My Pentesting Cheatsheet

Metasploit

yup, this whole page is just for it :3


Last updated 27 days ago

  • msfconsole to start it

Command: description

  • search exploit <term>: searches the exploits for the term

  • use <exploit_path>: selects the exploit to use (or use the number shown after a search)

  • show options: shows the selected exploit's options

  • set <variable> <value>: sets an option's value

  • check: checks if the server is vulnerable

  • exploit: runs the exploit

Useful exploits

  • multi/handler to catch shells from msfvenom

  • windows/smb/ms17_010_psexec EternalBlue (scan with auxiliary/scanner/smb/smb_ms17_010)

  • post/multi/recon/local_exploit_suggester After successful shell, suggests possible exploits

  • multi/manage/shell_to_meterpreter Upgrades a generic shell to meterpreter

Adding exploits to msfconsole

For example, find the exploit with searchsploit:

searchsploit Lightweight Facebook-styled blog 1.3

The exploit has a Metasploit module (the 50064.rb result), but it's not included by default, so we have to import it:

cd /usr/share/metasploit-framework/modules/exploits
# optionally mkdir -p php/webapps to mirror the searchsploit path
searchsploit -m php/webapps/50064.rb   # copies 50064.rb into the current directory

msfconsole -m /usr/share/metasploit-framework/modules/
# OR from inside metasploit
msf6 > loadpath /usr/share/metasploit-framework/modules/
# OR
msf6 > reload_all

The critical folders are also symlinked in our home and root folders in the hidden ~/.msf4/ location.

Always use snake-case, alphanumeric characters, and underscores instead of dashes.
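As an added example (not from the original page), a small POSIX shell helper that does the import above the way reload_all expects it: it mirrors the searchsploit path under ~/.msf4/modules/exploits/ and rejects file names that break the snake_case rule. The function names, the ROOT parameter and the constructed 50064.rb sample are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not the original page's code): put a searchsploit module where
# Metasploit's reload_all will find it, and enforce the snake_case name rule first.
# Assumptions: ROOT defaults to ~/.msf4; EDB is the relative path searchsploit prints
# (e.g. php/webapps/50064.rb); function names are this example's own.

# msf_module_dest EDB_PATH [ROOT]
# Prints the destination file under ROOT/modules/exploits/<platform>/<category>/,
# or returns 1 when the file name is not snake_case (lowercase, digits, underscores).
msf_module_dest() {
  edb="$1"
  root="${2:-$HOME/.msf4}"
  name="$(basename "$edb" .rb)"
  platform="${edb%%/*}"                        # php
  category="$(basename "$(dirname "$edb")")"   # webapps
  case "$name" in
    ""|*[!a-z0-9_]*) return 1 ;;               # dashes, capitals, spaces: rejected
  esac
  printf '%s/modules/exploits/%s/%s/%s.rb\n' "$root" "$platform" "$category" "$name"
}

# msf_import_module SRC_FILE EDB_PATH [ROOT]
# Copies the .rb that "searchsploit -m" dropped in the current directory into place
# and prints the final path; afterwards run reload_all inside msfconsole.
msf_import_module() {
  src="$1"
  edb="$2"
  root="${3:-$HOME/.msf4}"
  dest="$(msf_module_dest "$edb" "$root")" || {
    echo "refusing '$edb': module file names must be snake_case" >&2
    return 1
  }
  mkdir -p "$(dirname "$dest")" && cp "$src" "$dest" && printf '%s\n' "$dest"
}

# Usage (after: searchsploit -m php/webapps/50064.rb):
#   msf_import_module 50064.rb php/webapps/50064.rb
```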

Search

help search
search type:exploit platform:windows cve:2021 rank:excellent microsoft

GREP

grep meterpreter show payloads
grep meterpreter grep reverse_tcp show payloads

Payload Types

The table below contains the most common payloads used for Windows machines and their respective descriptions.

Payload: description

  • generic/custom: generic listener, multi-use

  • generic/shell_bind_tcp: generic listener, multi-use, normal shell, TCP connection binding

  • generic/shell_reverse_tcp: generic listener, multi-use, normal shell, reverse TCP connection

  • windows/x64/exec: executes an arbitrary command (Windows x64)

  • windows/x64/loadlibrary: loads an arbitrary x64 library path

  • windows/x64/messagebox: spawns a dialog via MessageBox using a customizable title, text & icon

  • windows/x64/shell_reverse_tcp: normal shell, single payload, reverse TCP connection

  • windows/x64/shell/reverse_tcp: normal shell, stager + stage, reverse TCP connection

  • windows/x64/shell/bind_ipv6_tcp: normal shell, stager + stage, IPv6 bind TCP stager

  • windows/x64/meterpreter/$: Meterpreter payload + the varieties above

  • windows/x64/powershell/$: interactive PowerShell sessions + the varieties above

  • windows/x64/vncinject/$: VNC server (reflective injection) + the varieties above

Encoders

msfvenom flags to add encoding:

-b "\x00" -e x86/shikata_ga_nai -i 10
  • -b bad bytes the payload must not contain

  • -e the encoder to use

  • -i the number of encoding iterations

For msfconsole:

show encoders

If we were to encode an executable payload only once with SGN, it would most likely be detected by most antiviruses today; the note on Shikata Ga Nai at the end of this page goes into that.

Databases

Metasploit supports PostgreSQL by default.

Check status:

sudo msfdb status

Configure if not already present:

sudo service postgresql status
sudo systemctl start postgresql
sudo msfdb init

Workspaces

workspace -a Target_1   # create a workspace
workspace Target_1      # switch to it
workspace               # list workspaces
workspace -h

Importing nmap scans

You can import XML (preferably) nmap outputs:

db_import Target.xml

Or scan directly from inside msfconsole:

db_nmap -sV -sS 10.10.10.8

See saved target hosts:

hosts

See discovered services:

services

Save Found Credentials

creds -h

Backup data

After finishing the session, back up our data in case anything happens to the PostgreSQL service. To do so, use the db_export command.

db_export -f xml backup.xml

Loot

The loot command works in conjunction with the command above to offer you an at-a-glance list of owned services and users. The loot, in this case, refers to hash dumps from different system types, namely hashes, passwd, shadow, and more.

loot -h

Plugins

Listed in /usr/share/metasploit-framework/plugins

Loading plugins (example with nessus):

load nessus
nessus_help

Installing new plugins

git clone https://github.com/darkoperator/Metasploit-Plugins
sudo cp ./Metasploit-Plugins/pentest.rb /usr/share/metasploit-framework/plugins/pentest.rb

Afterward, launch msfconsole and check the plugin's installation by running the load command. After the plugin has been loaded, the help menu at the msfconsole is automatically extended by additional functions.

Some plugins

Many people write many different plugins for the Metasploit framework. They all have a specific purpose and can be an excellent help to save time after familiarizing ourselves with them. Check out the list of popular plugins below:

  • nMap (pre-installed)

  • NexPose (pre-installed)

  • Nessus (pre-installed)

  • Mimikatz (pre-installed V.1)

  • Stdapi (pre-installed)

  • Railgun

  • Priv

  • Incognito (pre-installed)

  • Darkoperator's

Sessions

To background the current meterpreter (or other stage's) session, use:

background

List sessions with:

sessions

Switch to a session by ID with:

sessions -i <Number>

Post modules often require a session to be specified in their options (the SESSION option).

Jobs

If, for example, we are running an active exploit on a specific port and need that port for a different module, we cannot simply terminate the session with [CTRL] + [C]. If we did, the port would still be in use and would block the new module. Instead, we use the jobs command to look at the tasks currently running in the background and terminate the old ones to free up the port.

jobs -h

When we run an exploit, we can run it as a job by typing exploit -j. Per the help menu for the exploit command, adding -j (instead of plain exploit or run) will "run it in the context of a job."

exploit -h

Listing running jobs:

jobs -l

Use jobs -K to kill all running jobs, or jobs -k <index> to kill a specific one.

Useful meterpreter commands

hashdump
load kiwi          # the lsa_dump_* commands below come from the kiwi (mimikatz) extension
lsa_dump_sam
lsa_dump_secrets

To write a custom script, all necessary information about Metasploit Ruby coding can be found on the Rubydoc.info Metasploit Framework page.

Shikata Ga Nai (SGN) was one of the most utilized encoding schemes because it was so hard to detect; today, payloads encoded through its mechanism are not universally undetectable anymore. Far from it. The name (仕方がない) means "It cannot be helped" or "Nothing can be done about it", and rightfully so if we were reading this a few years ago. However, there are other methodologies we will explore to evade protection systems. This article from FireEye details the why and the how of Shikata Ga Nai's previous rule over the other encoders.