Metasploit

Port Scan

use auxiliary/scanner/portscan/tcp
set RHOSTS 10.10.10.0/24
run

DNS Enumeration

use auxiliary/gather/dns_enum
set DOMAIN target.tgt
run

Host FTP Server

use auxiliary/server/ftp
set FTPROOT /tmp/ftproot
run

Proxy Server

  • Any proxied traffic that matches the subnet of a route will be routed through the session specified by route.

  • Use proxychains configured for socks4 to route any application's traffic through a Meterpreter session.
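To make the first bullet concrete, the following is an added example (not part of this cheat sheet or of Metasploit itself) that models how a route table maps a proxied destination to a session. It assumes the behaviour of a conventional routing table: when several routes cover the same destination, the most specific one (longest prefix) wins. The route entries and addresses are constructed for illustration.

```python
import ipaddress

# Constructed route table, one entry per `route add <subnet> <mask> <session>`:
# (network, session id). Session 3's route overlaps session 2's but is more specific.
ROUTE_ENTRIES = [
    ("10.10.10.0/24", 1),
    ("10.10.20.0/24", 2),
    ("10.10.20.128/25", 3),
]


def build_routes(entries):
    """Turn (cidr, session) pairs into (ip_network, session) pairs."""
    return [(ipaddress.ip_network(net, strict=False), sid) for net, sid in entries]


def session_for(dst, routes):
    """Return the session whose route most specifically matches dst.

    Longest-prefix match is assumed here. None means no route matched, i.e.
    the traffic would leave via the local interface rather than a session.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, sid in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, sid)
    return best[1] if best else None


if __name__ == "__main__":
    routes = build_routes(ROUTE_ENTRIES)
    for dst in ("10.10.10.5", "10.10.20.5", "10.10.20.200", "192.168.1.1"):
        print(dst, "->", session_for(dst, routes))
```

The same lookup is what decides, for a socks4 proxy fed by proxychains, which session (if any) a given connection is tunnelled through; a destination outside every route is not proxied through a session at all.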

msfvenom

  • The msfvenom tool can be used to generate Metasploit payloads (such as Meterpreter) as standalone files and optionally encode them.

List Payloads

Basic Examples

Format Options

Encoders

  • See all encoders

  • Basic Example:

Meterpreter

  • Core commands will be helpful to navigate and interact with the target system. Below are some of the most commonly used.

  • Remember to check all available commands by running the help command once a Meterpreter session has started.

Post Exploitation Modules Reference

  • https://www.offensive-security.com/metasploit-unleashed/post-module-reference/

Core commands

  • background: Backgrounds the current session

  • exit: Terminate the Meterpreter session

  • guid: Get the session GUID (Globally Unique Identifier)

  • help: Displays the help menu

  • info: Displays information about a Post module

  • irb: Opens an interactive Ruby shell on the current session

  • load: Loads one or more Meterpreter extensions

  • migrate: Allows you to migrate Meterpreter to another process

  • run: Executes a Meterpreter script or Post module

  • sessions: Quickly switch to another session

File system commands

  • cd: Will change directory

  • ls: Will list files in the current directory (dir will also work)

  • pwd: Prints the current working directory

  • edit: Will allow you to edit a file

  • cat: Will show the contents of a file to the screen

  • rm: Will delete the specified file

  • search: Will search for files

  • upload: Will upload a file or directory

  • download: Will download a file or directory

Networking commands

  • arp: Displays the host ARP (Address Resolution Protocol) cache

  • ifconfig: Displays network interfaces available on the target system

  • netstat: Displays the network connections

  • portfwd: Forwards a local port to a remote service

  • route: Allows you to view and modify the routing table

System commands

  • clearev: Clears the event logs

  • execute: Executes a command

  • getpid: Shows the current process identifier

  • getuid: Shows the user that Meterpreter is running as

  • kill: Terminates a process

  • pkill: Terminates processes by name

  • ps: Lists running processes

  • reboot: Reboots the remote computer

  • shell: Drops into a system command shell

  • shutdown: Shuts down the remote computer

  • sysinfo: Gets information about the remote system, such as OS

Other commands (these will be listed under different menu categories in the help menu)

  • idletime: Returns the number of seconds the remote user has been idle

  • keyscan_dump: Dumps the keystroke buffer

  • keyscan_start: Starts capturing keystrokes

  • keyscan_stop: Stops capturing keystrokes

  • screenshare: Allows you to watch the remote user's desktop in real time

  • screenshot: Grabs a screenshot of the interactive desktop

  • record_mic: Records audio from the default microphone for X seconds

  • webcam_chat: Starts a video chat

  • webcam_list: Lists webcams

  • webcam_snap: Takes a snapshot from the specified webcam

  • webcam_stream: Plays a video stream from the specified webcam

  • getsystem: Attempts to elevate your privilege to that of local system

  • hashdump: Dumps the contents of the SAM database

Modules

Kiwi Commands

  • Although all these commands may appear available under the help menu, they may not all work. For example, the target system might not have a webcam, or it may be running on a virtual machine without a proper desktop environment.

New Meterpreter Session Steps

  • Assuming you gained access, inserted an AV path exception, wrote the implant to disk and executed it to catch your callback

  • Now you are set up and running as a thread in the address space of the svchost.exe process

Accessing the Filesystem

  • Common commands include

  • cd - change directory on the target

  • cat - read and output to stdout the contents of a file

  • del - delete a file on the target

  • edit - edit a file with vim

  • ls - list files in current directory

  • mkdir - make a directory on the target system

  • rmdir - remove directory on the target system

File collect with meterpreter

  • download and upload commands

  • Ensure you are escaping the backslashes in Windows paths

  • Example:

Harvest Credentials

  • One way to try and harvest some credentials is with the hashdump module

  • The output of each line is in the following format: Username:SID:LM hash:NTLM hash:::

  • Note that the LM hash aad3b435b51404eeaad3b435b51404ee corresponds to an empty password as well as the NTLM hash 31d6cfe0d16ae931b73c59d7e0c089c0.

  • Another method that can yield more credentials (especially on the domain controller) is:
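The line format described two bullets above (Username:SID:LM hash:NTLM hash:::) and the two well-known empty-password hashes lend themselves to a defensive audit: given a dump in that format, report accounts with a blank password, accounts whose LM hash is still stored, and accounts that share an NT hash (password reuse). The script below is an added example, not part of this cheat sheet or of Metasploit. The sample dump is constructed, and the non-empty hashes in it are made-up placeholders, not real credentials.

```python
import re
from collections import defaultdict

# Well-known hashes of the empty password (from the note above).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Username:RID:LM hash:NTLM hash:::  (the second field is the account RID,
# labelled SID in the cheat sheet)
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# Constructed sample dump; the 0123... / fedc... / 1122... hashes are placeholders.
SAMPLE_HASHDUMP = """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy:1002:1122334455667788aabbccddeeff0011:fedcba9876543210fedcba9876543210:::
"""


def parse_hashdump(text):
    """Parse hashdump-format lines into dicts; reject anything that does not fit."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised hashdump line: {line!r}")
        user, rid, lm, nt = m.groups()
        records.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return records


def audit(records):
    """Flag blank passwords, stored LM hashes, and NT hashes shared between accounts."""
    empty_password = [r["user"] for r in records if r["nt"] == EMPTY_NT]
    # A non-empty LM hash means the weak LM hash is still being stored for that account.
    lm_hash_stored = [r["user"] for r in records if r["lm"] != EMPTY_LM]
    by_nt = defaultdict(list)
    for r in records:
        if r["nt"] != EMPTY_NT:
            by_nt[r["nt"]].append(r["user"])
    shared_nt_hash = {h: users for h, users in by_nt.items() if len(users) > 1}
    return {
        "empty_password": empty_password,
        "lm_hash_stored": lm_hash_stored,
        "shared_nt_hash": shared_nt_hash,
    }


if __name__ == "__main__":
    report = audit(parse_hashdump(SAMPLE_HASHDUMP))
    for finding, value in report.items():
        print(f"{finding}: {value}")
```

Run against the constructed sample, the audit reports Guest as having a blank password, legacy as still storing an LM hash, and Administrator and svc_backup as sharing an NT hash. Each of those is a finding a defender would want to remediate (disable or set passwords on blank-password accounts, enforce NoLMHash, and break password reuse between privileged and service accounts).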

Execute a program

  • The execute command allows us to start remote processes

  • execute flags

  • -H Create the process hidden from view

  • -a Arguments to pass to the command

  • -i Interact with the process after creating it

  • -m Execute from memory

  • -t Execute process with currently impersonated thread token

  • -s Execute process in a given session as the session user

  • Regarding the last option, -s, we can find out the available sessions by using the enumdesktops command. The following example does that and then executes calc.exe in session 1:

Post Modules for Windows Survey

Winenum: Windows built-in enumeration script

  • from your meterpreter prompt:

  • This will use net, netsh, and wmic commands to enumerate the target machine.

  • Note: Each individual command in this script will have its output stored in the path printed in the line starting with 'Output of each individual command is saved to '.

Clearing the Event Log

  • from a meterpreter prompt

Meterpreter Extensions

kiwi module

Powershell Extension

Powershell Commands from Meterpreter

  • Run a PowerShell command as a "one-shot" from a Meterpreter shell

Metasploit impersonate

Upgrade shell to meterpreter

Firefox Post Exploitation

  • Can be run as a non-administrator or as Admin; registry information is pulled when run as Admin

Routing

Set route

Autoroute module

Run autoroute

Create port forward

UAC Escalation

Change UAC to not Notify

  • Need to be admin

Disable LUA

  • EnableLUA specifies whether Windows User Account Control (UAC) notifies the user when programs try to make changes to the computer. UAC was formerly known as Limited User Account (LUA).

Persistence Modules

  • Registry Run Key

  • Be sure to set RUN_NAME at a minimum

  • WMI Event Subscription Persistence

  • Ensure failed login auditing is enabled on target

  • To enable:

  • Event ID for a failed logon is 4625

  • Be sure to set USERNAME_TRIGGER and SESSION at a minimum

  • Cannot be run as SYSTEM or as a normal user; it needs to be run as ADMINISTRATOR
