmap
Node.js
nslookup
NTLM hashes
Oracle SQL Server
OSI model
OWASP ZAP
Perl
PHP local file inclusion attacks
PHP
ping
Poison null byte attack
Poison null byte in PHP
Polkit
Pop a SYSTEM shell on the Windows login screen using sticky keys
Pop a SYSTEM shell on the Windows login screen using Utilman
POP3
Port scanning with Bash
POSIX process signals
Powercat
PowerShell reverse shell
PowerView
ps
Pull SSL certificates from an external server
Python
Quick-n-dirty Python web server
Quickly bypass ssh-agent
Quickly find the canonical path of a file
RCE via XXE in PHP
Read a file beginning with a dash
reg
RegEx metacharacters
Remotely install a Windows package with PowerShell
Remove duplicate lines in Bash
Retrieve AIX fileset information
Retrieve AIX system information
Rubeus
Ruby
Run a remote Windows command using PowerShell
Run commands directly with PowerShell
RunAs
Send a command using OpenSSL
Set the PATH in a session on UNIX-like operating systems
Set the PATH in a session on Windows
Set up WMI in PowerShell
Shell stabilization
SIP
smbclient
smbget
smbmap
SMTP
socat
SQL injection attacks
SQLMap
ss
SSH
sudo
systemctl
systeminfo
tar
TCP header flags
TCP headers
TCP window size
TCP
tcpdump
Telnet
The Harvester
tmux
Transfer files over FTP using netcat
UDP
unbuffer
Uniform resource locators
UNIX file descriptors
UNIX password hashes
UNIX permissions
Unquoted path handling in Windows
Upgrade PostgreSQL
Use a Raspberry Pi 4B as hacking accessory
Use an alternate SSH key with Git
Use Bash functions to backdoor executables
Use Burp Suite with Firefox
Use Burp Suite with mobile apps
Use curl and jq with web APIs
Use OpenSSL to encrypt and decrypt files
Use the Windows Firewall to relay ports
Use unsupported display resolutions with Samsung DeX
Use WinRM with PowerShell
Useful built-in commands for Linux reconnaissance
Useful built-in commands for Windows reconnaissance
Useful Linux reconnaissance scripts
Useful scripts for Windows reconnaissance
ViM
Visual Basic for Applications
wfuzz
whoami
Wi-Fi
Windows DLL search order
Windows event IDs
Windows event logs
Windows local service accounts
Windows logon scripts
Windows permissions
Windows reconnaissance with PowerShell
Windows Remote Management
Windows Run and RunOnce Registry keys
Windows Scripting Host
Windows SeBackup and SeRestore permissions
Windows SeImpersonate and SeAssignPrimaryToken permissions
Windows service ACLs
Windows services
Windows SeTakeOwnership permission
Windows Startup folder
Windows unattended installation data
winrs
Wireshark
wmic
Work with base64 encoding using PowerShell
Work with remote services using WMI and PowerShell
Work with remote tasks using WMI and PowerShell
Working with services in PowerShell
XFreeRDP
XSS attacks
Xterm
xxd
XXE attacks
youtube-dl
Cardboard Iguana Security
Cardboard Iguana Security

msfconsole

Basic Metasploit flow:

  • use $MODULE_NAME
  • set $OPTIONS
  • run

You can use msfconsole as a shell, but there's no redirect functionality.

Commands

  • back - exit the current module
  • db_nmap $FLAGS $IP - run Nmap and dump the results into the Metasploit DB; all Nmap $FLAGS are supported and Metasploit will elevate privileges if necessary
  • help - get Metasploit help
  • history - display command history
  • hosts - display known hosts in DB
  • hosts -d - delete saved hosts from DB
  • info - show module information (including exploit target options)
  • jobs - check the status of background jobs
  • options (advanced) - show module/exploit options (or "advanced" options)
  • run/exploit - run the selected exploit
  • run -j - run the selected exploit as a background job
  • search - search modules; query to a particular type of module using the type: parameter (e.g., search type:exploit wordpress)
  • services - display services discovered in known hosts in DB
  • sessions - list open meterpreter sessions on a box
  • sessions -i $SESSION_NUMER - connect to meterpreter session $SESSION_NUMBER
  • show auxiliary - show auxiliary modules, filtered by relevancy if called from within a module
  • show exploits - show exploit modules
  • show options - show module options
  • show payloads - show payload modules, filtered by relevancy if called from within a module
  • spool - save all console output to a log file (useful for record-keeping)
  • use - select a Metasploit module/exploit
  • vulns - display vulnerabilities discovered in known hosts in DB
  • workspace - use workspaces; keeps database results isolated per engagement

Note that you can also call regular shell commands (ip, ls, etc.) from msfconsole. You can also background processes using Ctrl + Z (Metasploit will trap this, so you don't have to worry about backgrounding the entire msfconsole).

Modules

Module categories:

  • Auxiliary (odds-n-ends)
  • Encoders (re-encode exploits to thwart signature-based anti-malware solutions)
  • Evasion (attempt to directly evade anti-malware solutions)
  • Exploits
  • NOPS (no-op code that can be used to pad exploits to a needed size)
  • Payloads (what you want to run if the exploit is successful; often, but not always, some kind of shell)
  • Post (additional post-exploitation tools)

Note that Metasploit 6 apparently calls these "framework plugins" now.

  • Remember: Open up the port Metasploit's going to use in your firewall before running the exploit. Generally this is port 4444 by default (set with LPORT).
  • Also Remember: Be sure to set LHOST (and, when applicable, SRVHOST) correctly, even if it's not indicated by the module. Metasploit's guesses about which interface to use aren't always correct... (I find using the explicit IP address works better than specifying the interface device or leaving SRVHOST at the default of 0.0.0.0.)
  • Also also Remember: Sometimes you might find yourself in the position of trying to exploit a service over an SSH tunnel (for example, if you're trying to exploit a service that's not exposed externally in order to elevate your privileges). When doing this, remember that LHOST is still your machine's external address, as the exploit won't be connecting back over the SSH tunnel (obviously)! Since LHOST is also used to determine where the exploit's listener binds to, it's sometimes necessary to set the optional ReverseListenerBindAddress in these cases (typically when you do this, LHOST will be some remote system you're tunneled into, and ReverseListenerBindAddress will be 127.0.0.1).

Options

The common RHOSTS option accepts IP addresses, ranges, CIDR networks, and even a file with one target per line (specify as file:/path/to/file.txt).

Most modules support the ARCH, PAYLOAD, and SESSION options (for specifying target architecture, the payload to deliver, or session number to connect to). However, these are not shown when running show options.

You can reset individual parameters using unset, and reset the entire module using unset all.

Equivalent module commands:

  • set -g = setg
  • unset -g = unsetg
  • run = exploit

Some exploit modules have a check option which attempts to determine if a target is vulnerable without actually exploiting it. Alternately, other modules have a paired auxiliary scanner. Many don't have a check at all. YMMV!

Payloads

Payloads can be divided into:

  • Singles (self-contained; also indicated by the use of an _ separating "shell" from the rest of the payload name, as in shell_reverse_tcp)
  • Stagers (small applications that establish a connection back to the attacker to download a larger, more complex payload)
  • Stages (payloads designed to be downloaded by a stager; also indicated by the use of a / separating "shell" from the rest of the payload name, as in shell/reverse_tcp)

Payloads follow the OS/ARCHITECTURE/PAYLOAD (though ARCHITECTURE is not included for 32-bit Windows payloads).

Important

Metasploit defaults to sending 32-bit payloads, but an increasing number of things won't work on a 64-bit system from a 32-bit meterpreter shell. It's probably best to explicitly set the payload option to use a 64-bit payload unless you know that you'll be dealing with a 32-bit system.

List all available payloads using msfvenom --list payloads or show payloads from within the Metasploit console.

A specific payload can be set in the Metasploit console use the set PAYLOAD full/path/to/payload.

If you initially get a native shell, use the post/multi/manage/shell_to_meterpreter module to upgrade to Meterpeter.

Note

shell_to_meterpreter creates a new connection on a new port, by default 4433.

Scanners

Use search portscan to display built-in Metasploit port scanners. Note that msfconsole needs to be run as root for many scans to work - just like Nmap. That said, in my experience the fancier TCP scans (for example, SYN) don't work over a VPN... So maybe best to stick with Nmap.

Targeted scanners can be more useful, however:

  • The auxiliary/scanner/discovery/udp_sweep module will probe for common UDP services.
  • The auxiliary/scanner/http/http_version module will give you HTTP server version information.
  • The auxiliary/scanner/smb/smb_login module will allow you to conduct brute-force and password spraying attacks against Samba logins.

Metasploit has a variety of Samba/CIFS scanners too (use search scanner/smb to list them), as well as modules for basic enumeration such as smtp_version/smtp_enum (for SMTP) and mysql_sql (for MySQL, though this seems to just be a thin wrapper around the MySQL command line client).

Exploits

  • exploit/multi/handler - Catch a shell produced using msfvenom. Note that you'll need to use set payload to tell Metasploit what it's catching - for example, windows/meterpreter/reverse_tcp (or windows/x64/meterpreter/reverse_tcp). Both regular reverse shells and meterpreter sessions can be caught this way.
  • exploit/windows/smb/psexec - Call PsExec over SMB (instantiates meterpreter by default). Only works if SMBUser has admin privileges on the target!

Note that any Windows exploit that requires a password will also accept an NTLM hash (the LMHash part can be replaced by an appropriately-sized string of 0 characters if not available).

meterpreter

Potentially useful Metsploit modules to run from/besides meterpreter:

  • post/windows/gather/checkvm - try to determine if we're in a VM
  • post/multi/recon/local_exploit_suggester - find possible privilege escalation exploits (can be slow/unreliably on 64-bit architectures)
  • post/windows/gather/enum_shares - enumerate shares
  • auxiliary/scanner/smb/smb_enumusers_domain - enumerate SMB domain users (requires existing admin credentials)
  • post/windows/gather/hashdump - same as the hashdump command, but pushes the hashes into the Metasploit DB
  • post/windows/gather/smart_hashdump GETSYSTEM=FALSE - same as the hashdump command, but pushes the hashes into the Metasploit DB and ignores system accounts
  • auxiliary/analyze/crack_windows - sic John the Ripper or Hashcat on NTLM hashes stored in the Metasploit DB
  • post/windows/manage/enable_rdp - enable RDP access (requires admin privileges)
  • post/multi/manage/autoroute - manipulate target routing for pivoting
  • auxiliary/server/socks_proxy - start a SOCKS proxy
  • exploit/windows/local/persistence - sets up a persistent connection (you probably want to set STARTUP SYSTEM)... without a password!
Tip

It is generally more useful to background meterpreter and then run these commands through the Metasploit console, as within meterpreter they need to have all options specified on the "run" command line (in the console you can access help, actually see what the options are, etc.).

There seem to be a lot of options for the post/multi/manage/autoroute and auxiliary/server/socks_proxy modules, but I don't see a way to access them from meterpreter (it looks like to get help you need to background meterpreter and use the console).

The advantage of setting up a SOCKS proxy on the target is that you can then use proxychains to route through the target; this can allow you to pivot more deeply into the network that you're attacking. (You probably want to create a custom proxychains.conf file to do this. Fortunately, /etc/proxychains.conf is well documented.)

CIFS

Metasploit can also enumerate CIFS users using the auxiliary/smb/smb_lookupsid module.

Like Nmap, I've found this to be a bit unreliable on UNIX-like systems.

MS SQL

Metasploit MS SQL modules

Metasploit MS SQL modules

Metasploit provides a lot of tools for enumerating and exploiting MS SQL.

  • auxiliary/scanner/mssql/mssql_ping - Discover MS SQL servers (alternatively, use --script=ms-sql-info with Nmap)
  • auxiliary/scanner/mssql/mssql_login - Brute force logins
  • auxiliary/admin/mssql/mssql_enum - Enumerate databases
  • exploit/windows/mssql/mssql_payload - Get a shell

Links to this page
meterpreter
msfconsole
Interactive graph
On this page
msfconsole
Commands
Modules
Options
Payloads
Scanners
Exploits
meterpreter
CIFS
MS SQL
Powered by Obsidian Publish