\documentclass[10pt,a4paper]{article} % Packages \usepackage{fancyhdr} % For header and footer \usepackage{multicol} % Allows multicols in tables \usepackage{tabularx} % Intelligent column widths \usepackage{tabulary} % Used in header and footer \usepackage{hhline} % Border under tables \usepackage{graphicx} % For images \usepackage{xcolor} % For hex colours %\usepackage[utf8x]{inputenc} % For unicode character support \usepackage[T1]{fontenc} % Without this we get weird character replacements \usepackage{colortbl} % For coloured tables \usepackage{setspace} % For line height \usepackage{lastpage} % Needed for total page number \usepackage{seqsplit} % Splits long words. %\usepackage{opensans} % Can't make this work so far. Shame. Would be lovely. \usepackage[normalem]{ulem} % For underlining links % Most of the following are not required for the majority % of cheat sheets but are needed for some symbol support. \usepackage{amsmath} % Symbols \usepackage{MnSymbol} % Symbols \usepackage{wasysym} % Symbols %\usepackage[english,german,french,spanish,italian]{babel} % Languages % Document Info \author{binca} \pdfinfo{ /Title (metasploit.pdf) /Creator (Cheatography) /Author (binca) /Subject (Metasploit Cheat Sheet) } % Lengths and widths \addtolength{\textwidth}{6cm} \addtolength{\textheight}{-1cm} \addtolength{\hoffset}{-3cm} \addtolength{\voffset}{-2cm} \setlength{\tabcolsep}{0.2cm} % Space between columns \setlength{\headsep}{-12pt} % Reduce space between header and content \setlength{\headheight}{85pt} % If less, LaTeX automatically increases it \renewcommand{\footrulewidth}{0pt} % Remove footer line \renewcommand{\headrulewidth}{0pt} % Remove header line \renewcommand{\seqinsert}{\ifmmode\allowbreak\else\-\fi} % Hyphens in seqsplit % This two commands together give roughly % the right line height in the tables \renewcommand{\arraystretch}{1.3} \onehalfspacing % Commands \newcommand{\SetRowColor}[1]{\noalign{\gdef\RowColorName{#1}}\rowcolor{\RowColorName}} % Shortcut for row colour \newcommand{\mymulticolumn}[3]{\multicolumn{#1}{>{\columncolor{\RowColorName}}#2}{#3}} % For coloured multi-cols \newcolumntype{x}[1]{>{\raggedright}p{#1}} % New column types for ragged-right paragraph columns \newcommand{\tn}{\tabularnewline} % Required as custom column type in use % Font and Colours \definecolor{HeadBackground}{HTML}{333333} \definecolor{FootBackground}{HTML}{666666} \definecolor{TextColor}{HTML}{333333} \definecolor{DarkBackground}{HTML}{3797AB} \definecolor{LightBackground}{HTML}{F2F8F9} \renewcommand{\familydefault}{\sfdefault} \color{TextColor} % Header and Footer \pagestyle{fancy} \fancyhead{} % Set header to blank \fancyfoot{} % Set footer to blank \fancyhead[L]{ \noindent \begin{multicols}{3} \begin{tabulary}{5.8cm}{C} \SetRowColor{DarkBackground} \vspace{-7pt} {\parbox{\dimexpr\textwidth-2\fboxsep\relax}{\noindent \hspace*{-6pt}\includegraphics[width=5.8cm]{/web/www.cheatography.com/public/images/cheatography_logo.pdf}} } \end{tabulary} \columnbreak \begin{tabulary}{11cm}{L} \vspace{-2pt}\large{\bf{\textcolor{DarkBackground}{\textrm{Metasploit Cheat Sheet}}}} \\ \normalsize{by \textcolor{DarkBackground}{binca} via \textcolor{DarkBackground}{\uline{cheatography.com/44948/cs/13466/}}} \end{tabulary} \end{multicols}} \fancyfoot[L]{ \footnotesize \noindent \begin{multicols}{3} \begin{tabulary}{5.8cm}{LL} \SetRowColor{FootBackground} \mymulticolumn{2}{p{5.377cm}}{\bf\textcolor{white}{Cheatographer}} \\ \vspace{-2pt}binca \\ \uline{cheatography.com/binca} \\ \end{tabulary} \vfill \columnbreak \begin{tabulary}{5.8cm}{L} \SetRowColor{FootBackground} \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Cheat Sheet}} \\ \vspace{-2pt}Not Yet Published.\\ Updated 9th November, 2017.\\ Page {\thepage} of \pageref{LastPage}. \end{tabulary} \vfill \columnbreak \begin{tabulary}{5.8cm}{L} \SetRowColor{FootBackground} \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Sponsor}} \\ \SetRowColor{white} \vspace{-5pt} %\includegraphics[width=48px,height=48px]{dave.jpeg} Measure your website readability!\\ www.readability-score.com \end{tabulary} \end{multicols}} \begin{document} \raggedright \raggedcolumns % Set font size to small. Switch to any value % from this page to resize cheat sheet text: % www.emerson.emory.edu/services/latex/latex_169.html \footnotesize % Small font. \begin{multicols*}{2} \begin{tabularx}{8.4cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Overview}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Most popular exploitation framework and largest Ruby project.} \tn % Row Count 2 (+ 2) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{Commonly associated with network explotation but has useful auxiliary modules for web app testing.} \tn % Row Count 4 (+ 2) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Uses modular approach for payloads an exploits allowing for flexibility} \tn % Row Count 6 (+ 2) % Row 3 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{Auxiliary modules available for scanning, crawling/spidering and querying web servers; \textgreater{} 150 unique entries in auxiliary/scanner/http.} \tn % Row Count 9 (+ 3) % Row 4 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Especially useful for testing off-the-shelf applications including WordPress, Joomla, Drupal, Oracle DB, SQL Server, SCADA frontends and more.} \tn % Row Count 12 (+ 3) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Seeding Metasploit}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Metasploit has two spiders:\{\{nl\}\}{\bf{auxiliary/crawler/msfcrawler}}\{\{nl\}\}{\bf{auxiliary/scanner/http/crawler}}} \tn % Row Count 3 (+ 3) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{But Metasploit's crawlers are not a replacement for ZAP or Burp and instead Metasploit can import results from other tools.} \tn % Row Count 6 (+ 3) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{{\bf{db\_import}} allows Metasploit to ingest the output files of certain tools, parsing them into its own database structure.} \tn % Row Count 9 (+ 3) % Row 3 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{{\bf{db\_import -h}} provides a list of supported files and formats, many tools are included including Acunetix, AppScan, Burp, NetSparker, Nikto, and Wapiti.} \tn % Row Count 13 (+ 4) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{WMAP}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{A web scanning plugin in Metasploit, last updated in 2012 but still useful.} \tn % Row Count 2 (+ 2) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{Interfaces with Metaspoit's backend database launching auxiliary and exploit modules related to the web apps results within the database.} \tn % Row Count 5 (+ 3) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Can create custom profiles to run using {\bf{wmap\_sample\_profile.txt}} as a template.} \tn % Row Count 7 (+ 2) % Row 3 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{Lack documentation.} \tn % Row Count 8 (+ 1) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{BeEF and Metasploit}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Having a hooked browser allows:\{\{nl\}\}limited system privileges\{\{nl\}\}low persistence\{\{nl\}\}lacks the ability to exploit vulnerabilities\{\{nl\}\}wealth of knowledge about browsing environment} \tn % Row Count 4 (+ 4) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{Can configure BeEF to point at {\bf{Metasploit RPC listener}} to expose Metasploit modules.} \tn % Row Count 6 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}-} \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Enabling integration: \newline 1. Update config.yml in beef direoctry \newline 2. Configure Metasploit RPC in msfconsole by typing \newline load msgrpc ServerHost=127.0.0.1 \newline Pass = password \newline 3. Update config.yml in extensions/metasploit directory with info about Metasploit RPC \newline 4. Start BeEF \newline 5. Inject Metasploit} \tn \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Sqlmap and Metasploit}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{2-way integration: \{\{nl\} {\bf{Sqlmap.py}} can leverage a local {\bf{Metasploit}} install or use {\bf{sqlmap}} module within {\bf{Metasploit}} (less common)} \tn % Row Count 3 (+ 3) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{Within Sqlmap, Metasploit is primarily used for shellcode (shell, VNC, Meterpreter)\{\{nl\}\}{\bf{-{}-os-pwn : leverage Metasploit}}\{\{nl\}\}{\bf{-{}-priv-esc: Attempts privilege escalation on Windows}}\{\{nl\}\}{\bf{-{}-msf-path: Defines local Metasploit install location}}} \tn % Row Count 8 (+ 5) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Metasploit and Known Vulnerabilities}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Main use in web apps is for known vulnerabilities} \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{Custom application testing can be done with WMAP or auxiliary modules but exploitation is the main purpose.} \tn % Row Count 4 (+ 3) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Exploits against CMS, databases, specified SQLi Flaws, and major vulnerabilities such as ShellShock, Heartbleed, Drupalgeddon} \tn % Row Count 7 (+ 3) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Drupal and Drupalgeddon}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{One of the most common CMS serving content to end users and providing functionality.} \tn % Row Count 2 (+ 2) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{CMS are high-value targets because of their critical purpose.} \tn % Row Count 4 (+ 2) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{{\bf{Drupalgeddon (CVE-2014-3704)}} and patched on October 15, 2014} \tn % Row Count 6 (+ 2) % Row 3 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{Flaw is an unauthenticated SQLi vulnerability present on all Drupal 7 installs.} \tn % Row Count 8 (+ 2) % Row 4 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Successful exploitation provides {\bf{data access, remote code execution and local privilege execution}}.} \tn % Row Count 11 (+ 3) % Row 5 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{Widespread automated exploitation within hours.} \tn % Row Count 12 (+ 1) % Row 6 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Reason for the flaw lies within Drupal's use of prepared statements for SQL queries meant to defend against SQLi.} \tn % Row Count 15 (+ 3) % Row 7 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{Drupal includes {\bf{expandArguments()}} that explodes the arrays but it did not handle specially crafted input properly.} \tn % Row Count 18 (+ 3) % Row 8 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Compounded by Drupal's use of {\bf{PHP Data Objects (PDO)}}, which employs emulated prepared statements allowing for {\bf{multiple queries}} as one request.} \tn % Row Count 21 (+ 3) % Row 9 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{The result was unfiltered input was passed to {\bf{expandArguments()}} fnction allowing for an exploit entry point (SELECT pivot to INSERT)} \tn % Row Count 24 (+ 3) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Metasploit and Drupalgeddon}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{{\bf{exploit/multi/http/drupal\_drupalgeddon}} is the exploit in msfconsole} \tn % Row Count 2 (+ 2) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{The searcher who discovered posted 2 POC:\{\{nl\}\}1. Hijacks an admin session\{\{nl\}\} 2. Enabled remote code execution} \tn % Row Count 5 (+ 3) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{When Tools Fail}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Tools often fail because of {\bf{differences in server confgurations, quality issues, some may not be reliable, or results are indeterminate}}} \tn % Row Count 3 (+ 3) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{Additional testing may reveal an alternative tool or it may require manual exploitation. Researching the vulnerability and exploit may help.} \tn % Row Count 6 (+ 3) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{{\bf{CVE-2014-16010}} is a MediaWiki vulnerability with a Metasploit exploit available {\bf{exploit/multi/http/media\_wiki\_thumb}} and it uses either a DjVu (default) or PDF. The default fails.} \tn % Row Count 10 (+ 4) % Row 3 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{The vulnerability allowed for a PHP backdoor to be uploaded via command execution} \tn % Row Count 12 (+ 2) % Row 4 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{The Metasploit module works by manually uploading a PDF} \tn % Row Count 14 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} % That's all folks \end{multicols*} \end{document}