Hello hacker! Welcome to this comprehensive cheat sheet for Metasploit! This powerful open-source framework is an essential tool for security professionals and ethical hackers who want to test and improve the security of their systems. With Metasploit, you can develop and execute exploits against target systems, scan for vulnerabilities, and conduct penetration testing.
In this cheat sheet, we will provide a comprehensive guide to Metasploit’s different components and commands in a table format. Our aim is to help you gain a solid understanding of how the framework works and how to use it effectively and ethically. Remember, it is important to use this tool for legitimate and ethical purposes only, with the explicit permission of the target system owner.
What Is Metasploit?
Metasploit is an open-source framework used for developing and executing exploits against target systems. It was developed by H.D. Moore in 2003 as a project to automate and standardize the process of exploiting vulnerabilities in computer systems.
Metasploit provides a wide range of pre-built modules for exploiting known vulnerabilities in target systems, as well as a scripting language that allows users to create their own custom modules. The framework can be used for a variety of security testing purposes, including penetration testing, vulnerability scanning, and network security assessments.
Metasploit is widely used by security professionals, including penetration testers, red teams, and blue teams, to identify and fix security vulnerabilities in target systems. It is a powerful tool for ethical hacking and security testing, but it should only be used with the explicit permission of the target system owner.
Metasploit’s collection of exploits, payloads, and tools to conduct penetration testing can speed up the testing process and take on much of the heavy lifting.
Most of the available tools and exploits only require filling in some basic information, such as the target IP address and port number and possibly the operating system or software version of the target. Very little modification is required of the user.
It also has the ability to easily upload files to and download files from a target system, perform network scanning, route network traffic, and manage multiple sessions at once.
Whether you’re a security professional or a student learning about cybersecurity, Metasploit is a valuable tool to have in your arsenal.
Framework Components
Metasploit Framework is composed of several key components that work together to provide a comprehensive penetration testing platform. Here are some of the main components:
- Metasploit Console: The Metasploit console provides a command-line interface for interacting with the framework. Users can access a range of modules and perform various tasks such as running exploits, payloads, and scanning modules.
- Module Database: The module database is a repository of all available modules, including exploits, payloads, encoders, and auxiliary modules. Each module contains detailed information on its functionality, configuration options, and usage.
- Exploit Development Environment: The Metasploit Framework includes a built-in exploit development environment that enables users to develop custom exploits and modules.
- Payloads: Payloads are pieces of code that are executed on the target system after successful exploitation. The Metasploit Framework includes a range of payloads, such as reverse shells, VNC, and Meterpreter.
- Encoders: Encoders are used to obfuscate payloads to bypass antivirus software and other security measures. The Metasploit Framework includes several encoders, including XOR, shikata-ga-nai, and ZLIB.
- Post-Exploitation Modules: Once a system has been compromised, post-exploitation modules can be used to gather information, escalate privileges, or perform other tasks. The Metasploit Framework includes a range of post-exploitation modules, such as keyloggers, screenshot capture, and password dumping.
- Scanner Modules: The Metasploit Framework includes a range of scanner modules, which can be used to scan for vulnerabilities in networks, operating systems, and applications.
- Reporting: The framework includes a reporting feature that allows users to generate reports on the results of penetration testing activities.
These components work together to provide a powerful platform for penetration testing, vulnerability assessment, and exploit development.
Networking commands
These commands allow you to manage network interfaces, routes, and connections, as well as perform network scanning and capture traffic. The `route` command can be used to view or add/delete routes in the routing table. The `ifconfig` command displays network interface configuration, and can be used to bring interfaces up or down. The `arp` command displays the ARP table for the network. The `ping` command sends an ICMP echo request to a specified host. The `tcpdump` command captures network traffic. The `nmap` command can be used to scan for open ports and services on a network. The `netstat` command displays active network connections. The `show options` command displays available options for a module, while the `set` commands allow you to set options for a module, such as the remote host IP address, remote port number, local host IP address, local port number, payload, and exit function. These commands can be used for network reconnaissance and exploitation activities in penetration testing.
Command | Description |
---|---|
route | Displays the routing table |
route add [subnet] [netmask] [gateway] | Adds a route to the routing table |
route delete [subnet] [netmask] [gateway] | Deletes a route from the routing table |
ifconfig | Displays network interface configuration |
ifconfig [interface] up | Brings a network interface up |
ifconfig [interface] down | Brings a network interface down |
arp | Displays the ARP table |
arp -a | Displays the ARP table for all hosts |
ping [ip] | Sends an ICMP echo request to a host |
tcpdump | Captures network traffic |
nmap | Scans for open ports and services |
netstat | Displays active network connections |
show options | Displays available options for a module |
set RHOST [ip] | Sets the remote host IP address |
set RPORT [port] | Sets the remote port number |
set LHOST [ip] | Sets the local host IP address |
set LPORT [port] | Sets the local port number |
set PAYLOAD [payload] | Sets the payload to use |
set EXITFUNC [function] | Sets the exit function for the payload |
Basics and file handling commands
Command | Description |
---|---|
help | Displays a list of available commands |
search [keyword] | Searches for modules based on a keyword |
use [module] | Selects a module for use |
show options | Displays the options for the selected module |
set [option] [value] | Sets an option value for the selected module |
run or exploit | Runs the selected module |
sessions | Displays active sessions |
sessions -i [session ID] | Interacts with a specific session |
sessions -k [session ID] | Kills a specific session |
background | Puts a session into the background |
jobs | Lists running jobs |
route | Configures routing |
route add [subnet] [netmask] [gateway] | Adds a new route |
route delete [subnet] [netmask] [gateway] | Deletes an existing route |
cd | Displays the current directory |
lcd | Changes the local directory |
pwd | Displays the present working directory |
ls | Lists the files and directories in the current directory |
dir | Same as ls |
cat [file] | Displays the contents of a file |
edit [file] | Edits a file |
upload [local file] [remote file] | Uploads a file to the target |
download [remote file] [local file] | Downloads a file from the target |
mkdir [directory] | Creates a new directory |
rmdir [directory] | Removes an empty directory |
rm [file] | Deletes a file |
Process Handling Commands
These commands can be used to manage processes on the target system, allowing you to stop or manipulate processes as needed. The `ps` command lists the running processes, and you can use the `kill` command to terminate a process. The `migrate` command allows you to move the Meterpreter session to a different process, which can be useful for maintaining persistence or avoiding detection. The `execute -f` command can be used to execute arbitrary commands on the target, while the `shell` command drops the user into a shell on the target. The `background` command puts the current session into the background, allowing you to continue working with other sessions or modules. Finally, the `route` commands can be used to configure routing on the target, allowing you to redirect traffic through your Meterpreter session.
Command | Description |
---|---|
ps | Lists the running processes on the target |
kill [process ID] | Kills the specified process |
migrate [process ID] | Moves the current Meterpreter session to the specified process |
execute -f [command] | Executes a command on the target |
shell | Drops the user into a shell on the target |
background | Puts a session into the background |
route | Configures routing |
route add [subnet] [netmask] [gateway] | Adds a new route |
route delete [subnet] [netmask] [gateway] | Deletes an existing route |
Interface and Output commands
These commands allow you to customize the interface and output of Metasploit. The `banner` command displays the Metasploit banner, while the `color` command enables or disables colored output. The `setg` and `unsetg` commands allow you to set or unset global options, such as the prompt, user agent, or proxy settings. The `setg output_directory` command allows you to set the output directory for module output. The `setg verbose`, `setg debug`, and `setg quiet` commands control the level of detail in the output, while the `setg timeout` command sets the timeout value for connections. These commands can be useful for tailoring Metasploit to your specific needs and preferences.
Command | Description |
---|---|
banner | Displays the Metasploit banner |
color [true/false] | Enables or disables colored output |
setg [option] [value] | Sets a global option value |
unsetg [option] | Unsets a global option value |
setg prompt [value] | Sets the prompt for the Metasploit console |
setg timestamp_output [true/false] | Enables or disables timestamped output |
setg output_directory [directory] | Sets the output directory for module output |
setg user_agent [value] | Sets the user agent string |
setg proxy [value] | Sets the proxy server |
setg proxy_port [value] | Sets the proxy port |
setg proxy_type [value] | Sets the proxy type |
setg proxy_user [value] | Sets the proxy username |
setg proxy_pass [value] | Sets the proxy password |
setg ssl [true/false] | Enables or disables SSL |
setg ssl_version [value] | Sets the SSL version |
setg verbose [true/false] | Enables or disables verbose output |
setg debug [true/false] | Enables or disables debug output |
setg quiet [true/false] | Enables or disables quiet mode |
setg timeout [value] | Sets the timeout value |
Password Management Commands
These commands allow you to manage and use credentials in Metasploit modules. The `creds` command displays a list of stored credentials, which can be edited or deleted using the `-e` and `-x` options, respectively. The `-t` option allows you to filter credentials by type. The `setg` commands allow you to set global options for passwords, usernames, domains, and credential files. The `setg PASS_LIST`, `setg USER_LIST`, and `setg USERPASS_FILE` commands allow you to set a list or file of passwords, usernames, or both to be used in modules. The `setg BLANK_PASSWORDS` command enables or disables the use of blank passwords, while the `setg STOP_ON_SUCCESS` command enables or disables stopping a module after a successful login. These commands can be useful for automating password attacks and testing credentials in penetration testing activities.
Command | Description |
---|---|
creds | Displays a list of stored credentials |
creds -e [id] | Edits the specified credential |
creds -x [id] | Deletes the specified credential |
creds -t [type] | Filters credentials by type (e.g., smb, ftp, ssh) |
creds -h | Displays help information for the creds command |
setg PASSWORD [value] | Sets the password for use in modules |
setg USERNAME [value] | Sets the username for use in modules |
setg DOMAIN [value] | Sets the domain name for use in modules |
setg PASS_FILE [value] | Sets the path to a file containing passwords |
setg USER_FILE [value] | Sets the path to a file containing usernames |
setg PASS_LIST [value] | Sets a list of passwords to use |
setg USER_LIST [value] | Sets a list of usernames to use |
setg USERPASS_FILE [value] | Sets the path to a file containing usernames and passwords |
setg BLANK_PASSWORDS [true/false] | Enables or disables the use of blank passwords |
setg STOP_ON_SUCCESS [true/false] | Enables or disables stopping a module after a successful login |
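The login modules driven by USER_FILE, PASS_FILE and STOP_ON_SUCCESS leave a recognisable trace on the system they are pointed at: a burst of failed logins from one source, often ending in a single success. The following Ruby script is an added example written for this cheat sheet, not code from the Metasploit project. It parses constructed OpenSSH auth.log lines (the sample data, the year supplied to the parser and the function names `parse_auth_log` and `detect_bruteforce` are all assumptions) and flags both patterns per source IP.

```ruby
# Added example: detecting the trace a password-guessing module leaves in auth.log.
# The log lines below are constructed for this example; they are not real output.
MONTHS = %w[Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec].freeze

SAMPLE_LOG = <<~LOG
  Mar 10 12:00:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2
  Mar 10 12:00:02 host sshd[1202]: Failed password for root from 198.51.100.7 port 50123 ssh2
  Mar 10 12:00:03 host sshd[1203]: Failed password for invalid user test from 198.51.100.7 port 50124 ssh2
  Mar 10 12:00:04 host sshd[1204]: Failed password for invalid user oracle from 198.51.100.7 port 50125 ssh2
  Mar 10 12:00:05 host sshd[1205]: Failed password for invalid user postgres from 198.51.100.7 port 50126 ssh2
  Mar 10 12:00:06 host sshd[1206]: Failed password for root from 198.51.100.7 port 50127 ssh2
  Mar 10 12:00:07 host sshd[1207]: Failed password for alice from 198.51.100.7 port 50128 ssh2
  Mar 10 12:00:08 host sshd[1208]: Failed password for alice from 198.51.100.7 port 50129 ssh2
  Mar 10 12:00:09 host sshd[1209]: Accepted password for alice from 198.51.100.7 port 50130 ssh2
  Mar 10 12:03:00 host sshd[1300]: Failed password for bob from 203.0.113.5 port 40001 ssh2
LOG

# One OpenSSH password-auth line; "invalid user" appears when the account does not exist.
LINE_RE = /\A(\w{3})\s+(\d+) (\d\d):(\d\d):(\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+/

Event = Struct.new(:time, :outcome, :user, :ip)

# Syslog lines carry no year, so one is supplied (assumption); only time differences matter here.
def parse_auth_log(text, year: 2024)
  text.each_line.map do |line|
    m = LINE_RE.match(line)
    next unless m
    mon, day, hh, mm, ss, outcome, user, ip = m.captures
    Event.new(Time.utc(year, MONTHS.index(mon) + 1, day.to_i, hh.to_i, mm.to_i, ss.to_i), outcome, user, ip)
  end.compact
end

# Two rules, evaluated per source IP:
#  :burst                  -> at least `threshold` failures inside any `window` seconds
#  :success_after_failures -> a successful login preceded by `threshold` or more failures
#                             from the same source (what STOP_ON_SUCCESS leaves behind)
def detect_bruteforce(events, threshold: 5, window: 60)
  findings = []
  events.group_by(&:ip).each do |ip, evs|
    evs = evs.sort_by(&:time)
    failures = evs.select { |e| e.outcome == 'Failed' }

    failures.each_with_index do |first, i|
      last = failures[i + threshold - 1]
      next if last.nil? || last.time - first.time > window
      in_window = failures.count { |f| f.time.between?(first.time, first.time + window) }
      findings << { ip: ip, kind: :burst, count: in_window, users: failures.map(&:user).uniq }
      break # one burst finding per source is enough
    end

    prior_failures = 0
    evs.each do |e|
      if e.outcome == 'Accepted' && prior_failures >= threshold
        findings << { ip: ip, kind: :success_after_failures, user: e.user, failures_before: prior_failures }
      end
      prior_failures += 1 if e.outcome == 'Failed'
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  detect_bruteforce(parse_auth_log(SAMPLE_LOG)).each { |f| puts f.inspect }
end
```

On the sample data the script reports one burst (eight failures against six account names) and one success-after-failures finding for 198.51.100.7, and nothing for the single failure from 203.0.113.5. The threshold and window are deliberately parameters: a scanner run with THREADS set high compresses the burst into a few seconds, while a slow spray spreads it out and needs a wider window.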
msfvenom command options
`msfvenom` is a powerful tool in Metasploit that is used for generating various types of payloads for exploitation. Here are some of the command options available in `msfvenom`:
Option | Description |
---|---|
-p | Specifies the payload to use (e.g., windows/meterpreter/reverse_tcp) |
-f | Specifies the output format for the payload (e.g., exe, elf, apk) |
-a | Specifies the architecture to use (e.g., x86, x64, armle) |
-e | Specifies the encoder to use (e.g., x86/shikata_ga_nai) |
-b | Specifies a list of characters to avoid in the payload (e.g., \x00\xff) |
-n | Specifies the name of the output file |
-i | Specifies the number of times to encode the payload |
-x | Specifies the executable file to use as a template |
-k | Generates a payload that bypasses anti-virus |
--list | Displays a list of available payloads |
--list-options | Displays a list of options for a specified payload |
These options allow you to customize the payload generated by `msfvenom` to suit your needs. The `-p` option specifies the payload to use, which can be either a stager or a stage payload. The `-f` option specifies the output format for the payload, such as executable or shellcode. The `-a` option specifies the architecture for the payload, such as x86 or armle. The `-e` option specifies the encoder to use for the payload, which can be used to obfuscate the payload to bypass anti-virus software. The `-b` option specifies a list of characters to avoid in the payload, which can be used to avoid null bytes or other problematic characters. The `-n` option specifies the name of the output file. The `-i` option specifies the number of times to encode the payload. The `-x` option specifies an executable file to use as a template for the payload. The `-k` option generates a payload that is designed to bypass anti-virus. The `--list` and `--list-options` options allow you to view available payloads and options for a specified payload, respectively.
Exploit Development
These commands and tools are used in various stages of exploit development, from payload generation to assembly code conversion to building ROP chains. The `msfvenom` command generates payloads and encoders for use in exploits, while the `pattern_create.rb` and `pattern_offset.rb` commands are used to identify memory offsets for buffer overflow exploits. The `nasm_shell.rb` command converts assembly instructions into machine code, and `msfelfscan` and `ropgadget` are used to find function calls and gadgets in binaries for use in exploits. The `msfconsole -x` and `msfcli` commands can be used to execute modules and commands automatically, while `msfrop` builds ROP chains for exploits. The `msfupdate` command updates Metasploit to the latest version. These commands and tools are essential for exploit developers to create and test exploits for known vulnerabilities or target-specific systems.
Command | Description |
---|---|
msfvenom | Generates payloads and encoders for use in exploits |
pattern_create.rb | Generates a pattern for identifying memory offsets |
pattern_offset.rb | Identifies the offset of a specific value in a pattern |
nasm_shell.rb | Converts assembly instructions into machine code |
msfelfscan | Scans ELF binaries for function calls and gadgets |
ropgadget | Finds ROP gadgets in binaries |
msfconsole -x | Executes console commands and modules automatically |
msfcli | Executes modules from the command line |
msfrop | Builds ROP chains for exploits |
msfupdate | Updates Metasploit to the latest version |
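What pattern_create.rb and pattern_offset.rb actually do is worth seeing in code, because the trick is simple: the pattern is built from the triplets Aa0, Aa1, ..., Az9, Ba0, ... so that no 4-byte window ever repeats, and the 4 bytes that end up in a register after a crash can therefore be looked up to a single offset. The Ruby below is an added example written for this cheat sheet, not the Metasploit tools' own code (the real tools take more options, such as custom character sets); the function names `cyclic_pattern`, `pattern_offset` and `unique_windows?` are assumptions.

```ruby
# Added example: the cyclic-pattern idea behind pattern_create.rb / pattern_offset.rb,
# re-implemented for illustration (not the Metasploit tools' own code).
UPPER = ('A'..'Z').to_a.freeze
LOWER = ('a'..'z').to_a.freeze
DIGIT = ('0'..'9').to_a.freeze
MAX_PATTERN = UPPER.size * LOWER.size * DIGIT.size * 3 # 20280 bytes before triplets would repeat

# Builds "Aa0Aa1Aa2...Aa9Ab0..." truncated to `length` bytes.
def cyclic_pattern(length)
  raise ArgumentError, "length must be 1..#{MAX_PATTERN}" unless length.between?(1, MAX_PATTERN)
  out = ''.dup
  UPPER.each do |u|
    LOWER.each do |l|
      DIGIT.each do |d|
        out << u << l << d
        return out[0, length] if out.length >= length
      end
    end
  end
end

# Looks up a 4-byte sample in the pattern of the given length. The sample may be
# the literal characters ("Aa5A") or a 32-bit hex value as a debugger shows it
# ("0x41356141"); the hex form is read little-endian, as pattern_offset.rb does.
# Returns nil when the bytes are not part of the pattern (e.g. a genuine address).
def pattern_offset(sample, length)
  needle = sample =~ /\A0x\h{8}\z/ ? [sample[2..-1].to_i(16)].pack('V') : sample
  cyclic_pattern(length).index(needle)
end

# Sanity check of the property the offset lookup relies on: no window repeats.
def unique_windows?(pattern, width = 4)
  seen = {}
  (0..pattern.length - width).each do |i|
    w = pattern[i, width]
    return false if seen[w]
    seen[w] = true
  end
  true
end

if __FILE__ == $PROGRAM_NAME
  puts cyclic_pattern(40)
  puts "offset of 0x41356141: #{pattern_offset('0x41356141', 40)}"
end
```

The little-endian handling is the part people most often get wrong by hand: a register showing 0x41356141 holds the bytes 41 61 35 41, which is the substring "Aa5A", found at offset 15 of the pattern. Above 20280 bytes the triplets would start repeating and the lookup would become ambiguous, which is why the generator refuses longer lengths.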
Post-Exploitation
These commands and tools are used for maintaining access and performing actions on a compromised system after initial exploitation. For example, the `getsystem` command attempts to escalate privileges to SYSTEM, while `hashdump` retrieves password hashes from the target system. The `keylogger_start` command starts a keylogger on the target system, while `migrate` moves the Meterpreter process to a different process on the target system to evade detection. The `portfwd` command forwards a port from the target system to the attacker system, while `screenshot` takes a screenshot of the target system’s desktop. The `webcam_snap` command takes a snapshot from the target system’s webcam. The `timestomp` command modifies file timestamps to evade detection, while `clearev` clears event logs on the target system. The `shell_to_meterpreter` command upgrades a regular shell to a Meterpreter shell, while `ps` and `ls` list running processes and files and directories on the target system. The `upload` and `download` commands transfer files between the attacker and target systems, while `execute` executes a command on the target system.
Command | Description |
---|---|
getuid | Retrieves the user ID of the current user |
getsystem | Attempts to escalate privileges to SYSTEM |
hashdump | Dumps password hashes from the target system |
keylogger_start | Starts a keylogger on the target system |
migrate | Moves the Meterpreter process to a different process on the target system |
portfwd | Forwards a port from the target system to the attacker system |
screenshot | Takes a screenshot of the target system’s desktop |
webcam_snap | Takes a snapshot from the target system’s webcam |
timestomp | Modifies file timestamps to evade detection |
clearev | Clears event logs on the target system |
shell_to_meterpreter | Upgrades a regular shell to a Meterpreter shell |
ps | Lists running processes on the target system |
ls | Lists files and directories on the target system |
upload | Uploads a file from the attacker system to the target system |
download | Downloads a file from the target system to the attacker system |
execute | Executes a command on the target system |
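Of the commands above, `clearev` is the one a blue team can catch most reliably, because Windows records the wipe itself: clearing the Security log writes event 1102 as the first entry of the fresh log, and clearing the Application or System log writes event 104 (provider Microsoft-Windows-Eventlog) to the System log, so the records survive the action they describe. The Ruby below is an added example for this cheat sheet, not Metasploit code. It reads constructed event records (one JSON object per line, in the shape a log shipper might forward; the field names and the function names `parse_events` and `detect_log_clearing` are assumptions) and flags both single clears and the cluster of clears that wiping several logs at once produces.

```ruby
require 'json'
require 'time'

# Added example: spotting the trace of clearev-style log wiping. The records below
# are constructed for this example and are not real telemetry.
SAMPLE_EVENTS = <<~'NDJSON'
  {"ts":"2024-03-10T12:04:58Z","host":"ws01","channel":"Security","event_id":4624,"provider":"Microsoft-Windows-Security-Auditing","user":"LAB\\alice"}
  {"ts":"2024-03-10T12:05:03Z","host":"ws01","channel":"Security","event_id":1102,"provider":"Microsoft-Windows-Eventlog","user":"LAB\\alice"}
  {"ts":"2024-03-10T12:05:03Z","host":"ws01","channel":"System","event_id":104,"provider":"Microsoft-Windows-Eventlog","user":"LAB\\alice"}
  {"ts":"2024-03-10T12:05:04Z","host":"ws01","channel":"System","event_id":104,"provider":"Microsoft-Windows-Eventlog","user":"LAB\\alice"}
  {"ts":"2024-03-10T12:06:00Z","host":"ws02","channel":"System","event_id":7036,"provider":"Service Control Manager","user":"NT AUTHORITY\\SYSTEM"}
  {"ts":"2024-03-10T12:06:10Z","host":"ws02","channel":"Security","event_id":4624,"provider":"Microsoft-Windows-Security-Auditing","user":"LAB\\bob"}
NDJSON

# Windows writes these records after a log is wiped, so they survive the wipe:
# 1102 is the first entry of a freshly cleared Security log; 104 lands in the
# System log when another log (Application, System, ...) is cleared.
CLEAR_RULES = {
  ['Security', 1102] => 'Security audit log cleared',
  ['System', 104]    => 'Event log file cleared'
}.freeze

def parse_events(ndjson)
  ndjson.each_line.map(&:strip).reject(&:empty?).map { |line| JSON.parse(line) }
end

# One finding per clear event, plus one per host where several clears land
# within `window` seconds (clearev wipes Application, System and Security in
# one go, so the records cluster tightly).
def detect_log_clearing(events, window: 60)
  clears = events.select { |e| CLEAR_RULES.key?([e['channel'], e['event_id']]) }
  findings = clears.map do |e|
    { host: e['host'], ts: e['ts'], user: e['user'], rule: CLEAR_RULES[[e['channel'], e['event_id']]] }
  end
  clears.group_by { |e| e['host'] }.each do |host, evs|
    times = evs.map { |e| Time.iso8601(e['ts']) }
    next unless evs.length >= 2 && times.max - times.min <= window
    findings << { host: host, ts: evs.first['ts'], user: evs.first['user'],
                  rule: "#{evs.length} log clears within #{window}s (bulk clear)" }
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  detect_log_clearing(parse_events(SAMPLE_EVENTS)).each { |f| puts f.inspect }
end
```

The user recorded on the 1102 event is the account that performed the clear, which is the same account the Meterpreter session was running as; that is usually the most useful pivot for the investigation. Forwarding logs off the host before they can be cleared is what makes this detection dependable, since a local-only log loses everything before the clear.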
Auxiliary
These commands and modules are used for various scanning and reconnaissance tasks, as well as performing Denial of Service (DoS) attacks and gathering information from target systems. For example, the `auxiliary/scanner/ftp/anonymous` module attempts to log in to an FTP server anonymously, while `auxiliary/scanner/http/dir_scanner` scans a web server for directories. The `auxiliary/scanner/mssql/mssql_ping` module pings a Microsoft SQL Server, while `auxiliary/scanner/portscan/tcp` performs a TCP port scan. The `auxiliary/scanner/vnc/vnc_login` module attempts to log in to a VNC server. The `auxiliary/dos/tcp/synflood` module floods a target with SYN packets to exhaust resources, while `auxiliary/admin/http/tomcat_administration` exploits a Tomcat Manager Application authentication bypass vulnerability. The `auxiliary/gather/browser_autopwn` module creates a fake update page for a specific browser to deliver a payload, while `auxiliary/gather/wlan_wpa_eapol` captures WPA/WPA2 EAPOL packets to crack the password. These commands and modules are useful for reconnaissance and information gathering, as well as performing targeted attacks on vulnerable systems.
Command/Module | Description |
---|---|
auxiliary/scanner/ftp/anonymous | Attempts to login to an FTP server anonymously |
auxiliary/scanner/ftp/ftp_version | Determines the version of an FTP server |
auxiliary/scanner/http/dir_scanner | Scans a web server for directories |
auxiliary/scanner/http/jboss_vulnscan | Scans a JBoss application server for vulnerabilities |
auxiliary/scanner/mssql/mssql_ping | Pings a Microsoft SQL Server |
auxiliary/scanner/mysql/mysql_version | Determines the version of a MySQL server |
auxiliary/scanner/portscan/tcp | Performs a TCP port scan |
auxiliary/scanner/smb/smb_version | Determines the version of an SMB server |
auxiliary/scanner/snmp/snmp_enum | Enumerates SNMP objects |
auxiliary/scanner/ssh/ssh_version | Determines the version of an SSH server |
auxiliary/scanner/vnc/vnc_login | Attempts to login to a VNC server |
auxiliary/dos/tcp/synflood | Floods a target with SYN packets to exhaust resources |
auxiliary/admin/http/tomcat_administration | Exploits Tomcat Manager Application authentication bypass vulnerability |
auxiliary/gather/browser_autopwn | Creates a fake update page for a specific browser to deliver a payload |
auxiliary/gather/wlan_wpa_eapol | Captures WPA/WPA2 EAPOL packets to crack the password |
Payloads
These payloads can be used in conjunction with various exploits to deliver and execute malicious code on a target system. The `windows/meterpreter/reverse_tcp` payload creates a Meterpreter shell that connects back to the attacker, while `windows/meterpreter/bind_tcp` creates a Meterpreter shell that listens for incoming connections. The `windows/shell/reverse_tcp` payload creates a command shell that connects back to the attacker, while `windows/shell_bind_tcp` creates a command shell that listens for incoming connections. The `windows/exec` payload executes a specified command on the target system, while `windows/download_exec` downloads and executes a file from a specified URL. The `windows/meterpreter/reverse_dns` payload creates a Meterpreter shell that connects back to the attacker using a DNS request. These payloads can be customized with various options to tailor their behavior to specific needs, such as setting the IP address and port number to use for the connection.
Payload | Description |
---|---|
windows/meterpreter/reverse_tcp | Creates a Meterpreter shell that connects back to the attacker |
windows/meterpreter/reverse_https | Creates a Meterpreter shell that connects back to the attacker over HTTPS |
windows/meterpreter/reverse_http | Creates a Meterpreter shell that connects back to the attacker over HTTP |
windows/meterpreter/bind_tcp | Creates a Meterpreter shell that listens for incoming connections |
windows/meterpreter/reverse_winhttps | Creates a Meterpreter shell that connects back to the attacker over a Windows HTTPS channel |
windows/shell/reverse_tcp | Creates a command shell that connects back to the attacker |
windows/shell_bind_tcp | Creates a command shell that listens for incoming connections |
windows/exec | Executes a specified command on the target system |
windows/download_exec | Downloads and executes a file from a specified URL |
windows/meterpreter/reverse_dns | Creates a Meterpreter shell that connects back to the attacker using a DNS request |
Encoders
These encoders can be used to obfuscate a payload and make it more difficult for antivirus software to detect. The `x86/shikata_ga_nai` encoder uses a polymorphic XOR additive feedback algorithm to scramble the payload, while `x86/fnstenv_mov` modifies the stack pointer and registers to avoid bad characters. The `x86/call4_dword_xor` encoder replaces the CALL instruction with a new, encrypted CALL instruction. The `x86/alpha_mixed` encoder randomly shuffles the bytes in the payload, while `x86/countdown` inserts a countdown loop before executing the payload. The `x86/nonupper` encoder subtracts 0x20 from uppercase letters to avoid bad characters, and `x86/shikata_ga_nai_reverse` is the same as `x86/shikata_ga_nai`, but with the output reversed. The `cmd/powershell_base64` encoder encodes a payload as a Base64 string for use in PowerShell. Finally, `generic/none` disables encoding entirely.
Encoder | Description |
---|---|
x86/shikata_ga_nai | Polymorphic XOR additive feedback encoder |
x86/fnstenv_mov | Modifies the stack pointer and registers to avoid bad characters |
x86/call4_dword_xor | Replaces the CALL instruction with a new, encrypted CALL instruction |
x86/alpha_mixed | Randomly shuffles the bytes in the payload |
x86/countdown | Inserts a countdown loop before executing the payload |
x86/nonupper | Subtracts 0x20 from uppercase letters to avoid bad characters |
x86/shikata_ga_nai_reverse | Same as x86/shikata_ga_nai, but with the output reversed |
cmd/powershell_base64 | Encodes a payload as a Base64 string for use in PowerShell |
generic/none | Disables encoding entirely |
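To make "XOR additive feedback" concrete, here is a toy encoder/decoder pair added for this cheat sheet. It is not Metasploit's x86/shikata_ga_nai, which works on 32-bit words and prepends a polymorphic decoder stub that this example does not model; the byte-wise scheme, the constructed input string and the function names `xor_feedback_encode`, `xor_feedback_decode` and `signature_hit?` are all assumptions. The point for a defender is in the last function: the encoded bytes depend on the key, so a byte signature written for the plaintext never matches the encoded body, and detection has to key on the decoder stub or on what the payload does once it runs.

```ruby
# Added example: XOR additive feedback on bytes. Each plaintext byte is XORed
# with the running key; the key is then advanced by adding the ciphertext byte
# just emitted, so every output byte depends on everything before it.
def xor_feedback_encode(data, key)
  k = key & 0xff
  data.bytes.map do |b|
    c = b ^ k
    k = (k + c) & 0xff # feedback: the ciphertext byte folds into the next key
    c
  end.pack('C*')
end

# Decoding mirrors encoding. The key schedule depends only on ciphertext bytes,
# which the decoder has in hand, so no extra state needs to travel with the data.
def xor_feedback_decode(encoded, key)
  k = key & 0xff
  encoded.bytes.map do |c|
    plain = c ^ k
    k = (k + c) & 0xff
    plain
  end.pack('C*')
end

# A byte-signature check of the kind that only ever sees the static bytes.
def signature_hit?(blob, signature)
  !blob.index(signature).nil?
end

# Constructed stand-in for a payload body (plain text, deliberately not code).
SAMPLE_BODY = 'CONSTRUCTED-SAMPLE-PAYLOAD-BODY'.freeze

if __FILE__ == $PROGRAM_NAME
  [0x5a, 0x3c].each do |key|
    enc = xor_feedback_encode(SAMPLE_BODY, key)
    puts format('key 0x%02x -> %s', key, enc.unpack1('H*'))
    puts "  signature on plaintext matches encoded body? #{signature_hit?(enc, SAMPLE_BODY)}"
  end
end
```

Two runs with different keys give two byte strings that share nothing with each other or with the input, yet both decode back to the same body; that is the whole reason signature databases chase the decoder loop rather than the encoded bytes, and why the `-i` iteration count in msfvenom changes nothing about what a behavioural sensor sees at run time.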
Evasion
These evasion techniques can be used to avoid detection and improve the chances of a successful exploit. The polymorphic technique generates random or semi-random code to avoid signature-based detection. Fragmentation breaks up the payload into smaller pieces and sends them separately to evade detection. Encoding encodes the payload to avoid detection, while padding adds random data to the payload to change its signature. The timing technique delays the payload execution to avoid detection by behavior-based analysis, while obfuscation modifies the payload to make it harder to analyze and detect. Finally, stealth techniques are used to hide the presence of the payload or activity on the target system.
Evasion Technique | Description |
---|---|
polymorphic | Generates random or semi-random code to avoid signature-based detection |
fragmentation | Breaks up the payload into smaller pieces and sends them separately to evade detection |
encoding | Encodes the payload to avoid detection |
padding | Adds random data to the payload to change its signature |
timing | Delays the payload execution to avoid detection by behavior-based analysis |
obfuscation | Modifies the payload to make it harder to analyze and detect |
stealth | Hides the presence of the payload or activity on the target system |
Reporting
Metasploit has several built-in reporting features that allow users to generate customized reports on the results of their security assessments. Some of the reporting options available in Metasploit include:
- Hosts Summary Report: Generates a report that summarizes the results of the assessment, including the number of hosts scanned, services detected, and vulnerabilities found.
- Vulnerability Report: Generates a report that provides a detailed list of vulnerabilities found during the assessment, including a description of the vulnerability, severity rating, and recommendations for remediation.
- Executive Summary Report: Generates a high-level report that provides a summary of the assessment results, including a list of the top vulnerabilities and recommendations for remediation.
- Penetration Testing Report: Generates a comprehensive report that includes detailed information on the assessment methodology, tools used, findings, recommendations, and remediation strategies.
- Compliance Report: Generates a report that provides evidence of compliance with specific regulatory requirements, such as PCI DSS or HIPAA.
- Custom Report: Allows users to generate a customized report by selecting specific criteria to include, such as host information, vulnerability information, and remediation recommendations.
Users can generate reports in a variety of formats, including HTML, PDF, and CSV, and can customize the output to meet their specific needs. Additionally, Metasploit provides integrations with other security tools and platforms, such as Nexpose and Rapid7 InsightVM, to allow for seamless reporting and vulnerability management.
Frequently Asked Questions
Q: What is Metasploit?
A: Metasploit is an open-source framework used for developing and executing exploits against target systems.
Q: What is an exploit?
A: An exploit is a piece of code or a technique used to take advantage of a vulnerability in a target system to gain unauthorized access or perform malicious actions.
Q: Is Metasploit legal?
A: Yes, Metasploit is legal to use for security testing and research purposes. However, it should only be used with the explicit permission of the target system owner.
Q: What operating systems does Metasploit support?
A: Metasploit is a cross-platform framework and can be used on Windows, Linux, and macOS.
Q: Do I need programming experience to use Metasploit?
A: While some programming experience can be helpful when using Metasploit, it is not required. Metasploit provides a user-friendly interface and a wide range of pre-built modules that can be used by security professionals with varying levels of technical expertise.
Q: Can Metasploit be used for ethical hacking?
A: Yes, Metasploit can be used for ethical hacking and penetration testing to identify and fix security vulnerabilities in target systems.
Q: Is Metasploit only used by hackers?
A: No, Metasploit is used by a wide range of security professionals, including penetration testers, red teams, and blue teams, to identify and fix security vulnerabilities.
Q: Are there any alternatives to Metasploit?
A: Yes, there are several alternatives to Metasploit, including Cobalt Strike, Core Impact, and Canvas. However, Metasploit is one of the most widely used and well-known security testing frameworks available.
Conclusion
In conclusion, Metasploit is a powerful open-source framework that is widely used by security professionals and ethical hackers for conducting penetration testing and improving the security of systems. This comprehensive cheat sheet has provided a quick guide to Metasploit’s different components and commands in a table format. We hope that this cheat sheet will serve as a valuable reference for security professionals who are new to Metasploit or looking to refresh their knowledge of the framework. It is important to remember that Metasploit should be used ethically and with the explicit permission of the target system owner.
Thank you! Best Metasploit Cheat Sheet out there.