killchain-compendium/misc/metasploit.md

96 lines
2.0 KiB
Markdown
Raw Normal View History

2021-09-26 02:06:10 +02:00
# Metasploit
## Modules
* __Auxiliary__ scanners, crawlers and fuzzers
* __Encoders__ encode payloads
* __Evasion__ prepare payloads to circumvent signature based malware detection
* __NOPs__ various architectures
* __Payloads__ to run on target systems
* Singles, inline payloads, for example generic/shell_reverse_tcp
* Stagers, downloads the stages payloads
* Stages, for example windows/x64/shell/reverse_tcp
* __Post__ postexploitation
## Notes
* Search via scope
```sh
search type:auxiliary <stuff>
```
* Send exploit to background
```
run -z
```
* `check` if target is vulnerable
* `setg` sets variables globally
* `unset payload`
* Flush via `unset all`
## Sessions
* `background` or `ctrl+z`
* Foreground via `sessions -i <number>`
## Scanning
* Portscan
```sh
search portscan
```
* UDP Sweep via `scanner/discovery/udp_sweep`
* SMB Scan via `scanner/smb/smb_version` and `smb_enumshares`
* SMB login dictionary attack `scanner/smb/smb_login`
* NetBios via `scanner/netbios/nbname`
* HTTP version `scanner/http/http_version`
## Database
* Start postgres
* `msfdb init`
* `db_status`
* Separate `workspace -a <projectname>`
* Safe scans via `db_nmap`
* Show `hosts`
* Show `services`
* Set RHOST values via `hosts -R`
2021-09-27 00:48:14 +02:00
## Exploits
* `show targets`
* `show payloads`
## Reverse Shells
* Multihandler, set options
```sh
use exploit/multi/handler
set payload <payloadhandler>
```
* Shellshock as an example
```sh
use multi/http/apache_mod_cgi_bash_env_exec
```
## Post Exploitation
2021-10-05 01:48:56 +02:00
* `load kiwi`
* `load python`
2021-09-27 00:48:14 +02:00
* Windows
2021-10-05 01:48:56 +02:00
* list SAM database
```sh
migrate <lsass.exe-PID>
hashdump
```
* enum shares
```sh
post/windows/gather/enum_shares
```
2021-09-27 00:48:14 +02:00
* Linux
* `use post/linux/gather/hashdump`
2021-10-05 01:48:56 +02:00
## Other Meterpreter stuff
* Staged and in disguise running as another servicename
```
getpid
ps
```
* Attempt to elevate privileges
```sh
getsystem
```
* Use `multi/handler` or exploit and get an overview via `show payloads`
* UserID via `getuid`