Show Menu

Metasploit Cheat Sheet (DRAFT) by

This is a draft cheat sheet. It is a work in progress and is not finished yet.


Most popular exploi­tation framework and largest Ruby project.
Commonly associated with network explot­ation but has useful auxiliary modules for web app testing.
Uses modular approach for payloads an exploits allowing for flexib­ility
Auxiliary modules available for scanning, crawli­ng/­spi­dering and querying web servers; > 150 unique entries in auxili­ary­/sc­ann­er/­http.
Especially useful for testing off-th­e-shelf applic­ations including WordPress, Joomla, Drupal, Oracle DB, SQL Server, SCADA frontends and more.

Seeding Metasploit

Metasploit has two spiders:
But Metasp­loit's crawlers are not a replac­ement for ZAP or Burp and instead Metasploit can import results from other tools.
db_i­mport allows Metasploit to ingest the output files of certain tools, parsing them into its own database structure.
db_i­mport -h provides a list of supported files and formats, many tools are included including Acunetix, AppScan, Burp, NetSpa­rker, Nikto, and Wapiti.


A web scanning plugin in Metasp­loit, last updated in 2012 but still useful.
Interfaces with Metasp­oit's backend database launching auxiliary and exploit modules related to the web apps results within the database.
Can create custom profiles to run using wmap­_sa­mpl­e_p­rof­ile.txt as a template.
Lack docume­nta­tion.

BeEF and Metasploit

Having a hooked browser allows:
limited system privileges
low persistence
lacks the ability to exploit vulnerabilities
wealth of knowledge about browsing enviro­nment
Can configure BeEF to point at Meta­sploit RPC listener to expose Metasploit modules.
Enabling integr­ation:
1. Update config.yml in beef direoctry
2. Configure Metasploit RPC in msfconsole by typing
load msgrpc Server­Hos­t=1­
Pass = password
3. Update config.yml in extens­ion­s/m­eta­sploit directory with info about Metasploit RPC
4. Start BeEF
5. Inject Metasploit

Sqlmap and Metasploit

2-way integr­ation: {{nl} Sqlm­ can leverage a local Meta­spl­oit install or use sqlmap module within Meta­spl­oit (less common)
Within Sqlmap, Metasploit is primarily used for shellcode (shell, VNC, Meterpreter)
--os-pwn : leverage Metasploit
--priv-esc: Attempts privilege escalation on Windows
--msf-path: Defines local Metasploit install location

Metasploit and Known Vulner­abi­lities

Main use in web apps is for known vulner­abi­lities
Custom applic­ation testing can be done with WMAP or auxiliary modules but exploi­tation is the main purpose.
Exploits against CMS, databases, specified SQLi Flaws, and major vulner­abi­lities such as ShellS­hock, Heartb­leed, Drupal­geddon

Drupal and Drupal­geddon

One of the most common CMS serving content to end users and providing functi­ona­lity.
CMS are high-value targets because of their critical purpose.
Drup­alg­eddon (CVE-2­014­-37­04) and patched on October 15, 2014
Flaw is an unauth­ent­icated SQLi vulner­ability present on all Drupal 7 installs.
Successful exploi­tation provides data access, remote code execution and local privilege execut­ion.
Widespread automated exploi­tation within hours.
Reason for the flaw lies within Drupal's use of prepared statements for SQL queries meant to defend against SQLi.
Drupal includes expa­ndA­rgu­men­ts() that explodes the arrays but it did not handle specially crafted input properly.
Compounded by Drupal's use of PHP Data Objects (PDO), which employs emulated prepared statements allowing for multiple queries as one request.
The result was unfiltered input was passed to expa­ndA­rgu­men­ts() fnction allowing for an exploit entry point (SELECT pivot to INSERT)

Metasploit and Drupal­geddon

expl­oit­/mu­lti­/ht­tp/­dru­pal­_dr­upa­lge­ddon is the exploit in msfconsole
The searcher who discovered posted 2 POC:
1. Hijacks an admin session
2. Enabled remote code execution

When Tools Fail

Tools often fail because of diff­erences in server confgu­rat­ions, quality issues, some may not be reliable, or results are indete­rmi­nate
Additional testing may reveal an altern­ative tool or it may require manual exploi­tation. Resear­ching the vulner­ability and exploit may help.
CVE-­201­4-1­6010 is a MediaWiki vulner­ability with a Metasploit exploit available expl­oit­/mu­lti­/ht­tp/­med­ia_­wik­i_t­humb and it uses either a DjVu (default) or PDF. The default fails.
The vulner­ability allowed for a PHP backdoor to be uploaded via command execution
The Metasploit module works by manually uploading a PDF

Help Us Go Positive!

We offset our carbon usage with Ecologi. Click the link below to help us!

We offset our carbon footprint via Ecologi