Home 0P3N Blog Metasploit Cheat Sheet
Ready to Start Your Career?
Create Free Account
authors profile image
January 1, 2016

Metasploit Cheat Sheet

January 1, 2016
authors profile image
January 1, 2016
Thanks to the Null-Byte user OccupyTheWeb( AKA : OTW ) here is an ultimate cheat sheet on Metasploit's Meterpreter in Kali Linux ( or any other Pentesting OS ). At its most basic use, meterpreter is a Linux terminal on the victim's computer. As such, many of our basic Linux commands can be used on the meterpreter even if it's on a Windows or other operating system. Here are some of the core commands we can use on the meterpreter. ***Core Commands :*** ? - help menu background - moves the current session to the background bgkill - kills a background meterpreter script bglist - provides a list of all running background scripts bgrun - runs a script as a background thread channel - displays active channels close - closes a channel exit - terminates a meterpreter session help - help menu interact - interacts with a channel irb - go into Ruby scripting mode migrate - moves the active process to a designated PID quit - terminates the meterpreter session read - reads the data from a channel run - executes the meterpreter script designated after it use - loads a meterpreter extension write - writes data to a channel ***File System Commands*** cat - read and output to stdout the contents of a file cd - change directory on the victim del - delete a file on the victim download - download a file from the victim system to the attacker system edit - edit a file with vim getlwd - print the local directory getwd - print working directory lcd - change local directory lpwd - print local directory ls - list files in current directory mkdir - make a directory on the victim system pwd - print working directory rm - delete a file rmdir - remove directory on the victim system upload - upload a file from the attacker system to the victim ***Networking Commands*** ipconfig - displays network interfaces with key information including IP address, etc. portfwd - forwards a port on the victim system to a remote service route - view or modify the victim routing table ***System Commands*** clearav - clears the event logs on the victim's computer drop\_token - drops a stolen token execute - executes a command getpid - gets the current process ID (PID) getprivs - gets as many privileges as possible getuid - get the user that the server is running as kill - terminate the process designated by the PID ps - list running processes reboot - reboots the victim computer reg - interact with the victim's registry rev2self - calls RevertToSelf() on the victim machine shell - opens a command shell on the victim machine shutdown - shuts down the victim's computer steal\_token - attempts to steal the token of a specified (PID) process sysinfo - gets the details about the victim computer such as OS and name ***User Interface Commands*** enumdesktops - lists all accessible desktops getdesktop - get the current meterpreter desktop idletime - checks to see how long since the victim system has been idle keyscan\_dump - dumps the contents of the software keylogger keyscan\_start - starts the software keylogger when associated with a process such as Word or browser keyscan\_stop - stops the software keylogger screenshot - grabs a screenshot of the meterpreter desktop set\_desktop - changes the meterpreter desktop uictl - enables control of some of the user interface components ***Privilege Escalation Commands*** getsystem - uses 15 built-in methods to gain sysadmin privileges ***Password Dump Commands*** hashdump - grabs the hashes in the password (SAM) file Note that hashdump will often trip AV software, but there are now two scripts that are more stealthy, "run hashdump" and "run smart\_hashdump". Look for more on those on my upcoming meterpreter script cheat sheet. ***Timestomp Commands*** timestomp - manipulates the modify, access, and create attributes of a file ***Meterpreter Scripts Cheat Sheet :*** arp\_scanner.rb - Script for performing an ARP's Scan Discovery. autoroute.rb - Meterpreter session without having to background the current session. checkvm.rb - Script for detecting if target host is a virtual machine. credcollect.rb - Script to harvest credentials found on the host and store them in the database. domain\_list\_gen.rb - Script for extracting domain admin account list for use. dumplinks.rb - Dumplinks parses .lnk files from a user's recent documents folder and Microsoft Office's Recent documents folder, if present. The .lnk files contain time stamps, file locations, including share names, volume serial #s and more. This info may help you target additional systems. duplicate.rb - Uses a meterpreter session to spawn a new meterpreter session in a different process. A new process allows the session to take "risky" actions that might get the process killed by A/V, giving a meterpreter session to another controller, or start a keylogger on another process. enum\_chrome.rb - Script to extract data from a chrome installation. enum\_firefox.rb - Script for extracting data from Firefox. enum\_logged\_on\_users.rb - Script for enumerating current logged users and users that have logged in to the system. enum\_powershell\_env.rb - Enumerates PowerShell and WSH configurations. enum\_putty.rb - Enumerates Putty connections. enum\_shares.rb - Script for Enumerating shares offered and history of mounted shares. enum\_vmware.rb - Enumerates VMware configurations for VMware products. event\_manager.rb - Show information about Event Logs on the target system and their configuration. file\_collector.rb - Script for searching and downloading files that match a specific pattern. get\_application\_list.rb - Script for extracting a list of installed applications and their version. getcountermeasure.rb - Script for detecting AV, HIPS, Third Party Firewalls, DEP Configuration and Windows Firewall configuration. Provides also the option to kill the processes of detected products and disable the built-in firewall. get\_env.rb - Script for extracting a list of all System and User environment variables. getfilezillacreds.rb - Script for extracting servers and credentials from Filezilla. getgui.rb - Script to enable Windows RDP. get\_local\_subnets.rb - Get a list of local subnets based on the host's routes. get\_pidgen\_creds.rb - Script for extracting configured services with username and passwords. gettelnet.rb - Checks to see whether telnet is installed. get\_valid\_community.rb - Gets a valid community string from SNMP. getvncpw.rb - Gets the VNC password. hashdump.rb - Grabs password hashes from the SAM. hostedit.rb - Script for adding entries in to the Windows Hosts file. keylogrecorder.rb - Script for running keylogger and saving all the keystrokes. killav.rb - Terminates nearly every antivirus software on victim. metsvc.rb - Delete one meterpreter service and start another. migrate - Moves the meterpreter service to another process. multicommand.rb - Script for running multiple commands on Windows 2003, Windows Vistaand Windows XP and Windows 2008 targets. multi\_console\_command.rb - Script for running multiple console commands on a meterpreter session. multi\_meter\_inject.rb - Script for injecting a reverce tcp Meterpreter Payload into memory of multiple PIDs, if none is provided a notepad process will be created and a Meterpreter Payload will be injected in to each. multiscript.rb - Script for running multiple scripts on a Meterpreter session. netenum.rb - Script for ping sweeps on Windows 2003, Windows Vista, Windows 2008 and Windows XP targets using native Windows commands. packetrecorder.rb - Script for capturing packets in to a PCAP file. panda2007pavsrv51.rb - This module exploits a privilege escalation vulnerability in Panda Antivirus 2007. Due to insecure permission issues, a local attacker can gain elevated privileges. persistence.rb - Script for creating a persistent backdoor on a target host. pml\_driver\_config.rb - Exploits a privilege escalation vulnerability in Hewlett-Packard's PML Driver HPZ12. Due to an insecure SERVICE\_CHANGE\_CONFIG DACL permission, a local attacker can gain elevated privileges. powerdump.rb - Meterpreter script for utilizing purely PowerShell to extract username and password hashes through registry keys. This script requires you to be running as system in order to work properly. This has currently been tested on Server 2008 and Windows 7, which installs PowerShell by default. prefetchtool.rb - Script for extracting information from windows prefetch folder. process\_memdump.rb - Script is based on the paper Neurosurgery With Meterpreter. remotewinenum.rb - This script will enumerate windows hosts in the target environment given a username and password or using the credential under which Meterpeter is running using WMI wmic windows native tool. scheduleme.rb - Script for automating the most common scheduling tasks during a pentest. This script works with Windows XP, Windows 2003, Windows Vista and Windows 2008. schelevator.rb - Exploit for Windows Vista/7/2008 Task Scheduler 2.0 Privilege Escalation. This script exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet. schtasksabuse.rb - Meterpreter script for abusing the scheduler service in Windows by scheduling and running a list of command against one or more targets. Using schtasks command to run them as system. This script works with Windows XP, Windows 2003, Windows Vista and Windows 2008. scraper.rb - The goal of this script is to obtain system information from a victim through an existing Meterpreter session. screenspy.rb - This script will open an interactive view of remote hosts. You will need Firefox installed on your machine. screen\_unlock.rb - Script to unlock a windows screen. Needs system privileges to run and known signatures for the target system. screen\_dwld.rb - Script that recursively search and download files matching a given pattern. service\_manager.rb - Script for managing Windows services. service\_permissions\_escalate.rb This script attempts to create a service, then searches through a list of existing services to look for insecure file or configuration permissions that will let it replace the executable with a payload. It will then attempt to restart the replaced service to run the payload. If that fails, the next time the service is started (such as on reboot) the attacker will gain elevated privileges. sound\_recorder.rb - Script for recording in intervals the sound capture by a target host microphone. srt\_webdrive\_priv.rb - Exploits a privilege escalation vulnerability in South River Technologies WebDrive. uploadexec.rb - Script to upload executable file to host. virtualbox\_sysenter\_dos - Script to DoS Virtual Box. virusscan\_bypass.rb - Script that kills Mcafee VirusScan Enterprise v8.7.0i+ processes. vnc.rb - Meterpreter script for obtaining a quick VNC session. webcam.rb - Script to enable and capture images from the host webcam. win32-sshclient.rb - Script to deploy & run the "plink" commandline ssh-client. Supports only MS-Windows-2k/XP/Vista Hosts. win32-sshserver.rb - Script to deploy and run OpenSSH on the target machine. winbf.rb - Function for checking the password policy of current system. This policy may resemble the policy of other servers in the target environment. winenum.rb - Enumerates Windows system including environment variables, network interfaces, routing, user accounts, etc wmic.rb - Script for running WMIC commands on Windows 2003, Windows Vista and Windows XP and Windows 2008 targets. ***Example of Usage : If i want to kill the antivirus of the Victim System : run killav.rb*** This will kill the Anti Virus of the Victim's System -- xMidnightSnowx Thanks to the Null-Byte user OccupyTheWeb( AKA : OTW ) here is an ultimate cheat sheet on Metasploit's Meterpreter in Kali Linux ( or any other Pentesting OS ). At its most basic use, meterpreter is a Linux terminal on the victim's computer. As such, many of our basic Linux commands can be used on the meterpreter even if it's on a Windows or other operating system. Here are some of the core commands we can use on the meterpreter. ***Core Commands :*** ? - help menu background - moves the current session to the background bgkill - kills a background meterpreter script bglist - provides a list of all running background scripts bgrun - runs a script as a background thread channel - displays active channels close - closes a channel exit - terminates a meterpreter session help - help menu interact - interacts with a channel irb - go into Ruby scripting mode migrate - moves the active process to a designated PID quit - terminates the meterpreter session read - reads the data from a channel run - executes the meterpreter script designated after it use - loads a meterpreter extension write - writes data to a channel ***File System Commands*** cat - read and output to stdout the contents of a file cd - change directory on the victim del - delete a file on the victim download - download a file from the victim system to the attacker system edit - edit a file with vim getlwd - print the local directory getwd - print working directory lcd - change local directory lpwd - print local directory ls - list files in current directory mkdir - make a directory on the victim system pwd - print working directory rm - delete a file rmdir - remove directory on the victim system upload - upload a file from the attacker system to the victim ***Networking Commands*** ipconfig - displays network interfaces with key information including IP address, etc. portfwd - forwards a port on the victim system to a remote service route - view or modify the victim routing table ***System Commands*** clearav - clears the event logs on the victim's computer drop\_token - drops a stolen token execute - executes a command getpid - gets the current process ID (PID) getprivs - gets as many privileges as possible getuid - get the user that the server is running as kill - terminate the process designated by the PID ps - list running processes reboot - reboots the victim computer reg - interact with the victim's registry rev2self - calls RevertToSelf() on the victim machine shell - opens a command shell on the victim machine shutdown - shuts down the victim's computer steal\_token - attempts to steal the token of a specified (PID) process sysinfo - gets the details about the victim computer such as OS and name ***User Interface Commands*** enumdesktops - lists all accessible desktops getdesktop - get the current meterpreter desktop idletime - checks to see how long since the victim system has been idle keyscan\_dump - dumps the contents of the software keylogger keyscan\_start - starts the software keylogger when associated with a process such as Word or browser keyscan\_stop - stops the software keylogger screenshot - grabs a screenshot of the meterpreter desktop set\_desktop - changes the meterpreter desktop uictl - enables control of some of the user interface components ***Privilege Escalation Commands*** getsystem - uses 15 built-in methods to gain sysadmin privileges ***Password Dump Commands*** hashdump - grabs the hashes in the password (SAM) file Note that hashdump will often trip AV software, but there are now two scripts that are more stealthy, "run hashdump" and "run smart\_hashdump". Look for more on those on my upcoming meterpreter script cheat sheet. ***Timestomp Commands*** timestomp - manipulates the modify, access, and create attributes of a file ***Meterpreter Scripts Cheat Sheet :*** arp\_scanner.rb - Script for performing an ARP's Scan Discovery. autoroute.rb - Meterpreter session without having to background the current session. checkvm.rb - Script for detecting if target host is a virtual machine. credcollect.rb - Script to harvest credentials found on the host and store them in the database. domain\_list\_gen.rb - Script for extracting domain admin account list for use. dumplinks.rb - Dumplinks parses .lnk files from a user's recent documents folder and Microsoft Office's Recent documents folder, if present. The .lnk files contain time stamps, file locations, including share names, volume serial #s and more. This info may help you target additional systems. duplicate.rb - Uses a meterpreter session to spawn a new meterpreter session in a different process. A new process allows the session to take "risky" actions that might get the process killed by A/V, giving a meterpreter session to another controller, or start a keylogger on another process. enum\_chrome.rb - Script to extract data from a chrome installation. enum\_firefox.rb - Script for extracting data from Firefox. enum\_logged\_on\_users.rb - Script for enumerating current logged users and users that have logged in to the system. enum\_powershell\_env.rb - Enumerates PowerShell and WSH configurations. enum\_putty.rb - Enumerates Putty connections. enum\_shares.rb - Script for Enumerating shares offered and history of mounted shares. enum\_vmware.rb - Enumerates VMware configurations for VMware products. event\_manager.rb - Show information about Event Logs on the target system and their configuration. file\_collector.rb - Script for searching and downloading files that match a specific pattern. get\_application\_list.rb - Script for extracting a list of installed applications and their version. getcountermeasure.rb - Script for detecting AV, HIPS, Third Party Firewalls, DEP Configuration and Windows Firewall configuration. Provides also the option to kill the processes of detected products and disable the built-in firewall. get\_env.rb - Script for extracting a list of all System and User environment variables. getfilezillacreds.rb - Script for extracting servers and credentials from Filezilla. getgui.rb - Script to enable Windows RDP. get\_local\_subnets.rb - Get a list of local subnets based on the host's routes. get\_pidgen\_creds.rb - Script for extracting configured services with username and passwords. gettelnet.rb - Checks to see whether telnet is installed. get\_valid\_community.rb - Gets a valid community string from SNMP. getvncpw.rb - Gets the VNC password. hashdump.rb - Grabs password hashes from the SAM. hostedit.rb - Script for adding entries in to the Windows Hosts file. keylogrecorder.rb - Script for running keylogger and saving all the keystrokes. killav.rb - Terminates nearly every antivirus software on victim. metsvc.rb - Delete one meterpreter service and start another. migrate - Moves the meterpreter service to another process. multicommand.rb - Script for running multiple commands on Windows 2003, Windows Vistaand Windows XP and Windows 2008 targets. multi\_console\_command.rb - Script for running multiple console commands on a meterpreter session. multi\_meter\_inject.rb - Script for injecting a reverce tcp Meterpreter Payload into memory of multiple PIDs, if none is provided a notepad process will be created and a Meterpreter Payload will be injected in to each. multiscript.rb - Script for running multiple scripts on a Meterpreter session. netenum.rb - Script for ping sweeps on Windows 2003, Windows Vista, Windows 2008 and Windows XP targets using native Windows commands. packetrecorder.rb - Script for capturing packets in to a PCAP file. panda2007pavsrv51.rb - This module exploits a privilege escalation vulnerability in Panda Antivirus 2007. Due to insecure permission issues, a local attacker can gain elevated privileges. persistence.rb - Script for creating a persistent backdoor on a target host. pml\_driver\_config.rb - Exploits a privilege escalation vulnerability in Hewlett-Packard's PML Driver HPZ12. Due to an insecure SERVICE\_CHANGE\_CONFIG DACL permission, a local attacker can gain elevated privileges. powerdump.rb - Meterpreter script for utilizing purely PowerShell to extract username and password hashes through registry keys. This script requires you to be running as system in order to work properly. This has currently been tested on Server 2008 and Windows 7, which installs PowerShell by default. prefetchtool.rb - Script for extracting information from windows prefetch folder. process\_memdump.rb - Script is based on the paper Neurosurgery With Meterpreter. remotewinenum.rb - This script will enumerate windows hosts in the target environment given a username and password or using the credential under which Meterpeter is running using WMI wmic windows native tool. scheduleme.rb - Script for automating the most common scheduling tasks during a pentest. This script works with Windows XP, Windows 2003, Windows Vista and Windows 2008. schelevator.rb - Exploit for Windows Vista/7/2008 Task Scheduler 2.0 Privilege Escalation. This script exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet. schtasksabuse.rb - Meterpreter script for abusing the scheduler service in Windows by scheduling and running a list of command against one or more targets. Using schtasks command to run them as system. This script works with Windows XP, Windows 2003, Windows Vista and Windows 2008. scraper.rb - The goal of this script is to obtain system information from a victim through an existing Meterpreter session. screenspy.rb - This script will open an interactive view of remote hosts. You will need Firefox installed on your machine. screen\_unlock.rb - Script to unlock a windows screen. Needs system privileges to run and known signatures for the target system. screen\_dwld.rb - Script that recursively search and download files matching a given pattern. service\_manager.rb - Script for managing Windows services. service\_permissions\_escalate.rb This script attempts to create a service, then searches through a list of existing services to look for insecure file or configuration permissions that will let it replace the executable with a payload. It will then attempt to restart the replaced service to run the payload. If that fails, the next time the service is started (such as on reboot) the attacker will gain elevated privileges. sound\_recorder.rb - Script for recording in intervals the sound capture by a target host microphone. srt\_webdrive\_priv.rb - Exploits a privilege escalation vulnerability in South River Technologies WebDrive. uploadexec.rb - Script to upload executable file to host. virtualbox\_sysenter\_dos - Script to DoS Virtual Box. virusscan\_bypass.rb - Script that kills Mcafee VirusScan Enterprise v8.7.0i+ processes. vnc.rb - Meterpreter script for obtaining a quick VNC session. webcam.rb - Script to enable and capture images from the host webcam. win32-sshclient.rb - Script to deploy & run the "plink" commandline ssh-client. Supports only MS-Windows-2k/XP/Vista Hosts. win32-sshserver.rb - Script to deploy and run OpenSSH on the target machine. winbf.rb - Function for checking the password policy of current system. This policy may resemble the policy of other servers in the target environment. winenum.rb - Enumerates Windows system including environment variables, network interfaces, routing, user accounts, etc wmic.rb - Script for running WMIC commands on Windows 2003, Windows Vista and Windows XP and Windows 2008 targets. ***Example of Usage : If i want to kill the antivirus of the Victim System : run killav.rb*** This will kill the Anti Virus of the Victim's System -- xMidnightSnowx Thanks for taking to time to make this , very useful and handy Very useful metasploit cheat sheet list,i have already make one for me before but your one is bigger thanks OP for this list. I've been using Metasploit and Armitage since Backtrack 3 and I must say this cheat sheet is amazing Good Job SANS also has a decent cheat sheet [here](https://www.sans.org/media/netwars/brochure-netwars-2014.pdf). SANS released an updated version of their cheat sheet today - https://sans.org/u/5pQ Thanks for the link , I'll update this ASAP -- xMidnightSnowx Also thanks to Mr\_Clark for the updated cheat sheet link from SANS . Thanks very useful commands for any PenTEST OS... Thanks, will print. Great work invaluable I love Cybrary for getting everyone together I am going to use this during my studying. Nice share, lets not forget that metasploit has great community, lets lookup resources here: http://resources.metasploit.com/ Metasploit unleashed nice and free course to learn metasploit: https://www.offensive-security.com/metasploit-unleashed/ Metasploit dev API and documentation: http://rapid7.github.io/metasploit-framework/api/ This is excellent -thanks for putting it together and posting it!!! Thank for sharing nice write-up, thanks for the share Cool, Thanks Thanks for the info. First rectify the mistake it's clearev (cleaning event management logs in a compromised Machine / server).
Schedule Demo

Build your Cybersecurity or IT Career

Accelerate in your role, earn new certifications, and develop cutting-edge skills using the fastest growing catalog in the industry