
Metasploit Cheat Sheet

by binca via cheatography.com/44948/cs/13466/

Overview

Most popular exploitation framework and the largest Ruby project.
Commonly associated with network exploitation, but has useful auxiliary modules for web app testing.
Uses a modular approach for payloads and exploits, allowing for flexibility.
Auxiliary modules are available for scanning, crawling/spidering and querying web servers; > 150 unique entries in auxiliary/scanner/http.
Especially useful for testing off-the-shelf applications including WordPress, Joomla, Drupal, Oracle DB, SQL Server, SCADA frontends and more.

Seeding Metasploit

Metasploit has two spiders:
auxiliary/crawler/msfcrawler
auxiliary/scanner/http/crawler
But Metasploit's crawlers are not a replacement for ZAP or Burp; instead, Metasploit can import results from other tools.
db_import allows Metasploit to ingest the output files of certain tools, parsing them into its own database structure.
db_import -h provides a list of supported files and formats; many tools are supported, including Acunetix, AppScan, Burp, NetSparker, Nikto, and Wapiti.

WMAP

A web scanning plugin in Metasploit, last updated in 2012 but still useful.
Interfaces with Metasploit's backend database, launching auxiliary and exploit modules related to the web app results within the database.
Can create custom profiles to run, using wmap_sample_profile.txt as a template.
Lacks documentation.

BeEF and Metasploit

Having a hooked browser means:
limited system privileges
low persistence
no ability to exploit vulnerabilities
a wealth of knowledge about the browsing environment
Can configure BeEF to point at a Metasploit RPC listener to expose Metasploit modules.
Enabling integration:
1. Update config.yml in the beef directory
2. Configure Metasploit RPC in msfconsole by typing
   load msgrpc ServerHost=127.0.0.1 Pass=password
3. Update config.yml in the extensions/metasploit directory with info about the Metasploit RPC
4. Start BeEF
5. Inject Metasploit

Sqlmap and Metasploit

2-way integration: sqlmap.py can leverage a local Metasploit install, or the sqlmap module can be used within Metasploit (less common).
Within Sqlmap, Metasploit is primarily used for shellcode (shell, VNC, Meterpreter).
--os-pwn: leverage Metasploit
--priv-esc: attempts privilege escalation on Windows
--msf-path: defines the local Metasploit install location

Metasploit and Known Vulnerabilities

Main use in web apps is for known vulnerabilities.
Custom application testing can be done with WMAP or auxiliary modules, but exploitation is the main purpose.
Exploits against CMS, databases, specific SQLi flaws, and major vulnerabilities such as ShellShock, Heartbleed and Drupalgeddon.

Drupal and Drupal​geddon

One of the most common CMS serving content to end users and providing functionality.
CMS are high-value targets because of their critical purpose.
Drupalgeddon (CVE-2014-3704) was patched on October 15, 2014.
The flaw is an unauthenticated SQLi vulnerability present on all Drupal 7 installs.
Successful exploitation provides data access, remote code execution and local privilege escalation.
Widespread automated exploitation within hours.

The reason for the flaw lies within Drupal's use of prepared statements for SQL queries, meant to defend against SQLi.
Drupal includes expandArguments(), which explodes the arrays, but it did not handle specially crafted input properly.
Compounded by Drupal's use of PHP Data Objects (PDO), which employs emulated prepared statements, allowing multiple queries as one request.
The result was that unfiltered input was passed to the expandArguments() function, allowing for an exploit entry point (SELECT pivot to INSERT).
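As an added illustration (not the cheat sheet's or Drupal's own code), a simplified PHP model of the expansion flaw just described beside the renumbering that closes it; the function names are hypothetical, and the PDO option covers the second half of the defence mentioned above.

```php
<?php
// Added example (not the cheat sheet's or Drupal's own code): a simplified model
// of the placeholder expansion described above. Function names are hypothetical
// and imitate the shape of Drupal 7's expandArguments() without being it.

// Flawed form: an array bound to one placeholder is exploded into several
// placeholders, and the caller's array KEYS become part of the new placeholder
// names. Those names are spliced into the SQL text, so whoever controls the
// keys controls a piece of the query string before it ever reaches PDO.
function expandArgumentsFlawed(string &$query, array &$args): void
{
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $newKeys = [];
        foreach ($data as $i => $value) {            // $i is taken from input as-is
            $newKeys[$key . '_' . $i] = $value;
        }
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($newKeys)), $query);
        unset($args[$key]);
        $args += $newKeys;
    }
}

// Corrected form: renumber with array_values() so $i is always 0, 1, 2, ...
// and the caller's keys never reach the SQL text.
function expandArgumentsFixed(string &$query, array &$args): void
{
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $newKeys = [];
        foreach (array_values($data) as $i => $value) {
            $newKeys[$key . '_' . $i] = $value;
        }
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($newKeys)), $query);
        unset($args[$key]);
        $args += $newKeys;
    }
}

// Second half of the defence: disable PDO's emulated prepares so the driver
// handles placeholders and one statement cannot carry a second query.
// Shown as connection options only; no database is opened here.
$pdoOptions = [PDO::ATTR_EMULATE_PREPARES => false];

// Constructed input: one form field submitted as an array with a string key.
$sql  = 'SELECT uid FROM users WHERE name IN (:names)';
$args = [':names' => ['user_supplied_key' => 'alice']];

$q = $sql; $a = $args; expandArgumentsFlawed($q, $a); echo $q, PHP_EOL;
$q = $sql; $a = $args; expandArgumentsFixed($q, $a);  echo $q, PHP_EOL;
```

The first line printed carries the caller's key inside the SQL text; the second carries only the generated numeric placeholder.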

Metasploit and Drupal​geddon

exploit/multi/http/drupal_drupalgeddon is the exploit in msfconsole.

The researcher who discovered the flaw posted 2 PoCs:
1. Hijacks an admin session
2. Enables remote code execution

When Tools Fail

Tools often fail because of differences in server configurations or quality issues; some may not be reliable, or results may be indeterminate.
Additional testing may reveal an alternative tool, or it may require manual exploitation. Researching the vulnerability and exploit may help.
CVE-2014-16010 is a MediaWiki vulnerability with a Metasploit exploit available, exploit/multi/http/media_wiki_thumb, which uses either a DjVu (default) or PDF. The default fails.
The vulnerability allowed a PHP backdoor to be uploaded via command execution.
The Metasploit module works by manually uploading a PDF.

By binca, cheatography.com/binca/. Last updated 9th November, 2017.