Mastering Metasploit: The Ultimate Cheat Sheet for Exploit Development, Post-Exploitation, and More
Hello hacker! Welcome to this comprehensive cheat sheet for Metasploit! This powerful open-
source framework is an essential tool for security professionals and ethical hackers who want
to test and improve the security of their systems. With Metasploit, you can develop and
execute exploits against target systems, scan for vulnerabilities, and conduct penetration
testing.
In this cheat sheet, we will provide a comprehensive guide to Metasploit’s different
components and commands in a table format. Our aim is to help you gain a solid
understanding of how the framework works and how to use it effectively and ethically.
Remember, it is important to use this tool for legitimate and ethical purposes only, with the
explicit permission of the target system owner.
What Is Metasploit?
Metasploit is an open-source framework used for developing and executing exploits against
target systems. It was developed by H.D. Moore in 2003 as a project to automate and
standardize the process of exploiting vulnerabilities in computer systems.
Metasploit provides a wide range of pre-built modules for exploiting known vulnerabilities in
target systems, as well as a scripting language that allows users to create their own custom
modules. The framework can be used for a variety of security testing purposes, including
penetration testing, vulnerability scanning, and network security assessments.
Metasploit is widely used by security professionals, including penetration testers, red teams,
and blue teams, to identify and fix security vulnerabilities in target systems. It is a powerful
tool for ethical hacking and security testing, but it should only be used with the explicit
permission of the target system owner.
Metasploit’s collection of exploits, payloads, and tools to conduct penetration testing can
speed up the testing process and take on much of the heavy lifting.
Most of the available tools and exploits only require filling in some basic information, such as
the target IP address and port number and possibly the operating system or software version of
the target. Very little modification is required of the user.
It also has the ability to easily upload files to and download files from a target system,
perform network scanning, routing network traffic, and manage multiple sessions at once.
Whether you’re a security professional or a student learning about cybersecurity, Metasploit
is a valuable tool to have in your arsenal.
Framework Components
Metasploit Framework is composed of several key components that work together to provide
a comprehensive penetration testing platform. Here are some of the main components:
1. Metasploit Console: The Metasploit console provides a command-line interface for
interacting with the framework. Users can access a range of modules and perform
various tasks such as running exploits, payloads, and scanning modules.
2. Module Database: The module database is a repository of all available modules,
including exploits, payloads, encoders, and auxiliary modules. Each module contains
detailed information on its functionality, configuration options, and usage.
3. Exploit Development Environment: The Metasploit Framework includes a built-in exploit
development environment that enables users to develop custom exploits and modules.
4. Payloads: Payloads are pieces of code that are executed on the target system after
successful exploitation. The Metasploit Framework includes a range of payloads, such
as reverse shells, VNC, and Meterpreter.
5. Encoders: Encoders are used to obfuscate payloads to bypass antivirus software and
other security measures. The Metasploit Framework includes several encoders,
including XOR, shikata-ga-nai, and ZLIB.
6. Post-Exploitation Modules: Once a system has been compromised, post-exploitation
modules can be used to gather information, escalate privileges, or perform other tasks.
The Metasploit Framework includes a range of post-exploitation modules, such as
keyloggers, screenshot capture, and password dumping.
7. Scanner Modules: The Metasploit Framework includes a range of scanner modules,
which can be used to scan for vulnerabilities in networks, operating systems, and
applications.
8. Reporting: The framework includes a reporting feature that allows users to generate
reports on the results of penetration testing activities.
These components work together to provide a powerful platform for penetration testing,
vulnerability assessment, and exploit development.
Networking commands
These commands allow you to manage network interfaces, routes, and connections, as well
as perform network scanning and capture traffic. The route command can be used to view
or add/delete routes in the routing table. The ifconfig command displays network interface
configuration, and can be used to bring interfaces up or down. The arp command displays
the ARP table for the network. The ping command sends an ICMP echo request to a
specified host. The tcpdump command captures network traffic. The nmap command
can be used to scan for open ports and services on a network. The netstat command
displays active network connections. The show options command displays available
options for a module, while the set commands allow you to set options for a module, such
as the remote host IP address, remote port number, local host IP address, local port number,
payload, and exit function. These commands can be used for network reconnaissance and
exploitation activities in penetration testing.
Command Description
route Displays the routing table
route add [subnet] [netmask] [gateway] Adds a route to the routing table
route delete [subnet] [netmask] [gateway] Deletes a route from the routing table
ifconfig Displays network interface configuration
ifconfig [interface] up Brings a network interface up
ifconfig [interface] down Brings a network interface down
arp Displays the ARP table
arp -a Displays the ARP table for all hosts
ping [ip] Sends an ICMP echo request to a host
tcpdump Captures network traffic
nmap Scans for open ports and services
netstat Displays active network connections
show options Displays available options for a module
set RHOST [ip] Sets the remote host IP address
set RPORT [port] Sets the remote port number
set LHOST [ip] Sets the local host IP address
set LPORT [port] Sets the local port number
set PAYLOAD [payload] Sets the payload to use
set EXITFUNC [function] Sets the exit function for the payload
Command Description
help Displays a list of available commands
search [keyword] Searches for modules based on a keyword
use [module] Selects a module for use
show options Displays the options for the selected module
set [option] [value] Sets an option value for the selected module
run or exploit Runs the selected module
sessions Displays active sessions
sessions -i [session ID] Interacts with a specific session
sessions -k [session ID] Kills a specific session
background Puts a session into the background
jobs Lists running jobs
route Configures routing
route add [subnet] [netmask] [gateway] Adds a new route
route delete [subnet] [netmask] [gateway] Deletes an existing route
cd Displays the current directory
lcd Changes the local directory
pwd Displays the present working directory
ls Lists the files and directories in the current directory
dir Same as ls
cat [file] Displays the contents of a file
edit [file] Edits a file
upload [local file] [remote file] Uploads a file to the target
download [remote file] [local file] Downloads a file from the target
mkdir [directory] Creates a new directory
rmdir [directory] Removes an empty directory
rm [file] Deletes a file
Command Description
ps Lists the running processes on the target
kill [process ID] Kills the specified process
migrate [process ID] Moves the current Meterpreter session to the specified process
execute -f [command] Executes a command on the target
shell Drops the user into a shell on the target
background Puts a session into the background
route Configures routing
route add [subnet] [netmask] [gateway] Adds a new route
route delete [subnet] [netmask] [gateway] Deletes an existing route
Command Description
banner Displays the Metasploit banner
color [true/false] Enables or disables colored output
setg [option] [value] Sets a global option value
unsetg [option] Unsets a global option value
setg prompt [value] Sets the prompt for the Metasploit console
setg timestamp_output [true/false] Enables or disables timestamped output
setg output_directory [directory] Sets the output directory for module output
setg user_agent [value] Sets the user agent string
setg proxy [value] Sets the proxy server
setg proxy_port [value] Sets the proxy port
setg proxy_type [value] Sets the proxy type
setg proxy_user [value] Sets the proxy username
setg proxy_pass [value] Sets the proxy password
setg ssl [true/false] Enables or disables SSL
setg ssl_version [value] Sets the SSL version
setg verbose [true/false] Enables or disables verbose output
setg debug [true/false] Enables or disables debug output
setg quiet [true/false] Enables or disables quiet mode
setg timeout [value] Sets the timeout value
Option Description
-p Specifies the payload to use (e.g., windows/meterpreter/reverse_tcp)
-f Specifies the output format for the payload (e.g., exe, elf, apk)
-a Specifies the architecture to use (e.g., x86, x64, armle)
-e Specifies the encoder to use (e.g., x86/shikata_ga_nai)
-b Specifies a list of characters to avoid in the payload (e.g., \x00\xff)
-n Specifies the name of the output file
-i Specifies the number of times to encode the payload
-x Specifies the executable file to use as a template
-k Generates a payload that bypasses anti-virus
--list Displays a list of available payloads
--list-options Displays a list of options for a specified payload
These options allow you to customize the payload generated by msfvenom to suit your
needs. The -p option specifies the payload to use, which can be either a stager or a stage
payload. The -f option specifies the output format for the payload, such as executable or
shellcode. The -a option specifies the architecture for the payload, such as x86 or armle.
The -e option specifies the encoder to use for the payload, which can be used to
obfuscate the payload to bypass anti-virus software. The -b option specifies a list of
characters to avoid in the payload, which can be used to avoid null bytes or other problematic
characters. The -n option specifies the name of the output file. The -i option specifies
the number of times to encode the payload. The -x option specifies an executable file to
use as a template for the payload. The -k option generates a payload that is designed to
bypass anti-virus. The --list and --list-options options allow you to view available
payloads and options for a specified payload, respectively.
Exploit Development
These commands and tools are used in various stages of exploit development, from payload
generation to assembly code conversion to building ROP chains. The msfvenom command
generates payloads and encoders for use in exploits, while the pattern_create.rb and
pattern_offset.rb commands are used to identify memory offsets for buffer overflow
exploits. The nasm_shell.rb command converts assembly instructions into machine code,
and msfelfscan and ropgadget are used to find function calls and gadgets in binaries for
use in exploits. The msfconsole -x and msfcli commands can be used to execute
modules and commands automatically, while msfrop builds ROP chains for exploits. The
msfupdate command updates Metasploit to the latest version. These commands and tools
are essential for exploit developers to create and test exploits for known vulnerabilities or
target-specific systems.
Command Description
msfvenom Generates payloads and encoders for use in exploits
pattern_create.rb Generates a pattern for identifying memory offsets
pattern_offset.rb Identifies the offset of a specific value in a pattern
nasm_shell.rb Converts assembly instructions into machine code
msfelfscan Scans ELF binaries for function calls and gadgets
ropgadget Finds ROP gadgets in binaries
msfconsole -x Executes console commands and modules automatically
msfcli Executes modules from the command line
msfrop Builds ROP chains for exploits
msfupdate Updates Metasploit to the latest version
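As an added illustration (my own Python, not code from the cheat sheet or from Metasploit), the following re-implements the cyclic pattern that pattern_create.rb and pattern_offset.rb rely on, plus a small bad-character check in the spirit of msfvenom's -b option. The one-cycle cap of 20,280 bytes is an assumption of this simplified version.

```python
"""Added example (not from the cheat sheet or Metasploit): a Python
re-implementation of the cyclic pattern behind pattern_create.rb and
pattern_offset.rb, used when triaging a crash in a lab to find which
bytes of an oversized input land in a saved return address."""
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGIT = "0123456789"
# One full cycle of 3-byte groups: 26 * 26 * 10 groups * 3 bytes = 20280.
# Assumption of this simplified version: patterns are capped at one cycle,
# since beyond it 4-byte windows repeat and an offset becomes ambiguous.
MAX_LEN = len(UPPER) * len(LOWER) * len(DIGIT) * 3


def pattern_create(length: int) -> str:
    """Build the Metasploit-style pattern Aa0Aa1Aa2...Aa9Ab0Ab1...Zz9.
    Within one cycle every 4-byte window is unique, so any register value
    seen in a debugger maps back to exactly one offset."""
    if not 0 <= length <= MAX_LEN:
        raise ValueError(f"length must be between 0 and {MAX_LEN}")
    groups = []
    for u in UPPER:
        for lo in LOWER:
            for d in DIGIT:
                groups.append(u + lo + d)
                if len(groups) * 3 >= length:
                    return "".join(groups)[:length]
    return "".join(groups)[:length]


def pattern_offset(value, length: int = MAX_LEN) -> int:
    """Return the offset of `value` in the pattern, or -1 if it is absent.
    `value` may be the 4 ASCII characters seen in memory ("Aa3A"), the
    integer a 32-bit register held (0x41336141), or that integer as a
    "0x..." string. A little-endian CPU loads the bytes reversed, so the
    integer is packed "<I" before searching, as pattern_offset.rb does."""
    if isinstance(value, str) and value.lower().startswith("0x"):
        value = int(value, 16)
    if isinstance(value, int):
        needle = struct.pack("<I", value).decode("ascii", errors="replace")
    else:
        needle = value
    return pattern_create(length).find(needle)


def find_bad_chars(blob: bytes, bad: bytes) -> list:
    """List (offset, byte) for every byte of `bad` that occurs in `blob`:
    the check behind msfvenom's -b, run here on an arbitrary buffer to
    decide whether an encoder is needed at all."""
    return [(i, b) for i, b in enumerate(blob) if b in bad]


if __name__ == "__main__":
    print(pattern_create(40))
    print(pattern_offset(0x41336141))  # 9
    print(find_bad_chars(b"\x90\x00\x41\xff", b"\x00\xff"))
```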
Post-Exploitation
These commands and tools are used for maintaining access and performing actions on a
compromised system after initial exploitation. For example, the getsystem command
attempts to escalate privileges to SYSTEM, while hashdump retrieves password hashes
from the target system. The keylogger_start command starts a keylogger on the target
system, while migrate moves the Meterpreter process to a different process on the target
system to evade detection. The portfwd command forwards a port from the target system
to the attacker system, while screenshot takes a screenshot of the target system’s
desktop. The webcam_snap command takes a snapshot from the target system’s webcam.
The timestomp command modifies file timestamps to evade detection, while clearev
clears event logs on the target system. The shell_to_meterpreter command upgrades a
regular shell to a Meterpreter shell, while ps and ls list running processes and files and
directories on the target system. The upload and download commands transfer files
between the attacker and target systems, while execute executes a command on the
target system.
Command Description
getuid Retrieves the user ID of the current user
getsystem Attempts to escalate privileges to SYSTEM
hashdump Dumps password hashes from the target system
keylogger_start Starts a keylogger on the target system
migrate Moves the Meterpreter process to a different process on the target system
portfwd Forwards a port from the target system to the attacker system
screenshot Takes a screenshot of the target system’s desktop
webcam_snap Takes a snapshot from the target system’s webcam
timestomp Modifies file timestamps to evade detection
clearev Clears event logs on the target system
shell_to_meterpreter Upgrades a regular shell to a Meterpreter shell
ps Lists running processes on the target system
ls Lists files and directories on the target system
upload Uploads a file from the attacker system to the target system
download Downloads a file from the target system to the attacker system
execute Executes a command on the target system
Auxiliary
These commands and modules are used for various scanning and reconnaissance tasks, as
well as performing Denial of Service (DoS) attacks and gathering information from target
systems. For example, the auxiliary/scanner/ftp/anonymous module attempts to log in to an
FTP server anonymously, while auxiliary/scanner/http/dir_scanner scans a web server for
directories. The auxiliary/scanner/mssql/mssql_ping module pings a Microsoft SQL Server,
while auxiliary/scanner/portscan/tcp performs a TCP port scan. The
auxiliary/scanner/vnc/vnc_login module attempts to log in to a VNC server. The
auxiliary/dos/tcp/synflood module floods a target with SYN packets to exhaust resources,
while auxiliary/admin/http/tomcat_administration exploits a Tomcat Manager Application
authentication bypass vulnerability. The auxiliary/gather/browser_autopwn module creates
a fake update page for a specific browser to deliver a payload, while
auxiliary/gather/wlan_wpa_eapol captures WPA/WPA2 EAPOL packets to crack the
password. These commands and modules are useful for reconnaissance and information
gathering, as well as performing targeted attacks on vulnerable systems.
Command/Module Description
auxiliary/scanner/ftp/anonymous Attempts to log in to an FTP server anonymously
auxiliary/scanner/ftp/ftp_version Determines the version of an FTP server
auxiliary/scanner/http/dir_scanner Scans a web server for directories
auxiliary/scanner/http/jboss_vulnscan Scans a JBoss application server for vulnerabilities
auxiliary/scanner/mssql/mssql_ping Pings a Microsoft SQL Server
auxiliary/scanner/mysql/mysql_version Determines the version of a MySQL server
auxiliary/scanner/portscan/tcp Performs a TCP port scan
auxiliary/scanner/smb/smb_version Determines the version of an SMB server
auxiliary/scanner/snmp/snmp_enum Enumerates SNMP objects
auxiliary/scanner/ssh/ssh_version Determines the version of an SSH server
auxiliary/scanner/vnc/vnc_login Attempts to log in to a VNC server
auxiliary/dos/tcp/synflood Floods a target with SYN packets to exhaust resources
auxiliary/admin/http/tomcat_administration Exploits a Tomcat Manager Application authentication bypass vulnerability
auxiliary/gather/browser_autopwn Creates a fake update page for a specific browser to deliver a payload
auxiliary/gather/wlan_wpa_eapol Captures WPA/WPA2 EAPOL packets to crack the password
Payloads
These payloads can be used in conjunction with various exploits to deliver and execute
malicious code on a target system. The windows/meterpreter/reverse_tcp payload creates
a Meterpreter shell that connects back to the attacker, while
windows/meterpreter/bind_tcp creates a Meterpreter shell that listens for incoming
connections. The windows/shell/reverse_tcp payload creates a command shell that
connects back to the attacker, while windows/shell_bind_tcp creates a command shell that
listens for incoming connections. The windows/exec payload executes a specified
command on the target system, while windows/download_exec downloads and executes a
file from a specified URL. The windows/meterpreter/reverse_dns payload creates a
Meterpreter shell that connects back to the attacker using a DNS request. These payloads
can be customized with various options to tailor their behavior to specific needs, such as
setting the IP address and port number to use for the connection.
Payload Description
windows/meterpreter/reverse_tcp Creates a Meterpreter shell that connects back to the attacker
windows/meterpreter/reverse_https Creates a Meterpreter shell that connects back to the attacker over HTTPS
windows/meterpreter/reverse_http Creates a Meterpreter shell that connects back to the attacker over HTTP
windows/meterpreter/bind_tcp Creates a Meterpreter shell that listens for incoming connections
windows/meterpreter/reverse_winhttps Creates a Meterpreter shell that connects back to the attacker over a Windows HTTPS channel
windows/shell/reverse_tcp Creates a command shell that connects back to the attacker
windows/shell_bind_tcp Creates a command shell that listens for incoming connections
windows/exec Executes a specified command on the target system
windows/download_exec Downloads and executes a file from a specified URL
windows/meterpreter/reverse_dns Creates a Meterpreter shell that connects back to the attacker using a DNS request
Encoders
These encoders can be used to obfuscate a payload and make it more difficult for antivirus
software to detect. The x86/shikata_ga_nai encoder uses a polymorphic XOR additive
feedback algorithm to scramble the payload, while x86/fnstenv_mov modifies the stack
pointer and registers to avoid bad characters. The x86/call4_dword_xor encoder replaces
the CALL instruction with a new, encrypted CALL instruction. The x86/alpha_mixed
encoder randomly shuffles the bytes in the payload, while x86/countdown inserts a
countdown loop before executing the payload. The x86/nonupper encoder subtracts 0x20
from uppercase letters to avoid bad characters, and x86/shikata_ga_nai_reverse is the
same as x86/shikata_ga_nai , but with the output reversed. The cmd/powershell_base64
encoder encodes a payload as a Base64 string for use in PowerShell. Finally, generic/none
disables encoding entirely.
Encoder Description
x86/shikata_ga_nai Polymorphic XOR additive feedback encoder
x86/fnstenv_mov Modifies the stack pointer and registers to avoid bad characters
x86/call4_dword_xor Replaces the CALL instruction with a new, encrypted CALL instruction
x86/alpha_mixed Randomly shuffles the bytes in the payload
x86/countdown Inserts a countdown loop before executing the payload
x86/nonupper Subtracts 0x20 from uppercase letters to avoid bad characters
x86/shikata_ga_nai_reverse Same as x86/shikata_ga_nai, but with the output reversed
cmd/powershell_base64 Encodes a payload as a Base64 string for use in PowerShell
generic/none Disables encoding entirely
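As a defender-side counterpart to the cmd/powershell_base64 entry above, here is an added Python helper (mine, not from the cheat sheet or from Metasploit) that reverses that encoding when it shows up in a process-creation log line. It assumes the encoder's output is the standard PowerShell -EncodedCommand form (Base64 of the UTF-16LE script), and the log line it parses is a constructed sample, not a real capture.

```python
"""Added example, not from the cheat sheet or from Metasploit: a small
detection helper that reverses cmd/powershell_base64-style encoding.
PowerShell's -EncodedCommand (and any prefix of it, such as -e or -enc)
takes the script as Base64 of its UTF-16LE bytes, so a defender reading
process-creation logs can recover the plaintext mechanically."""
import base64
import binascii
import re

# Matches "-<flag> <base64>"; the flag is validated separately because
# PowerShell accepts any unambiguous prefix of -EncodedCommand.
_ARG_RE = re.compile(r"(?:^|\s)-([A-Za-z]+)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline: str):
    """Return the decoded script from a PowerShell command line, or None
    when no encoded-command flag is present or its argument is not valid
    Base64(UTF-16LE)."""
    for flag, blob in _ARG_RE.findall(cmdline):
        f = flag.lower()
        if not (f.startswith("e") and "encodedcommand".startswith(f)):
            continue
        try:
            raw = base64.b64decode(blob, validate=True)
            return raw.decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return None
    return None


def encode_for_powershell(script: str) -> str:
    """Build the Base64(UTF-16LE) form; used here only to construct the
    sample log line below, so the test has a known plaintext."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample process-creation log line (not a real capture); 4688
# is the Windows process-creation event id.
SAMPLE_LOG = (
    "EventID=4688 NewProcessName=C:\\Windows\\System32\\WindowsPowerShell"
    "\\v1.0\\powershell.exe CommandLine=powershell.exe -w hidden -nop -e "
    + encode_for_powershell("Write-Output 'hello from a lab'")
)


def triage(log_line: str) -> dict:
    """Summarise one log line: whether it carried an encoded command, what
    that command was, and two other flags a detection rule could key on
    (-w hidden and -nop in any of their accepted abbreviations)."""
    script = decode_encoded_command(log_line)
    return {
        "encoded": script is not None,
        "script": script,
        "hidden_window": bool(re.search(r"(?i)\s-w[a-z]*\s+hidden\b", log_line)),
        "noprofile": bool(re.search(r"(?i)\s-nop[a-z]*\b", log_line)),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```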
Evasion
These evasion techniques can be used to avoid detection and improve the chances of a
successful exploit. The polymorphic technique generates random or semi-random code to
avoid signature-based detection. Fragmentation breaks up the payload into smaller pieces
and sends them separately to evade detection. Encoding encodes the payload to avoid
detection, while padding adds random data to the payload to change its signature. The
timing technique delays the payload execution to avoid detection by behavior-based
analysis, while obfuscation modifies the payload to make it harder to analyze and detect.
Finally, stealth techniques are used to hide the presence of the payload or activity on the
target system.
Evasion Technique Description
polymorphic Generates random or semi-random code to avoid signature-based detection
fragmentation Breaks up the payload into smaller pieces and sends them separately to evade detection
encoding Encodes the payload to avoid detection
padding Adds random data to the payload to change its signature
timing Delays the payload execution to avoid detection by behavior-based analysis
obfuscation Modifies the payload to make it harder to analyze and detect
stealth Hides the presence of the payload or activity on the target system
Reporting
Metasploit has several built-in reporting features that allow users to generate customized
reports on the results of their security assessments. Some of the reporting options available
in Metasploit include:
Hosts Summary Report: Generates a report that summarizes the results of the
assessment, including the number of hosts scanned, services detected, and
vulnerabilities found.
Vulnerability Report: Generates a report that provides a detailed list of vulnerabilities
found during the assessment, including a description of the vulnerability, severity rating,
and recommendations for remediation.
Executive Summary Report: Generates a high-level report that provides a summary of
the assessment results, including a list of the top vulnerabilities and recommendations
for remediation.
Penetration Testing Report: Generates a comprehensive report that includes detailed
information on the assessment methodology, tools used, findings, recommendations,
and remediation strategies.
Compliance Report: Generates a report that provides evidence of compliance with
specific regulatory requirements, such as PCI DSS or HIPAA.
Custom Report: Allows users to generate a customized report by selecting specific
criteria to include, such as host information, vulnerability information, and remediation
recommendations.
Users can generate reports in a variety of formats, including HTML, PDF, and CSV, and can
customize the output to meet their specific needs. Additionally, Metasploit provides
integrations with other security tools and platforms, such as Nexpose and Rapid7 InsightVM,
to allow for seamless reporting and vulnerability management.
Frequently Asked Questions
Q: What is Metasploit?
A: Metasploit is an open-source framework used for developing and executing exploits
against target systems.
Q: What is an exploit?
A: An exploit is a piece of code or a technique used to take advantage of a vulnerability in a
target system to gain unauthorized access or perform malicious actions.
Q: Is Metasploit legal?
A: Yes, Metasploit is legal to use for security testing and research purposes. However, it
should only be used with the explicit permission of the target system owner.
Q: What operating systems does Metasploit support?
A: Metasploit is a cross-platform framework and can be used on Windows, Linux, and macOS.
Q: Do I need programming experience to use Metasploit?
A: While some programming experience can be helpful when using Metasploit, it is not
required. Metasploit provides a user-friendly interface and a wide range of pre-built modules
that can be used by security professionals with varying levels of technical expertise.
Q: Can Metasploit be used for ethical hacking?
A: Yes, Metasploit can be used for ethical hacking and penetration testing to identify and fix
security vulnerabilities in target systems.
Q: Is Metasploit only used by hackers?
A: No, Metasploit is used by a wide range of security professionals, including penetration
testers, red teams, and blue teams, to identify and fix security vulnerabilities.
Q: Are there any alternatives to Metasploit?
A: Yes, there are several alternatives to Metasploit, including Cobalt Strike, Core Impact, and
Canvas. However, Metasploit is one of the most widely used and well-known security testing
frameworks available.
Conclusion
In conclusion, Metasploit is a powerful open-source framework that is widely used by security
professionals and ethical hackers for conducting penetration testing and improving the
security of systems. This comprehensive cheat sheet has provided a quick guide to
Metasploit’s different components and commands in a table format. We hope that this cheat
sheet will serve as a valuable reference for security professionals who are new to Metasploit
or looking to refresh their knowledge of the framework. It is important to remember that
Metasploit should be used ethically and with the explicit permission of the target system
owner.
Rocky
Rocky is a versatile author sharing in-depth tutorials on web development, AI, and ethical
hacking. Unlock new possibilities and expand your knowledge with Rocky's empowering
content.
This is the Codelivly blog. Here, you will find articles discussing various topics related to coding
and programming. Our goal is to provide helpful resources and advice for beginners and
experienced coders alike.